Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration
GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 4/2)
See all Unit 42 Threat Research
Table of contents
Network Security

What Is an SD-WAN Gateway? | Definition, Explanation, Use Cases

4 min. read
Table of contents

An SD-WAN gateway is a central hub within an SD-WAN architecture that manages and directs network traffic between branch locations and cloud services. It facilitates traffic routing, ensuring optimized communication across the network.

SD-WAN gateways play a crucial role in maintaining network performance and security.

What are the limitations of hub-and-spoke architecture?

Originally, SD-WAN technology was developed to give organizations the ability to securely connect users, applications, and data flows on-premises or hosted in public or private clouds.

Traditional SD-WAN (software-defined wide area network) setups use point-to-point network setups. Which means an edge device is located at each endpoint, establishing a direct connection to other devices. This results in a hub-and-spoke architecture.

A hub-and-spoke architecture connects all branch sites (spokes) to a central hub, typically located at the headquarters or a data center.

Like this:

Hub-and-spoke topology architecture diagram showing a network design where multiple branches connect to two central data centers or hubs. On the left side, two icons labeled

This configuration has been widely used over time, and to its credit, provides a straightforward way to manage network traffic.

But it also comes with limitations:

Latency

One major limitation is the added latency.

All branch-to-branch and branch-to-cloud communication must first route through the central hub. The detour can significantly slow down traffic, leading to delays and decreased performance— especially when accessing cloud-based services.

Architecture diagram illustrating the latency impact of hub-and-spoke routing, featuring multiple branches connected to a central MPLS (Multiprotocol Label Switching) hub. Each branch displays the time taken for data to travel, indicated in milliseconds (ms), with one branch showing a latency of 30 ms, while the others indicate 50 ms to the MPLS hub. The MPLS hub then connects to a data center with a latency of 60 ms. From the data center, connections to AWS, cloud applications, and the Internet exhibit latencies of 50 ms, 100 ms, and 50 ms, respectively.

As more applications move to the cloud, the extra step becomes increasingly problematic.

Single point of failure

Another issue is the single point of failure inherent in this architecture.

The central hub is responsible for managing and securing all network traffic.

Diagram illustrating a single point of failure in a hub-and-spoke network architecture. It features multiple branches connecting to a central MPLS (Multiprotocol Label Switching) hub. The MPLS hub is depicted as a central node, with an indicator (red circle) showing a failure point. This hub connects to a data center, which in turn links to AWS, cloud applications, and the Internet. The branches show direct connections to the MPLS hub, emphasizing their dependency on this central node for network access.

If the hub experiences an outage or becomes overloaded, the entire network can suffer. And that can lead to downtime, which tends to disrupt business operations and reduce productivity across the organization.

Scalability

Scalability is also a challenge.

As the number of branch sites increases, the central hub must handle more traffic. The added load can strain the hub, requiring costly upgrades or more complex configurations to maintain performance. The architecture’s reliance on a single point of control makes it less adaptable to growing network demands.

Architecture diagram illustrating the scalability challenges of a hub-and-spoke architecture in a network setup. It features multiple branch offices connected to a central MPLS (Multiprotocol Label Switching) hub. The MPLS hub then connects to a data center, which is linked to AWS, cloud applications, and the Internet. The layout highlights the connections between the branch offices, MPLS hub, and data center, emphasizing the centralized structure of the architecture.

In today’s cloud-centric environment, this limitation becomes more apparent.

Modern SD-WAN solutions, including SD-WAN gateways, are designed to overcome these challenges by allowing direct branch-to-branch and branch-to-cloud communication.

This approach reduces latency, distributes traffic management, and enhances the overall efficiency of the network.

What is the purpose of an SD-WAN gateway?

The purpose of an SD-WAN gateway is to function as a central point that manages and directs traffic in an SD-WAN architecture.

Think of it as the hub that connects different branches and cloud services, allowing data flows to travel smoothly and efficiently across the network.

As mentioned, in traditional WAN setups, all traffic would typically pass through a headquarters or central data center. But with the rise of cloud services, the need for direct branch-to-cloud communication is a must—and the old model can create bottlenecks.

An SD-WAN gateway changes the game by intelligently routing traffic. It can be deployed on premises or in the cloud, outside the headquarters. Its job is to handle all the SD-WAN traffic and control.

Like so:

Architecture diagram depicting a hybrid SD-WAN gateway deployment scenario. It features an SD-WAN orchestrator at the top, connecting to various components, including SD-WAN gateways with embedded controllers and legacy enterprise data centers. Below, an edge appliance or virtual device connects to a public internet node and a private circuit. Additionally, private edges are shown linked to a private network/MPLS. To the right, an edge cluster connects to hybrid data centers, which can be either enterprise or cloud-based. The diagram also illustrates connections to software as a service (SaaS) applications such as AWS, Box, and Salesforce.

This way, instead of sending all data back to the central hub, branch offices can communicate directly with each other or with cloud services through the gateway. Which reduces the load on the headquarters network and improves performance overall.

Basically, the SD-WAN gateway is there to optimize how data travels across a network. Especially in environments where cloud services are heavily used.

Note: The concept of an “SD-WAN gateway” as part of an SD-WAN architecture is widely recognized and used in modern networking solutions, though the term isn’t necessarily universally defined. In many cases, this functionality might be integrated into other SD-WAN components, such as edge devices or controllers. The terminology can vary depending on the vendor or specific implementation of the SD-WAN solution.

What are the primary SD-WAN gateway use cases?

SD-WAN gateways work well for organizations with heavy cloud service usage, multiple branches, or complex networking needs. In these scenarios, implementing an SD-WAN gateway can optimize network performance and improve efficiency.

Multiple branch sites or heavy reliance on cloud-based services

SD-WAN gateways are especially useful for organizations with multiple branch sites that need to communicate efficiently. They allow direct communication between sites without relying on a central hub. And this majorly reduces delays.

SD-WAN architecture diagram, featuring a central data center connected to four branch locations, represented as gray building icons. These connections are color-coded to indicate different types of internet connections: MPLS in red, cellular connections in green, and broadband in orange. Surrounding the central network diagram are logos of various internet and cloud services, such as AWS, Azure, Google, Dropbox, Salesforce, Workday, and YouTube, implying their integration or accessibility through this network architecture.

Enterprises that use a variety of cloud applications, like Office 365, Salesforce, or AWS-hosted tools, can benefit from an SD-WAN gateway as well. SD-WAN gateways provide direct connections to cloud services. Which means faster, more reliable access to applications.

Multiple remote sites or sites experiencing high volumes of site-to-site traffic

Businesses with complex network demands—such as those with multiple remote sites or those experiencing high volumes of site-to-site traffic—may also consider an SD-WAN gateway.

SD-WAN cloud connectivity architecture diagram, featuring a central data center connected to four branch locations, represented as gray building icons. These connections are color-coded to indicate different types of internet connections: MPLS in red, cellular connections in green, and broadband in orange. Surrounding the central network diagram are logos of various internet and cloud services, such as AWS, Azure, Google, Dropbox, Salesforce, Workday, and YouTube, implying their integration or accessibility through this network architecture.

As explained, the gateway can offload the burden from a central data center by allowing direct branch-to-branch and branch-to-cloud communication. Which equals better network performance and less strain on headquarters' resources.

Meshed WAN architectures

Organizations with a long-term SD-WAN strategy that involves building a meshed WAN design across all their sites are another key group that would benefit from an SD-WAN gateway.

Architecture diagram illustrating a full mesh topology in a network configuration. It features two data centers or hubs positioned at the center, connected to multiple branch locations represented by blue icons. Each branch is interconnected, indicating that every branch can communicate directly with every other branch and the data centers, demonstrating a comprehensive network architecture that allows for multiple pathways between all nodes. The layout emphasizes the redundancy and direct connectivity characteristic of a full mesh topology.

In these scenarios, a gateway can simplify network management. Plus, it reduces the hardware and operational costs associated with traditional point-to-point architectures.

Further reading:

What are the features of an SD-WAN gateway?

Graphic presenting the features of an SD-WAN gateway, organized in a grid layout. Each feature is represented within a green square. The features listed include dynamic path selection at the top left, centralized management below it, built-in security features at the bottom left, more bandwidth at the top right, and reliability and failover at the bottom right. The title

An SD-WAN gateway offers several key features:

  • Dynamic path selection
  • Centralized management
  • Built-in security features
  • More bandwidth
  • Reliability and failover

Dynamic path selection

First and foremost is dynamic path selection.

This feature allows the gateway to choose the best route for network traffic in real-time. In other words, it dynamically selects the most efficient path for data to travel, avoiding congested or unreliable routes.

Architecture diagram illustrating the dynamic path selection of an SD-WAN gateway. It features branch offices on the left, where policies are deployed to the SD-WAN router. In the center, three types of connections are displayed: MPLS, LTE, and Fiber, represented with green, yellow, and red circles, indicating their status. To the right, cloud services, a data center, and data center applications are shown as destinations for data flow. The SD-WAN gateway is highlighted in blue at the center, managing network policies, traffic routing, and monitoring. Dashed lines indicate control connections, while solid lines represent data flow.

This ensures that traffic flows smoothly, which is particularly important for applications that require consistent, reliable performance.

Centralized management

An SD-WAN gateway provides a single point of control for managing the entire network.

Architecture diagram showing how SD-WAN gateways provide centralized control and management across the network. It features multiple branch locations on the left, connecting to various WAN types in the center, including MPLS, Starlink, LTE, 4G/5G, and DSL. To the right, cloud services, a data center, and data center applications are depicted as endpoints for data flow. At the bottom center, the SD-WAN gateway is illustrated, indicating its roles in security policy management, routing option management, and network orchestration. The layout emphasizes the gateway's central function in managing network policies and connections.

Centralizing control makes it way easier for organizations to monitor, deploy, and update network policies across all locations.

With centralized management, network teams can have deeper visibility into the network. Including access points, switches, and gateways. And that means more granular control over network operations.

Built-in security features

SD-WAN gateways typically include built-in security measures like firewalls, VPNs, and encryption.

These features help protect sensitive data as it moves across the network. So information remains secure from potential threats.

By integrating security directly into the gateway, organizations can somewhat lessen the need for separate security solutions.

Note: While SD-WAN gateways include important security features, these features are not exhaustive. Gateways are designed primarily for traffic management and optimization, not for comprehensive security. They should be part of a broader network security strategy that includes additional protective measures. The same is true for SD-WAN overall, but gateways are even more limited in scope.

WAN aggregation

Additionally, an SD-WAN gateway can improve overall bandwidth by aggregating multiple WAN connections.

Instead of relying on a single connection, the gateway can combine several, increasing the total available bandwidth.

Architecture diagram illustrating WAN aggregation managed by SD-WAN gateways. It features multiple branch locations on the left, which connect to various WAN types in the center, including MPLS, Starlink, LTE, 4G/5G, and DSL. On the right, cloud services, a data center, and data center applications are displayed as endpoints. The SD-WAN gateway is highlighted at the bottom center, indicating its role in managing the aggregation of these WAN connections. The layout emphasizes the connectivity between branches, WANs, and cloud services facilitated by the SD-WAN gateway.

This is particularly useful for organizations with high data transfer needs. Because it helps ensure the network can handle large volumes of traffic without slowing down.

Reliability and failover

Finally, reliability and failover are key features of an SD-WAN gateway.

In the event of a network failure, the gateway can automatically switch to a backup connection. Like a secondary WAN link or a cellular network.

Architecture diagram depicting an SD-WAN gateway performing failover. It shows a WAN connection on the left side leading to the SD-WAN gateway, which is centrally positioned. The primary path to the Internet is indicated by a solid line extending from the SD-WAN gateway, while a secondary path to the Internet is represented by a dashed line. Below the SD-WAN gateway, a failover path is illustrated, indicating alternative connectivity. A backup tunnel is also shown extending from the gateway, signifying a secondary connection option. The overall layout emphasizes the gateway's role in maintaining connectivity during failover scenarios.

The failover capability ensures the network remains operational, even if the primary connection goes down. And that adds up to lower risk of downtime and sustained business continuity.

What are the different types of SD-WAN gateway form factors?

Graphic illustrating the types of SD-WAN gateway form factors, featuring three distinct categories. On the left, a

There are three primary types of SD-WAN gateway form factors: hardware, virtual, and cloud.

Selecting the right form factor depends on your organization's specific needs, including performance requirements, deployment architecture, scalability, and budget considerations.

Hardware SD-WAN gateway

  • Overview: A hardware gateway is a physical SD-WAN appliance, typically installed on-premises in a data center, branch office, or other locations. It manages and directs network traffic locally, often preferred in environments where on-site control and high performance are necessary.
  • Use case: Suitable for organizations that need dedicated hardware for traffic management and prefer physical appliances for security or performance reasons.

Virtual SD-WAN gateway

  • Overview: A software-based solution that runs on virtualized infrastructure. It can be deployed either on-premises (e.g., on a virtual machine) or in a cloud environment. Virtual gateways offer the same functionality as hardware gateways, but they provide greater flexibility when it comes to deployment and scaling.
  • Use case: Ideal for organizations that prefer a more flexible, scalable solution–especially those with hybrid cloud environments or those looking to reduce physical hardware.

SD-WAN cloud gateway

  • Overview: Hosted entirely in the cloud by a service provider, a cloud gateway manages traffic between branch locations and cloud services. This form factor eliminates the need for on-premises hardware.
  • Use case: Best for organizations that are cloud-first or have a significant reliance on cloud services. It provides a managed solution that integrates seamlessly with other cloud services.

 

What are the disadvantages of an SD-WAN gateway?

The main disadvantage of SD-WAN gateways is that they require an additional resource to be hosted, most commonly in the cloud to establish a global point of presence.

For example: An SD-WAN gateway will require a compute resource to host a virtualized SD-WAN gateway appliance, usually in the form of an open virtual appliance (OVA), creating another network device to manage, update and monitor.

It’s worth noting: Many SD-WAN gateway offerings can be hosted by a service provider to facilitate a hybrid SD-WAN model.

 

SD-WAN gateway FAQs

An SD-WAN edge refers to the devices at branch locations that connect to the network, while an SD-WAN gateway is a central point (often in the cloud) that routes and manages traffic between these edge devices and cloud services.
A WAN (wide area network) is a network that connects geographically dispersed locations, while a gateway is a device or node that routes traffic between different networks or parts of a network, such as between a WAN and the cloud.
An SD-WAN gateway manages traffic within an SD-WAN architecture to optimize and direct traffic to cloud services and branch locations, whereas a traditional WAN router primarily routes traffic within a conventional network setup.
No, an SD-WAN gateway cannot replace existing network hardware. It can potentially replace some network hardware by consolidating traffic management and security, but it may need to be integrated with existing infrastructure rather than functioning as a complete replacement.
Traffic is managed through an SD-WAN gateway via dynamic path selection, centralized control, and optimized routing to ensure efficient and secure data flow across the network.
The costs of implementing an SD-WAN gateway can include hardware or software purchases, subscription fees, and potential expenses for integration and ongoing management. The overall cost depends on the chosen gateway form factor and network requirements.

EXPLORE MORE

Get the latest news, invites to events, and threat alerts