SD-WAN explained
The traditional model of backhauling traffic from branch offices to the data center for robust security inspection is no longer optimal, wasting bandwidth, adding latency, and ultimately impairing application performance. There is a real need for a better way to send traffic directly over the internet from branch locations to trusted SaaS and cloud-based applications while maintaining compliance with enterprise security mandates.
An SD‑WAN assures consistent application performance and resiliency, automates traffic steering in an application-driven manner based on business intent, improves network security, and simplifies the WAN architecture. An SD-WAN uses a centralized control function to steer traffic securely and intelligently across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience, which increases business productivity and agility and reduces IT costs.
SD-WAN architecture
Traditional WANs based on conventional routers were never designed for the cloud. They typically require backhauling all traffic, including cloud-destined traffic, from branch offices to a hub or headquartered data center where advanced security inspection services can be applied. The delay caused by backhaul impairs application performance, resulting in a poor user experience and lost productivity.
Unlike the traditional router-centric WAN architecture, the SD-WAN model is designed to fully support applications hosted in on-premises data centers, public or private clouds, and SaaS services such as Salesforce.com, Workday, Dropbox, Microsoft 365, and more, while delivering the highest levels of application performance.
How does SD-WAN work?
Unlike SD-WAN, the conventional router-centric model distributes the control function across all devices in the network and simply routes traffic based on TCP/IP addresses and ACLs. This traditional model is rigid, complex, inefficient, and not cloud-friendly and results in a suboptimal user experience.
An SD-WAN enables cloud-first enterprises to deliver a superior application quality of experience (QoEx) for users. By identifying applications, an SD-WAN provides intelligent application-aware routing across the WAN. Each class of applications receives the appropriate QoS and security policy enforcement, all in accordance with business needs. Secure local internet breakout of IaaS and SaaS application traffic from the branch provides the highest levels of cloud performance while protecting the enterprise from threats.
Why SD-WAN?
Times have changed, and enterprises are using the cloud and subscribing to software-as-a-service (SaaS). While users traditionally connected back to the corporate data center to access business applications, they are now better served by accessing many of those same applications in the cloud.
As a result, the traditional WAN is no longer suitable mainly because backhauling all traffic—including that destined to the cloud—from branch offices to the headquarters introduces latency and impairs application performance. SD-WAN provides WAN simplification, lower costs, bandwidth efficiency and a seamless on-ramp to the cloud with significant application performance especially for critical applications without sacrificing security and data privacy. Better application performance improves business productivity, customer satisfaction, and ultimately profitability. Consistent security reduces business risk.
Basic SD-WAN vs business-driven secure SD-WAN
- Not all SD-WANs are created equal. Many SD-WAN solutions are basic SD-WAN solutions or “just good enough” solutions. These solutions lack the intelligence, security, performance, and scale needed to ensure a secure network experience. And remember, without a fast, secure, and high performing network, enterprise digital transformation initiatives can stall. SD-WAN is a pivotal digital transformation enabler and drives strategic decisions across the enterprise. So, what is a business-driven secure SD-WAN and why is basic SD-WAN not good enough?
- Consistent Quality of Experience (QoEx). A key benefit of an advanced SD-WAN solution is the ability to actively use multiple forms of WAN transport simultaneously. A basic solution can direct traffic on an application basis down a single path, and if that path fails or is underperforming, it can dynamically redirect to a better performing link. However, with many basic solutions, failover times around outages are measured in tens of seconds or longer, often resulting in annoying application interruption. A business-driven SD-WAN intelligently monitors and manages all underlay transport services. It can overcome the challenges of packet loss, latency, and jitter to deliver the highest levels of application performance and QoEx to users, even when WAN transport services are impaired. Unlike a basic SD-WAN, a business-driven SD-WAN handles a total transport outage seamlessly and provides sub-second failover that averts interrupting business-critical applications such as voice and video communications.
- Continuous self learning. A basic SD-WAN solution steers traffic according to pre-defined rules, usually programmed via templates. A business-driven SD-WAN delivers optimal application performance under any network condition or changes including congestion and when impairments occur. Through continuous monitoring and self-learning, a business-driven SD-WAN responds automatically and in real time to any changes in the state of the network. A business-driven SD-WAN continuously adapts to changes in the network, automatically adapting in real time to any changes that could impact application performance, including network congestion, brownouts and transport outage conditions, allowing users to always connect to applications without manual IT intervention. For example, should a WAN transport service or cloud security service experience a performance impairment, the network automatically adapts to keep traffic flowing while maintaining compliance with business policies.
- Multi-cloud networking. Advanced SD-WANs can be deployed in a public cloud such as AWS, Azure and Google Cloud to optimize connections between branch locations and the cloud using all the SD-WAN benefits. If a brownout or blackout occurs, the remaining link(s) continue to carry traffic so that users don’t notice any disruption to voice calls, audio and video conferences, or any other application. Ruggedized first mile between the branch and the public cloud delivers better network performance, reliability, and quality.
- Built-in next-generation firewall. A business-driven secure SD-WAN should include a next-generation firewall to efficiently secure branch locations. Key capabilities include deep packet inspection (DPI), and intrusion detection and prevention (IDS/IPS). Other advanced SD-WANs can even protect organizations against DDoS attacks. The integration of a next-generation firewall enables organizations to easily replace legacy branch firewalls, reducing the hardware footprint. Additionally, security policies are centrally managed eliminating the need to have IT trained personnel locally and avoiding misconfigurations. Centrally configured security policies are far more consistent due to fewer human errors than with a legacy firewall that often requires configuring policies on a device-by-device basis. If a policy requires a change, it is programmed centrally with a business-driven SD-WAN and pushed to 10s, 100s, or 1000s of nodes across the network, providing a significant increase in operational efficiency while reducing the overall attack surface and avoiding any security breaches.
- Role-based segmentation. While basic SD-WANs provide the equivalent of a VPN service, a business-driven secure SD-WAN provides more comprehensive, end-to-end role-based segmentation. In addition to supporting a next-generation firewall, the SD-WAN platform should orchestrate and enforce end-to-end segmentation spanning the LAN-WAN-data center and the LAN-WAN-cloud. By adding user and device identity and role-based policy, advanced secure SD-WANs provide fine-grained segmentation and enforce Zero Trust. A secure SD-WAN then creates end-to-end zones, from the LAN to the WAN, across any combination of users, devices, application groups and virtual overlays, propagating security policies to all remote sites. Based on the least-privilege access principle, it ensures that users and IoT devices only communicate with destinations consistent with their role in the business, while reducing unauthorized access and limiting the scope of incidents.
- Secure local internet breakout for cloud applications. Many basic SD-WANs provide some application classification capabilities based on fixed definitions and manually scripted ACLs to direct SaaS and IaaS traffic directly across the internet. However, cloud applications change constantly. A business-driven SD-WAN continuously adapts to changes and provides automated daily application definition and IP address updates. This eliminates application interruption and user productivity issues.
Ideally, enterprise customers need to shift to a business-driven SD-WAN platform that unifies SD-WAN, firewall, segmentation, routing, WAN optimization and visibility and control functions, all in a single, centrally managed platform.
Advanced SD-WAN functionality for SASE
SASE combines SD-WAN with cloud-delivered security functions, otherwise known as Security Service Edge (SSE). SSE defines the set of security services that help deliver on the security vision of SASE. Key SSE capabilities include ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway) and CASB (Cloud Access Security Broker).
Ultimately, the goal of SASE is to provide security and performance to cloud-centric organizations and hybrid work environments as users access sensitive data from anywhere and browse unsecure websites. After working with many enterprises that have designed and deployed their SASE architectures, we’ve learned that basic SD-WAN functionality falls short. An SD-WAN with advanced networking and security capabilities is required to fully enable SASE to:
- Seamlessly integrate to an SSE solution to form a unified, consistent SASE architecture.
- Automate orchestration between the SD-WAN and SSE from a single console to make it easy
- Identify application traffic on the first packet and granularly steer it to an SSE solution based on predefined security policies
- Automatically failover to a secondary cloud security enforcement point to avoid any application interruption
- Automatically reconfigure secure connections to cloud security enforcement points if a newer, closer location to the branch becomes available
- Enable customers to easily deploy new cloud security services—and their SASE implementations
HPE and SD-WAN
HPE Aruba Networking EdgeConnect SD-WAN is a comprehensive portfolio of access deployment options to connect enterprise organizations from edge to cloud to a single SD-WAN fabric across locations, data centers, cloud, and SaaS. The solution includes three types of right-sized deployment models, or “onramps,” to the SD-WAN fabric, delivering seamless, secure, high-performance network connectivity from headquarters, data center, campus, branch, small office, work-from-home, and mobile users to reach applications, data, and services anywhere.
- EdgeConnect SD-WAN allows IT admins to architect an advanced SD-WAN edge that continuously learns and adapts to changing business needs and flexibly delivers maximum network and application performance from the edge to the cloud.
- EdgeConnect SD-Branch allows IT admins to consolidate branch networking components for maximum integration across WLAN, LAN, and SD-WAN with integrated security and onboard LTE support with centralized cloud management.
- EdgeConnect Microbranch is ideally suited for small office or work-from-home sites. This minimal footprint option using a range of HPE Aruba Networking remote access points (RAPs) enables secure WAN connectivity to the corporate enterprise network and automated integrations with cloud-delivered security services.
The EdgeConnect SD-WAN Fabric delivers the highest quality of experience and performance by delivering the continuous adaptation, always-on security and agility required to address the most demanding wide area networks. Leveraging automation, machine learning, and AI, advanced capabilities to reduce the burden on IT organizations by removing the complexity and manually intensive tasks required to deploy, configure, and maintain large, distributed networks.
The EdgeConnect SD-WAN Fabric easily extends to the data center, IaaS, SaaS, and private clouds. Automated integrations simplify multi-cloud connectivity for AWS, Microsoft Azure, Google, Equinix, Megaport, and others.
EdgeConnect SD-WAN Fabric automates the integration with HPE Aruba Networking SSE to form a unified SASE platform, as well as third-party cloud security partner solutions.