What is SD-WAN?

SD-WAN (Software Defined Wide Area Network) is a networking technology that applies software defined networking principles to manage wide area networks. It separates the control plane from the data plane, enabling centralized management, dynamic traffic steering across multiple transport links and application aware routing. SD-WAN replaces rigid, MPLS centric WAN architectures with a flexible virtual overlay that uses any combination of broadband, LTE/5G and MPLS connections to optimize performance, reduce cost and integrate security. It is the foundational networking layer of SASE (Secure Access Service Edge) and a core enabler of enterprise digital transformation.

SD-WAN definition

SD-WAN (Software Defined Wide Area Network) is a virtual WAN architecture that uses software to manage and optimize network connections across geographically distributed locations. It applies the principles of Software Defined Networking (SDN) to wide area networks by separating the control plane (where routing decisions are made) from the data plane (where traffic is forwarded). This separation allows network behavior to be defined centrally through software policies rather than configured manually on each individual device.

Traditional WANs relied on dedicated MPLS circuits to connect branch offices to a central data center. This worked when applications were hosted on premises, but the shift to cloud computing, SaaS applications and remote work has made the data center centric model inefficient. Backhauling all traffic through a central site adds latency, wastes bandwidth and degrades the performance of cloud applications that users access directly from the internet.

SD-WAN solves this by creating an intelligent overlay network across any available transport: broadband internet, MPLS, LTE, 5G or any combination. The overlay monitors real time network conditions (latency, jitter, packet loss) and dynamically steers application traffic across the best available path. This approach delivers better performance at lower cost while enabling direct cloud access from every branch location.

SD-WAN architecture and components

SD-WAN architecture is built around the separation of control and data planes. The control plane defines network behavior through centralized policies; the data plane forwards traffic at each edge device according to those policies. This architecture enables centralized management of distributed networks at any scale.

1. SD-WAN edge devices
Physical or virtual appliances deployed at branch offices, data centers and cloud locations. Edge devices are the enforcement points of the SD-WAN fabric: they establish encrypted overlay tunnels, forward traffic based on centralized policies and measure link health in real time. Teldat provides a range of edge devices from compact branch routers (M2, M10-Smart) to high performance data center concentrators (SDE-20K series scaling to 40 Gbps).
2. Centralized controller
The administrative hub that provides network wide visibility and policy definition. Operators use the controller to define how applications and traffic should be treated across the entire WAN. The controller distributes routing policies, segmentation rules and SLA parameters to all edge devices. Teldat CNM Controller manages these functions through a graphical interface with REST API integration.
3. Orchestrator
Manages lifecycle operations including Zero Touch Provisioning (ZTP), firmware distribution and mass configuration. The orchestrator ensures that all edge devices remain in a consistent state and that changes propagate automatically across the network. Teldat CNM Provisioner provides template based ZTP that has been validated at scale across 2,700 branch deployments.
4. Transport layer (underlay)
The physical network connections over which the SD-WAN overlay operates: broadband internet, MPLS, LTE/5G, satellite or any IP based transport. SD-WAN is transport agnostic, meaning it can use any combination of links and switch between them dynamically. Teldat SD-WAN supports multiple underlay lines from different carriers within the same deployment.
5. Overlay network
The virtual fabric that SD-WAN constructs on top of the underlay transport. Overlay tunnels are encrypted (typically using IPsec) and managed centrally. The overlay abstracts the physical network complexity, enabling consistent policy enforcement regardless of the underlying transport type. Star, mesh or hybrid topologies can be configured through the controller.
6. Monitoring and analytics
Real time and historical visibility into application performance, link health, traffic patterns and SLA compliance. Teldat CNM Visualizer provides application level traffic monitoring and analysis, giving administrators detailed information about how users consume services and how the network responds to changing conditions.

SD-WAN vs traditional WAN and MPLS

SD-WAN and MPLS are not competing technologies in the same category. MPLS is a transport service; SD-WAN is a software architecture that can use MPLS as one of several underlay links. However, the practical effect of SD-WAN adoption is a reduction in MPLS dependency and cost, with equal or better application performance.

Dimension | Traditional WAN / MPLS | SD-WAN
Architecture | Hub and spoke; all traffic backhauled to central data center | Any topology: star, mesh or hybrid; direct cloud access from branches
Transport | Single dedicated MPLS circuit per site; expensive, long lead times | Any combination of broadband, MPLS, LTE/5G; transport agnostic
Cost | High: MPLS circuits carry significant per site monthly cost | Lower: broadband substitution reduces circuit costs by 50 to 90 percent
Deployment speed | Weeks to months for MPLS circuit provisioning | Minutes to hours with Zero Touch Provisioning
Cloud access | Traffic must traverse central data center before reaching cloud (trombone effect) | Direct internet breakout at each branch; optimized SaaS performance
Traffic steering | Static routing; manual failover to backup link | Dynamic path selection based on real time application SLA requirements
Scalability | Limited by MPLS circuit availability and cost | Horizontal scaling; add sites with broadband and ZTP
Visibility | Per device monitoring; limited application awareness | Centralized, application level analytics across entire WAN
Security | Relies on centralized security stack at data center | Integrated security at each edge; SASE integration for cloud delivered protection
Management | Device by device CLI configuration | Centralized controller with policy based management and REST APIs

The migration reality: most enterprises do not eliminate MPLS overnight. Instead, they use SD-WAN to create a hybrid architecture where MPLS carries the most sensitive traffic while broadband and LTE handle the rest. Over time, as confidence in the SD-WAN overlay grows, organizations progressively reduce MPLS circuits and shift to internet based transport. Teldat CNM SD-WAN Suite supports this hybrid migration path with active active link utilization and automatic failover.

Key benefits of SD-WAN

SD-WAN delivers measurable improvements across cost, performance, management complexity and security. These benefits compound as the network grows, making SD-WAN increasingly valuable for organizations with distributed branch architectures.

1. Reduced WAN cost
SD-WAN enables organizations to replace or supplement expensive MPLS circuits with lower cost broadband and LTE connections. The overlay ensures that application performance is maintained regardless of the underlying transport. Many organizations report WAN cost reductions of 50 to 90 percent after SD-WAN migration while maintaining or improving application performance.
2. Improved application performance
Application aware routing monitors real time link conditions (latency, jitter, packet loss) and steers each application to the best available path based on its SLA requirements. Voice and video traffic uses the lowest latency link; bulk data transfers use the highest bandwidth link. Direct internet breakout eliminates the trombone effect for cloud and SaaS applications.
3. Centralized management and visibility
A single management console provides policy definition, configuration deployment and performance monitoring across the entire WAN. Changes propagate to all edge devices automatically. Application level analytics give administrators visibility into how every application performs at every location. Teldat CNM provides this through a graphical interface with REST API integration for automation.
4. Zero Touch Provisioning
New branch offices can be deployed without skilled technicians on site. Devices ship preconfigured, connect to the controller automatically and receive their full configuration via templates. This reduces deployment time from weeks to hours and eliminates the cost of sending engineers to remote locations. Teldat has validated this capability at scale with 2,700 branches for the Junta de Andalucia.
5. Business agility and scalability
Adding new sites requires only a broadband connection and a preconfigured edge device. SD-WAN scales horizontally without the bandwidth constraints and lead times of MPLS provisioning. Network changes that previously required coordinated manual updates across dozens of devices can be implemented centrally in minutes.
6. Foundation for SASE
SD-WAN provides the networking layer of Secure Access Service Edge (SASE) architecture. By integrating SD-WAN with cloud delivered security services (SWG, CASB, ZTNA, NGFW), organizations can enforce consistent security policies across all locations without deploying standalone security appliances at each branch. Teldat SD-WAN integrates with be.Safe Pro SSE for a complete SASE deployment.
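
The application aware routing described under "Improved application performance" and in the definition section can be sketched as follows. This is an added example, not Teldat code: the SLA thresholds, link measurements and function names are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str              # underlay label: "mpls", "broadband", "lte"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float
    up: bool = True

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str            # choice among compliant links: "latency" or "bandwidth"

# Hypothetical SLA profiles; in a real deployment the controller distributes these.
SLA_PROFILES = {
    "voice":  Sla(150, 30, 1.0, "latency"),
    "saas":   Sla(250, 50, 2.0, "latency"),
    "backup": Sla(800, 200, 5.0, "bandwidth"),
}

def meets_sla(link, sla):
    """True when the link is up and every measured metric is within the SLA."""
    return (link.up
            and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)

def select_path(app, links):
    """Return (chosen link name, whether the SLA is met) for one application."""
    sla = SLA_PROFILES[app]
    alive = [l for l in links if l.up]
    if not alive:
        return None, False                 # total outage: nothing to steer onto
    compliant = [l for l in alive if meets_sla(l, sla)]
    if compliant:
        if sla.prefer == "bandwidth":
            best = max(compliant, key=lambda l: l.bandwidth_mbps)
        else:
            best = min(compliant, key=lambda l: l.latency_ms)
        return best.name, True
    # No link is within SLA: use the least lossy link and report the violation.
    best = min(alive, key=lambda l: (l.loss_pct, l.latency_ms))
    return best.name, False

# Constructed measurements for one branch with three underlay links.
HEALTHY = [
    Link("mpls", 20, 2, 0.0, 20),
    Link("broadband", 35, 8, 0.2, 500),
    Link("lte", 60, 15, 0.5, 50),
]
# Same branch after the MPLS circuit fails and broadband starts dropping packets.
DEGRADED = [
    replace(HEALTHY[0], up=False),
    replace(HEALTHY[1], loss_pct=3.0),
    HEALTHY[2],
]

def steer_all(links):
    """Path decision for every application profile against one set of measurements."""
    return {app: select_path(app, links) for app in SLA_PROFILES}

if __name__ == "__main__":
    print("healthy :", steer_all(HEALTHY))
    print("degraded:", steer_all(DEGRADED))
```

In the degraded case voice and SaaS move to LTE while backup stays on broadband, because 3 percent loss breaks the voice and SaaS thresholds but not the backup one.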

SD-WAN and security

Security is not an optional add on to SD-WAN; it is an integral part of the architecture. As SD-WAN moves traffic from private MPLS circuits to public internet, the overlay must provide equivalent or better security. Modern SD-WAN platforms integrate security at multiple layers.

1. Encrypted overlay tunnels
All traffic between SD-WAN edge devices travels through encrypted tunnels, typically using IPsec. This provides confidentiality and integrity even over public internet connections, making broadband links as secure as dedicated private circuits for overlay traffic.
2. Network segmentation
SD-WAN enables logical segmentation of the network by application, user role, department or compliance zone. Segmented traffic remains isolated, preventing lateral movement and containing potential breaches. Teldat CNM supports granular segmentation policies managed centrally.
3. Integrated Next Generation Firewall
Teldat edge devices include embedded NGFW capabilities providing intrusion prevention, application control and threat intelligence at each network node. This eliminates the need for standalone security appliances at branch locations and ensures consistent security enforcement at the network edge.
4. SASE integration with be.Safe Pro SSE
Teldat’s cloud delivered SASE platform extends security beyond the SD-WAN edge with Secure Web Gateway, CASB, ZTNA and NGFW services. Over 15,000 IPS signatures and 4,000 application decoders provide granular access control and threat prevention integrated into the SD-WAN fabric.
5. XDR for network threat detection
Teldat be.Safe XDR provides AI powered extended detection and response with real time anomaly detection in encrypted traffic, behavioral analytics and automated incident response. Combined with SD-WAN visibility, XDR delivers threat detection that spans the entire network from branch edge to cloud.
6. Centralized security policy enforcement
Security policies defined in the SD-WAN controller apply consistently across all edge devices, cloud gateways and remote access points. There is no gap between the security posture at headquarters and the security posture at a remote branch, because both are governed by the same centralized policy.
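
To make the segmentation point concrete, the following added example (not Teldat code) audits overlay flow records against a default deny segmentation policy and reports cross segment flows that the policy does not permit. The segment names, subnets, allow list and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment map: branch and data center subnets grouped by segment.
SEGMENTS = {
    "pos":         ["10.10.0.0/24", "10.20.0.0/24"],   # point of sale, two branches
    "corp":        ["10.10.1.0/24", "10.20.1.0/24"],
    "guest":       ["10.10.2.0/24"],
    "dc-payments": ["10.0.50.0/24"],
    "dc-shared":   ["10.0.60.0/24"],
}

# Hypothetical allow list of (source segment, destination segment, destination port).
# Any other flow between two different segments counts as a violation.
ALLOWED = {
    ("pos", "dc-payments", 443),
    ("corp", "dc-shared", 443),
    ("corp", "dc-shared", 53),
}

_NETS = [(ipaddress.ip_network(cidr), seg)
         for seg, cidrs in SEGMENTS.items() for cidr in cidrs]

def segment_of(ip):
    """Map an address to its segment by longest prefix match, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, seg) for net, seg in _NETS if addr in net]
    return max(matches)[1] if matches else "unknown"

def audit(flows):
    """Return flows (initiator, responder, port) that break the segmentation policy."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "unknown":
            continue                      # assumption: intra-segment traffic is allowed
        if (s, d, port) in ALLOWED:
            continue
        findings.append((src, dst, port, f"{s}->{d}"))
    return findings

# Constructed flow records, as a collector on the overlay might export them.
FLOWS = [
    ("10.10.0.15", "10.0.50.10", 443),    # pos terminal to payment service: allowed
    ("10.10.2.40", "10.10.0.15", 445),    # guest device reaching a pos terminal
    ("10.10.1.7",  "10.0.60.5",  53),     # corp DNS lookup: allowed
    ("10.20.1.9",  "10.0.50.10", 443),    # corp host reaching the payments segment
    ("10.10.0.15", "10.20.0.3",  9100),   # pos to pos across branches: same segment
    ("10.99.0.5",  "10.0.60.5",  443),    # source address not mapped to any segment
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print("violation:", finding)
```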

Deployment models and use cases

SD-WAN can be deployed on premises, as a cloud enabled service or as a managed offering from a service provider. The technology adapts to organizations of any size, from a handful of branch offices to thousands of distributed locations.

1. Branch office connectivity
The primary SD-WAN use case: connecting distributed branch offices to data centers and cloud applications with optimized performance, centralized management and lower cost than MPLS. Teldat SD-WAN supports any branch size from small retail locations (M2 router) to large regional offices (Atlas-840, RXL15000) with a consistent management experience.
2. MPLS to broadband migration
Organizations reducing MPLS dependency deploy SD-WAN to create a hybrid overlay where broadband and LTE carry the majority of traffic while MPLS handles the most sensitive workloads. The SD-WAN controller manages failover, load balancing and SLA enforcement across all transport types. Migration can be phased site by site without disrupting production traffic.
3. Direct cloud and SaaS access
SD-WAN enables local internet breakout at each branch, sending cloud and SaaS traffic directly to the internet without backhauling through the data center. This eliminates the trombone effect, reduces latency for applications like Microsoft 365, Salesforce and SAP, and frees up WAN bandwidth for internal traffic.
4. Multi cloud connectivity
Organizations using multiple cloud providers (AWS, Azure, GCP) deploy SD-WAN gateways in each cloud environment to optimize traffic between cloud workloads and branch locations. The SD-WAN overlay provides consistent routing policies and security enforcement across hybrid and multi cloud architectures.
5. Secure remote access and SASE
SD-WAN combined with SASE delivers secure access for remote users and branch offices through a unified architecture. Teldat SD-WAN with be.Safe Pro SSE provides SWG, CASB, ZTNA and NGFW as cloud delivered services, enforcing consistent security policies regardless of where users connect from.
6. Industrial and OT environments
SD-WAN extends to industrial environments where operational technology (OT) networks require secure, reliable connectivity. Teldat provides purpose built hardware for Smart Grids (Regesta series), railways (H5 Rail) and vehicles (H5 Automotive+, Celer 5G), all managed through the same CNM platform as enterprise SD-WAN.

Teldat CNM SD-WAN Suite

Teldat provides a complete, European sovereign SD-WAN solution through its CNM SD-WAN Suite. Designed for organizations of any size, from mid market enterprises to large public sector deployments, the platform combines networking, security and management in a single integrated offering.

1. CNM SD-WAN Suite
A comprehensive platform for configuring and managing enterprise SD-WAN and hybrid networks. Includes CNM Controller (centralized policy management), CNM Provisioner (Zero Touch Provisioning), CNM Visualizer (application level traffic analytics) and CNM Servicer (third party service integration). The entire solution is configurable through guided graphical interfaces with REST API support for automation.
2. Proven at European scale
Teldat operates the largest SD-WAN and XDR deployment in Europe at the Junta de Andalucia, covering 2,700 branches with centralized management, AI powered threat detection and automated incident response. This reference deployment demonstrates enterprise scale capability with a single European vendor.
3. Transport agnostic architecture
Teldat SD-WAN supports any combination of transport links: broadband, MPLS, LTE, 5G, satellite or dedicated lines. Multiple underlay connections from different carriers can operate simultaneously within the same deployment. Active active high availability ensures immediate, transparent failover between links.
4. Integrated cybersecurity
Teldat SD-WAN integrates with the complete be.Safe cybersecurity suite: embedded NGFW at each edge, be.Safe Pro SSE for cloud delivered SASE (SWG, CASB, ZTNA), and be.Safe XDR for AI powered threat detection and automated response. Security policies are managed from the same console as network policies.
5. Flexible topology support
Star, mesh or hybrid topologies can be configured through the controller. The overlay construction is generated automatically and transparent to the user. Adding advanced routing functionalities, segmentation, QoS and high availability is straightforward through the centralized management interface.
6. European sovereignty
As a European manufacturer, Teldat designs and operates its SD-WAN platform entirely under EU jurisdiction. CPSTIC certified at ENS Alta level, with the “Cybersecurity Made in Europe” label. No extraterritorial legal exposure, no non EU parent company, no foreign government access to network management or traffic data.

The Teldat SD-WAN advantage: Teldat is one of the few vendors that manufactures both the SD-WAN hardware and the software platform. Edge routers, data center concentrators and the CNM management suite are all designed and built by Teldat under European jurisdiction. This vertical integration means faster innovation, tighter security integration and a single point of responsibility for the entire SD-WAN lifecycle, from hardware design through deployment to ongoing operation.

Frequently asked questions about SD-WAN (FAQs)

❯ What is SD-WAN in simple terms?

SD-WAN (Software Defined Wide Area Network) is a technology that uses software to manage and optimize network connections between branch offices, data centers and cloud applications. Instead of relying on a single expensive MPLS circuit, SD-WAN creates an intelligent overlay across multiple transport links (broadband, LTE/5G, MPLS) and automatically routes traffic based on application requirements and real time network conditions. It is managed from a centralized controller, making it faster to deploy, easier to change and less expensive than traditional WAN architectures.

❯ What is the difference between SD-WAN and MPLS?

MPLS is a dedicated, carrier managed circuit that provides reliable but expensive connectivity with fixed bandwidth. SD-WAN is a software overlay that can use any combination of transport links, including MPLS, broadband and cellular. SD-WAN offers dynamic path selection based on application requirements, centralized management, lower cost through broadband substitution, direct cloud access without backhauling, and integrated security. Many organizations use SD-WAN to reduce MPLS dependency while maintaining or improving application performance.

❯ What are the main components of SD-WAN architecture?

SD-WAN architecture has four main components. The edge devices (physical or virtual appliances at branch offices and data centers) forward traffic and enforce policies. The controller provides centralized visibility and policy definition. The orchestrator manages lifecycle operations including zero touch provisioning and configuration distribution. The transport layer consists of the underlay connections (broadband, MPLS, LTE/5G) over which the SD-WAN overlay builds encrypted tunnels. Some architectures also include cloud gateways or points of presence for optimized cloud connectivity.

❯ How does SD-WAN improve security?

SD-WAN improves security through encrypted overlay tunnels (typically IPsec) across all transport links, network segmentation that isolates traffic by application or user role, centralized policy enforcement, and integration with security services including next generation firewall, intrusion prevention, secure web gateway and ZTNA. When combined with SASE (Secure Access Service Edge), SD-WAN extends security to cloud delivered services. Teldat SD-WAN integrates with be.Safe Pro SSE for SASE and be.Safe XDR for AI powered threat detection.

❯ What is Zero Touch Provisioning in SD-WAN?

Zero Touch Provisioning (ZTP) is the ability to ship an SD-WAN device to a remote location, power it on and have it automatically configure itself without manual intervention. The device contacts the centralized controller, downloads its configuration template, establishes overlay tunnels and joins the SD-WAN fabric. ZTP eliminates the need for skilled technicians at remote sites and enables large scale network deployments in days rather than months. Teldat CNM SD-WAN Suite provides advanced ZTP with template based deployment that has been proven at scale across 2,700 branches.

❯ Why choose Teldat for SD-WAN?

Teldat is a European network hardware manufacturer that provides a complete SD-WAN solution through its CNM SD-WAN Suite. Key differentiators include European sovereignty (designed and operated under EU jurisdiction), proven scale (2,700 branch deployment at the Junta de Andalucia, the largest SD-WAN and XDR implementation in Europe), integrated security (be.Safe Pro SSE for SASE and be.Safe XDR for threat detection), CPSTIC certification at ENS Alta level, support for any topology (star, mesh, hybrid), active active high availability, and application aware routing with SLA management through a single management console.
