SD-WAN vs VPN: How Do They Compare?

One thing I learned from BioIVT’s transition from Internet-based VPN (Virtual Private Network) to cloud-based SD-WAN is that selecting the right networking solution for the use case can have a tremendous business impact. In their case, the time spent provisioning new locations was reduced by months.

Internet-based VPN, meaning the use of IPsec tunnels (or similar encrypted tunnels) and physical or virtual VPN appliances to connect multiple sites of a WAN over the public Internet, has been a staple of corporate WANs for years. By giving enterprises a way to reduce bandwidth costs, albeit with some reliability and performance tradeoffs, Internet-based VPN has served as an alternative to MPLS (Multiprotocol Label Switching) for select WAN connectivity use cases.

While Internet-based VPN vs MPLS was the debate for some time, WAN technology has evolved in recent years. During that time, SD-WAN has emerged as an enterprise WAN connectivity solution that provides a combination of cost efficiency, agility, and cloud-friendliness that neither MPLS nor Internet-based VPN can match. Cloud-based SD-WAN, in particular, has proven to be a game-changer by adding reliability and baked-in security features to the mix.

With all the moving parts involved in making a decision, how can you determine if Internet-based VPN or SD-WAN makes sense for your organization’s use case? We’ll answer that question here.

SD-WAN vs VPN: Benefits and Limitations

When comparing WAN connectivity solutions, cost, performance, reliability, and configuration & maintenance are important to consider. Let’s see how the SD-WAN vs VPN debate stacks up in those categories.

SD-WAN vs VPN: Cost

Both Internet-based VPN and SD-WAN let enterprises use affordable public-Internet bandwidth. In small deployments, VPN can be an inexpensive solution for a few sites and a simple WAN topology. For example, a simple site-to-site connection can be built from commodity servers and open source software like Openswan (or its actively maintained fork, Libreswan). However, as we saw with BioIVT, the complexity and bottlenecks created by scaling VPN-based networks can outweigh the upfront cost savings by a wide margin.

SD-WAN vs VPN: Performance

Internet-based VPN is inherently tied to the public Internet from a performance perspective. Beyond spikes in congestion impacting performance, traversing long geographical distances generally comes with significant latency on VPN-based WANs.

Further, VPN lacks performance optimization features like dynamic path selection, QoS (Quality of Service), and application-aware routing that help ensure applications like VoIP and telepresence deliver the required levels of performance. SD-WAN delivers these features, and with cloud-based SD-WAN, latency over significant geographical distances becomes a non-issue. Cato’s SLA-backed global private backbone consists of over 45 PoPs (Points of Presence) around the world. As traffic is routed to the nearest PoP and over Cato’s high-speed backbone, the performance issues associated with the public Internet in the middle-mile are averted.

SD-WAN vs VPN: Reliability

Before the dust settled on the SD-WAN vs MPLS debate, a common argument against both appliance-based SD-WAN and VPN was the lack of an SLA on the public Internet. Enterprises demand predictable, reliable performance. VPN is still reliant upon the public Internet, but Cato’s SLA-backed global backbone is connected by multiple Tier-1 providers across the globe. This enables the Cato Cloud to deliver predictable service and reliability at levels that meet or exceed MPLS.

SD-WAN vs VPN: Configuration & Maintenance

VPN configuration often entails extensive manual work. IPsec tunneling, IKE (Internet Key Exchange), and NAT-T (NAT traversal) require a high level of expertise to configure securely and to scale: each tunnel carries its own key material, identity, cipher selection, and traffic selectors, and choices such as IKEv2 over IKEv1, certificate authentication over shared secrets, and modern cipher suites have to be made consistently at every site. A full mesh of N sites needs N(N-1)/2 tunnels, so the per-tunnel effort grows quadratically as sites are added, and maintaining the network becomes increasingly difficult. This, in turn, leads to performance issues and a disjointed WAN infrastructure.

Paysafe Financial Services experienced the issues associated with scaling VPN first-hand. After multiple mergers and acquisitions, Paysafe was left with a backbone made up of MPLS circuits and Internet-based VPN connections. To create a truly meshed network using Internet-based VPN, Paysafe would have required 210 VPN tunnels (a full mesh of 21 sites), a massive investment of time and resources. According to Stuart Gall, then Infrastructure Architect at Paysafe, VPN in particular was a pain point on their WAN. In regards to their VPN connectivity, Gall said, “Invariably we’d have someone at a site needing connectivity to a different location, forcing a reprovisioning process. That could take weeks of work with approvals and all.”
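To make the quadratic growth concrete, here is an added example (not Paysafe’s, Cato’s, or Openswan’s code) that generates the site-to-site tunnel inventory for a full mesh and emits one IPsec connection stanza per pair. The site names and addresses are constructed, and the stanza uses libreswan-style ipsec.conf keywords (libreswan being the maintained Openswan successor) chosen to show the hardened settings a practitioner would want per tunnel; verify the keyword set against the version you run.

```python
"""Full-mesh site-to-site IPsec configuration generator (added illustration).

Shows why a hand-maintained Internet VPN mesh stops scaling: every pair of
sites needs its own tunnel, keys and policy. Site names and addresses are
constructed; the conn stanza uses libreswan-style ipsec.conf keywords and is
illustrative, not a drop-in config.
"""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory: site -> (public endpoint, private subnet).
SITES: Dict[str, Tuple[str, str]] = {
    "london":    ("198.51.100.10", "10.1.0.0/16"),
    "paris":     ("198.51.100.20", "10.2.0.0/16"),
    "newyork":   ("203.0.113.30",  "10.3.0.0/16"),
    "singapore": ("203.0.113.40",  "10.4.0.0/16"),
    "sydney":    ("192.0.2.50",    "10.5.0.0/16"),
}


def tunnel_count(n: int) -> int:
    """Full mesh: one tunnel per unordered pair of sites, n(n-1)/2."""
    return n * (n - 1) // 2


def hub_and_spoke_count(n: int) -> int:
    """Hub-and-spoke needs only n-1 tunnels, but every spoke-to-spoke flow
    hairpins through the hub, which is where the latency complaints come from."""
    return max(n - 1, 0)


def mesh_pairs(sites: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Every unordered pair of sites, in a stable (sorted) order."""
    return list(combinations(sorted(sites), 2))


def conn_stanza(a: str, b: str, sites: Dict[str, Tuple[str, str]]) -> str:
    """One IPsec connection for the pair (a, b).

    Each tunnel is its own security association with its own identities,
    certificate, cipher policy and dead-peer detection; none of it is shared
    with the other tunnels, which is the maintenance burden of a mesh.
    """
    a_ip, a_net = sites[a]
    b_ip, b_net = sites[b]
    return "\n".join([
        f"conn {a}-to-{b}",
        f"    left={a_ip}",
        f"    leftid=@{a}.example.internal",      # constructed identity
        f"    leftsubnet={a_net}",
        f"    leftcert={a}.pem",                  # certificate auth, no per-pair PSK
        f"    right={b_ip}",
        f"    rightid=@{b}.example.internal",
        f"    rightsubnet={b_net}",
        f"    rightcert={b}.pem",
        "    authby=rsasig",
        "    ikev2=insist",                       # refuse IKEv1 entirely
        "    ike=aes_gcm256-sha2_512;dh19",       # AEAD cipher, ECDH P-256
        "    esp=aes_gcm256",
        "    pfs=yes",
        "    dpddelay=10",
        "    dpdtimeout=30",
        "    dpdaction=restart",
        "    auto=start",
    ])


def generate_mesh(sites: Dict[str, Tuple[str, str]]) -> List[str]:
    """All conn stanzas needed for a full mesh over the given sites."""
    return [conn_stanza(a, b, sites) for a, b in mesh_pairs(sites)]


if __name__ == "__main__":
    stanzas = generate_mesh(SITES)
    print(f"{len(SITES)} sites -> {len(stanzas)} tunnels (full mesh)")
    for n in (5, 10, 21, 50):
        print(f"{n:3d} sites: mesh={tunnel_count(n):5d}  hub-and-spoke={hub_and_spoke_count(n):3d}")
    print(stanzas[0])
```

Running it prints the tunnel count for several mesh sizes (21 sites is exactly the 210 tunnels Paysafe faced) and the first generated stanza; each of those stanzas would need its own certificate distribution, firewall rule and monitoring, which is what the "weeks of work" in the quote above refers to.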

The solution Paysafe found for their challenges? Cato Cloud. With Cato, Paysafe was able to benefit from automatic, scalable, policy-based configuration and the scalability of a cloud-based service model. As a result, Paysafe was able to streamline WAN configuration and provisioning time and reduce latency by 45% compared to VPN. Just how much faster was configuration with Cato? According to Gall, “Instead of spending weeks bringing up a new site on MPLS or even a VPN, Cato Socket deployment takes no more than 30 minutes — including unboxing.”

Additionally, while Paysafe had adopted discrete security solutions before switching to Cato, the enterprise-grade security features built into the Cato network helped ensure secure scalability without the need to configure additional security appliances like NGFWs (next-generation firewalls).

Decision Time

So, with all that in mind, how do you make a decision on SD-WAN vs VPN? If you’re a small enterprise that only needs to connect a handful of sites, an Internet-based VPN can make sense. However, for use cases where scalability, performance, reliability, and operational agility matter, cloud-based SD-WAN wins the day. Not only does this hold true when comparing features on paper, but Cato customers like Paysafe and BioIVT also prove it in the real world.

If you’d like to learn more about what Cato Cloud can do for your enterprise, contact us today or subscribe to our blog. If you’d like to see Cato Cloud in action, take a look at this demo and sign up for one of your own.


  • What is SD-WAN?

    Software-defined Wide Area Network (SD-WAN) devices sit in company locations and form an encrypted overlay between themselves across any underlying transport service including MPLS, LTE, and broadband Internet services.

  • What are the benefits of SD-WAN?

    Reduced Bandwidth Costs: MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly higher than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.
    Reliable Network Across the Unreliable Internet: The ability to connect locations with multiple data services running in active/active configurations. Sub-second network failover moves sessions to another transport when a link goes down, without disrupting the application.
    Secure Communications: Encrypted connectivity secures traffic in transit across any transport.
    Bandwidth on Demand: The capability to immediately scale bandwidth up or down, so you can ensure that critical applications receive the bandwidth they need when they need it.
    Immediate Site Activation: Bring up a new office in minutes, instead of the weeks or months it takes with MPLS. SD-WAN nodes configure themselves and can use 4G/LTE for instant deployment.

  • What are the key trends driving SD-WAN adoption?

    Enterprises built their networks using legacy carrier services, such as a managed MPLS service. These services are expensive, require weeks to months to activate sites, and require waiting for the service provider to make even the simplest of changes.
    SD-WAN offers an escape from that, bringing agility and cost efficiencies to IT networking. The SD-WAN connects locations over several Internet connections, aggregating them with an encrypted overlay. Policies, application-aware routing, and dynamic link assessment in the overlay allow for the optimum use of the underlying Internet connections.
    Ultimately, SD-WAN delivers the right performance and uptime characteristics by taking advantage of the inexpensive public Internet while providing the security and availability the enterprise needs.

  • What are the limitations of SD-WAN?

    Lack of a global backbone: SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a performant and reliable network backbone is left unaddressed by SD-WAN appliances alone.
    Lack of advanced security features: SD-WAN appliances help address many modern networking use cases, but on their own they do not address security requirements. As a result, enterprises often need to manage a patchwork of security and networking appliances from different vendors (like CASBs) to meet their needs. This in turn leads to increased network cost and complexity, as each appliance must be sourced, provisioned, and managed by in-house IT or an MSP.
    No support for the mobile workforce: By design, SD-WAN appliances are built for site-to-site connectivity. Securely connecting mobile users is left unaddressed by SD-WAN appliances.
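The "policies, application-aware routing, and dynamic link assessment" described under the key trends above, together with the active/active failover listed under the benefits, reduce to one decision an edge makes for every flow: which of the currently measured links satisfies this application's requirements. The following added example (not Cato's or any vendor's code) shows that decision logic over constructed link measurements and two constructed application policies; a real edge would refresh the measurements from continuous probes and re-run the selection per session, which is what makes sub-second failover possible.

```python
"""Application-aware path selection across several Internet links.

Added illustration of the dynamic link assessment an SD-WAN overlay performs.
Link measurements and application policies are constructed; a real edge
refreshes the stats continuously from probes and re-evaluates per session.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkStats:
    name: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float          # used to steer bulk traffic to cheap links


@dataclass(frozen=True)
class AppPolicy:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer_cheap: bool = False  # bulk apps: cheapest link that meets the SLA


@dataclass(frozen=True)
class Decision:
    link: Optional[str]   # None only when every link is down
    within_sla: bool      # False when traffic had to fall back to a degraded link


# Constructed policies: voice is latency/loss sensitive, backups only need to arrive cheaply.
POLICIES: Dict[str, AppPolicy] = {
    "voip": AppPolicy("voip", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0),
    "backup": AppPolicy("backup", max_latency_ms=500, max_jitter_ms=200, max_loss_pct=5.0, prefer_cheap=True),
}

# Constructed measurements for two active/active links at one site.
BROADBAND = LinkStats("broadband", up=True, latency_ms=40, jitter_ms=5, loss_pct=0.2, cost_per_gb=0.01)
LTE = LinkStats("lte", up=True, latency_ms=80, jitter_ms=25, loss_pct=0.5, cost_per_gb=0.50)


def meets_sla(link: LinkStats, policy: AppPolicy) -> bool:
    """A link is usable for an application only if it is up and inside every threshold."""
    return (link.up
            and link.latency_ms <= policy.max_latency_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)


def select_path(links: List[LinkStats], policy: AppPolicy) -> Decision:
    """Choose a link for one application class.

    Preference: links meeting the SLA, then cheapest (bulk) or lowest
    latency+jitter (real-time). If nothing meets the SLA, keep the traffic
    flowing on the best link that is up and flag the miss so it can be alerted on.
    """
    up = [l for l in links if l.up]
    if not up:
        return Decision(None, False)
    candidates = [l for l in up if meets_sla(l, policy)]
    pool = candidates or up
    if policy.prefer_cheap:
        best = min(pool, key=lambda l: (l.cost_per_gb, l.latency_ms))
    else:
        best = min(pool, key=lambda l: (l.latency_ms + l.jitter_ms, l.loss_pct))
    return Decision(best.name, bool(candidates))


def route_table(links: List[LinkStats], policies: Dict[str, AppPolicy] = POLICIES) -> Dict[str, Optional[str]]:
    """Per-application link choice: the overlay's current forwarding policy."""
    return {app: select_path(links, p).link for app, p in policies.items()}


def scenarios() -> Dict[str, Dict[str, Optional[str]]]:
    """Re-evaluate the route table as link conditions change."""
    return {
        "healthy": route_table([BROADBAND, LTE]),
        # loss on broadband: voice moves to LTE, backups stay on the cheap link
        "broadband_lossy": route_table([replace(BROADBAND, loss_pct=3.0), LTE]),
        # broadband down: everything fails over to LTE
        "broadband_down": route_table([replace(BROADBAND, up=False), LTE]),
        "all_down": route_table([replace(BROADBAND, up=False), replace(LTE, up=False)]),
    }


if __name__ == "__main__":
    for name, table in scenarios().items():
        print(f"{name:16s} {table}")
```

The "broadband_lossy" scenario is the interesting one: the same degraded link is unacceptable for voice yet still the right choice for backups, which is what application-aware routing adds over a plain VPN tunnel that treats all traffic alike. The `within_sla` flag matters operationally: a fallback keeps sessions alive but should raise an alert, since it means no link currently meets the policy.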