Single-vendor SASE with Magic WAN Connector
Presented by: Annika Garbers, Ameet Naik
Originally aired on September 29, 2023 @ 4:00 PM - 4:30 PM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Annika Garbers, and Ameet Naik.
Tune in all week for more news, announcements, and thought-provoking discussions!
Transcript (Beta)
Hi, everyone. Thanks for joining us on today's session on the Magic WAN Connector.
My name is Ameet Naik. I'm director of product marketing here at Cloudflare.
And joining me today is Annika Garbers, who has been working on this for the last several months and is really excited to tell you all about it.
And we're really excited to talk to you about Magic WAN Connector, what it is and how you can use it and how it changes the game in the industry.
But before we jump into that, let's just for our viewers level set a little bit, right?
SASE. This is a term that has been thrown around a lot, Secure Access Service Edge.
It sounds a little bit buzzworthy, but it can sometimes be overused.
But Annika, I wanted to ask you, what's your take on SASE, right?
What does it mean to you?
What should it mean to our CIO listeners and for the industry at large?
Yeah, what SASE represents to me and the customers that I talk to is really a fundamentally new network architecture that represents the direction that CIO and enterprise networks really are taking.
And we've been in this sort of transitional state for so long as companies have been transitioning and moving their infrastructure to the cloud and they've been embracing new forms of work, and users and applications have left the data center and the offices that they used to live in.
And there's been lots of technologies that have been sort of introduced to be able to deal with those problems, but not really one unifying sort of framework or architecture that actually helps solve these problems holistically.
And so the customers that I talk to talk about dealing with this really sort of messy patchwork of tools, variations on existing technology, things like virtualization, and that they have this feeling of sort of playing Whac-A-Mole, both with attackers and external threats and then also internal challenges and being able to enable the new ways that their team wants to work.
And so this hunger for a better way to solve these problems in a way that embraces really the Internet itself as the foundation of the new corporate network.
I think customers have been looking for this for a long time. So that's what SASE really is, is it's a different way to think about connectivity and security for enterprise networking use cases.
And that's at a high level.
We can talk more about what it means specifically as we go through.
Yeah, yeah, I think about this a lot, right?
So we've seen sort of a shift from the classic castle-and-moat model where apps and users were all sort of inside this well defined perimeter.
Right?
And now we've seen initially we saw apps leave the building, we saw users leave the building.
And then a few years ago, we saw users leave the building in a really big way and they just couldn't come back for several months on end.
And that really forced a lot of shift in thinking and how enterprises view network.
But the one thing that I think is really clear to us is that any organization today, like you have to plan for a hybrid work future, right?
Anybody you talk to, any customer you talk to, there's a lack of clarity, but there's also sort of a need for flexibility.
Right.
So a lot of organizations are operating in this mode of like, yeah, we want to have offices, we want to have facilities, we want to have presence.
But in some cases we may also need to prepare for everybody staying at home, right?
If we have to do another shutdown, God forbid. And but then there are other organizations that are very much facilities driven, like manufacturing, hospitals, health care, like you can't do a lot of that stuff from home.
So I think one thing we can all agree on is hybrid work is a new norm and a new future.
And one of the things I wonder about in this new world is like, what's the role of the corporate WAN really, right?
What does it mean to have a WAN, like what traffic is it going to carry if everybody's using Google Suite or Office 365 and using Internet based SaaS applications?
What are your thoughts on that?
Yeah, that's a really interesting question.
I think we're seeing more and more applications, obviously it's already started, but a higher and higher percentage of network traffic workload is shifting to SaaS.
And so maybe there's a world somewhere in the future where 100% of applications that users need to access to do their jobs are Internet exposed public applications.
And then maybe there's some kind of security enforcement in between them to make sure that people can only access the tools that they need to.
But most of the organizations that I talked to, especially larger enterprises that have a traditional WAN infrastructure still in place, are not there yet.
They're along some part of that journey. They've still got a lot of private traffic workloads.
Maybe those are still running on forms of private connectivity like MPLS or leased lines that they're looking to reduce their reliance on or remove completely in order to cut costs.
Or maybe they are running over the Internet.
I talked to a customer last week who's made the transition away from MPLS and just has direct Internet access everywhere, but they're now maintaining basically a mesh over all of those Internet circuits, which can get really complicated if you need to connect lots of different locations with sort of a disparate hardware stack.
And then thinking about security, layered on top of that is challenging, too.
And so I think the direction that we want to help customers move toward is embracing this concept of the Internet is going to be the foundation of the corporate network.
And whether that means that the applications that you're actually accessing are exposed to the public Internet or their private applications, but you're accessing them using the Internet as your sort of underlay as your Internet fabric doesn't matter.
We just want to help make that experience as solid as possible and more secure, more fast and more reliable than companies have traditionally thought of the Internet as being able to be.
Yeah.
I mean, I think back to sort of the many generations of WANs, right? One of the biggest, the hardest application to deliver on the WAN was telephony.
Right.
It used to be phone calls between offices. And this is the most sensitive to complaints about latency and jitter.
And that sort of gave us the whole MPLS world.
Right.
Which is a gold plated service with multiple tiers of service with airtight SLAs.
And we sort of lived with that.
But that has shifted.
Communication patterns have shifted.
A lot of the communication that used to happen in organizations on voice calls is now moving to Slack and Teams, and what have you, and along with that so that some of the requirements and expectations are changing as well.
Right.
And this is causing a lot of organizations to rethink their WAN strategy, like, do I need to pay for that gold plated SLA?
Right.
If my phone usage is dropping or people are shifting more and more to mobile or personal devices and so on, right now.
One last thing.
Just the customers that we've talked to, I think that went through the experience of moving from an entirely office culture to this world really rapidly where everyone was doing all their work from home, then going back into offices.
They describe this experience of, in a lot of cases, actually doing my job is easier from home where I happen to be able to get a really good Wi-Fi connection.
We're talking right now, we're streaming this on a live streaming service just over the Wi-Fi that I have here at my house.
And so I think that experience and having gone through that, maybe not by choice, but watching it happen and then comparing sort of the office experience to at home really led lots of CIOs to kind of question that and step back and say, okay, what do we actually need this for?
And that goes for both the connectivity itself as well as a lot of the traditional security solutions that were in place across all that traffic that's sitting in the office.
So all that kind of ties back again to this new architecture model that you asked about, SASE, where you don't depend on that one location where you've got gold plated connectivity and super expensive hardware boxes enforcing that security for you there.
Cool.
I want to ask you more questions about SASE and Cloudflare One and the Magic WAN Connector itself.
But before we jump into that, one thing, one term that comes up in any WAN discussion is SD-WAN, software defined WAN, right?
What's going on there?
What's the level of adoption?
Does it solve some of these challenges as you describe?
What?
Give me a take. Yeah.
I mean, SD-WAN as a technology has been around for a while, and sort of the, this is a little bit reductionist, but a way to think about it is just smarter, easier to manage routers.
Right?
Organizations that were evolving and developing more and more complex network architectures were realizing that it was taking a lot of time and effort from their IT and network teams in order to maintain those, and spinning up a new location and connecting it to the rest of the corporate WAN took a long time.
And so the idea of software defined networking and these boxes that were smarter than a traditional edge router that gave you tools like maybe a cloud portal to go and administer all of your different places that you wanted to connect in and defined policies in order to do that, instead of being sort of confined to a command line terminal in order to make those types of changes, that was really helpful.
And the customers that I've talked to that have adopted SD-WAN say it solved a lot of problems for them.
One of those is the orchestration problem.
How do I manage all of these different locations that I need to have all connected to each other?
It also helped with last mile connectivity.
Again, when Internet connectivity maybe wasn't as freely available or was expensive, you could do some types of things like traffic shaping and say, we're going to make sure that we prioritize only the most important traffic if a link is congested.
And then it gave companies, I think, a first step towards deprecating MPLS and other forms of private connectivity in places where they didn't necessarily have those really business critical traffic workloads.
But they've also described these customers that I've talked to that have gone through this journey with SD-WAN, a lot of problems that are left over and actually some new ones that were created.
And this isn't the fault of SD-WAN, it's just some of those other changes that we were talking about, the shift of applications to the cloud and the migration of users outside of the office, changed the environment in which SD-WAN was operating such that it didn't solve the new problems that were created anymore.
Some of those were things like security: SD-WAN doesn't necessarily have security embedded.
You have to think about what additional devices are you going to put in place or what cloud security providers are you going to integrate to make sure that your traffic can flow through a stack of security policies before it goes to where it's headed, whether that's somewhere on your private network or in the public internet.
And it also didn't help with middle mile connectivity.
So if you have a presence in a branch office, you can make decisions about the best way to use your last mile Internet, the connectivity that you got from that branch.
But then what about if you're talking about the Internet, all of the hops in between that location and where your traffic needs to go?
And how do you make sure that those stay as optimal as possible and you can deal with things like congestion on the public Internet and all of those intermediary hops.
There is also this really strong promise of a big cost reduction in a return on investment, and you're going to be able to get rid of MPLS, replace it with SD-WAN, and save all this money for your organization.
And for most customers that I talked to that wasn't really delivered because in a lot of cases, because of those previous problems, the security in the middle mile optimization, they had to keep their MPLS.
And so in many cases it was in addition to their existing network spend and not this sort of loop where you could put in SD-WAN, take out MPLS, just use your Internet for everything.
And so companies have had a lot of success adopting this technology, but I view it as sort of a bridge to the architecture that we want to help customers embrace this single vendor sort of secure access service edge where instead of thinking about their network locations as kind of choke points for all this traffic, they can embrace really cloud native connectivity.
And I'm sure that's where we're headed next, or at least soon in this conversation.
Yeah, and there's some interesting stats from Gartner as well, right, in the latest Magic Quadrant for SD-WAN.
They're envisioning a massive shift toward SASE as well.
So talk to us about how Cloudflare One and Magic WAN address a lot of the problems that you just described that SD-WAN still has.
And how does it take it further?
Yeah, so Cloudflare, fundamentally, if you're not familiar with us, is a network, a really big global network.
We've got points of presence in countries all over the world, really close to users and applications.
And at each of those points of presence, we deliver a full stack of networking and security functions.
And so you can think of it as the stack of boxes that you might have traditionally had deployed in an office or a data center that's scanning your traffic, applying security policies, doing deep packet inspection, looking at where things are going and making sure that every request is authorized.
Instead of doing that in one or a couple of locations that you have to backhaul your traffic to if it isn't originating from that location.
Cloudflare actually delivers those everywhere.
Every server within our global network does all of those services, the security, the traffic optimization, etc.
And so what that means is that all customers need to do in order to get access to those services is get their traffic to the closest Cloudflare network.
And the other part that makes that much easier is that the network is not just everywhere, it's also Anycast.
So traffic from a customer network will automatically get to the closest location.
One example of this is I'm sitting here right now on my laptop in Atlanta, Georgia.
My traffic is going through Cloudflare's Atlanta location. But if I were to hop on a plane today and go visit you in San Francisco, then I would automatically connect to the closest Cloudflare location in San Francisco without having to do any of that configuration.
Or let's say that our Atlanta POP is out for maintenance.
The failover to the next closest location will happen seamlessly without our team having to do anything or configure anything in order to make that happen.
So it's not just realizing those functions, it's really making them cloud native.
And then this idea of Anycast in the network delivering those functions really helps make access to them a whole lot easier than it needed to be in traditional architectures.
Anycast is a technology that's just so simple but so powerful, right?
And we don't give it enough credit.
Sometimes it's just sort of it's a different way of looking at your services architectures, right?
There is no concept of having a primary home data center location.
There's no concept of having to do manual cutovers or doing maintenance windows.
You don't have to worry about a primary or secondary.
It's just a whole, whole network.
Right?
And there are actually some cool innovations we've done on the Magic WAN side with IPsec to make all of that work.
Can you just dive into that a little bit for us?
Yeah, sure.
So as you just mentioned, customers usually think of networking traditionally as kind of point to point, right?
I have one location and then another one that I'm going to connect to.
So I could either have like a hub and spoke where there's one central place, maybe where I've got my big expensive stack of security boxes and then I've got all of these locations that are going to connect in, or maybe I've got a full mesh where any location can talk to any other one.
But in that case, or in both of those cases, you need each location that's connected in to have awareness of where all the other ones are and establish that ahead of time.
Right. You configure, okay, here's my primary and here's my backup for how I'm going to get connected.
And with Cloudflare's implementation, the connectivity to us is automatic for Cloudflare's entire network everywhere, because the IP address, in just one example, of a tunnel on our side actually lives at every single Cloudflare location.
And so our customers do the same process that they've always done to set up connectivity to Cloudflare.
You can think of us as sort of like a hub in the hub and spoke architecture where you're just setting up one tunnel to connect to us.
But then because that IP address on our side lives everywhere, you actually get automatic connectivity to the entire network.
And then we do some pretty exciting and interesting things with propagating information.
In the case of IPsec Tunnels, for example, about security association and encryption keys and other things like that across our entire network so that whatever server a tunnel is set up on first can give information about that tunnel to all of the rest of the servers across our network.
So once you've got that initial connection, then any location can talk back to the customer network and vice versa, so that it's really incredibly redundant and resilient to any kind of failure on the Cloudflare side, on the customer side or with the Internet in between, which is really the entire point, right?
Make the Internet more reliable than it was originally built to be. Yeah.
And it just gives you that automatic failover, automatic resiliency. So if there's problems in one location or even one part of the Internet that's close to your office,
traffic is just going to seamlessly fail over to another location and users will not notice a difference.
Admins won't have to do anything, it just sort of automatically fails over.
Right.
And I think that's really, really powerful. I think it's a really cool, unique differentiator of Cloudflare Magic WAN and how we do that.
So I'm really excited about that. So let's dive in a little bit and get into the announcement today, and let's talk about what we announced.
Magic WAN Connector, and how is this different from what we had before and what kind of options do customers have now to connect, to transform their WANs?
Yeah, sure.
So Magic WAN as a product is really network level connectivity through Cloudflare.
So it's a new way to think about how to get all of your network sources and destinations talking to each other and add security policies on top.
The options that customers had previously for how to do this.
Again, to get those locations connected to the closest Cloudflare network, was to use their existing hardware infrastructure and basically standards based connectivity methods to get their traffic to us.
So that can be some kind of tunnel mechanism over the Internet like GRE or IPsec that we just talked about, where they could basically just set up one of those tunnels from their existing router or SD-WAN device, or if they're co-located with us in the same data center or in a location with one of our partner networks,
so folks like Megaport and PacketFabric, then they could also get direct connectivity into the Cloudflare network as well.
So a couple of different sort of from layer 1 to layer 3 of the OSI network stack ways to think about connectivity to Cloudflare.
But one of the things that we've heard are pieces of feedback that we've gotten from customers really consistently over the past year or so has been that they wished that there was a cloud native way, a piece of software that they could run in their own environment in order to establish that connectivity to us, make it even easier than it already is to get that traffic to the closest Cloudflare network location as close to zero touch configuration as possible.
And they describe this ideal world where they could just plug something in and then it would automatically detect the Internet connections they had available, pull down any security policies and configuration that they'd already deployed from the Cloudflare dashboard, and connect them to the closest Cloudflare network location.
And that's what the Magic WAN Connector is, and that's what it does. It's a piece of software that customers can deploy on their existing hardware or purchase prepackaged on a certified appliance that basically connects to the Cloudflare network and does some lightweight traffic shaping and steering capabilities to make the best use out of whatever Internet connectivity our customers have at their locations, so they can define policies and control these things all from the same Cloudflare dashboard that they have been using already for connectivity and security policies.
But it basically just transforms that initial experience of going from 0 to 1, from maybe a couple of minutes or hours to get configuration set up with an existing device into just a few seconds or minutes after they plug in one of these or install a virtual machine on their existing hardware.
Yeah, I'm excited about this because this is realizing the vision of a single vendor SASE solution, right? That's Cloudflare.
It's all easy to manage.
All manage from one dashboard doesn't depend on any sort of other technologies.
But I'm also excited about this for a couple other reasons. One is we saw last year in the industry some massive issues with supply chains and chip shortages that were impacting networking devices.
And we talked to a lot of customers who were impacted by that.
And we were seeing 12, 14, 15 month lead times on just basic branch routing hardware.
Right. And being forced to use a certain SD-WAN technology or a certain vendor's products.
They were kind of stuck in that.
They couldn't just swap it out right with something else.
So having something like a Magic WAN connector, which is a software package that's not tied to any specific model of hardware or version number, right.
It gives our customers a flexibility.
So if they do need to, let's say they've got 80% of their upgrades done, another 20% remaining, they can't get box X, but they can get box Y, they can run the software on it and get the project completed.
Really excited about that capability.
That simplicity is really what it's all about.
And I think the concept of SASE, the idea of it's this brand new network architecture that is really exciting.
I'm super jazzed about that, but it can also, I think for teams feel really daunting, right?
Like we're talking about major transformation. This is going to take years or it's going to be like this huge gnarly project that will take all this investment from our team just to test out one initial location.
And really what we are proving with Cloudflare One and the customer experience that we're delivering is it doesn't have to be like that.
It actually is so much better if you can approach SASE transformation incrementally.
And we've proven that with our Zero Trust network access products, where you can get up and rolling and have a user and an application secured in a matter of just minutes and actually go and test that out for free on our really generous pay as you go plans if you want to.
And now we're doing that on the network side as well and proving that you can get network level connectivity from an entire branch office or a whole data center, an entire cloud environment in just a few minutes with this connector software.
So that's what it's really about.
Give you a place that you can start, give you a quick win that you can go show to your organization.
Here's the value and then continue from there on the rest of your journey and your transformation, adopting more and more incrementally over time.
And you mentioned cloud networking.
So this is another really exciting area, right?
And that just has a lot of IT and network engineers sort of confused on what to do, what's the right solution.
All the cloud providers have their own sort of vendor specific ways of doing it.
There isn't really sort of a good multi-cloud, poly-cloud solution that ties all of these pieces together.
So now with Magic WAN Connector, you have that, right?
You can run the software in your VPC and your cloud instance on any platform, and then you can use it to bring traffic back into the Cloudflare network, use the Cloudflare network as a hub, and then sort of get all the benefits of not having to backhaul everything, the benefits of lower latency for the users, and really improve performance on your end.
And so that's really exciting.
Before we jump into kind of Magic WAN Connector and how it works, I also want to talk about, we want to give customers the maximum flexibility, and we have our Network On-ramp Partner program, right?
So we are continuing to work with partners.
We got some exciting additions in the recent past, so talk to us a little bit about that.
Sure.
Yeah. So what we've been talking about so far, just to recap, Magic WAN Connector is software you can get from Cloudflare.
So one kind of unified solution, end to end traffic flow. For customers that want to go with a multi-vendor approach, which is still really common, especially because this entire concept of single vendor SASE is pretty new to the marketplace and Cloudflare is really kind of at the bleeding edge of delivering this. If you want to go with a multi-vendor approach, if you've got a significant investment in existing SD-WAN technology, you want to keep using them,
but add the security and the middle mile traffic optimization and controls that Cloudflare gives you.
No problem.
We've got that in place and we're working with a really fantastic network of partners that are helping enable this.
And so today in our announcement that just went out, we added three new partners to the Network On-ramp Partner program, and you can go read the Cloudflare documentation or go to their websites and see instructions for how to get set up and configured
if you've got a device that's in your network already deployed from one of these partners.
And what I'm excited about is this gives customers the maximum flexibility, right?
They're not locked into any one particular approach.
You know, of everybody out there right now, there are very few sort of customers who have the opportunity to start over.
Green field, right?
And build something from scratch. So one of the hardest things for network engineers and IT admins is how do you integrate what's already there into this new architecture that you're envisioning is going to take you to a better place, but you can't just leave behind everything that's already there.
So all these onramp partnerships make it really easy for our customers to connect what they have, use the devices they have, use the hardware they have.
Another common use case I see is like, you know, customers may want to turn on additional security functions, but they have an older version of the device or the appliance and they have to get to version Y from X, and that's going to run the newer software that has all these features, and they can't do that or there's supply chain delays.
So one of the things they can do with Magic WAN and Cloudflare One is actually set up and use the same old hardware, as long as it can do IPsec tunnels connecting to Cloudflare, they can turn on all of the security functions on the Cloudflare side and get the best of both worlds, right?
So it's not a rip and replace.
They keep what they have, but they're moving the complexity, moving the harder functions, if you will, that would have otherwise had a performance impact on this little device, moving that into the cloud.
So that's really powerful and a good way to use it.
Exactly.
I think what we've seen over the past couple of years is, as people started working from home, attackers really realized that the corporate network and enterprise infrastructure represents this entire new attack landscape, and that because people are relying more and more on the Internet and making more of their previously sort of private and behind the walls of the corporate network applications more publicly available, this is a new attack vector for them.
And so new types of attacks, new vulnerabilities are coming out all the time.
And you really need a SaaS model in order to be able to enable the kind of rapid response that security teams need.
And so I think that's one of the key value propositions that customers see when they're thinking about Cloudflare from a security perspective.
As long as your traffic can get to us, any new attack type or new vulnerability that comes out that we can have a patch for in our security policies, you're automatically going to be protected for without ever having to update your software to a new version or deploy a new box to have that protection.
And our shared threat intelligence has really been a strong differentiator.
It's why a lot of customers have come to us for Zero Trust and Cloudflare One, just because of where we sit on the Internet and sort of the amount of the Internet that we serve.
It just puts us in a really good position to see threats as they happen and get advanced warning on them.
And we've got some of the smartest engineers who get involved in analyzing and researching these threats and get ahead of them.
And sometimes with some very simple managed policy rules, we can protect a good chunk of the Internet.
We see that repeatedly with threats.
We saw that with Log4j.
So that's another really exciting thing that customers would get out of out of Cloudflare One.
Right. I know we're almost out of time, but just two quick questions.
How is Magic WAN Connector priced and how can customers give it a try?
Yeah, sure.
So again, the name of the game here is flexibility and easy access to get your traffic to Cloudflare's network.
And so the software for Magic WAN Connector will be included with a Cloudflare One Enterprise subscription.
There's not an additional software fee or licenses for that.
Customers that want to purchase the packaged version, where they've got an appliance and the software preinstalled, can do that through our network of partners, and there's a cost for the appliance.
But then again, the software subscription is included with their Magic WAN.
And then there's also additional simplification of pricing, new options for bundling with our Zero Trust suite of products where you can buy networking and user based kind of solutions together that will be coming out pretty soon in this new year.
So stay tuned for those. If you want to try it out, Magic WAN Connector is in beta today and there's a link from our blog post and our press release to a sign up form that you can fill out.
And someone from Cloudflare will be in touch about how to get started with testing it out.
Thanks, Annika.
This is a really exciting announcement. I can't wait to try it out myself, and I hope a lot of our customers will take it for a spin pretty soon.
So thanks for joining us and sharing more thoughts and color on this announcement.
Again, stay tuned for more content on this.
And glad you could all join us.
Great.
Thanks, Ameet.