technology | networking - David Chapman
SD-WAN: What It Is and How It Works
Software-defined Wide Area Network (SD-WAN) is a hot topic for companies who are embracing cloud technology. It helps manage cloud architecture and controller deployment, among other things. SD-WAN is also a useful tool for corporations that do not have cloud deployments but still want to utilize cheaper internet circuits to phase out more costly MPLS circuits.
Building a wide area network (WAN) can be complicated, rigid, and difficult to maintain. Often an enterprise WAN is more of a hub and spoke with the branches connecting to 1-2 data centers as the hub for their traffic. SD-WAN promises to overcome these limitations, but it also comes with its own challenges.
SD-WAN technology transforms rigidly configured WANs into an agile, software-defined edge topology. This involves a slightly different way of treating remote branch offices and remote locations. Some confusion still exists about what SD-WAN is and how it works. Let's take a look at SD-WAN and some examples of how it's used.
How Does SD-WAN Work?
Keeping your employees connected can be difficult, especially if they're working remotely. SD-WAN helps manage all of this. As with any networking topology, there is a control plane and a data plane. The control plane is where configuration and commands are issued, and in SD-WAN it lives in the SD-WAN controllers. On a traditional router, the control plane usually sits on the same device as the data plane, although its processes may be segmented from it.
The data plane is the actual traffic movement, which happens on the edge routers or SD-WAN routers. Policies are pushed to the routers that dictate how they should handle traffic and where to route it.
SD-WAN detangles the control and data planes. Because management and provisioning happen centrally, less processing is needed on the data planes. With that, specialized SD-WAN routers typically replace the traditional edge routers at each location.
The job of the controller is to manage the control plane. This entails provisioning and configuration. The SD-WAN edge routers just do what they are told from the control plane/controller. Many SD-WAN solutions allow for templatization to help ease administration.
Through the controllers, you can configure policies on what to do with traffic. Perhaps each site has an MPLS link, but you want a backup VPN tunnel from each site to each other site (full mesh). This can be achieved by setting the appropriate policies. You may dedicate MPLS links for mission-critical apps that need lower latency and push other traffic through the VPN. Or you may decide to combine the links for redundancy and throughput.
Due to the controllers' importance, you will want to ensure that they are highly available so you can make changes and push them out. Organizations that do not have multiple data centers many times opt to put these controllers in diverse regions in public clouds like Azure or AWS. Other organizations with existing data centers that are geographically diverse may opt to utilize existing infrastructure to host them.
The SD-WAN routers are placed at the branch location's edge to route any traffic leaving the facility onto its appropriate path. Where SD-WAN is extremely useful in terms of automation is when you need to achieve something like a full mesh VPN, where each site connects to every other site.
This is a very tedious and error-prone process to configure manually, and it becomes exponentially more time consuming with each site brought on. SD-WAN can completely automate that. In less extreme cases, branch sites may need only a VPN tunnel to a data center. Templating can provision this automatically upon deployment of a new edge.
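To make the scaling point concrete, here is an added example (not code from the article or from any SD-WAN product) of what a controller does when it "completely automates" the tunnel build: it derives the tunnel list for a full mesh or a hub-and-spoke design from a site inventory and renders a per-edge configuration from a template. The site names, addresses and the line format of the rendered config are constructed for illustration.

```python
"""Added example: derive every VPN tunnel for a full mesh or a hub-and-spoke
WAN from a site list, then render each edge's configuration from a template.
Site names, WAN addresses and the config line format are constructed."""
from itertools import combinations
from string import Template

# Constructed sample inventory: site name -> public WAN address of its edge.
SITES = {
    "dc1": "203.0.113.1",
    "branch-a": "198.51.100.10",
    "branch-b": "198.51.100.20",
    "branch-c": "198.51.100.30",
}


def full_mesh_tunnels(sites):
    """Every unordered site pair: n sites need n*(n-1)/2 tunnels, so each
    new site adds (n-1) tunnels that would all be hand-built otherwise."""
    return sorted(combinations(sorted(sites), 2))


def hub_spoke_tunnels(sites, hub):
    """One tunnel from each branch to the hub (the data center)."""
    return [(site, hub) for site in sorted(sites) if site != hub]


def peers_of(site, tunnels):
    """The peers a given edge must build tunnels to, read off the tunnel list."""
    return sorted(b if a == site else a for a, b in tunnels if site in (a, b))


# Templates the controller fills in per edge (constructed syntax, not a vendor's).
EDGE_TEMPLATE = Template("hostname $site\n$tunnels")
TUNNEL_TEMPLATE = Template("tunnel $index peer $peer address $addr encryption on\n")


def render_edge_config(site, tunnels, sites):
    """Render one edge's config: one tunnel stanza per peer, encryption always on."""
    stanzas = "".join(
        TUNNEL_TEMPLATE.substitute(index=i, peer=peer, addr=sites[peer])
        for i, peer in enumerate(peers_of(site, tunnels))
    )
    return EDGE_TEMPLATE.substitute(site=site, tunnels=stanzas)


def tunnel_growth(max_sites):
    """Tunnel count of a full mesh as sites are added, to show the growth."""
    return [n * (n - 1) // 2 for n in range(1, max_sites + 1)]


if __name__ == "__main__":
    mesh = full_mesh_tunnels(SITES)
    print(f"{len(SITES)} sites, full mesh = {len(mesh)} tunnels")
    print(render_edge_config("branch-a", mesh, SITES))
    print("hub-and-spoke config for branch-a:")
    print(render_edge_config("branch-a", hub_spoke_tunnels(SITES, "dc1"), SITES))
    print("mesh tunnels for 1..10 sites:", tunnel_growth(10))
```

Running it for the four constructed sites prints six mesh tunnels, while a fifth site would need ten; the per-edge render is what the controller pushes to each router, so adding a site means regenerating configs rather than editing every existing router by hand.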
What Considerations to Take with Physical vs Virtual Implementations?
The question of physical or virtual is always a difficult one to answer for any organization. From a cost perspective, utilizing an existing on-prem virtualization infrastructure can be cost-effective, but there are downsides. If your environment is not tuned correctly, you may not get adequate performance. You can also run into "chicken and the egg" type problems if your controller and/or edge appliances are hosted in the virtual environment — and it goes down.
On the other hand, it may be overkill for small branches to purchase physical hardware if a virtualization platform already exists. A single physical device is then a single point of failure: if it fails and cannot be repaired, a physical replacement has to be procured.
To augment SD-WAN, Virtual Network Functions (VNFs) exist. These are secondary services, such as firewalling and load balancing, that can be loaded onto a virtual environment; this is one benefit of having virtual appliances. Environments that benefit from SD-WAN also tend to use such services, which helps manage and provision the entire ecosystem.
Technical expertise to manage and operate SD-WAN is something that is often overlooked during the planning phase. This is particularly so if a consulting firm helps deploy it and then hands it over; you quickly realize that the training and knowledge-transfer line item that was struck from the budget is very important. Always ensure your staff is effectively trained on new technologies that your business depends on.
What is Secure Automated WAN?
Secure Automated WAN is the ability to encrypt and secure data, regardless of the transport. Traditionally MPLS and private links are deemed secure because they are private, but the data is not usually encrypted. If it is, it is manually done via a VPN tunnel.
Secure Automated WAN automates this by creating a secure fabric regardless of the transport. It allows sites to augment private-link bandwidth with public-internet bandwidth without concern for ensuring the security measures as this technology automates that.
Automated Zero-Touch Provisioning is an interesting and related technology. In short, it is the ability to plug in a device and have it phone home to auto-configure, meaning you won't have to configure initial IP addresses or initial settings. This can be highly effective for remote branches where no technical staff exists. An appliance can simply be drop-shipped to the location and plugged in.
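The phone-home step above, shown as an added example that is not part of the article and not any vendor's protocol: the edge boots knowing only its serial number, sends a hello to the controller, and applies whatever configuration comes back. The controller side includes the check a practitioner will want in any zero-touch flow, namely that it only answers serials the administrator pre-registered, and only once. The message fields, serial numbers and site inventory are constructed; the transport is assumed to be an authenticated channel such as TLS, which this in-process model does not implement.

```python
"""Added example: a simplified zero-touch provisioning (ZTP) exchange between
an SD-WAN edge and its controller, with both sides' messages. Serial numbers,
site inventory and message fields are constructed; a real product's protocol
and its transport security (assumed to be TLS here) are out of scope."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory the administrator registers before the box ships:
# serial number -> site it belongs to. Anything not listed here is refused.
REGISTERED = {"SN-0001": "branch-a", "SN-0002": "branch-b"}
SITE_CONFIG = {
    "branch-a": {"lan": "10.10.1.0/24", "hub": "203.0.113.1"},
    "branch-b": {"lan": "10.10.2.0/24", "hub": "203.0.113.1"},
}


@dataclass
class Controller:
    """Control plane: owns the inventory and answers phone-home requests."""
    registered: dict
    site_config: dict
    claimed: set = field(default_factory=set)

    def handle(self, msg):
        """Handle one request of the form {"type": "hello", "serial": ...}."""
        if msg.get("type") != "hello":
            return {"type": "error", "reason": "unexpected message"}
        serial = msg.get("serial")
        site = self.registered.get(serial)
        if site is None:
            # Unknown hardware gets nothing: no config, no hub address.
            return {"type": "reject", "reason": "serial not registered"}
        if serial in self.claimed:
            # A serial is provisioned once; a second claim is flagged, not served.
            return {"type": "reject", "reason": "serial already provisioned"}
        self.claimed.add(serial)
        config = dict(self.site_config[site], site=site)
        return {"type": "config", "serial": serial, "config": config}


@dataclass
class Edge:
    """Data-plane appliance fresh from the factory: knows only its serial."""
    serial: str
    state: str = "factory"
    config: Optional[dict] = None

    def boot(self, controller):
        """Phone home, apply the returned config, report the resulting state."""
        reply = controller.handle({"type": "hello", "serial": self.serial})
        if reply["type"] == "config":
            self.config = reply["config"]
            self.state = "provisioned"
        else:
            self.state = "rejected:" + reply["reason"]
        return self.state


def ztp_demo():
    """Boot a registered box, an unknown box, and a duplicate of the first."""
    controller = Controller(REGISTERED, SITE_CONFIG)
    return {serial + f"#{i}": Edge(serial).boot(controller)
            for i, serial in enumerate(("SN-0001", "SN-9999", "SN-0001"))}


if __name__ == "__main__":
    for box, outcome in ztp_demo().items():
        print(box, "->", outcome)
```

The registered serial comes up provisioned with its site's LAN and hub settings, the unknown serial is rejected, and the repeated serial is rejected as already provisioned; the rejects are the events worth alerting on, since a branch with no staff on site will not notice a box that never came up.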
What is SD-WAN Direct Internet Access (DIA)?
In many branch offices, all internet traffic routes through the WAN and is then backhauled to a datacenter, possibly in another region or country.
Direct Internet Access allows internet access to be offloaded locally at the branch. This has a few benefits. Primarily, it lowers utilization of private circuits, which are usually limited in bandwidth, so they can be sized for the business-critical applications that require them. It also allows branch offices to reach local Points of Presence (POPs) for any cloud services they use, instead of being backhauled to another geographical region and connected to the POP near the data center.
The internet is relatively economical these days, so offloading this traffic can save money, increase available bandwidth for the internet, and decrease latency.
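The policy model described in the control-plane section (prefer MPLS for mission-critical apps, push other traffic through the VPN, or combine links for redundancy and throughput) and the local breakout described in this Direct Internet Access section are really one mechanism, so here is a single added example covering both. It is not the article's code or any vendor's implementation: the controller holds one intent table and compiles a per-site copy that only names transports the site actually has; the edge then picks a path per flow from live link health. Application classes, transport names and link states are constructed.

```python
"""Added example: a toy model of SD-WAN path policy. The controller (control
plane) writes intent once and compiles it per site; the edge (data plane)
applies it per flow against live link health, including local internet
breakout (DIA). Application names, transports and link states are constructed."""

# Control-plane intent, written once centrally.
# "prefer": use the first healthy path in the list; "combine": use all healthy paths.
POLICY = {
    "voice":  {"paths": ["mpls", "vpn"], "mode": "prefer"},   # latency-sensitive: leased line first
    "erp":    {"paths": ["mpls", "vpn"], "mode": "prefer"},
    "backup": {"paths": ["mpls", "vpn"], "mode": "combine"},  # bulk: bundle for throughput
    "saas":   {"paths": ["dia", "vpn"],  "mode": "prefer"},   # internet-bound: break out locally
    "web":    {"paths": ["dia", "vpn"],  "mode": "prefer"},   # ... fall back to backhaul via VPN
}
DEFAULT_RULE = {"paths": ["vpn", "mpls"], "mode": "prefer"}  # anything unclassified


def compile_for_site(policy, site_transports, default=DEFAULT_RULE):
    """Controller step: drop transports this site does not have, so an
    internet-only branch keeps 'vpn' and 'dia' and loses 'mpls'."""
    compiled = {}
    for app, rule in list(policy.items()) + [("__default__", default)]:
        paths = [p for p in rule["paths"] if p in site_transports]
        compiled[app] = {"paths": paths, "mode": rule["mode"]}
    return compiled


def select_path(app, link_state, policy=POLICY, default=DEFAULT_RULE):
    """Edge step: apply the rule for this app against live link health.
    Returns the transports to use; an empty list means no usable path."""
    rule = policy.get(app) or policy.get("__default__") or default
    healthy = [p for p in rule["paths"] if link_state.get(p) == "up"]
    if rule["mode"] == "combine":
        return healthy          # bundle every healthy link
    return healthy[:1]          # first healthy link in preference order


def forward_flows(apps, site_policy, link_state):
    """Data-plane pass over a batch of flows: (app, chosen transports)."""
    return [(app, select_path(app, link_state, site_policy)) for app in apps]


def breakout_share(apps, site_policy, link_state):
    """Fraction of flows that leave via DIA rather than being backhauled."""
    decisions = forward_flows(apps, site_policy, link_state)
    local = sum(1 for _, paths in decisions if paths == ["dia"])
    return local / len(decisions) if decisions else 0.0


if __name__ == "__main__":
    # Constructed branch: MPLS plus internet, internet carrying both VPN and DIA.
    branch = compile_for_site(POLICY, {"mpls", "vpn", "dia"})
    flows = ["voice", "saas", "web", "backup", "erp", "unknown-app"]
    print("all links up:   ", forward_flows(flows, branch, {"mpls": "up", "vpn": "up", "dia": "up"}))
    print("mpls down:      ", forward_flows(flows, branch, {"mpls": "down", "vpn": "up", "dia": "up"}))
    print("DIA share:      ", breakout_share(flows, branch, {"mpls": "up", "vpn": "up", "dia": "up"}))
    # Internet-only branch: the compiled policy never mentions MPLS.
    small = compile_for_site(POLICY, {"vpn", "dia"})
    print("internet-only:  ", forward_flows(flows, small, {"vpn": "up", "dia": "up"}))
```

With every link up, voice and ERP take MPLS, SaaS and web break out over DIA, and backup bundles MPLS and VPN; when MPLS goes down at the edge, voice and ERP move to the VPN without any change from the controller, which is the point of keeping the decision local while the intent stays central.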
What are Use Cases for SD-WAN?
We have touched on a few use cases above. Generally, SD-WAN is a good fit for companies with multiple branches or locations looking to augment their traditional leased lines or entirely replace VPN tunnels. Verticals that need secure connections regardless of the medium can also rely on SD-WAN to ensure traffic meets regulatory compliance for security and encryption, independent of the path traversed.
For companies that still need to retain leased lines or MPLS due to Service Level Agreements for performance and latency, policies can be created for mission-critical applications to prefer those paths. At the same time, less critical traffic traverses more economical paths. This allows for performance prioritization for the business applications that require it and best-effort routing for those that do not.
Newer companies often have a smaller physical WAN footprint and rely on public internet links. SD-WAN helps ensure their traffic is secure, even to their public cloud. By deploying an edge in the cloud, remote offices have secure access to the public datacenter and the applications behind it. Many cloud deployment strategies involve multiple public cloud providers for redundancy, and SD-WAN can help with seamlessly routing through either.
You can easily deploy technology to your remote workers (an increasingly valuable resource) to grant them this access. Remote working is also easier on IT teams, who can ship Small Office/Home Office (SOHO) appliances quickly and easily. These appliances auto-connect over the worker's existing internet. Cell connectivity can also be configured as a backup option. Remote workers can have all this without much configuration by the team that manages the environment.
What are Real-World Examples of SD-WAN?
A real-world example might be a restaurant chain that needs to process credit cards for its Point of Sale (POS) terminals. Traditionally that has happened over Plain Old Telephone Service (POTS) lines. In recent years, the internet has become another medium. What if your card processing gateway does not want to open itself to the public internet? What if you do not want to pay for leased lines? SD-WAN can be a great tool to facilitate that access via whatever internet is available. Along with that, a 3G, 4G or 5G cell service can be provisioned as a backup to ensure cards can be run.
Banks are another good use case. Banks may have business apps they prefer to be accessed over leased lines for decreased latency. However, they may also have public cloud applications that need to be securely accessed via secure tunnels to their regional public cloud. Banks may also need to access web applications that should be routed via Direct Internet Access to alleviate the private lines' load. Additionally, they may have a 4G or 5G cell service provisioned as a backup to ensure the branch's business continuity.
Internet of Things, or IoT Edges, exist to help buffer local IoT appliances from having to communicate to cloud platforms. IoT Edges bring that processing to the edge of the network. These IoT Edge devices then need to communicate securely back to the back ends, whether it be a public or private cloud. SD-WAN can assist with this as well.
Imagine a vehicle like a Tesla that has many onboard sensors. It needs to be able to act quickly, so much of the decision making happens locally. Some of that data needs to be sent back to Tesla, though, so it can be analyzed for further review. This allows them to make recommendations to the user or other users later on, such as recommending a service visit for a diagnostic.
SD-WAN can significantly help organizations that struggle with a massive sprawl of WAN routing that is currently manually managed. It can also help better utilize existing circuits or offer avenues of routing traffic that was not previously an option. It can allow for scaling and ease of management as the topology scales.
Sometimes it can have a rough upfront cost because ideal implementations require replacing existing WAN routers with SD-WAN capable appliances. However, many of the benefits help with that Return on Investment. Over time, it can help you avoid having additional hires as the business grows and ensures the connections' security.