SDWAN Series 2019 - Velocloud
Velocloud, now part of VMware, market their SD-WAN platform with the VMware NSX product portfolio. The NSX SD-WAN architecture consists of 3 key components:
NSX SD-WAN Orchestrator
NSX SD-WAN Cloud Gateway
NSX SD-WAN Edge
The Orchestrator is the window into the SD-WAN network and provides fabric control, management and visibility. This is where administrators onboard devices, define templates and configure business policy such as security and QoS. The Cloud Gateways are provided by Velocloud and are embedded controllers at global points of presence (POPs). A Cloud Gateway is managed and maintained by Velocloud or a service provider, meaning clients do not need to invest in resources to maintain hardware and software for gateway access to hub locations and SaaS providers. This is a great option for optimising the on-ramp to providers and SaaS, with scalability monitored and managed by Velocloud or the service provider. Edge devices are the customer premise equipment and are either physical or virtual. These are deployed at branch, hub and enterprise data centres and are interconnected by the public internet and private WAN networks such as MPLS.
Evaluation and Assessment
On-boarding a device involves a few simple steps. First the administrator adds the device to the Orchestrator and generates an activation key, which is emailed to the onsite contact. The onsite contact powers up the device, connects the NSX Edge to the internet, joins the NSX Edge SSID and clicks on the email link provided by the administrator. The key carries the base configuration profile: the device characteristics, how it should behave on the wider network, the templates for business policy, and site specific device settings such as the LAN IP address and security configuration.
The following video provides a demonstration of on-boarding a NSX SDWAN device.
Velocloud NSX SD-WAN provides dynamic integration with MPLS providers via BGP. Routing on the local networks is provided by OSPF, and for first hop routing in HA configurations Velocloud provide Virtual Router Redundancy Protocol (VRRP). Similar to both Viptela and Versa, Velocloud also provide an active/active configuration in which all links, including those on the "secondary" device in an HA pair, can be configured to route traffic.
Velocloud also provides visibility of MPLS Class of Service allowing organizations the ability to define policy over private MPLS network services in addition to the overlay management.
A great feature is Cloud VPN: with a single click you can enable site to cloud connectivity, or connectivity to locations that are not Velocloud SD-WAN enabled, and it also provides real time monitoring of the health of the connection.
Similar to all the other SD-WAN providers reviewed as part of this series, Velocloud provide an open RESTful API interface to allow organisations to integrate with other OSS platforms and enable a dynamic programmable network.
A single Velocloud Orchestrator tenancy will scale to more than 8000 edge devices. Cloud Gateways are provided, fully managed and maintained by Velocloud at more than 30 locations globally, and with service providers also hosting cloud gateways the scale is significantly greater. The controllers implemented at the Velocloud gateway locations have a capacity that can scale to 10^6 devices, which is one of the key reasons for the interest from service providers looking to deploy at scale. In addition to tunnel termination for VPN setup, the NSX Edge devices are also capable of large scale deployment with the ability to dynamically create tunnels with other NSX Edges. These tunnels are only created when there is a need for direct site to site communication. At hub locations such as a data centre or regional hub, NSX Edges provide clustering technology allowing a single cluster to scale and create tunnels with up to 2000 NSX Edge devices.
Velocloud's SD-WAN solution is being recognized by telco/service providers and large enterprises for good reason: Dynamic Multi Path Optimization (DMPO), which Velocloud see as a key differentiator. DMPO is made up of:
Dynamic application steering
On Demand Remediation
Continuous monitoring includes performing ongoing automatic capacity testing, continuous link and path quality assessment plus awareness of MPLS class of service.
Velocloud provides advanced capability with dynamic application steering on a per packet basis. I really like the idea of per packet steering as it is most likely to provide the most flexibility, with sub second steering around link and path performance issues. This is comparable to Versa's approach to traffic management and its ability to steer around poorly performing transport paths. It also relates to the ability to aggregate bandwidth for a single flow, giving bigger flows additional bandwidth and improving the overall responsiveness of the application. This does, however, rely on the Cloud Gateway or hub at the far end to reassemble and reorder packets, although the performance of those systems as part of the platform showed no noticeable impact.
The on demand remediation capability provides forward error correction and jitter correction for single link performance, and automatic steering around "brown out" and "black out" conditions in multiple link deployments.
Velocloud SD-WAN will classify links, identify the service provider and determine how they are performing, time stamping the information so it can be used for dynamic traffic engineering. Combined with deep packet inspection, steering decisions are made on application characteristics such as delay, jitter and loss.
Dynamic path selection and link steering is configurable by transport group, interface, WAN link and service provider, and utilises the app-awareness to select and prioritize traffic based on business policy. This allows application aware split tunnel policies, direct internet access, multi-path over private and internet services, and policies to back haul certain traffic to the data centre if required.
Velocloud has a strong focus on optimisation of voice and video but also provide some core on board security capability and also security flexibility with integration of 3rd party security providers. The key security features include:
Stateful firewall that is context aware, identifying application, user ID, device type and OS
NFV integration with 3rd party firewall providers
Integration with 3rd party cloud service providers
Segmentation is a key overlay feature that provides VRF/IP VPN like capability. It gives end to end traffic segmentation, so an organization can separate traffic across the enterprise WAN. One example is to segment traffic that relates to PCI, isolating and encrypting its transport from a retail location to the PCI controlled systems. Another use case is to segment traffic to a hub/central location and filter it through a 3rd party security platform such as a firewall or IPS/IDS system.
For advanced internet security features Velocloud provide built in capability to connect directly to Cloud Security Service Providers such as Zscaler ZIA. Access is optimised using the Velocloud Gateway and is also configurable directly to the cloud security provider from a branch location.
In addition to Cloud Security Providers, Velocloud provide edge devices that support 3rd party VNF functions such as next generation firewalls. This allows an organisation that has a preference for a specific firewall vendor to also integrate the firewall VNF whilst also reducing the number of devices at a branch location. A full list of supported partners is provided here.
Control tunnels, known as VCMP tunnels, to NSX SD-WAN Gateways and NSX SD-WAN Edges use UDP port 2426, whilst all connections to the NSX SD-WAN Orchestrator use TCP port 443 with TLS 1.2. Velocloud also provide the option to use certificates for communication between the infrastructure components.
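Knowing the control plane ports is mostly useful for two defensive tasks: writing the upstream firewall rules and checking afterwards that only the expected traffic is leaving the Edges. The script below is an added example, not Velocloud's code or tooling, that audits constructed firewall flow records against the profile described above (UDP/2426 to Gateways or peer Edges, TCP/443 to the Orchestrator). The addresses, the inventory lists and the key=value log format are all assumptions made for the example; flow logs cannot show the TLS version, so the TLS 1.2 requirement is not something this check can confirm.

```python
"""Audit constructed flow records against the Velocloud control-plane profile.

Expected per the write-up: VCMP tunnels on UDP/2426 between Edges and
Gateways (or directly between Edges), and Edge-to-Orchestrator sessions on
TCP/443. Everything else sourced by an Edge is worth a look.
All addresses and the log format below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed inventory; assumption: the operator keeps such a list.
ORCHESTRATOR = {"203.0.113.10"}
GATEWAYS = {"198.51.100.1", "198.51.100.2"}
EDGES = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}

VCMP_PORT = 2426   # UDP, as stated in the article
ORCH_PORT = 443    # TCP, as stated in the article

# Constructed log lines: one flow per line in key=value form, already
# filtered to traffic sourced by the Edge devices themselves.
SAMPLE_LOG = """\
src=192.0.2.1 dst=198.51.100.1 proto=udp dport=2426 action=allow
src=192.0.2.2 dst=192.0.2.3 proto=udp dport=2426 action=allow
src=192.0.2.1 dst=203.0.113.10 proto=tcp dport=443 action=allow
src=192.0.2.1 dst=203.0.113.99 proto=tcp dport=443 action=allow
src=192.0.2.3 dst=198.51.100.2 proto=tcp dport=2426 action=allow
src=192.0.2.2 dst=198.51.100.1 proto=udp dport=2426 action=deny
src=192.0.2.1 dst=192.0.2.2 proto=udp dport=500 action=allow
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_flows(text):
    """Parse key=value flow lines into Flow records (blank lines skipped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        flows.append(Flow(fields["src"], fields["dst"], fields["proto"].lower(),
                          int(fields["dport"]), fields["action"]))
    return flows


def classify(flow):
    """Return a verdict for one Edge-sourced flow."""
    if flow.src not in EDGES:
        return "ignore"  # not an Edge; out of scope for this audit
    if flow.proto == "udp" and flow.dport == VCMP_PORT:
        if flow.dst in GATEWAYS or flow.dst in EDGES:
            # A denied VCMP flow means a tunnel cannot come up: worth an alert.
            return "ok-vcmp" if flow.action == "allow" else "blocked-vcmp"
        return "vcmp-to-unknown-peer"
    if flow.proto == "tcp" and flow.dport == ORCH_PORT:
        if flow.dst in ORCHESTRATOR:
            return "ok-orchestrator" if flow.action == "allow" else "blocked-orchestrator"
        return "https-to-unknown-host"
    if flow.dport == VCMP_PORT:
        return "vcmp-port-wrong-proto"  # 2426 over TCP is not the VCMP profile
    return "unexpected"


def audit(text):
    """Group every non-ok flow under its verdict so findings can be reviewed."""
    findings = {}
    for flow in parse_flows(text):
        verdict = classify(flow)
        if verdict.startswith("ok") or verdict == "ignore":
            continue
        findings.setdefault(verdict, []).append(flow)
    return findings


if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        print(verdict)
        for f in flows:
            print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.action})")
```

Run against the constructed log it reports four findings: an HTTPS session to a host that is not the Orchestrator, a TCP connection to the VCMP port, a denied VCMP flow (a tunnel that will not establish) and a UDP/500 flow that has no place in the profile. Extending the same approach to a real deployment is a matter of replacing the inventory sets and the log parser with the operator's own.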
Simplicity and Visibility
The dashboard is very intuitive, probably more so than Viptela and Versa and almost as intuitive as Cato Networks. Administrators will be up and running in no time at all, and because the Orchestrator can build configuration for key 3rd party vendor products, IPsec connectivity integration is simplified too.
Velocloud can identify 3000+ applications through its deep application recognition (DAR) engine. This is accomplished using certificates, URL names, well-known prefixes, application ports and the heuristics of a flow. The result is cached for subsequent flows, thereby improving "first packet" classification performance for the client experience.
There are some basic monitoring features provided out of the box, allowing a topological view and drill down on device and location for more detailed traffic and application analytics.
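The "cached for subsequent flows" point is the interesting part of the DAR description, because it is what lets a policy apply from the first packet of a flow rather than after several packets of inspection. The class below is an added, deliberately simplified illustration of that mechanism, not Velocloud's engine: it combines the signals the article lists (a TLS server name standing in for certificate/URL inspection, well-known prefixes and application ports) and caches the result per destination server. All application names, signature tables and addresses are invented for the example.

```python
"""Toy first-packet application recognition with a per-server result cache.

Constructed illustration of the mechanism described in the article, not
Velocloud's DAR engine. Signature tables, app names and addresses are invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed signature tables (assumptions for the example).
SNI_SIGNATURES = {            # stands in for certificate / URL name inspection
    "voice.example": "voice-app",
    "video.example": "video-app",
    "crm.example": "crm-saas",
}
KNOWN_PREFIXES = {ip_network("198.51.100.0/24"): "crm-saas"}  # "well-known prefixes"
PORT_HINTS = {5060: "sip-signalling", 3389: "rdp"}            # "application ports"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None  # TLS server name; only present on the ClientHello


class Recognizer:
    """Multi-signal recogniser that remembers its verdict per destination."""

    def __init__(self):
        # (dst_ip, dst_port) -> app, filled by deep inspection, read on packet one
        self.cache: dict = {}

    def classify(self, packets):
        """Return (app, packets_inspected) for one flow, packets in arrival order."""
        first = packets[0]
        key = (first.dst_ip, first.dst_port)

        # 1. Cached verdict from an earlier flow: decided on the first packet.
        if key in self.cache:
            return self.cache[key], 1

        # 2. Well-known destination prefix: also decidable on packet one.
        for net, app in KNOWN_PREFIXES.items():
            if ip_address(first.dst_ip) in net:
                self.cache[key] = app
                return app, 1

        # 3. Deep inspection: read packets until a recognisable server name shows up.
        for n, pkt in enumerate(packets, start=1):
            if pkt.sni and pkt.sni in SNI_SIGNATURES:
                app = SNI_SIGNATURES[pkt.sni]
                self.cache[key] = app   # later flows to this server skip step 3
                return app, n

        # 4. Port heuristic as a weak fallback; deliberately not cached.
        if first.dst_port in PORT_HINTS:
            return PORT_HINTS[first.dst_port], len(packets)
        return "unknown", len(packets)


def demo():
    """Run five constructed flows through one recogniser and return the verdicts."""
    rec = Recognizer()
    srv = "203.0.113.5"
    results = []
    # First flow to srv: the SNI only appears on the third packet.
    results.append(rec.classify([Packet(srv, 443), Packet(srv, 443),
                                 Packet(srv, 443, sni="video.example")]))
    # Second flow to srv: answered from cache on packet one.
    results.append(rec.classify([Packet(srv, 443)]))
    # Well-known prefix: no payload needed.
    results.append(rec.classify([Packet("198.51.100.7", 443)]))
    # Port-only evidence.
    results.append(rec.classify([Packet("192.0.2.9", 5060)]))
    # Caveat: same server, different application behind it; the cache wins.
    results.append(rec.classify([Packet(srv, 443), Packet(srv, 443, sni="crm.example")]))
    return results


if __name__ == "__main__":
    for app, n in demo():
        print(f"{app:15s} decided after {n} packet(s)")
```

The last flow in demo() shows the trade-off a practitioner should keep in mind when relying on first-packet classification: a cache keyed on the destination server will keep returning the earlier verdict when one address fronts several applications (shared hosting or a CDN), so a real engine needs some way to re-verify and invalidate cached entries once deeper evidence contradicts them.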
Velocloud provide a very good representation and visibility of path performance with the ability to determine the suitability of a path based on the traffic type, voice, video or transactional data with a performance score. This also provides identification of the carrier allowing the administrator to work with their providers for optimisation of transports services.
Velocloud provides an excellent platform with sophisticated features for QoS and path performance monitoring, which they call Velocloud Quality Scores (VQS). Its simplicity, dynamic multi-path optimization, definition of business profiles and VQS are probably the key reasons major carriers are integrating Velocloud into their service platforms. Like many SD-WAN solutions, there is a need to combine it with cloud security providers for end to end protection of the SD-WAN and of access to the Internet, SaaS and cloud providers. Integrated with these providers, Velocloud is a great solution for enterprises and cloud providers.
References: Images and media courtesy of Velocloud. Retrieved from https://www.velocloud.com/