Reimagining the edge

While the importance of the cloud is obvious to anyone, the increasing importance of the edge is often overlooked.  As digitization and the Internet of Things are  leading to an exponential growth in the number of devices, the amount of data that is being generated by sensors in devices such as self-driving-cars, mobile endpoints and  people tracking systems for retail is astronomical. Analyzing and turning that data into immediate actions is key to success in the era of digitization. The cloud enables massive data storage and processing, but it does not always lend itself to real time processing and immediate actions. Latency and the sheer amount of data to be transmitted are much less of a factor for the edge compared to the data center. In order to make instant decisions, some of the data processing needs to happen at the edge.  At the same time, a large number of employees no longer work form the corporate HQ, but have ever increasing expectations with regards to application access regardless of their physical location.  Distributed computing across the edge, along with high performance cloud access and distributed security enforcement give organizations “the edge”. Centralizing management and operations with distributed control and enforcement could define the Next-Generation Branch.

Challenges with legacy branch architecture

While digital transformation has lead to organizations embracing the Software-Defined Data Center, the Remote and Branch Office (ROBO) infrastructure has remained largely unchanged. The static nature of branch architecture does not only result in high operational expenses, but also slows down the organization as it impacts the rollout of new applications to those branches.  Bringing up a new branch typically involves shipping and configuring a number of infrastructure hardware and appliances, such as pairs of firewalls, routers, file/print servers, point of sale, etc. The logistics involved with getting those appliances delivered and configured is complex, slow, and often requires specialized personnel to spend time on site.  Sending CCIE certified engineers out to branch locations to configure a branch router is not a rarity, and yet certainly not scalable nor efficient. These challenges extend beyond the initial branch deployment, as any change to the branch infrastructure or even day-to-day management and operations of a large number of branches, each with their own stack of appliances is a heavy lift operation.

In addition, while branches often don’t have the same  level of security controls as the corporate HQ, employees at the branches have the same expectations as employees at the HQ when it comes to accessing corporate resources; as a result, branches are often leveraged as an attack vector to target the corporate data center.  While many companies still backhaul all branch traffic to a centralized location and provide Internet access services and security from that central location, organizations are increasingly leveraging public broadband connections to provide Internet access services and access to cloud applications from the branch. This effectively introduces a new perimeter at every branch, which in turn needs to be secured.

The increase in cloud utilization, massive uptake in number of connected devices, as well as customer and employee expectations are at the base of another challenge with the traditional branch.  Often branches are using private links such as MPLS through a service provider. Those circuits come with a very high operational expense, take multiple months to get provisioned, and are very inflexible.

Building a Software-Defined Branch

Given the above challenges with traditional branch infrastructure, what are the characteristics of a next-generation branch solution? What would a Software-Defined Branch look like?

bubblesKey requirements of the Software-Defined Branch solution are depicted in the diagram. With these, the branch can evolve to be more agile asset of the organization, adaptable and open to new innovations. In addition, these can lower capital and operating expenses compared to the traditional branch infrastructure by enabling a more streamlined operational IT model.

Central Management and Operations

Managing infrastructure and applications across a large number of geographically dispersed branches is challenging due to distributed nature of these appliances. In addition, the multitude of services that exist at those branches often forces a siloed and costly model of operations and management.  In order to deal with those challenges, enterprises are looking at how branch management and operations can be centralized, with fewer panes of glass. The VMware ROBO solution allows the management plane to be centralized, so that the central management functions vCenter, NSX, and partner solutions can be deployed at the HQ to manage branch IT remotely.

Infrastructure Consolidation

Another branch pain point is the quantity and footprint of physical appliances that are deployed at each branch. Each appliance is a potential point of failure, and replacing hardware either requires costly RMA contracts or a large number of different purpose-built spare devices collecting dust in a depot. Many of the services that run as physical appliances in the branch can be virtualized and consolidated on a single x86 server with ESXi and NSX as the converged software platform. The VMware stack provides a smart fabric, leveraging native network and security services. Additional infrastructure solutions such as SD-WAN along with branch applications can be deployed over this platform.

Streamlined Provisioning

Enterprises want to drastically reduce the time and expense associated with bringing up new branch infrastructure. Because remote and branch offices often have such similar requirements, virtualization and automation are key in solving the provisioning problem.  With VMware vSphere and NSX, templates and policies (such as security groups and security policies) can be used to pre-define the ROBO software stack and security requirements for a set of branches.  Leveraging IT automation tools or vSphere and NSX APIs and tools such as PXE, the provisioning of x86 from bare-metal to branch-ready can be automated.

Reliability and Availability

Corporations need their branch infrastructure to be resilient to failure such as failure of individual appliances or applications, or failure of a WAN link. vSphere for ROBO includes vSphere HA and vSphere Replication for High Availability and Resiliency. vSAN for ROBO enables hyper-converged storage optimized for VMs. NSX for ROBO provides high availability functionality for the Edge Services Gateway, and 3rd party SD-WAN solutions enable a highly available WAN which can typically be deployed as a HA pair of VMs.

Adaptable Network

Organizations want to be able to define local area networking in software, distributed across the branches and controlled centrally, which enables them to provision applications and infrastructure rapidly with great flexibility. Additionally, there’s a growing interest in using multiple business broadband links in an active/active fashion, with business policies defining how different applications use the available pool of Internet/WAN connectivity, and/or use secured tunnels to connect branches to each other and to the data center.  NSX allows network connectivity, services, and security policies between applications to be orchestrated or manually changed remotely and without physical changes. Software-Defined WAN enables the use of multiple different types of WAN/Internet circuits in an active/active fashion based on an administratively defined business-policy. By running an SD-WAN Virtual Machine on the branch ESXi host running NSX, enterprises can implement hybrid WAN as a function of a software defined branch platform, as well as security and visibility for East-West and Internet/WAN traffic through the NSX Distributed Firewall and partner firewall services. Alternatively, an existing router can remain in place or can be replaced by the NSX Edge Services Gateway which provides functionality including first hop routing for all users, workloads and physical compute resources, DHCP server/relay and security for all North/South traffic (in addition to East/West traffic) from the branch to the Internet or WAN. The ESG also enables IPSec VPN tunnel termination between the branches and data center. NSX allows networking to be centrally defined in software, and distributed across the hypervisors in the data center and in the branches.

Visibility and Security

A branch security solution needs to be able to protect the perimeter, which typically involves Next-Generation Firewall functionality such as Application Visibility and Control and URL filtering. This perimeter protection should be able to protect users, virtual workloads and physical appliances.  In addition to protecting the perimeter, the branch security solution should also provide the ability to segment branch workloads, and enable organizations to move to extend the Zero Trust architecture from the data center to their branches. As the WannaCry global ransomware attack – which spreads laterally through SMB and RPD – made painfully clear, a least privilege/ zero-trust security model is foundational to security in the datacenter and beyond in order to contain laterally moving attacks..  NSX Micro-Segmentation can be leveraged in the branch in order to segment different workloads from each other within a branch or across branch locations.  In addition, the NSX Service Insertion framework allows for additional partner services such as NGFW, IPS or AV to be applied granularly to select VM traffic.  The NSX Edge Services Gateway provides L3/L4 filtering and can act as a router for all traffic, including traffic from users and physical appliances. If SD-WAN is deployed as a virtual machine on the branch host, the NSX Distributed Firewall can be applied to the SD-WAN VM to provide native L3/L4 filtering  as well as NGFW partners services to all traffic crossing the perimeter.

The below diagram depicts VMware ESXi and NSX as the converged software platform for the branch, consolidating branch application workloads and virtual network functions:


NSX for ROBO Licensing

In addition to existing ROBO licenses for vSphere and vSAN, ROBO Licensing for NSX is now available as of the release of NSX for vSphere® 6.3 . Licensed features include distributed switching and firewalling, edge services, service insertion and more.

Learn More

If you want to learn more about how the VMware ROBO solution enables the Software-Defined Branch, check out this whitepaper: NSX for Remote and Branch Offices (ROBO) .