Industrial Connectivity White Paper
High Availability Dual WAN Remote Industrial Connectivity
Industry cannot stop. Industry is also commonly located in remote areas with fewer network connectivity choices. In this white paper we discuss some of the challenges of dual WAN connectivity, and their solutions.
Topics covered include:
- Security: inbound access challenges
- Convenience: client configuration challenges
- Performance: unlike link challenges
- Cost: unlike link cost
Industry cannot stop. Many processes are very expensive to shut down and restart (think of plastic extrusion, where the material condenses into a solid). When this is combined with the rising Subscription Model and increasing Remote Operations and Asset Management, it becomes clear that Industry 4.0 relies on reliable, non-stop Internet connectivity. However, Industry is commonly not co-located with multiple resilient fibre providers, which leads to a challenge: how can we ensure highly available, economical industrial connectivity that meets our security, end-user, and performance objectives using multiple unlike Internet (WAN) links?
High Availability Dual WAN Industrial Connectivity Challenges
There are multiple methods to provide a high-resilience always-on connectivity experience. These include:
Packet Ring Fibre Architectures
In this model, a single networking provider uses ring architectures (originally SONET/SDH, later Resilient Packet Rings) and technologies such as MPLS. These Metro Ethernet-type services become very expensive as your facility moves away from the downtown core of a larger city.
These technologies have the benefit of high performance and low latency. However, no matter how much resilience is engineered into the network, they still rely on a single provider. The old adage that “the Internet’s natural predator is the backhoe” remains true.
Single Provider, Dual Technologies (AKA cellular failover)
In this architecture, the network provider supplies a termination device that uses a wireline technology and also contains a cellular modem, which becomes active if the wireline link is unavailable for some time.
This solution might also be bundled with an SD-WAN architecture, in which a VPN is also used over each link to a cloud provider.
The downside of this architecture is that inbound connectivity is impossible, since the IP address is not public or can change. Also, for SD-WAN overlays, unlike links with unlike latency and MTU can significantly reduce performance even in the normal, online case.
In 2022, Rogers Communications, a provider of wireline and wireless connectivity, had a nationwide outage in Canada. This took down even systems believed to be highly resilient, such as payment processing. Dual technologies from a single provider are not sufficient as a backup mechanism.
Dual WAN
In an uncorrelated dual WAN setup, two independent Internet providers are contracted. This provides high resiliency, covering even failures such as BGP routing failures and peering failures.
Typical challenges here include inbound traffic (no public IP is present, so all clients would need reconfiguring), unlike latency and MTU on the two links, and the health checking needed to know which link to use.
Other Challenges
The use of remote connectivity in industrial settings remains a contentious issue, largely due to the unreliability of common tools like VPNs. When an industrial facility lacks a fixed, always-available IP address, establishing inbound VPN connections becomes impossible. This necessitates the reconfiguration of all external clients whenever a failover occurs, which can be inconvenient and time-consuming.
Port forwarding to a DMZ, another frequently used tool, suffers similar limitations. Cellular or satellite backup links typically lack the public IP address needed for port forwarding. Even if one were available, it would necessitate either updating DNS records and waiting for cache expiration, or reconfiguring all external clients, both inconvenient and time-consuming solutions.
Firewall configuration also becomes more complex when there are multiple unlike WAN links, usually requiring coordinated changes on multiple firewalls simultaneously. Internal constructs such as NAT and default routes are also complex to handle. Some routers support tools like MWAN3, but these require complex health checks to set up.
High Availability Dual WAN Industrial Connectivity: Agilicus AnyX
Agilicus AnyX provides a Zero Trust Network Architecture which is an ideal complement to a dual WAN architecture.
The Agilicus AnyX Connector maintains at least two concurrent outbound TCP connections, one for each WAN link, keeping them up and ‘hot’, ready to service.
Ongoing health checks ensure traffic is sent down the link which is up.
These outbound connections terminate in the Agilicus AnyX cloud, giving a fixed external IP.
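The pattern described above (one hot outbound TCP connection per WAN link, health-checked, with traffic steered to a link that is up) is shown in the following added example. It is not Agilicus AnyX code: the PING/PONG probe, the `Link` and `pick_link` names, the failure threshold, and the loopback `stub_endpoint` that stands in for the cloud endpoint are all assumptions made for illustration.

```python
import socket
import threading

class Link:
    """One WAN path: a hot outbound TCP connection pinned to that link's source IP."""
    def __init__(self, name, source_ip, fail_threshold=3):
        self.name, self.source_ip = name, source_ip
        self.fail_threshold, self.failures, self.sock = fail_threshold, 0, None

    def connect(self, endpoint, timeout=2.0):
        # Binding the source address lets per-source policy routing (assumed to be
        # configured on the host or router) send this connection out the matching WAN.
        self.sock = socket.create_connection(
            endpoint, timeout=timeout, source_address=(self.source_ip, 0))

    def probe(self):
        """End-to-end check over the live connection: send PING, expect PONG."""
        try:
            self.sock.sendall(b"PING\n")
            ok = self.sock.recv(16) == b"PONG\n"
        except (OSError, AttributeError):   # reset, timeout, or never connected
            ok = False
        self.failures = 0 if ok else self.failures + 1
        return ok

    @property
    def healthy(self):
        # Several consecutive failures are required, so one lost probe
        # does not flap traffic between unlike links.
        return self.sock is not None and self.failures < self.fail_threshold

def pick_link(links):
    """Probe every link, then return the first healthy one in preference order."""
    for link in links:
        link.probe()
    return next((link for link in links if link.healthy), None)

def stub_endpoint():
    """Constructed loopback stand-in for the fixed cloud endpoint (PING -> PONG)."""
    srv = socket.create_server(("127.0.0.1", 0))
    conns = []
    def serve():
        conn, _ = srv.accept()
        conns.append(conn)
        while conn.recv(16):
            conn.sendall(b"PONG\n")
    threading.Thread(target=serve, daemon=True).start()
    def drop():                             # simulate this WAN path going down
        for conn in conns:
            conn.shutdown(socket.SHUT_RDWR)
    return srv.getsockname(), drop
```

In a real deployment each `Link` would use the address of its own WAN interface as `source_ip` and both would connect to the same endpoint; a failed link would also need reconnect logic, which is omitted here.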
Agilicus AnyX Dual WAN benefits
- No client reconfiguration. The end user is unaware of changes in the network topology of the plant.
- Automatic handling of unlike latency and MTU. Each TCP connection has its own cached routing table, with its own path MTU discovery.
- No inbound ports open. There is no per-link firewall configuration to make; the configuration is fixed.
- No VPN required and no SD-WAN required, saving cost.
Conclusions: High Availability Dual WAN Remote Industrial Connectivity
Industry 4.0 and beyond requires always-on, reliable, secure, economical connectivity. The best solution is to use two independent WAN connections from two independent providers (fibre and cellular, cable and satellite, etc.). Once these two providers are wired up, Agilicus AnyX provides secure, simple, economical, always-on traversal of these links.
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7