SD-WAN Explained

What is SD-WAN

Software-Defined WAN (SD-WAN), a new way to manage and optimize a wide area network, is designed to address the changing use of enterprise networks due to the growth of cloud computing and mobile devices. It is a more flexible solution than MPLS, better supporting a distributed and mobile workforce, and is more reliable and scalable than VPN-based WAN.

SD-WAN is implemented as a network of SD-WAN appliances connected by encrypted tunnels. Each appliance is attached to a set of transport services (typically an MPLS circuit plus one or more Internet links such as broadband or LTE) and continuously monitors the availability and performance of each. Traffic reaching an appliance is classified by application and prioritized according to centrally managed policies before being sent over the best available link for that application.

SD-WAN makes it possible to reduce or eliminate dependence on MPLS, which is expensive and slow to extend to new locations. It also allows security functions to be distributed to the network edge, so that traffic bound for cloud services no longer has to be backhauled through the enterprise datacenter for inspection, a practice that adds latency and degrades performance.

By converging networking and security functionality, an SD-WAN can eliminate the need to deploy expensive point security products at branch locations. An SD-WAN with a large network of globally-distributed points-of-presence (PoPs) can provide high-performance, secure networking with centralized management and visibility.

A History of SD-WAN

Software-defined WAN (SD-WAN) brings the abstraction of SDN to the WAN; however, it is only the latest in a series of transformations of WAN.

The very first stage of WAN, in the 1980s, used point-to-point leased lines to connect separate LANs. Frame Relay, introduced in the early 1990s, improved the price and efficiency of these connections. Instead of requiring a dedicated line between each pair of communicating sites, Frame Relay let each site connect to a service provider's "cloud" over a single access link carrying multiple virtual circuits, which shared the last-mile link among those circuits and allowed the use of less expensive router hardware.

The next stage was the introduction of Multiprotocol Label Switching (MPLS), which let a provider carry voice, video, and data on one shared network by forwarding packets along provider-assigned labels rather than by IP routing at every hop. MPLS provides dependable network connections protected by SLAs but is expensive and slow to provision.

In 2013, SD-WAN emerged, showing the potential to be a viable and cost-effective alternative to MPLS and making it the logical next step in WAN technology. By abstracting the underlying transport links and routing traffic according to centrally defined and managed policies, SD-WAN can optimize the routing and prioritization of each type of application traffic. That flexibility also lets it serve cloud and mobile users better. As this type of use becomes more common, it is unsurprising that widespread SD-WAN adoption is expected.

The Evolution of SD-WAN

SD-WAN 1.0: Hungry for bandwidth

The first stage of SD-WAN evolution focused on availability and last-mile bandwidth. New MPLS links are expensive and slow to provision, and a backup Internet link sat idle unless the MPLS link failed. Link bonding, an SD-WAN predecessor, combined connections of different types at the link level, improving last-mile bandwidth and putting the backup link to use.

SD-WAN 2.0: The rise of SD-WAN startups

The limitation of link bonding is that it only improved last-mile performance; improving performance across the whole WAN required path awareness end to end. Early SD-WAN solutions offered virtualized WAN links with automatic failover and failback, plus application-aware routing. With application-aware routing, SD-WAN no longer had to rely entirely on MPLS and could route each application's traffic over the most suitable link.

SD-WAN 3.0: Reaching out

The latest stage of SD-WAN evolution focuses on going beyond networking branch locations. As organizations increasingly move resources to the cloud, SD-WAN provides a solution for securely connecting these cloud deployments to the enterprise WAN.

How does SD-WAN Work?

Software-defined WAN (SD-WAN) is designed to solve many of the challenges of traditional WAN design. SD-WAN abstracts away the details of the underlying transport, allowing the WAN to use a variety of connection types interchangeably, including LTE, MPLS, and broadband Internet. This abstraction can improve bandwidth, performance, and redundancy, and it enables centralized management and orchestration.

SD-WAN works by creating a network of SD-WAN appliances connected by encrypted tunnels. Each site on the WAN has its own SD-WAN appliance, and all traffic flows through that appliance. Since all appliances are centrally managed, consistent networking policies can be enforced throughout the organization. When traffic enters an SD-WAN appliance, the appliance determines the type of application traffic and routes it to its destination based upon existing policies and the availability and performance of different network links.
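
The classification and policy-based path selection described above, as an added example in Python; it is not code from this page or from any SD-WAN product. The link metrics, SLA thresholds, scoring weights, the port-based classifier and the sample flows are all constructed for illustration, and the `with_metrics` helper simulates the link outage and degradation cases an appliance must handle (the active-active failover discussed under SD-WAN redundancy later on this page).

```python
"""Application-aware path selection of the kind an SD-WAN appliance performs.

Added example for this article, not code from the page or from any SD-WAN
product. The link metrics, policy thresholds, scoring weights and the
port-based classifier are all constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Link:
    name: str
    up: bool            # result of the appliance's liveness probes
    latency_ms: float   # latency measured over the tunnel
    loss_pct: float     # packet loss over the last probe window
    jitter_ms: float
    cost: int           # relative price per Mbit; lower is cheaper (assumed)


@dataclass(frozen=True)
class Policy:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    prefer: str         # "quality": best-measuring link; "cost": cheapest compliant link


# Constructed link table, as the appliance's probes might report it.
LINKS: List[Link] = [
    Link("mpls", True, latency_ms=35.0, loss_pct=0.0, jitter_ms=2.0, cost=10),
    Link("broadband", True, latency_ms=22.0, loss_pct=0.4, jitter_ms=8.0, cost=1),
    Link("lte", True, latency_ms=60.0, loss_pct=1.5, jitter_ms=20.0, cost=4),
]

# Centrally managed policies pushed to every appliance (thresholds assumed).
POLICIES = {
    "voice": Policy("voice", max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30, prefer="quality"),
    "saas": Policy("saas", max_latency_ms=200, max_loss_pct=2.0, max_jitter_ms=50, prefer="quality"),
    "bulk": Policy("bulk", max_latency_ms=1000, max_loss_pct=5.0, max_jitter_ms=200, prefer="cost"),
}


def classify(proto: str, dst_port: int) -> str:
    """Toy port-based classifier standing in for application identification.
    Real appliances use DPI and signatures, not just ports."""
    if proto == "udp" and (dst_port in (5060, 5061) or 16384 <= dst_port <= 32767):
        return "voice"          # SIP signalling or a common RTP media port range
    if proto == "tcp" and dst_port == 443:
        return "saas"           # TLS to a cloud service
    return "bulk"               # everything else: backups, file transfer, ...


def meets_sla(link: Link, pol: Policy) -> bool:
    return (link.up
            and link.latency_ms <= pol.max_latency_ms
            and link.loss_pct <= pol.max_loss_pct
            and link.jitter_ms <= pol.max_jitter_ms)


def quality_score(link: Link) -> float:
    """Lower is better. Loss and jitter are weighted far above raw latency
    because they hurt real-time traffic most (weights assumed)."""
    return link.latency_ms + 10 * link.jitter_ms + 100 * link.loss_pct


def select_link(app: str, links: List[Link], policies=POLICIES) -> Optional[str]:
    """Pick the transport for one application class given current metrics."""
    pol = policies[app]
    eligible = [l for l in links if meets_sla(l, pol)]
    if not eligible:
        # Degraded mode: no link meets the SLA. Forward on the best link that
        # is at least up rather than black-holing the application.
        eligible = [l for l in links if l.up]
        if not eligible:
            return None
    if pol.prefer == "cost":
        best = min(eligible, key=lambda l: (l.cost, quality_score(l)))
    else:
        best = min(eligible, key=lambda l: (quality_score(l), l.cost))
    return best.name


def with_metrics(links: List[Link], name: str, **changes) -> List[Link]:
    """Return a copy of the link table with one link's metrics changed,
    e.g. with_metrics(LINKS, "mpls", up=False) to simulate an outage."""
    return [replace(l, **changes) if l.name == name else l for l in links]


def route_flows(flows, links: List[Link]):
    """Map each (proto, dst_port) flow to an application class and a link."""
    return [(proto, port, classify(proto, port), select_link(classify(proto, port), links))
            for proto, port in flows]


if __name__ == "__main__":
    flows = [("udp", 5060), ("tcp", 443), ("tcp", 445)]   # constructed sample flows
    print("steady state:", route_flows(flows, LINKS))
    print("mpls outage: ", route_flows(flows, with_metrics(LINKS, "mpls", up=False)))
    print("broadband degraded (3% loss):",
          route_flows(flows, with_metrics(LINKS, "broadband", loss_pct=3.0)))
```

Running the script shows voice and SaaS traffic preferring the MPLS link while bulk transfers ride the cheap broadband link; when MPLS is marked down, both real-time classes move to broadband, and when broadband's loss climbs past the voice threshold only the classes whose SLA it now violates move back to MPLS. The degraded-mode branch deserves attention in a real deployment: forwarding on a non-compliant link keeps sessions alive, but it should raise an alert rather than silently mask a bad circuit.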

Traditional SD-WAN is hardly perfect. Many SD-WANs include no integrated security, so each branch must deploy its own standalone security products. SD-WAN also requires an appliance at each site, which makes it difficult or impossible to extend to cloud and mobile traffic. Finally, SD-WAN often depends on the public Internet for its middle mile, which raises reliability concerns. Secure access service edge (SASE) platforms address many of these problems.

SD-WAN Benefits

Designed to provide an alternative to traditional MPLS-based WAN, Software-defined WAN (SD-WAN) provides organizations with five major benefits when compared to MPLS.

Reduced WAN costs

MPLS bandwidth is expensive, and provisioning a new MPLS link can take weeks or months, compared to days for an SD-WAN site brought up over commodity Internet links. In both operating cost and lost business opportunity, MPLS compares poorly with SD-WAN.

Enhanced WAN performance

MPLS is very effective at routing traffic between two static locations, but the growth of the cloud makes this less useful to businesses. SD-WAN’s policy-based routing allows traffic to be optimally sent through the network based upon the needs of the underlying application.

Improved WAN agility

SD-WAN also provides much more agile networking than MPLS. With SD-WAN, the network layer is abstracted away, allowing the use of a variety of different transport mechanisms throughout the WAN.

Simplified WAN management

With MPLS, an organization may need to deploy a variety of standalone appliances to manage WAN optimization and security. With SD-WAN, these operations can be centralized, allowing organizations to scalably manage growing networks.

Increased WAN availability

Finally, SD-WAN can provide dramatic redundancy and availability improvements over MPLS. With MPLS, adding redundant links can be expensive. SD-WAN, on the other hand, can route traffic over a different transport mechanism in the case of an outage.

How to connect multiple offices

WAN connections to branch offices have a variety of different constraints: they must be secure, reliable, affordable, and offer enterprise-level network performance. Several different solutions exist, but many of them have their issues.

A common way to connect branch locations is to run VPNs over the public Internet. While these can provide the security an organization requires, they are often difficult to set up and may not meet its other needs. Mobile VPN clients are often clunky, and physical VPN appliances can be time-consuming to deploy and may not suit a mobile workforce. Because a VPN depends on the public Internet, it may also not provide the reliability the enterprise requires.

While MPLS provides more reliable, high-performance network connections, MPLS connections are slow to deploy, and MPLS bandwidth is expensive. The technology is also ill-suited to mobile and cloud users and lacks built-in security.

Cloud-based software-defined WAN (SD-WAN) addresses the challenges of branch networking. Cloud-based points-of-presence (PoPs) interconnected over tier-1 carrier backbones backed by SLAs provide high-performance, reliable, and affordable networking. The network of PoPs lets users connect from anywhere with minimal latency, and an integrated security stack provides security throughout the network.

SD-WAN security

MPLS and appliance-based software-defined WAN (SD-WAN) can both provide the networking capabilities an organization needs for its WAN, but both often have significant security shortcomings. MPLS does not encrypt the traffic on its circuits; it relies on the provider's traffic separation, so anyone able to capture traffic on the provider network or the circuit can read the data. Both MPLS and appliance-based SD-WAN may have no built-in security at all. As a result, many organizations using these systems deploy standalone security appliances at each location to provide the necessary protections.

However, this approach to WAN security can be complex, unscalable, and expensive since each new location requires another set of security appliances. Each of these appliances must be individually purchased, configured, monitored, and managed, which creates significant costs throughout their lifetimes. This approach also does not work for the cloud and mobile, where security appliances cannot be deployed on-site.

Cloud-based SD-WAN addresses this problem. A provider with points-of-presence (PoPs) distributed worldwide gives every user a nearby PoP to connect through, so the SD-WAN adds minimal latency. Those PoPs can also carry integrated security functions, removing the need for standalone appliances at each location and giving centralized networking and security visibility across the enterprise WAN. Integrating networking and security can also improve performance, since the two stacks can be optimized to interoperate.

SD-WAN vs. MPLS vs. public internet

As global organizations become more common, the need to connect geographically-distributed LANs via a WAN becomes extremely important. In order to compete effectively, organizations need access to stable, high-performance WAN at an affordable price. Three options exist for providing this: the public Internet, MPLS, and software-defined WAN (SD-WAN).

The first option for an enterprise is to route internal traffic over the public Internet. The two primary advantages of this approach are quick setup and relatively low costs since broadband Internet is widely accessible and typically affordable. However, these advantages come at the cost of unstable performance, volatile latency, and a lack of end-to-end management.

MPLS is designed to provide high-performance, reliable connections backed by SLAs that guarantee latency, packet delivery, and availability. However, these connections are expensive and extremely slow to deploy (weeks or months). MPLS is also ill-suited to cloud computing, since traffic must be backhauled to a central site before being sent on to its cloud destination.

SD-WAN provides the best of both worlds by abstracting away the details of the network infrastructure. By choosing the optimal route from a collection of public Internet connections and MPLS links, SD-WAN can balance performance and cost on a per-application basis. Cloud-based SD-WAN provides additional benefits, including integrated security, support for mobile and cloud users, and predictable latency and packet loss.

MPLS Alternative

MPLS, a common choice for enterprises that need high-speed, reliable network connections, offers SLA-backed guarantees on availability, packet loss, and latency.

Yet while the technology is indeed mature and built for the enterprise, it also has its disadvantages. The guaranteed features of MPLS mean that MPLS bandwidth is expensive, not to mention that changing MPLS connections is difficult as new connections can take weeks or months to deploy. This affects the ability to set up new branch locations, expand bandwidth at existing locations, and other network changes.

Software-defined WAN (SD-WAN) is designed to provide an alternative to MPLS that addresses these challenges. SD-WAN, which consists of a network of SD-WAN appliances that are connected via tunnels over multiple transport media, abstracts away the network layer and optimally routes traffic over a variety of different data services depending on the type of application traffic. As a result, it can reduce the cost of networking and allows rapid deployment.

And yet, SD-WAN is not a perfect solution. Its reliance upon existing communications links means that MPLS may still be needed for certain applications, and SD-WAN appliances often do not have security built-in by default. Addressing these issues, and expanding coverage to mobile and cloud users, requires cloud-based SD-WAN.

SD-WAN redundancy vs MPLS redundancy

Redundancy is vital for the enterprise WAN. Network outages are a leading cause of downtime, so redundant network connections are needed to minimize downtime. Software-defined WAN (SD-WAN) is a viable alternative to MPLS for enterprise WAN, but reliability and redundancy can be an issue. However, if implemented properly, SD-WAN can offer better redundancy than MPLS.

MPLS is well known for its middle-mile reliability. The same level of reliability is often not attainable in the last mile: MPLS bandwidth is expensive, so the price of last-mile redundancy can be prohibitive, and a single event that cuts the last-mile circuit takes the site down. Real last-mile redundancy requires dual-homed connections over physically diverse paths, ideally to different providers. Typically, MPLS offers active-passive redundancy, with failover waiting on route or DNS convergence, so the backup link sits idle until the primary fails and existing sessions are usually lost during the cutover.

SD-WAN abstracts the underlying transports so that traffic can be routed over any of them, and the appliance keeps every link in active use, with real-time availability and performance monitoring of each. This both increases usable bandwidth and enables active-active redundancy: if one transport fails, flows are steered onto the remaining links as soon as the monitor detects the outage, rather than after routing convergence. Thus, in addition to high middle-mile redundancy, SD-WAN can provide better last-mile redundancy than MPLS.
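
How an appliance decides that a link is down, and when to trust it again, as an added example in Python (not the page's or any product's code). The probe interval, miss and hit thresholds, the hold-down and the outage trace are assumptions chosen for illustration. It shows why keeping all links in use with real-time monitoring gives faster failover than waiting on routing-protocol convergence, and why failback needs a hold-down so that a flapping circuit does not keep pulling traffic back.

```python
"""Per-transport liveness monitor of the kind that feeds SD-WAN path
selection: probes every interval, a link is declared down after N
consecutive misses and restored only after M consecutive successes plus
a hold-down, so a flapping circuit does not bounce traffic back and forth.

Added example for this article, not code from the page or any product.
Probe interval, thresholds, the hold-down and the outage trace are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkMonitor:
    name: str
    down_after: int = 3          # consecutive missed probes before declaring down (assumed)
    up_after: int = 5            # consecutive good probes before a link may return (assumed)
    hold_down_s: int = 10        # extra seconds of good probes before actually returning (assumed)
    up: bool = True
    misses: int = 0
    hits: int = 0
    candidate_up_since: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, ok: bool) -> bool:
        """Feed one probe result taken at time t (seconds); return link state."""
        if self.up:
            if ok:
                self.misses = 0
            else:
                self.misses += 1
                if self.misses >= self.down_after:
                    self.up = False
                    self.misses = self.hits = 0
                    self.candidate_up_since = None
                    self.events.append((t, "down"))
        else:
            if not ok:
                # Any miss while recovering restarts the recovery count.
                self.hits = 0
                self.candidate_up_since = None
            else:
                self.hits += 1
                if self.hits >= self.up_after and self.candidate_up_since is None:
                    self.candidate_up_since = t
                if (self.candidate_up_since is not None
                        and t - self.candidate_up_since >= self.hold_down_s):
                    self.up = True
                    self.hits = 0
                    self.candidate_up_since = None
                    self.events.append((t, "up"))
        return self.up


def mpls_probe_ok(t: int) -> bool:
    """Constructed probe trace for the MPLS link: a hard outage from t=10
    through t=29, then a two-probe blip at t=45-46 that must not trigger
    another failover."""
    if 10 <= t <= 29:
        return False
    if t in (45, 46):
        return False
    return True


def simulate(end_t: int = 70) -> Tuple[List[Tuple[int, str]], Dict[int, Tuple[str, ...]]]:
    """Run both monitors with a 1 s probe interval (assumed) and record,
    for each second, which links the appliance would steer traffic onto."""
    mpls = LinkMonitor("mpls")
    broadband = LinkMonitor("broadband")
    usable: Dict[int, Tuple[str, ...]] = {}
    for t in range(end_t + 1):
        mpls.observe(t, mpls_probe_ok(t))
        broadband.observe(t, True)          # constructed: broadband never misses
        usable[t] = tuple(m.name for m in (mpls, broadband) if m.up)
    return mpls.events, usable


def detection_lag_s(monitor: LinkMonitor, probe_interval_s: int = 1) -> int:
    """Worst-case seconds between a real failure and the monitor noticing it:
    the last good probe may land just before the failure, so the link is
    declared down down_after probes later."""
    return monitor.down_after * probe_interval_s


if __name__ == "__main__":
    events, usable = simulate()
    print("state changes:", events)
    for t in (9, 12, 13, 30, 44, 46):
        print(f"t={t:2d}s traffic may use: {usable[t]}")
    print("worst-case detection lag:", detection_lag_s(LinkMonitor("mpls")), "s")
```

With a 1 s probe and three misses, the MPLS outage that begins at t=10 is declared at t=12 and traffic is steered onto broadband only; the link is readmitted at t=44, five good probes plus the 10 s hold-down after it came back, and the two-probe blip at t=45-46 never reaches the down threshold. The 3 s detection lag is what active-active monitoring buys compared with the tens-of-seconds dead timers that routing-protocol convergence waits on (OSPF's default dead interval, for instance, is 40 s); the hold-down is the caveat, since without it a circuit flapping every few seconds would drag sessions back and forth.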

Last Mile Constraints

MPLS is well-known for middle-mile reliability; however, the same is not true for last-mile. The cost of MPLS bandwidth often makes deploying redundant last-mile connections cost-prohibitive, leading organizations to seek alternative solutions.

Two early methods for dealing with the last-mile reliability problem are the use of a backup Internet connection and link-bonding. While a backup Internet connection can help to deal with MPLS outages, the failover process is slow and often results in a loss of current connections. Link-bonding attempted to solve the problem of last-mile reliability by aggregating multiple different last-mile transport services. While this positively impacted last-mile bandwidth and reliability, it did nothing to help the middle-mile.

Software-defined WAN (SD-WAN) takes the concept of link-bonding a step further. By abstracting away the network details, SD-WAN is able to present a range of transport options as a single pipe to an application and perform traffic routing behind the scenes.

This allows SD-WAN to provide numerous advantages for an enterprise WAN. The last mile can be optimized using policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream). With cloud-based SD-WAN, where the middle mile is composed of private Tier-1 backbones, it is also possible to perform middle-mile optimization, allowing SD-WAN to compete with MPLS with regard to middle-mile network reliability and performance.
