Network as a Service (NaaS)BlogGraphiantSoftware Defined WAN (SD-WAN)MPLS and Segment RoutingSASENetworkingSecurity Transformation
Blog7 minute read

Bringing Network as a Service to Market

Graphiant provides a core backbone with full mesh connectivity (no tunnels), high bandwidth and low latency.

In this blog

Networking is more complex than ever. 

Expertise is in short supply.

Time is at a premium.

Security is a mandate.

Graphiant provides a next-generation private network delivered as a service that addresses these realities.

It has been a long time since your only concern was connecting your enterprise locations. Today there is an increasing requirement to connect to multiple clouds, an expanding number of partners, and Security Service Edge (SSE) solutions. Current wide area network (WAN) networking solutions provide flexibility to address your connectivity requirements at the cost of complexity, requiring high levels of expertise, which is in short supply.

Graphiant provides a core backbone with full mesh connectivity (no tunnels), high bandwidth and low latency. With the core, there is no design or deployment required. You turn up an edge node and connect it to the Graphiant Core, set your traffic and security policies, and the core provides any-to-any connectivity by default allowing Graphiant to remove complexity and save time when connecting new locations.

Expanding connectivity increases your attack surface, mandating a solid security posture. Graphiant helps; it encrypts all IP packets at the ingress edge and only decrypts at the egress edge. Graphiant segments enterprise traffic in this multi-tenant environment, and all connections between the edge and the core are authenticated and checked for integrity. Thus ensuring you have a private and secure WAN.

Graphiant's Network as a Service provides the agility and rapid deployment required by today's business, while simultaneously removing complexity and delivering fast, optimal and secure connectivity. You have connectivity in minutes, not days or weeks.

 Solving existing challenges for wide area networking

Three use cases are driving the Graphiant solution:

  • Network edge – facility to core connectivity
  • Business to business – connecting at scale without large numbers of IPsec tunnels
  • Cloud – integrated access to cloud services

Let us start with a primer on the architecture to understand how Graphiant provides a differentiated solution for these use cases and the explicit problems it solves.

Figure 1 High-level architecture view
Figure 1 High-level architecture view

 What are the fundamental building blocks to the solution?

Two core building blocks comprise the solution: the orchestration and control block and the network element block.

Figure 2 Core blocks of Graphiant architecture
Figure 2 Core blocks of Graphiant architecture 

The first core building block is the cloud-delivered orchestration and visibility platform, comprised of three functional elements hosted in the Graphiant Cloud Portal and accessed through the Internet.

Figure 3 Graphiant's Cloud Portal
Figure 3 Graphiant's Cloud Portal

The Orchestrator

Providing an onboarding server that validates, authenticates, and assigns certificates to onboard Edges into the Graphiant network.

The Manager

Provides management of edge devices and policies with software upgrade capabilities and visibility tools.

The Controller

Is the Control plane device that's responsible for advertising, updating, and connecting routes between Graphiant Edges

The second core building block is the network elements block comprised of three elements.

Figure 4 Graphiant's three network elements
Figure 4 Graphiant's three network elements

The three network elements that comprise the architecture are:

The Core:

A Core that never decrypts customer traffic.

Graphiant's Core is a stateless, multi-tenant, fully visible and programmable environment allowing on-demand site-to-site connectivity. The Core is a full mesh with no over-subscription and configurable QoS queues providing the ability to keep latency at a minimum while delivering SLAs and guaranteed delivery.

The Core leverages IPv6 SRv6 (segment routing) to enable traffic routing and policy via embedded metadata. Metadata is embedded in a Graphiant label applied at the Edge device. Tenant segmentation is provided within the Core, keeping traffic private and preventing crosstalk. Also, a tenant's macro segmentation can be maintained across the Core.  

Edge(s):

The Edge is an on-premises software deployed on a physical or virtual device and is a connection point from the customer facility to the Graphiant Core. The Edge device provides several functions. Connection authorization to the Core, integrity checks and encryption of all user packets, and attaching a Graphiant metadata label for routing information and policy application within the Core. Encryption is at scale, unlike traditional IPsec.

Virtual or cloud edges can also be provisioned within a public cloud provider infrastructure, extending the network from the customer premise into the Cloud.

Gateway(s):

Gateways provided connectivity to non-Graphiant subscribers, such as Secure Service Edge (SSE) providers or B2B connectivity from Graphiant subscribers to non-Graphiant subscribers. The gateway uses a traditional IPsec type connection.

No gateways are needed when both business partners are Graphiant subscribers, and they can communicate Edge to Edge after setting policies.

 Understanding how Graphiant delivers the three use cases

Armed with the basics of the architecture, it should be apparent in how Graphiant provides a differentiated solution that addresses many of the problems with today's networks.

 Network Edge

Connecting Enterprise locations is accomplished simply by connecting Edge devices to the Core. The Edge device provides end to end encryption and segmentation and NGFW capabilities. The Core provides any to any connectivity with SLAs.

Figure 5 Network Edge with encryption and segmentation
Figure 5 Network Edge with encryption and segmentation

 Business to business

Graphiant offers two scenarios for B2B connectivity.

  1. Graphiant subscriber to a non-Graphiant subscriber.
  2. Graphiant subscriber to Graphiant subscriber.

The first scenario requires using a gateway hosted in the Graphiant Core. The Non-Graphiant Business leverages one IPsec tunnel to connect to the gateway or two for redundancy. Note these IPsec connections terminate on the gateway and do not extend into the core. 

No longer is it incumbent on the Graphiant subscriber to manage myriads of IPsec tunnels. 

It is also the same for the non-Graphiant subscriber; they can use those same IPsec connections to connect to more than one business partner across the Graphiant core.

Figure 6 B2B connectivity with Graphiant's gateway
Figure 6 B2B connectivity with Graphiant's gateway

In the second scenario, both businesses are Graphiant subscribers, meaning they are already connected to the core via Edge devices.

Figure 7 B2B with Graphiant subscribers requires just setting policy
Figure 7 B2B with Graphiant subscribers requires just setting policy

In both scenarios, the businesses cooperate to define the policies on the marketplace portal. This is a service publisher and service subscriber concept, allowing both parties of the B2B to either place (publish) a service or subscribe to one.

All policies are applied at the edge device, leveraging the metadata tags for the routing, policy and segmentation.

 Cloud connectivity

We will cover three of the several options when providing cloud connectively.

In the first scenario, Graphiant offers cloud connectivity as a service. Graphiant leverages the Graphiant gateway hosted in the Core and connects the gateway privately to clouds via Direct connect AWS, Express Route Azure, and Cloud Interconnect Google.   

This option enables the Enterprise to have lower egress charge from the cloud providers, which alleviates the high cost of cloud consumption via Internet connectivity that SD-WAN vendors deploy today.

Figure 8 Graphiant offers Direct Connect - Express Route - Cloud Interconnect
Figure 8 Graphiant offers Direct Connect - Express Route - Cloud Interconnect

In the second scenario, you turn up a Graphiant Cloud edge and connect using the Internet.

Figure 9 Leveraging Graphiant Cloud Edge
Figure 9 Leveraging Graphiant Cloud Edge

There are other, more traditional scenarios like turning up a Graphiant edge in Equinix. The WAN side of the edge connects to the Graphiant Core, and the LAN side leverages Equinix Fabric for access to cloud providers and the internet in general.

Figure 10 Equinix

 Conclusion

Traditional solutions such as MPLS and SD-WAN continue to struggle with modern network topologies that are no longer made up of fixed locations. Rather than putting a band aid over current solutions, the creators of Graphiant saw the need for protocol innovation. 

Graphiant provides a next-generation private network delivered as a service. Think of it as your own personal, secure internet. You do not need to design, deploy, or maintain the solution. By bringing up the edge, and setting traffic and security policies, you will be able to quickly and easily solve for enterprise, business-to-business and cloud connectivity in your environment.

Figure 11 Graphiant Network as a Service
Figure 11 Graphiant Network as a Service

In conclusion, by providing any-to-any connectivity on demand in a predictable "pay-as-you-go" model, Graphiant's Network as a Service saves time and money while providing secure optimal connectivity.

Technologies