Software-Defined WAN (SD-WAN) is a networking technology that seamlessly connects branch offices, HQs, cloud and data centers over broadband internet rather than MPLS leased lines.
Software Defined WAN (SD-WAN) is a new way to manage and optimise a Wide Area Network (WAN) or simply put, a new way to deliver secure business broadband internet connections, enabling global connections from HQ to branch offices, mobile and remote workers or staff working from home.
SD-WAN addresses the changing use of enterprise networks: away from centralised offices designed for all users to be in the office all the time, with only a few remote workers, towards the growing trend of cloud computing and remote working. It is more flexible than MPLS (expensive leased-line internet connections) and better at supporting a distributed and mobile remote workforce. It is also more reliable, scalable and secure than VPN-based WAN links.
As SD-WAN is an evolving category, there are a variety of vendor implementations. Some are very basic repackagings of traditional WAN solutions, bordering on marketing hype: they adopt the term without truly delivering on the promise of SD-WAN. Others are next-generation, blurring the roles of traditional WAN security and MPLS over a broadband internet connection.
A good implementation offers a secure, feature-rich alternative to MPLS or leased lines. It converges optimised routing to accelerate cloud traffic with the functions of standalone point devices such as firewalls, IPS, anti-malware, URL filtering, WAN load balancers and VPN appliances, delivering these value-added services over the wire. This means organisations no longer need to maintain firewalls and other security devices at each site, because security is maintained centrally across all connections, and quality of service is greater than or equal to a leased line at a fraction of the cost.
SD-WAN is implemented as a network of SD-WAN appliances connected by encrypted tunnels. Each SD-WAN appliance is connected to a set of network services, which can be a mix of multiple ISPs and existing MPLS, with monitoring of the current availability and performance of each connection. Network traffic reaching an SD-WAN appliance is classified by application and prioritised using a set of centrally-managed priorities, before being sent out over the best available network link via dynamic path selection.
SD-WAN makes it possible to replace MPLS, which is not only expensive, but lacks the real-time single-point of view and control for applications, connections, users, and security. SD-WAN allows security functionality to be distributed to the network edge, making it unnecessary to send all traffic through the enterprise datacenter for scanning before forwarding it to cloud services, a practice that degrades latency and performance. This is a significant change for organisations used to backhauling all internet traffic to the data center to apply global security and filtering policies.
By converging networking and security functionality, an SD-WAN can eliminate the need to deploy expensive point security products at branch locations. An SD-WAN with a large network of globally-distributed points-of-presence (PoPs) can provide high-performance, secure networking with centralized management and visibility.
Software-defined WAN (SD-WAN) brings the abstraction of software-defined networking (SDN) to the WAN; however, it is only the latest in a series of transformations of WAN.
The very first stage of WAN, in the 1980s, used point-to-point (PPP) lines to connect different LANs. The price and efficiency of these connections were improved with the introduction of Frame Relay in the early 1990s. Instead of requiring a direct PPP connection between each pair of communicating parties, Frame Relay allowed connection to a “cloud” from a service provider, allowing shared last-mile link bandwidth and the use of less expensive router hardware.
The next stage was the introduction of Multiprotocol Label Switching (MPLS), which provided an IP-based means of carrying voice, video, and data on the same network. MPLS provides dependable network connections protected by SLAs but is expensive and slow to provision.
In 2013, SD-WAN emerged, showing the potential to be a viable and cost-effective alternative to MPLS – making it the logical next step in WAN technology. By abstracting away the entire network layer and routing traffic based upon a collection of centrally defined and managed policies, SD-WAN is able to optimize routing and prioritization of various types of application traffic. The flexibility provided by SD-WAN also allows it to better meet the needs of cloud and mobile users. As this type of use is becoming more common, it is unsurprising that many organizations are anticipated to adopt SD-WAN.
Learn more about the history of SD-WAN
The first stage of SD-WAN evolution was focused on solving the issues of availability and last-mile bandwidth. New MPLS links are expensive and slow to provision, and the use of an Internet backup meant that the backup was only used in the case of an outage. Using link-bonding, an SD-WAN predecessor could combine multiple different types of connections at the link level, improving last-mile bandwidth.
The limitation of link bonding is that it only improved last-mile performance. Achieving improved performance throughout the WAN required routing awareness throughout the path. Early SD-WAN solutions offered virtualization failover/failback and application-aware routing. With application-aware routing, SD-WAN could move away from being fully reliant on MPLS links and optimally route traffic based upon the application type.
The latest stage of SD-WAN evolution focuses on going beyond networking branch locations. As organizations increasingly move resources to the cloud, SD-WAN provides a solution for securely connecting these cloud deployments to the enterprise WAN.
Learn more about the evolution of SD-WAN
Software-defined WAN (SD-WAN) is designed to solve many of the challenges associated with traditional WAN design. SD-WAN abstracts away the details of the networking layer, allowing the WAN to use a variety of different connection types interchangeably, including LTE, MPLS, and broadband Internet. This abstraction can improve network bandwidth, performance, and redundancy and enables centralized management and orchestration.
SD-WAN works by creating a network of SD-WAN appliances connected by encrypted tunnels. Each site on the WAN has its own SD-WAN appliance, and all traffic flows through that appliance. Since all appliances are centrally managed, consistent networking policies can be enforced throughout the organization. When traffic enters an SD-WAN appliance, the appliance determines the type of application traffic and routes it to its destination based upon existing policies and the availability and performance of different network links.
Traditional SD-WAN is hardly perfect. Many SD-WANs do not include integrated security, so each branch location must deploy its own standalone security products. SD-WAN also requires the deployment of an SD-WAN appliance at each endpoint, which makes it difficult or impossible to use for cloud and mobile traffic. Finally, SD-WAN often relies upon public Internet service, which can cause reliability concerns. However, many of these problems are solved with secure access service edge (SASE) platforms.
Learn more about how SD-WAN works
Designed to provide an alternative to traditional MPLS-based WAN, Software-defined WAN (SD-WAN) provides organizations with five major benefits when compared to MPLS.
MPLS bandwidth is expensive, and it can take weeks or months to provision a new MPLS link, compared to days with SD-WAN. Both in cost of operation and in lost business opportunity, MPLS is inferior to SD-WAN.
MPLS is very effective at routing traffic between two static locations, but the growth of the cloud makes this less useful to businesses. SD-WAN’s policy-based routing allows traffic to be optimally sent through the network based upon the needs of the underlying application, resulting in increased application performance and better end user experience than traditional WAN architecture.
SD-WAN also provides much more agile networking than MPLS. With SD-WAN architecture, the network layer is abstracted away, allowing the use of a variety of different transport mechanisms throughout the WAN.
With MPLS, an organization may need to deploy a variety of standalone appliances to manage WAN optimization and security. With secure SD-WAN, these operations can be centralized, allowing organizations to scalably manage growing networks.
Finally, SD-WAN technology can provide dramatic redundancy and availability improvements over MPLS. With MPLS, adding redundant links can be expensive. SD-WAN, on the other hand, can route traffic over a different transport mechanism in the case of an outage.
Learn more about how SD-WAN benefits digital transformation
WAN connections to branch offices have a variety of different constraints: they must be secure, reliable, affordable, and offer enterprise-level network performance. Several different solutions exist, but many of them have their issues.
A common solution to connecting branch locations is the use of VPNs over the public Internet. While these can provide the security that an organization may require, they are often difficult to set up and may not meet the organization’s needs. Mobile VPN clients are non-existent or clunky, and physical VPN appliances can be time-consuming to deploy and may not meet the needs of a mobile workforce. The dependence of VPN upon the public Internet means that VPNs may also not provide the reliability that the enterprise requires.
While MPLS provides more reliable, high-performance network connections, MPLS connections are slow to deploy, and MPLS bandwidth is expensive. The technology is also ill-suited to mobile and cloud users and lacks built-in security.
Cloud-based software-defined WAN (SD-WAN) provides a solution to the challenges of branch networking. Cloud-based points-of-presence (PoPs) connected by layer-1 network connections backed by SLAs provide high-performance, reliable, and affordable networking. The network of cloud-based PoPs makes it possible for users to connect from anywhere with minimal latency, and an integrated security stack provides security throughout the network.
Learn more about how to connect multiple branch offices
MPLS and appliance-based software-defined WAN (SD-WAN) can both provide an organization with the networking capabilities needed for a WAN. However, they often have significant security shortcomings. MPLS lacks any encryption of its circuits, and both MPLS and appliance-based SD-WAN may have no built-in security. As a result, many organizations using these systems deploy standalone security appliances at each location to provide the necessary cybersecurity protections.
However, this approach to WAN security can be complex, unscalable, and expensive since each new location requires another set of security appliances. Each of these appliances must be individually purchased, configured, monitored, and managed, which creates significant costs throughout their lifetimes. This approach also does not work for the cloud and mobile, where security appliances cannot be deployed on-site.
Cloud-based SD-WAN provides a solution to this problem. By placing points-of-presence (PoPs) in the cloud, they can achieve global coverage, allowing users to connect via a nearby PoP and use the SD-WAN with minimal latency impacts. These PoPs can also have integrated security functionality, removing the need to deploy standalone appliances at each location and enabling centralized networking and security visibility across the enterprise WAN. Networking and security integration can also improve performance since networking and security appliances can be optimized to interoperate with one another.
Learn more about the challenges of SD-WAN security
As global organizations become more common, the need to connect geographically-distributed LANs via a WAN becomes extremely important. In order to compete effectively, organizations need access to stable, high-performance WAN at an affordable price. Three options exist for providing this: the public Internet, MPLS, and software-defined WAN (SD-WAN).
The first option for an enterprise is to route internal traffic over the public Internet. The two primary advantages of this approach are quick setup and relatively low costs since broadband Internet is widely accessible and typically affordable. However, these advantages come at the cost of unstable performance, volatile latency, and a lack of end-to-end management.
MPLS is designed to provide high-performance and reliable network connections backed by SLAs guaranteeing latency, packet delivery, and availability. However, these high-performance connections are expensive and extremely slow to deploy (taking weeks or months). MPLS connections are also ill-suited to cloud computing since traffic must be pulled back to a centralized access point before being sent out to its destination.
SD-WAN provides the best of both worlds by abstracting away the details of the network infrastructure. By choosing the optimal route from a collection of public Internet connections and MPLS links, SD-WAN can balance performance and cost on a per-application basis. Cloud-based SD-WAN provides additional benefits, including integrated security, support for mobile and cloud users, and predictable latency and packet loss.
Learn more about SD-WAN vs. MPLS vs. broadband public internet
MPLS, a common choice for enterprises that need high-speed, reliable network connections, provides guaranteed availability, packet loss, and latency backed by SLAs.
Yet while the technology is indeed mature and built for the enterprise, it also has its disadvantages. The guaranteed features of MPLS mean that MPLS bandwidth is expensive, not to mention that changing MPLS connections is difficult as new connections can take weeks or months to deploy. This affects the ability to set up new branch locations, expand bandwidth at existing locations, and other network changes.
Software-defined WAN (SD-WAN) is designed to provide an alternative to MPLS that addresses these challenges. SD-WAN, which consists of a network of SD-WAN appliances that are connected via tunnels over multiple transport media, abstracts away the network layer and optimally routes traffic over a variety of different data services depending on the type of application traffic. As a result, it can reduce the cost of networking and allows rapid deployment.
And yet, SD-WAN is not a perfect solution. Its reliance upon existing communications links means that MPLS may still be needed for certain applications, and SD-WAN appliances often do not have security built-in by default. Addressing these issues, and expanding coverage to mobile and cloud users, requires cloud-based SD-WAN.
When it comes to sizing your MPLS alternative, there can be a lot of confusion about "what you pay for" and "what you get". For example, a 100 Mbps MPLS line may only achieve 80 Mbps effective bandwidth, and a 1 Gbps broadband connection may only achieve 250-500 Mbps effective bandwidth. You can test your current internet speed with the ICG internet speed test.
Learn more about MPLS alternatives
Redundancy is vital for the enterprise WAN. Network outages are a leading cause of downtime, so redundant network connections are needed to minimize downtime. Software-defined WAN (SD-WAN) is a viable alternative to MPLS for enterprise WAN, but reliability and redundancy can be an issue. However, if implemented properly, SD-WAN can offer better redundancy than MPLS.
MPLS is well-known for its middle-mile reliability. However, the same level of reliability is often not attainable for last-mile connections. MPLS bandwidth is expensive, so the price of last-mile redundancy can be prohibitive. As a result, downtime can easily be caused by events that terminate this single last-mile connection. Last-mile redundancy requires dual-homed connections that are routed in different ways to different providers. Typically, an MPLS network offers active-passive redundancy with failover based upon route or DNS convergence.
SD-WAN is designed to abstract away the network layer and allow traffic to be routed over multiple connections. Therefore, all SD-WAN connections are in active use at all times, with real-time availability and performance monitoring. This not only improves the bandwidth and reliability of WAN connectivity but also enables active-active redundancy. In the case of an outage in one transport method, data can seamlessly be routed via an alternative connection. Thus, in addition to providing high middle-mile redundancy, SD-WAN can also provide better last-mile redundancy than MPLS.
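The mechanism described above (classify by application, apply centrally managed policy, pick the best monitored link, and fail over with all links active) can be modelled in a few dozen lines. The following is an added example, not ICG's code or any vendor's implementation; the application classes, thresholds, port-to-application map and link measurements are all constructed for illustration. A real appliance classifies with application signatures and feeds probe results in continuously; here a snapshot of link statistics stands in for that.

```python
"""Toy model of SD-WAN dynamic path selection with active-active links.

Added example (not ICG's code). All policies, ports and link metrics below are
constructed values chosen to show the decision logic, not real measurements.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class LinkStats:
    """Live measurements for one WAN transport, as an appliance's probes would report."""
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    cost: int  # relative cost per Mbit (constructed, not a real tariff)


@dataclass(frozen=True)
class AppPolicy:
    """One centrally managed policy: what an application class needs and prefers."""
    priority: int          # lower number = handled first
    max_latency_ms: float
    max_loss_pct: float
    prefer: str            # "latency" or "cost" decides among links that fit


# Constructed central policy table (hypothetical application classes and thresholds).
POLICIES = {
    "voip":   AppPolicy(priority=1, max_latency_ms=150, max_loss_pct=1.0, prefer="latency"),
    "saas":   AppPolicy(priority=2, max_latency_ms=300, max_loss_pct=3.0, prefer="latency"),
    "backup": AppPolicy(priority=3, max_latency_ms=1000, max_loss_pct=5.0, prefer="cost"),
}
DEFAULT_POLICY = AppPolicy(priority=9, max_latency_ms=1000, max_loss_pct=5.0, prefer="cost")

# Constructed classifier: destination port -> application class. Real appliances use
# application signatures / DPI; a port map is enough to show where classification sits.
PORT_TO_APP = {5060: "voip", 443: "saas", 873: "backup"}


def classify(dst_port: int) -> str:
    return PORT_TO_APP.get(dst_port, "default")


def sample_links() -> list:
    """Constructed snapshot of three transports at one site (MPLS, broadband, LTE)."""
    return [
        LinkStats("mpls", up=True, latency_ms=40, loss_pct=0.1, cost=10),
        LinkStats("broadband", up=True, latency_ms=25, loss_pct=1.5, cost=2),
        LinkStats("lte", up=True, latency_ms=80, loss_pct=2.0, cost=5),
    ]


def mark_down(links: list, name: str) -> list:
    """New snapshot in which monitoring reports one link as unavailable."""
    return [replace(l, up=False) if l.name == name else l for l in links]


def select_path(app: str, links: list) -> Optional[str]:
    """Dynamic path selection: the best currently-up link that satisfies the app's policy."""
    policy = POLICIES.get(app, DEFAULT_POLICY)
    usable = [l for l in links if l.up]
    if not usable:
        return None  # every transport is down; nothing can carry the flow
    fitting = [l for l in usable
               if l.latency_ms <= policy.max_latency_ms and l.loss_pct <= policy.max_loss_pct]
    # Degrade gracefully: if no link meets the thresholds, still forward on the best
    # available one instead of blackholing the application.
    candidates = fitting or usable

    def rank(l: LinkStats):
        return (l.latency_ms, l.cost) if policy.prefer == "latency" else (l.cost, l.latency_ms)

    return min(candidates, key=rank).name


def route_flows(flows: list, links: list) -> list:
    """Classify, order by central priority, then route each flow; returns (id, app, link)."""
    classified = [(fid, classify(port)) for fid, port in flows]
    ordered = sorted(classified, key=lambda t: POLICIES.get(t[1], DEFAULT_POLICY).priority)
    return [(fid, app, select_path(app, links)) for fid, app in ordered]


if __name__ == "__main__":
    links = sample_links()
    flows = [("f1", 873), ("f2", 5060), ("f3", 443)]  # backup, voip, saas
    print("all links up:  ", route_flows(flows, links))
    print("broadband down:", route_flows(flows, mark_down(links, "broadband")))
```

With the constructed snapshot, VoIP avoids the cheap broadband link because its loss exceeds the policy threshold and lands on MPLS, SaaS takes the lowest-latency link, and bulk backup takes the cheapest. When monitoring marks broadband down, the next decision simply excludes it: no route or DNS convergence is waited for, which is the active-active behaviour the section contrasts with MPLS active-passive failover. The graceful-degradation branch is the point a defender should notice: a policy that silently falls back to any link can route sensitive traffic over a transport it was never meant to use, so a production policy would log or alert on that case rather than only forward.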
Learn more about SD-WAN vs. MPLS redundancy
SD-WAN as a Service extends the core capabilities of traditional SD-WAN. It converges the WAN edge, a global backbone and a full network security stack into a unified cloud-native platform. Known as SASE (or the Secure Access Service Edge) it is built to optimally connect and secure all enterprise resources; physical locations, cloud datacenters, and the mobile workforce. By integrating SD-WAN into SASE, enterprises can gradually transform their WAN to address the full WAN transformation journey, without deploying multiple point solutions.
Learn more about SD-WAN as a Service
MPLS is well-known for middle-mile reliability; however, the same is not true for last-mile. The cost of MPLS bandwidth often makes deploying redundant last-mile connections cost-prohibitive, leading organizations to seek alternative solutions.
Two early methods for dealing with the last-mile reliability problem are the use of a backup Internet connection and link-bonding. While a backup Internet connection can help to deal with MPLS outages, the failover process is slow and often results in a loss of current connections. Link-bonding attempted to solve the problem of last-mile reliability by aggregating multiple different last-mile transport services. While this positively impacted last-mile bandwidth and reliability, it did nothing to help the middle-mile.
Software-defined WAN (SD-WAN) takes the concept of link-bonding a step further. By abstracting away the network details, SD-WAN is able to present a range of transport options as a single pipe to an application and perform traffic routing behind the scenes.
This allows SD-WAN to provide numerous advantages for an enterprise WAN. The last mile can be optimized using policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream). With cloud-based SD-WAN, where the middle mile is composed of private Tier-1 backbones, it is also possible to perform middle-mile optimization, allowing SD-WAN to compete with MPLS with regard to middle-mile network reliability and performance.
Learn more about last mile constraints for SD-WAN
ICG enables customers to move away from expensive, rigid, and capacity-constrained MPLS networks to a combination of high-capacity broadband Internet links. Using ICG SD-WAN edge appliances, customers boost usable capacity and improve resiliency at a lower cost per megabit. Customers with a global footprint leverage ICG's affordable global private backbone to replace global MPLS and the unpredictable Internet. The ICG SD-WAN solution optimizes performance and maximizes throughput to on-premises and cloud applications.
ICG SD-WAN uses a global private backbone with built-in WAN and cloud optimization to deliver an SLA-backed, predictable, and high-performance network experience everywhere. Customers who suffer from high latency and network inconsistency across their global locations use ICG to deliver a great user experience when accessing on-premises and cloud applications.
ICG provides a complete network security stack built into the SD-WAN solution. By connecting all branch locations to ICG secure SD-WAN, all traffic, both Internet-bound and WAN, is fully protected by ICG enterprise-grade, cloud-based security services. There is no need to backhaul Internet traffic to a data center or a regional hub, deploy branch network security appliances, or procure stand-alone cloud security solutions.
ICG provides seamless acceleration of cloud traffic by routing all traffic from all edges to the ICG PoP closest to the cloud data center. Because ICG PoPs share the data center footprint of major cloud providers, the latency between ICG and these providers is essentially zero. Cloud application access optimization requires just a single application-level rule that determines where cloud application traffic should egress the ICG SD-WAN. There is no need to install cloud appliances or set up hubs to reduce latency to the cloud or SaaS cloud apps.
ICG extends global networking and security capabilities down to a single user’s laptop, smartphone, or tablet. Mobile and remote users are no longer treated like second-class citizens of your network and security infrastructure. Using an ICG Client, or clientless browser access, users dynamically connect to the closest ICG PoP, and their traffic is optimally routed over the ICG global private backbone to on-premises or cloud applications. The ICG security-as-a-service stack protects users against threats everywhere and enforces application access control. Unlike legacy VPN, the ICG SD-WAN solution scales globally to support 24×7 access for the entire workforce, creating a viable business continuity plan for working from home.
ICG seamlessly supports work-from-home for all employees, all the time. Customers rapidly connect their on-premises and cloud data centers to ICG SD-WAN and enable self-service provisioning of Clients to all users who require work-from-home or remote access. Unlike legacy VPN and SDP products that can’t scale to support the entire business, ICG global and cloud-scale platform is built to optimize traffic to all applications with a global private backbone, and continuously inspect traffic for threats and access control with the converged security stack.
ICG makes global connectivity affordable, reliable, and agile. Our global SLA-backed private backbone provides a consistent user experience at a fraction of the cost of legacy MPLS, and natively extends to cloud data centers, cloud applications and mobile users. With over 50 points of presence all over the world from the US to Europe, Asia Pacific and South East Asia, you can now achieve a secure global connectivity that meets your business needs within minutes. ICG security stack ensures the same enterprise-grade security is applied for all branches, users, and applications – everywhere.
ICG gets your entire enterprise network connected and secured through a single cloud service. Whether it's across Australia, New Zealand, China, Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam, Japan or Korea. Our edge SD-WAN and Security-as-a-Service help IT teams build reliable business networks across the region with ease. ICG helps you make the most of your Internet last mile by automatically building the WAN full mesh, enforcing QoS and path selection based on application and user awareness, optimizing access to cloud resources, making VPN users integral parts of your network, and enforcing the same enterprise-grade security on all locations, users, and applications. ICG SD-WAN can be managed by your IT team and ICG as a managed service provider via a single, user-friendly, web-based application.
ICG SD-WAN services enable enterprise IT to access detailed, real-time and historical network analytics and security events through a cloud-based management application. All policies, including security, routing, and quality of service, can be directly configured by your IT team or by ICG as a managed service. As a cloud service, ICG requires no customer involvement in updating or upgrading the underlying infrastructure, saving IT teams precious resources previously needed for network management of multiple point solutions.
Customers who prefer “hands off” management can have ICG handle the whole operation, including plug-and-play pre-provisioned appliances for zero-touch deployments, monitoring of last-mile links, defining policy configurations, and monitoring the network for pervasive security threats. As a cloud service, ICG maintains the SD-WAN platform and all of its components, saving IT teams precious resources previously needed for maintaining multiple point solutions.
ICG Cloud Connect SD-WAN service can be activated instantly for remote users and cloud data centers, with on-site deployments within 48 hours to almost anywhere in the world. Delivered as a service, it replaces existing routers, firewalls, IPS, load balancers, URL filtering, and VPN appliances. Reduce the cost of MPLS by ~50%. Improve internet speed. Optimize applications like Office 365, Teams, Zoom, and SAP. Remove the technical debt of procuring, managing, and securing the network.
Get started with a free proof of concept (PoC) today by live chat or WhatsApp.
Face to face or over Zoom, we are here to help you.