"Should the internet traffic exit the network at a central DC or directly at the branch?" is a well-known debate among engineers, especially since the cloud emerged. Here is an architect's view on the matter.
Centralized Internet Breakout
All branch traffic is backhauled to a central data center where the internet links terminate and the firewalls, proxies and IDS/IPS are placed.
Organizations choose this model for:
- Easy security enforcement
- Centralized policy control
- Easier compliance & logging
- Traditional MPLS based approach
Drawbacks:
- Increased latency
- WAN bandwidth consumption
- Internet link bandwidth consumption
- DC becomes a large failure domain
This model worked perfectly when all applications were hosted in the DC, internet usage was limited to a few specific needs and MPLS was dominant.
But cloud changed this landscape.
Distributed Internet Breakout (Direct Internet Access / DIA)
This is where each branch / site has its own internet connection, local firewalls / Secure Web Gateways and direct SaaS access.
Why it was adopted widely:
- Optimized SaaS performance
- Lower latency
- Reduced WAN link costs, since less WAN bandwidth is consumed
- Split failure domains
Drawbacks:
- Security Policy consistency becomes harder
- Larger attack surface
- More distributed devices to manage
- Need to purchase / manage many internet circuits
Note that most of the management-related drawbacks can be countered with innovations in SD-WAN technologies.
The Real Decision Making Point
It's not about security enforcement, managing devices or managing circuits; it's about the user experience with cloud-based applications, especially SaaS traffic such as M365, Teams, Zoom and CRMs. That is in fact the whole point of the architecture.
Modern enterprise architectures often combine distributed breakouts with central policy control via SASE / cloud security platforms, plus a centralized path for sensitive applications.
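To make the "both, per application" decision concrete, here is an added example (not from the original post, and not any vendor's policy syntax) of a minimal hybrid breakout evaluator: trusted SaaS destinations get direct internet access only when the branch applies its own inspection, sensitive app categories always backhaul, and anything unknown falls back to the central path. The domain list, category names and the 5 microseconds-per-km fibre propagation figure are assumptions chosen for illustration.

```python
# Added example: hybrid internet-breakout policy evaluator.
# App categories, domain suffixes and timing constants are constructed
# for illustration; real SD-WAN / SASE platforms use their own
# application signatures and policy language.
from dataclasses import dataclass

# Constructed allowlist of SaaS domain suffixes eligible for direct
# internet access (DIA) at the branch.
SAAS_DIA_SUFFIXES = (
    "office.com", "microsoft.com", "zoom.us", "salesforce.com",
)

# Constructed categories that must always hairpin through the central
# DC for inspection, regardless of destination.
SENSITIVE_CATEGORIES = {"finance", "hr", "regulated"}


@dataclass(frozen=True)
class Flow:
    dst_fqdn: str            # destination hostname
    category: str            # business category of the application
    inspected_locally: bool  # branch SWG/firewall policy is applied


def breakout_for(flow: Flow) -> str:
    """Return 'direct' (DIA at the branch) or 'central' (backhaul to DC).

    Sensitive categories are always backhauled. Known SaaS destinations
    go direct only when the branch enforces its own inspection. Unknown
    destinations fall back to the central path (fail closed on policy).
    """
    if flow.category in SENSITIVE_CATEGORIES:
        return "central"
    fqdn = flow.dst_fqdn.lower().rstrip(".")
    is_saas = any(fqdn == s or fqdn.endswith("." + s) for s in SAAS_DIA_SUFFIXES)
    if is_saas and flow.inspected_locally:
        return "direct"
    return "central"


def hairpin_rtt_penalty_ms(detour_km: float, us_per_km: float = 5.0) -> float:
    """Extra round-trip time from backhauling via a DC detour_km away.

    Assumes roughly 5 us per km one-way propagation in fibre, doubled
    for the round trip; queuing and device processing delay excluded.
    """
    return 2 * detour_km * us_per_km / 1000.0
```

For a DC 1,000 km away the propagation detour alone adds about 10 ms of round-trip time to every SaaS request before any inspection or queuing delay is counted.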
Final Thought
Centralized breakout optimizes control.
Distributed breakout optimizes performance.
The best designs use both, intentionally, for different application needs.
If SaaS traffic hairpins through a data center 1,000 km away, you are paying for MPLS unnecessarily and getting a bad cloud experience.
