The new branch office SD-WAN model

How enterprises are combining SD-WAN with next-generation security and connectivity solutions for a better outcome.


Wrapping up an SD-WAN workshop session with a client last week, I reflected on how rapidly the branch office WAN connectivity and management model is changing. Some great opportunities are emerging for enterprise IT teams that can materially impact how the network is designed, paid for and managed. Here are some thoughts:

1. Public cloud is driving a lightweight edge security model

Most people agree that SD-WAN can facilitate service chaining, and a selective backhaul model is interesting to many enterprises that want to concentrate next-generation firewall services in larger locations. But with the rapid growth of distributed content in public cloud applications (even from Microsoft and Salesforce, who long resisted this trend that Google pioneered) it’s increasingly counterproductive to backhaul browsing traffic long distances from the end users. It reduces performance, and adds significant load at hubs on the network — not ideal when this can represent 80 percent or more of the traffic.

We’re starting to see a two-tier approach emerge for Internet-bound traffic: a lightweight content filtering and threat protection service (e.g., Zscaler or similar) at the edge for web applications, paired with more traditional next-generation firewalls at strategically positioned hubs in the network for non-web Internet traffic.

This allows enterprises to select something other than the extreme positions they previously had to work with, and to cater for the different traffic types in more appropriate ways. SD-WAN is of course key to this: the selective forwarding behavior needed for each traffic type is much more challenging to achieve in a traditional network.

2. Dual Internet circuits are becoming the default, even at the smallest branches

I’ve been involved in many deployments over the years that categorized sites into the usual Platinum / Gold / Silver / Bronze hierarchy, with everything except for Bronze having some sort of backup. In a traditional WAN it was very difficult to justify resilient circuits at the smallest locations, especially if one would sit idle 99% of the time.

With most SD-WAN deployments, I’m starting to see this change. A couple of factors are driving this. First, adding a second circuit is much more appealing if it can be used. Most SD-WAN overlay solutions accommodate this without rigid policy-based routing approaches. Second, the price point of a realistic secondary circuit has fallen dramatically. In many cases a low-end broadband circuit or high-data-limit 4G service can be added for $100 / month or less, and will provide a large amount of usable bandwidth.

Operationally, it’s hard to overstate the benefits that having a second circuit provides. Circuits fail more often than equipment, and having two circuits (ideally with different physical delivery or failure patterns) provides a wealth of information when something does go wrong. If one circuit fails, you can usually confirm that it’s a circuit failure (and progress it appropriately) rather than spending hours determining whether it’s a power or equipment issue at the site. Then there are the SD-WAN-related performance benefits: most sophisticated solutions will use that second circuit to drive up the overall performance of the site. For a very small investment, the enterprise sees a much more reliable branch office footprint.
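As an added illustration (not code from the article or from any SD-WAN vendor), the following Python models the two-tier steering policy from point 1 together with the dual-circuit path selection and circuit-versus-site fault isolation from point 2; the internal prefixes, loss threshold, next-hop labels and circuit measurements are assumptions constructed for the example.

```python
# Added example (not from the article): a minimal model of the two-tier
# forwarding policy and dual-circuit behaviour described above. Prefixes,
# thresholds, next-hop labels and circuit data are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Enterprise-internal prefixes that stay on the SD-WAN overlay (assumed).
INTERNAL_PREFIXES = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
# Next hop per tier: web breaks out locally via the cloud security service,
# non-web Internet traffic is backhauled to the hub NGFW, internal stays on the overlay.
NEXT_HOP = {"internal": "overlay-hub", "web": "local-breakout-cloud-security",
            "nonweb": "overlay-hub-ngfw"}

@dataclass
class Circuit:
    name: str
    up: bool
    loss_pct: float
    latency_ms: float

def classify(dst_ip: str, dst_port: int) -> str:
    """Tier a flow: internal, web (Internet 80/443) or non-web Internet."""
    addr = ip_address(dst_ip)
    if any(addr in p for p in INTERNAL_PREFIXES):
        return "internal"
    return "web" if dst_port in WEB_PORTS else "nonweb"

def pick_circuit(circuits, max_loss_pct=2.0):
    """Lowest-loss (then lowest-latency) up circuit within the loss budget;
    fall back to any up circuit; None when every circuit is down."""
    up = [c for c in circuits if c.up]
    healthy = [c for c in up if c.loss_pct <= max_loss_pct] or up
    return min(healthy, key=lambda c: (c.loss_pct, c.latency_ms)) if healthy else None

def steer(dst_ip: str, dst_port: int, circuits):
    """Return (tier, next_hop, circuit_name) for one flow."""
    tier = classify(dst_ip, dst_port)
    circuit = pick_circuit(circuits)
    return tier, NEXT_HOP[tier], circuit.name if circuit else None

def diagnose(circuits) -> str:
    """Use two independent circuits to separate a circuit fault from a site outage."""
    states = [c.up for c in circuits]
    if all(states):
        return "healthy"
    if any(states):
        return "circuit-failure"       # one path still works, so site power/equipment is fine
    return "site-outage-suspected"     # all paths down together: suspect power or equipment
```

With a clean broadband circuit and a lossier 4G circuit, a flow to TCP/443 on a non-internal address is tiered as web, sent to local breakout, and placed on broadband; if broadband exceeds the loss budget the same flow moves to 4G, and if broadband goes down while 4G stays up the condition is reported as a circuit failure rather than a site outage.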

3. Non-carrier service providers can play an important role

We’re now far enough down the SD-WAN development path that it’s more than just the early adopters considering it. It’s increasingly apparent that enterprises will obtain a significantly different perspective when working with a service provider that is not aligned with the underlying infrastructure, versus a carrier that is selling SD-WAN as an add-on service.

Why does this matter, and does it apply to every deployment? It really depends on the geography involved, the services the enterprise requires and how the business case is being developed. For enterprises with a real need for hybrid connectivity, the carrier-based model offers a one-stop-shop approach to combining public and private connectivity. However, for enterprises with a highly distributed environment and a business case based on displacing MPLS connectivity, a non-carrier service provider will generally go much further to find innovative low-cost connectivity options. SD-WAN business cases built on single-sourced DIA connectivity from a Tier 1 ISP do not typically work; a more fragmented mix of in-country operators is typically needed.

4. Carrier-neutral co-locations can form the new backbone

An interesting model is emerging for interconnecting regional networks in an SD-WAN environment. For enterprises that need reliable connectivity between these regions, carrier-neutral co-locations and low-cost, elastic capacity between them offer a compelling alternative to MPLS or VPLS. Enterprises can utilize an Internet-based SD-WAN overlay in the region, and then use the capacity between the co-locations for the middle mile. These hubs can then act as delivery points for interconnections to IaaS environments such as AWS or Azure, as well as SIP services and other resources. The commercial approach proposed by several of the newer providers (e.g., Megaport) offering capacity between co-locations, along with the ability to flex capacity using APIs can allow an entirely new operating model to be created.

5. New monitoring tools keep everyone informed, but who is responsible?

Enterprises that have already adopted SD-WAN have realized that there are many more elements that can be monitored and reported on than in traditional WANs. Application and user-level statistics, overlay path quality measurements, and many more can be obtained through most SD-WAN APIs. A new set of monitoring tools can sit outside the SD-WAN overlay and provide deep insights into Internet path health, BGP peers, congestion and other Internet-related metrics.

It’s natural for the enterprise to expect that the data collected by these tools will form part of the branch office monitoring and management service, and it will be interesting to see how service providers build offerings to incorporate them. Few enterprises have staff available to look at new monitoring screens providing highly granular data, so the quality of the management overlay becomes critical.

There’s also the question of whether many of these new “problems” identified by management tools can even be actioned. Enterprises like the commercial benefits of using low-cost Internet services in an SD-WAN environment, but many will need to reset some expectations regarding just what is possible at small branch offices with only Internet connectivity. The tools may be able to show what the problem is, but there may not be anyone that owns the resolution of the issue.


As SD-WAN services mature, it’s proving to be a very interesting time to build branch office networks. The challenge is that it’s a fragmented environment. Each layer of the stack—circuits, SD-WAN service, security services and monitoring tools—can be highly optimized using best of breed tools, but with very little overlap between them. Innovative service providers will use these tools to provide a cohesive service to the enterprise, swapping out components as materially better options become available. The well-optimized solutions can deliver a real competitive advantage to the enterprise in terms of cost, performance and operational insights—and it looks like there is even more to come.

Copyright © 2017 IDG Communications, Inc.