CPC H04L 45/64 (2013.01) [H04L 12/4633 (2013.01); H04L 45/02 (2013.01); H04L 45/04 (2013.01); H04L 45/74 (2013.01); H04L 41/508 (2013.01); H04L 41/5025 (2013.01)] | 22 Claims |
1. A network system comprising:
a plurality of edge network devices, each edge network device comprising one or more network interfaces to communicate with a communication network, a processor coupled to the one or more network interfaces and configured to execute a process, and a memory configured to store the process, the process when executed operable to:
maintain one or more tunnel-based overlays over the communication network to one or more remote edge network devices of the plurality of edge network devices,
wherein the communication network comprises two or more physical provider networks, and
wherein each of the plurality of edge network devices is part of a first enterprise network and provides access via the one or more tunnel-based overlays to resources hosted at one or more sites associated with the first enterprise network;
apply one or more firewall functions to network traffic received via the one or more network interfaces;
receive a plurality of policies from a central network controller,
wherein at least one of the plurality of policies is an overlay network policy comprising a first mapping between a first particular application and one of the one or more tunnel-based overlays, and
wherein at least one of the plurality of policies is a domain-based policy defining a mapping between one or more application traffic types and a direct internet access path across the communication network to one or more service domains that are not part of the first enterprise network; and
route the network traffic based on the plurality of policies,
wherein the domain-based policy is operative to cause the plurality of edge network devices to route selected network traffic on the direct internet access path outside of the first enterprise network to the one or more service domains, and
wherein the overlay network policy is operative to cause the plurality of edge network devices to route the selected network traffic on a corresponding tunnel-based overlay; and
the central network controller, the central network controller comprising one or more network interfaces to communicate with the communication network, a processor coupled to the one or more network interfaces and configured to execute a process, and a memory configured to store the process, the process when executed operable to:
transmit the plurality of policies to the plurality of edge network devices.
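The claim describes an SD-WAN control split: a central controller pushes a policy bundle, and each edge applies firewall functions, then steers a flow either onto a tunnel-based overlay (application-to-tunnel mapping) or onto a direct internet access path toward service domains outside the enterprise (domain-based mapping). The following is an added illustration of that decision order, not code from the patent or any vendor; every class, policy, domain and tunnel name in it is an assumption. It makes two points a practitioner cares about: the firewall functions run before the path choice, so a DIA breakout cannot route around them, and service-domain matching is done on label boundaries, so a look-alike host such as `evil-example-saas.com` does not inherit the DIA path granted to `example-saas.com`.

```python
"""Toy SD-WAN policy engine for the claimed controller/edge split.

Added example, not the patent's or any product's code. A central
controller transmits a bundle (firewall rules, an overlay policy mapping
applications to tunnel overlays, a domain-based policy mapping application
types to a direct internet access path for non-enterprise service domains)
to edge devices; each edge routes a flow from that bundle.  All names,
policies and domains below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    app: str          # application the edge identified (assumed: DPI/SNI)
    dst_domain: str   # destination host name
    dst_port: int


def in_domain(host: str, suffix: str) -> bool:
    """Label-boundary suffix match: 'x.example.com' is in 'example.com',
    'notexample.com' is not (a bare endswith() would get this wrong)."""
    host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


@dataclass(frozen=True)
class FirewallRule:
    action: str                              # "allow" or "deny"
    dst_port: Optional[int] = None           # None matches any port
    dst_suffix: Optional[str] = None         # None matches any domain

    def matches(self, flow: Flow) -> bool:
        port_ok = self.dst_port is None or self.dst_port == flow.dst_port
        dom_ok = self.dst_suffix is None or in_domain(flow.dst_domain, self.dst_suffix)
        return port_ok and dom_ok


@dataclass(frozen=True)
class OverlayPolicy:
    app_to_tunnel: Dict[str, str]            # application -> tunnel overlay name


@dataclass(frozen=True)
class DomainPolicy:
    app_types: FrozenSet[str]                # application traffic types
    service_domains: FrozenSet[str]          # service domains outside the enterprise
    path: str = "DIA"                        # direct internet access path


@dataclass(frozen=True)
class Policies:
    firewall: List[FirewallRule]
    overlay: OverlayPolicy
    domain: DomainPolicy
    default_tunnel: str                      # overlay used when nothing else matches


class EdgeDevice:
    def __init__(self, name: str, tunnels: Dict[str, bool]):
        self.name = name
        self.tunnels = tunnels               # overlay name -> currently up?
        self.policies: Optional[Policies] = None

    def receive_policies(self, policies: Policies) -> None:
        self.policies = policies

    def route(self, flow: Flow) -> str:
        p = self.policies
        if p is None:
            return "drop:no-policy"          # fail closed until the controller has pushed policy
        # 1. Firewall functions run before any path choice, so a DIA breakout
        #    can never bypass them (first matching rule wins).
        for rule in p.firewall:
            if rule.matches(flow):
                if rule.action == "deny":
                    return "drop:firewall"
                break
        # 2. Domain-based policy: app type + non-enterprise service domain -> DIA.
        if flow.app in p.domain.app_types and any(
                in_domain(flow.dst_domain, d) for d in p.domain.service_domains):
            return p.domain.path
        # 3. Overlay policy: application -> tunnel overlay, if that overlay is up.
        tunnel = p.overlay.app_to_tunnel.get(flow.app)
        if tunnel and self.tunnels.get(tunnel):
            return f"tunnel:{tunnel}"
        # 4. Otherwise the default overlay (also the fallback for a down tunnel).
        return f"tunnel:{p.default_tunnel}"


class CentralController:
    def __init__(self, policies: Policies):
        self.policies = policies

    def transmit(self, edges: List[EdgeDevice]) -> None:
        for edge in edges:
            edge.receive_policies(self.policies)


def demo_policies() -> Policies:
    """Constructed sample bundle (an assumption, not taken from the patent)."""
    return Policies(
        firewall=[FirewallRule("deny", dst_port=23),
                  FirewallRule("deny", dst_suffix="blocked.example"),
                  FirewallRule("allow")],
        overlay=OverlayPolicy({"voip": "mpls-overlay", "erp": "mpls-overlay"}),
        domain=DomainPolicy(frozenset({"saas-mail", "saas-docs"}),
                            frozenset({"example-saas.com"})),
        default_tunnel="inet-overlay",
    )


def build_site(tunnels: Dict[str, bool]) -> EdgeDevice:
    """One edge with the given overlay states, after the controller pushed policy."""
    edge = EdgeDevice("branch-1", tunnels)
    CentralController(demo_policies()).transmit([edge])
    return edge
```

The order of the checks is the security-relevant design choice: traffic sent on the DIA path leaves the enterprise without traversing the hub-side inspection that the overlays would carry it through, so any deny rule must be evaluated at the edge before the domain-based policy is consulted. The application identity the edge feeds into `route()` is only as trustworthy as the classifier behind it (DNS answers and TLS SNI are attacker-influenced), which is why the domain match is kept strict and a flow that matches nothing falls back to the default overlay rather than to the internet.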