What is SD-WAN?
Software-Defined Wide Area Network
A virtualized WAN architecture that abstracts transport links (MPLS, broadband, LTE/5G) and uses software-based policy to select the optimal path for each application.
SD-WAN decouples the WAN control plane from the underlying transport, allowing organizations to use a mix of MPLS, broadband internet, and cellular links. A centralized controller pushes application-aware routing policies to edge appliances at each site. The edge devices measure link quality metrics like latency, jitter, and packet loss in real time, steering traffic to the best available path per application SLA.
Key capabilities include zero-touch provisioning (ZTP) for rapid branch deployment, application identification via deep packet inspection, forward error correction (FEC) to compensate for lossy links, and WAN optimization for TCP-heavy workloads. Most SD-WAN platforms also build encrypted overlay tunnels (typically IPsec) across all transports, creating a full mesh or hub-and-spoke topology.
SD-WAN on its own does not provide security inspection. This is why SASE pairs SD-WAN with SSE: traffic is steered by the SD-WAN edge to the nearest PoP for security inspection before reaching its destination. Organizations that deploy SD-WAN without integrated security often end up maintaining separate firewall stacks at every branch, negating the operational simplification that SD-WAN was supposed to deliver.
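As an added illustration of the per-application path selection described above (example code written for this page, not any SD-WAN vendor's implementation): the edge holds probe results per transport, checks each link against the application's SLA, honours an ordered transport preference among compliant links, and degrades to the least-bad live link during a brown-out or outage. Link metrics, SLA thresholds and scoring weights are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Link:
    # Real-time probe results for one transport (constructed values for this example).
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass
class AppSla:
    # Per-application SLA thresholds pushed by the controller (hypothetical policy format).
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: tuple = ()  # ordered transport preference among SLA-compliant links

def meets_sla(link: Link, sla: AppSla) -> bool:
    return (link.up and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms and link.loss_pct <= sla.max_loss_pct)

def quality_score(link: Link) -> float:
    # Lower is better; weights are an arbitrary choice for the example, loss is penalised hardest.
    return link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct

def select_path(links, sla):
    """Pick the transport for one application. Returns the link name, or None if nothing is up."""
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        # Honour the ordered preference first (e.g. keep voice on MPLS while it meets the SLA).
        by_name = {l.name: l for l in compliant}
        for name in sla.preferred:
            if name in by_name:
                return name
        return min(compliant, key=quality_score).name
    # Brown-out or outage: no link satisfies the SLA, so degrade to the least-bad link that is up.
    alive = [l for l in links if l.up]
    return min(alive, key=quality_score).name if alive else None

LINKS = [Link("mpls", 20, 2, 0.1), Link("broadband", 45, 15, 1.5), Link("lte", 90, 30, 3.0)]  # constructed
VOICE = AppSla("voip", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0, preferred=("mpls",))
BULK = AppSla("backup", max_latency_ms=500, max_jitter_ms=100, max_loss_pct=5.0, preferred=("broadband",))

def failover_demo():
    degraded = [Link("mpls", 20, 2, 0.1, up=False)] + LINKS[1:]  # simulate the MPLS circuit going down
    return select_path(LINKS, VOICE), select_path(LINKS, BULK), select_path(degraded, VOICE)
```

With MPLS down, no remaining link meets the voice SLA (broadband and LTE both exceed 1% loss), so voice degrades to broadband as the least-bad live path rather than being black-holed.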
SASE (Secure Access Service Edge): A cloud-delivered architecture that converges SD-WAN and security services (SWG, CASB, ZTNA, FWaaS) into a single, globally distributed platform.
MPLS (Multiprotocol Label Switching): A WAN transport technology that routes traffic using short path labels rather than IP addresses, providing predictable latency and guaranteed bandwidth through provider-managed circuits.
PoP (Point of Presence): A geographically distributed data center operated by a SASE/SSE provider where security inspection and traffic optimization occur as close to the user as possible.
FWaaS (Firewall as a Service): A cloud-delivered next-generation firewall that provides IPS, application control, and threat prevention without on-premises hardware, typically running in the provider's PoPs.