Look ma, no MPLS!

One of the big dollar technology items organizations like mine will likely look to kill in the next few years are MPLS networks, private lines, point to point T1s, T3s, you know, the 1990s-2000s way corporations connected HQ & Branch Offices securely over the internet. I’ve worked on such networks for all of my career, from being nervous around the dusty old Cisco router with a T-1 WIC card at my first post-college job to being part of a team that deployed 100MegE, 10MegE and T-1s to branch offices in dozens of spots around the world.


For all the hype about the “Cloud,” this is one area that doesn’t get a lot of attention. And it should. Because in many cases, emerging and established technologies could lead the way to saving thousands, tens of thousands or even hundreds of thousands of dollars per month.

Take a look at your IT spend. I bet leasing private lines over commercial carriers is a big part of it, and potentially a huge part of it if you use a managed MPLS service. In some cases, it might even cost as much as one or two FTEs! Certainly the business would be happy to get some of that spend back if it were possible to merge the security, privacy and SLA-backed service of a leased line with the rapid time-to-deploy, ubiquity and ease of provisioning a standard internet circuit or two at a remote office.

This is the model you grew to love and hate over the last 10-15 years if you cut your teeth in corporate IT with Microsoft. Providing software for this topology that was redundant and survivable was Microsoft’s bread and butter during the late Gates era and much of the Ballmer era.

A typical Active Directory instance spread over a WAN using ipv4, private lines, firewalls, NAT, and routers. A focus on keeping the Internet out, the duality of LAN vs WAN, NAT rules and DMZ. All the classics are here. If you were lucky, in the early days before people really understood QoS, you got to experience the joy of backhauling Internet from Site B to Site A and the resulting crush on business traffic.

Models like this had their problems: expensive, prone to failure, and slow in the days before Ethernet circuits. You had to buy a bunch of equipment and outfit each site too, which meant more licenses. But this model could scale relatively well, at least for SMEs.

And while the architecture above looks positively archaic if you’ve got your head buried deep in SDN and such, it’s still in use in a lot of SMEs around the world. I’d even go further and say 9 out of 10 enterprises still think of network architecture in the context of Inside vs Outside. And who can blame them? At least you can control what’s inside your network, and it’s useful to think of it in that context.

But cloud providers from Amazon to Google to Azure have failed to abstract this model to the cloud, or to build a hybrid model that offsets this model’s shortcomings. Oh sure, you could move your TLD to Google Apps today and be done with it, but you’ve got a bunch of IT generalists & employees who are aces on Microsoft products. And you like the control and manageability of AD.

All you want to do is kill your expensive monthly leased circuits and effectively put your AD on the internet with proper security & robust A/B internet links, or hire Azure to do that for you. But you’re out of luck because believe it or not, this is how you go from on-prem AD to something else with Azure, ipv6, and all the new shiny stuff we’ve been talking about for the last few years:


You see that? This graphic, ripped off from Azure somewhere, shows how you move your enterprise to the cloud. You tack on another f*(#$#$ VPN device and federate against Azure! And your remote workers? They VPN into Azure or via Remote Access! Hurray, our problems are solved! Why didn’t I think of adding another VPN point-to-point device!

O365 with Azure offers much the same:


Not one, but two clouds to federate against now! What’s not shown in this topology is that your end users aren’t sitting in an Azure cloud as in the diagram; they’re on prem, behind your old ipv4 firewall & router, fat, dumb and happy to be “at work” where their “work stuff” is located. And you’re in your office, jamming through Technet links on provisioning, assigning and deploying certs correctly, tearing your hair out.

Is this the best Azure and all the rest can do? Can’t the Cloud guys figure out a way for me to have my cake and eat it too: to move my Active Directory instance to a cloud provider, kill my premium, high-cost, inflexible, slow-to-deploy leased circuit inventory, end the LAN/WAN duality that haunts us all, and save me from buying server iron for offices with only a handful of people?

So far I don’t think Azure is compelling enough and it’s for the reason above alone. Cheap storage? Sure. Scalable compute? Take my credit card! But while the spillover effect from MS’ experience running Azure is evident in 2012 R2, it’s all one way. Microsoft is learning a bunch of stuff about how to run multi-tenant data facilities that ends up in my hands, but their knowledge of plain vanilla Active Directory on a WAN isn’t being reproduced in a compelling way in Azure.

End result: Keep my expensive leased lines. What a fail.

That’s why I’m excited and optimistic about network startups like Pertino. Pertino offers a brain-dead simple ipv6 service that traverses consumer or enterprise NATs, connects computers over an ipv6 network, and even allows you to run Active Directory over it. Genius!

They’re a startup, yes, and they require a piece of software on the PC, which skeptics would point out is not different at all from a VPN client (they’re right), and I don’t think this particular product could scale far and wide yet. But it works. You can run AD and get to domain resources from a remote device on the internet. No Direct Access needed, no VPN devices, no routers, no goddamn certs, no worrying about subject alternative names and no waiting on some provider to stand up a VPN between my house and the server in Virginia.

If you’re an IT Generalist, the potential is this: It’s the Active Directory you know and love. On the fucking internet. Right now.

Last night I stood up a demo of 2012 R2 on my Hyper-V client at home, built a domain at home behind my Netgear wifi router, then built another Windows box on AWS somewhere in Virginia, installed the Pertino client on both of them and bam! Just like that, for free, I had two domain controllers pinging, authenticating, routing over ipv6, no leased lines necessary. It just worked.

I’m not a networking guy (to the extent that any virtualization engineer is not a networking guy), so I don’t know how exactly it worked, couldn’t tell you if 6-to-4 was used or pure ipv6, all I can tell you is that I have an Active Directory instance on the internet with just a small client application.
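The open question above, whether the overlay ran 6-to-4, Teredo or native ipv6, is worth answering before you trust domain traffic to it, because transition mechanisms relay through third-party hosts. The small check below is an added example, not code from the post or from Pertino: it classifies the ipv6 addresses an adapter reports using only Python’s standard library; the sample addresses are constructed.

```python
import ipaddress

# Transition mechanisms carry an embedded IPv4 address; native global
# and unique-local (ULA, fc00::/7) addresses do not.
ULA = ipaddress.IPv6Network("fc00::/7")


def classify_ipv6(addr: str) -> str:
    """Return a label describing how an IPv6 address was most likely obtained."""
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped is not None:
        return f"ipv4-mapped ({a.ipv4_mapped})"
    if a.sixtofour is not None:                  # 2002::/16
        return f"6to4 (embedded IPv4 {a.sixtofour})"
    if a.teredo is not None:                     # 2001::/32
        server, client = a.teredo
        return f"Teredo (server {server}, client {client})"
    if a.is_link_local:                          # fe80::/10, never routed
        return "link-local"
    if a in ULA:                                 # private overlay space
        return "unique-local (ULA)"
    if a.is_global:
        return "native global"
    return "other/reserved"


def classify_adapter(addresses: list[str]) -> dict[str, str]:
    """Classify every address an adapter reports, keyed by address."""
    return {addr: classify_ipv6(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample: what an overlay adapter and a LAN adapter might show.
    sample = [
        "fe80::1c2a:3b4c:5d6e:7f80",              # link-local
        "2002:ac1d:2d64::1",                       # 6to4 for 172.29.45.100
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo (RFC 4380 example)
        "fd12:3456:789a::10",                      # ULA, typical for overlays
        "2a00:1450:4001:80e::200e",                # native global
    ]
    for addr, kind in classify_adapter(sample).items():
        print(f"{addr:40} {kind}")
```

On Windows, `Get-NetIPAddress -AddressFamily IPv6` lists the per-adapter addresses to feed into `classify_adapter`.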


If I can figure out how to engineer this with existing stuff, or if Pertino can scale and really build this technology out, I could eventually kill my leased lines. Game change.

Author: Jeff Wilson

20 yr Enterprise IT Pro | Master of Public Admin | BA in History | GSEC #42816 | Blogging on technology & trust topics at our workplaces, at our homes, and the spaces in between.
