Gabriel_Gomane

Is SD-WAN part of SASE? Understanding its critical role in secure access

Examine the pros and cons of including SD-WAN in SASE, and consider the impact on connectivity, security, and overall network performance if SD-WAN were excluded from a SASE architecture.


Is SD-WAN truly an intrinsic component of secure access service edge (SASE), or simply a complementary technology? There are those who believe SD-WAN is integral to SASE because it facilitates cloud connectivity. Conversely, some maintain that SASE’s primary focus is security, whereas SD-WAN is centered on connectivity. To clarify this issue, let’s explore both sides of the argument and provide a summary to help resolve the debate.

 

1. Pros: SD-WAN, a full component of SASE

SASE is the convergence of networking and security into a unified, cloud-delivered service. SD-WAN naturally fits into this definition because it addresses one of the fundamental building blocks of SASE: the wide area network and cloud connectivity.

SD-WAN ensures reliable, high-performance connectivity by bonding multiple transport types: MPLS, broadband, LTE/5G, and even satellite. It applies dynamic path selection, tunnel bonding, and error correction techniques that minimize packet loss, latency, and jitter. SD-WAN intelligently steers traffic to the cloud without backhauling cloud-destined traffic to the data center. These features are essential for today’s SaaS and cloud workloads, where user experience is directly tied to the stability of the WAN.

Modern SD-WAN has evolved beyond transport optimization into a security platform. Features such as next-generation firewall (NGFW), intrusion detection and prevention (IDS/IPS), and distributed denial of service (DDoS) defense allow SD-WAN appliances to act as the first line of defense at the branch. They perform secure internet breakouts, identify thousands of applications on the first packet, and enforce security policies without backhauling traffic through the data center.

A secure SD-WAN also supports role-based segmentation, enabling enterprises to enforce zero trust principles across both LAN and WAN. With IoT proliferation, this is especially critical—agentless devices can be isolated from sensitive resources and contained if compromised.

From this perspective, excluding SD-WAN from SASE seems counterintuitive. Without it, the framework would lack the connectivity layer that makes cloud-first networking seamless.

2. Cons: SD-WAN is about connectivity, not security

On the other side of the debate lies the argument that SD-WAN is not essential to SASE but instead a separate technology that solves a narrower problem: connecting branch locations to headquarters and cloud.

In its early days, SD-WAN was purely about transport abstraction. It allowed enterprises to cut costs by supplementing or replacing expensive MPLS with broadband. But it did not inherently solve for security. Security functions were often bolted on later or offloaded to dedicated appliances and cloud services.

SASE, by contrast, is fundamentally security-led. It encompasses zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and data loss prevention (DLP). Its focus is on enabling secure access for users and devices from anywhere, not only from branches. From this lens, SD-WAN is not the cornerstone of SASE but an edge connectivity option—useful for site-to-site networking but not mandatory for implementing SASE principles.

With hybrid and remote work, many organizations are shifting away from branch-centric architectures. Users connect directly from laptops, tablets, and smartphones to cloud services through security service edge (SSE). In these cases, SD-WAN plays no role. A SASE architecture can, in theory, be built entirely on SSE without deploying a single SD-WAN appliance.

3. Summary: SASE is incomplete without SD-WAN

Both perspectives highlight valid truths. SD-WAN in isolation cannot deliver the holistic security required in today’s environments, and SSE alone cannot ensure the optimized connectivity needed for critical workloads.

A secure SD-WAN—one that integrates NGFW, IDS/IPS, DDoS protection, and zero trust segmentation—is the missing piece that completes SASE.

 Figure 1. SASE encompasses both SD-WAN and SSE

Without SD-WAN, SSE-based SASE deployments risk suboptimal performance. SaaS applications may be routed inefficiently, on-premises workloads may be inaccessible, and branch offices may remain vulnerable to attacks. Without SSE, SD-WAN lacks the full cloud-native security stack that modern enterprises demand. Together, they provide both optimized connectivity and cloud-delivered security.

This is why SD-WAN and SSE integration simplifies management, ensures policy consistency, and eliminates the complexity of stitching together disparate networking and security products.

Exploring a hypothetical scenario where SASE excludes SD-WAN reveals what organizations would lose:

  • Lack of flexibility

By adopting SD-WAN, organizations can reduce their reliance on MPLS and take advantage of cost-effective internet connections, utilizing advanced optimization methods such as forward error correction and tunnel bonding. This approach also streamlines the rapid deployment of new branch locations, offering greater flexibility.

  • Poor hybrid cloud support

Relying solely on SSE means all network traffic is directed to the cloud, even when some should stay local. This approach can negatively impact user experience and reduce flexibility for organizations with sensitive workloads hosted on-premises or in private clouds. In contrast, SD-WAN provides intelligent traffic steering by keeping local traffic within the local network, sending cloud-destined traffic directly to the cloud or to an SSE solution without unnecessary detours through the data center, and routing data center traffic straight to its destination.

  • No bandwidth optimization by application

Traffic prioritization would vanish. Business-critical workloads such as ERP or telemedicine would compete equally with recreational traffic, risking productivity losses and even safety concerns in industries like healthcare or manufacturing.

  • Limited path selection

Organizations would lose the ability to dynamically choose or combine network paths. In a multicloud environment, this would result in subpar performance and resilience.

  • Equipment sprawl in branches

Branch offices would remain reliant on disparate routers, firewalls, and WAN optimization devices, increasing operational complexity and cost. By contrast, secure SD-WANs with a built-in next-generation firewall and features such as IDS/IPS, DDoS protection, and role-based segmentation can seamlessly replace branch firewalls. Centralized management and rapid policy propagation would also be absent without SD-WAN.

In short, removing SD-WAN from SASE would hollow out the architecture, leaving gaps in both performance and protection.

Conclusion

The debate over whether SD-WAN is part of SASE underscores a broader reality: enterprises need both optimized connectivity and cloud-delivered security to thrive in a cloud-first world. SD-WAN on its own is not SASE, and SSE on its own is not enough either.

When combined, however, secure SD-WAN and SSE form a true SASE architecture—one that unifies performance and protection under a single framework. SD-WAN will increasingly be delivered as part of SASE because organizations cannot afford to compromise on either connectivity or security.

The answer to the question “Is SD-WAN part of SASE?” is clear: yes—because without it, SASE is incomplete.

HPE Networking delivers a comprehensive portfolio of SD-WAN, SSE, and firewall solutions. HPE Aruba Networking EdgeConnect SD-WAN is a secure SD-WAN with advanced optimization techniques such as path conditioning and tunnel bonding, as well as a built-in next-generation firewall with IDS/IPS, adaptive DDoS, URL filtering, and role-based segmentation. HPE Aruba Networking SSE is a cloud-native SSE solution encompassing capabilities such as ZTNA, SWG, and CASB in a single platform. HPE Juniper Networking is a hybrid mesh firewall providing scalability and a single management platform.

To learn more about SASE, visit our website.


Meet the author:

Gabriel Gomane, Sr Product Marketing Manager
linkedin.com/in/gabriel-gomane-mba-b751b79/

About the Author

Gabriel_Gomane

Gabriel Gomane has more than 15 years of experience in product marketing and product management, focusing primarily on networking, security and digital transformation. He has broad international experience, having held marketing positions based in Europe and in the US. Before joining HPE Aruba Networking, Gabriel worked for various high tech companies including Meru Networks and MEGA International. Gabriel holds a BS in engineering from Grenoble INP and an MBA from HEC Paris.