If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they worth the investment? As someone who makes and sells SD-WANs for a living, I do love the technology. However, even I know that SD-WANs aren’t a fit for every company. Here, then, are five reasons from an SD-WAN insider why not to buy an SD-WAN.
You might not save as much money as you thought
Numerous surveys show that a driver, if not the major driver, for SD-WANs is reduction in monthly spending for bandwidth. Proponents will point to the 90 percent difference between MPLS and Internet bandwidth. You will reduce costs, but often actual savings are much more conservative than the quoted 90 percent number. Many locations will require dual fiber links for reasons of resiliency, increasing costs. Service provider management, an inherent part of any MPLS service, must be assumed by the enterprise with SD-WAN -- another cost center. There are also security costs that need to be calculated, if branch offices are to use local Internet to improve cloud application performance.
So, where will cost savings come from? Depending on the SD-WAN selection, you can save the cost of replacing end-of-life routers at branch offices. Bandwidth costs will almost certainly reduce when replacing MPLS with Internet, unless you happen to be in a region where Internet availability is limited. SD-WANs offered by some Firewall-as-a-Service providers allow you to eliminate or reduce security as well as networking costs. You’ll also reduce your operational costs through the use of centralized configuration and management.
You might not be able to replace your MPLS networks
To be MPLS-free is the wish of any WAN manager, but there’s an excellent chance that with most SD-WANs, you’ll remain tied to the MPLS umbilical cord. Companies depending on latency-sensitive and loss-sensitive applications will not be able to deliver the kind of consistent, quality experience, day-in and day-out, with the Internet. As I mentioned, routing dynamics and Internet economics are such that there’s very little incentive for providers to deliver the kind of consistent latency and loss statistics needed by enterprise-grade application. This is particularly true when delivering services in underserved areas or between Internet regions. For those applications, organizations should retain MPLS or replace it with another SLA-backed backbone.
It will not make everything faster
The quality of experience (QoE) of some applications will improve with an SD-WAN when compared with MPLS, but not for all applications. SD-WANs are not WAN optimization, which applies a variety of compression, caching and protocol optimization, as well as link correction techniques to improve application efficiency, reduce latency, and minimize loss. SD-WANs are about controlling the overall network; WAN optimization improves one path across the network. SD-WANs may include WAN optimization techniques, but that’s the exception -- not the rule.
All SD-WANs can help improve application performance in three ways:
- Applications requiring a lot of throughput (think: data replication or backup) will benefit from SD-WAN’s ability to leverage high-bandwidth Internet links.
- Cloud and Internet application performance will improve by being able to access the Internet directly (direct Internet access, DIA) from a branch office, assuming secured Internet connection is provided. By contrast with MPLS, Internet traffic is commonly backhauled to a secured Internet portal. This can introduce significantly more latency into the connection through the so-called trombone effect.
- Voice, video and other latency sensitive applications, in particular, benefit from the SD-WAN’s ability to select the path with the least latency. Normally, Internet routing is application agnostic, routing traffic based on a combination of the number of hops and peering economics. By contrast, SD-WANs monitor the characteristics of the underlying transports and use that information, along with policies describing business logic, to select the optimum path to a destination.
Networking will not become easy
SD-WANs go a long way to making wide area networking more plug-and-play, but I don’t think anyone who’s deployed an SD-WAN will say it’s easy. Zero-touch deployment does make deployment far more rapid than configuring dozens of individual routers, but someone still needs to understand routing, policy configuration, network performance and more. Some vendors give you GUIs for those deployments, in which case large scale deployments may be tedious. Other vendors rely on CLI, in which case you’ll certainly want to retain the expertise of a networking engineer. Adding a multi-tunnel environment that’s used in overlay makes troubleshooting more challenging. Now you need to worry, not just about L3 and routing issues, but the SD-WAN, as well.
Security problems will not be solved
SD-WANs do not provide advanced security. They encrypt traffic, like any other VPN, which protects against wiretapping and man-in-the-middle attacks, but they provide none of the advanced security services needed to defend against malware penetration, advanced persistent threats and more. This is particularly important because SD-WANs rely on DIA to improve cloud and Internet performance. But direct internet access is only possible if those Internet connections can be secured against Internet-borne threats. You’ll still need to invest in IPS, malware protection, next generation firewall (NGFW) and other advanced security services, increasing the cost of an SD-WAN deployment.
As with any new technology, there are more than a few misconceptions around the value of SD-WANs. But there’s also real value to the technology around operational savings, end-to-end performance, and more. Understanding those benefits will help you get the most from you SD-WAN.