SASE & SDWAN providers
Posted by Competitive_Smoke948@reddit | sysadmin | 12 comments
As always on this subreddit - you guys are awesome and thanks in advance for your expertise - even Dave...the guy who always reboots without asking - you know who you are ;)
I have a question on SASE providers, since all the vendors lie.
Specifically, I'm looking at a situation where there is no POP within 100 miles of a DC, but we need to get users from the other side of the world to an application.
"Stick it in the Cloud" is not an option at the moment, nor is refactoring it for CDN networks etc.
This is literally: get the fastest connection across the planet for non-technical users working from home.
SD-WAN all the way isn't the answer, as that will shovel traffic across the internet over whatever routes it decides to use.
Maybe using a VDI in Azure or AWS and relying on their backbone is an answer; however, is there a SASE provider that has their own legitimate backbone across the planet so we can reduce the hops/latency as much as possible, with the proviso that we know the local ISP is a bottleneck and is the final hop to the DC?
Again, thanks.
Special-Cause7458@reddit
This is exactly the Cato Networks use case. They own their global private backbone, so traffic between remote users and your DC rides their network, not random internet routing. Last mile is still your ISP, but everything in between is controlled end to end.
nwmcsween@reddit
Seems like a giant waste of money to fix the wrong problem? Guessing it's a website, based on the CDN part? If it is a website: anycast DNS + master-master SQL backend. Really though, this needs more information.
Competitive_Smoke948@reddit (OP)
Annoyingly, no. Legacy, legacy, legacy apps. Like... legacy that will cost £100,000s or more to refactor, & thus will need internal isolation & segmenting at the hardware layer for security purposes. Legacy.
HDClown@reddit
I'm a Cato customer, so I'm most familiar with them. They manage their own worldwide backbone. They are obviously buying data centre space and circuits from others, but it's all their gear in those facilities, so they control how they route data across their backbone. In their early days they were using AWS and Azure for PoPs, but as far as I know those are all gone and it's all their own. Connection performance is still going to be tied to the closest PoPs to the user and to the consumed resource, as well as the quality of the backbone between PoPs.
Azure/AWS/GCP wouldn't really be any different in concept if you had the front end hosted in a region closest to the user and rode their private network to hit the back-end resource. The differences would come down to distance to PoPs and private backbone performance.
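The comment above splits the path into three legs (user to nearest PoP, the provider's backbone between PoPs, and PoP to the consumed resource), and the OP's question is how much latency and how many hops a private backbone can actually remove. The script below is an added example, not code from the thread or from any of the vendors named in it: it parses classic Unix `traceroute` output for each candidate path and reports hop count, end-to-end RTT, the RTT of each of the three legs, and the largest per-hop jump (normally the long-haul leg, which is the one to compare providers on). The two traceroute transcripts, the hostnames and the RFC 5737 addresses are constructed samples, and the ingress/egress hop numbers are chosen by hand for those samples; with real runs you would pick the hop that is your ISP's edge (or the provider's ingress PoP) and the hop that is the DC-side edge.

```python
"""Score candidate paths to a DC from traceroute output (added example).

Constructed samples only: the transcripts below were written by hand to
illustrate the parsing and the per-leg arithmetic; they are not real
measurements of any provider.
"""
import re
from statistics import median
from typing import Dict, List, Optional, Tuple

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")         # hop number, then the rest
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")          # one match per answered probe


def parse_traceroute(text: str) -> Dict[int, Optional[float]]:
    """Map hop number -> median probe RTT in ms (None if every probe timed out).

    Handles the usual Unix layout: hop number, host, then '<rtt> ms' per probe
    or '*' for a lost probe. Header lines start with a letter and are skipped.
    """
    hops: Dict[int, Optional[float]] = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(v) for v in RTT_RE.findall(m.group(2))]
        hops[int(m.group(1))] = median(rtts) if rtts else None
    return hops


def summarize(hops: Dict[int, Optional[float]], ingress_hop: int, egress_hop: int) -> dict:
    """Split the path into first mile, middle (what a backbone can change) and last mile."""
    if hops.get(ingress_hop) is None or hops.get(egress_hop) is None:
        raise ValueError("ingress/egress hop must have answered probes")
    measured = [(n, r) for n, r in sorted(hops.items()) if r is not None]
    last_hop, end_to_end = measured[-1]
    # Largest RTT increase between consecutive answering hops: the long-haul leg.
    jump_hop, jump = max(
        ((b, rb - ra) for (a, ra), (b, rb) in zip(measured, measured[1:])),
        key=lambda t: t[1],
    )
    return {
        "hops": last_hop,
        "end_to_end_ms": end_to_end,
        "first_mile_ms": hops[ingress_hop],                  # user -> ISP edge / ingress PoP
        "middle_ms": hops[egress_hop] - hops[ingress_hop],   # ingress PoP -> egress PoP
        "last_mile_ms": end_to_end - hops[egress_hop],       # egress PoP -> DC
        "biggest_jump_hop": jump_hop,
        "biggest_jump_ms": jump,
        "timeouts": sum(r is None for r in hops.values()),
    }


def rank_paths(candidates: Dict[str, Tuple[str, int, int]]) -> List[Tuple[str, dict]]:
    """Rank candidate paths by end-to-end RTT, then by hop count."""
    scored = [(name, summarize(parse_traceroute(t), i, e)) for name, (t, i, e) in candidates.items()]
    return sorted(scored, key=lambda s: (s[1]["end_to_end_ms"], s[1]["hops"]))


# Constructed sample: plain internet path, user's ISP edge at hop 4, DC-side edge at hop 8.
DIRECT_TRACE = """\
traceroute to dc-app.example (203.0.113.10), 30 hops max, 60 byte packets
 1  home-gw (192.168.1.1)  1.102 ms  0.987 ms  1.050 ms
 2  10.20.0.1 (10.20.0.1)  8.410 ms  9.220 ms  8.905 ms
 3  198.51.100.7 (198.51.100.7)  12.300 ms  11.870 ms  12.010 ms
 4  198.51.100.21 (198.51.100.21)  13.100 ms  12.950 ms  13.420 ms
 5  * * *
 6  203.0.113.77 (203.0.113.77)  162.500 ms  161.900 ms  163.110 ms
 7  203.0.113.78 (203.0.113.78)  231.400 ms  230.870 ms  229.990 ms
 8  203.0.113.90 (203.0.113.90)  244.010 ms  243.500 ms  245.220 ms
 9  203.0.113.10 (203.0.113.10)  252.300 ms  251.800 ms  252.900 ms
"""

# Constructed sample: same user and DC, via a provider with ingress PoP at hop 3 and the
# same DC-side edge router (203.0.113.90) at hop 5.
BACKBONE_TRACE = """\
traceroute to dc-app.example (203.0.113.10), 30 hops max, 60 byte packets
 1  home-gw (192.168.1.1)  1.080 ms  1.010 ms  0.995 ms
 2  10.20.0.1 (10.20.0.1)  8.700 ms  9.010 ms  8.830 ms
 3  pop-syd.provider.example (198.51.100.50)  14.200 ms  13.880 ms  14.050 ms
 4  pop-lhr.provider.example (198.51.100.60)  171.300 ms  170.950 ms  171.600 ms
 5  203.0.113.90 (203.0.113.90)  178.400 ms  177.900 ms  178.200 ms
 6  203.0.113.10 (203.0.113.10)  185.100 ms  184.700 ms  185.300 ms
"""

CANDIDATES = {
    "direct internet": (DIRECT_TRACE, 4, 8),
    "provider backbone": (BACKBONE_TRACE, 3, 5),
}

if __name__ == "__main__":
    for name, s in rank_paths(CANDIDATES):
        print(f"{name:18s} hops={s['hops']:2d} e2e={s['end_to_end_ms']:7.1f}ms "
              f"first={s['first_mile_ms']:5.1f} middle={s['middle_ms']:6.1f} "
              f"last={s['last_mile_ms']:4.1f} jump@{s['biggest_jump_hop']}={s['biggest_jump_ms']:.1f}")
```

Run it against a few traceroutes taken from the actual user locations at the actual working hours, not from the office: the first-mile and last-mile numbers are the part neither SASE nor cloud can fix, so if they dominate the total, the middle leg is not where the money should go. Note that ICMP/UDP probes are often deprioritised or filtered mid-path, so treat a single timed-out hop (like hop 5 above) as missing data, not as a bad link.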
sryan2k1@reddit
You can do it yourself with some transit VPCs in AWS.
Competitive_Smoke948@reddit (OP)
SD-WAN is just a fancy VPN; you're still relying on the service levels of a bunch of third-world ISPs & random routing choices.
A single supplier means one person to shout at, & they'll have more control over routing & be less likely to lose contact because some fool in Pakistan pushes an incorrect BGP update... again.
man__i__love__frogs@reddit
Being a SASE or in the cloud doesn't change anything.
If users have to connect through the internet, whether that's to a Cloud provider or on-prem, it goes through the internet.
If that doesn't meet performance requirements, then you look into VDI or RDS hosted in the same LAN as the apps/services.
Competitive_Smoke948@reddit (OP)
VDI is still reliant on the entry and exit points. Need a provider with its own backbone rather than your queue of local ISPs around the world bouncing your traffic across badly set-up BGP tables & copper wire across the Horn of Africa.
The big providers DO have their own backbones; it's just finding that AND someone who uses hardware POPs and isn't virtualising it, so that latency is as low as you can get before you hit the internet.
man__i__love__frogs@reddit
Unless you're going to be setting up ExpressRoutes and VDIs in every region your users are in, there are going to be very diminishing returns on that kind of setup. And with that setup, the complexity is likely not much different from just migrating or lifting and shifting the app to the cloud in the first place.
Competitive_Smoke948@reddit (OP)
App lift and shift would be in the £millions.
No ExpressRoute.
User home or user office to ingress POP is out of my control, & egress POP to server room is out of my control, BUT across the world is... I'd rather have it go securely across private links inside a SASE than the internet. Even with Azure private links & tenancy pairing, or across AWS, you're running across their fibre, not the internet.
Piece of piss to set up. I've done more complicated stuff wasted at 3am in a server room.
flitz_@reddit
Cato, hands down.
zlimvos@reddit
Cato and Versa have their own cloud; check their websites for current PoP locations, as these numbers change all the time.