Published on 05/08/2022
Last updated on 03/21/2024

Tell your SD-WAN about your Service Mesh External Services!


Enterprises and the WAN

Interconnecting an enterprise's many locations and sites (headquarters, branches, cloud regions, colocation facilities, etc.) is critical for its business. The need for interconnectivity has exploded recently, with a pressing need to provide high-quality connectivity for remote users and to support the growing number of applications deployed at the edge. Now more than ever, enterprises are therefore looking for a strong wide area network (WAN) that fulfils these requirements. Traditional WAN technology, however, has struggled to keep up with the agility and efficiency at scale that these new scenarios demand.


As a result, many enterprises have turned to more modern, flexible, and cost-efficient ways of building WAN interconnections. If you have been involved in enterprise networking in the last few years, chances are you have come across Software Defined WAN (SD-WAN). SD-WAN takes the requirements of traditional WAN networks and addresses them with the capabilities enabled by the Software Defined Networking (SDN) paradigm. In an SD-WAN solution, data plane elements ("SD-WAN edges") are deployed at enterprise sites to form a networking fabric between the locations, all driven from a central SD-WAN controller that oversees and remotely configures the WAN deployment. This controller centralizes the state and management of the network, which allows single-pane-of-glass monitoring and eases the configuration of routing and policies. Centralization also brings strong programmability and makes it possible to expose a well-defined Application Programming Interface (API) for the wide area network. The result is SD-WAN solutions that are API-first and enable a depth of programmatic automation unseen in traditional WAN technologies.

SaaS optimization via SD-WAN

With Software as a Service (SaaS) now part of the backbone of modern enterprises, optimizing SaaS connectivity is one of the key features provided by SD-WAN solutions. Different SD-WAN vendors use different names for their "SaaS optimization" features; in the Cisco SD-WAN solution, for instance, it is called "Cloud OnRamp for SaaS". Regardless of name and implementation details, all share the same goal: optimizing the traffic from the SD-WAN sites to the remote SaaS applications.

Before moving forward, let's double click on how an SD-WAN can optimize SaaS traffic. The first aspect to understand is how SaaS applications are typically offered. SaaS providers put a lot of effort and resources into being available at multiple locations, trying to be as close as possible to their consumers. Still, they are typically not locally present at each and every enterprise site, and it is often not trivial to select, from a given enterprise location, the optimal entry point among the many available for a given SaaS service. Contrary to intuition, the closest SaaS frontend is not always the best one. This is where SD-WAN can help. Just as SaaS frontends are present at multiple locations across the SaaS provider's footprint, SD-WAN edges are present at multiple sites across the enterprise footprint. Enterprises can leverage these SD-WAN points of presence to probe, monitor, and find the best entry point for each SaaS from every enterprise location.


The detailed operation typically works as follows. For each SaaS of interest, each SD-WAN edge monitors the connectivity towards its closest SaaS frontend (i.e. the one the SaaS provider returns when queried from that edge). In addition, if a given SD-WAN location has multiple Internet links, which is common for many enterprise locations, the SD-WAN monitors SaaS connectivity through each of these links. This gives the SD-WAN an excellent view of what connectivity towards that particular SaaS looks like from that particular edge. Information from all edges is then aggregated across the SD-WAN points of presence, resulting in a detailed view of SaaS reachability across the whole enterprise network. This knowledge is used to compute the best connectivity path from any given enterprise site to any given SaaS application. For one site the result might be to break out locally to the Internet over a particular ISP; for another, the best option might be to tunnel the traffic to a remote SD-WAN gateway where SaaS connectivity is better and break out to the Internet from there.

A final note: some SaaS services (such as Microsoft 365) go even further and can publish information about their service endpoints, from their own vantage point, to SD-WAN controllers. This shows how important SaaS optimization is for the user experience, especially for applications where low packet round-trip times are critical (such as real-time document editing).

Modern Applications, Kubernetes, and Service Meshes

Let's switch gears for a moment. So far we have discussed what modern enterprise connectivity looks like and how to optimize it, but "what" is being connected? Which entities connect to the network in the branches, the enterprise headquarters, and so on? Certainly, at the various enterprise locations there are people (end users), but there is also a fair number of applications running there. And just as building enterprise connectivity has evolved, building enterprise applications is evolving as well.

Kubernetes and the microservice pattern have disrupted the application arena in recent years. What started as a way to build applications in the cloud has spread beyond the cloud and is becoming a popular framework for running modern composable applications. This includes applications that enterprises run at their sites, in their data centers and headquarters, but also at branches and remote locations (sometimes referred to as edge computing). As more enterprises move their legacy applications to cloud native and microservice patterns, Kubernetes is gaining a foothold in the enterprise space as well. And not only Kubernetes: other cloud native tools such as Service Meshes are being adopted too. Like others, enterprises take advantage of Service Meshes for improved observability, easier deployment and testing of microservices, enhanced security, etc.

Just as enterprise users rely on SaaS, so do enterprise applications. This is particularly true for composable applications, where SaaS services are in some cases an integral part of the application backend. Since applications at enterprise sites also depend heavily on SaaS, they can benefit from SaaS traffic optimization as well. This is especially important for applications at the edge (e.g. branches and remote locations), where Internet connectivity may not always be ideal. There, an SD-WAN can help compensate for imperfect connectivity by providing "SaaS optimization" services.

SD-WAN optimization for Service Mesh External Services

Let's then explore how to optimize SaaS traffic for the applications running at enterprise sites. There are a few important aspects to consider. The first challenge is knowing which particular SaaS an application consumes. For the SaaS consumed by end users, the list of what to optimize typically comes from the IT department, which knows which SaaS services enterprise users rely on and which should be optimized. Applications add an extra challenge: they may consume less common SaaS services that go beyond the somewhat short list of SaaS applications end users consume. Most SD-WAN solutions come with pre-defined lists of SaaS applications for which optimization can be enabled, so network administrators only need to select from that list according to the needs of their users. Defining ad-hoc SaaS applications for the SD-WAN to monitor is possible, but the networking team then needs to provide extra information (e.g. the HTTP(S) endpoint to probe). An example of such a custom SaaS application configuration can be seen in the figure below.


How, then, can the SD-WAN controller be programmed with the right information about the SaaS to optimize and its associated metadata (i.e. endpoints to probe, etc.)? One way is for the networking team to gather application dependencies from the application team and extract the parameters from there. This process, however, is time consuming and hard to scale. So rather than putting the application team on the phone, is there a way to automate it?

Luckily, if the applications are built with modern tools such as a Service Mesh, the information needed to enable SD-WAN SaaS optimization can usually be found in the Service Mesh configuration, as part of the definition of Egress policies and External Services. Defining Egress policies and External Services is a practice commonly used for security reasons across different Service Mesh solutions: they control how services that are part of the mesh may connect to services outside it. (Note that this is only an enforcement point if the mesh is configured to deny unregistered egress; in Istio, for example, a ServiceEntry restricts outbound traffic only when the mesh's outbound traffic policy is set to REGISTRY_ONLY rather than the default ALLOW_ANY.) The figure below shows a couple of examples of these configurations, one from Open Service Mesh and another from Istio. From these configurations we can extract a few key pieces of information: which External Services are defined in the mesh, and the hostname and port each one uses. Since External Services are in many cases roughly equivalent to SaaS, this is exactly what is needed to enable SaaS optimization (even for uncommon SaaS) in the SD-WAN.


Open Source brings it all together: the Egress-Watcher

So far, we have identified the information we need to extract from the Service Mesh, and we know how to use it for SD-WAN SaaS optimization. One last piece is missing: automation. To keep up with the pace of cloud native application infrastructure, we need to minimize human intervention and instead rely on SD-WAN APIs to automatically populate the configuration required for SaaS optimization. To that end, we have created a new open-source project under the umbrella of the Cloud Native SD-WAN initiative (CN-WAN) to extract this information and automate the workflow. We call it the "Egress-Watcher".


The "Egress-Watcher" is a small component that can be dropped into a Kubernetes cluster. Its role is to watch for new or updated Egress configurations that contain information about external services, and to convert them into SD-WAN SaaS optimization configurations that are then programmed via API into the SD-WAN controller.


The Egress-Watcher implements the end-to-end automated workflow needed for SD-WAN SaaS optimization. When an external service is defined in the Service Mesh of a Kubernetes cluster at an enterprise site, the SD-WAN serving that site is automatically configured to start probing and optimizing connectivity towards that external service. The figure above gives the whole picture: the Egress-Watcher monitors the service mesh and programs the SD-WAN controller to optimize SaaS connectivity over the three different paths (A, B, C) connecting the campus/branch to the SaaS services: Direct Internet Access (DIA), Data Center, or Co-Location facility.
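To make concrete what the watcher has to extract from the mesh (the External Services section above) and what it then has to reconcile against the SD-WAN controller (this section), here is an added Python illustration. It is not the Egress-Watcher's own code: the ServiceEntry manifests are constructed sample input shaped like real Istio resources, the app-name scheme is a hypothetical choice, and the SD-WAN side is reduced to an in-memory set because the controller API is vendor-specific. It also shows two checks a practitioner would want: MESH_INTERNAL entries and wildcard hosts are never pushed to the WAN, and stale entries are removed so re-runs stay idempotent.

```python
"""Turn Istio ServiceEntry objects into SD-WAN SaaS-optimization candidates.

Added illustration, not the Egress-Watcher's code. SAMPLE_SERVICE_ENTRIES is
constructed input shaped like `kubectl get serviceentry -A -o json` items.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

SAMPLE_SERVICE_ENTRIES = [
    {"metadata": {"name": "github-api", "namespace": "payments"},
     "spec": {"hosts": ["api.github.com"], "location": "MESH_EXTERNAL",
              "resolution": "DNS",
              "ports": [{"number": 443, "name": "https", "protocol": "TLS"}]}},
    {"metadata": {"name": "legacy-erp", "namespace": "payments"},
     "spec": {"hosts": ["erp.internal.example"], "location": "MESH_INTERNAL",
              "resolution": "STATIC",  # in-mesh VM workload, not SaaS
              "ports": [{"number": 8080, "name": "http", "protocol": "HTTP"}]}},
    {"metadata": {"name": "wildcard-cdn", "namespace": "web"},
     "spec": {"hosts": ["*.cdn.example.net"], "location": "MESH_EXTERNAL",
              "resolution": "NONE",  # wildcard: no concrete host to probe
              "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}},
    {"metadata": {"name": "stripe", "namespace": "payments"},
     "spec": {"hosts": ["api.stripe.com"], "location": "MESH_EXTERNAL",
              "resolution": "DNS",
              "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"},
                        {"number": 80, "name": "http", "protocol": "HTTP"}]}},
]

# Istio port protocols that expose an HTTP(S) endpoint an SD-WAN edge can probe.
TLS_PROTOCOLS = {"HTTPS", "TLS"}
PLAIN_HTTP_PROTOCOLS = {"HTTP", "HTTP2", "GRPC"}


@dataclass(frozen=True, order=True)
class SaasCandidate:
    host: str
    port: int
    app_name: str   # hypothetical custom-app name for the SD-WAN controller
    probe_url: str  # endpoint the SD-WAN edges would probe


def probe_url_for(host: str, port: int, protocol: str) -> Optional[str]:
    """HTTP(S) probe URL for one ServiceEntry port, or None when the protocol
    (e.g. MONGO, raw TCP) offers nothing an HTTP prober can hit."""
    proto = protocol.upper()
    if proto in TLS_PROTOCOLS:
        scheme, default_port = "https", 443
    elif proto in PLAIN_HTTP_PROTOCOLS:
        scheme, default_port = "http", 80
    else:
        return None
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}/"


def extract_candidates(service_entries: Iterable[dict]) -> List[SaasCandidate]:
    """Pick the (host, port) pairs worth optimizing on the WAN."""
    out: List[SaasCandidate] = []
    for se in service_entries:
        meta, spec = se["metadata"], se["spec"]
        # Only traffic leaving the mesh is SaaS-like; MESH_INTERNAL entries
        # describe in-mesh workloads and must not reach the WAN controller.
        if spec.get("location") != "MESH_EXTERNAL":
            continue
        for host in spec.get("hosts", []):
            if host.startswith("*"):
                continue  # wildcard: nothing concrete to probe
            for port in spec.get("ports", []):
                url = probe_url_for(host, port["number"], port.get("protocol", "TCP"))
                if url is None:
                    continue
                app_name = f"{meta['namespace']}-{meta['name']}"  # hypothetical scheme
                out.append(SaasCandidate(host, port["number"], app_name, url))
    return out


def plan_changes(programmed: Set[Tuple[str, int]],
                 desired: List[SaasCandidate]):
    """Reconcile the mesh's desired set against what the SD-WAN already has:
    returns (candidates to create, stale (host, port) keys to delete)."""
    wanted = {(c.host, c.port): c for c in desired}
    to_add = sorted(c for key, c in wanted.items() if key not in programmed)
    to_remove = sorted(key for key in programmed if key not in wanted)
    return to_add, to_remove


if __name__ == "__main__":
    cands = extract_candidates(SAMPLE_SERVICE_ENTRIES)
    add, remove = plan_changes({("api.github.com", 443), ("old.saas.example", 443)}, cands)
    for c in add:
        print("create", c.app_name, c.probe_url)
    for key in remove:
        print("delete", key)
```

Run against the sample, the watcher would create entries for api.stripe.com on ports 80 and 443, leave the already-programmed api.github.com alone, and delete the stale old.saas.example entry; the ERP and wildcard entries never reach the controller. Whatever credential the real watcher uses against the SD-WAN API should be scoped to managing custom SaaS applications only, since this component sits in the cluster and effectively writes WAN policy.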

To learn more

If you want to discuss further about SD-WAN SaaS optimization, we’d love to hear from you. Reach us at: cnwan@cisco.com

Detailed information about the Egress-Watcher is in the GitHub repository mentioned above. At the time of writing, the Egress-Watcher supports reading Egress state from an Istio Service Mesh and programming SaaS optimizations in Cisco Viptela SD-WAN. The architecture and code are designed to be extensible and modular, so other SD-WAN solutions and/or other sources of Egress information could easily be added.

Additionally, we’re going to be at the upcoming KubeCon+CloudNativeCon Europe 2022 in Valencia, Spain in mid-May. We have a demo of the Egress-Watcher, as well as demos of some other cool technologies. If you are around, stop by the Cisco booth and say hi!
