2020-02-18

When SD-WAN was introduced, it was widely seen as an MPLS alternative. Today just about any credible, Internet-based SD-WAN solution can be used to replace a regional MPLS network. The bigger question is what happens the day after you networked your regional offices.

How will your SD-WAN deliver predictable application experience overseas or where Internet routing is unpredictable? How will your SD-WAN adapt to the cloud and mobile users, the new tenants of the modern enterprise? In short, understanding how your SD-WAN will accommodate the unpredictable is essential if you hope to future-proof your WAN.

Global Connectivity

When you add global connectivity to your network, focusing too much on cost savings can miss the bigger picture. Although broadband Internet lines are a fraction of the cost of MPLS circuits, consider what this means for response time. Only by addressing that response-time penalty can SD-WAN serve as an effective, affordable MPLS alternative.

The public Internet as a transport method can be unpredictable when traffic is routed over long distances. “The Internet” is a collection of interconnected networks, and it’s difficult to know or control how traffic moves through them. The time of day, the place of origin or destination of the traffic, and contracts among autonomous systems affect response time. As shown below, response times over the Internet can be much longer compared to a private network.

| Sample Average Response Times | Internet (seconds) | Private Network (seconds) |
|---|---|---|
| Dubai to Dallas | 1.185 | 0.375 |
| Dubai to London | 4.24 | 0.19 |
| Frankfurt to Shanghai | 1.99 | 0.2 |
| San Jose to Shanghai | 3.97 | 0.306 |
| San Jose to Chicago | 0.194 | 0.158 |

Source: Zeus Kerravala, ZK Research

Not thinking through the response time conundrum can leave you marooned with MPLS for fast, responsive global connectivity.

A better alternative is building a private, global SLA-backed backbone. With affordable, SLA-backed capacity across multiple tier-1 carriers and the right, cloud-native software that can assess the real-time conditions across those networks, the global backbone can deliver latency far lower than the Internet yet at Internet-like prices.

Secure Branch Internet Access

The traditional model of backhauling traffic to a central secure Internet access point makes little sense when traffic is destined for the public Internet. But providing Secure Branch Internet Access presents issues because many SD-WAN products don’t have built-in security, requiring add-on security technologies.

These security functions can be delivered via physical appliances in the branch; virtual appliances running on a white box server, as in the case of VNFs in an NFV architecture; or cloud security services such as Zscaler. Each of these options brings the need for integration services and ongoing software updates and patches.

An approach that solves this problem is one that converges security into the SD-WAN. Then all traffic passes through the desired security services as a routine part of traffic routing, and no integration of third-party security services is necessary.

Optimize Cloud Access

The next challenge is how to deliver cloud acceleration and control in addition to access. One pitfall to avoid is failing to understand the traffic flows between end users and your cloud applications. Failure to map your applications and adapt your network routing can lead to latency and poor user experiences.

A network design goal should be to minimize latency by reducing the round-trip time between your network and the major cloud data centers. Appliance-based SD-WAN introduces latency between branches and the cloud-based hosting centers for various SaaS applications.

You can provide seamless acceleration of cloud traffic by routing all traffic from the SD-WAN edge devices to PoPs in the cloud that share the data-center footprint of major cloud providers where applications are hosted. This essentially cuts the latency down to zero and ensures a great user experience.

Optimize Mobile Access

Historically, mobility was never a “WAN issue” because mobile users connected to firewalls to access applications in the company data center, not to the WAN. That’s no longer the case as mobility is now the rule rather than the exception, and cloud-based applications have supplanted those in the corporate data center.

One challenge is how to deliver mobile access optimization to workers who need to conduct business from anywhere. A second challenge is how to control and secure mobile access to business applications, whether they’re private apps in physical or cloud data centers, or public cloud applications such as Office 365.

But mobile users are “out of scope” for appliance-based SD-WAN because the appliances are location-bound, limited to the branch in which they sit. Mobile users must still establish VPNs back to their “home” locations, leaving them subject to the erratic performance of the Internet and the effects of “hairpinning” their traffic.

The answer to this dilemma is mobile access optimization. Mobile users establish secure tunnels not back to a home site but to the nearest PoP. The PoP software that forms the private backbone not only provides low latency but also WAN optimization to improve throughput over distance.

Such an approach is a full replacement for traditional mobile VPN access. The mobile client finds and connects to the nearest PoP and authenticates the user using two-factor authentication. Once connected to the PoP, the user is part of the virtual enterprise WAN and can access any authorized application.

Simple Network Management

While SD-WAN is supposed to simplify your network, don’t overlook the time and talent needed to manage your new WAN. Networking analyst Zeus Kerravala points out that network professionals need to make decisions they never had to before, including where to do local Internet breakout, the level of meshing, path selection criteria, how to connect to the cloud, and what kind of security to deploy. Add to that the responsibility of updating and patching software, and provisioning new branches and resources as needed.

Network management doesn’t have to be a stumbling block. Some SD-WAN solutions allow you to choose a management style that best fits your needs: completely self-managed internally, co-managed with a service provider, or completely outsourced management.

You want the SD-WAN solution you choose today to adapt to your future needs as well. Consider all the steps above and you should have a high-functioning network that serves your needs for years to come.