Learn more about the latest ThousandEyes innovations at Cisco Live! | June 2-6, 2024


Understanding SD-WANs: Benefits and Limitations

By Alex Henthorn-Iwane
| | 13 min read


SD-WANs are a significant development in wide area networking, and the first SDN technology to gain widespread deployment. Yet, their usefulness is being muddled by over-hyped expectations that they can provide all-seeing and all-controlling power over every aspect of enterprise IT communications. This isn’t true, and it’s important to understand just what you’re getting with SD-WAN so you can plan your WAN modernization effectively. Let’s look at which domains SD-WANs can see and control, which they can’t, why that matters and how Network Intelligence helps with your hybrid WAN, SD-WAN and Direct Internet Access evolution.

What is the WAN?

In the olden days, all the users were in offices and all apps lived in on-premises data centers. The WAN was very simply what connected all of them together and included on-premises routers and carrier services that came with an SLA. Today, with SaaS adoption, the building of nearly every new enterprise app in IaaS clouds, the shift to Direct Internet Access (DIA) and the near ubiquitous use of cloud-based API endpoints as integral components of even on-premises applications, the “WAN” is getting stretched beyond recognition. The Internet is directly and exclusively carrying a large if not majority share of all enterprise traffic flows today.

The Internet as a whole is fundamentally different in nature from the traditional WAN—it is not a contracted service, but a shared commons consisting of tens of thousands of networks held together through a fragile chain of implied trust lived out most notably through the global BGP routing tables and the Domain Name Service. For enterprises, there are many service dependencies that live exclusively on the Internet, such as CDNs, security providers (DDOS, SWG), plus aforementioned IaaS, SaaS, and cloud APIs. Getting enterprise traffic across the Internet to and through any of these service dependencies involves contacted ISPs plus many other transit ISPs with which the enterprise has no contractual access.

So, we can think of enterprise communications as encompassing two distinct management domains. The first is the internal WAN domain of on-premises networking equipment and inter-site links, be they MPLS or IP-VPN tunnels. Note that while IP-VPN tunnels may cross large expanses of the Internet, they act as single routed adjacencies between routers operated by the enterprise. The other is the external Internet-based domain, in which live networks, infrastructure, services and applications that are neither owned nor controlled directly by the IT team, as enumerated above.

Enterprise communications flowing through internal WAN and external Internet
Figure 1: Enterprise communications flow in both internal WAN and external, Internet-based domains.

What do SD-WANs Actually See and Control?

SD-WANs address the internal management domain of the WAN by bringing a much higher degree of centralized coordination and control around routing policies. This is accomplished by placing physical or virtual SD-WAN enabled routers into environments controlled by the IT team, such as data centers, branch offices and cloud VPCs. SD-WANs pull all the manual configuration of routing policies on individual branch/WAN edge routers into a centralized SD-WAN controller that can set policies on a global basis. SD-WANs allow you to configure preferred paths for various applications. For example, VoIP flows can be steered over MPLS circuits, while less sensitive apps can be steered over the IP-VPN tunnels.

Many SD-WAN solutions include some basic app performance measurements so that they can respond to relative network performance problems. For example, if Webex is performing poorly via the branch DIA pipe, the SD-WAN solution could steer traffic away from the DIA pipe and take it across an IP-VPN backhaul tunnel to a data center’s centralized Internet breakout.

One of the benefits of how SD-WANs manage performance is that they can help you increase the proportional use of Internet bandwidth, which at least in some geographies, can save money. Gartner analysts Ted Corbett, Andrew Lerner and Mike Toussaint have written a useful research report called Fact or Fiction: Does SD-WAN Really Save You Money? that spells out some of the variables that affect SD-WAN savings. Worth looking at if you have a Gartner subscription.

What SD-WANs Don’t See and Control

When it comes to the external portion of modern enterprise communications, SD-WANs leave the vast majority of this domain uncovered. For example, let’s take the case of encrypted IP-VPN tunnels transiting the Internet between branch offices and data centers, or data centers and IaaS VPCs. While that tunnel appears to be a single hop from the point of view of the SD-WAN routers, in reality, the tunnel traffic is likely transiting a dozen or more routers and multiple independent network organizations (Autonomous Systems in BGP parlance). If performance through the tunnel is sub-par, just knowing that binary good/bad status isn’t enough for network operations folks—they have to solve the problem. SD-WANs don’t collect any information about Internet routing tables, Autonomous Systems, hop-by-hop metrics across Internet paths, and all of the network infrastructure outside of the SD-WAN controller’s purview. Without this intelligence, SD-WANs can’t help solve problems in this domain. Without detailed insights, you can’t even figure out which network organization within the Internet is the source of the problem, let alone specific routers and error metrics.

Here’s another scenario: DIA from a branch office to connect users to SaaS providers. That traffic first takes a GRE tunnel from the branch router (transiting multiple ISPs and routers) to a secure web gateway (SWG) provider’s data center. After the traffic is examined by a secure proxy server, it then exits the SWG data center and takes whichever path the Internet prescribes to any one of multiple SaaS providers. Each of those SaaS providers has a different delivery architecture, perhaps front-ended by a proprietary or one of multiple commercial CDNs, or perhaps delivered without a CDN by a front-door data center that hands off to a designated data center instance on another continent. Again, SD-WANs can’t provide any visibility into or any control over these components of the delivery chain.

DIA SaaS connectivity Internet paths
Figure 2: DIA SaaS connectivity relies not only on Internet paths but often on cloud-based security providers.

What about connectivity from data centers and IaaS VPCs to cloud-based API endpoints, which are part of pretty much every application architecture these days. These API calls go directly over the Internet in the vast majority of cases. No SD-WAN insight or control here either.

PayPal cloud-based API endpoints
Figure 3: There cloud-based API endpoints are ubiquitous.

A final example: SD-WANs are primarily for corporate IT connectivity and don’t touch the world of customer-facing web and mobile apps. User experience for e-commerce, online banking, IoT clouds, customer analytics solutions, etc. relies upon Internet-based CDNs, DNS services, DDoS security providers, IaaS providers and SaaS APIs.

Why The External Domain Matters So Much

The point of enumerating all the portions of modern enterprise IT communications that SD-WANs don’t manage, is not to diminish the benefits of SD-WANs. Rather, it is to highlight the growth and criticality of the external domain. Your digital business, brand reputation, employee productivity and revenue are all critically dependent on external providers, networks and services. The fact that neither you (nor SD-WANs) control those resources doesn’t let you off the hook in terms of the business outcomes.

In the absence of control, visibility is key. That’s why 5 of the top 6 U.S. banks, 8 of the top 10 global software companies, 18 of the top 20 SaaS and 50+ of the Fortune 500 use Network Intelligence delivered by ThousandEyes to see, understand and optimize connected experiences for their customer-facing apps, as well as their WAN modernization efforts and cloud adoption strategies. Apropos to SD-WAN, we see more enterprises embracing a cloud readiness lifecycle and deploying ThousandEyes visibility ahead of time to prepare for SD-WAN rollouts to gain an understanding of how the Internet will behave and how cloud resources will perform from their distributed locations. From there, they’re ready to operate successfully in both internal and external dimensions of their enterprise IT communications. If you’re ready to learn more about how Network Intelligence complements and helps the success of SD-WANs, request a demo and we’ll walk you through how to get the overall visibility you need to modernize your WAN.

Subscribe to the ThousandEyes Blog

Stay connected with blog updates and outage reports delivered while they're still fresh.

Upgrade your browser to view our website properly.

Please download the latest version of Chrome, Firefox or Microsoft Edge.

More detail