A software-defined wide area network (SD-WAN) is a virtualized WAN architecture that abstracts and centralizes the management of smaller and otherwise disconnected WAN networks, allowing an organization to share data and applications across branch offices, remote workers and authorized devices (also referred to as “nodes”) that span vast geographical distances and multiple telecommunications infrastructures.
Think of an SD-WAN architecture as a software-defined WAN layer that rests on top of one or more physical WAN networks. Because an SD-WAN architecture is software-based, IT staff can use it to set governance policies—such as those that determine how network resources should be prioritized—adjust and enforce user permissions, and monitor for security threats across the WAN networks that sit beneath it. Edge devices within a WAN network can also be controlled remotely from the SD-WAN solution in the architecture layer.
A traditional WAN is a network of physical routers that transmit data to and from devices within multiple local area networks (LANs), such as Ethernet or Wi-Fi networks. A WAN can use one of several protocols to transmit data, such as multiprotocol label switching (MPLS). MPLS is a protocol that routes WAN traffic along the shortest physical path.
While a single LAN is relegated to a physical location such as an office building, a WAN can include multiple LANs that are in the same office as well as different buildings miles apart.
However, WANs are restricted to their region’s telecommunications circuit and the service-level agreement (SLA) of an internet provider’s transport service. For example, a WAN that carries information across cable or broadband internet provided by that region’s internet provider cannot extend beyond that physical infrastructure. So, the WAN network can encompass all 20 LANs from both offices only because they share the same transport service. If the organization owns a third office building that resides in a region with a different transport service, a separate WAN is needed to manage any LAN connections there. Additionally, the offices within the WAN are limited to the bandwidth their internet access guarantees. This is where an SD-WAN offers several benefits over a traditional WAN.
By serving as the software layer that lives on top of a series of router-based WANs, an SD-WAN extends beyond the physical limitations that those WANs face. It allows all network traffic spanning various regions, infrastructure types and transport service providers to be monitored, controlled and optimized from a single application accessible to any authorized user from anywhere. Conversely, without an SD-WAN above a series of WAN networks, the control and configuration of each individual WAN is restricted to the hardware level.
A secure access service edge (SASE) architecture is an alternative to SD-WAN. Both architecture types serve as forms of WAN optimization and fall under the broader category of software-defined networking (SDN). Much like how an SD-WAN centralizes the management of a series of WANs in an abstracted software layer, a SASE architecture abstracts a network’s management and security services into a cloud-based deployment that resides closer to or on the edge of a network.
While SD-WAN architecture places emphasis on the connectivity between locations, a SASE deployment is concerned with network endpoints and the devices that use the network.
An SD-WAN architecture establishes a software-based controller that consolidates and centralizes the unique configuration settings of each underlying WAN network, enabling data provisioning, network security protocols, and policy settings to be orchestrated to multiple WAN endpoints and edge devices at the same time.
This centralized software layer is formed by establishing encrypted tunnels (also known as “the overlay”) between it and the WAN networks it manages, via an SD-WAN device. Each WAN location is equipped with an SD-WAN device that serves as a communication hub between that physical WAN network and the SD-WAN software layer. This device receives and enforces custom-defined configuration and traffic policies from the centralized SD-WAN layer above it. These physical SD-WAN devices can be managed remotely and are what enable the SD-WAN layer to operate beyond a WAN’s physical boundary.
An SD-WAN is not a virtual private network (VPN). SD-WAN architecture serves as a central gateway for all devices on the underlying series of one or more WAN networks. In contrast, a VPN establishes a private point-to-point connection across a public network such as the internet. In a VPN internet connection, network traffic is routed through an encrypted tunnel managed by the VPN provider’s private server network.
Because an SD-WAN combines the underlying network services of multiple WANs, it can use any of those services to optimize the performance of each application. These services include the physical infrastructure, such as transport service and bandwidth capacity, and security features such as firewall settings. Optimized settings for each application are determined by application performance monitoring and configured through policy settings.
Because the SD-WAN exists as a virtualized layer, it provides several advantages over a traditional WAN, including:
An SD-WAN can overcome a circuit issue from one of its underlying WANs by redirecting traffic. Alternatively, IT staff can also automate the SD-WAN to perform one of the following quality of service (QoS) techniques to mitigate packet loss and jitter:
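The controller-to-edge policy model, application-aware path selection from performance monitoring, and circuit failover described above, as an added example in Python that is not part of the original article and is not IBM's or any SD-WAN vendor's code. The class names (`Controller`, `EdgeDevice`, `AppPolicy`, `PathMetrics`), the transport names (`mpls`, `broadband`) and all latency, jitter and loss figures are constructed for illustration; a real edge device would obtain the metrics by continuously probing each underlay.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PathMetrics:
    """Measured state of one underlay transport (MPLS, broadband, LTE ...) at a site."""
    name: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int  # relative cost of carrying traffic on this transport; lower is cheaper


@dataclass
class AppPolicy:
    """Per-application SLA and transport preference, defined once on the controller."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: List[str]  # ordered transport preference, first is most preferred


def meets_sla(path: PathMetrics, policy: AppPolicy) -> bool:
    """A path is usable for an application only if it is up and within the SLA."""
    return (path.up
            and path.latency_ms <= policy.max_latency_ms
            and path.jitter_ms <= policy.max_jitter_ms
            and path.loss_pct <= policy.max_loss_pct)


class EdgeDevice:
    """SD-WAN device at one WAN site: enforces pushed policies, picks the overlay path per app."""

    def __init__(self, site: str, paths: List[PathMetrics]) -> None:
        self.site = site
        self.paths: Dict[str, PathMetrics] = {p.name: p for p in paths}
        self.policies: Dict[str, AppPolicy] = {}

    def apply_policies(self, policies: Dict[str, AppPolicy]) -> None:
        # Called only by the controller; the edge never edits policy locally.
        self.policies = dict(policies)

    def update_metrics(self, name: str, **changes) -> None:
        # Constructed stand-in for the results of probing an underlay circuit.
        for key, value in changes.items():
            setattr(self.paths[name], key, value)

    def select_path(self, app: str) -> Tuple[Optional[str], bool]:
        """Return (transport name, sla_met).

        Among live transports that meet the SLA, follow the policy's preference
        order and break ties on cost. If none meets the SLA, fail over to the
        best remaining live transport (lowest loss, then latency) so the
        application keeps running in degraded mode. (None, False) means the
        site has no live underlay at all.
        """
        policy = self.policies.get(app) or self.policies["default"]
        rank = {name: i for i, name in enumerate(policy.preferred)}
        live = [p for p in self.paths.values() if p.up]
        if not live:
            return None, False
        good = [p for p in live if meets_sla(p, policy)]
        if good:
            best = min(good, key=lambda p: (rank.get(p.name, len(rank)), p.cost))
            return best.name, True
        best = min(live, key=lambda p: (p.loss_pct, p.latency_ms))
        return best.name, False


class Controller:
    """Centralized SD-WAN layer: the single place where policy is set and pushed to all edges."""

    def __init__(self) -> None:
        self.policies: Dict[str, AppPolicy] = {}
        self.edges: List[EdgeDevice] = []

    def register(self, edge: EdgeDevice) -> None:
        self.edges.append(edge)
        edge.apply_policies(self.policies)

    def set_policy(self, policy: AppPolicy) -> None:
        self.policies[policy.app] = policy
        for edge in self.edges:  # one change is orchestrated to every site at once
            edge.apply_policies(self.policies)


def build_demo_site() -> Tuple[Controller, EdgeDevice]:
    """Constructed sample: one branch with an MPLS circuit and a cheaper broadband link."""
    ctrl = Controller()
    ctrl.set_policy(AppPolicy("default", 300, 50, 3.0, ["broadband", "mpls"]))
    ctrl.set_policy(AppPolicy("voice", 100, 5, 1.0, ["mpls", "broadband"]))
    ctrl.set_policy(AppPolicy("backup", 500, 100, 5.0, ["broadband", "mpls"]))
    branch = EdgeDevice("branch-1", [
        PathMetrics("mpls", True, 20.0, 2.0, 0.1, cost=10),
        PathMetrics("broadband", True, 45.0, 8.0, 0.5, cost=2),
    ])
    ctrl.register(branch)
    return ctrl, branch


if __name__ == "__main__":
    _, branch = build_demo_site()
    print("voice ->", branch.select_path("voice"))
    print("backup ->", branch.select_path("backup"))
    branch.update_metrics("mpls", up=False)  # the MPLS circuit fails
    print("voice after MPLS outage ->", branch.select_path("voice"))
```

The point to notice is the split of responsibility: the controller is the only place policy changes, and every edge receives the same policy in one push, while each edge makes the per-flow path decision locally from its own measured metrics. The `sla_met` flag is what a monitoring system would alert on, since a flow silently riding a degraded path is the condition an operator most wants to see.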
Three common SD-WAN architectures include:
An internet-based SD-WAN is also known as a “do it yourself” SD-WAN, and it is one in which an organization deploys an SD-WAN using in-house resources. The company’s IT staff is responsible for the installation of the necessary SD-WAN devices, the deployment of the SD-WAN software, and the ongoing maintenance and management of the SD-WAN.
A telco or MSP service SD-WAN is one in which an organization pays a service provider to install and deliver SD-WAN connectivity across its WAN locations. The provider supplies equipment and labor, and ensures that the necessary network and transport services are available.
Managed SD-WAN as a service allows an organization to access a provider’s existing SD-WAN architecture through software orchestration. This SD-WAN resides on the provider’s private network and is often offered as a Software as a Service (SaaS) to clients.
IBM Hybrid Cloud Mesh offers simple, secure and predictable application-centric connectivity.
Designed for modern networks, IBM SevOne® Network Performance Management (NPM) helps you spot, address, and prevent network performance issues early with machine learning-powered analytics. With real-time, actionable insights, it helps proactively monitor multi-vendor networks across enterprise, communication, and managed service providers.