Background
A leading civil construction and infrastructure supplies company faced mounting limitations with their legacy MPLS WAN and telco-hosted voice services. Their network relied on traditional SIP trunks and MPLS links, with traffic centralised through third-party hosted services. This architecture introduced latency, cost inefficiencies, and limited flexibility as the business expanded across Australia and New Zealand.
Challenges
The client's network infrastructure presented several critical challenges:
- Rigid MPLS architecture with limited scalability across growing branches
- High dependency on third-party data centre as the central VPN and application termination point
- 30 SIP channels via traditional telco provider tied to on-premises legacy PBX systems
- Limited visibility and control over edge network performance and failover
- Inconsistent security posture across sites with varying firewall brands
Vee Tech's Solution: Full-Stack WAN Modernisation
Vee Tech designed and delivered a multi-phase WAN redesign built around modern IPsec VPN architecture and unified security management.
1. Full Palo Alto Next-Generation Firewall Rollout
Each of the client's 20+ sites â from major offices to depots across NSW, VIC, QLD, WA, SA and NZ â was provisioned with dedicated Palo Alto PA-410 or PA-440-HA appliances. These were centrally managed via Panorama, providing:
- Unified security policy enforcement across all locations
- Complete application visibility across all sites
- Reliable IPSec overlays between branches
- Secure AWS edge integration
2. ISP Redundancy and Dual-WAN Strategy
Where possible, each site was provisioned with:
- Primary and secondary ISPs (e.g., TPG Fibre + NBN EE)
- Redundant uplinks per firewall
- Dynamic failover with BGP routing between VR instances
This ensured 99.99% branch uptime and simplified troubleshooting via Panorama health visibility.
3. Retirement of MPLS and SIP Legacy
A complete modernisation of the telecommunications infrastructure:
- Decommissioned all legacy MPLS circuits and SIP trunks
- Retired dependency on third-party hosted VPN gateways
- Migrated to modern SIP or Microsoft Teams voice architecture (client-managed)
- All network services now route directly over secure broadband or fibre
4. Zero Touch Branch Deployments
Standardised deployment procedures enabled rapid rollout:
- Each firewall was pre-configured with VPN, routing, and segmentation profiles
- Detailed diagrams for standardised VLANs (corp, guest, ops, mgmt, DMZ) and NAT policies
- Standardised cabling layouts using consistent colour conventions
Outcomes
The transformation delivered significant business value:
- 50%+ cost reduction in WAN circuits
- Unified threat management at every site
- Direct internet breakout and full visibility from HQ
- Faster onboarding of new locations using reusable playbooks
- Improved staff productivity with fewer outages and better performance
Client Feedback
The client's internal IT and procurement teams reported high satisfaction with the ease of rollout, the improved performance of VoIP and SaaS apps, and the confidence brought by active/standby ISP paths at every location.
Key Takeaways
This project demonstrates the tangible benefits of moving from legacy MPLS to modern IPsec VPN architecture:
- Cost Efficiency: Modern broadband with VPN can deliver better performance at half the cost
- Resilience: Dual-ISP architecture with automated failover eliminates single points of failure
- Scalability: Zero-touch provisioning enables rapid site deployment
- Security: Unified management through Panorama ensures consistent policy enforcement
- Visibility: Centralized monitoring provides real-time insights across all locations
Want to break free from legacy telco constraints? Reach out to Vee Tech to modernise your WAN with a secure, scalable architecture tailored for growth.