什么是SD-WAN?
SD-WAN Explained
A Software-defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services—including MPLS, LTE and broadband internet services—to securely connect users to applications.
An SD-WAN uses a centralized control function to securely and intelligently direct traffic across the WAN and directly to trusted SaaS and IaaS providers. This increases application performance and delivers a high-quality user experience, which increases business productivity and agility and reduces IT costs.
SD-WAN架构
基于常规路由器的传统WAN从未为云设计。他们通常需要从分支机构到集线器或总部数据中心的所有流量,包括云的流量,包括云的交通。回程造成的延迟会损害应用程序性能,从而导致用户体验差和生产力失去。
与传统的以路由器为中心的WAN体系结构不同,SD-WAN模型旨在完全支持在本地数据中心,公共或私有云以及SaaS Services(例如Salesforce.com,Workday,Workday,Drowbox,Microsoft 365和Microsoft 365)和SaaS服务中托管的应用程序的全面支持。更多,同时提供最高水平的应用程序性能。
How does SD-WAN work?
Unlike SD-WAN, the conventional router-centric model distributes the control function across all devices in the network and simply routes traffic based on TCP/IP addresses and ACLs. This traditional model is rigid, complex, inefficient, and not cloud-friendly and results in a poor user experience.
AnSD-WAN使云领先的企业能够为用户提供卓越的应用体验质量(QOEX)。通过识别应用程序,SD-WAN在整个WAN上提供了智能应用程序感知的路由。每个类别的应用程序都符合业务需求,都会收到适当的QoS和安全政策执法。从分支机构获得的IaaS和SaaS应用程序流量的安全本地Internet突破提供了最高水平的云性能,同时保护企业免受威胁。
Why SD-WAN?
时代已经改变,企业正在使用云并订阅软件即服务(SaaS)。传统上,用户连接回公司数据中心以访问业务应用程序,但现在可以通过访问云中的许多相同应用程序来更好地为他们提供服务。
As a result, the traditional WAN is no longer suitable mainly because backhauling all traffic—including that destined to the cloud—from branch offices to the headquarters introduces latency and impairs application performance. SD-WAN provides WAN simplification, lower costs, bandwidth efficiency and a seamless on-ramp to the cloud with significant application performance especially for critical applications without sacrificing security and data privacy. Better application performance improves business productivity, customer satisfaction, and ultimately profitability. Consistent security reduces business risk.
Basic SD-WAN vs business-driven SD-WAN
- Not all SD-WANs are created equal。许多SD-WAN解决方案是基本的SD-WAN解决方案或“足够好”的解决方案。这些解决方案缺乏确保卓越网络体验所需的智能,可靠性,性能和规模。请记住,没有一个快速,安全和高性能的网络,企业数字转换计划可能会停滞,因为它们依赖于依赖网络的服务的应用程序。SD-WAN是一个关键的数字转型支持者,正在企业中推动战略决策。那么,什么是业务驱动的SD-WAN,为什么基本的SD-WAN不够好?
- 生命周期的编排和自动化。最基本的SD-WAN产品提供某种程度的zero-touch provisioning. However, basic SD-WAN solutions do not always provide full end-to-end orchestration of all WAN edge functions such as routing, security services, including service chaining to advanced third-party security services and WAN optimization. When enterprises deploy new applications or when a QoS or security policy change is required, a business-driven SD-WAN supports centralized configuration, enabling the required changes to be deployed in a few minutes instead of weeks or months. Centralized orchestration greatly minimizes human errors that can compromise performance or security.
- Continuous self-learning.A basic SD-WAN solution steers traffic according to pre-defined rules, usually programmed via templates. A business-driven SD-WAN, delivers optimal application performance under any network condition or changes including congestion and when impairments occur. Through continuous monitoring and self-learning, a business-driven SD-WAN responds automatically and in real-time to any changes in the state of the network. A business-driven SD-WAN continuously adapts to changes in the network, automatically adapting in real time to any changes that could impact application performance, including network congestion, brownouts and transport outage conditions, allowing users to always connect to applications without manual IT intervention. For example, should a WAN transport service or cloud security service experience a performance impairment, the network automatically adapts to keep traffic flowing while maintaining compliance with business policies.
- Consistent Quality of Experience (QoEx).一个关键的好处的dvanced SD-WAN solution is the ability to actively use multiple forms of WAN transport simultaneously. A basic solution can direct traffic on an application basis down a single path, and if that path fails or is underperforming, it can dynamically redirect to a better performing link. However, with many basic solutions, failover times around outages are measured in tens of seconds or longer, often resulting in annoying application interruption. A business-driven SD-WAN intelligently monitors and manages all underlay transport services. It can overcome the challenges of packet loss, latency and jitter to deliver the highest levels of application performance and QoEx to users, even when WAN transport services are impaired. Unlike a basic SD-WAN, a business-driven SD-WAN handles a total transport outage seamlessly and provides sub-second failover that averts interrupting business-critical applications such as voice and video communications.
- End-to-end micro-segmentation.尽管基本的SD-WAN提供了相当于VPN服务的功能,但业务驱动的SD-WAN提供了更全面的端到端安全功能。除了支持基于国家区域的防火墙外,SD-WAN平台还应编排并强制跨越Lan-Wan-Data中心和Lan-Wan-Cloud的端到端微分离。与以设备为中心的WAN模型或基本的SD-WAN模型相比,由于人类错误少,因此中心配置的安全策略的一致性要少得多,该模型通常需要以设备为基础配置策略。如果政策需要进行更改,则将其以业务驱动的SD-WAN进行集中编程,并将整个网络上的10s,100s或1000秒推向,从而显着提高了操作效率,同时降低了整体攻击表面并避免任何事情安全漏洞。
- Secure local internet breakout for cloud applications.许多基本的SD-WAN提供了一些基于固定定义和手动脚本ACL的应用程序分类功能,可直接通过Internet引导SaaS和IaaS流量。但是,云应用程序不断变化。业务驱动的SD-WAN不断适应更改,并提供自动化的每日应用程序定义和IP地址更新。这消除了应用程序中断和用户生产率问题。
理想情况下,企业客户需要转移到business-driven SD-WAN platformthat unifies SD-WAN, firewall, segmentation, routing, WAN optimization and visibility and control functions, all in a single, centrally managed platform.
Advanced SD-WAN functionality for SASE
Ultimately, the goal of SASE is to deliver the best end-user quality of experience for cloud-hosted applications without compromising security. After working with many enterprises that have designed and deployed their SASE architectures, we’ve learned that basic SD-WAN functionality falls short. An SD-WAN with advanced networking capabilities is required to fully enable SASE:
- 确定第一个数据包上的应用程序流量,并颗粒引导其执行QoS和安全策略,如业务意图所定义
- 保持云应用程序定义和TCP/IP地址每天自动最新
- SD-WAN和从单个控制台中的SD-WAN和云提供的安全服务之间的自动编排,以使其变得简单
- Automatically failover to a secondary cloud security enforcement point to avoid any application interruption
- Automatically reconfigure secure connections to cloud security enforcement points if a newer, closer location to the branch becomes available
- 使客户能够以自己的步调采用云安全服务及其SASE实施
- And most importantly, provide the freedom of choice to deploy new security innovations as they become available from any vendor to easily address unknown future threats
相关资源
