What is an SD-WAN Architecture?

WAN Architecture is the configuration of a network best suited for an enterprise’s environment. There are a variety of architectures to choose from, from hybrid WAN to SD-WAN, and maintaining and optimizing your WAN setup is important for application performance and end-user productivity.

The 2018 Guide to WAN Architecture and Design by Dr. Jim Metzler, sponsored in part by Apcela, asserts that it is important to keep up with the evolving WAN in order to protect cloud resources and mobile users. With more applications migrating to the cloud and users accessing enterprise apps from branch offices and remote locations, it’s critical to understand emerging alternatives to traditional approaches for WAN architecture, networking and security.

Types of WAN Architecture

The various types of WAN architecture support different speeds and device configurations, and different branch sizes may call for different WAN setups. The main buckets for WAN architecture, particularly SD-WAN, are: On-Premises, Cloud-Enabled, and Cloud-Enabled plus Backbone.

SD-WAN Architecture Types

SD-WAN Architecture: Design Considerations for Performance and Security

1. On-Premises

On-prem involves a plug-and-play SD-WAN box that connects only your company’s sites – and not any cloud gateways. The best fit for this architecture type is a company that hosts all of its applications in-house and runs no cloud applications. MPLS is a common configuration for real-time apps such as voice or video, coupled with public internet for everything else. This model features lower costs (especially for bandwidth), multi-circuit/ISP load balancing, real-time traffic shaping, and improved disaster recovery via backup connectivity.

2. Cloud-Enabled

This configuration includes both hardware and software: an onsite SD-WAN box connected to a virtual gateway. This approach delivers the benefits of both on-prem and cloud-enabled architectures, with real-time traffic shaping and multi-circuit failover, plus increased performance for cloud apps. Cloud gateways are directly networked to major cloud providers including Microsoft Office 365, Salesforce, AWS, Dropbox and Azure. Companies running major cloud apps are best suited for this system, especially if they continue to host in-house apps on a small MPLS network and run all other cloud apps over the public internet.

3. Cloud-Enabled plus Backbone

This third option goes a step further by adding a private backbone to avoid the problems of the public internet backbone. It offers an on-site SD-WAN box that connects your company’s site to the SD-WAN provider’s nearest network point of presence (POP), where your traffic is redirected onto the provider’s private, fiber optic network backbone. This use of a global, low-latency private backbone guarantees reduced latency, packet loss and jitter. Network and application performance, especially for real-time and latency-sensitive apps, improves. Like the second model, it also connects to major cloud app providers such as Office 365, Salesforce and AWS, and serves as a dedicated gateway to hundreds of public cloud services.

This option is typically used by companies that want to optimize, or even scrap, their MPLS network. Instead, they opt to run mission-critical and real-time apps over a private network to avoid the high latency and security issues of the public internet, while routing lower priority traffic over network paths that are adequate from a performance and/or price standpoint. This specialized configuration is delivered by only a handful of vendors, including Apcela which offers a range of network, security, and application delivery solutions that extend the enterprise core to the network edge, replacing the need for expensive MPLS.
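The path-selection behaviour described above, in which real-time and mission-critical apps stay on the private transports while lower-priority traffic takes whatever path is adequate on performance and price, is the core mechanism of an SD-WAN controller. The following is an added example, not code from Apcela or from the page; the transport names, the latency/loss/jitter measurements and the per-class SLA thresholds are all constructed. It shows how a per-application policy turns probe measurements into a path choice, and how failover falls out of the same rule when a circuit degrades.

```python
"""Application-aware path selection across SD-WAN transports (constructed example).

Three transports (MPLS, provider private backbone, public internet) carry
made-up probe measurements. Each application class has SLA thresholds:
real-time classes pick the best-performing eligible private path, while
other classes pick the cheapest path that is still adequate.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PathStats:
    """One WAN transport with its latest probe measurements (constructed values)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: int        # relative cost per Mbps; lower is cheaper
    private: bool    # MPLS / provider backbone = True, public internet = False


@dataclass(frozen=True)
class AppPolicy:
    """SLA thresholds for one application class (constructed thresholds)."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    prefer_private: bool   # keep this class off the public internet when possible
    quality_first: bool    # choose lowest latency (True) or lowest cost (False)


POLICIES: Dict[str, AppPolicy] = {
    "voice": AppPolicy("voice", 150, 1.0, 30, prefer_private=True, quality_first=True),
    "video": AppPolicy("video", 200, 2.0, 50, prefer_private=True, quality_first=True),
    "saas":  AppPolicy("saas", 300, 3.0, 100, prefer_private=False, quality_first=False),
    "bulk":  AppPolicy("bulk", 1000, 10.0, 500, prefer_private=False, quality_first=False),
}

# Constructed measurements for a healthy network.
SAMPLE_PATHS: List[PathStats] = [
    PathStats("mpls", latency_ms=40, loss_pct=0.1, jitter_ms=5, cost=10, private=True),
    PathStats("backbone", latency_ms=60, loss_pct=0.2, jitter_ms=8, cost=6, private=True),
    PathStats("internet", latency_ms=90, loss_pct=1.5, jitter_ms=40, cost=1, private=False),
]


def meets_sla(path: PathStats, policy: AppPolicy) -> bool:
    """A path is eligible only if every measured metric is within the class SLA."""
    return (path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct
            and path.jitter_ms <= policy.max_jitter_ms)


def select_path(app_class: str, paths: Iterable[PathStats],
                policies: Dict[str, AppPolicy] = POLICIES) -> Optional[PathStats]:
    """Pick the transport for one application class, or None if nothing meets its SLA.

    Failover needs no extra logic: a path whose loss or jitter spikes past the
    threshold stops being eligible, and the next-best path is chosen instead.
    """
    policy = policies[app_class]
    eligible = [p for p in paths if meets_sla(p, policy)]
    if policy.prefer_private:
        private = [p for p in eligible if p.private]
        if private:  # fall back to the internet only when no private path qualifies
            eligible = private
    if not eligible:
        return None
    if policy.quality_first:
        return min(eligible, key=lambda p: (p.latency_ms, p.loss_pct, p.jitter_ms))
    return min(eligible, key=lambda p: (p.cost, p.latency_ms))


def degrade(paths: Iterable[PathStats], name: str, **measurements) -> List[PathStats]:
    """Copy the path list with one path's measurements overridden
    (simulates a probe reporting a brownout on that circuit)."""
    return [replace(p, **measurements) if p.name == name else p for p in paths]


def plan(paths: Iterable[PathStats]) -> Dict[str, Optional[str]]:
    """Map every application class to the name of its selected path (or None)."""
    paths = list(paths)
    result: Dict[str, Optional[str]] = {}
    for cls in POLICIES:
        chosen = select_path(cls, paths)
        result[cls] = chosen.name if chosen else None
    return result


if __name__ == "__main__":
    print("healthy:", plan(SAMPLE_PATHS))
    # MPLS circuit starts dropping 5% of packets: voice and video move to the backbone.
    print("mpls brownout:", plan(degrade(SAMPLE_PATHS, "mpls", loss_pct=5.0)))
    # Both private paths down: real-time classes use the internet only where it still
    # meets their SLA (internet jitter 40 ms exceeds the 30 ms voice limit, so voice gets None).
    both_down = degrade(degrade(SAMPLE_PATHS, "mpls", loss_pct=100.0), "backbone", loss_pct=100.0)
    print("private down:", plan(both_down))
```

The `None` result for voice in the last scenario is deliberate: a controller that silently pushes real-time traffic onto a path that violates its SLA hides the outage, whereas an explicit "no eligible path" outcome can be alerted on and handled by a conscious best-effort decision.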

Securing SD-WAN Architectures

Taking it a step further, moving to SD-WAN introduces new options for tackling typical enterprise network security challenges. The optimal WAN architecture for an enterprise must not only support performance requirements but also address security priorities.

Gartner recently defined four architectural options for securing SD-WAN infrastructures, including SD-WAN with embedded firewall, firewall with embedded SD-WAN, SD-WAN with SWG, and SD-WAN with third-party firewall. These architectures differ by security level, branch office profile and relative costs. Some next-generation security architectures use embedded security in SD-WAN products to secure internet access, while ensuring network security requirements are supported via traditional next-generation firewalls or secure web gateway services.

To meet the demands of a particular SD-WAN architecture, the security solution should be matched to it and adhere to many of the same design criteria for speed, performance, flexibility and scalability. This becomes even more critical for enterprises operating hybrid environments, which often combine elements of legacy infrastructure with new networking components.

To learn more on how to build secure, cloud-ready WAN architecture for hybrid IT environments, view our Network World article.
