VeloCloud's cloud-delivered or on-premises software-defined WAN (SD-WAN) assures enterprise and cloud application performance over Internet and hybrid WAN while simplifying deployments and reducing costs. VeloCloud provides an architecture that decouples the network control, management, and forwarding functions; enables network control to be directly programmable; and abstracts the underlying infrastructure for applications and network services. The business policies implemented by the logical overlay abstract application flows and become independent of the underlying physical transport.
The architecture includes three layers: Cloud Network, Virtual Services Delivery, and SD-WAN Services Orchestration.
Cloud Network
Data center backhaul penalties are eliminated with a cloud-ready network, providing an optimized direct path to public and private enterprise clouds. Secure SD-WAN overlay tunnels (Edge-to-Edge or Edge-to-Cloud) enable access to enterprise and cloud applications such as traditional DC-hosted, Software as a Service (SaaS), and Infrastructure as a Service (IaaS).
Virtual Services Delivery
The branch office footprint is reduced with single-click, seamless insertion and chaining of virtualized services on premises or in the cloud. The services provided by VeloCloud include DMPO, Cloud VPN, routing, segmentation, NGFW, and voice quality monitoring; services can also be offered by third parties, such as cloud web security.
SD-WAN Services Orchestration
Low-touch branch network deployment is enabled by automation and business policy-based orchestration. VeloCloud provides a complete cloud-delivered solution that considerably simplifies the WAN by delivering enterprise-grade performance, visibility, and control over both Internet and private networks, combining the economy of the Internet with the flexibility of the cloud. The solution enables per-packet application traffic steering between the multiple underlays without session interruption, subsecond failover, and link remediation.
- Application performance optimization for virtual private instances at IaaS/PaaS/SaaS destinations.
- A range of both real-time and historical connectivity and application information.
- Remote diagnostics tool to confirm LAN/WAN reachability and access through the Cloud Gateway to both SaaS and external VPNs.
VeloCloud SD-WAN Edge (VCE)
The VMware SD-WAN Edge device provides a no-touch solution that is configured in the Orchestrator interface and can be implemented in the remote location without the help of network technologists.
This dynamic device is connected to Internet ISP or MPLS networks and balances the load across the links or provides routing received from the Orchestrator.
Connection services to traditional DC, SaaS, or IaaS are provided in a secured and managed method.
VeloCloud SD-WAN Gateway (VCG)
The VeloCloud network consists of gateways that are deployed at top-tier network points-of-presence and cloud data centers around the world, providing SD-WAN services to SaaS, IaaS, and cloud network services as well as access to private backbones. The VCGs can also be hosted in the Control site Data Center.
The primary function of the gateway is to perform SD-WAN control plane functions including highly scalable route distribution. Also, the gateways provide the advantage of an on-demand, scalable, and redundant cloud network for optimized paths to cloud destinations. These gateways when deployed on-prem can be managed by the central IT team. They are designed to be secure, resilient, and redundant.
Each Edge device, once activated, automatically discovers the nearest VCG and also connects to any other VCG needed to establish VPN and cloud connectivity. Each gateway has over 10 Gbps of peering capacity.
VeloCloud SD-WAN Orchestrator (VCO)
VMware SD-WAN Orchestrator provides centralized enterprise-wide management configurations and real-time monitoring, as well as orchestrates the data flow into and through the SD-WAN overlay network. Also, it provides the one-click provisioning of virtual services across Edges, in centralized and regional enterprise service hubs and in the cloud.
VeloCloud Network Segmentation
Segmentation is the process of dividing the network into logical sub-networks called Segments by using isolation techniques on a forwarding device such as a switch, router, or firewall. Network segmentation is important when traffic from different organizations and/or data types must be isolated.
In the segment-aware topology, different Virtual Private Network (VPN) profiles can be activated for each segment. For example, Guest traffic can be backhauled to remote data center firewall services, Voice media can flow direct from Branch-to-Branch based on dynamic tunnels, and the PCI segment can backhaul traffic to the data center to exit out of the PCI network.
- Macro Segmentation:
  - Site Segmentation: At the macro level, segmentation involves dividing the network into separate sites or locations, such as edge sites, data centers, or cloud environments. Each site may represent a substation of the Utility Customer, and macro segmentation allows for isolation and independent management of traffic between these sites.
  - Service Segmentation: VMware VeloCloud SD-WAN enables the creation of separate service domains within each site. These service domains can represent different business units, departments, or types of traffic (e.g., voice, video, data). Macro segmentation at the service level allows for tailored network policies and traffic management based on the specific requirements of each service.
- Micro Segmentation:
  - Application Segmentation: Micro segmentation involves further dividing the network within each site or service domain based on specific applications or application types. VMware VeloCloud SD-WAN supports application-aware policies that allow administrators to define granular rules for traffic handling, QoS, and security based on application characteristics.
  - User Segmentation: Micro segmentation can also extend to user-level policies, where access controls and permissions are enforced based on individual user identities or user groups. This enables organizations to implement role-based access control (RBAC) and enforce security policies tailored to different user roles or departments.
Key features and benefits of macro and micro segmentation in VMware VeloCloud SD-WAN include:
- Enhanced Security: Segmentation helps improve network security by limiting the scope of potential attacks and reducing the impact of security breaches. By isolating traffic between sites, services, applications, and users, VMware VeloCloud SD-WAN helps prevent lateral movement of threats within the network.
- Optimized Performance: Granular segmentation allows for the prioritization and optimization of critical applications and services, ensuring they receive adequate bandwidth and performance. VMware VeloCloud SD-WAN dynamically adapts to network conditions to maintain optimal performance levels across segmented traffic.
- Simplified Management: The centralized management interface of VMware VeloCloud SD-WAN provides administrators with visibility and control over macro and micro segmentation policies from a single dashboard. This simplifies policy configuration, monitoring, and troubleshooting across distributed network environments.
- Compliance: Segmentation enables organizations to enforce regulatory compliance requirements by implementing access controls, data separation, and security policies tailored to specific segments of the network.
To configure the segments through VeloCloud Orchestrator, see the topic Configure Segments, located in the VMware VeloCloud SD-WAN Administration Guide.
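The segment-aware topology described above (Guest and PCI backhauled to the data center, Voice direct between branches) can be modelled as one forwarding table per segment, where the lookup key is the segment first and the destination second. The following is an added illustration, not VeloCloud code; the segment names, prefixes and path labels are constructed for this example.

```python
"""Segment-aware overlay forwarding model (illustration only, not VeloCloud code).

Each segment owns its own route table. A packet is looked up only in the table
of the segment it was classified into, so a Guest packet can never match a PCI
route, even when both segments reuse the same private address space.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    path: str  # overlay path label, e.g. "backhaul:DC1" or "direct:Branch-B"


class SegmentTable:
    def __init__(self) -> None:
        self._tables: Dict[str, List[Route]] = {}

    def add(self, segment: str, prefix: str, path: str) -> None:
        self._tables.setdefault(segment, []).append(
            Route(ipaddress.ip_network(prefix), path))

    def lookup(self, segment: str, dst: str) -> Optional[str]:
        """Longest-prefix match, restricted to the packet's own segment.
        Returns None when the segment has no matching route (dropped)."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self._tables.get(segment, []):
            if addr in route.prefix and (
                    best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best.path if best else None


def build_example_table() -> SegmentTable:
    """Constructed policy mirroring the segment topology in the text."""
    table = SegmentTable()
    # Guest: everything is backhauled to the data-center firewall services.
    table.add("Guest", "0.0.0.0/0", "backhaul:DC1")
    # Voice: media to the peer branch goes direct over a dynamic Edge-to-Edge
    # tunnel; anything else follows the default back to the data center.
    table.add("Voice", "0.0.0.0/0", "backhaul:DC1")
    table.add("Voice", "10.20.0.0/16", "direct:Branch-B")
    # PCI: only the card-data hosts are reachable, via the data center, and
    # there is deliberately no default route, so nothing exits elsewhere.
    table.add("PCI", "10.99.0.0/24", "backhaul:DC1")
    return table
```

The same destination address resolves differently per segment, and a PCI packet to an address outside the card-data prefix has no route at all.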
VMware VeloCloud SD-WAN Enhanced Firewall Service
VMware VeloCloud SD-WAN™ Enhanced Firewall Service is an important building block of the overall VMware VeloCloud solution. This service, based on proven VMware NSX security technology, is built into physical and virtual VMware VeloCloud SD-WAN Edges. The service improves performance and eliminates the need for legacy firewalls at branch locations, while also providing comprehensive security. Like all components of VMware VeloCloud SASE™, secured by Symantec, Enhanced Firewall Service management is integrated into the VMware Edge Cloud Orchestrator, simplifying operations and avoiding the need for separate security management.
To configure the firewall in the VeloCloud environment, see the topic Firewall Overview, located in the VMware VeloCloud SD-WAN Administration Guide.