SD-WAN: Application & Identity-Driven Policies

Software-Defined Wide Area Networking (SD-WAN) is an innovative new approach to the deployment, management and operation of WANs. In this 5-part series, the key benefits of this exciting new technology will be explored.

WAN connectivity is often a costly investment, whether it’s MPLS, broadband or cellular. Any package purchased through a service provider is limited in bandwidth, whether that is 1Mbps or 1Gbps, and every bit of that capacity is paid for. If a business does not manage its consumption efficiently, the link is effectively a monetary black hole. VPN encapsulation and encryption also add per-packet overhead that eats into usable bandwidth if not properly controlled.

In short, it’s vital to any business that WAN and VPN usage is managed efficiently.

Controlling traffic with identity-driven policies

Networks commonly accommodate users and devices with varying roles and identities – staff, guests, contractors, IoT devices, etc. In any environment, the goal is to control network access and usage with a role-based policy. As that policy evolves from LAN-facing to WAN-facing, it becomes a cornerstone in ensuring appropriate use of the WAN and VPN.

An example of such a policy is shown below (it takes advantage of the link-state monitoring and dynamic path selection discussed in Part 3 of this series).

Environments with unified full-stack management can streamline policy creation further by mapping SD-LAN roles onto SD-WAN policy, which gives edge-to-core policy enforcement. In practice, a user connects to the access layer (Wi-Fi, for example), and the identity assigned there is carried through and recognized at the WAN layer. With this integration, the administrator can create role-based WAN and VPN policies with little effort.

Identity-driven WAN policies help prevent overutilization and misuse by individuals or devices, increasing link efficiency. That said, the policies above are based solely on identity and say nothing about which applications are in use or how a device behaves. What if an extra level of control is required?

Controlling traffic with application-based policies

Applications consume bandwidth in different ways: video streaming is a heavy consumer, whereas email and web browsing are comparatively light. Being able to identify the services and applications in use across the WAN, and to impose restrictions where needed, plays an important role in both security enforcement and WAN optimization. Application identification depends on the router’s classification engine, so its accuracy, particularly for encrypted traffic, bounds how precise these policies can be.

SD-WAN provides the tools for application-based routing policies. The end result is that unwanted or potentially harmful applications can be blocked or, in some cases, confined to particular WAN links; bandwidth-intensive services can be rate-limited; and collaborative, business-relevant applications can be prioritized.

Ultimately, combining application- and identity-driven policies aids efficient use of the WAN. Link consumption can be managed appropriately, and security policies can be enforced more effectively.


SD-WAN routers track traffic flows statefully. This allows an administrator to use application- and identity-driven policies to selectively block, restrict, rate-limit or prioritize applications and services for individuals or groups. Additionally, those flows can be routed dynamically across multiple links based on link-state information, or pinned to predefined links for traffic segregation.
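As an added example (not code from the original post or from Aerohive), the following Python sketch models how the capabilities just described combine in one policy decision: a first-match rule table keyed on user role and application category, dynamic path selection that picks the lowest-latency healthy link for high-priority flows and the cheapest healthy link otherwise, link pinning for traffic segregation, rate limits, and a default deny for anything no rule covers. It also handles the failure mode a practitioner cares about: unpinned traffic degrades to best effort when every link is unhealthy, while traffic pinned to a segregated link fails closed rather than spilling onto an arbitrary link. All roles, application categories, link names, thresholds and link measurements are constructed; a real SD-WAN platform supplies the application classification and the link-state probes itself.

```python
"""Identity- and application-driven WAN policy engine (illustrative).

Added example, not code from the original post or any SD-WAN vendor.
Roles, apps, links, thresholds and measurements are all constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "*"                  # wildcard for roles/apps in a rule
MAX_LATENCY_MS = 150.0     # constructed brownout thresholds from link-state monitoring
MAX_LOSS_PCT = 2.0


@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float      # constructed probe result
    loss_pct: float        # constructed probe result
    cost_rank: int         # 1 = cheapest; drives normal-priority path selection


@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]
    apps: FrozenSet[str]
    action: str                               # "allow" or "block"
    priority: str = "normal"                  # "high" -> lowest-latency healthy link
    rate_kbps: Optional[int] = None           # per-flow cap, None = uncapped
    links: Optional[FrozenSet[str]] = None    # pin to these links; None = any link


@dataclass(frozen=True)
class Decision:
    action: str
    link: Optional[str] = None
    priority: str = "normal"
    rate_kbps: Optional[int] = None
    rule: Optional[int] = None    # index of the matching rule; None = default deny
    degraded: bool = False        # True when no healthy link satisfied the rule


def is_healthy(link: Link) -> bool:
    return link.latency_ms <= MAX_LATENCY_MS and link.loss_pct <= MAX_LOSS_PCT


def select_link(links: List[Link], rule: Rule) -> Tuple[Optional[Link], bool]:
    """Dynamic path selection restricted to the links the rule allows."""
    candidates = [l for l in links if rule.links is None or l.name in rule.links]
    healthy = [l for l in candidates if is_healthy(l)]
    if healthy:
        if rule.priority == "high":
            return min(healthy, key=lambda l: l.latency_ms), False
        return min(healthy, key=lambda l: l.cost_rank), False
    if rule.links is None and candidates:
        # Every link is degraded: carry unpinned traffic on the least lossy one.
        return min(candidates, key=lambda l: (l.loss_pct, l.latency_ms)), True
    # Pinned link set has no healthy member: fail closed, keep segregation intact.
    return None, True


def evaluate(role: str, app: str, rules: List[Rule], links: List[Link]) -> Decision:
    """First matching rule wins; flows matching no rule are denied."""
    for idx, rule in enumerate(rules):
        if ANY not in rule.roles and role not in rule.roles:
            continue
        if ANY not in rule.apps and app not in rule.apps:
            continue
        if rule.action == "block":
            return Decision("block", rule=idx)
        link, degraded = select_link(links, rule)
        if link is None:
            return Decision("block", rule=idx, degraded=True)
        return Decision("allow", link.name, rule.priority, rule.rate_kbps, idx, degraded)
    return Decision("block")   # default deny


# Constructed rule table: identity (role) x application category.
RULES = [
    Rule(frozenset({ANY}), frozenset({"p2p", "malware"}), "block"),
    Rule(frozenset({"guest"}), frozenset({"video"}), "allow",
         rate_kbps=2000, links=frozenset({"broadband"})),
    Rule(frozenset({"guest"}), frozenset({"web", "email"}), "allow",
         links=frozenset({"broadband"})),
    Rule(frozenset({"staff"}), frozenset({"voip", "conferencing"}), "allow",
         priority="high", links=frozenset({"mpls", "broadband"})),
    Rule(frozenset({"staff"}), frozenset({ANY}), "allow"),
    Rule(frozenset({"iot"}), frozenset({"telemetry"}), "allow",
         rate_kbps=128, links=frozenset({"cellular"})),
]

# Constructed link-state snapshots.
LINKS_OK = [Link("mpls", 30, 0.1, 2), Link("broadband", 40, 0.5, 1), Link("cellular", 90, 1.0, 3)]
LINKS_BB_LOSSY = [Link("mpls", 30, 0.1, 2), Link("broadband", 40, 5.0, 1), Link("cellular", 90, 1.0, 3)]
LINKS_ALL_BAD = [Link("mpls", 200, 0.1, 2), Link("broadband", 40, 5.0, 1), Link("cellular", 90, 3.0, 3)]

if __name__ == "__main__":
    for role, app, links in [("staff", "voip", LINKS_OK), ("guest", "video", LINKS_OK),
                             ("guest", "ssh", LINKS_OK), ("guest", "video", LINKS_BB_LOSSY),
                             ("staff", "web", LINKS_ALL_BAD)]:
        print(role, app, evaluate(role, app, RULES, links))
```

Rule order matters: the wildcard block rule sits first so that a broad "staff may use anything" rule cannot accidentally permit a blocked application category, and the implicit default deny at the end means a role with no rules (a contractor here) gets nothing until an administrator grants it.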

Leveraging these capabilities aids appropriate use of the WAN and VPN. With WAN connectivity being one of the costlier elements of a network, SD-WAN reduces monetary waste, improves user experience and puts control of the network back into the hands of the business.

Application & identity-driven policies are only one piece of the puzzle that makes SD-WAN such an exciting new development.

In this series, the following is explored:

SD-WAN Series – Part 1: Centralized Orchestration

SD-WAN Series – Part 2: Policy Unification

SD-WAN Series – Part 3: Link-State Monitoring & Dynamic Path Selection

SD-WAN Series – Part 4: Application & Identity-Driven Policies

SD-WAN Series – Part 5: Zero-Touch Provisioning & Auto-VPN


Nathaniel Moore (CWNE #222) is a Product Marketing Manager for Aerohive Networks with experience as a Systems Engineer in computer networking and wireless systems across multi-vendor solutions.
