
Is your VPN really saving money? 7 reasons why it's costing you more

Many companies choose a VPN over their existing Internet connection by default for their cloud connection when migrating to the cloud. Seems like a cost-effective choice, right? Unfortunately, that's not always true. While a VPN connection appears to be cheaper at first glance, hidden costs often show up that quickly exceed the apparent savings. As is often the case, what at first appears cheap can turn out to be quite expensive.

We notice that VPN connections often cause challenges. They are not just minor inconveniences; they are often large disruptions. In a previous blog I described how handhelds often froze, caused by VPN problems, which was difficult to trace and solve. Recently we had a customer where a VPN caused disruptions for weeks on end. It doesn't always have to fail completely, but those intermittent problems are especially difficult to find and fix. And if the connection slows down gradually, you might not notice the productivity loss immediately, but in the end you can run up high costs.

We also see companies using VPNs more and more to connect different locations, in their own country or internationally. It looks like a cheap alternative to leased lines or MPLS, because the connections themselves are cheaper. Still, many companies quickly run into the limitations of VPNs, causing costs to rise rather than fall, and causing problems to multiply.

But what causes VPNs to carry so many hidden costs? Let's go through the top 7 reasons together.

A VPN is not scalable

A VPN works as a so-called 'serialization point'. Imagine a highway with 60 lanes that suddenly narrows to a single lane. The result? A traffic jam. This is caused by the way data is encrypted: every data packet needs to be encrypted individually and one by one, causing the speed to decrease. Without doing a deep dive into the technology, this is similar to how blockchain works - the first block needs to be fully completed before you can start the next one.

Because all data packets need to pass through the VPN in sequence, congestion starts happening quickly, even if the load seems low. Even when your VPN is loaded to 60% for 15 seconds, users will start to notice. At 70% it becomes annoying, at 80% it becomes disruptive.

VPNs were not designed to handle a large number of concurrent connections. Do you have 100 users and 6 applications in the cloud? That's 600 connections, more than enough to seriously slow your VPN down.

Your Internet connection has no traffic controller

Your Internet connection was once deployed to get access to the Internet - visiting websites and sending e-mails. But that's completely different from accessing your business applications, even if they're web based.

Internet services like YouTube and Netflix are designed to work without traffic control, using smart technology like buffering. Your business applications do not have that advantage. Additionally, buffering is not an option with video conferencing, unless you're OK with hearing someone 15 seconds after they speak.

Without a traffic controller it may still work with a few concurrent users, like when you're visiting websites. But as soon as you start using multiple business applications on that same line, the load increases significantly. Then you may not have 20, but 500 'users' on the same line. And without effective traffic control that will clog the line quickly.

Higher latency is the culprit

When you access applications over a WAN, you're already confronted with a higher latency than when you access them over a local network (LAN). Add a VPN to it and the latency increases even further. For those not familiar with latency: if bandwidth is the width of the road, latency is the length of the road. The higher the latency, the longer it takes for your data to reach the other side, regardless of how much bandwidth you have.

WAN connections have a higher latency than an office LAN, but a VPN makes this worse. Our measurements show that latency with a VPN is often two and a half times as high as without. That means your applications will respond two and a half times slower. What would you rather have? Wait two seconds for a page, or five seconds?

A VPN is a Single Point Of Failure (SPOF)

When your VPN fails, all your cloud applications go down. But the problem is worse: if you have cloud-based security, like Azure AD, your on-premises applications go down as well. Even your WiFi will fail, because that requires the cloud as well these days. How long can you afford to have your entire IT infrastructure offline?

But maybe you'll think: "My Internet connection is redundant, so I won't have that issue". Unfortunately most VPNs are not redundant. Even if a VPN runs over a redundant line, most problems are in the VPN itself and not in the physical connection.

Of course you can provision a fully redundant VPN, but that's so complex and expensive that the cost advantage of a VPN quickly disappears.

A VPN adds a lot of complexity

A VPN comes with a lot of complexity: encryption keys, certificates, subnets, management, and differences between the equipment you and your provider use. Compare that to a leased line or MPLS connection, where you just plug in your Ethernet cable and you're done. The provider handles all that complexity for you behind the scenes, which explains the price difference.

With a VPN all that complexity is on you. You can hire someone to handle it for you, but the complexity remains, because you still need to coordinate your equipment, network topology and security with those of your cloud provider.

"But Hugo, what if I just buy the same equipment the cloud provider has?" That will certainly fix part of the problem. But I know what that equipment costs, and for that purchase price you can run your MPLS for years to come.

A VPN jitters

For security reasons the keys a VPN uses are refreshed periodically, a process called 're-keying'. During this refresh the VPN is temporarily not available. If you have a complex VPN - which is often the case with cloud connections or connections between company locations - this process can take minutes. All that time you're not connected, and that's long enough to disrupt, say, a back-up or a data load of a data warehouse.

Re-keying is usually done every 8 hours, but it's difficult to plan. The next 8 hours start when the re-keying is complete. That means the exact moment your connection drops shifts a few minutes every day. Before you know it, it happens in the middle of office hours or an important back-up window. And when you restart your VPN equipment, the 8-hour period restarts from there.

These disruptions, which sometimes happen and sometimes don't, at unpredictable moments, are difficult to trace. And because re-keying is a 'normal' part of the technology, it can't be easily fixed.
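To make the drift described above concrete, here is a small added example (my own illustration, not code from the original post or from any VPN vendor). It models the schedule the text describes: a re-key every 8 hours, with the next 8-hour period starting only after the re-key completes. The 3-minute re-key duration, the midnight tunnel start and the 01:00-03:00 backup window are constructed values; the functions report how far the outage time-of-day drifts per day and which outages land inside a daily window, so you can check your own re-key interval against your own backup or office-hours window.

```python
"""Added example (not from the original post): model re-key drift and check
whether re-key outages ever land inside a daily time window.

Assumptions (labelled here and below): re-keying runs every 8 hours, the next
period starts only after the re-key completes, and one re-key takes 3 minutes.
"""
from datetime import datetime, timedelta

PERIOD = timedelta(hours=8)            # assumption: re-key interval
REKEY_DURATION = timedelta(minutes=3)  # assumption: how long the tunnel is down


def rekey_outages(tunnel_up, days=30, period=PERIOD, rekey=REKEY_DURATION):
    """Return (start, end) of every re-key outage in the next `days` days.

    Each cycle lasts period + rekey because the clock restarts only after the
    re-key completes, so outage k starts at tunnel_up + period + k*(period+rekey).
    """
    outages = []
    horizon = tunnel_up + timedelta(days=days)
    t = tunnel_up + period
    while t < horizon:
        outages.append((t, t + rekey))
        t = t + rekey + period
    return outages


def drift_minutes_per_day(period=PERIOD, rekey=REKEY_DURATION):
    """Minutes by which the outage time-of-day shifts from one day to the next.

    With roughly 24h/period cycles per day, each cycle adds one re-key duration,
    so the schedule slips (cycles_per_day * rekey) past a clean 24-hour repeat.
    """
    cycles_per_day = round(timedelta(days=1) / period)
    slip = cycles_per_day * (period + rekey) - timedelta(days=1)
    return int(slip.total_seconds() // 60)


def outages_in_window(outages, start_hour, end_hour):
    """Outages overlapping a daily time-of-day window such as a backup slot.

    Limitation: the window must not cross midnight, and each outage is compared
    against the window on the outage's own start date.
    """
    hits = []
    for start, end in outages:
        w_start = start.replace(hour=start_hour, minute=0, second=0, microsecond=0)
        w_end = start.replace(hour=end_hour, minute=0, second=0, microsecond=0)
        if start < w_end and end > w_start:  # standard interval-overlap test
            hits.append((start, end))
    return hits


if __name__ == "__main__":
    up = datetime(2024, 1, 1, 0, 0)  # constructed: tunnel (re)started at midnight
    outs = rekey_outages(up)
    print(f"{len(outs)} re-key outages in 30 days, "
          f"drifting {drift_minutes_per_day()} min/day")
    # constructed backup window 01:00-03:00; show the first collisions
    for s, e in outages_in_window(outs, 1, 3)[:3]:
        print("backup window hit:", s.strftime("%a %d %b %H:%M"), "-", e.strftime("%H:%M"))
```

With these constructed values the outage slot slides 9 minutes per day and first collides with the 01:00-03:00 window on the eighth day, which is exactly the kind of "it worked all week, then the backup failed" pattern the post describes; the same functions take your own interval, re-key duration and windows.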

Double encryption offers ... no extra security

One of the most important functions of a VPN is encrypting your traffic to keep it safe. But a lot of that traffic, like HTTPS to a secure website, is already encrypted these days. This means the VPN adds a layer of encryption, but no extra security.

What it does do is cause extra delays. Every encryption and decryption of the data takes time. And it requires more bandwidth on your connection, which also reduces your performance without offering any security advantage in return.

Long story short, double encryption doesn't help you, it just slows you down.

But Hugo, what should I do then?

Leased lines and MPLS connections are still the most reliable options. These solutions offer guarantees for quality and available bandwidth.

You often hear that SD-WAN is a good solution, but your mileage will vary. Some SD-WAN solutions offer no more than a VPN with some management and provisioning tools added, and they offer no improvements over a regular VPN. Other offerings can prioritize traffic, routing critical traffic over a faster connection and less important traffic over a slower connection. But the better SD-WAN solutions are often expensive and complicated to set up and maintain.

With IPv6 you can get a big advantage if you use your Internet connection. In another blog I give a detailed explanation of how IPv6 can help you make VPNs redundant. We've worked like that for 6 years - fast and failure-free.

And when a VPN is your only option? Make sure you have effective traffic control. Technically that's called Quality of Service (QoS). It gives important traffic priority over less critical traffic. And don't forget to strictly separate your Internet traffic from business traffic to the cloud or other locations of your business, because you can't regulate regular Internet traffic.
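The effect of a traffic controller is easy to see in a small simulation, so here is an added example (my own illustration, not code from the original post or from any QoS product). It puts a constructed bulk transfer (a backup starting) and a constructed voice-like stream on one assumed 10 Mbit/s line and serves packets either first-come-first-served or with strict priority for voice, which stands in for a real QoS policy. The numbers it reports are the worst queueing delay each class sees, which is what users experience as "the connection is slow".

```python
"""Added example (not from the original post): a single-link simulation that
shows what a 'traffic controller' (QoS) does for latency-sensitive traffic
when bulk traffic shares the line.

Assumptions (labelled here and in the code): a 10 Mbit/s uplink; one
constructed bulk burst and one constructed voice stream; strict priority
queueing stands in for the QoS policy.
"""
from collections import deque
from dataclasses import dataclass

LINK_MBPS = 10.0  # assumption: 10 Mbit/s business line


@dataclass
class Packet:
    arrival_ms: float
    size_bytes: int
    cls: str  # 'voice' (latency sensitive) or 'bulk' (e.g. a backup upload)


def tx_time_ms(size_bytes, mbps=LINK_MBPS):
    """Serialisation time of one packet on the link, in milliseconds."""
    return size_bytes * 8 / (mbps * 1000)


def constructed_traffic():
    """Constructed input: 300 x 1500-byte bulk packets dumped at t=0 (a backup
    starting) plus a 200-byte voice packet every 20 ms for one second."""
    pkts = [Packet(0.0, 1500, "bulk") for _ in range(300)]
    pkts += [Packet(i * 20.0, 200, "voice") for i in range(50)]
    return pkts


def fifo(queues):
    """No traffic control: whichever packet arrived first goes next
    (ties resolve to 'bulk', matching the enqueue order at t=0)."""
    head = min((q[0].arrival_ms, name) for name, q in queues.items() if q)
    return queues[head[1]].popleft()


def strict_priority(queues):
    """QoS: voice always goes before bulk when both are waiting."""
    name = "voice" if queues["voice"] else "bulk"
    return queues[name].popleft()


def simulate(packets, scheduler):
    """Serve packets one at a time on the link; return the worst queueing
    delay (ms) observed per traffic class."""
    pkts = sorted(packets, key=lambda p: p.arrival_ms)  # stable sort keeps bulk ahead at t=0
    queues = {"bulk": deque(), "voice": deque()}
    worst = {"bulk": 0.0, "voice": 0.0}
    now, i, pending = 0.0, 0, 0
    while i < len(pkts) or pending:
        while i < len(pkts) and pkts[i].arrival_ms <= now:  # queue everything that has arrived
            queues[pkts[i].cls].append(pkts[i])
            pending += 1
            i += 1
        if pending == 0:  # link idle: jump ahead to the next arrival
            now = pkts[i].arrival_ms
            continue
        p = scheduler(queues)
        pending -= 1
        worst[p.cls] = max(worst[p.cls], now - p.arrival_ms)
        now += tx_time_ms(p.size_bytes)  # link is busy while this packet is sent
    return worst


def compare():
    """Worst queueing delays without and with a traffic controller."""
    traffic = constructed_traffic()
    return {
        "fifo": simulate(traffic, fifo),
        "priority": simulate(traffic, strict_priority),
    }


if __name__ == "__main__":
    for policy, worst in compare().items():
        print(f"{policy:8s} worst voice delay {worst['voice']:7.2f} ms, "
              f"worst bulk delay {worst['bulk']:7.2f} ms")
```

Without traffic control the first voice packet waits behind the whole 360 ms bulk burst, which is well past the point where a call becomes unusable; with strict priority no voice packet ever waits longer than one bulk packet's transmission time (1.2 ms here), while the backup finishes only a few milliseconds later. That asymmetry is the whole argument for QoS on a shared line, and it is why the Internet traffic you cannot regulate should not share a line with business traffic you can.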

Curious what's the best solution in your case? Make an appointment with me. In only 15 minutes of your time I'll show you how to provision a reliable and fast connection with your cloud and your business locations.
