What Can SD-WAN Do For You? | Key to the Black Box #3
Obvious disclaimers out of the way first: we’re going to be talking about SDWAN as an entire category of technology. Your exact mileage will vary depending on the actual SDWAN solution you end up integrating. As of the time of writing, there are some 25-30 different SDWAN solutions, each one focusing on a different aspect of SDWAN as its strength. Because of the nuances between solutions, there is a lot of value in a complete and proper evaluation of what you really want to get out of your SDWAN solution.
The most widely touted and easiest-to-discuss benefit of SDWAN is lowered cost. This benefit is geared toward organizations that currently consume Multi-Protocol Label Switching (MPLS) technology from their telecom service providers. The private nature of MPLS requires that all circuits be with the same carrier. Yet no carrier can deliver the strongest pricing in all markets in the US, let alone internationally. This conflict has led many organizations to simply accept a very high cost for private WAN services. With SDWAN, the provider’s on-premises terminating device creates IPsec VPN connections between locations and/or to a cloud gateway (which then connects to cloud services). This is all done over standard internet connections (either consumer or business grade, as appropriate to your needs), which can be extremely economical and flexible, so you can choose “best of breed” circuits at each of your locations rather than being forced to buy expensive circuits from one provider everywhere. In almost every case, an organization moving from MPLS to SDWAN can improve resiliency and bandwidth or reduce cost, and many can achieve both.
You might ask: what about additional latency, now that we’ve gone from private MPLS to encrypted VPN? To be fair, encryption does add a few milliseconds. However, SDWAN includes a couple of features that improve resiliency and application performance, and they tend to do so to a greater degree than what is lost to encryption. Going back to the core of SDWAN, we are able to virtualize high-end routers on low-cost hardware. This gives us the horsepower necessary to aggregate bandwidth across multiple networks. Some SDWAN solutions manage this via traditional load-balancing behavior, while others offer truer aggregation of bandwidth. In either case, we can combine two or more circuits from disparate underlying providers to build a high level of inherent fault tolerance into our network. SDWAN solutions poll each connection and determine the best path for your traffic based on real-time responses. SDWAN is also able to prioritize all traffic within its IPsec tunnels, the same as MPLS, and because you’re connecting through a cloud gateway, you can ensure that your most sensitive applications are first in line on both the upload and the download, unlike traditional internet services. In short, the active-active links and application-aware routing allow a dynamic level of responsiveness that quickly adjusts to combat latency.
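To make the “poll each connection and pick the best path per application” idea concrete, here is a small path selector written for this article; it is an added, constructed example, not code from any SDWAN vendor, and the link names, probe samples and SLA thresholds are all made up. Each underlay link is represented by its recent probe history (round-trip time in milliseconds, or None for a timeout). From that history we derive latency, jitter and loss, then choose, per application class, the lowest-latency link that meets the class SLA. A link whose probes all time out is treated as down, and when no live link meets the SLA the selector degrades onto the least-lossy link instead of blackholing traffic, which is the failover behavior the paragraph describes.

```python
"""
Toy SD-WAN path selector (constructed example, not from any product).

Each underlay link is probed periodically; a probe either returns a round-trip
time in milliseconds or None when it timed out. From the recent samples we
derive latency, jitter and loss per link, then pick a path per application
class against a per-class SLA, degrading gracefully when nothing qualifies.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

# Per-class SLA thresholds (constructed values for illustration only).
SLA: Dict[str, Dict[str, float]] = {
    "voice": {"max_latency_ms": 150.0, "max_jitter_ms": 30.0, "max_loss_pct": 1.0},
    "web":   {"max_latency_ms": 300.0, "max_jitter_ms": 50.0, "max_loss_pct": 5.0},
    "bulk":  {"max_latency_ms": 500.0, "max_jitter_ms": 100.0, "max_loss_pct": 15.0},
}


@dataclass(frozen=True)
class LinkStats:
    name: str
    latency_ms: float   # mean RTT of the probes that were answered
    jitter_ms: float    # RTT variation, approximated as population std dev
    loss_pct: float     # share of probes that timed out
    up: bool            # False when too few probes succeeded to trust the link


@dataclass(frozen=True)
class Decision:
    link: Optional[str]   # chosen underlay, or None when every link is down
    meets_sla: bool       # False when we had to fall back to degraded mode


def summarize(name: str, probes: Sequence[Optional[float]], min_samples: int = 3) -> LinkStats:
    """Turn raw probe samples (RTT in ms, None = timeout) into link statistics."""
    rtts = [r for r in probes if r is not None]
    loss_pct = 100.0 * (len(probes) - len(rtts)) / len(probes) if probes else 100.0
    if len(rtts) < min_samples:
        # Not enough answers to measure the link at all: treat it as down.
        return LinkStats(name, float("inf"), float("inf"), loss_pct, up=False)
    return LinkStats(name, mean(rtts), pstdev(rtts), loss_pct, up=True)


def meets_sla(stats: LinkStats, sla: Dict[str, float]) -> bool:
    """A link qualifies only if it is up and inside every SLA threshold."""
    return (stats.up
            and stats.latency_ms <= sla["max_latency_ms"]
            and stats.jitter_ms <= sla["max_jitter_ms"]
            and stats.loss_pct <= sla["max_loss_pct"])


def select_path(links: List[LinkStats], app_class: str) -> Decision:
    """Pick the lowest-latency link meeting the class SLA; otherwise degrade."""
    sla = SLA[app_class]
    live = [l for l in links if l.up]
    if not live:
        return Decision(None, False)          # nothing left to forward over
    compliant = [l for l in live if meets_sla(l, sla)]
    if compliant:
        return Decision(min(compliant, key=lambda l: l.latency_ms).name, True)
    # Degraded mode: keep traffic flowing on the least-lossy live link.
    return Decision(min(live, key=lambda l: (l.loss_pct, l.latency_ms)).name, False)


# Constructed probe history for three underlays at one branch.
FIBER_PROBES = [20.0, 21.0, 20.0, 22.0, 20.0, 21.0, 20.0, 21.0, 20.0, 20.0]
CABLE_PROBES = [10.0, 11.0, 10.0, None, 12.0, 10.0, 25.0, 10.0, 11.0, 10.0]  # 10% loss
LTE_PROBES: List[Optional[float]] = [None] * 10                               # every probe timed out

LINKS = [summarize("fiber", FIBER_PROBES),
         summarize("cable", CABLE_PROBES),
         summarize("lte", LTE_PROBES)]

if __name__ == "__main__":
    for cls in SLA:
        d = select_path(LINKS, cls)
        print(f"{cls:>5}: {d.link} (meets SLA: {d.meets_sla})")
    # Lose the fiber circuit: voice degrades onto cable rather than failing.
    print("voice without fiber:", select_path([l for l in LINKS if l.name != "fiber"], "voice"))
```

With these samples, voice and web land on the fiber link (the cable link is faster but its 10% loss breaks their SLA), bulk transfers use the lower-latency cable link, and the LTE link is ignored because it never answered. Real products replace the hard thresholds with weighted scoring, add hysteresis so flows do not flap between links on every probe, and steer per flow rather than per class, but the core loop is the same: measure continuously, compare against the application’s needs, move traffic.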
Let’s turn our attention to the idea of a cloud gateway for a moment. You will quickly notice that not every SDWAN solution includes a cloud gateway. Meraki, Ecessa, and Barracuda are a few examples of “premise-based” or site-to-site SDWAN solutions. They still offer the same single pane of glass to orchestrate all devices, and it is accessible from the cloud, but that’s just an administration portal. Other solutions, such as VeloCloud, Cato, and Versa, all offer a node on the network defined as the cloud gateway, which acts as the hub of your SDWAN network. On one hand, a cloud gateway allows virtualized access to each and every data center that the SDWAN provider partners with, allowing Layer 2 connectivity with other cloud services hosted inside those same data centers. On the other hand, the cloud gateway can also act as the ingress/egress point for connectivity to public cloud services. Cloud gateways can even present your IP addresses to the world regardless of which physical circuit is actually handling the traffic, allowing you to have seamless inbound traffic failover – not only within a single location, but even between locations! This direct and secure connection allows for a seamless extension of the WAN to multiple clouds, both private and public. That, in turn, allows for real-time performance management for cloud apps like MS Office 365 and Salesforce, as well as optimization of workflows for cloud infrastructure environments like AWS and Azure.
At a general level, SDWAN also reinforces network security. As already described, SDWAN offers application-specific policies with end-to-end, real-time access control. With this as a strong foundation for monitoring and management, integrating threat detection and response becomes far more effective. Some SDWAN solutions, like VeloCloud, allow integration of virtualized next-generation firewalls and UTM. Others, such as Cato Networks, are built around cloud-based firewalls. Others still, like Meraki and Barracuda, grew out of security appliances as those products began their evolution to the cloud. Regardless of which form it takes, SDWAN is well positioned to enable a distributed yet unified approach to security across multiple branch locations.
Lastly, as touched on briefly before, the most tangible benefit of SDWAN is cloud-accessible orchestration. All SDWAN solutions offer a single, centralized, cloud-delivered management dashboard for configuration and reporting of WAN activity. With template-based “zero-touch” provisioning for all locations, whether branch, campus, or cloud, operations are simplified by orders of magnitude, not margins. Detailed reporting of application and WAN performance is combined with a degree of business analytics, allowing SDWAN solutions to shape routing and adjust policies based on typical network behavior. This enables capabilities such as bandwidth forecasting, which allows optimal use of “on-demand” bandwidth services, which in turn leads to an even lower overall cost.
As mentioned at the start, no single SDWAN solution delivers all of these features. There are, however, numerous solutions that do some or even most of this extremely well. Some of the smallest technical variances between solutions can result in some of the most impactful changes to your network performance, so it is always essential to have a clear spec, either by designing it yourself (see our article on Controlling your Procurement Outcomes) or by leveraging an expert resource, such as the Comtel Group, that can lead you through an SDWAN evaluation.