SaaS Express Fundamentals
By using SaaS Express, the Branch Gateways dynamically identify the optimal path to reach high-priority SaaS applications. The following components are required to identify the optimal path:
- Branch Gateways must be capable of measuring the Quality of Experience (QoE) through all circuits with internet access. The Branch Gateway must also be capable of monitoring the actual performance of SaaS applications after a path is chosen and traffic is flowing through the gateway.
- Gateways must proxy DNS requests to those SaaS applications to ensure the closest SaaS nodes are resolved.
- Branch Gateways must forward SaaS traffic through the selected path (based on the measurements made by probing the SaaS front doors).
The following topics are discussed in this section:
- Quality of Experience Measurement
- Active SaaS Monitoring
- Passive SaaS Monitoring
- Ensure Routing to the Closest SaaS Node
- Best Path for Routing the Traffic
- Application Identification
- Traffic Forwarding
Quality of Experience Measurement
Branch Gateways monitor the state of each WAN circuit by probing its default gateway and the tunnel destinations. They also probe a distributed responder service hosted on the Aruba Cloud (Aruba PQM Service) to assess the health and status of every uplink. The following components are required for assessing the health and status:
- A default gateway through every WAN interface to consider as the uplink.
- Gateways sending probes to all tunnel destinations (through all uplinks) to measure the health and state of the overlay.
- Gateways sending probes to a Health Check IP/FQDN (by default, the Aruba PQM service) to measure the health and state of the underlay.
These synthetic probes provide a good measure of how the overlay communications are working as well as the quality of the last mile for each WAN circuit. Based on the quality measured by the probes, Branch Gateways select the best WAN circuit as per the policies defined in the Dynamic Path Steering configuration. This happens regardless of whether the traffic is going over the SD-WAN overlay or directly out to the internet.
Active SaaS Monitoring
The approach described above works well for internal networks as well as general internet traffic. However, business-critical SaaS applications (Microsoft 365, Google Workspace, Zoom, and so on) require a dedicated method to guarantee the best user experience. Problems outside the control of the enterprise network administrator, such as ISP-SaaS peering problems or DNS issues, may impact a critical service for the business.
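The selection step described above, written out as an added example (not Aruba's code): probe samples per uplink are reduced to latency, jitter and loss, each uplink is checked against an SLA, and the first SLA-compliant uplink in the administrator's preference order wins. The probe values, uplink names and the fallback rule (when nothing meets the SLA, take the least-bad uplink rather than blackholing traffic) are assumptions made for the example.

```python
"""Added example: SLA-based WAN uplink selection from synthetic probe samples.
Not Aruba code; probe values, uplink names and the fallback rule are constructed."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List


@dataclass
class ProbeSample:
    rtt_ms: float          # round-trip time of one probe
    lost: bool = False     # True when the probe got no answer


@dataclass
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class Uplink:
    name: str
    samples: List[ProbeSample] = field(default_factory=list)


def measure(uplink: Uplink) -> Dict[str, float]:
    """Reduce the probe samples of one uplink to latency, jitter and loss."""
    answered = [s.rtt_ms for s in uplink.samples if not s.lost]
    total = len(uplink.samples)
    loss_pct = 100.0 * (total - len(answered)) / total if total else 100.0
    latency = mean(answered) if answered else float("inf")
    # jitter as the mean absolute delta between consecutive answered probes
    jitter = (mean(abs(a - b) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"latency_ms": latency, "jitter_ms": jitter, "loss_pct": loss_pct}


def meets_sla(m: Dict[str, float], sla: Sla) -> bool:
    return (m["latency_ms"] <= sla.max_latency_ms
            and m["jitter_ms"] <= sla.max_jitter_ms
            and m["loss_pct"] <= sla.max_loss_pct)


def select_path(uplinks: List[Uplink], sla: Sla, preference: List[str]) -> str:
    """Return the name of the first SLA-compliant uplink in preference order.
    If no uplink is compliant, fall back to the one with the lowest loss,
    then latency, then jitter (assumed fallback rule for this example)."""
    metrics = {u.name: measure(u) for u in uplinks}
    for name in preference:
        if name in metrics and meets_sla(metrics[name], sla):
            return name
    return min(metrics, key=lambda n: (metrics[n]["loss_pct"],
                                       metrics[n]["latency_ms"],
                                       metrics[n]["jitter_ms"]))


def sample_uplinks() -> List[Uplink]:
    """Constructed probe history for three uplinks (not real measurements)."""
    return [
        Uplink("mpls", [ProbeSample(r) for r in (20, 22, 21, 23)]),
        Uplink("inet1", [ProbeSample(30), ProbeSample(0, lost=True),
                         ProbeSample(80), ProbeSample(35), ProbeSample(90)]),
        Uplink("inet2", [ProbeSample(r) for r in (40, 42, 41, 43)]),
    ]


if __name__ == "__main__":
    sla = Sla(max_latency_ms=50, max_jitter_ms=10, max_loss_pct=2)
    for u in sample_uplinks():
        print(u.name, measure(u))
    print("selected:", select_path(sample_uplinks(), sla, ["inet1", "inet2", "mpls"]))
```

With the constructed samples, inet1 fails the SLA on both loss (20%) and latency, so the steering policy skips it even though it is first in the preference list and picks inet2; tightening the latency budget below what any uplink can deliver triggers the fallback to mpls.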
When SaaS Express is set to optimize an application, Branch Gateways resolve the front door URLs of the SaaS applications every 15 minutes by querying the configured DNS servers (or the ones learned through DHCP from the ISP). This resolves the closest SaaS front doors, and the gateways then send probes to those front doors (every 10 seconds when set to optimize, or every 60 seconds in monitor-only mode). The statistics collected from these probes are used to enforce path steering policies on the SaaS traffic.
Figure 1 Active SaaS Monitoring
Passive SaaS Monitoring
To close the loop on visibility, once the SaaS traffic flows start going through the Branch Gateway, it measures the actual performance of the LAN and WAN segments by monitoring the TCP flows going through the datapath.
Having both the active measurements (based on synthetic probes) and the passive monitoring (based on observing TCP flows) allows for a better understanding of how SaaS applications are performing.
Figure 2 Passive SaaS Monitoring
Ensure Routing to the Closest SaaS Node
It is common in enterprise networking for users to resolve addresses against the corporate DNS server, which is hosted either in the datacenter or in a virtual private cloud. This provides additional control and security mechanisms for traffic that is going out to the internet, along with allowing the resolution of internal IP addresses.
While the reasons above (and many others) fully justify the use of corporate DNS servers, doing so can lead to a suboptimal user experience, because the IP addresses of these critical SaaS applications would be resolved by a DNS server that could be in a very different location from the user.
Figure 3 Closest SaaS Node
When using SaaS Express, DNS requests going to the domains corresponding to the applications being optimized are captured by the Branch Gateway and proxied to the ISP. This mechanism works irrespective of the DNS server configured in the client devices.
Figure 4 Sending DNS Requests
Best Path for Routing the Traffic
SaaS Express is designed to optimize SaaS applications when the traffic exits through the local breakout. When using a split tunnel traffic pattern (where only the prefixes advertised by other gateways are routed through the overlay), SaaS traffic naturally takes the local breakout. In full tunnel scenarios, or in scenarios where the internet traffic is sent through a cloud security service, exceptions must be introduced in the routing policies to prevent sending SaaS traffic through the overlay.
Application Identification
Branch Gateways use different application identification mechanisms. The traffic must be properly classified so that SaaS traffic can be broken out locally, prioritized, and made visible.
When defining a SaaS application (or customizing the default ones), the FQDNs used by the application are defined as part of the SaaS Express configuration. When SaaS Express is configured to optimize a particular application, the Branch Gateway DPI engine snoops the DNS requests to learn which IP addresses are being used by each application. This allows the application identification engine to build a cache of all the IPs and ports in use by that application.
For DNS snooping, DPI must be enabled on Branch Gateways.
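The DNS snooping step described above, as an added example (not the gateway's DPI engine): a small DNS response parser that follows name compression pointers, attributes every A record in a response to the SaaS application whose FQDN was queried (so CNAME chains to a CDN host are still credited to the right application), and keeps an IP-to-application cache that later classifies a flow by destination address. The application-to-domain table, the `_saas` names and the DNS messages are constructed for the example; the `build_a_response` helper only exists to fabricate sample packets offline.

```python
"""Added example: DNS snooping into an application-identification cache.
Not Aruba code. App/domain table, addresses (TEST-NET ranges) and DNS
messages are constructed; build_a_response only fabricates sample packets."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Constructed SaaS Express-style definitions: alias name -> FQDNs (assumed).
APP_DOMAINS: Dict[str, List[str]] = {
    "zoom_saas": ["zoom.us"],
    "dropbox_saas": ["dropbox.com", "dropboxapi.com"],
}


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question, one A record per address,
    each answer owner name written as a compression pointer (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, IN
    answers = b""
    for a in addrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


def read_name(msg: bytes, off: int, max_hops: int = 16) -> Tuple[str, int]:
    """Decode a DNS name at off, following compression pointers.
    Returns (name, offset just past the name as it appeared in the message).
    Pointer hops are bounded so a malformed packet cannot loop forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg: bytes) -> Tuple[str, List[str]]:
    """Return (first question name, IPv4 addresses from A answers)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:            # QR bit clear: a query, nothing to learn
        return "", []
    off, qname = 12, ""
    for i in range(qd):
        name, off = read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
        if i == 0:
            qname = name
    addrs = []
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


class AppIdCache:
    """IP -> application cache populated by snooping DNS responses."""

    def __init__(self, app_domains: Dict[str, List[str]]):
        self.app_domains = app_domains
        self.ip_to_app: Dict[str, str] = {}

    def app_for_name(self, name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        for app, domains in self.app_domains.items():
            if any(name == d or name.endswith("." + d) for d in domains):
                return app
        return None

    def snoop(self, msg: bytes) -> int:
        """Learn addresses from one response; returns how many were cached."""
        qname, addrs = parse_response(msg)
        app = self.app_for_name(qname)
        if app is None:
            return 0
        for ip in addrs:
            self.ip_to_app[ip] = app
        return len(addrs)

    def classify(self, dst_ip: str) -> Optional[str]:
        return self.ip_to_app.get(dst_ip)


if __name__ == "__main__":
    cache = AppIdCache(APP_DOMAINS)
    cache.snoop(build_a_response("zoom.us", ["203.0.113.10", "203.0.113.11"]))
    print(cache.classify("203.0.113.10"), cache.classify("198.51.100.1"))
```

The cache keys on the queried name rather than on each answer's owner name, which is what makes DNS snooping robust to CNAME chains; the trade-off is that a learned address stays attributed until it is overwritten, so a production engine also needs TTL-based expiry, which this example omits.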
Deep Packet Inspection
Branch Gateways perform Deep Packet Inspection for more than 3400 well-known applications. To make classification of SaaS applications more robust, pre-defined SaaS Express applications are associated with one or more of the applications classified by the DPI engine.
Microsoft 365 provides an API to help SD-WAN vendors classify its IP addresses and FQDNs. By polling aka.ms/IPURLWS, the SD-WAN solution learns which IPs and FQDNs are used by the different applications in Microsoft 365. These IPs and FQDNs are classified in the following categories:
- Optimize: Services hosted by Microsoft that involve real-time traffic, and therefore must be optimized. As per the recommendation from Microsoft 365, these must be reached directly over the internet to minimize the distance. Microsoft guarantees the security of the resources.
- Allow: Services hosted by Microsoft that do not involve real-time traffic. Microsoft guarantees the security of the resources, so it is still recommended to reach these services directly over the internet.
- Default: Services that are required as part of the Microsoft 365 experience, but may or may not be hosted by Microsoft. Microsoft does not offer security guarantees and therefore recommends treating this as normal internet traffic.
SaaS Express uses fastdpi, a micro-service running on Aruba Central that polls Microsoft's API every 90 minutes to stay up to date with any new IP/FQDN. Gateways configured to optimize Microsoft 365 applications query the fastdpi service through the dedicated control channel pre-established with Aruba Central (gRPC) to learn the list of IPs and domains used for every category. For SD-Branch versions 18.104.22.168-22.214.171.124 and higher, SD-Branch automatically maps the prefixes in the Optimize and Allow categories to the corresponding application_saas aliases, and the FQDNs to the SaaS Express application definitions, to facilitate routing according to Microsoft 365 best practices. The gateways act as DNS proxy for all FQDNs classified by Microsoft, and the _saas Microsoft application makes use of the IP addresses learned from the API for traffic classification (WAN or PBR policies).
Figure 5 Classifying Microsoft 365
Traffic Forwarding
After the SaaS application traffic is identified correctly, the SaaS Express option is effectively an extension of Dynamic Path Steering (DPS). The performance of a circuit is measured using synthetic probes, and traffic is dynamically steered onto the available paths that comply with the Service Level Agreements (SLA). An additional nuance is the requirement to locally break out SaaS application traffic, which results in adding exceptions to the Policy Based Routing (PBR) policies.
To facilitate this, when an application is defined in SaaS Express, a matching application group alias is created. This alias represents the IPs (in the case of Microsoft 365) or FQDNs used by the SaaS application. It allows the Branch Gateway to route all the traffic corresponding to each SaaS application through the defined path. These aliases are easily identified because the name is suffixed with _saas, for example dropbox_saas or exchange_saas.
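An added example (not Aruba's or Microsoft's code) that ties the Microsoft 365 categories above to the _saas aliases and the PBR exception: endpoint records are turned into per-service `_saas` prefix sets (Optimize and Allow only, as the text states), the FQDNs of every category are collected for DNS proxying, and a routing decision for a full-tunnel site sends a destination inside a `_saas` alias to the local breakout on the DPS-selected uplink while everything else stays on the overlay. The record layout mirrors the public field names of the Microsoft endpoint web service (`serviceArea`, `urls`, `ips`, `category`) but the records, prefixes (TEST-NET ranges) and the alias naming rule are constructed for this example.

```python
"""Added example: Microsoft 365 categories -> _saas aliases -> PBR exception.
Not Aruba/Microsoft code. Records, prefixes and alias naming are constructed;
field names follow the public endpoint web service layout (assumption)."""
import fnmatch
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPNet = ipaddress._BaseNetwork

# Constructed endpoint records in the shape of the endpoint web service output.
SAMPLE_ENDPOINTS: List[dict] = [
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["203.0.113.0/24", "2001:db8:1::/48"], "category": "Optimize"},
    {"id": 2, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["198.51.100.0/25"], "category": "Optimize"},
    {"id": 3, "serviceArea": "Common", "urls": ["*.officeapps.live.com"],
     "ips": ["198.51.100.128/25"], "category": "Allow"},
    {"id": 4, "serviceArea": "Common", "urls": ["*.cdn.office.net"],
     "category": "Default"},            # Default: no prefixes, normal internet
]

LOCAL_BREAKOUT_CATEGORIES = {"Optimize", "Allow"}


def build_saas_aliases(endpoints: List[dict]) -> Dict[str, Set[IPNet]]:
    """Map Optimize/Allow prefixes to '<servicearea>_saas' aliases (assumed
    naming rule, matching the exchange_saas example in the text)."""
    aliases: Dict[str, Set[IPNet]] = {}
    for ep in endpoints:
        if ep.get("category") not in LOCAL_BREAKOUT_CATEGORIES:
            continue
        alias = ep["serviceArea"].lower() + "_saas"
        nets = aliases.setdefault(alias, set())
        for prefix in ep.get("ips", []):
            nets.add(ipaddress.ip_network(prefix, strict=False))
    return aliases


def dns_proxy_fqdns(endpoints: List[dict]) -> Set[str]:
    """All FQDN patterns classified by Microsoft, regardless of category;
    the gateway proxies DNS for every one of them."""
    return {u.lower() for ep in endpoints for u in ep.get("urls", [])}


def is_proxied_fqdn(name: str, patterns: Set[str]) -> bool:
    name = name.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def match_alias(dst_ip: str, aliases: Dict[str, Set[IPNet]]) -> Optional[str]:
    addr = ipaddress.ip_address(dst_ip)
    for alias, nets in aliases.items():
        if any(addr.version == n.version and addr in n for n in nets):
            return alias
    return None


def route_decision(dst_ip: str, aliases: Dict[str, Set[IPNet]],
                   dps_uplink: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Full-tunnel site: default action is the overlay. Destinations inside a
    _saas alias take the PBR exception: local breakout on the uplink chosen
    by Dynamic Path Steering. Returns (action, alias, uplink)."""
    alias = match_alias(dst_ip, aliases)
    if alias is not None:
        return ("local-breakout", alias, dps_uplink)
    return ("overlay", None, None)


if __name__ == "__main__":
    aliases = build_saas_aliases(SAMPLE_ENDPOINTS)
    for name, nets in aliases.items():
        print(name, sorted(str(n) for n in nets))
    print(route_decision("203.0.113.7", aliases, "inet2"))
    print(route_decision("192.0.2.1", aliases, "inet2"))
```

Note that the Default category contributes FQDNs to the DNS proxy list but no prefixes to any alias, so its traffic falls through to the overlay (or cloud security service) exactly as Microsoft's "treat as normal internet traffic" guidance implies.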