SD-WAN Use Cases
SD-WAN technology typically creates a transport-agnostic virtual overlay. This is achieved by abstracting underlying public or private WAN connections, such as Internet broadband, fiber, long-term evolution (LTE), wireless, or multiprotocol label switching (MPLS). An SD-WAN overlay helps organizations to continue using their own existing WAN links. SD-WAN technology centralizes control of the network, reducing costs and providing real-time application traffic management over existing links.
The most common SD-WAN use cases fall into the following categories:
- Geographic expansion—when a company expands into a new geographical region, or executes a merger or acquisition, it can use the existing network services at the new location, leveraging SD-WAN to manage new and old locations using one unified policy and control interface.
- Making better use of WAN capacity—using a dual connectivity strategy combining public and private network services. SD-WAN can use public Internet services to offload some private network traffic, reserving private network capacity for applications that are business critical or need low latency.
- Improving WAN resilience—creating a hybrid network environment with multiple network connections to the same site, operating in an active/active configuration. Under normal circumstances, traffic can be balanced between services, but if one connection is lost, traffic can fail over to another service.
- Cloud migration—enabling digital transformation, by migrating various applications to the cloud. SD-WAN supports application-based routing, so each application can use the wide area service that best suits its needs, whether it is deployed in the cloud or on-premises.
SD-WAN Architecture and Components
SD-WAN uses an abstracted network architecture composed of two separate parts:
- A control plane—operated from a central location, meaning that IT staff can manage WAN resources remotely without being on-premises
- A forwarding plane—manages traffic flows, dynamically configuring network resources according to policies set by the control plane
An SD-WAN architecture consists of the following components:
- Edge—this consists of network equipment deployed in the cloud, in on-premises data centers, or in branch offices.
- Controller—provides centralized management and enables operators to visualize and monitor the network and set policies.
- Orchestrator—a virtualized network administration component, which monitors traffic and enforces policies and protocols as defined by the controller.
SD-WAN implementations leverage a wide range of technologies, including:
A centralized controller that manages SD-WAN deployments. The controller enforces security and routing policies, as well as monitors the virtual overlay, any software updates, and provides reports and alerts.
Software-defined networking (SDN)
Enables key components in the architecture, including the virtual overlay, the centralized controller, and link abstraction.
Wide area network (WAN)
Responsible for connecting geographically separated facilities or multiple LANs, using either wireless or wired connections.
Virtual network functions (VNFs)
First-party or third-party network functions, such as caching tasks and firewalls. VNFs are typically used for the purpose of reducing the amount of physical appliances or to increase flexibility and interoperability.
SD-WAN technology can leverage multiple bandwidth connections and assign traffic to any specific link. This provides users with more control and enables cost savings, by moving traffic from traditional costly MPLS lines to low cost commodity bandwidth connections.
SD-WAN technology can improve existing last-mile connections through the use of more than one transport link or by simultaneously using multiple links.
SD-WAN Best Practices
Use Public Internet Selectively
SD-WAN can use public Internet connections for all middle mile transmissions, and while this can be extremely cost effective, it is not advised. There is no way to know which links traffic will go through, raising security and performance concerns.
Whenever possible, especially for sensitive or mission critical communication, prefer to transmit SD-WAN traffic over private networks. Some SD-WAN providers let you use their own secure global network. Reserve public Internet capacity for non-critical and non-sensitive workloads, or failover scenarios when the private network is down.
Communicate the Deployment Process to Stakeholders
When embarking on an SD-WAN project, educate stakeholders about the deployment process and explain that SD-WAN is an addition to existing network infrastructure. Executives should not view SD-WAN as a simple drop-in replacement for traditional network technology.
Make it clear that you need to keep the existing technology and integrate it with new SD-WAN investments. A better understanding of the technical background and deployment methods will give you better leadership support.
Test the SD-WAN Service
SD-WAN solutions may offer automation and zero touch deployment, but you need to verify that it works as expected. Testing is often overlooked, but it is a critical part of an SD-WAN project. Ensure you test extensively before, during, and after implementation. A typical SD-WAN project involves testing over 3-6 months, focusing on quality of service (QoS), scalability, availability and failover, and reliability of management tools.
SD-WAN Security and SASE
The SD-WAN model operates using a distributed network fabric, which typically does not include the security and access controls needed to protect enterprise networks in the cloud.
To address this problem, Gartner proposed a new network security model called secure access service edge (SASE). SASE combines WAN functionality with security features such as:
- Firewall as a Service (FWaaS)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Zero trust network access (ZTNA)
The combination of these security capabilities, built for a cloud environment, makes it possible to ensure SD-WAN networks are secure.
SASE solutions provide mobile users and branch offices with secure connectivity and consistent security. They provide a centralized view of the entire network, allowing administrators and security teams to identify users, devices and endpoints across a globally-distributed SD-WAN, enforce access and security policies, and provide consistent security capabilities across multiple geographical locations and multiple cloud providers.