Much is made in the marketplace about the logical layer 2/3 delivery of connectivity to customer sites. Some organisations actively produce market messaging making statements about the delivery of connectivity that they have little or no direct experience of. This is not new. Large hardware vendors have been going to market for years to tell you to replace ‘expensive’ MPLS with cheap ‘Internet’ connectivity.
Clearly, such organisations not only have vast marketing budgets but also paid for market analyst businesses onside, as well as a vested interest in selling more complex hardware devices and licenses for their devices. There are good reasons to buy these devices and licenses, to support things like software defined networking, zero trust and UTM. However, these services are overlay services and do NOT dictate connectivity choice.
The untold truth, especially here in the UK market, is that from the perspective of a UK service provider the logical delivery makes little or no difference. The underlying networks that carry the traffic between sites and The Internet are exactly the same, regardless of their logical (layer 3) delivery.
It’s all connectivity, boxes and cables!
Direct Internet Access, from the service provider’s perspective, is not direct at all. Yes, the connectivity can be used to deliver The Internet directly to an end site, so yes, it’s direct from that perspective, but in reality the traffic rides the same provider network that all the MPLS traffic is delivered over – the same sets of cables in the ground, the same exchanges, the same backhaul circuits, the same PoPs, the same NNIs and, in most cases, the same Internet peering.
By and large, all carrier / service provider networks in the UK are built in the manner depicted above. They will all be some variation of this (greatly oversimplified) diagram. The point here, I hope, is really clear: traffic very rarely goes directly to The Internet unless an organisation has set itself up as a service provider and peers directly. All traffic will travel through PoPs / exchanges to carriers and service providers who peer with each other.
In the UK, your Internet access is highly likely to be happening in either London or Manchester, or in some cases in one of the smaller regional exchanges. These locations are also where it is most sensible for service providers to host centralised firewalls.
What does this mean to the end site or the end user?
Firstly, the idea that DIA means a more direct route to your cloud-based services is in fact a complete misnomer: the traffic in most provider networks will take the same paths regardless of the logical delivery. Direct paths are a product of service provider peering arrangements.
Secondly, since the physical networks that carry the traffic are the same, there are no bottlenecks in using centralised Internet breakout, at least not in a provider network that is well managed. So long as the firewall instances used to manage the traffic are properly scaled, organisations can continue to benefit from the cost and management advantages of centralised breakout to The Internet, without opening more of their border to the public.
In my opinion it also means that the layer 2/3 overlay on the underlying physical connectivity should be largely unimportant to any organisation buying a managed or co-managed solution, and even, to some extent, a self-managed network. In truth, DIA is almost always delivered as an S-VLAN, a VRF or Carrier Grade NAT to the end site, though this is usually transparent to the user.
“But wait a minute, that’s not what we’ve been told…we can buy ‘cheap as chips’ Internet circuits and save money.”
Well, not exactly. There are three somewhat ambiguous messages out there which appear to be confusing the UK market.
In Part 2 we will examine these in detail before clarifying things from a more objective point of view, helping users see the wood for the trees when making the right choice for their business needs.