Does SD-WAN Leave You Exposed?

Posted on June 7th, 2018

Attending the Gartner CIO Conference in Toronto a few weeks back gave me the opportunity to talk to IT leaders about their top-of-mind concerns. A topic that repeatedly came up in conversations with enterprise attendees was SD-WAN adoption. The cost and manageability benefits are clearly compelling, and even though there’s always some trepidation around adopting any new technology, attendees were generally optimistic about the state of SD-WAN—with one exception. Vendor stability was repeatedly cited as a worry and source of risk.

I talked to a CIO who had recently done a major SD-WAN rollout, covering all branch offices. Overall, his experience had been very positive, yet he noted that he and his peers worry about the instability in the vendor landscape. There’s so much movement in terms of new upstarts, legacy vendors, and emerging players like ISPs wanting a piece of the action that it’s hard to know what to expect over the next several years. Will my vendor get acquired? Will it acquire another vendor? How will my ISP fit into the picture? Will any change affect my organization?

A Gartner survey of enterprise IT professionals supports my anecdotal experience. It lists vendor stability as one of the top two SD-WAN concerns, with 44% of respondents expressing worry over the maturity of the landscape or how that increases their adoption risk. While uncertainty will remain until the landscape begins to reach a more stable state, you can take specific steps to avoid over-relying on SD-WAN as the sum total of your Internet management strategy.

SD-WAN is often implemented in conjunction with DIA or a hybrid WAN for enterprises looking to either eliminate or reduce their dependence on traditional MPLS, which is widely viewed as expensive and management intensive. SD-WAN, as an application-driven policy engine, creates the efficiencies needed to manage many locations and many more Internet gateways. It’s also viewed as an easy way to take the sting out of the inherent unpredictability of Internet transit because it uses metrics, such as overall latency, to execute defined policies. While these metrics give SD-WAN a certain level of “Internet awareness,” and enable it to make relative decisions based on path performance, it doesn’t control the Internet. If something goes wrong, SD-WAN can’t tell you what the problem is or who’s responsible. It can’t tell you if an upstream ISP is dropping packets, or if a BGP hijacking has put your users at risk. It can’t tell you if your performance is in line with regional norms.

Given that SD-WAN deployments typically go hand in hand with increased reliance on the Internet, it’s critical to gain comprehensive visibility into all of the external dependencies you’ll be relying on to reach your applications and services. These dependencies include BGP routing, various ISPs, DNS service, cloud security proxies, CDNs, DDoS protectors, and others, so you need to see every hop in your network path, along with detailed loss, latency and jitter metrics. Relying on SD-WAN as your sole source of Internet visibility is like relying on sunglasses as your sole source of sun protection. Sure, you have some limited coverage, and it will undoubtedly influence your perspective. But you’re in for a nasty burn if you’re going outside the shade of your data center or branch office unprotected.

Network Intelligence for SD-WAN

Vendor stability isn’t the only reason to think about getting independent, deeper external visibility. There are other significant questions and decision points when migrating to SD-WAN and DIA that would benefit from visibility into external networks and services.

Five key SD-WAN scenarios requiring deeper Internet and end-to-end visibility:

1. Branch readiness and SD-WAN vendor selection—Understanding your existing performance and using that data to set goals and evaluate ISPs and vendors is key to a successful planning, evaluation and readiness phase.

2. SD-WAN site selection—If you’re deploying SD-WAN selectively, you need to understand what your current performance looks like and which sites would most benefit from DIA or a hybrid WAN model.

3. Troubleshooting in the cloud—Think about Internet instability that intermittently but continuously affects the quality of service for SaaS apps delivered to remote and global offices. You may be in for a painful choice—continually switching to backhaul, possibly maxing out your MPLS bandwidth, or providing a poor user experience. If we’re honest, we know that intermittent user experience issues happen all the time, even for internally hosted applications. They’ll get worse when that user experience relies on two dozen hops and several ISPs to deliver it.

4. Managing cloud-based security providers—Solutions like Zscaler are increasingly common once you’ve gone DIA at your branch offices. These providers add to the complexity of your digital service delivery chain. Managing the performance of these providers is key to ensuring that they aren’t adversely affecting your overall user experience. You’ll need to understand performance of the connectivity to and through their data centers.

5. Monitoring SD-WAN performance (tunnel endpoints, MPLS backhaul, policy routing, etc.)—How will you effectively validate that your policy routing is working the way you expect? Do you have visibility into the underlying Internet transport for your SD-WAN tunnels? How will you verify the performance of your SD-WAN solution so that you can gradually migrate away from costly MPLS links?

Leveraging visibility across every stage of your SD-WAN lifecycle, from readiness to deployment and operations, can ensure that you’re making critical decisions, such as vendor choice, site selection, and security, with the necessary performance data—data you need before you roll out SD-WAN. Once you’re in operations, it’s not enough to rely on SD-WAN for troubleshooting and managing your external providers. The SD-WAN vendor landscape is still in a state of volatility. If you’re using (or plan to use) your SD-WAN solution as your sole source of Internet visibility, you could be leaving your organization overly reliant on one vendor—and blind to all of the external dependencies that impact the performance and security of your users. Taking a visibility approach that’s SD-WAN vendor agnostic could provide you with more in-depth visibility and mitigate the impact of vendor changes.