An SD-WAN project to bolster security across an expanding network of urgent care facilities went well beyond its original focus.
PM Pediatrics, based in Lake Success, N.Y., launched on the East Coast but has opened care centers across the U.S., including locations in Alaska, California and Texas. The company sought to boost security across more than 75 branch sites and give technology administrators centralized visibility over its IT network.
PM Pediatrics tapped Vandis, an IT services and consulting firm headquartered in Albertson, N.Y., for the security assignment. Vandis recommended Fortinet’s Secure SD-WAN technology, which was new to the urgent care provider. Fortinet “was not on the radar,” noted John Tabako, director of IT infrastructure, PM Pediatrics.
The service provider conducted a three-site proof of concept with PM Pediatrics and the Fortinet rollout took off from there. Vandis deployed a high-availability pair of Fortinet firewalls at every branch site, PM Pediatrics’ primary data center and its headquarters. Fortinet’s SD-WAN portfolio is built into its FortiGate firewall technology and requires no additional licensing. The project also included FortiManager, an appliance that lets administrators centrally manage Fortinet devices and security policies.
“One of the things we wanted to focus on was providing a much deeper layer of security and also making it very easy to manage from a single pane of glass,” said Ryan Young, CTO at Vandis.
Ryan YoungCTO at Vandis
With Fortinet Secure SD-WAN and FortiManager installed, Vandis established unified security policies for PM Pediatrics. The urgent care provider previously managed site-specific policies. The new approach lets the company rapidly deploy application-aware security configuration updates across its network, according to Vandis.
PM Pediatrics now has a security policy for its data center and a global policy for all of its branches, Young noted. One result of the unified policy is that logs generated by Fortinet appliances in each care center flow back to a central point, where PM Pediatrics uses FortiAnalyzer, a log management, analysis and reporting platform, to look at internet-bound and data center-bound traffic.
Improving branch security was priority No. 1, Young noted. But additional opportunities emerged with the security foundation in place. Network bandwidth had started to become an issue for PM Pediatrics because of its legacy network architecture. The urgent care company had previously deployed a firewall in its primary New Jersey data center and routed all networking traffic through that device, with branches connecting to the data center through multiprotocol label switching (MPLS) circuits.
The SD-WAN rollout, however, provided meshed connections back to the data center, allowing multiple routes for data to travel. Branch locations now use commodity-grade circuits from internet providers such as Optimum and Verizon Fios, Young explained. In total, branches use two to three connections: one or two physical handoff circuits and an emergency cellular backhaul — using FortiExtender cellular gateways — in the event of a full, physical carrier loss, Young noted. Those circuits connect to Fortinet SD-WAN appliances, which perform load balancing and route traffic to the lowest latency circuit. As a result, care center users have faster access to the internet and SaaS applications.
The approach also yields considerable cost savings: SD-WAN eliminated the need for MPLS, which can cost around $1,500 per month for a 50 Mbps fiber MPLS circuit, Young noted.
The mesh network, along with SD-WAN routing policies, reduced bandwidth needs, but Vandis found more room for latency improvement. The network still needed to backhaul enterprise application traffic at each care center to the New Jersey data center. Latency issues persisted for branch locations in distant states such as Alaska, California and Texas, which had longer routes back to the data center.
Vandis recommended PM Pediatrics use Azure Virtual WAN, a Microsoft networking service that integrates with Fortinet Secure SD-WAN to provide branch connectivity. The linkup lets each remote site connect to the primary data center, avoiding the public internet. Integration also allows branches to connect to the nearest Azure hub to further reduce latency.
A PM Pediatrics care center in San Francisco, the first to go online with Azure Virtual WAN, saw an immediate 70% reduction in latency. “There was huge improvement there,” Young said.
Expanding Azure’s role
Azure Virtual WAN can also play a disaster recovery role, letting organizations connect to any Azure region as a failover site. PM Pediatrics took advantage of this capability and retired its secondary data center. From there, the urgent care center’s use of Azure expanded to Azure Virtual Desktop, a desktop and application virtualization service. PM Pediatric tapped Azure Virtual Desktop to support its telemedicine platform.
Tabako noted the wave of Azure-related projects. “In a way, it almost mirrors how Azure has become the de facto platform for virtualization,” he said.
Yet another Azure initiative, which began in December 2021, involves building PKI server infrastructure inside of Azure. Vandis has taken on that effort for PM Pediatrics. “I don’t have the talent on my team … to build out PKI in Azure,” Tabako said.
The PKI effort is the first step toward replacing PM Pediatrics’ primary data center in the Azure cloud. The goal is to have cross-region replication using Azure’s East U.S. and West U.S. locations by the end of 2022.
The wave of follow-on projects has taken the urgent care provider into new directions. What started out as a branch security effort in 2021 has evolved into a large-scale cloud migration initiative.
“It is interesting how each one of the pieces we brought online solves other issues they had in their environment,” Young noted.