How is SD-WAN defined?
Enterprise adoption of software-defined wide-area network, commonly referred to as SD-WAN, is growing and maturing. SD-WAN is an evolution of wide area networking concepts that have been in use in enterprises for the past few decades.
SD-WAN provides the foundation to modernize the WAN infrastructure to support today’s applications, which in many cases are offered as a service or hosted in multiple locations.
Traditionally, organizations have used leased lines from service providers to interconnect remote locations to central data center hubs. Traffic flowed from a remote location (spoke) to a central hub to reach application services and the public internet provided from central locations. The hub-and-spoke design became the prevailing architectural model for years as organizations became more interconnected, thanks to the ability to centralize services in a few core locations.
More recently, applications became widely available outside of the centralized hubs due to the proliferation of cloud-based applications, provided as a service that could be consumed using standard internet access. Traditional WAN architectures became a performance bottleneck for the new application models due to the inefficient traffic flow through the central hub.
SD-WAN technology was born to solve these new challenges. The first generation of SD-WAN solutions provided a new foundation of features for WAN architecture improvements.
There are four original core features of SD-WAN:
- Transport independence
- Application visibility
- Path intelligence
- Centralized management
SD-WAN vendors have developed product offerings that include these common features as the foundation to their respective SD-WAN portfolios.
The concept of transport independence is not new. Overlays such as dynamic multipoint virtual private networks (DMVPN) have been steadily adopted over the last decade. SD-WAN expanded on this concept by making the IPsec protocol a core component of the architecture. This provided the ability to create a virtual network, or overlay, on top of any service provider or connection, creating greater flexibility to introduce commodity connectivity, such as broadband access, into remote locations.
SD-WAN made application visibility a standard feature of the WAN, which was not as prevalent in the past. Application identification tools help classify applications so that application-aware policies can be implemented to better suit the needs of the business. Additionally, SD-WAN solutions provide integrated monitoring tools that leverage application identification to show which applications are traversing the WAN, giving a more insightful view of network utilization.
Overlay technology provides the foundation for path intelligence by providing end-to-end encapsulation that gives administrators the ability to build policies based on an application type and performance requirement. Load balancing across multiple connections became a standard design option instead of an afterthought. Path monitoring allowed for business-critical applications to be routed across any available connection that met the policy definition.
SD-WAN provides centralized management that allows common templates to be developed based on site type, reducing the variations of configurations deployed in the WAN. Gone are the days of configuring hundreds of routers one by one via the CLI. The central management tools also have Application Programming Interfaces (APIs) that allow for customizable automation, accessed using HTTP-based RESTful interactions.
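To make the path intelligence feature concrete, here is an added Python example (not code from the original article or from any SD-WAN vendor) that models what the overlay's path monitoring and application policies do together: each tunnel reports latency, loss and jitter; each application class carries an SLA and an ordered transport preference; the selector keeps only paths that meet the SLA, honours the preference, and falls back to the least-lossy path while flagging the SLA miss. The tunnel names, application classes, thresholds and measurements are all constructed for the demo.

```python
"""Policy-driven path selection over monitored overlay tunnels.

Added example (not from the article or any SD-WAN vendor). Application
classes, SLA thresholds and path measurements are constructed for the demo.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathMetrics:
    """Latest probe results for one overlay tunnel (as a path monitor would report)."""
    name: str
    transport: str        # underlay type, e.g. "mpls", "broadband", "lte"
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    up: bool = True


@dataclass(frozen=True)
class AppPolicy:
    """SLA an application class must receive, plus transport preference."""
    app_class: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred_transports: Tuple[str, ...] = ()  # ordered, first is most preferred
    fallback_to_best_effort: bool = True        # forward anyway if no path meets SLA


def meets_sla(policy: AppPolicy, path: PathMetrics) -> bool:
    """True when the path is up and every measured metric is within the policy's limits."""
    return (path.up
            and path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct
            and path.jitter_ms <= policy.max_jitter_ms)


def select_path(policy: AppPolicy,
                paths: List[PathMetrics]) -> Tuple[Optional[PathMetrics], bool]:
    """Return (chosen path, sla_met).

    1. Keep only paths that currently satisfy the policy's SLA.
    2. Among those, honour transport preference, then lowest latency, then loss.
    3. If none qualify and fallback is allowed, pick the least-lossy up path and
       return sla_met=False so monitoring can raise an alert on the violation.
    """
    candidates = [p for p in paths if meets_sla(policy, p)]
    if candidates:
        def rank(p: PathMetrics):
            prefs = policy.preferred_transports
            pref_index = prefs.index(p.transport) if p.transport in prefs else len(prefs)
            return (pref_index, p.latency_ms, p.loss_pct)
        return min(candidates, key=rank), True
    if policy.fallback_to_best_effort:
        up_paths = [p for p in paths if p.up]
        if up_paths:
            return min(up_paths, key=lambda p: (p.loss_pct, p.latency_ms)), False
    return None, False


def degrade(paths: List[PathMetrics], name: str, **changes) -> List[PathMetrics]:
    """Return a new path list with one tunnel's metrics replaced (simulated brownout)."""
    return [replace(p, **changes) if p.name == name else p for p in paths]


# Constructed sample measurements for a branch with three overlay tunnels.
PATHS = [
    PathMetrics("tun-mpls", "mpls", latency_ms=40, loss_pct=0.1, jitter_ms=5),
    PathMetrics("tun-bb", "broadband", latency_ms=25, loss_pct=0.5, jitter_ms=12),
    PathMetrics("tun-lte", "lte", latency_ms=90, loss_pct=2.0, jitter_ms=30),
]

# Constructed application policies: voice is jitter-sensitive and prefers MPLS;
# SaaS tolerates jitter and prefers the cheap broadband circuit.
VOICE = AppPolicy("voice", max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=10,
                  preferred_transports=("mpls", "broadband"))
SAAS = AppPolicy("saas", max_latency_ms=100, max_loss_pct=1.0, max_jitter_ms=50,
                 preferred_transports=("broadband",))


if __name__ == "__main__":
    for policy in (VOICE, SAAS):
        path, ok = select_path(policy, PATHS)
        print(f"{policy.app_class:5} -> {path.name} ({'SLA met' if ok else 'SLA MISSED'})")
    brownout = degrade(PATHS, "tun-mpls", loss_pct=3.0)
    path, ok = select_path(VOICE, brownout)
    print(f"voice during MPLS brownout -> {path.name} ({'SLA met' if ok else 'SLA MISSED'})")
```

With the sample data, voice lands on the MPLS tunnel and SaaS on broadband; when MPLS loss rises to 3%, no path satisfies the voice SLA, so the selector falls back to broadband and reports the miss rather than silently blackholing the class. The `sla_met` flag is the hook a defender would feed into monitoring, since a sustained fallback is often the first visible symptom of an underlay problem.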
How has SD-WAN evolved?
There are some common themes evolving in SD-WAN that build on the core tenets of the technology. SD-WAN is a key component, but network architects are starting to look more holistically at the network design to include adjacent components such as security, cloud interconnection and automation.
Security is a wide-ranging technology domain. As it relates to WAN architecture, security plays critical roles in segmentation and direct internet access (DIA).
Segmentation is provided through the concept of virtual routing and forwarding, commonly known as VRF, which creates separate virtual routing domains within the same physical device. This type of segmentation helps isolate protected resources to support a regulatory requirement like PCI, or to separate guest traffic from enterprise traffic. Additional protection can be provided by zone-based firewall (ZBFW) functionality, which provides further segmentation within a VRF.
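The following Python model is an added example, not code from the original article or from any vendor, showing how the two layers of segmentation just described compose: each VRF has its own routing table, so a destination that is not in the table (or that is null-routed) is unreachable from that VRF regardless of firewall rules, and inside a VRF a zone-based policy permits only explicitly listed zone pairs and ports, with everything else denied by default. The VRF names, prefixes, zones and rules are constructed for the demo.

```python
"""VRF segmentation plus zone-based firewall policy, modelled in Python.

Added example (not from the article or any vendor). VRF names, prefixes,
zones and zone-pair rules below are constructed for illustration.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Per-VRF routing tables: prefix -> egress zone. None means a null route (discard).
# Each VRF only carries its own prefixes, which is what keeps the domains apart.
ROUTES: Dict[str, Dict[IPv4Network, Optional[str]]] = {
    "CORP": {
        ip_network("10.10.0.0/16"): "dc",
        ip_network("0.0.0.0/0"): "internet",
    },
    "GUEST": {
        ip_network("10.0.0.0/8"): None,         # null-route private space from guests
        ip_network("0.0.0.0/0"): "internet",
    },
    "PCI": {
        ip_network("10.50.0.0/16"): "pci-dc",   # no default route: no internet from PCI
    },
}

# Zone-pair policy inside each VRF: (vrf, src_zone, dst_zone) -> permitted (proto, port).
# "any" / 0 are wildcards. A missing zone-pair is an implicit deny (the ZBFW default).
ZONE_PAIRS: Dict[Tuple[str, str, str], List[Tuple[str, int]]] = {
    ("GUEST", "guest", "internet"): [("tcp", 80), ("tcp", 443), ("udp", 53)],
    ("CORP", "users", "internet"): [("any", 0)],
    ("CORP", "users", "dc"): [("tcp", 443), ("tcp", 22)],
    ("PCI", "pos", "pci-dc"): [("tcp", 443)],
}


def lookup_zone(vrf: str, dst_ip: str) -> Tuple[bool, Optional[str]]:
    """Longest-prefix match in the VRF's own table. Returns (route_found, egress_zone)."""
    table = ROUTES.get(vrf, {})
    dst = ip_address(dst_ip)
    matches = [net for net in table if dst in net]
    if not matches:
        return False, None
    best = max(matches, key=lambda net: net.prefixlen)
    return True, table[best]


def evaluate(vrf: str, src_zone: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Decide a flow the way a VRF-aware zone-based firewall would: route first, then policy."""
    found, dst_zone = lookup_zone(vrf, dst_ip)
    if not found:
        return "deny", f"no route to {dst_ip} in VRF {vrf}"
    if dst_zone is None:
        return "deny", f"{dst_ip} is null-routed in VRF {vrf}"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic"
    rules = ZONE_PAIRS.get((vrf, src_zone, dst_zone))
    if rules is None:
        return "deny", f"no zone-pair {src_zone}->{dst_zone} in VRF {vrf}"
    for rule_proto, rule_port in rules:
        if rule_proto in ("any", proto) and rule_port in (0, dst_port):
            return "allow", f"zone-pair {src_zone}->{dst_zone} permits {proto}/{dst_port}"
    return "deny", f"zone-pair {src_zone}->{dst_zone} has no rule for {proto}/{dst_port}"


if __name__ == "__main__":
    # Constructed sample flows covering each decision branch.
    samples = [
        ("PCI", "pos", "10.50.2.3", "tcp", 443),
        ("PCI", "pos", "8.8.8.8", "tcp", 443),
        ("GUEST", "guest", "10.10.1.5", "tcp", 443),
        ("GUEST", "guest", "203.0.113.10", "tcp", 443),
        ("GUEST", "guest", "203.0.113.10", "tcp", 22),
        ("CORP", "users", "10.10.1.5", "udp", 161),
    ]
    for flow in samples:
        verdict, reason = evaluate(*flow)
        print(f"{verdict:5} {flow[0]:5} {flow[1]}->{flow[2]} {flow[3]}/{flow[4]}: {reason}")
```

Two details matter for defenders. The PCI VRF has no default route, so a point-of-sale host cannot reach the internet even if someone later adds a permissive zone pair; and the guest VRF null-routes RFC 1918 space, so guest traffic toward the corporate data center is discarded before any firewall rule is consulted. Routing-level isolation and zone policy are independent controls, and the model denies unless both agree.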
Another important security consideration is how to create a distributed security model. Traditional security models revolved around a few internet gateways that provided a well-understood security stack of hardware and capabilities, where all traffic inbound from and outbound to the internet could be properly inspected and protected. Applications offered as a service over the internet were limited in this model by the bottlenecks created by the centralized design.
Many applications could be reached directly from a local internet connection available at the remote sites, but this was not allowed by enterprise security policies. As policy was reviewed, managing a large number of internet egress points proved too complex, so many organizations shifted to a regional security model in which the centralized security stacks were expanded into regional hubs to provide the user experience required for internet-based applications.
Direct internet access is still available for common, repeatable use cases such as guest traffic. Since the traffic profile is well understood and common between locations, a comprehensive security policy can be developed to support it. SD-WAN provides tools such as content filtering and firewall features to secure guest traffic. The complex enterprise security requirements are enforced at the regional hubs, while the distributed security requirements (for use cases such as guest users) are enforced using the SD-WAN management tools.
Increasingly, SD-WAN design is a component of a broader cloud interconnection strategy. Regional performance hubs have emerged not only as a solution to the security scalability problem, but also as a solution for network interconnectivity. Regional performance hubs are usually based in special colocation facilities known as carrier neutral facilities, or CNF, because of the proximity to many service providers.
The CNF provides WAN connectivity aggregation of various service providers. This provides efficient connectivity to the underlay network that is a mix of service providers used to connect to the various locations. Additional connectivity is available from the CNF to many of the cloud service providers including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
The CNF provides a foundation for the modern multi-cloud strategy by solving many of the challenges created by distributed applications. Regional connectivity hubs help to manage the complexity of the network architecture by solving the key requirements of advanced security capabilities, providing the most efficient path between the user and the application and seamless connectivity between cloud providers, the private data centers and the internet.
Additional services can be provided in the regional performance hubs to support off-premise workload hubs for private compute and storage environments as well as a method for simplified data sovereignty and regulatory compliance.
SD-WAN has provided the foundation for network automation. Having a central management platform with API support creates the basis to treat the network infrastructure as software. Networks can be programmed using tools such as Ansible, whose playbooks can cover common networking tasks.
Automated deployment and configuration changes, as well as software updates, are giving the business more agility and allowing organizations to be more competitive by adapting to changes in the business landscape. Network infrastructure is evolving into an infrastructure as code (IaC) model thanks to the deep automation capabilities available from SD-WAN vendor offerings.
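As an added example, not code from the original article, from Ansible, or from any vendor's API, the Python below shows the infrastructure-as-code pattern the two paragraphs above describe, applied to the site-type templates mentioned under centralized management: desired state is rendered from a template plus per-site overrides, checked against guard rails that mirror the security points made earlier (direct internet access only with guest firewalling and content filtering, a PCI VRF only with a PCI zone policy), and then diffed against the device's current state so that a second run produces an empty plan. The site types, keys and values are constructed; where a real controller's REST API would be called, the example only applies the plan to an in-memory copy.

```python
"""Site-type templates rendered into desired state and diffed against current
state, so that repeated pushes are idempotent (infrastructure-as-code style).

Added example (not from the article, Ansible or any vendor API). Site types,
keys and values are constructed for the demo.
"""
import copy
from typing import Any, Dict, List, Optional, Tuple

Change = Tuple[str, Any, Any]   # (key, current value, desired value)

# Hypothetical templates keyed by site type (constructed for this example).
SITE_TEMPLATES: Dict[str, Dict[str, Any]] = {
    "small-branch": {
        "transports": ["broadband"],
        "vrfs": ["CORP", "GUEST"],
        "dia": True,                   # direct internet access for guest traffic
        "guest_firewall": True,
        "guest_content_filter": True,
        "pci_zone_policy": False,
    },
    "large-branch": {
        "transports": ["mpls", "broadband"],
        "vrfs": ["CORP", "GUEST", "PCI"],
        "dia": True,
        "guest_firewall": True,
        "guest_content_filter": True,
        "pci_zone_policy": True,
    },
}


def render_site(site_id: str, site_type: str,
                overrides: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Desired state = template for the site type + per-site overrides."""
    if site_type not in SITE_TEMPLATES:
        raise ValueError(f"unknown site type: {site_type}")
    desired = copy.deepcopy(SITE_TEMPLATES[site_type])
    desired.update({"site_id": site_id, "site_type": site_type})
    desired.update(overrides or {})
    return desired


def validate(desired: Dict[str, Any]) -> List[str]:
    """Guard rails run before any push; returns a list of violations (empty = ok)."""
    problems = []
    if desired.get("dia") and not (desired.get("guest_firewall")
                                   and desired.get("guest_content_filter")):
        problems.append("DIA enabled without guest firewall and content filtering")
    if "PCI" in desired.get("vrfs", []) and not desired.get("pci_zone_policy"):
        problems.append("PCI VRF present without a PCI zone policy")
    return problems


def plan_changes(current: Dict[str, Any], desired: Dict[str, Any]) -> List[Change]:
    """Keys whose value differs between the device's current state and desired state."""
    keys = sorted(set(current) | set(desired))
    return [(k, current.get(k), desired.get(k)) for k in keys
            if current.get(k) != desired.get(k)]


def apply_plan(current: Dict[str, Any], plan: List[Change]) -> Dict[str, Any]:
    """Simulate pushing the plan; a real run would call the controller's REST API here.
    A desired value of None means the key is absent from desired state and is removed."""
    new_state = copy.deepcopy(current)
    for key, _old, new in plan:
        if new is None:
            new_state.pop(key, None)
        else:
            new_state[key] = new
    return new_state


if __name__ == "__main__":
    desired = render_site("br-001", "small-branch")
    # Constructed "current" state as read back from a device that drifted from the template.
    current = {"site_id": "br-001", "site_type": "small-branch", "transports": ["broadband"],
               "vrfs": ["CORP"], "dia": True, "guest_firewall": False,
               "guest_content_filter": True, "pci_zone_policy": False}
    print("violations in current state:", validate(current))
    plan = plan_changes(current, desired)
    print("plan:", plan)
    current = apply_plan(current, plan)
    print("second run plan (should be empty):", plan_changes(current, desired))
```

The value of the pattern is in the two checks: `validate` refuses a site definition that would open direct internet access without the guest controls, and `plan_changes` returning an empty list on the second run is the idempotency property that makes an automated push safe to schedule and re-run. Drift detection comes for free, since any non-empty plan against an unchanged template means someone changed the device outside the pipeline.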
Automation capabilities will be a core feature for creating the next generation WAN. Network configuration will become automated and seamless, providing a new level of agility and simplification to the complexity of today’s WAN solutions.
It is important to remember that infrastructure exists to connect users and devices to applications. The edge of today’s networks includes a wide range of things, from user devices and endpoints to sensors and cameras. The core is no longer the only place applications reside. The network provides the primary transport between the edge and the applications.
The illustration below shows a high-level view of the components required for end-to-end connectivity. It is important to notice that SD-WAN is a key capability for connecting locations; however, other options exist and could be more viable depending on the requirements of the network.
The carrier neutral facility (CNF) is becoming the hub for today’s networks. CNFs provide a regional footprint for better performance and access to distributed applications while maintaining a manageable footprint of core devices and security management. It is easier to support enterprise security stacks in a few regional facilities instead of at every remote site.
The CNF also provides high-speed, low-latency connectivity to other regions, enabling multinational organizations to provide services efficiently. This could also help with regional hubs within the United States, so that local geographies have a superior user experience.
The diagram below shows a high-level reference design for what could be constructed in a CNF.
SD-WAN provides a solid foundation and many advanced features for the next generation WAN architecture. However, it is critical to evaluate the ability of the SD-WAN architecture to replace the existing infrastructure. The needs of the business must still be met by deploying an SD-WAN solution that can be integrated with your current enterprise architecture for a migration to succeed.
SD-WAN is the evolution of the WAN, not the replacement of the WAN. It does not mask issues that are present in the current WAN or correct poor network designs that have accumulated through many WAN evolutions over the decades.
Organizations can’t skip out on the time needed to plan, build and manage this new solution. Processes such as market research, training, pilot testing, migration strategy development and integration tasks are required when implementing SD-WAN architecture and supporting operations. Without comprehensive network planning and design, it will be extremely difficult to realize the benefits of an SD-WAN deployment.
How to get started
SD-WAN provides the foundation of the next generation WAN architecture and will be critical to a successful migration to cloud and beyond. However, there are three basic components to consider when selecting an SD-WAN solution: its ability to replace existing infrastructure, its functionality in addressing business requirements, and its ability to integrate with your current enterprise architecture. Additionally, it is important to consider the SD-WAN vendor’s ability to provide support, continue innovating and produce detailed documentation.
Over time, the next chapter of WAN architecture will focus less on "software defined" and more on automation and repeatability. The “cattle vs. pets” analogy often used in describing cloud services will be key to network services and physical infrastructure. Devices will be configured at scale and will be less dependent on the core knowledge of just a few individuals in the organization. More emphasis will be placed on how users are connected to applications and less on the plumbing that makes that possible.
It’s vital that organizations are able to sort through the noise and identify the actual solution capabilities, aside from what is advertised. Considering the changing requirements of the enterprise network and the rate of today’s innovation, we can see differences emerge between solutions. Focus on which capabilities are fully tested and in production, while also keeping an eye on future features.
WWT provides services like on-demand labs, proofs of concept, workshops and ideation around SD-WAN to help compare and contrast approaches from different vendors to help identify the right technology decision. Schedule a briefing to get started today.