How Netrolix AI-WAN* Broke the SD-WAN Barrier

ID 659543
Updated 5/2/2018
Version Latest



Introduction – Fulfilling WAN Demand

Demand for lower cost wide-area networks (WANs) has increased dramatically in recent years. Industry research shows that in 2016 alone, WAN traffic grew from more than 150 percent in the Americas to nearly 250 percent in APAC. The same data shows that the greatest growth was in new 100-Mbps services, and it reveals a major shift toward Software-Defined Wide-Area Network (SD-WAN) solutions.

It's not difficult to see what is driving this demand:

  • More organizations are moving their IT from on-premises to cloud and hybrid infrastructures.
  • Even the largest business software providers are turning to SaaS delivery models for their flagship products.
  • There are more data-intensive applications that routinely use big data analytics, video, and connected Internet of Things (IoT) devices.
  • Changing WAN topologies are placing more computing power at the network edge, to the point where many connected devices are becoming mini data centers.

Although the cost of dedicated Multiprotocol Label Switching (MPLS) lines has dropped in recent years, it remains prohibitively high for meeting all the demand. This has led to a boom in SD-WAN services that offer a much lower cost and more agile approach to WAN connectivity. But SD-WAN is not an ideal solution. It suffers from performance, reliability, and security issues that make it less suitable for critical business operations.

Working to address these limitations, Netrolix* has created an entirely new kind of WAN. Their AI-WAN* delivers MPLS reliability and security with SD-WAN agility and cost advantages, all while guaranteeing exceptional end-to-end throughput. Adopting an AI-WAN solution is like trading in your economical Chevy for a self-driving, bullet-proof Ferrari, at no extra cost.

How does Netrolix's AI-WAN accomplish this? To understand that, let's look at why typical SD-WANs fall short.

The Promise and Limitations of SD-WAN

MPLS circuits have distinct advantages. Like private roads running directly between branch offices, they are fast, secure, and reliable. To get from one office to another, you just hop in your Ferrari and go as fast as the road will take you. But it takes a long time and a lot of money to build that private road, and it's hard to change once you've built it.

As WAN usage has grown, the idea of replacing high-cost, dedicated MPLS connections with low-cost SD-WANs has appeal that goes beyond just the cost savings. Compared to MPLS services, SD-WANs are easy to set up and configure, which simplifies the task of adding WAN segments to an existing network infrastructure. SD-WANs also centrally manage how applications use the network, enabling some optimization at the network edge for given network conditions.

SD-WANs are great because the roads are already built. They not only run between your branch offices, they go everywhere. You can open a new office anywhere and quickly set up an SD-WAN connection. To get from one place to another, you just hop in your Ferrari and, … well… , maybe you sit in traffic. Or maybe you get robbed while you're sitting in traffic. And that's the downside of SD-WANs. Compared to MPLS, they introduce new security issues, and they have performance limitations.

Because SD-WANs sit at the network edge, they have no control over traffic flow in the cloud. They rely on Internet service provider (ISPs) whose business models are based on over-subscribing capacity and best-effort delivery services. This means there can be, and often is, network congestion somewhere along the data path. Furthermore, ISPs often share network infrastructure. Poor connections across this infrastructure often result in jitter, packet loss, and latency issues. For all of these reasons, SD-WANs are unable to guarantee a quality of service.

From a security perspective, SD-WANs offer built-in security features such as native support for encryption and easy application-specific WAN segmentation. However, their use of encryption is often limited by computing power, and many SD-WAN appliances are not adequately hardened against unauthorized access.

Because of these limitations, many businesses see an SD-WAN as a low-cost supplement to their existing MPLS connections rather than a replacement. So, does this mean organizations are trapped into living with their costly MPLS connections?

Not according to Netrolix.

Netrolix's Unique WAN Solution: AI-WAN*

To understand Netrolix's AI-WAN, it's best to start with the story of how they created it.

It began in 2014 with the idea of solving the challenge of large-scale, centralized firewall, Internet-based networking. Netrolix envisioned building a high-performance Internet WAN that would be compatible with any existing connection protocol or appliance, and it would work by optimizing traffic across the Internet. They wanted to create a solution that service providers and businesses could use to build their own networks. "In fact, that was our original goal. We wanted to empower the end user to architect and build their own network. When we began, we wanted to give complete access and control to that end user," says Wes Jensen, CEO of Netrolix.

Netrolix began by building a network between host data centers and monitoring a multitude of performance metrics, which they put into their own proprietary algorithm for optimizing flow between the data centers. By using IP transit connections, they could also look at to and from downstream service providers.

"We initially deployed on six data centers in Seattle, Los Angeles, Chicago, Dallas, New York, and Atlanta. That allowed us to leverage just about every ISP in the U.S.," says Jensen. "By early 2015, our network grew to about 18 data centers, 9 of which were in the U.S. At that point, we realized our own algorithms weren't going to cut it. We were looking at things statically, on a per data center basis."

That's when they had the idea of applying machine learning and artificial intelligence (AI) to the mass of Internet performance data they were collecting. Suddenly, they were able to analyze and correlate the Internet traffic in all the data centers simultaneously, in real time, and that was a total game changer.

Netrolix used their AI capability to build a model that would look at millions of data points from every ISP on multiple performance factors – latency, jitter, packet loss, throughput, and availability, for real-time and historic events, and how these changed at specific times of day. They developed a suite of low-cost endpoint devices to connect to their AI network, and they extended their analysis to theses endpoints. Continuously monitoring and analyzing all the data paths across this AI fabric became the foundation for using proprietary algorithms to optimize Internet traffic.

Today, Netrolix hardware and software is in 65 data centers globally, leveraging 20,000 nodes just to collect data on the global Internet. "We're collecting data on all the ISPs on the planet to determine optimal paths not only to any endpoint, but also across our core. That is the AI fabric itself. That is the foundation over the Internet that we have created. We have eliminated the whole ‘best-effort' mantra and solved for Internet performance issues, and we're seeing performance that is on a par or better than traditional private networks from your global service providers," Jensen says. And that is what the patent-protected AI-WAN from Netrolix is all about.

So, say you have a Netrolix AI-WAN connection and you want to go from one branch office to another. You hop in your Ferrari, sit back, and let it take you there. With its eyes on the entire global Internet, the AI-WAN has already determined your best route. You take off at top speed. All the lights turn green just as you hit the intersections. There's no congestion. And bam! You're there, every time, at an SD-WAN cost and with much higher security.

How does Netrolix do this? Let's see what's inside the AI-WAN.

Inside Netrolix's AI-WAN

The Netrolix AI-WAN consists of the AI-WAN fabric, which is a vast network of ISPs and host data centers around the globe whose traffic is continuously analyzed and monitored by a proprietary deep-learning analytical engine. To connect to this AI-WAN fabric, Netrolix has developed a suite of low-cost endpoint devices, which are software-defined gateways (SDGs) that run on either their own bare-metal based Intel® architecture platforms or appropriate client-owned equipment.

The AI engine monitors the global Internet while monitoring and communicating with every endpoint device connected to the AI-WAN fabric. All of Netrolix's services, including MPLS, Virtual Private LAN Service (VPLS), Ethernet private line, SD-WAN, global Virtual Private Network (VPN), cloud services, and other offerings are layered over the AI-WAN fabric.

Netrolix SDGs

Netrolix offers a suite of SDGs that are built on Intel® chipsets. They differ from one another based on their rated throughputs and the network functions they perform. They can provide simple connections between existing network appliances and the AI-WAN fabric. They can also act as routers, switches, firewalls, and other edge compute devices, and they can be configured to deliver MPLS, VPLS, and Virtual Private Enterprise (VPE) connections.

All Netrolix SDGs share similar physical characteristics in that they use low-power Intel® components and they don't have any moving parts, such as fans, which enables them to operate in complete silence. Figure 1 and the accompanying descriptions show different ways standard Netrolix SDGs connect to the Netrolix AI-WAN fabric for optimum network performance.

Different ways Netrolix S D G connects to  A I W A N
Figure 1. Netrolix software-defined gateways (SDGs) connect to the Netrolix AI-WAN* fabric in many ways.

1. The Netrolix SDG is a simple network interface device (NID) that basically terminates a circuit. If a Netrolix AI-WAN user wants to keep their existing Fortinet*, Juniper*, Cisco*, or whatever network devices they have in place today, they can do so.

2. The Netrolix SDG can be more than just an NID. It can also be the network access point plus a router, a switch, and a firewall. It can provide all those functions in one solution.

3. The Netrolix SDG can also be a software-defined multi-access and mobile edge compute device (SD-MEC). This combines network access, router, switch, firewall, and edge compute capabilities into one solution.

4. In this scenario, the Netrolix SDG provides cloud access, allowing direct connections to cloud infrastructure. Rather than paying a lot of money for an Microsoft Azure* Express Route or a Amazon AWS* Direct Connect product, a user can spin up a virtual machine (VM) immediately, deploy appropriate Netrolix virtual router software, and immediately connect to a private global network. Jensen explains, "You don't have to go through the hard-to-understand firewall guys, or fight with the VM guy, or have the VM guy pointing to the firewall guy. And by the way, that costs about $5,000 more than our solution. The fact is, we just want to simplify that."

5. Here, the Netrolix SDG is being used as a hub to move aggregated IoT device data and autonomous application data over the AI-WAN. This is an important capability because many IoT applications and remote devices that involve data and control functions, such as drones and industrial control systems, are being built with little knowledge or regard for security. Being able to aggregate sensor and control data and then send it to a control center with absolute security and reliability becomes incredibly important. That is now possible over the AI-WAN at speeds that enable real-time control and the highest levels of data protection possible.

6. This is the user portal that enables users to see and control everything in their AI-WAN. Netrolix's goal is to eliminate centrally configured stacks that require vendor and equipment manufacturer intervention to set up. Netrolix empowers users to do it themselves. "We want you to do everything from a portal," Jensen says. "A device shows up and you plug it in. You have multiple configuration templates you're pushing to different types of network elements and pieces. It just becomes so simple."

Easy setup and automatic, continuous data path optimization.

When a Netrolix SDG is connected to the user's Internet service, the Netrolix AI-WAN detects and identifies that Netrolix device and immediately determines the six most optimal data centers for connection. Then, from those six data centers, the AI-WAN further selects the three most optimal data centers. It automatically connects the newly installed Netrolix SDG to those three data centers using three separate Netrolix gateways that are part of the Netrolix AI-WAN fabric.

Once connected, the new device shows up on the user's AI-WAN portal. The user then configures the SDG with the functionality required by their application.

During normal operation the AI-WAN fabric ranks a device's three active data center connections from most to least optimal and moves data over the most optimal path. If that path becomes impaired, the AI-WAN continues to seamlessly operate over the other two connections. Whether you have one or four Internet connections, the AI-WAN platform views it as one single port into the network. As long as the Netrolix device is connected, the AI-WAN fabric goes through a complete path re-optimization process every five minutes. With three different continuously optimized data center connections, that network link becomes more reliable than a dedicated private line.

Guaranteed throughput at service provider connection speeds.

Netrolix has architected their AI-WAN to guarantee end-to-end throughput at full-duplex Internet service provider connection speeds. This is different than the way SD-WANs operate.

For example, an SD-WAN provider might provide you with a box that is licensed for 200-Mbps throughput. You will pay for the box, the connection speed, and the gateway they set up for you. But in reality, you are not guaranteed 200-Mbps end-to-end throughput because once you reach the network edge (for example, the cloud), the SD-WAN has no control over traffic.

The Netrolix AI-WAN uses its placement in host data center locations and Internet traffic monitoring to optimize data paths based on two basic principles:

  • The "last mile" of Internet connectivity is where congestion is likely to occur due to ISPs over-subscribing their service. Conversely, traffic between host data centers happens in extremely high-bandwidth connections.
  • Based on AI traffic analysis, most disruption in Internet connections happens where the connections jump between major data paths or between service providers.

To most effectively optimize data paths and minimize latency, Netrolix has strategically located its AI-WAN system in key data centers based on actual traffic flow rather than geography. For example, Netrolix placed AI-WAN components in multiple data centers around Chicago rather than putting nodes in surrounding cities that all route through Chicago.

By carefully selecting host data centers, analyzing downstream ISP traffic, and having full knowledge of traffic between data centers, Netrolix is able to guarantee end-to-end throughput at wire speeds. If you have a 200-Mbps full-duplex Internet service, the Netrolix AI-WAN will deliver 200 Mbps of secure end-to-end throughput.

Making the Netrolix AI-WAN as secure as an MPLS connection.

For many users who are considering WAN options, throughput is their primary consideration. But security is just as important, especially in today's environment of non-stop intrusion.

Netrolix has built security into the Netrolix AI-WAN fabric in the following ways:

  • Data encryption – All data passing through the Netrolix AI-WAN is encrypted using IKEv2, which is the most powerful encryption standard currently in use.
  • Key management – The Netrolix AI-WAN uses a robust Key Management System (KMS) to generate encryption keys for every device, every element of the AI-WAN network, every storage instance, and every network configuration. Unlike typical SD-WAN solutions, these are not shared keys. Every network element has its own key, and every key in the global AI-WAN is automatically swapped every five minutes.
  • Hardware Security Module (HSM) authentication – This is the same hardware-based authentication used in credit and debit card chips. It prevents reconfiguration of any Netrolix SDG unless the device is connected over the AI-WAN to a Netrolix management console, which prohibits unauthorized access.
  • RADIUS attributes – These are used to authenticate any devices connecting to the AI-WAN.
  • The AI analytics engine – The same AI engine that monitors and optimizes Internet traffic is also continuously monitoring every device connected to the AI-WAN for any anomalous data patterns. It not only monitors the AI-WAN fabric itself, but also data coming from or going to IoT devices, for example.

To learn more about how Netrolix implemented security in their AI-WAN fabric, read the companion article How Netrolix AI-WAN* Makes Wide-Area Networking More Secure.

Intel Inside® – Why Netrolix Chose Intel® Technology for Its Bare-Metal Platform

Netrolix had several choices when designing their AI-WAN hardware. One was whether to build their solution around another company's hardware platform versus building from the ground up using a bare-metal solution. They chose the bare-metal approach because standard commercial equipment was too heavy, too expensive, and did not offer the flexibility or computing power they needed to deliver the many different network functions they had in mind.

Next came the choices for platform hardware, and that also was a quick decision. They chose Intel chipsets because of their broad compatibility in the networking world, the consistency in the Linux* kernel across different chip sets, and their ability to run x86 software.

There were other factors, too. From an engineering perspective, Intel offered chipsets with low power consumption, which helped enable Netrolix to build rigid boxes with no moving parts. Selecting the interface was another big factor. When choosing a standard router, users are bound by whatever interfaces that company manufactures. Netrolix was already doing a lot of work with the IoT and unmanned aerial vehicles (UAVs), which require nonstandard interfaces. Having this flexibility was a key consideration, and the availability of Intel's open software library became critical.

Ultimately, the flexibility of Intel chipsets in supporting Netrolix's architectural needs and the supporting software was the deciding factor. "We are an open stack shop," says Jensen. "All of our services are software-driven on an open platform, and Intel just became a very easy-to-use and reliable chipset."

The following table lists the different Netrolix hardware platforms, the Intel chipsets used to power them, along with performance and use cases.

Table 1. Netrolix hardware platforms, Intel® chipsets, and use cases.

Netrolix Platform Intel® Chipset Performance and Use Cases
Mobile Rigid (OBD) MR1 Broadwell A rigid network interface device used for mobile connectivity.
SDG100 Gemini Lake Standard software-defined gateway providing up to 100-Mbps secured throughput.
SDG400 Apollo Lake Up to 400 Mbps of secured throughput, often used for network headends.
SDG PE/Core Kaby Lake Used in data centers as a network edge device but also as a network core device. It also acts as a VPN gateway. Up to 2-Gbps secured throughput.
SDG1000 SMRP Gateway Coffee Lake VNF cluster used as a customer headend. Often used by large organizations that need to run multiple separate networks in every location to isolate different types of data falling under different regulatory or security regimes.
SDG2000 Intel® Xeon® Scalable processor Used in large network edge or data center deployments where it’s necessary to interface to multiple 10-, 40-, or 100-Gbps connections.
UAV Cherry Trail Used in very lightweight, low power consumption applications such as drones. Provides full SD-MEC capabilities such as multiple connection failover between multiple providers and edge compute, but on a drone.

In addition to these Intel chipsets, Netrolix used the following features to support virtualization, secure hardware sharing, and hardware-based encryption:

  • Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
  • Intel® Virtualization Technology (Intel® VT) for Directed I/O (Intel® VT-d)
  • Intel® AES New Instructions (Intel® AES-NI)

Netrolix AI-WAN Delivers Higher Throughput More Securely at a Lower Cost

"That was our goal, and that's what we achieved," Jensen says, who points out that a 10-Mbps private line between New York and London would cost about $1,500 per month. A similar Netrolix AI-WAN connection delivering guaranteed secure throughput of 10 Mbps would cost about $300 per month. The AI-WAN connection will also be something users themselves can quickly set up and configure, without relying on vendors or service providers.

And whereas the private line will only have one fixed data path, the AI-WAN connection can take many paths. At any given time, it will always have three optimum data paths, and those will be re-tested every five minutes. This means the AI-WAN connection will be much more reliable over the long term compared to a dedicated private line.

The AI-WAN will also be more reliable, more secure, and deliver higher throughput than an SD-WAN, which has little or no visibility into data paths beyond its own network edge. Some SD-WAN vendors attempt optimized data routing based on a limited view of performance metrics. "Most devices that do look at performance metrics are statically configured by architects," Jensen notes. "With our neural network, we don't have to statically architect that at all. The fabric itself is what self-heals and maintains and optimizes constantly. Once we realized that the AI-WAN architecture was more powerful than anything we could humanly architect, that's when the light went on for us."

For More Information

- To learn more about security in the Netrolix AI-WAN, see the article How Netrolix AI-WAN* Makes Wide-Area Networking More Secure.

- Visit the Netrolix website.

- Read the article Netrolix Harnesses the Net’s Wild Mustang: Optimized Internet & Private/Secure Service at Low Cost at the Top Operator website.

- Visit the Intel® Network Builders website and explore a vibrant resource center that provides support to anyone interested in software-defined networking and network function virtualization.