What is SD-WAN?

Your Software-Defined Wide Area Network questions answered

Need an introduction to SD-WAN? Here’s what you need to know about a Software-Defined Wide Area Network.

What is SD-WAN?

SD-WAN stands for software-defined wide area network. The phrase “software-defined WAN” refers to the application of software-defined networking (SDN) concepts to the WAN. These modern architectural principles are applied to the WAN in order to turn the control layer of the network (once all hardware) into software. That’s a revolutionary change, because now the network’s control functions are in a cloud-based controller that can be programmed in ways that were never possible before.

SD-WAN virtualizes numerous components of the traditional network (e.g. secure routing, application optimization, etc.). Plus, it centralizes the network management via a cloud-based “orchestrator.” This centralized control is a key feature because it allows SD-WAN solutions to intelligently direct IP traffic in order to optimize performance. SD-WAN continually monitors bandwidth utilization, packet loss, and latency, and dynamically selects the best path according to whatever parameters you choose. By continually monitoring and readjusting, SD-WAN ensures that you always get the best application performance possible.

How does SD-WAN work?

SD-WAN fundamentally does two things:

  • Enables hybrid networking: Utilizes all WAN connections simultaneously – broadband public internet, DIA, ethernet, private MPLS lines, etc. – while intelligently steering traffic to optimize application performance
  • Allows more IT agility: Gives you the agility to add new WAN connections and sites quickly and with less downtime

Now, let’s talk about exactly how SD-WAN accomplishes this. SD-WAN is an endpoint device that must be installed on a corporate network. It’s usually a hardware appliance but sometimes the endpoint can be virtual customer-provided equipment or “vCPE”.

SD-WAN makes use of all network paths (both private and public) through the centralized controller. Using a system of rule-based policies, bandwidth resources are automatically assigned based on your prioritized list of applications, users, and locations. SD-WAN continually monitors bandwidth utilization, packet loss, and latency, and dynamically selects the best path according to whatever parameters you choose. By continually monitoring and readjusting, SD-WAN ensures that you always get the best application performance possible.

SD-WAN’s centralized management controls are available in the web portal or online console, also called a “single pane of glass.” This is where you configure exactly how you want your SD-WAN to prioritize and route traffic and which features you want it to use. It’s also where you can view network and application performance data for your entire WAN. From here, you can access SD-WAN’s features, provisioning new links and services and tapping into features like active-active links, dynamic routing protocols, quality of service, and more.

What are the benefits of SD-WAN?

SD-WAN can help you:

  • Increase network availability and reliability
  • Improve cloud application performance
  • Reduce network service costs
  • Enhance IT agility
  • Access cloud services directly and more efficiently
  • Make network changes faster and more cost-effective
  • Update WAN routing equipment
  • Enhance security

SD-WAN has popularized the strategy of converting your network’s private MPLS connections to public connections. The benefit is that you can leverage the cost advantages of broadband internet service for secure connectivity and access to cloud-based resources. This allows for cost savings, but it may also decrease the reliability and performance of the network.

Another key benefit of SD-WAN is that it can act as an on-ramp to the cloud, offering direct connections to top cloud service providers such as Amazon® Web Services, Microsoft® Azure, Google® Cloud Platform, IBM®, and more. This gives CIOs and network architects a simple way to link their corporate WAN with an array of private and public cloud resources. It also means they don’t have to accept the performance of the public internet to connect them. You get turnkey private or shared connections to your cloud infrastructure or applications.

Another benefit of SD-WAN is its ability to detect network outages and automatically reroute IP traffic accordingly to reduce downtime. SD-WAN improves the resiliency of the WAN by dynamically balancing traffic across multiple paths to increase application performance. SD-WAN solutions determine the best path to deliver business-critical applications based on available bandwidth across the entire WAN.

What problems does SD-WAN solve?

The advantage of SD-WAN is that it can solve an array of traditional network challenges, including:

  • Not enough bandwidth: The proliferation of SaaS applications, cloud services, and digital transformation initiatives creates an ever-increasing demand for network resources
  • Long deployment times for new sites: Traditional networks require manual processes to make changes and provision new locations and services
  • Network outages and application performance problems: Network reliability and availability issues plague business continuity and corporate communications
  • IT management and security complexities: Monitoring application performance and network activity, as well as troubleshooting, is difficult with a rigid legacy architecture

What is the difference between SD-WAN and MPLS?

When first introduced decades ago, Multiprotocol Label Switching (MPLS) upended the networking world as the new highly-efficient way to transport data between two or more locations. Today, SD-WAN is largely doing the same thing. So, what’s the difference? It comes down to cost and reliability mostly, but the two are also fundamentally different.

MPLS operates similarly to switches and routers by using packet-forwarding technology and labels to make data-forwarding decisions for IP traffic on a network. The result is the highest quality of service and reliability possible, which explains why businesses still typically use MPLS to carry their high-priority IP traffic across the WAN. But this stability comes at a higher cost when compared to other types of connectivity or network access methodologies. MPLS is also subject to geographical boundaries as each MPLS link is reliant on the local telecommunications carrier.

To be clear: SD-WAN is not a network connectivity type or access methodology, so comparing it to MPLS is not an apples-to-apples comparison. SD-WAN is a hardware device and solution offering that allows you to leverage any type of bandwidth–private or public. Many people incorrectly believe that “it’s only SD-WAN if you use internet links,” but this is false.

In an SD-WAN deployment, IP traffic is intelligently routed to either hardware or software endpoints with end-to-end encryption across the entire WAN. Because SD-WAN is not tied to a particular carrier, the endpoints can leverage any type of bandwidth–meaning you can use a private MPLS service or a more cost-effective public internet broadband service. And what’s more, you can mix and match public and private connections in a hybrid model. This can lower the per-megabit cost as well as reduce the geographical barriers associated with MPLS.

What is the difference between SD-WAN and SDN?

SD-WAN is a hardware device installed on a network to gain distinct advantages, whereas a software-defined network is just that–a network built using software-defined principles and architectural models. The two are often confused because they can come bundled together in a single solution, sometimes called “in-net SD-WAN solutions.”

Think of a software-defined network (SDN) as the foundation or cloud platform that serves an SD-WAN solution offering. With an in-net solution, the SD-WAN functionality is tied to the providers’ network service cloud. In essence, it’s an SD-WAN-equipped Network as a Service (NaaS) solution. Some people also call this SD-WAN as a Service.

How much money can I save with SD-WAN?

Generally speaking, the more private MPLS links you can convert to public internet broadband links, the more savings you will generate. But SD-WAN offers more ways to save than just link conversion. And the more important consideration is: How will the public internet affect the reliability of your network? Here’s what you need to know.

Most CIOs are attracted by the cost savings of SD-WAN with public broadband, and rightfully so. Some articles online show savings of 90% and upwards. While these cases are probably verifiable, IT leaders should be aware that these case studies reflect situations where ALL (or the vast majority) of private connections were converted to broadband internet. Customers that move only a few access points to the public internet will recognize a far more conservative cost savings.

Keep in mind that cost and network reliability are positively correlated: as costs decrease, so does reliability. Networks using only broadband have much lower reliability than those using private MPLS access. Depending on the importance of business continuity and your network risk tolerance, an all-broadband approach to SD-WAN may not be advisable for your critical business applications.

At Masergy, we see our clients recognize about 40% cost savings, on average. They report the savings not just from network link conversion but also from vendor consolidation, productivity gains, and security efficiencies as well.

How does SD-WAN improve network security?

SD-WAN secures traffic in transit, making it a key player in network security. Solutions that include integrated firewalls and associated unified threat detection and response services help strengthen security posture as offices and branch locations leverage the internet for connectivity.

But there are other security benefits that are often overlooked. SD-WAN facilitates the normally difficult task of WAN segmentation, which helps businesses address issues such as security threats coming from within. Segmentation is a key security strategy and a focal point for many Zero-Trust security strategies. SD-WAN also plays a key role in first-line-of-defense capabilities. SD-WAN solutions can improve network security by whitelisting online applications and websites for branch offices that may not have local firewalls.

What security considerations do I need to make with SD-WAN?

Given that SD-WAN paves the way for companies and their branch locations to leverage the internet for connectivity, security must be at the top of the priority list. When SD-WAN is deployed over dedicated internet connectivity or public broadband, it can introduce security risks that require next-generation firewalls, threat monitoring, and management. Therefore, bundling security into SD-WAN isn’t just an option; it’s a requirement.

Closely monitored firewalls are key defense mechanisms when SD-WAN shifts the network architecture away from a small set of centrally managed internet gateways and toward a highly distributed set of gateways. Because this dispersed architecture inherently increases the attack surface, the next move of any savvy network engineer is to implement next-generation firewalls with Unified Threat Management. You’ll want:

  • A single on-premise or virtual client device that can handily and cost-effectively serve multiple security functions, including embedded firewalls for secure internet offloads and automatic encrypted tunneling to secure data across the internet
  • The ability to centrally drive policies and configurations to reduce complexity and ease security management–for example, centralized orchestration is a path to chaining WAN security services like firewalls and routers across locations around the globe
  • The ability for SD-WAN network performance monitoring as well as 24/7 security monitoring to sort through alerts generated by your SD-WAN firewalls
  • Response services to take action against those threats as needed

Which basic types of SD-WAN deployment are on the market?

The first step in planning for SD-WAN is to decide how you want to deploy it. Do you want a self-managed solution or a fully managed service? IT leaders are thinking long and hard about who should take on the responsibilities required, because SD-WAN deployment can entail:

  • broadband service procurement, link procurement and installation
  • 24/7 service monitoring and optimization with ongoing policy management
  • hardware updates and upgrades
  • service troubleshooting and training for the IT team
  • security, which requires additional resources and specialized knowledge

Taking a Do-It-Yourself (DIY) approach requires purchasing hardware from a manufacturer and administering, maintaining, and managing the service using your own internal IT team. This may be worth it if you want total control. But even with skilled and experienced networking staff, some feel more comfortable using a managed SD-WAN service, working with a provider that implements and manages SD-WANs every day. This takes the burden off the client’s IT team, freeing them to work on more strategic initiatives.

What do most IT leaders do? Here’s what the research shows:

  • Nemertes Research shows adoption of managed services rose from 8% in 2017 to 49.5% in 2020.
  • Research from Omdia shows 98% of SD-WAN adopters are using external parties at least somewhere along their journey, with 59% of them asking providers to help manage security, 53% asking for help managing network policies, and 46% asking for help with solution access, design, and installation.

What is the difference between a fully managed SD-WAN solution and a co-managed solution?

According to analysts at Omdia, in making the choice to adopt a managed service, most IT leaders are reluctant to outsource SD-WAN completely–only desiring selective service. SD-WAN providers have responded by adding co-managed services to their portfolios. Recognized as an alternative to a fully managed service, here’s what this “middle” option means.

A co-managed model is a shared responsibility arrangement between the client and provider. It creates a balance where businesses benefit from distancing themselves from the day-to-day administration while still retaining control over the network service. This model decreases the burdens of SD-WAN setup and network performance management without eliminating the client’s control. Of course, service charges apply.

In shared models, companies no longer face the binary choice between a fully managed service and DIY, where cost and control have traditionally been pitted against each other. Thus, the co-managed decision may feel like a no-brainer. However, truly getting the best of both worlds takes consideration in the areas of responsiveness, agility, flexibility, and security.

What are the different types of network connections I can use with SD-WAN? And, how do I design an SD-WAN solution?

SD-WAN makes it easy to diversify WAN connectivity with both private and public access methodologies. You can mix and match network connections, including:

  • Direct internet access (DIA)
  • Fixed wireless (5G or LTE)
  • Public internet access (broadband)

But this flexibility also brings the responsibility to engineer the smartest solution design. When should you use each of these options and how do you establish your SD-WAN routing rules, mapping your business applications to each option?

First, you should have an intimate understanding of your business continuity risk tolerance. It helps to categorize your list of business applications, locations, and user groups by importance, listing them as critical, important, or discretionary. The result of this exercise provides a framework for prioritization and an SD-WAN solution design blueprint that allows you to match applications, locations, and user groups with appropriate connectivity types.
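The prioritization exercise above, combined with the metric-driven path selection described under “How does SD-WAN work?”, can be sketched as a small policy engine. This is an added example, not Masergy’s or any vendor’s code; the link names, thresholds, application inventory, and tier-to-transport policy are assumptions, and the measurements are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str
    kind: str               # "mpls", "dia", "broadband" or "lte"
    up: bool
    latency_ms: float
    loss_pct: float
    utilization_pct: float

@dataclass(frozen=True)
class TierPolicy:
    allowed_kinds: tuple    # transports this tier may use, most preferred first
    max_latency_ms: float
    max_loss_pct: float
    max_utilization_pct: float
    fail_open: bool         # if no link meets the thresholds, use the least-bad one

# Assumed policy: thresholds and transport choices are illustrative only.
POLICIES = {
    "critical":      TierPolicy(("mpls", "dia"), 80, 0.5, 80, True),
    "important":     TierPolicy(("dia", "mpls", "broadband"), 150, 1.0, 90, True),
    "discretionary": TierPolicy(("broadband", "lte"), 300, 3.0, 95, False),
}

# Assumed application inventory. Anything unlisted is treated as discretionary,
# so unclassified traffic never lands on the private transport by default.
APP_TIERS = {"voip": "critical", "erp": "critical", "email": "important",
             "video-streaming": "discretionary"}

def meets(link, policy):
    """True when the link's current measurements satisfy the tier's thresholds."""
    return (link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.utilization_pct <= policy.max_utilization_pct)

def select_path(tier, links):
    """Return (link name or None, status) with status ok, degraded or blocked."""
    policy = POLICIES[tier]
    candidates = [ln for ln in links if ln.up and ln.kind in policy.allowed_kinds]
    compliant = [ln for ln in candidates if meets(ln, policy)]
    if compliant:
        # Preferred transport first, then lowest loss, then lowest latency.
        best = min(compliant, key=lambda ln: (policy.allowed_kinds.index(ln.kind),
                                              ln.loss_pct, ln.latency_ms))
        return best.name, "ok"
    if candidates and policy.fail_open:
        # Brownout: nothing meets the thresholds, keep the tier on the least-bad link.
        best = min(candidates, key=lambda ln: (ln.loss_pct, ln.latency_ms))
        return best.name, "degraded"
    return None, "blocked"

def route(app, links):
    return select_path(APP_TIERS.get(app, "discretionary"), links)

def with_changes(links, name, **changes):
    """Copy of the link list with one link's measurements overridden."""
    return [replace(ln, **changes) if ln.name == name else ln for ln in links]

# Constructed measurements for three situations.
NORMAL = [
    Link("mpls-1", "mpls", True, 35, 0.0, 40),
    Link("dia-1", "dia", True, 28, 0.2, 55),
    Link("broadband-1", "broadband", True, 60, 1.8, 70),
    Link("lte-1", "lte", True, 90, 2.5, 30),
]
OUTAGE = with_changes(NORMAL, "mpls-1", up=False)          # private link down
BROWNOUT = with_changes(OUTAGE, "dia-1", loss_pct=2.0)     # and DIA degrading

if __name__ == "__main__":
    for label, links in (("normal", NORMAL), ("outage", OUTAGE), ("brownout", BROWNOUT)):
        for app in list(APP_TIERS) + ["unknown-app"]:
            print(f"{label:9} {app:16} -> {route(app, links)}")
```

The `degraded` and `blocked` statuses are the events worth alerting on: the first means a critical or important application is running outside its thresholds, the second that a tier has no permitted transport left.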

How does SD-WAN help with direct connections to cloud service providers?

As with any cloud application or service, the performance is only as good as the network connection that supports it. When IT leaders rely on public internet connectivity to support cloud services, availability and reliability can be compromised. SD-WAN helps by offering direct connections to top cloud service providers such as Amazon® Web Services, Microsoft® Azure, Google® Cloud Platform, IBM, and more. This gives CIOs and network architects a simple way to link their corporate WAN with an array of private and public cloud infrastructure resources. Turnkey private or shared connections increase cloud performance and reliability with service level agreements.

How do you use SD-WAN to enable work-from-home?

When every remote employee becomes a branch office to provision, SD-WAN and SD-branch capabilities offer rapid-deploy VPN connections backed by software-defined agility and built-in security. Plus, unified communications applications can be bundled with SD-WAN offerings, helping you ensure crystal clear VoIP and video conferencing across the globe.

Rapid-deploy VPN connections: With SD-WAN, dialing connections, tunnels, links, loops, and bandwidth up and down is faster and easier than on legacy networks governed by manual processes.

Built-in security: Home Wi-Fi routers and work-issued devices shared at home can become new attack vectors for hackers to exploit, but SD-WAN can help mitigate security risks using cloud firewalls that make it easy to open SSL tunnels and secure them with 24/7 threat monitoring and response services. Clients also add on endpoint detection and response, identity-based WAN analytics, cloud security technologies like Cloud Access Security Broker (CASB) and more.

UCaaS digital collaboration tools: Pairing SD-WAN with unified communications applications creates a fully managed service, backing VoIP and video conferencing with a top-performing network and service level agreements to ensure consistent experiences all around the world.

How do SD-WAN providers differ?

The SD-WAN vendor landscape is noisy with large providers and an ever-increasing number of startups and competitors. This muddies the waters if you’re a decision maker. Do you go with a seemingly safe big-name brand? Or do you bet your global network on a startup? Size aside, there are two different types of providers: SD-WAN equipment manufacturers or resellers, who sell only hardware for the do-it-yourself solutions, and managed SD-WAN service providers.

In the managed services industry, there is a distinct polarity problem: Large providers and small startups saturate the market. Thus, very few agile, mid-sized providers exist. This is challenging for SD-WAN buyers who may not have the brand clout or company size to earn the full attention of “gorilla-sized” legacy providers, and yet may not feel comfortable partnering with a startup. Thus, many decision makers feel they must choose between the two extremes–getting the service they deserve or the technology they need (see chart below). Extra efforts during due diligence stages are helpful in finding a partner that is “just right.”

Does Masergy’s SD-WAN provide active-active configuration and application-based routing?

Yes, here are some of the standard features included in Masergy’s SD-WAN solutions:

  • Active-Active Configuration – Leverage primary and backup circuits simultaneously while still supporting failover requirements
  • Application-Based Routing – Automate WAN traffic management with the ability to prioritize business-critical applications and allocate bandwidth resources accordingly
  • Dynamic Application Steering – Create policies to switch transports on the fly based on your defined parameters, and make use of all network paths (both private and public).
  • Distinguish applications and control multipath networking environments – Packets or sessions traverse available paths to the WAN or multi-cloud environments
  • Automatic failover recovery keeps you productive during an outage or brownout
  • Centralized Orchestration – Streamline performance optimization processes with centralized policy and configuration management
  • Network Function Virtualization – Cut costs and simplify management by virtualizing more aspects of your WAN. You can mix and match across three different options: virtual (vCPE), in the cloud, or premise-based hardware

What differentiates Masergy’s SD-WAN management portal?

Having a “single pane of glass” unified portal is what every network architect and IT manager dreams about. But the reality is that adding SD-WAN to a corporate network can also add another separate admin portal in addition to your existing WAN’s admin interface. Multiple logins and multiple interfaces result in a fragmented experience that never achieves 100% visibility and control over the entire corporate WAN… that is unless you use Masergy.

Masergy’s Intelligent Service Control portal is a unified management dashboard and control platform that frees enterprises from cross-referencing disconnected networks and disparate components. With centralized management and a single view of application performance, monitoring and managing your entire network is less complex.

Unmatched network and application intelligence – Get a holistic view of your network, SD-WAN, and cloud applications, including unified communications.

End-to-end visibility of application performance across public and private connections – See real-time analytics on every endpoint on your WAN no matter if the site is connected via private links or public “best effort” broadband. Masergy’s unified portal gives you the visibility needed to make faster, more informed decisions about bandwidth allocation and service improvement.

Self-service or full-service options – Make adjustments on the fly using self-service controls or rely on Masergy professionals to manage the network for you. Most customers do both, leveraging the benefits of a co-managed model.

How does Masergy AIOps provide a 24/7 virtual network engineer?

Masergy AIOps is the industry’s first AI-based, digital assistant for network, security, and application optimization. It leverages machine learning and behavioral analytics for network insights. Acting as a virtual engineer for your global SD-WAN, AIOps delivers automated network evaluation for easier configuration improvement. Get real-time alerts and recommendations inside your Masergy SD-WAN management portal, allowing you to quickly enhance application performance. AIOps is based on Masergy’s 20 years of innovative anomaly detection and predictive analytics leadership.

Masergy AIOps:

  • Predicts potential challenges based on network and application anomalies
  • Delivers actionable insights for your global network and app performance
  • Reduces support calls and costs by anticipating your network optimization needs
  • Requires no complex setup and comes standard with every Masergy Managed SD-WAN solution.

What access or transport options can I use with Masergy SD-WAN?

Any one you want and a mixture of all. Masergy’s SD-WAN is transport agnostic, meaning you have the flexibility to mix and match public and private access, designing your connectivity to meet the unique needs of your applications, users, and locations all across the globe. Your options include: private connectivity via Masergy’s global software-defined network, dedicated internet access, broadband, and fixed wireless (LTE and 5G). You can leverage your existing infrastructure across private and public access points, and Masergy will work with any last-mile provider. You can bring your own bandwidth or Masergy can provision broadband service via any of our 300+ internet service providers around the world.

When you choose Masergy’s private, software-defined network service, you get industry-leading performance with <1 millisecond of jitter and 100% packet delivery across the globe.

But no matter which way you go, you get 24/7 network performance monitoring with proactive service notifications.

Does Masergy offer SD-Branch capabilities?

Yes. SD-Branch is an SD-WAN-based strategy that allows enterprises to remove IT infrastructure and personnel from branch offices, helping to reduce costs while also improving application performance. SD-Branch replaces the standard IT branch office hardware with software, using SD-WAN as a single platform to address all branch network needs. This enables businesses to operationalize their WAN expenses, turning the capital expense of networking hardware into the operational expense of software and services. SD-Branch can also reduce the time required to turn up a branch office by leveraging LTE and 5G wireless access options.

Masergy virtualizes the multiple networking appliances commonly used at your branch offices, extending Masergy’s global, software-defined network into your LAN. Our SD-Branch solution delivers a combination of next-generation firewalls, secure switching, and Wi-Fi access points that are perfect for hybrid WAN deployments with a combination of private Layer 3 links at large offices and SD-WAN at branch locations. Improve your network uptime and application performance, using SD-WAN’s abilities to connect directly to the internet and better utilize bandwidth.

Does Masergy offer direct connections to major cloud service providers?

Yes, and more! As your applications move to the cloud, you need agile and secure connectivity to support your digital strategy. Masergy makes it easy to rapidly establish direct connections to cloud service providers and get high-performing SaaS applications with industry-unique cloud service guarantees. Masergy Direct Cloud Connect solutions provide:

  • Latency-free connections to leading cloud IaaS providers including Amazon® Web Services, Microsoft® Azure, Google® Cloud Platform, IBM®, and more
  • Direct connections to 200+ popular enterprise SaaS applications; everything from SAP® and Salesforce® to Zendesk® and Box®
  • Industry-unique SLAs for cloud connections to help enterprises ensure a consistent and high-quality service experience across the globe with 100% service availability

Who makes the SD-WAN hardware for Masergy’s solutions?

Our Managed SD-WAN solution includes modified Fortinet® FortiGate devices at the secure network edge. Masergy selected Fortinet hardware due to the company’s expertise in enterprise cybersecurity and our recognition that in a multi-cloud world, networking and security are inextricably linked.

How is security built into Masergy’s solutions?

In addition to the built-in Fortinet next-generation firewalls with secure routing that come standard with all solutions, we also offer three separate tiers of additional managed detection & response services:

  • SD-WAN with Unified Threat Management (UTM) combines logging and alerting cybersecurity features visible in the Masergy Intelligent Service Control admin portal
  • SD-WAN with Threat Monitoring & Response (TMR) builds upon the UTM bundle with 24/7 monitoring and incident response of UTM events from certified security analysts in Masergy’s three global SOCs
  • SD-WAN with Managed Security Services (MSS) includes the TMR bundle along with all additional security features

When it comes to designing an SD-WAN solution, what flexibility does Masergy offer?

Masergy’s solutions are hyper flexible, providing virtually unlimited design flexibility. You can connect every location, application, and user group in the way that makes the most sense for your business needs today and enjoy the freedom to make changes on an ongoing basis.

  • Flexible access options – Masergy’s SD-WAN is transport agnostic, meaning you have the flexibility to mix and match public and private access, designing your connectivity to meet your unique needs
  • Bring your own network – Locked into a contract with a third-party MPLS provider but want to immediately move to an SD-WAN solution? No problem. Masergy’s “bring your own network” (BYON) option allows you to overlay Masergy’s SD-WAN Secure Over the Top solution on top of your existing third-party network
  • Last-mile vendor neutrality – Reduce your risk of vendor lock-in. We never lock you into a single last-mile provider because Masergy will work with any last-mile provider. You can bring your own bandwidth or Masergy can provision broadband service via any of our 300+ internet service providers around the world.
  • Multi-Cloud Connectivity – Get latency-free direct connections to leading cloud IaaS providers and 200+ popular enterprise SaaS applications
  • SD-Branch capabilities – Extend Masergy’s global, software-defined network into your LAN. We deliver a combination of secure switching and Wi-Fi access points that are perfect for hybrid WAN deployments with a combination of private Layer 3 links at large offices and SD-WAN at branch locations
  • Flexible security options are built in – Fortinet next-generation firewalls with secure routing come standard with all solutions–plus, we also offer three separate tiers of additional managed detection & response services