To deliver business outcomes in a timely manner enterprises are looking to consume applications as SaaS which are hosted outside of their data centers. As per Gartner, Software as a service (SaaS) remains the largest market segment and is forecast to reach $145.3 billion in 2022. Some of the examples of these applications are Office 365, G Suite, Salesforce, Box, Dropbox etc.

As leveraging SaaS becomes more and more accepted, enterprises are enabling their workforce to buy some of these tools for their specific needs without having to go through a traditional IT buying cycle. This makes it very difficult for IT organizations to track these tools and at the same time deliver enterprise grade security and performance for these applications.

SaaS Network Architecture

Before explaining the solution to this problem, let’s take a look at how a SaaS application is designed and architected from a network standpoint.

Typically, these applications are distributed in nature. They are deployed globally in different regions either inside a public cloud or within the data centers directly peering with cloud service providers.

From a security standpoint they can only provide user authentication services and can not monitor any other security related events. In order to achieve optimal application performance, expectation from the enterprise is to ensure that users are very close to these applications and can access the application with very low latency.

Figure 1 shows a general architecture for SaaS applications with direct access in the same region as users and branch sites.

Figure 1: Per region SaaS access for optimal performance

This means enterprises have to get out of the castle and moat type of architecture as it centers around securing the data centers and providing access to the internet based application through it.

With centralized architecture, all the remote user and branch traffic need to backhaul back to the datacenter, resulting in elevated application latency and network bandwidth starvation, all of which negatively impact application experience.

The Solution

The answer to this problem is to adopt a network architecture which is designed like the SaaS application with distributed points of presence (POPs) across the globe.

These POP locations should be interconnected using high bandwidth and low latency backbone. Users and branches should terminate to the closest POP location with access to Internet and SaaS applications.

This will improve the overall application performance by shortcutting the last-mile access over less efficient and less predictable internet transport.

Alkira Cloud Area Networking Architecture

The Alkira Cloud Services Exchange (Alkira CSX) serves as a foundation for Alkira Cloud Area Networking. It consists of a highly available and resilient cloud backbone of globally interconnected Alkira Cloud Exchange Points (Alkira CXPs), virtual multi-cloud points of presence with a full routing stack and network services capabilities, accessed and managed through Alkira CSX Portal.

Users, sites, data centers, regional SD-WAN fabrics, collocations, and public clouds connect to the closest Alkira Cloud Exchange point (CXP). CXPs can also be configured for Internet/SaaS exit. Users will be able to access SaaS applications directly through the geographically closest CXP thus reducing the overall latency between the users and the application.

Figure 2: Per region SaaS access with Alkira CXPs

From a security perspective, customers can choose to deploy firewalls in different regions inside the CXP and inspect the traffic towards the SaaS applications without needing to backhaul traffic to the datacenter which can be detrimental to application performance.

Another option is to have a firewall at each branch location which can be very costly. Alkira’s flexible policy framework allows customers to select the type of the traffic and redirect it towards the firewall for inspection by using five tuples or actual application names.

This provides enterprises an option to bypass firewalls to improve latency for traffic going to any known SaaS application like Office 365, Salesforce, Workday, etc while the rest of the internet traffic can be redirected to the firewall for inspection.


Alkira Cloud Area Networking is built for the cloud to meet the network challenges for the cloud era. It provides an efficient, clean and fast way to access SaaS applications which consequently can provide improved application performance without the need for delivering custom solutions for every new application which you on board into your enterprise.