SD-WAN Architecture Types + When to Use Them

I’ve spent the last two years studying the different types of SD-WAN technologies, interviewing the providers that offer them, and recommending solutions to our clients based on their unique needs.

In all this research, my team and I have classified three main architecture types: edge, gateway, and POP (point of presence). Of course, things can’t always be this simple. Sometimes a particular technology can be edge-based, but certain providers configure it in a POP model.

Let’s take a step back and start with the basics.

Edge-based SD-WAN Solutions

Edge-based SD-WAN platforms consist of two SD-WAN devices that talk to each other and measure packet loss, latency, jitter, and congestion. This is where SD-WAN started and is the simplest setup to explain, because there aren’t any POPs or gateways to worry about.

Edge-based technologies work really well with MPLS or private line networks. They can utilize the bandwidth on these circuits in the same way as public internet. This means dynamic path selection is possible using MPLS and edge-based SD-WAN.

Where edge-based platforms fall short is when we start talking about SaaS (Software as a Service) applications. Since SD-WAN often relies on a second device to measure packet loss, jitter, etc., edge-based solutions can’t inherently do dynamic path selection for SaaS applications (e.g., UCaaS, Salesforce, O365, etc.).

The best that an edge-based SD-WAN solution can do for SaaS-based applications is QOS at the edge (i.e., prioritizing one application over another at the edge of the WAN). This is also known as traffic shaping.

If your company is using applications hosted in a data center, an edge-based SD-WAN solution will certainly help optimize those. It will also help applications hosted in public cloud (AWS, Azure, Google, etc.), assuming the SD-WAN vendor offers a virtual appliance that can run in the cloud.

There is one major caveat here: Palo Alto Prisma (formerly known as Cloudgenix). This is an edge-based SD-WAN solution that has the unique ability to take round trip measurements and optimize SaaS-based applications. Since Cloudgenix was acquired by Palo Alto, we may see it become gateway- or POP-based in the future, if they choose to further integrate it with Palo Alto’s cloud-based firewall.

Summary: Edge-based SD-WAN solutions are best for clients who are using on-prem applications or applications hosted in public cloud.

Gateway-based SD-WAN Solutions

All SD-WAN platforms start out the same: we need two devices to talk to each other to get measurements of packet loss, jitter, latency, and congestion over two circuits. The difference with gateway-based solutions is that some providers have built out gateways across the globe to act as this second device.

We can think of these gateways as large, multitenant SD-WAN devices deployed into top-tier data centers. These gateways can be used as a steppingstone to SaaS applications. Instead of just QoS at the edge for SaaS apps, companies can now leverage gateways to optimize the majority of the route to the applications they’re accessing. In fact, these gateways are often deployed in the same data centers as major SaaS applications, optimizing traffic from end to end.

Here’s an example of how this works: I’m sitting in Chicago and I want make a phone call, using a UCaaS platform that’s hosted in Ohio.

Scenario 1: With an edge-based SD-WAN platform, I can prioritize my real-time voice and video over any other applications at the edge. Then, I’m relying on my primary Internet circuit to get me from Chicago to Ohio. Unfortunately, if that circuit starts to degrade in the middle of my session, the SD-WAN device doesn’t know that, and it can’t switch over to my backup circuit.

Scenario 2: With a gateway-based SD-WAN platform, my SD-WAN device sets up a VPN tunnel from my office to a gateway closest to me. The traffic between my office and the gateway is completely optimized, meaning if circuit A starts to experience a lot of jitter, my SD-WAN platform will failover to circuit B, and back if needed. And all of that happens while I’m on the phone, without dropping the call.

Now you can see why scenario 2 would be optimal for accessing business-critical SaaS applications within a given region.

Summary: Gateway-based SD-WAN solutions are great for companies who are using a lot of SaaS applications within a country or region.

POP-based SD-WAN solutions

POP-based SD-WAN solutions look a lot like gateway platforms. The main difference is that instead of gateways, we call them POPs because they are connected by a private network backbone.

Gateway = optimized last mile only

POP = optimized last mile and middle mile

Just like the gateway model, POP-based SD-WAN is great for companies that are using a lot of cloud/SaaS applications. POPs serve as a second, multitenant SD-WAN device to help optimize the traffic between the client site and the cloud.

However, they can be great for site-to-site traffic as well. Here’s why:

Often, POP-based SD-WAN providers have deployed these POPs globally which can be a game-changer for global enterprises with a lot of site-to-site traffic. This is because of the middle mile that’s included in most of these platforms.

Instead of the traffic riding the public internet, hitting a gateway, and then continuing on the Internet to wherever the traffic needs to go, the traffic can now hit the closest POP to the starting site and ride the private network backbone (think of this like MPLS) to the POP closest to the destination.

This means that if a user in Europe needs to access an application hosted in the USA, they can use that middle mile to give them the most efficient route possible to get there. This is a common scenario we run into: POP-based solutions are especially valuable globally, between countries or continents, where the Internet backbone is not as reliable.

This is also one of the few instances where SD-WAN can be useful with just one circuit. Even with one circuit, the traffic is optimized over the middle mile, because of the network backbone.

Summary: POP-based SD-WAN solutions are great for clients who are using a lot of SaaS applications and/or have dispersed site-to-site traffic.

–> Read more: Interested in POP-based SD-WAN solutions that include next-gen firewall? That’s called SASE (Secure Access Service Edge) and I have a post that goes into a lot of detail around this technology <–

Edge-based Technologies Deployed as Gateways or POPs

Now that we have a good understanding of the three different types of SD-WAN platforms, I’m going to make it confusing again!

Some providers have deployed edge-based SD-WAN platforms into the cloud, essentially turning them into a gateway- or a POP-based SD-WAN solution. I’ll show specific examples in the next section, but I’ve seen this with Fortinet, Cisco Viptela, and others. These providers have offered a unique solution in a sea of “me too” offerings.

This can be a great solution for companies interested in the features of a particular edge-based platform, but looking for a gateway/POP solution to optimize SaaS.

However, are these as good as native “born in the cloud” options? I could argue both sides. Most of the providers who have done this are carriers, so they have a lot of experience with network deployments and the middle mile they use should be reliable. That said, one could argue that these edge-based technologies simply weren’t built for the cloud.

Are they simply cobbling a solution together or have they built a robust SD-WAN platform that can accommodate an influx of customers, large bandwidth usage, and technology innovation? That might be something to explore with each provider individually.

Specific Technologies and Where They Fall

Here are examples of specific technologies/providers and which architecture bucket they fall in.

Edge-based SD-WAN platforms:

  • Cisco Meraki
  • Cisco Viptela
  • Versa Secure SD-WAN
  • Juniper (128T)
  • Aruba (Silver Peak)
  • Oracle Talari
  • Barracuda
  • Fortinet
  • Palo Alto Prisma (CloudGenix)

Gateway-based SD-WAN platforms:

  • Public VeloCloud (i.e., providers that use VeloCloud’s federated/shared gateways)
  • Citrix

POP-based SD-WAN platforms:

  • Aryaka
  • Cato Networks
  • Masergy
  • Bigleaf Networks
  • Private VeloCloud (i.e., providers who have built their own VeloCloud gateways, on their network backbone: Windstream, Airespring, MetTel, AT&T, etc.)
  • Fortinet deployed by Windstream or GTT
  • Barracuda, Versa, or Cisco Viptela deployed by Nitel