SD-WAN Solutions Comparison: Failover Architecture

Your company is in the market for an SD-WAN or SASE solution, but you need redundancy, because network availability is a huge requirement.

In this video, I cover the best failover architecture for SD-WAN or SASE.

Want my recommendations on the best SD-WAN & SASE solutions that your company should quote? Ask me today.

About Me

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Key Takeaway

Network availability is non-negotiable when evaluating SD-WAN or SASE solutions, and redundancy must be designed the right way. Running multiple SD-WAN platforms side by side creates more problems than it solves. Instead, high availability appliances, diverse ISP circuits, and carefully planned backup paths like MPLS or IPsec VPNs provide reliable failover without complexity. The strongest architectures account for hardware failures, carrier outages, and even SD-WAN cloud disruptions while maintaining consistent security controls throughout the transition.

Table of Contents

• Why Using Two SD-WAN Solutions Is a Mistake
• High Availability Appliances for SD-WAN and SASE
• Using Multiple ISPs for WAN Redundancy
• Protecting Against SD-WAN Provider Outages
• Security Considerations During Failover

Why Using Two SD-WAN Solutions Is a Mistake

A common misconception is that running two different SD-WAN or SASE solutions creates redundancy. In reality, it introduces unnecessary risk and complexity. Different SD-WAN platforms have different feature sets, application-prioritization logic, and traffic-steering behavior. Failing from one solution to another often results in inconsistent performance and unpredictable application behavior.

Another issue is application prioritization. Some vendors steer traffic based on congestion, while others rely on packet loss or latency metrics. Switching between two platforms means switching traffic logic midstream, which can quickly become a management nightmare. Security models also vary significantly between vendors, including where inspection occurs and how policies are enforced. Combining two solutions ultimately makes the network harder to manage and less reliable, not more.

My Recommendations

Well, I’m a broker for all the major SD WAN service providers, so I have a pretty good idea of where to start because this is my job. Every day I’m like, okay, well, there’s hundreds of options. Which ones are the best fit for this? Said customer? So I have some different ways that I kind of filter through the SD WAN service providers and narrow them down.

And so today I’m going to tell you five quick ways to narrow down your search in terms of comparing SD WAN vendors. But before I get too far ahead of myself. A couple of quick plugs. If you want my recommendations on the best SD WAN vendors for your company and you’d like help getting quotes, things like that, reach out, email me or call me (714.593.0011). That’s my job. I’m a broker for all these service providers. I’ll make sure you get paired up with the right vendors, get the best pricing from them, talk to the best reps at each vendor in. The nice thing is, is my service is free to you. You don’t have to pay me a thing. So absolutely no reason not to at least reach out and give it a try. More information on that at the end of the video.

High Availability Appliances for SD-WAN and SASE

A better approach starts with high availability at the appliance level. Most SD-WAN and SASE vendors support redundant on-site hardware using either cold-spare or hot-spare configurations. A cold spare remains idle until needed, while a hot spare is active and ready to take over instantly.

This type of high availability protects against local hardware failures and ensures that a single device outage does not take down an entire site. It is one of the most fundamental and effective redundancy strategies and should be considered a baseline requirement for any production SD-WAN or SASE deployment.

Using Multiple ISPs for WAN Redundancy

Redundancy on the wide area network side is achieved by using multiple internet circuits from different providers. When one ISP experiences an outage or degradation, traffic can automatically shift to the secondary provider. SD-WAN platforms are designed to take advantage of multiple links and dynamically route traffic based on performance.

Deploying dual ISPs at every location dramatically increases overall network resilience. This approach protects against carrier outages and last-mile failures while allowing the SD-WAN solution to optimize performance across all available paths.

Protecting Against SD-WAN Provider Outages

Even with redundant hardware and ISPs, organizations often ask what happens if the SD-WAN provider’s core network goes down. One effective safeguard is retaining an MPLS network as a backup path. Many SD-WAN and SASE solutions allow MPLS circuits to be integrated and used as an alternate transport.

Another option is configuring the SD-WAN appliance to fail over to an IPsec VPN if the SD-WAN fabric becomes unavailable. In this scenario, the device automatically establishes VPN connectivity to maintain network access until the SD-WAN service is restored. Both approaches provide a way to bypass the SD-WAN cloud while keeping the business online.

Security Considerations During Failover

Security is a major concern during failover, especially with SASE solutions where security services are delivered from the cloud. If traffic shifts to an IPsec VPN during an outage, the SD-WAN appliance can enforce security locally using its built-in stateful firewall.

This ensures that traffic remains protected even when cloud-based security services are temporarily unavailable. Properly designed architectures account for these scenarios in advance, so security controls remain consistent regardless of which backup path is in use.

Still confused? Reach out and contact me

So just something else that you want to know that might help you narrow down your options there. I hope that was helpful information. Those are five ways to narrow down your SD WAN service provider options, your vendor options when it comes to SC win.

I’ve been a broker for this type of stuff for over 20 years, so I know the whole landscape of SD WAN vendors. I know all of your options out there and I’ll ask you some questions about your companies requirements and based on your answers to those questions, all narrowed down the landscape for you and tell you, Hey, if I were you, I’d quote these 2 to 3 service providers for SD WAN.

And not only that, I’ll introduce you to them or introduce you to the right reps to talk to you with those service providers that I’ve worked with before that I trust that I think will do a good job or I’ll be on the calls with you as they explain their solution. Also oversee the whole quoting process to make sure your company gets the best pricing.

And the nice thing is, is you don’t have to pay me anything. The service providers, the vendors themselves pay me my broker fee. So there’s absolutely no excuse not to at least reach out, give me a call, send me an email, you know, give me a try and it won’t cost anything and see what I have to come up with.

I can definitely help you and hopefully you’ll reach out, email me or call me (714.593.0011) for some quotes. And I’d love to help.