SD-WAN: so many people are talking about it, but many more don’t fully understand what it is. This article is mostly for those of you who know what it is, understand its importance to businesses of every shape and size, and are looking for answers to more technically oriented, application-based questions.

Is this solution entirely cloud-based or is there something physical installed at the branch site?

An SD-WAN appliance must be installed at the branch. The device is called an Edge and is available in several sizes. A virtual software version of the Edge, known as a VNF (Virtual Network Function), is also available to service providers for instantiation on general-purpose virtual CPE (Customer Premises Equipment).

How do I size the appliance at the branch and data center?

There is no limit on Edge sizes: Edges can be installed at branches of every size, as well as at headquarters and data center locations. Edge devices vary in throughput capacity (typically from 30 Mbps to 2000 Mbps) and in tunnel capacity, which is especially important for Edges provisioned at hub sites.

How does this solution support application workloads in the cloud?

In addition to the Edges, which deliver SD-WAN performance, security and ease-of-management benefits between enterprise sites, cloud-hosted Gateways provide the same benefits directly to cloud destinations such as SaaS and IaaS. Edges can use the network of hosted Gateways as a service on a simple subscription basis.

With an SD-WAN solution, does all my traffic have to go through the cloud?

Enterprise site-to-site traffic neither requires nor is typically configured to traverse a cloud Gateway.

Is there a new device that must be installed in the data center for legacy applications?

SD-WAN optimized hybrid access to enterprise data centers is supported by installing an Edge appliance. However, a cloud Gateway may be leveraged to enable branch-to-legacy-data-center connectivity via a standard IPsec tunnel without adding any new device to the data center. SD-WAN service provider partners may also offer Gateway access to an enterprise private backbone, providing access to all existing sites on the network.

Are there any single points of failure? The SDN controller?

There are no single points of failure in the SD-WAN architecture. For the distributed WAN architecture, a hybrid SDN approach offers the benefits of centralized control plane policies, but with distributed local control plane forwarding that uses local real-time knowledge of link conditions for reliability. All data plane functions continue even if communication with the centralized Orchestrator is disrupted. On-site Edges support high availability configurations, and cloud Gateways are redundant with sub-second failover.

Does this replace all private circuits, or must the site have a private line?

SD-WAN provides the flexibility to support hybrid WAN connectivity, combining private with public Internet broadband circuits or pure Internet connected sites. Dynamic Multi-Path Optimization ensures that the different WAN circuits with their performance and capacity are optimally and automatically used to provide assured application performance.

How is application performance assured over best effort broadband links?

Dynamic Multi-Path Optimization includes three critical capabilities for assuring application performance. Continuous monitoring of link performance, including packet loss, latency, jitter and capacity, provides the real-time information needed to protect against brownouts and blackouts.

Dynamic application steering will direct flows on a per application and packet basis across the optimal links. On-demand remediation with error correction and jitter buffering will address degradations that cannot be steered around. The end result is engineered performance even over best effort links.
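The three capabilities described above, modelled as an added example (not NetFortris or vendor code): link probes are reduced to loss, latency and jitter, each link is classified against a per-application objective, and a flow is steered to the best healthy link or, failing that, handed to remediation on the least-degraded one. The application objectives, link names and probe values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Per-application objectives and link preference. Values are assumptions
# for this example, not vendor defaults.
APP_POLICY = {
    "voip": {"max_loss": 1.0, "max_latency": 150.0, "max_jitter": 30.0, "prefer": "latency"},
    "bulk": {"max_loss": 5.0, "max_latency": 400.0, "max_jitter": 100.0, "prefer": "capacity"},
}

@dataclass
class Link:
    """One WAN link with constructed probe results: per-probe latency (ms),
    probes sent and lost, and provisioned capacity (Mbps)."""
    name: str
    latencies_ms: list
    sent: int
    lost: int
    capacity_mbps: float

def measure(link):
    """Continuous monitoring: loss %, mean latency and jitter (latency stdev)."""
    if link.lost >= link.sent:            # nothing answered at all
        return 100.0, float("inf"), float("inf")
    return 100.0 * link.lost / link.sent, mean(link.latencies_ms), pstdev(link.latencies_ms)

def classify(link, policy):
    """blackout = no probe answered; brownout = an objective is violated; else good."""
    loss, lat, jit = measure(link)
    if loss >= 100.0:
        return "blackout"
    if loss > policy["max_loss"] or lat > policy["max_latency"] or jit > policy["max_jitter"]:
        return "brownout"
    return "good"

def steer(links, app):
    """Dynamic application steering. Returns (link name, action): 'steer' onto
    the best good link, 'remediate' (error correction plus jitter buffering)
    on the least lossy brownout link, or 'unreachable' if every link is black."""
    policy = APP_POLICY[app]
    state = {l.name: classify(l, policy) for l in links}
    good = [l for l in links if state[l.name] == "good"]
    if good:
        if policy["prefer"] == "latency":
            return min(good, key=lambda l: measure(l)[1]).name, "steer"
        return max(good, key=lambda l: l.capacity_mbps).name, "steer"
    degraded = [l for l in links if state[l.name] == "brownout"]
    if degraded:
        return min(degraded, key=lambda l: measure(l)[0]).name, "remediate"
    return None, "unreachable"

# Constructed probe data for three links at one branch.
MPLS = Link("mpls", [20, 22, 21, 20], sent=50, lost=0, capacity_mbps=10)
BROADBAND = Link("broadband", [40, 90, 45, 120], sent=50, lost=1, capacity_mbps=100)
LTE = Link("lte", [], sent=50, lost=50, capacity_mbps=20)
```

With these inputs the broadband link is fine for bulk transfer but its jitter puts it in brownout for voice, so the same three links yield different decisions per application.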

If traffic is sent over multiple links won’t the flows arrive out of sequence or be asymmetric?

Path symmetry is maintained throughout the overlay from tunnel entry to exit points. The dynamic multi-path optimization also maintains application sessions and flows, while uniquely steering a single flow on a per-packet basis across multiple links, based on performance and load, by buffering and re-sequencing at tunnel endpoints.
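To make the per-packet steering and re-sequencing described above concrete, here is an added example (not vendor code) of a sender spraying a flow round-robin across two links of different latency and a tunnel-exit reorder buffer restoring sequence order, giving up on a gap once too many packets are waiting. The link latencies, hold limit and payloads are constructed assumptions.

```python
class Resequencer:
    """Tunnel-exit reorder buffer (assumed design, not the vendor's): hands
    packets to the LAN strictly in sequence order, holding out-of-order
    packets until the gap fills or more than `max_hold` are waiting, at
    which point the missing sequence number is declared lost and skipped."""

    def __init__(self, max_hold=4):
        self.expected = 0        # next sequence number to release
        self.pending = {}        # seq -> payload, packets waiting on a gap
        self.max_hold = max_hold
        self.skipped = []        # sequence numbers declared lost

    def receive(self, seq, payload):
        """Accept one packet; return the (seq, payload) pairs now releasable."""
        if seq < self.expected:  # late arrival of an already skipped/released seq
            return []
        self.pending[seq] = payload
        released = []
        while True:
            if self.expected in self.pending:
                released.append((self.expected, self.pending.pop(self.expected)))
                self.expected += 1
            elif len(self.pending) > self.max_hold:
                self.skipped.append(self.expected)  # gap is not filling: move on
                self.expected += 1
            else:
                break
        return released

def spray_and_deliver(payloads, link_latency_ms, pace_ms=1.0):
    """Sender side: per-packet round-robin across links. Returns packets in
    the order they reach the tunnel exit (send time + that link's latency)."""
    arrivals = []
    for seq, payload in enumerate(payloads):
        link = seq % len(link_latency_ms)
        arrivals.append((seq * pace_ms + link_latency_ms[link], seq, payload))
    arrivals.sort()
    return [(seq, payload) for _, seq, payload in arrivals]

def deliver_in_order(payloads, link_latency_ms):
    """Run the out-of-order arrivals through the resequencer; return the
    in-order output and the list of sequence numbers given up on."""
    rs = Resequencer()
    out = []
    for seq, payload in spray_and_deliver(payloads, link_latency_ms):
        out.extend(rs.receive(seq, payload))
    return out, rs.skipped
```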

Is this a hub and spoke architecture or is branch-to-branch traffic supported?

Both hub to spoke and dynamic branch-to-branch traffic with full Dynamic Multi-Path Optimization and VPN features are supported.

Is all my traffic encrypted, including over the private line?

By default, all site-to-site enterprise traffic is uniformly encrypted independent of the underlying transport, while Internet-bound traffic is not. However, with one-click policy adjustments these defaults can be changed.

Can I still use my existing firewalls?

The built-in application-aware firewall can be used, or the Edge can coexist with existing firewalls. In the branch, the Edge would typically be deployed on the WAN side of the firewall and be responsible for the site-to-site VPN. Additionally, the one-click application-aware service chaining capability enables forwarding of traffic to more centralized enterprise regional hubs or cloud provider PoPs for firewall and security services.

How is traffic inserted into the SD-WAN overlay?

Edge devices may be placed inline, for example at small branch sites, to directly receive traffic and forward via various tunnels depending on business policies, as well as application performance objectives. Edges may also be deployed off-path, using standard routing protocols to interact with the underlay routing system to attract selected traffic.

What are the benefits of a cloud-based Orchestrator?

The Orchestrator provides the benefit of centralized control and visibility, all in one GUI, without the need for any device-by-device CLI configuration. Additionally, the Orchestrator is provided as a cloud-based service accessible from any browser-enabled device.

SD-WAN from NetFortris is a fully managed network solution which aggregates and maximizes all bandwidth resources, regardless of access type and size. Mission critical applications get the priority and QoS they need, and can be adjusted at any time. That means your business operations can leverage connected technology to sell and service your customers, partners and employees better, without compromising security, privacy, or control.