SD-WAN Architecture: Overlay, Underlay, Orchestrator, SLA Policy and Migration
SD-WAN (Software-Defined Wide Area Network) turns the WAN from hardware-centric into software-defined. The Overlay is the virtual network built on top of the underlay transports; the Underlay is the physical WAN links (MPLS, Internet, LTE); the Orchestrator is the central management and policy engine; the SLA Policy defines application requirements and steers traffic according to real-time performance; and the Migration Strategy plans the move from a traditional WAN to SD-WAN.
Traditional enterprise WANs rely mainly on MPLS, which is expensive (10-100× per Mbps compared with Internet), inflexible (changing bandwidth takes weeks to months) and cloud-unfriendly (traffic must be backhauled to HQ before breaking out to the Internet). SD-WAN addresses all of these: cheap Internet links + intelligent routing + direct cloud access.
SD-WAN Architecture Components
| Component | Role |
|---|---|
| vEdge / Edge Device | CPE at the branch: builds overlay tunnels, applies policies, forwards traffic |
| Orchestrator / Controller | Central management: pushes policies, monitors health, manages topology |
| Gateway | Hub site / data center / cloud gateway: aggregates branch connections |
| Overlay | IPsec tunnels across the underlay links: encrypted, application-aware |
| Underlay | Physical WAN transports: MPLS, broadband Internet, LTE/5G, satellite |
Overlay vs Underlay
| Feature | Overlay | Underlay |
|---|---|---|
| What it is | Virtual tunnels (IPsec/GRE) built on top of the underlay | Physical WAN links that carry the overlay traffic |
| Encryption | End-to-end encrypted (IPsec AES-256) | Depends on transport (MPLS = not encrypted, Internet = not encrypted) |
| Topology | Full-mesh, hub-spoke, partial-mesh (software-defined) | Whatever the ISP provides |
| Control | SD-WAN controller manages the overlay | ISP manages the underlay |
| Failover | Sub-second (SD-WAN detects + switches) | Minutes to hours (ISP SLA) |
SLA Policy / Application Steering
| Feature | Details |
|---|---|
| Application Recognition | DPI (Deep Packet Inspection) identifies the application (Zoom, Teams, SAP, etc.) |
| SLA Metrics | Latency, jitter, packet loss: measured in real time per overlay tunnel |
| Policy Example | Voice: latency < 150 ms, jitter < 30 ms → prefer MPLS, fail over to Internet |
| Dynamic Steering | If MPLS latency exceeds the threshold → automatically steer to the Internet link |
| Direct Internet Access | SaaS traffic (O365, Salesforce) breaks out to the Internet directly from the branch (no backhaul) |
| QoS | Prioritize voice/video on the overlay → DSCP marking → underlay QoS |
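The steering loop described in the table (recognize the application, compare each tunnel's probe metrics against the SLA thresholds, pick the preferred transport that still qualifies, fall over when it does not, and mark DSCP for the underlay) as a small Python model. This is an added illustration, not code from any SD-WAN vendor; the `classify_flow` rules stand in for real DPI, and the policy values, DSCP codepoints and probe numbers are constructed to mirror the voice example above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SlaPolicy:
    """SLA thresholds and ordered transport preference for one application class."""
    app_class: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: Tuple[str, ...]   # transports in order of preference
    dscp: int                    # DSCP marked on the overlay packet so the underlay can apply QoS


@dataclass
class TunnelMetrics:
    """Latest probe results for one overlay tunnel (one per underlay transport)."""
    transport: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True              # False once probes time out and the tunnel is declared down


# Constructed policies mirroring the table above: voice prefers MPLS with
# latency < 150 ms and jitter < 30 ms; SaaS prefers Direct Internet Access.
POLICIES: Dict[str, SlaPolicy] = {
    "voice": SlaPolicy("voice", 150, 30, 1.0, ("mpls", "internet"), dscp=46),    # EF
    "saas":  SlaPolicy("saas", 300, 100, 5.0, ("internet", "mpls"), dscp=0),     # best effort, DIA
    "bulk":  SlaPolicy("bulk", 1000, 500, 10.0, ("internet", "mpls"), dscp=10),  # AF11
}


def classify_flow(sni: str, dst_port: int) -> str:
    """Stand-in for DPI application recognition: hypothetical rules on TLS SNI and port."""
    host = sni.lower()
    if host.endswith("teams.microsoft.com") or host.endswith("zoom.us") or dst_port in (5060, 5061):
        return "voice"
    if host.endswith("salesforce.com") or host.endswith("office.com"):
        return "saas"
    return "bulk"


def meets_sla(m: TunnelMetrics, p: SlaPolicy) -> bool:
    """A tunnel qualifies only if it is up and every metric is within the policy threshold."""
    return (m.up and m.latency_ms <= p.max_latency_ms
            and m.jitter_ms <= p.max_jitter_ms
            and m.loss_pct <= p.max_loss_pct)


def select_path(p: SlaPolicy, tunnels: Dict[str, TunnelMetrics]) -> Optional[str]:
    """Dynamic steering: first preferred transport whose tunnel meets the SLA.
    If none meets it, fall back to the up tunnel with the lowest latency rather
    than dropping the flow; None only when every tunnel is down."""
    for transport in p.preferred:
        m = tunnels.get(transport)
        if m is not None and meets_sla(m, p):
            return transport
    alive = [m for m in tunnels.values() if m.up]
    if not alive:
        return None
    return min(alive, key=lambda m: m.latency_ms).transport


def steer_flow(sni: str, dst_port: int, tunnels: Dict[str, TunnelMetrics]) -> dict:
    """Classify a flow, choose its path and return the forwarding decision plus DSCP mark."""
    app = classify_flow(sni, dst_port)
    policy = POLICIES[app]
    path = select_path(policy, tunnels)
    sla_met = path is not None and meets_sla(tunnels[path], policy)
    return {"app": app, "path": path, "dscp": policy.dscp, "sla_met": sla_met}


if __name__ == "__main__":
    # Constructed probe snapshot: MPLS has degraded beyond the voice threshold.
    tunnels = {
        "mpls": TunnelMetrics("mpls", latency_ms=180, jitter_ms=40, loss_pct=0.5),
        "internet": TunnelMetrics("internet", latency_ms=60, jitter_ms=10, loss_pct=0.1),
    }
    print(steer_flow("teams.microsoft.com", 443, tunnels))   # voice steered to internet
    print(steer_flow("login.salesforce.com", 443, tunnels))  # saas stays on DIA
```

The design point worth noticing is the fallback branch in `select_path`: when no tunnel satisfies the SLA, a real edge still has to forward the flow somewhere, so the decision records `sla_met: False` for monitoring instead of dropping traffic. Production implementations also add hysteresis so a tunnel hovering around a threshold does not flap between transports.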
SD-WAN Vendors
| Vendor | Product | Strengths |
|---|---|---|
| Cisco | Catalyst SD-WAN (Viptela) | Largest market share, Cisco ecosystem integration, ThousandEyes |
| Fortinet | FortiGate SD-WAN | Built-in NGFW security, best security + SD-WAN integration |
| Palo Alto | Prisma SD-WAN (CloudGenix) | AI/ML-driven, application-centric, Prisma SASE integration |
| VMware | VeloCloud SD-WAN | Cloud-first, gateway network, multi-cloud optimization |
| HPE Aruba | EdgeConnect SD-WAN | WAN optimization built in, strong branch networking |
| Versa | Versa SASE | Single software stack (SD-WAN + security + analytics in one) |
SD-WAN vs MPLS
| Feature | SD-WAN | MPLS |
|---|---|---|
| Cost | 50-70% cheaper (uses Internet links) | Expensive (dedicated circuits) |
| Bandwidth | Easy to scale (add an Internet link) | Slow to change (weeks to months of provisioning) |
| SLA | Software-based SLA (measure + steer) | ISP-guaranteed SLA |
| Reliability | Multiple links + fast failover | Single link (high reliability per link) |
| Cloud Access | Direct Internet Access (DIA) from the branch | Backhaul to HQ → Internet (suboptimal) |
| Security | IPsec encryption + integrated NGFW | Not encrypted (but a private network) |
| Management | Central orchestrator (easy, template-based) | Device-by-device or ISP-managed |
SASE (Secure Access Service Edge)
| Component | Function |
|---|---|
| SD-WAN | WAN connectivity + application steering |
| ZTNA | Zero Trust Network Access (replaces VPN) |
| CASB | Cloud Access Security Broker (controls SaaS usage) |
| SWG | Secure Web Gateway (URL filtering, malware protection) |
| FWaaS | Firewall as a Service (cloud-delivered NGFW) |
| DLP | Data Loss Prevention (prevents sensitive data leaks) |
Migration Strategy
| Phase | Action |
|---|---|
| 1. Assessment | Inventory sites, applications, current WAN, bandwidth requirements |
| 2. Pilot | Deploy SD-WAN at 3-5 sites (alongside MPLS, hybrid) |
| 3. Hybrid | SD-WAN and MPLS run side by side (MPLS for critical traffic, Internet for the rest) |
| 4. Expand | Roll out to all branch sites → verify application performance |
| 5. Optimize | Reduce MPLS bandwidth (or eliminate it) → direct cloud access |
| 6. SASE | Add security services (ZTNA, SWG, CASB) → full SASE |
Closing: SD-WAN = Intelligent, Cost-Effective WAN
- SD-WAN Architecture Components: edge devices + orchestrator + gateway + overlay tunnels + underlay transports
- Overlay: IPsec tunnels (encrypted, application-aware) over any underlay (MPLS, Internet, LTE)
- SLA Policy: measure latency/jitter/loss per tunnel → steer apps to the best path in real time
- vs MPLS: 50-70% cheaper, faster to deploy, direct cloud access, multi-link failover
- Vendors: Cisco (market leader), Fortinet (best security), VMware, Palo Alto, HPE Aruba
- SASE: SD-WAN + ZTNA + CASB + SWG + FWaaS (converged networking + security)
- Migration: assessment → pilot → hybrid (SD-WAN + MPLS) → expand → optimize → SASE