
SD-WAN Architecture for Enterprise

7.2.0

Introduction

The intention of this reference architecture is to provide an overview of the Fortinet SD-WAN solution, along with the components and architectures that satisfy common use cases. This document covers the Fortinet technology involved in deploying various types of SD-WAN designs, along with design considerations and best practices. The goal is a highly scalable, redundant, and secure SD-WAN design that is practical for your organizational requirements.

This document is not intended to be a step-by-step configuration guide. Instead, it is meant to be the starting point in your network design, where you begin to draw out the architecture that will meet your specific needs. Fortinet’s SD-WAN Deployment Guide covers the how-to configuration for some of the common architectures and designs described in this document.

For more information and documentation about the topics covered in this document, please see the Fortinet Document Library at https://docs.fortinet.com.

Executive summary

The following image illustrates a modernized SD-WAN branch edge solution that manages a hybrid architecture inclusive of both private WAN (MPLS) and broadband internet connectivity.

First, the branch has multiple transports, or connectivity options. In this example, the corporate MPLS WAN remains, but the organization has introduced a single broadband connection to provide direct internet access (DIA) from the branch. In addition, the organization has established an overlay network using Internet Protocol Security (IPsec) tunnels between the branches and the datacenter over the broadband internet transport, so that traffic crossing the untrusted broadband link is authenticated and encrypted. The result is that multiple paths are available from the branch to both the datacenter and a multi-cloud environment.

Compare this with a legacy single-path architecture: a switch connected to a simple router with a single connection to a private WAN. There is only one option for egress traffic. Introducing DIA inherently provides a redundant connectivity architecture. For datacenter connectivity, the overlay network (IPsec tunnel) delivers an alternative path for critical applications that would normally traverse the MPLS. Likewise, the private WAN continues to provide a path to the internet, but that path is now superseded by the DIA connection. Because DIA traffic no longer passes through the datacenter's security stack, the branch edge must apply that inspection itself, which is why the SD-WAN edge in this design is also the branch firewall.
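To make the executive summary concrete, the following FortiOS 7.2 CLI fragment is an added illustration; it is not configuration taken from this document or from Fortinet's Deployment Guide. It assumes a branch FortiGate with port1 on the broadband circuit (DIA), port2 on the MPLS circuit, and an IPsec tunnel interface named HUB1-VPN1 to the datacenter hub built over the broadband transport. All interface names, zone names, address objects (Branch-LAN, DC-Subnets), the health-check targets, and the IP addresses (RFC 5737 documentation ranges) are assumptions. It expresses the three points made above: critical datacenter traffic prefers the IPsec overlay and falls back to MPLS when the overlay misses its SLA, internet-bound traffic leaves via DIA first with MPLS as the last resort, and the DIA firewall policy carries the inspection that the datacenter used to provide.

```fortios
# Added example, not from the Fortinet document. Names and addresses are assumptions.
# port1 = broadband (DIA), port2 = MPLS, HUB1-VPN1 = IPsec overlay to the datacenter.
config system sdwan
    set status enable
    config zone
        edit "underlay"
        next
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "underlay"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port2"
            set zone "underlay"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "HUB1-VPN1"
            set zone "overlay"
            set source 10.10.1.1
        next
    end
    config health-check
        # Probe a datacenter host through the overlay; SLA 1 defines "good enough".
        edit "HUB"
            set server "10.200.0.1"
            set members 3
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
        # Probe internet reachability on both underlay circuits.
        edit "Internet"
            set server "1.1.1.1"
            set members 1 2
        next
    end
    config service
        # Critical apps to the datacenter: overlay while it meets SLA 1, else MPLS.
        edit 1
            set name "Critical-to-DC"
            set mode sla
            set src "Branch-LAN"
            set dst "DC-Subnets"
            config sla
                edit "HUB"
                    set id 1
                next
            end
            set priority-members 3 2
        next
        # Everything else to the internet: DIA first, MPLS only as a last resort.
        edit 2
            set name "DIA-Internet"
            set mode priority
            set src "Branch-LAN"
            set dst "all"
            set health-check "Internet"
            set priority-members 1 2
        next
    end
end

# The DIA path bypasses the datacenter security stack, so the branch policy that
# admits LAN traffic to the underlay zone must carry the inspection profiles itself.
config firewall policy
    edit 1
        set name "LAN-to-Internet-DIA"
        set srcintf "lan"
        set dstintf "underlay"
        set srcaddr "Branch-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
```

After applying a fragment like this, `diagnose sys sdwan health-check` shows the measured latency, jitter and loss per member against the SLA, and `diagnose sys sdwan service` shows which member each rule is currently steering to, which is how you confirm that a degraded overlay actually moves critical traffic back onto MPLS rather than black-holing it.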
