What was the initial situation and why wasn't the existing solution sufficient?
The customer — a Czech manufacturer of technical plastic components with approximately 200 employees across three locations — operated a network infrastructure that had grown organically with the company: each location gradually obtained its own internet connection from a local provider, and branches were connected using commercial VPN tunnels over the public internet. This approach worked until the company migrated to a centralized ERP system (SAP S/4HANA) running in Microsoft Azure and began transferring production data, CAD documentation, and quality control reports between Prague, the manufacturing plant, and Munich in volumes that the existing solution could not handle. Three specific problems emerged. Unstable VPN tunnels between locations caused access outages to SAP during work shifts — for the manufacturing plant, any loss of access to production documentation directly halts the production line. The asymmetric connection at the manufacturing plant (50/10 Mbit/s) was insufficient for uploading quality control data and video recordings from quality inspection. And Azure access over the public internet was slow and unstable — the cloud-based SAP responded to operator inputs with noticeable delays.
How did New Telekom design the architecture for three locations in two countries?
Three locations, three layers of connectivity
New Telekom designed an architecture built on three interconnected layers — with each layer handling different data flows and having its own guaranteed parameters.
Layer 1 — Business B2B internet at each location: Guaranteed symmetrical internet connection for regular business operations — email, video conferencing (Microsoft Teams), access to public web services, and software updates. Each location has its own dedicated FTTO or FTTH connection with capacity matching the number of users and traffic nature.
Layer 2 — Private MPLS VPN WAN between the three locations: Dedicated L3 MPLS VPN circuits connecting Prague, the manufacturing plant in the Central Bohemian Region, and Munich into a single private corporate network — with no segment traversing the public internet. ERP data, production documentation, quality control reports, and internal communications travel over the dedicated New Telekom network and partner operator networks in Germany.
Layer 3 — CloudConnect private line to Microsoft Azure: A dedicated private circuit from the Prague headquarters to Microsoft Azure ExpressRoute — a direct connection to the customer's cloud environment outside the public internet. SAP S/4HANA in Azure communicates with users at the manufacturing plant and in Munich over the private WAN network, not over the public internet.
SD-WAN orchestration — automatic management of three layers
All three locations are equipped with Juniper NFX250 SD-WAN CPE devices that automatically manage which traffic takes which path:
- SAP / ERP traffic: exclusively over the private MPLS VPN WAN — never over the public internet
- Microsoft Teams video conferencing: over B2B internet with QoS prioritization (EF DSCP)
- Azure cloud access: via the CloudConnect private circuit from Prague, shared over MPLS VPN for the manufacturing plant and Munich
- Backup scenario during MPLS WAN outage: automatic failover of critical traffic over encrypted IPSec tunnel via B2B internet within 60 seconds
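The steering rules in the list above can be checked mechanically. The following is an added example, not New Telekom's or Juniper's configuration: a small Python model that audits a steering policy so critical traffic only ever uses a private or IPsec-encrypted path, and picks the path for a given link state. The path flags, class names and the choice to treat Azure access as critical are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    needs: frozenset   # physical links that must be up for this path
    private: bool      # stays inside the operator's private network
    encrypted: bool    # wrapped in an IPsec tunnel

# Paths from the list above; names and flags are this example's own modelling.
MPLS = Path("mpls-vpn", frozenset({"mpls"}), True, False)
CLOUDCONNECT = Path("cloudconnect-via-mpls", frozenset({"mpls", "cloudconnect"}), True, False)
INTERNET = Path("b2b-internet", frozenset({"internet"}), False, False)
IPSEC = Path("ipsec-over-internet", frozenset({"internet"}), False, True)

# Ordered path preference per traffic class (hypothetical class names).
POLICY = {
    "sap-erp": [MPLS, IPSEC],
    "azure": [CLOUDCONNECT, IPSEC],   # assumption: Azure access counts as critical
    "teams": [INTERNET],
}
CRITICAL = {"sap-erp", "azure"}

def audit(policy, critical=CRITICAL):
    """List policy errors: critical traffic exposed in clear, or left without a backup."""
    problems = []
    for cls in sorted(c for c in policy if c in critical):
        paths = policy[cls]
        for p in paths:
            if not (p.private or p.encrypted):
                problems.append(f"{cls}: {p.name} is public and unencrypted")
        if len(paths) < 2:
            problems.append(f"{cls}: no backup path")
    return problems

def select_path(cls, links_up, policy=POLICY):
    """First path in preference order whose links are all up; None means drop, not leak."""
    for p in policy[cls]:
        if p.needs <= links_up:
            return p
    return None

if __name__ == "__main__":
    weak = {"sap-erp": [MPLS, INTERNET]}   # constructed misconfiguration
    print(audit(POLICY), audit(weak))
    for up in ({"mpls", "cloudconnect", "internet"}, {"cloudconnect", "internet"}, set()):
        print(sorted(up), select_path("sap-erp", up))
```

Running the audit against every policy change before it reaches the CPE devices catches the case where a fallback silently points ERP traffic at the plain internet path.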
What was implemented at each location?
Prague — headquarters and main network hub
The Prague headquarters is the primary hub of the entire network — from here, MPLS VPN circuits to both production locations and the CloudConnect line to Azure originate.
Physical connection: FTTO 1 Gbit/s symmetrical on New Telekom fiber optics with direct access to the backbone network and NIX.CZ. Measured latency to NIX.CZ: < 1.2 ms. Latency to Azure West Europe via CloudConnect: < 8 ms.
Active equipment in Prague: Juniper MX204 backbone router with three VRF instances (internet, MPLS WAN, CloudConnect), Juniper EX3400 access switch, Fortinet FortiGate 200F NGFW firewall with IPS and SSL/TLS inspection for the internet layer, Juniper NFX250 SD-WAN CPE.
Backup connectivity: LTE-A Pro via New Telekom eSIM with automatic failover within 10 seconds.
Manufacturing plant — Central Bohemian Region
From a network requirements perspective, the manufacturing plant is the most demanding location: 150 production workers, dozens of CNC machines connected to the network via industrial Ethernet, quality control stations transmitting image data, and a SCADA system for production monitoring.
Physical connection: FTTO 500 Mbit/s symmetrical — symmetrical upload was critical for transferring quality control data and production documentation to Prague. The connection is linked to the New Telekom regional distribution node in the Central Bohemian Region.
MPLS VPN circuit plant—Prague: capacity 200 Mbit/s symmetrical, guaranteed 1:1, latency < 5 ms. QoS settings prioritize SAP traffic and production documentation transfer over other traffic.
Active equipment at the manufacturing plant: Juniper NFX250 SD-WAN CPE with integrated firewall, Cisco Catalyst 9300 industrial access switch with PoE+ for industrial IP cameras and terminals, separate VLAN for OT (Operational Technology) network for SCADA and production machines — isolated from IT traffic.
Munich — sales branch
The Munich branch (25 sales representatives and application support technicians) is less demanding in terms of capacity from a network architecture perspective, but critical in terms of availability — loss of access to SAP or the customer CRM directly impacts business processes.
Physical connection in Munich: 100 Mbit/s symmetrical via New Telekom's partner operator in Germany — coordinated and invoiced through New Telekom Prague, without the need for a separate contract with a German provider.
MPLS VPN circuit Munich—Prague: capacity 100 Mbit/s symmetrical, latency Prague—Munich < 15 ms — a standard value for this distance over the backbone network via Frankfurt. Fully sufficient for SAP and Microsoft Teams calls.
Active equipment in Munich: Juniper NFX250 SD-WAN CPE, Cisco Catalyst 9200 access switch.
Backup connectivity: LTE backup connection via a mobile operator in Germany with automatic failover.
What results did the architecture deliver?
| Parameter | After implementation | Previous state |
|---|---|---|
| SAP availability for manufacturing plant | 99.9% SLA, outages < 1 hour/month | VPN tunnel outages 3–8× per month |
| Production documentation upload | 200 Mbit/s guaranteed | Actually 8–10 Mbit/s (asymmetric) |
| Latency Prague ↔ manufacturing plant | < 5 ms (MPLS VPN) | 20–60 ms variable (VPN over internet) |
| Latency Prague ↔ Munich | < 15 ms (MPLS VPN) | 25–80 ms variable |
| Latency to Azure (SAP) | < 8 ms (CloudConnect) | 25–70 ms (over internet) |
| Number of operator contracts | 1 (New Telekom) | 3 separate contracts in 2 countries |
| Backup connectivity | Auto-failover within 60 seconds | Manual, hours of outage |
| ERP data transfer security | Private WAN, no public internet | VPN tunnels over public internet |
| Azure egress costs | Reduction ~45% (CloudConnect) | Full Azure egress rates |
Why is a single operator important for a manufacturing company with foreign branches?
Managing network infrastructure across three locations in two countries under three different contracts means three different points of contact during an outage, three different escalation procedures, and three different invoices with different currencies and billing cycles. During a previous outage of the MPLS VPN circuit Prague—Munich, the customer would call the German operator, who would refer to a transit partner, who would refer back — and meanwhile, the manufacturing plant couldn't access SAP. Under the New Telekom architecture, there is one point of contact: the New Telekom NOC in Prague, available 24/7, which coordinates outage resolution on all segments — including the German last mile via the partner operator. The customer doesn't need to determine where on the route the outage occurred. This principle also applies to billing: one invoice covers B2B internet at all three locations, the MPLS VPN circuits between them, and the CloudConnect line to Azure — regardless of the fact that part of the infrastructure is physically located in Germany.
How did CloudConnect change access to SAP in Azure for all three locations?
The CloudConnect private circuit is terminated at the Prague headquarters, but its benefits are shared by all three locations. The manufacturing plant in the Central Bohemian Region and the Munich branch access Azure via the MPLS VPN circuit to Prague and from there via CloudConnect — thus still over the private network, without traversing the public internet. The result is consistent latency for accessing SAP S/4HANA in Azure for all users regardless of location — the production line operator at the plant, the sales representative in Munich, and the CFO in Prague all work with the system with comparable response times. The previous state — where the Munich branch accessed Azure via the German internet with latency of 50–70 ms — caused noticeable delays when working with extensive reports and dashboards. The reduction in Azure egress costs by approximately 45% was a positive side effect — for a customer transferring tens of TB of production and business data monthly from Azure back to the locations, this is a non-negligible financial saving. A detailed overview of CloudConnect technology and a calculation of potential savings is available at cloudconnect.cz (Czech language).
Frequently asked questions about business internet and branch connectivity
What exactly does "business internet" from New Telekom mean compared to standard commercial connections?
Business internet from New Telekom is a guaranteed symmetrical connection — same speed for download and upload — non-aggregated, with direct peering at NIX.CZ in Prague and contractually guaranteed availability of 99.9%. Retail and commercial connections are typically asymmetric (higher download, low upload), aggregated (capacity shared with other customers), and without SLA guarantees. For manufacturing companies transferring production data, documentation, or backups, symmetrical upload is just as important as download.
Can New Telekom arrange MPLS VPN connectivity to Germany under a single contract?
Yes. New Telekom has a partner network of 120+ operators abroad and provides international MPLS VPN circuits to all of Europe — Germany, Austria, Slovakia, Poland, Hungary, and others — under a single contract concluded in the Czech Republic. The customer does not communicate with foreign operators separately. The international circuit is managed and monitored by the New Telekom NOC in Prague 24/7.
How does CloudConnect work for a company with multiple branches — does each branch need its own circuit?
No. The CloudConnect circuit only needs to be terminated at one location — typically at the main headquarters, where the backbone router and strongest connection are located. Other branches access the cloud via the MPLS VPN circuit to the headquarters and from there via CloudConnect. The entire path remains private — no segment traverses the public internet. The capacity of the CloudConnect circuit can be dimensioned for the sum of all locations' needs and scaled over time without physical intervention in the infrastructure.
How long does implementation take for a network across three locations in two countries?
The project for three locations (Prague, manufacturing plant in the Central Bohemian Region, Munich) was completed within 10 weeks from contract signing. Connections in Prague and the manufacturing plant were active in week 5, the Munich circuit via New Telekom's German partner was activated in week 8. The remaining two weeks involved testing SD-WAN failover scenarios and QoS settings for SAP traffic. Projects with multiple locations or cross-border coordination are implemented in parallel, not sequentially — this shortens the overall implementation time.
What happens if the MPLS VPN circuit between the manufacturing plant and Prague fails?
The SD-WAN logic on the Juniper NFX250 at the plant detects the outage within 30 seconds and automatically reroutes critical SAP traffic over the backup path — an encrypted IPSec tunnel via the plant's B2B internet connection. Performance will be lower and latency higher than on the private MPLS WAN, but access to SAP and production documentation will be preserved without manual intervention. The New Telekom NOC is notified of the outage immediately and begins resolution.
Conclusion
Business internet with multiple locations in multiple countries isn't a catalog product — it's an architecture designed specifically for the data flows, applications, and security requirements of a particular company. The project described in this article — headquarters in Prague, manufacturing plant in the Central Bohemian Region, and branch in Munich connected by a private MPLS VPN network with a CloudConnect circuit to Azure — is one typical example of how New Telekom solves this task. The results in numbers: 99.9% SLA for SAP access in production, < 5 ms latency between the manufacturing plant and headquarters, < 8 ms latency to Azure, Azure egress cost reduction of ~45%, and one operator instead of three for two countries. If your company is dealing with connecting multiple locations — in the Czech Republic, Germany, or anywhere in Europe — and you're looking for business internet with guarantees, dedicated site-to-site data connectivity, or a CloudConnect private line to the cloud, contact the New Telekom expert team via the contact page. We will design an architecture that meets your operational requirements — without unnecessary layers and without unnecessary costs.
This article was prepared by the expert team of New Telekom s.r.o. Technical parameters correspond to the state on the project handover date. The customer's industry and employee counts are disclosed with customer consent; the exact business name and location addresses are not disclosed for commercial reasons. Information corresponds to the technological state as of April 2026.
Technologies and standards used
- Juniper MX204, NFX250, EX3400 — backbone router, SD-WAN CPE, access switch Prague
- Cisco Catalyst 9300, 9200 — industrial and office access switches
- Fortinet FortiGate 200F — NGFW firewall with IPS and SSL/TLS inspection
- CloudConnect / cloudconnect.cz — private MPLS VPN circuit to Microsoft Azure ExpressRoute
- Microsoft Azure ExpressRoute — private circuit to Azure West Europe
- MPLS VPN, L3 VRF, BGP, MP-BGP — private WAN technologies
- SD-WAN, IPSec, QoS DiffServ, EF DSCP — traffic orchestration and backup connectivity
- SAP S/4HANA — customer's ERP system in Microsoft Azure
- NIX.CZ — Neutral Internet eXchange Prague, New Telekom direct peering
- SNMPv3, NetFlow, syslog — New Telekom NOC Prague 24/7 monitoring
- 3GPP LTE-A Pro — backup mobile connectivity (New Telekom eSIM)
- ČSN EN 50173 — structured cabling
- EU Regulation 2016/679 (GDPR) — data protection during international WAN transfer
- Act No. 181/2014 Coll. (NIS2 transposition) — cybersecurity