As an organization expands by adding new branches, its WAN also expands. The larger the WAN grows, the more network traffic needs to flow through MPLS (multi-protocol label switching) circuits, which have much more expensive bandwidth fees than traditional circuits. Some organizations improve their network performance by deploying security appliances at regional data centers, so they don’t need to backhaul traffic through the central firewall, but this only increases MPLS expenses and operating costs. Plus, spinning up each branch takes time, partly because of how long it takes to install a new MPLS circuit, which reduces agility and increases overhead costs.
SD-WAN, or software-defined wide area networking, abstracts WAN management to a separate control plane, streamlining workflows and allowing for a high degree of automation. SD-WAN makes it possible to leverage 5G and other networking technologies to reduce the reliance on MPLS circuits while still applying security policies and controls. With SD-WAN, you can lower your MPLS bandwidth costs, reduce the number of security appliances deployed around the enterprise, and deploy new branches faster.
In this post, we describe how SD-WAN decreases branch networking costs. We also explore strategies to reduce your expenses, providing an SD-WAN ROI calculator for a more personalized estimate of your potential savings.
How SD-WAN reduces branch networking costs
Implementing SD-WAN can result in the following cost reduction benefits.
Decreased MPLS bandwidth expenses
In a traditional WAN architecture, MPLS circuits are installed at each branch to create a semi-private connection back to the primary enterprise network; this traffic isn’t encrypted, but it is partitioned from the public internet and other MPLS customers. MPLS networks are very reliable, but the bandwidth is significantly more expensive than public internet bandwidth. Finding ways to reduce the amount of traffic over MPLS circuits can reduce the ongoing operational costs of each branch.
SD-WAN leverages whatever networks are at its disposal—including MPLS, public ISPs, and 5G/4G cellular—to find the best and most efficient path for branch traffic. An organization can use SD-WAN software to prioritize specific kinds of traffic based on parameters such as the apps or resources being requested, so precious MPLS bandwidth is only used when needed. Many organizations are able to move away from MPLS completely by using SD-WAN. Providers are also required to build their SD-WAN fabric from encrypted tunnels, allowing SD-WAN to direct traffic over the public internet with less risk.
Cost reduction strategy: secure access service edge (SASE)
Even with SD-WAN’s encryption, branch traffic still needs to pass through a security appliance in the central data center so enterprise security policies and controls can be applied, which likely means using the MPLS anyway. Secure access service edge, or SASE, rolls up multiple enterprise security technologies (such as next-generation firewalls (NGFWs) and data loss prevention) into a single solution delivered as a service, which means organizations can deploy it to regional data centers or even the branches themselves. SD-WAN’s intelligent routing feature can determine when branch traffic is destined for cloud or web resources, then direct this traffic through the SASE stack instead of using the MPLS to reach the central firewall. SASE can help eliminate MPLS usage completely while reducing bottlenecks for greater cost savings.
With SD-WAN and SASE, your organization can reduce the ongoing monthly expense of MPLS bandwidth at each branch without sacrificing reliability or security.
Fewer security appliances
To ensure that branch traffic is as secure as the primary enterprise network, teams usually backhaul that traffic through the same central firewall for inspection and policy application. This creates a massive bottleneck that can slow the entire enterprise down, so some organizations choose to deploy security appliances at smaller regional data centers near their branch locations to distribute the load. However, that usually means additional MPLS circuits are provisioned at each data center, increasing startup and bandwidth costs. Plus, there are the hardware, software, and licensing costs for all the additional security appliances.
We’ve already mentioned how SD-WAN leverages alternative networks (as well as encrypted tunnels) to reduce MPLS bandwidth usage and how SASE applies enterprise security controls to branch traffic while bypassing firewalls entirely. These two benefits also result in cost savings from needing to purchase and license fewer security appliances. Since vendors deliver SASE as a service, it doesn’t necessarily require special hardware to run, and some providers even offer it as a managed cloud service, eliminating the hardware cost altogether.
Cost reduction strategy: vendor-neutral solutions
On-premises versions of SASE usually don’t need vendor-specific hardware so you can deploy the software on any available server as a VM. However, many branches lack the extra server storage or computer headroom needed for this kind of deployment. To ensure you can deploy SASE without buying additional resources, consider vendor-neutral branch networking solutions that can directly host and run third-party VMs. That means you can get gateway routing, switching, out-of-band serial console management, and SASE in a single device, consolidating the branch networking stack to reduce hardware expenses and management complexity.
With SD-WAN, SASE, and vendor-neutral solutions, you can streamline your branch deployments to reduce costs and increase efficiency.
Faster branch deployments
Generally speaking, the faster a company can deploy a new branch, the faster it will see a return on investment (ROI). However, getting a new MPLS circuit provisioned can take a long time—several months is typical—which can delay deployment timelines and increase overhead expenses while an organization sits on a non-productive branch.
SD-WAN makes it possible to leverage alternative network technologies to get a branch up and running before the MPLS circuit is ready. For example, SD-WAN can direct branch traffic across a 5G network even before the main fiber or cable connection is installed. When all of the branch circuits are provisioned, SD-WAN can seamlessly incorporate them into its routing policies based on preconfigured policies and automation triggers for a smooth deployment. In short, SD-WAN eliminates the organization’s reliance on MPLS for revenue generation, with branches that can be fully operational as soon as LTE or ISP links are set up.
Cost reduction strategy: zero touch provisioning (ZTP)
Another way to reduce branch spin-up times is with zero touch provisioning, or ZTP. ZTP uses software scripts to execute new device configurations over the network, reducing the need for pre-staging or manual, on-site programming. Typical branch deployments involve sending engineers on-site to manually copy and paste configuration files, which is time consuming and increases the risk of human error. With ZTP, unskilled on-site staff simply plug in new device cables and the configuration scripts are automatically retrieved and executed to fully build the environment without human touch. Plus, ZTP scripts are reusable, so you can use the same ones to deploy many different branches.
With SD-WAN and ZTP, your organization can reduce branch deployment delays and see a faster ROI from new branches.
SD-WAN ROI calculator
ZPE Systems provides vendor-neutral branch networking solutions that can directly host or integrate your choice of SD-WAN and SASE applications. ZPE’s platform also allows you to extend ZTP and other automation to every device in every branch on your network. Check out our SD-WAN ROI calculator for a customized estimate of how much money you can save by deploying SD-WAN on ZPE’s platform.
