SD-WAN as MPLS Replacement: Why the Internet Isn’t Enough

The public Internet poses unacceptable performance and security risks for SD-WAN deployments. Here’s what to look for in a private cloud backbone instead.

istock 1132912639

As companies turn to SD-WAN services, they’re often looking to migrate away from expensive MPLS services at the same time and employ Internet services instead. But the public Internet doesn’t provide the kind of predictable performance that enterprises expect from an MPLS replacement. The Internet also introduces unacceptable security risks.

A sound alternative is a global, privately managed cloud-based network that can provide the consistent performance and low latency that enterprises demand, but at a fraction of the cost of MPLS – and with security built in. To get a sense for the requirements companies should look for in a managed cloud backbone to make for a successful SD-WAN migration, I spoke with Dave Greenfield, Secure Networking Evangelist with Cato Networks, which has built just such a backbone.

Performance and optimization

Performance is one of the key reasons to adopt a private cloud backbone vs. using the public Internet for transport, so it pays to delve into how the network is constructed and what service level agreements the provider offers. Instead of the free-for-all of public Internet peering that can undermine SD-WAN performance, global private cloud networks are predictable and more efficient.

The points of presence (PoPs) of the global private cloud should be interconnected by redundant Tier 1 carriers for reliability and performance. Software in the PoPs should continuously monitor each carrier in real time and dynamically select the optimum data path for every packet, Greenfield says.

With such a setup, the provider “can deliver to customers better availability and performance than with any of the underlying Tier 1 carriers, and far better than the public Internet,” Greenfield says. “Traffic is not subject to any peering or congestion that happens in the Internet core.”

User and application awareness is also important to overall performance. For example, the provider should be able to differentiate between a salesperson talking with a customer and two internal employees talking with each other, and prioritize the sales call. “So you not only prioritize voice calls, but also different users,” Greenfield says.

Sound security

Security is another crucial reason to opt for a private backbone vs. the public Internet.

Backhauling traffic to a central security gateway, for example, adds latency to cloud sessions. SD-WAN does allow for cloud traffic to be sent directly onto the Internet and then to its destination. But this requires branch offices to have secure direct Internet access (DIA), which involves additional security tools and appliances at each branch. Building security into the global private backbone instead is a way to avoid that problem, Greenfield says.

Among the security technologies that should be available are next-generation firewalls, secure web gateways, anti-malware, mobile security, and encryption. More advanced features include a managed detection and response capability, where the provider monitors the network for compromised end points, provides an alert when an infection is found, and helps with remediation. Cato also subjects all traffic, including encrypted traffic, to inspection by multiple homegrown security engines, a capability Greenfield says is “radically different” from most SD-WAN providers.

Support for mobile and cloud

A private cloud network naturally has to support not just fixed locations, but mobile users, ideally with an agentless architecture – meaning no software is required on the mobile device. That simplifies rollouts and ongoing maintenance and support for IT. 

The network should also be able to connect with multiple cloud providers. If the private backbone provider is co-located in the same physical data centers as the cloud service providers, the connection is fast and seamless, with no need to deploy additional SD-WAN appliances in the cloud.

“A few clicks on our management console enables traffic to exit the Cato backbone through the relevant PoP and then it’s only a short jump into the cloud data center,” Greenfield says.

Keeping costs down

Finally, while any private cloud network is likely to cost less than MPLS services, the question of who owns the software used in the backbone can create differences in value and pricing among providers. Cato, for example, built its own cloud-native, networking and security software stack, so it doesn’t have to pay licensing fees to any third parties. That also enables it to deliver enhancements more quickly and reduce the time to resolve problems, Greenfield says, as support personnel work with engineers to solve problems and deliver new features. 

Learn more at