Best Practices for an Internet-based SD-WAN

Posted by on May 3, 2017

CIOs and IT executives are constantly challenged with reducing IT spend, optimizing operating expenditures while increasing service agility, delivering and maintaining superior quality of service. Enterprises are constantly searching for innovative solutions to execute on these business objectives. While the industry continues to innovate, initiatives like ‘as-a-service’ solutions and WAN re-design through SD-WAN have been in the spotlight. Apart from being touted as cost-saving initiatives, these trends have another common thread: Their influence on the architecture of enterprise networks and the adoption of the Internet as the backbone for enterprise communication. We believe that before jumping on the SD-WAN bandwagon and adopting SaaS services, IT decision makers should familiarize themselves with the intricacies involved with using the Internet as transport.

Internet Transport: Prerequisite for the Cloud

When enterprises adopt SaaS services or deploy applications on IaaS platforms, they are inherently subscribing to an Internet-based service delivery model. Services are no longer delivered over a secure, highly available MPLS WAN, but instead over a best-effort network. Very quickly, the Internet becomes the underlying transport for enterprise-grade traffic. The high costs associated with a traditional WAN network, meshing branch offices and data centers, stems from procuring carrier-grade MPLS access. Direct Internet access (DIA) or broadband Internet, with its ubiquitous availability, speed of deployment and cost efficiency (in terms of bandwidth-to-cost ratio), presents an alternative and attractive option. Using DIA can sometimes result in 20-30% cost savings.

Figure 1
Figure 1: The Internet becoming a prerequisite for the Cloud.

SD-WAN Fuels an Internet-centric WAN

In its simplest form, SD-WAN is a technology that provides the flexibility to choose the most optimal access transport by dynamically steering traffic across multiple links. SD-WAN allows enterprises to choose between using a MPLS network, the Internet or a LTE network based on algorithmic computations of network performance and application behaviour. These algorithmic computations of best path are proprietary and unique to each SD-WAN vendor. Enterprises now have the versatility of using multiple links and maintaining lower operational costs by using an Internet circuit rather than an MPLS link. The overarching benefits of SD-WAN go beyond infrastructure-related hard costs to soft benefits related to centralized management and operational agility.

While the cost savings and flexibility are truly enticing, enterprises need to be aware of the performance implications of using different types of circuits. Application performance and end-user experience is tightly tied to network behaviour. While architecting your network to be SD-WAN compatible, arm yourself with the right tools to compare and contrast multiple circuits at an application level. Consider the following example (Figure 2), where two different circuits are used to access a service in London. The path taken by traffic from an Internet location in Dallas has 8 extra hops compared to the path taken from a WAN location in Dallas. Network latency, loss and QoS can be impacted based on the network path and play a critical role in the perceived application performance.

Figure 2
Figure 2: Path Visualization shows distinctly different paths across two different access types.

Best Practices for a SD-WAN Migration

Understanding the performance, reliability and security implications of using Internet circuits with SD-WAN will benefit enterprises to manage and overcome any challenges.

Evaluate and Benchmark Performance

Relying on the Internet as transport for enterprise-grade traffic involves setting the right expectations from the perspective of service delivery. Performance depends not only on the application, but also on the underlying network.

  • Baseline the performance of the network and application before launching or accessing a service over the Internet. For example, an active monitoring solution like ThousandEyes can help baseline connection performance, topology and bandwidth. A flow monitoring solution can provide insights into how the connection is utilized.
  • Consider supplementing your SD-WAN vendor’s view of network measurements to get a reliable and unbiased view that can help mitigate risk.
  • Choose your primary and secondary ISPs by monitoring them for outages and frequent failures. Validate the new architecture before deploying it.

How Secure is the Internet?

Choosing the right upstream providers and optimizing BGP routes across multiple providers is critical. While BGP hijacks and leaks — routing events where illegitimate prefixes are wrongly propagated through the internet — are not very frequent, they are hard to troubleshoot and can have devastating repercussions. Last week’s BGP route leak of specific prefixes belonging to financial and e-commerce services by Russian ISP, Rostelecom, is yet another example of how vulnerable the Internet is.

Figure 3
Figure 3: ThousandEyes BGP Visualization identifying the route leak incident by Rostelecom, indicated by AS 12389.

Relying completely on the Internet also has some degree of risk associated to it. Partial or complete service disruption is not uncommon when connectivity to an entire region is shut down for political or economic reasons. Also, in traditional WAN networks, Internet-bound traffic exits the enterprise from the data center. Locally breaking out traffic from the branch office through SD-WAN conceptually creates a highly distributed “mini data center” model. This means extending the security measures in place from the data center all the way to the branch office. Although more and more applications idealize and choose to fold security into the L7 stack than completely relying on the access, security best practices should still be considered.

Marching Forward

Moving to an Internet-driven architecture and adopting SD-WAN technologies is a massive undertaking. Systematically ease into the migration by supplementing your existing WAN with Internet circuits to familiarize yourself with the challenges and intricacies. Irrespective of the path selected by SD-WAN, it is important to have end-to-end visibility of the underlay network and application overlay.