The internet has proven to be the global fabric that interconnects all things. However, networks today need to provide more value than simply raw bandwid­th. As networks globally transform them­­selves into an on-demand and real-time set of programmable systems, many applications are moving to the cloud as an information technology (IT) utility for a globalised and mobile workforce. While the advancements of multi protocol label swit­ch­ing (MPLS) and carrier ethernet (CE) have proven to deliver a business-grade private wide area network (WAN) for enterprises worldwide, challenges persist. Today it can take many months to enable a multinational business to connect various sites globally to each other or to their public and private clouds. Additionally, service chan­ges, even just bandwidth changes, can often take weeks because they involve manual workflow-based processes. Software-defi­n­ed WANs (SD-WANs) have emerged as one solution to address these issues.

There are many use cases for SD-WANs, from providing a completely secu­re, multi site virtual private network (VPN) service to simply providing access to off-net sites via last-mile internet broadband. Unlike other network connectivity services, SD-WANs use application-driven networ­king where application traffic is forwarded over different WANs based on quality of service (QoS), security and business priority policies.

Since SD-WANs provide centralised control and management automation plus a secured overlay network over multiple WANs, enterprises worldwide can reduce costs. However, SD-WANs must be operated by either the enterprise or by a service provider. Many enterprises prefer to have a communications service provider (CSP) or managed service provider (MSP) deliver an SD-WAN managed service rather than own and operate it themselves since network management and operations is not their core business. CSPs and MSPs are now aggressively introducing SD-WAN ma­­na­­ged services to address enterprise challenges and deliver agile, assured and or­chestrated third-network connectivity services leveraging SD-WAN technologies.

Characteristics of SD-WAN

Secure, IP-based virtual overlay network

SD-WANs provide secure IP-based virtual overlay networks that typically use IPsec tu­nnels over the internet or MPLS underlay networks. SD-WANs support any topology, for example, full/partial mesh and hub and spoke. Because IP-based SD-WANs are virtual overlay networks, no mo­­difi­ca­tions need to be made to any of the un­­de­rlay networks. Also, IP-based SD-WAN im­plementations often use the public internet as one of their WANs, in which case they need to include some firewall and network address translation (NAT) capabilities.

Transport-independence of underlay network

SD-WANs operate over any type of wireline or wireless access networks. Each WAN may use a different underlay tech­no­logy. This independence from the underlay network facilitates tremendous agility and simplicity in creating and deploying virtual network connectivity.

Service assurance of each SD-WAN tunnel

Service assurance is a critical part of any managed network service. QoS is measured over each SD-WAN tunnel in real time. These measurements determine whe­ther a particular WAN meets the performance requirements of an application, resulting in application-based performance assurance. Further, SD-WAN service can correct for packet loss in the underlay network, resulting in higher QoS in the SD-WAN overlay tunnel.

Application-driven packet forwarding

SD-WANs perform application-level classification, up to Open Systems Inter­con­n­ec­tion (OSI) Layer 7, at the customer pre­mises. This enables subscribers to specify the applications that are forwarded via SD-WAN tunnels over different WANs. The WAN or SD-WAN tunnel selection is determined by an application’s QoS, security or business policy requirements.

High availability through multiple WANs

SD-WANs support packet forwarding over one or more WANs at each site. This is often referred to as hybrid WAN, when a site has two or more WAN connections and each WAN uses a different WAN te­chnology. When using multiple WANs, tunnels are created over each WAN. Each WAN underlay network can use a different wireline or wireless access provider, providing SD-WAN tunnel diversity. SD-WAN tunnels can operate over different underlay network technologies.

Policy-based packet forwarding

SD-WANs use policies to make application forwarding or blocking decisions for SD-WAN tunnels over each WAN. Policy en­forcement considers an application’s QoS performance requirements or an organisation’s security or business priority policy requirements. For example, a QoS policy may be set so Skype for Business packets are forwarded over any WAN as long as its QoS performance requirements are met. A business priority policy may be set so payment card transactions may be sent ahead of any Skype for Business packets.

Service automation

Service automation can be achieved via centralised management, control and or­chestration of SD-WAN tunnels with the automatic configuration of SD-WAN customer premises equipment. The latter is referred to as zero touch provisioning (ZTP), where all configuration information is pre-populated into the centralised management system. ZTP enables subscribers to self-install the customer premises equipment (CPE) by simply plugging in local area network (LAN), WAN and power cables. Management, control and or­chestration functions are accessible via web portals or application programming interfaces (APIs). Further, depending on the role assigned to a user, on-demand service modifications and service monitoring can be done via a web portal.

WAN optimisation

WAN optimisation is the compilation of many different functions that increase WAN bandwidth and QoS. WAN optimisation can include data de-duplication, data compression, data caching, forward error correction (FEC) and protocol spoofing. Since WAN optimisation is not required at all SD-WAN sites, it is often provided as a value-added service. Data de-duplication, data compression, data caching and protocol spoofing reduce the amount of WAN bandwidth required by minimising the amount of data transmitted over WAN. FEC compensates for WAN packet loss by sending duplicate packets over multiple WANs and then reassembles the packets in the correct se­quence at the receiving end.

SD-WAN service components

SD-WAN edge

An SD-WAN edge is where the SD-WAN tunnel is initiated or terminated, and provides the SD-WAN service demarcation. An SD-WAN edge creates and terminates secured (encrypted) tunnels over different types of wired or wireless underlay networks. It also performs application-based QoS and security policy enforcement, application forwarding over one or more WAN connections, and QoS performance measurements over each WAN to determine WAN path selection. It may also perform WAN optimisation functions such as packet buffering/reordering, data de-duplication, data compression, and FEC. The SD-WAN edge functionality may be provided by a physical CPE device or as a software-based virtual network function (VNF).

SD-WAN gateway

The SD-WAN gateway is a special type of an SD-WAN edge that also enables sites interconnected via the SD-WAN to connect to other sites interconnected via alternative VPN technologies. There are two ways to deliver an SD-WAN service to sites connected via another VPN service. The first way requires an SD-WAN wdge to be placed at each subscriber site connected to the VPN service so that SD-WAN tunnels can be created over the VPN. In the second scenario, an SD-WAN gateway is used to initiate and terminate SD-WAN tunnels and VPN connections.

SD-WAN controller

The SD-WAN controller provides physical or virtual device management for all SD-WAN edges and SD-WAN gateways associated with the controller. This inclu­des, but is not limited to, configuration and activation, IP address management and pushing down policies. The SD-WAN controller maintains connections to all SD-WAN edges and SD-WAN gateways to identify the operational state of SD-WAN tunnels across different WANs and retrieve QoS performance metrics for each SD-WAN tunnel. These metrics are used by the service orchestrator.

Service orchestrator

The service orchestrator provides the management for the SD-WAN life cycle including service fulfilment, performance, control, assurance, usage, analytics, security and policy. For example, the service orchestrator is responsible for configuring the end-to-end SD-WAN managed service between SD-WAN edges and SD-WAN gateways over one or more underlay.

Subscriber web portal

The MSP or CSP typically integrates the subscriber web portal for the SD-WAN ma­­naged service into their existing custo­mer portal used for other managed services.


Although SD-WANs are being embraced by the networking industry, SD-WAN terminology, deployment scenarios, solution architectures and open APIs are yet to be standardised. CSPs and MSPs are working towards introducing SD-WAN managed services to address the desire of enterprises to outsource their managed network services. A common SD-WAN would enable buyers, sellers and users to more effectively communicate requirements and intent while open, standard APIs facilitate and accelerate SD-WAN implementations and service deployments. Clearly, the benefits of SD-WAN for service providers and subscribers are multi fold.

Based on a white paper, “Understanding SD-WAN Managed Services”, by Metro Ethernet Forum