SD-WAN Explained: The 3 Flavors of Software Defined WAN


Most of us have heard of SD-WAN and understand that it can have a huge impact on our networks and the way our businesses operate. What is SD-WAN? SD-WAN is best defined as traffic monitoring and management that extends from the physical devices all the way to the application itself, capitalizing on flexibility and agility. This intelligent routing is abstracted into a virtual overlay, enabling a secured pooling of both private and public connections that allows for automation, centralized network control and real-time management across multiple links. In other words, it can take multiple sources of Internet, optimize them, control the network flow and provide seamless failover. Sounds pretty great, right?

The other side of this tech coin is that SD-WAN is not a ratified standard in any way. The approaches used by providers vary, and the features and results are dramatically different. Differences between products may seem trivial at first glance, but on further evaluation not every product will fit every business. This isn't a one-size-fits-all T-shirt after all; this is critical data connectivity and routing. As the technology continues to advance there are some common traits across these platforms, but they have segmented into three distinct architectural strategies we call Site to Site, Cloud, and Hybrid.

Common Features Across SD-WAN Platforms

  • Route across the open Internet
  • Provide WAN performance optimization across multiple circuits
  • Prioritize traffic, providing QoS-style prioritization on commodity Internet
  • Network analytics and measurements

Site to Site Only SD-WAN Explained

Site to Site SD-WAN solutions communicate from edge device to edge device using instructions from a centralized orchestrator. The primary purpose of a Site to Site solution is to displace or augment an existing private network. Using this strategy we can increase bandwidth, add automated failover and optimize performance over a private/public network while reducing costs. Setting up a new site is simple: order commodity grade Internet connections, install your box, register it on the centralized orchestrator and you are connected. Site to Site SD-WAN solutions usually include an orchestrator hosted on a server in your datacenter or HQ location, plus hardened remote edge appliances that perform the routing and monitoring. Typical configurations allow the solution to act as a NATing firewall, which in most cases displaces any current firewalls. The Site to Site architecture automatically creates meshed VPN connections to associated sites, making deployment relatively painless even for the most complex multi-site organizations. All edge devices and the orchestrator are purchased and managed locally, giving complete control to local IT. If you are using private MPLS/VPLS or VPN tunnels across the Internet for connectivity between sites today, a Site to Site model can make that configuration more robust by providing multiple paths to all locations.



Cloud Only SD-WAN Explained

Cloud only SD-WAN is not focused on displacing your private network; instead the solution specializes in optimizing your cloud application experience. With this design an edge appliance communicates back to the SD-WAN provider's datacenters, creating transparent tunnels and giving the solution complete control of ingress and egress to the cloud. The edge appliance is installed in front of your current firewall/NATing router but is transparent to it. With a simple IP address change the SD-WAN solution becomes part of your network and starts doing its job, eye-wateringly easy. If your goal is to mesh sites using your existing firewall solution while you migrate to the cloud, this solution is designed for you. The design also works perfectly for single site, fully cloud, or multi-site organizations that have no need for site to site meshing. The cloud only design revolves around edge gateways communicating with the SD-WAN provider's main equipment, which has been strategically placed in datacenters that house major Internet peering points. All traffic routes through public Internet circuits to the datacenters, allowing for fine-grained control of the network. The edge gateways don't speak directly to each other and aren't dependent on any of your internal infrastructure for survivability. This solution is not designed to act as a firewall; instead it gives you the flexibility to use the security appliances that you trust in tandem with SD-WAN.

Hybrid SD-WAN Explained

Deploying a hybrid solution is highly flexible, giving you the capabilities of both a cloud only and a site to site design. Hybrid uses local edge devices that build a mesh VPN to the other gateways while optimizing cloud traffic to edge gateways provided by the manufacturer. This gives businesses the flexibility of routing to wherever the application (cloud or premise) lives, using SD-WAN intelligence. The meshing VPN technology is included and simple to set up, making it a natural fit for displacing or augmenting expensive, slow MPLS or VPLS connections. In this model the local devices are Layer 7-aware and make routing decisions based on the end destination of the packet and the priority assigned to it. The advantages of hybrid are obvious, but the drawback is that SD-WAN is not inherently a security platform, even though it still acts as a NAT router. This can lead to a challenge with network configuration where we are forced into service chaining to existing premise firewalls or implementing a cloud based security platform. For businesses looking to migrate to the cloud but needing to maintain existing premise equipment, hybrid appears to be a natural fit. The hybrid model allows edge gateways to communicate with other gateways and with the cloud points of presence in a highly adaptable way. Hybrid works well whether you plan to migrate entirely away from a private network like MPLS or plan to keep it and run commodity grade Internet alongside it. The hybrid model allows for the most flexibility of any SD-WAN offering today; however, it is more complex to set up and support than a cloud only deployment and provides less robust security features than a premise based solution.
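The Layer 7-aware, priority-based path selection and failover described above, as an added example that is not Matrix Networks' code or any vendor's implementation; the circuit names, budgets, loss/latency weighting and probe samples are all constructed for illustration:

```python
from dataclasses import dataclass

@dataclass
class LinkHealth:
    name: str          # underlay circuit the edge probes (names are constructed)
    up: bool           # liveness: tunnel keepalives still answered
    latency_ms: float  # measured latency to the far end of the tunnel
    loss_pct: float    # measured packet loss; non-zero on a live link = brownout

@dataclass
class AppPolicy:
    app: str              # class from Layer 7 classification, e.g. "voice"
    priority: int         # 1 = most important
    max_latency_ms: float # budget the chosen path must stay inside
    max_loss_pct: float

def score(link: LinkHealth) -> float:
    # Constructed weighting: 1 % loss costs as much as 20 ms of latency.
    return link.latency_ms + 20 * link.loss_pct
def rank_links(policy: AppPolicy, links: list) -> list:
    """Names of live links inside the app's budget, best first."""
    ok = [l for l in links if l.up and l.latency_ms <= policy.max_latency_ms
          and l.loss_pct <= policy.max_loss_pct]
    return [l.name for l in sorted(ok, key=score)]

def failover(links: list) -> tuple:
    """No link meets the budget: take the least-bad live link, flagged degraded,
    instead of blackholing; (None, True) means every circuit is down."""
    live = [l for l in links if l.up]
    return (min(live, key=score).name if live else None, True)

def steer(policies: list, links: list) -> dict:
    """Assign each app class a path in priority order: the top class takes the best
    eligible link, lower classes move to the next eligible link when one exists."""
    assignments, reserved = {}, None
    for pol in sorted(policies, key=lambda p: p.priority):
        ranked = rank_links(pol, links)
        if not ranked:
            choice = failover(links)
        elif reserved and ranked[0] == reserved and len(ranked) > 1:
            choice = (ranked[1], False)
        else:
            choice = (ranked[0], False)
        reserved = reserved or choice[0]   # premium path claimed by the top class
        assignments[pol.app] = choice
    return assignments

LINKS = [  # constructed sample: fiber in brownout (up, but 3 % loss)
    LinkHealth("fiber", True, 12, 3.0), LinkHealth("cable", True, 28, 0.4),
    LinkHealth("lte", True, 65, 1.5)]
POLICIES = [AppPolicy("voice", 1, 50, 1.0), AppPolicy("saas", 2, 100, 2.0),
            AppPolicy("backup", 3, 200, 5.0)]
```

With the sample, voice leaves the lossy fiber for cable even though fiber is still "up", which is the brownout case a plain up/down check would miss.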

Choosing a SD-WAN Path

With an industry so new, choosing the right product and partner is challenging but very important to the success of the project. One model might not work in your environment at all but be perfect for the business down the street. Work with an expert in SD-WAN who offers a variety of products and has experience deploying for different types of businesses. Most offerings include a 30-day trial, something we advise our clients to take advantage of so they can pilot the cutting-edge technology. Understanding the way your network will be affected by your chosen solution is critical, and taking the word of the vendor's salesperson is not sufficient; talk with other clients and with your trusted partners and resources. Moving to SD-WAN can save companies gobs of money while dramatically improving the performance of their wide area network, but it doesn't come without challenges. Let Matrix Networks be your guide as you explore this awesome tech!




Author: Kyle Holmes