What is SD-WAN?

A software-defined wide area network (SD-WAN) connects local area networks (LANs) across large distances using controlling software that works with a variety of networking hardware.

Learning Objectives

After reading this article you will be able to:

  • Explain what SD-WAN is
  • Contrast SD-WANs with traditional WANs
  • Compare SD-WAN with NaaS


What is SD-WAN?

Software-defined wide area networking (SD-WAN) is a flexible approach to offering network connectivity across multiple locations. It relies on software-defined networking (SDN) concepts to manage the network. Many organizations find that SD-WAN supports cloud computing and hybrid workforces better than legacy networking models.

How does SD-WAN work?

A wide area network (WAN) is a network that connects local area networks (LANs) across long distances. Large organizations use WANs for branch networking, connecting their various branch offices and locations to the central corporate network. In traditional WANs, the software that defines how traffic flows in the network is tightly integrated with the hardware that actually directs the traffic. Typically this software/hardware combination is purchased from a single networking vendor. Connections between branch offices have also typically used multiprotocol label switching (MPLS) to establish static, clearly defined network paths to centralized data centers and to each other.

A software-defined WAN (SD-WAN) is a more flexible WAN architecture that can take advantage of multiple hardware platforms and connectivity options. The controlling software works with a variety of networking hardware. SD-WANs can use a range of networking methods for branch connectivity, from virtual private networks (VPNs) to the public Internet to MPLS (although organizations are often looking to transition away from MPLS when adopting SD-WAN). This makes SD-WANs cheaper, more flexible, and more scalable than traditional WANs. It also allows them to dynamically route traffic based on network conditions for better performance.

[Diagram: SD-WAN with multiple connection methods and network types]

SD-WAN is often purchased from a single vendor as a managed service; however, the cost savings still apply.

SD-WAN architecture components

  • SD-WAN controller: This centralized component controls policy decisions, such as how traffic should be managed and which routes should be used.
  • SD-WAN edge: This is the point where the SD-WAN intersects with local networks (e.g., a branch location's WiFi network). The edge receives instructions and enforces policies from the controller. The edge often includes security protections such as firewalls.
  • SD-WAN orchestrator: This component coordinates across the SD-WAN, pushing out policies from the controller. It allows administrators to manage the whole network (including local network policies) from one dashboard instead of several.
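The split between a controller that holds policy and an edge that applies it to live link conditions is easier to see in code. The following is an added example, not Cloudflare's or any vendor's implementation: a toy controller policy table (per-application latency, loss and jitter thresholds) and an edge-side selection routine that picks one underlay link per application class, re-deciding whenever measurements change. The link names, measurements and thresholds are constructed sample values.

```python
"""Toy model of SD-WAN path selection: a controller-defined policy table and an
edge that picks an underlay link per application class from measured link
conditions. Added example; not Cloudflare or any vendor's code. Link
measurements and policy thresholds are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    """One underlay connection available at a branch edge."""
    name: str            # e.g. "mpls", "broadband", "lte"
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost_per_gb: float   # relative cost, used as primary key or tiebreaker
    up: bool = True


@dataclass
class AppPolicy:
    """Controller-side SLA for an application class."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    prefer_cheapest: bool = True   # False = quality first (e.g. voice)


# Hypothetical policy table the controller would push to every edge.
CONTROLLER_POLICY = {
    "voip": AppPolicy(150, 1.0, 30, prefer_cheapest=False),
    "saas": AppPolicy(300, 2.0, 80),
    "backup": AppPolicy(1000, 5.0, 500),
}


def sample_links() -> List[Link]:
    """Constructed measurements for a branch with three underlays."""
    return [
        Link("mpls", latency_ms=20, loss_pct=0.1, jitter_ms=2, cost_per_gb=8.0),
        Link("broadband", latency_ms=35, loss_pct=0.5, jitter_ms=10, cost_per_gb=0.5),
        Link("lte", latency_ms=80, loss_pct=1.5, jitter_ms=40, cost_per_gb=3.0),
    ]


def eligible_links(links: List[Link], policy: AppPolicy) -> List[Link]:
    """Links that are up and currently satisfy the policy's thresholds."""
    return [
        l for l in links
        if l.up
        and l.latency_ms <= policy.max_latency_ms
        and l.loss_pct <= policy.max_loss_pct
        and l.jitter_ms <= policy.max_jitter_ms
    ]


def select_link(app: str, links: List[Link],
                policy_table=CONTROLLER_POLICY) -> Optional[str]:
    """Edge-side decision for one flow of class `app`.

    Returns the chosen link name, or None when no link meets policy; the
    caller decides whether to fall back to best effort or hold the flow.
    """
    policy = policy_table[app]
    candidates = eligible_links(links, policy)
    if not candidates:
        return None
    if policy.prefer_cheapest:
        best = min(candidates, key=lambda l: (l.cost_per_gb, l.latency_ms))
    else:  # quality first: latency, then loss, cost last
        best = min(candidates, key=lambda l: (l.latency_ms, l.loss_pct, l.cost_per_gb))
    return best.name


def route_table(links: List[Link]) -> dict:
    """Decision for every application class, as an edge would recompute it
    each time link measurements change."""
    return {app: select_link(app, links) for app in CONTROLLER_POLICY}


if __name__ == "__main__":
    links = sample_links()
    print("healthy:", route_table(links))
    links[1].loss_pct = 3.0          # broadband starts dropping packets
    print("broadband lossy:", route_table(links))
    links[0].up = False              # MPLS circuit goes down
    print("mpls down:", route_table(links))
```

Running the script walks through three states: with healthy links voice rides MPLS while cost-sensitive classes take broadband; when broadband becomes lossy, SaaS traffic moves to LTE but backups stay on broadband because their tolerance is looser; when MPLS also fails, voice has no compliant path and the function returns `None`, which is the case an operator's alerting should key on rather than silently degrading.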

What are some of the advantages of using SD-WAN?

  • Flexibility: SD-WAN can use a variety of approaches for routing, even legacy methods used by traditional WANs. MPLS, wireless links, VPNs, broadband, and the public Internet can all provide network connections in an SD-WAN.
  • Cost savings: SD-WAN can use regular Internet connections rather than multiprotocol label switching (MPLS) connections, which are more expensive.
  • Scalability: SD-WANs can easily scale up or down to meet business needs. The use of regular Internet connections makes it simpler to add or remove sites and expand bandwidth.

What is software-defined networking (SDN)?

Software-defined networking (SDN) refers to a category of technologies that make it possible to manage a network and adjust network topology via software. SD-WANs are one of the ways that the principles of SDN can be applied. All SD-WANs use SDN; not all networks constructed with SDN are SD-WANs.

Is SD-WAN part of a network modernization strategy?

Network modernization is the process of replacing or augmenting legacy network equipment with cloud-delivered services. A modernized network architecture can rely on a number of different networking models for branch and remote connectivity, and SD-WAN can be one of them.

SD-WAN vs. network-as-a-service (NaaS)

Network-as-a-service (NaaS) is a model in which networking services are purchased from a cloud provider, as opposed to an organization configuring their own network.

For NaaS, an organization only needs Internet connectivity to configure and use its internal network. Depending on how the service is configured, NaaS may offer greater flexibility and more cost savings compared to SD-WAN, just as other cloud service models like SaaS and IaaS do compared to traditional on-premises computing. (Cloudflare Magic WAN is one example of the NaaS model.)

However, as organizations modernize their networks, they may take several intermediary steps in transitioning from legacy WANs to NaaS or other more flexible models. To maintain business continuity, some may prefer a careful approach instead of a hard cutover to a completely new networking model.

SD-WAN and Zero Trust

With potentially multiple connectivity methods used in an SD-WAN, traffic may flow in directions not anticipated by traditional security measures that assume they are placed at the edge of a network and are defending that network's perimeter. SD-WAN implementations may also increase the attack surface because a wider range of hardware and connection types is involved.

For these reasons, traditional security measures may be ill-suited to defend SD-WANs against attacks. Zero Trust security, in contrast, is designed to verify legitimate traffic and block malicious traffic no matter its origin. Zero Trust security requires strict identity verification for anything trying to access resources on a private network, regardless of whether it sits within or outside of the network perimeter. While classic IT network security trusts anything inside the network, a Zero Trust architecture trusts no one by default.
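The contrast between "trust anything inside the network" and "verify every request" can be written down as two access-decision functions. The following is an added example, not Cloudflare's product logic: a perimeter check that looks only at the source address, beside a Zero Trust check that requires a verified identity, a completed second factor, a passing device posture check and group-based authorization for the resource, and ignores which network the request came from. The address ranges, users, groups, resources and requests are all constructed sample data.

```python
"""Access decision for a resource reached across an SD-WAN: the perimeter
model beside a Zero Trust model. Added example; not Cloudflare's product
logic. Networks, users, groups and requests are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Address ranges the perimeter model treats as "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical authorization data: resource -> allowed groups, user -> groups.
RESOURCE_GROUPS = {"hr-portal": {"hr"}, "wiki": {"hr", "eng"}}
USER_GROUPS = {"alice": {"hr"}, "bob": {"eng"}}


@dataclass
class Request:
    src_ip: str
    resource: str
    user: Optional[str] = None      # identity proven to the access layer, if any
    mfa: bool = False               # second factor completed for this session
    device_compliant: bool = False  # posture check (e.g. disk encryption, EDR)


def perimeter_allows(req: Request) -> bool:
    """Classic model: anything arriving from an internal address is trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero Trust model: every request must prove identity, MFA and device
    posture and be authorized for the resource; source network is ignored.
    Returns (allowed, reason) so the reason can be logged for detection."""
    if req.user is None:
        return False, "no verified identity"
    if not req.mfa:
        return False, "mfa not completed"
    if not req.device_compliant:
        return False, "device failed posture check"
    if not USER_GROUPS.get(req.user, set()) & RESOURCE_GROUPS.get(req.resource, set()):
        return False, f"{req.user} not authorized for {req.resource}"
    return True, "identity, mfa, posture and authorization verified"


def compare(req: Request) -> dict:
    """Both models' verdicts for one request, side by side."""
    zt_ok, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": zt_ok, "reason": reason}


if __name__ == "__main__":
    # Constructed requests: an unauthenticated host on a branch LAN, an HR
    # employee on a public address with MFA and a compliant device, and an
    # engineer on the LAN asking for an HR-only resource.
    for r in [Request("10.1.2.3", "hr-portal"),
              Request("203.0.113.5", "hr-portal", user="alice", mfa=True, device_compliant=True),
              Request("10.1.2.4", "hr-portal", user="bob", mfa=True, device_compliant=True)]:
        print(r.src_ip, r.resource, compare(r))
```

The first request shows the gap the article describes: the perimeter model allows it purely because the packet arrived from a branch LAN address reachable over the SD-WAN, while the Zero Trust check denies it for lack of any verified identity. The second is the reverse, a legitimate user on an untrusted network. Returning the denial reason as a string rather than a bare boolean is deliberate, since those reasons are what a security team would want to see in access logs.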

An SD-WAN and Zero Trust integration is therefore often desirable for organizations that want flexible connectivity combined with strict network security. Rather than knitting together two disparate solutions, ideally an SD-WAN provider natively includes Zero Trust security measures. Learn how such a deployment works.