Design and Deployment
To design a network using SaaS Express, it is important to understand how SaaS Express interacts with other mechanisms as traffic traverses the Branch Gateway. Given the particular nature of SaaS Express, both control and data plane components must be considered.
The following elements are used in the control plane:
- Probes that are sent to the SaaS front doors to measure quality through every Internet Service Provider (ISP).
- DNS traffic is snooped to learn the destination IP addresses associated with each domain.
- DNS requests to SaaS domains are proxied to the servers learned from each ISP.
The synthetic probes work similarly to the underlay health checks. Probes are sent through every uplink interface configured in SaaS Express to all optimized (every 60 seconds) and monitored-only (every 10 seconds) applications. SaaS probes always take the underlay path.
The DNS component is a little more nuanced, as there are potential overlaps with other mechanisms. Firstly, DNS snooping on Branch Gateways is not specific to SaaS applications: it applies to any type of session and is what has enabled name-based firewall aliases in ArubaOS. When configuring PBR (Policy-based Routing) policies to locally break out SaaS traffic, name-based aliases can also be used. Nevertheless, it is generally simpler to use the application group aliases created by SaaS Express (ending in _saas). SaaS Express optimization must be enabled for such applications for the aliases to work.
Secondly, Branch Gateways can also serve as the DNS server for the branch (ArubaOS runs a small dnsmasq that can cache up to 150 entries). In that case, Branch Gateways can selectively redirect DNS requests on a per-domain basis (up to 32 domains) using the Redirect DNS feature, which is configured under System > General > DNS.
When SaaS Express is in use, DNS requests going to the domains of the applications being optimized are captured by the Branch Gateway's Data Plane. These requests are then proxied to the DNS server that was learned from the given ISP or that is configured in the SaaS Express Exit Profile. Because SaaS Express intercepts DNS requests in the Branch Gateway Data Plane, it takes precedence over DNS redirect.
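The precedence described above (SaaS Express interception first, then Redirect DNS, then the local dnsmasq) and the snooping that populates the _saas aliases, as an added example in the form of a hypothetical Python model; this is not ArubaOS code, and the class, method names, the 32-domain and 150-entry limits as enforced here, and the sample addresses are assumptions or constructed values.

```python
from dataclasses import dataclass, field

MAX_REDIRECT_DOMAINS = 32  # Redirect DNS limit stated on the page
MAX_CACHE_ENTRIES = 150    # dnsmasq cache size stated on the page


@dataclass
class BranchGatewayDns:
    """Hypothetical model of Branch Gateway DNS handling; not ArubaOS code."""
    optimized_apps: dict                 # app name -> set of domains optimized by SaaS Express
    isp_dns: dict                        # uplink name -> DNS server learned from that ISP
    exit_profile_dns: str = None         # server configured in the SaaS Express Exit Profile, if any
    redirect_dns: dict = field(default_factory=dict)   # domain -> server (Redirect DNS feature)
    saas_aliases: dict = field(default_factory=dict)   # "<app>_saas" -> addresses learned by snooping
    cache: dict = field(default_factory=dict)          # dnsmasq-style cache: name -> addresses

    def add_redirect(self, domain, server):
        """Configure a Redirect DNS entry, enforcing the 32-domain limit."""
        if domain not in self.redirect_dns and len(self.redirect_dns) >= MAX_REDIRECT_DOMAINS:
            raise ValueError("Redirect DNS supports at most %d domains" % MAX_REDIRECT_DOMAINS)
        self.redirect_dns[domain] = server

    @staticmethod
    def _matches(qname, domain):
        return qname == domain or qname.endswith("." + domain)

    def _optimized_app(self, qname):
        for app, domains in self.optimized_apps.items():
            if any(self._matches(qname, d) for d in domains):
                return app
        return None

    def dispatch(self, qname, uplink):
        """Return (handler, server) for a query seen on an uplink; SaaS Express wins over Redirect DNS."""
        if self._optimized_app(qname) is not None:
            return "saas-express-proxy", self.exit_profile_dns or self.isp_dns[uplink]
        for domain, server in self.redirect_dns.items():
            if self._matches(qname, domain):
                return "redirect-dns", server
        return "dnsmasq", "upstream"

    def snoop(self, qname, answers):
        """Snoop a response: cache it and add the addresses to the matching <app>_saas alias."""
        if qname not in self.cache and len(self.cache) >= MAX_CACHE_ENTRIES:
            self.cache.pop(next(iter(self.cache)))  # evict the oldest entry (eviction policy assumed)
        self.cache[qname] = set(answers)
        app = self._optimized_app(qname)
        if app is not None:
            self.saas_aliases.setdefault(app + "_saas", set()).update(answers)
        return self.saas_aliases
```

Note that a domain listed both as an optimized SaaS domain and under Redirect DNS is still proxied by SaaS Express, which is the overlap the text warns about.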
Figure 1 Control plane—SaaS front door
Data Plane Integration
In the data plane, the following components are related to the SaaS traffic traversing the Branch Gateways:
- Security: Firewall policies potentially leveraging applications defined by SaaS Express.
- Routing: PBR influences the paths or next-hops that are available for the application, while routing defines a set of best routes (or default gateways).
- WAN policies (which include DPS and SaaS Express) choose between the best routes provided by PBR or routing.
For the security component, SaaS Express requires Advanced subscriptions, and the fact that these may not be present on all members of a group (where security policies are defined) complicates the use of the _saas aliases. As a result, SaaS Express aliases are not available for use in session ACLs.
Global routing, in combination with PBR, determines the next hop(s) and provides up to four active (best cost/priority) paths to the WAN engine. WAN policies (SaaS/DPS) determine which path is taken for each traffic flow. For SaaS Express to be effective, traffic for the optimized SaaS applications must break out locally. Therefore, routing must determine the next hop and the WAN policies must choose the path(s).
When SaaS and DPS policies coexist, SaaS policies always get indexes 1-32, while DPS policies get indexes 33-64. SaaS Express policies therefore always take precedence over DPS policies for any traffic going to the domains or IP addresses associated with the SaaS application being optimized.
Figure 2 Data plane—Policy Based Routing