If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they worth the investment? As someone who makes and sells SD-WANs for a living, I do love the technology. However, even I know that SD-WANs aren’t a fit for every company. Here, then, are five reasons from an SD-WAN insider why not to buy an SD-WAN.
Numerous surveys show that a driver, if not the major driver, for SD-WANs is reduction in monthly spending for bandwidth. Proponents will point to the 90 percent difference between MPLS and Internet bandwidth. You will reduce costs, but often actual savings are much more conservative than the quoted 90 percent number. Many locations will require dual fiber links for reasons of resiliency, increasing costs. Service provider management, an inherent part of any MPLS service, must be assumed by the enterprise with SD-WAN -- another cost center. There are also security costs that need to be calculated, if branch offices are to use local Internet to improve cloud application performance.
So, where will cost savings come from? Depending on the SD-WAN selection, you can save the cost of replacing end-of-life routers at branch offices. Bandwidth costs will almost certainly reduce when replacing MPLS with Internet, unless you happen to be in a region where Internet availability is limited. SD-WANs offered by some Firewall-as-a-Service providers allow you to eliminate or reduce security as well as networking costs. You’ll also reduce your operational costs through the use of centralized configuration and management.
To be MPLS-free is the wish of any WAN manager, but there’s an excellent chance that with most SD-WANs, you’ll remain tied to the MPLS umbilical cord. Companies depending on latency-sensitive and loss-sensitive applications will not be able to deliver the kind of consistent, quality experience, day-in and day-out, with the Internet. As I mentioned, routing dynamics and Internet economics are such that there’s very little incentive for providers to deliver the kind of consistent latency and loss statistics needed by enterprise-grade applications. This is particularly true when delivering services in underserved areas or between Internet regions. For those applications, organizations should retain MPLS or replace it with another SLA-backed backbone.
The quality of experience (QoE) of some applications will improve with an SD-WAN when compared with MPLS, but not for all applications. SD-WANs are not WAN optimization, which applies a variety of compression, caching and protocol optimization, as well as link correction techniques to improve application efficiency, reduce latency, and minimize loss. SD-WANs are about controlling the overall network; WAN optimization improves one path across the network. SD-WANs may include WAN optimization techniques, but that’s the exception -- not the rule.
All SD-WANs can help improve application performance in three ways:
SD-WANs go a long way to making wide area networking more plug-and-play, but I don’t think anyone who’s deployed an SD-WAN will say it’s easy. Zero-touch deployment does make deployment far more rapid than configuring dozens of individual routers, but someone still needs to understand routing, policy configuration, network performance and more. Some vendors give you GUIs for those deployments, in which case large-scale deployments may be tedious. Other vendors rely on CLI, in which case you’ll certainly want to retain the expertise of a networking engineer. Adding the multi-tunnel environment that’s used in the overlay makes troubleshooting more challenging. Now you need to worry not just about L3 and routing issues, but about the SD-WAN as well.
SD-WANs do not provide advanced security. They encrypt traffic, like any other VPN, which protects against wiretapping and man-in-the-middle attacks, but they provide none of the advanced security services needed to defend against malware penetration, advanced persistent threats and more. This is particularly important because SD-WANs rely on direct Internet access (DIA) to improve cloud and Internet performance. But DIA is only possible if those Internet connections can be secured against Internet-borne threats. You’ll still need to invest in IPS, malware protection, next-generation firewall (NGFW) and other advanced security services, increasing the cost of an SD-WAN deployment.
As with any new technology, there are more than a few misconceptions around the value of SD-WANs. But there’s also real value to the technology around operational savings, end-to-end performance, and more. Understanding those benefits will help you get the most from your SD-WAN.