Skip to content

MPLS to Zero Trust in 30 days

MPLS to Zero Trust in 30 days

Employees returning to the office are experiencing that their corporate networks are much slower compared to what they’ve been using at home. It’s partly due to outdated line speeds, and also partly due to security requirements that force all traffic to get backhauled through centralized data centers. While 44% of the US currently has access to fiber-based broadband Internet with speeds reaching 1 Gbps, many MPLS sites are still on old 1.5 Mbps circuits. This is a reality check and a reminder that the current MPLS based networks are unable to support the shift from centralized applications in the datacenter to a distributed SaaS and hybrid multi-cloud world.

In this post, we are going to outline the steps required to take your network from MPLS to Zero Trust. But, before we do — a little about how we ended up in this situation.

Enterprise networks today

Over the past 10 years, most enterprise networks have evolved from perimeter hub and spoke networks into franken-networks as a means to solve connectivity and security issues. We have not had a chance to redesign them holistically for distributed application access. The band-aid and point solutions have only pushed the problems further down the road — to a future day for someone else to solve.

The advent of cloud adoption put additional pressure on the already ailing legacy WAN. Increased Internet use for business, mining data for actionable insights, advanced security monitoring multiplied bandwidth demand at customer branches. This puts additional pressure on companies seeking to manage their WAN cost. Below is a graphical representation of business loss due to growing bandwidth needs on.

Business loss = (X) cost of project delay  + (Y) loss of productivity due to outages

Excitement about SD-WAN

Organizations have been looking to Software-Defined WAN (SD-WAN) to solve some of these challenges. It allows organizations to shift from MPLS private lines to broadband Internet and significantly reduce their cost per Mbps. SD-WAN offers other valuable features like application-aware intelligent routing based on path quality. Orchestrator and analytics help to provide much-needed deployment speed and network visibility, respectively.

Despite the incremental improvement that SD-WAN offers over traditional network architectures, some fundamental challenges remain. SD-WAN is a hardware-dependent edge routing technology that does not always account for the middle mile. While broadband Internet is reasonably fast and available everywhere, it doesn’t offer the end-to-end security and reliability that mission-critical applications require. Further, managing security policies and Internet breakouts across hundreds of edge devices is complex, and many organizations are still choosing to backhaul traffic to centralized data centers. We require a new architecture — with security, speed, and reliability built-in.

Cloudflare Magic WAN

Cloudflare Magic WAN simplifies legacy WAN architectures by enabling customers to use the Cloudflare global network to interconnect their branch offices, data centers, and public cloud services. It includes Zero Trust security services that can be enabled as needed, improve performance, and can be managed through a single dashboard.

Magic WAN has many advantages over traditional WAN architectures. It eliminates the need to manage a mesh of tunnels. A single Anycast IPSec or GRE tunnel from a site provides connectivity to all other sites and applications, with the Cloudflare network acting as the network hub, simplifying operational overhead. It removes the requirement for all traffic to be backhauled to a centralized data center to enforce security policies. Cloud-native firewall-as-a-service (FWaaS) for inbound and site-to-site traffic and security web gateway (SWG) for outbound traffic is available at the same data centers where WAN traffic enters the Cloudflare network. Organizations can deploy consistent security policies globally which get enforced at the Cloudflare data center closest to the user at any of our 270+ cities. SaaS and consumer application traffic can be routed directly to the Internet from the edge of the network. With Cloudflare serving millions of websites, the destination might be available on the same server, resulting in better performance for users.

Furthermore, with no appliances to manage or scale, Magic WAN gives you an elastic WAN with zero capital investment that you can quickly scale up or down depending on business needs.

Bridge to Zero Trust

The ultimate goal for many organizations is to move their network and security architecture from a castle & moat model to a Zero Trust model where there’s no longer a hard boundary between “private” and “public” networks. Instead, security is enforced at the user and the application level, using identity, endpoint health and location as key attributes. So an employee on a managed laptop in their home country may have access to all corporate applications, but if they log in from a personal laptop, they might have limited access to only certain applications. Or if the network detects malware on their managed laptop, their access can be quickly revoked, preventing the spread of ransomware, for example, through their organization.

This requires a WAN that is intelligent enough to understand user identities and endpoint health and make intelligent enforcement decisions based on these attributes. This also requires enforcement points that can apply consistent security policies regardless of whether the users are coming from a corporate branch office or from a home office over the Internet.

Cloudflare Magic WAN, part of the Cloudflare One product suite, enables this transition to a true Zero Trust architecture by building in security natively into the network.

Prep work for successful transformation from MPLS to Zero Trust

Planning leads to awareness, while preparation leads to readiness.

MPLS to Zero Trust transformation is a team effort. Traditionally, network managers are responsible for the WAN; security managers for the security perimeter & policies; infrastructure team for the cloud; application teams for application development. Future transformed state has built-in security for seamless on-demand, secured and reliable distributed application access.

1) Network, security, infrastructure, and application project management teams should collectively discuss and document the current/future state.  Sample document below

Current state
Future state

Example: 1600 apps
Example: 2400 apps

Local: 300, DC: 600, Public cloud: 400, Private cloud:100, SaaS: 200

Regional application needs
Local File servers

# of branch locations

Example: Platinum 99%, Gold 95%, Silver: 90%, bronze: best effort
Platinum 100%, Gold 99%, Silver: 95%, bronze: best effort

Current set up
Platinum: Dual MPLS, Gold: MPLS + Internet etc
Platinum: 2 x 1G DIA, Gold: 2 x 1G DIA etc

Platinum: 100M, Gold 50M etc
Platinum 1G, Gold 500M etc

CSP with location
1G ExpressRoute 1G Direct Connect
10G 10G

Internet breakout
On demand

DC: XXX Firewall HA
Cloud based local break out

Limited security control
Identity based granular ZT based policies

Remote Access
1000 seats
2000 seats

Zero Trust Network Access

Cloud security


Device posture


2) Conduct transformation workshop to

  • Map all combinations of future traffic flows: Device Type – User profile – Application – Enforcement technology – Zero Trust rules
  • Traffic flows help to determine future architecture baseline

3) Invite vendors, partners, and providers for discussion to validate the design and identify technology readiness to support traffic flows and architecture.

4) Carry out budgeting exercises and a business plan to map current pain points with solutions and pricing. Involve specialized experts to develop business plans if needed.

5) Form a special project team that includes project managers, engineering point of contact from all technical groups, local site contacts, escalation team, stakeholder representatives, business owners.

Transition plan

A transition plan is a critical step toward a successful transformation. A good transition and project plan will ensure minimal downtime, while a bad plan will result in outages, business disruption, increased transition time, and cost. The plan should include detailed steps and milestones.

Sample transition plan below:

  • Identify bridging point

    • Bridging point will act as a bridge between transitioned and non-transitioned branch locations.
    • Ideally, regional and global data centers are preferred bridging points between existing MPLS and the new Cloudflare based WAN.
  • Create user acceptance test (UAT)

    • Collaborate with internal teams and site contacts to create a UAT.
    • Perform UAT before and after cutover for each site to ensure users can access their applications as expected performance after transition.
  • Migration schedule

    • Develop a migration schedule to ensure minimal business impact.
  • Prep for Magic WAN

    • Connect applications: Leverage Cloudflare onramp options to connect your various applications to Cloudflare platform.
    • Connect branch: Configure your WAN Edge device (router, SD-WAN device, firewall etc) and connect to Cloudflare platform
    • Please refer for detailed step-by-step instructions to configure Magic WAN
  • Note: Above step will NOT impact existing traffic flows via the existing MPLS path. Take precautions to ensure no production impact. Please follow your change control guidelines and request a maintenance window if applicable.

  • Ready for cutover

    • We are ready for cutover after steps 4 & 5, i.e., ready to migrate and transition branches to Cloudflare based network.
  • Cutover window

    • During the cutover window, production traffic will stop traversing the existing MPLS path and transition to the new Cloudflare based network..
    • Perform UAT before and after cutover.
  • Disconnect MPLS

    • MPLS circuits can be disconnected, as sites are migrated.
  • Additional:

    • Retire legacy VPN
      • Customers can leverage Cloudflare’s Zero Trust Network Access to access their applications and retire legacy VPN based access.
    • Assumption
      • Customer is responsible for Internet circuit procurement and installation to replace MPLS circuits.

    We’re proud of how we’ve been able to help some of Cloudflare customers reinvent their corporate networks. It makes sense to close with their own words


    Replacing MPLS, modernizing network and network security to provide business agility is a must for the digital future. Move to Zero Trust is inevitable for most organizations. Temporary band-aids and point solutions have resulted in business losses, poor employee experience and increased security risk. Moving from MPLS to Zero Trust sounds like a daunting task but teamwork, proper planning, preparation, and right solution will make transformation easily achievable and more manageable.

    If you’d like to get started, contact us today and get started on your journey.

    Replacing MPLS lines is a great project to fit into your overall Zero Trust roadmap. For a full summary of Cloudflare One Week and what’s new, tune in to our recap webinar.

    Source:: CloudFlare