An SD-WAN project to bolster security in a sprawling network of urgent care centers went far beyond its original focus.
PM Pediatrics, based in Lake Success, New York, launched on the East Coast but has opened care centers across the US, including locations in Alaska, California and Texas. The company was looking to increase security at more than 75 branch offices and give IT administrators centralized visibility into its IT network.
PM Pediatrics selected Vandis, an Albertson, New York-based IT services and consulting company, for the security task. Vandis recommended Fortinet’s Secure SD-WAN technology, which was new to the urgent care provider. Fortinet “wasn’t on the radar,” said John Tabako, director of IT infrastructure for PM Pediatrics.
The service provider ran a three-site proof of concept with PM Pediatrics, and the Fortinet launch took off from there. Vandis deployed a pair of highly available Fortinet firewalls at each branch, PM Pediatrics’ main data center, and its headquarters. Fortinet’s SD-WAN portfolio is integrated into its FortiGate firewall technology and requires no additional licenses. The project also included FortiManager, an appliance that allows administrators to centrally manage Fortinet devices and security policies.
“One of the things we wanted to focus on was providing a much deeper layer of security and also making it very easy to manage from a single pane of glass,” said Ryan Young, CTO of Vandis.
With Fortinet Secure SD-WAN and FortiManager installed, Vandis established unified security policies for PM Pediatrics. Site-specific policies were previously administered by the urgent care provider. The new approach allows the company to quickly roll out application-aware security configuration updates throughout its network, according to Vandis.
PM Pediatrics now has a security policy for its data center and a global policy for all its branches, Young said. One result of the unified policy is that logs generated by Fortinet devices in each care facility are returned to a central point, where PM Pediatrics uses FortiAnalyzer, a log management, analysis and reporting platform, to review data tied to Internet and data center traffic.
Improving branch security was the No. 1 priority, Young said. But additional opportunities arose with the security base in place. Network bandwidth had started to become an issue for PM Pediatrics due to its legacy network architecture. The urgent care company had previously implemented a firewall at its main New Jersey data center and routed all network traffic through that device, with branches connecting to the data center via Multiprotocol Label Switching (MPLS) circuits.
The SD-WAN implementation, by contrast, provides mesh connections back to the data center, giving data multiple paths to travel. Branches now use entry-grade circuits from Internet providers such as Optimum and Verizon Fios, Young explained. In all, each branch uses two to three connections: one or two wired carrier circuits plus an emergency cellular backhaul (using FortiExtender cellular gateways) for use only if both wired carriers are lost entirely, Young said. Those circuits terminate on the Fortinet SD-WAN appliances, which load-balance traffic and steer it to the lowest-latency circuit. As a result, care center users have faster access to the Internet and SaaS applications.
The approach also yields considerable cost savings: SD-WAN has eliminated the need for MPLS, which can cost about $1,500 per month for a 50Mbps fiber MPLS circuit, Young noted.
The mesh network, along with SD-WAN routing policies, reduced bandwidth needs, but Vandis found more room to improve latency. The network still needed to backhaul enterprise application traffic from each care center to the New Jersey data center. Latency issues persisted for branches in distant states like Alaska, California and Texas, which had longer paths back to the data center.
Vandis recommended PM Pediatrics use Azure Virtual WAN, a Microsoft networking service that integrates with Fortinet Secure SD-WAN to provide branch connectivity. The link allows each remote site to connect to the main data center, bypassing the public Internet. The integration also allows branches to connect to the nearest Azure hub to further reduce latency.
A PM Pediatrics care center in San Francisco, the first to go online with Azure Virtual WAN, saw an immediate 70% reduction in latency. “There was a big improvement there,” Young said.
Azure role expansion
Azure Virtual WAN can also play a disaster recovery role, allowing organizations to connect to any Azure region as a failover site. PM Pediatrics took advantage of this capability and retired its secondary data center. From there, the urgent care provider's use of Azure expanded to Azure Virtual Desktop, a desktop and application virtualization service. PM Pediatrics turned to Azure Virtual Desktop to support its telemedicine platform.
Tabako noted the wave of projects related to Azure. “In a way, it almost mirrors how Azure has become the de facto platform for virtualization,” he said.
Yet another Azure initiative, which began in December 2021, is to build a PKI server infrastructure within Azure. Vandis has taken on that effort for PM Pediatrics. “I don’t have the talent on my team… to build PKI on Azure,” Tabako said.
The PKI effort is the first step in replacing PM Pediatrics’ primary data center in the Azure cloud. The goal is to have cross-region replication using Azure US East and West locations by the end of 2022.
The wave of follow-up projects has taken the urgent care provider in new directions. What started as a branch security effort in 2021 turned into a large-scale cloud migration initiative.
“It’s interesting how each of the pieces that we put online solves other problems that they had around them,” Young said.