Simplify Complex WAN Operations With Next-Gen SD-WAN

Sponsored Blog Posts

This guest post is by Mike Korenbaum, Sr Manager Technical Marketing at Palo Alto Networks. We thank Palo Alto Networks for being a sponsor.


SD-WAN came to market to improve branch and remote office connectivity and application performance by bonding multiple WAN links such as MPLS, broadband Internet, and LTE and sending traffic over the best-performing option. With SD-WAN, organizations can set and enforce WAN policies based on application type and performance requirements.

These benefits are core to SD-WAN, but they aren’t the only ones. SD-WAN can help simplify customers’ complex WAN networks. Palo Alto Networks Prisma SD-WAN embraces automation to let you scale network operations at the speed of business, eases your migration from legacy WANs, and simplifies network troubleshooting.

Automating Operations For Scale And Speed

Automation is critical for a large-scale WAN architecture. It also enables the network to respond quickly to business demands. Prisma SD-WAN was designed from the beginning with a robust API framework to facilitate automation.

This isn’t just a checkbox on a marketing slick: Prisma SD-WAN uses its own APIs to program and configure Prisma SD-WAN ION devices at branch and remote offices. This sets Prisma SD-WAN apart from other SD-WAN platforms that adopted device-centric, CLI-driven configuration models. The API framework enables the controller to scale out to thousands of ION devices. Moreover, an API programmable application flow ensures the best decisions for application traffic without complex overlay routing protocols used by many other vendors.

CloudBlades: Your Automation Swiss Army Knife

Prisma SD-WAN also leverages APIs to integrate with third-party tools and applications via its CloudBlades platform, an API abstraction layer that is cloud-delivered to enable seamless integration with third-party software including commercial software, SaaS applications, and public cloud services.

This abstraction layer allows CloudBlades to run as individual applications that leverage the available APIs. Customers can select and deploy a CloudBlade just as they would add a new app to a smartphone. It also lets Prisma SD-WAN developers create new CloudBlades for new services and use cases, and enhance existing CloudBlades, without requiring an update to the controller or ION device software. This significantly reduces the operational burden for customers.

Simplifying Multi-Cloud Connectivity

Prisma SD-WAN offers CloudBlades that streamline the deployment of SD-WAN with public clouds. More and more enterprises are developing and deploying public cloud applications for better performance delivery, so companies need the ability to quickly connect branches and end users to these applications.

CloudBlades are available for top cloud providers such as AWS and Google Cloud. These CloudBlades simplify connectivity to these public clouds by automating complex VPC peering operations otherwise done manually. For example, after setting a few basic parameters in the Prisma SD-WAN controller, the CloudBlade for Cloud Gateway Connect automatically deploys Connect VPCs to the specified regions, deploys vION virtual appliances, and configures the connections between the Transit Gateway Connect and each virtual appliance.

In other words, Prisma SD-WAN customers can deploy SD-WAN as a public cloud on-ramp in just a few clicks and extend their SD-WAN fabric to the cloud. Granular business policies ensure that network and application traffic are directed to the appropriate sites, and customers get enhanced visibility into application and network performance to the public cloud.

Smarter Segmentation

Prisma SD-WAN also facilitates the automation of network segmentation, which is essential for companies that have to connect hundreds or thousands of sites.

For example, you might have a policy that says Branch A should never connect to Branch B, except for one or two specific applications. Those one or two exceptions are where the headaches start. You can set up VRF instances in routers at each branch, and then specify the IP addresses that are allowed to communicate with each other.

That’s straightforward enough if you’ve got a handful of sites, but the complexity grows exponentially as you add more sites and policies. Documenting all these configurations and handling updates and changes requires a lot of engineering time and effort. Human error can lead to broken connections, hampered productivity, and lost business.

Prisma SD-WAN enables fine-grained connectivity by letting engineers tie application policies to specific network segments and device locations rather than to routing tables and IP addresses. Prisma SD-WAN is application-aware, meaning that branch devices can apply fine-grained policies to specific applications rather than ports and protocols.

Ease Your SD-WAN Migration

As companies deploy SD-WAN, they’ll go through a transition period where some branches and sites are upgraded to SD-WAN and others aren’t. Prisma SD-WAN can help organizations manage this dual mode of operation to ensure that the business continues to run while also speeding the eventual switchover to a fully SD-WAN environment.

For example, customers can continue to use their existing underlay networks at branch and remote sites. The Prisma SD-WAN ION devices support advanced routing protocols, enabling communication with routers and network devices that aren’t yet incorporated into the SD-WAN mesh.

In addition, Prisma SD-WAN supports private links such as MPLS, providing the flexibility to augment them with Internet broadband and gradually migrate to Internet-only deployments, or to retain hybrid WAN transports based on policy or SLA requirements.

As organizations switch on SD-WAN in their branch and remote sites, Prisma SD-WAN automates the creation of the overlay. This is a bigger deal than you might think at first glance; creating a fabric that incorporates hundreds or thousands of sites would be a monstrous task to manage via individual configuration.

In addition, the SD-WAN controller handles key management and key rotation for the overlay tunnels. The controller automates key rotation every hour by default, ensuring robust security. Note that the controller doesn’t store keys; it shares seeding information with the ION devices, but the devices themselves derive unique keys per tunnel based on this seeding. This provides robust defense for critical encryption and authentication while keeping the overlays alive even if devices lose connectivity to the controller for an extended period of time.
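To make the seed-based scheme concrete, here is an added illustration (not Prisma SD-WAN's actual code or key schedule) of how two endpoints that share only a seed can independently derive a distinct key per tunnel and rotate it on an hourly epoch with no further input from a controller. The HKDF construction, the `sdwan-overlay-v1` label, the site names and the sample seed are all assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

ROTATION_SECONDS = 3600  # hourly rotation, matching the default described above

# Constructed demo seed; in practice this would be the controller-distributed seeding material
SAMPLE_SEED = hashlib.sha256(b"constructed demo seed - not a real secret").digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def epoch_for(timestamp: int) -> int:
    """Rotation epoch: every ROTATION_SECONDS a new epoch begins, so keys change hourly."""
    return timestamp // ROTATION_SECONDS


def derive_tunnel_key(seed: bytes, site_a: str, site_b: str, timestamp: int) -> bytes:
    """Derive a 256-bit per-tunnel key from the shared seed, the tunnel endpoints and the epoch.

    Sorting the endpoint names lets both sides of the tunnel compute the same label
    regardless of which side initiates. The epoch in the info string means a device
    that loses controller connectivity still rotates on schedule from the seed alone.
    """
    endpoints = "|".join(sorted((site_a, site_b)))
    prk = hkdf_extract(b"sdwan-overlay-v1", seed)  # hypothetical domain-separation label
    info = endpoints.encode() + struct.pack(">Q", epoch_for(timestamp))
    return hkdf_expand(prk, info)
```

Because each key is bound to the tunnel endpoints and the epoch, compromise of one tunnel's key neither reveals the seed nor the keys of other tunnels or later hours, which is the separation property the post's scheme is after.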

The controller also automates routing operations that allow seamless convergence across a distributed infrastructure. This includes micro-configurations that are required for routing protocol fundamentals such as route aggregation, distribution, and route leaks. These are normally done as CLI configs in legacy networks and other SD-WAN solutions.

Simplified Troubleshooting

SD-WAN can help network engineers troubleshoot because it provides clear visibility into application use and continuously measures link performance.

When a user complains the network is slow, engineers can quickly summon useful information, including application flows, round trip times, TCP initialization failure rates, out-of-order packets, ping and traceroute results, and other statistics. These data points help engineers identify the application or service being impacted and provide relevant information on specific links that can steer them in the correct direction.

What’s more, because Prisma SD-WAN can collect data on essential application performance metrics such as server response times, engineers can prove that a problem isn’t the network’s fault. Faster mean-time-to-innocence, backed up by data, can save engineers much of the intramural headaches that surround a typical troubleshooting incident.

Prisma SD-WAN extends its troubleshooting capabilities with event correlation powered by machine learning and artificial intelligence. Palo Alto Networks built a data lake of metadata collected from customers’ cloud-based controllers. This benefits every Prisma SD-WAN customer because the larger the data set, the better Palo Alto Networks can train and refine its machine learning models.

In practice, the correlation engine, which is powered by AIOps, means that a network engineer doesn’t have to sort through reams of events and alarms typically generated by traditional network management systems. Instead, Prisma SD-WAN can correlate alarms and events to help engineers quickly identify the root cause of a problem.

Additionally, engineers can configure the correlation engine regarding how alerts are sent, including how many and how often, the severity, and for specific applications, services, and protocols.

Lastly, Prisma SD-WAN integrates with ITSM applications such as ServiceNow to fully automate incident management and enable a digital IT workflow using the ServiceNow Integration CloudBlades. Rather than forcing engineers to dig through multiple tickets, the troubleshooting process is streamlined because Prisma SD-WAN can identify the failure type, provide the relevant data in a ticket, and ensure the right team gets notified.

Once an event is addressed in the SD-WAN controller, tickets can be cleared automatically. This saves engineer time and closes the troubleshooting loop.

Change Management

As WANs grow in size, change management at speed becomes an issue. In Prisma SD-WAN’s architecture, the cloud-based controller serves as the source of truth for every SD-WAN device in the network.

When a new device comes online, it connects to the controller securely via APIs to download its configuration. While engineers can fine-tune individual configurations if they choose, this automated deployment means organizations can bring dozens or even hundreds of sites online per day.

As mentioned above, all changes are made via the controller, which means there’s no need to rectify potential differences between the actual configuration on a local device and what an engineer assumes the configuration to be. Because all configs go through the controller, diffs and changes are centrally managed, eliminating questions about known-good device states.

Engineers can also save time by using the Prisma SD-WAN controller to provision configurations for similar groups of devices simultaneously (i.e., one configuration for branch offices, a second for warehouses, and a third for retail sites) rather than touching devices one at a time.

A Better Way To WAN

Prisma SD-WAN provides benefits beyond improved connectivity and application-based policy enforcement. Customers can simplify the operation of complex WANs, scale up deployments, and troubleshoot faster.

Find out more in the Top 10 Considerations for Your Next-Gen SD-WAN whitepaper.