Does a Network Backbone Within an SD-WAN or SASE Solution Really Matter?

POP-Based SD-WAN Architecture Diagram

If you’ve read my article on SD-WAN architecture types, you’ll know that the main difference between a gateway- and POP-based SD-WAN solution is a network backbone connecting the POPs. In that post, I gave a brief description of the scenarios in which this network backbone would be beneficial, but I’ll dive a bit deeper here.

If you haven’t read it yet, I highly suggest starting here: SD-WAN Architecture Types and When to Use Them

I want to give a special thank you to Matt Frederickson, an engineer with Aryaka, for collaborating with me on this post. Aryaka is a POP-based SD-WAN/SASE provider that offers a network backbone. More on that later!

What Is a Network Backbone?

You may have heard of a network backbone, a middle mile, or a private backbone… or all of the above. However we choose to refer to them, within the SD-WAN and SASE space they all mean the same thing: a “private” network between SD-WAN POPs that is typically owned and maintained by the SD-WAN provider.

When speaking with Matt, I asked him to describe, physically, what Aryaka’s network backbone consists of. He explained that it’s a mix of wavelength and Ethernet services, transported on dark or lit fiber, all controlled by Aryaka. They don’t necessarily have to interact with Tier 1 carriers for those services, but they will buy fiber from them when needed.

Different Types of Network Backbones

To the dismay of anyone trying to understand this industry, not all network backbones are the same! In terms of transport, we see two different types:

1. Layer 2 Network Backbone

A layer 2 network backbone is made up of layer 2 transport (e.g., P2P circuits, private lines). This type of backbone is the most costly, but it’s also very efficient and generally has a higher SLA (Service Level Agreement) attached to it. If a provider offers both backbone options, this is the one they would use for critical applications and long-haul (intercontinental) traffic. Because it is a private transport, it is especially useful for getting traffic in and out of Mainland China (bypassing the “Great Firewall”).

2. Layer 3 Network Backbone

A layer 3 network backbone is made up of layer 3 transport (typically, Tier 1 carriers’ Ethernet services) and VPN tunnels from POP to POP. It is much more cost effective than layer 2 and is more widely used across the different SD-WAN providers on the market.

Who Owns the Network Backbone?

Another difference between SD-WAN network backbones is who actually owns the backbone. Most POP-based SD-WAN providers own and operate their own backbone, but some providers who haven’t built one will leverage an existing option by partnering with AWS, Azure, or GCP.

If this distinction is important to you and your organization, this is definitely a question to ask any potential SD-WAN or SASE provider. Generally, it’s preferable to have an SD-WAN/SASE provider that owns and maintains its own network backbone, since it then has more visibility into and control over that backbone.

Benefits of a Network Backbone

The main benefit that comes with deploying an SD-WAN or SASE solution with a network backbone is optimization of long-haul traffic. With a middle mile, traffic flows through fixed, predictable paths instead of relying on “hot potato” routing across the public internet. This can significantly cut down on latency and jitter, especially for cross-country or intercontinental traffic. For example, if a company has users sitting in Europe accessing applications hosted in the US, it should definitely be considering an SD-WAN or SASE solution with a network backbone.

However, even if offices are close together, a network backbone can still be beneficial for remote or traveling employees. Most of these SD-WAN/SASE solutions include some kind of VPN (virtual private network) or ZTNA (zero trust network access) method for connecting to their POPs. This means remote users can access the network and gain the benefits of the middle mile, typically by installing a software client on their end user device. So, if users are traveling across the country or to different continents, they can reach applications by riding the network backbone back to the US, cutting down on latency and giving them a better experience.

Another very specific use case that can benefit from a network backbone is getting traffic in and out of Mainland China. The Chinese government is incredibly strict about traffic being sent in and out of the country. Deploying a private network can help companies completely bypass China’s Great Firewall. Many customers use an MPLS or P2P circuit to a location in Hong Kong or another nearby region. However, a network backbone within an SD-WAN solution can help with this as well. A few of our POP-based SD-WAN providers have POPs in Mainland China. Traffic leaving China will hit that POP, ride the private backbone to a POP outside of China, and then continue on to wherever it needs to go.

During my conversation with Matt, he also mentioned that a lot of Aryaka customers are seeing a reduction in data transfer costs from public cloud environments (e.g., AWS, Azure, etc.). He said that because Aryaka does compression and deduplication (i.e., WAN Optimization) on their layer 2 network backbone in addition to offering dedicated connections into public cloud, customers will often see better performance, increased security, and lower egress fees.

When It Might NOT Make Sense

Like any technology, a network backbone isn’t necessary for every company. If all of a company’s locations are regionalized, its applications are onsite or close by, and its users are all in the office, a network backbone isn’t going to do much for it.

If there’s one thing to take away from this article, it’s to think of a network backbone as a bridge between dispersed sites, applications, and/or people. If a company’s locations, resources, and/or employees are spread out, there’s a good chance a network backbone can help improve the end user experience.

SD-WAN and SASE Technologies and Providers that Offer a Network Backbone

I invited Aryaka to collaborate on this article with me because their network backbone is a huge differentiator for them. They give customers the choice between a layer 2 or layer 3 backbone depending on the use case. They also run WAN optimization over their layer 2 backbone, which is part of the reason their clients see lower ingress/egress fees with public cloud. In addition to offering a POP-based SD-WAN solution, Aryaka has security built into their POPs. Right now that includes Secure Web Gateway (SWG), and they are continuing to build out this cloud-based security stack.

Not sure what SWG is, or if it’s for you? Check out this post about the features of SASE and who can benefit from them!

Here are several examples of other providers offering a network backbone within SD-WAN/SASE:

  • Cato
  • Palo Alto
  • Cloudflare
  • Open Systems
  • Bigleaf
  • Nitel (with Cisco, Versa, and Barracuda)
  • AT&T (with VMware VeloCloud)
  • Windstream (with VMware VeloCloud and Fortinet)
  • Masergy (with Fortinet)
  • CommandLink (with Versa)
  • TPx (with VMware VeloCloud)
  • Airespring (with VMware VeloCloud)
  • ConsoleConnect (with VMware VeloCloud and Fortinet)
  • GTT (with VMware VeloCloud)
  • Lingo (with VMware VeloCloud)
  • MetTel (with VMware VeloCloud)
  • Sangoma (with VMware VeloCloud)