SD-WAN vs VPN: How Do They Compare?

One thing I learned from BioIVT’s transition from Internet-based VPN (Virtual Private Network) to cloud-based SD-WAN is selecting the right networking solution for the use case can have tremendous business impact. In their case, time spent provisioning new locations was reduced by months.

Internet-based VPN, which is the use of IPsec tunnels (or similar encryption methods) and physical or virtual VPN appliances to securely connect multiple sites on a WAN over the public Internet, has been a staple on corporate WANs for years. By providing enterprises a means to reduce bandwidth costs, albeit, with some reliability and performance tradeoffs, Internet-based VPN has served as an alternative to MPLS (Multiprotocol Label Switching) for select WAN connectivity use cases. 

While Internet-based VPN vs MPLS was the debate for some time, WAN technology has evolved in recent years. During that time, SD-WAN has emerged as an enterprise WAN connectivity solution that provides a combination of cost efficiency, agility, and cloud-friendliness that neither MPLS nor Internet-based VPN can match. Cloud-based SD-WAN, in particular, has proven to be a game-changer by adding reliability and baked-in security features to the mix. 

With all the moving parts involved in making a decision, how can you determine if Internet-based VPN or SD-WAN makes sense for your organization’s use case? We’ll answer that question here.

SD-WAN vs VPN: Benefits and Limitations

When comparing WAN connectivity solutions, cost, performance, reliability, and configuration & maintenance are important to consider. Let’s see how the SD-WAN vs VPN debate stacks up in those categories.

SD-WAN vs VPN: Cost

Both Internet-based VPN and SD-WAN enable enterprises to leverage affordable public-Internet bandwidth. In small deployments, VPN can be an inexpensive solution for a few sites and simple WAN topology. For example, a simple site-to-site connection can be achieved using commodity servers and open source software like Openswan. However, as we saw with BioIVT, the complexity and bottlenecks created by the scaling VPN-based networks can outweigh upfront cost savings by a wide margin.

SD-WAN vs VPN: Performance

Internet-based VPN is inherently tied to the public Internet from a performance perspective. Beyond spikes in congestion impacting performance, traversing long geographical distances generally comes with significant latency on VPN-based WANs.  

Further, VPN lacks performance optimization features like dynamic path selection, QoS (Quality of Service), and application-aware routing that help ensure applications like VoIP and telepresence deliver the required levels of performance. SD-WAN delivers these features, and with cloud-based SD-WAN, latency over significant geographical distances becomes a non-issue. Cato’s SLA-backed global private backbone consists of over 45 PoPs (Points of Presence) around the world. As traffic is routed to the nearest PoP and over Cato’s high-speed backbone, the performance issues associated with the public Internet in the middle-mile are averted. 

SD-WAN vs VPN: Reliability

Before the dust settled on the SD-WAN vs MPLS debate, a common argument against both appliance-based SD-WAN and VPN was the lack of an SLA with the public Internet. Enterprises demand predictable, reliable performance. VPN is still reliant upon the public-Internet, but Cato’s SLA-backed global backbone is connected by multiple Tier-1 providers across the globe. This enables the Cato Cloud to deliver predictable service and reliability at levels that meet or exceed MPLS.

SD-WAN vs VPN: Configuration & Maintenance

VPN configuration often entails extensive manual work. IPsec tunneling, IKE (Internet Key Exchange), and NAT-T (Network Address Translation Traversal) require a high level of expertise to configure securely and scale. As more and more sites are added to a WAN, maintaining the network becomes increasingly difficult. This, in turn, leads to performance issues and a disjointed WAN infrastructure. 

Paysafe Financial Services experienced the issues associated with scaling VPN first-hand. After multiple mergers and acquisitions, Paysafe was left with a backbone made up of MPLS circuits and Internet-based VPN connections. To create a truly meshed network using Internet-based VPN, Paysafe would have required 210 VPN tunnels, a massive investment of time and resources. According to Stuart Gall, then Infrastructure Architect at Payscale, VPN, in particular, was a pain point on their WAN. In regards to their VPN connectivity, Gall said, “Invariably we’d have someone at a site needing connectivity to a different location, forcing a reprovisioning process. That could take weeks of work with approvals and all.”

The solution Paysafe found for their challenges? Cato Cloud. With Cato, Payscale was able to benefit from automatic, scalable, policy-based configurations and the scalability of a cloud-based service model. As a result, Paysafe was able to streamline WAN configurations and provisioning time and reduce latency by 45% when compared to VPN. Just how much faster was configuration with Cato? According to Gall, “Instead of spending weeks bringing up a new site on MPLS or even a VPN, Cato Socket deployment takes no more than 30 minutes — including unboxing.” 

Additionally, while Paysafe adopted discrete security solutions before switching to Cato, the enterprise-grade security features built-in to the Cato network helped to ensure secure scalability without the need to configure additional security appliances like NGFWs (next-generation firewalls).

Decision Time

So, with all that in mind, how do you make a decision on SD-WAN vs VPN? If you’re a small enterprise that only needs to connect a handful of sites, an Internet-based VPN can make sense. However, for use cases where scalability, performance, reliability, and operational agility matter, cloud-based SD-WAN wins the day. Not only does this hold true when comparing features on paper, but Cato customers like Payscale and BioIVT also prove it in the real world.

If you’d like to learn more about what Cato Cloud can do for your enterprise, contact us today or subscribe to our blog. If you’d like to see Cato Cloud in action, take a look at this demo and sign up for one of your own.