Early SD-WAN products provided enterprises with a way to decommission expensive, inflexible MPLS links, connect branch offices directly to the cloud and optimize WAN traffic. But many of the initial SD-WAN offerings lacked features such as integrated firewalls, application-aware routing, and advanced data analytics.
Over time, SD-WAN vendors have beefed up their products to encompass a robust set of additional features. However, many enterprises are not taking advantage of the full capabilities of the latest SD-WAN products and managed service options.
So, why aren’t IT execs jumping on these new features? In some cases, vendors have fallen short when it comes to educating IT leaders on the benefits and ease-of-use of these advanced capabilities.
In other cases, organizational silos, such as the barriers between networking and security teams, have prevented companies from activating, for example, the next-generation firewall or intrusion prevention system that might come with an SD-WAN appliance.
And in many cases, networking pros have a standard set of methods and procedures that they’ve been following for years and that get the job done just fine. When it comes to a new way of doing things, such as zero-touch provisioning, there can be some reluctance to take a risk that could end up backfiring if something goes wrong. However, enterprises should consider the benefits that the underutilized SD-WAN features listed below can provide. After all, you’re paying for the SD-WAN device or the managed service anyway, so why not get your money’s worth?
1. Zero-touch provisioning
The traditional method of deploying branch office networking gear is to bring the physical device to a staging area, configure it, test it, then ship it out to the branch, where a networking pro sets it up. For companies deploying dozens or hundreds of SD-WAN devices across a wide geographic area, this is a manually intensive and time-consuming process.
Zero-touch provisioning, which comes standard on most SD-WAN devices, automatically configures an out-of-the-box device. All the device needs is an Internet connection so it can phone home, where it is then fully configured in a fast, efficient, standardized manner based on predefined templates, according to Kunal Thakkar, head of network engineering at Apcela.
2. Encryption key rotation
For enterprises that do business with the federal government, such as aerospace and defense companies, or enterprises with PCI compliance responsibilities, which includes just about everybody else, encryption keys need to be rotated on a regular basis (typically every 90 days). This can be a tedious manual process that entails complex change control policies and can require planned downtime.
SD-WAN platforms can replace conventional VPN-based key rotations with an automated system that can be programmed to make the rotations as frequently as every minute without any interruption to data plane traffic. The result is better security, no downtime and no need for manual intervention.
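The property that makes automated rotation safe for the data plane is an acceptance window: the receiver keeps the previous key valid for a short grace period after the new one becomes current, so a peer that has not yet switched keys still has its packets accepted. The following is an added example, not code from the article or any SD-WAN vendor; it models that schedule with a simulated clock and shows per-packet protection as an HMAC tag keyed by the current epoch key. Class and function names, the 60-second interval and the 10-second grace period are assumptions.

```python
"""Added example (not from the article or any vendor): an automated data-plane
rekey schedule with an acceptance window. A new key is minted every `interval`
seconds; the previous key stays acceptable for `grace` seconds more, so a
rotation never drops in-flight traffic from a peer that is a little behind.
Times are a simulated monotonic clock in seconds."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEpoch:
    key_id: int        # carried in the packet header so the receiver picks the right key
    key: bytes
    valid_from: float  # simulated-clock time at which this key became current


class RekeySchedule:
    """Both ends of the tunnel are assumed to derive the same key sequence; here a
    single object plays both roles so the window logic can be exercised offline."""

    def __init__(self, interval: float, grace: float, rng=os.urandom):
        self.interval = interval
        self.grace = grace
        self.rng = rng
        self.epochs = [KeyEpoch(0, rng(32), 0.0)]

    def tick(self, now: float) -> None:
        """Mint any epochs that are due, then drop keys whose acceptance
        window (interval + grace) has expired."""
        cur = self.epochs[-1]
        while now - cur.valid_from >= self.interval:
            cur = KeyEpoch(cur.key_id + 1, self.rng(32), cur.valid_from + self.interval)
            self.epochs.append(cur)
        self.epochs = [e for e in self.epochs
                       if e is cur or now - e.valid_from < self.interval + self.grace]

    def current(self, now: float) -> KeyEpoch:
        self.tick(now)
        return self.epochs[-1]

    def acceptable(self, now: float, key_id: int):
        """Return the epoch for key_id if it is still inside its acceptance window."""
        self.tick(now)
        return next((e for e in self.epochs if e.key_id == key_id), None)


def seal(sched: RekeySchedule, now: float, payload: bytes):
    """Sender side: tag the payload with the key that is current at `now`."""
    e = sched.current(now)
    tag = hmac.new(e.key, payload, hashlib.sha256).digest()
    return e.key_id, payload, tag


def unseal(sched: RekeySchedule, now: float, key_id: int, payload: bytes, tag: bytes) -> bool:
    """Receiver side: accept only if key_id is still acceptable and the tag verifies."""
    e = sched.acceptable(now, key_id)
    if e is None:
        return False
    expected = hmac.new(e.key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)
```

With a 60-second interval and a 10-second grace, a packet tagged under key 0 at t=0 is still accepted at t=65 (key 1 is current, key 0 is in its grace window) and rejected at t=71. The grace period is the knob to tune against observed clock skew between peers: too short and a rotation drops packets, too long and a compromised old key lives on longer than necessary.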
3. Multiplexed VPNs
There are many scenarios in which companies need to keep different types of traffic separated from each other. For example, in the case of a merger or acquisition, the combined company might be a single entity on paper, but for business or compliance or security reasons, each business unit continues to operate independently. If the company then decides to upgrade to SD-WAN, it might be considering the purchase of two sets of physical devices.
But SD-WAN technology allows multiple virtual routing and forwarding (VRF) and VPN links to be multiplexed with a single overlay. This was not feasible with previous VPN technologies. In the case of sprawling, complex organizations with multiple business units, traffic isolation can be accomplished simply by setting policies. SD-WAN technology is able to create as many as 16 virtual VPNs, all running on the same physical WAN links, says Thakkar.
4. Application-aware routing
SD-WAN products have the ability to inspect traffic at Layer 7 in order to apply granular routing policies for specific applications. In fact, some devices can identify more than 3,000 distinct applications and understand the performance requirements of each app. This feature helps companies optimize telecom costs at a granular level by constantly monitoring latency, delay, jitter and other characteristics of sensitive applications in real time, and shifting applications to the most cost-effective transport method that meets performance thresholds.
According to Ashwath Nagaraj, CTO at Aryaka Networks, application-aware routing isn’t as widely deployed as it could be. Possible explanations are that Layer 7 traffic inspection does come with some level of performance overhead, and it does require that companies take the time and effort to define policies for each app. But he argues that application-aware routing can provide significant performance and cost benefits.
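The decision logic described above is a per-application SLA check against live measurements on each transport, with cost as the tie-breaker. The block below is an added example, not code from the article or from any vendor: it selects, for each application class, the cheapest transport whose current latency, jitter and loss meet that class's thresholds, and falls back to the best-performing transport when none qualifies. The application classes, thresholds, transport names and measurements are constructed.

```python
"""Added example (not from the article or any vendor): a minimal
application-aware path selector. Application classes carry SLA thresholds;
each transport carries live measurements and a relative cost."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class Transport:
    name: str
    cost: float        # relative cost per unit of bandwidth, lower is cheaper (constructed)
    latency_ms: float  # most recent probe results
    jitter_ms: float
    loss_pct: float

    def meets(self, sla: Sla) -> bool:
        return (self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms
                and self.loss_pct <= sla.max_loss_pct)


# Constructed application classes and thresholds; a real policy would be per app.
APP_SLA = {
    "voip": Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "saas-office": Sla(max_latency_ms=250, max_jitter_ms=50, max_loss_pct=2.0),
    "bulk-backup": Sla(max_latency_ms=1000, max_jitter_ms=500, max_loss_pct=5.0),
}


def select_path(app: str, transports: list) -> str:
    """Cheapest transport that meets the app's SLA; if none does, the one that
    comes closest (lowest loss, then latency, then jitter) so traffic still flows."""
    sla = APP_SLA[app]
    qualifying = [t for t in transports if t.meets(sla)]
    if qualifying:
        return min(qualifying, key=lambda t: t.cost).name
    return min(transports, key=lambda t: (t.loss_pct, t.latency_ms, t.jitter_ms)).name


def apply_policy(transports: list) -> dict:
    """Recompute the app -> transport mapping from the latest measurements."""
    return {app: select_path(app, transports) for app in APP_SLA}
```

Run against a healthy broadband link, every class lands on broadband because it is cheapest and within thresholds; when broadband degrades, voice and SaaS traffic shift to MPLS while backups stay on broadband, which is the cost optimization the section describes. The fallback branch matters for detection and troubleshooting: a class that is repeatedly routed by fallback is a signal that no transport meets its SLA, not that the policy is working.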
5. Programmatic APIs
The use of APIs can help companies orchestrate and automate functionality throughout the SD-WAN life cycle, according to Raviv Levi, senior director of product management at Cisco Meraki. While currently an underused capability, Levi says interest is growing because IT execs are starting to understand that with APIs “large organizations can take ownership and control over the network in a way they couldn’t before.”
APIs enable enterprises to customize and automate the initial configuration of SD-WAN gear, to change configurations at scale at any time, to automate the trouble ticket process and to harvest data on WAN performance for both real-time traffic optimization and longer-term monitoring and management of the infrastructure. For example, companies can use APIs to program devices to perform more frequent polling than what is called for in the default settings.
Through APIs, companies can set up their SD-WAN infrastructure to automatically collect data that can be helpful in functions such as managing user groups, viewing audit logs, collecting device inventories, conducting real-time monitoring, and troubleshooting network devices.
6. Optimized cloud connectivity
Cloud breakout, or the ability to connect branch office traffic directly to the cloud rather than back to the data center, is one of the key benefits of SD-WAN. But in many cases, network administrators have limited or no visibility into the network performance characteristics between the end user and cloud SaaS applications. However, vendors are now offering a feature, dubbed Cloud OnRamp in the example of Cisco Viptela, that uses programmatic APIs to measure the performance of SaaS applications or of IaaS services from Amazon Web Services and Microsoft Azure.
In the IaaS scenario, a virtual instance of the SD-WAN router inside the cloud service provider’s domain continuously measures the performance of the app, giving network administrators visibility into application performance in a way that has never been available. In the SaaS scenario, the SD-WAN device connects to the closest SaaS point of presence and makes real-time decisions to choose the best-performing path. According to Rohan Grover, senior director of product management, SD-WAN and enterprise routing at Cisco, end users have seen a 40% performance improvement for popular productivity apps like Office 365.
7. Data analytics
Another underused feature of SD-WAN systems is the ability to use data analytics to troubleshoot network performance issues and to perform long-range network capacity planning. Whether you have a managed service or are taking the do-it-yourself route, a wealth of traffic data is available that covers the end-to-end WAN connection. The use of analytics eliminates the typical finger pointing that occurs between the enterprise customer, the cloud services provider, the ISP, the last-mile provider, etc.
8. End-to-end microsegmentation
Microsegmentation has become an increasingly popular approach to securing applications running in data center and cloud environments by isolating workloads based on policy. Microsegmentation gives companies greater control over east-west traffic, and if a breach occurs, it limits the attacker's potential for lateral movement.
The rise of software overlays like SDN and NFV paved the way for microsegmentation, so it’s only natural that microsegmentation would become a feature of SD-WAN overlays. According to Sunil Khandekar, CEO at Nuage Networks, the benefit of microsegmentation is that if a branch node were under attack, a central policy server could automatically take action to quarantine the branch from the rest of the network.
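Sections 3 and 8 describe two sides of one mechanism: flows are tagged with a segment (VPN) id and looked up only in that segment's own route table, so business units multiplexed onto the same WAN links never see each other's routes, and a central policy can change what a branch is allowed to reach without touching the links. The block below is an added example, not code from the article or from Nuage Networks or any other vendor. It models per-segment forwarding with longest-prefix match inside the segment, plus a quarantine action that a central policy function applies on a high-severity alert, after which only the branch's flows to the management network are forwarded. The prefixes, branch names, alert format and the use of the article's 16-segment figure as a model limit are constructed assumptions.

```python
"""Added example (not from the article or any vendor): per-segment overlay
forwarding with central quarantine. Each flow carries a segment id and is
resolved only in that segment's table; a quarantined branch keeps reaching
the management network and nothing else."""
import ipaddress
from dataclasses import dataclass

MAX_SEGMENTS = 16  # the article's figure for virtual VPNs per overlay, used as a model limit


@dataclass(frozen=True)
class Flow:
    branch: str   # originating branch node
    segment: int  # VPN / VRF id carried in the overlay header
    dst: str      # destination IP address


class Overlay:
    def __init__(self, mgmt_prefix: str):
        self.routes = {}                       # segment id -> [(network, next_hop)]
        self.quarantined = set()               # branches under quarantine
        self.mgmt_net = ipaddress.ip_network(mgmt_prefix)  # always reachable (constructed)

    def add_route(self, segment: int, prefix: str, next_hop: str) -> None:
        if not 0 <= segment < MAX_SEGMENTS:
            raise ValueError(f"segment {segment} outside 0..{MAX_SEGMENTS - 1}")
        self.routes.setdefault(segment, []).append((ipaddress.ip_network(prefix), next_hop))

    def quarantine(self, branch: str) -> None:
        self.quarantined.add(branch)

    def release(self, branch: str) -> None:
        self.quarantined.discard(branch)

    def forward(self, flow: Flow):
        """Return the next hop for the flow, or None if the overlay drops it."""
        dst = ipaddress.ip_address(flow.dst)
        if flow.branch in self.quarantined and dst not in self.mgmt_net:
            return None
        best = None
        # Longest-prefix match, but only within the flow's own segment: a route
        # installed in another segment is invisible here, which is the isolation.
        for net, next_hop in self.routes.get(flow.segment, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def handle_alert(overlay: Overlay, alert: dict, threshold: int = 7) -> bool:
    """Central policy: quarantine the reporting branch when severity reaches
    the threshold. The alert dict shape is a constructed stand-in for an IDS event."""
    if alert.get("severity", 0) >= threshold:
        overlay.quarantine(alert["branch"])
        return True
    return False
```

Two business units can both use 10.1.0.0/16 in segments 1 and 2 and be steered to different hubs, a flow tagged with an unprovisioned segment is dropped rather than leaking into a neighbor's table, and a quarantined branch keeps its path to the controller so it can still be inspected and remediated. In a real deployment the quarantine decision is the part to audit: who may raise it, how it is logged, and how release is approved.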
9. Service chaining
When branch office traffic was routed back to the data center via secure MPLS links, there wasn’t much need for additional networking and security functionality in the branch. But now that branch offices are connecting directly to the Internet, companies may find themselves with multiple branch office devices like firewalls, NAT boxes and intrusion prevention systems. Service chaining enables companies to reduce branch office clutter, as Khandekar puts it. Organizations can create a chain of connected network services and automate the way different traffic flows are treated depending on traffic requirements in areas such as security, latency or QoS.
10. Fixed wireless connectivity
Although not specifically an SD-WAN feature, experts say that enterprises setting up their branch office links should consider fixed wireless, especially if speed to deployment is of the utmost priority. For companies with a small regional footprint, ordering WAN links from the incumbent ISP can be relatively painless. But for organizations with rural locations that are not served by traditional broadband, or for companies who need to quickly provide SD-WAN to a new retail store or other pop-up business location, fixed wireless circuits can be a lifesaver.
Early SD-WAN deployments were focused primarily on basic connectivity and cost savings. But today, SD-WAN is seen as a network automation platform to support digital transformation, says Khandekar. And deploying these underused features can help IT organizations align their WAN with the needs of the business.