How to migrate from MPLS

Article Summary:

• Establish a performance baseline by documenting current network topology and bandwidth. Then, select a provider that supports hybrid environments to ensure a smooth MPLS migration transition.
• Implement SD-WAN or SASE to replace rigid, location-bound circuits. This modernization enhances scalability, lowers operational costs, and provides faster application performance for distributed, cloud-first workforces.
• Transition branch offices using Anycast GRE or IPsec tunnels over broadband. Gradually shift traffic to cloud-delivered network services and zero trust security before decommissioning legacy private circuits.

How to migrate from MPLS

Multiprotocol label switching (MPLS) offers stability and predictable service levels while allowing enterprises to connect their branch offices. However, its static nature makes it a poor fit for modern ways of working, for cloud computing, and especially for integrating artificial intelligence (AI) into workflows.

To increase network flexibility, scalability, and security, enterprises often modernize their networks by migrating from MPLS to alternative networking models, including SD-WAN or SASE (the latter of which natively integrates zero trust security principles). The move to SD-WAN was a common step in the 2010s for many businesses, although organizations today find that SD-WAN on its own has limitations, and are looking to modernize further by moving straight to SASE.

Network modernization can be an intensive process that takes weeks or months, but organizations can reap the benefits of it for years to come, including:

• Simpler connectivity
• Faster application and network performance
• Scalable security
• Increased agility
• Lower operational costs

How to migrate from MPLS to SD-WAN

1. Assess and document the current network setup

Document bandwidth needs, business-critical applications, and network topology. Recording a baseline of network performance is critical, as that provides a comparison point as the SD-WAN migration is first tested.

2. Choose an SD-WAN provider

Different providers offer different features and levels of support; ensure the selected vendor can support business-critical applications and other must-haves.

Many organizations have critical systems or infrastructure that cannot be moved off of MPLS. Partial migration to SD-WAN can still help optimize much of their network. In such cases, enterprises should ensure they select a vendor who can support hybrid network environments.

3. Create a migration plan

Define the future state of the migrated network, determine which steps to take to reach that state, then decide what aspects of the network should be migrated first. Set a schedule for migration

4. Execute the migration

Start switching over parts of the network to the SD-WAN provider in accordance with the plan from step 3; many organizations start with a single branch network, followed by performance testing, before migrating other parts of the network. Maintain legacy systems as a backup before fully cutting over to the new network.

5. Monitor post-migration performance

Before switching off legacy systems completely, make sure the new configuration is performing better than the baseline documented in step 1.

Why SASE has evolved out of SD-WAN

Though SD-WAN is often thought of as the next stage for organizations as they modernize their networks, on its own it has many performance and security gaps that can continue to hinder organizational growth. In particular, SD-WAN is designed to connect buildings, not people. As a result, relying solely on SD-WAN means connectivity is fundamentally location-bound. This is less than ideal for the way many modern organizations work. A SASE model replaces location-dependent rules with a unified set of policies and experiences that remains identical whether a user is at an office desk or on the move.

Secure access service edge (SASE) is the next logical step in network modernization. SASE, in addition to a flexible, software-defined networking model, has security built in. It is a cloud-based architecture that converges network connectivity and comprehensive zero trust security in a single, unified platform.

How to migrate from MPLS to SASE

1. Modernize user-to-app access

Switch to a policy that connects users only to the specific apps they are authorized to use, via zero trust network access (ZTNA) controls, instead of the broad access offered through VPNs. For flexibility, SASE relies on a range of connectivity methods, not exclusively private circuits; internal data, applications, networks, and users therefore need to be protected regardless of location or how they are connected. Start by:

• Enforcing multi-factor authentication (MFA) for critical applications
• Applying zero trust policies for access to critical applications
• Applying advanced phishing filters to email traffic
• Closing all inbound ports open to the Internet for application delivery
• Using global DNS filtering to block risky requests

2. Replace private circuits with broadband Internet access for branch connectivity

The goal here is to switch from private circuits to cloud-delivered network services, with network traffic and applications protected by ZTNA instead of VPNs and on-premises point solutions at branch networks. Steps include:

1. Choose two MPLS-connected locations to start with, and ensure they have Internet connectivity.
2. Measure network performance at these locations to establish a baseline.
3. Select a cloud-based WAN or network-as-a-service (NaaS) provider.
4. Establish a pair of redundant Anycast GRE or IPsec tunnels over Internet circuits to the cloud WAN provider's network. (Anycast specifically addresses reliability concerns by routing traffic to the nearest healthy data center rather than a fixed point.)
5. Test performance (throughput, latency, packet loss, jitter) of those tunnels.
6. Change routing policies to migrate production traffic from MPLS to Internet tunnels.
7. Repeat at next MPLS-connected location.
8. Decommission MPLS circuits as needed.

3. Secure cloud environments

At this point, multi-cloud environments should be connected following a similar process to that described above:

1. Choose one cloud environment to start with, and measure app performance to establish a baseline.
2. Establish a connection to the cloud-based WAN or NaaS provider.
3. Test performance via this connection.
4. Change routing policies to migrate cloud production traffic through WAN/NaaS provider.
5. Repeat for all cloud deployments.
6. Then, use a service like Multi-Cloud Networking to discover, manage, and secure all data and workloads in the cloud.

4. Decommission hardware appliances and private circuits

Not all organizations will be able to, or even desire to, reach the point of turning off all on-premises infrastructure and hardware-based networking and security. However, migrating to SASE does give organizations the opportunity to do so, for increased flexibility and scalability with minimal latency.

How to start modernizing MPLS networks with Cloudflare

The Cloudflare connectivity cloud delivers secure, fast, and reliable service to any point in the world, and easily adapts to new business requirements. Here's how:

• Cloudflare handles BGP traffic by allowing customer edge routers (CPE) to peer directly with the Cloudflare network. This replaces the need for static routes and allows for dynamic failover.
• Customers establish a BGP session over their existing connectivity, via GRE tunnels, IPsec tunnels, or a Cloudflare Network Interconnect (CNI).
• Customer routers advertise their internal prefixes (e.g. branch office subnets) to Cloudflare.
• Cloudflare then updates its Virtual Network routing table across all 330-plus global data centers.

Use Cloudflare for networking and security to strengthen business continuity, improve the user experience, and reduce operating costs. Learn how to start modernizing networks with Cloudflare.

 

FAQs

Why are traditional multiprotocol label switching (MPLS) networks less effective for modern businesses?

While MPLS provides reliable connectivity for branch offices, its rigid design struggles to keep up with the demands of cloud computing and the integration of artificial intelligence (AI) into daily operations. Modern work environments require more flexibility than these static networks can offer.

What are the primary advantages of upgrading to a more modern network architecture?

Transitioning away from legacy systems allows organizations to experience better application performance, simplified connectivity, and improved agility. Additionally, these updates can lower overall operational costs while providing security that scales alongside the business.

How does a secure access service edge (SASE) model differ from software-defined wide area networking (SD-WAN)?

SD-WAN was primarily built to link physical buildings, which can restrict users to specific locations. In contrast, SASE is a cloud-native framework that combines networking with zero trust security. This ensures that employees have a consistent and secure experience whether they are working from a branch office, working from home, or traveling.

What initial steps should an organization take when starting a migration to SD-WAN?

The process begins by documenting the current network topology, bandwidth requirements, and most important applications to establish a performance baseline. Organizations must then choose a provider that aligns with their specific technical needs, especially if they require a hybrid setup to maintain certain legacy systems.

What is the recommended process for transitioning branch offices to a SASE-based model?

Organizations should start by establishing Internet connectivity at a few locations and measuring their performance baseline. After selecting a cloud-based provider, they can create secure Anycast GRE or IPsec tunnels to route traffic. Once these tunnels are tested and production traffic is successfully moved to the new Internet-based paths, the old private circuits can be decommissioned.