What Is SD-WAN Architecture? Components, Types, & Impacts


SD-WAN architecture is the logical design of a software-defined wide area network that separates the control plane from the data plane.

It defines how network components like controllers, orchestrators, and edge appliances interact to create secure, efficient connections across diverse transport links.

The architecture provides the framework for applying policies, steering traffic, and integrating with cloud or data center environments.

 

What are the main components of SD-WAN architecture?

Diagram labeled 'SD-WAN architecture' showing six branch office icons, three on each side, connected to a central data center box at the bottom. The branches and data center also connect upward to a box labeled 'Internet' that contains cloud service logos including AWS, Azure, Google Cloud, Dropbox, Salesforce, and Workday. Green lines represent MPLS, purple lines represent cellular, and blue lines represent broadband, all shown in the key at the bottom.

The main components of SD-WAN architecture are the data plane and the control plane. Functional components include the edge, controller, orchestrator, and optional gateways or points of presence (PoPs).

Here's how it works.

SD-WAN architecture is built around the separation of planes.

The data plane is where traffic is forwarded. It moves packets across the network based on rules already in place.

Diagram titled 'SD-WAN control plane and data plane' with two labeled sections. On the left under 'Data plane' are four stacked boxes labeled Cloud, DC, Campus, and Branch, each with a blue router icon. These connect through edge routers to three central ovals labeled MPLS, Internet, and 4G/5G. Lines extend from these ovals through green icons labeled 'Smart controllers' to three orange boxes on the right under 'Control plane' labeled Orchestration, Analytics, and Automation.

The control plane is where those rules are defined. It centralizes decision-making and pushes instructions down to the devices that handle the actual traffic.

In other words: The control plane decides, the data plane delivers.

Now to the specific roles these components play in the architecture:

The diagram shows an SD-WAN architecture with labeled components and connections. At the top, two blue boxes represent the 'SD-WAN orchestrator' and 'SD-WAN controller,' stacked vertically and connected by a line. Below them, two blue cube icons labeled 'SD-WAN edge' sit on either side of the diagram, connected by a red dotted line labeled 'Tunnel virtual connection.' These edge components flank two gray circular network icons labeled 'Internet' and 'CE/MPLS.' The diagram includes a small building icon representing a branch site connected to the left SD-WAN edge. On the right, a text list titled 'SD-WAN components' describes each part: 'SD-WAN edge' as physical or virtual, 'SD-WAN controller' as centralized management of SD-WAN edges and gateways, and 'SD-WAN orchestrator' as lifecycle service orchestration of SD-WAN and other services.

  • The SD-WAN edge is the point where the network connects to a branch, a data center, or a cloud location. Edge devices handle policy enforcement and forwarding for the traffic that enters or leaves.
  • The controller provides centralized visibility and policy definition. It's the administrative hub. Operators use it to describe how applications and traffic should be treated across the WAN.
  • The orchestrator focuses on lifecycle management. It applies configurations, distributes updates, and keeps the environment consistent. Important: Controller and orchestrator are often described as separate logical roles, but in practice vendors may combine them into a single function.
  • Points of presence (PoPs) or gateways are optional nodes that extend the network, improve routing, or connect branches to a backbone. For example: A PoP can take branch traffic off the public internet and route it through a private backbone for lower latency. But not all SD-WAN architectures include them.

Each of these elements ties back to the SDN principle of separating logic from forwarding. The edges enforce. The controller defines. The orchestrator maintains. Optional gateways expand reach.

Together, they form a framework that makes SD-WAN flexible, centrally managed, and cloud-ready.


What are the different types of SD-WAN architecture?

SD-WAN architecture can be deployed in different ways depending on where key functions reside, primarily:

  • On-premises
  • Cloud-enabled
  • Cloud-enabled with a backbone

Let's dig into the details of each.

Note:
The categories below describe deployment architectures: where SD-WAN functions such as control and data processing are located. They are not to be confused with management models like DIY, co-managed, or fully managed services, which describe who operates and maintains the SD-WAN.

On-premises SD-WAN

The first model is on-premises SD-WAN.

Diagram titled 'On-premises SD-WAN' showing a large box on the left labeled On-premises SD-WAN. Inside are icons representing a desktop computer, a laptop, a printer, and a building connected to a central blue rectangle labeled SD-WAN. A single blue line extends from the SD-WAN rectangle to a circle on the right labeled Internet.

In this setup, the SD-WAN appliance sits directly at the site. It handles routing, policy enforcement, and control locally.

The advantage is direct oversight of data paths, which means traffic stays within the organization's boundary before reaching the broader network.

However, because control is localized, this model can limit efficiency when workloads are heavily cloud-based or geographically distributed.

Cloud-enabled SD-WAN

The next approach is cloud-enabled SD-WAN.

Diagram titled 'Cloud-based SD-WAN' showing an icon labeled On-premises on the left connected by a blue line to a large box on the right. Inside the box is a blue rectangle labeled SD-WAN, which connects to a smaller section labeled Virtual cloud gateway and an icon labeled Internet at the bottom.

Here, traffic is directed through a virtual gateway hosted in the cloud. This allows branch locations to connect to SaaS or cloud workloads more efficiently.

The control plane can reside in the cloud as well, which provides centralized oversight across sites. The main trade-off is that traffic to cloud services is optimized, but traffic between on-premises sites may not benefit in the same way.

Cloud-enabled SD-WAN with a backbone

Finally, there's cloud-enabled SD-WAN with a backbone.

This model introduces points of presence (PoPs) that connect branches into a private backbone.

PoPs let traffic exit the public internet earlier and ride a more predictable, lower-latency path. For example: a branch can forward traffic to the nearest PoP, which then uses the backbone to reach another region.

This reduces jitter and improves performance for time-sensitive applications. The trade-off is dependency on the backbone provider's coverage.

In summary: Each deployment type reflects where control and data paths intersect—locally on-premises, in the cloud, or through PoPs with a backbone. The right choice depends on whether traffic is primarily site-to-site, cloud-focused, or global in scope.

 

How does SD-WAN architecture affect performance and connectivity?

SD-WAN architecture directly shapes how traffic moves and how applications perform. The design choices behind the architecture determine latency, reliability, and user experience.

Let's start with the underlay and overlay.

The underlay is the physical transport such as MPLS, broadband, or LTE. The overlay is the virtual fabric SD-WAN builds on top.

Why does this matter?

Because the overlay can steer traffic across multiple underlay links and shift flows when conditions change. That flexibility is a core reason SD-WAN can maintain performance during congestion or loss.

Here's how it works:

Diagram titled 'SD-WAN dynamic path selection and traffic steering' showing a branch office at the top connected to two pathways. On the left, application thresholds lead to SD-WAN traffic steering, which includes session load distribution, path quality profile, and traffic distribution profile. These link to a VPN virtual interface labeled IPSec interfaces in red, with arrows pointing through a private network to headquarters. On the right, a DIA virtual interface labeled Ethernet interfaces in blue connects through a private network and the public internet to Internet/SaaS. Labels note metrics such as path latency, jitter, and packet loss, with top down priority indicated in the flow.

Now let's consider the path to applications.

Traditional WANs often backhauled traffic to a central data center before sending it to the cloud. But SD-WAN can instead support direct-to-cloud paths. So latency drops, bandwidth use improves, and SaaS access becomes more predictable.

Diagram titled 'Dynamic path selection in SD-WAN' with two scenarios. In the top section labeled Good path quality, packets flow from Application X through a branch SD-WAN CPE over DSL to an HQ SD-WAN CPE and then to a server, with LTE shown as an alternate path. In the bottom section labeled Bad path quality, packets from Application X flow through the branch SD-WAN CPE where DSL is degraded, triggering dynamic switching to reroute traffic over LTE to the HQ SD-WAN CPE and then to the server.

It's worth noting: The extent of these improvements depends on where the control plane resides and how policies are written.

Points of presence and private backbones add another layer.

If the architecture includes PoPs, branch traffic can exit the public internet earlier. From there, it may traverse a provider's backbone with lower jitter and packet loss. The outcome is a smoother experience for voice, video, and other real-time applications.

However, performance varies depending on the coverage of those PoPs.

Policies tie it all together.

Application-aware routing lets the controller steer flows based on metrics like loss or delay. For example: Business-critical voice may be sent over the lowest-latency link, while bulk file transfers use cheaper bandwidth.
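
The steering logic described above, as an added example that is not from the original page or any vendor's product: each application class carries latency, jitter and loss thresholds, and the selector picks the lowest-latency or cheapest link that still meets them. The class names, threshold values and link measurements are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str            # underlay transport
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int            # relative cost; lower is cheaper

@dataclass(frozen=True)
class AppPolicy:
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer: str          # "latency" or "cost"

def meets_thresholds(link, policy):
    return (link.latency_ms <= policy.max_latency_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)

def select_path(policy, links):
    """Return (link name, thresholds_met) for one application class."""
    eligible = [l for l in links if meets_thresholds(l, policy)]
    if not eligible:
        # Every link is degraded: use the least lossy one and flag it for alerting.
        best = min(links, key=lambda l: (l.loss_pct, l.latency_ms))
        return best.name, False
    if policy.prefer == "cost":
        best = min(eligible, key=lambda l: (l.cost, l.latency_ms))
    else:
        best = min(eligible, key=lambda l: (l.latency_ms, l.cost))
    return best.name, True

# Constructed sample policies and link measurements (not from a real network).
VOICE = AppPolicy("voice", 150, 30, 1.0, "latency")
BULK = AppPolicy("bulk-transfer", 400, 100, 3.0, "cost")
HEALTHY = [Link("mpls", 20, 2, 0.1, 10),
           Link("broadband", 35, 8, 0.3, 2),
           Link("lte", 60, 15, 0.5, 6)]
# Same links after MPLS starts dropping packets.
DEGRADED = [replace(l, loss_pct=4.0) if l.name == "mpls" else l for l in HEALTHY]

if __name__ == "__main__":
    for label, links in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        for policy in (VOICE, BULK):
            print(label, policy.app, select_path(policy, links))
```

A result with the second value `False` means no transport met the application's thresholds, which is the condition worth alerting on rather than silently forwarding.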

Meanwhile, zero-touch provisioning ensures these policies are deployed consistently, reducing the risk of misconfiguration across sites.
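
One way to verify that every edge actually runs the policy the controller defined (an added example, not code from the page or from any SD-WAN product): hash the intended policy and each edge's reported policy, then list the settings that differ. The policy layout, the site names and the premise that each edge reports its applied policy as a dictionary are assumptions.

```python
import hashlib
import json

def policy_digest(policy):
    """SHA-256 over a canonical JSON form, so key order never changes the hash."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_keys(intended, applied, prefix=""):
    """Return dotted paths of settings where the edge differs from the controller."""
    paths = []
    for key in sorted(set(intended) | set(applied)):
        want, have = intended.get(key), applied.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            paths.extend(diff_keys(want, have, f"{prefix}{key}."))
        elif want != have:
            paths.append(f"{prefix}{key}")
    return paths

def find_drift(intended, edges):
    """Map each drifted site to the settings that differ; matching sites are omitted."""
    want = policy_digest(intended)
    return {site: diff_keys(intended, applied)
            for site, applied in edges.items()
            if policy_digest(applied) != want}

# Constructed sample: the controller's policy and what three edges report (hypothetical).
INTENDED = {"version": 7,
            "apps": {"voice": {"prefer": "latency"}, "bulk": {"prefer": "cost"}}}
EDGES = {
    "branch-a": {"apps": {"bulk": {"prefer": "cost"}, "voice": {"prefer": "latency"}},
                 "version": 7},                                  # in sync, different key order
    "branch-b": {"version": 6,
                 "apps": {"voice": {"prefer": "latency"}}},      # stale, missing a rule
    "branch-c": {"version": 7,
                 "apps": {"voice": {"prefer": "cost"},
                          "bulk": {"prefer": "cost"}}},          # edited locally
}

if __name__ == "__main__":
    for site, changed in find_drift(INTENDED, EDGES).items():
        print(f"{site}: drift in {', '.join(changed)}")
```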

In short: SD-WAN architecture affects performance and connectivity by defining how paths are selected, how traffic is prioritized, and how consistently those rules are applied. The architecture is what turns a mix of underlay transports into a coherent, application-aware network.


SD-WAN architecture FAQs

The main components are the control plane, the data plane, and functional elements such as edge devices, controllers, orchestrators, and optional gateways or points of presence (PoPs). Together, these enable centralized control, policy enforcement, and efficient traffic steering across diverse WAN links.

The basic SD-WAN architecture separates the control plane from the data plane. A centralized controller and orchestrator define policies and distribute them to SD-WAN edge devices, which forward and enforce traffic. Some architectures also integrate cloud gateways or PoPs to optimize connectivity and reduce latency.

No. A load balancer distributes traffic across servers within a data center. SD-WAN dynamically steers traffic across WAN connections based on application policies and network conditions. While both manage traffic distribution, SD-WAN operates at the WAN edge, not the application or server layer.

A router forwards packets based on IP routing tables and static rules. SD-WAN builds an overlay that uses centralized policies and application awareness to direct traffic. Unlike a traditional router, SD-WAN can optimize cloud access, enforce security, and dynamically select the best available path.

SD-WAN is designed to simplify WAN management through centralized orchestration and zero-touch provisioning. Complexity depends on deployment scale and chosen architecture, but compared to manually configured routers, SD-WAN generally provides greater visibility, consistency, and automation, making ongoing management more straightforward for most organizations.