ESG Validation

ESG Lab Validation: SD-WAN Integration with Amazon Web Services - A Buyer's Guide

Co-Author(s): Alex Arcilla


The goal of this buyer’s guide is to educate customers on the capabilities of nine SD-WAN vendors working with Amazon Web Services (AWS). In the guide, ESG describes each vendor’s solution and highlights the business value it can deliver to customers via its integration with AWS. Readers should use this guide as a starting point when investigating how they can leverage the combination of AWS and SD-WAN solutions for business advantage.


Software-defined wide-area networking (SD-WAN) is built on the same principles as software-defined networking (SDN): It abstracts the wide-area network to a set of capabilities that is independent of how those capabilities are provided. SD-WAN connects organizations’ data centers, branch offices, and cloud environments. As a network architecture, SD-WAN disaggregates the control of the network from the data flow while simultaneously aggregating multiple physical and/or virtual devices into a single logical network. The control plane should be agile to enable dynamic adjustment of network-wide traffic flows to meet changing needs, and all devices should be centrally manageable.

The SD-WAN solutions offered by various vendors provide some combination of WAN functions. First, they may offer virtual overlay networks, which aggregate an organization’s disparate networks—including classic multiprotocol label switching (MPLS) networks, carrier Ethernet, T3, and public Internet—into a single logical network. Another SD-WAN function is path selection to route packets properly when using multiple connections to a branch office. SD-WAN solutions may also offer simultaneous load balancing and cost optimization of the data transport, and service insertions such as firewalls, VPNs, load balancers, or other services relevant to branch offices or cloud environments. Finally, they often supply the network automation to make it all work together.

Cloud computing has become a transformative force in the IT world. ESG research conducted earlier this year on cloud computing reported that 78% of the 641 respondents are actively using public cloud services for varying combinations of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS).[1] In another survey, ESG asked respondents to identify the ways public cloud computing services have affected their organization’s networking strategy, and the most reported impact, selected by 38% of respondents, was that organizations have integrated data center and WAN links to create a seamless network that connects on-premises and off-premises resources.[2]

Given that most organizations using cloud services still have on-premises resources, it makes sense that organizations would strive to ensure ubiquitous connectivity and create a seamless experience for employees and customers. As a result, many organizations are considering SD-WAN to help consolidate their networking visibility and management of cloud and on-premises usage. In fact, when organizations were asked to identify the most compelling reasons to adopt or consider SD-WAN, simplified management, automation, and increasing public cloud utilization, along with centralized control/configuration, and management/monitoring, were all among the top ten most-cited responses.[3]

One of the choices in the move toward deploying solutions “as-a-service” is how something as fundamental as network services will be delivered. Unlike software, it’s obvious that some equipment is necessary at all locations, but with virtual customer premises equipment (vCPE), it’s possible to have much of the intelligence pushed out to the central office or to the cloud as virtualized services.

SD-WAN is one of the areas where the two worlds of on-premises and cloud intersect, as the ability to run network services in the cloud enables an end-to-end solution where a variety of services are offered to SD-WAN customers. Many of these network services, such as load balancers, application delivery controllers, or firewalls, are already offered by either cloud service providers or as virtual network functions from network or security vendors.

Testing Methodology

ESG and AWS created a test plan in two sections: a questionnaire to assess SD-WAN features and capabilities,[4] and test scenarios for assessing SD-WAN tunnel performance (throughput) and availability (failover and convergence time between SD-WAN instances). Nine SD-WAN vendors agreed to assess their solution’s capabilities and levels of integration with AWS. ESG met with each vendor independently, conducted interviews, and investigated test scenarios onsite at each vendor’s facility.

AWS provided cloud resources for the test environment for each vendor, while the SD-WAN vendors provided software licenses and facilities (e.g., broadband connections and devices). Vendors could choose not to answer specific questions or conduct certain tests; in those cases, participation was at AWS’s discretion.

Test Scenarios:

  • Demonstrate the ease of implementation and installation of Amazon Machine Images (AMIs) and virtual private network (VPN) creation. This is important to reduce the amount of time it takes to procure and then configure SD-WAN solutions for AWS customers.
  • Demonstrate support for multiple Availability Zones (AZs). This is important because it is a best practice for all customer deployments to be multi-AZ, which implies that SD-WAN products will support multi-AZ deployment.
  • Demonstrate that the solution supports a high-availability deployment on AWS. Measure failover/convergence times for traffic between customer premises and AWS as well as for traffic between instances inside AWS. This is important because network availability is both business- and mission-critical in modern environments with highly distributed resources and workforces.
  • Demonstrate the performance throughput of the solution. This is important because consistently high-performance networks are essential for modern enterprise computing. Every aspect of business is impacted by network health and functionality, as employees and customers access data and applications from multiple locations, on multiple devices.
  • Demonstrate the management, visibility, and monitoring capabilities of the system, including statistics, monitoring, and AWS visibility (Amazon Virtual Private Cloud [VPC], subnet, Amazon CloudWatch metrics, and flow logs). This is important because today’s dynamic IT environments demand the ability to quickly and easily monitor and manage services to meet the demands of the business. Organizations need flexible, easy-to-use tools that enable efficient monitoring and management of cloud environments with minimal effort.

For the test scenarios, ESG Lab stresses that any performance and failover time measurements should not be used as a sole basis for comparison. Although ESG and AWS defined the testing topology and scenarios, test conditions and instance types differed, which led to different results across all SD-WAN vendors for the same test. For example, when measuring throughput between on-premises instances and instances in Amazon VPCs in different regions, other traffic present on the vendor’s Internet connection, which is not under the vendor’s control, can affect the result.

ESG Lab did note some consistent responses across all vendors, including:

  • All SD-WAN vendors support some type of bootstrapping. Differences emerged in the type of files or processes used by each vendor.
  • All SD-WAN vendors supported encryption over all supported link types.
  • All SD-WAN vendors supported AES 256 as their default encryption mode.
  • All SD-WAN vendors performed some level of traffic throttling or shaping via QoS metrics.
  • All SD-WAN vendors supported IAM roles to secure access to the solution’s controller/orchestrator. Some vendors also supported access keys.

Vendors were given the option to generate traffic using iPerf (for Linux), NTttcp (for Windows), or a dedicated traffic generation tool (such as Ixia) to generate test traffic and measure connection throughput and availability. The test traffic originated from testing instances located behind the Amazon VPC and SD-WAN instances. ESG allowed each vendor to choose packet size and number of streams generated by the testing instances and reported those parameters for each vendor.

The test topology shown in Figure 2 was used as the template for each vendor’s test environment. This topology was designed to enable assessment of the performance and availability of connections between on-premises and cloud SD-WAN instances and between AWS Regions. While ESG suggested a set of instance types[5] to be used for testing, not all SD-WAN vendors supported those specific instances. ESG noted the specific instance used during each test. In almost all cases, the vendor deployed an SD-WAN instance or device in their lab, which represented a branch office. Each vendor set up a tunnel between the “branch” and SD-WAN instances deployed in two Amazon VPCs deployed on AWS US-East and US-West Regions. These connections represented a typical SD-WAN customer network—a mix of broadband Internet, mobile Internet, and private MPLS connections between on-premises and cloud environments.

Within both regions, the vendors created redundant instances. The vendors placed the primary and redundant instances in different AZs within the US-East and US-West Regions. The vendors connected both the primary and redundant instances of each region to each other in a full mesh and connected the redundant instances in the US-East Region to a virtual private gateway on AWS.

The following sections discuss the highlights of ESG Lab’s onsite testing with nine SD-WAN vendors. The goal of each vendor summary is to highlight the solution and the unique problems it focuses on solving, and to describe its integration with AWS. If a “yes” response to a specific question appears in multiple vendor profiles, it does not necessarily mean that all of the vendors have implemented the capability or feature in the same way. A “yes” response only indicates that the capability exists.

Aviatrix Cloud Interconnect for AWS

Aviatrix Cloud Interconnect is a cloud-native SD-WAN solution designed to enable customers to connect all sites within their enterprises—data centers, Amazon VPCs, and branches. By focusing on automation and integration using APIs created on AWS, Aviatrix enables use of simple workflows to leverage its SD-WAN capabilities. The solution enables all enterprise sites to be interconnected via encrypted IPSec tunnels, either in a mesh or hub-and-spoke topology. It abstracts routing information about sites to be connected and designs the peering relationships between each site pair. Also, customers can use Cloud Interconnect to connect remote users via VPN tunnels to the desired Amazon VPCs under management using the Aviatrix Cloud Controller (ACC). Organizations that rely on cloud service providers (CSPs) to build out IT infrastructure or those considering hybrid infrastructure environments may benefit most from this solution.

The two components of this solution consist of the ACC and the Aviatrix Gateway (AGW). Once the Controller is deployed in an Amazon VPC with a public subnet, the user deploys the AGWs via the Controller. These AGWs go into the enterprise site and Amazon VPCs that the user wants to interconnect. Once these locations are visible in the Controller, the user clicks on a checkbox next to the locations that are to be connected via tunnels. For high-availability purposes, the user can create redundant tunnels from a site’s AGW to a pair of AGWs deployed on AWS.

To connect remote workers, the user adds their profiles to an AGW while the workers install client software. After the profiles are verified via security certificates, the user connects the workers via the Controller to the AGW. These connections are VPN tunnels. The Controller’s dashboard enables the customer to manage its Amazon VPCs, their subnets, and the traffic flow. Additionally, the Controller allows the user to collect data regarding packets in/out of Amazon VPCs and inspect Amazon VPC configuration. Figure 3 highlights Aviatrix Cloud Interconnect components and how they integrate with AWS.

ESG Lab Highlights

ESG validated how Cloud Interconnect integrates with AWS and explored additional capabilities. Features include:

  • Aviatrix delivers its SD-WAN solution via virtual appliance or as an AMI on AWS; no hardware appliances are required.
  • Cloud Interconnect supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower central processing unit (CPU) utilization. Thus, the SD-WAN instance can deliver higher throughput, decreasing latencies between SR-IOV-enabled instances. Aviatrix supports SR-IOV on allowable C3 and C4 instances within the list of allowable Aviatrix instances on AWS Marketplace.
  • Aviatrix Cloud Interconnect supports numerous T2, M3, C3, and C4 instances to ensure a range of cost options. Organizations can use a larger instance with more interfaces and support for many network services (e.g., firewall, management, and demilitarized zone [DMZ]) should they require it.
  • Using iPerf3, ESG measured link performance between instances deployed in two Amazon VPCs located in the US-East and US-West Regions. We measured traffic over the link using a single c4.large instance as the gateway and c4.8xlarge for a Linux client. The client instances ran 20 streams of AES 256-encrypted traffic to simulate multiple machines within each Amazon VPC using the iPerf default maximum segment size (MSS) of 1,460 bytes. ESG Lab observed that the throughput over the tunnel between the instances measured between 650 and 800 Mb/sec in each direction for the duration of the test, with a bidirectional aggregate averaging between 1.2 and 1.5 Gb/sec.
  • Cloud Interconnect supports instance high-availability deployments via route shifting. ESG conducted a high-availability test to observe failover time between gateways within an Amazon VPC. Using the same c4.large instances, we created backups for each gateway with the Amazon VPCs in US-East and US-West. We manually stopped the primary gateway in one region to test how long the traffic would stop before being picked up by the backup gateway; in our tests, the failover time was less than 3 seconds.
  • Cloud Interconnect can interoperate with the virtual private gateway on AWS as well as third-party edge routers. This offers customers the flexibility to integrate existing network services.
  • Cloud Interconnect provides an operations dashboard to centrally visualize all Amazon VPCs, their subnets, and the traffic flow. Aviatrix Cloud Interconnect provides a unified system to capture packets in/out of Amazon VPCs, to inspect VPC configuration, to run utilities such as traceroute, and to collect the software logs for analysis.

Why This Matters

Creating a hybrid infrastructure environment using traditional networking presents numerous challenges. IT/network professionals must manage multiple IP addresses of an organization’s sites—offices, data centers, cloud platforms, etc.—to construct a highly available mesh network. Individually monitoring and managing these sites drives up costs.

ESG Lab confirmed that Aviatrix Cloud Interconnect enables its customers to create and manage a hybrid infrastructure environment that integrates with AWS by abstracting IP addresses, automating connections, and providing complete visibility into the network with a single management interface.

Aviatrix Cloud Interconnect Marketplace Listing on AWS Marketplace

Direct sales contact: +1.844.262.3100 INFO@AVIATRIX.COM

Barracuda NextGen Firewall F-Series (NGF)

The Barracuda NextGen Firewall F-Series combines its application-aware security with SD-WAN features, specifically dynamic WAN link selection based on application and/or traffic policies. In addition to its firewall and WAN optimization features, Barracuda uses a proprietary IPSec protocol called Transport Independent Network Architecture (TINA) to set up tunnels between WAN sites. According to the company, TINA offers benefits over standard IPSec such as WAN optimization, transport load balancing, and connection failover. The Barracuda solution is well suited for organizations with many locations that share similar network policies and are looking to offload part of their network traffic onto the cloud.

The two components of this SD-WAN solution are the Next Generation Firewall (NGF) and the Next Generation Control Center (NGCC). The NGCC acts as the central point of administration, management, and monitoring for all NGFs deployed within the enterprise hybrid network. Organizations can deploy the NGCC in the cloud or on-premises before deploying the NGFs in the desired Amazon VPCs; the NGCC then assists in setting up site-to-site or client-to-site tunnels. Barracuda recommends that organizations deploy the NGCC in an Amazon VPC. When an administrator wants to deploy NGFs, the NGCC will receive configuration files for the instances and establish communication. Once communication is established, the NGFs will obtain specific configurations while the NGCC establishes site-to-site or client-to-site TINA VPN tunnels. Figure 4 highlights the components of the Barracuda SD-WAN solution and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the integration of the Barracuda solution with AWS and explored additional capabilities.

  • Barracuda Networks is available on AWS Marketplace. For deployments on AWS, administrators can either deploy one instance by passing Amazon Elastic Compute Cloud (Amazon EC2) data to a provisioning shell script, or leverage Barracuda’s command line tools for NGF configuration. When deploying multiple NGFs, Barracuda offers AWS CloudFormation templates to ensure consistent NGF configuration, minimizing the chances of deployment errors.
  • The NGF is currently supported on selected T2, M3, M4, and C4 instances. This solution also supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower CPU utilization. Organizations that already have an NGF license may purchase instances based on the number of additional vCPUs (1, 2, 4, or 8).
  • For instances deployed on-premises, the NGF can support a maximum of 24 uplinks, which can be any mix of transport options including Internet broadband, mobile Internet, or AWS Direct Connect. The support for multiple links enables organizations to leverage multiple types of transport from different ISPs. Also, organizations can combine multiple links for failover, load balancing, or traffic duplication should sites require higher throughput or availability.
  • ESG Lab measured the failover time between client instances deployed in Amazon VPCs in the US-East and US-West Regions. To ensure high availability, Barracuda deploys two NGF instances in the same Amazon VPC but different AZs, and establishes a tunnel between the NGFs to create a cluster with NGFs in active/standby mode. Using m3.xlarge instances for the NGF, we used iPerf3 to generate traffic from the US-West client to the US-East client, and then forced a reboot of the US-East NGF to initiate a failover. ESG Lab observed that the maximum failover time was approximately 3 seconds. Barracuda noted that failover time is typically three seconds but can be as much as 10, primarily due to route shifting.
  • ESG Lab also measured the throughput of connections between two NGFs on AWS using iPerf3. We deployed two c4.2xlarge instances in two different Amazon VPCs within one region. We set up two unencrypted tunnels between the NGFs and generated traffic between them using iPerf with the default MSS of 1,460 bytes. Aggregate throughput between the NGFs was approximately 1.8 Gb/sec unidirectionally. We also observed that the NGF split the traffic evenly between the two tunnels, each running approximately 960-970 Mb/sec.
  • ESG Lab also reviewed the NGCC console to examine the options for setting rules and policies. Administrators first set transport policies to optimize for throughput or latency, and can then set both the firewall and application rules to further define how certain traffic is treated. The console also integrates well with the AWS GUI, including showing the route tables for the NGF instances. The NGCC will also monitor packet loss, latency, and throughput continuously and can initiate failover based on user preference. Administrators can also view Amazon CloudWatch logs as well as standard and custom metrics that are integrated into the NGCC console.

Why This Matters

Ensuring security using a variety of methods is extremely important as threats continue to increase. As enterprises implement SD-WAN, they must continually manage connections to maximize availability and performance without sacrificing network security. The issue becomes more intense when extending the enterprise network into the cloud.

ESG Lab confirmed that the Barracuda Networks NGF extends its firewall capabilities to provide a secure SD-WAN solution that integrates with AWS. We observed well-integrated SD-WAN functionality, providing organizations with numerous options to set rules and policies that can secure their SD-WANs from transport, firewall, and application perspectives.

Barracuda NextGen Firewall Marketplace Listing on AWS Marketplace

Direct sales contact: 877 372 2804 or

Cisco SD-WAN Solution

The Cisco SD-WAN Solution (acquired from Viptela) focuses on providing organizations with a streamlined workflow to connect with deployed applications on AWS. The solution consists of three components: the vEdge Router, vSmart Controller, and vManage Network Management System (NMS).

Organizations deploy the vEdge Router in a software or hardware form factor at their enterprise sites—branches, remote sites, and data centers. The vEdge router connects branches and application VPCs via a gateway VPC, a private VPC containing a pair of vEdge cloud instances. The gateway VPC enables the administrator to easily scale up the VPC environment, since this approach reduces the number of point-to-point tunnels between enterprise sites and host VPCs. Not only is WAN management simplified, but cloud-related costs and deployment time can decrease.

This gateway VPC can be used as a regional point of access, offering organizations two key benefits. First, this supports workload segmentation, especially when an enterprise deploys application VPCs across multiple regions. This can improve the ability to manage and monitor the AWS environment. Second, organizations can leverage the access point to contain potential security breaches, directing customer traffic via the gateway VPC away from the threat.

The vManage NMS helps customers orchestrate the WAN sites and Amazon VPCs so that connectivity is quick and easy to establish. Also, vManage provides full lifecycle management and network-wide visibility into the customer’s SD-WAN. The Cisco SD-WAN Solution can particularly help enterprises whose application developers and DevOps engineers want to spin up and tear down development environments in the AWS Cloud easily.

To ensure cloud application performance, the Cisco SD-WAN Solution offers application-aware routing. This feature will choose the best path for delivering application packets over the available network transports. Organizations can benefit by setting up the appropriate environment to meet application service level agreements (SLAs). Figure 5 highlights the components of the Cisco SD-WAN Solution and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the Cisco SD-WAN Solution’s integration with AWS and explored additional capabilities. Features include:

  • For the gateway VPC, organizations can use c4.large, c4.xlarge and c4.2xlarge, c3.large, c3.xlarge, and c3.2xlarge instances, choosing the instance size during the workflow to deploy the solution. They purchase vEdge Routers through AWS Marketplace. Depending on the region in which customers deploy vEdge Routers, various instances can be supported (e.g., M3 and M4, and C3 and C4).
  • Currently, the Cisco SD-WAN Solution does not support Elastic Network Adapter or single root I/O virtualization (SR-IOV), which would allow higher I/O performance on network interfaces with lower CPU utilization.
  • The Cisco SD-WAN Solution supports API keys that can be associated with roles. Cisco uses this approach to provide secure access whether the controller is deployed in the cloud or on-premises at a customer site.
  • ESG Lab measured link performance between instances deployed in two Amazon VPCs. Cisco simulated bidirectional traffic by leveraging instances in three gateway VPCs, two in the US-East Region and one in the US-West Region. Each gateway VPC contained a pair of vEdge cloud instances deployed on c4.4xlarge instances. Cisco deployed Ubuntu virtual machines behind each of the gateway VPCs and measured bidirectional traffic on one Ubuntu server in US-East. Using iPerf3, we generated 10 traffic streams from this server to another server behind the second gateway VPC in US-East using the default iPerf MSS of 1,460 bytes. Simultaneously, we generated 10 traffic streams from the Ubuntu server in US-West to the server from which traffic was generated. After running the test for five minutes, we achieved a maximum total throughput of 500 Mb/sec. Cisco noted that they have achieved higher throughput in internal testing and connection segments that run over the Internet can present a bottleneck.
  • ESG Lab also observed failover times between gateways deployed within the gateway VPC. We initiated traffic via iPerf3 from the on-premises instance to one gateway deployed in the second US-East Amazon VPC. We then shut down the gateway to initiate failover. Failover time was approximately nine seconds.
  • vManage will monitor tunnel conditions—packet loss, latency, link flapping, BGP/neighbor changes, and black-holed traffic—and initiate failover when customer-defined conditions are met. Organizations can also set thresholds on a per-application basis to trigger failover. Cisco stated that vManage will also allow IT administrators to monitor application utilization from the network across an organization’s hybrid WAN.
  • Currently, the Cisco SD-WAN Solution does not support AWS Auto Scaling, Elastic Load Balancing, or transit VPC on AWS. The solution offers alternative native approaches to provide these types of functionality.

Why This Matters

Scaling out an AWS environment to extend your WAN can create manageability, cost, workload segmentation, and security challenges. Supporting multiple point-to-point tunnels between enterprise sites and Amazon VPCs can prevent application developers and DevOps from fully taking advantage of AWS.

ESG Lab confirmed that the Cisco SD-WAN Solution allows an enterprise to leverage Amazon VPCs in multiple regions via its gateway VPC implementation. Organizations can map multiple host VPCs to a gateway VPC, then leverage the gateway VPC to set up connections between the enterprise sites and the host VPCs. Using the gateway VPC allows the organization to scale up the number of host VPCs as needed while segmenting and isolating workloads for easier management, application quality monitoring, and security.

Cisco SD-WAN Listing on AWS Marketplace

Direct sales contact:

Citrix NetScaler SD-WAN

The Citrix NetScaler SD-WAN solution focuses on maximizing application performance and availability over software-defined links between an enterprise data center and/or cloud provider and branches within the enterprise WAN. The solution integrates edge routing, firewall capability, and WAN optimization that enable secure and optimized application delivery over the available links in the enterprise’s network infrastructure. The NetScaler SD-WAN is well suited for medium and large enterprises that are managing enterprise-wide application deployments.

Citrix leverages two key features to optimize application performance. Intelligent path selection allows NetScaler SD-WAN to choose the best path to transmit individual application packets in real time. Unlike other SD-WAN solutions, all available connections out of the branch offices (e.g., MPLS, Internet, wireless, and Direct Connect) are active. Because NetScaler monitors the health of all links bidirectionally, it can use any link at any given time to send application packets. Should business needs require, traffic need not be sent and received on the same link. Depending on the application, NetScaler also maintains application packet sequence to enable consistent performance, specifically for voice and video.

The NetScaler SD-WAN also allows QoS policies to be defined on a per-application-packet basis. IT can define these policies for applications and their components (e.g., individual applications such as Word and Excel in the Office 365 Suite) using predefined priorities or application classes. Additionally, IT can specify when individual packets of an application are sent over multiple WAN links simultaneously, duplicated and transmitted over two different links, or simply sent over one path consistently. NetScaler enables IT to define QoS policies for more than 4,000 applications to date. Figure 6 highlights the components of the NetScaler solution and how they integrate into AWS.

ESG Lab Highlights

ESG validated NetScaler’s integration with AWS and explored additional capabilities. We learned the following:

  • Citrix currently offers two options on AWS Marketplace—the Standard Edition that includes SD-WAN, edge routing and firewall capabilities, and the WAN Optimization Edition.
  • ESG Lab observed the deployment of a NetScaler SD-WAN instance on AWS using the Single Click Deployment feature within the SD-WAN Center console, Citrix’s cloud-based console for WAN configuration, management, troubleshooting, and analytics. We clicked the Enable button to begin the process, chose the instance’s region and entered both an SSH key and trusted role before deploying the instance. Spinning up an SD-WAN instance took approximately 15 minutes. Alternatively, a customer can use the Configuration Editor in SD-WAN Center to set up multiple instances within the WAN by using either a template and applying it to multiple physical locations or the NetScaler cloning feature. Both approaches reduce the chances of error and can speed up deployment.
  • NetScaler SD-WAN supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower CPU utilization. Latencies decrease between SR-IOV-enabled instances. NetScaler supports SR-IOV on allowable M4 and C4 instance types.
  • NetScaler SD-WAN allows upload and download throughput to be asymmetrical on a single link. A customer can apply this when wanting to limit specific traffic to a single physical connection as well as the upload and download speeds. NetScaler SD-WAN also enables higher throughput via link bonding for a single application flow.
  • Using iPerf3 and the default iPerf MSS of 1,460 bytes, ESG Lab verified that the one-way throughput of a link between SD-WAN instances deployed in the US-East and US-West AZs using m4.4xlarge instances is approximately 850-950 Gb/sec. ESG Lab observed this throughput in both directions between the AZs. We measured that the default instance type for NetScaler SD-WAN, m4.2xlarge, sustained throughput of approximately 850 Mb/sec. For the m4.4xlarge instance, Citrix stated that it can achieve a maximum throughput of 1 Gb/sec in one direction, with a total maximum throughput of 2 Gb/sec.
  • ESG Lab measured the failover time between redundant instances in the same region at approximately 11-13 seconds. While the redundant links in a single instance are active/active, the instances are active/standby and the interfaces must move. Citrix explained that AWS requires time to move the link interfaces to the standby instance in a different region. Otherwise, the failover would only require a few hundred milliseconds for instances or appliances deployed at the same location.
  • ESG Lab observed that the SD-WAN Center collects extensive statistics for a wide variety of categories including applications, tunnels, WAN links, and MPLS queues. The console can also create graphs over a select time interval. It also allows the user to play back with DVR-like capability how the statistics increased or decreased over time to improve troubleshooting. The SD-WAN Center also compiles basic Amazon CloudWatch metrics, such as bandwidth in and out, network in and out, and CPU load of the SD-WAN instance. Citrix also states that the SD-WAN Center can collect performance statistics on XenApp/XenDesktop applications.
  • Today, Citrix offers a workaround for transit VPC on AWS, using routing domains and network address translation (NAT) features.

Why This Matters

Enabling consistent application performance is critical when an enterprise deploys applications across multiple locations in the enterprise WAN. Ultimately, ensuring such consistency supports business continuity and user productivity. When an enterprise leverages AWS as its underlying IT infrastructure, this consistency becomes paramount to maintain.

ESG Lab confirmed that Citrix NetScaler SD-WAN provides integration into AWS and enables organizations to connect branches (e.g., remote offices and retail outlets) to the AWS Cloud, while maintaining consistent performance for multiple applications using virtual WAN links leveraging diverse network connections.

Citrix NetScaler Marketplace Listing on AWS Marketplace

Direct sales contact: 1 866 NETSCALER or

CloudGenix Instant-On Network (ION)

The CloudGenix Instant-On Network (ION) is an SD-WAN solution for connecting enterprise branches and remote sites to data centers and public infrastructure-as-a-service (IaaS) providers. ION focuses on application-centric forwarding, which is different from other solutions that use deep packet inspection (DPI) to route unencrypted application packets individually at each network juncture. Instead, ION will create encrypted traffic “sessions” between endpoints (e.g., application origination and termination points) based on business rules or service level agreements (SLAs) defined by the customer. ION sees these traffic flows as applications and sub-applications (e.g., Office365 with Word, Excel, PowerPoint, etc.). With ION, application packet forwarding is based on business needs, not primarily network policies using traditional routing protocols. ION particularly benefits enterprises that focus on SD-WAN application quality of service (QoS) and security in mixed deployments of on-premises, cloud-based, and SaaS applications.

The solution consists of a Central Controller and ION Elements. The Controller is the central point for ION Element control and management; organizations deploy ION Elements at branches, data centers, and Amazon VPCs. Organizations leverage the Controller to set application QoS and security policies and to access real-time analytics and reporting. ION Elements forward packets on any WAN link based on policies defined by business rules and SLAs. ION accomplishes this by ensuring that all links originating from any branch operate in active/active mode.

The deployed ION Elements create the ION Fabric, the network overlay that abstracts the underlying physical WAN links. All traffic flowing across the fabric is encrypted with AES 256. Customers can create virtual fabrics that internal organizations use to define specific business rules and policies, with additional policy granularity to accommodate specific needs (such as regional physical connectivity options). Figure 7 highlights the components of ION and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the integration of ION with AWS and explored additional capabilities. Features include:

  • The ION solution is not yet available on AWS Marketplace (it has been submitted for AWS approval). Organizations install the Controller either as a virtual machine (VM) in the local enterprise network, on an x86 server in the data center, or in the cloud. The server will run the ION Element software as a VM deployed at branches, headquarters, co-locations, and cloud providers.
  • Deploying ION Elements via an EC2 instance requires taking user data in config.ini, JSON, or YAML format, then manually configuring a secure process that reveals the location of the Central Controller with which ION Element instances can register. ION Element instances will only forward traffic once a device has been claimed as part of the WAN.
  • ION supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower CPU utilization, decreasing latencies between SR-IOV-enabled instances. CloudGenix supports SR-IOV on m4 instances 2xl and above. CloudGenix states that ENA Driver support, which will support higher I/O performance than SR-IOV, is planned for a December 2017 release.
  • This solution does not support VPC-to-VPC connectivity (e.g., Transit VPC). ION views the Amazon VPC as another data center to which branches can connect. One use case for the transit VPC is the management of overlapping IP addresses. ION does address this issue at the branch level, if unique IP addresses are available for Network Address Translation (NAT).
  • ION instances only support role-based access and do not support access keys. CloudGenix chose this because the company believes that this is the more secure way to access ION.
  • Rather than use AWS CloudFormation templates, CloudGenix leverages Ansible scripts that can help organizations deploy multiple ION elements and minimize configuration error.
  • In addition to leveraging any available link to forward application packets (as defined by policy), ION Elements will forward traffic even if the Controller fails. CloudGenix accomplishes this by separating control plane and data plane traffic. ION Elements forward traffic using the latest policies that the Controller deployed before it went offline.
  • Using iPerf3, ESG measured link performance between instances deployed in two Amazon VPCs located in the US-East and US-West Regions. We measured traffic over the link using m4.2xlarge instances as the ION elements. We ran 20 streams of AES 256-encrypted traffic to simulate multiple machines within each Amazon VPC using the iPerf default MSS of 1,460 bytes. ESG Lab observed that the throughput over the tunnel between the instances measured between 500 and 750 Mb/sec for the duration of the test.
  • ESG performed failover testing between ION elements deployed in two AZs. An ION element was deployed in the US-West VPC. Using iPerf3, we generated traffic from the branch ION element (i.e., CloudGenix headquarters) to the ION element deployed in one AZ within the US-West VPC. We then failed that Amazon VPC instance, and the failover time to the redundant ION element in another AZ in the US-West VPC was almost instantaneous.
  • The ION solution is cloud-managed, and AWS collects and stores all data that CloudGenix uses to calculate metrics and statistics pertaining to the customer’s SD-WAN. CloudGenix provides a portal for monitoring and managing traffic flows and sessions on link, application, and instance levels. The portal also generates analytics from multiple perspectives, such as application, media (voice, video), link quality (per AZ and bidirectionally), and traffic flow. The granular monitoring can help customers reduce troubleshooting times.

Why This Matters

As enterprises increasingly use both on-premises and cloud-based and/or SaaS applications, allowing reliable application delivery to their branches becomes critical. It no longer makes sense to rely on routing protocols to direct traffic on a packet-by-packet basis. By treating application packets on an end-to-end traffic flow basis, organizations can direct application traffic using business rules and policies, instead of using standard routing protocols that do not account for business priorities.

ESG Lab confirmed the CloudGenix ION solution allows an organization to integrate its SD-WAN with AWS while monitoring and managing applications on an end-to-end traffic flow basis, leveraging all available links at the branch level for reliable application delivery.

AWS Marketplace Homepage

Direct sales contact: 1.844.800.CGNX (1.844.800.2469)

Nuage Networks Virtualized Service Platform (VSP)

The Nuage Networks Virtualized Service Platform (VSP) is an SD-WAN solution that helps organizations apply traffic and service policies consistently across a wide-area network (WAN) spanning on-premises locations and the cloud. Along with setting up virtual paths between sites regardless of the underlying transport, VSP focuses on deploying business-level policies based on network tiers to decrease configuration errors and speed time to deployment. Organizations that would derive value from this solution include multinational service providers that manage many customers, and large enterprises with numerous sites that share similar policies.

In addition to dynamic path selection, the Nuage Networks solution helps organizations leverage SD-WAN with its approach to setting business rules for network traffic. The VSP steers away from applying traffic rules at a network element level (e.g., ports, IP addresses, or virtual local area networks [VLANs]). Instead, the VSP enables administrators to apply policies according to three tiers: domain, zone, and subnet. The domain defines the overall policy and rules that are to be applied to any traffic it forwards. The zones exist underneath the domain and correspond to the WAN sites. Subnets exist underneath zones and correspond to services such as voice, data, video, and guest wireless access. While the policies of the highest tier apply to zones and subnets by default, administrators can modify policies of each zone or subnet individually. This method enables consistency in policy assignment, decreasing configuration errors. It also helps to decrease time for deploying and modifying policies, enabling administrators to quickly respond to business needs.

The Nuage Networks VSP consists of three components: the Virtualized Services Directory (VSD), the Virtualized Services Controller (VSC), and the Network Services Gateway (NSG). The VSD is a programmable policy and analytics engine, providing a flexible and hierarchical network policy framework that allows IT administrators to define and enforce resource policies. The NSG forwards traffic according to traffic policies set using the VSD. Any site in which an administrator deploys an NSG is considered a branch, regardless of whether the site is an office, data center, or Amazon VPC. The VSC abstracts route tables of the NSGs to define the allowable paths between them, leveraging OpenFlow, a communications protocol used with software-defined networking (SDN).

Figure 8 highlights the components of the Nuage Networks SD-WAN solution and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the integration of the Nuage Networks solution with AWS and explored additional capabilities. Features include:

  • Nuage Networks currently delivers its solution both physically and virtually. However, all NSGs are configured and deployed via private AMI. For sites that have little IT support, Nuage Networks recommends deploying a physical NSG, while administrators can configure and connect it to the WAN remotely.
  • The NSG can be deployed on select C4, M4, P2, I2, and R3 instances. The default instance for the NSG is m4.xlarge.
  • Nuage Networks declined to submit performance or HA test results for this report.
  • The VSP supports three levels of bootstrapping to accommodate NSG deployments. For NSG instances that are brought up using USB, CD-ROM, or YAML script, the VSP employs zero-factor bootstrapping. The VSP also supports one-factor (email authentication) and two-factor (email and SMS authentication) bootstrapping, specifically for on-premises devices.
  • ESG Lab examined how administrators can set NSG policies. The console displays the WAN as a block diagram, showing how domains, zones, and subnets are related. We observed how individual zone- and subnet-level policies can be overridden by the domain policy. The administrator can also set policy between specific endpoints within the block diagram to define or modify granular traffic or service policies as business needs dictate, without having to reconfigure each device individually.

Why This Matters

Organizations that leverage SD-WAN solutions need easy workflows for defining traffic policies according to business requirements. This is especially critical when deploying multiple SD-WAN instances so that configuration errors are minimized. Solutions that offer easy and consistent configuration will help to minimize errors and ensure business continuity.

ESG Lab confirmed that Nuage Networks VSP allows organizations to apply business-level policies to network traffic as they integrate their SD-WAN solution into AWS. By viewing the WAN in a domain-zone-subnet construct, administrators can apply global policies at the domain level, then modify them at the zone and subnet levels as business needs dictate.

AWS Marketplace Homepage

Direct sales contact: 650-623-3444

Riverbed SteelConnect

Riverbed developed the SteelConnect SD-WAN solution to help customers enable “application-aware” networking. In addition to SD-WAN functionality, Riverbed has integrated functionalities of its other products, specifically WAN optimization and application performance monitoring, into SteelConnect. The SteelConnect Gateway can assist enterprises with many domestic and/or international sites that seek SD-WAN solutions with proven features for optimizing application delivery and performance.

The main components of this SD-WAN solution include SteelConnect Manager, SteelConnect Gateway, and SteelConnect LAN Switches and Access Points (optional). The SteelConnect Manager acts as the central point of provisioning, deployment, monitoring, and control for the hybrid WAN, and works with the Gateway to provide connectivity between branches and Amazon VPCs. Administrators can deploy the switches and access points in branches and remote sites.

Deploying Riverbed SteelConnect SD-WAN instances in Amazon VPCs should not disrupt existing deployments on AWS. So that customers do not risk making configuration or deployment mistakes when deploying an SD-WAN instance into an Amazon VPC, they deploy a SteelConnect Gateway via its “SteelConnect Stack.”

Before deploying the stack, organizations input information about branch offices and Amazon VPCs into the Manager. Once the Manager learns the route tables associated with the Amazon VPCs to be connected to the WAN, it locates a “free” network within an AZ of an Amazon VPC, then splits the network into two subnets. The Manager then deploys a Gateway with one subnet facing the branch offices and the other subnet facing the organization’s VPC. The Manager will assign an elastic IP address to the branch-facing subnet and an elastic network interface (ENI) to the Amazon VPC-facing subnet. The two subnets and the Gateway are collectively called the “SteelConnect Stack.” The Manager will work with the SteelConnect Stack acting as the intermediary to dynamically route traffic, using application-level policies and traffic path rules, between the enterprise and the Amazon VPCs.
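The placement step described above, sketched as an added example (this is not Riverbed's code): given a VPC CIDR and the address ranges already in use, find a free block and split it into a branch-facing and a VPC-facing subnet. The function names, the default /27 block size, and the sample CIDRs are assumptions made for illustration.

```python
"""Added illustration: find a free block in a VPC and split it into two subnets.

Not Riverbed code. Names, the /27 default and the sample CIDRs are assumptions.
"""
import ipaddress
from typing import Iterable, NamedTuple, Optional

# AWS IPv4 subnets may be no smaller than /28, and AWS reserves five
# addresses (first four and last) in every subnet.
AWS_MAX_PREFIXLEN = 28
AWS_RESERVED_PER_SUBNET = 5


class StackPlan(NamedTuple):
    free_block: ipaddress.IPv4Network
    branch_facing: ipaddress.IPv4Network  # side that would get the elastic IP
    vpc_facing: ipaddress.IPv4Network     # side that would get the ENI


def find_free_block(vpc_cidr: str, in_use: Iterable[str],
                    prefixlen: int) -> Optional[ipaddress.IPv4Network]:
    """Return the first block of the given size that overlaps nothing in use.

    `in_use` holds existing subnet CIDRs plus any route-table destinations;
    entries outside the VPC are harmless because they never overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(cidr) for cidr in in_use]
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in taken):
            return candidate
    return None


def plan_stack(vpc_cidr: str, in_use: Iterable[str],
               block_prefixlen: int = 27) -> StackPlan:
    """Pick a free block and halve it into branch-facing and VPC-facing subnets."""
    # Each half is one bit longer than the block, and must still be a legal
    # AWS subnet size.
    if block_prefixlen + 1 > AWS_MAX_PREFIXLEN:
        raise ValueError(
            f"/{block_prefixlen} halves into /{block_prefixlen + 1}, "
            f"smaller than the AWS minimum subnet /{AWS_MAX_PREFIXLEN}")
    block = find_free_block(vpc_cidr, in_use, block_prefixlen)
    if block is None:
        raise LookupError(f"no free /{block_prefixlen} left in {vpc_cidr}")
    branch_facing, vpc_facing = block.subnets(prefixlen_diff=1)
    return StackPlan(block, branch_facing, vpc_facing)


def usable_addresses(subnet: ipaddress.IPv4Network) -> int:
    """Addresses left for instances and interfaces after AWS reservations."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed sample: a VPC with three subnets and one peered route.
    plan = plan_stack(
        "10.20.0.0/16",
        ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/27", "192.168.0.0/16"],
    )
    print("free block    :", plan.free_block)
    print("branch-facing :", plan.branch_facing,
          f"({usable_addresses(plan.branch_facing)} usable)")
    print("VPC-facing    :", plan.vpc_facing,
          f"({usable_addresses(plan.vpc_facing)} usable)")
```

Running the same check against the VPC's real subnet and route-table inventory before a deployment shows whether an automated placement has room to work without colliding with existing address space.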

Figure 9 highlights the components of Riverbed SteelConnect and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the integration of the Riverbed solution with AWS and explored additional capabilities. Features include:

  • The SteelConnect Gateway is available on AWS Marketplace. When deploying on AWS, a customer can deploy a Gateway using either AWS Marketplace or the SteelConnect Manager console. The Manager accepts and processes user data to create and deploy a Gateway instance via automated processes. Riverbed offers AWS CloudFormation templates to ensure that the Gateways are configured in the same way, thus minimizing the chances of deployment errors. Also, Riverbed uses these templates extensively to support the automation we observed in spinning up instances and creating the tunnels between the branches and the Amazon VPCs.
  • The Gateway is currently supported on selected C4 instances. This solution also supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower CPU utilization. SteelConnect supports SR-IOV on C4 instances.
  • The SteelConnect Gateway supports overlapping IP addresses, such as when two companies merge and devices share IP addresses, leading to network configuration and management issues. AWS addresses this issue with the transit VPC on AWS. Riverbed addresses this issue specifically by having its gateway talk to the virtual gateway on AWS (i.e., a one-to-one Network Address Translation [NAT] replacement).
  • ESG Lab measured the throughput of a VPN connection between a Linux on-premises client and the SteelConnect Gateway deployed in the US-East Region. We used a c4.large instance for the Gateway and a c4.8xlarge for the Linux client. We used iPerf3 with the default MSS of 1,460 bytes to generate traffic over an encrypted link for 10 minutes and observed steady-state throughput between 400 and 500 Mb/sec unidirectionally. We tested with five, 10, and 40 threads and observed similar throughput.
  • ESG Lab then inserted a virtual instance of SteelHead, Riverbed’s WAN optimization product, to see how throughput would be affected. We found inserting a SteelHead instance was easy to execute, as the Manager provides the SteelHead instance creation as an option when deploying a SteelConnect Gateway. The Manager will deploy the SteelHead instance into the Amazon VPC-facing subnet of the SteelConnect Stack. Using a c4.4xlarge for SteelHead, we generated five threads of traffic with the default MSS of 1,460 bytes and observed throughput of 1.03 Gb/sec unidirectionally.
  • ESG Lab also examined the console of the SteelConnect Manager. By leveraging APIs on AWS, a customer can easily deploy instances, obtain information about the AWS environment, and create tunnels between enterprise branches and Amazon VPCs. The Manager also retrieves Amazon CloudWatch metrics that allow a customer to monitor the SD-WAN at the VPC, subnet, and instance levels.

Why This Matters

Enterprises that integrate cloud resources into existing WANs face challenges when establishing connections at scale quickly and optimizing application delivery. An SD-WAN solution that can address both challenges will help organizations maintain business continuity while altering the underlying IT infrastructure as business requirements change.

ESG Lab confirmed that the Riverbed SteelConnect Gateway and Manager extensively leverage APIs on AWS and AWS CloudFormation templates to automate the SD-WAN deployment process. Customers can also leverage Riverbed’s experience in WAN optimization to maximize throughput when business needs dictate.

Riverbed SteelConnect Marketplace Listing on AWS Marketplace

VeloCloud Cloud-Delivered SD-WAN

VeloCloud Cloud-Delivered SD-WAN enables customers to leverage SD-WAN capabilities as both an on-premises and cloud-based offering. Organizations can implement the solution themselves or purchase it from a service provider as a managed service. The company deploys its VeloCloud Cloud Gateways in various regions, allowing enterprises to connect their branches to SaaS providers and Amazon VPCs. The VeloCloud Gateway Service reduces the number of tunnels that organizations must create to connect their branches to their Amazon VPCs. The gateway service acts as a hub for an organization’s WAN within AWS. Minimizing the number of tunnels created can decrease both cloud infrastructure costs and time spent on provisioning and managing SD-WAN connections. Organizations with a small number of sites can connect those sites with public or private links to virtual edges deployed in their Amazon VPCs.

Service providers (SPs) and VeloCloud partners (e.g., SaaS providers) can leverage VeloCloud’s managed service to enhance their offerings. When an SP such as AT&T connects its AWS private network to VeloCloud’s gateways via Direct Connect, it can guarantee last-mile and mid-mile traffic SLAs for customers connecting to the private network. Partners and SPs can also leverage the VeloCloud Gateways to allow their customers direct cloud access. Not only can partners and SPs optimize application delivery, but they can also allow customers to leverage multiple cloud offerings and build a hybrid infrastructure environment.

The other key component of VeloCloud’s solution is the Orchestrator. Deployed on AWS, the Orchestrator facilitates Edge configuration, WAN management, real-time visibility, and traffic flow management. VeloCloud customers configure the traffic policies that dictate how and when application packets are transmitted between VeloCloud Edges. Currently, VeloCloud has deployed multiple Orchestrators and Cloud Gateways across multiple AWS Regions to service its global customer base.

To optimize application delivery between VeloCloud Edges, VeloCloud offers Dynamic Multi-Path Optimization (DMPO). The VeloCloud Orchestrator will continuously monitor application delivery and link quality between two VeloCloud endpoints. Should link conditions change in a way that may degrade application performance, the VeloCloud endpoints will redirect traffic, on a packet-by-packet basis, to those links best suited for delivering traffic. If the Edges determine that traffic cannot switch over to another link, they will duplicate and retransmit packets. Reassembly according to time-stamps on the packets will occur once the packets reach their destinations. Figure 10 highlights the components of the VeloCloud solution and how they integrate into AWS.

ESG Lab Highlights

  • VeloCloud’s Virtual Edge is available on AWS Marketplace. Currently, the Virtual Edge can be deployed on select C4 and M4 instances, which also support single root I/O virtualization (SR-IOV). SR-IOV allows higher I/O performance on network interfaces and lower CPU utilization, decreasing latencies between SR-IOV-enabled instances. The solution also supports the ENA driver for organizations that want to achieve higher throughput.
  • ESG Lab measured the failover time between SD-WAN instances running on c4.large instances deployed in the US-East and US-West Regions to be approximately three seconds.
  • ESG observed link performance between instances deployed in two Amazon VPCs in the same region. Using c4.8xlarge instances, VeloCloud sustained 4.5 Gb/sec of bidirectional, encrypted throughput with an MSS of 1,400 bytes.
  • VeloCloud’s solution supports resource-aware clustering. The solution will assign branch offices to gateway resources dynamically based on resource utilization within the gateways. This optimizes the organization’s consumption of gateway resources, scales throughput linearly, and continuously rebalances traffic to ensure application delivery according to business policy. Throughput licenses are available as low as 30 Mb/sec, so scaling is very granular.
  • The VeloCloud solution can manage overlapping IP addresses both via the transit VPC on AWS and the VeloCloud segmentation feature. Segmentation allows the solution to separate the WAN so that an administrator can apply different security and access policies, yet still adhere to business policy when delivering application traffic.
  • The VeloCloud Orchestrator collects multiple data types to monitor application, traffic, and tunnel conditions. No plug-ins are required to take full advantage of all capabilities. The administrator can perform the tasks needed to deploy and manage an SD-WAN, such as Virtual Edge instance or device deployment, automated VPN tunnel creation, branch routing, and business policy creation. Policy creation is key since this enables the solution to select the optimal gateway to ensure application performance. VeloCloud recognizes over 2,500 applications and their components.

Why This Matters

An organization that considers embracing the cloud must consider both the cost and time it will take to connect its WAN to IaaS providers. The biggest concern, however, is ensuring that a solution is optimized to deliver cloud-based applications to maintain business continuity. Organizations have a choice of numerous SD-WAN solutions, but these choices primarily require some level of setup and management. While many solutions embrace automation to ease the deployment of an SD-WAN, organizations may want a solution that allows the SD-WAN overlay to assume more responsibility in optimizing application performance and delivery.

ESG Lab verified that the VeloCloud Cloud-Delivered SD-WAN integrates tightly with AWS while enabling organizations to leverage SD-WAN capabilities either on-premises or via AWS. The VeloCloud solution enables enterprises to connect their sites to each other or to their cloud resources, whether it is deployed on-premises or using VeloCloud Hosted Gateways. SPs (IaaS or SaaS) can leverage VeloCloud Partner Gateways to enable enterprise customers to connect their branches to these cloud-based resources. All VeloCloud deployments ensure that business policies translate into the appropriate network and security requirements relevant to ensuring an organization’s business continuity.

VeloCloud Cloud-Delivered SD-WAN Listing on AWS Marketplace

Versa Networks FlexVNF

Versa FlexVNF is a multitenant software platform that integrates multiple network services within its architecture, such as routing functionality, next-generation firewall (NGFW), and unified threat management (UTM). FlexVNF supports service chaining, which allows organizations to integrate third-party physical and virtual appliances. The platform leverages an integrated KVM hypervisor that enables the service chaining. Versa Networks streamlines packet-processing for routing, SD-WAN, and security with native support for all services, thus reducing latency by minimizing the inspection points for each packet in the flow. In traditional deployments, packets passing through separate appliances (virtual or physical) add latency because each hop is required to process packets at both the ingress and egress.

Multitenancy allows one FlexVNF to serve multiple customers without the need to create multiple individual instances. The multitenancy makes the solution ideal for service providers that want to offer managed SD-WAN services at larger scale while reducing costs for additional infrastructure. Large enterprises that require complex routing integration with their existing branch networks can also use FlexVNF.

The solution’s head-end consists of the Director, Controller, and Analytics cluster. The Director makes the API calls, enabling the network professional to automate, configure, deploy, and manage the FlexVNF branches. IKE-based IPSec tunnels connect the branches to the Controller. Based on the open source Cassandra database, the Analytics platform provides the network professional with several metrics and statistics, particularly related to routing, to support monitoring and troubleshooting. The head-end resides in a private subnet. Figure 11 highlights the components of the Versa SD-WAN solution and how they are integrated with AWS.

ESG Lab Highlights

ESG validated the integration of the Versa Networks solution with AWS and explored additional capabilities. Features include:

  • Versa Networks delivers its SD-WAN solution either virtually (on VMware, KVM, or AWS) or physically via bare metal servers or appliances. Multitenancy is a native part of the Versa solution regardless of the deployment mode.
  • FlexVNF is currently available only as a private AMI. The solution runs on a minimum c3.xlarge instance, to provide three interfaces and four vCPUs.
  • FlexVNF supports single root I/O virtualization (SR-IOV), which allows higher I/O performance on network interfaces with lower CPU utilization. Thus, the SD-WAN instance can deliver faster performance and higher bandwidth, decreasing latencies between SR-IOV-enabled instances. FlexVNF supports SR-IOV on instances larger than or equal to c3.xlarge.
  • Versa Networks employs AWS CloudFormation templates for automated configuration. Administrators can create branch deployments and VPNs via the Director, with the option to create a mesh or hub-and-spoke model between deployed instances.
  • Versa Networks has added a routing capability, Virtual Router Redundancy Protocol (VRRP), that is not native to AWS. In a traditional WAN, this capability allows a network administrator to assign a virtual IP to a group of routers, with one designated as the master router and the others as backup routers. When the master router fails, a backup will continue to forward traffic. On AWS, organizations can spin up master and backup branches in an AZ. Versa Networks developed this capability to help customers ease the transition to AWS by maintaining capabilities that they were already leveraging.
  • ESG measured link performance between instances deployed in two Amazon VPCs in the US-West Region. Using c4.4xlarge instances, we used iPerf3 with the default MSS of 1,460 bytes to generate traffic over the link. ESG observed that the maximum bidirectional encrypted throughput between the instances was 2.45 Gb/sec—1.228 Gb/sec in each direction. We also noted that the instance CPU utilization was less than 40% while RAM utilization was less than 4%. Low instance utilization translates into additional processing resources to support multiple user traffic streams. A Versa customer can decrease network complexity, thus lowering management and cloud-related costs.
  • FlexVNF supports routing between Amazon VPCs both natively and via support for the transit VPC on AWS. The native functionality is automated with FlexVNF. Organizations can use the available AWS CloudFormation template to implement the transit VPC.
  • The Director Dashboard allows the user to create policies to enable application steering over available WAN links. For example, an administrator can set up a Service Level Agreement (SLA) profile that monitors link latency and initiates a failover to another link if a threshold is reached. These policies can also be created to react to other triggers such as link failures or static policies.

Why This Matters

Deploying SD-WAN for multiple users can become costly and harder to manage. Scaling the underlying network means purchasing more and disparate hardware components and their related management systems. Network administrators must also consider inserting other network services, specifically security, into the network. The downside is that large, complex networks add latency, thus decreasing network performance. To address both scalability and performance, SD-WAN solutions enable support for multiple users via virtualization while integrating routing and network services to expedite secure packet forwarding.

ESG confirmed that Versa FlexVNF integrates with AWS and allows the creation of a high-performance SD-WAN while minimizing CPU and RAM utilization. Conserving compute resources allows the support of multiple users on the same FlexVNF instance via virtualization.

AWS Marketplace Homepage

Direct sales contact: Gaurav Prashad – Director, Enterprise Sales, (925) 348-1533

The Bigger Truth

SD-WAN implementations generically offer some combination of multiple WAN functions, including: virtual overlay networks, which aggregate all of an organization’s disparate networks into a single logical network; path selection, to route packets properly when using multiple connections to a branch office; the ability to combine multiple physical networks—including classic MPLS networks, carrier Ethernet, T3, and public Internet—into one virtual network, enabling simultaneous load balancing and cost optimization of the data transport; service insertion, such as firewalls, VPNs, load balancers, or other services relevant to branch offices or cloud environments; and network automation to make it all work together.

Cloud computing has become a transformative force in the IT world. Recent ESG research found that 78% of respondents are actively using public clouds for varying combinations of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS).[6] In a different survey, ESG asked respondents to identify the ways public cloud computing services have affected their organization’s networking strategy, and the most commonly reported impact, selected by 38% of respondents, was that organizations have integrated data center and WAN links to create a seamless network that connects on-premises and off-premises resources.[7]

Recognizing the need for simplicity in network resource integration and management, AWS is in the process of building a network competency to certify that networking vendors can integrate with AWS in a consistent, centrally manageable, highly available manner.

ESG Lab has validated that all nine of the vendors evaluated in this report provide a baseline level of integration with AWS, including bootstrapping options for deployment, AES 256 encryption over all link types, traffic shaping controls, and IAM role-based access for security. All vendors supported additional features and functionality above and beyond this baseline of support, based on their target market and use cases.

ESG Lab recommends that organizations that need to provide seamless access and connectivity, for their users or customers, to applications or geographically dispersed locations—whether on-premises or in the cloud—should seriously consider SD-WAN to integrate their networks and provide universal access. The data collected in this report can be used to better understand the offerings presented by the vendors profiled here and narrow the field of consideration based on your individual business needs and use cases.


Questionnaire Sent to SD-WAN vendors

  • Bootstrapping—Can the instance take in and process EC2 user-data? (Any testing should demonstrate all types of data supported by the SD-WAN vendor, e.g., shell scripts and/or cloud-init directives. Other options: plain text, as a file (useful for launching instances via the command line tools), or as base64-encoded text (for API calls).)
  • Enhanced networking support using single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. A performance comparison can be made between an instance running SR-IOV and an identical instance running a traditional virtualized interface.
  • ENA Driver support -
  • Encryption:
    • Is encryption supported (Y/N)?
    • Encryption of traffic supported over all link types (Y/N)?
  • AWS EC2 API Support / Command line tools support (Y/N)?
  • Does the instance support roles, access keys, or both?
  • For deployment, are there CloudFormation or other automation tools available?
  • Does the instance support overlapping IP addresses? (VGW Transit VPC support)
  • Is the solution on AWS Marketplace or a private AMI?
  • Does the system monitor these conditions to handle failover?
    • Packet loss
    • Blackholed traffic
    • BGP/neighbor changes
    • Link flapping
    • Latency
  • Can the instance policy-route traffic over Direct Connect versus VPN?
    • Can the instance route certain types of traffic over different links, e.g., voice over Direct Connect, SSL over the Internet, etc.?
    • Can the instance create a VPN backup for Direct Connect?
  • Does the instance do Quality of Service or preferential traffic throttling/shaping?
  • Does the instance do any WAN acceleration for high latencies?
  • Can the instance be placed behind Elastic Load Balancing (ELB/ALB)?
  • Can the instance load-balance traffic over multiple VPNs?
  • What APIs or level of APIs are available with the solution?
  • What automation tools have support and/or example code?
    • AWS CloudFormation, Terraform, Puppet, Chef, Ansible, SaltStack, others?

Test Plan Sent to SD-WAN Vendors

  • Demonstrate ease of implementation and installation of AMIs and VPN creation
  • Multiple Availability Zone support
    • Demonstrate the ability to support and leverage multiple availability zones.
  • Auto Scaling support – can the product scale out and scale in on AWS?
  • Compatibility with the Virtual Private Gateway (VGW)
    • Configure a VPN to the VGW, test that it works.
      • This can be optionally removed if the vendor prefers direct VPN to their instances.
    • Support for BGP with the VGW
  • High Availability – does the SD-WAN product support a high-availability deployment on AWS?
    • Inside to outside – route shifting or ENI shifting
      • Measure the failover time for these failure modes
        • Measurement can use ping or any other availability check between the test instances. The traffic must be initiated by the us-east-1 testing instance.
        • The primary SD-WAN instance for a region is shut down, and connectivity is tested from us-east-1 to the lab.
        • Network ACL is applied to deny all traffic to the primary subnet, and connectivity is tested from us-east-1 to the lab.
    • Outside to inside
      • Measure the failover time for these failure modes
        • The primary SD-WAN instance is shut down, and connectivity is tested from the lab to the test instance in us-east-1.
        • When the VPN or BGP session is deleted for the primary instance.
  • Performance – Throughput performance testing
    • All SD-WAN vendors will execute tests in the same manner and with the same parameters using common tools (iPerf3 for Linux, NTttcp for Windows).
    • Performance will be tested in these scenarios for the m4.xlarge, m4.16xlarge, and c4.8xlarge instance types (if supported; otherwise, performance tests can be conducted against supported instance types).
      • The branch instance to us-east-1 testing instance
      • The branch instance to us-west-1 testing instance
      • The us-east-1 testing instance to the us-west-1 testing instance
    • Note: The m4.xlarge and c4.8xlarge support the ixgbevf driver (Intel 82599), and the m4.16xlarge supports the Elastic Network Adapter (ENA) driver.
  • Visibility and Monitoring
    • What statistics are available?
    • What level of monitoring is available?
    • What type of AWS visibility is available?
      • VPC
      • Subnet
      • CloudWatch metrics
      • Flow Logs

1. Source: ESG Research Report, 2017 Public Cloud Computing Trends, April 2017.
2. Source: ESG Survey, Network Modernization Trends, July 2017.
3. Source: Ibid.
4. A complete list of questions and vendor responses can be found in the Appendix.
5. The list of instance types can be found in the Appendix.
6. Source: ESG Research Report, Public Cloud Computing Trends, April 2017.
7. Source: ESG Survey, Network Modernization Trends, July 2017.
This ESG Lab Report was commissioned by Amazon Web Services (AWS) and is distributed under license from ESG.

ESG Lab Reports

The goal of ESG Validation reports is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Validation reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of products, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation team's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.
