Enterprise Wide Area Networking (WAN) has transformed dramatically in the past decade. The classic hub-and-spoke WAN centered on private MPLS links is giving way to a new paradigm driven by cloud connectivity, software-defined networking, and integrated security.
Evolution Over the Last 10 Years
From MPLS to SD-WAN
Ten years ago, MPLS networks dominated enterprise WANs, offering private, reliable connectivity with end-to-end service guarantees. But they came at high cost and were often inflexible.
The mid-2010s saw the rise of Software-Defined WAN (SD-WAN) as an overlay technology that could use ordinary internet links to connect sites with comparable performance and greater agility. High-speed broadband became widely available, enabling enterprises to carry site-to-site traffic securely over the public internet at far lower cost. In fact, a broadband link combined with SD-WAN software can be 50–60% cheaper than a comparable MPLS circuit.
Cost savings, along with the need for flexibility, drove many organizations to trial and adopt SD-WAN. Over the course of the 2010s, enterprises with generic WAN requirements increasingly turned down MPLS in favor of internet underlays with SD-WAN overlays.
By 2022, nearly 90% of enterprises had rolled out some form of SD-WAN in their environment, a stunning adoption rate that highlights how quickly SD-WAN moved from emerging tech to mainstream.
Impact of Cloud Adoption
As companies embraced cloud services (SaaS, IaaS, and PaaS), traffic patterns shifted. No longer was all application traffic destined for a centralized data center – instead, nearly half of enterprise WAN traffic now goes to external cloud or SaaS providers.
A 2019 survey found the average enterprise already traced 48% of its WAN traffic to external cloud/SaaS, and that percentage has only grown since. Backhauling all that cloud-bound traffic over MPLS to a central HQ for internet egress made little sense in terms of latency or cost.
Enterprises began enabling local internet breakouts at branches and using direct cloud connectivity options. Hybrid cloud architectures (mixing on-prem and cloud) became common, with IT teams re-architecting WANs to connect branch users directly to cloud apps.
This cloud-driven demand was one of the top drivers for WAN transformation in the last decade. It also introduced new challenges around ensuring security and performance for distributed, internet-based traffic – challenges that helped spur technologies like SD-WAN (for intelligent path selection to cloud) and cloud-based security services.
Rise of SASE
In 2019, Gartner introduced the concept of Secure Access Service Edge (SASE) – a cloud-based architecture converging SD-WAN networking with network security functions like secure web gateways, CASB, firewall-as-a-service, and Zero Trust access. The idea was to deliver both connectivity and security as an integrated cloud service.
Over the past few years, SASE has evolved from a buzzword into a guiding architecture for many enterprises. It aims to solve the problem of securing an ever more distributed network (branches, remote users, cloud resources) by shifting security controls to a unified cloud edge.
The growth of SASE has been fueled by the same trends that drove SD-WAN: widespread cloud adoption, more internet-based WAN connectivity, and a need for simpler management. We’ve seen leading SD-WAN vendors incorporate security-as-a-service into their offerings, while traditional security vendors have added SD-WAN capabilities, all in pursuit of the SASE vision.
By 2024, 53% of enterprises had adopted at least some elements of the SASE framework, indicating that more than half of organizations are on the path toward converging networking and security. SASE’s emergence is a direct response to the evolving enterprise perimeter – or rather, the disappearance of a traditional network perimeter altogether.
Internet as the New Corporate Network
Perhaps the most fundamental change in the last decade is that the public internet has effectively become the new enterprise WAN backbone. Whereas in 2013 many IT teams were wary of running critical traffic over the internet, today it’s routine.
The quality and bandwidth of business internet services improved greatly, while costs fell. This made it feasible and attractive to replace or augment expensive private circuits with business broadband or dedicated internet access.
By 2020, enterprises were relying far less on MPLS and far more on the internet for WAN connectivity. TeleGeography data shows that in 2018, 82% of enterprise sites were on MPLS, but by 2020 that had fallen to 58% as internet (DIA and broadband) gained ground.
And in 2024, a survey confirmed that internet (DIA) now connects a larger share of sites (49%) than MPLS (41%) in the average enterprise WAN.
The trend of the last decade has been a shift from private networks to internet-based networks. This shift was accelerated by cloud/SaaS uptake and by the needs of a more decentralized workforce (especially post-2020 with the rise of remote work). SD-WAN has been the key enabling technology, providing an overlay to manage and secure traffic across these multiple internet links.
The net result is that the enterprise WAN of 2025 is a very different beast than that of 2015 – it’s software-defined, heavily internet-reliant, and built with cloud in mind.
Current State of Enterprise WAN
So what does the enterprise WAN landscape look like today? In a word: hybrid.
Most large organizations now run a mix of connectivity types and technologies, blending old and new. Here are the major aspects of the current state:
SD-WAN: The New Normal
SD-WAN is no longer a niche or next-big-thing; it’s a standard component of modern WANs. Industry surveys show that about two-thirds of companies have deployed SD-WAN overlays on at least part of their network, and over half have it in wide use across all or most sites.
This means branch offices and even remote workers are often connected via software-defined edge devices (or clients) that intelligently route traffic. SD-WAN devices can dynamically choose between multiple links (MPLS, cable, 4G/5G, etc.) based on real-time performance, and they prioritize critical applications to maintain quality of service.
They also simplify management through centralized controllers and orchestration – network teams can configure policies centrally and push them out to all edges. The capabilities of SD-WAN have expanded in recent years to include integrated security (firewalling, URL filtering), direct cloud on-ramps, and granular application analytics.
Essentially, SD-WAN has become the de facto WAN edge architecture for enterprises, displacing traditional router-centric designs. Organizations that have not adopted SD-WAN at all are now the exception rather than the rule. Even where legacy MPLS networks persist, they are often augmented by an SD-WAN layer or being migrated to one.
Secure Access Service Edge (SASE) Adoption
Alongside SD-WAN, SASE has gained significant traction as companies seek to merge their networking and security strategies. In the current state of WAN, many enterprises are in the process of rolling out SASE or at least evaluating it. As noted, over half of organizations have started adopting SASE components.
What this looks like in practice is the deployment of cloud-based security stacks that users connect to, no matter where they are. For example, a branch office may have an SD-WAN device that not only routes traffic but also tunnels it to a cloud security service for threat scanning and access control. Remote users might use a lightweight agent that sends their traffic to the nearest SASE point of presence, where zero-trust network access (ZTNA) policies are enforced.
The convergence of WAN and security is a defining feature of the current enterprise WAN. Networking teams and security teams are working more closely, often under a SASE project, to ensure that as the network perimeter extends to anywhere the internet reaches, security remains consistently applied.
SASE is helping organizations replace or supplement traditional VPNs and on-premises security appliances with a unified cloud-based solution. That said, fully realizing SASE is a journey – many enterprises are at an intermediate stage (e.g., using SD-WAN plus a couple of cloud security services, but not yet a single integrated solution).
The current state is one of active convergence, guided by frameworks like SASE and Zero Trust, as companies try to protect users and data across an “internet-first” network architecture.
MPLS: Still Present, But Diminished
Despite a clear trend away from MPLS, it has by no means vanished in 2025. MPLS remains relevant in certain use cases and industries. Many enterprises continue to maintain some MPLS circuits, especially for sites that require guaranteed performance (e.g. latency-sensitive trading applications or voice traffic in markets with unreliable broadband) or in regions where internet quality is inconsistent.
MPLS still offers a gold standard for predictable latency, jitter, and packet loss, backed by strong SLAs from providers. Some companies also use MPLS to carry internal core network traffic or data center interconnects, keeping that traffic off the public internet for privacy or regulatory reasons.
As one analysis noted, many companies will continue to use MPLS in the data center to support basic network services (like authentication, DNS, etc.) and as a backbone for certain critical applications.
However, the overall footprint of MPLS in the average WAN is shrinking. It’s often part of a hybrid WAN, paired with internet links. For example, a branch might have one MPLS line and one broadband line, with SD-WAN using the MPLS primarily for high-priority traffic or as a failover. In other cases, legacy MPLS networks are in slow decline as contracts expire. Recent data confirms MPLS port counts and bandwidth share are dropping year over year.
So while MPLS isn’t dead, it’s no longer the default choice – it’s now a specialized component, used when its advantages are truly needed, and otherwise bypassed in favor of more agile internet-based connectivity.
Hybrid WAN and Multi-Cloud Networking
The prevailing architecture for large enterprises today is a hybrid WAN, meaning a mix of transport methods (MPLS + Internet + Wireless) and often a mix of public cloud and private network connectivity. Enterprises are connecting not just branch-to-data-center, but branch-to-cloud and cloud-to-cloud.
Most organizations are now multi-cloud – nearly 75% of WAN managers have two or more cloud IaaS providers in use. This requires the WAN to extend into those cloud environments. In current networks, you’ll commonly find integration with cloud connectivity services: for instance, an SD-WAN hub colocated in an Equinix facility with direct links into AWS, Azure, or Google Cloud, or use of cloud providers’ own WAN-like offerings (Azure Virtual WAN, AWS Cloud WAN) to interconnect sites.
Many enterprises use dedicated cloud interconnects (such as AWS Direct Connect or Azure ExpressRoute) for heavy traffic between their network and the cloud, but they complement these with IPsec VPNs over the public internet for flexibility.
According to research, while dedicated cloud links are popular, over half of companies also use IPsec VPN tunnels to connect to cloud providers, and two in five even use basic public internet connectivity for cloud access. This underscores the hybrid approach: there might be a private fast path for certain applications and an internet VPN for others, all managed under a unified SD-WAN policy.
Additionally, “multi-cloud networking” products have emerged to help abstract connectivity across cloud platforms, giving enterprises a single console to manage networking to, from, and between different clouds.
Bandwidth and Connectivity Trends
Enterprises today demand ever-higher bandwidth on their WAN links, driven by data-heavy applications, video, and replication traffic. The average branch office connection speed has increased significantly – one study noted that over the past five years, ports 50 Mbps and below have shrunk as a share, while all port sizes above 50 Mbps have grown, often dramatically.
Simply put, the era of the 10 Mbps branch is over; many sites now have 100 Mbps, 1 Gbps, or even multi-gig links as standard. This demand is met largely with internet connections, which are far cheaper per Mbps than legacy WAN circuits. Where an MPLS might have been 10 or 20 Mbps due to cost, a business fiber internet line might be 200 Mbps or 500 Mbps for the same budget, improving user experience for cloud and video apps.
Dedicated Internet Access (DIA) services (business-grade internet with SLAs) are common for headquarters and large sites, while broadband and cable internet serve smaller sites.
The use of multiple ISPs is also a trend – enterprises are no longer sourcing all WAN links from one global carrier. Instead, many choose a mix of global and regional providers to optimize cost and coverage. For example, a company might use a Tier-1 ISP or carrier backbone for core sites but leverage local ISPs for branch broadband in each country, all tied together via SD-WAN.
This multi-provider strategy can lower costs but adds management complexity, which managed SD-WAN services aim to address. Additionally, network resiliency through diverse connectivity is a priority: it’s now common to have a primary wired link and a secondary 4G/5G wireless backup at critical sites.
In summary, the current WAN is characterized by fatter pipes and more pipes – more bandwidth and multiple paths per site to ensure performance and uptime.
The Role of ISPs, Colocation, and Peering
As enterprises lean on the internet, they have become more cognizant of how internet traffic is routed and how to optimize it. Many large enterprises are leveraging colocation facilities (like Equinix, Digital Realty, etc.) as strategic network hubs. In these neutral data centers, companies can cross-connect to cloud providers, SaaS providers, and internet exchange points.
Some enterprises join Internet Exchanges or use public peering to exchange traffic directly with major networks, improving performance by shortening paths.
Others turn to “middle-mile” optimization services – for instance, using a global backbone-as-a-service (from providers like Aryaka or Cloudflare) to carry traffic over long distances with better reliability than the public internet. As one analyst noted, once you shift from MPLS to Internet, the performance of the “internet middle mile,” which used to be the telco’s problem on a private network, becomes a concern for the enterprise.
This has led companies to evaluate options like choosing Tier-1 ISPs for better global coverage, using Network-as-a-Service (NaaS) providers or SD-WAN vendors that offer a private cloud backbone, or joining peering exchanges to directly connect with key networks.
The current state of WAN thus includes a growing focus on internet topology and partnerships. Enterprises might purchase IP transit in hub locations or use SaaS-based routing optimizers to ensure their traffic takes the best paths. In essence, the ISP ecosystem and internet infrastructure are now part of the enterprise WAN design, whereas a decade ago they were abstracted away by the MPLS provider.
Major Vendors and Providers in the WAN Ecosystem
The enterprise WAN market in 2025 involves a diverse mix of vendors and service providers, each playing a role in how WANs are built and delivered:
SD-WAN and SASE Vendors
These are the companies providing the core technology for software-defined WAN and integrated security. Key players include Cisco (with its Viptela and Meraki SD-WAN solutions, plus Cisco Umbrella for SASE), VMware (VeloCloud SD-WAN platform), Fortinet (Secure SD-WAN built into FortiGate devices and a SASE offering), Palo Alto Networks (Prisma SD-WAN and Prisma Access SASE), HPE Aruba (EdgeConnect SD-WAN, formerly Silver Peak), Juniper Networks (Session Smart SD-WAN from 128 Technology, plus Mist AI and security integration), Versa Networks (an early SASE pioneer with integrated SD-WAN/security software), and Cato Networks (a cloud-native SASE provider with its own global backbone).
According to industry rankings, the top SD-WAN vendors by market share in recent years have been VMware (now part of Broadcom) and Cisco, along with Fortinet, HPE Aruba, and Versa. These vendors differ in approach – some focus on selling appliances and software that enterprises deploy, while others offer cloud-hosted multi-tenant platforms.
SASE has blurred the lines between traditionally separate markets, so we see collaborations too (for example, an SD-WAN vendor partnering with a cloud security vendor to deliver a combined solution).
For WAN professionals, it’s important to keep track of the rapid consolidation and feature expansion in this space – many SD-WAN products now also handle routing, firewalling, and even Wi-Fi management at branches (so-called “SD-Branch”). When selecting vendors, factors like integration capabilities, cloud on-ramp performance, security features, and management simplicity are key differentiators.
Network Hardware and Infrastructure Providers
Underpinning the WAN are the hardware companies supplying routers, switches, and telco equipment. Cisco has long been dominant in enterprise routing – its ISR/ASR routers were the workhorses of MPLS networks, and today its Catalyst and SD-WAN routers continue to be widely used at branch and colocation sites.
Juniper is another major hardware player, especially for service provider core networks and some large enterprises (MX series routers, etc.), and it has moved into SD-WAN software as noted.
Arista Networks is known for data center switching but has also introduced solutions for campus and WAN routing, emphasizing open standards.
Additionally, white-box hardware and network functions virtualization (NFV) have impacted WAN design – some enterprises use generic x86 appliances (uCPE – universal Customer Premises Equipment) to run SD-WAN and firewall software images, rather than proprietary hardware. This has opened opportunities for software-only vendors and lowered dependence on a single hardware vendor.
It’s worth noting that many traditional WAN hardware makers have adapted by offering virtual appliances and cloud instances of their products, to fit into software-defined and cloud-centric environments.
Telecom Carriers and ISPs
These are the providers of the actual connectivity – the underlay networks over which enterprise WANs run. In the MPLS era, enterprises often sourced a global MPLS service from one of the large carriers such as AT&T, Verizon (USA), BT, Orange (Europe), NTT, Tata Communications, Singtel (Asia), etc., or regional carriers in specific markets.
Today, those carriers have all expanded into offering SD-WAN managed services and internet-based VPNs, since demand for traditional MPLS has slowed. Many enterprises still rely on carriers for managed WAN services, where the provider supplies and manages the SD-WAN appliances and connectivity as a package.
Aside from the global telcos, there are the local ISPs and broadband providers – for example, Comcast and Spectrum in the US for cable broadband, various fiber providers in each country, and even cellular carriers for 4G/5G data links.
A big trend is that enterprise WAN teams manage a mix of carriers: they might contract with a primary global carrier for MPLS or backbone connectivity, but also contract directly with local ISPs for internet at branch locations. To simplify this, some turn to aggregators or MSPs who handle multi-provider contracting.
Colocation and cloud connectivity providers form another part of the ecosystem – companies like Equinix, Digital Realty, CoreSite, Colt, Level 3/Lumen provide data center facilities and cloud exchange services that many WAN architectures leverage for interconnection.
There are also specialized cloud networking providers (e.g., Megaport, PacketFabric) that offer on-demand connectivity between colo facilities and clouds, which enterprises use to extend their WAN into multiple clouds quickly. Regionally, the set of available providers can vary widely – for instance, in certain APAC countries or in Africa, one might still lean more on MPLS from incumbent telecom operators due to reliability concerns, whereas in North America or Europe, internet links are robust enough to use for primary connectivity.
Thus, regional differences persist in the WAN provider landscape, often requiring enterprises to adopt a heterogeneous approach (different carriers for different regions, or a hybrid of global and local contracts) to achieve the best combination of cost and performance.
Managed Service Providers and Integrators
Finally, many enterprises work with third-party managed service providers (MSPs), system integrators, or value-added resellers to design and operate their WAN. These players (which include the big telcos’ services divisions as well as specialist firms) often bundle technologies from multiple vendors into a managed offering.
For example, an MSP might deliver a “managed SD-WAN” service using Cisco or Fortinet equipment, plus their own network of cloud gateway hubs, and handle all the configuration and monitoring on the customer’s behalf. The appeal is offloading complexity and getting end-to-end SLAs.
Some notable MSPs in the WAN space include Globalgig, Masergy (now Comcast Business), Aryaka (which provides its own SD-WAN backbone), and the enterprise services arms of carriers like AT&T Business, Verizon Business, NTT Ltd., Orange Business Services, etc.
Cloud providers have also started encroaching here – AWS and Azure now offer managed WAN connectivity services integrated with their cloud, which could be viewed as early steps into “as-a-service” WAN offerings.
The vendor/provider ecosystem is rich: enterprises have more choice than ever, from DIY with best-of-breed SD-WAN and cloud links, to turnkey managed solutions, to emerging cloud-managed network services.
The current trend is toward ecosystem partnerships – SD-WAN vendors partnering with security providers (for SASE), carriers offering vendor-agnostic SD-WAN services, and cloud providers enabling third-party SD-WAN integration – all to give enterprises flexibility in assembling their WAN solution.
Emerging Technologies in WAN
The WAN is continually evolving, and several emerging technologies and approaches are poised to shape its next phase:
AI-Driven Networking and Intent-Based WAN
One of the most talked-about trends is the infusion of artificial intelligence and machine learning into network operations (AIOps for networking).
Modern WAN platforms are beginning to use AI/ML to analyze vast amounts of telemetry data and provide intelligent insights or automated adjustments. AI-based tools can proactively identify an anomaly in WAN performance (like a spike in latency on a path) and either alert operators or automatically reroute traffic.
Cisco has highlighted that AI/ML can help network teams become more proactive and nimble by predicting issues and prioritizing critical events, which is crucial as networks grow more complex.
Juniper’s Mist AI (originally in WLAN, now extending to WAN) and other vendor solutions aim to automatically tune network parameters and even perform self-healing. Intent-Based Networking (IBN) is a related paradigm where network admins define high-level business intent (e.g., “ensure video traffic from branch X to cloud Y has priority and low latency”) and the system automatically configures and maintains the network to fulfill that intent.
While true IBN is still maturing, many SD-WAN systems offer policy abstraction that moves in this direction. In the coming years, we can expect WAN management to become more autonomous, with AI assisting in everything from capacity planning (forecasting where bandwidth needs will grow) to security (identifying suspicious traffic patterns).
The goal is a WAN that is “self-driving” to a greater degree, reducing the human workload for routine tasks. Given that two-thirds of enterprises report IT networking workloads are increasing without commensurate staff growth, this automation is both necessary and welcome. Networking professionals will increasingly work alongside AI-driven tools, supervising and refining intents rather than tweaking router configs by hand.
Network Automation and Orchestration
Hand-in-hand with AI, general network automation and orchestration are transforming how WANs are operated. Traditional WAN change management – opening tickets, manual CLI changes during maintenance windows – is too slow for the digital era.
Instead, enterprises are adopting Infrastructure-as-Code and automation frameworks to manage the WAN. APIs and software-defined controllers allow programmatic control of network devices. An orchestrator can push a new QoS policy across 500 sites in minutes, or automatically instantiate a new branch configuration when a device is plugged in (zero-touch provisioning).
Tools like Ansible, Terraform, and vendor-specific controllers (Cisco vManage, VMware SD-WAN Orchestrator, etc.) are used to treat network configurations similar to code, enabling version control and rapid rollbacks if needed. This is critical in multi-vendor environments – since many WANs have different devices and cloud networking components, automation can glue together configuration tasks across these domains.
We’re also seeing the rise of multi-domain orchestration where a single workflow might provision network changes on the SD-WAN, in the cloud VPC networking, and in security systems simultaneously, ensuring consistency end-to-end. All of this reduces errors (which are common with manual changes) and increases agility.
For enterprise WAN teams, developing automation skillsets and strategies is now a key focus. In fact, some large organizations are implementing NetDevOps practices, bringing development and operations concepts to networking. As this trend continues, we might see fully automated “policy engines” where a desired change (like adding a new branch site or moving an app to a different cloud) triggers a cascade of automated network adjustments across the global WAN.
Zero Trust Security for WAN
Security architecture has undergone a philosophical shift with the rise of Zero Trust. The old model of implicit trust for anything inside the corporate network has been replaced by “trust nothing, verify everything.”
Zero Trust Network Access (ZTNA) solutions are increasingly being layered onto enterprise WANs to secure access to applications. Rather than connect remote users via flat VPN into the network, ZTNA brokers access on an application-by-application basis after verifying user identity, device posture, and context for each session.
Many SASE offerings include zero trust principles at their core – effectively turning the WAN into an authenticated fabric where every connection is strongly authenticated and authorized. As of 2023, roughly 60%+ of organizations have either implemented or are planning to implement a Zero Trust strategy in some form, reflecting broad recognition of its importance.
For the WAN, zero trust means even if a user is “inside” the network (e.g., at a branch), they still must be authenticated to reach a sensitive application, and network segments are tightly controlled. It also means heavy use of encryption; practically all WAN traffic, even over private links, is encrypted (IPsec or TLS) as a baseline security measure.
Emerging tech in this realm includes identity-aware routing, where SD-WAN policies incorporate user identity/groups (not just IPs or subnets), and micro-segmentation extended to WAN – ensuring, for example, an IoT device network at a branch has no ability to talk to corporate HR systems, etc., unless explicitly allowed. We also see integration of SSE (Security Service Edge) platforms – cloud-delivered secure web gateway, CASB, firewall – which complement SD-WAN to form a full SASE solution.
The move to zero trust is an evolving journey, and enterprises are at various stages, but clearly the WAN is no longer considered a “trusted zone” by default. This will only increase with future regulations and threats, making zero trust a cornerstone of WAN architecture going forward.
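The per-session ZTNA check and the identity-aware micro-segmentation described in this section can be sketched as a default-deny policy evaluator. This is an added example, not code from any SD-WAN or SASE product; the segment, group and application names, the posture fields and the sample sessions are all hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Session:
    """One access attempt, evaluated per session rather than per network."""
    identity: Optional[str]        # user or device-certificate subject
    groups: FrozenSet[str]         # groups asserted by the identity provider
    mfa_passed: bool
    device_managed: bool
    disk_encrypted: bool
    src_segment: str               # WAN segment the traffic originates from
    dst_app: str


@dataclass(frozen=True)
class Rule:
    name: str
    dst_app: str
    allowed_groups: FrozenSet[str]
    allowed_segments: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    require_disk_encryption: bool = False


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]
    reasons: List[str]


# Hypothetical policy: rules name identities and segments, never IP ranges.
CORP = frozenset({"branch-corp", "remote"})
POLICY = [
    Rule("hr-staff-to-hr-portal", "hr-portal", frozenset({"hr"}), CORP,
         require_disk_encryption=True),
    Rule("eng-to-git", "git", frozenset({"engineering"}), CORP),
    Rule("iot-to-telemetry", "iot-telemetry", frozenset({"svc-iot"}),
         frozenset({"branch-iot"}), require_mfa=False,
         require_managed_device=False),
]


def evaluate_rule(rule: Rule, s: Session) -> List[str]:
    """Return every condition the session fails; an empty list means a match."""
    failures = []
    if not (rule.allowed_groups & s.groups):
        failures.append("identity not in an allowed group")
    if s.src_segment not in rule.allowed_segments:
        failures.append(f"segment {s.src_segment} not allowed")
    if rule.require_mfa and not s.mfa_passed:
        failures.append("MFA not satisfied")
    if rule.require_managed_device and not s.device_managed:
        failures.append("unmanaged device")
    if rule.require_disk_encryption and not s.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def decide(s: Session, policy: List[Rule] = POLICY) -> Decision:
    """Allow only if some rule for the target application is fully satisfied."""
    candidates = [r for r in policy if r.dst_app == s.dst_app]
    if not candidates:
        return Decision(False, None, ["no rule for application (default deny)"])
    closest = None
    for rule in candidates:
        failures = evaluate_rule(rule, s)
        if not failures:
            return Decision(True, rule.name, [])
        if closest is None or len(failures) < len(closest[1]):
            closest = (rule, failures)
    return Decision(False, closest[0].name, closest[1])


# Constructed sample sessions.
SESSIONS = {
    "hr_user_branch": Session("alice", frozenset({"hr"}), True, True, True,
                              "branch-corp", "hr-portal"),
    "hr_user_byod": Session("alice", frozenset({"hr"}), True, False, True,
                            "remote", "hr-portal"),
    "engineer_on_lan_to_hr": Session("bob", frozenset({"engineering"}), True,
                                     True, True, "branch-corp", "hr-portal"),
    "iot_to_hr": Session(None, frozenset({"svc-iot"}), False, False, False,
                         "branch-iot", "hr-portal"),
    "iot_to_telemetry": Session(None, frozenset({"svc-iot"}), False, False,
                                False, "branch-iot", "iot-telemetry"),
    "unknown_app": Session("alice", frozenset({"hr"}), True, True, True,
                           "branch-corp", "finance-db"),
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        d = decide(session)
        print(f"{name:24} {'ALLOW' if d.allowed else 'DENY':5} {d.rule} {d.reasons}")
```

The `engineer_on_lan_to_hr` session is the case the section stresses: the user is on the corporate branch segment with a healthy device and is still denied, because being on the network is not one of the conditions any rule accepts.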
Edge Computing and WAN Edge Integration
Another trend impacting WAN design is the rise of edge computing. Enterprises are deploying compute and storage resources at the network edge – closer to users or devices – to enable real-time processing for latency-sensitive applications (manufacturing automation, retail analytics, autonomous vehicles, etc.).
This distributed edge cloud approach requires the network to connect potentially thousands of micro-sites or devices with reliable, low-latency links. WAN technologies are adapting to facilitate edge computing. For instance, SD-WAN can be used to connect edge compute nodes (like servers in a factory or an oil rig) back to central cloud or data centers, optimizing the path for speed.
SASE can extend security out to these edge locations so that data processed locally is still protected and compliant. One significant benefit of edge computing is reduced latency by processing data nearer to where it’s generated – but to fully realize this, the WAN between edge and users must be optimized as well.
That has led to interesting deployments like multi-access edge computing (MEC) in 5G networks, where enterprises host applications at a telecom provider’s edge site on the 5G network. The enterprise WAN then needs to integrate with these cellular networks.
We’re seeing early use of private 5G networks for enterprise campuses and IoT, which essentially become new WAN segments that must interconnect with the rest of the corporate network. Going forward, the WAN may extend to connect many more endpoints at the edge, from sensors to autonomous machines, in a scalable way.
Networking professionals will need to handle increased distribution – potentially managing thousands of edge nodes via SD-WAN controllers, ensuring security out to each edge, and providing connectivity that can dynamically adjust as edge workloads move. Some emerging solutions treat edge connectivity as an extension of cloud connectivity, using similar hub-and-spoke or mesh topologies.
Edge computing is pushing the network to be more distributed and cloud-like, and the WAN is the critical backbone tying these edge resources together. Technologies that simplify the provisioning of connectivity and compute together at the edge (for example, deploying an SD-WAN instance and a compute node simultaneously via automation) are likely to develop.
Even the concept of Network-as-a-Service (NaaS) can be seen as part of this edge trend – delivering on-demand network functions at the edge when and where needed. Enterprises embracing edge computing will lean heavily on agile, software-defined WAN solutions to make it feasible and cost-effective.
AI and Intent in the Next-Gen WAN
In addition to current AI ops, looking a bit further, we anticipate even more advanced AI playing a role in WAN optimization. Imagine AI algorithms that learn the normal pattern of traffic between each branch and cloud service and can instantly flag anomalies that might indicate a security breach or a misconfigured application.
Or “intent translators” that allow a network architect to simply specify high-level requirements (e.g., compliance constraints: “All traffic from EU offices to cloud must stay within EU borders”) and the system figures out the network policy to enforce that – including choosing appropriate cloud regions or routing paths that meet the criteria. Early signs of this can be seen in policy-driven orchestration tools and the heavy research investment by network vendors into AI features.
While still emerging, the promise of intent-based, AI-optimized WAN is that networks will become far more adaptive, continuously aligning with business needs without constant human micromanagement.
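The residency intent quoted above ("All traffic from EU offices to cloud must stay within EU borders") can be turned into a path decision as in the following added example, which is not taken from any vendor's orchestrator. The sites, points of presence, jurisdiction labels and latencies are constructed, and the model constrains overlay hops only; underlay routing between two hops is assumed to be verified separately.

```python
import heapq
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed topology: jurisdiction label per overlay node.
JURISDICTION: Dict[str, str] = {
    "branch-paris": "EU", "branch-dublin": "EU",
    "pop-frankfurt": "EU", "pop-amsterdam": "EU", "pop-london": "UK",
    "cloud-eu-west": "EU", "cloud-us-east": "US",
}
# Constructed bidirectional overlay links with one-way latency in ms.
LINKS: List[Tuple[str, str, int]] = [
    ("branch-paris", "pop-london", 8), ("pop-london", "cloud-eu-west", 10),
    ("branch-paris", "pop-frankfurt", 12), ("pop-frankfurt", "cloud-eu-west", 11),
    ("branch-paris", "pop-amsterdam", 11), ("pop-amsterdam", "cloud-eu-west", 9),
    ("pop-frankfurt", "pop-amsterdam", 7), ("branch-dublin", "pop-london", 6),
    ("pop-london", "cloud-us-east", 70),
]
EU = frozenset({"EU"})


def build_graph(links):
    graph: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, ms in links:
        graph.setdefault(a, []).append((b, ms))
        graph.setdefault(b, []).append((a, ms))
    return graph


def shortest_path(graph, src: str, dst: str,
                  allowed: Optional[FrozenSet[str]] = None):
    """Dijkstra by latency. With `allowed` set, a node is usable only if its
    jurisdiction is in the set; unlabelled nodes count as not allowed."""
    def permitted(node: str) -> bool:
        return allowed is None or JURISDICTION.get(node) in allowed

    if not (permitted(src) and permitted(dst)):
        return None
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, ms in graph.get(node, []):
            if permitted(nxt) and d + ms < dist.get(nxt, float("inf")):
                dist[nxt] = d + ms
                prev[nxt] = node
                heapq.heappush(heap, (d + ms, nxt))
    return None


def compile_intent(src: str, dst: str, allowed: FrozenSet[str]) -> dict:
    """Translate a residency intent into a path, failing closed: if no
    compliant path exists the intent is rejected, never relaxed."""
    graph = build_graph(LINKS)
    compliant = shortest_path(graph, src, dst, allowed)
    if compliant is None:
        return {"status": "rejected", "path": None, "latency_ms": None,
                "reason": "no path stays within " + ",".join(sorted(allowed))}
    fastest = shortest_path(graph, src, dst)
    return {
        "status": "ok",
        "path": compliant[1],
        "latency_ms": compliant[0],
        # True when plain performance-based selection would break the intent.
        "fastest_violates": any(JURISDICTION.get(n) not in allowed
                                for n in fastest[1]),
    }


if __name__ == "__main__":
    for src, dst in [("branch-paris", "cloud-eu-west"),
                     ("branch-dublin", "cloud-eu-west"),
                     ("branch-paris", "cloud-us-east")]:
        print(src, "->", dst, compile_intent(src, dst, EU))
```

In the constructed topology the lowest-latency route from the Paris branch transits a non-EU point of presence, so performance-based path selection alone would violate the intent; the compiled path costs 2 ms more and stays compliant.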
Contractual and Business Considerations
Alongside technology shifts, enterprises are also navigating changes in WAN economics, contracts, and vendor relationships. Here are some key business-side considerations for modern WANs:
Cost Trends and Optimization
WAN costs have always been a major budget item for large enterprises, and the past decade’s changes were largely motivated by cost reduction. Moving from MPLS to internet-based WAN can dramatically cut expenses – organizations have reported 50% or more cost savings per site by substituting MPLS with broadband and using SD-WAN.
Additionally, the cost per bit of bandwidth continues to decline year over year, enabling companies to upgrade speeds without proportionally increasing spend. However, new services like SASE or premium SD-WAN cloud gateways do add costs in other areas, so optimization is key.
Many enterprises are actively renegotiating contracts and diversifying providers to get better rates. The old practice of signing a single carrier to a long 3-5 year MPLS contract is giving way to shorter-term, more flexible agreements and a mix-and-match approach. An enterprise might negotiate volume discounts with an ISP for many broadband lines, while keeping the option to drop underperforming links without heavy penalties.
The pricing model for WAN is also shifting – some vendors offer subscription-based pricing for SD-WAN as a service, and some cloud providers offer consumption-based network pricing (e.g., pay per GB transferred through a cloud WAN service). Enterprises are exploring these models to see if they provide better alignment with usage.
One notable emerging approach is Network-as-a-Service (NaaS), where instead of buying fixed capacity, a company can essentially rent WAN connectivity on demand. As of 2024, NaaS is still in its infancy with low adoption and some skepticism, but it could be a game-changer in the future, turning WAN into an OPEX utility that scales up or down as needed (similar to cloud computing).
For now, WAN managers focus on cost optimization strategies like: leveraging internet where possible, using SD-WAN to aggregate cheap links, rightsizing bandwidth per site based on actual usage analytics, and continually benchmarking provider prices (e.g., using market data to ensure they pay competitive rates for IP transit or DIA).
We also see enterprises investing in cost visibility tools – knowing the cost per application or per user for WAN transport – to make informed decisions about network investments. The business mandate is clear: provide more capacity and flexibility, but keep costs in check, which drives innovative procurement and design.
Service Level Agreements (SLAs) and Performance Assurance
With MPLS networks, enterprises were used to strict SLAs on metrics like availability (99.9% uptime), latency (e.g., <30ms between core sites), jitter, and packet loss, with penalties if not met.
With the shift to internet-based WAN, enforcing SLAs becomes more challenging. Broadband ISPs often provide “best effort” service with no guarantees on latency or loss. Dedicated Internet Access may come with uptime SLAs, but usually not end-to-end performance guarantees. This lack of guaranteed performance is a concern when moving critical traffic to internet links.
Enterprises are tackling this in several ways. First, many SD-WAN solutions perform constant link monitoring and will dynamically steer traffic away from a degraded path – effectively minimizing the impact of an outage or brownout. While this doesn’t prevent an outage, it can meet application SLAs by instantly using a backup.
Second, some SD-WAN vendors and NaaS providers offer an overlay SLA, where they use their own backbone or a mesh of cloud POPs to ensure a certain quality. An SD-WAN provider might guarantee sub-100ms latency globally by routing through its private network – if the public internet underlay fails, that’s their problem to solve in the background.
Third, enterprises set clear expectations and measurements: they deploy probes or use SaaS monitoring (like ThousandEyes) to continuously measure network performance to all their critical services. If an ISP underperforms consistently, they have data to push for improvements or switch providers.
SLA enforcement in a multi-provider environment can be tricky – when you have numerous local ISPs, you might not have individual SLAs but rely on the SD-WAN to deliver overall performance. Some companies mitigate risk by maintaining a small MPLS backup for absolute mission-critical needs (trading cost for assurance).
Another approach is using Service Level Objectives (SLOs) internally – the network team might set internal SLOs to deliver a certain quality and then design the network and redundancies to meet those (even if provider SLAs are absent).
While formal SLAs from carriers may be less central than before, performance assurance is still front-of-mind, and enterprises achieve it via technology (redundancy, smart routing) and careful provider management. Many WAN contracts now focus on outcome-based metrics – for instance, managed SD-WAN SLAs that guarantee application availability rather than raw circuit metrics. This represents a shift from point-to-point link guarantees to end-to-end service quality focus.
Vendor Lock-In Risks
With the consolidation of networking and security, enterprises sometimes worry about vendor lock-in – becoming too dependent on a single vendor’s ecosystem. If you deploy one SD-WAN vendor’s boxes at all sites, plus their cloud gateways and security, you are effectively tied to that vendor for the long term. This can be risky if the vendor’s strategy changes, prices increase, or technology falls behind.
It’s worth noting that SD-WAN solutions today are often proprietary, with controllers and endpoints tightly coupled, and there are no universal interoperability standards allowing mix-and-match of SD-WAN vendors. (The Metro Ethernet Forum has been working on SD-WAN service standards, but multi-vendor interoperability remains limited.)
Thus, choosing an SD-WAN is a bit like a marriage – it’s hard to unwind. The same goes for SASE: if you rely on a single cloud provider for both networking and security, moving away could be painful. That said, many organizations proceed with a single-vendor solution because the benefits outweigh the risks, but they negotiate contracts carefully to mitigate lock-in.
Strategies include: contractual exit clauses or periodic tech refresh options, avoiding excessively long contracts (e.g., opting for 2-year terms instead of 5), and pilot testing the migration path (can we switch this SD-WAN device to another easily? Often the answer is no without full replacement, hence the concern).
Some enterprises keep a multi-vendor stance by using one vendor for SD-WAN edge and a different vendor for cloud security, thus not putting all eggs in one basket (though this can add complexity).
Others insist on the ability to manage at least some functions themselves so they are not fully at the provider’s mercy – for example, retaining control of encryption keys or IP addressing so they can transition to a different service if needed.
As analyst Mary Shacklett noted, since SD-WAN and SASE are delivered by cloud-based providers, “there is also the danger of vendor lock-in” which can make it difficult to migrate to another solution later. Being aware of this, companies are making more strategic procurement decisions, weighing the trade-off between an integrated single-vendor solution (with potentially better integration) versus a best-of-breed multi-vendor approach (with potentially more flexibility).
In response, some vendors pitch the openness of their platform (e.g., API availability, support for standard IPsec tunnels to third-parties, etc.) to alleviate lock-in fears. The reality is that a certain degree of lock-in is almost unavoidable in any complex WAN deployment, so the practical approach is to “lock in wisely” – choose a vendor with a strong roadmap alignment to your needs, negotiate safeguards, and continually evaluate the market for when a change might be warranted.
Regulatory and Compliance Factors
Enterprise WAN contracts and designs are increasingly influenced by regulatory requirements. Data privacy laws like GDPR in Europe impose restrictions on how and where data travels, which can impact WAN routing (for example, a company may need to ensure that EU citizen data is not routed through non-EU locations without safeguards). This can necessitate contracting with local cloud gateways or MPLS in certain regions to keep traffic local.
Some countries have strict telecom regulations (e.g., requiring the use of government-approved providers or prohibiting the use of certain VPNs). For instance, global enterprises operating in China must comply with regulations that prohibit unauthorized VPNs, often leading them to use approved MPLS or SD-WAN services via licensed carriers for connectivity out of China.
Data sovereignty requirements may also drive enterprises to maintain regional breakouts – e.g., deploying local internet gateways in each country so that user traffic doesn’t cross borders unnecessarily. When engaging providers, enterprises must ensure the providers can meet these compliance needs, possibly writing into contracts commitments about data handling (like contractual clauses that cloud-based SASE providers won’t store certain log data outside of specified regions).
Security regulations in industries like finance and healthcare also affect WAN choices: for example, a bank might be required by regulators to maintain dual-network redundancy and specific recovery times, which then must be reflected in service contracts (with stiff SLA penalties for breaches).
There are also emerging regulations around critical infrastructure security – some governments are pushing requirements for Zero Trust adoption or encryption standards for any networks used by government contractors. Enterprise WAN teams need to stay abreast of such changes, as they might necessitate upgrades (say, moving from older encryption to quantum-resistant algorithms in the future) or adding new controls.
Compliance has become a key part of WAN planning, often involving legal and risk teams in what used to be purely an IT decision. Contracts with WAN providers now often include sections on compliance with data protection laws, and failure to meet those can be as critical as failing technical SLAs. This is another reason why many enterprises stick with well-known, reputable providers for WAN services – to ensure they have the necessary certifications and can help meet regulatory audits.
As one example, research by Telindus and Ciena found over half of organizations could be vulnerable to GDPR non-compliance via their WAN if they didn’t encrypt and secure data in transit. Such findings underscore the need to bake compliance into network contracts (e.g., requiring encryption on all WAN links, or using providers that undergo SOC 2, ISO 27001 audits, etc.).
SLA Management and Vendor Accountability
A practical consideration in enterprise WAN is how to manage multiple vendors to deliver a coherent service. If an enterprise sources internet from 5 different ISPs, plus uses a separate cloud security provider, plus an SD-WAN overlay vendor – when something goes wrong (say users at Branch X can’t reach Application Y), troubleshooting and accountability can become a headache.
To address this, some companies opt for a single throat to choke model – e.g., a managed service where one vendor takes end-to-end responsibility. Others build in-house network operations teams with strong monitoring tools to pinpoint issues and then enforce contracts.
It’s important to have clear OLAs (Operational Level Agreements) internally and escalation paths with each provider. For instance, if latency to Office 365 spikes, is it the ISP’s issue or the SASE provider’s? Having data (like probe results) to present to the vendor is vital for quick resolution.
Enterprises are also becoming more savvy in contract negotiations by including specific performance metrics relevant to their business. Instead of generic availability, they might include a clause that, for example, 99% of monthly samples on the core network must show packet loss below 0.1%, or else credits apply.
While providers may push back, it sets expectations. Multi-vendor WAN environments might also employ aggregators or brokers – companies that manage all the supplier relationships for you. This can simplify billing and support, but it’s another layer to consider contractually. All these contractual tactics aim at one thing: ensuring the WAN meets business needs reliably, and that when problems occur, there are predefined remedies and responsibilities.
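The sample-based clause described above only works if both sides agree on how probes that got no answer are counted. This added example (not from the article or any provider's tooling) scores a month of probe results per provider against "99% of monthly samples below 0.1% loss" and shows that one provider passes or owes credits depending on that definition. The probe data is constructed, and the coverage floor and missing-probe handling are assumptions a real contract would have to spell out.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LossClause:
    threshold_pct: float = 0.1      # from the clause: packet loss below 0.1%
    required_share: float = 0.99    # from the clause: 99% of monthly samples
    missing_is_breach: bool = True  # assumption: an unanswered probe counts against the provider
    min_coverage: float = 0.95      # assumption: below this the month is disputed, not scored


def score_month(clause, samples, expected):
    """Score one provider's month.

    samples  -- loss percentage per probe; None (or an absent entry) means the
                probe got no answer, which may be the provider's fault or ours.
    expected -- number of probes that should have run in the month.
    """
    measured = [s for s in samples if s is not None]
    coverage = len(measured) / expected
    if coverage < clause.min_coverage:
        # Too little evidence either way: fix the monitoring before arguing credits.
        return {"verdict": "insufficient-data", "coverage": coverage, "share_ok": None}
    # "Below 0.1%" is strict: a sample at exactly the threshold does not pass.
    ok = sum(1 for s in measured if s < clause.threshold_pct)
    denominator = expected if clause.missing_is_breach else len(measured)
    share_ok = ok / denominator
    verdict = "met" if share_ok >= clause.required_share else "credit-due"
    return {"verdict": verdict, "coverage": coverage, "share_ok": share_ok}


def score_providers(clause, records, expected):
    """records: iterable of (provider, loss_pct_or_None) tuples from the probes."""
    by_provider = defaultdict(list)
    for provider, loss in records:
        by_provider[provider].append(loss)
    return {p: score_month(clause, s, expected) for p, s in by_provider.items()}


# Constructed sample month: one probe every 5 minutes for 30 days.
EXPECTED = 30 * 24 * 12  # 8640 probes
RECORDS = (
    [("isp-a", 0.0)] * 8600 + [("isp-a", 0.3)] * 40                          # clean month
    + [("isp-b", 0.02)] * 8500 + [("isp-b", 0.4)] * 60 + [("isp-b", None)] * 80
    + [("isp-c", 0.0)] * 7000 + [("isp-c", None)] * 1640                     # probe gaps
)

if __name__ == "__main__":
    for strict in (True, False):
        clause = LossClause(missing_is_breach=strict)
        print(f"missing_is_breach={strict}")
        for provider, result in score_providers(clause, RECORDS, EXPECTED).items():
            share = "n/a" if result["share_ok"] is None else f"{result['share_ok']:.4f}"
            print(f"  {provider}: {result['verdict']:<17} share_ok={share} "
                  f"coverage={result['coverage']:.3f}")
```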
Challenges and Pain Points in Enterprise WAN
Even with advanced technology, enterprise WAN teams face several ongoing challenges and pain points:
Security Concerns
With the WAN increasingly using the public internet, the attack surface expands. Ensuring security across all those connections is a top challenge. Branch offices connecting directly to the internet are exposed to threats if not properly secured. The sheer volume of cyber threats (malware, DDoS, ransomware) targeting organizations means the WAN must be a security enabler, not a gap. Implementing SASE/Zero Trust helps, but it’s complex. Consistency of security policy across on-prem and cloud is hard to maintain.
Many organizations worry whether their WAN security meets required standards (for example, whether all data in transit is encrypted to prevent breaches – a concern under GDPR). Additionally, remote work has blurred the WAN boundary – home users often bypass corporate networks entirely, or their traffic enters from unpredictable locations, challenging security monitoring.
Protecting a widely distributed, internet-centric WAN is an ongoing battle. Misconfigurations or lack of visibility can lead to breaches. Security is thus both a technical and management challenge – making sure every SD-WAN device has up-to-date firewall rules, every cloud gateway has the latest threat intel, and every user is authenticated. It’s a lot to get right, and the stakes are high.
Performance and Reliability in a Cloud-First Environment
Delivering a consistent, high-performance application experience is another pain point. Cloud applications like Office 365, Salesforce, video conferencing, etc., are bandwidth-hungry and sensitive to latency. If the internet path from a branch to a cloud service is congested or suboptimal, users will notice. Unlike the MPLS days, IT doesn’t control the whole path, so troubleshooting slowness can be tricky.
Performance issues over the internet “middle mile” can significantly impact business operations. Enterprises often invest in WAN optimization or premium routing services to mitigate this, but it adds cost and complexity. Moreover, real-time applications (voice, video) are less forgiving of jitter – ensuring these run well over broadband links remains a challenge, especially in regions with spotty ISP quality.
Reliability is also a concern: while dual internet links are common, simultaneous outages can still occur (for instance, a widespread fiber cut or a major ISP outage can take out multiple connections). Building a truly resilient WAN may require triple redundancy (e.g., MPLS + fiber internet + 4G) which not everyone does.
Cloud provider outages themselves are now an extension of WAN issues – if Salesforce or Azure is down in a region, the WAN might be fine but users perceive a network issue. Network teams thus have to troubleshoot across domains. Ensuring high performance and reliability as apps migrate to cloud is a continuous effort, involving careful capacity planning, routing optimization, and contingency planning for outages.
Complexity of Multi-Vendor, Multi-Cloud Environments
Today’s WANs are an amalgam of many technologies and providers, which introduces significant complexity. Managing a multi-vendor SD-WAN (say, after a merger, a company might have two different SD-WAN solutions in play) can be a nightmare since there’s no standard way to make them work together easily.
Even within one vendor, you have to integrate with cloud services, with existing LAN/Wi-Fi, etc. Additionally, multi-cloud adds complexity – different clouds have different networking constructs (VPCs, VNets, security groups) that need to connect back to the WAN. Each integration point is a potential pain: e.g., connecting Azure Virtual WAN to your SD-WAN might involve managing BGP, firewall rules, IP overlaps, and so on.
Orchestrating changes across this heterogeneous environment is difficult – a simple policy update might need to be applied in an SD-WAN controller and two cloud consoles and maybe a legacy router interface for good measure. Many networking teams cite complexity as a major challenge, noting that operating a multi-vendor SD-WAN and integrating security options are top challenges, along with defining end-to-end SLAs in such environments.
Standardization efforts are lagging behind the pace of innovation, leaving practitioners to be system integrators of sorts. Furthermore, the skill sets required are broader – network engineers now need to know cloud networking, security policies, scripting/automation, etc. Finding or training talent that can cover all bases is tough. This complexity also increases the risk of errors and outages due to misconfigurations. Tools that provide unified visibility and control are improving, but many organizations still juggle 5 different management consoles when troubleshooting an issue. Reducing complexity without sacrificing flexibility is a delicate balance – and one of the WAN manager’s biggest pain points.
Ensuring Resilience and Redundancy
While mentioned under performance, it’s worth singling out resilience as a constant concern. Enterprise WANs must be highly available – downtime means lost productivity or revenue. Traditional WAN design had redundant routers, dual MPLS links, etc., but in the new world, you need redundancy across heterogeneous links and even provider redundancy. Making sure that a failure in one network (like an ISP outage) doesn’t isolate a site involves planning (e.g., different providers on primary vs backup, diverse physical paths where possible). However, some risks are hard to mitigate – e.g., if all your traffic goes through a cloud security node, that node is now a potential single point of failure unless the provider has a strong redundancy architecture.
Resiliency now must account for cloud service outages, undersea cable cuts, BGP routing issues on the internet, and even geopolitical events that could affect networks. Enterprise WAN teams work on architectures like active-active load balancing (using two links simultaneously), rapid failover configurations, and fallback to 4G/5G. They also increasingly think about disaster recovery at the network level – how to reroute traffic if an entire region goes down.
It’s complex, but the expectation from the business is near-zero downtime. Achieving that over the internet means embracing redundancy and smart design. Nonetheless, many cite that fully resilient designs can be cost-prohibitive for every single site, so they tier their network – mission-critical sites get the Cadillac treatment of multiple diverse links and perhaps an MPLS for good measure, whereas smaller sites accept a bit more downtime risk with just dual broadband. The pain point is finding the right level of resilience that justifies the cost and managing all the moving parts of failover when something breaks.
Integration of Networking and Security Teams
Another non-technical challenge is organizational. Historically, network teams and security teams worked somewhat separately – one handled connectivity, the other firewalls and access control. With SASE and zero trust, these teams must work in unison, which can be a cultural shift. There can be friction in who owns what (e.g., the network team might manage SD-WAN devices, but do they also manage the firewall rules on them or is that the security team’s job?).
Aligning policies and tools requires cross-team expertise. Some organizations are creating NetSecOps teams or similar to break down silos. But getting there can be a challenge in itself, requiring new processes and sometimes new management structures.
Even as technology addresses old pain points (like SD-WAN solving some MPLS limitations), new ones arise. The WAN professional’s role has expanded to juggle connectivity, cloud, security, and business continuity, all under increased expectations and tighter budgets. It’s a challenging yet exciting time, as solving these issues often means pioneering new solutions and collaboration methods.
The Future of Enterprise WAN
Looking ahead 5 to 10 years, the enterprise WAN will continue to evolve rapidly. Here are some predictions and expectations for the future:
Continued Decline (but Not Death) of MPLS
We can expect MPLS to further recede. Within the next 5 years, many analysts predict that a majority of enterprises will have fully phased out MPLS or reduced it to a minimal role. Internet-centric WANs augmented by SD-WAN and cloud backbones will dominate.
MPLS likely won’t disappear completely in this timeframe – much like how some legacy technologies persist, MPLS may survive in niche scenarios or specific regions. Certain industries with extreme performance or regulatory demands (e.g., trading networks, defense) might keep private circuits for an added layer of isolation. Also, in parts of the world where the public internet infrastructure is less developed or government policies favor state-run MPLS networks, MPLS could stick around longer. But broadly, MPLS will shift to a “legacy” status, similar to frame relay or ATM in the past – rarely the first choice for new deployments.
Network service providers themselves are transforming their core offerings, perhaps morphing MPLS VPN services into more cloud-like private backbone services that use SDN but still offer SLAs. The concept of an “MPLS replacement” might simply be a telco-managed SD-WAN over their global internet backbone, which feels like MPLS to the customer (in terms of a managed service) but isn’t a traditional MPLS network under the hood.
Full Embrace of SASE and Cloud-Native Networking
In the future WAN, we anticipate that the majority of enterprises will have consolidated networking and security to a cloud-centric SASE model. Gartner forecasts suggest that by mid-decade, a large portion of companies will be well along in this consolidation. We will see more convergence where the distinction between “SD-WAN provider” and “security provider” blurs – most will be offering unified solutions.
The branch of the future might not need any heavy infrastructure beyond perhaps an SD-WAN CPE for local connectivity; all the security filtering and heavy lifting will occur in the cloud. This will simplify branch setups (maybe even push toward “thin branch” with just an ISP modem and everything else in cloud).
The Zero Trust model will be ubiquitous, potentially rendering the idea of an internal trusted network obsolete. Each user/device will essentially be treated as “remote” even if in an office, always authenticating through cloud to get to applications. This, combined with 5G and wireless access, could reduce the need for large campus networks – some envision just providing internet everywhere and layering SASE on top for secure access, eliminating complex internal WAN routing.
AI and Automation Reshaping WAN Management
In 5-10 years, network management will likely be far more automated. We might reach the point of a self-healing WAN, where common issues are detected and resolved by AI without human intervention. An AI system might notice slight packet loss on a path and preemptively shift traffic before users notice, or automatically open tickets with an ISP when its latency exceeds thresholds, complete with diagnostic info.
The role of the network engineer will shift towards policy definition and exception handling – the mundane tasks of configuration and basic troubleshooting will be heavily automated.
The WAN might also integrate more with application layers; concepts like intent-based APIs could allow an application to request network resources on the fly (e.g., an app could signal the network that it needs a low-latency path for the next hour for a data transfer, and the SD-WAN controller could set that up).
AI could also help with network design, crunching performance data to suggest optimal site-to-cloud connections or predicting where adding a new PoP would improve user experience. We are already seeing early stages of this with AIOps; by 2030 it could be standard to have an “AI Network Assistant” as part of the NOC toolset. One outcome of more automation could be leaner network teams or the ability for teams to handle larger, more complex networks with the same personnel. It might also democratize some network operations – for instance, branch office setups might be handled by non-specialist staff who just plug in a device and the cloud does the rest, guided by AI instructions.
New Connectivity Options and Models
The next decade will also bring new connectivity mediums into the enterprise WAN. LEO satellite networks (like SpaceX Starlink, OneWeb) are maturing – these can provide high-speed internet to remote locations and could serve as a viable backup (or even primary in hard-to-reach sites) for enterprise WAN. As latency improves with dense satellite constellations, some companies might integrate satellite links into their SD-WAN for truly diverse paths (earth and space!).
On the terrestrial side, 5G and eventually 6G wireless will play a bigger role. The promise of 5G – high bandwidth and low latency – means it could become a primary connection for certain use cases, not just backup. The concept of network slicing in 5G could allow enterprises to have a virtual dedicated slice of a carrier’s network for their traffic, mimicking a private WAN.
Private 5G networks on-premise could also integrate with the WAN, extending the enterprise network to IoT devices and factory floors with guaranteed performance.
The NaaS business model might gain traction – instead of procuring circuits or devices, enterprises might buy “WAN as a service” from providers who dynamically provide whatever connectivity is needed at a monthly fee. Think of it as cloud networking: you pay for connectivity between your sites and cloud as you use it, with the ability to scale bandwidth on demand or spin up a connection to a new partner or service in minutes through a portal. This agility could unlock new use cases and faster site deployments (no more waiting 3 months for a circuit install – it could be as quick as connecting to the nearest provider PoP via any available internet and voila, you have a “leased line” on demand).
Simplification and Convergence
Ironically, after years of adding complexity, the end state of all these trends might be a much simpler-looking network from the enterprise perspective. If most functions are delivered via software from the cloud, the enterprise might not need large routing infrastructures or multiple overlay networks. The WAN could converge with other networks – for instance, the distinction between LAN and WAN could blur with secure internet everywhere.
Unified access where users connect securely via whatever network is available (home, office, mobile) into a cloud platform that then handles connectivity to applications – that might be the new enterprise “network”. In that scenario, companies might focus more on policy and identity management and less on physical network engineering. Connectivity becomes more of a commodity (available almost anywhere via many options) and the intelligence is all in software.
Potential Challenges Ahead
Of course, the future WAN will have its own challenges. Security threats will evolve (we may need to deal with quantum computing threats to encryption in 10 years, forcing WAN cryptography upgrades).
The need for standards may become acute as everyone converges – perhaps by 5-10 years we’ll finally see standardized interoperability in SD-WAN/SASE, making it easier to multi-source or switch providers.
Regulatory environments might tighten around networks (for example, more requirements to ensure supply chain security in network equipment, or data localization laws fragmenting the WAN by country).
Another future consideration is sustainability – networks consume power, and there’s growing interest in making IT infrastructure more energy-efficient and environmentally friendly. We might see “green networking” initiatives influencing WAN designs (choosing routes that are more energy-efficient, consolidating infrastructure, etc.).
The enterprise WAN is on a clear trajectory towards being internet-based, software-defined, cloud-delivered, and highly intelligent. The traditional MPLS networks of the past are fading, replaced by agile hybrid networks that can adapt to whatever the business throws at them – whether it’s a new cloud deployment, a sudden shift to remote work, or a need to connect a thousand IoT sensors at the edge.
The next 5-10 years will likely bring an even tighter alignment between the WAN and the rest of IT, possibly making the concept of “WAN” invisible to end-users (it will just be the secure cloud-connected network, everywhere).
For WAN professionals, continuous learning is key – the mix of skills needed is broader (network, cloud, security, automation, analytics). But it’s also an exciting prospect: networks are more critical than ever to business success, and the innovations in this space mean the WAN of the future could deliver levels of flexibility and efficiency we only dreamed of in the past.
The enterprise WAN is indeed changing – and this time, it’s truly different, aligning with fast-changing enterprise needs and setting the stage for the next generation of connectivity solutions.