“We needed more intelligence on our network to route some application traffic to public clouds, route other traffic directly to the internet, and route some back to our data center locations,” Stoev explains. “If you became a mad scientist and worked really hard, you could do this to a certain extent with some very complex policies and configuration, but it wasn’t scalable.”
Growing bandwidth demands from the increased adoption of cloud applications at Salesforce also significantly raised costs for the already expensive MPLS-based architecture. “We would increase bandwidth only in small chunks because it was very expensive,” Stoev explains. “A lot of the bandwidth use was coming from developers. Their standing joke was that they had more bandwidth at home than in the office.”
Salesforce’s digital transformation initiatives required a next-generation SD-WAN solution that could scale across its distributed infrastructure of more than 70 locations across the globe. Salesforce has both small and large remote offices, including locations with as many as 5,000 employees requiring bandwidth of up to 2 Gbps each. The company needed a solution that could handle this as well as cost-effectively scale down WAN throughput for smaller offices with fewer than a dozen employees.
Stoev wanted to improve performance while reducing WAN bandwidth costs. Above all, he and his team wanted the ability to create application-aware policies with control granular enough to accurately steer application traffic to the correct WAN links to optimize performance.
“We wanted to be able to distinguish application traffic even from the same vendor, such as Google, which alternates different Google services on the same IP and other IPs. In other words, we wanted to route some specific Google apps on one path and other Google apps on another,” he says.
Salesforce needed an API-driven solution that could centralize management and simplify operations with granular visibility at the user and application levels. This would allow the company to maintain and update WANs remotely without logging in to separate boxes to manage them.
The next-generation SD-WAN solution also needed to easily and securely integrate networks acquired through Salesforce’s M&A activities, such as its acquisition of Slack. In addition to performance and management improvements, the company also required flexibility in carriers, traffic, and redundancy.
The journey, he adds, did require a change in mindset for his team, as well as a new way of thinking about networking. “The SD-WAN is a departure from the traditional routing mindset. We were moving from a model where our applications ran on a private MPLS network to a model with direct connections to the internet. But it brought us to the next level. Inbound, outbound, east and west—all our traffic controls are now API-driven, with automated centralized management through our Palo Alto Networks portal.”
Stoev also credits these SD-WAN successes to his partnership with the Palo Alto Networks services team.
Salesforce added encryption to secure application traffic over public broadband internet connections using Prisma SD-WAN’s automated overlays. The overlay tunnels operated over multiple WAN links at scale to significantly improve the overall reliability of the network and increase application resilience.
Salesforce also achieved consistent network uptime by implementing high availability using dual devices at branch and data center locations to provide redundancy and failover. In addition, the Prisma SD-WAN ION devices’ fail-to-wire capability allowed Salesforce to maintain branch connectivity even in the event of hardware failure.
“While hardware failures are rare, we wanted to ensure that a box failure will not impact the WAN bandwidth available to our users,” Stoev notes. “This is something our previous network simply couldn’t do, and it’s important for us, especially at our larger sites where an outage means thousands of people become unproductive.”
“WAN optimization was becoming ineffective with all the encryption requirements we have,” Stoev notes. “We wanted to improve and enhance our user experience the right way with a long-term investment in the right architecture and technology and not through hacks like WAN optimization.”
“I’ve never worked in another company that is as focused on security as Salesforce is,” Stoev explains. “Zone-based firewalls and segmentation support the variety of cloud applications our users are accessing. If we need to add another zone, it is easy and straightforward.”