  • Security: inbound access challenges
  • Convenience: client configuration challenges
  • Performance: unlike link challenges
  • Cost: unlike link cost


High Availability Dual WAN Remote Industrial Connectivity

Industry cannot stop. Many processes are very expensive to shut down and restart (think of plastic extrusion, where the material solidifies). When this is combined with the rise of the subscription model and increasing remote operations and asset management, it becomes clear that Industry 4.0 relies on reliable, non-stop Internet connectivity. However, industrial sites are commonly not colocated with multiple resilient fibre providers, which leads to a challenge: how can we ensure highly available, economical industrial connectivity that meets our security, end-user, and performance objectives using multiple unlike Internet (WAN) links?

High Availability Dual WAN Industrial Connectivity Challenges

There are multiple methods to provide a high-resilience always-on connectivity experience. These include:

Packet Ring Fibre Architectures

In this model, a single networking provider uses ring-architectures (originally SONET/SDH, later Resilient Packet Rings) and technologies such as MPLS. These Metro Ethernet type standards become very expensive as your facility moves away from the downtown core of a larger city.

These technologies have the benefit of high performance and low latency. However, no matter how much resilience is engineered into the network, they still rely on a single provider. The old adage that “the Internet’s natural predator is the backhoe” remains true.

Single Provider, Dual Technologies (AKA cellular failover)

In this architecture, the network provider supplies a termination device that consumes a wireline technology and also contains a cellular modem, which becomes active if the wireline link is unavailable for some time.

This solution might also be bundled with an SD-WAN architecture, in which a VPN is also run over each link to a cloud provider.

The downside of this architecture is that inbound connectivity is impossible, since the IP address is not public or can change. Also, for SD-WAN overlays, unlike links with unlike latency and MTU can cause significant performance reductions even in the normal, online case.

In 2022, Rogers Communications, a provider of wireline and wireless connectivity, had a nationwide outage in Canada. This took down even systems believed to be highly resilient, such as payment processing. Dual technologies from one provider are not sufficient as a backup mechanism.

Dual WAN

In an uncorrelated dual WAN setup, two independent Internet providers are contracted. This provides high resiliency, covering even events such as BGP routing failures and peering failures.

Typical challenges here include inbound traffic (no public IP is present, so all clients would need reconfiguring), unlike latency and MTU on the two links, and the health checking needed to know which link to use.

Other Challenges

The use of remote connectivity in industrial settings remains a contentious issue, largely due to the unreliability of common tools like VPNs. When an industrial facility lacks a fixed, always-available IP address, establishing inbound VPN connections becomes impossible. This necessitates the reconfiguration of all external clients whenever a failover occurs, which can be inconvenient and time-consuming.

Port forwarding to a DMZ, another frequently used tool, suffers similar limitations. Cellular or satellite backup links typically lack the public IP address needed for port forwarding. Even if one were available, it would necessitate either updating DNS records and waiting for cache expiration, or reconfiguring all external clients, both inconvenient and time-consuming solutions.

Firewall configuration also becomes more complex when there are multiple unlike WAN links, usually requiring calibrated changes on multiple firewalls simultaneously. Internal constructs such as NAT and default routes are also complex to deal with. Some routers support tools like MWAN3, but these require complex health checks to set up.

High Availability Dual WAN Industrial Connectivity: Agilicus AnyX

Agilicus AnyX provides a Zero Trust Network Architecture which is an ideal complement to a dual WAN architecture.


The Agilicus AnyX Connector maintains at least two concurrent outbound TCP connections, one for each WAN link, keeping them up and ‘hot’, ready to service.

Ongoing health checks ensure traffic is sent down the link which is up.

These outbound connections terminate in the Agilicus AnyX cloud, giving a fixed external IP.
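The per-link health check and failover decision described above can be modelled as follows. This is an added example, not Agilicus AnyX code; the class and function names, the thresholds, the preference order and the documentation-range addresses are assumptions.

```python
import socket
from dataclasses import dataclass
from typing import Optional

@dataclass
class Link:
    name: str
    source_ip: str        # local address on this WAN (assumed; needs per-source policy routing)
    down_after: int = 3   # consecutive failed probes before the link is marked down (assumed)
    up_after: int = 2     # consecutive good probes before it is trusted again (assumed)
    up: bool = True
    fails: int = 0
    oks: int = 0

    def record(self, ok: bool) -> None:
        """Apply one probe result with hysteresis so a single lost probe does not flap the link."""
        if ok:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= self.up_after:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= self.down_after:
                self.up = False

def probe(link: Link, target: tuple, timeout: float = 2.0) -> bool:
    """Outbound TCP connect sourced from this link's address; no inbound port is opened."""
    try:
        with socket.create_connection(target, timeout=timeout,
                                      source_address=(link.source_ip, 0)):
            return True
    except OSError:
        return False

def select(links: list) -> Optional[str]:
    """Return the first healthy link in preference order, or None if every link is down."""
    return next((link.name for link in links if link.up), None)

def replay(links: list, rounds: list) -> list:
    """Feed probe results (one dict per round) and return the link chosen after each round."""
    chosen = []
    for results in rounds:
        for link in links:
            link.record(results[link.name])
        chosen.append(select(links))
    return chosen

# Constructed sample: fibre fails for four rounds and then recovers; cellular stays up.
SAMPLE = [{"fibre": ok, "cellular": True}
          for ok in (True, False, False, False, False, True, True)]
```

In a live deployment each round would call `probe()` against a fixed external endpoint on every link; `replay()` is used here so the failover behaviour can be checked offline.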

Agilicus AnyX Dual WAN benefits

  1. No client reconfiguration. The end user is unaware of changes in the network topology of the plant.
  2. Automatic handling of unlike latency and MTU. Each TCP connection has its own cached routing table, with its own path MTU discovery.
  3. No inbound ports open. No firewall configuration needs to be made per link; it is fixed.
  4. No VPN required and no SD-WAN required, saving cost.

Conclusions: High Availability Dual WAN Remote Industrial Connectivity

Industry 4.0 and beyond requires always-on, reliable, secure, economical connectivity. The best solution is to use two independent WAN connections from two independent providers (fibre and cellular, cable and satellite, etc.). Once these two providers are wired up, Agilicus AnyX provides secure, simple traversal of these links: always on, simple, economical.

Ready To Learn More?

Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
