Introduction

Today’s applications have changed tremendously over the past few years. Traditional enterprise software runs on premise or in managed private cloud, with dedicated network links between the servers and office location. In addition, traditional enterprise users are working from branch offices using dedicated enterprise computers. In contrast, the most popular software applications of the modern enterprise have shifted toward highly connected apps and devices including mobile and IoT. The modern workforce is mobile, often on the road, on customer premises, at home or from coffee shops.  This workforce is using modern enterprise applications built on XaaS, Public cloud, Public/Private Cloud, and more.  

However, the internet infrastructure that supports these apps have changed little over this period.  As Software-as-a-Service (SaaS) applications such as Zoom Video Conferencing or Salesforce CRM today run over the public internet with no priority or “best effort” priority, users can experience congestion, latency and reliability issues, throughput throttling, and many other issues.  The result is unpredictable performance for consumers, and even more so for enterprises.

One Example of the problems with public internet infrastructure is that latency and throughput are not optimized  in the default Internet routing path.  In Figure 1 below, you will see a comparison of a file transfer over the public internet or “direct download” vs the same file downloaded using NKN’s virtual network.  The NKN network is an overlay network on top of the public internet infrastructure that opens multiple concurrent paths in order to overcome these congestion issues.  The result is 2-3x performance improvement.

Direct Download vs NKN Multi-path Acceleration
Direct Download vs NKN Multi-path Acceleration

The example above not only shows the problems that are inherent in the internet infrastructure, but also provides a glimpse into some of the solutions that innovative companies have developed to insure good performance in an uncoordinated open internet. I am calling these solutions App-centric Virtual Networks.  These companies are developing networking technologies that are enabling the next generation of highly connected applications.  In the following sections, I will further define the App-Centric Virtual Network and provide examples of benefits and use cases in which these technologies can be applied.

The App-Centric Shift

One of the biggest advantages of highly connected SaaS applications, is that they often run within an internet browser like Chrome or Firefox and do not require the user to download, install, and configure any software to setup and maintain any network infrastructure.  This gives users the ability to deploy and scale services quickly while only paying for the resources that are used.  At the same time, users expect these applications to perform as well if not better than similar standalone or on-premise applications running on dedicated hardware.  In order to accomplish this, an App-Centric network approach is required.

Let’s look at 3 different industries and see how companies in these industries applied an App-centric Virtual Network approach to adapt to modern applications and to improve their user experience.  These industries include SD-WAN, Gaming, and Network Security.

SD-WAN, Gaming, Security
SD-WAN, Gaming, Security

SD-WAN

Software Defined Wide Area Network (SD-WAN) is an application of SDN and utilizes WAN connections such as broadband internet, LTE, 5G, or MPLS to dynamically connect enterprise locations and services over large geographic areas.  One use of this technology is connecting the regional offices of an enterprise to a common company network in order to access shared internal and external applications and services.  However, with more and more of these applications becoming external SaaS services such as Microsoft Office 365 or Google G-Suite, SD-WAN solutions need to adopt a App-centric network model.

One such company is San Mateo, California based Aryaka.  Aryaka is a cloud first SD-WAN solution that uses a layer 2 meshed network with over 30 PoPs around the world.   To provide good latency and performance for its enterprise customers, the company has direct or co-located connectivity to leading IaaS, SaaS, UCaaS and other XaaS service providers including AWS, Azure, Salesforce, and more.  See Figure 2 below. 

Aryaka Mesh Network for SD-WAN
Aryaka Mesh Network for SD-WAN

Aryaka’s meshed network allows the service to optimize data flow and bandwidth for lower latency and improved performance for enterprise applications.  The data flow optimization is key to their performance.  The company has employed proxies at different segments along the data path including first, middle, and last-mile locations to provide a multi-segment optimized route.  In doing so, they have created their own overlay network to improve the performance of existing infrastructure.

Aryaka has raised $184 Million to date with its latest series F round of $50 Million completed in 2019 led by Goldman Sachs Private Capital Investing.  The company has seen tremendous growth since it was founded 2009 and services over 10 million users across 7,000+ sites.  Recognized by Gartner as a visionary in WAN Edge Infrastructure in 2019, Aryaka as of Q2 2019 held 3rd place in SD-WAN market share behind such industry titans as VMWare and Cisco.  The company offers pricing based on either predefined regions or global infrastructure with smart bundles of 10 sites within North America or Europe for less than $2,000 / mo.

Gaming

There are approximately 2.2 Billion gamers in the world from the casual gamer playing the latest Pokemon Go to the professional gamer in the highly competitive world of eSports like Fortnite.  However, for many of these players who play online, the network quality is frustrating and can even be the difference between winning or losing a match.  This frustration usually comes as the result of increased latency or lag and reliability.  Most online games need between 20-40ms for optimal performance and anything more than 100ms is considered unacceptable. Google Stadia, which is Google’s game streaming service, was measured by PC Gamer in November 2019 to be at least 125ms or higher for HD games and even higher for those in 4K.  The result was degraded video and jerky movement leading to a poor experience for gamers. 

Luckily there are a number of OTT providers that have stepped in to provide a better service for games.  One such company is Haste.

Like Aryaka, Haste built their own application centric optimized network.  However, instead of enterprise applications, they were focused entirely on online videogames.  Using a meshed network of relay servers and dedicated fiber links together with custom software for multipath transmission (see figure 3), they have been able to achieve better performance for gamers.

Haste Multipath Data Transfer for Reliable Game Play
Haste Multipath Data Transfer for Reliable Game Play

You can see from Figure 3 above, that often the default routing on the open Internet is not ideal.  Providing multiple concurrent paths increases reliability from congestion in any one area of the network, and with dedicated fiber the network can offer much lower latency.

The Haste network only supports a limited number of optimized game titles today, but the list is growing. And the gamers are clearly willing to pay for such improved gaming experience.  Haste has more than 600,000 registered users and  offers a free 14 day trial with plans starting at $10/month.

Secure Access Service Edge – SASE

While SD-WAN and Gaming are examples of App-centric Virtual Networks for performance, SASE takes the same approach for security.  SASE brings together many of today’s network security features such as Firewall-as-a-Service and Zero Trust and provides a holistic security solution for cloud native applications.  These capabilities are delivered as a service based on the identity of the application, device, or user as well as real-time context and security policy.  See Figure 4 below.

Secure Access Service Edge - SASE
Secure Access Service Edge – SASE

The main benefit of SASE is that it applies security directly to the application regardless of where that user is on a public or private network.  This is important as enterprises and consumers use SaaS services in ever greater numbers and are more mobile than ever. Traditional network domain based security is no longer enough: e.g. security policy based on Intranet versus Internet.  For this reason, SASE is often associated with SD-WAN networks since these networks combine public and private network resources to create their overlay networks.

Among the players providing SASE services today, Palo Alto Networks has a history of being at the forefront of cloud security.  Palo Alto Networks, made famous for their Next Generation Firewall (NGFW), was one of the first to combine firewall, filtering, intrusion prevention, and application security with deep packet Inspection all in a virtualized offering in the cloud.  The company offers the Prisma Access SASE solution (see Figure 5) built on their own cloud platform with 100+ locations across 76+ countries.

Palo Alto Networks Prisma Access SASE Solution
Palo Alto Networks Prisma Access SASE Solution

Solutions like Prisma Access are SaaS services that can be integrated into any hybrid cloud environment to provide application security for your organization anywhere you are connected.  Palo Alto also recently purchased SASE vendor, CloudGenix, for $420 Million in March 2020 to help strengthen Prisma Access to offer a combined platform for complete SASE service. They take an App-centric approach to supporting security in the virtual network and cloud.

Prisma, which was launched in 2019, consists of Prisma Access, Prisma Public Cloud, Prisma SaaS, and VM-Series has approximately 9,000 enterprise customers.  The SASE component, Prisma Access is priced based on bandwidth in increments from 2 Mbps to 1000 Mbps and users with tiers from 200 to 100,000 users.  In Q4 2019, Palo Alto Networks touted their first over $10 Million deal for Prisma Access, further helping to solidify their expansion into the SASE market. 

Conclusion

The trend toward SaaS services on open Internet for both enterprise and consumers has accelerated, and these customers expect the same performance for cloud applications as is available for native local applications.  However, the Internet was not designed for these highly connected applications.  Application developers that rely solely on the open internet to provide their connectivity will be met with congestion, latency, and reliability issues.  Therefore, a new kind of application focused approach to networking is needed, hence the App-centric Virtual Network.

The App-centric Virtual Network creates a software overlay using existing Internet infrastructure as well as dedicated network resources to enhance the performance or provide new functionality for cloud applications like SaaS.  Such a more dynamic network layer can improve performance and security for many applications for Enterprise SD-WAN, Gaming, and Security.   Companies working on app-centric virtual network have seen great success in offering market solutions in these areas: for example Aryaka, which provides a mesh overlay network for better application performance for enterprise, Haste, using multi-path to enhance online gaming reliability, and finally Palo Alto Networks, enabling SASE in SDN/cloud environments.

Application developers should take advantage of these new App-Centric Virtual Networks to provide the best experience for their customers.  A good way to get started is with the free and open source SDK from NKN, which offers developers a performance optimized virtual network service for true peer to peer messaging, streaming, and file transfer.  With App-Centric Virtual Networks from NKN and others, developers can focus on what they do best, creating amazing applications while ensuring the best network performance.