Architecting an Application-Driven WAN Edge

Enterprise momentum behind digital transformation and the continued rise of cloud-hosted applications challenge the effectiveness of, and the need for, a traditional router-centric WAN architecture.

These trends are driving traffic pattern shifts, increased bandwidth requirements and an increased reliance on broadband connectivity that legacy WAN architectures were never designed to support. Backhauling internet-bound traffic from the branch, back to headquarters and then out to the internet to access SaaS or web applications is both inefficient and ineffective in connecting a distributed workforce to the cloud.

For faster and more secure access to applications, traffic must be dynamically sent directly and securely to its ultimate destination, whether applications are hosted in the cloud or in the data center. This requires a dynamic software-driven WAN edge architecture that routes, or steers, traffic intelligently based on application-driven policies. It’s not about deploying traditional routers that route based on IP subnets. Software-defined WAN (SD-WAN) solutions have emerged to empower geographically distributed enterprises with a new WAN edge architecture that yields consistent application performance, robust security and operational efficiencies.

The time has come to move beyond the manual device-by-device configuration of traditional routers with an arcane CLI toward a centralized, simplified and automated GUI-based point-and-click approach in which you configure once and deploy across all sites. An advanced SD-WAN solution makes the traditional router obsolete, eliminating its associated rigidity, complexity and expense.

An application-driven SD-WAN edge architecture moves beyond the router to consolidate foundational network functions at the branch into a single, centrally managed solution. By actively using all WAN transport services including consumer broadband, an advanced SD-WAN solution dramatically improves application performance and availability. The result: lower costs, enhanced productivity and greater business agility.

Traditional Branch WAN Architecture

Traditional router-centric WAN architectures are network-driven, as illustrated in Figure 1. They were architected in an era when applications were hosted exclusively in the data center. Legacy WAN architectures make deploying new applications, provisioning new policies or changing existing policies an arduous task. Configuration, deployment and management require specialized on-premises IT expertise at each location to manually configure each router using a CLI that was invented in the 1980s. This process is lengthy, complex, error-prone, costly and inefficient.

For example, the task of connecting branch offices under the traditional model requires manual configuration of the BGP routing protocol at each site. The rigidity of the BGP protocol results in the manual reprogramming of every branch router whenever traffic patterns or application QoS and/or security policies change. Enterprises experience further delays in cases where they outsource the management of WAN infrastructure and rely on a third party that hasn’t adopted SD-WAN technologies to implement moves, adds and changes to application policies. In some cases, changes can take weeks to fully implement.

BGP was never designed to address WAN transport brownouts caused by congestion or packet loss, or blackouts in the event of a complete link failure. Re-convergence times and application recovery can take tens of seconds and sometimes minutes, resulting in application interruption that impairs end-user productivity and business agility. In cases where capabilities are added to optimize for application routing and performance, the outcome is suboptimal and complex to implement and manage.

Even though branch traffic is usually backhauled to the corporate data center for advanced security inspection, separate firewalls must be configured and deployed at each branch location to protect against inbound attacks. This adds another physical device and another layer of configuration, deployment and management complexity for every location.

Geographically distributed enterprises often also require a WAN optimization solution to address latency and ensure acceptable application performance when distance is a factor between sites. To support WAN optimization, traditional WAN architectures require yet another physical device, adding yet another layer of complexity.

What is the end result? A disparate infrastructure stack consisting of multiple devices that must be configured, deployed and managed individually across every branch location, requiring multiple management tools and interfaces that are complex, rigid and expensive to manage and operate.

Figure 1: Rigid branch WAN architecture based on legacy routers is expensive and complex to manage

Moving Beyond the Router to an Application-driven WAN Edge

Basic SD-WAN solutions introduced over the past two years enable enterprises to introduce economical broadband to augment MPLS, steer traffic in accordance with application requirements and centralize management to gain greater efficiencies. Advanced SD-WAN solutions, such as Silver Peak Unity EdgeConnect, dramatically simplify WAN architecture by consolidating and orchestrating essential network functions that render the branch office router obsolete.

An application-aware SD-WAN overlay model automatically steers traffic to its destination based on QoS and security policies according to business intent rather than relying on complex, inflexible routing protocols. However, to steer traffic granularly and to its correct destination, applications must be identified on the first packet. Silver Peak First-packet iQ incorporates a dynamic map of the internet to identify and classify more than 10,000 SaaS applications and 300 million web domains on the very first packet. This enables EdgeConnect to intelligently direct traffic to the correct SD-WAN overlay in compliance with business intent. Trusted SaaS traffic can be directed to the internet while unknown or suspicious traffic can be directed to more advanced security resources. Enterprise data center-hosted application traffic will traverse its assigned SD-WAN virtual overlay based on QoS and security policies rather than relying on an antiquated Access Control List (ACL) model employed by traditional branch routers.

An advanced application-driven SD-WAN can simplify the branch WAN edge architecture through the consolidation and centralized orchestration of network services encompassing SD-WAN, WAN optimization, routing and a stateful firewall. EdgeConnect integrates these core functions into a single, complete SD-WAN solution to enable a “thin branch” architecture; see Figure 2. Silver Peak Unity Orchestrator centralizes and automates the management of these functions through a single pane of glass.

While “routing” is still required to ensure interoperability with branches not yet migrated to an SD-WAN model, a physical router is no longer required with the EdgeConnect SD-WAN solution. BGP routing is no longer required between SD-WAN-connected branches since encrypted overlays transport traffic efficiently based on application requirements. However, built-in Layer 2 and Layer 3 capabilities, including BGP and OSPF protocol interoperability, assure seamless communications with other devices and non-SD-WAN-based branch offices.

Figure 2: EdgeConnect thin branch architecture integrates SD-WAN, WAN optimization, routing and stateful firewall functionality into a single, fully integrated solution, simplifying and consolidating the WAN edge and increasing operational efficiency

EdgeConnect enables network managers to quickly and easily apply robust security policies to applications or application groups whether they reside in the data center or the cloud. EdgeConnect incorporates a stateful firewall to support secure, direct internet breakout for trusted SaaS and web applications. Unknown or suspicious application traffic can be quickly and easily service chained to next-generation firewalls or cloud-based security services for further inspection. This model applies the appropriate level of security at the branch to lower costs and apply sophisticated security resources only where they are absolutely required.

While organizations are increasingly migrating applications to the cloud, a subset of applications will continue to be hosted from corporate data centers. As enterprises add higher bandwidth broadband services into the WAN transport pool, they must take into account that latency-sensitive applications will continue to require protocol acceleration to achieve peak performance between sites separated by long distances. Data deduplication and compression techniques significantly reduce data transfer times. Silver Peak Unity Boost, an optional WAN optimization software performance pack, can be applied with a single mouse click to optimize the performance of latency-sensitive applications.

WAN optimization may be applied on an application-by-application or site-by-site basis only when and where it’s required. Boost is fully integrated with EdgeConnect software, delivered and managed as a single solution in contrast to the existing router-centric model which requires a separate WAN optimization appliance at every location.

Seamless Migration

Enterprises typically refresh branch office routers every three to five years. Large enterprises phase refresh cycles – some branches in year one, more in year two, and others in year three. Therefore, interoperability with existing WAN edge infrastructure is critical when implementing a migration strategy to an application-driven WAN edge.

While EdgeConnect can completely replace traditional routers at the branch, a flexible deployment model, fully compatible with routers, firewalls or other pre-existing devices at the branch, enables enterprises to transition to a thin branch without branch routers at their own pace. BGP and OSPF routing protocol support assures interoperability with branch offices that have not yet migrated to an SD-WAN solution; see Figure 3.

Figure 3: EdgeConnect flexible deployment model and routing interoperability assures seamless migration to the application-driven WAN edge

Business Outcomes

The EdgeConnect thin branch architecture simplifies and consolidates the critical WAN edge network functions of routing, WAN optimization, stateful firewall and SD-WAN into a single fully integrated software instance, reducing the branch infrastructure footprint by up to 75 percent. Centralized orchestration of all functions from a single pane of glass with Unity Orchestrator streamlines management and administration tasks, resulting in greater operational efficiencies.

By migrating to a Silver Peak EdgeConnect application-driven WAN edge solution, geographically distributed enterprises can accelerate application performance up to 40X. A thin branch WAN edge drives greater business productivity and agility with 100X faster deployments through centralized management, eliminating the requirement for specialized IT expertise at each branch location.


According to Gartner vice president and distinguished analyst Joe Skorupa, “By 2020, more than 50 percent of WAN edge infrastructure refresh initiatives will be based on SD-WAN versus traditional routers.”1 Organizations facing recurring router refresh cycles now have a powerful alternative: an application-driven WAN architecture that can greatly simplify the WAN edge, deliver superior application performance and dramatically reduce equipment and operational costs.

The Silver Peak EdgeConnect SD-WAN solution enables distributed enterprises to build an intelligent, application-driven WAN edge and migrate to an SD-WAN at their own pace. With EdgeConnect, organizations across all industry segments and of all sizes can connect users to applications with the flexibility to use any combination of underlying transport technologies without compromising network or application performance. The result: dramatically lower CAPEX and OPEX costs, ROI, improved user productivity, an enhanced customer experience, increased business agility and accelerated time-to-revenue, all by implementing an application-driven WAN edge with Silver Peak EdgeConnect.

