Subscribe to receive notifications of new posts:

MPLS to Zero Trust in 30 days


8 min read
MPLS to Zero Trust in 30 days.

Employees returning to the office are experiencing that their corporate networks are much slower compared to what they’ve been using at home. It’s partly due to outdated line speeds, and also partly due to security requirements that force all traffic to get backhauled through centralized data centers. While 44% of the US currently has access to fiber-based broadband Internet with speeds reaching 1 Gbps, many MPLS sites are still on old 1.5 Mbps circuits. This is a reality check and a reminder that the current MPLS based networks are unable to support the shift from centralized applications in the datacenter to a distributed SaaS and hybrid multi-cloud world.

In this post, we are going to outline the steps required to take your network from MPLS to Zero Trust. But, before we do — a little about how we ended up in this situation.

Enterprise networks today

Over the past 10 years, most enterprise networks have evolved from perimeter hub and spoke networks into franken-networks as a means to solve connectivity and security issues. We have not had a chance to redesign them holistically for distributed application access. The band-aid and point solutions have only pushed the problems further down the road — to a future day for someone else to solve.

Example of legacy MPLS-based WAN

The advent of cloud adoption put additional pressure on the already ailing legacy WAN. Increased Internet use for business, mining data for actionable insights, advanced security monitoring multiplied bandwidth demand at customer branches. This puts additional pressure on companies seeking to manage their WAN cost. Below is a graphical representation of business loss due to growing bandwidth needs on.

Business loss = (X) cost of project delay  + (Y) loss of productivity due to outages

Excitement about SD-WAN

Organizations have been looking to Software-Defined WAN (SD-WAN) to solve some of these challenges. It allows organizations to shift from MPLS private lines to broadband Internet and significantly reduce their cost per Mbps. SD-WAN offers other valuable features like application-aware intelligent routing based on path quality. Orchestrator and analytics help to provide much-needed deployment speed and network visibility, respectively.

Despite the incremental improvement that SD-WAN offers over traditional network architectures, some fundamental challenges remain. SD-WAN is a hardware-dependent edge routing technology that does not always account for the middle mile. While broadband Internet is reasonably fast and available everywhere, it doesn't offer the end-to-end security and reliability that mission-critical applications require. Further, managing security policies and Internet breakouts across hundreds of edge devices is complex, and many organizations are still choosing to backhaul traffic to centralized data centers. We require a new architecture — with security, speed, and reliability built-in.

Cloudflare Magic WAN

Cloudflare Magic WAN simplifies legacy WAN architectures by enabling customers to use the Cloudflare global network to interconnect their branch offices, data centers, and public cloud services. It includes Zero Trust security services that can be enabled as needed, improve performance, and can be managed through a single dashboard.

Magic WAN has many advantages over traditional WAN architectures. It eliminates the need to manage a mesh of tunnels. A single Anycast IPSec or GRE tunnel from a site provides connectivity to all other sites and applications, with the Cloudflare network acting as the network hub, simplifying operational overhead. It removes the requirement for all traffic to be backhauled to a centralized data center to enforce security policies. Cloud-native firewall-as-a-service (FWaaS) for inbound and site-to-site traffic and security web gateway (SWG) for outbound traffic is available at the same data centers where WAN traffic enters the Cloudflare network. Organizations can deploy consistent security policies globally which get enforced at the Cloudflare data center closest to the user at any of our 270+ cities. SaaS and consumer application traffic can be routed directly to the Internet from the edge of the network. With Cloudflare serving millions of websites, the destination might be available on the same server, resulting in better performance for users.

Furthermore, with no appliances to manage or scale, Magic WAN gives you an elastic WAN with zero capital investment that you can quickly scale up or down depending on business needs.

Bridge to Zero Trust

The ultimate goal for many organizations is to move their network and security architecture from a castle & moat model to a Zero Trust model where there’s no longer a hard boundary between “private” and “public” networks. Instead, security is enforced at the user and the application level, using identity, endpoint health and location as key attributes. So an employee on a managed laptop in their home country may have access to all corporate applications, but if they log in from a personal laptop, they might have limited access to only certain applications. Or if the network detects malware on their managed laptop, their access can be quickly revoked, preventing the spread of ransomware, for example, through their organization.

This requires a WAN that is intelligent enough to understand user identities and endpoint health and make intelligent enforcement decisions based on these attributes. This also requires enforcement points that can apply consistent security policies regardless of whether the users are coming from a corporate branch office or from a home office over the Internet.

Cloudflare Magic WAN, part of the Cloudflare One product suite, enables this transition to a true Zero Trust architecture by building in security natively into the network.

Prep work for successful transformation from MPLS to Zero Trust

Planning leads to awareness, while preparation leads to readiness.

MPLS to Zero Trust transformation is a team effort. Traditionally, network managers are responsible for the WAN; security managers for the security perimeter & policies; infrastructure team for the cloud; application teams for application development. Future transformed state has built-in security for seamless on-demand, secured and reliable distributed application access.

1) Network, security, infrastructure, and application project management teams should collectively discuss and document the current/future state.  Sample document below

Current state Future state
Applications List Example: 1600 apps Example: 2400 apps
Location Local: 300, DC: 600, Public cloud: 400, Private cloud:100, SaaS: 200 TBD
Regional application needs Local File servers Cloud
Location/branch # of branch locations 80 85
Availability Example: Platinum 99%, Gold 95%, Silver: 90%, bronze: best effort Platinum 100%, Gold 99%, Silver: 95%, bronze: best effort
Current set up Platinum: Dual MPLS, Gold: MPLS + Internet etc Platinum: 2 x 1G DIA, Gold: 2 x 1G DIA etc
Bandwidth Platinum: 100M, Gold 50M etc Platinum 1G, Gold 500M etc
CSP with location Azure/GCP/AWS 1G ExpressRoute 1G Direct Connect 10G 10G
Internet breakout Capacity 500M On demand
DC: XXX Firewall HA Cloud based local break out
Features Limited security control Identity based granular ZT based policies
Remote Access Quantity 1000 seats 2000 seats
Technology SSL VPN Zero Trust Network Access
Cloud security None CASB, RBI
Device posture None Yes

2) Conduct transformation workshop to

  • Map all combinations of future traffic flows: Device Type - User profile - Application - Enforcement technology - Zero Trust rules
  • Traffic flows help to determine future architecture baseline

3) Invite vendors, partners, and providers for discussion to validate the design and identify technology readiness to support traffic flows and architecture.

4) Carry out budgeting exercises and a business plan to map current pain points with solutions and pricing. Involve specialized experts to develop business plans if needed.

5) Form a special project team that includes project managers, engineering point of contact from all technical groups, local site contacts, escalation team, stakeholder representatives, business owners.

Transition plan

A transition plan is a critical step toward a successful transformation. A good transition and project plan will ensure minimal downtime, while a bad plan will result in outages, business disruption, increased transition time, and cost. The plan should include detailed steps and milestones.

Sample transition plan below:

  1. Identify bridging point

    • Bridging point will act as a bridge between transitioned and non-transitioned branch locations.
    • Ideally, regional and global data centers are preferred bridging points between existing MPLS and the new Cloudflare based WAN.
  2. Create user acceptance test (UAT)

    • Collaborate with internal teams and site contacts to create a UAT.
    • Perform UAT before and after cutover for each site to ensure users can access their applications as expected performance after transition.
  3. Migration schedule

    • Develop a migration schedule to ensure minimal business impact.
  4. Prep for Magic WAN

    • Connect applications: Leverage Cloudflare onramp options to connect your various applications to Cloudflare platform.
    • Connect branch: Configure your WAN Edge device (router, SD-WAN device, firewall etc) and connect to Cloudflare platform
    • Please refer for detailed step-by-step instructions to configure Magic WAN

Note: Above step will NOT impact existing traffic flows via the existing MPLS path. Take precautions to ensure no production impact. Please follow your change control guidelines and request a maintenance window if applicable.

  1. Ready for cutover

    • We are ready for cutover after steps 4 & 5, i.e., ready to migrate and transition branches to Cloudflare based network.
  2. Cutover window

    • During the cutover window, production traffic will stop traversing the existing MPLS path and transition to the new Cloudflare based network..
    • Perform UAT before and after cutover.
  3. Disconnect MPLS

    • MPLS circuits can be disconnected, as sites are migrated.


  • Retire legacy VPN
    • Customers can leverage Cloudflare’s Zero Trust Network Access to access their applications and retire legacy VPN based access.
  • Assumption
    • Customer is responsible for Internet circuit procurement and installation to replace MPLS circuits.

We’re proud of how we’ve been able to help some of Cloudflare customers reinvent their corporate networks. It makes sense to close with their own words


Replacing MPLS, modernizing network and network security to provide business agility is a must for the digital future. Move to Zero Trust is inevitable for most organizations. Temporary band-aids and point solutions have resulted in business losses, poor employee experience and increased security risk. Moving from MPLS to Zero Trust sounds like a daunting task but teamwork, proper planning, preparation, and right solution will make transformation easily achievable and more manageable.

If you’d like to get started, contact us today and get started on your journey.

Replacing MPLS lines is a great project to fit into your overall Zero Trust roadmap. For a full summary of Cloudflare One Week and what’s new, tune in to our recap webinar.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Cloudflare One WeekZero Trust

Follow on X

Ameet Naik|@naik_ameet

Related posts