Tech Accelerator

SD-WAN explained: Ultimate guide to SD-WAN architecture

Evaluating SD-WAN architecture can be confusing, especially as the market grows. This guide helps IT pros learn SD-WAN basics, choose the best product and deploy it with confidence.

The software-defined wide area network (SD-WAN) is a quickly maturing technology widely adopted by enterprises and organizations as a cost-effective way to connect branch offices to their own data centers and to SaaS and other cloud-based applications.

This guide to SD-WAN links to articles that will walk you through all things SD-WAN. The collection explains the basics of SD-WAN technology, how it works, buying options, planning for implementation, best practices and troubleshooting advice. This guide also offers insight into how SD-WAN architecture will evolve over the next few years.

Articles in this guide cut through the confusion the range of SD-WAN options might present and help enterprises make informed decisions about how SD-WAN fits into the organization's network environment. Don't forget to click on the links throughout this article to learn even more about SD-WAN technology.

Introduction to SD-WAN

The wide area network (WAN) has always posed significant challenges for organizations with distributed workforces. The need for fast and reliable application performance, the high cost of dedicated network circuits and the complexities of day-to-day tasks such as configuration, monitoring and management are all magnified across a WAN. Whether an organization grows organically or through mergers and acquisitions, it can be challenging for IT teams to deploy edge gear quickly to connect users to business applications.

While advances in WAN optimization and traffic shaping certainly help improve IT's ability to move traffic across the WAN, they don't resolve all the problems at the network edge. Dedicated circuits are still cost-prohibitive and can take months to deploy. Additional staff can also be required to manage devices at branch offices and remote locations.

SD-WAN overlay graphic

Enter SD-WAN. The technology centralizes network control by abstracting and automating the tasks traditionally programmed manually on each edge device. SD-WAN architecture creates a network overlay that enables IT to remotely configure, manage, monitor and secure most aspects of the WAN, including edge devices and traffic flows. By abstracting the transport layer from hardware to software, SD-WAN facilitates traffic prioritization, enabling IT to use lower-cost public and private links such as broadband and wireless alongside more expensive Multiprotocol Label Switching (MPLS) connections. The automation, centralization and flexibility afforded by SD-WAN result in a more agile WAN environment for midsize to large businesses.

How SD-WAN technology works

Following the introduction of SD-WAN -- and the myriad variations of SD-WAN offerings -- many organizations have been confused about what exactly it is and is not.

SD-WAN products and services have the following common capabilities: virtualization of the WAN connection, centralized policy oversight, orchestration and the ability to dynamically manage traffic.

Vendors sometimes claim to offer SD-WAN products when, in fact, they offer only a fraction of the technology's typical capabilities, a practice called SD-WAN washing. As networking expert John Fruehe emphasizes in this SD-WAN washing article, a product is not truly SD-WAN if any of the key functionality is absent.

Much of an IT professional's understanding of SD-WAN architecture will come from getting familiar with the terms most often used in conjunction with the technology. One such term is controller, which is a hardware or software client that directs data flows between two points and distributes network and security policies to connected devices. Another key SD-WAN term, as explained above, is overlay, which describes how the SD-WAN architecture sits above the network. This glossary of SD-WAN terms provides information about the lingo vendors and service providers use to describe SD-WAN.

Traditional WAN vs. SD-WAN

SD-WAN benefits

When considering SD-WAN adoption, organizations should assess SD-WAN's advantages. As IT teams check off enough benefits, the decision to adopt the technology becomes clearer. For instance, if an organization has accepted the high cost of MPLS to satisfy business-critical traffic needs, SD-WAN architecture enables the use of lower-cost links, such as internet circuits.

SD-WAN offers redundancy among WAN connections, automatically failing over to a second path if the primary one fails or is unavailable. SD-WAN can use load balancing across multiple connections to improve application and network performance, as well.

As SD-WAN has matured, many vendors have added cloud-based SD-WAN options, where the controller sits in the cloud. Extracting the controller from the data center should enable more network flexibility and scalability, as well as improved management, and many businesses are taking that route.

SD-WAN presents many benefits that can address issues of managing and maintaining WAN configuration.

SD-WAN vs. traditional WANs

Traditional WANs have many capabilities that SD-WAN also has built-in, such as load balancing and disaster recovery features. In traditional WANs, however, adding on these capabilities can be time-consuming, complex and kludgy. SD-WANs enable real-time, automated and standardized configuration changes, reducing the opportunity for human error that often occurs through the manual programming required by traditional WANs.

SD-WAN architecture relies on virtualized overlays that make it easier to shift and replicate policies among distributed edge devices. As an organization grows, for example, it can use a location's existing WAN connections with the SD-WAN device, and IT can remotely manage the site policies via the centralized controller. This agility offered by virtualization is essential to meeting business demands.

When putting SD-WANs up against VPNs, the differences are noticeable. For instance, typical VPNs work well for businesses with a single IP backbone, but that architecture breaks down when introducing voice and video or when congestion impedes the network.

SD-WAN's granular level of support makes it far more advanced when it comes to quality of service (QoS) compared to basic internet VPNs. It is also important to note that VPNs can't always provide the internet connectivity with optimization and advanced security that cloud-based services require.

Perhaps most importantly, SD-WAN automatically detects network conditions and provides visibility into the network, creating a predictable level of performance.


MPLS has been a trusted go-to connectivity option for organizations for decades, but it is also costly and somewhat inflexible. SD-WAN architecture enables organizations to continue the use of MPLS circuits but gain more efficiency and cost savings by adding alternate, less costly links, such as broadband or wireless.

MPLS still has the advantage of being a private connection that offers end-to-end QoS. MPLS providers also can deliver more comprehensive service-level agreements than providers that offer connectivity over public links.

Moving away from a largely MPLS environment requires some savvy migration techniques. Companies that decide to transition to SD-WAN should ask their providers for a copy of their MPLS contracts. Items such as termination charges and minimum commitment clauses should be taken into consideration in the cost-benefit analysis of a migration. Organizations should also order internet connections right away because they can take a while to be installed.

Connectivity options for SD-WAN

SD-WAN challenges

While the advantages of SD-WAN are plentiful, its disadvantages must be taken into account. For instance, while SD-WAN should decrease connectivity costs in the long term, the cost to license SD-WAN software is a near-term consideration.

Adding a layer to the WAN could introduce an opportunity for new vulnerabilities that must be closely monitored and managed. SD-WAN will likely require companies to procure connectivity from multiple providers, which could add to IT's portfolio of service contracts they need to manage.

Organizations can't overlook the expertise needed to deploy and manage SD-WAN technology properly, despite the fact that many vendors describe SD-WAN as a do-it-yourself technology. While vendors have tried to simplify most processes surrounding SD-WAN, IT teams still must think carefully about requirements for each feature they want to roll out, as well as plans for overall security.

5 common SD-WAN challenges

SD-WAN market and providers

The SD-WAN market is growing rapidly and is projected to reach $5.25 billion in 2023, according to IDC. Still, it can be difficult to discern exactly what is included in each vendor's or service provider's offering. This SD-WAN vendor comparison chart can help organizations of all sizes determine which products or services best fit their network and business requirements.

Beyond what sounds good on a product data sheet, businesses also want to know how easy these SD-WAN offerings are to deploy and provision -- questions that can only be answered by the vendors and real-world references. For example, if a vendor claims its product or service has zero-touch provisioning, potential users should put that question to one of the vendor's customer references. Organizations also want to know whether SD-WAN software can work on any edge device or if it requires specific, proprietary equipment.

A critical question to ask is what partnerships the vendors or managed service providers (MSPs) have in place to provide security and other key functionality. Insight into their preferred providers helps potential customers extract the most benefit from SD-WAN deployments.

Shifting managed SD-WAN providers

Companies concerned about the level of expertise required to run SD-WAN in-house and deal with the complexity of managing multiple service providers can alleviate those concerns by outsourcing SD-WAN to an MSP. Handing off internet service provider management challenges to a third party could provide greater choice in connectivity and enable in-house IT to focus on tasks more critical to the business.

An SD-WAN MSP should be able to support current network infrastructure and ensure WAN connectivity options that span an organization's entire geographic footprint. Users also need to know how easy it is to scale the SD-WAN deployment because delays in service can be costly.

How to buy SD-WAN

SD-WAN buying is not an easy exercise -- it requires a significant amount of research and preparation. However, experts said to worry less about vendor lock-in -- which might be inevitable -- and more about picking a product or service well matched to the organization.

Although SD-WAN is an overlay technology, which makes it a bit easier to course-correct, changes in network infrastructure and policies can delay the goal of getting better application performance and centralized management.

Questions to ask for an SD-WAN RFP

One way to start to get a handle on what the organization needs from SD-WAN is to create an SD-WAN request for proposal. IT teams can use this RFP to outline the technology requirements -- including dynamic path selection, link steering and remediation, and network functions virtualization -- and how the vendor would handle them.

The SD-WAN provider will be instrumental in how well customers achieve QoS, including identifying and classifying traffic, and analyzing the decisions in real time. Customers need to understand a provider's expertise in QoS and how it will help fulfill the organization's performance goals. Potential customers will also want to assess the usability of the vendor's console, especially the metrics they consider most important and how easily the console can be customized. One of SD-WAN's selling points is its network visibility, so the console should convey the ability to both see and control what is happening across the whole network.

SD-WAN uses

As SD-WAN matures, IT teams are finding more uses for the technology, including deploying applications that would be too costly or have too high of volume for dedicated circuits alone. Among the scenarios shared in this article, an automotive software developer and cockpit electronics manufacturer used SD-WAN architecture to migrate old on-premises apps to SaaS and to give the company's remote developers local egress to the internet and cloud applications. Also, a biotech firm explained its use of SD-WAN to address its fast-paced growth, enabling new sites to come online at a significantly faster pace than via the existing VPN.

SD-WAN pioneers recommend working with a proof of concept and encouraging IT teams to experiment with the new technology. Those users stressed the importance of knowing what you need compared to what the vendors want to sell you. They also expressed the need to align business goals with SD-WAN's capabilities. Technology teams should be ready to explain to their executives why SD-WAN would be a good investment if the network is already performing well.

For example, network pros can demonstrate the performance hit their WAN would take during an Office 365 rollout without SD-WAN. IT can also sell the idea of SD-WAN technology if the growth rate of new branch offices or remote locations will soon outpace the budget for WAN bandwidth -- a problem potentially solved with more connectivity choices.

Multi-cloud deployments offer another appealing use for SD-WAN. The technology's ability to apply appropriate business policies and steer traffic enables IT to connect users to private cloud, IaaS and SaaS platforms. SD-WAN also supports microsegmentation, a way to isolate certain traffic flows, which increases security in a multi-cloud environment.

Deploying SD-WAN

Once an organization has settled on a vendor and is ready to bring SD-WAN into the network, it's necessary to prepare the network infrastructure for implementation.

SD-WAN adopters should examine their existing networks and determine if their hardware can support SD-WAN as-is or if they need to upgrade or buy new equipment. Some companies might need to purchase hardware-based appliances or virtual server software.

The prep work can involve diving deep into details, such as which routing protocol will work best in each location. Not every protocol works well everywhere, so businesses must carefully consider the choices.

Before deploying SD-WAN technology, users should conduct proof-of-concept testing that measures important metrics -- such as how fast failover is from a failed link to an operational path, the segregation of traffic types to different links and how throughput increases by using multiple parallel links. Here's a nine-step testing process to help organizations stay out of the weeds during the process.

As important as it is to test ahead of SD-WAN deployment, it's equally critical to develop a steadfast troubleshooting and monitoring strategy. Networking teams need to account for event handling, active path testing, physical status and topology, all of which are essential for troubleshooting. These tips serve as a guide to establish policies for monitoring and troubleshooting SD-WAN architecture.

Efficient SD-WAN troubleshooting

SD-WAN security

While security is not touted as a main reason to adopt SD-WAN, vendors and providers have addressed security concerns by supporting IP security standards and partnering with top security vendors to integrate protection into their products and services.

One essential capability organizations want to see in an SD-WAN product or service is a process to safely integrate new devices into the SD-WAN to prevent rogue devices from gaining access to their WAN traffic. Other desired capabilities are data plane encryption and control plane encryption.

Organizations should find out the specifics of the SD-WAN vendor's or provider's security strategy and make sure it aligns with the needs of the business. For instance, evaluate whether the SD-WAN software chronicles invalid connection attempts or warns admins about unauthorized access or malware. Journaling of this type, according to networking consultant Tom Nolle, could detect and prevent denial-of-service attacks.

Steps to bolster SD-WAN security

The future of SD-WAN

SD-WAN is a technology that will likely pair well with both 5G, or fifth-generation wireless, and the internet of things (IoT). While IoT is gaining traction, enterprise 5G services and equipment are not yet widely available, but their potential looks promising.

With lower latency than 4G wireless, 5G will create faster and better connections, and reach areas that currently don't have wireless access. SD-WAN is expected to intelligently streamline communications from IoT edge devices to a centralized data center, especially when paired with 5G's lower latency.

SD-WAN's future is set to flourish as newer technologies emerge that can benefit from its use, such as Secure Access Service Edge. IT professionals should take the time now to weigh whether SD-WAN makes sense in their corporate setting.

Dig Deeper on SD-WAN

Unified Communications
Mobile Computing
Data Center