In the past few years, SD-WAN (Software-Defined WAN) has gone from emerging technology to a mature and widely adopted WAN connectivity solution. For example, a recent survey has found that 71% of network security decision-makers have deployed or plan to deploy SD-WAN.
So, what exactly is SD-WAN? How does it work and what makes SD-WAN so compelling for enterprises? Why does it fit into modern network architectures better than legacy alternatives? In this piece, we’ll explore the answers to all the above.
SD-WAN explained
At a high-level, SD-WAN is the use of software to manage and control WAN connectivity. Gartner has defined four key characteristics of SD-WAN:
- SD-WAN supports multiple transport methods such as MPLS (Multiprotocol Label Switching), 4G LTE, xDSL, etc.
- SD-WAN supports dynamic path selection
- SD-WAN should provide a simple management interface
- SD-WAN must support third-party services like VPNs (Virtual Private Networks), firewalls, gateways, etc.
While there are different approaches to SD-WAN, those characteristics help to conceptualize the core SD-WAN functionality you can expect across vendors.
Types of SD-WAN
There are a variety of vendors in the SD-WAN space, each boasting a unique value proposition and feature set. However, they can be grouped into three general categories of SD-WAN:
Appliance-based SD-WAN. These are hardware or virtual SD-WAN appliances. With appliance-based SD-WAN, there is no underlying network infrastructure, and therefore no uptime SLA, just overlay functionality. Enterprise-grade security features like NGFW (next-generation firewall) or SWG (secure web gateway) are not built-in and must be integrated.
SD-WAN managed services. From a technology standpoint, SD-WAN managed services are the same as appliance-based SD-WAN. The major differences are twofold: the provider manages and maintains the solution, and the provider is generally a carrier that provides an underlying transport method with an SLA.
Cloud-based SD-WAN. With cloud-based SD-WAN, the underlying network and security processing infrastructure resides in the cloud. PoPs (points of presence) across the globe create a network backbone which providers back with an SLA. Generally, enterprise-grade security functionality is built into appliances in the locations connecting to the network.
How does SD-WAN work?
SD-WAN works by creating a virtual overlay connecting locations, abstracting away the underlying network services. This means that with SD-WAN, network services are decoupled from applications, enabling more efficient network configurations that can optimize application performance.
While there are nuances to appliance-based SD-WAN architectures, in general it works like this:
Administrators define configuration and traffic-management policies to be distributed from the SD-WAN controller.
The SD-WAN appliance in the branch office or datacenter is connected to the local network on one side and to multiple network services, often MPLS and public Internet services, on the other.
Once on the network, the SD-WAN appliance retrieves its configuration and traffic-management policies, and configures itself.
The SD-WAN appliance establishes encrypted tunnels to the other SD-WAN appliances, creating the virtual overlay.
As traffic leaves the site and enters the SD-WAN, the appliances dynamically select the optimal path using their policy-based routing algorithms and business priorities, and forward traffic accordingly.
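The path-selection step above, as an added Python example that is not any vendor's code: a flow is classified, each transport's probe metrics are checked against the administrator-defined SLA thresholds, and the highest business-preference transport that currently meets them wins, with a graceful fallback when none does. The policies, port mappings and metric values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed per-transport health measurements, as an SD-WAN appliance
# would gather from its tunnel probes. Values are illustrative only.
@dataclass
class PathMetrics:
    name: str            # transport, e.g. "mpls" or "internet"
    latency_ms: float
    loss_pct: float
    jitter_ms: float

# A traffic-management policy of the kind an administrator defines on the
# controller: SLA thresholds plus a business-preference order of transports.
@dataclass
class AppPolicy:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred: list      # transports in order of business preference

# Hypothetical policy set: real-time voice prefers MPLS, cloud/SaaS and bulk
# traffic prefer the cheaper Internet link (the MPLS-plus-Internet split the
# article describes).
POLICIES = {
    "voice": AppPolicy(150, 1.0, 30, ["mpls", "internet"]),
    "saas":  AppPolicy(300, 3.0, 100, ["internet", "mpls"]),
    "bulk":  AppPolicy(1000, 5.0, 500, ["internet", "mpls"]),
}

# Minimal classifier keyed on destination port; unknown traffic is "bulk".
PORT_CLASSES = {5060: "voice", 5061: "voice", 443: "saas"}

def classify(dst_port: int) -> str:
    return PORT_CLASSES.get(dst_port, "bulk")

def meets_sla(path: PathMetrics, policy: AppPolicy) -> bool:
    return (path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct
            and path.jitter_ms <= policy.max_jitter_ms)

def select_path(dst_port: int, paths: list) -> str:
    """Return the transport name chosen for a flow to dst_port."""
    policy = POLICIES[classify(dst_port)]
    by_name = {p.name: p for p in paths}
    # First pass: highest-preference transport that currently meets the SLA.
    for name in policy.preferred:
        path = by_name.get(name)
        if path is not None and meets_sla(path, policy):
            return name
    # No transport meets the SLA: degrade gracefully to the least-lossy,
    # then lowest-latency, path rather than black-holing the flow.
    return min(paths, key=lambda p: (p.loss_pct, p.latency_ms)).name
```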
From a routing perspective, cloud-based SD-WAN works similarly, except the virtual overlay is created across a private global backbone of PoPs.
The network and security challenges SD-WAN addresses
Understanding why SD-WAN has surged in popularity begins with understanding the problems legacy WAN solutions faced. Prior to SD-WAN, MPLS and Internet-based VPN were the two most popular WAN connectivity solutions.
MPLS provides enterprises with a reliable and high-performance means to connect WAN locations. However, MPLS bandwidth is costly, and cloud and mobile traffic create challenges for MPLS networks. While MPLS bandwidth costs have dropped in recent years, the prices are still significantly higher than comparable public Internet costs. Additionally, to route WAN traffic to cloud services like Salesforce, Office 365, or Amazon Web Services, enterprises often had to backhaul traffic through a single WAN endpoint (e.g. a firewall appliance) for security purposes. This backhauling leads to degraded cloud performance at a time when more and more workloads are shifting to the cloud.
Internet-based VPN provides enterprises with a way to interconnect sites using more affordable public Internet bandwidth. While this addresses the cost aspect of MPLS, the approach is difficult to scale and can come with significant performance tradeoffs. Further, by depending on the public Internet alone, VPN leaves enterprises without SLAs to guarantee performance.
With SD-WAN appliances, enterprises can implement optimized routing policies across different transport services, MPLS included, and get the most “bang for their buck.” In those cases, MPLS still connects branch locations while more affordable public Internet connections transport cloud traffic.
However, appliance-based SD-WAN alone shares a shortcoming with Internet-based VPN: there is no underlying SLA-backed transport method. As a result, SD-WAN appliances often complement, but can’t outright replace, MPLS. Further, the lack of security tools, like NGFW, in SD-WAN appliances requires enterprises to integrate additional solutions to secure the network. Additionally, securely connecting mobile users to the WAN remained a challenge for many appliance-based SD-WAN solutions, MPLS, and Internet-based VPN.
Cloud-based SD-WAN addresses these problems. It provides enterprises with a private backbone that is backed by an SLA and delivers performance comparable to MPLS networks. It also makes securely connecting mobile users easy for two reasons: security is built into the underlying cloud-native infrastructure, and the cloud-based architecture means mobile users can connect to the nearest PoP from anywhere with Internet access.
Final thoughts: SD-WAN brings agility, reliability, and scalability to the modern WAN
While there is no one-size-fits-all solution for WAN connectivity, SD-WAN helps address the network and security challenges enterprises face today. By decoupling the network services from the management plane, SD-WAN allows for granular and agile routing configurations that can optimize performance and improve scalability. Additionally, by aggregating multiple network services SD-WAN adds a layer of resilience and fault tolerance to the WAN.