SD-WAN Concepts

Multi-site businesses used to connect branches with MPLS — expensive, slow to provision, but reliable. SD-WAN is the architectural response: aggregate multiple cheaper transports (broadband, fiber, LTE) under a central control plane that picks the right link for each application in real time. The result is comparable reliability at a fraction of the cost, with built-in application-aware routing that MPLS alone never provided. For multi-branch businesses it has largely replaced the MPLS-only design; for single-site businesses it overlaps heavily with dual-WAN failover and SASE.

What SD-WAN is

SD-WAN consists of three layers:

  1. Edge devices at each site terminate multiple WAN transports (e.g., business cable, fiber, 5G).
  2. Overlay tunnels connect each site's edge device to every other site, riding on top of the underlying transports.
  3. A centralized control plane distributes policy, monitors link quality, and orchestrates which traffic uses which path.

From the application's perspective, the WAN is one logical network. The complexity of "which transport is up and how do we move traffic to a different one" is hidden behind the overlay.

Application-aware routing

The defining feature of SD-WAN is that routing decisions consider what the traffic is, not just where it's going. Policy can say:

  • VoIP and video conferencing → lowest-jitter path.
  • Bulk file transfers → highest-bandwidth path.
  • Cloud SaaS (Microsoft 365, Google Workspace) → break out locally instead of backhauling to HQ.
  • Compliance-sensitive traffic → encrypted-by-policy path only.
  • Default → least-cost path (prefer broadband to MPLS, for example).

The controller measures each link continuously and routes accordingly. When a link degrades, voice traffic switches paths transparently mid-call.

The MPLS replacement story

Property                                | MPLS-only                | SD-WAN
----------------------------------------|--------------------------|-------------------------------------
Cost per Mbps                           | High                     | Lower (uses commodity broadband)
Provisioning time                       | 30-90 days per circuit   | Days (broadband is fast to install)
Reliability per link                    | High (carrier-grade)     | Variable per transport
Reliability across multiple transports  | N/A                      | Higher (failover between transports)
Local internet breakout for SaaS        | Requires special config  | Native
Centralized management                  | Vendor-dependent         | Core feature

The economics often justify replacement: combining two broadband connections through SD-WAN can match or exceed MPLS reliability at far lower cost per Mbps.

Local internet breakout

Traditional MPLS architectures backhauled all internet traffic to HQ for security inspection before letting it out. This worked when most apps were internal. It is wasteful when most traffic is to cloud SaaS — a branch's Microsoft 365 traffic shouldn't have to traverse MPLS to HQ and back out.

SD-WAN supports local breakout: SaaS-bound traffic exits the local broadband directly, while traffic for internal applications goes over the WAN overlay. This is a major performance and cost improvement.

Forward error correction and packet duplication

Some SD-WAN products implement transport-level resilience tricks:

  • Forward Error Correction: add redundancy to each transmission so lost packets can be reconstructed from received ones.
  • Packet duplication: send the same packet over two different transports; whichever arrives first is used. Doubles bandwidth use; eliminates retransmission latency.

These are useful for latency-sensitive workloads on lossy links — VoIP over wireless transports, for example.
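Both mechanisms in miniature, as an added example rather than any product's implementation: a one-packet XOR parity code over a group of equal-length packets, and a receiver that deduplicates copies sent over two transports by sequence number. The payloads, group size and arrival order are constructed for the demo.

```python
from __future__ import annotations

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def fec_encode(group: list[bytes]) -> list[bytes]:
    """Append one XOR parity packet to a group of equal-length data packets."""
    parity = bytes(len(group[0]))
    for p in group:
        parity = _xor(parity, p)
    return group + [parity]

def fec_decode(received: dict[int, bytes], k: int) -> list[bytes] | None:
    """received maps position -> payload for k data packets plus parity at position k.
    A single lost packet is rebuilt by XORing everything else; two losses defeat the code."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        return None
    if missing:
        rebuilt = bytes(len(next(iter(received.values()))))
        for p in received.values():
            rebuilt = _xor(rebuilt, p)
        received = {**received, missing[0]: rebuilt}
    return [received[i] for i in range(k)]

class DupReceiver:
    """Receiver side of packet duplication: the first copy of each sequence number wins."""
    def __init__(self) -> None:
        self.seen: set[int] = set()
        self.delivered: list[tuple[int, str]] = []
    def accept(self, seq: int, transport: str) -> bool:
        if seq in self.seen:
            return False            # late duplicate from the other transport: dropped
        self.seen.add(seq)
        self.delivered.append((seq, transport))
        return True

def demo_fec() -> tuple[bool, bool]:
    """One loss in a group of four is recovered; two losses are not."""
    data = [b"voip-frame-%d" % i for i in range(4)]   # constructed equal-length payloads
    group = fec_encode(data)
    one_lost = {i: p for i, p in enumerate(group) if i != 2}
    two_lost = {i: p for i, p in enumerate(group) if i not in (1, 2)}
    return fec_decode(one_lost, 4) == data, fec_decode(two_lost, 4) is None

def demo_duplication() -> list[tuple[int, str]]:
    """Constructed arrival order over cable and LTE; the cable copy of seq 2 never arrived."""
    rx = DupReceiver()
    for seq, transport in [(1, "cable"), (1, "lte"), (2, "lte"), (3, "lte"), (3, "cable")]:
        rx.accept(seq, transport)
    return rx.delivered
```

A production receiver bounds the seen set with a sliding window; here it grows without limit for clarity.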

The control plane

SD-WAN's policy and monitoring are typically managed via a cloud-hosted controller (some vendors offer on-prem options). Operators define policies in a central interface; the controller pushes configuration to all edge devices and aggregates telemetry. Changes that used to require touching every router can now happen with a single policy edit.

SD-WAN vs SASE

SASE (Secure Access Service Edge) extends SD-WAN by adding cloud-delivered security. Traffic from a branch goes to the SASE provider, which inspects it (firewall, IPS, DNS filtering, secure web gateway), then forwards to the destination. SD-WAN handles transport; SASE adds inline security in the same control plane.

For multi-site businesses wanting to consolidate security and networking, SASE is a natural evolution. For single-site shops, the value proposition is weaker — you may already do all of that with a local firewall.

When SD-WAN is overkill

  • One office, one or two internet connections. A modern firewall with dual-WAN failover does most of what SD-WAN offers without the licensing cost.
  • Pure cloud-native organizations with no internal apps. The WAN doesn't matter; ZTNA and identity-aware proxies cover access.
  • Very small businesses where the management overhead exceeds the value.

Implementation considerations

  • Vendor lock-in. SD-WAN is an overlay; you can't easily mix vendor A's edges with vendor B's controller.
  • Licensing model. Per-site, per-bandwidth, or per-user. Costs vary widely.
  • Encryption posture. Most SD-WAN overlays use IPsec or similar. Verify the cipher suite and key management.
  • Underlay quality still matters. SD-WAN can route around problems but can't create bandwidth or latency out of thin air. A poor broadband connection is still a poor connection.

Frequently Asked Questions

What is SD-WAN?

Software-Defined Wide Area Network — an architecture where multiple WAN transports (broadband, fiber, LTE, MPLS) are aggregated under one logical overlay, with a centralized policy plane deciding which traffic uses which path. Routing decisions adapt per-application based on link health, latency, and policy, instead of being statically configured on each device.

How is SD-WAN different from regular dual-WAN failover?

Dual-WAN typically operates on a per-flow basis with simple failover — if the primary link is down, traffic moves to the secondary. SD-WAN is application-aware: voice traffic might prefer the low-jitter link while file transfers use the high-bandwidth link, with each measured continuously and routed dynamically. Policies, monitoring, and configuration are centralized rather than per-device.

What is path selection in SD-WAN?

The mechanism by which SD-WAN decides which link to send each packet over. The controller monitors each link's latency, jitter, packet loss, and available bandwidth in real time. Policy defines per-application requirements ("VoIP needs less than 30ms jitter"). The controller picks the path that meets the requirements; if conditions degrade, it switches paths without dropping the session.
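Path selection as described in this answer and in the Application-aware routing section above, as an added example that is not part of the original page or any vendor's controller: each application's policy filters the links by hard requirements (jitter, loss, encryption, link up) and ranks the survivors by a preference. The Link and AppPolicy types, the thresholds and the three-transport telemetry are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

@dataclass
class Link:             # per-transport telemetry the controller measures continuously
    name: str
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float
    cost: int           # relative cost per Mbps; lower is cheaper
    encrypted: bool     # an overlay tunnel (e.g. IPsec) runs on this path
    up: bool = True

@dataclass
class AppPolicy:        # per-application requirements, mirroring the policy bullets
    name: str
    max_jitter_ms: float = float("inf")
    max_loss_pct: float = float("inf")
    require_encrypted: bool = False
    prefer: str = "cost"   # rank eligible links by cost, jitter or bandwidth

_RANK = {"cost": lambda l: l.cost, "jitter": lambda l: l.jitter_ms,
         "bandwidth": lambda l: -l.bandwidth_mbps}
def eligible(link: Link, policy: AppPolicy) -> bool:
    """Hard requirements: the link must be up and meet every threshold in the policy."""
    return (link.up and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct
            and (link.encrypted or not policy.require_encrypted))

def select_path(links: list[Link], policy: AppPolicy) -> str | None:
    """Best eligible link under the policy's preference, or None if nothing qualifies."""
    candidates = [l for l in links if eligible(l, policy)]
    return min(candidates, key=_RANK[policy.prefer]).name if candidates else None

# Constructed sample telemetry for one branch with three transports.
LINKS = [Link("mpls", jitter_ms=2, loss_pct=0.0, bandwidth_mbps=50, cost=10, encrypted=True),
         Link("cable", jitter_ms=8, loss_pct=0.2, bandwidth_mbps=500, cost=1, encrypted=True),
         Link("lte", jitter_ms=25, loss_pct=1.5, bandwidth_mbps=40, cost=4, encrypted=False)]
POLICIES = [AppPolicy("voip", max_jitter_ms=30, max_loss_pct=1.0, prefer="jitter"),
            AppPolicy("bulk-transfer", prefer="bandwidth"),
            AppPolicy("compliance", require_encrypted=True),
            AppPolicy("default")]

def route_table(links: list[Link] = LINKS) -> dict[str, str | None]:
    """What the controller pushes to the edge: one chosen path per application."""
    return {p.name: select_path(links, p) for p in POLICIES}
def reroute_on_degradation() -> tuple[str | None, str | None]:
    """Voice rides mpls until its jitter breaches policy, then moves with no manual change."""
    degraded = [replace(l, jitter_ms=45) if l.name == "mpls" else l for l in LINKS]
    return select_path(LINKS, POLICIES[0]), select_path(degraded, POLICIES[0])
```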

Does SD-WAN replace MPLS?

Often, yes — at least partially. Many organizations replace expensive MPLS circuits with cheaper broadband or fiber and use SD-WAN to provide the reliability MPLS used to. Others keep MPLS for some traffic and add broadband to expand capacity. SD-WAN's value is letting you mix transports without managing each statically.

What is SASE?

Secure Access Service Edge — an architecture that combines SD-WAN with cloud-delivered security services (firewall, secure web gateway, ZTNA, CASB). Traffic from branches goes to the cloud SASE provider where security policy is applied centrally, instead of each branch needing its own security stack. SASE is essentially "SD-WAN plus integrated security as a cloud service."
