SD-WAN: lessons for better deployment


Safeguard against dynamic security threats and ensure end users have high-speed access to cloud applications.

Enterprises today are migrating more and more traffic to the Internet as they accelerate their cloud transformation projects. Gartner forecasts that by the end of 2020, more than 60 percent of enterprises will have deployed direct internet access in their branch offices, up from less than 30 percent in 2016.

Connectivity is the lifeblood of any digital business. This makes it essential for enterprises to safeguard against new dynamic security threats and ensure that end users can gain high-speed access to the cloud applications they need to be productive.

Learning the lessons of early pilots

SD-WAN has fast emerged as an answer to these challenges in recent years. According to the WAN Summit 2017, the top three reasons to use SD-WAN are to cut costs, improve performance and reduce provisioning time.

SD-WAN decouples physical and virtual devices from the software management layer in a Wide Area Network (WAN). This enables dynamic path selection with load sharing across multiple connections, which could include Internet, MPLS or even LTE links. It provides support for VPNs as well as other third-party services, such as WAN optimization controllers, firewalls and web gateways.

Despite the advent of SD-WAN, enterprises are still facing problems with cloud application performance. Through 2019, Gartner predicts that over half of all global-scale deployments of Microsoft Office 365 will experience network-related performance problems.

Managing global Internet providers

In early pilots, some enterprises have opted to source their own Internet Service Providers (ISPs) and use the SD-WAN device on a stand-alone basis. The average multinational corporation (MNC) has 23 connectivity providers around the world. This means procurement teams need to track many different service contracts and bills and are more likely to have to step in to resolve disputes. Meanwhile, in-house IT teams will have to deal with multiple technical support organizations when problems occur. An enterprise may well find that some of its ISPs are not staffed on weekends, or that they schedule repair downtime at the most inconvenient time.

The alternative is to work with a managed provider to handle this complexity. When there is an issue with an application, enterprises don’t want to be left to figure out what is wrong. One entity owning the SD-WAN infrastructure and managing the underlay, including global ISP peering relationships, takes this problem away.

For example, Orange Business Services reviews the performance of all Internet carriers it partners with around the world on a monthly basis, looking at the criticality, scale and repetitiveness of issues. By the end of 2017, Orange offered Internet access in 100 countries with local ISPs and in 210 countries including Internet aggregators. The review is carried out on both a top-down and bottom-up basis, with key performance indicators (KPIs) analyzed on a global, regional and individual basis. Global buying power provides leverage to keep ISPs on track. Orange can even take over the management of any additional ISPs an enterprise currently uses.

End-to-end application and networking performance management capabilities enable a CSP to pinpoint performance issues across the data center, SaaS application, network and device stack. A unified management dashboard provides application performance and connectivity link visibility and eases the identification and reporting of issues, ensuring visibility of not only end-user performance but also of the back-end.

SLAs that extend to the SD-WAN customer premise equipment (CPE) are key. The repair or replacement time of CPE is critical to ensuring continued operations of SD-WAN locations. A large global CSP has forward stocking locations of equipment, which accelerates the opening of new branch offices and reduces downtime if issues occur. It means that equipment won’t be stuck in customs, and enterprises won’t face unexpected import duties and taxes.

Synergistic SD-WAN

Enterprises can choose from a range of flexible Do It Yourself, Do It for Me or Co-managed SD-WAN service models. In each case, the enterprise benefits from more consistent levels of performance and better guarantees with an SD-WAN solution that works synergistically with the CSP’s network.

There is a range of SD-WAN architectural deployment models. SD-WAN can be provided as a virtualized on-premise or cloud-delivered solution. Using service chaining with micro-segmentation, enterprises can add additional cloud-based security and WAN optimization functions in a highly targeted way at specific regional locations where there is a specific need. A real world example might be a need to connect a site located in Asia to a centralized cloud-based app in Europe, which would require WAN optimization, something not necessary for European sites.

This means enterprises can benefit from cost-effective bandwidth on demand, combined with usage-based billing for additional functionality that is required. Performance is assured by taking advantage of the CSP's network footprint and deploying additional, geographically dispersed private gateways or Points of Presence (POPs).

One size does not fit all

SD-WAN requirements tend to vary across applications and locations, especially for the world's largest enterprises. For example, a simple SD-WAN overlay could be sufficient to ensure high-speed access to and from retail stores to a cloud-based inventory system. But the CCTV surveillance monitoring systems may require additional security to ensure tamper-proof operations. The point-of-sale (POS) terminals will need optimized and secured links for fast transaction processing times and to ensure compliance with PCI credit/debit card processing regulations.

A CSP can offer tiered services that support a mix of low, high and mission-critical applications that are either premise- or cloud-based. As Gartner notes, legacy applications should no longer be seen as a dirty word and will continue to be part of an enterprise’s estate for the foreseeable future. Many enterprises are likely to be Internet-first, but not Internet-only. It is important to evaluate the reliability and security needs of each application to determine which traffic is routed over traditional MPLS and which traffic is routed over the Internet. A consultancy approach could be the best way to secure the right design and ensure success for this deployment, which could be done using tools like Application Visibility Services during the proof of concept phase.

The SD-WAN is configured to centrally manage the traffic routing according to business policies and to use embedded firewalls, AutoVPNs, network segmentation, and access control for tighter security. As an extra precaution, some companies opt to deploy integrated cloud-based security solutions with their SD-WAN to ensure all direct Internet traffic, even SSL, is inspected.

Network segmentation and granular access control can be configured using the SD-WAN solution to contain security breaches. One enterprise Orange is working with needed secure connectivity for both its offices and factories. Increasingly, IoT-enabled equipment on 24/7 production lines needs to be accessed by external providers carrying out predictive maintenance and to send alerts to offsite managers.

Using the SD-WAN solution, it’s possible to assign users to a virtual network zone by name, role, or job function, giving people limited access to equipment they need to check regardless of whether they are using a PC, mobile or tablet access device. As SD-WAN isn’t a box, but a solution, you can continually adapt security to new use cases that emerge like this.

What does the future hold?

SD-WAN is part of a journey enterprises will take towards software defined networking (SDN). The goal is the self-adaptive network that responds to real-time employee and customer demand.

The first step starts with "intent-based" networking. A Gartner study found that 85 percent of networks use the command line interface (CLI) as the primary method for managing their networks today, which is time consuming and often prone to human error. Intent-based networking removes the need for CLI and automates day-to-day tasks such as configuration, provisioning and troubleshooting. Rules can be implemented, deployed, managed and changed universally throughout the system.

CSPs continue to work hard to deliver flexible services beyond the boundaries of their own infrastructure. With the support of the MEF (Metro Ethernet Forum), a global standardization group, Orange is developing APIs to provision and manage connectivity across physical infrastructures from different network providers. This allows automated ordering, provisioning and instantaneous bandwidth changes over a third-party network and cloud services.

What appears clear is that SD-WAN is and will be central to helping companies of all kinds manage cloud and hybrid networks moving forward – according to Riverbed, 98 percent of global IT decision-makers endorse this. The same survey found that four percent of companies are already using SD-WAN today, while 52 percent plan to migrate to it within two years, with respondents citing overcoming lack of network and application visibility as their top reason for doing so.
