SD-WAN Architecture: Overlay, Underlay, Application-Aware Routing, SASE and Migration
SD-WAN (Software-Defined Wide Area Network) moves WAN management from hardware-centric to software-defined. The Overlay builds a virtual network on top of the physical links; the Underlay is the transport underneath it (MPLS, Internet, LTE); Application-Aware Routing selects a path according to each application's requirements; SASE combines SD-WAN with security as a cloud-delivered service; and Migration is the plan for moving from a traditional WAN to SD-WAN.
A traditional WAN uses expensive MPLS ($500-2000/Mbps/month) for every application: video conferencing, email and backups all share the same link. SD-WAN uses multiple transports (MPLS + broadband + LTE) and routes each application to the path that suits it → critical apps go to MPLS, bulk traffic goes to broadband → WAN cost drops 50-70% while performance improves.
SD-WAN vs Traditional WAN
| Feature | Traditional WAN | SD-WAN |
|---|---|---|
| Transport | MPLS (single, expensive) | Multiple (MPLS + Internet + LTE/5G) |
| Routing | Destination-based (shortest path) | Application-aware (best path per app) |
| Management | Per-device CLI (box-by-box) | Centralized controller (single pane of glass) |
| Deployment | Weeks to months (MPLS provisioning) | Hours to days (zero-touch provisioning) |
| Cost | High (MPLS premium) | 50-70% cheaper (augment/replace MPLS with broadband) |
| Cloud Access | Backhaul to the data center → cloud (hairpin) | Direct internet breakout at the branch → cloud (optimal) |
| Visibility | Limited (SNMP, basic counters) | Deep application visibility + analytics |
SD-WAN Components
| Component | Role |
|---|---|
| vEdge / Edge Device | CPE at the branch: builds overlay tunnels, enforces policies, DPI |
| Controller (Orchestrator) | Centralized management: pushes policies, monitoring, analytics |
| vManage | Management plane: GUI/API for configuration, monitoring, troubleshooting |
| vSmart | Control plane: distributes routing and policies to the edges |
| vBond | Orchestration plane: authenticates and onboards new edges (zero-touch) |
Overlay and Underlay
| Layer | Description | Examples |
|---|---|---|
| Underlay | Physical transport that actually carries the traffic | MPLS, broadband internet, DIA, LTE/5G, satellite |
| Overlay | Virtual tunnels built on top of the underlay (encrypted) | IPsec tunnels, GRE, VXLAN between SD-WAN edges (GRE and VXLAN carry no encryption on their own unless wrapped in IPsec) |
| Abstraction | SD-WAN abstracts the underlay → applications see only the overlay | The app does not know whether its traffic goes over MPLS or the internet |
| Multi-Transport | The overlay uses several underlays at the same time | Active-active: load balance across MPLS + internet |
Application-Aware Routing
| Feature | How |
|---|---|
| DPI (Deep Packet Inspection) | Identifies the application (Zoom, Teams, SAP, YouTube) from the first packets |
| SLA Monitoring | Measures latency, jitter and packet loss of every path in real time |
| Policy-Based Routing | Maps application → SLA requirement → best path (e.g., Zoom → latency < 50 ms → MPLS) |
| Dynamic Path Switching | If the primary path degrades, switches to the backup path automatically (sub-second) |
| QoS | Prioritizes critical apps, queue management per application class |
| FEC (Forward Error Correction) | Adds redundant packets → recovers from packet loss without retransmission |
| Packet Duplication | Sends the same packet on multiple paths → guaranteed delivery for critical apps |
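As an added example (not code from this page or from any SD-WAN vendor), the Python below models the Policy-Based Routing and Dynamic Path Switching rows: the DPI result is reduced to an app name, each app maps to an SLA class with a preferred transport, and the decision is recomputed from the latest probe results, so a degraded MPLS path makes real-time apps fail over to broadband. SLA_CLASSES, APP_CLASS and all probe values are constructed sample data, not any vendor's defaults.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PathStats:
    """Latest probe results for one underlay path (constructed sample values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int  # 1 = cheapest transport

# SLA classes: thresholds an app class must get, plus the transport it prefers
# when more than one path complies (constructed values, not any vendor's defaults)
SLA_CLASSES = {
    "realtime": {"latency_ms": 50, "jitter_ms": 10, "loss_pct": 1.0, "prefer": "mpls"},
    "business": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 2.0, "prefer": None},
    "bulk": {"latency_ms": 500, "jitter_ms": 100, "loss_pct": 5.0, "prefer": None},
}
# DPI result (application name) -> SLA class (constructed mapping)
APP_CLASS = {"zoom": "realtime", "teams": "realtime", "sap": "business", "backup": "bulk"}

def meets_sla(path: PathStats, sla: dict) -> bool:
    """True when measured latency, jitter and loss are all within the class thresholds."""
    return (path.latency_ms <= sla["latency_ms"]
            and path.jitter_ms <= sla["jitter_ms"]
            and path.loss_pct <= sla["loss_pct"])

def select_path(app: str, paths: list) -> PathStats:
    """Preferred transport if it meets the SLA, else the cheapest compliant path,
    else best effort (lowest loss, then lowest latency) when no path complies."""
    sla = SLA_CLASSES[APP_CLASS.get(app, "bulk")]  # unknown apps are treated as bulk
    compliant = [p for p in paths if meets_sla(p, sla)]
    for p in compliant:
        if p.name == sla["prefer"]:
            return p
    if compliant:
        return min(compliant, key=lambda p: p.cost_rank)
    return min(paths, key=lambda p: (p.loss_pct, p.latency_ms))

def route_table(paths: list) -> dict:
    """App -> transport decisions; an edge recomputes this on every probe update."""
    return {app: select_path(app, paths).name for app in APP_CLASS}

# Constructed probe snapshot: MPLS, broadband and LTE all healthy
PATHS = [PathStats("mpls", 30, 5, 0.1, 3), PathStats("broadband", 40, 8, 0.2, 1),
         PathStats("lte", 80, 25, 1.5, 2)]
# Same snapshot after MPLS starts losing 3% of probes: real-time apps must fail over
DEGRADED = [replace(p, loss_pct=3.0) if p.name == "mpls" else p for p in PATHS]
```

With the healthy snapshot `route_table(PATHS)` sends Zoom and Teams over MPLS and SAP and backups over broadband; with `DEGRADED` the real-time apps move to broadband while bulk traffic is unaffected.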
SD-WAN Vendors
| Vendor | Product | Strength |
|---|---|---|
| Cisco | Catalyst SD-WAN (Viptela) | Largest install base, Cisco integration, ThousandEyes |
| Fortinet | FortiGate SD-WAN | Integrated NGFW + SD-WAN (no separate appliance), best security |
| VMware | VeloCloud | Cloud-first, strong multi-cloud integration |
| Palo Alto | Prisma SD-WAN (CloudGenix) | AI/ML-based, autonomous networking, Prisma SASE integration |
| HPE/Aruba | EdgeConnect (Silver Peak) | Strong WAN optimization, Unity Boost |
| Versa | Versa SASE | Single-stack SASE (SD-WAN + security in one OS) |
SASE (Secure Access Service Edge)
| Component | Function |
|---|---|
| SD-WAN | Intelligent WAN routing, overlay, application-aware |
| SWG (Secure Web Gateway) | URL filtering, malware scanning for web traffic |
| CASB (Cloud Access Security Broker) | Visibility + control over SaaS usage (shadow IT detection) |
| ZTNA (Zero Trust Network Access) | Per-application access control (replaces VPN) |
| FWaaS (Firewall-as-a-Service) | Cloud-delivered firewall inspection |
| DLP (Data Loss Prevention) | Prevents sensitive data exfiltration |
Migration Strategy
| Phase | Action |
|---|---|
| 1. Assessment | Audit the current WAN: circuits, applications, traffic patterns, costs |
| 2. Design | Define the transport strategy (MPLS + broadband), application policies, security |
| 3. Pilot | Deploy SD-WAN at 2-3 sites → validate performance, policies, failover |
| 4. Phased Rollout | Deploy site by site (start with less critical sites, then critical ones) |
| 5. Hybrid Period | Run SD-WAN + existing WAN in parallel → gradual cutover |
| 6. Optimization | Fine-tune policies, reduce/eliminate MPLS where possible |
Closing: SD-WAN = Intelligent, Cost-Effective WAN
- SD-WAN Architecture vs Traditional: multi-transport (MPLS + internet + LTE), app-aware routing, centralized management, 50-70% cost reduction
- Components: edge devices, controller (orchestrator), vManage/vSmart/vBond
- Overlay/Underlay: encrypted tunnels over any transport, abstraction layer
- App-Aware: DPI identification, SLA monitoring, dynamic path switching, FEC, packet duplication
- SASE: SD-WAN + SWG + CASB + ZTNA + FWaaS (converged, cloud-delivered)
- Vendors: Cisco (largest), Fortinet (integrated NGFW), VMware (cloud), Palo Alto (AI)
- Migration: assess → design → pilot 2-3 sites → phased rollout → hybrid → optimize