9. February 2023

irgNET – LAB 7.0 U3 – VMware SD-WAN

By H. Cemre Günay

New month; new HomeLab update! This update is about changing my WAN architecture and I will use from now on the SD-WAN solution of VMware. But – What is behind Software-Defined WAN (SD-WAN)? We are not talking about a hardware addition or a software application in vSphere, but about a fundamental modification (improvement) of the WAN.

Software-Defined Wide Area Network (SD-WAN) is a software-based network technology that delivers virtualized resources to wide area network connections over both ordinary broadband Internet and private links. Applying the concepts of software-defined networks to WANs, SD-WAN abstracts traffic management and monitoring from network hardware and applies them to individual applications. 

SD-WAN can more effectively route all network traffic between Datacenters, branch offices, and the cloud than traditional WAN routers. SD-WAN dynamically uses multiple available connections to find the best delivery path for traffic across the entire network, eliminating jitter and dropped data packets, to deliver an optimal user experience in even the most far-flung remote offices. 

Before we take a look at the GUI of the VMware Cloud Orchestrator, let us talk about the new architecture:

As we can see above, I now have two Internet connections to improve availability, performance and load balancing: a cable Internet connection as the main WAN and a 4G Internet connection as an “offload” WAN, which only steps in if the main connection fails or no longer delivers the desired performance. Both 1GbE WAN connections terminate on a VMware Edge 620 hardware appliance. At the same time, I also use the VMware Edge 620 as the DHCP server for my 10GbE LAN.

VMware SD-WAN Orchestrator provides centralized, enterprise-wide installation, configuration and real-time monitoring, in addition to orchestrating the data flow through the cloud network. Several VMware Edge appliances are connected to it, operated by Marc Huppert, Lukasz Baran and me.

Firewall Functionality:
On the VMware SD-WAN Edge, firewall rules can only be configured on the outbound side. The rules determine which traffic is allowed out from the LAN to the Internet, to the overlay, and between LAN segments. We can also define port forwarding rules, which in my case are very important for my NGINX reverse proxy.

Business Policy Functionality:
SD-WAN Orchestrator allows you to configure business policy rules at the Profile and Edge levels. Operators, Partners, and Admins of all levels can create a business policy. The business policy matches parameters such as IP addresses, ports, VLAN IDs, interfaces, domain names, protocols, operating system, object groups, applications, and DSCP tags. When a data packet matches the match conditions, the associated action or actions are taken. If a packet matches no parameters, then a default action is taken on the packet.
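To make the match/action behaviour of both the outbound firewall rules and the business policy rules concrete, here is a small first-match rule evaluator. It is an added example written for this post, not VMware's implementation and not the Edge's real rule schema: the `Flow` and `Rule` fields, the CIDR ranges, the VLAN IDs, the DSCP value and the action strings are all constructed assumptions. It shows the two things a practitioner should keep in mind when writing such rules: every specified match parameter must match (unspecified ones match anything), and when no rule matches, the default action decides, so rule order and the default matter.

```python
"""First-match policy evaluator modelled on the match/action description
of SD-WAN firewall and business policy rules.  Added illustration only:
the rule schema, field names and sample flows are constructed assumptions,
not VMware's data model."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    """The parameters of one packet/flow that a rule can match on."""
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None
    vlan: Optional[int] = None
    dscp: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A rule: every field that is set must match; unset fields match anything."""
    name: str
    action: str                     # e.g. "allow", "deny", "steer:<path>"
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    vlan: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return all((
            self.src is None or _in_net(f.src_ip, self.src),
            self.dst is None or _in_net(f.dst_ip, self.dst),
            self.proto is None or self.proto == f.proto,
            self.dst_ports is None or f.dst_port in self.dst_ports,
            self.vlan is None or self.vlan == f.vlan,
            self.dscp is None or self.dscp == f.dscp,
        ))


def _in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: Sequence[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default


# Constructed sample rule set (hypothetical addresses and VLANs).
LAN = "10.0.0.0/16"        # whole home LAN
MGMT = "10.0.10.0/24"      # management segment
RULES = [
    # Business policy: voice (DSCP EF = 46) is steered to the best path.
    Rule("voice-steer", "steer:best-latency-path", dscp=46),
    # Specific deny before the broad allow: the guest VLAN must not reach mgmt.
    Rule("guest-to-mgmt", "deny", src=LAN, dst=MGMT, vlan=20),
    # Outbound web and DNS from the LAN to anywhere.
    Rule("web-out", "allow", src=LAN, dst="0.0.0.0/0", proto="tcp",
         dst_ports=frozenset({80, 443})),
    Rule("dns-out", "allow", src=LAN, proto="udp", dst_ports=frozenset({53})),
]


if __name__ == "__main__":
    samples = [
        Flow("10.0.20.5", "203.0.113.10", "tcp", 443, vlan=20),
        Flow("10.0.20.5", "10.0.10.2", "tcp", 443, vlan=20),
        Flow("10.0.30.7", "198.51.100.1", "udp", 5060, dscp=46),
        Flow("10.0.30.7", "198.51.100.1", "udp", 9999),
    ]
    for s in samples:
        print(s, "->", evaluate(RULES, s))
```

Note the order of `guest-to-mgmt` and `web-out`: because `0.0.0.0/0` also covers the management segment, swapping the two would let the guest VLAN reach management on ports 80 and 443. The last sample flow matches nothing and falls through to the default action, which is why a restrictive default is the safer choice.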

Load Balancing or Dynamic Multipath Optimization (DMPO) Functionality:
The VMware SD-WAN solution empowers enterprise and service providers to utilize multiple WAN transports simultaneously in order to maximize bandwidth while ensuring application performance. The unique Cloud-Delivered architecture offers these benefits for on-premise and cloud applications (SaaS/IaaS). This requires building an overlay network, which consists of multiple tunnels, monitoring and adapting to the change in the underlying WAN transports in real time. To deliver a very resilient overlay network that takes into account real time performance of the WAN links, VMware SD-WAN has developed Dynamic Multi-path Optimization (DMPO).
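The following toy path selector is an added example for this post, not VMware's DMPO code, and it illustrates the primary/offload behaviour described for my cable and 4G links together with the idea of picking a path from real-time link measurements. The link names, the health thresholds, the scoring weights and the probe samples are all constructed assumptions.

```python
"""Toy WAN path selection driven by per-link measurements.  Added
illustration of the primary/offload idea and of choosing the best path
from real-time link quality; not VMware's DMPO algorithm.  Thresholds,
weights and sample probes are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class LinkStats:
    """One measurement sample for a WAN transport."""
    name: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float


# Assumed quality limits beyond which a link is treated as degraded.
THRESHOLDS = {"latency_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 2.0}


def is_healthy(link: LinkStats, t: Dict[str, float] = THRESHOLDS) -> bool:
    return (link.up
            and link.latency_ms <= t["latency_ms"]
            and link.jitter_ms <= t["jitter_ms"]
            and link.loss_pct <= t["loss_pct"])


def score(link: LinkStats) -> float:
    """Lower is better; the weights are arbitrary constructed values."""
    return link.latency_ms + 2.0 * link.jitter_ms + 50.0 * link.loss_pct


def choose_path(links: Sequence[LinkStats], primary: str = "cable",
                backup: str = "lte") -> Optional[str]:
    """Primary/offload policy: stay on the primary while it is healthy,
    fall back to the backup while it is healthy, otherwise take the
    least-bad link that is still up; None when every link is down."""
    by_name = {l.name: l for l in links}
    if is_healthy(by_name[primary]):
        return primary
    if is_healthy(by_name[backup]):
        return backup
    alive = [l for l in links if l.up]
    if not alive:
        return None
    return min(alive, key=score).name


def simulate(ticks: Sequence[Sequence[LinkStats]]) -> List[Optional[str]]:
    """Run the selector over a series of measurement rounds."""
    return [choose_path(tick) for tick in ticks]


# Constructed probe samples: each inner list is one measurement round.
SAMPLES = [
    [LinkStats("cable", True, 12, 2, 0.0), LinkStats("lte", True, 45, 8, 0.5)],   # all good
    [LinkStats("cable", True, 20, 5, 4.0), LinkStats("lte", True, 45, 8, 0.5)],   # cable lossy
    [LinkStats("cable", False, 0, 0, 100.0), LinkStats("lte", True, 300, 10, 0.1)],  # cable down, lte slow
    [LinkStats("cable", True, 200, 5, 0.0), LinkStats("lte", True, 160, 40, 0.0)],   # both degraded
    [LinkStats("cable", False, 0, 0, 100.0), LinkStats("lte", False, 0, 0, 100.0)],  # all down
]


if __name__ == "__main__":
    for tick, chosen in zip(SAMPLES, simulate(SAMPLES)):
        print([(l.name, is_healthy(l)) for l in tick], "->", chosen)
```

In the third round the 4G link exceeds the latency limit but is the only transport still up, so it is used anyway; in the fourth round both links are degraded and the score decides, which is where a weighted quality metric rather than a plain up/down check earns its keep.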

In addition to these functionalities, we use a Cloud VPN between my VMware Edge appliance and that of my colleague Lukasz Baran, because my VMware Horizon Unified Access Gateway (UAG) is hosted at his Datacenter. All Horizon desktop requests from outside my LAN come through Lukasz’s Edge into my Datacenter.

The Cloud Virtual Private Network (VPN) provides a VPNC-compliant IPSec VPN connection between VMware SD-WAN sites and Non SD-WAN Destinations. It also reports the health of the sites (up or down) and delivers their status in real time.

Cloud VPN supports the following traffic flows:

– Branch to Non SD-WAN Destination via Gateway
– Branch to SD-WAN Hub
– Branch to Branch VPN
– Branch to Non SD-WAN Destination via Edge

So far so good for my VMware SD-WAN implementation. Now let us take an overall look at my two Datacenters. I want to use a new presentation concept from now on, where hardware and applications are separated. So now you will only find an infrastructure picture here:

And an overview of my mainly used applications here:

That is it from this HomeLab update, tell me below in the comments if you like the new concept. 😎