Application-Aware Routing, Dual-Path Resilience & Cloud-Ready WAN
SD-WAN (Software-Defined Wide Area Network) replaces static, router-by-router configs with centralized policy and application-aware path selection. It steers each flow over the best available underlay (fiber DIA, MPLS, fixed wireless, LTE/5G, satellite) based on loss, latency, jitter, and business intent—with sub-second failover and deep observability.
Where SD-WAN fits in the SolveForce model:
🌐 Connectivity (Grammar) → Connectivity • 🖧 Fabric → Networks & Data Centers
☁️ Cloud (Syntax) → Cloud • 🔒 Security (Semantics) → Cybersecurity • 🧠 Decision Layer → SolveForce AI
🎯 Outcomes (What SD-WAN Delivers)
- Dual-/multi-path resilience — instant steer/failover across fiber + wireless + 5G + MPLS.
- Better app experience — per-application SLOs (loss/latency/jitter) with brownout detection.
- Cloud-ready edges — local Internet breakout to SaaS/IaaS with policy, or hub-and-spoke if required.
- Faster changes — push policies from a controller; zero-touch provision (ZTP) new sites in minutes.
- Proof — per-app dashboards, SLO compliance, change/audit trails, and carrier ticket evidence.
🧭 When to Use SD-WAN (and When Not)
Use SD-WAN when you need:
- Active-active paths (fiber + fixed wireless/5G/satellite) and loss-aware steering.
- Local Internet breakout for SaaS (M365, Salesforce) while keeping governance.
- Cloud on-ramps (AWS Direct Connect / Azure ExpressRoute / Google Interconnect) with policy control. → Direct Connect
- Rapid scale — dozens/hundreds of sites with consistent config and ZTP.
Pair with / Consider
- MPLS (Multiprotocol Label Switching) where regulated or L3VPN contracts are required, often as an underlay alongside Internet. → MPLS
- SASE (Secure Access Service Edge) if you want the security stack (SWG, CASB, FWaaS, ZTNA) delivered from the cloud next to SD-WAN. → SASE
🧱 Architecture (The Pieces)
- Controller / Orchestrator — central brain for policy, inventory, ZTP, and upgrades.
- SD-WAN Edges — CPE at branches/DCs/cloud (virtual or physical).
- Underlays — Fiber DIA → Fiber Internet, MPLS → MPLS, Fixed Wireless → Fixed Wireless, LTE/5G → Mobile Connectivity, Satellite → Satellite Internet.
- Service Chains — route a flow through NGFW, IDS/IPS, DLP, or ZTNA (on-box or cloud security). → Cybersecurity
Common topologies
- Hub-and-Spoke (simple, central services)
- Partial/Fully Mesh (low-latency site-to-site)
- Regional Hubs (cloud/on-ramp locality)
- Cloud Edge (vEdge in VPC/VNet with BGP to TGW/ER/Cloud Router) → Cloud
🧠 Policy Model (Intent → Action)
- App ID / DPI (Deep Packet Inspection) — recognize apps (SaaS/IaaS/VoIP) even if ports change.
- Per-App SLOs — e.g., “Teams: loss ≤ 0.1%, jitter ≤ 15% of latency, latency ≤ 80 ms.”
- Brownout vs. Blackout — detect degradation (brownout) and shift before a hard down (blackout).
- Cost/Path Bias — prefer low-cost Internet until SLA breach, then escalate to MPLS/secondary.
- QoS / Queues — prioritize voice/real-time; police bulk/backups to off-hours.
- Path Conditioning — FEC (Forward Error Correction), packet duplication for voice, jitter buffers.
Policies are versioned and pushed; each change is auditable and roll-backable via the controller and ITSM.
📐 Transport Classes & Path Steering (SolveForce SLO Guardrails)
| Class | Typical Underlays | One-Way Latency | Jitter Target | Loss Target | Notes |
|---|---|---|---|---|---|
| A | Metro fiber, wavelength | ≤ 2–5 ms | ≤ 15% of latency | < 0.1% | DC/DCI, voice, trading |
| B | Regional DIA/MPLS | ≤ 15–35 ms | ≤ 15% of latency | < 0.1% | General enterprise |
| C | Continental/global DIA (+ CDN/Anycast) | ≤ 80–120 ms | ≤ 15% of latency | < 0.1% | Global SaaS/API |
| D | LEO/GEO satellite, remote | variable | engineered per link | engineered per link | Remote/backup |
SD-WAN edges continuously measure these and steer per flow. Violations generate evidence for the NOC and—if carrier-related—open tickets. → NOC Services • Circuit Monitoring
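The per-app SLO, brownout/blackout and cost-bias rules from the policy model, together with the guardrail idea above, worked as a small steering loop. This is an added illustration, not SolveForce's or any vendor's controller code: the path probes and cost ranks are constructed sample data, the "least-lossy brownout path" fallback is an assumption, and the Teams thresholds are the ones quoted in the policy model.

```python
from dataclasses import dataclass

@dataclass
class PathStats:          # probe results for one underlay (constructed sample data)
    name: str
    up: bool
    latency_ms: float     # one-way latency
    jitter_ms: float
    loss_pct: float
    cost_rank: int        # lower = cheaper; preferred until an SLO breach

@dataclass
class AppSLO:             # per-app SLO: latency ceiling, jitter as a fraction of latency, loss ceiling
    max_latency_ms: float
    max_jitter_frac: float
    max_loss_pct: float

def path_status(p: PathStats, slo: AppSLO) -> str:
    """'blackout' if hard down, 'brownout' if any SLO term is breached, else 'good'."""
    if not p.up:
        return "blackout"
    breached = (p.latency_ms > slo.max_latency_ms
                or p.jitter_ms > slo.max_jitter_frac * p.latency_ms
                or p.loss_pct > slo.max_loss_pct)
    return "brownout" if breached else "good"

def steer(paths: list, slo: AppSLO) -> tuple:
    """Cost bias: cheapest 'good' path wins; if all are degraded, take the least-lossy
    brownout path (assumed fallback rule); if every path is blackout, return (None, 'blackout')."""
    buckets = {"good": [], "brownout": [], "blackout": []}
    for p in paths:
        buckets[path_status(p, slo)].append(p)
    if buckets["good"]:
        return min(buckets["good"], key=lambda p: p.cost_rank).name, "good"
    if buckets["brownout"]:
        return min(buckets["brownout"], key=lambda p: (p.loss_pct, p.latency_ms)).name, "brownout"
    return None, "blackout"

# Teams SLO from the policy model: loss <= 0.1%, jitter <= 15% of latency, latency <= 80 ms
TEAMS = AppSLO(max_latency_ms=80, max_jitter_frac=0.15, max_loss_pct=0.1)

def demo() -> list:
    # Three constructed probe rounds: all healthy; fiber lossy; fiber down plus jittery wireless
    fiber = PathStats("fiber-dia", True, 12.0, 1.0, 0.02, cost_rank=1)
    wireless = PathStats("fixed-wireless", True, 30.0, 3.0, 0.05, cost_rank=2)
    mpls = PathStats("mpls", True, 20.0, 2.0, 0.01, cost_rank=3)
    fiber_lossy = PathStats("fiber-dia", True, 12.0, 1.0, 0.4, cost_rank=1)   # loss > 0.1%
    fiber_down = PathStats("fiber-dia", False, 0.0, 0.0, 100.0, cost_rank=1)
    wireless_jittery = PathStats("fixed-wireless", True, 30.0, 8.0, 0.05, cost_rank=2)  # 8 > 4.5 ms
    return [steer([fiber, wireless, mpls], TEAMS),
            steer([fiber_lossy, wireless, mpls], TEAMS),
            steer([fiber_down, wireless_jittery, mpls], TEAMS)]
```

Each steering decision also yields the status that triggered it, which is the per-flow evidence a NOC dashboard or carrier ticket would record.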
🔒 Security Interlock (SD-WAN + SASE)
- SASE = SD-WAN transport + cloud-delivered security (SWG, CASB, FWaaS, ZTNA).
- ZTNA (Zero Trust Network Access) — per-app, per-session identity; replaces flat VPNs. → ZTNA • Zero Trust
- Segmentation — VRFs per business unit; microsegmentation for crown-jewel apps in DC/cloud. → Microsegmentation
- Crypto — IPsec tunnels/DTLS; MACsec on L2; TLS for SaaS with DLP/ATP. → Encryption
☁️ Cloud & On-Ramps (Design Patterns)
- Local Internet Breakout — SaaS direct from branch; enforce SWG/DLP/SSL inspection via SASE.
- Regional Hubs — break out near AWS/Azure/GCP regions for low-jitter SaaS/API. → Direct Connect
- Cloud vEdges — deploy virtual edge in VPC/VNet; BGP to Transit Gateway / ER Gateway / Cloud Router.
- Anycast Front Doors — publish the same VIP from multiple hubs for “closest healthy” entry. → BGP Management
🔭 Observability & Evidence (Prove It)
- Per-app SLO dashboards — latency/jitter/loss by app & site; “good/brownout/blackout” status.
- Underlay health — path loss, optical dBm, flaps, provider POP issues.
- Overlay health — tunnel SLA, packet dup/FEC stats, QoE for voice/video.
- Change audits — who changed what, when; success/rollback events.
- Exports — logs/metrics to SIEM/observability for correlation and long-term proof. → SIEM / SOAR
🛠️ Integration Cheatsheet
- Routing — BGP/OSPF redistribution; default-originate; PBR for edge cases. → BGP Management
- DNS — split-horizon for SaaS; Anycast VIPs for APIs.
- WAN Opt / Caching — only where needed; SD-WAN pathing usually beats legacy compression.
- NTP/PTP — keep clocks sane for logs and voice; over-the-top GPS at hubs if required.
- ZTP — ship edge, plug power/links; phone-home to controller; auto-join policy.
🧪 Reference Designs (By Outcome)
A) Resilient Branch (Voice + SaaS)
- Underlays: Fiber DIA + Fixed Wireless; optional LTE/5G tertiary.
- Policy: voice loss ≤ 0.1% → duplicate packets; Teams/Zoom jitter ≤ 15% of latency; SaaS local breakout.
- Security: SASE SWG + CASB; ZTNA for admin apps.
B) Cloud-First Enterprise
- Hubs in colo with Direct Connect/ExpressRoute/Interconnect; branches steer cloud apps to nearest hub.
- Anycast APIs; BGP communities mark “golden” routes; MACsec on L2. → Colocation • Direct Connect
C) Remote / Harsh Links (LEO/GEO)
- Policy favors FEC + jitter buffers; downgrades video to audio on sustained Class-D breach; store-and-forward for bulk.
🧾 Commercials & Licensing (What Drives Cost)
- Edge count & bandwidth tiers; throughput licensing per device or pool.
- Security bundle (SASE/SSE) add-ons (SWG, CASB, FWaaS, ZTNA).
- Controller (cloud/SaaS vs. on-prem) and analytics retention.
- Underlays — DIA/MPLS/wireless contracts, cross-connects in colo. → Colocation • Fiber Internet
✅ Implementation Checklist (No Surprises)
- Inventory & address plan — sites, subnets, IPv4/IPv6 overlaps; target SLOs by app.
- Underlays — primary fiber; secondary fixed wireless/5G; tertiary satellite if remote. → Fixed Wireless • Mobile Connectivity • Satellite Internet
- Policy — app catalog, per-app SLOs, cost/route bias, packet dup/FEC rules.
- Security — ZTNA groups, SWG categories, DLP rules, microsegments. → ZTNA • Microsegmentation
- Cloud — hubs and/or vEdges; on-ramp circuits; BGP policy. → Direct Connect
- ZTP & change — staging images, controller templates, maintenance windows.
- Observability — synthetics, packet loss maps, SIEM/SOAR hooks. → SIEM / SOAR
- Runbooks — brownout thresholds, carrier escalation, rollback, and RCAs. → NOC Services
🔄 Where SD-WAN Fits (Recursive View)
1) Grammar — controls flows across Connectivity underlays.
2) Syntax — optimizes paths to Cloud and data centers.
3) Semantics — enforces identity/inspection with Cybersecurity / SASE.
4) Pragmatics — signals drive SolveForce AI for prediction/auto-tuning.
5) Foundation — coherent terms under Primacy of Language.
6) Map — indexed across the SolveForce Codex & Knowledge Hub.
📞 Design an SD-WAN You Can Prove
Related pages:
Connectivity • Networks & Data Centers • Cloud • Cybersecurity • SASE • ZTNA • Direct Connect • BGP Management • NOC Services • Circuit Monitoring • Knowledge Hub