Discover what’s really driving the shift toward unified security
Discover how geopolitical tensions are fueling advanced cyber campaigns
Is the Quantum Threat Closer Than You Think?
Table of Contents

What Is SD-WAN? [Starter Guide]

12 min. read
Table of Contents

SD-WAN (software-defined wide area network) is a type of networking technology that uses software-defined networking (SDN) principles to manage and optimize wide area network (WAN) performance.

It gives organizations the ability to securely connect users, applications and data across multiple locations. Plus, it improves performance, reliability and scalability.

SD-WAN also simplifies WAN management by providing centralized control and visibility over the entire network.

 

What created the need for SD-WAN?

Businesses need SD-WAN because traditional wide area networks can’t keep up with how modern organizations operate, connect, and use applications.

More specifically: 

The way businesses operate—and where their applications live—has changed. Most organizations no longer rely solely on centralized data centers to host their systems. Instead, applications are now distributed across public cloud platforms, SaaS environments, and hybrid infrastructures.

"92% of workloads are now hosted on some form of cloud platform, indicating a significant shift from traditional on-premises solutions. Only 8% of workloads remain solely on-premises, showing a substantial move towards cloud-based infrastructure across various industries."
-Rackspace, The 2025 State of Cloud Report

That shift has made it harder for traditional WAN architectures to keep up.

The diagram titled 'Corporate connectivity pre and post-SaaS' shows the difference in network connections before and after implementing SaaS. The 'Before' section depicts a branch office connecting to the headquarters (HQ) through a single network link. The 'After' section shows the branch office connected to HQ via multiple network links, which in turn connect to various cloud services such as AWS, Azure, Google Drive, Salesforce, and Microsoft, indicating SaaS integration. Additionally, the 'After' section includes connections to social media and other internet services like TikTok, YouTube, Instagram, and Facebook, labeled as 'Best effort.'

Here’s why.

Legacy WANs were designed around predictable traffic patterns. They assumed most application traffic would flow between branch offices and a main data center. So they centralized connectivity and security.

Traditional WAN architecture diagram outlining the connections between a headquarters and a branch office. Both locations are represented by gray building icons labeled 'HQ (Data center or cloud)' and 'Branch office,' positioned at the left and right sides of the diagram, respectively. Between the buildings, three lines depict different connectivity types: a blue line for DSL, a red line for Fiber, and a yellow line for LTE. At the ends of each line, near the buildings, are blue rectangles representing traditional WAN routers, each adorned with network symbols.

That worked when applications and data mostly lived in one place. But it creates challenges when applications are hosted in multiple clouds and users work from anywhere.

At the same time, internet usage has surged. Branches and remote locations now rely heavily on cloud-based apps and services. This results in more direct-to-internet traffic, which doesn’t align well with older WAN models that route everything through a central hub. The result is often unnecessary delays, congestion, and cost.

Another factor is workforce distribution. Hybrid work has become standard in many industries. Employees connect from offices, homes, shared spaces—even while traveling. These patterns demand more flexible connectivity across varied locations, networks, and devices. Traditional WANs aren’t built for that level of dynamism.

Deloitte's 2024 Global Workforce Trends Report indicates that 80% of organizations allow some level of remote and hybrid work.

The increase in applications and endpoints has also made networks more complex. IT teams are expected to maintain visibility and control across a broader attack surface. That becomes harder when network traffic is scattered and legacy infrastructure lacks centralized insight.

Architecture diagram titled 'Limitations of traditional WAN' shows multiple network paths converging through a central data center. On the left, a user icon is connected to a VPN, which leads to the internet. Three separate branch icons labeled Branch, Branch #2, and Branch #3 each connect to the central element labeled 'Oversaturated data center' in red. The Branch icon also passes through a router icon. The oversaturated data center connects to both cloud apps and local apps on the right, illustrating indirect traffic flow through the central hub. The internet and data center are also directly connected.

In short:

The combination of decentralized applications, distributed users, and growing network complexity has created a gap that traditional WANs can’t easily fill. That gap is what led to the need for SD-WAN.

The diagram titled 'App connectivity pre and post-SD-WAN' illustrates network connections for distributed applications. In the 'From' section, a branch office connects to the headquarters (HQ) via MPLS, and the HQ connects to cloud services like AWS, Azure, Google Drive, Salesforce, and Microsoft, as well as social media platforms such as TikTok, YouTube, Instagram, and Facebook. In the 'To' section, the branch office connects to MPLS/5G/broadband, which directly connects to cloud services, social media platforms, and SaaS applications, bypassing the HQ for certain connections.

Businesses needed a new way to support modern workflows, without relying on outdated assumptions about how and where people connect.

 

How does SD-WAN work?

SD-WAN is a virtualized networking approach that extends enterprise connectivity across multiple sites.

Diagram titled 'Basic SD-WAN appliance operation' showing an SD-WAN appliance at a branch site on the left, connected to an SD-WAN controller in the center via Wireless WAN, Internet, and Private MPLS connections. The SD-WAN controller interfaces with various cloud services (AWS, Azure, Google Cloud) and is linked to an enterprise data center on the right. The connections indicate dynamic multipath optimization between the branch site and the data center.

It works by using different types of connections. For example: MPLS, broadband, wireless links, VPNs, and public internet. This allows users at branch locations and remote sites to reach enterprise applications and systems. Which supports work from anywhere without needing a centralized access point.

Diagram titled 'SD-WAN connects to multiple transport services' illustrating a central data center connected to various branch offices. The data center, depicted as a blue box with server icons, is centrally located and linked to branch offices through different colored lines representing MPLS (blue), 4G/5G LTE (purple), and broadband (yellow). Each branch office is depicted as a building icon, connected to the data center via these transport services. The internet is represented as a network icon above the data center, indicating its role in connecting the entire setup.

Here’s how it manages traffic:

SD-WAN constantly checks the performance of each WAN link. It monitors for things like latency, jitter, and packet loss. Then it uses that information to decide how traffic should flow—based on current network conditions.

Like this:

The diagram illustrates centralized management in SD-WAN. It shows an SD-WAN controller at the center, managing data flows between the MPLS network, the internet, and cloud services. On the left, a branch office connects to the SD-WAN controller through traditional WAN routers. The middle section displays various types of connectivity, including fiber, dedicated internet access, MPLS, and 4G, all managed by the SD-WAN controller. On the right, the HQ/DC/DR is also connected via traditional WAN routers. Control plane data paths are indicated by yellow dashed lines, while data plane paths are shown as solid red lines.

SD-WAN manages routing through software instead of relying on static device configurations.

It evaluates traffic conditions in real time. Then it makes decisions based on predefined rules and current network performance.

Policies are created centrally. Administrators use a controller to define how traffic should be handled across different paths.

Those policies are then pushed out to all sites. Which allows updates and changes to be applied consistently throughout the network. And that means no manual configuration needed at each location.

The result is dynamic, policy-based routing that adapts to changing conditions while staying aligned with business priorities.

Here’s how it works:

The diagram titled 'SD-WAN dynamic path selection and traffic steering' shows a branch office connected to various network interfaces. The branch office connects to two virtual interfaces: the VPN virtual interface (IPSec interfaces) depicted in orange and the DIA virtual interface (Ethernet interfaces) depicted in blue. SD-WAN traffic steering includes session load distribution, path quality profile, and traffic distribution profile. Path quality is assessed based on latency, jitter, and packet loss, with a top-down priority for traffic distribution. The VPN interface leads to a private network connecting to headquarters, while the DIA interface connects to the public internet, indicating connections to Internet/SaaS services. Application thresholds are shown at the top left, linking to the branch office through the SD-WAN traffic steering components.

A single update can be pushed to all connected sites without manually touching every device. That saves time and reduces the chance of misconfiguration.

The architecture is based on a centralized control plane. The control plane manages how data is forwarded through the network. Local SD-WAN appliances follow instructions from this central controller. So instead of routing decisions being made locally, they follow global policies.

The diagram illustrates centralized management in SD-WAN. It shows an SD-WAN controller at the center, managing data flows between the MPLS network, the internet, and cloud services. On the left, a branch office connects to the SD-WAN controller through traditional WAN routers. The middle section displays various types of connectivity, including fiber, dedicated internet access, MPLS, and 4G, all managed by the SD-WAN controller. On the right, the HQ/DC/DR is also connected via traditional WAN routers. Control plane data paths are indicated by yellow dashed lines, while data plane paths are shown as solid red lines.

Decoupling of the control and data planes is what makes SD-WAN easier to manage. It also supports more consistent performance, especially as networks grow or change.

SD-WAN also helps address common WAN challenges. It can detect problems like congestion or degraded links. Then it automatically reroutes traffic to maintain service levels.

In other words:

It turns the WAN into a more adaptive, responsive part of the network. Without relying solely on physical infrastructure or static routing rules.

| Further reading: What Is an SD-WAN Appliance? | SD-WAN Hardware & Equipment

 

What is SD-WAN architecture?

The architecture of a software-defined wide area network is the conceptual structure and logical organization of SD-WAN.

SD-WAN architecture diagram, featuring a central data center connected to four branch locations, represented as gray building icons. These connections are color-coded to indicate different types of internet connections: MPLS in red, cellular connections in green, and broadband in orange. Surrounding the central network diagram are logos of various internet and cloud services, such as AWS, Azure, Google, Dropbox, Salesforce, Workday, and YouTube, implying their integration or accessibility through this network architecture.

It defines how the system is built, how the different components interact, and how traffic is routed and managed across the network. Understanding the architecture helps clarify what SD-WAN does—and how it works behind the scenes.

Also, architecture isn’t just about the physical setup. It’s about how the SD-WAN solution is designed to support centralized control, dynamic traffic steering, and flexible deployment.

Let’s break it down:

This section explains both the key components that make up SD-WAN and the different architectural models used to deploy it.

Components of SD-WAN architecture

The diagram shows an SD-WAN architecture with labeled components and connections. At the top, two blue boxes represent the 'SD-WAN orchestrator' and 'SD-WAN controller,' stacked vertically and connected by a line. Below them, two blue cube icons labeled 'SD-WAN edge' sit on either side of the diagram, connected by a red dotted line labeled 'Tunnel virtual connection.' These edge components flank two gray circular network icons labeled 'Internet' and 'CE/MPLS.' The diagram includes a small building icon representing a branch site connected to the left SD-WAN edge. On the right, a text list titled 'SD-WAN components' describes each part: 'SD-WAN edge' as physical or virtual, 'SD-WAN controller' as centralized management of SD-WAN edges and gateways, and 'SD-WAN orchestrator' as lifecycle service orchestration of SD-WAN and other services.

SD-WAN is made up of several core components that work together to provide centralized control, efficient traffic routing, and flexible deployment across locations.

SD-WAN edge

The edge is where the SD-WAN connects to the physical network. It typically sits at branch offices, remote sites, or cloud environments. This is the point where data enters and exits the SD-WAN fabric. It handles traffic forwarding and enforces policies locally, based on instructions received from the controller.

SD-WAN orchestrator

The orchestrator provides centralized coordination for the SD-WAN environment. It applies configuration templates, manages updates, and ensures policies are pushed out across all sites. This component simplifies operations by reducing manual effort and allowing administrators to manage the network through a single interface.

SD-WAN controller

The controller is responsible for centralized policy and control decisions. It maintains visibility across the network and communicates with edge devices to distribute instructions. Operators use the controller to define how traffic should be treated, and which paths should be used based on application requirements or network conditions.

Virtual or physical nodes

Some SD-WAN architectures include additional nodes deployed at specific points in the network. These can be either virtual or physical. They help extend coverage, add capacity, or introduce specialized capabilities. In some environments, these nodes support scalability by helping route traffic more efficiently between key locations.

Types of SD-WAN architecture

The diagram shows an types of SD-WAN architecture.

SD-WAN can be deployed in different ways depending on how the network is built and what requirements it needs to meet. 

Each type offers a different approach to routing, control, and cloud integration.

On-premises SD-WAN

This deployment places the SD-WAN appliance directly at each site. It operates locally and gives network teams direct control over the device. The configuration and policy enforcement happen within the site itself. This setup can support more control over traffic handling and may be preferred when data sensitivity is a primary concern.

Cloud-enabled SD-WAN

In this architecture, the SD-WAN connects through a virtual gateway hosted in the cloud. The connection happens over the public internet. This allows branch locations to reach cloud services more efficiently. It can also help improve how traffic is routed to applications that are hosted in distributed environments.

Cloud-enabled SD-WAN with backbone

This model adds a regional point of presence—or PoP—between the branch and destination. Traffic is first sent to the nearest PoP, where it can then be routed over a private backbone instead of relying entirely on the public internet. This setup can help reduce latency, improve reliability, and support failover if a direct connection is degraded or unavailable.

| Further reading:

 

What are the benefits of SD-WAN?

The image displays six benefits of SD-WAN in a two-column layout, with three rows of paired blue square icons and black text. On the left side, a vertical title reads 'Benefits of SD-WAN' in bold. In the top-left, an icon of a briefcase with gears represents 'Operational simplicity.' Directly across, a bar chart icon signifies 'Enhanced application performance.' In the middle-left, an icon of a hand holding a coin represents 'Transport flexibility & cost efficiency,' paired with three cloud icons on the right labeled 'Cloud optimized routing.' At the bottom-left, a padlock icon denotes 'Improved security,' aligned with a square icon showing a SASE label and a plus symbol labeled 'Supports SASE adoption.'

  • Operational simplicity: SD-WAN centralizes network management through a single controller. This enables zero-touch provisioning, automated configuration, and policy enforcement across all sites. By reducing manual work, it shortens deployment times and lowers the risk of misconfigurations. The result is a more efficient way to maintain and scale distributed networks.

  • Transport flexibility and cost efficiency: Again, SD-WAN supports a mix of public and private connections, including broadband, 5G, and satellite. This allows organizations to select the most cost-effective provider at each site without sacrificing performance. SD-WAN also helps reduce vendor lock-in by supporting a range of transport providers, which can simplify procurement and improve pricing leverage across locations. These capabilities often lead to reduced operating costs and better return on investment.

  • Improved security: As discussed, SD-WAN provides encrypted connectivity between sites and enables centralized policy enforcement across the network. It can also integrate with advanced security services such as secure web gateways and cloud access security brokers. This flexibility helps extend consistent security policies to remote locations and cloud environments. With growing use of IoT and distributed users, SD-WAN helps maintain visibility and control across the expanding attack surface.

  • Enhanced application performance: As explained earlier, SD-WAN uses real-time traffic monitoring and application-aware routing to maintain consistent performance for critical applications. Since it adjusts paths dynamically, applications that require low latency—such as voice or video—can be prioritized to ensure reliable delivery. This reduces disruptions and supports a better experience for users.

  • Cloud optimized routing: Like we outlined above, traditional WAN architectures often backhaul traffic through a central data center, increasing latency for cloud-based applications. SD-WAN enables direct access to cloud services from branch locations. It selects the best available path in real time, based on current network conditions. This helps improve performance for SaaS and cloud-hosted workloads.

  • Supports SASE adoption: SD-WAN provides the connectivity layer for secure access service edge (SASE) architectures. As organizations move toward cloud-based security models, SD-WAN helps ensure reliable, policy-driven traffic handling. Its centralized control and cloud integration capabilities align with SASE principles. This makes SD-WAN a foundational part of long-term network and security convergence.

| Further reading:

 

What are the challenges associated with SD-WAN?

The image is titled 'Challenges of SD-WAN' and is divided into two vertical columns with four rows. On the left side, a gray background contains the title in bold black text, with a horizontal gray line beneath it. Each row in the left column features an orange square icon with a white graphic and label: a storefront icon labeled 'Finding the right vendor,' a crossed wrench and screwdriver labeled 'Determining underlay provisioning needs,' a cloud with three dots underneath labeled 'Navigating cloud connectivity options,' and a dollar sign inside a circular arrow labeled 'Quantifying cost reduction accurately.' The right column on a white background includes three orange square icons with white graphics and labels: a gear and wrench icon labeled 'Troubleshooting issues,' a line graph icon labeled 'Addressing security & visibility limitations,' and a scale icon labeled 'Choosing the right management model.'

  • Finding the right vendor: With many SD-WAN providers on the market, it can be tough to evaluate offerings that look similar on the surface. Organizations need to align vendor capabilities with specific network goals, infrastructure requirements, and long-term support expectations.

  • Determining underlay provisioning needs: The underlay directly impacts SD-WAN performance and reliability. Choosing between public internet, MPLS, or hybrid approaches requires a careful evaluation of application demands, geographic needs, and provider service levels.

  • Navigating cloud connectivity options: SD-WAN solutions offer varying levels of integration with public cloud providers. Selecting the right model—native, vendor-provided, or self-managed—requires balancing performance, cost, and operational complexity.

  • Quantifying cost reduction accurately: While SD-WAN can reduce network costs, measuring ROI isn't always straightforward. Organizations must consider not just circuit savings but also factors like downtime reduction, feature consolidation, and operational efficiency.

  • Troubleshooting issues: SD-WAN environments can be difficult to troubleshoot due to dynamic routing, policy complexity, and vendor-specific implementations. Without sufficient visibility and monitoring tools, pinpointing the root cause of an issue is often challenging.

  • Addressing security and visibility limitations: Decentralized traffic and internet breakouts at branch sites can increase the attack surface. Maintaining end-to-end visibility and consistent security enforcement requires proper planning and integration with other tools or frameworks like SASE.

  • Choosing the right management model: SD-WAN deployments can be fully managed, co-managed, or DIY. Each model offers different levels of control, complexity, and support—so organizations need to assess internal capabilities before deciding.

| Further reading:

 

What are the different types of SD-WAN deployment models?

Architecture diagram titled 'Types of SD-WAN deployment models' displays six deployment model types arranged in two vertical columns. On the left, three blue squares each contain a white icon and label: 'Fully managed SD-WAN' with interconnected nodes, 'Comanaged (hybrid) SD-WAN' with two hands and a gear, and 'Managed CPE SD-WAN' with a hardware device icon. On the right, three blue squares contain icons and labels for: 'SDWANaaS' with multiple interconnected endpoints, 'DIY SD-WAN' with a person using a laptop, and no icon is shown for this label. The background is split between a light gray left column and a white right column.

Different SD-WAN deployment models offer varying levels of control, flexibility, and operational responsibility.

Choosing the right one depends on your organization’s internal capabilities, resources, and business goals.

DIY SD-WAN

DIY, or do-it-yourself, SD-WAN puts full control of the SD-WAN infrastructure in the hands of your internal IT team. You handle everything from design and implementation to monitoring and ongoing management.

This approach typically involves deploying SD-WAN appliances at each site and configuring them to support the desired traffic flow, security policies, and performance needs. The team manages policies, optimizes performance, and integrates the SD-WAN with any existing technologies.

DIY SD-WAN offers maximum flexibility. But it also requires deep expertise and significant internal resources. It’s generally best suited for larger organizations with strong network teams and complex customization needs.

Fully managed SD-WAN

Architecture diagram illustrating managed SD-WAN architecture. The left section shows a 'Branch' with a 'Controller' and 'Orchestrator' connected to an 'SD-WAN CPE,' maintained and managed by an MSP. Connections from the branch lead to a central node labeled 'MPLS/Broadband 4G/5G.' From there, arrows extend to 'HQ' and 'SaaS' services (Google, Microsoft, Salesforce) and another path to 'Best effort' services (TikTok, YouTube, Instagram, Facebook). Additionally, an arrow from 'HQ' connects to cloud providers AWS and Azure.

Fully managed SD-WAN outsources all aspects of network management to a service provider. The provider takes care of initial deployment, configuration, monitoring, troubleshooting, and optimization.

In this model, your organization relies on the provider to maintain uptime, enforce policies, and keep the SD-WAN functioning smoothly. It usually includes performance SLAs, centralized visibility, and expert support.

Fully managed SD-WAN is a good fit for organizations with limited IT resources or those looking to simplify operations. It offloads the day-to-day responsibility and provides access to expert help.

Co-managed SD-WAN

Co-managed SD-WAN architecture diagram. At the top, a connection flows from the 'Provider edge' to the 'Customer edge,' representing a handoff between the provider and customer network, which leads to the public internet, indicated by an icon with interconnected nodes. Below this, the 'Managed' section shows layers of the 'Customer network.' From top to bottom, the layers are: 'Outside switch' (in gray), 'Firewall' (in red with a flame icon), 'Inside switch' (in gray), 'Core switch' (in gray), and 'Campus switching' at the bottom with empty gray boxes. These layers represent different network components, with the firewall highlighted. The diagram shows how these components are segmented in the customer network under a co-managed SD-WAN model.

Co-managed SD-WAN is a shared responsibility model. Your internal team handles some aspects of the network, while a provider manages others.

For example: The provider may oversee initial deployment, major updates, and proactive monitoring. Your team may retain control of policy updates or site-specific changes. This gives you access to expert support without giving up visibility or oversight.

Co-managed SD-WAN is ideal for organizations that want a balance between control and external assistance. It works well when internal resources are available, but not sufficient to manage everything alone.

Managed CPE SD-WAN

Architecture diagram titled 'Managed CPE SD-WAN' depicts a network setup where branch locations connect to the cloud via managed infrastructure. On the left, two branch icons connect to their respective 'CPE router' devices. Both CPE routers are linked to an MSP (Managed Service Provider) device in the center, which manages the network traffic. From the MSP, a VPN tunnel extends to a VFW (Virtual Firewall) in the cloud on the right. The VFW connects to a VPC (Virtual Private Cloud), which contains cloud applications stacked vertically, labeled 'Cloud apps.' The image highlights the managed infrastructure components such as the CPE routers, MSP, VPN, VFW, and VPCs used in a Managed CPE SD-WAN deployment.

Managed CPE SD-WAN focuses on the physical devices deployed at your locations. In this model, a provider manages the customer premises equipment (CPE), including configuration, updates, and troubleshooting.

Your internal team might still define policies or handle other parts of the network, but the provider takes responsibility for keeping the edge hardware running smoothly.

This model is a good option when you need physical SD-WAN appliances for compliance or performance but want to offload the hardware lifecycle management.

SD-WAN as a service (SD-WANaaS)

SD-WAN as a service architecture diagram illustrating the architecture of an SD-WANaaS solution. At the top left, there is a 'Customer web portal' that connects to the 'Business support system.' This system includes a 'Service orchestrator' and an 'SD-WAN controller,' which manage the network. Below, the diagram shows two 'SD-WAN edge' components connected to the internet and to a 'CE/MPLS' network. These edges facilitate connections to various cloud service providers (CSP) backbones, including AWS, Google Cloud, and Azure, depicted on the right side. Additionally, the edges connect to an 'SD-WAN gateway,' which interfaces with an 'External network' shown at the bottom right. Tunnel virtual connections link the SD-WAN edges and gateway, indicating secure communication paths. The entire architecture emphasizes the integration of cloud services, centralized management, and secure connectivity within an SD-WANaaS framework.

SD-WANaaS delivers SD-WAN capabilities as a cloud-based service. The provider hosts the infrastructure and manages core operations. Your team accesses and controls the network through a centralized, cloud-delivered interface.

The provider handles performance optimization, routing, and security services. No on-premises controller is needed, and updates happen in the cloud.

SD-WANaaS is useful for organizations with limited IT resources, multi-site environments, or cloud-first strategies. It offers scalability and simplicity with minimal hardware requirements.

| Further reading: Types of SD-WAN Deployment Models: A Complete Guide

 

How secure is SD-WAN?

Traditional SD-WAN isn’t inherently secure. It improves performance and routing efficiency–and does include some basic security features–but doesn’t offer the advanced protections needed to guard against today’s cyber threats.

Architecture diagram illustrating the security risks associated with direct internet access at branch locations. It features a branch connected to an SD-WAN router, which is shown in the center. The SD-WAN router connects to a data center at HQ and branches off to the Internet. A switch and firewall are depicted under the branch, indicating additional network components. To the right, 'Attackers' are illustrated as a potential threat, emphasizing the exposure of network traffic to security risks. The title above the diagram notes that this direct access introduces vulnerabilities to the network.
Diagram illustrating the challenges of monitoring in an SD-WAN environment due to dynamic path selection. It shows a branch connected to an SD-WAN fabric, represented in the center. An arrow points to a label indicating 'Blindspot internet traffic,' which signifies unmonitored traffic flowing to the Internet. To the left, an access control list is depicted, accompanied by a note on 'Improper configuration on access control list,' highlighting a potential issue. On the right, HQ is illustrated as a connection point. The title at the bottom notes that dynamic path selection complicates the monitoring process, resulting in blind spots.

With that said, the security level of an SD-WAN solution depends on how it’s designed and deployed. That’s why many organizations either layer in security tools separately or adopt secure SD-WAN solutions that integrate them by default.

Architecture diagram illustrating security integration in an SD-WAN environment. It features a branch on the left connected to a next-generation firewall (NGFW), which is indicated by an orange circle. The NGFW connects to an SD-WAN router, shown in blue at the center of the diagram. Above the SD-WAN router, several security features are displayed within a red-bordered box, including IDS/IPS, ATP, UTM, DLP, and SSL. The SD-WAN router connects to HQ and the Internet, with threat feeds depicted to the right of the Internet. The data center and SIEM/SOAR are also shown as endpoints connected to the SD-WAN router. The title 'Security integration in SD-WAN' is prominently displayed at the top, highlighting the focus on enhancing security measures within the SD-WAN architecture.

Secure SD-WAN includes features like next-generation firewalls, intrusion prevention, and SSL inspection—built directly into the SD-WAN infrastructure. It also enables centralized policy management, which reduces the risk of configuration errors across distributed locations. 

Ultimately, with the right security measures in place, SD-WAN can support strong, consistent protection across the WAN. It just doesn’t qualify as a security solution on its own.

| Further reading:

 

How to choose the best SD-WAN vendor for your business (and what to look for)

The image is a flowchart titled 'How to choose the best SD-WAN vendor for your business (and what to look for),' consisting of 15 numbered steps arranged in a winding path from top right to bottom left. Each step includes a black number, a gray circular icon, and a short description in black text. Step 1 is 'Define your network requirements upfront,' followed by Step 2, 'Prioritize compatibility with existing systems,' Step 3, 'Validate vendor claims with real-world examples,' and Step 4, 'Check for centralized, policy-based management.' Steps 5 through 8 are 'Assess built-in cloud connectivity options,' 'Determine underlay support expectations,' 'Confirm support for scale and global coverage,' and 'Evaluate the integrated security capabilities.' Steps 9 through 12 are 'Make sure network visibility tools are included,' 'Understand the available deployment & support models,' 'Review service-level guarantees and escalation paths,' and 'Calculate long-term total cost of ownership.' Steps 13 to 15 are 'Check appliance availability and shipping timelines,' 'Ask about roadmap & future capabilities,' and 'Evaluate their partner and services ecosystem.' The diagram is branded with the Palo Alto Networks logo in the bottom left corner.

Choosing the right SD-WAN vendor involves more than just comparing features. It requires evaluating how well a vendor aligns with your network goals, architecture, and support needs.

Here are the top recommendations to guide your evaluation:

  • Define your network requirements upfront: Identify your existing challenges, architecture, and business goals. This sets the baseline for evaluating whether a vendor can meet your needs.
    Tip:
    Include non-technical stakeholders early. Business unit input can surface priorities IT might otherwise miss.
  • Prioritize compatibility with existing systems: Ensure the vendor supports your current security stack, cloud platforms, and underlay providers to avoid unnecessary replacement or complexity.
    Tip:
    Some vendors advertise “universal compatibility,” but that often comes with limitations. Dig into version-level and feature-specific support to confirm.
  • Validate vendor claims with real-world examples: Review case studies or independent evaluations—ideally from organizations with similar environments—to assess how the solution performs in practice.
    Tip:
    Request a customer reference call. Direct conversations can reveal insights not covered in formal case studies.
  • Check for centralized, policy-based management: A good SD-WAN platform should allow you to manage configurations and performance from one interface across all locations.
  • Assess built-in cloud connectivity options: Look for native integration with major cloud providers or direct cloud gateways to support high-performance access.
  • Determine underlay support expectations: Some vendors manage the underlay network. Others expect you to. Be clear on who handles what.
  • Confirm support for scale and global coverage: Vendors should offer global reach, middle-mile optimization, and scalable design options if your network is distributed or growing.
    Tip:
    Some vendors rely on third-party PoPs for global reach. Check how much of the infrastructure they actually operate—and where.
  • Evaluate the integrated security capabilities: Look for features like traffic segmentation, encrypted internet breakout, and support for your existing security controls.
  • Make sure network visibility tools are included: Choose a vendor that offers clear telemetry and diagnostics for application performance and troubleshooting.
    Tip:
    Test the troubleshooting flow in a live demo or POC. Seeing how quickly you can isolate a real issue can reveal a lot about the product's usability.
  • Understand the available deployment and support models: Whether DIY, managed, or co-managed, the vendor should offer a model that fits your team's capabilities and staffing.
  • Review service-level guarantees and escalation paths: Look for SLAs that address uptime, latency, and response time, backed by a clear support structure.
    Tip:
    Ask to see a sample escalation workflow. It helps to know what to expect before an incident occurs.
  • Calculate long-term total cost of ownership: Consider hardware, licensing, support, and connectivity costs—not just the platform itself.
  • Check appliance availability and shipping timelines: Especially for larger rollouts, make sure the vendor can deliver hardware without supply chain delays.
  • Ask about roadmap and future capabilities: Ensure the vendor is actively evolving their product, especially around automation, application awareness, and hybrid work support.
    Tip:
    Find out what percentage of the roadmap is driven by customer feedback. Vendors that truly listen often iterate faster and more usefully.
  • Evaluate their partner and services ecosystem: A strong vendor ecosystem can simplify deployment, integration, and ongoing operations.
| Further reading: How to Execute an MPLS to SD-WAN Migration Step-by-Step

 

Top 10 SD-WAN best practices, tips, and tricks

Vertically oriented infographic titled 'Top 10 SD-WAN best practices,' with ten blue diamond-shaped icons aligned in a single vertical column, each containing a white line icon representing a specific practice. Each diamond is paired with a black number and a brief label in black text, listed in descending order from top to bottom. Number 1 is 'Plan for the long term.' Number 2 is 'Coordinate across teams.' Number 3 is 'Monitor performance continuously.' Number 4 is 'Test failover regularly.' Number 5 is 'Refine path policies based on data.' Number 6 is 'Tune QoS by traffic behavior.' Number 7 is 'Use consistent naming.' Number 8 is 'Secure the control and data planes.' Number 9 is 'Rely on analytics for optimization.' Number 10 is 'Document everything.' The graphic uses a light gray background, and the Palo Alto Networks logo appears in the bottom right corner.

Once SD-WAN is up and running, keeping it optimized takes ongoing work.

Here are ten key best practices to help you get the most out of your SD-WAN deployment:

  1. Plan for the long term: Design your SD-WAN to support future growth. Anticipate changing traffic patterns and evolving business needs so your architecture stays relevant.
  2. Coordinate across teams: Make sure networking, security, and application teams stay aligned. This ensures policies don't conflict and changes don't break something unexpected.
    Tip:
    Create a change control process that includes stakeholders from each team. This reduces the risk of policy conflicts.
  3. Monitor performance continuously: Watch metrics like latency, jitter, and packet loss in real time. Visibility into both the overlay and underlay helps pinpoint problems faster.
    Tip:
    Use synthetic probes or telemetry from multiple perspectives (user, app, path) to get a fuller picture of performance.
  4. Test failover regularly: Failover only helps if it actually works. Simulate outages and link failures to confirm automatic rerouting performs correctly.
    Tip:
    Include cloud-hosted apps in your failover tests—not just connectivity to other sites.
  5. Refine path policies based on data: Don't set and forget your routing logic. Review policies periodically to reflect how applications behave and where performance matters.
    Tip:
    Use flow analysis to identify applications that are misclassified or not being routed optimally.
  6. Tune QoS by traffic behavior: Use real usage patterns—not just static app types—to decide which traffic gets priority. Accurate QoS improves application performance.
    Tip:
    Validate your QoS effectiveness by monitoring real-time queuing and drop rates under load.
  7. Use consistent naming: Label circuits, tunnels, and sites clearly and uniformly. This avoids confusion during troubleshooting and policy updates.
  8. Secure the control and data planes: Lock down access, rotate credentials, and enforce segmentation. Proper zoning and rule enforcement keep your network harder to attack.
    Tip:
    Rotate credentials and API tokens on a defined schedule. Automate this if possible.
  9. Use analytics for optimization: Look at trends in historical traffic and performance data. Use those insights to adjust routing, allocate bandwidth, and plan upgrades.
  10. Document everything: Keep detailed, up-to-date records of your configuration and changes. It helps with audits, onboarding, and troubleshooting later on.

 

What is the role of SD-WAN in SASE?

"By 2027, 65% of new SD-WAN purchases will be part of a single-vendor secure access service edge (SASE) offering, an increase from 20% in 2024."
-Gartner Research, “2024 Gartner® Magic Quadrant™ for SD-WAN,” September 30, 2024.

SD-WAN is a core component of secure access service edge (SASE). It provides the networking layer that connects users, devices, and locations across multiple WAN links.

Graphic listing the components of SASE (Secure Access Service Edge), each represented by an icon and a brief description. At the center is SD-WAN (Software-defined, wide-area network), symbolized by a gear and network icon. Flanking this are five other elements: ZTNA (Zero Trust Network Access), depicted with a shield and lock icon; SWG (Secure Web Gateway), illustrated with a cloud and lock icon; FWaaS (Firewall as a Service), shown with a firewall icon; and CASB (Cloud Access Security Broker), represented by a cloud and shield icon. Each component is clearly labeled to define its role within the SASE framework, emphasizing the integrated approach to network and security management.

In a SASE architecture, SD-WAN manages how traffic flows between endpoints and cloud applications, ensuring efficient and policy-based routing.

SASE architecture diagram laid out to show how it integrates different components and locations. On the left, labeled 'Your users' and 'Traffic sources,' are icons for Mobile/Computer, Branch/Retail, and Home, representing various user environments. The central part of the diagram lists components of 'SSE' (Secure Service Edge) including FWaaS (Firewall as a Service), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), and ZTNA (Zero Trust Network Access). To the right, labeled 'Your data' and 'Traffic destinations,' are icons for HQ/Data Center, SaaS applications, and Public Cloud, indicating where the data resides and is managed. At the top of the central section, 'SSE' is linked with 'A' representing the network access, which includes SD-WAN (Software-Defined Wide Area Network) and Internet Global Networks, collectively underlining the comprehensive network and security coverage SASE provides across varied locations and data pathways.

Functionally, SASE depends on SD-WAN to deliver application-aware connectivity across distributed environments.;

While SASE unifies networking and security in the cloud, SD-WAN handles the transport—making it a foundational part of SASE infrastructure. Without SD-WAN, SASE lacks the dynamic, software-defined routing needed to optimize network traffic.

The combination allows organizations to shift away from data center–centric designs. It supports direct-to-cloud access, enhances scalability, and helps enforce consistent security policies at every edge.

| Further reading:

 

How is AI used in SD-WAN?

Artificial intelligence (AI) is becoming a core capability in SD-WAN solutions. It's being applied across the full network lifecycle—from initial setup to long-term management. And it's not just a bonus feature anymore. AI is starting to shape how SD-WAN is configured, maintained, and optimized.

AI and machine learning (ML) are already being used to simplify configuration, automate routine tasks, and reduce operational overhead. That includes things like dynamic traffic routing, intelligent alerting, and faster problem resolution. These capabilities can reduce the time it takes to deploy, adjust, and troubleshoot the network.

AI is also helping improve visibility and performance. Some solutions now offer AI-driven analytics to detect anomalies, recommend policy changes, and predict potential issues before they affect users. This shift toward self-healing and self-optimizing networks is aimed at reducing manual intervention and improving end-user experience.

"By 2027, 70% of network operations personnel will rely on generative AI for Day 2 SD-WAN management, up from less than 5% in early 2024."
-Gartner Research, “2024 Gartner® Magic Quadrant™ for SD-WAN,” September 30, 2024.

Longer term, AI is expected to play an even greater role in how SD-WAN evolves. Many organizations will lean on AI not just for efficiency, but also to support broader shifts like hybrid work, multicloud environments, and integrated security. The challenge will be balancing automation with trust—and ensuring AI adds value without introducing new risks.

| Further reading:

 

How SD-WAN works with complementary technologies

SD-WAN is designed to work alongside other technologies to deliver both performance and security.

Let's take a closer look at how SD-WAN interacts with two key technologies: firewalls and 5G.

SD-WAN and firewalls

Firewalls and SD-WAN serve different functions but can work together as part of a unified solution. SD-WAN focuses on optimizing and routing network traffic, while firewalls inspect and enforce policies to protect that traffic.

The two are commonly integrated to secure distributed environments without compromising performance.

Architecture diagram depicting a secure SD-WAN deployment. It shows two branch retail locations, each with an NGFW, connected to a colocation hub via LTE, cable, and MPLS. The colocation hub, also with an NGFW, connects to centralized security management, linking to the public cloud, SaaS, and the internet.

When firewalls are built into or deployed alongside SD-WAN, organizations gain centralized control over both routing and security. That means consistent policy enforcement across all sites, better protection against threats, and simplified management. 

It also reduces the risk of misconfigurations that can happen when networking and security tools operate separately.

SD-WAN and 5G

Use cases for SD-WAN and 5G, including work from home, network slicing, edge computing, Internet of Things (IoT), accessing rural or remote locations, enhanced mobile connectivity, and temporary and pop-up sites, with each use case accompanied by relevant icons.

The relationship between SD-WAN and 5G is still evolving. SD-WAN is well positioned to make use of 5G as an additional transport option—just like broadband or MPLS. The idea is to dynamically steer traffic across all available connections, including 5G, to improve performance and redundancy.

However, the pairing is still in its early stages. 5G infrastructure is still being built out, and practical enterprise use cases are limited. 

That said, SD-WAN's ability to manage multiple links could help businesses experiment with 5G connectivity, especially in mobile, remote, or temporary environments where wired options aren't viable.

| Further reading:

 

Comparing SD-WAN with other security and technology solutions

SD-WAN doesn't operate in isolation. It overlaps with—and is often compared to—a range of networking and security technologies.

Understanding how SD-WAN stacks up across key categories like performance, scalability, and security can help clarify its role in modern infrastructure.

Below is a side-by-side breakdown to help distinguish where SD-WAN fits and how it differs from other solutions.

Scroll the table to read further.
Feature SD-WAN MPLS VPN SSE SDN NaaS Traditional WAN
Network architecture Software-defined overlay across multiple WAN links (MPLS, broadband, LTE) Private circuit-based WAN using label switching Encrypted tunnels over public internet Cloud-delivered security without network transport Control plane separated from data plane for LAN/DC networks Network delivered as a service via cloud provider Point-to-point circuits, hardware-based routing
Traffic management Dynamic path selection and application-aware routing Static routing with QoS for guaranteed paths Single-path static routing Secures user-to-app traffic via PoPs Central controller programs switches Managed service provider handles traffic policies Static routes; traffic flows to central data center
Performance Low latency and optimized for cloud apps High performance, but limited cloud optimization Performance varies by internet conditions Improves app access without SD-WAN path control Optimized within data centers or telco networks Performance varies by provider SLAs Latency-prone for cloud apps
Security Integrated security (NGFW, encryption, SASE-ready) Private but lacks built-in threat prevention Encrypts data but limited inspection or segmentation Zero Trust, SWG, CASB, DLP, FWaaS Requires integration with external security Provider-managed security policies Separate firewalls and security layers needed
Cost structure Reduces costs by leveraging cheaper connections Expensive circuits with higher operational costs Low-cost, suitable for simple remote access Subscription pricing; no network components CapEx-driven; savings in operational agility Subscription-based with flexible pricing Costly MPLS; complex to maintain
Scalability Highly scalable with centralized policy deployment Scaling requires provisioning new circuits Basic scalability; adds complexity at scale Scales by adding users/apps; no physical constraints Highly programmable, abstracted infrastructure On-demand scale via service catalog Difficult to expand and scale quickly
Management and visibility Centralized control with visibility into app and network performance Limited visibility; managed by service providers Minimal monitoring; limited visibility Centralized cloud-based security visibility Deep visibility into network flows Visibility limited to provider dashboard Low visibility; fragmented management
Deployment flexibility Physical, virtual, and cloud-based deployment Physical links managed by telcos Client-based or site-to-site configurations Requires integration with existing network Software-based control of physical/virtual devices No hardware required; fully cloud-delivered Physical site installs, centralized topology
Primary use cases Cloud access, branch connectivity, app performance, security Private WAN connectivity, real-time app SLAs Remote access and secure point-to-point connections Secure web access, cloud security, ZTNA Data center automation, service provider core Outsourced network ops, remote work enablement Hub-and-spoke networks, site-to-site connectivity
| Further reading:

The image is a blue rectangular CTA banner featuring a white open book icon inside a dotted circle on the left side. To the right of the icon, white text reads: 'Learn how to secure and streamline branch networks, featuring 'Zero Trust Branch and SD-WAN for Dummies.'' Below the text is a white outlined button with the label 'Download eBook' in white font.

 

SD-WAN FAQs

SD-WAN manages and optimizes traffic across multiple WAN links using software-defined controls. It improves performance, simplifies management, and provides secure, centralized connectivity across distributed sites.
Traditional WANs use fixed paths and centralized routing, often relying on MPLS. SD-WAN uses software-defined control to dynamically route traffic across multiple connections, improving agility, performance, and cloud access.
An enterprise uses SD-WAN to connect its branch offices to cloud applications via broadband and 5G while prioritizing video traffic and enforcing security policies—all managed centrally.
Yes. SD-WAN remains essential for hybrid work, multicloud access, and SASE adoption. It provides modern connectivity with centralized control and performance optimization.
SD-WAN optimizes application performance, simplifies network management, enables secure remote access, and provides transport flexibility across broadband, MPLS, and wireless links.
SD-WAN isn’t inherently secure and can be complex to troubleshoot without visibility tools. Its effectiveness also depends on the underlying network (underlay).
No. While both encrypt traffic, SD-WAN adds centralized management, dynamic path selection, and application-aware routing across multiple links—capabilities a basic VPN lacks.
Use SD-WAN when you need secure, reliable, and centrally managed connectivity across branches, cloud apps, and remote workers with diverse transport options.
Branch sites with direct internet access can expand the attack surface. Without integrated security, SD-WAN alone may not provide sufficient protection.
Yes, in many cases. SD-WAN appliances handle routing and more, such as application policies and encryption. But core routing functions may still be needed in complex networks.
Challenges include underlay dependence, vendor complexity, limited visibility without proper tools, and security gaps if not integrated with advanced protections.
Challenges include underlay dependence, vendor complexity, limited visibility without proper tools, and security gaps if not integrated with advanced protections.
Its main advantage is dynamic, application-aware traffic routing that improves performance and simplifies management across diverse connections and locations.
To modernize WAN connectivity for cloud access, hybrid work, and application performance—while gaining centralized visibility, control, and operational efficiency.
SD-WAN can be safe when integrated with security features like encryption, firewalls, and policy enforcement. Traditional SD-WAN alone lacks full protection.
MPLS is private but lacks threat protection. SD-WAN with integrated security (like secure web gateways or NGFWs) offers more comprehensive, adaptable protection.
It lacks built-in advanced security and requires strong visibility tools for troubleshooting dynamic traffic paths effectively.
SD-WAN replaced traditional WAN architectures built around MPLS and static routing, which struggled with cloud apps, hybrid work, and modern traffic patterns.
Related content
eBook: The Branch of the Future, Today
Find out how to securely enable branch modernization with Prisma SD-WAN.
eBook: The Power of Zero Trust Branch
Learn more about delivering Zero Trust branches with simplicity, security, and visibility.
eBook: Why Next-Gen SD-WAN Is the Solution for You
Discover how integrated next-gen SD-WAN improves user experience, control, and visibility.
eBook: Set a Secure Foundation for a New World of Possibilities with Prisma SASE
See how AI-powered Prisma SASE supports today’s modern hybrid workforce needs.
Next How SD-WAN helps Today’s IoT

Get the latest news, invites to events, and threat alerts