SD-WAN Explained

A Brief History of WANs

The concept and implementation of a WAN (wide area network) first came about as a means of facilitating remote terminal access to mainframes and minicomputers. Arguably the first WAN clouds used X.25 in the 1970s and 80s, followed by Frame Relay in the early 90s, but it wasn’t until IPsec VPNs and MPLS VPNs in the late 90s that WANs became widespread.

Just as the rise of the Internet has spawned many innovations at scale, there has been a constant desire to reduce the cost per bit of bandwidth, especially across expensive WANs. As broadband connections became more ubiquitous, organizations began to use these connections as cheaper paths for multiple types of traffic across different scenarios.

In the early 2010s, SDN (software-defined networking) began to be recognized as an approach that could reignite innovation in data networking. Its goal was to abstract networks further for a range of functional, operational, and performance gains. Early goals sought to disaggregate networking hardware and software, standardize the control plane, and deliver more openness. SDN also sought to accelerate innovation cycles. Just as compute and storage had gone through major evolutions and shed levels of complexity, SDN began to rewrite the “how” not just the “what” of networking.

It’s from the SDN school of thought that SD-WAN (software-defined wide area network) was born. SD-WAN technology is not one specific WAN architecture but rather a concept and abstraction that seeks to address many of the constraints and shortcomings experienced with traditional WANs.

WAN Challenges

Even with dynamic routing protocols, rarely are WAN paths optimized for anything more than the most basic reachability. CSPs (communications service providers) may make the most extensive use of routing metrics such as latency, jitter, and packet loss, along with policy-based techniques, to apply their business practices and optimize costs for deploying failover links and other customer experience enhancements across the WAN. For many organizations, however, such tasks are complex, time-intensive, and cost-prohibitive.

On the other hand, enterprises whose WANs rarely generate revenue are often beset by productivity-impacting issues that result in a loss of user confidence. This loss can be due to suboptimal WAN performance, outages, or maintenance tasks that affect business-critical workflows and communication.

Although traditional WANs are dynamically routed, their orchestration and operations are burdened by a lack of situational awareness about individual user sessions and the extent of the footprints they serve. Modern multimedia applications such as voice, videoconferencing, gaming, and a host of other latency-sensitive apps require constant peak performance. They do not tolerate congestion or packet loss well.

So, what are some of the problems or challenges an SD-WAN aims to solve?

  • Expensive WAN connectivity
  • Operational complexity
  • Limited controllability and coarse metrics
  • Service brittleness
  • Lack of application and session awareness
  • Suboptimal performance, congestion, and complex queueing
  • Limited scalability and elasticity
  • No default defensive security posture
  • Applying or embedding business policies


The SD-WAN Promise

As mentioned, SD-WAN is a concept and an abstraction layer. It’s a networking approach that has varying architectures, implementations, and goals but is focused on improving all facets of WAN service delivery. A natural offshoot of SDN, SD-WAN makes a WAN more malleable, programmable, and intelligent. This approach facilitates new functionality, improved service delivery, and reduced costs. Additionally, SD-WAN plays a role in evolving models of infrastructure management, monitoring, and security.

SD-WAN Meaning: What Exactly Is Software-Defined?

Whether to simplify orchestration, add more programmability to a WAN, or deliver a new overlay virtual network, SD-WAN means different things to different people (hence the somewhat ambiguous nature of the term). What does software-defined mean relative to the WAN?

Rather than let traditional network operating systems and static configurations define the totality and operation of a WAN, SD-WAN presents a new interface or platform that influences or provides WAN functionality and features. Everything from orchestration and operations down to low-level packet control can be driven by this new (and often centralized) software platform.

SD-WAN is not just a reinterpretation of an NMS (network management system). It represents a paradigm shift in reshaping and controlling low-level and high-level WAN functions. By embracing the approach and benefits of SDN (commonly seen in modern data centers), WAN services can evolve and adapt more quickly to an organization’s changing needs and requirements.


SD-WAN Solutions: Defining and Redefining the WAN

Although networks with dynamic routing protocols are themselves a type of distributed system, SD-WAN implies the use of intelligent logic to provide a new service overlay or interfaces to drive, accelerate, and optimize the WAN in real time. Enhanced logic, additional automation, and new features are orchestrated and controlled from this platform. Some SD-WANs can also directly engage with an existing underlay (via traditional routing protocols) and provide a whole new virtual overlay plane for packet control, steering, and forwarding.

SD-WAN comes with varied architectures. Often SD-WAN entails a centralized physical, virtual, or cloud-based controller. Some solutions augment the underlay WAN with new physical or virtual nodes. Most organizations take advantage of market-based SD-WAN solutions, while a few build their own solution platform subject to the right internal expertise and willingness.

With the new system interfaces and overlays, SD-WAN can redefine and transform traditional WAN service delivery and operations. Where reachability and reliability were the conventional building blocks of existing underlays, SD-WAN addresses the need for a more aware, intelligent, and resilient network.

SD-WAN: A New Approach

Goals of an SD-WAN

Although organizations may have differing goals for deploying an SD-WAN, they generally seek a blend of common business and technical requirements:

  • Simplified operations with greater network resilience
  • More intelligent pathing, orchestration, and agility
  • The ability to embed business logic and policy deep into the network
  • Reduced transport costs and optimized resource utilization
  • Better observability and application analytics
  • Application acceleration (increasingly for SaaS applications sensitive to latency, loss, and jitter)
  • Increased security with fine-grained policy control
  • Improved user experience and better quality of service
  • Programmability, wider automation, and more modern APIs


SD-WAN Benefits and Drivers

As technology morphs and changes, so too do network traffic patterns. Organizations continually seek to better manage network complexity, all while controlling costs and providing the best services they can to their customers and employees. As cloud-based services usher in greater demands on WAN connectivity, the services being accessed may result in flows along trusted or untrusted paths. Depending on the transport used, these paths may make use of shared rather than dedicated links and may not offer multiple classes of service.

To simplify, unify, and secure multiple access types, be they branch, campus, data center, or otherwise, SD-WAN solutions promise greater elasticity, agility, and security delivered in a range of form factors and business models. When evaluating SD-WAN solutions, it’s imperative that organizations are clear about their motivations, requirements, and desired outcomes, not just for Day 0 (design), but all the way through Day 1 (deploy), Day 2 (operate), and beyond.

Who Does SD-WAN Benefit?

SD-WAN benefits large-scale network operators, smaller players, and everyone in between. SD-WAN is not just about enhancing orchestration, operations, and security, but also about enhancing service delivery and improving the quality of user experience. Network operators, a company’s bottom line, and WAN users, whether human or machine agents, all benefit.

For NSPs (network service providers), SD-WAN implementations enable them to offer more robust and enhanced WAN services. SD-WAN is evolving toward becoming a form of IaaS (infrastructure as a service), which can be applied internally or as an MNS (managed network service) at the network edge. As SD-WAN-powered managed WAN services grow in popularity among enterprises, large campuses, and retailers, SD-WAN service providers will continue to innovate their offerings. Many already offer features like ZTP (Zero Touch Provisioning) and ZTC (Zero Touch Configuration) to reduce friction, scale operations, and improve time to delivery and time to value.

Across all organizations, network and security teams that embrace SD-WAN have the capabilities to improve services, decrease response times, and most of all, remove everyday toil. The less time IT teams spend on keeping the lights on, the more time they can spend on projects that help move their business forward. Any business workflow, network flow, or workload that relies upon a WAN has the potential to benefit from SD-WAN features and functionality, resulting in a higher-performing, more resilient, and secure organization.

SD-WAN Architecture

One of the original goals of SD-WAN was to separate the data and control plane to facilitate higher-order logic and intelligence. Yet there still is no single unified SD-WAN network architecture. There are many approaches and variants, and some people might argue that automated orchestration and operations can also constitute an SD-WAN.

There are, however, common building blocks and boundaries that constitute SD-WAN as a conceptual delivery model. It can be thought of as a platform that may engage with, augment, or displace elements of a WAN and its operation, by either integrating with or replacing network functions in the data and control planes.

SD-WAN designs and solutions also typically play a major role in network provisioning, orchestration, management, and monitoring, while some deliver far more dynamic and granular capabilities for performance, policy, and security requirements.

Even with differing business models and use cases, SD-WAN commonly includes a centralized controller and either a full or partial mesh (versus a traditional hub-and-spoke topology). Although an SD-WAN may leverage an underlying traditional or hybrid WAN to build its new transport overlay, it’s an OTT (over-the-top) model that enables the most rapid deployments and lifecycle management, thus avoiding costly rip and replace upgrades.

Tunnel-Based or Tunnel-Free Designs

Tunnels add per-packet overhead and increase fragmentation. The additional data and processing overheads negatively affect throughput and performance. Tunnel-based approaches also complicate and hinder scaling while contributing to slower session failover across backup paths. Additionally, once traffic is tunnelled, security policies cannot be applied mid-flight: inspection, identification, and profiling are only possible after decapsulation, behind the tunnel endpoint.

Newer tunnel-free approaches reduce SD-WAN packet overheads and maintain optimal throughput without costly encapsulation. This approach also supports rapid scaling and, while not infinitely scalable, requires far fewer resources and less configuration to deliver a growing any-to-any topology. Tunnel-free designs also facilitate better situational and session awareness, making it possible to steer flows and apply security policies earlier in the path.

SD-WAN Deployment

As mentioned, SD-WAN may come in many forms (and form factors), but the most popular involve the least amount of real-world friction. Some scenarios use an on-premises appliance or whitebox, but most SD-WAN architectures and solutions offer virtual machines and virtualized network functions that can be wholly software provisioned on existing servers and routers.

Just as a traditional WAN provides connectivity and transport between sites, assets, and services, an SD-WAN can also extend an intelligent edge or mesh to anywhere there are managed entities or agents (even when using unmanaged underlays):

  • Branch and remote office to corporate
  • Distributed campus
  • Data center to data center
  • Remote access
  • Corporate to public or private cloud
  • CSP or ISP core/edge

As SD-WAN is not an explicit protocol or technology, many implementations of SD-WAN overlay make use of disparate underlying wired and wireless transports or technologies, including but not limited to SD-WAN over MPLS VPNs, DSL, and 5G/LTE (or other wireless backhauls).


SD-WAN doesn’t directly replace MPLS VPNs but can offer an alternative when combined with other transports. SD-WAN integrates with a whole host of WAN technologies across disparate architectures. Different flavors of SD-WAN will easily leverage existing MPLS services and build their own new topology or overlay, some of which are tunnel-less. By dramatically decreasing data encapsulation overheads, these tunnel-free SD-WAN solutions immediately address cost optimizations on a wide variety of links while maintaining security and associated confidentiality.

In certain scenarios, SD-WAN implementations can diminish the need for MPLS VPNs by using more cost-efficient connectivity options while maintaining many of the characteristics of more expensive transport options.


The Keys to SD-WAN

All About User Experience

It’s often assumed that an organization knows exactly who and what is using its WAN. But it’s not until the flows and sessions are analyzed that an organization can truly understand who the actual users are and what their use cases really consist of.

Over time network usage oscillates and alternates between machine-based agents and user-initiated traffic. The WAN itself is a finite resource, and as traffic patterns morph, some sessions and flows encounter congestion. These sessions can and should be immediately prioritized or steered via alternate paths, but this isn’t always the case.

Congested paths are unable to meet the demands of real-time communications, and this has always been a challenge for WAN service delivery. Previous generations of SD-WAN solutions have provided mostly static implementations that use QoS (quality of service) markings and queueing strategies, but rarely can they dynamically influence and steer individual sessions to improve a user’s flagging experience in real time. Some SD-WAN solutions can even provide symmetric session pathing for optimized performance and policy adherence.

Session awareness is a crucial component of modern SD-WAN solutions. It offers the best fidelity view of a network from the user’s perspective. Sessions are temporal and involve specific application flows whose quality can differ greatly (due to factors such as capacity, delay, congestion, and intermittent outages). Session awareness goes further than standard application identification and can be used by an intelligent fabric to direct individual sessions for each and every user or agent on a session-by-session basis. By taking a more holistic and unified view, tied with a fine-grained capability to route traffic flows, some SD-WAN solutions can automatically elevate, demote, or selectively steer these sessions based upon criteria such as service-level objectives. Individual sessions have become the ultimate currency for network operators to deliver superior user experiences.
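The session-by-session steering described above, as an added illustration (not code from the original page or from any SD-WAN vendor): each transport is measured for latency, jitter, and loss, every application class carries its own service-level objective, and a session is moved only when its current path fails that SLO, preferring the cheapest compliant transport. The path names, SLO thresholds, transport costs, and probe samples are constructed assumptions.

```python
"""SLO-driven, per-session path selection for an SD-WAN overlay.

Added example, not the page's or any vendor's code. Paths, SLO thresholds,
relative transport costs and probe samples are constructed values.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Slo:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class PathMetrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


# Constructed per-application SLOs: voice is strict, bulk transfer is lax.
SLOS = {
    "voice": Slo(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "saas": Slo(max_latency_ms=250, max_jitter_ms=50, max_loss_pct=2.0),
    "bulk": Slo(max_latency_ms=800, max_jitter_ms=200, max_loss_pct=5.0),
}

# Constructed relative transport cost per path (lower is cheaper).
PATH_COST = {"broadband": 1, "lte": 2, "mpls": 3}


def summarize(probes):
    """Reduce raw probe RTTs (ms, or None for a lost probe) to path metrics."""
    received = [rtt for rtt in probes if rtt is not None]
    loss_pct = 100.0 * (len(probes) - len(received)) / len(probes)
    if not received:  # black-holed path: unusable, but still report loss
        return PathMetrics(float("inf"), float("inf"), loss_pct)
    jitter = pstdev(received) if len(received) > 1 else 0.0
    return PathMetrics(mean(received), jitter, loss_pct)


def meets_slo(m, slo):
    return (m.latency_ms <= slo.max_latency_ms
            and m.jitter_ms <= slo.max_jitter_ms
            and m.loss_pct <= slo.max_loss_pct)


def choose_path(app, paths, current=None):
    """Pick the path for one session of application class `app`.

    Keep the current path while it still meets the SLO (hysteresis against
    flapping); otherwise take the cheapest compliant path. If no path is
    compliant, degrade gracefully to the lowest-loss, then lowest-latency path.
    """
    slo = SLOS[app]
    if current in paths and meets_slo(paths[current], slo):
        return current
    compliant = [n for n, m in paths.items() if meets_slo(m, slo)]
    if compliant:
        return min(compliant, key=lambda n: (PATH_COST[n], paths[n].latency_ms))
    return min(paths, key=lambda n: (paths[n].loss_pct, paths[n].latency_ms))


if __name__ == "__main__":
    # Constructed telemetry: broadband is cheap but jittery, LTE is steady,
    # MPLS is best but most expensive.
    telemetry = {
        "broadband": summarize([20, 22, 95, 21, 110, 24, 23, 25, 140, 26]),
        "lte": summarize([60, 65, 62, 70, 58, 63, 61, 66, 59, 64]),
        "mpls": summarize([35, 36, 35, 37, 36, 35, 36, 35, 37, 36]),
    }
    for app in SLOS:
        print(f"{app:5} -> {choose_path(app, telemetry, current='broadband')}")
```

With the sample telemetry, only the voice session is moved (to LTE, the cheapest path that meets its jitter bound); SaaS and bulk sessions stay on broadband because it still satisfies their looser SLOs.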

WAN Assurance

Assurance is a means of providing confidence. The WAN is critical, not just for connecting sites but for accessing services and resources and expediting workflows. Confidence brings peace of mind. Whether provisioning new locations, scaling capacity, or helping ensure that security and operational teams have the right tooling and support, it’s crucial for network operators to have the right capabilities. Operations is not just about performing well, but more importantly, failing well and minimizing harm. Outages and congestion may occur, but with an intelligent overlay, less time is spent worrying about MTBF (mean time between failures) and MTTR (mean time to repair).

Where historically, IT teams were limited by the metrics or tradeoffs of traditional routing protocols, there is now an option to virtualize the WAN itself while adding new layers of intelligence and better feature velocity. SD-WAN promises more fine-grained control of packets and their flows and opens up endless possibilities on how to implement everything from better security policies to improved cost controls, all the while improving user experience.

Connected Security and SASE

Security is about risk. In a world of borderless and accelerating digital threats, organizations strive to protect their assets, services, and staff. Increasingly, digital security impacts safety, and the risks related to intentional attacks have begun to affect other elements of operations. The more digital connectivity and control there is, the wider the digital attack surface that requires protection.

Security architectures have long sought to limit and partition failure domains against the propagation of failures, but there is a real struggle on how to do so without adversely impacting the smooth running of workflows and processes. SASE (Secure Access Service Edge) offers a combination of security functions delivered at trusted boundaries that limit the traditional overheads associated with remote-access solutions.

When SD-WAN is understood as a conceptual delivery model for services, it can then be understood as underpinning many security best practices. It’s not a matter of SD-WAN vs. SASE; rather, SD-WAN delivers the foundational building blocks of SASE. The network is still one of the best places for many security controls. The WAN edge creates an efficient and effective policy enforcement point, and one that also provides the means for better observing and controlling zone boundaries and related security requirements. ZTNA (Zero Trust Network Access) settles the question firmly in favor of a “default deny” posture, which is more advantageous and robust than the less secure “default permit.”

The remaining challenge is to help ensure that complexity is controlled and managed. When microsegmentation and micropermissions are bound by granular IAM (Identity and Access Management), assigning permissions, access, and roles manually becomes too tedious. Increasingly, organizations are turning to automation and software-based solutions to handle IAM.

SD-WAN is poised to help deliver on the promise of increased security, elevated confidence, and greater peace of mind by reinforcing the strongest policy enforcement point possible: the network.

Operator Experience

In the quest to reduce TCO (total cost of ownership), it’s often OpEx (operational expenditure) that outstrips CapEx (capital expenditure) over a given timeframe or lifecycle. Complex systems imply operational complexity, but this isn’t always so. Just as abstractions enable network operators to do more with less, so too does SD-WAN deliver on simplified management and operations that can empower IT teams to exceed expectations.

Teams that embrace tooling and approaches that intelligently remove or reduce toil enjoy greater satisfaction, resulting in lower employee churn and greater productivity (2020 SoNAR–State of Network Automation Report).

At the end of the day, it’s the operations teams that dictate the technical health of an organization, and thus IT can have an outsized impact on an organization’s success or failure. Widespread failures become visible not just to users but also to customers and eventually the market at large. Although cost savings and security are key areas targeted by SD-WAN, they’re not the only sources of SD-WAN ROI (return on investment).

The AIOps Advantage

AI (artificial intelligence), and one of its subsets, ML (machine learning), can deliver tremendous value throughout the networking domain. Problem areas with well-known features and protocols (such as data networking) are ripe for the use of ML in a host of scenarios. In these well-defined problem spaces, AI bias can be more easily removed to deliver real-world outcomes, in addition to better network connectivity and security. When ML is trained with a mix of blended and accelerated learning (such as transfer learning) and the resulting models are then augmented with production data, trust can be built quickly. Accurate insights and recommended remediation actions surface and can be quickly validated.

Data networking is an area where the volume and velocity of operational data and telemetry constantly outstrip the ability of traditional methods to keep pace. Networks are graphs. AI and ML can offer rapid and actionable insights into graphs and their dependencies, including everything from identifying complex root causes to providing better interfaces to navigate and manage increasing network complexity.

AIOps (artificial intelligence for IT operations) is a practice that seeks to ease the burden on network operators by automating many repetitive and low-value tasks that create toil. Freeing up human talent for more strategic challenges is a crucial step in innovation, as is democratizing the ability to make sense of the growing networks and complexity that surrounds us.
