Rebuilding Kaiser Permanente’s WAN for the Cloud

Kris Kline Principal, Network Strategy Office of the CTO

© 2016 Kaiser Foundation Hospitals April 2016

2 © 2016 Kaiser Foundation Hospitals April 2016

Introduction to Kaiser Permanente

- Kaiser Permanente is the US's largest nonprofit health plan - Services provided across 7 national regions: 8 states and the District of Columbia - Over $62 billion in annual revenue

3 © 2016 Kaiser Foundation Hospitals April 2016

Kaiser Permanente WAN “Eras”

• 1995 – 2007 • 1Mb – 155Mb • Hub / Spoke

WAN 1.0 (ATM / Frame Relay)

WAN 3.0 (Hybrid WAN)

• 2015 – and beyond • 1Mb – 100Gb • SD-WAN Enabled • Multi-Vendor • Multi-connection types •  Integrates Carrier Neutral Facilities

(CNF) & Cloud

• 2007 – 2015 • 1Mb – 10Gb • Full MPLS Mesh • Single Vendor

WAN 2.0 (MPLS)

Enterprise Legacy WAN

(Passport)

Regional Legacy WAN

(Passport)

MO

SMO

DC

DC

MC

National Data Centers

Regional POP Sites

ATM WAN Architecture

SC

SMO

MO

Regional Legacy WAN

(Passport)

MO

SMO

MC

SCSMO

MO

Regional POP Sites

8 Regional WANs

KP Intranet WAN(AT&T MPLS)

DC

DC

MCMC

All Locations

SC

MC

MO

MO

SMO

SMO

Current WAN Architecture (KP TOP)

4 © 2016 Kaiser Foundation Hospitals April 2016

Previous WAN Architecture

5 © 2016 Kaiser Foundation Hospitals April 2016

Business Drivers for New WAN Approach

§  Increased criticality of the network §  Membership growth & Acquisitions §  New methods of care delivery §  Highly regulated industry – PHI, PCI, HIPAA §  Strategic move to external cloud services §  Forecast network growth – 20% to 40% YoY §  30%-60% of KP WAN traffic is Internet bound

6 © 2016 Kaiser Foundation Hospitals April 2016

WAN Architecture – Two Strategies

Hybrid WAN Edge Carrier Neutral Facility (CNF) Core

§  Grow bandwidth with Internet connections at edge

§  Increase utilization on dual MPLS links

§  Enables application profiling, prioritization, and transport selection

§  Sets foundation for the future – direct internet access to surf, guest, and public cloud

§  Leverage CNF for carrier flexibility, availability, and competitiveness

§  Enable high-speed Layer-2 DCI between DCs and CNFs

§  Deploy private MPLS and VRFs for powerful network underlay and traffic segmentation

§  Enable future core overlay capabilities (NSX / VXLAN)

7 © 2016 Kaiser Foundation Hospitals April 2016

Hybrid WAN Edge Architecture

8 © 2016 Kaiser Foundation Hospitals April 2016

KP Hybrid WAN Edge Detail

- Secure transport over both MPLS and Internet to Core - Traffic separation of Internal, Internet, Guest, & Wi-Fi Calling - Retaining Dual MPLS ; Adding Internet as tertiary connection - Dynamic Multi-Path capability via centralized application policy

9 © 2016 Kaiser Foundation Hospitals April 2016

Core WAN Architecture Drivers

§  Cost Effective – Leverage Layer-2 Waves from multiple carriers – Connections start at 2x10G

§  Maturity – Edge SD-WAN solutions not ready for core bandwidth and throughput

§  Flexibility – Enables various overlay and traffic separation technologies in core

§  Capability – Delivers bandwidth and performance for KP migration from internal DCs to IaaS/PaaS

10 © 2016 Kaiser Foundation Hospitals April 2016

Core WAN Architecture Concept

11 © 2016 Kaiser Foundation Hospitals April 2016

Combined Edge and Core WAN Architecture

12 © 2016 Kaiser Foundation Hospitals April 2016

Lessons Learned

§  Security –  New interfaces to cloud providers drive new security

flows and hardware placement –  Define which security stack applies to each different

cloud type

§  Application team excitement for cloud –  Drive for real requirements and scope

§  CNF selection and placement –  Understand each cloud vendor’s cloud connection points

and interface method

13 © 2016 Kaiser Foundation Hospitals April 2016

Thank You