What is an SD-WAN?

A software-defined wide area network (SD-WAN) connects local area networks (LANs) across large distances using controlling software that works with a variety of networking hardware.

Learning Objectives

After reading this article you will be able to:

  • Explain what an SD-WAN is
  • Contrast SD-WANs with traditional WANs
  • Compare SD-WAN with NaaS

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is an SD-WAN?

A wide area network (WAN) is a network that connects local area networks (LANs) across long distances. Large organizations often use a WAN to connect their various branch offices and locations to the central corporate network. In traditional WANs, the software that defines how traffic flows in the network is tightly integrated with the hardware that actually directs the traffic. Typically this software/hardware combination is purchased from a single networking vendor.

A software-defined WAN (SD-WAN) is a more flexible WAN architecture that can take advantage of multiple hardware platforms and connectivity options. The controlling software works with any networking hardware. An organization can set up an SD-WAN using off-the-shelf hardware rather than specialized hardware. This makes SD-WANs cheaper, more flexible, and more scalable than traditional WANs.

SD-WAN with multiple connection methods and network types

Think about the difference between a desktop computer that runs a proprietary operating system and a desktop computer that runs an operating system that works with a variety of computers, for instance Linux. For the first desktop computer, the software and the hardware are tightly integrated. The operating system and the hardware on which it runs must be purchased together. In contrast, Linux operating systems can run on many types of desktop computers from various vendors. Someone who wants a computer that runs Linux can choose from a wide range of computers, from cheaper models to expensive high-end gaming computers, or they can build their own computer from off-the-shelf hardware components.

While the pros and cons associated with this choice in desktop computers are not related to the pros and cons associated with traditional WANs versus SD-WANs, a similar principle applies: as with Linux operating systems, SD-WAN software is decoupled from the underlying hardware, giving organizations more choices for what hardware they will use.

How do SD-WANs work?

SD-WANs are made possible by separating the control plane from the data plane. In networking, the control plane refers to all elements that direct where data goes. The data plane forwards data as directed by the control plane.

Historically, the control plane and the data plane were coupled tightly using vendor-specific hardware appliances. SD-WANs separate the software-based control plane from the hardware-based data plane, enabling routing to occur in software that runs on commodity hardware rather than in specialized hardware routers.

What are some of the advantages of using an SD-WAN?

  • Flexibility: SD-WANs can use a variety of approaches for routing, even legacy methods used by traditional WANs. SD-WANs can be provisioned more easily — by purchasing commodity hardware as necessary rather than being dependent on one networking vendor.
  • Cost savings: Because organizations are not locked in to purchasing both software and hardware from the same vendor, they can buy cheaper hardware that costs less to maintain. In addition, SD-WANs can use regular Internet connections rather than multiprotocol label switching (MPLS) connections, which are more expensive (compare SD-WANs vs. MPLS in more depth).
  • Scalability: SD-WANs can easily scale up or down to meet business needs. The use of regular Internet connections makes it simpler to add or remove sites and expand bandwidth.

What is software-defined networking (SDN)?

Software-defined networking (SDN) refers to a category of technologies that make it possible to manage a network and adjust network topology via software. SD-WANs are one of the ways that the principles of SDN can be applied. All SD-WANs use SDN; not all networks constructed with SDN are SD-WANs.

SD-WAN vs. network-as-a-service (NaaS)

Network-as-a-service (NaaS) is a model in which networking services are purchased from a cloud provider, as opposed to an organization configuring their own network.

For NaaS, an organization only needs Internet connectivity to configure and use their internal network. Depending on how the service is configured, NaaS may offer greater flexibility and more cost savings compared to SD-WANs, just as other cloud service models like SaaS and IaaS do compared to traditional on-premise computing.

Cloudflare Magic WAN is one example of the NaaS model. Magic WAN is designed to replace hardware appliances and expensive, proprietary circuits with the Cloudflare global network. Learn more about Magic WAN, or about NaaS.

SD-WAN and Zero Trust

With potentially multiple connectivity methods used in an SD-WAN, traffic may flow in directions not anticipated by traditional security measures that assume they are placed on the edge of a network and are defending that network's perimeter. SD-WAN implementations may also increase the attack surface due to using a wider range of hardware and wider types of connections involved.

For these reasons, traditional security measures may be ill-suited to defend SD-WANs against attacks. Zero Trust security, in contrast, is designed to verify legitimate traffic and block malicious traffic no matter its origin. Zero Trust security requires strict identity verification for anything trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. While classic IT network security trusts anything inside the network, a Zero Trust architecture implicitly trusts no one.

An SD-WAN and Zero Trust integration is therefore often desirable for organizations that want flexible connectivity combined with strict network security. Rather than knitting together two disparate solutions, ideally an SD-WAN provider natively includes Zero Trust security measures. Learn how such a deployment works.

Is SD-WAN Dead?

The growing need for organizations to support a “work-from-anywhere” model has led IT teams to modernize the corporate network. Is MPLS flexible and secure enough to scale? Is SD-WAN the best solution to meet business requirements? Read current Gartner® research on the future of SD-WAN and understand how:

  • “Demand for lighter-weight and lower-cost SD-WAN functionality is growing to address “coffee shop networking.”
  • “Remote-only users rarely need SD-WAN functionality”
  • ”Stand-alone SD-WAN products that don’t address security are effectively dead. SD-WAN functionality is increasingly delivered as part of a broader security offering such as next-generation firewall (NGFW) or SASE.”
Read the research.