Integrating SD-WAN with vCD


SD-WAN is a highly available, well-established, carrier-class solution that facilitates on-demand, seamless and secure connectivity between any two points in a network. It is typically sold as a service with centralized, cloud-hosted orchestration and life-cycle management, and zero-touch deployment for rapid expansion of the service footprint. SD-WAN is a disruptive technology that has the power to transform more than just branch connectivity. This article explains the overall architecture and benefits of integrating SD-WAN solutions into a vCD (vCloud Director) environment from both a provider and a consumer perspective. Please see “why SD-WAN for hybrid cloud” for more information on the benefits of SD-WAN for enabling hybrid / multi-cloud.

Architecture overview

VMware SD-WAN from VeloCloud has three main components: an orchestrator, gateways, and edges / hubs. The orchestrator is a centralized, multi-tenant, cloud-hosted platform that provides role-based access to a single pane of glass for deployment, configuration, life-cycle management and transparency in SD-WAN network operations. The gateway is also multi-tenant and can be deployed and hosted in the cloud and, optionally, in on-premises data centers. It is the primary component of the control plane and facilitates route exchange for the SD-WAN network. The gateway also allows connectivity to legacy data centers that support traditional site-to-site IPsec VPNs. The third component is a software-defined edge that is deployed on dedicated, pre-qualified hardware at the branch site or as software on existing compute / storage resources. The VeloCloud Edge (VCE) is not multi-tenant; it is deployed one per branch, establishes secure management-plane connectivity to the orchestrator and control-plane connectivity to the gateway. It builds on-demand, secure tunnels to other branches and hubs, enforces business policies and is the primary component of the data plane in the SD-WAN network.

In the diagram above, there is one VCE per organization VDC (Org VDC). The VCE terminates tunnels from remote branches and allows secure access to services / assets within the VDC. Remote branches could be other private data centers or public cloud instances such as EC2 on AWS or Azure. The VCE is deployed and managed by the provider / partner north of the Org VDC and does not count against the tenant's quota. SD-WAN is sold as a managed service to the tenants.

Why do it?

SD-WAN is the underlying technology that allows the tenant Org VDC in a publicly hosted vCD environment (VCPP partners) to become part of the customer's digital transformation journey to hybrid / multi-cloud.

What’s in it for the provider / partner?

  • Extend service footprint to remote branches at a reduced cost
    • Build customer loyalty
    • Workload migration
  • Additional revenue stream from existing customer base
    • Branch connectivity and hybrid cloud as a service
    • New service insertion at the branch, such as cloud security and L2/L3 VPNs
  • Invest in your customers’ business outcomes
    • Offer services that are relevant to customer business
  • Seamless integration with public cloud
    • Help customers take advantage of public cloud
    • Seasonal elasticity / backup / disaster recovery
  • Single pane of glass for network management, branch deployment and policy
    • Centralized policy configuration with immediate enforcement at branch sites
    • Rapid zero touch deployment of new sites (matter of hours)

What’s in it for the tenant?

  • Single partner owns both data center and branch connectivity
    • Partner owns both ends of the SLA
    • Single point of contact – no finger pointing
    • Flexibility to migrate workloads to cloud provider or public cloud
  • Network and services are more relevant to their business outcome
    • Appropriate services inserted at the branch
    • Application awareness and prioritization
    • Consistent security policy for both public SaaS and hosted applications
  • Reduced cost for remote connectivity
    • MPLS used only for backup or when SLAs are violated
    • Multiple broadband links for greater bandwidth
  • Better service assurance and availability (Application performance)
    • Brownout detection for service degradation
    • Automatic rerouting of service requests based on monitored KPIs
    • Improved performance of SaaS applications (VoIP / Video calling)