
SD-WAN Architecture: The Basics and How We Can Help You Improve



SD-WAN architecture is a virtual wide area network overlay that supports existing IT infrastructures with an effective networking foundation. In essence, it enables users to connect to applications through MPLS links, LTE or other broadband internet connectivity in a fast, reliable and productive manner.

The architecture is an application-driven solution that organisations can implement. It is especially beneficial for organisations that require a more streamlined and secure access point for their preferred business applications. The need to send traffic between branches and data centres has increased rapidly over the past decade, rendering traditional models obsolete because of increased latency, hindered application performance and high security risks.

With several enterprises migrating to cloud-based applications and SaaS subscription-based models, businesses and organisations, especially those with multinational and international branches, can benefit from a cloud-native SD-WAN framework. It delivers optimal application performance, improved business productivity, better customer experiences and profitability, all while offering a simplified network solution and reducing network costs.


The difference between SD-WAN architecture and conventional models is distribution. The conventional model distributes the main control functions across multiple devices on a particular network, so that each device makes its own routing decisions. Conversely, SD-WAN, such as the CATO SASE Cloud built on the SASE model Gartner defined, was designed to support cloud-native enterprises (AWS, Azure, Salesforce, Office365), delivering a far superior application quality of experience (QoEx) for all its users. It achieves this in the following ways:

  • Identifying cloud-based applications
  • Providing intelligent, application-aware routing across wide area networks (WANs)
  • Guaranteeing QoS and enforcing security policies according to business needs
  • Ensuring the highest levels of cloud performance
  • Protecting enterprises from security threats and breaches

Thus, SD-WAN architecture offers network-wide control and visibility through simplified technology and can communicate with all network endpoints without the expense of additional mechanisms.  


There are three main types of SD-WAN architecture: 

  • Premises-based SD-WAN: Ideal for smaller organisations with local branches. An appliance is installed onsite to deliver the SD-WAN functionality.
  • MPLS-based SD-WAN: We recommend this solution when several network endpoints require more than one appliance. A virtual IP network is created between the appliances, allowing end-to-end packet control.
  • Internet-based SD-WAN: Uses public internet connectivity together with multiple, location-specific appliances to achieve SD-WAN capabilities.

In 2019, Gartner introduced SASE (secure access service edge), which allowed basic SD-WAN functionality to evolve with more advanced security features. The SASE architecture enables high-level security controls to be applied directly in the cloud, delivering better customer experiences while mitigating security risks.


The main benefit of SD-WAN architecture is security, which includes the following:

  • End-to-end encryption
  • Authenticated devices and endpoints
  • Optimal software-defined security
  • Scalability of key-exchange functionality


If you are evaluating your legacy MPLS, VPN or SD-WAN network and looking for a replacement, speak to Cloudbox about the CATO SASE (Secure Access Service Edge) network. SASE is an enterprise networking technology category introduced by Gartner in 2019 that converges the functions of network and security point solutions into a unified, global cloud service. These include SD-WAN, Global Private Backbone, Secure Web Gateway, Firewall as a Service, and more.

We can deploy CATO SASE to expand or replace legacy networks, MPLS, SD-WAN and VPN solutions, thereby securely connecting branches, remote users, datacentres and cloud services into a single, cloud-based configuration and management platform.

The benefits of CATO SASE include the following:

  • Always-on VPN
  • Secure remote access
  • MPLS replacement
  • Zero Trust Network Access
  • Global private network
  • Reduced complexity
  • Enhanced security


Four main attributes mark SASE architecture: it is identity-driven, it is cloud-native, it supports all edges, and it is globally distributed.


Identity-Driven:

Cato applies security and networking policies based on user identity rather than IP addresses. This reduces complexity for the end user and the burden of network administration, while delivering a single set of policies to all users irrespective of device or location.
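To make the identity-versus-IP distinction concrete, here is an added illustration (not Cloudbox or Cato code; all names, groups and networks are constructed) that evaluates the same request under a legacy IP-based ACL and under an identity-based policy. The same finance user opens the ERP system from head office, from a branch and from home; only the identity-based decision follows her.

```python
"""Added illustration: identity-based policy travels with the user, IP-based policy
does not. Networks, groups and application names are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Session:
    user: str          # authenticated identity (assumed to be asserted by the IdP)
    group: str         # directory group the user belongs to
    src_ip: str        # address the user happens to be connecting from
    app: str           # application requested

# Constructed sample: an IP-based ACL, as a legacy perimeter firewall would hold it.
IP_ACL = [
    (ip_network("10.10.0.0/16"), {"erp", "crm"}),   # head-office LAN
    (ip_network("10.20.0.0/16"), {"crm"}),          # branch LAN
]

# Constructed sample: an identity-based policy keyed on directory group.
IDENTITY_POLICY = {
    "finance": {"erp", "crm"},
    "sales": {"crm"},
}

def ip_based_decision(s: Session) -> bool:
    """Legacy model: the decision depends only on the source address."""
    addr = ip_address(s.src_ip)
    for net, apps in IP_ACL:
        if addr in net:
            return s.app in apps
    return False   # unknown network (home, mobile): no rule matches, so deny

def identity_based_decision(s: Session) -> bool:
    """SASE model: the decision depends on who the user is, not where they are."""
    return s.app in IDENTITY_POLICY.get(s.group, set())

def compare(sessions):
    """Return (ip_decision, identity_decision) per session for side-by-side review."""
    return [(ip_based_decision(s), identity_based_decision(s)) for s in sessions]

# Constructed sessions: the same finance user opening ERP from three locations.
SESSIONS = [
    Session("alice", "finance", "10.10.4.7", "erp"),    # head office
    Session("alice", "finance", "10.20.9.3", "erp"),    # visiting a branch
    Session("alice", "finance", "203.0.113.5", "erp"),  # home broadband (TEST-NET-3)
]

if __name__ == "__main__":
    for s, (by_ip, by_id) in zip(SESSIONS, compare(SESSIONS)):
        print(f"{s.user}@{s.src_ip} -> {s.app}: ip-based={by_ip} identity-based={by_id}")
```

The IP-based ACL grants, denies and then fails to match as the user moves; the identity-based policy yields the same answer in all three places, which is the single-policy-set property described above.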


Cloud-Native:

SASE is a cloud-first and cloud-native architecture, meaning all networking and security functions are implemented in the cloud. Only capabilities that must be deployed at the edge are delivered as simple edge clients. As a result, SASE architecture leverages key cloud capabilities, including elasticity, adaptability, self-healing and self-maintenance, to deliver security and networking uniformly across the enterprise.

Supports All Edges:

SASE creates one secure network for all company entities – datacentres, branch offices, cloud resources, and mobile users. For example, SD-WAN appliances support physical edges while mobile clients and clientless browser access connect users on the go and while working from home.

Globally Distributed:

To ensure full networking and security capabilities are available everywhere and to deliver the best possible experience to all edges, the SASE cloud is globally distributed across dozens of Points of Presence (PoPs). Enterprise edges connect to the nearest PoP, where all traffic is secured and optimised before crossing the global backbone of PoPs to its destination.


SASE Cloud:

A globally distributed cloud service that delivers networking and security capabilities to all edges. The SASE cloud operates as a single entity, and its internal structure is transparent to the end users.

SASE Edge:

Designed to connect a specific edge to the SASE cloud, SASE clients include SD-WAN appliances for branches, IPSec-enabled firewalls and routers, and device agents for Windows, Mac, iOS, Android, and Linux.


SASE PoP:

A specific instance within the SASE Cloud that hosts the resources needed to deliver the SASE capabilities, including servers, network connectivity and software. SASE PoPs are symmetrical, interchangeable, multi-tenant and mostly stateless. They are built to serve any enterprise edge connected through them as an integral part of that particular enterprise network.

SASE Management:

A cloud-based management application to configure all policies, view network and security analytics and the real-time status.

For more information about CATO SASE and SD-WAN architecture, contact the Cloudbox team at [email protected]. To find out more about our security, automation and general cloud-based solutions, visit our website at  

