“Is your network Cloud Ready ?” With the advent of the Cloud, Enterprise Network is changing significantly. Discover the European Analysis commissioned by #Verizon and #Zscaler featuring #Gartner research which examines this major IT transformation

1. Featuring research from
2
9
15
Enterprise Computing Has Changed, So Why Hasn’t
Network Design?
From the Gartner Files:
Four Steps to Optimize Your Network for IaaS
About Verizon Enterprise Solutions and Zscaler
Is Your Network Cloud-Ready?
A European Perspective
This paper, commissioned by Verizon and Zscaler, examines how networks are evolving in Europe, focusing on
the factors that are driving companies to consider moving more of their traffic over the internet.
This work would not have been possible without the contribution of four European Senior Consultants: Ivan
Rogissart, Peter Franken, and Alistair Neil from Verizon, and Charles Milton from Zscaler.

2. 2
Enterprise Computing Has Changed,
So Why Hasn’t Network Design?
Enterprise computing isn’t what it used to be.
Ask any team of executives if they can imagine
running their enterprise system the same way
they did ten, even five years ago, and they will
likely laugh. Computing has changed and so
has the way business interacts with and uses
technology. Mobile access is more important
than ever. Along with mobile, the need for users
to access enterprise systems from anywhere, at
any time, on any device has become integral
to companies of all sizes. Yet, for many
businesses, network design has not kept up
with the pace of change. This has led many
industry leaders to begin to re-evaluate and re-
think the way they approach network design.
This newsletter details innovative responses
to those changes and cutting-edge practices
businesses can implement to safeguard
themselves, while also capitalizing on the
opportunities of an ever more mobile, cloud-
based, and interconnected marketplace.
Way Back When: Previous Network Designs
Compared to technologies like radio or TV,
computing is relatively young. Thus, it may
seem unnecessarily dramatic to speak of
corporate network designs as being archaic
or outdated. But with the rapid speed of
technological change, it’s fair to say that many
enterprise network designs are antiquated and
ill-equipped to deal with the contemporary
business climate.
Traditional network designs were predicated on
a hub-and-spoke model, with the central office
as the hub and the branch offices emanating
from that. In this model, wide area networks
(WANs) generally connected to the Internet
through a company’s main office. That network
was protected by hardware, often housed in
the central office. This setup, based on the
assumption that the bulk of traffic flowed
to and from the central office, permitted a
business to exert tight security over employees’
Internet use and made it possible to centralize
data protection. Branch offices would
connect to the main office through dedicated
multiprotocol label switching (MPLS) lines
that directed all traffic, regardless of location,
through this central hub to ensure uniform
security across the business. Access to the
public Internet was also funneled through the
central office.
This model had a number of upsides, foremost
among them that businesses were able to
achieve a high level of security and protection.
However, this type of network design is a poor
fit for a world in which employees want to use
their own (often multiple) devices to access
enterprise systems, want to do so from anywhere
in the world, and expect to have low latency and
consistent quality of access wherever they might
be. Additionally, the core assumption of that
network model is no longer true: the applications
housed at the central office are consuming
an ever-diminishing share of network traffic.
Companies are increasingly turning to SaaS and
cloud computing to achieve cost savings and
greater agility and to reduce the footprint of their
IT infrastructure. Cloud services are projected
to grow by over 18% through 2017 (Gartner “Is
MPLS Dead?”, Andrew Lerner and Neil Rickard,
June 2013). The result is that many companies
are now seeking a network design solution that
offers the security of the traditional model, with
the flexibility, speed and lower costs of public
Internet providers and the cloud.
With a safe path to SaaS provided by Zscaler,
an international construction company in Great
Britain was able to ensure high performance for
SaaS regardless of users’ location.
“We’ve gone from a world where de facto
standards of technology for most of our corporate
clients have been private networks, typically

3. 3
using technologies such as point to point or
MPLS. Increasingly, however, customers are
questioning the validity of utilizing private
networks,” says Alistair Neil, EMEA Security
Senior Consultant Manager of Verizon.
Our Brave New World
There is a new reality for which any successful
network design must account. Hybrid WAN
architectures offer many unique benefits of MPLS
networking that ensure performance and security
while also offering the flexibility of the public
cloud. This reality has a number of key aspects,
covered below.
Localization. In many cases, accessing the
Internet locally makes more sense than having
to route through an office that may be hundreds
if not thousands of miles away from the user.
There are myriad reasons for this. Regulations
differ from country to country, and security must
be compliant. Latency becomes a significant
problem when Internet traffic must flow
through distant hubs. Usability is another very
important factor. As Charles Milton, Service
Provider Director EMEA of Zscaler said, “User
perception isn’t just about latency. It’s also about
localization of content. Imagine for a moment
that you work for a German company. But, you
are based in London, and the Internet breakout
for your network is in Germany. Every time you
go to a weather website, you will see German
weather, and if you go to www.google.com you
will get www.google.de. Problems like this can
obviously annoy users and impede effectiveness,
but most importantly bad localization can put
critical content off limits. As just one example,
an employee in France cannot access French
government websites if they are seen to be
accessing the internet from outside France.
SaaS is driving change. Unquestionably, the
cloud has arrived. Businesses of all scales have
recognized the opportunity of operating in the
cloud and are becoming increasingly comfortable
with migrating major operations there. SaaS
applications, like Office 365, Google Apps,
and Salesforce.com are all drivers of this cloud
adoption. SaaS is projected to grow at 18.5%
through 2017 (Gartner “Is MPLS Dead?”, Andrew
Lerner and Neil Rickard, June 2013). Corporate
apps were designed for WANs, but corporate
interest in the cloud is intensifying. Companies
experience significant benefits with the cloud,
which include cost savings and no longer having
to run hardware. More importantly, the cloud is
an easy and efficient way for the employees of
global corporations to collaborate harmoniously
and in real time. Even when businesses have
security and safety concerns about putting
sensitive information in the cloud, adoption of
SaaS apps continues to increase. Cloud providers
hosting SaaS applications are expanding their
presence around the world, so accessing these
datacenters directly via the Internet makes
much more sense than backhauling traffic
through central offices using MPLS. According
to Ivan Rogissart, Head of Solution and Sales
Engineering France for Verizon, “SaaS providers
are doing more and more geographical expansion
and are adding Internet data centers around the
world where they host applications in the cloud
environment. Therefore, you’re closer to these
providers by using direct connections to the
Internet for SaaS.”
A French retail brand initiated a move to SaaS
applications including Salesforce and Office
365. With the increased traffic from SaaS,
as all workers rely on the Internet for day to
day tasks, the company’s connectivity to the
Internet was becoming as critical as its MPLS
connectivity. The company deployed a hybrid
WAN networking solution from Verizon, enabling
local breakout Internet connections around the
world, protected using the Zscaler cloud proxy
solution.
Consistent performance. With high-speed
Internet available almost everywhere, users are
less and less tolerant of dealing with uneven
performance and online accessibility. It’s just
not realistic to imagine that a company’s entire
business will be in the same office. They want
the same experience whether they’re in the office
or not, and whether they’re logging in from an
iPad, laptop or mobile phone. Enterprise systems
have to respond to these demands while also
preserving the security and internal coherence
found in traditional MPLS-based networks.
Consistent performance is even more critical as
more and more daily work moves to the cloud. “If
you move some of those critical applications to
the cloud, you can’t have a bad user experience
or the local business units will find alternatives,”
says Milton. “Most users are accustomed to the
fast broadband they have at home. They are not
prepared to tolerate a lesser experience in the
office, especially when they are trying to use
applications that are critical to their job. So that
is driving change in the network architecture.”
According to Gartner
analysts Andrew Lerner
and Neil Rickard,
“Network architects
should revise WAN
architectures to
improve performance
for external cloud
applications and
resources. In most
cases, hybrid WAN
architectures will
provide the best blend
of performance and
availability”
(Gartner “Is MPLS Dead?”,
Andrew Lerner and Neil
Rickard, June 2013)

4. 4
A global manufacturing company headquartered
in the UK deployed Zscaler to replace a
proliferation of web security technologies. The
deployment introduced a consolidated web
access policy and reporting framework, which,
along with a consistently good user experience,
has led to increased user satisfaction.
Network performance. In both personal and
professional spheres, users are accustomed to
direct connections to the Internet and the high
speed and reliability this provides. By relying
on the hub-and-spoke model for all Internet
connectivity, users can experience high latency
and poor performance. This problem can become
especially pronounced when a network becomes
overly stretched out. Call this phenomenon
tromboning. It occurs when a traditional WAN is
broad geographically, with many branch offices
and remote users, yet everything is still being
funneled through a central location, negatively
impacting latency and reliability. This type
of bottleneck frustrates users and impedes
performance.
A multinational Dutch retailer was facing the
challenge of how to allow Internet browsing
at two offices, one in Amsterdam and one in
Asia. The delays incumbent in its MPLS system
were dragging down performance. The company
adopted a proxy service housed in the cloud,
improving performance and allowing high-speed
Internet browsing regardless of user location.
Consumer connectedness. More than ever,
businesses want as much information on their
customers as possible and want to connect
with consumers in meaningful ways. This poses
challenges for the traditional model, in which,
with a centralized gateway, there is a static
security perimeter protecting all of the business’s
online interactions. This static perimeter is too
restrictive for a world in which social media and
mobile phones are crucial elements to driving
and meeting consumer demands. Businesses
have to be able to protect themselves, without
bogging down customer experience.
A major manufacturer runs key manufacturing,
supply chain, and financial elements of
its business on SAP, delivered across a
predictable global MPLS infrastructure. Since
the manufacturer represents a confluence of
numerous consumer brands, global marketing is
a critical function of its business, which in turn
requires more low-cost bandwidth to support
Internet marketing, client research, and partner
collaboration. These requirements drove the
successful adoption of integrated cloud security
for the manufacturer’s global WAN.
Cost. Attempting to use a traditional WAN
to meet these new realities cannot only be
challenging from the technical side: it can also
be overwhelmingly expensive. Businesses can
try to address the barriers by adopting numerous
direct connections, but to use the appliance-
based architecture in this way is prohibitively
costly. According to Gartner, monthly service
costs for consumer-grade Internet services
are generally 20-40% lower than the cost of
traditional MPLS (Gartner “Is MPLS Dead?”,
Andrew Lerner and Neil Rickard, June 2013)
A major UK retailer with an increasingly
globalized footprint, dynamic requirements to
follow the market, and customer centricity at
the core of its business successfully combined
a hybrid global WAN, secure Internet hubs,
and localized Internet breakout. This network
model provides secure, reliable, predictable
communications for core global applications,
with the flexibility and cost-efficiency of local,
cloud-secured Internet access at the branch
level.
A New Type of Networking Is Emerging in
Europe
Where there are problems, there are solutions—
and opportunities. Businesses and Internet and
security providers have not been sitting idly
on their hands. In Europe particularly there are
pioneering new network designs to meet today’s
challenges.
The bandwidth
required between the
enterprise’s data center
and the cloud center
can be highly variable
and difficult to predict,
as workloads move
back and forth between
data centers and cloud
centers. As a result,
enterprises should
ensure they have
high-capacity access
lines and, if available,
‘bandwidth on demand’
services, allowing them
to adjust capacity at
short notice.”
(Gartner “Four Steps to
Optimize Your Network for
IaaS,” Neil Rickard and Andrew
Lerner, December 2013)

5. 5
Getting Connected, Directly
For any network redesign to be successful,
the network must be optimized to incorporate
elements of traditional MPLS WAN architecture
with the ability to support cloud-based services.
Services have evolved to provide greater
customization for businesses and a wider
range of options. One of the most effective
methods, both from an economic and a usability
perspective, was introduced first in Europe but is
spreading across all geographic borders. This new
design allows branch offices to direct connect
to the Internet for nonsensitive operations and
SaaS apps, rather than having to go through the
central chokepoint of traditional systems. It also
pushes noncritical, time-sensitive operations
into the cloud to improve multilocation
collaboration. A company’s most confidential or
operationally essential information can still be
located in the central office and accessed via
an MPLS hub to protect against data leakage.
Crucially, this design does not inherently have to
sacrifice security if companies use an effective
cloud security provider. It’s all depends who is
providing the services and how the network is
designed. According to Gartner, by employing
WAN optimization, a business can reduce latency
anywhere from 30% to 70%, as well as reducing
bandwidth by similar margins (Gartner “Four
Steps to Optimize Your Network for IaaS,” Neil
Rickard and Andrew Lerner, December 2013).
A major utility in the Netherlands adopted the
Verizon-Zscaler solution to move a small number
of its services to the cloud. The utility was risk
averse and wanted to retain many of the benefits
of MPLS control, but still experienced cost
savings and improved employee collaboration by
adopting a hybrid network.
Verizon and Zscaler: An Established
Partnership Designed for the Future
With the direct connect model, to ensure that
any network operates at the highest capacity,
Internet connectivity, reliability, and security
must be complementary ingredients rather
than oil and vinegar. For the past three years,
industry leaders Verizon and Zscaler have worked
together to support this new network design.
The match is as logical as it is strategic: Zscaler
provides rigorous cloud-based security while
Verizon provides the support services, network
design, and optimization features required of
any high-functioning network. As Alistair says,
“Our offering is about enabling agility for clients.
It’s about using the best technologies for the
purpose, hybrid technologies, whether in the
cloud, whether on premise, whether traditional
private or public networks, to deliver the right
kind of solutions for sophisticated business
requirements.”
Vital to this partnership is the flexibility of the
solutions Verizon and Zscaler can create and
tailor for individual businesses. Use of the public
Internet can be optimized in many ways because
there’s no one-size-fits-all solution for an entire
global economy.
A major European beverage company deployed
Zscaler to replace its existing appliance-based
web security solution. The project enabled a
transition to a more distributed Internet access
architecture, important for many business units
operating in emerging economies.
The Verizon-Zscaler team allows a company
to make the best decisions about where to
position certain types of information. It’s critical
to remember that this is not a death knell
for MPLS. MPLS will still have its place, but
companies have to decide where and how to use
it, juggling the increased security provided with
the competing needs of immediacy, latency,
mobile accessibility, and cost. Gartner supports
this, projecting 4% annual growth for MPLS
through 2017 ( Gartner “Is MPLS Dead?”, Andrew
Lerner and Neil Rickard, June 2013). But with
Verizon-Zscaler, companies develop guidelines
and internal regulations to direct traffic based
on its content. A company’s most sensitive
information can still be housed within the static
perimeter of a data center. But for less critical
data, or consumer information, Zscaler can set
up protection that makes the cloud and public
Internet secure. And this can all be done without
any hardware for the company to purchase, as
well as with dedicated customer service not
available through SaaS alone.
Verizon-Zscaler Recommendations
Based on extensive work in and observation of
the changes underway in networking in Europe,
here is some actionable advice.
Seek single responsibility. Having one point of
contact for network infrastructure and security
makes life considerably easier, particularly as
new use cases and business initiatives emerge.
This is true of the Verizon-Zscaler partnership.
Though businesses receive the best of Internet
and support services from Verizon and cloud
security from Zscaler, they only have to interact
with a single vendor. There’s no question of
“Due to the
performance,
feature and security
requirements for most
branches, enhanced
MPLS and hybrid
solutions will emerge
as the most common
approaches.”
(Gartner “Is MPLS Dead?”,
Andrew Lerner and Neil
Rickard, June 2013).

6. 6
who to call or contact for support, regardless
of the nature of the problem. Verizon-Zscaler
will diagnose the problem, whether it’s a
connection or protection issue, and then fix it,
saving executives and IT departments countless
hours going back and forth between vendors
that each place responsibility on someone else.
This is especially critical in this era when almost
all business depends upon the functionality
and availability of fast Internet connectivity.
Businesses just can’t afford to have their
networks down for any amount of time.
Look for a full spectrum of solutions. Zscaler’s
offering of protections is as comprehensive as
it is valuable. When a business contracts with
Verizon-Zscaler, it is entering into an agreement
that can meet all of its needs, both present and
future. Zscaler offers protections that include
HTTP scans, SSL scanning, data loss protection
(DLP), and advanced threat protection (ATP). A
business may not require all of these services
initially or at any one time, but Zscaler can
provide them as needed, allowing the company
to change its range of services as its security
needs evolve over time. It is even possible to use
the Zscaler Enforcement Node appliance locally
if a cloud-based approach is not appropriate
for legal or proxy reasons, according to Peter
Franken, Manager Security Engineers at
Verizon.
Move from capex to opex. Cloud-based
security solutions reduce hardware costs and
maintenance onus for a company and since they
are services, shift the costs from capital expenses
to operating expenses. Hardware was a large
expense associated with security when networks
were designed to backhaul all traffic through
central points.
Overcome geographic limitations. Because
Zscaler is cloud-based, it easily handles
geographic scalability, regardless of business
size, location, or size of the workforce. Its
scalability allows companies to constantly
right-size their relationship with Zscaler—like
Goldilocks, never having too much or too little,
while also having the added assurance that they
can add services whenever they need to.
Cut costs. Every company wants to improve its
bottom line and cut costs. Moving some traffic
from private MPLS circuits to the cloud and the
public Internet can achieve this. Verizon and
Zscaler and allow businesses to have a high level
of performance for information safe enough to
travel on the public Internet, which can lead to
significant savings. As Gartner points out in a
2013 report, WAN prices continue to decrease,
with a decline of 10% or more annually in
countries with competitive telecom markets
(Gartner “Is MPLS Dead?”, Andrew Lerner and Neil
Rickard, June 2013).
Look to move fast. By migrating some operations
to the cloud, businesses can realize greater speed
and scalability with application deployment
and new product development. Customers
and employees no longer have to be beholden
to MPLS circuits that can slow the speed of
business. SaaS can be quickly adopted with
security assured.
A major international
European Financial
institution was trying
to improve efficiency
on a huge WAN that
was proxy-based and
proving to be incredibly
costly. With the
protection provided
by Zscaler and the
Internet reliability of
Verizon, this financial
institution was able to
dramatically improve
performance and offer
localized content.

7. 7
Support mobility. Any device, anywhere,
anytime. It’s what customers and employees
are demanding and it’s what Verizon-Zscaler
provides. Employees can work where and when
is most convenient for them, while companies
have the certainty that granting mobile device
access isn’t resulting in a loss of protection.
“The concept of the enterprise has changed,”
explains Alistair. “We moved from a very defined
perimeter of the enterprise to something much
more expanded. You’ve got more and more
people who are traveling, working on the train, at
the airport, working from home all or part of the
day, meeting with customers and working from
customer offices, working with partners and so
on. The nature of the business has changed and
there are no more boundaries delineating the
perimeter of the enterprise. You don’t need only
to think about the security inside the corporation,
but also to consider all the remote users, the
people equipped with smartphones, with tablets,
and also those doing more traditional remote
access on a PC.”
Find faster protection. Unlike traditional
centralized hardware solutions, Zscaler has the
flexibility to provide up-to-the-second security
protection. Zscaler adapts to threats as they arise,
without the need for new hardware or software
downloads.
Look for distributed enforcement with centralized
control. “What a large multinational wants is
to maintain centralized policy and reporting
control,” said Milton. “Distributed enforcement
enables small branches to break out to the
Internet using the most efficient type of
connection available to them, and do it securely.”
Zscaler allows a business to have a uniform
security protocol, with consistent regulations,
protocol, and accessibility controls, regardless of
where the user is located. Zscaler also enables
companies to comply with all local regulatory
compliance restrictions, adjusting compliance
restrictions appropriately for the user’s location.
An executive can thus set a companywide policy
that’s adaptable to local conditions.
Get centralized reporting. Zscaler is foremost a
security solution, but it also provides companies
with powerful analytical tools and reporting,
all housed in one central location. Businesses
can learn more about how and when customers
and employees are using their network and
thus make targeted adjustments based on this
information. Look for a product whose logs can
be fed into existing systems for analytics, says
Franken. “Customization can be done to take
security feeds and integrate them into existing
management systems.”
What Is Right For Your Business?
Whenever a company embarks on the process
of rethinking and restructuring its network
design, it needs to take a number of factors into
consideration to make sure its solution covers
all aspects of the enterprise. Gartner analysts
Andrew Lerner and Neil Rickard recommend that
enterprises first analyze their own needs and then
find a WAN solution that is “based on the features,
availability and performance requirements of the
business” (Gartner “Is MPLS Dead?”, Andrew Lerner
and Neil Rickard, June 2013). With a solution like
Verizon-Zscaler, companies have a partner to help
them think through these challenges, such as the
following:
Increased support at the endpoints. More locations
mean more endpoints to support. Each branch
location can have public Internet access, and with
this, there’s a loss of centralized control from
both security and connectivity perspectives. Any
platform must provide continuous support, like
Verizon-Zscaler, to protect against any loss of
Internet connectivity.
The public Internet becomes more critical. The
reliability of the public Internet connection in each
branch and for each user becomes paramount in
this new reality. Any downtime can significantly
impact customers’ and employees’ impressions of
the business. Verizon is well-equipped to provide
maximum reliability. Says Franken, Verizon’s
background enables the company to “give
guarantees on part of our backbone, which means
that we really ensure availability and quality of
service on the global Internet.”
MPLS is not obsolete. Again, it is critical to
keep in mind that even in this new reality,
MPLS remains vital for critical applications. The
most integral systems for a business must still
run through MPLS. For instance, at a clothing
manufacturing plant, a connection to the central
office network remains essential, as does the
access to applications that require guaranteed
the high performance and high reliability that
MPLS provides.
New Wave Adopters
The type of network design solution offered
by Verizon-Zscaler is gaining traction across
industries and business sectors. While rates
of adoption and needs differ by industry,
international corporations are especially keen to
implement hybrid network solutions to satisfy
the demands of their diverse and geographically
scattered workforces.
“…closer analysis
reveals that while
Internet VPNs and
Ethernet services will
play a greater role in
the enterprise WAN
over the next two to
four years, it will largely
be as part of a hybrid
network, blended
with MPLS service
to ensure delivery
of the performance,
availability, and feature
functionality that
businesses desire.”
(Gartner “Is MPLS Dead?”,
Andrew Lerner and Neil
Rickard, June 2013)

8. 8
Who Is Driving Adoption?
Motivations for adoption differ by industry.
There is no single reason hybrid networks are
increasingly popular across sectors. For instance,
in the finance sector, companies want improved
performance and ever better security in the
cloud. So much of their operations are dependent
on the reliability of high-speed connections. With
milliseconds meaning the difference of millions,
hybrid networks are a logical solution.
The retail and manufacturing sectors are lead
adopters, in large part because they have so
many branches and individual use cases as part
of their enterprises. It makes sense for these
industries to migrate noncritical operations to
the cloud whenever possible to lower costs and
improve performance.
Manufacturing plants, warehouses, and
distribution centers are often in remote and
far-flung locations where MPLS connectivity is
more expensive than in large cities. The ability
to securely support activities such as email and
web surfing using local broadband connections
such as DSL means that mission-critical activities
requiring MPLS can be supported by the same
low-bandwidth connections currently in use.
Retailers are transforming their businesses with
new applications such as mobile point of sales.
Tablet deployment within stores and warehouses
is growing along with Internet application
usage. On top of this, more and more retail
stores are offering their customers Guest WiFi
hotspots. Retail stores’ Internet usage is therefore
increasing in a way that the typical MPLS store
connection cannot support cost-effectively.
Adoption of hybrid networking is seen as the most
appropriate answer for these stores, which are
often located in well-connected cities that offer
high-speed broadband connectivity (such as FiOS
in the US, cable, and other broadband offerings).
Conclusion
Numerous trends are transforming business.
Mobility enables us to do business from
anywhere. The use of cloud services and software
are on the rise. Increasingly, multinational
corporations are finding that they need a hybrid
network infrastructure that uses MPLS where
the business case justifies it but allows as
much traffic as possible to traverse the public
Internet, accompanied by leading edge cloud-
based security. Decisions about the corporate
network require a trusted advisor and partner
that can help organizations take a hard look
at their current infrastructure, their business
requirements, and the array of options available
to help them continue to offer their users a
responsive, localized, productive experience, from
any device, anywhere, any time securely.
Source: Verizon & Zscaler EMEA Experts

9. 9
Four Steps to Optimize Your Network for IaaS
The performance of IaaS-based applications
is highly dependent on the networks used
to support them. Enterprise networking and
architecture staff must undertake specific
activities to optimize performance and ensure
consistent delivery of application networking
services.
Key Challenges
• Differences in network services (such as
routing, security and application delivery)
between internal data centers and IaaS
environments can cause issues when
migrating applications between these
environments.
• There are a broad range of enterprise use
cases for IaaS, leading to a wide range of
networking requirements that can only be
met via a portfolio of vendor and architectural
approaches.
• The performance of applications running
in an IaaS cloud is highly dependent on
connectivity to the enterprise, and the default
connectivity may not be “good enough.”
Recommendations
Application and networking teams:
• Collaborate to quantify specific use cases and
requirements.
• Ensure network consistency, for applications
that may need to be moved between internal
and IaaS deployments, with a portable suite of
virtualized networking products.
• Maximize the back-end network performance
between the enterprise’s data centers and the
IaaS data centers.
• Optimize the front-end network between the
users and the IaaS service to maximize the
end-user experience.
Introduction
Many organizations are adopting infrastructure
as a service (IaaS) for the promise of increased
agility and elasticity, improved fault tolerance,
and reduced capital expenditure. This is
evidenced by:
• Gartner projects IaaS investments to continue
to grow significantly (37.3% CAGR) through
2017.
• Gartner clients have searched gartner.com for
IaaS at a higher rate (7,112) than WAN (4,074)
(note: search results include synonyms as
well).
• Inquiry volume regarding IaaS from Gartner
clients has increased 26% during the past
12 months, as compared with the prior 12
months.
• According to a PC Connection survey* of more
than 500 organizations, 48% are investigating
IaaS for public cloud services.
Networking Is Often Overlooked
In most organizations, the selection and initial
deployment of workloads to an IaaS provider
is typically led by development, architecture
or line-of-business teams, versus traditional
infrastructure or networking teams. In fact, nearly
80% of Gartner’s 3,400-plus client inquiries into
IaaS over the past 24 months have been initiated
by teams other than the IT infrastructure team.
This can create gaps in performance, security or
consistency, as infrastructure teams are typically
well-versed in these aspects while other teams,
such as architecture or application teams, are
more focused on developing applications in a
timely fashion. The teams selecting and procuring
IaaS services often have basic networking
knowledge and are looking to IaaS primarily
for increased infrastructure agility. In many
instances, infrastructure and networking teams
are pulled in after the IaaS decision is made.
Key Networking Considerations
When considering IaaS from a provider, there
are several networking challenges that must
be addressed, including performance, security
and maintaining the appropriate degree of
homogeneity with internal data center network
services. When designing IaaS environments,
organizations are faced with a microcosm of
their internal network decisions, including IP
addressing, VPN, firewall, application delivery and
load balancing.
From the Gartner Files:
*http://www.pcconnection.com/IPA/PM/Brands/Cisco/PCCB2B/~/media/F6D6A531FB6943ACB374E8B06C8B8397.ashx?v=1

10. 10
While many cloud providers offer basic
networking services, organizations must
determine if these “vanilla” services are
good enough for their specific use cases and
requirements. For example:
• Most IaaS providers offer only basic load-
balancing services versus a full suite of
application delivery services.
• Several IaaS providers offer limited VPN
capability in terms of number of tunnels that
can be configured and/or the encryption
strength that can be used.
• Default IaaS connectivity is via the public
Internet, which has no end-to-end SLA or
capability to provide elevated levels of quality
of service.
Enterprise networking teams need to act to
ensure that their IaaS deployments are supported
by appropriate network architectures or risk
poorly performing IaaS-based applications and a
lack of consistency between the internal and IaaS
networking environments, which can be a major
obstacle to enabling application mobility in a
hybrid cloud model.
Analysis
Application and Networking Teams Must
Collaborate to Quantify Specific Use
Cases and Requirements
Since IaaS initiatives are often being led by
noninfrastructure personnel, infrastructure teams
should press for a cross-functional effort to
ensure appropriate performance, availability and
consistency with existing data center services.
These teams must collaborate to identify the
following:
• Existing and proposed workloads and use
cases delivered via IaaS. This includes
identifying existing IaaS providers.
• The associated performance and availability
requirements of workloads. Performance
should be focused on application response
time, as measured from the end-user
perspective.
• Where the workloads will ultimately reside
(that is, will they remain in the cloud
or “return” to traditional corporate data
centers?).
• The appropriate degree of homogeneity or
consistency required with existing network
services, including VPN, firewall, intrusion
detection system (IDS)/intrusion prevention
system (IPS), WAN optimization controller
(WOC), application delivery controller (ADC),
Web application firewall (WAF) and data loss
prevention (DLP).
The networking team can then develop a cloud
networking architecture that accommodates
these requirements.
Typical mainstream IaaS workloads can be
categorized as cloud-native applications,
e-business hosting, general business applications,
enterprise applications, test/development/QA
and batch computing. These workloads often
have dramatically different requirements as
illustrated in Table 1.
Table 1. Typical Networking Needs of
Different IaaS Workloads
Workload Performance
Need
Availability
Need
Cloud-Native
Applications
High Moderate
E-Business
Hosting
High High
General
Business
Applications
High Moderate
Enterprise
Applications
High High
Test,
Development
and QA
Good Enough Good Enough
Batch
Computing
High Moderate
Disaster
Recovery
High High
Source: Gartner (December 2013)
Organizations should inventory their specific
workloads and applications on a per-IaaS
provider basis, and identify specific performance
and availability requirements for each. This
will provide the basis to ensure performance
and availability requirements are met from the
networking perspective.
Organizations must identify where these
workloads are ultimately destined to be run – in
the IaaS cloud permanently versus “coming back”
to traditional data centers for the production
phase after test and development in IaaS.
Based on these requirements, the enterprise’s
networking teams need to determine the degree
of consistency required with existing network

11. 11
services. For example, many organizations have
remarked to Gartner that they have difficulty in
bringing test/development workloads “back”
to private data centers for production, due to
security or ADC configuration mismatches
between IaaS provider and corporate IT services.
Similarly, organizations that utilize their IaaS
provider for disaster recovery will likely want to
maintain a high degree of consistency between
their existing network services and what resides
in the IaaS provider’s network to simplify
business continuity activities.
Once these criteria have been determined,
testing of the network performance and
functionality should be factored into the vendor
selection and adoption process.
Ensure Network Consistency, for
Applications That May Need to Be Moved
Between Internal and IaaS Deployments,
With a Portable Suite of Virtualized
Networking Products
Enterprises frequently develop and test
applications in an IaaS environment with the
intention of moving the application to their own
data center for the production phase. However,
Gartner clients report that in many cases they
face issues when they attempt to move the
application back in-house, because they have
used the networking functionality embedded in
the IaaS service, such as routing, firewalling and
load balancing, which operates differently in their
internal environments. When they attempt to
move the application in-house, they are unable
to easily replicate these configurations on their
own networking platforms. The cost and time
required to re-engineer and test the changes
are unacceptable. As a result, the application is
often kept in the IaaS environment for production
deployment, despite the high usage costs this
incurs. A similar issue can occur when trying
to move an in-house application to an IaaS
environment, where differences in replicating
the networking environment can restrict the
enterprise’s ability to move applications and/or
deliver equivalent outcomes when they do so.
The networking functionality provided as part
of IaaS offerings is often very limited compared
with that found on enterprises platforms. For
example, IPsec VPNs may be limited to 128-bit
encryption versus the 256-bit or more possible
on enterprise platforms. Basic load balancing is
often supported, but not content acceleration,
to boost performance for remote users. Even
when the functionality is adequate, it can be
challenging to replicate a configuration between
internal and IaaS-provided platforms, such as
developing an equivalent set of firewall rules in
both environments.
To address this issue, and ensure consistent
networking functionality between internal and
IaaS environments, the networking team needs to
develop a portable suite of networking products.
This requires using virtual machine versions of
the networking devices the enterprises uses
internally, such as:
• Routers
• WOCs
• ADCs
• Firewalls
Or using cloud-based services, which can be
applied equally to internal or IaaS environments,
such as:
• Secure Web gateway as a service
• WOC as a service
Most vendors of enterprise networking equipment
now have virtual machine editions of their
appliances. However, the enterprise’s networking
team needs to do more than simply confirm the
availability of a virtual edition of their products. It
needs to:
• Put in place the commercial arrangements to
acquire the virtual editions of these products.
• Determine the necessary maintenance and
management services to support them.
(If devices, such as routers and WOCs, are
provided as part of a managed network
service, enterprises will need to work with
their managed network service provider to
determine how these devices will be deployed
and supported.)
• Gain hands-on experience with these products
and/or cloud services, determine how they
should be configured and combined in an IaaS
environment, and test these configurations.
• Determine the IaaS resources that these
products will need to deliver different levels
of performance and resilience.
The objective should be to have a preconfigured
suite of virtual networking products and services,
with a known IaaS footprint, fully tested and
ready to be deployed on demand whenever
IaaS is used. Network architects should require

12. 12
that this suite of capabilities is used whenever
the organization uses IaaS, rather than use the
functionality embedded in the IaaS service. Any
incremental cost arising from this approach will
be more than offset by the reduced time and
effort required to re-engineer the applications
and networks later.
Enterprises should also make the availability
of virtual versions of networking products a
requirement for future network equipment
sourcing decisions, for products such as ADCs,
WOCs, routers and network security. Enterprises
should make the availability of their preferred
networking products one of their selection
criteria when choosing IaaS providers.
Maximize the Back-End Network
Performance Between the Enterprise’s
Data Centers and the IaaS Data Centers
Most enterprises’ applications are intertwined
with other applications and systems within the
enterprise. For example, an e-commerce website
will link to back-end payment systems, customer
databases and stock control systems. These
back-end connections, between the IaaS-hosted
application and in-house systems, typically
require low latency and substantial bandwidth to
ensure optimal performance.
In instances where an enterprise is using multiple
IaaS centers, there may be a need for back-end
traffic between the different IaaS providers’
centers. Finally, in the case of dynamic use of
IaaS services, such as “cloudbursting,” additional
capacity may be needed when the application
images need to be moved to and from the IaaS
environment.
Connectivity Is Paramount
Minimizing the physical distance between the
enterprise’s data centers and the IaaS provider’s
centers will not only reduce latency, but also
typically reduce networking costs, and should be
included as one of the decision-making criteria
when selecting IaaS providers. However, when
IaaS services are being used as part of a disaster
recovery solution there may be a minimum
separation requirement between the enterprise’s
and the IaaS provider’s locations. For test and
development environments high-capacity
Internet services will normally be adequate.
When production workloads are being run in the
IaaS environment, high-bandwidth low-latency
services, such as wavelength or Ethernet services,
should be preferred, although higher-capacity
(1 Gbps and 10 Gbps) MPLS services may be
suitable when available.
For business-critical production applications,
these links will need fully diversely routed access
lines and diverse backbone routing. The good
news is that both the enterprise’s data center and
the cloud provider’s center will typically already
have diversified access in place.
If virtualized workloads are to be moved
between the enterprise data center and the
IaaS environment (for example, long-distance
vMotion), then Layer 2 (Ethernet) adjacency
and virtual LAN (VLAN) extension between
the enterprise’s data center and the IaaS
environment will be required, making MPLS
services and Internet VPN connectivity less
attractive.
The bandwidth required between the enterprise’s
data center and the cloud center can be highly
variable and difficult to predict, as workloads
move back and forth between data centers and
cloud centers. As a result, enterprises should
ensure they have high-capacity access lines and,
if available, “bandwidth on demand” services,
allowing them to adjust capacity at short notice.
In the longer term, software-defined networking
(SDN) should allow even greater flexibility to
adjust capacity, although understanding the cost
implications of such volume/capacity related
charges is vital to avoid unexpectedly high costs.
Where IaaS providers do not allow direct
connectivity to their data centers, then
enterprises will need to establish connections to
the providers’ “direct connect” locations, which
will often be at hub sites (for example, Equinix),
where access to multiple cloud and network
providers will be possible.
WAN Optimization
Where latency between an enterprise’s data
center and the cloud center is high (typically
greater than 10 ms round-trip delay), and/or
bandwidth is expensive, it may also be beneficial
to deploy WAN optimization to reduce bandwidth
and mitigate the impact of latency. Vendors, such
as Silver Peak and Riverbed, offer high-capacity
WAN optimization, support application and data
center protocols, and are available embedded in
leading IaaS offerings. WOC solutions typically
reduce the impact of latency significantly (30% to
70%), as well as reduce bandwidth (35% to 70%),
but can cost several hundred thousand dollars for
a multigigabit configuration.
IP Addressing
Enterprises will need to consider how IP
addressing is managed between their own data
centers and the IaaS service. The IaaS vendor

13. 13
may provide their own IP addresses for the virtual
machines, or may allow the enterprise to use its
own public or private IP addresses and isolate
the virtual machines in one or more VLANs.
Depending on what addressing capabilities the
IaaS provider offers, enterprises may need to
provide network address translation between the
IaaS environment and their data centers, and/
or may need tunneling between the IaaS service
and their own data centers. A virtual router
capable of supporting complex routing tasks is
therefore highly desirable.
Optimize the Front-End Network Between
the Users and the IaaS Service to
Maximize the End-User Experience
IaaS is often used to support external (Internet or
extranet) user-facing applications. IaaS providers
typically have good Internet connectivity readily
available. However, for intranet applications
where good performance is often vital, there
are a number of connectivity options – and
for all applications, network-level services can
be used to enhance security, ease of use and
performance.
Connectivity Options for Intranet Users
There are several connectivity options to deliver
IaaS-hosted production applications to intranet
users with different cost and performance trade-offs:
• Connecting the IaaS service directly to the
enterprise’s WAN provider’s backbone – A
growing number of MPLS providers are
extending their services into IaaS-hosting
centers, or “direct connect” locations, which
are connected to the IaaS center. This allows
the enterprise to add the IaaS center as a
location on their WAN, as if it was another of
their data centers (for example, Verizon with
Equinix, or AT&T with IBM and CSC). Since
the provider’s edge router is in the IaaS data
center, access costs should be almost zero,
resilience inherent and provisioning lead
times low.
• Adding the IaaS services’ centers as “sites” on
the enterprise WAN – If the enterprise’s MPLS
provider does not have a point of presence
(POP) in the IaaS provider’s data center, it is
still possible for the enterprise to arrange for a
router, WAN optimizer and any other required
devices to be provisioned, either as physical
devices in colocation space in the same data
center, or as virtual machines running on the
IaaS service and connected over an access
line to the enterprise WAN. This approach will
have longer lead times and higher costs than
direct WAN backbone connectivity, as access
lines will need to be installed from the WAN
provider’s POPs to the IaaS centers.
• Routing user traffic back to the enterprise data
center over the back-end connectivity – This
can be reasonably effective provided it does
not add significant latency to the end-to-
end path, or result in single points of failure.
Quality of service (QoS) will be needed on
shared links to ensure front-end and back-end
traffic cannot interfere with each other.
• Accessing the intranet application over the
Internet – If the enterprise allows local
Internet breakout at its branch locations, then
users can access their own organizations’
IaaS-based applications over the public
Internet. Security will need to be addressed
with IPsec or SSL tunnels. Performance
will usually be lower than with direct WAN
connectivity, and the reliability of Internet
access at the branch may need to be
improved.
Each of these options will have different
reliability, performance and cost characteristics,
which will depend on the specific circumstances.
(For example, does the enterprise have
local Internet breakout at all sites? Does
the enterprise’s MPLS provider offer direct
connectivity to the IaaS provider?)
In many cases, the IaaS location will be farther
away from the enterprise’s branch sites than
their own data centers, resulting in higher
latency between the user and the application
and potential performance degradation. This
will strengthen the case for deploying WAN
optimization on the enterprise’s WAN, to reduce
bandwidth and offset the impact of latency on
application performance. WAN optimization can
also reduce the need to run multiple instances
of an IaaS-based application in different
geographies to ensure adequate performance.
Physical WOC appliances in the enterprise’s
branches and data centers can be complemented
by virtual WOCs in the IaaS center, cloud-based
WAN optimization services or even public
content delivery network (CDN) services.
Network Services for Internet and Intranet
Users
In addition to connectivity, there are several
other networking aspects that still need to be
addressed in order to deliver a consistent and
optimized application experience to the end
user, while minimizing support efforts and risk.

14. 14
These network services will typically be required
regardless of whether the application users are
internal or external. These include:
• Performance optimization using ADC
functionality
• Integration with the IP-addressing and DNS
services used by the enterprise
• Ensuring consistency with firewall measures,
including application firewalling
• Enabling transport security features, such as
SSL and IPsec VPNs
The enterprise’s networking teams should
determine how each of these networking
functions will be delivered for the IaaS-based
applications, and ideally ensure the same
standards, resilience and management processes
(for example, how encryption keys are managed
and who can administer firewall rules) are
employed as are used for comparable internally
hosted applications.
Note 1
Typical IaaS Use Cases
Cloud-native applications. These are applications
specifically architected to run in a cloud IaaS
environment, using cloud transaction processing
(TP) principles.
E-business hosting. These are e-marketing
sites, e-commerce sites, SaaS applications,
and similar modern websites and Web-based
applications. They are usually Internet-facing.
They are designed to scale out and are resilient
to infrastructure failure, but they might not use
cloud TP principles.
General business applications. These are the
kinds of general-purpose workloads typically
found in the internal data centers of most
traditional businesses; the application users
are usually located within the business. Many
such workloads are small, and they are often
not designed to scale out. They are usually
architected with the assumption that the
underlying infrastructure is reliable, but they are
not necessarily mission-critical. Examples include
intranet sites, collaboration applications such as
Microsoft SharePoint, and many business process
applications.
Enterprise applications. These are general-
purpose workloads that are mission-critical, and
they may be complex, performance-sensitive or
contain highly sensitive data; they are typical
of a modest percentage of the workloads found
in the internal data centers of most traditional
businesses. They are usually not designed to
scale out, and the workloads may demand
large VM sizes. They are architected with the
assumption that the underlying infrastructure is
reliable and high-performance.
Test, development and quality assurance. These
workloads are related to the development and
testing of applications. They are assumed not to
require high availability or high performance.
Batch computing. These workloads include high-
performance computing (HPC), big data analytics
and other workloads that require large amounts
of capacity on demand. They do not require high
availability, but may require high performance.
Source: Gartner Research, G00259040, Neil Rickard, Andrew Lerner,
20 December 2013

15. 15
About Verizon Enterprise Solutions and Zscaler
Is Your Network Cloud-Ready? A European Perspective is published by Verizon Enterprise Solutions and Zscaler. Editorial content supplied by Verizon Enterprise Solutions
and Zscaler is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research
service available to all entitled Gartner clients. © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not
indicate Gartner’s endorsement of Verizon Enterprise Solutions and Zscaler’s products and/or strategies. Reproduction or distribution of this publication in any form without
Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may
include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public
company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include
senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their
managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://
www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
ABOUT VERIZON ENTERPRISE SOLUTIONS
Verizon Enterprise Solutions provides intelligent
networks, cloud, mobility, managed security
and machine-to-machine (M2M) solutions to
the world’s most successful companies. With
industry-specific solutions and a full range of
global wholesale offerings, Verizon Enterprise
Solutions helps open new opportunities around
the world for innovation, investment and
business transformation. Visit verizonenterprise.
com or the Verizon Enterprise Solutions News
Center to learn more.
About Zscaler
Zscaler is transforming enterprise security with
the world’s largest Security Cloud built from the
ground up to safely enable users doing business
beyond the corporate network. Zscaler’s Security
Cloud processes over 12 billion transactions a
day with near-zero latency to instantly secure
over 12 million users in 180 countries, with no
hardware or software required. More than 4,500
global enterprises are using Zscaler today to
simplify their IT operations, consolidate point
security products, and securely enable their
business for mobility, cloud and social media.
Visit us at www.zscaler.com