Putting tech to the test: Where SD-WAN falls short

In the first of a series of articles highlighting where tech is failing to make the grade, Galeal Zino, CEO at NetFoundry, sets his sights on SD-WAN. Can the much-vaunted networking tech bridge the growing divide between networking and application needs?

SD-WAN does its job – it connects WAN sites to other WAN sites extremely well. So, why are there increasing concerns about SD-WAN, namely security problemshigher than expected costs and complexity?

Companies such as Netflix and Walmart can deploy code thousands of times per day. Thousands of times per day! How can we accurately update our network configurations and firewalls thousands of times per day? How can we instantly provision private circuits and SD-WAN CPE from IoT to cloud, and everything in between?

This is the mismatch. We are moving towards agile, cloud-native, DevOps automated continuous development and deployment, while the network still relies on manual configurations, siloed, separated groups and slow provisioning processes.

Connectivity-as-Code

We need to run our apps anywhere– across Internet, edges, clouds, service meshes, mobile user and IoT devices — in a programmable, automated manner. We need to enable developers and apps to programmatically define the networking and security they need. We need ‘Connectivity-as-Code’.

Connectivity-as-Code is the natural next step after the success of Infrastructure-as-Code (IaC). Just as IaC relieves developers from underlying infrastructure considerations (e.g. bare metal, virtualised or containerised), Connectivity-as-Code abstracts developers, DevOps and cloud architects from underlying networks (Internet, SD-WAN, MPLS-WAN). Just as IaC addressed speed and agility (enabling continuous deployment), reduced costs and decreased the security risks of manual configurations, Connectivity-as-Code will enable developers to automate the deployment of secure-by-design apps, without requiring expensive hardware, circuits or VPNs.

In a nutshell, Connectivity-as-Code helps underlying networks (such as SD-WANs) avoid falling short of expectations. The WAN focuses on its job — connecting sites — while the apps become inherently secure, reliable and automated over any WAN or Internet connection.

The emergence of DevSecOps

Just as Connectivity-as-Code is the follow-up to Infrastructure-as-Code, DevSecOps is the follow-up to DevOps. In the words of Red Hat, DevSecOps focuses on thinking about application and infrastructure security from the start of the dev process.

To enable DevSecOps architectures, we need Connectivity-as-Code and application-specific networking to enable developers, administrators and architects to programmatically define the networking and security they need from the start. Connectivity becomes part of the solution, rather than causing deployment and delivery cycles to rewind back to the long cycles of monolithic applications, private data centres and firewall rules.

Spin up connections in minutes via tools such as Jenkins, Kubernetes, Terraform

The litmus test of Connectivity-as-Code and DevSecOps is agility, speed and automation.  NetFoundry enables you to use your DevOps or cloud orchestration tool of choice to also spin up zero trust, high-performance connectivity over any Internet or WAN.

We can now embed connectivity inside CI/CD pipelines. This connectivity can be as ephemeral as your test environment, if that’s what’s required. Yes, spin up and down secure connectivity to your environment or app, automatically, without VPNs, bastion hosts or MPLS circuits.

 

Watch here as Naomi, an IBM Watson Voice robot, talks with NetFoundry APIs via voice commands in order to instantly grant and remove secure access between an IoT environment and its analytics application, based on IAM and business policies. Forget about speech-to-text! This is speech-driven, automated zero trust (least privileged access, software-defined perimeter) connectivity.

Remember the mismatch between continuous development and deployment, and the configurations, processes, provisioning and multiple teams required for SD-WAN to try to keep pace? NetFoundry and other Connectivity-as-Code solutions bridge the gap. Talk to Naomi instead of trying to match your firewall rules and cloud connectivity to your rapidly changing, massively distributed, DevSecOps paradigm application environment. You can now innovate with connectivity the same way you can innovate with applications.

Edge innovation

Our need to innovate with software and applications continues to skyrocket. Businesses will win or lose based on software innovation and agility. In order to prevent the underlying infrastructure and networks from being barriers to this innovation, we need to abstract our teams from the complexities and differences of the underlying infrastructure (Infrastructure-as-Code) and networks (Connectivity-as-Code).

At the same time, we need to ensure security (secure-by-design, zero trust security frameworks), reliability and performance, across clouds, service meshes, Internets and WANs. This is why SD-WAN is suddenly falling short – not because it isn’t doing a good job connecting sites, but because it is the apps — end-to-end and programmatically — which now need to control the network.

Developers and architects in DevOps and DevSecOps teams can now programmatically define what the network needs to deliver, rather than be constrained by what has been pre-provisioned on a network, or rely on the network itself to provide security, reliability or performance.

Organisations get centralised visibility and control of all application connections, regardless of what WANs or clouds they traverse, while the edge innovators in those organisations are free to use their existing DevOps, application and service mesh orchestration tools to meet their connectivity needs. Control is managed by software, rather than the handcuffs of proprietary networking, manual configuration, private circuits and separated teams.