Software-defined wide area networking (SD-WAN) has become a much-touted technology for “cloudifying” and streamlining connectivity for multilocation businesses, allowing for a reduction in MPLS dependence, more flexible management, deeper visibility, and a way to boost performance for cloud services. OpenEye Scientific, the creator of a popular cloud-based pharmaceutical design platform favored by several Fortune 500 companies, considered all of these benefits when it decided that it needed to modernize its WAN. But one main objective stood out above the rest: It needed a more efficient way to expand its Amazon Web Services (AWS) footprint.

Santa Fe-based OpenEye Scientific was founded in 1997 to develop large-scale molecular modeling applications and toolkits that are used by computational chemists, medicinal chemists, and synthetic chemists for early-stage pharmaceutical discovery. Pharmaceutical discovery is a long and expensive process, requiring 10 to 15 years and $1 to $2 billion per pharmaceutical. The goal is to find out early if an idea isn’t going to work, to avoid unnecessary investment and reduce time to market for new drugs.

“There’s a lot of push to make the process more efficient and to fail fast,” said Craig Bruce, scientific software development manager at OpenEye. “Our software helps you understand in the first few years if you’re going in the right direction.”

During most of its 20-year history, OpenEye has sold its technology in the form of software development toolkits (SDKs) for developers and licensed applications for scientists. Recently, however, the company has embraced the software-as-a-service (SaaS) zeitgeist, launching its Orion cloud-native pharmaceutical design platform.

Orion resides on AWS and provides client-by-client instances of hundreds, thousands, or even tens of thousands of processors, unlimited storage, and archiving via reliable networks, all backed up by world-class data security. OpenEye takes advantage of AWS virtual private clouds (VPCs) as a way to provide isolation at the network level and ensure the security of pharmaceutical companies’ data.

The problem is that as Orion has gained popularity, OpenEye has found it difficult from an IT perspective to keep up with demand. Scaling up with networking hardware and existing processes would have been expensive and overtaxing to the company’s small IT staff.

“We have grown organically, and our IT infrastructure has grown along with it,” said Bruce. “When we moved to a SaaS model, that required a big shift in technology. We worked with AWS to use VDCs [virtual data centers] as our default, but I spent many months getting our main VPN tunnel set up to AWS. We don’t have certified engineers, and using the VPN from AWS requires a black-box approach; it’s confusing, even for the experts. We even had a partner come in to assist us, but even they were struggling. So, as we move from a development version to a production version of our platform, the idea of doing that for every customer is just a non-starter. We needed something else.”

Further, connecting customers to Orion via the company’s own Cisco-based network would be cost-prohibitive. “Our current hardware just would not support this,” said Bruce. “We would have needed to buy a lot more hardware for a rather large price, and scalability would have been incredibly costly and difficult.”

Here, too, a lack of resources was an issue. “We don’t have an internal Cisco resource here at OpenEye, so it was taking weeks’ to months’ worth of work to get network connectivity set up,” Bruce said.

Bruce investigated whether he could achieve what he wanted using AWS Direct Connect, which would provide a private connection between OpenEye’s network and AWS, but decided that wasn’t a great fit. “Partly, that was because we would have needed a partner to do the last mile,” he explained.

Ultimately, he began evaluating SD-WAN, which would allow tight integration with AWS and a much more flexible approach to getting new links set up.

“SDN seemed much more appealing in that we could buy a smaller amount of hardware,” Bruce said. Also, the SDN approach would be the obvious way to allow us to scale up quickly.”

In addition to its Santa Fe headquarters, OpenEye has offices in Boston, Cologne, and Tokyo. It decided to evaluate SD-WAN by connecting its two U.S. locations to AWS using a solution provided by Riverbed SteelConnect for Amazon Web Services. Initially, the network is being used by internal team members to connect to AWS resources. However, Bruce said that the results have been so positive that the company plans to expand its use for customer links as well.

The reduction in overhead to get new links set up, Bruce said, has been significant—and represents the biggest benefit that the company has enjoyed so far.

“I don’t need to contact anyone external to help me. Between my system administrator and myself, we can enable a new VPC and the virtual private network [VPN] connection in less than an hour. The most complicated part is the subnet definition. The connection itself is just a few clicks.”

OpenEye is using SD-WAN over MPLS and broadband links for an internal backbone connection between all of the VPCs, with a consistent and secure connection anywhere in the world.

“The ability to enable a new connection so quickly, instead of the weeks or months it took in the past, is really important for the success of our SaaS offerings,” Bruce said. “Also, as a company, we will be able to grow quickly since we have the ability to add more and more connections without hardware limits or other technical frustrations.”

OpenEye is using virtual gateways with its SD-WAN, which requires downloading a VMware image from the management console. This is one of the main perks of using SD-WAN with AWS in general, according to Mike Fratto, principal analyst for GlobalData on the business technology and software team.

“If a company has applications sitting at Amazon, you can bring up a virtual gateway in that instance and optimize that traffic, with reliability and capabilities built in to the SD-WAN,” Fratto said. “This makes things so much more streamlined.”

One virtual gateway is implemented on the OpenEye side, and then another connects each of the VPCs.

“We can simply deploy an instance through our SD-WAN console, and because it sees our entire topology it will automatically discover the other gateway,” Bruce said. “This is far easier than buying hardware or integrating hardware, and carries zero cost with it. This offers us ease, cost-savings and agility. We see no reason to add fixed VPNs in the future.”

The company is seeing other benefits as well. From a security perspective, Bruce explained that the default function is that every VPC talks to each other in a mesh network configuration. However, in OpenEye’s case, the company is hosting sensitive data for its customers, so each customer instance needs to be isolated from each other. With a few clicks within the GUI, Bruce was able to move from mesh mode to a hub-and-spoke layout. The console also provides full logs describing which machines are connected—a key requirement for compliance needs.

Fratto noted that SD-WAN also carries other security benefits. “The traffic traversing the SD-WAN will be encrypted and authenticated between the gateways, and it allows companies to set policies based on users, i.e., who the user is and what their role is,” Fratto said. “This helps support the governance requirements that regulations put in place. You can also always direct traffic to a firewall and support different levels of integration there.”

When it comes to return on investment (ROI), OpenEye’s SD-WAN implementation is pay-as-you-go, with no upfront investment in hardware or expertise/engineers.

“We pay $122 for four VPN tunnels per month,” Bruce said. “Our needs are about connectivity instead of data transfer, but can change the size and number of those tunnels as needed. We’ll pay more for getting more, but scaling up means we’re selling more products. We saw ROI straight away with this.”

On the management front, gaining a “single-pane-of-glass-view” has been an operational boon. Previously, gaining visibility into customer accounts required the team to log into each individual account on AWS separately. Now, it’s possible to gain a holistic view of what’s happening in the network, across customers. OpenEye can log into a web portal in order to see all of its devices in a single view.

OpenEye’s foray into SD-WAN is still in evaluation mode, and the company is still learning how to make the technology work best for its needs. And, having the SD-WAN and legacy Cisco network co-existing has made its network footprint a bit more complicated, adding another support desk and footprint to be aware of, but Bruce said the benefits are a worthy trade-off.

“We didn’t experience any issues with this implementation, and the downsides are minimal,” he said. “SD-WAN has enabled us to be very flexible and agile and empowered. But, we’re still tweaking the system.”

One of the things OpenEye is working on is reducing single points of failure. “We have redundancy for our gateways, but on the other side is a VM image that’s just running on its lonesome,” Bruce explained. “We will deploy hardware for traffic failover and multisite redundancy for local connections, which can be configured through the SD-WAN console. It should be an easy migration as we expand our implementation.”

Going forward, OpenEye also plans to make use of deep analytics and ramp up the automation of the network—something Fratto said will pay off.

“Traditionally you have to load-balance on a routing protocol and it gets complicated. SD-WAN makes that go away because you don’t have to configure that,” Fratto explained. “You say, this is a branch, and you decide who can talk to it, and the orchestration controller does the routing. The operational benefits are huge.”