What is SD-WAN?

A software-defined wide area network (SD-WAN) is a virtualized WAN architecture that abstracts and centralizes the management of smaller, otherwise disconnected WANs.

SD-WAN allows an organization to share data and applications across branch offices, remote workers and authorized devices (also referred to as “nodes”) that span vast geographical distances and multiple telecommunications infrastructures.

Think of an SD-WAN architecture as a software-defined WAN layer that rests on top of one or more physical WAN networks. Because an SD-WAN architecture is software-based, IT staff can use it to set governance policies, such as those that determine how network resources should be prioritized, to adjust and enforce user permissions, and to monitor for security threats across the WAN networks that sit beneath it. Edge devices within a WAN network can also be controlled remotely from the SD-WAN solution in that architecture layer.

Because an SD-WAN stitches together transports with different performance and security characteristics, monitoring of the overlay is what makes it possible to manage performance, verify that traffic is taking the intended paths, and spot misuse in a mixed network environment.

WAN vs. SD-WAN

A traditional WAN is a network of physical routers that carries data between devices on multiple local area networks (LANs), such as the Ethernet or Wi-Fi networks at each site. A WAN can use one of several transport technologies, such as multiprotocol label switching (MPLS). MPLS forwards traffic along pre-established label-switched paths using short labels instead of per-hop IP lookups, which gives predictable performance on a private carrier network. It does not provide confidentiality: MPLS separates one customer's traffic from another's but does not encrypt it.

While a single LAN is confined to a physical location such as an office building, a WAN can include multiple LANs in the same office as well as in different buildings miles apart.

However, a WAN is tied to the telecommunications circuits available in its region and to the service-level agreement (SLA) of the provider's transport service. For example, a WAN that carries information across cable or broadband internet supplied by that region's provider cannot extend beyond that physical infrastructure. So a WAN can encompass all the LANs in two offices only because those offices share the same transport service. If the organization owns a third office building in a region served by a different transport service, a separate WAN is needed to manage the LAN connections there. Additionally, the offices within the WAN are limited to the bandwidth their internet access guarantees. This is where an SD-WAN offers several benefits over a traditional WAN.

By serving as the software layer that lives on top of a series of router-based WANs, an SD-WAN extends beyond the physical limitations those WANs face. It allows all network traffic spanning various regions, infrastructure types and transport service providers to be monitored, controlled and optimized from a single application, accessible to any authorized user from anywhere. Without an SD-WAN above a series of WANs, by contrast, each WAN must be controlled and configured router by router, at the hardware level.

What is the difference between SD-WAN and SASE?

A secure access service edge (SASE) architecture is not an alternative to SD-WAN but a superset of it. SASE combines SD-WAN connectivity with cloud-delivered security services (secure web gateway, cloud access security broker, zero trust network access and firewall as a service) that are consumed at points of presence close to the users and sites they protect. Both approaches are forms of software-defined networking (SDN) applied to the WAN: much as an SD-WAN centralizes the management of a series of WANs in an abstracted software layer, a SASE architecture abstracts both network management and security enforcement into a cloud-based deployment that resides closer to or on the edge of the network.

While an SD-WAN architecture places its emphasis on the connectivity between locations, a SASE deployment is concerned with securing the users and devices that use the network, wherever they connect from.

How does an SD-WAN work?

An SD-WAN architecture establishes a software-based controller that consolidates and centralizes the configuration of each underlying WAN, so that provisioning, security settings and traffic policies can be orchestrated to many WAN endpoints and edge devices at the same time.

This centralized layer is built from two kinds of connection. Each WAN location is equipped with an SD-WAN edge device (a physical appliance or a virtual one) that keeps an authenticated control connection to the controller and builds encrypted data-plane tunnels, typically IPsec, to the other edge devices. That mesh of tunnels is known as "the overlay"; the transports beneath it are "the underlay". The edge device receives custom-defined configuration and traffic policies from the controller and enforces them locally, and it typically keeps forwarding on its last known policy if the controller is temporarily unreachable. Because these devices are managed remotely, the SD-WAN layer can operate beyond any single WAN's physical boundary. The same centralization makes the controller and its control channel the highest-value target in the design: whoever controls the controller can rewrite policy for every site. Device identity established at enrollment, mutual authentication of the control channel, and versioned, integrity-checked policy therefore matter as much as the ciphers used on the tunnels.
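The policy-acceptance checks an edge device should make are easier to see in code. The block below is an added illustration, not code from this page or from any SD-WAN product: the policy layout, the per-device shared key and the HMAC-SHA256 tag are constructed assumptions standing in for the per-device certificates and mutually authenticated TLS/DTLS that real products use. What it shows is the shape of the check: the edge applies a policy only if its integrity tag verifies, it is addressed to this device, and its version is strictly newer than the running one, so a tampered, misdirected or replayed policy is refused.

```python
"""Edge-side acceptance of policy pushed by the SD-WAN controller.

Added illustration; not any vendor's protocol and not code from the page.
The policy layout, the shared key and the HMAC tag are constructed
assumptions standing in for certificate-based mutual authentication.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

Policy = Dict[str, Any]


def canonical(policy: Policy) -> bytes:
    """Deterministic encoding so controller and edge hash identical bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(key: bytes, policy: Policy) -> str:
    """Controller side: integrity tag over the canonical policy (assumed scheme)."""
    return hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()


class EdgeDevice:
    """Accepts a policy only if it is authentic, addressed to this device and
    strictly newer than the one already running (no rollback, no replay)."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key
        self.version = 0
        self.running: Policy = {}

    def apply(self, policy: Policy, tag: str) -> Tuple[bool, str]:
        expected = sign_policy(self.key, policy)
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return False, "rejected: bad tag"
        if policy.get("device") != self.device_id:     # a valid policy for another edge is still refused
            return False, "rejected: addressed to another device"
        version = policy.get("version", 0)
        if not isinstance(version, int) or version <= self.version:
            return False, "rejected: stale or replayed version"
        self.version = version
        self.running = policy
        return True, f"applied version {version}"


def example_policy(device: str, version: int) -> Policy:
    """Constructed policy in the shape the page describes: segmentation plus
    per-application transport preference, SLA bound and tunnel requirement."""
    return {
        "device": device,
        "version": version,
        "segments": {"corp": "10.10.0.0/16", "guest": "10.99.0.0/16"},
        "apps": {
            "voice": {"prefer": ["mpls", "broadband"], "max_loss_pct": 1, "tunnel_only": True},
            "saas": {"prefer": ["dia", "broadband"], "max_loss_pct": 2, "tunnel_only": False},
        },
    }


if __name__ == "__main__":
    key = b"constructed-shared-key"
    edge = EdgeDevice("branch-07", key)
    p1 = example_policy("branch-07", 1)
    print(edge.apply(p1, sign_policy(key, p1)))       # applied
    print(edge.apply(p1, sign_policy(key, p1)))       # replay of the same version is refused
```

The version check is what stops a captured, correctly signed policy from being replayed later to undo a tightening; the address check stops one branch's policy being pushed to another. Both are cheap, and both are missed more often than the tunnel cipher is.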

What are some use cases for SD-WAN?
  • Cloud and edge computing models: An SD-WAN can be deployed as a meshed topology to support a distributed computing environment in which large quantities of data are processed at the edge. This alleviates the backhauling that a traditional hub-and-spoke WAN creates, where all traffic between sites, and to the cloud, is routed through the corporate data center. When such a WAN is under heavy use, data bottlenecks at that data center; imagine five lanes of traffic being forced to funnel through a single toll booth. With an SD-WAN, branch traffic can be sent directly to cloud services and edge systems under central policy, eliminating the need for data and application traffic to transit the data center
  • End-to-end security integration across the network: Because an SD-WAN architecture creates a virtualized network, security functions such as firewalling and traffic inspection can be inserted at any point across a physical or cloud-based infrastructure. Additionally, an SD-WAN provides a single point of visibility for an entire network comprised of multiple WANs, so security monitoring and management become centralized and scalable. Security policies can be defined for the network as a whole or customized for specific segments, each carried over its own encrypted tunnels
  • Centralized management: An SD-WAN provides a single point of control for a complex series of WAN networks and makes this control accessible anywhere to authorized users. For example, in the event of a merger between two financial firms, an SD-WAN can elevate the management of the disparate WAN networks across both organizations into an abstracted software layer. Within this centralized management, IT staff can perform network segmentation to divide the entire network into smaller segments where localized policies can be set and enforced. This gives IT staff a level of granular control over the network while retaining total visibility and management over the network at large
  • Ensuring SLAs are met for specific applications: With an SD-WAN, network administrators can define and adjust priorities for mission-critical applications to ensure they always have the network resources and pathways needed to meet requirements. Imagine a busy highway with an open carpool lane that’s reserved for mission-critical data to get where it’s needed as fast as possible. This “carpool lane” may be the network’s 5G bandwidth, while the slower-moving lane may be the network’s 4G LTE bandwidth. Through the SD-WAN interface, an IT staff member designates which apps get to use this lane to reach their destinations as fast as possible
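The SLA-driven steering in the last bullet, and the failover it implies, is a small decision procedure once written down. The block below is an added example, not code from this page or from any SD-WAN vendor; the transport names, SLA thresholds and probe readings are constructed assumptions, and real products feed the equivalent logic from their own keepalive probes. It goes slightly beyond the text in two ways a practitioner cares about: a tunnel-only application is never silently sent over a direct internet breakout when its preferred paths are down (it fails closed instead), and fail-back to the preferred path is damped so a flapping circuit does not bounce traffic every probe round.

```python
"""Application-aware path selection across the transports under an SD-WAN.

Added illustration, not code from the page or any vendor. Transport names,
SLA thresholds and probe readings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sla:
    """Worst tolerable loss (%), one-way latency (ms) and jitter (ms)."""
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Probe:
    """Latest measurement of one transport, as an edge device would report it."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    up: bool = True
    tunneled: bool = True   # False = direct internet breakout, outside the encrypted overlay


@dataclass(frozen=True)
class AppPolicy:
    name: str
    preferred: List[str]      # transports in order of preference
    sla: Sla
    tunnel_only: bool = True  # sensitive apps must never leave the encrypted overlay


def meets_sla(p: Probe, sla: Sla) -> bool:
    return (p.up and p.loss_pct <= sla.max_loss_pct
            and p.latency_ms <= sla.max_latency_ms
            and p.jitter_ms <= sla.max_jitter_ms)


def select_path(policy: AppPolicy, probes: Dict[str, Probe]) -> Optional[str]:
    """First preferred transport that is up, permitted and within SLA.

    If none is within SLA, degrade to the least lossy permitted transport
    rather than dropping the application. Return None only when nothing
    permitted is up: a tunnel-only app is never pushed in the clear."""
    allowed = [t for t in policy.preferred
               if t in probes and probes[t].up
               and (probes[t].tunneled or not policy.tunnel_only)]
    for t in allowed:
        if meets_sla(probes[t], policy.sla):
            return t
    if not allowed:
        return None
    return min(allowed, key=lambda t: (probes[t].loss_pct, probes[t].latency_ms))


class PathSelector:
    """Stateful steering with flap damping: fail over at once when the active
    path breaks SLA, but fail back to a more preferred path only after it has
    met SLA on `stable_probes` consecutive probe rounds."""

    def __init__(self, policy: AppPolicy, stable_probes: int = 3) -> None:
        self.policy = policy
        self.stable_probes = stable_probes
        self.active: Optional[str] = None
        self.streak: Dict[str, int] = {}

    def update(self, probes: Dict[str, Probe]) -> Optional[str]:
        for name, p in probes.items():
            ok = meets_sla(p, self.policy.sla)
            self.streak[name] = self.streak.get(name, 0) + 1 if ok else 0
        best = select_path(self.policy, probes)
        active_ok = self.active in probes and meets_sla(probes[self.active], self.policy.sla)
        if not active_ok:
            self.active = best                        # first choice, or immediate failover
        elif best != self.active and self.streak.get(best, 0) >= self.stable_probes:
            self.active = best                        # damped fail-back
        return self.active


if __name__ == "__main__":
    voice = AppPolicy("voice", ["mpls", "broadband", "lte"], Sla(1.0, 150, 30))
    good = {"mpls": Probe(0.1, 40, 5), "broadband": Probe(0.5, 60, 12),
            "lte": Probe(2.0, 90, 40), "dia": Probe(0.2, 50, 8, tunneled=False)}
    sel = PathSelector(voice)
    print(sel.update(good))                                   # mpls
    print(sel.update(dict(good, mpls=Probe(3.0, 40, 5))))     # broadband (failover)
    print([sel.update(good) for _ in range(3)])              # stays, stays, back to mpls
```

The damping interval and the fail-closed rule are policy choices: set `stable_probes` from the probe period and how long a circuit typically takes to settle, and decide per application whether degrading onto an out-of-SLA path is preferable to no path at all.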
Is SD-WAN a VPN?

An SD-WAN is not a virtual private network (VPN), although the two overlap. A VPN establishes a single encrypted point-to-point tunnel across a public network such as the internet, either between two sites or between a remote user and a gateway; the tunnel is the whole product. An SD-WAN overlay is usually built from many such tunnels (commonly IPsec) between its edge devices, but adds what a VPN lacks: a central controller that distributes policy, application-aware path selection across several transports, and a single point of visibility for all the WANs beneath it. In short, a VPN provides one encrypted path, while an SD-WAN decides, per application and in real time, which of several paths traffic should take and carries it over tunnels it manages itself.

What are the benefits of SD-WAN?

Because an SD-WAN brings the underlying network services of multiple WANs under one layer, it can use any of those services to optimize the performance of each application. These services include the physical infrastructure, such as transport service and bandwidth capacity, and security features such as firewall settings. The optimal settings for each application are determined by application performance monitoring and applied through policy.

Because an SD-WAN is a virtualized layer, it provides several advantages over a traditional WAN, including:

  • Being well-suited for the management of a hybrid network: An SD-WAN gives IT staff the ability to manage complex hybrid network connections that consist of private data centers, public clouds, and edge devices. This centralized control of hybrid environments is critical for digital transformation initiatives that require virtualization and public cloud adoption
  • Agility: An SD-WAN simplifies network management, enabling IT staff to monitor and adjust traffic in real time and respond faster to business demands. This simplified management also enables faster provisioning of network resources through zero-touch provisioning (ZTP), an SD-WAN feature that configures a new device automatically when it first connects. ZTP is only as trustworthy as the device's bootstrap identity: a device that can enroll with nothing more than a serial number or a shared secret can be impersonated, so the enrollment step should bind a per-device credential (typically a certificate) before any policy is delivered
  • Efficiencies and cost savings: SD-WAN technology removes the need for many physical tasks, such as dispatching an IT staff member to the geographic location where a WAN's controls reside. This lowers the cost and raises the efficiency of managing the network. An SD-WAN also enables better use of existing resources. For example, a single IT staff member can use the SD-WAN software layer to relegate non-critical traffic to cost-effective transport services and send mission-critical or sensitive traffic over private MPLS circuits. Note that MPLS isolates a customer's traffic but does not encrypt it, so sensitive traffic still belongs inside the overlay's encrypted tunnels whichever transport it rides on
  • High-performance applications and improved user experience: Through performance monitoring conducted in the SD-WAN layer, IT staff can determine optimal network settings for each application. They can then steer traffic to the appropriate transport services and adjust network settings to reduce application latency and improve availability for end users. For example, network resources can be configured as failover options in case the resources a mission-critical application is using suddenly become unavailable. In the event of a disruption, the application is immediately redirected to the failover resources to prevent or minimize the outage
  • Faster deployment compared to traditional MPLS-based WANs: Because an SD-WAN is a virtual abstraction that manages physical resources, it can be deployed faster than an MPLS-based WAN, whose hardware-bound configuration means purchasing, installing and commissioning physical components and circuits, often with lengthy lead times. An SD-WAN can be an on-premises, cloud-based or hybrid deployment
  • Reduced packet loss and jitter: When a technical issue arises on a traditional WAN's telecommunications circuit, packet loss and jitter can result. Packet loss occurs when packets that were sent never reach their destination, while jitter is the variation in delay between successive packets, not the delay itself. For example, users experience jitter when a video call's audio stutters or its image freezes because packets arrive in uneven bursts

An SD-WAN can route around a circuit issue on one of its underlying WANs by redirecting traffic to another transport. Alternatively, IT staff can configure the SD-WAN to apply one of the following quality of service (QoS) techniques on the affected path to mitigate packet loss and jitter:

  • Forward error correction (FEC): The sender adds redundant (parity) packets to each group of data packets so the receiver can rebuild a lost packet locally, without waiting for a retransmission. It costs extra bandwidth, so it is normally enabled per application or only once measured loss crosses a threshold
  • Jitter buffers: The receiver holds packets briefly and releases them at a steady rate, smoothing out delay variation at the cost of a little added latency. Imagine cars waiting at a red stoplight and being released in evenly spaced batches
  • Negative acknowledgement (NACK): The receiver detects a gap in sequence numbers and asks the sender for exactly the missing packets, which are resent. This recovers what FEC could not, at the cost of a round trip
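FEC and NACK are easiest to understand as two halves of one recovery path, so the block below implements both together. It is an added example, not code from this page or from any SD-WAN product: the frame layout, the four-packet parity group and the lossy-link simulation are constructed assumptions, and production implementations use stronger codes (Reed-Solomon and the like) rather than a single XOR parity. The receiver repairs any group with exactly one hole from parity alone, and only the losses FEC cannot repair (two holes in one group) turn into a NACK and a retransmission.

```python
"""Loss mitigation on an overlay path: XOR-parity FEC plus NACK retransmission.

Added illustration, not code from the page or any vendor. Frame layout,
group size and the lossy link are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

GROUP = 4  # data packets covered by one parity packet (assumption)


@dataclass(frozen=True)
class Frame:
    kind: str          # "D" = data, "P" = parity
    index: int         # data: sequence number; parity: group number
    payload: bytes
    members: int = 0   # parity only: how many data packets the group holds


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(payloads: List[bytes]) -> List[Frame]:
    """Emit each data packet, then one parity packet per group.

    Parity is the XOR of the group's payloads (all the same length), so any
    single loss within a group can be rebuilt without a round trip."""
    frames: List[Frame] = []
    for g in range(0, len(payloads), GROUP):
        chunk = payloads[g:g + GROUP]
        parity = bytes(len(chunk[0]))
        for i, p in enumerate(chunk):
            frames.append(Frame("D", g + i, p))
            parity = xor_bytes(parity, p)
        frames.append(Frame("P", g // GROUP, parity, len(chunk)))
    return frames


class FecReceiver:
    """Reassembles data, repairs single losses from parity, and lists what
    still needs a NACK (everything FEC could not repair)."""

    def __init__(self) -> None:
        self.data: Dict[int, bytes] = {}
        self.parity: Dict[int, Frame] = {}
        self.expected = 0  # count of sequence numbers known to exist

    def receive(self, f: Frame) -> None:
        if f.kind == "D":
            self.data[f.index] = f.payload
            self.expected = max(self.expected, f.index + 1)
        else:
            self.parity[f.index] = f
            self.expected = max(self.expected, f.index * GROUP + f.members)
        self._repair()

    def _repair(self) -> None:
        for g, pf in list(self.parity.items()):
            seqs = range(g * GROUP, g * GROUP + pf.members)
            missing = [s for s in seqs if s not in self.data]
            if len(missing) == 1:               # exactly one hole: parity fills it
                rebuilt = pf.payload
                for s in seqs:
                    if s != missing[0]:
                        rebuilt = xor_bytes(rebuilt, self.data[s])
                self.data[missing[0]] = rebuilt
            if len(missing) <= 1:
                del self.parity[g]              # group complete; parity no longer needed

    def nack_list(self) -> List[int]:
        """Sequence numbers to request again: neither received nor repaired."""
        return [s for s in range(self.expected) if s not in self.data]

    def payloads(self) -> List[bytes]:
        return [self.data[s] for s in range(self.expected)]


def deliver(payloads: List[bytes], drop: Set[Tuple[str, int]]) -> Tuple[List[int], List[bytes]]:
    """Constructed lossy link: frames whose (kind, index) is in `drop` are lost.
    Returns (sequence numbers NACKed, in-order payloads after retransmission)."""
    sent = fec_encode(payloads)
    rx = FecReceiver()
    for f in sent:
        if (f.kind, f.index) not in drop:
            rx.receive(f)
    nacks = rx.nack_list()
    for f in sent:                              # sender resends only what was NACKed
        if f.kind == "D" and f.index in nacks:
            rx.receive(f)
    return nacks, rx.payloads()


if __name__ == "__main__":
    stream = [bytes([i]) * 16 for i in range(8)]          # constructed sample data
    print(deliver(stream, {("D", 2), ("D", 5), ("D", 6)})[0])  # [5, 6]: seq 2 repaired by FEC
```

Sizing the parity group is the trade-off: a smaller group tolerates burstier loss but spends more bandwidth on parity, while a larger group is cheaper and more often leaves two holes that fall through to the slower NACK path.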
Are there different types of SD-WAN?

Yes, three common SD-WAN architectures include:

  1. Internet-based SD-WAN
  2. Telco or MSP service SD-WAN
  3. Managed SD-WAN as a Service

An internet-based SD-WAN is also known as a "do it yourself" SD-WAN: the organization deploys the SD-WAN using in-house resources. The company's IT staff is responsible for installing the necessary SD-WAN devices, deploying the SD-WAN software, and the ongoing maintenance and management of the SD-WAN, including the controller and its device credentials.

A telco or MSP service SD-WAN is one in which an organization pays a service provider to install and deliver SD-WAN connectivity across its WAN locations. The provider supplies equipment and labor, as well as ensures the necessary network and transport services are available.

Managed SD-WAN as a service allows an organization to access a provider’s existing SD-WAN architecture through software orchestration. This SD-WAN resides on the provider’s private network and is often offered as a Software as a Service (SaaS) to clients.
