SD-WAN Architecture: Overlay, Underlay, Orchestrator and Vendors
SD-WAN (Software-Defined WAN) is a technology that abstracts the WAN transport layer away from the physical circuits, so multiple WAN links (MPLS, broadband, LTE, 5G) can be used together intelligently. The overlay network builds encrypted tunnels over the underlay transports, and a centralized orchestrator controls policy, routing and security from a single pane of glass.

A traditional WAN relies mainly on MPLS, which is expensive and slow to provision (weeks to months). SD-WAN addresses this: it uses broadband internet alongside MPLS, application-aware routing sends critical apps over the best path, zero-touch provisioning deploys a new branch within minutes, and centralized management reduces complexity.
SD-WAN Components

| Component | Role |
|---|---|
| vEdge / Edge Device | CPE (Customer Premises Equipment) at the branch; builds the overlay tunnels |
| Orchestrator / Controller | Central management plane: pushes policies, monitors, configures |
| Gateway | Hub site or cloud gateway for internet breakout / DC access |
| Underlay | Physical WAN transports: MPLS, broadband, LTE, 5G, satellite |
| Overlay | Encrypted tunnels (IPsec/GRE) over the underlay; logical mesh or hub-spoke |
Overlay vs Underlay

| Feature | Underlay | Overlay |
|---|---|---|
| What it is | Physical WAN circuits (MPLS, internet, LTE) | Logical tunnels built on top of the underlay |
| Control | Managed by the ISP | Controlled by the organization (policy-based) |
| Encryption | Not encrypted by the transport itself (MPLS = no, internet = no) | Always encrypted (IPsec AES-256) |
| Topology | Physical (point-to-point, hub-spoke) | Logical (full mesh, partial mesh, hub-spoke) |
| Path Selection | ISP routing (BGP, OSPF) | Application-aware routing (latency, jitter, loss) |
Key Features

| Feature | Details |
|---|---|
| Application-Aware Routing | Identify apps (DPI) → route via the best path based on SLA (latency, jitter, loss) |
| Transport Independence | Use MPLS + broadband + LTE together (active-active) |
| Zero-Touch Provisioning (ZTP) | Ship the edge device → plug it in → it auto-connects to the orchestrator → pulls its config |
| Centralized Policy | Define a policy once at the orchestrator → push it to all edges |
| Direct Internet Access (DIA) | Local internet breakout at the branch (no backhaul to the DC) |
| Segmentation | VRF-based segmentation (guest, corporate and IoT traffic kept separate) |
| Built-in Security | Firewall, IPS, URL filtering, malware protection at the edge |
Application-Aware Routing

| SLA Parameter | What it measures | Example threshold |
|---|---|---|
| Latency | Round-trip time | Voice: < 150 ms, Video: < 200 ms |
| Jitter | Variation in latency | Voice: < 30 ms |
| Packet Loss | % of packets lost | Voice: < 1%, Video: < 0.5% |
| Bandwidth | Available throughput | Video: > 5 Mbps |
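As an added example (not code from the original article or any vendor), here is a small Python model of the application-aware path selection the table describes: each candidate underlay path is checked against the per-application SLA thresholds above, and the best compliant path is chosen. The path metrics are constructed sample values, and the ranking rule used when several or no paths meet the SLA is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathMetrics:
    """Probe results for one underlay transport (constructed sample data)."""
    name: str
    latency_ms: float      # round-trip time
    jitter_ms: float       # variation in latency
    loss_pct: float        # percentage of probe packets lost
    bandwidth_mbps: float  # available throughput


# SLA thresholds from the table above; None means the parameter is not constrained.
SLA = {
    "voice": {"max_latency_ms": 150, "max_jitter_ms": 30, "max_loss_pct": 1.0, "min_bw_mbps": None},
    "video": {"max_latency_ms": 200, "max_jitter_ms": None, "max_loss_pct": 0.5, "min_bw_mbps": 5},
    "best-effort": {"max_latency_ms": None, "max_jitter_ms": None, "max_loss_pct": None, "min_bw_mbps": None},
}


def meets_sla(path: PathMetrics, sla: dict) -> bool:
    """True when every constrained SLA parameter is satisfied by the path."""
    return all([
        sla["max_latency_ms"] is None or path.latency_ms < sla["max_latency_ms"],
        sla["max_jitter_ms"] is None or path.jitter_ms < sla["max_jitter_ms"],
        sla["max_loss_pct"] is None or path.loss_pct < sla["max_loss_pct"],
        sla["min_bw_mbps"] is None or path.bandwidth_mbps > sla["min_bw_mbps"],
    ])


def select_path(app: str, paths: list, preferred: tuple = ()) -> PathMetrics:
    """Pick the path for an application class (ranking rule is an assumption):
    1. first SLA-compliant path named in `preferred` (e.g. the cheapest link);
    2. otherwise the SLA-compliant path with the lowest latency;
    3. if nothing meets the SLA, the lowest-loss path so traffic still flows."""
    compliant = {p.name: p for p in paths if meets_sla(p, SLA[app])}
    for name in preferred:
        if name in compliant:
            return compliant[name]
    if compliant:
        return min(compliant.values(), key=lambda p: p.latency_ms)
    return min(paths, key=lambda p: (p.loss_pct, p.latency_ms))


# Constructed sample: three underlay transports as an edge might measure them right now.
PATHS = [
    PathMetrics("mpls", latency_ms=40, jitter_ms=5, loss_pct=0.1, bandwidth_mbps=10),
    PathMetrics("broadband", latency_ms=25, jitter_ms=40, loss_pct=0.2, bandwidth_mbps=100),
    PathMetrics("lte", latency_ms=90, jitter_ms=20, loss_pct=0.8, bandwidth_mbps=8),
]
```

With the sample metrics, `select_path("voice", PATHS)` picks MPLS because broadband fails the voice jitter threshold even though it has the lowest latency, while `select_path("video", PATHS)` picks broadband because video has no jitter constraint and LTE exceeds the 0.5% loss limit.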
SD-WAN Vendors

| Vendor | Product | Strengths |
|---|---|---|
| Cisco | Catalyst SD-WAN (Viptela) | Largest market share, deep Cisco integration, Meraki option |
| Fortinet | FortiGate SD-WAN | Best security integration (NGFW built-in), cost-effective |
| VMware | VeloCloud SD-WAN | Strong multi-cloud, gateway network, acquired by Broadcom |
| Palo Alto | Prisma SD-WAN (CloudGenix) | AI/ML-based, strong SASE integration |
| HPE Aruba | EdgeConnect SD-WAN (Silver Peak) | WAN optimization built-in, Unity Boost |
| Versa Networks | Versa SASE | Integrated SD-WAN + SASE, multi-tenant |
| Juniper | Session Smart Router (128T) | Tunnel-free, session-based routing |
SD-WAN vs Traditional WAN

| Feature | Traditional WAN | SD-WAN |
|---|---|---|
| Primary Transport | MPLS (expensive) | MPLS + broadband + LTE (flexible) |
| Deployment | Weeks to months (MPLS provisioning) | Hours to days (ZTP + broadband) |
| Management | CLI per device | Centralized orchestrator (GUI/API) |
| Path Selection | Static (primary/backup) | Dynamic, application-aware |
| Internet Access | Backhaul to DC → internet | Direct Internet Access (DIA) at the branch |
| Cost | High (MPLS circuits) | Lower (augment/replace MPLS with broadband) |
| Cloud Access | Hairpin through DC | Direct cloud on-ramp (AWS, Azure, GCP) |
SD-WAN + SASE

| Component | Function |
|---|---|
| SD-WAN | WAN connectivity + application routing |
| SWG (Secure Web Gateway) | URL filtering + malware scanning for web traffic |
| CASB | Cloud Access Security Broker → control SaaS usage |
| ZTNA | Zero Trust Network Access → replace traditional VPN |
| FWaaS | Firewall as a Service → cloud-based firewall |
Deployment Best Practices

| Practice | Details |
|---|---|
| Start with hybrid | Keep MPLS for critical traffic and add broadband (don't rip-and-replace) |
| Define SLA policies | Map applications to SLA requirements (voice, video, data, best-effort) |
| Security first | Enable encryption + segmentation + DIA security from day 1 |
| Pilot first | Deploy 2-3 pilot sites → validate → roll out |
| Monitor continuously | Use orchestrator analytics for WAN health + app performance |
| Plan for cloud | Consider cloud on-ramp (AWS TGW, Azure vWAN integration) |
Takeaway: SD-WAN = Intelligent WAN + Centralized Control

- SD-WAN overlay (encrypted tunnels) runs over the underlay (MPLS + broadband + LTE)
- Application-aware routing: route apps based on SLA (latency, jitter, loss)
- ZTP: ship → plug in → auto-config (deploy branches in hours)
- DIA: local internet breakout at the branch (no backhaul)
- SD-WAN + SASE = complete branch solution (networking + security)

Read more about MPLS VPN and Zero Trust ZTNA at siamlancard.com, or from icafeforex.com and siam2r.com.