SD-WAN: What is Software-Defined WAN?


Software-Defined Wide-Area-Network (SD-WAN) is defined as a virtual WAN architecture that allows enterprises to securely and efficiently connect users to applications. This technology solution brings unparalleled agility and cost savings to networking.

With SD-WAN, organizations can deliver more responsive, more predictable applications at a lower cost and in less time than with the managed MPLS services traditionally used by the enterprise. IT becomes far more agile: sites can be deployed in minutes; any available data service can be used, such as MPLS, dedicated Internet access (DIA), broadband, or wireless; sites can be reconfigured instantly; and migration to hybrid cloud is more easily supported.

SD-WAN does this by separating applications from the underlying network services with a policy-based, virtual overlay. This overlay monitors the real-time performance characteristics of the underlying networks and selects the optimum network for each application based on configuration policies.


What is SD-WAN Technology?

SD-WAN technology is a new way to manage and optimize a wide area network. It is designed to address the changing use of enterprise networks due to the growth of cloud computing and mobile devices. It is a more flexible solution than MPLS, better supporting a distributed and mobile workforce, and is more reliable and scalable than VPN-based WAN.

SD-WAN is implemented as a network of SD-WAN appliances connected by encrypted tunnels. Each SD-WAN appliance is connected to a set of network services (typically MPLS and some Internet services) and monitors the current availability and performance of each of these services. Traffic reaching an SD-WAN appliance is classified based upon application and prioritized using a set of centrally-managed priorities before being sent out over the best available network link.

SD-WAN makes it possible to replace MPLS, which is expensive and time-consuming to connect to new locations. It also allows security functionality to be distributed to the network edge, making it unnecessary to send all traffic through the enterprise data center for scanning before forwarding it to cloud services, a practice that degrades latency and performance.

By converging networking and security functionality, an SD-WAN can eliminate the need to deploy expensive point security products at branch locations. An SD-WAN with a large network of globally-distributed points-of-presence (PoPs) can provide high-performance, secure networking with centralized management and visibility.

What’s the Difference between SD-WAN and SDN?

SD-WANs implement software-defined networking (SDN) principles to connect locations. SDN was first introduced in the data center with the goal of increasing network agility by separating the data plane from the control plane. The policies and routing intelligence run in one or more servers (“controllers”), which instruct the networking elements that forward the packets (switches and routers).

SDN created an overlay across the local network, opening up a world of possibilities in efficiency and agility. SD-WAN creates an overlay across the wide-area network, bringing similar efficiency and agility gains.

Why Do Enterprises Need SD-WAN?

The cloud and high levels of mobility characterize how people use networks today. WANs, however, were designed in an era in which the focus was on linking physical locations. Using the old approach to support the new needs results in expensive global connectivity, complex topologies and widely dispersed “point products” that are difficult to maintain and secure.

The unending and cumbersome cycle of patching, updating and upgrading requires skilled techs, an increasingly scarce commodity. That’s especially distressing because all this complexity is an inviting target for hackers, who can exploit misconfigurations, software vulnerabilities, and other attack surfaces.

There are several reasons that legacy WANs no longer are up to the job. MPLS, the focal point of the old approach, is expensive and requires long lead times for deployment to new locations. Legacy WANs only touch the Internet at secure Web portals, usually at the data center. This leads to the “trombone” effect of sending Web data back and forth across networks. The result is added latency and exhaustion of the supply of MPLS links as Internet traffic increases. Direct Internet access, which would link branch offices to the Internet, is expensive and could overwhelm rudimentary branch hardware. Finally, the WAN was designed when the emphasis was on linking physical assets such as offices and data centers. This approach isn’t ideal for this new and varied world.

What are the Limitations of SD-WANs?

Though SD-WAN brings many benefits, there are also key limitations. Extending the SD-WAN to the cloud requires installing an SD-WAN appliance in or near the cloud provider’s data center, a complicated if not impossible task. Mobile users are entirely ignored by SD-WAN.

And while traffic is encrypted, exposing branches to the Internet raises the threat of malware, phishing emails, and other attacks. Deploying security appliances at the branch means that the costs of purchasing, sizing, and maintaining those appliances continue. Enterprises are still forced to upgrade appliances as traffic volumes grow, and IT still needs to apply the full range of security functions. Finally, troubleshooting is also made more difficult, as personnel have to jump between networking and security consoles to reach the root cause. This is inefficient and can lead to errors and overlooked information about the problem at hand.

How Do Cloud-based SD-WAN Services Address Those Challenges?

The emerging option is to converge security and networking functions together into cloud-scale software. All Internet and WAN traffic is sent to and received from the provider’s point of presence (PoP) running the software. PoPs, in turn, communicate over their own backbone, avoiding the performance problems associated with the Internet core. This approach is known as SD-WAN as a service or SD-WAN 3.0.

The important point is that the challenges of running both networking and security stacks at the branch office are alleviated. The SD-WAN devices in this case form a “thin edge” with minimal processing. The main task these devices perform is to assess packets and determine whether they should be sent to the Internet, to the MPLS links, or elsewhere. With the core security and networking processing done in the cloud, SD-WAN as a service can continue to inspect traffic at line rate regardless of traffic volumes or enabled features.

What are SD-WAN Services?

An SD-WAN managed service is a carrier- or service provider-based SD-WAN offering. It guarantees the organization a certain level of performance across its network. The carrier provides the transport and connects the enterprise to real and virtual technology at the carrier data center and perhaps in third-party clouds.

SD-WAN managed services don’t answer the question of how to secure branch-based Internet access. They are simply a different business and management approach to the same technological infrastructure.

How does SD-WAN Work?

Software-defined WAN (SD-WAN) is designed to solve many of the challenges associated with traditional WAN design. SD-WAN abstracts away the details of the networking layer, allowing the WAN to use a variety of different connection types interchangeably, including LTE, MPLS, and broadband Internet.  This abstraction can improve network bandwidth, performance, and redundancy and enables centralized management and orchestration.

SD-WAN works by creating a network of SD-WAN appliances connected by encrypted tunnels. Each site on the WAN has its own SD-WAN appliance, and all traffic flows through that appliance. Since all appliances are centrally managed, consistent networking policies can be enforced throughout the organization. When traffic enters an SD-WAN appliance, the appliance determines the type of application traffic and routes it to its destination based upon existing policies and the availability and performance of different network links.
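As an added example (not code from the original page or from any SD-WAN product), the following Python sketches the selection step described here and the failover behaviour the redundancy section later describes: flows are classified by application, each class carries a centrally managed SLA policy, per-link probe measurements decide which transport carries the flow, and a link that goes down or breaches its SLA is replaced by the next best candidate. The port-to-application map, thresholds and link measurements are all constructed.

```python
"""Application-aware, policy-based link selection as an SD-WAN appliance
might perform it. Constructed illustration only: the port map, SLA
thresholds and link measurements are made up, not taken from any product."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class LinkHealth:          # latest probe results for one underlay transport
    name: str              # e.g. "mpls", "dia" (direct Internet access), "lte"
    up: bool
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost_rank: int         # 1 = cheapest transport, higher = more expensive


@dataclass(frozen=True)
class AppPolicy:           # centrally managed SLA for one application class
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred: tuple = ()  # ordered transport preference, e.g. ("mpls",)
    prefer_cheapest: bool = False   # tie-break on cost instead of latency


# Constructed classification: destination port -> application class.
PORT_TO_APP = {5060: "voice", 5061: "voice", 443: "saas", 3306: "database", 21: "bulk"}

POLICIES = {
    "voice": AppPolicy("voice", 150, 1.0, 30, preferred=("mpls",)),
    "database": AppPolicy("database", 100, 0.5, 20, preferred=("mpls",)),
    # SaaS breaks out locally over DIA instead of tromboning via the data center.
    "saas": AppPolicy("saas", 250, 2.0, 50, preferred=("dia",)),
    "bulk": AppPolicy("bulk", 1000, 5.0, 200, prefer_cheapest=True),
    "best-effort": AppPolicy("best-effort", 500, 3.0, 100, prefer_cheapest=True),
}


def classify(dst_port: int) -> str:
    return PORT_TO_APP.get(dst_port, "best-effort")


def meets_sla(link: LinkHealth, policy: AppPolicy) -> bool:
    return (link.up and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.jitter_ms <= policy.max_jitter_ms)


def select_link(policy: AppPolicy, links: list) -> Optional[str]:
    """Pick the transport for one flow: only up links meeting the class SLA are
    candidates; if none does, degrade to the best up link rather than dropping
    the flow. Returns None only when every link is down."""
    up = [lk for lk in links if lk.up]
    if not up:
        return None
    pool = [lk for lk in up if meets_sla(lk, policy)] or up

    def rank(lk: LinkHealth):
        pref = (policy.preferred.index(lk.name)
                if lk.name in policy.preferred else len(policy.preferred))
        tiebreak = lk.cost_rank if policy.prefer_cheapest else lk.latency_ms
        return (pref, tiebreak, lk.loss_pct)

    return min(pool, key=rank).name


def route(flows: list, links: list) -> dict:
    """Map each (flow_id, dst_port) pair to the link chosen by its class policy."""
    return {fid: select_link(POLICIES[classify(port)], links) for fid, port in flows}


def with_link_down(links: list, name: str) -> list:
    """Simulate a transport outage as the probes would report it."""
    return [replace(lk, up=False) if lk.name == name else lk for lk in links]


# Constructed sample: three underlays probed at one instant, four flows.
LINKS = [
    LinkHealth("mpls", True, latency_ms=40, loss_pct=0.1, jitter_ms=5, cost_rank=3),
    LinkHealth("dia", True, latency_ms=60, loss_pct=0.5, jitter_ms=10, cost_rank=2),
    LinkHealth("lte", True, latency_ms=120, loss_pct=1.5, jitter_ms=40, cost_rank=1),
]
FLOWS = [("voip-call", 5060), ("crm-saas", 443), ("nightly-ftp", 21), ("misc", 8080)]
```

Calling `route(FLOWS, LINKS)` places voice on MPLS, SaaS on DIA and bulk traffic on the cheapest link; `route(FLOWS, with_link_down(LINKS, "mpls"))` moves the voice flow to DIA, the only remaining link inside its SLA.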

Traditional SD-WAN is hardly perfect. Many SD-WANs do not include integrated security, so each branch location must deploy its own standalone security products. SD-WAN also requires the deployment of an SD-WAN appliance at each endpoint, which makes it difficult or impossible to use for cloud and mobile traffic. Finally, SD-WAN often relies upon the public Internet, which can cause reliability concerns. However, many of these problems are solved with secure access service edge (SASE) platforms.


Top 5 SD-WAN benefits explained

Designed to provide an alternative to traditional MPLS-based WAN, Software-defined WAN (SD-WAN) provides organizations with five major benefits when compared to MPLS.

1. Reduced WAN costs

MPLS bandwidth is expensive, and it can take weeks or months to provision a new MPLS link, compared to days with SD-WAN. Both in cost of operation and in lost business opportunity, MPLS is inferior to SD-WAN.

2. Enhanced WAN performance

MPLS is very effective at routing traffic between two static locations, but the growth of the cloud makes this less useful to businesses. SD-WAN’s policy-based routing allows traffic to be optimally sent through the network based upon the needs of the underlying application.

3. Improved WAN agility

SD-WAN also provides much more agile networking than MPLS. With SD-WAN, the network layer is abstracted away, allowing the use of a variety of different transport mechanisms throughout the WAN.

4. Simplified WAN management

With MPLS, an organization may need to deploy a variety of standalone appliances to manage WAN optimization and security. With SD-WAN, these operations can be centralized, allowing organizations to scalably manage growing networks.

5. Increased WAN availability

Finally, SD-WAN can provide dramatic redundancy and availability improvements over MPLS. With MPLS, adding redundant links can be expensive. SD-WAN, on the other hand, can route traffic over a different transport mechanism in the case of an outage.


How to Connect Multiple Offices

WAN connections to branch offices have a variety of different constraints: they must be secure, reliable, affordable, and offer enterprise-level network performance. Several different solutions exist, but many of them have their issues.

A common solution to connecting branch locations is the use of VPNs over the public Internet. While these can provide the security that an organization may require, they are often difficult to set up and may not meet the organization’s needs. Mobile VPN clients are non-existent or clunky, and physical VPN appliances can be time-consuming to deploy and may not meet the needs of a mobile workforce. The dependence of VPN upon the public Internet means that VPNs may also not provide the reliability that the enterprise requires.

While MPLS provides more reliable, high-performance network connections, MPLS connections are slow to deploy, and MPLS bandwidth is expensive. The technology is also ill-suited to mobile and cloud users and lacks built-in security.

Cloud-based software-defined WAN (SD-WAN) provides a solution to the challenges of branch networking. Cloud-based points-of-presence (PoPs) connected by layer-1 network connections backed by SLAs provide high-performance, reliable, and affordable networking. The network of cloud-based PoPs makes it possible for users to connect from anywhere with minimal latency, and an integrated security stack provides security throughout the network.


SD-WAN Security

MPLS and appliance-based software-defined WAN (SD-WAN) can both provide an organization with the networking capabilities needed for a WAN. However, they often have significant security shortcomings. MPLS lacks any encryption of its circuits, and both MPLS and appliance-based SD-WAN may have no built-in security. As a result, many organizations using these systems deploy standalone security appliances at each location to provide the necessary cybersecurity protections.

However, this approach to WAN security can be complex, unscalable, and expensive since each new location requires another set of security appliances. Each of these appliances must be individually purchased, configured, monitored, and managed, which creates significant costs throughout their lifetimes. This approach also does not work for the cloud and mobile, where security appliances cannot be deployed on-site.

Cloud-based SD-WAN provides a solution to this problem. By placing points-of-presence (PoPs) in the cloud, they can achieve global coverage, allowing users to connect via a nearby PoP and use the SD-WAN with minimal latency impacts. These PoPs can also have integrated security functionality, removing the need to deploy standalone appliances at each location and enabling centralized networking and security visibility across the enterprise WAN. Networking and security integration can also improve performance since networking and security appliances can be optimized to interoperate with one another.


SD-WAN vs. MPLS: The Pros and Cons?

As global organizations become more common, the need to connect geographically-distributed LANs via a WAN becomes extremely important. In order to compete effectively, organizations need access to stable, high-performance WAN at an affordable price. Three options exist for providing this: the public Internet, MPLS, and software-defined WAN (SD-WAN).

The first option for an enterprise is to route internal traffic over the public Internet. The two primary advantages of this approach are quick setup and relatively low costs since broadband Internet is widely accessible and typically affordable. However, these advantages come at the cost of unstable performance, volatile latency, and a lack of end-to-end management.

MPLS is designed to provide high-performance and reliable network connections backed by SLAs guaranteeing latency, packet delivery, and availability. However, these high-performance connections are expensive and extremely slow to deploy (taking weeks or months). MPLS connections are also ill-suited to cloud computing since traffic must be pulled back to a centralized access point before being sent out to its destination.

SD-WAN provides the best of both worlds by abstracting away the details of the network infrastructure. By choosing the optimal route from a collection of public Internet connections and MPLS links, SD-WAN can balance performance and cost on a per-application basis. Cloud-based SD-WAN provides additional benefits, including integrated security, support for mobile and cloud users, and predictable latency and packet loss.


MPLS Alternative

MPLS, a common choice for enterprises that need high-speed, reliable network connections, provides guaranteed availability, packet loss, and latency backed by SLAs.

Yet while the technology is indeed mature and built for the enterprise, it also has its disadvantages. The guaranteed features of MPLS mean that MPLS bandwidth is expensive, not to mention that changing MPLS connections is difficult as new connections can take weeks or months to deploy. This affects the ability to set up new branch locations, expand bandwidth at existing locations, and other network changes.

Software-defined WAN (SD-WAN) is designed to provide an alternative to MPLS that addresses these challenges. SD-WAN, which consists of a network of SD-WAN appliances that are connected via tunnels over multiple transport media, abstracts away the network layer and optimally routes traffic over a variety of different data services depending on the type of application traffic. As a result, it can reduce the cost of networking and allows rapid deployment.

And yet, SD-WAN is not a perfect solution. Its reliance upon existing communications links means that MPLS may still be needed for certain applications, and SD-WAN appliances often do not have security built-in by default. Addressing these issues, and expanding coverage to mobile and cloud users, requires cloud-based SD-WAN.


SD-WAN Redundancy vs MPLS Redundancy

Redundancy is vital for the enterprise WAN. Network outages are a leading cause of downtime, so redundant network connections are needed to minimize downtime. Software-defined WAN (SD-WAN) is a viable alternative to MPLS for enterprise WAN, but reliability and redundancy can be an issue. However, if implemented properly, SD-WAN can offer better redundancy than MPLS.

MPLS is well-known for its middle-mile reliability. However, the same level of reliability is often not attainable for last-mile connections. MPLS bandwidth is expensive, so the price of last-mile redundancy can be prohibitive. As a result, downtime can be easily caused by events that terminate this last-mile connection. Last-mile redundancy requires dual-homed connections that are routed in different ways to different providers. Typically, MPLS offers active-passive redundancy with failover based upon route or DNS convergence.

SD-WAN is designed to abstract away the network layer and allow traffic to be routed over a variety of different connections. Therefore, all SD-WAN connections are in active use at all times, with real-time availability and performance monitoring. This not only improves the bandwidth and reliability of WAN connectivity but also enables active-active redundancy. In the case of an outage in one transport method, data can seamlessly be routed via an alternative connection. Thus, in addition to providing high middle-mile redundancy, SD-WAN can also provide better last-mile redundancy than MPLS.


SD-WAN vs VPN: How Do They Compare?

Internet-based VPNs and cloud-based software-defined WAN (SD-WAN) are two options for an enterprise WAN, both offering much lower cost and higher flexibility than MPLS. In the SD-WAN vs VPN comparison, cost, performance, reliability, and configuration & maintenance are important factors to consider.

The costs associated with the enterprise WAN boil down to the costs associated with acquiring the necessary hardware or software and the costs of deploying, configuring, maintaining, and monitoring it. Acquiring SD-WAN hardware incurs some costs, but the costs of operating and maintaining it are relatively low. With VPN, software can be cheap or even free, but the complexity of maintaining a VPN-based WAN can be significant.

The performance of a VPN is limited by the public Internet that it runs on, which can create significant latency for long-distance connections. A cloud-based SD-WAN running over a private backbone, on the other hand, has high performance regardless of connection distance. The reliance of VPNs upon the public Internet also hurts them in terms of reliability, since links can go down unexpectedly. An SLA-backed cloud-based SD-WAN running on Tier-1 private links has much higher reliability.

Finally, VPN-based WANs can have significant configuration and maintenance costs due to the complexity of creating different encrypted tunnels for each point-to-point connection. These connections also lack centralized visibility and monitoring, making them more complex to secure. A cloud-based SD-WAN can be easily deployed to a site and is centrally managed, minimizing configuration and maintenance costs.


SD-WAN as a Service

SD-WAN as a Service extends the core capabilities of traditional SD-WAN. It converges the WAN edge, a global backbone and a full network security stack into a unified cloud-native platform. Known as SASE (Secure Access Service Edge), it is built to optimally connect and secure all enterprise resources: physical locations, cloud datacenters, and the mobile workforce. By integrating SD-WAN into SASE, enterprises can gradually transform their WAN and address the full WAN transformation journey without deploying multiple point solutions.


Last Mile Constraints

MPLS is well-known for middle-mile reliability; however, the same is not true for last-mile. The cost of MPLS bandwidth often makes deploying redundant last-mile connections cost-prohibitive, leading organizations to seek alternative solutions.

Two early methods for dealing with the last-mile reliability problem are the use of a backup Internet connection and link-bonding. While a backup Internet connection can help to deal with MPLS outages, the failover process is slow and often results in a loss of current connections. Link-bonding attempted to solve the problem of last-mile reliability by aggregating multiple different last-mile transport services. While this positively impacted last-mile bandwidth and reliability, it did nothing to help the middle-mile.

Software-defined WAN (SD-WAN) takes the concept of link-bonding a step further. By abstracting away the network details, SD-WAN is able to present a range of transport options as a single pipe to an application and perform traffic routing behind the scenes.

This allows SD-WAN to provide numerous advantages for an enterprise WAN. The last mile can be optimized using policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream). With cloud-based SD-WAN, where the middle mile is composed of private Tier-1 backbones, it is also possible to perform middle-mile optimization, allowing SD-WAN to compete with MPLS with regard to middle-mile network reliability and performance.


A History of SD-WAN

Software-defined WAN (SD-WAN) brings the abstraction of SDN to the WAN; however, it is only the latest in a series of transformations of WAN.

The very first stage of WAN, in the 1980s, used point-to-point (PPP) lines to connect different LANs. The price and efficiency of these connections were improved with the introduction of Frame Relay in the early 1990s. Instead of requiring a direct PPP connection between each pair of communicating parties, Frame Relay allowed connection to a “cloud” from a service provider, allowing shared last-mile link bandwidth and the use of less expensive router hardware.

The next stage was the introduction of Multiprotocol Label Switching (MPLS), which provided an IP-based means of carrying voice, video, and data on the same network. MPLS provides dependable network connections protected by SLAs but is expensive and slow to provision.

In 2013, SD-WAN emerged, showing the potential to be a viable and cost-effective alternative to MPLS – making it the logical next step in WAN technology. By abstracting away the network layer and routing traffic based upon a collection of centrally defined and managed policies, SD-WAN is able to optimize routing and prioritization of various types of application traffic. The flexibility provided by SD-WAN also allows it to better meet the needs of cloud and mobile users. As this type of use is becoming more common, it is unsurprising that many organizations are anticipated to adopt SD-WAN.


The Evolution of SD-WAN

SD-WAN 1.0: Hungry for bandwidth

The first stage of SD-WAN evolution was focused on solving the issues of availability and last-mile bandwidth. New MPLS links are expensive and slow to provision, and the use of an Internet backup meant that the backup was only used in the case of an outage. Using link-bonding, an SD-WAN predecessor could combine multiple different types of connections at the link level, improving last-mile bandwidth.

SD-WAN 2.0: The rise of SD-WAN startups

The limitation of link bonding is that it only improved last-mile performance. Achieving improved performance throughout the WAN required routing awareness throughout the path. Early SD-WAN solutions offered virtualization failover/failback and application-aware routing. With application-aware routing, SD-WAN could move away from being fully reliant on MPLS links and optimally route traffic based upon the application type.

SD-WAN 3.0: Reaching out

The latest stage of SD-WAN evolution focuses on going beyond networking branch locations. As organizations increasingly move resources to the cloud, SD-WAN provides a solution for securely connecting these cloud deployments to the enterprise WAN.




  • What is SD-WAN?

    Software-defined Wide Area Network (SD-WAN) devices sit in company locations and form an encrypted overlay between themselves across any underlying transport service including MPLS, LTE, and broadband Internet services.

  • What are the benefits of SD-WAN?

    Reduced Bandwidth Costs: MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly higher than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.
    Reliable Network Across the Unreliable Internet: The ability to connect locations with multiple data services running in active/active configurations. Sub-second network failover allows sessions to move to new transports in the event of downtime without disrupting the application.
    Secure Communications: Encrypted connectivity secures traffic in transit across any transport.
    Bandwidth on Demand: The capability to immediately scale bandwidth up or down, so you can ensure that critical applications receive the bandwidth they need when they need it.
    Immediate Site Activation: Bring up a new office in minutes, instead of weeks and months that it takes with MPLS. SD-WAN nodes configure themselves and can use 4G/LTE for instant deployment.

  • What are the key trends driving SD-WAN adoption?

    Enterprises built their networks using legacy carrier services, such as a managed MPLS service. These services are expensive, require weeks to months to activate sites, and require waiting for the service provider to make even the simplest of changes.
    SD-WAN offers an escape from that, bringing agility and cost efficiencies to IT networking. The SD-WAN connects locations with several Internet connections, aggregating them together with an encrypted overlay. Policies, application-aware routing, and dynamic link assessment in the overlay allow for the optimum use of the underlying Internet connections.
    Ultimately, SD-WAN delivers the right performance and uptime characteristics by taking advantage of the inexpensive public Internet with the security and availability needed by the enterprise.

  • What are the limitations of SD-WAN?

    Lack of a global backbone: SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a performant and reliable network backbone is left unaddressed by SD-WAN appliances alone.
    Lack of advanced security features: SD-WAN appliances help address many modern networking use cases, but don’t help with security requirements. As a result, enterprises often need to manage a patchwork of security and networking appliances from different vendors (like CASBs) to meet their needs. This in turn leads to increased network cost and complexity, as each appliance must be sourced, provisioned, and managed by in-house IT or an MSP.
    No support for the mobile workforce: By design, SD-WAN appliances are built for site-to-site connectivity. Securely connecting mobile users is left unaddressed by SD-WAN appliances.
