SD-WAN Architecture for Enterprise

7.0.0

Traffic flow

Once all the routes have been distributed across all the sites, application traffic flow can be controlled by SD-WAN rules according to the design principles described in the previous chapter. SD-WAN rules dictate how traffic is steered, based on the business requirements and the desired level of redundancy. The following traffic patterns are covered by this design.

  • Direct internet access (DIA): used when local internet breakout at a location is required. In this scenario the business application, such as a SaaS application or website, is located on the internet, and the SD-WAN device must choose the best path among multiple underlay WAN links.

    Traffic is routed directly to the internet using the path-selection method (manual, best quality, lowest cost (SLA) or maximize bandwidth (SLA)) configured in the SD-WAN rule.

  • Branch to primary datacenter: used when branch users require connectivity to an application or workload located behind the gateway at the primary datacenter. The secondary gateway, located in the secondary datacenter, is only used as a backup. The branch SD-WAN device should monitor all available overlay links and choose the best path according to the business requirements.

  • Branch to secondary datacenter (geo-redundant datacenter failover): a catastrophic failure at the primary datacenter location causes traffic to be routed through the gateway located in the secondary datacenter. In this scenario, the desired application either lives in both datacenter locations, or the secondary gateway has an alternative path to the primary datacenter.

  • Branch to Datacenter 1 or Datacenter 2 LAN access: it is common for redundant datacenter locations to host applications or services locally. In this scenario, Datacenter 1 has its own network space, advertised to all branch locations, with its own applications and services. Datacenter 2 also has its own network space with applications and services that are independent of Datacenter 1. Branch users require access to both at any given time and must use the optimal path to reach each set of resources.

  • Branch to branch: when ADVPN is used for dynamic branch-to-branch communication, either gateway can provide the routing and IPsec tunnel information necessary for direct communication. The gateway selected by the SD-WAN rule dictates which gateway becomes the ADVPN sender (the hub that triggers the shortcut). In this example, the gateway at the primary datacenter is the ADVPN sender under normal conditions.

    In the event of a major failure at the primary datacenter, the branch SD-WAN device sends traffic to the secondary datacenter gateway, which then becomes the ADVPN sender.
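
The following FortiOS 7.0 CLI fragment is an added example of how the DIA and branch-to-datacenter rules above could be expressed on a branch FortiGate; it is not configuration taken from this guide or from a Fortinet reference deployment. All interface names (wan1, wan2, HUB1-VPN1, HUB2-VPN1), zone names, address objects (Branch-LAN, DC1-Subnets, DC2-Subnets), probe servers, gateway addresses and SLA thresholds are assumptions chosen for illustration, and the `#` lines are annotations. Members 3 and 4 are the overlay tunnels to the primary and secondary datacenter gateways respectively, so the member order in rule 2 is what makes the primary datacenter the preferred path and, for ADVPN, the sender under normal conditions.

```fortios
config system sdwan
    set status enable
    config zone
        edit "underlay"
        next
        edit "overlay"
        next
    end
    config members
        # Underlay links used for DIA (assumed interface names and next hops)
        edit 1
            set interface "wan1"
            set zone "underlay"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "underlay"
            set gateway 198.51.100.1
        next
        # Overlay tunnels: member 3 reaches the primary datacenter gateway,
        # member 4 reaches the secondary datacenter gateway (assumed tunnel names)
        edit 3
            set interface "HUB1-VPN1"
            set zone "overlay"
        next
        edit 4
            set interface "HUB2-VPN1"
            set zone "overlay"
        next
    end
    config health-check
        # Probe the internet over both underlay links (assumed probe target)
        edit "Internet"
            set server "208.91.112.53"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
        # Probe each datacenter gateway over its own tunnel (assumed loopbacks)
        edit "HUB1"
            set server "10.200.1.1"
            set members 3
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
        edit "HUB2"
            set server "10.200.2.1"
            set members 4
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # Rule 1: DIA. Use the underlay links in order, skipping any that miss the SLA.
        edit 1
            set name "DIA-SaaS"
            set mode sla
            set src "Branch-LAN"
            set dst "all"
            config sla
                edit "Internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        # Rule 2: datacenter workloads. Prefer the primary datacenter tunnel; fall
        # back to the secondary datacenter tunnel only when HUB1 is out of SLA.
        edit 2
            set name "Branch-to-DC"
            set mode sla
            set src "Branch-LAN"
            set dst "DC1-Subnets" "DC2-Subnets"
            config sla
                edit "HUB1"
                    set id 1
                next
                edit "HUB2"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
```

After applying the configuration, `diagnose sys sdwan health-check` shows the measured latency, jitter and packet loss per member against the SLA thresholds, and `diagnose sys sdwan service` shows which member each rule is currently steering to; during a simulated primary datacenter outage rule 2 should move from member 3 to member 4. Two caveats: SD-WAN rules only steer traffic, so a firewall policy from the LAN to the underlay and overlay zones is still required for any of this traffic to pass, and because the DIA rule sends LAN traffic straight to the internet it must be paired with the same inspection profiles (web filter, IPS, SSL inspection) that would otherwise be applied at the datacenter edge.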