Software Defined Wide Area Networking (SD-WAN) has radically changed both the telecommunications and wide area networking (WAN) landscapes. SD-WAN enables enterprises to connect multiple offices together while also allowing an easy means to prioritize which applications are most important to the business and give them priority over the network. SD-WAN considers the public internet itself as part of the network, and the same policies can be created to ensure that traffic destined for a cloud based CRM or a VoIP provider have priority over someone watching a YouTube video or posting on Instagram.
SD-WAN solutions allow network admins to have insight into what types of traffic are traversing their networks, how much bandwidth individual applications are consuming and how their underlying ISPs are performing. Additionally many SD-WAN providers have their own cloud networks which incorporate peering arrangements with other cloud and SaaS providers. This improves access and performance, and can ultimately rival the quality of traditional private WAN solutions like MPLS and point-to-point circuits.
For the first time we have WAN solutions that make compelling value propositions to even single location enterprises. Additionally, due to the fact that SD-WAN is deployed over the top (OTT), there are a plethora of solutions available from both the largest telcos and innovative startups.
In this guide we’ll give you an overview of the SD-WAN provider landscape and go over a few specific provider solutions in detail, giving you everything you need to be an informed buyer.
But first, what is SD-WAN anyway?
Before going any further in this guide, we recommend reviewing the following to ensure you understand how the underlying technology works:
This article from us on what SD-WAN is and how it compares to MPLS
We don’t want to rehash information we’ve already covered in another article, so I won’t repost it here, but I recommend at least doing a quick Google search to solidify your understanding of the technology itself to get the most value out of this guide. We’ll do our best to keep things simple and high-level to ensure we accommodate buyers of all experience levels here.
General Provider Landscape
From a provider perspective, the SD-WAN landscape is fragmented and concentrated in different areas and use cases. Some of the players are heavily focused on interoffice networking while others focus on application and SaaS performance optimization. There are solutions that are geared towards global enterprises and others towards the SMB market. To know what’s best for your company, you need to first delineate your own objectives in deploying SD-WAN.
Edge analytics report courtesy of Masergy
Appliance vs. Platform vs. Integrated Provider, take your pick
Currently, there are 3 popular flavors of SD-WAN:
Appliance. The first method to deploy is by self-managing SD-WAN appliances (or having an MSP do it) that are installed at the edge. While these devices will have cloud management capabilities, they don't actually route WAN traffic through their platforms. Instead, they provide traffic shaping and prioritization on the LAN that is enforced before the local WAN interface is reached. Cisco Meraki and Fortinet are good examples of solutions that operate in this manner. In most cases these solutions can be purchased as a one time capex. Typically, this is the lowest-cost option for deployment.
Platform. The second method to deploy is by adopting a major proprietary cloud based platform like VeloCloud, Silver Peak, Cisco Viptela, CATO Networks, Aryaka or BigLeaf Networks. These too rely on physical or virtual appliances at the edge, but the key difference is that in addition to cloud management, these companies also have the ability to route your traffic through their clouds which are often peered with major ISPs, other public clouds, and numerous SaaS providers. This in essence allows for direct routing to these services by largely avoiding the inherent uncertainty of the public Internet. Most of these companies have built out global points-of-presence to make their core networks easy to reach. These solutions are provided as a service, and in many cases have both an upfront cost for hardware / setup and an ongoing monthly service charge.
Integrated. The third method to deploy is by partnering with a telco or NSP who has deployed one of the proprietary platforms mentioned above within their own network. The major platform solutions like VeloCloud offer carrier-focused solutions that can have some nuances in terms of functionality vs. their native platforms, but in general offer parity across the major feature sets. The value proposition of this model is largely two fold:
Large telcos may have global networks and peering that may be superior to the leading cloud-based platforms, allowing enterprises to access services with more direct paths and lower latency, etc
Telcos offer other adjacent services, often viewed as complementary to SD-WAN and enterprises may gain efficiency by having multiple services bundled from a single provider. Good examples are SD-WAN and UCaaS or security.
For the purposes of this post, we are going to focus on both proprietary cloud-based platforms and carriers who have integrated these technologies into their core networks, as we feel that in many cases these flavors offer the best value proposition to enterprises of all sizes. In future posts, we will come back to SD-WAN appliance-only deployments as these
represent different use cases and value propositions.
ISP Latency and Packet Loss Reporting courtesy of Bigleaf Networks
Key Use Cases and Benefits
Like most modern technologies, decisions on which SD-WAN solution is most appropriate for a specific enterprise come typically down to use case. Here is a quick look at some of the top SD-WAN use cases:
Managed site-to-site VPNs: provider managed wide area network connectivity between multiple offices. Provider manages tunnels, quality of experience and adds and deletes locations as appropriate.
WAN acceleration and optimization: caching, compression and other tricks that allow data to move across the network more quickly and efficiently.
Application queuing, traffic prioritization and SaaS QoE, (Quality of Experience): prioritization of application data across the WAN, often combined with peering arrangements that provide shorter and more predictable routes to SaaS and VoIP providers.
Multi-link/ISP aggregation and or load balancing/failover: real-time, or near real-time monitoring of ISP quality with dynamic routing of traffic based on which ISP link is best able to transmit and receive traffic destined for a specific url or domain; some SD-WAN solutions even have the ability to fail a voice call over from one ISP to another without dropping the call.
Rich reporting both on layer 7 WAN utilization as well as ISP quality and uptime metrics: insight into how ISPs and SaaS applications are performing, network utilization on an application (and sometimes user) level, where quality issues may lie on the network, etc.
The last element of SD-WAN offerings that is paramount to consider during evaluation is how security is handled. Some SD-WAN solutions incorporate native security functionality while others point to either architecture benefits or overall flexibility and efficacy as reasons to not specifically address security within their product. Security in and of itself is top of mind for most organizations, but considering SD-WAN solutions leverage the public internet, and in many cases are displacing private, point-to-point or MPLS networks, security needs to be considered. Most of the major solutions offer IPSec to secure site-to-site VPN traffic with up to-256 bit encryption, some even go as far as providing Layer 7 firewalling.
Remote site monitoring and reporting courtesy of CATO Networks
Before we dive into an overview of popular SD-WAN solutions in an attempt to flesh out meaningful differences, there are a few common denominators across most SD-WAN solutions that we consider essential elements:
All of the solutions can support multiple WAN links >1 Gbps from multiple services providers and are able to dynamically route traffic over them.
They all offer H/A options for their edge appliances with automatic failover and monitor / report on ISP connection quality, and provide for real time route and ISP optimization.
Many of the providers below will manage third-party ISP circuits in order to maintain a single vendor solution while also incorporating diverse underlying carriers for access.
*takes deep breath* Phew, okay now let’s discuss specific providers!
Founded in 2009, Aryaka has focused on large enterprises who are motivated to move away from (often global) MPLS services for something more modern and cloud-centric. As such, much of Aryaka’s core value proposition and platform has been designed by looking at how large enterprises bought and leveraged MPLS and adopting a familiar functionality and management for their SD-WAN offering. For example, Aryaka is a fully managed solution, whether it’s used for cloud application optimization or site-to-site WAN connectivity, while also providing the ability to incorporate, manage, and even procure transport from third-parties, which checks a big box for globally distributed multinational organizations who are accustomed to having their WAN managed by a single provider. Aryaka provides superb peering, a global network backbone and rich reporting in a familiar “MPLS-like” fully managed model. From a security perspective, Aryaka can provide basic necessities for site-to-site connectivity like IPSEC and even layer 3 firewall, but in general has looked to partner and integrate with security leaders such as Zscaler and Palo Alto Networks. For very large enterprises with unique and demanding security needs, this strategy makes a lot of sense.
Aryaka at a glance:
Management Model: Fully Managed
Market Focus: Medium to Large Enterprise
Security: Layer 3 firewall, IPSec with encryption up to 256-bit; integrations for comprehensive firewalling and secure Internet gateways
Unlike some of the larger proprietary SD-WAN platforms that are often focused on carriers and very large enterprises, Bigleaf Networks is a growth-stage startup that has shaken up the SD-WAN space by mostly focusing on small to mid-market companies. As such, they offer a simple UI and straightforward policy management. Applications are automatically dropped into 6 different (reassignable) buckets that delineate how traffic prioritization policies are created. One of Bigleaf’s best features is that they assign customers a public IP address from their cloud, which provides organizations the ability to aggregate and failover between multiple links without their public facing IP ever changing. The entire Bigleaf solution is designed to be very user friendly, and in some places sacrifices feature functionality and configurability for an “it just works” kind of approach.
Bigleaf’s network has solid peering, and an ability to ensure that traffic destined to major public clouds is optimized. Bigleaf does not offer managed site to site VPNs, so IT admins will be forced to create and manage their own tunnels. Bigleaf is an example of an SD-WAN vendor that offers near zero security functionality. While some may see this as a negative, in many cases it lends itself to being simple and easy, as it has been designed to be deployed in the DMZ where site-to-site WAN/VPN and sensitive browser traffic has already been encrypted. Unlike many SD-WAN providers, Bigleaf does not offer to manage and troubleshoot circuit issues with underlying ISPs. Bigleaf is one of the SD-WAN companies that offers a strong value proposition for single site organizations that rely heavily on cloud based services and value both their route optimization capabilities and bulletproof failover.
CATO Networks describes themselves as a Secure Access Service Edge Provider which is a term that Gartner introduced in 2019 to describe a combination of SD-WAN functionality with comprehensive, native, and embedded security architecture. Considering that many of the senior leadership team spent time at Imperva, the fact that CATO has chosen to heavily incorporate security into their strategy does not come as a huge surprise.
CATO aims to be a one stop shop for managed everything - from network and layer 7 firewalling and unified threat management, site-to-site interoffice connectivity, WAN optimization / acceleration and even DNS and CDN. When you consider that the majority of SD-WAN solutions require onsite appliances at the branch level, having security embedded simplifies both network architecture and management.
Much like Aryaka, CATO offers their services in a fully managed model and leverages a private global network with excellent peering and easy access. CATO will procure transport and access from third-parties on a customer’s behalf, or manage trouble reporting and resolution for existing circuits that are already in place. CATO also offers rich yet straightforward reporting on both security and WAN aspects of the network through their single pane of glass.
GTT is the largest ISP you may have never heard of. Offering over 600 global points-of-presence with impressive density across the US and EU, GTT is consistently ranked as one of the top 5 ISPs in the world in terms of the amount of traffic moving across their network. In addition to their own facilities-based core network, GTT has an extensive number of partnerships to deliver last mile connectivity, making them a single source provider of Internet connectivity, voice, transit, data center, and of course SD-WAN solutions.
GTT currently has two different SD-WAN offerings, one leveraging Fortinet’s platform which has been built to target SMB users, and another more enterprise-focused solution built using VeloCloud which we will focus on here. The GTT / VeloCloud solution offers everything that you would expect from a leading SD-WAN platform, and wisely GTT has chosen to not restrict flexibility in an attempt to drive their network services sales so that enterprises are free to leverage their own ISPs or MPLS connections or slowly transition over time to GTT provided access if they’d like. Additionally, GTT offers end users the ability to support BGP and OSPF protocols and will even let users set their own routing policies at the edge should they choose to do so. From a security perspective, the solution checks the major boxes by offering IPsec encryption and a network firewall out of the box. Additionally, GTT has a comprehensive suite of additional security products that can easily be deployed alongside their SD-WAN offering.
GTT at a glance
Management Model: Fully Managed with some user control
Market Focus: Small (Fortinet), medium and large enterprises. (VeloCloud)
Security: Layer 3 firewall, IPsec with up to 256 bit encryption for site to site traffic.
Masergy has long been an elite, enterprise-focused managed service provider offering a robust portfolio of voice, Internet and data services across their private facilities-based network. Like GTT, Masergy also offers two SD-WAN platforms: Fortinet for their SMB customers and Silver Peak as their enterprise platform. Along with VeloCloud, Silver Peak has been a leading platform for SD-WAN services for several years offering broad functionality and high performance, especially for WAN optimization and acceleration when delivered over Masergy’s global backbone.
Like most of the other solutions, Masergy’s offering provides for IPsec VPN with 256-bit encryption but stops short of natively incorporating any type of firewalling or unified threat management. However, Masergy has made a substantial push towards security over the last several years and has a comprehensive suite of adjacent services that can be opted into including layer 3 firewall and UTM to augment their SD-WAN offering. Masergy’s service tends to lean towards a fully managed model but also offers enterprises the ability to set their own traffic prioritization policies and incorporate existing BGP or OSPF routing. Masergy provides SD-WAN as a stand alone service, and does not require access and transport be procured directly through them, although we think doing so will make sense to most enterprises.
Masergy at a glance:
Platform: Fortinet, Silver Peak
Management Model: Fully Managed with minimal user control.
Market Focus: SMB (Fortinet) to large enterprise (Silver Peak)
Security: IPsec with up to 256-bit encryption for site to site traffic; comprehensive bolt-ons available
SD-WAN represents a means to enable businesses superior insight and control over their WAN traffic while also providing a superior means to ensure network resiliency over low-cost ISP access. However, SD-WAN should not be looked at as a point solution. What type of traffic an enterprise has running across their WAN and how much flexibility and control they need are key items that buyers must consider. As you can see from this guide, there are a multitude of options available depending on what an organization is seeking to accomplish. We will take a look at a few of the providers below and outline where we see general fits.
Aryaka is an attractive solution for large enterprises who are ready to migrate away from their MPLS network but still want to maintain a fully-managed solution down to circuit monitoring and procurement. While Aryaka has excellent peering and a robust network, they do not offer a portfolio of adjacent technologies like unified communications or security so their solution will appeal to enterprises who are focused on deploying a managed WAN as a foundation for moving towards a next generation network strategy. Aryaka offers high-touch service, and can also incorporate existing MPLS infrastructure which allows enterprises to migrate at their own speed with limited risk.
Bigleaf Networks is an “easy button” of sorts for SD-WAN and is geared towards organizations who require high availability and quality access to cloud applications and who also have existing edge security devices in place to handle security and site-to-site connectivity. Bigleaf is equally valuable to single location enterprises who want to aggregate multiple ISP links and take advantage of Bigleaf's peering into major SaaS platforms and public clouds.
CATO Networks’ embedded security will pose a compelling value proposition for the mid-size to large enterprise. These organizations often have personnel constraints and are increasingly looking to consolidate multiple services under a single vendor for simplified management, but are not willing to sacrifice functionality and performance. CATO’s wholly-managed strategy will also be of benefit to this profile of organization and their network peering will likely be in place to optimize connectivity to cloud based applications that have already been deployed. For organizations that have separate security teams in place and infrastructure deployed that they are comfortable with, the CATO solution may be less compelling.
GTT’s global network reach with the ability to aggregate broadband and DIA connections from over 3,000 carrier partners is undeniably their biggest benefit to enterprise. Additionally, GTT offers an array of complementary solutions like UCaaS, SIP trunking, and security while being known to price aggressively. GTTs solutions are flexible and provide an ability for IT professionals to control what they want to control while also feeling like they have a truly managed service. GTT’s solution is extremely compelling for organizations that have a large number of geographically dispersed remote sites that require a mix of broadband and dedicated Internet connectivity and value both a single management and billing platform.
Masergy offers an interesting value proposition for mid-size to large enterprises who have complex voice and data needs across multiple locations and are seeking a partner that can deploy and manage an assortment of premium services. Masergy has an excellent reputation in the marketplace and is capable of managing all aspects of a user’s network including high availability SD-WAN, UCaaS, Contact Center, or security regardless of how complex each need may be.
That’s all folks! Genuinely hope you found this guide useful. If you have any questions or suggestions regarding what’s written here, reach out to me directly at rob AT lightyear DOT ai. If you’re looking to buy SD-WAN and want to leverage our software to make your decision process easier (for free!), fill out our questionnaire here. More on what we do here.