SD-WAN is more than an alternative to MPLS. Zero-touch provisioning, application-aware routing and micro-segmentation are just some of the features that SD-WAN technology can provide.
Early SD-WAN technology let companies drop expensive, rigid MPLS links, connect branches directly to the cloud and optimize WAN traffic. However, many of the original SD-WAN offerings lacked features such as built-in firewalls, application-aware routing and advanced analytics.
Over time, SD-WAN vendors have matured their products to include a reliable suite of advanced features. Yet many companies do not take full advantage of the latest SD-WAN product capabilities and managed services.
So why aren't IT professionals jumping on these new features? In some cases, vendors have failed to educate IT leaders about the benefits and ease of use of these advanced capabilities.
In other cases, organizational issues, such as barriers between the network and security teams, have prevented companies from activating features that ship with their SD-WAN devices, such as the next-generation firewall or intrusion prevention system.
In most cases, networking professionals have a standard set of methods and procedures that they have followed for many years and that do the job well. Proposing a new way of doing things, such as zero-touch provisioning, runs into risk aversion: if something goes wrong, it hurts. Companies should nevertheless weigh the benefits that underused SD-WAN features can bring. After all, you are already paying for the SD-WAN device or managed service, so why not make the most of the technology?
The traditional method of installing branch network equipment is to bring the physical device to a staging point, configure it, test it, and then ship it to the branch, where a network professional sets it up. For companies deploying tens or hundreds of SD-WAN devices across a wide geographic area, this is a labor-intensive and time-consuming process.
Zero-touch provisioning, standard on most SD-WAN devices, configures the remote device automatically. The device only needs an internet connection: it phones home to the controller and receives its full configuration quickly, efficiently and in a standardized form based on predefined templates. Because the device is being trusted on the strength of its claimed identity, the controller should verify that identity (serial number, factory certificate) against its inventory before handing over any configuration.
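The following is an added example, not code from the article or from any SD-WAN vendor, showing the controller side of a zero-touch call-home in Python. It assumes a hypothetical inventory keyed by device serial, with a certificate fingerprint (modelled as a SHA-256 digest of a placeholder string) and a site template per device; the devices, templates and `ZtpController` class are all constructed for illustration. The point it adds to the paragraph above is the identity check: an unknown serial, a fingerprint that does not match the inventory, or a second claim of an already-provisioned serial gets no configuration and an audit entry instead.

```python
import hashlib
import hmac


# Constructed inventory: what the controller knows about each device before it
# ever phones home.  The serial is the claimed identity; cert_fp stands in for
# the fingerprint of the device's factory-installed certificate (modelled here
# as a SHA-256 digest of a placeholder string); template names the site profile
# the device should receive.  None of these are real devices.
INVENTORY = {
    "SN-BR-0001": {"cert_fp": hashlib.sha256(b"factory-cert-SN-BR-0001").hexdigest(),
                   "template": "retail-branch", "site_id": 101},
    "SN-BR-0002": {"cert_fp": hashlib.sha256(b"factory-cert-SN-BR-0002").hexdigest(),
                   "template": "regional-office", "site_id": 202},
}

# Constructed site templates: the standardized settings every branch of a kind gets.
TEMPLATES = {
    "retail-branch":   {"wan": ["internet"],        "vrfs": ["pos", "guest"],  "firewall": "enabled"},
    "regional-office": {"wan": ["internet", "lte"], "vrfs": ["corp", "guest"], "firewall": "enabled"},
}


class ZtpController:
    """Hypothetical ZTP controller: answers a device's first call-home with a
    rendered configuration, but only after checking the device's identity."""

    def __init__(self, inventory, templates):
        self.inventory = inventory
        self.templates = templates
        self.claimed = set()   # serials that have already been provisioned once
        self.audit = []        # (serial, outcome) entries for the audit log

    def render_config(self, template_name, site_id, serial):
        # Site-specific values come from the inventory, never from what the
        # device sent, so a rogue device cannot pick its own site or addresses.
        cfg = dict(self.templates[template_name])
        cfg["site_id"] = site_id
        cfg["hostname"] = f"{template_name}-{site_id}"
        cfg["system_ip"] = f"10.0.{site_id // 256}.{site_id % 256}"
        cfg["serial"] = serial
        return cfg

    def handle_call_home(self, serial, presented_cert_fp):
        """Return (outcome, config); config is None unless outcome is 'provisioned'."""
        entry = self.inventory.get(serial)
        if entry is None:
            return self._deny(serial, "unknown-serial")
        # Constant-time comparison so the fingerprint check does not leak by timing.
        if not hmac.compare_digest(entry["cert_fp"], presented_cert_fp):
            return self._deny(serial, "identity-mismatch")
        if serial in self.claimed:
            # A second call-home for the same serial is a replay or a clone; it
            # needs an operator to release the device, not automatic config.
            return self._deny(serial, "already-claimed")
        self.claimed.add(serial)
        cfg = self.render_config(entry["template"], entry["site_id"], serial)
        self.audit.append((serial, "provisioned"))
        return "provisioned", cfg

    def _deny(self, serial, reason):
        self.audit.append((serial, reason))
        return reason, None


if __name__ == "__main__":
    ztp = ZtpController(INVENTORY, TEMPLATES)
    good_fp = INVENTORY["SN-BR-0001"]["cert_fp"]
    print(ztp.handle_call_home("SN-BR-0001", good_fp))      # provisioned
    print(ztp.handle_call_home("SN-BR-0001", good_fp))      # already-claimed
    print(ztp.handle_call_home("SN-BR-0002", "00" * 32))    # identity-mismatch
    print(ztp.handle_call_home("SN-XX-9999", good_fp))      # unknown-serial
```

In a real deployment the fingerprint would come from the TLS client certificate the device presents when it calls home, and the "already-claimed" case would page an operator rather than silently dropping the request.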
Companies that do business with the federal government, such as aerospace and defense contractors, and companies subject to PCI compliance, which includes anyone handling payment card data, need to rotate their encryption keys regularly (often every 90 days). This can be a tedious manual process involving complex change-control procedures and may require planned downtime.
SD-WAN platforms can replace manual VPN key rotation with an automated rekey that can be scheduled as often as every minute without interrupting data-plane traffic. The result is better security, no downtime and no manual intervention. The rotation is only disruption-free if it is coordinated: the new key has to be in place on both ends before traffic switches to it, and the old key has to stay acceptable for a short grace period so that packets already in flight are not dropped.
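The following is an added example, not code from the article or from any SD-WAN product, showing in Python why rotation can be disruption-free: a key ring with overlapping epochs. The `KeyRing` class, the HMAC-SHA256 packet tag and the `rotate_every`/`grace` parameters are constructed for illustration and stand in for the real tunnel cipher and the controller's key distribution, which the example does not model. The sender always protects with the newest key; the receiver accepts the newest key plus any retired key still inside the grace window, so a packet tagged just before a rotation still verifies just after it.

```python
import hashlib
import hmac
import os


class KeyRing:
    """Hypothetical per-tunnel key schedule with overlapping epochs.

    The sender always protects with the newest key.  The receiver accepts the
    newest key plus any retired key still inside its grace window, so packets
    in flight when a rotation happens are not dropped.  Times are plain
    seconds passed in by the caller, which keeps the example deterministic."""

    def __init__(self, rotate_every, grace):
        self.rotate_every = rotate_every   # seconds between scheduled rotations
        self.grace = grace                 # seconds a retired key stays acceptable on receive
        self.epochs = []                   # dicts: epoch, key, installed_at, retired_at

    def rotate(self, now):
        """Install a fresh key as the new epoch and retire the previous one."""
        if self.epochs:
            self.epochs[-1]["retired_at"] = now
        epoch = self.epochs[-1]["epoch"] + 1 if self.epochs else 1
        self.epochs.append({"epoch": epoch, "key": os.urandom(32),
                            "installed_at": now, "retired_at": None})
        # Drop keys whose grace window has already closed; nothing can need them.
        self.epochs = [e for e in self.epochs
                       if e["retired_at"] is None or now - e["retired_at"] <= self.grace]
        return epoch

    def maybe_rotate(self, now):
        """Called on every timer tick: rotate only when the interval has elapsed."""
        if not self.epochs or now - self.epochs[-1]["installed_at"] >= self.rotate_every:
            return self.rotate(now)
        return self.epochs[-1]["epoch"]

    def _acceptable(self, now):
        return {e["epoch"]: e["key"] for e in self.epochs
                if e["retired_at"] is None or now - e["retired_at"] <= self.grace}

    @staticmethod
    def _tag(key, epoch, payload):
        # The epoch is bound into the tag so a packet cannot be replayed under
        # a different key index.
        return hmac.new(key, epoch.to_bytes(4, "big") + payload, hashlib.sha256).digest()

    def protect(self, payload):
        """Sender side: always the newest key.  Returns (epoch, payload, tag)."""
        cur = self.epochs[-1]
        return cur["epoch"], payload, self._tag(cur["key"], cur["epoch"], payload)

    def verify(self, now, epoch, payload, tag):
        """Receiver side: accept if the epoch's key is current or within grace."""
        key = self._acceptable(now).get(epoch)
        if key is None:
            return False
        return hmac.compare_digest(self._tag(key, epoch, payload), tag)


if __name__ == "__main__":
    ring = KeyRing(rotate_every=60, grace=10)
    ring.rotate(0)
    pkt = ring.protect(b"branch-to-hub payload")   # constructed packet
    ring.maybe_rotate(60)                          # scheduled rotation to epoch 2
    print(ring.verify(65, *pkt))                   # True: still inside the grace window
    print(ring.verify(71, *pkt))                   # False: grace expired
```

The grace window is the whole trick: set it to zero and every rotation drops whatever was on the wire at that moment, set it too long and a stolen old key stays useful for longer than it should. A minute-level rotation only works because the window can be kept to a few seconds of path delay.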
There are many scenarios in which companies need to keep different types of traffic separate. In a merger or acquisition, for example, the merged firm may be a single company on paper while, for business, compliance or security reasons, each business unit continues to operate independently. If such a company upgrades to SD-WAN, it may be tempted to buy two sets of physical devices.
But SD-WAN technology lets multiple virtual routing and forwarding (VRF) instances and VPN segments be multiplexed in a single overlay, something earlier branch VPN deployments did not offer. The traffic of sprawling organizations with multiple business units can be separated simply by defining policies. Some SD-WAN platforms support up to 16 virtual VPNs, all running over the same physical WAN links.
SD-WAN products can inspect flows at Layer 7 and apply granular routing policies to specific applications. Some devices recognize more than 3,000 applications and understand the performance requirements of each. This lets companies optimize telecommunications costs per application: the device continuously monitors real-time latency, jitter, packet loss and other metrics the application is sensitive to, and moves each application to the most cost-effective transport that still meets its performance thresholds.
Application-aware routing is not used as widely as it could be. Likely reasons are that Layer 7 inspection carries a performance cost and that it requires companies to define a policy and thresholds for each application. Done properly, however, application-aware routing can bring significant performance and cost benefits.
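The following is an added example, not code from the article or from any vendor, showing the selection logic the two paragraphs above describe in Python. The transports, their relative costs, the per-application SLA thresholds and the measurement samples are all constructed; `select_path` and `AppRouter` are hypothetical names. It goes slightly beyond the text in two ways a practitioner would want: when no path meets an application's SLA it falls back to the least-bad path rather than dropping the application, and a move to a cheaper path is damped so that one good poll does not flap traffic back and forth, while failover off a violating path is immediate.

```python
# Constructed transports: relative cost per unit of bandwidth (higher = pricier).
PATHS = {"mpls": {"cost": 10}, "broadband": {"cost": 2}, "lte": {"cost": 5}}

# Constructed per-application SLA thresholds (latency and jitter in ms, loss in %).
SLA = {
    "voip": {"latency": 150, "jitter": 30,  "loss": 1.0},
    "bulk": {"latency": 400, "jitter": 100, "loss": 3.0},
}


def meets_sla(metrics, sla):
    """True when every measured metric is within the application's threshold."""
    return all(metrics[k] <= sla[k] for k in sla)


def sla_score(metrics, sla):
    """Sum of each metric relative to its threshold; lower is better.  Used only
    to pick the least-bad path when no path is compliant."""
    return sum(metrics[k] / sla[k] for k in sla)


def select_path(app, measurements, paths=PATHS, sla=SLA):
    """Cheapest path that meets the app's SLA, else the least-bad path.
    Returns (path, compliant)."""
    compliant = [p for p in paths if meets_sla(measurements[p], sla[app])]
    if compliant:
        return min(compliant, key=lambda p: paths[p]["cost"]), True
    return min(paths, key=lambda p: sla_score(measurements[p], sla[app])), False


class AppRouter:
    """Per-application path state with flap damping: failover off a violating
    path is immediate, but moving to a cheaper compliant path requires
    stable_polls consecutive polls to agree before the switch is made."""

    def __init__(self, paths=PATHS, sla=SLA, stable_polls=3):
        self.paths, self.sla, self.stable_polls = paths, sla, stable_polls
        self.current = {}   # app -> path currently carrying it
        self.streak = {}    # app -> (candidate path, consecutive polls it was preferred)

    def poll(self, measurements):
        """Feed one round of per-path measurements; returns the app -> path map."""
        for app in self.sla:
            best, _ = select_path(app, measurements, self.paths, self.sla)
            cur = self.current.get(app)
            if cur is None or not meets_sla(measurements[cur], self.sla[app]):
                self.current[app] = best          # first assignment or immediate failover
                self.streak.pop(app, None)
            elif best != cur:
                cand, n = self.streak.get(app, (best, 0))
                n = n + 1 if cand == best else 1  # a different candidate restarts the count
                if n >= self.stable_polls:
                    self.current[app] = best
                    self.streak.pop(app, None)
                else:
                    self.streak[app] = (best, n)
            else:
                self.streak.pop(app, None)
        return dict(self.current)


if __name__ == "__main__":
    # Constructed measurement rounds: broadband healthy, then degraded, then healthy again.
    healthy = {"mpls": {"latency": 30, "jitter": 2, "loss": 0.0},
               "broadband": {"latency": 60, "jitter": 10, "loss": 0.2},
               "lte": {"latency": 120, "jitter": 40, "loss": 0.5}}
    degraded = dict(healthy, broadband={"latency": 250, "jitter": 60, "loss": 2.5})
    router = AppRouter()
    for sample in (healthy, degraded, healthy, healthy, healthy):
        print(router.poll(sample))
```

Each round of the sample above moves VoIP off broadband the moment jitter exceeds 30 ms, keeps bulk traffic on the cheap link because its looser SLA is still met, and only brings VoIP back to broadband after three consecutive clean polls.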
APIs let companies design and automate functionality throughout the SD-WAN lifecycle. While these opportunities are currently underutilized, interest is growing as IT staff realize that, using the API, “large organizations can take ownership and manage the network in ways they couldn’t before.”
The API lets companies customize and automate the initial configuration of SD-WAN devices, change the configuration at any time, automate troubleshooting, and gather WAN performance data both for real-time traffic optimization and for long-term monitoring and infrastructure management. For example, a company may use the API to poll devices more frequently than the default.
Through APIs, companies can also configure their SD-WAN infrastructure to collect data automatically for tasks such as user group management, audit log review, device inventory, real-time monitoring and network device troubleshooting.
Cloud breakout, the ability to send branch traffic directly to the cloud instead of backhauling it to the data center, is one of the key benefits of SD-WAN. In most cases, however, network administrators have limited or no visibility into the network performance between their users and cloud SaaS applications. Vendors now offer tools for this, such as Cloud OnRamp on Cisco's Viptela platform, which measures the performance of SaaS applications and of IaaS services in Amazon Web Services and Microsoft Azure.
In an IaaS scenario, a virtual instance of the SD-WAN router runs inside the cloud provider's environment and continuously measures application performance there, giving network administrators a level of visibility they did not have before. In a SaaS scenario, the SD-WAN device probes the nearest SaaS points of presence and makes real-time decisions to select the best-performing path. Users have reported up to 40% better performance for popular productivity applications such as Office 365.
Another underused feature of SD-WAN systems is data analytics for troubleshooting network performance issues and planning long-term network capacity. Whether you run a managed service or a DIY deployment, there is a wealth of traffic data on your WAN connections. Analytics removes the typical finger-pointing between an enterprise customer, a cloud service provider, an ISP, a last-mile provider and so on.
Micro-segmentation has become an increasingly popular way to protect applications running in data center and cloud environments by segregating workloads according to policy. It gives businesses finer control over east-west traffic, and if a breach occurs, it limits the attacker's opportunities for lateral movement.
The rise of software overlays such as SDN and NFV laid the foundation for micro-segmentation, so it is only natural that micro-segmentation becomes a feature of SD-WAN overlays as well. The advantage is that if a branch node is compromised, the central policy controller can automatically quarantine the branch from the rest of the network.
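The following is an added example, not code from the article or from any SD-WAN controller, that serves both the VRF separation discussed earlier and the quarantine described in the paragraph above. It is a Python model of a controller-side policy: VRFs are isolated by default, cross-VRF traffic is allowed only through explicitly configured route leaks, and a high-severity alert quarantines a site so that it can reach nothing except a remediation segment. The VRF names, the `SegmentPolicy` class, the alert format and the flows are all constructed for illustration.

```python
class SegmentPolicy:
    """Hypothetical controller-side segmentation policy: VRF isolation by
    default, explicit one-way route leaks, and per-site quarantine that leaves
    only a remediation path open."""

    def __init__(self, vrfs, leaks=(), remediation_vrf="remediation"):
        self.vrfs = set(vrfs) | {remediation_vrf}
        self.leaks = set(leaks)             # allowed (src_vrf, dst_vrf) pairs, one direction each
        self.remediation_vrf = remediation_vrf
        self.quarantined = set()            # site ids cut off from the overlay
        self.events = []                    # (action, site, reason) for the audit trail

    def quarantine(self, site, reason):
        self.quarantined.add(site)
        self.events.append(("quarantine", site, reason))

    def release(self, site):
        self.quarantined.discard(site)
        self.events.append(("release", site, None))

    def decide(self, flow):
        """flow: dict with src_site, src_vrf, dst_site, dst_vrf.
        Returns (verdict, reason); the reason is what a log line would carry."""
        src_vrf, dst_vrf = flow["src_vrf"], flow["dst_vrf"]
        if src_vrf not in self.vrfs or dst_vrf not in self.vrfs:
            return "deny", "unknown-vrf"
        # Quarantine is evaluated before any allow rule so a route leak cannot
        # become a path out of a compromised branch.
        if flow["dst_site"] in self.quarantined:
            return "deny", "quarantined"
        if flow["src_site"] in self.quarantined:
            if dst_vrf == self.remediation_vrf:
                return "allow", "remediation-only"   # patching and forensics collection
            return "deny", "quarantined"
        if src_vrf == dst_vrf:
            return "allow", "same-vrf"
        if (src_vrf, dst_vrf) in self.leaks:
            return "allow", "route-leak"
        return "deny", "vrf-isolation"

    def handle_alert(self, alert):
        """Constructed alert format: {'site': id, 'severity': str, 'indicator': str}.
        Only high-severity alerts trigger automatic quarantine; returns True if one did."""
        if alert.get("severity") == "high":
            self.quarantine(alert["site"], alert.get("indicator", "alert"))
            return True
        return False


if __name__ == "__main__":
    policy = SegmentPolicy(vrfs=["pos", "corp", "guest"], leaks=[("pos", "corp")])
    pos_to_hub = {"src_site": 101, "src_vrf": "pos", "dst_site": 1, "dst_vrf": "pos"}
    print(policy.decide(pos_to_hub))                                     # allow, same-vrf
    print(policy.decide(dict(pos_to_hub, dst_vrf="corp")))               # allow, route-leak
    print(policy.decide(dict(pos_to_hub, src_vrf="guest", dst_vrf="corp")))  # deny, vrf-isolation
    policy.handle_alert({"site": 101, "severity": "high", "indicator": "c2-beacon"})
    print(policy.decide(pos_to_hub))                                     # deny, quarantined
    print(policy.decide(dict(pos_to_hub, dst_vrf="remediation")))        # allow, remediation-only
```

Two design choices matter here. Route leaks are one-way, so allowing the POS segment to reach corporate services does not let corporate reach POS. And the quarantine check runs before every allow rule, which is what makes the quarantine effective against lateral movement rather than just against the default deny.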
When branch traffic was backhauled to the data center over private MPLS links, the branch needed few additional networking and security functions. Now that branches connect directly to the internet, companies find themselves with a pile of branch devices such as firewalls, NAT boxes and intrusion prevention systems. Service chaining lets companies reduce branch clutter: organizations define a chain of interconnected network services and automatically steer different flows through it according to their requirements for security, latency or QoS.
While this is not specific to SD-WAN, experts say companies building their own branch links should consider fixed wireless, especially when deployment speed is the top priority. For companies with a small regional footprint, ordering WAN links from the current ISP can be fairly painless. But for organizations in rural areas where traditional broadband is unavailable, or for companies that need to bring SD-WAN to a new retail store or other pop-up location quickly, fixed wireless circuits can be a lifeline.
Early SD-WAN deployments focused on basic connectivity and cost savings. Today, SD-WAN is regarded as a network automation platform that supports digital transformation. By adopting these underused features, IT organizations can tailor their WANs to business needs.
If you want to learn more about how SD-WAN can support your international expansion, download our e-book “SD-WAN for Dummies” as a PDF.