Planning Your Deployment
This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).
|You Provide||Megaport Provides|
|Internet connection from branch||Platform to host virtual SD-WAN appliances|
|SD-WAN vendor enabled at branch||Complete connection from a branch to any destination on the Megaport network and interoperation with other Megaport products and services|
|Customer Premises Equipment (CPE) installed in branch||Distributed denial-of-service (DDoS) connection to the internet to terminate tunnel between MVE and CPE at branch|
|SD-WAN software license to use on Megaport SDN||Access to the Megaport ecosystem|
This section provides an overview of the MVE deployment options and features.
Fortinet Secure SD-WAN uses virtual FortiGate appliances or physical FortiGate appliances much like many other SD-WAN vendors. However, with Fortinet, you can configure the appliances for several different uses. For example, you can configure a Fortinet appliance for use:
Strictly as a next-generation firewall (NGFW) for remote offices with local configuration and local logging only.
As central management with central logging, or as central management without central logging.
In a traditional SD-WAN style overlay network.
For details, go to the Fortinet Documentation Library.
MVE is integrated with Fortinet SD-WAN, which uses Fortinet’s FortiManager console to create the private overlay network.
Additional SD-WAN providers include Cisco SD-WAN, Versa Secure SD-WAN, and VMware SD-WAN.
Before you create an MVE, you need to determine the best location - one that supports MVE and one that is in the most compatible metro area.
MVE instances are located in key metro areas to maintain low latency from your cloud and SaaS workloads to MVE.
Transit gateway functionality is built into each MVE that enables traffic flow to and from branch locations using SD-WAN technologies through internet connections. You use pre-existing internet connectivity from your premises to securely access the MVE that is geographically located closest to those premises.
In general, you’ll want to provision MVEs at the metro locations nearest to your branch sites and on-premises locations to benefit from the lowest latency and highest throughput.
You can connect multiple locations to an individual MVE. You can also deploy multiple instances within a metro area and load-balance your branch sites.
We recommend two MVE host systems per metro area for resiliency.
|Asia Pacific||North America||Europe|
Sizing your MVE instance
The instance size determines the MVE capabilities, such as how many concurrent connections it can support. The MVE instances are consolidated into three sizes.
|Size||Maximum Throughput||SD-WAN Endpoints||DRAM|
|Small (2 vCPUs)||500 Mbps||40||4 GB|
|Medium (4 vCPUs)||1 Gbps||100||8 GB|
|Large (8 vCPUs)||5 Gbps||500||16 GB|
These performance and capacity metrics are estimates and your speeds will vary. When choosing an MVE instance size, keep in mind these items:
The maximum throughput numbers are characterized using a pure SD-WAN hub for hub-and-spoke connections.
Any increase on the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can impact the maximum throughput speed.
Future plans to scale the network.
What if I need more MVE capacity in the future?
You have a couple options:
You can provision another MVE instance, add it to your SD-WAN overlay network, and split the workload between the two MVEs.
You can provision a larger MVE instance, add it to your SD-WAN overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.
MVE provides capacity to and from your internet-enabled branch locations securely, to any endpoint or service provider on Megaport’s SDN. CSP-hosted instances of partner SD-WAN products route critical traffic across Megaport’s SDN, reducing internet dependence. Traffic remains encrypted and under your policy control while traveling across the Megaport SDN, to or from, MVE.
Each MVE subscription includes distributed denial-of-service (DDoS) attack protection for no additional charge.
You bring your own Fortinet (FortiGate) SD-WAN license for use with MVE. It is your responsibility to have the appropriate licenses for the SD-WAN endpoints created on the Megaport network.
Megaport uses Q-in-Q to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP onramps or other MVEs).