Fixing internet VPNs with software-defined WAN

SD-WAN promises to fix some of the key limitations of Internet VPNs. Let's look at how this works in practice.

Internet VPNs have been a feature of many global enterprise WANs for the last 10 years. In a previous article I mentioned that this technology is often used out of necessity, with cost pressure forcing enterprises to just deal with Internet performance limitations.

With increasing interest in Software Defined WAN (SD-WAN) recently, many use cases have been proposed by vendors and early enterprise adopters alike. However, it is today's site-to-site Internet VPNs that should be seen as the 'low-hanging fruit' for initial SD-WAN deployments. Moving to a software-defined solution results in a topology that should be very familiar to enterprises with existing VPN deployments, while solving some of the bigger performance and management issues.

Getting organized with profiles and templates

One major limitation of traditional networks is that they are based on individual device configurations, and the concept of life cycle management doesn't really exist. Sophisticated enterprises often use third-party tools to centralize configuration management, implement version control, and use templates, but organically growing Internet VPNs in the network are often forgotten.

Most SD-WAN solutions address this by establishing a hierarchical, template-driven structure for the network in the orchestrator by default. You start by defining what each site type should look like in advance - single or dual WAN connections, VLAN settings for voice/data, SSID for internal and guest Wi-Fi, etc. Then you establish enterprise-wide settings like QoS schemes, firewall policies and private IP subnet ranges for LANs. Once this is in place, creating new sites or changing existing sites requires a minimal amount of site-specific effort. This is what is making SD-WAN intriguing for retailers; 1,000 very similar stores can be defined once and then kept perfectly in sync as business policies change.
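As an added illustration of the hierarchical model described above (this is constructed example code, not the article's or any vendor's orchestrator), the snippet below defines enterprise-wide policy and site types once, and lets each site contribute only what is genuinely site-specific. Re-rendering after a policy change is what keeps many near-identical sites in sync. All names, VLAN ids, DSCP values and address ranges are assumptions chosen for the example.

```python
"""Template-driven site configuration (added example, not from the article).

Layers, from most shared to most specific:
  EnterprisePolicy  - QoS classes, firewall rules, LAN address pool (defined once)
  SiteType          - what a 'store' or 'office' looks like (defined once per type)
  Site              - the handful of values that differ per site
render_all() combines them and checks that no two sites collide on a LAN subnet.
"""
from __future__ import annotations

import dataclasses
import ipaddress
from dataclasses import dataclass


@dataclass
class EnterprisePolicy:
    qos_classes: dict[str, int]          # class name -> DSCP marking
    firewall_rules: tuple[str, ...]      # ordered rule names applied everywhere
    lan_pool: ipaddress.IPv4Network      # pool from which per-site LANs are carved
    lan_prefix: int = 24                 # size of each site LAN


@dataclass
class SiteType:
    name: str
    wan_links: int                       # 1 = single WAN, 2 = dual WAN
    vlans: dict[str, int]                # role (voice/data) -> VLAN id
    ssids: tuple[str, ...]               # internal and guest Wi-Fi names


@dataclass
class Site:
    site_id: int                         # also selects the site's LAN subnet
    site_type: str
    wan_circuits: tuple[str, ...]        # the only truly site-specific input


def render_site(policy: EnterprisePolicy, types: dict[str, SiteType], site: Site) -> dict:
    """Produce one site's full configuration from the three layers."""
    st = types[site.site_type]
    if len(site.wan_circuits) != st.wan_links:
        raise ValueError(f"site {site.site_id}: type {st.name!r} expects "
                         f"{st.wan_links} WAN circuit(s), got {len(site.wan_circuits)}")
    subnets = list(policy.lan_pool.subnets(new_prefix=policy.lan_prefix))
    if not 0 <= site.site_id < len(subnets):
        raise ValueError(f"site {site.site_id}: LAN pool {policy.lan_pool} exhausted")
    return {
        "site_id": site.site_id,
        "type": st.name,
        "wan": list(site.wan_circuits),
        "lan_subnet": str(subnets[site.site_id]),
        "vlans": dict(st.vlans),
        "ssids": list(st.ssids),
        "qos": dict(policy.qos_classes),
        "firewall": list(policy.firewall_rules),
    }


def render_all(policy: EnterprisePolicy, types: dict[str, SiteType],
               sites: list[Site]) -> dict[int, dict]:
    """Render every site and reject duplicate site ids / overlapping LANs."""
    configs: dict[int, dict] = {}
    used_subnets: set[str] = set()
    for site in sites:
        if site.site_id in configs:
            raise ValueError(f"duplicate site id {site.site_id}")
        cfg = render_site(policy, types, site)
        if cfg["lan_subnet"] in used_subnets:
            raise ValueError(f"LAN {cfg['lan_subnet']} already assigned")
        used_subnets.add(cfg["lan_subnet"])
        configs[site.site_id] = cfg
    return configs


def add_firewall_rule(policy: EnterprisePolicy, rule: str) -> EnterprisePolicy:
    """Return a new enterprise policy; callers re-render to push it to all sites."""
    return dataclasses.replace(policy, firewall_rules=policy.firewall_rules + (rule,))


# Constructed sample data (assumptions, not taken from the article).
EXAMPLE_POLICY = EnterprisePolicy(
    qos_classes={"voice": 46, "video": 34, "data": 0},
    firewall_rules=("deny-guest-to-lan",),
    lan_pool=ipaddress.ip_network("10.0.0.0/16"),
)
SITE_TYPES = {
    "store": SiteType("store", 2, {"voice": 10, "data": 20}, ("corp", "guest")),
    "kiosk": SiteType("kiosk", 1, {"data": 20}, ("corp",)),
}
SITES = [
    Site(1, "store", ("adsl-1", "lte-1")),
    Site(2, "store", ("cable-2", "lte-2")),
    Site(3, "kiosk", ("lte-3",)),
]

if __name__ == "__main__":
    for cfg in render_all(EXAMPLE_POLICY, SITE_TYPES, SITES).values():
        print(cfg)
```

A policy edit is made in one place and re-rendered everywhere; a site that does not match its type (wrong number of circuits, exhausted address pool, duplicate id) is rejected before anything is pushed, which is the kind of check an orchestrator would run before committing a change to a large estate.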

Is this completely new? Definitely not; automation tools have been available for years on traditional networks. Packaging it up into a turnkey solution is a helpful approach, though - especially when combined with some performance-improvement features.

Addressing link quality issues

VPNs are great when they work. The problems start when sites are in regions with poor-quality connectivity, and they are compounded when the enterprise wants to deliver high-quality voice, video, and other business-critical traffic to the site using this infrastructure. 

One of the most compelling features of some SD-WAN solutions is the ability to separate the underlying infrastructure from the overlay network. This allows multiple types of connectivity to be plugged in - maybe a business-grade ADSL2+ circuit to start with, as well as a cable modem link and perhaps a 4G/LTE service also - but operate the network without worrying about which packets are being routed over each link.

The software platform is aware of the pool of connectivity. It continuously measures the performance and throughput available over each path, and makes a decision on a per-packet basis, taking QoS settings into account and duplicating critical packets across circuits if needed. It's still the Internet, but now there is a level of active traffic steering and management that can make the solution a viable option for more applications. If a link goes down or is performing too poorly, it just drops out of the available pool until it is restored.
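To make the path-selection behaviour concrete, here is an added example (constructed for this article; not the code of any SD-WAN product) of a per-packet steering decision over a pool of underlay links. Each link carries recent measurements; links that are down or outside the thresholds for a QoS class drop out of the pool, the rest are ranked, and classes flagged as critical are duplicated across the two best links. The link names, thresholds and measurements are assumptions.

```python
"""Per-packet path selection over an underlay pool (added example, not from the article).

The controller holds a LinkStats record per circuit, refreshed by continuous
probing (simulated here by constructed values). For each packet it:
  1. drops links that are down or violate the QoS class's latency/loss limits,
  2. ranks what remains (quality-first for real-time classes, headroom-first for bulk),
  3. returns one path, or two paths when the class asks for duplication.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LinkStats:
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    free_kbps: float     # measured headroom on the circuit


@dataclass(frozen=True)
class ClassPolicy:
    max_latency_ms: float
    max_loss_pct: float
    duplicate: bool      # send a copy over the second-best path as well
    prefer: str          # "quality" or "throughput"


# Assumed per-class thresholds; a real deployment would tune these.
POLICIES = {
    "voice": ClassPolicy(max_latency_ms=150, max_loss_pct=1.0, duplicate=True, prefer="quality"),
    "video": ClassPolicy(max_latency_ms=250, max_loss_pct=2.0, duplicate=False, prefer="quality"),
    "data":  ClassPolicy(max_latency_ms=1000, max_loss_pct=10.0, duplicate=False, prefer="throughput"),
}


def eligible(links: list[LinkStats], policy: ClassPolicy) -> list[LinkStats]:
    """Links that are up and currently meet this class's quality limits."""
    return [l for l in links
            if l.up and l.latency_ms <= policy.max_latency_ms and l.loss_pct <= policy.max_loss_pct]


def rank(links: list[LinkStats], policy: ClassPolicy) -> list[LinkStats]:
    """Best path first. Real-time classes care about loss/latency, bulk about headroom."""
    if policy.prefer == "throughput":
        key = lambda l: (-l.free_kbps, l.loss_pct, l.latency_ms)
    else:
        key = lambda l: (l.loss_pct, l.latency_ms, -l.free_kbps)
    return sorted(links, key=key)


def select_paths(links: list[LinkStats], qos_class: str) -> list[str]:
    """Return the circuit name(s) a packet of this class should be sent over."""
    policy = POLICIES.get(qos_class, POLICIES["data"])   # unknown marking -> best effort
    pool = rank(eligible(links, policy), policy)
    if not pool:
        # Nothing meets the thresholds: degrade gracefully onto any link that is up
        # rather than black-holing the packet.
        pool = rank([l for l in links if l.up], policy)
    if not pool:
        return []                                        # every circuit is down
    copies = 2 if policy.duplicate and len(pool) >= 2 else 1
    return [l.name for l in pool[:copies]]


def steer(links: list[LinkStats], packets: list[tuple[int, str]]) -> dict[int, list[str]]:
    """Decide a path for each (packet_id, qos_class) using the current measurements."""
    return {pid: select_paths(links, cls) for pid, cls in packets}


def sample_links() -> list[LinkStats]:
    """Constructed measurements: a clean ADSL, a lossy cable link, a slow LTE link."""
    return [
        LinkStats("adsl", up=True, latency_ms=40, loss_pct=0.2, free_kbps=8_000),
        LinkStats("cable", up=True, latency_ms=25, loss_pct=3.0, free_kbps=40_000),
        LinkStats("lte", up=True, latency_ms=90, loss_pct=0.5, free_kbps=15_000),
    ]


if __name__ == "__main__":
    links = sample_links()
    for pid, paths in steer(links, [(1, "voice"), (2, "video"), (3, "data")]).items():
        print(pid, paths)
```

With these constructed measurements, voice avoids the lossy cable link and is duplicated over ADSL and LTE, video takes ADSL alone, and bulk data goes to the cable link for its headroom. When LTE is marked down, voice is no longer duplicated because only one eligible path remains; when every link breaches the class thresholds, the packet is still forwarded over the least-bad circuit rather than dropped, which is the behaviour an operator would want to verify before trusting the overlay with real-time traffic.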

The tools to understand what's going on

Visibility is another area where the packaged approach of SD-WAN solutions can be appealing to enterprises. There are certainly ways to get detailed visibility of application-level traffic flows in Internet VPNs, but they usually require third-party software, server infrastructure, and all the usual patch management and maintenance to keep them functional. Almost all SD-WAN offerings include built-in visibility of usage levels and performance on the network, and several combine this with an application database that includes hundreds or even thousands of traffic signatures. This can be a valuable troubleshooting and capacity management tool for an over-stretched IT team.

The next VPN

Looking at the SD-WAN feature set as a whole, it's easy to see why enterprises are already finding it compelling as a VPN replacement. Some of the 'challenger' vendors in this space have priced their solutions at a point that is comparable to the maintenance of traditional VPN routers, which can help with the business case. If you have some problem sites on VPN in a traditional network today, it could be worth evaluating SD-WAN as a potential solution to some of these issues - and then see if the technology also makes sense at other sites.

