Know Before You Go: SD-WAN
BLUF: Bottom Line Up Front
SD-WAN is a flexible, software-defined network solution that enhances WAN connectivity by optimizing multiple connections and improving application performance. It has become essential as traditional MPLS and VPNs struggle to keep pace with hybrid operations, moveable workloads, and evolving technologies like AI and Edge Computing. While SD-WAN provides significant advantages, organizations must carefully plan and test deployments to ensure it integrates effectively with their network and security infrastructures.
Quick Orientation
Definition
Software Defined Wide Area Network. SD-WAN belongs to the family of software-defined networking, which aims to provide a flexible software controller that configures connections as needed and adjusts them to meet business or performance requirements.
Key Characteristics
Common Terms
Backstory
Perspective gives us the contrast between the technology we are discussing and where we have been, that is, what is currently running our world. Yes, this is the conversation our parents had when we complained about a music CD getting scratched and they told us about their 8-tracks.
What was before (what most are using now)
For the last 5+ years, enterprises have had only a few options to connect their various offices to each other and to their corporate resources. The actual solution used was largely based upon their budget.
What changed and broke what was “good enough”
Necessity is the mother of all invention. SD-WAN did not need to be created because the existing technologies had stopped working; they were sufficient for the world they were built for, but they could not accommodate the changing landscape. These are a sample of the catalyst events that moved SD-WAN from a science project into a necessity for digital transformation towards the fifth industrial revolution.
Is SD-WAN still relevant (AI, Edge Compute)
Per Wikipedia, SD-WAN started around 2014 and then took off in 2020, driven by the demand during COVID to interconnect remote workers and move workloads. In contrast, MPLS started in 1994. Yet being a newer technology does not mean that it is ready to accommodate rapidly evolving technology like Artificial Intelligence, the shift back to Edge Computing, etc.
First, Artificial Intelligence will be infused into the applications that we use. This is not the development of AI, but rather AI becoming a native feature that either runs locally on your device or is accessible through a remote service. For AI inference running locally, chip manufacturers like Intel have been designing co-processors which enable AI inference with much lower power consumption. Don’t even get me started on Apple’s M chips. I’m right now composing this article on an iPad that has an M4 chip in it. Completely ridiculous to use a 3 nm chipset with 36 cores and 28 billion transistors … to write an article. Yet it is the power of these processing chips to enable AI models and other more complex application features that will greatly increase the demand for always-on WAN connectivity and the expectation of low-latency access to the multiple resources the application needs.
To illustrate the AI demand on SD-WAN connections, consider that the application you currently access might have 10-15 resources behind it, all invisible to you as the user because they sit behind the published service. Now, with AI-powered software and the sheer amount of computational power at the workstation, the application running on the device will need to access those same 10-15 services directly from the device/end-point. See the challenge: today you only need to monitor and assure a few flows; now the flows are multiples higher.
Pulling on the thread of high-powered end-points, let’s discuss the demand brought by Edge Computing. Edge Computing is the shift of computation, storage, or the place from which an application is ‘served’ closer to the end-user rather than a distant Cloud or Data Center. We see the cycle of decentralization, centralization, and then back to decentralization again over time as computation, regulation, and bandwidth dynamics change.
Edge Computing demands that the relationship between the user, Edge resource, Cloud resource, etc. be fluid and dynamically adjust to whatever provides the best experience, assures compliance, etc. For instance, I’ve been working with mission critical systems for over a decade. We normally have to intricately design systems to be highly available, with zero downtime during maintenance or changes. As an easy example, consider an organization’s HTTP-based application that is served from a local server at an office; if that application is down for whatever reason, the user’s machine automatically re-routes them to another application server, dynamically, based upon business rules and performance characteristics.
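The re-routing just described, as an added example that is not part of the original article and not any vendor’s code: a user-side selector that combines a health probe result, measured latency and jitter, and two business rules (allowed regions for compliance, and a preference for office over edge over cloud). The server names, regions, thresholds and the scenario are all constructed assumptions for the demonstration.

```python
# Added example, not from the article: choose an application server for a user
# the way the Edge Computing paragraph describes, combining a health probe,
# measured performance, and business rules. Server names, regions, thresholds
# and the rule set are all assumptions constructed for the demonstration.
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Candidate:
    name: str
    region: str          # where this instance runs (office, edge, cloud region)
    healthy: bool        # latest HTTP health-probe result (constructed below)
    latency_ms: float    # measured round-trip time from the user's site
    jitter_ms: float     # measured jitter from the user's site
    tier: int            # business preference: 0 = local office, 1 = edge, 2 = cloud


@dataclass(frozen=True)
class Policy:
    allowed_regions: frozenset  # compliance: the app may only be served from here
    max_latency_ms: float       # performance budget for a "good" experience
    max_jitter_ms: float


def select_server(candidates: Iterable[Candidate], policy: Policy) -> Optional[Candidate]:
    """Pick the server the user should be routed to, or None if nothing is usable.

    Hard rules first: the instance must be healthy and in an allowed region.
    Then rank: within the performance budget beats outside it, a lower tier
    (closer to the user in business terms) beats a higher one, and the lowest
    measured latency wins any remaining tie.
    """
    eligible = [c for c in candidates
                if c.healthy and c.region in policy.allowed_regions]
    if not eligible:
        return None

    def rank(c: Candidate):
        in_budget = (c.latency_ms <= policy.max_latency_ms
                     and c.jitter_ms <= policy.max_jitter_ms)
        return (0 if in_budget else 1, c.tier, c.latency_ms)

    return min(eligible, key=rank)


def set_health(candidates: List[Candidate], name: str, healthy: bool) -> List[Candidate]:
    """Return a copy of the list with one server's probe result changed (simulates a probe)."""
    return [replace(c, healthy=healthy) if c.name == name else c for c in candidates]


def chosen_name(candidates: List[Candidate], policy: "Policy" = None) -> Optional[str]:
    """Convenience wrapper returning just the selected server's name (None if none usable)."""
    picked = select_server(candidates, policy or POLICY)
    return picked.name if picked else None


# Constructed policy: data may only be served from US regions, and anything
# under 80 ms / 10 ms jitter counts as a good experience.
POLICY = Policy(allowed_regions=frozenset({"us-east", "us-west"}),
                max_latency_ms=80.0, max_jitter_ms=10.0)

# Constructed scenario: the office server has just failed its health probe.
SCENARIO = [
    Candidate("office-web-1", "us-east", healthy=False, latency_ms=2.0, jitter_ms=0.3, tier=0),
    Candidate("edge-web-1", "us-east", healthy=True, latency_ms=12.0, jitter_ms=1.5, tier=1),
    Candidate("cloud-web-eu", "eu-west", healthy=True, latency_ms=95.0, jitter_ms=6.0, tier=2),
    Candidate("cloud-web-us", "us-west", healthy=True, latency_ms=60.0, jitter_ms=4.0, tier=2),
]

if __name__ == "__main__":
    print("office down            ->", chosen_name(SCENARIO))
    print("office back up         ->", chosen_name(set_health(SCENARIO, "office-web-1", True)))
    print("office and edge down   ->", chosen_name(set_health(SCENARIO, "edge-web-1", False)))
```

The compliance rule is applied as a hard filter before any performance ranking, so a nearby but non-allowed instance (cloud-web-eu here) is never chosen just because it is fast; that ordering is the point to preserve when you encode business rules alongside measured performance.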
In summary, AI, Edge Compute, and evolving WAN connectivity options all demand dynamic relationships between users and their resources. It is a circumstantial many-to-many relationship which, if manually configured and maintained, will be so overly complex that it is likely to fail and hamper mission/business outcomes.
Current alternatives to SD-WAN
Alright, so let’s say that you don’t believe in SD-WAN or don’t want to implement a vendor’s technology to achieve some of the benefits described above. After all, it’s software defined; there should be a way to realize some of the value without having to purchase yet another tool from a vendor or cloud service provider.
Publishing >> CDN & modern multiplexing
A CDN (Content Distribution Network) only applies to applications that your organization creates or controls. Utilizing a CDN enables dynamic interactions between highly intelligent browsers, using modern JavaScript and HTML5 technologies, and the CDN ecosystem they connect to.
Subscriber >> DNS
Please don’t forget the basics. Remember that DNS (Domain Name System) still underpins how your user ‘finds’ your application, and intelligence can be applied to the destination presented to the user. Remember the example I provided earlier about highly available systems that needed to stay available during maintenance without interrupting the end-user: old school DNS worked magic.
Publishing >> Zero Trust
For 80% of all organizations and their applications, implementing a REAL Zero Trust methodology accomplishes the equivalent of what SD-WAN provides on the Publishing side of the equation, since it enables the full power of Internet routing and scale: no hair-pinning traffic through a POP, no private access through MPLS, and the workload can move anywhere there is an Internet connection. Comment on this article if you want me to dive into the 20% of situations where SD-WAN is still required even when Zero Trust is implemented.
End Point >> Multiple network interfaces
Most devices don’t have the ability to distinguish between multiple network connections (say wired and wireless), let alone when each of those connections has multiple WAN links behind it. Further, a network client (laptop, desktop, WiFi device) normally has no ability to influence how it connects to a resource; it can only say what it wants to access. That being said, my Apple iPad can simultaneously have and utilize WiFi and 5G. We are not too many generations from 5G being how a small office sets up its Local Area Network.
Office Location >> Multiple WAN links
There are a myriad of technologies that enable efficient routing to SaaS resources, combine multiple WAN links, and provide WAN optimization and caching. Now, these technologies don’t avoid the purchase of another piece of equipment that you have to implement and maintain, but they do highlight that you can address individual needs in your environment with individual technologies.
What SD-WAN does not solve
Physics
Yes, physics still applies. SD-WAN does not make light travel faster. So when you consider overall latency and jitter, it cannot make radio waves or photons move faster.
Now the unfair part is that not all traffic is treated the same by service providers, so Direct Internet Access (DIA) from a physical location to your resource hosted in the cloud might result in a different REALIZED bandwidth and user experience. Latency and jitter matter just as much as bandwidth when it comes to the interconnection between a user and their resource.
Restrictions on the last mile
SD-WAN cannot magically turn a remote 5 kbps link into a 10 Gbps connection. It just cannot, no matter how much the vendor tells you otherwise. So unless you are planning to use SD-WAN to combine multiple WAN connections or to enable a back-up WAN connection architecture, putting an SD-WAN router at a location in place of a standard router is not going to get you very far.
I do echo here, though, that for bandwidth-restricted sites that cannot get MPLS, etc., SD-WAN does enable a more direct, efficient path for the user to access the resource they need. This eliminates the need for the user’s traffic to ride a VPN back to a POP where it hops onto the MPLS to then get to the Data Center where the application lives.
Poor performing applications
Yup, this is not fixed either. Let’s say you have an application that is a poor performer for whatever reason: old code, old computer, it just takes a long time to work its magic, whatever. Hooking up the application to SD-WAN is not likely to fix the application’s performance. It might actually make the problem worse, since more users and more bandwidth are now coming in to hit the application. So make sure to gauge the need to actually restrict the incoming number of users, sessions, bandwidth, etc. so as not to knock over the application.
Now, an advantage of enabling SD-WAN is that you might gain some ability to prioritize which users are able to access the resource, a set of controls that you did not have before. Also, you might realize some improvements for individual users, since the application will have fewer “network wait” conditions as the latency between the user and application is reduced.
Hamstrung by dependencies
This one is a little more complex, so stick with me. Most data center resources, and even applications installed on the user’s device, have various dependencies. These can be as simple as DNS, email relay, log-on server, etc. When we examine the user’s experience, the weakest (slowest, most unreliable) dependency of that overall application, or of whatever the user needs to perform their job, slows down their entire reality. It does not matter if the connection between the user and the application server presenting the web page is now faster when the back-end database still cannot keep up.
Other controls that cannot adapt
Just because you can, doesn’t mean that you can. Sometimes when SD-WAN is implemented there are still organizational policies or compliance requirements that require traffic to take a particular path. This is normally because the necessary security controls are centralized and not designed to move with the workload or to handle a location egressing through multiple WAN connections. While this does go back to the Zero Trust methodology mentioned before, this section is a reminder that the expected benefits of a new technology are held back until other technologies and compliance requirements catch up.
Your cyber security needs - well mostly
Know that I’m a cyber security guy, so that is how my brain is wired. SD-WAN is a networking technology that is application aware. It can assist an organization’s cyber security objectives when the organization treats the crossing of risk zones as the place where security controls are applied at the network level. Yes, this aligns more with a defense-in-depth and perimeter security approach than with modern Zero Trust, yet it does align with how most organizations’ security policies are written. It also follows the United States civilian government’s TIC 3.0 (Trusted Internet Connections) architecture/program.
SD-WAN does enable a private connection, but private does not mean secure. So at the most, SD-WAN helps keep unnecessary load from transiting a centralized cyber security stack. At the least, it just opens up more avenues and more bandwidth if your cyber security plan cannot accommodate the changes. Ideally, you’re either able to choose a cyber security oriented (or originated) SD-WAN vendor OR can create a tight integration between your SD-WAN deployment and your controls.
Getting the most from your investment
Yes, that was a very long preamble to finally get to the title of this article: what to know about SD-WAN before you start purchasing and implementing. This section focuses on how to best orient the project and the organization to get the most out of your time, energy, and financial investment.
Plan for Hybrid
Hybrid operations are a reality for both how resources are made available to users and how users operate. A workload can exist at a local premise, a Cloud Service Provider, the organization’s Data Center, and more. A user is now expected to operate from a cafe, home, plane, office, shared office space, and while on vacation. Plan for the reality that you’ll have less and less control over where and how your precious resources and users operate.
So when selecting your vendors and deciding how to start your project, be aware of the limitations of your architecture and vendor as they relate to how future-proof you are.
Plan ahead for IPv6, Edge Compute, transformers, …
Consider your 5-8 year horizon of what other technologies you’ll need to support in order to complete the rollout without having to perform another major change. While IPv6 is an easy example, each organization will need to perform its own research and then dovetail those requirements into its immediate needs. If your current investment of time and technology cannot withstand the organization’s future requirements, then the value of your investment will be limited. Whenever possible, pick the vendor who is most likely to accommodate your future needs with a software update or who enables you to natively integrate another solution to achieve the additional objective.
Acknowledge the value of Customer Experience
I love technology, and most readers of this article are likely similar enthusiasts. I encourage you to remember that technology exists to enable a business or organization to function. Then employees exist to fulfill the company or organization’s objectives. Increasing User Experience or Customer Satisfaction is the real objective.
Get a baseline - be able to know the change
You might not be surprised, but so many organizations base an entire project on a directive from leadership and a few accounts from users. Get a real baseline, both to record where and how you start your project and to identify the real problem that you’re trying to solve. Become aware early in the project if SD-WAN will only solve part of the problem, both to set user and management expectations and to line up secondary projects to address those additional constraints.
Also, don’t forget that a user commenting “it seems to be the same speed” or an application owner saying “my application is not the problem” creates confusion when not substantiated by quantitative monitoring. This goes beyond the pretty reports that management and operations need to see; it becomes a central point of communication and understanding. And given that SD-WAN is application aware, it might be the first time that you have this level of awareness of which applications are running across your network, so a baseline gives you a point-in-time snapshot.
I cannot emphasize this enough. Remember when you start the spring cleaning of the closet, forget to take a before picture, and then take a picture 60% of the way through? It is really hard to describe to anyone else what really existed before … “it really was that bad.”
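What a quantitative baseline looks like in practice, as an added example that is not from the article and not from any monitoring product: a per-application summary of latency, jitter and loss computed from round-trip probe samples, and a comparison of a later run against it so a claim like “it seems to be the same speed” can be checked against numbers. The application name, the probe samples and the 10% tolerance are constructed assumptions; real samples would come from your monitoring tool.

```python
# Added example, not from the article: build a quantitative baseline for an
# application flow (latency, jitter, loss) from round-trip probe samples and
# compare a later measurement run against it. The probe samples below are
# constructed; in practice they would come from your monitoring tool.
from statistics import mean, median
from typing import Dict, Optional, Sequence


def percentile(values: Sequence[float], p: float) -> float:
    """Linear-interpolated percentile (p in 0..1) of a non-empty sequence."""
    s = sorted(values)
    k = (len(s) - 1) * p
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def summarize(samples: Sequence[Optional[float]]) -> Dict[str, float]:
    """Summarize one probe run. Each entry is an RTT in ms, or None for a lost probe."""
    received = [s for s in samples if s is not None]
    if not received:
        raise ValueError("every probe was lost; nothing to baseline")
    loss_pct = 100.0 * (len(samples) - len(received)) / len(samples)
    # Jitter as the mean absolute difference between consecutive RTTs (the
    # RFC 3550 flavour that most network monitoring tools report).
    diffs = [abs(b - a) for a, b in zip(received, received[1:])]
    return {
        "median_ms": median(received),
        "p95_ms": percentile(received, 0.95),
        "jitter_ms": mean(diffs) if diffs else 0.0,
        "loss_pct": loss_pct,
    }


def compare(baseline: Dict[str, float], current: Dict[str, float],
            tolerance_pct: float = 10.0) -> Dict[str, str]:
    """Label each metric 'better', 'worse' or 'same' relative to the baseline.

    Lower is better for every metric; a relative change smaller than
    tolerance_pct is reported as 'same' so normal noise is not mistaken for change.
    """
    verdict = {}
    for key, base in baseline.items():
        cur = current[key]
        if base == 0:  # e.g. zero loss in the baseline: any loss at all is worse
            verdict[key] = "same" if cur == 0 else "worse"
            continue
        change_pct = 100.0 * (cur - base) / base
        if change_pct <= -tolerance_pct:
            verdict[key] = "better"
        elif change_pct >= tolerance_pct:
            verdict[key] = "worse"
        else:
            verdict[key] = "same"
    return verdict


# Constructed probe runs for one application (assumed name "erp") from a branch:
# before, hair-pinned over a VPN to the data center; after, over a direct path.
BEFORE_RTT_MS = [88, 92, None, 90, 101, 87, 95, None, 93, 89]
AFTER_RTT_MS = [31, 33, 30, 34, 32, 31, 35, 30, 33, 32]

if __name__ == "__main__":
    base = summarize(BEFORE_RTT_MS)
    now = summarize(AFTER_RTT_MS)
    verdict = compare(base, now)
    print("erp: metric      before    after   verdict")
    for key in base:
        print(f"     {key:<10} {base[key]:8.2f} {now[key]:8.2f}   {verdict[key]}")
```

Run the same probe set per application before the project starts and again after each cutover; the before/after table is the “before picture” the closet analogy is asking for, and the tolerance keeps a 3 ms wobble from being reported as a change.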
Play nice = network + security + application + compliance + …
SD-WAN changes the fabric that connects users and resources. This means that an SD-WAN project will impact many areas of your organization. It will challenge their current approach and what they are comfortable with. There will be comments like “we did not budget for this” or “that will not be compliant”. Just know that a disruptive technology like SD-WAN will either result in a forced maturity process for your organization, or only 10% of its effectiveness will be realized.
Field test before you commit
Whenever possible, perform a field test of your short list of vendors at three sites each. Have the vendors implement the technology as they best see fit. This is the only true way to understand the benefits of their approach, what level of reporting information you’ll see, and what underlying issues were present that you were not aware of. I emphasize that you want to let the vendor implement the solution in the way the vendor considers most ideal, with as few stipulations as possible. This lets the vendor show its true strength before you apply more complexity.
The exact opposite approach is valid too. Place your final selected vendor into the harshest environment possible, but you’ll likely only be able to do this for one vendor and will not gain a comparative view of how other vendors would have performed. The goal is to evaluate the vendor’s ability to withstand your requirements and how they react as a Partner to your requirements and expectations. Also, please don’t forget that opening Technical Support cases, performing firmware upgrades, etc. are all part of experiencing how gracefully your new corporate workhorse will fare.
Decide, document, and apply discipline
We as humans forget, and we each have our own recall of a meeting: what is next, what we decided, what needs to be researched. Since SD-WAN will impact so many areas of the organization, basic project management, accountability, documentation, etc. are necessary for a successful SD-WAN implementation.
My greatest recommendation is that you create a basic set of rules and constraints that are then applied consistently across the ecosystem. For example, any corporate location that does not have an MPLS link will use SD-WAN. Or, any organization location that is outside of the United States will use SD-WAN both to access corporate resources and to connect with business partners, for audit trail and privacy.
Recommendations on where to start
Use SD-WAN as a pressure relief valve
This approach is to find the areas in your organization that are red-lining (yes, another car analogy) their capacity for network connections, handling burst traffic, etc. For instance, let’s say you have a Cloud On-Ramp link from a Cloud Service Provider (a very expensive and fast link from a Data Center to a CSP like AWS). When this link is constantly being clogged, you can use SD-WAN to carry some of the traffic via an alternate path. This gives the organization the benefit of not needing to increase spend to increase the link’s size, and also avoids the waiting time involved.
Streamline application path for same security boundary
This applies mostly to government operations but might apply to commercial organizations as well. The concept of a security boundary applies to users and resources that exist on networks where the security controls (firewall, IPS, authentication, etc.) are applied based upon a legacy defense-in-depth or perimeter security approach. This means that if you don’t “cross the moat” when going from site one to site two, then your traffic is not subjected to additional controls.
So, where does SD-WAN come into play? Let’s say you’re at an airport in Terminal 1 and need to get to Terminal 2, but the only way to do so is to exit the TSA security zone and re-enter through TSA security. Oh, what a pain. It costs time (walking, TSA security), costs money (TSA has to screen more people and bags than really necessary), potentially costs the travelers money (missed flights, hotel stays, etc.), and more. When TSA was first created, what I’m describing was a reality. Now airports have created short-cuts between different terminals, so you are able to reach your connecting flight without leaving the protected security zone.
In the same way, SD-WAN allows short-cuts between users and the resources they want to access, without needing to exit and come back in. Practical examples:
Solve remote site local bandwidth problems
Core sites and office locations in major cities get the best Internet connectivity and thus the best experience when accessing the organization’s resources. Yet remote locations struggle to get quality, fast, reliable Internet connectivity. SD-WAN provides the ability to combine multiple different Internet providers and types to get an aggregated, better experience. This specifically helps in a few ways:
Mesh for moveable workloads
Ok, this one is fun and not a traditional use of SD-WAN. First, a moveable workload means that the components of a particular resource form a group of systems that can move. For example, a website and database is probably the simplest resource group. Many organizations and government agencies want or require the ability for the group to move between Cloud Service Providers and their Data Center. This can be for cost control or resiliency of operations.
SD-WAN comes into the mix as the application-aware mesh that connects all your various users and their resources. The resource group has an SD-WAN connection point that adds itself into the “application matrix” and self-publishes its availability. When you combine the Moveable Workloads justification for SD-WAN with the Security Boundary and/or the Pressure Relief Valve, things really get interesting. Use cases for moveable workloads:
Before you leap to your comments: yes, there are other ways that are more elegant or streamlined to solve some of the objectives above: Content Distribution Network, DNS, Cold Site for Disaster Recovery, etc.
Please comment below on what interests you more, on how SD-WAN can also be used for:
P.S.: If you are a small or disadvantaged business, I provide complimentary advisory services to help you figure out new technology and how to architect your needed change. Reach out to me via LinkedIn to find out together what is possible.
>> My own words. Edited by GenAI.
>> AI image created by me and my genius son.
👍Driving SD-WAN adoption in South Africa 🇿🇦
3mo Great read.