All Tech Talks VeloCloud Spring 2020

A Brave New WAN; An SD-WAN

If you’re involved in enterprise networking in any way, you’ve assuredly heard of SD-WAN (Software-Defined Wide Area Network). The term has been in use since at least 2014, which in IT years is a lifetime ago. Still, most of us have not yet actually deployed an enterprise-wide production SD-WAN solution. And many of us have doubts, questions, or blind spots when it comes to the evolution of the modern WAN, which is now well underway.

This post aims to help address your curiosity about SD-WAN and to describe how best to update and upgrade your own WAN. We’ll start with a quick history of the traditional (fast-becoming “legacy”) enterprise WAN architecture and why change is needed. Then we’ll dive into a few of the technical SD-WAN use cases, as well as some of the ways that SD-WAN may be able to address your most pressing enterprise networking (and security) challenges. Finally, we’ll zoom out a bit further, looking toward the horizon in an attempt to see what’s coming next for enterprise networking and cybersecurity in the WAN, branch, cloud, edge, and everywhere in-between.

Traditional Enterprise WAN Architecture

Once upon a time, company networks were small and self-contained. You put all your people in a building, stuffed all your servers in a closet, wired everything up on a LAN, and locked the doors when you went home for the night. But we soon outgrew this. Maybe you realized that the factory should connect to those same servers. Or, maybe you needed your remote sales offices or other branches/retail locations to work off of those same systems. Maybe you decided that you could no longer allow your corporate website to go off-line every time the local power or Internet went out at headquarters. Whatever the specific driver, almost all of us have since decided that we simply must extend our corporate network out of a single building. And thus, the enterprise WAN was born.

First, We Built the WAN

So our servers escaped that closet and moved to a data center, either one we owned or one where we leased colocation space. Our communication needs escaped the building as well, stretching out to data centers, production facilities, branch offices, retail locations, etc. Because all of our enterprise software lived on servers at the data center (DC) and the DC had plenty of clean power, high-bandwidth connectivity, and robust cooling, we tended to centralize our network and security gear there as well.

This was the birth of the traditional hub-and-spoke enterprise WAN. It just made the most sense to connect all of our various locations back to the spot with all of our IT resources. While we needed this WAN to be both private and reliable, for most of us it didn’t make sense to build our own physical network. That’s where MPLS services came into the picture. And for a while, these carrier-managed virtual private networks (VPNs) served us well.

Along Came the Cloud

In 2006 Amazon Web Services (AWS) brought us their Elastic Compute Cloud (EC2). But long before that, back in 1999, we were introduced to SaaS by Salesforce. Why is this important to our tale of the enterprise WAN? Well these, and all of the various XaaS (Anything as a Service) “cloud” offerings that have come since, have drastically changed the connectivity requirements placed on our corporate networks. When key applications that serve your business or your customers migrate from physical servers housed in a DC to virtual clouds accessible primarily over the Internet, you have to re-think that old hub-and-spoke MPLS VPN that backhauls all of your traffic to a central location before it can get out on the public Internet, and ultimately to the cloud.

Don’t Forget Digital Disruption

At the same time that we were busy taking advantage of an ever-increasing number of Internet-accessible as-a-service offerings, digital disruption started fundamentally changing the way we do business. Since this is a post about the evolution of the enterprise WAN and not about software development, digitalization, or social media…let’s just say that the demands on our networks have grown as a result. The businesses we support as IT professionals are now completely dependent on fast, reliable, secure, and scalable network communications. Even more than that, digital disruption means that basic connectivity is not enough. Forget red light / green light; welcome to the era of application performance.

Security Gets Serious

Over the same couple of decades that cloud services and Internet connectivity have been woven into the fabric of our organizations, cybersecurity has been thrust front and center. I won’t debate here the causation or correlation of these trends, but I will point out that the security of our digital assets grows in importance every year. Look at the increasing level of government regulation, the growth of end-user privacy concerns, the exploding number and effect of attacks, and the overall level of awareness surrounding cybersecurity. Strong security measures must be built into every aspect of our IT infrastructure, and that includes the WAN.

And Then We Got Remote

A final trend worth noting is the growing popularity of remote work and distributed workforces which place an additional strain on the traditional WAN. But we’re starting to get ahead of ourselves. So, let’s shift from the old way to the new way. A brave new WAN: An SD-WAN.

SD-WAN Use Cases

In this section I’m going to focus on the technical use cases rather than business case studies. The technical aspects of SD-WAN can help you understand where the business benefits come from as well. Here we’ll briefly explore a few of the top ways that an SD-WAN will help you address the challenges mentioned above and the demands being placed on the modern enterprise WAN.

But before we do that, we need to understand just what is meant by this term, SD-WAN.

SD-Huh?

Unlike MPLS, BGP, VPLS or EVPN, SD-WAN does not describe a specific protocol. Like “VPN”, the term SD-WAN describes a concept, or more accurately in this case a methodology. Essentially, we are talking about applying the key tenets of Software-Defined Networking (SDN) to the enterprise WAN. Modern SDN is generally defined by two things: the separation and centralization of management and control away from distributed forwarding (a control plane decoupled from the data plane), and the abstraction of network and security functions from physical equipment through virtualization.

Still confused? That’s okay. Let’s look at some use cases to further define what SD-WAN is, and why you probably need it, now. While we are discussing SD-WAN fairly generally here, it is worth remembering that not all SD-WAN products and services are created equal. With somewhere around 60 vendors currently claiming to offer SD-WAN, it is important to get past the moniker and look at the actual features offered, the track record of performance, and the vision and leadership provided. As you can tell from many of the links in this post, and as we’ll discuss more in depth in a future post, VMware SD-WAN by VeloCloud has both the ability to execute and the completeness of vision, along with the innovation needed to make your SD-WAN deployment successful.

Making it Easy

Ease of use is one of the key reasons to deploy SD-WAN. Centralized provisioning and management of your entire enterprise WAN removes the need to manually configure devices box-by-box and allows you to uniformly apply policy to all locations, branch or otherwise. This matters more than ever, because we are continually asked to do more with less while digital disruption makes our work more critical. The inherent automation and agility of an SD-WAN solution allow us to address these needs, speed time to market, and lower our operating expenses.

Saving That Money

In addition to the lower OPEX required to manage and maintain an SD-WAN, there is another potential cost-saver. By continuously measuring each circuit (latency, jitter, loss) and steering traffic around degraded paths, SD-WAN can deliver reliable service over traditionally unreliable broadband Internet circuits. This means that businesses aren’t locked into using MPLS to ensure guaranteed connectivity. Offering choice in circuit types allows organizations to pick the cost model that works best for them. In many cases, a pair of broadband Internet connections, or even a broadband connection coupled with LTE (or soon, 5G) access, can provide the same or better quality of experience as a dedicated MPLS circuit at a much-reduced price.

These savings are easiest to realize when SD-WAN is deployed as your existing network service provider (NSP) or other managed service provider (MSP) contracts come up for renewal, and/or when it’s time to refresh your existing branch office routing and security equipment. Another critical factor for cost savings with SD-WAN is found when dealing with the increased bandwidth requirements at branch locations as we move more and more critical applications to the cloud. High-bandwidth Internet circuits are much cheaper than comparable MPLS circuits.

Connecting the Cloud

Speaking of the cloud, support for cloud workloads is another key SD-WAN use case. As we discussed above, the increasing use of cloud, hybrid-cloud, and multi-cloud services is rendering that traditional hub-and-spoke enterprise WAN architecture obsolete. We need the flexibility to securely connect to SaaS, IaaS, and any number of other XaaS offerings without inefficiently backhauling (and often hair-pinning) that traffic through a central, or even regional, data center.

What’s more, traditional physical circuits are typically not an option for connectivity to cloud applications accessible over the Internet. Many SD-WAN providers offer an alternative in dedicated cloud gateways or virtual appliances (hosted in the cloud) that provide encrypted tunnels directly into your cloud environments.

Applications are King

When discussing workloads, whether hosted in a public or private cloud (or even a more traditional data center environment), it pays to remember that “software is eating the world”, which effectively means that applications are king. Simple connectivity is not enough in this digitally disrupted world of eCommerce, applications, enterprise resource planning (ERP) tools, and the like. To ensure the required level of quality of experience (QoE) you need visibility into, and control over, application performance. And where better to manage that than right in your network?

SD-WAN provides application-aware routing, giving you the ability to steer critical latency-sensitive applications over your highest-quality links, file transfers and other bulk data operations over your highest-bandwidth links, and cat videos over the cheapest or least reliable path. Beyond application steering, features such as forward error correction (FEC) and other application-performance mechanisms are available as well. Beyond just control, modern SD-WAN platforms provide deep application-level analytics (visibility), so that you’re always in the know and can remediate issues before you get that dreaded 3 AM support call.
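The steering logic described above, as an added illustration for this post (not VMware/VeloCloud code, and not a reproduction of any vendor’s algorithm): each class of application gets its own brownout thresholds and its own notion of “best” link, and a link that breaches the thresholds for a class is not used for that class at all. This also covers the point made earlier about making broadband circuits reliable: the same per-circuit measurements drive both the everyday choice and the failover. The link measurements, application classes and thresholds are constructed assumptions.

```python
"""Application-aware path selection over measured WAN links.

Added example for this post; it is not VMware/VeloCloud code and does not
reproduce any vendor's algorithm. The link measurements, application classes
and thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class LinkStats:
    """Current probe results for one WAN circuit (constructed values)."""
    name: str
    latency_ms: float      # round-trip time measured by overlay probes
    jitter_ms: float       # RTT variation
    loss_pct: float        # packet loss over the last measurement window
    bandwidth_mbps: float  # usable capacity
    cost_per_gb: float     # relative cost, used only for best-effort steering


# Per-class brownout thresholds: a link that breaches any of these is not
# used for that class at all. Numbers are assumptions, not vendor defaults.
APP_CLASSES = {
    "realtime":      {"latency_ms": 150,  "jitter_ms": 30,   "loss_pct": 1.0},
    "transactional": {"latency_ms": 250,  "jitter_ms": 80,   "loss_pct": 2.0},
    "bulk":          {"latency_ms": 1000, "jitter_ms": 1000, "loss_pct": 5.0},
    "best_effort":   {"latency_ms": 1000, "jitter_ms": 1000, "loss_pct": 10.0},
}


def usable(link: LinkStats, app_class: str) -> bool:
    """True unless the link is in brownout for this application class."""
    t = APP_CLASSES[app_class]
    return (link.latency_ms <= t["latency_ms"]
            and link.jitter_ms <= t["jitter_ms"]
            and link.loss_pct <= t["loss_pct"])


def score(link: LinkStats, app_class: str) -> float:
    """Lower is better. Real-time traffic is scored on quality, bulk on
    bandwidth and best-effort on cost, mirroring the steering intent."""
    if app_class == "realtime":
        return link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct
    if app_class == "transactional":
        return link.latency_ms + link.jitter_ms + 20 * link.loss_pct
    if app_class == "bulk":
        return -link.bandwidth_mbps   # highest bandwidth wins
    return link.cost_per_gb           # cheapest link wins


def select_path(links, app_class: str):
    """Name of the best usable link, or None when every link is in brownout
    for this class. Returning None is deliberate: the caller should then
    duplicate packets across links or enable FEC rather than silently
    steering a real-time session onto a link it already knows is bad."""
    candidates = [lk for lk in links if usable(lk, app_class)]
    if not candidates:
        return None
    return min(candidates, key=lambda lk: score(lk, app_class)).name


def steer_all(links):
    """Chosen link per application class for one measurement interval."""
    return {cls: select_path(links, cls) for cls in APP_CLASSES}


# Constructed measurements: MPLS is clean but small and expensive, broadband
# is large and cheap but slightly lossy, LTE is a jittery backup.
LINKS = [
    LinkStats("mpls",      latency_ms=40, jitter_ms=2,  loss_pct=0.0, bandwidth_mbps=20,  cost_per_gb=1.0),
    LinkStats("broadband", latency_ms=25, jitter_ms=8,  loss_pct=0.3, bandwidth_mbps=500, cost_per_gb=0.1),
    LinkStats("lte",       latency_ms=90, jitter_ms=45, loss_pct=1.5, bandwidth_mbps=50,  cost_per_gb=0.5),
]

if __name__ == "__main__":
    for app_class, path in steer_all(LINKS).items():
        print(f"{app_class:14s} -> {path}")
```

With the constructed numbers, real-time traffic lands on MPLS, everything else on broadband; if the MPLS loss figure spikes, real-time sessions move to broadband on the next interval, and if every link is in brownout for a class the function refuses to pick rather than choosing the least-bad one. In a real deployment the measurement window, thresholds and the decision to duplicate or FEC-protect packets on the None path are the settings worth reviewing, because they decide how much damage a degraded circuit can do before the overlay reacts.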

Networking and Security

You knew it was coming. Cybersecurity is (finally) no longer an option. It simply must be built into all of our IT infrastructure, including that most foundational layer, the network. By merging security and networking, SD-WAN provides many benefits in this area. And it couldn’t have come at a better time. As we distribute Internet access out to the edges of our network to meet the demands of cloud computing, we are also dissolving the single perimeter that the hub-and-spoke design gave us: every branch with local Internet breakout becomes an Internet-facing edge that needs its own enforcement.

Luckily for us, the centralized management and network function virtualization (NFV) aspects of SD-WAN allow us to address this growing challenge head-on. A software-defined controller allows us to embed business intent directly into the network through easy and consistent policy enforcement. This allows us to meet new application performance requirements and it also enables us to meet increased security demands.

Likewise, virtualized security functions can be pushed right out to the edge, whether that is typical Next-Generation Firewall (NGFW) features or additional functionality like cloud access security broker (CASB) and user behavior analytics (UBA). SD-WAN also increases our data privacy by sending WAN traffic between edges and gateways over encrypted tunnels. Two caveats a practitioner will want to keep in mind: traffic that breaks out locally to the Internet leaves the overlay, so it is only as protected as its own application-layer encryption; and the orchestrator that pushes policy to every edge becomes a high-value target that needs the same hardening, least-privilege administration and audit logging as any other central control system. With those covered, high-fives all around.
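One way to check the first caveat, as an added example for this post (not vendor code, and the key=value log format is not any product’s schema): given the prefixes that are reached through encrypted tunnels, classify each flow record as overlay-encrypted, local breakout on a protocol that encrypts itself, or local breakout on a cleartext protocol. The overlay prefixes and flow records are constructed.

```python
"""Audit which WAN flows are actually covered by the SD-WAN overlay encryption.

Added example for this post; it is not vendor code and the log format is not
any product's schema. Overlay prefixes and flow records are constructed.
The point it makes: tunnels encrypt edge-to-edge and edge-to-gateway traffic,
but anything that breaks out locally to the Internet is only as protected as
its own application-layer encryption.
"""
import ipaddress
from collections import Counter

# Constructed overlay: destination prefixes reached through encrypted tunnels.
OVERLAY_PREFIXES = [
    ipaddress.ip_network("10.10.0.0/16"),    # data centre hub
    ipaddress.ip_network("10.20.0.0/16"),    # another branch (spoke-to-spoke)
    ipaddress.ip_network("172.16.8.0/24"),   # IaaS VPC behind a cloud gateway
]

# Destination ports for protocols that carry no encryption of their own.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 389: "ldap", 3306: "mysql"}

# Constructed flow records from branch 10.30.0.0/16 (key=value, one per line).
SAMPLE_FLOWS = """\
ts=2020-04-01T10:00:01Z src=10.30.1.15 dst=10.10.5.8 dport=445 proto=tcp
ts=2020-04-01T10:00:02Z src=10.30.1.15 dst=172.16.8.20 dport=5432 proto=tcp
ts=2020-04-01T10:00:03Z src=10.30.1.31 dst=203.0.113.10 dport=443 proto=tcp
ts=2020-04-01T10:00:04Z src=10.30.1.31 dst=198.51.100.7 dport=80 proto=tcp
ts=2020-04-01T10:00:05Z src=10.30.1.44 dst=198.51.100.9 dport=389 proto=tcp
"""


def parse_flow(line: str) -> dict:
    """Parse one key=value record into a dict with an integer dport."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def in_overlay(ip: str) -> bool:
    """True when the destination is reached through an encrypted tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OVERLAY_PREFIXES)


def classify_flow(flow: dict) -> str:
    """'tunnel'        : carried inside the overlay, encrypted on the WAN
       'dia-app-layer' : local breakout; protection depends on the app (TLS etc.)
       'dia-cleartext' : local breakout on a protocol with no encryption at all"""
    if in_overlay(flow["dst"]):
        return "tunnel"
    if flow["dport"] in CLEARTEXT_PORTS:
        return "dia-cleartext"
    return "dia-app-layer"


def audit(text: str = SAMPLE_FLOWS):
    """Returns (counts per category, list of exposed cleartext breakout flows)."""
    flows = [parse_flow(ln) for ln in text.splitlines() if ln.strip()]
    counts = Counter(classify_flow(f) for f in flows)
    exposed = [(f["src"], f["dst"], CLEARTEXT_PORTS[f["dport"]])
               for f in flows if classify_flow(f) == "dia-cleartext"]
    return dict(counts), exposed


if __name__ == "__main__":
    counts, exposed = audit()
    print(counts)
    for src, dst, proto in exposed:
        print(f"cleartext {proto} from {src} to {dst} left the overlay unprotected")
```

On the constructed records the two flows to the hub and the VPC are tunnel-protected, the HTTPS flow relies on TLS, and the HTTP and LDAP flows leave the branch in the clear. Note that a port-based check is an approximation: port 443 does not guarantee TLS and a cleartext protocol inside the tunnel is still cleartext on the LAN at both ends, so the overlay is a transport control, not a substitute for encrypting the application.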

The Future WAN

We’re not quite done yet. The SD-WAN market is still maturing and growing, and there are some exciting features, functionality, and benefits just around the corner. Some of these capabilities are already showing up in top vendors’ SD-WAN products. As William Gibson once wrote, “the future is here, it’s just not evenly distributed”. In any case, let’s close out this post with a quick look towards the future of SD-WAN.

Virtualize all the Things

As we saw above, virtualization and NFV are already a big part of SD-WAN. Virtual SD-WAN appliances in the cloud and virtual security functions on the CPE are two examples we’re familiar with. But what if we extrapolated that out into other functions? What if you could combine your WAN, your LAN, and your WLAN into a single, centrally managed, automated, agile, and scalable platform? This path promises to evolve SD-WAN into a truly cloud-integrated network in the not so distant future.

Zero-Trust

You may already be familiar with the concept of zero-trust security, or even software-defined perimeter (SDP). If not, go look them up! As SD-WAN providers continue to optimize their technologies and platforms for an increasing number of fully-distributed enterprises with dozens, hundreds, or even thousands of remote workers, it makes sense to start building in identity-based and context-based (device, location) access controls, so that trust is no longer implied simply by being on the network. This will ensure that your employees, partners, and customers only have access to the applications and data that they are supposed to have.

Leveraging AI/ML

The future of any technology, even SD-WAN, must include some form of discussion about artificial intelligence (AI) and machine learning (ML). Once you have a centralized management plane providing full visibility and control of your enterprise-wide network, why wouldn’t you start putting smart algorithms, or true machine learning, to work analyzing all the data and either making intelligent recommendations or automatically remediating issues as they appear, before users have a chance to notice? You would. Of course you would.

About the author

Chris Grundemann

Chris Grundemann is a passionate, creative technologist and a strong believer in technology’s power to aid in the betterment of humankind. In his current role as VP, Strategy at Myriad360 he is expressing that passion by helping clients build bigger, faster, more efficient technology infrastructure that is both more secure and easier to operate and scale. Chris has well over a decade of experience as both a network engineer and solution architect designing, building, securing, and operating large IP, Ethernet, and Wireless Ethernet networks.

1 Comment

  • Excellent article, particularly as it traces the evolution of the need for networking. “… the increasing use of cloud, hybrid-cloud, and multi-cloud services is rendering that traditional hub-and-spoke enterprise WAN architecture obsolete.”
