The VMware VeloCloud acquisition and the battle for the future of network services

The acquisition of VeloCloud Networks by VMware closely follows the acquisition of Viptela by Cisco a few months ago. In this post, I want to touch on the drivers for this acquisition given the apparent success of VeloCloud with service providers, and what it implies about the role legacy service providers will play in the future of network services.

SD-WAN is driving WAN transformation

SD-WAN is a change agent in the stagnant market for WAN services. The ancestor of SD-WAN, SDN, promised to use software and commodity hardware to reduce the dependency of enterprises on proprietary legacy routers. SD-WAN followed the same logic, targeting network service providers’ private MPLS networks. With SD-WAN, customers virtualized their networks, enabling the use of multiple types of underlying services (MPLS, fiber, xDSL, cable and 4G/LTE) to meet specific business requirements. Before SD-WAN, setting up a routing environment to support this kind of diverse set of services was prohibitively complex. With SD-WAN, underlying services could be deployed, adjusted, and swapped without massive network re-engineering.

Service provider business models are under attack

SD-WAN was, in fact, a serious threat to service providers. Before SD-WAN, they offered an “all or nothing” or “one size fits all” network service that focused on selling a premium product (MPLS) at a premium price and then “locking in” the network architecture to ensure service levels are met. The side effect of this approach was a rigid and expensive network that was slow to evolve and adapt. These network constraints started to impact the business when traffic flows changed with the increased adoption of cloud services. Virtualizing the network with SD-WAN meant that it was now possible to open up the network architecture to multiple service providers and multiple types of underlays, and to optimize service levels vs. the cost of services. The MPLS “cash cow” was suddenly at risk.

Service providers embrace SD-WAN…or did they?

Service providers faced a conundrum. Their lucrative MPLS business was under attack, but ignoring SD-WAN was not possible. Customers were in a position to seriously re-examine their service provider relationships as contracts came up for renewal by augmenting or outright replacing their MPLS networks with affordable MPLS alternatives. Service providers responded by signing up SD-WAN vendors and adding SD-WAN appliances to their offerings. However, it was still in the best interest of service providers and their channel ecosystem to re-sign customers to existing MPLS services, even at a reduced price, without introducing SD-WAN. Keeping customers on MPLS maintained customer control.

50 service provider agreements and one modest exit

VeloCloud was the poster child of a provider-centric go-to-market strategy, closing more SD-WAN partnerships than any other vendor. As SD-WAN was projected to take the world of enterprise networking by storm, VeloCloud was standing to benefit from a “tsunami” of customers adopting SD-WAN delivered by service providers. And yet, VeloCloud had chosen to be acquired by VMware instead of playing its “hand” in the exploding SD-WAN market. With a purchase price that is rumored to be far lower than Viptela’s $610M acquisition by Cisco, it seems likely that an opportunity to build a multi-billion dollar enterprise software company was lost.

Or was it? Maybe VeloCloud looked at its chosen go-to-market strategy, the service provider bundle, and saw some worrying signs. We mentioned above the inherent conflict of interest service providers have when selling WAN services, and their MPLS bias. In addition, service providers’ initiatives to software-enable their infrastructure are painfully slow to get to market. Network Function Virtualization is still in the pre-production phase, and the NFV industry is buzzing about the lack of real return on this massive investment.

In a conversation we had with an analyst at a very large firm on the link between SD-WAN and legacy service providers, he said: “Enterprises are unsure that their existing service providers are the right partners for SD-WAN. If you take a simple and agile SD-WAN solution, and bolt it on top of a rigid and expensive service model, you end up with very little of the promised SD-WAN benefits.”

The battle for the future of network service providers

SD-WAN is, for the most part, an enabling technology for a new type of network service provider: one that is not hampered by legacy business models and bloated, expensive processes. Much like Amazon Web Services took over the hosting industry with a new agile, simple, affordable, and self-service solution, the battle for the future of network service is on. It is not enough to have the “right technology” or even all of the “right pieces.” To win in the market, all network service providers, both incumbents and upstarts, must adapt to deliver the total customer experience businesses are looking for.

Can Cisco/Viptela and VMware/VeloCloud arm their partners with the tools needed to achieve that level of customer experience? Transforming legacy network service providers into agile and nimble organizations will require more than just technical capabilities and will prove to be a significant challenge for them both.

The Carrier Cloud Needs a New Fabric, Not a Patched Cloth

Over the past two decades, carriers have built massive global networking platforms that are faithfully serving many enterprises. At a premium cost. MPLS-based services are under pressure from emerging Internet-based solutions. With MPLS revenue streams at risk, the carriers are pursuing a two-prong strategy: augmenting MPLS with Software-Defined Wide Area Networking (SD-WAN) and adding value-add services to the core network with Network Function Virtualization (NFV). This strategy is attempting to “patch” the carrier MPLS cash cow and slow its decline. In reality, what the carriers could use is a whole new fabric built for the cloud-centric enterprise and driven by cloud economics to reduce costs and maximize customer value delivery.

SD-WAN for the Carrier Network Edge

SD-WANs are driven by the explosive growth of Internet traffic and the changes in traffic flows. There is less demand for MPLS-to-the-datacenter and more demand for accelerating and securing traffic to internet destinations, such as cloud infrastructure and public cloud applications. SD-WAN offers a good way for carriers to augment their MPLS services. It allows their customers to boost the capacity, manageability and agility of MPLS by adding Internet links into a hybrid WAN.

But alone, SD-WAN will be insufficient for enterprises to transform their WANs and for carriers to stay competitive. SD-WAN relies on the Internet, which makes delivering a consistent user experience for voice, video and other latency-sensitive applications difficult, if not impossible, particularly when routes span long distances, internet regions, and carrier backbones. Customers remain forever locked into MPLS with all of its high costs and lack of agility, leaving carriers exposed to churn as customers look for more effective approaches.

NFV for the Carrier Core Network

The challenges of maintaining and deploying rigid, hardware-based MPLS infrastructure are leading carriers to look for new service delivery models. A successful on-demand infrastructure model exists with Amazon AWS and has thoroughly changed how we purchase servers and build datacenters. But how can carriers deliver an Amazon-like offering for networking and security services?

The initial thinking was that the virtualization of physical appliances and network functions virtualization (NFV) would make carriers more agile. They could run a fully managed orchestration platform, spinning up virtual network functions (VNFs) in a generic customer premises equipment (CPE) device. Carriers would gain the efficient use of software licenses, centralized management, and upfront savings they’ve long sought, and enterprises would achieve the branch office operational cost reductions they’ve long wanted.

But operationally, VNFs are still multi-sourced virtual appliances. Each has to go through a complete lifecycle of sizing, deployment, configuration, and upgrades. Each must have its own redundancy scheme built per customer. Each must be run through its own management interface and policy engine. Can you imagine Amazon offering AWS where virtual machines are deployed per host, run a vendor-specific operating system, and are managed by vendor-specific tools? What a headache. If that was the case, AWS would be far less compelling.

And the more VNFs running in the CPE, the more features activated, or the more business traffic grows, the more processing is required from the finite resources of the CPE. At some point, it will underperform or force an upgrade.

Moving VNFs into the carrier core isn’t much help, even with the telco’s plentiful compute and storage resources. VNFs from multiple customers running side-by-side may impact one another as customer activity bursts or new capabilities are deployed. For example, adding deep packet inspection of SSL content to stateful firewalls can increase loads on firewalls by 10x. Carriers and service providers also need to develop the management and OSS systems to accommodate those sudden shifts.

And that’s not all. VNFs, like virtual appliances, must still be maintained, patched and configured, increasing operational costs. Creating multi-tenant VNFs is complicated for VNF providers, forcing carriers to deploy individual instances for their customers. The result: inefficient use of compute and storage resources.

From a business standpoint, VNFs have always posed a problem for the VNF suppliers. Evolving VNFs to be more standardized reduces lock-in and brand value. VNF providers can't allow a situation of easy swap-outs with other offerings. They’ve become somewhat reluctant partners in the architecture, sort of like trying to dance when your feet are controlled by two brains. Coordination becomes very difficult indeed.

Network Functions Built for the Cloud

Rather than trying to adapt a legacy, appliance-based architecture to the cloud, carriers should embrace a new architecture for a network and security cloud-based service. Don’t run discrete appliances (i.e., VNFs) in the cloud. Create a distributed multitenant software stack for networking and security services and overlay them on a carrier-grade backbone. The software would provide policy-based routing, optimization, encryption and a full network security stack, governed by a unified networking and security policy.

We call this the Network Function Cloudification (NFCL) fabric. It is comprised of NFCL nodes, each running the same integrated software stack. As a cloud-based service, NFCL is multi-tenant by design, and fully distributed as PoPs, each with multiple NFCL nodes. There is no proprietary hardware to complicate geographic expansion of a service offering. And without the hardware, there is no need for massive capital expenditures. NFCL nodes are accessible from any location, data center, cloud resource and mobile user that can connect to the Internet.

Figure 1: NFCL Fabric and Nodes

As traffic flows through the NFCL node, routing, path selection, and multiple security engines are applied to the traffic.

Figure 2: NFCL PoP Integrated Network and Security Services

The unique advantage of NFCL is that it is built for the cloud. It breaks the notion that every network function must be locked into a proprietary appliance. Instead, the network function is delivered without a 1:1 bond with any specific appliance. Customer resources simply connect to the NFCL fabric using a secure tunnel and are attached ad-hoc to an available NFCL node.

NFCL brings significant operational and capital cost benefits to carriers. It provides built-in redundancy and scalability. New NFCL nodes can be spawned as needed to ensure capacity is available. Global coverage can be expanded easily by adding NFCL software nodes at a regional datacenter or a hosting service. If a node fails, the customer resource tunnel can reconnect to any nearby available NFCL node. The NFCL fabric always maintains the overall context of the virtual customer network within the multi-tenant infrastructure. Finally, the NFCL software seamlessly upgrades in the background, so neither the carrier nor the customer has to own that responsibility.

The Way Forward for the Carrier Cloud

The obvious advantage of legacy appliance-based approaches is choice. Customers can choose to work with specific vendor appliances and handle the resulting fragmentation and complexity. Fewer enterprises can afford it these days, as more and more solutions are introduced to the market and new business requirements emerge. Providing customer choice also means higher costs for carriers for the reasons we discussed above.

With NFCL, choice comes not from deploying standalone appliances but from seamlessly extending the NFCL fabric with third-party, cloud-delivered functions. In this way, NFCL can maintain its unique availability, scalability and functional attributes while delivering the capabilities customers require, anywhere they need them, whenever they want them. While technology purists may scowl at the lack of “do it yourself” options, business and IT leaders understand the tremendous benefits from the AWS-like approach of NFCL.

It is the past or the future. NFV vs. NFCL. What will be the right choice for the carrier cloud?

This article was originally published on SDxCentral.

2017: All Engines Go!

Changing the (IT) world is a big task, but we are off to a great start. Cato Networks has captured the imagination of numerous IT professionals with an all-new approach to an age-old problem: the ever-growing cost and complexity of networking and security point products.

In February, we emerged out of stealth and introduced the Cato Cloud, a fully converged network and security platform delivered as a cloud service. In September, we announced a Series B funding round of $30M led by Greylock, and we are rapidly growing all parts of the company: engineering, support, sales, and marketing. We made great progress teaming up with strategic and forward-looking distributors, resellers and managed security service providers that are quickly onboarding customers into the Cato Cloud using our multi-tenant Cato Management Application.

Throughout 2016, Cato has gained the trust of organizations of all sizes piloting, deploying and running our service in production. We are exiting 2016 with dozens of production customers across all of our use cases.

The Cato Cloud is built upon a global network of Points of Presence (PoPs). The buildout will continue in 2017 with the goal of placing a PoP within 25ms latency from every business customer in the world. Why build a global network? Because Cato’s mission is to do what was once thought impossible: fully secure and optimize enterprise networks without the operational complexity and cost of distributed legacy hardware appliances and the new point solutions needed to address emerging requirements like cloud and mobility. Cato offers a new hope for overburdened and short-handed IT teams, one already being realized by our production customers.

What differentiates Cato is our underlying architecture. Cato didn’t put “lipstick on a pig” with a patchwork of solutions that has been “lifted and shifted” into the cloud. We created a revolutionary new architecture, from scratch, that is seamlessly delivering networking and security capabilities everywhere we have a PoP. We have no notion of an appliance as a logical entity. Customers’ offices, datacenters, mobile users and cloud infrastructure dynamically connect to the nearest available PoPs and instantly become part of the customer’s single, logical secure network. Even if a resource reconnects to a different PoP, it always remains part of the enterprise network.

This means enterprises do not need to think about sizing, deploying, configuring, managing and upgrading boxes for each of their locations. There is just one network with one security engine that is running one granular policy. And all maintenance for this infrastructure is done by Cato, taken completely off the customer’s plate. As our customer footprint grows, Cato can rapidly spin up PoPs running our software stack anywhere in the world, and they immediately join the global network and connect customers’ regional resources.

For our partners and their customers, this architecture represents a revolution, eliminating one of the major pain points undermining the business of delivering networking and security services. Integrating security and networking functions in software means there is no more static configuration of appliances. Cato has eliminated not just the physical appliance, but also the dependency between a specific device and a specific customer resource. This strong binding creates a huge headache for service providers that try to create a cloud service by taking on all the appliance grunt work customers want to offload. Moving the problem from the customer to a service provider does not create efficiency or value.

Cato isn't a “cloud security solution”, “a network security product”, or “SD-WAN box”. Cato is a holistic solution to a systemic problem: the perfect storm of the dissolving perimeter, the explosion of enterprise security point solutions and the lack of people to run it all.

Cato makes network+security simple - again. In the early days of IT, enterprise networks were simple and the threat landscape subdued - they were manageable. We can’t go back to this period, but we must rethink how we adapt our infrastructure to today’s new reality of accelerating threat velocity and a distributed, global, mobile-first and cloud-centric enterprise.

We put a stake in the ground. Cato Networks is the answer to this challenge. Stay tuned - 2017 here we come.