Seeking scalability and application awareness for a globally dispersed workforce
“We needed more intelligence on our network to route some application traffic to public clouds, route other traffic
directly to the internet, and route some back to our data center locations,” Stoev explains. “If you became a mad scientist
and worked really hard, you could do this to a certain extent with some very complex policies and configuration, but it
wasn’t scalable.”
Growing bandwidth demands from the increased adoption of cloud applications at Salesforce also significantly raised costs for the already expensive MPLS-based architecture. “We would increase bandwidth only in small chunks because it was very expensive,” Stoev explains. “A lot of the bandwidth use was coming from developers. Their standing joke was that they had more bandwidth at home than in the office.”
"Many of the SaaS services we wanted to use were regionally available much closer to our users, but we still had to hairpin the traffic around the country, or in some APAC regions we had to route that application traffic from one country to another because of the limitations of our legacy WAN."
Georgi Stoev
Senior Network Architect, Salesforce
Elevate control, application awareness, and bandwidth
Salesforce’s digital transformation initiatives required a next-generation SD-WAN solution that could scale across its distributed infrastructure of more than 70 locations across the globe. Salesforce has both small and large remote offices, including locations with as many as 5,000 employees requiring bandwidth of up to 2 Gbps each. The company needed a solution that could handle this as well as cost-effectively scale down WAN throughput for smaller offices with fewer than a dozen employees.
Stoev wanted to improve performance while reducing WAN bandwidth costs. Above all, he and his team wanted the ability to create application-aware policies with control granular enough to accurately steer application traffic to the correct WAN links to optimize performance.
“We wanted to be able to distinguish application traffic even from the same vendor, such as Google, which alternates different Google services on the same IP and other IPs. In other words, we wanted to route some specific Google apps on one path and other Google apps on another,” he says.
Salesforce needed an API-driven solution that could centralize management and simplify operations with granular visibility at the user and application levels. This would allow the company to maintain and update WANs remotely without logging in to separate boxes to manage them.
The next-generation SD-WAN solution also needed to easily and securely integrate networks acquired through Salesforce’s M&A activities, such as its acquisition of Slack. In addition to performance and management improvements, the company also required flexibility in carriers, traffic, and redundancy.
"Cost was an important factor, but bandwidth, security, support, automation, application-focus, availability, and proper redundancy were our top requirements. After the RFP and extensive testing, our top requirements came back to application awareness and flexibility."
Georgi Stoev
Senior Network Architect, Salesforce
Securely supports Salesforce’s flexible traffic requirements
The journey, he adds, did require a change in mindset for his team, as well as a new way of thinking about networking.
“The SD-WAN is a departure from the traditional routing mindset. We were moving from a model where our applications
ran on a private MPLS network to a model with direct connections to the internet. But it brought us to the next level.
Inbound, outbound, east and west—all our traffic controls are now API-driven, with automated centralized management
through our Palo Alto Networks portal.”
Stoev also credits these SD-WAN successes to his partnership with the Palo Alto Networks services team.
"I was happy with the journey we started several years ago with the Palo Alto Networks team. They were truly interested in helping navigate the solution with a lot of brainstorming and investigating how to best solve our problems. We felt that meeting our needs and shaping their product to help us was their primary goal."
Georgi Stoev
Senior Network Architect, Salesforce
Ensures simple deployment and management
“Once we tested, certified, and procured the SD-WAN gear and obsoleted our old routers, installation of the new Prisma SD-WAN moved quickly,” Stoev explains. “All the pieces are templatized, so deployment is simple. Once the WAN circuits come up and the SD-WAN appliances are reachable from the Palo Alto Networks central management portal, everything else is a snap.”
He also cites other benefits with Prisma SD-WAN centralized management. His team no longer needs to log in to separate devices for maintenance, he says, adding, “The process of maintaining our SD-WAN instances is more straightforward than before, with much lower operational costs.”
Improves network resilience with diverse connectivity and appliance redundancy
Salesforce added encryption to secure application traffic over public broadband internet connections using Prisma SD-WAN’s automated overlays. The overlay tunnels operated over multiple WAN links at scale to significantly improve the overall reliability of the network and increase application resilience.
Salesforce also achieved consistent network uptime by implementing high availability using dual devices at branch and data center locations to provide redundancy and failover. In addition, the Prisma SD-WAN ION devices’ fail-to-wire capability allowed Salesforce to maintain branch connectivity even in the event of hardware failure.
“While hardware failures are rare, we wanted to ensure that a box failure will not impact the WAN bandwidth available to our users,” Stoev notes. “This is something our previous network simply couldn’t do, and it’s important for us, especially at our larger sites where an outage means thousands of people become unproductive.”
"Managing our whole environment from a central management system lends itself well to automation and our future plans to collect more rich data telemetry and bring that information up to the application layer for proactive analytics and troubleshooting. That is now becoming an important part of our network strategy."
Georgi Stoev
Senior Network Architect, Salesforce
Dramatically increases bandwidth without increasing costs
“WAN optimization was becoming ineffective with all the encryption requirements we have,” Stoev notes. “We wanted to improve and enhance our user experience the right way with a long-term investment in the right architecture and technology and not through hacks like WAN optimization.”
Reduces risk with a significantly stronger security posture
“I’ve never worked in another company that is as focused on security as Salesforce is,” Stoev explains. “Zone-based firewalls and segmentation support the variety of cloud applications our users are accessing. If we need to add another zone, it is easy and straightforward.”