How Does an SD-WAN Work?
SD-WAN is a software-enabled networking capability that works in conjunction with simplified hardware configurations to provide cloud and network access to multiple locations in a wide area network. Although widely adopted by most enterprises, SD-WAN is evolving with enhanced software-defined services and security features. To better understand SD-WAN, it helps to compare the technology to legacy private networks that depend on private circuits and hub-and-spoke models for public cloud access.
The Drawbacks of Private Circuit-Enabled Networks
In legacy private networks, all employees in the hub data center and spoke branch offices would access services and SaaS applications through the centralized data center firewall. This connectivity was made possible with multiprotocol label switching (MPLS), a standard routing protocol provided by telcos at high cost. Businesses relied on MPLS circuits instead of standard internet services because MPLS connections could ensure service level agreements (SLAs) and security requirements.
As the number of branch offices in a network increased, so did the cost and complexity of the network. Because SaaS applications were accessed through the hub data center, the hub became the primary bottleneck to fast service access. Enterprises also had to cover the cost of expensive service calls, known as truck rolls, to branch locations to set up equipment and troubleshoot connectivity issues, or else hire someone on site with the required technical knowledge.
SD-WAN Simplifies Connectivity with Virtualization
SD-WAN abstracts private line connectivity like MPLS into a software-controlled overlay network that is carried over physical broadband, wireless, and MPLS networks. WAN functionality, such as switching and routing, is implemented with virtualized network functions (VNFs) that run on simplified infrastructure, typically a single rack server per branch office. SD-WAN provides direct access to public cloud applications and the internet from branch offices while enabling an SD-WAN controller, hosted in the hub data center or in the cloud, to push centrally managed policies and services to the network. Branch offices no longer need to access SaaS services through the hub data center, eliminating the data flow bottleneck.
The Components of SD-WAN
SD-WAN consists of three primary components: the appliance or customer premises equipment (CPE), an aggregator, and an SD-WAN controller. CPE is on-premises hardware that includes servers, routers, and firewalls at each branch location. The aggregator is a software-level function that brings together disparate WAN connections into a unified layer that the control element can then manage. The SD-WAN controller is what enterprise IT departments use to monitor the network, push new policies, and update services across all branch offices.
Benefits of SD-WAN
Legacy MPLS-based private networks were highly structured, rigid, and resistant to change. SD-WAN offers large improvements in manageability and cost with networks that can scale efficiently as businesses expand and add new branch office locations. Other key benefits include:
- Better user experiences: Employees at branch offices no longer need to access SaaS services through the bottleneck of the hub data center. They have direct access to SaaS apps, data, and services in the public cloud.
- Simple configurations: Legacy MPLS-based private networks can require multiple devices per branch office, each of which requires manual provisioning. Because SD-WAN is a VNF, it can run alongside other network functions on a single white box server and can scale up processing power based on the edge performance needs at each branch location.
- Flexibility in choice: Businesses used to be dependent on telcos for high-cost, MPLS-based WAN connections in markets with minimal competition and innovation. With SD-WAN, businesses can use broadband access and wireless networks in addition to MPLS circuits and choose from a broad range of hardware/software vendors, OEMs, and solution providers to deploy their own SD-WANs.
- Redundancy built in: SD-WANs are not dependent on MPLS circuits and can establish virtual private network (VPN) connections over standard broadband access, Wi-Fi, and LTE or 5G. With several options, employees have multiple ways to stay connected to their apps and data in the public cloud.
- Centralized management: Hub data centers and enterprise IT departments can use control plane software to push new policies and services and set up new connections across all branches on the SD-WAN.
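The redundancy and centralized-management benefits above come together in how a controller-pushed policy steers each application class onto one of several underlay tunnels and fails over when a link misses its SLA. The following is an added illustration, not Intel's or any SD-WAN vendor's code; the link names, SLA thresholds, and measurements are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Link:
    """One underlay tunnel terminated on the branch CPE (constructed sample data)."""
    name: str          # e.g. "mpls", "broadband", "lte"
    latency_ms: float  # measured round-trip latency
    loss_pct: float    # measured packet loss
    up: bool = True    # False when the tunnel is down

# Policy the SD-WAN controller pushes to every branch: per application class,
# the SLA it must meet and an ordered preference of underlays (assumed values).
POLICY = {
    "voice": {"max_latency_ms": 80, "max_loss_pct": 1.0, "prefer": ["mpls", "broadband", "lte"]},
    "saas":  {"max_latency_ms": 200, "max_loss_pct": 3.0, "prefer": ["broadband", "mpls", "lte"]},
    "bulk":  {"max_latency_ms": 500, "max_loss_pct": 5.0, "prefer": ["lte", "broadband", "mpls"]},
}

def meets_sla(link, rule):
    """A tunnel is eligible only if it is up and within the class's latency and loss limits."""
    return link.up and link.latency_ms <= rule["max_latency_ms"] and link.loss_pct <= rule["max_loss_pct"]

def select_tunnel(app_class, links, policy=POLICY):
    """Aggregator logic on the CPE: take the first preferred underlay that meets the SLA.
    If none does, fall back to the healthiest link that is still up (best-effort),
    and return None only when every underlay is down."""
    rule = policy[app_class]
    by_name = {link.name: link for link in links}
    for name in rule["prefer"]:
        link = by_name.get(name)
        if link is not None and meets_sla(link, rule):
            return name
    healthy = [link for link in links if link.up]
    if not healthy:
        return None
    return min(healthy, key=lambda link: (link.loss_pct, link.latency_ms)).name

def route_branch(links, policy=POLICY):
    """Resolve the pushed policy against one branch's current link measurements."""
    return {app: select_tunnel(app, links, policy) for app in policy}

def push_policy(branches, policy=POLICY):
    """Controller view: apply one central policy to every branch's own links."""
    return {site: route_branch(links, policy) for site, links in branches.items()}
```

Re-running `route_branch` on fresh measurements is all a CPE needs to fail voice traffic over from MPLS to broadband when the MPLS circuit drops.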
CPE for Locations with Variable Computing Needs
SD-WAN appliances or CPE can scale up in processor performance based on the needs of each branch location. For example, a convenience store or small retail location may only need a simple appliance for encrypting data flows into VPN tunnels and connecting to the cloud. This is an example of a thin edge application, and a small-footprint server enabled by an Intel Atom® processor may fulfill these needs handily.
On the other hand, medium and thick edge applications can integrate functions such as AI at the edge for analyzing video streams or high-performance edge compute, or support large-scale deployments for hundreds of employees at hospitals and factories. For these applications, a more robust processor such as the Intel® Xeon® D processor or Intel® Xeon® Scalable processor can offer more cores or use case–specific enhancements such as hardware-enabled AI and crypto acceleration.
The Next Evolution of SD-WAN
One of the challenges with SD-WAN is that giving direct cloud access to branch locations will also increase the total attack surface of the network. Attack surface refers to potential points of entry or vulnerability that hackers can exploit to access sensitive data or to compromise network functions. To help address this problem, Secure Access Service Edge (SASE) is an advanced security architecture that hosts security services in the cloud and integrates with SD-WAN.
SASE can support functions including web gateways with zero-trust network access, remote browser isolation, encryption/decryption, and Firewall as a Service (FWaaS). The primary benefits are that SASE helps enable zero-trust access to cloud-based services and applications, with a consistent user experience, while still enabling centralized management through control plane software.
SD-WAN and SASE Deliver Flexibility and Choice
As applications moved from the data center to the cloud, businesses needed a new way for their branch offices to access services and software. SD-WAN is a huge leap toward more flexible access, and SASE is the next evolution of SD-WAN. Businesses today have many more choices for online collaboration and cloud access, and Intel can help with resources, guidance, and key hardware solutions.