The underlay network: Abstracting the complexity with SD-WAN 2.0 (Reader Forum)
The benefits of SD-WAN for enterprise networks are now well understood. By creating a managed overlay network with centralized control, enterprises have transformed their WAN into an intelligent and automated construct that increases scalability and service agility while decreasing operational complexity and cost. Enterprises are now looking to their SD-WAN infrastructure for more than just connectivity. They want to leverage it to deliver a range of IT services, such as the flexible and automated deployment of virtualized network functions, or to provide true end-to-end application visibility, control, and security. SD-WAN 2.0 is the infrastructure needed to offer this.
One of the requirements to achieve SD-WAN 2.0 is a seamless end-to-end “overlay” network, or abstracted forwarding plane, that can intelligently interconnect private data centers (DCs), public clouds, and branch locations. This end-to-end overlay depends on having a seamless underlay transport network beneath it, which may consist of diverse transport segments such as IP/MPLS links, internet broadband, or even mobile transport options like 3G or LTE.
Extending the traditional underlay boundaries
With a seamless end-to-end overlay, the value of SD-WAN can be maximized by offering a single point of visibility and control across the entire network.
Achieving true end-to-end connectivity
True end-to-end connectivity extends beyond the boundaries of the enterprise WAN. Traditional SD-WAN 1.0 deployments and DC SDN solutions have been treated as two separate silos, requiring manual stitching of the underlay boundaries of both while connecting their separate SD-WAN/SDN policy, control and data planes. Most SD-WAN solutions deliver traffic from the branches to a gateway in the DC and rely on a different solution to carry the traffic within the DC. This breaks the automation and security model and adds complexity. To offer true end-to-end connectivity, the SD-WAN solution must provide a fully automated interworking function that does not require “stitching” across two different solutions, ensuring seamless and boundary-less connectivity from users in branches all the way to applications within the DC.
Extending the SD-WAN to the public cloud
The industry is witnessing greater demand for public cloud services, which forces enterprises to integrate each public cloud individually in order to extend their SD-WAN reach. Unfortunately, these custom integrations can be complex, reduce workload portability, and create public cloud vendor lock-in. SD-WAN 2.0’s approach is to front-end the virtual public cloud (VPC), in the public cloud zone, with a virtualized SD-WAN vCPE, avoiding complex proprietary API integrations and providing a standard policy-based connection that is independent of the public cloud. With this approach, the public cloud service is just another branch site and benefits from the same single point of visibility and control as the rest of the network.
Making the WAN underlay seamless
The enterprise WAN underlay can be complex, disconnected, and diverse. It is incumbent upon SD-WAN 2.0 to hide this complexity to create a seamless WAN.
Bring your own transport (BYOT) with SD-WAN
In many cases, enterprises have deployed IP/MPLS, internet broadband, and even mobile (3G/LTE) WAN underlay transport services from various providers. In the case of multi-national enterprise networks, each region and country could look different in terms of underlay transport infrastructure and providers. SD-WAN 2.0 solutions should be agnostic about this and offer multi-national boundary-less SD-WAN service regardless of geography and WAN transport service.
Joining the disjointed
Although the SD-WAN service should be agnostic to the WAN underlay transport type, there are cases where underlay connectivity between specific sites is provided by disjointed or heterogeneous transport technologies (e.g., internet broadband on one side and IP/MPLS on the other). In these cases, there needs to be a managed, policy-controlled function at the boundary of these disjointed or heterogeneous underlays that joins both segments, making the underlay whole.
Marrying the new with the old
For many large enterprises, it is crucial that SD-WAN deployments in new locations can support connectivity to legacy IP/MPLS connected sites. With SD-WAN 2.0, both new SD-WAN overlays and legacy IP/MPLS underlay links will need to be compatible to continue to provide connectivity. In general, this means that SD-WAN 2.0 needs to support an intelligent and automated “breakout” or handover capability to legacy PE “underlay” routers.
Routing pedigree to the rescue
Legacy “underlay” routing can be complex, and SD-WAN 2.0 must support this complexity. One example is supporting the often-complex routing configuration at branch sites. Two further examples illustrate this: extranet support and local internet breakout.
Extranets connect portions of a partner’s intranet to the enterprise and are very tightly designed and controlled. Extranet rules are programmed in the underlay network, and as SD-WAN 2.0 is deployed, it will need to be compatible with the configuration and rules of legacy extranets. As an example, if the enterprise network shares IP addresses with the connected extranet, then SD-WAN 2.0 will have to support bi-directional NAT to continue to allow for bi-directional communication between entities from each network.
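The overlapping-address case described above is the one twice NAT (bidirectional NAT) exists for. The following is an added example, not code from the article, that models the translation a boundary device performs when the enterprise and the extranet partner both use the same private prefix; all addresses and prefix names are constructed for the illustration. Each side's real prefix is mapped onto a non-overlapping alias prefix that the other side uses to address it, with host bits preserved so the mapping is static and symmetric:

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal IP header view: only the fields NAT rewrites matter here."""
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 443


class TwiceNat:
    """Bidirectional (twice) NAT for an extranet boundary where both sides use
    the same private prefix. Each side's real prefix is mapped onto an alias
    prefix that the other side uses to reach it; host bits are preserved, so
    the mapping is static, stateless and symmetric in both directions.
    Constructed example addresses, not taken from the article.
    """

    def __init__(self, inside_real, inside_alias, outside_real, outside_alias):
        self.in_real = ipaddress.ip_network(inside_real)      # enterprise hosts
        self.in_alias = ipaddress.ip_network(inside_alias)    # how the partner sees them
        self.out_real = ipaddress.ip_network(outside_real)    # partner hosts
        self.out_alias = ipaddress.ip_network(outside_alias)  # how the enterprise sees them
        for real, alias in ((self.in_real, self.in_alias),
                            (self.out_real, self.out_alias)):
            if real.prefixlen != alias.prefixlen:
                raise ValueError("real and alias prefixes must be the same size")
        # The aliases must not collide with each other, nor with the real
        # prefix on the side that will route to them.
        if self.in_alias.overlaps(self.out_alias):
            raise ValueError("alias prefixes must not overlap")
        if self.out_alias.overlaps(self.in_real) or self.in_alias.overlaps(self.out_real):
            raise ValueError("an alias prefix collides with a real prefix on the same side")

    @staticmethod
    def _rebase(addr, from_net, to_net):
        """Move an address from one prefix to another, keeping its host bits."""
        a = ipaddress.ip_address(addr)
        if a not in from_net:
            raise ValueError(f"{addr} is not in {from_net}")
        host_bits = int(a) - int(from_net.network_address)
        return str(to_net.network_address + host_bits)

    def inside_to_outside(self, pkt):
        """Enterprise -> partner: hide our real source, reveal the partner's real dest."""
        return replace(pkt,
                       src=self._rebase(pkt.src, self.in_real, self.in_alias),
                       dst=self._rebase(pkt.dst, self.out_alias, self.out_real))

    def outside_to_inside(self, pkt):
        """Partner -> enterprise: the mirror image of inside_to_outside."""
        return replace(pkt,
                       src=self._rebase(pkt.src, self.out_real, self.out_alias),
                       dst=self._rebase(pkt.dst, self.in_alias, self.in_real))


def demo():
    """Both networks use 10.0.0.0/24. Aliases: 172.16.2.0/24 is the enterprise as
    seen by the partner, 172.16.1.0/24 is the partner as seen by the enterprise."""
    nat = TwiceNat("10.0.0.0/24", "172.16.2.0/24", "10.0.0.0/24", "172.16.1.0/24")
    request = Packet(src="10.0.0.5", dst="172.16.1.7")  # enterprise host to partner alias
    on_wire = nat.inside_to_outside(request)             # what the partner receives
    reply = Packet(src=on_wire.dst, dst=on_wire.src)     # partner answers what it saw
    back_home = nat.outside_to_inside(reply)             # what the enterprise host receives
    return on_wire, back_home


if __name__ == "__main__":
    out, back = demo()
    print("to partner:", out)
    print("reply seen inside:", back)
```

Because the translation is prefix-based rather than per-flow, it needs no connection table and survives a failover of the boundary device; the cost is that both alias prefixes must be reserved in the routing plans of both organisations, which is the kind of legacy-extranet rule the text says SD-WAN 2.0 has to honour.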
Breaking out to the Internet locally
Often enterprises want specific traffic to leave the SD-WAN overlay and break out to the raw internet, and SD-WAN 2.0 should allow traffic to do so at any given local branch site. For example, if internet broadband is one of the underlay transport options, then it is highly desirable to break traffic out locally when it is destined for the internet itself. The solution should allow easy provisioning of local breakout as well as the option to apply security policies and features like Network Address Translation (NAT) at the point of breakout.
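As an added example (not the article's own configuration), the following models the three decisions a branch makes for local breakout: keep enterprise-destined traffic on the overlay, refuse traffic that must never leave via the raw internet, and apply a security policy plus source NAT to what does break out. The enterprise prefix, the site's public address and the allowed ports are constructed values.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 space is never routable on the raw internet, so it must not leave via breakout.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class LocalBreakout:
    """Per-branch decision: keep enterprise traffic on the overlay, send
    internet-bound traffic out of the local broadband link after a security
    policy check, and source-NAT it behind the site's public address.
    Constructed prefixes and addresses; not the article's own configuration."""

    def __init__(self, enterprise_prefixes, site_public_ip, allowed_dports):
        self.enterprise = [ipaddress.ip_network(p) for p in enterprise_prefixes]
        self.public_ip = site_public_ip
        self.allowed_dports = set(allowed_dports)
        self._next_port = 40000   # NAT port pool for translated flows
        self.nat_table = {}       # (proto, public port) -> (inside src, inside sport)

    def decide(self, flow):
        dst = ipaddress.ip_address(flow.dst)
        if any(dst in net for net in self.enterprise):
            return "overlay"      # stays inside the SD-WAN tunnels
        if any(dst in net for net in RFC1918):
            return "drop"         # private but unknown to the WAN: not internet traffic
        if flow.dport not in self.allowed_dports:
            return "drop"         # breakout security policy
        return "breakout"

    def forward(self, flow):
        """Return (verdict, flow as it leaves the branch)."""
        verdict = self.decide(flow)
        if verdict != "breakout":
            return verdict, flow
        port = self._next_port
        self._next_port += 1
        self.nat_table[(flow.proto, port)] = (flow.src, flow.sport)
        return verdict, replace(flow, src=self.public_ip, sport=port)

    def reverse(self, flow):
        """Map a return packet on the public address back to the inside host,
        or None when there is no NAT state (unsolicited inbound is dropped)."""
        key = (flow.proto, flow.dport)
        if flow.dst != self.public_ip or key not in self.nat_table:
            return None
        inside_src, inside_sport = self.nat_table[key]
        return replace(flow, dst=inside_src, dport=inside_sport)


def demo():
    site = LocalBreakout(["10.0.0.0/8"], "203.0.113.1", allowed_dports=[80, 443])
    flows = [
        Flow("10.1.1.5", "10.20.0.9", "tcp", 51000, 443),      # ERP in the data centre
        Flow("10.1.1.5", "198.51.100.10", "tcp", 51001, 443),  # SaaS on the internet
        Flow("10.1.1.5", "192.168.5.5", "tcp", 51002, 443),    # private space the WAN does not know
        Flow("10.1.1.5", "198.51.100.10", "tcp", 51003, 23),   # telnet: blocked at breakout
    ]
    results = [site.forward(f) for f in flows]
    # The SaaS reply comes back to the public address and the NAT-assigned port.
    _, egress = results[1]
    reply = Flow(egress.dst, egress.src, "tcp", egress.dport, egress.sport)
    return results, site.reverse(reply)


if __name__ == "__main__":
    for verdict, out in demo()[0]:
        print(verdict, out)
    print("reply translated back:", demo()[1])
```

The ordering of the checks is the security-relevant part: the enterprise prefix test runs first so that a misconfigured policy can never push internal traffic onto the internet, and the NAT table is only consulted for return traffic, so inbound connections with no prior outbound state are dropped by default.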
New service assurance tools required
By creating an abstracted overlay network through an SD-WAN service, the complexity of the underlay is hidden, but when there is a fault in the network, it is often a result of a fault in the underlay network. SD-WAN 2.0 will be able to dynamically correlate the underlay network with the overlay network to proactively understand the impact each fault may have on specific customers, applications, services, or virtual machines (VMs). With this information, dynamic policies can be created to take remedial actions to reduce the impact of the fault while it is being addressed.
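The correlation the paragraph describes is, in essence, a mapping from underlay links to the overlay tunnels riding on them and from tunnels to the services that depend on them. The following added example (not code from the article) builds that mapping on a constructed topology and, for a given set of failed underlay links, reports which services are affected and whether a remedial policy can steer each one to a surviving tunnel or must flag it as isolated:

```python
from collections import defaultdict


class FaultCorrelator:
    """Correlates underlay link faults with the overlay tunnels that ride on
    them and the services (VPNs, applications) that depend on those tunnels.
    Topology names are constructed for the example, not from the article."""

    def __init__(self):
        self.tunnel_links = {}                    # tunnel -> set of underlay link ids
        self.service_tunnels = defaultdict(list)  # service -> tunnels in preference order

    def add_tunnel(self, tunnel, links):
        self.tunnel_links[tunnel] = set(links)

    def add_service(self, service, tunnels):
        for t in tunnels:
            if t not in self.tunnel_links:
                raise KeyError(f"unknown tunnel {t}")
        self.service_tunnels[service] = list(tunnels)

    def broken_tunnels(self, failed_links):
        """Every tunnel that traverses at least one failed underlay link."""
        failed = set(failed_links)
        return {t for t, links in self.tunnel_links.items() if links & failed}

    def impact(self, failed_links):
        """For each affected service: which tunnels are down and what the
        remediation policy should do (steer to the best surviving tunnel, or
        report the service isolated when none is left)."""
        broken = self.broken_tunnels(failed_links)
        report = {}
        for service, tunnels in self.service_tunnels.items():
            down = [t for t in tunnels if t in broken]
            if not down:
                continue
            alive = [t for t in tunnels if t not in broken]
            action = ("steer", alive[0]) if alive else ("isolated", None)
            report[service] = {"down": down, "action": action}
        return report


def build_example():
    """Constructed topology: two branches reach a data centre over MPLS and/or
    internet tunnels; each tunnel is pinned to the underlay links it crosses."""
    c = FaultCorrelator()
    c.add_tunnel("london-dc-mpls", ["pe-london", "mpls-core", "pe-dc"])
    c.add_tunnel("london-dc-inet", ["bb-london", "internet", "bb-dc"])
    c.add_tunnel("paris-dc-inet", ["bb-paris", "internet", "bb-dc"])
    c.add_service("erp-vpn", ["london-dc-mpls", "london-dc-inet"])   # dual-homed
    c.add_service("voice-vpn", ["london-dc-mpls"])                   # MPLS only
    c.add_service("paris-saas", ["paris-dc-inet"])                   # internet only
    return c


if __name__ == "__main__":
    correlator = build_example()
    for fault in (["mpls-core"], ["bb-dc"]):
        print(fault, "->", correlator.impact(fault))
```

The same structure answers the proactive question in the other direction: before a maintenance window on an underlay link, `impact([link])` lists the services that will lose their primary path and which of them have no alternate, which is exactly what an operator needs to pre-provision a steering policy.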
The picture above shows the various underlay integration points that SD-WAN 2.0 provides to effectively make the underlay WAN seamless. The picture on the right shows an example of two SD-WAN 2.0 VPNs connecting various elements of the enterprise network now that the underlay transport is seamless.
To achieve a successful SD-WAN deployment, a lot of integration is required between the SD-WAN service and the underlay network. Often these integrations are overlooked, resulting in unexpected manual re-configurations that increase operational complexity and defeat the purpose of SD-WAN. To achieve the benefits of SD-WAN 2.0 as an infrastructure for IT service delivery, these underlay integrations must be built into the technology itself, creating seamless end-to-end connectivity.