Instrumenting Network Visibility to Support SaaS Adoption

Enterprise IT organizations are increasingly moving back-office and productivity applications to Software-as-a-Service (SaaS) platforms such as Office 365, Salesforce, and ServiceNow. Although the consumption models and rapid rates of innovation associated with SaaS applications are attractive to IT organizations, giving up operational control of applications can sometimes result in lost visibility to factors impacting end-user experience.

Prior to the emergence of SaaS applications, enterprises maintained end-to-end visibility of business applications because they controlled and managed all elements involved, including workstations, networks, application servers and databases. The performance and availability of SaaS applications are no longer solely dependent on a self-contained corporate network. This new model of application consumption now relies completely on Internet Service Provider (ISP) networks that connect users to SaaS provider data centers.

Network Visibility and State Tracking

The ThousandEyes Monitoring platform leverages testing agents both inside the corporate network and across the public Internet to track network connectivity state along with hop-by-hop performance metrics. This allows organizations to correlate blips in application level availability and performance with packet loss, latency and BGP path changes for the underlying network hops.

Organizations can take advantage of the insight provided by the ThousandEyes platform to better understand how performance and routing changes in the public Internet impact end-user experience of SaaS applications. Figures 1 and 2 below demonstrate how the path and performance characteristics within service provider networks are inter-related. The latency graph at the top of each figure, represents the end-to-end latency between the test agent running in the AWS Oregon region and the service front door for Microsoft Teams which is running in a Microsoft Washington data center. The path visualization sections in each figure show the hop-by-hop paths observed via network probes sent from the testing agent during the selected timeframes. Figure 2 demonstrates that the elevated end-to-end latency is most likely due to congestion associated with the traffic collapsing from three paths down to one. The red circle in Figure 2 also indicates elevated levels of packet loss.

Figure 1: Network Path from Oregon to Microsoft Teams (Normal Latency)

Figure 2: Network path from Oregon to Teams (Abnormal Latency)

Performance Event Isolation

Although it’s useful to understand how network path changes can impact performance characteristics, it’s even more important how those performance characteristics affect end-user experience. ThousandEyes provides information to help correlate fluctuations in application session performance and availability with underlying network events. Figure 3 below shows a graph of http session availability between a ThousandEyes testing agent in the Denver Cogent network and a Slack service front door in Dallas. The graph indicates multiple timeframes where the http session is unable to successfully establish.

Figure 3: Http Availability Fluctuations from Denver Cogent Network to Slack

Figure 4 shows a packet loss graph that directly correlates to the http session availability drops. The packet loss metrics come from network level probes from the ThousandEyes test agent to each hop in the path to the Slack service front door. During the period of extensive packet loss, the drops are associated with second router hop from the test agent.

Figure 4: Underlying Packet Loss Contributing to HTTP Availability

Quantifying the Impact of Local Internet Breakout

Many corporate networks have centralized or regionalized Internet egress points. This enables organizations to centralize costly Internet perimeter security functions such as firewalls, proxies, web-filtering and intrusion prevention. This model worked well when most of the business application traffic stayed within the corporate network. With increasing migrations to SaaS platforms, companies are much more dependent on their Internet connections. Microsoft strongly recommends that organizations allow remote offices to directly route traffic to its Office 365 platform applications instead of backhauling it to a centralized corporate Internet egress point. With the introduction of SD-WAN technologies, organizations now have the option of selectively routing traffic destined for verified SaaS providers directly out local internet circuits in remote offices while tunneling all other Internet traffic back to a centralized egress point.

ThousandEyes provides a way to track the performance characteristics from remote offices to critical SaaS applications as the corporate network evolves over time. ThousandEyes Enterprise Agents can be deployed in remote offices on several different platforms, including a container in a Cisco IOS XE router, directly onto an Intel NUC or as a hypervisor-based appliance. Instrumenting Enterprise Agents across a set of remote office allows organizations to quantify the network path and session performance differences between remote offices with direct Internet access and remote offices that backhaul Internet traffic.

Interested in Learning More?

If visibility into the network performance of SaaS applications is important to your organization, ThousandEyes has recently released a blog article (Monitoring Office 365 Blog) and webinar (Monitoring Office 365 Best Practices webinar) which provide additional guidance for monitoring Office 365 applications with their platform.

Hybrid Pathways is a ThousandEyes partner with innovative solutions for helping customers get the most out of their investment in the platform. Contact us for more information or product demonstration.