Digital transformation is happening now, and fast. It includes cloud, services, mobile. It’s hybrid, it’s the Internet, it’s the user. Most importantly, it’s the seamless orchestration of all these things together.
“True digital transformation is the ability to orchestrate apps, networks, and devices to provide seamless access to digital services for end-users.”
Such orchestration can only be achieved by the one thing that connects everything: the network. In the highly centralized, controlled, and self-contained enterprise IT environments of the past, static hardware-based networking worked well enough.
This is a period of significant growth for SD-WAN as we move past the initial hype phase. Many companies have done pilot projects and proofs-of-concept and are now moving to enterprise-scale. With successful large-scale deployments, SD-WAN is becoming a trusted technology critical to maximizing the value of the cloud.
Creating an enterprise-scale software-defined connectivity and orchestration fabric requires the ability to:
Manage centrally from a cloud console with a complete view of the connectivity fabric that unifies all enterprise networks, from the hybrid WAN at branch locations, into cloud infrastructure environments and even reaching to the end user with branch wireless and wired LAN networks.
Orchestrate globally with business-aligned policies that automate enforcement of performance objectives and access privileges for all apps/users, wherever they may be.
Deploy remotely with zero-touch activation of on-prem network components, and “one-click” extension into cloud networks.
These are the three essential requirements of an SD-WAN architecture which this paper explores in detail.
The Ability to Manage Centrally
Improving agility in the midst of complexity. The pressure on IT organizations to quickly deploy sites, roll out applications, manage changes, and ensure seamless application performance across the enterprise is the highest it’s ever been, and will only continue to grow.
At the same time, the complexity of the hybrid environment in which IT must assure end-to-end security, performance, and visibility is the highest it’s ever been, and will only continue to grow.
The requirement for network management going forward is that it be performed centrally, via policy, from a single pane of glass: one integrated management platform with a comprehensive view of the enterprise connectivity fabric that connects datacenter and cloud apps with branch and mobile users, spanning and unifying hybrid WANs, cloud networks, and branch wireless and wired LANs under a single policy framework.
To achieve this goal, the central SD-WAN orchestrator must:
□ Support business-aligned policy through the use of simple, plain-language instructions based on a new set of primitives—apps, users, locations, performance SLAs, and security constraints.
□ Enable software-defined control across a unified network fabric that extends across cloud networks, WANs, and branch LANs/WLANs to ensure seamless, secure application delivery, controlled by business policies, from any point to any point.
□ Provide intuitive, cloud-centric workflows that allow instant and elastic expansion of new network end-points without additional operational overhead.
□ Automate creation of secure and encrypted inter-connectivity (VPNs) between datacenters, remote locations, the cloud, and end-users.
□ Enforce performance and security control based on policy defined in the central management console.
The Ability to Orchestrate Globally
For today’s hybrid enterprise, an effective SD-WAN solution must apply the power of software-defined and business policy-based orchestration across the entire connectivity fabric, spanning hybrid WANs, cloud networks, and branch wireless and wired LANs.
Securing, optimizing, troubleshooting SaaS apps. SD-WANs need to enable total management of SaaS applications from local breakout management, to latency mitigation, to visibility into end-user experience. Factors affecting application performance include:
Physical distance from the end user to the application server, which is typically longer with cloud-based apps than on-premises apps;
Added distance in the network path when SaaS traffic is backhauled through an enterprise datacenter or via low-cost but indirect routes on the Internet;
Bandwidth constraints that slow large file transfers associated with certain SaaS apps;
Health and performance of the end-user device.
Ensuring end-to-end visibility. Effective optimization of application flows over the SD-WAN requires a proper understanding of both available network resources and usage of those resources by individual applications and users.
The goal is to use business-aligned, policy-based automation to define quality of service and access privileges for all apps and users, combined with automated path selection, end-to-end performance monitoring, WAN optimization, and security.
To achieve this goal, your SD-WAN solution must include a range of innovations that solve the hardcore technical issues involved in global orchestration:
□ Automated and secure connectivity to and between cloud networks and to branch networks to minimize operational overhead in creating VPNs.
□ Seamless integration with critical network services.
□ Efficient management of local breakouts with the ability to select traffic directed to local breakouts vs. central breakouts vs. cloud-based security brokers from the very first packet based on Layer 7 information.
□ Automated path control with the ability to path select based on application type, business priority, and path quality as determined by available bandwidth, latency, jitter, or packet loss.
□ End-to-end network segmentation with all aspects of the segmentation integrated into a single concept of “zones”:
Ability to segregate traffic based on applications defined at Layer 7.
Ability to segregate traffic based on users with Active Directory Sync.
Ability to segregate traffic across the WAN and into branch wireless and wired LANs using VLANs and Wi-Fi authentication.
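As an added illustration (not code from the paper or any vendor product) of how zone segmentation and quality-based path control fit together, the following constructed policy engine classifies a flow into a zone from its Layer 7 application and the user's directory group, restricts the flow to the paths that zone is allowed to use, and only then picks the best path by measured latency, jitter, loss, and bandwidth. All zone names, SLA thresholds, and path measurements are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    bandwidth_mbps: float
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass(frozen=True)
class Zone:
    name: str
    allowed_paths: frozenset   # segmentation: the only paths this zone may use
    max_latency_ms: float      # SLA thresholds (constructed values)
    max_jitter_ms: float
    max_loss_pct: float

# Constructed zone table: membership comes from the Layer 7 app and the user's
# directory group; guest and BYOD users are always confined to "guest".
ZONES = {
    "finance": Zone("finance", frozenset({"mpls", "vpn-broadband"}), 80, 10, 0.5),
    "saas": Zone("saas", frozenset({"vpn-broadband", "local-breakout"}), 150, 30, 1.0),
    "guest": Zone("guest", frozenset({"local-breakout"}), 300, 50, 3.0),
}
APP_TO_ZONE = {"erp": "finance", "voip": "saas", "office365": "saas"}

def classify(app: str, user_group: str) -> Zone:
    if user_group in ("guest", "byod"):
        return ZONES["guest"]
    return ZONES[APP_TO_ZONE.get(app, "guest")]   # unknown apps default to guest

def meets_sla(p: Path, z: Zone) -> bool:
    return (p.latency_ms <= z.max_latency_ms and p.jitter_ms <= z.max_jitter_ms
            and p.loss_pct <= z.max_loss_pct)

def select_path(zone: Zone, paths: list):
    """Segmentation first, SLA second, then best measured quality; None when the
    zone has no permitted path (drop rather than leak onto a forbidden path)."""
    permitted = [p for p in paths if p.name in zone.allowed_paths]
    if not permitted:
        return None
    # Degrade to the best permitted path if none meets the SLA; never cross zones.
    healthy = [p for p in permitted if meets_sla(p, zone)] or permitted
    best = min(healthy, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms, -p.bandwidth_mbps))
    return best.name

# Constructed path measurements: bandwidth Mbps, latency ms, jitter ms, loss %.
PATHS = [Path("mpls", 50, 40, 5, 0.1), Path("vpn-broadband", 200, 90, 20, 0.8),
         Path("local-breakout", 300, 60, 15, 0.2)]
```

Note that a BYOD user running the ERP app still lands on the local breakout: the zone decision is made before any quality comparison, so a well-performing private path is never offered to traffic that is not allowed on it.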
The Ability to Deploy Remotely
With cloud-based apps, every user is remote. An effective SD-WAN solution must extend the enterprise connectivity and orchestration fabric from the central place of management to provide all users, whether employees, partners, or customers, wherever they are located, with easy, secure, high-performing access to the applications and data they need.
Integrating with existing network elements. Automated, zero-touch provisioning is especially critical as enterprises migrate from a few SD-WAN branch locations to thousands.
Extending into LANs and WLANs. SD-WAN policy-based management must extend into branch LANs and WLANs to support such common use cases as:
Guest Wi-Fi. SD-WAN solutions must include the capability to define specific policies for performance and security (including web filtering).
BYOD. Logical segregation of the network into zones allows BYOD traffic or other insecure traffic to be placed on different paths as compared to sensitive/confidential data traffic, in order to help prevent security breaches without requiring significant overhead in management.
IoT. These same required policy capabilities can be extended into IoT environments where IoT traffic should be segregated from traditional traffic for security or performance reasons.
The goal is to deploy locally with zero touch via automated activation of all necessary secure WAN gateways, branch LAN switches, Wi-Fi access points, firewalls and WAN optimization.
To achieve this goal, your SD-WAN must enable:
□ Zero-touch provisioning of new branch equipment without requiring skilled personnel at the branch locations.
□ Branch router overlay or replacement with the ability to operate in conjunction with or replace the Customer Premise Equipment (CPE) branch routing device with a “thin” branch device where core SD-WAN and routing capabilities are available on the same physical or virtual appliance.
□ Security via native firewall capability and ability to integrate with third-party CASB or on-prem firewalls.
□ Deployment options with appliances available in physical, virtual, and cloud-based form factors for flexibility to integrate with white box hardware/NFV deployments and into public/private cloud environments.
□ A complete software-defined networking solution spanning all endpoints including secure SD-WAN gateways in the branch, datacenter, and cloud, as well as wireless access points and wired LAN switches in remote business locations.