Who are the top/best US SD WAN vendors? Netify recommends considering Aryaka, Cato, Cisco SD WAN, Meraki, Citrix, Oracle, Palo Alto, Silver Peak, Versa and VeloCloud. In this article, we cover each service offering in more detail and the benefits of each vendor and provider.
A decade ago, vendors told us that SDN would revolutionize data center networking. That didn't happen, but in the intervening years network virtualization and software control have reshaped enterprise WAN edge networks in many ways. Nowhere has the influence of software been more profound than with SD WAN, which has never been more necessary than in pandemic-riddled 2020, after offices emptied and employees began spending their days remotely tethered to company Slack channels and Zoom meetings.
SD WAN was initially conceived to expand service options and lower the costs of WAN provisioning by substituting consumer-grade broadband or wireless service for expensive enterprise MPLS or T-carrier circuits. Over time, SD WAN features and provisioning models have expanded via security and content delivery features using standalone appliances, user-managed software or cloud-based services.
Interest in DIY, co-managed and fully managed SD WAN vendor services has likewise grown, with multiple firms estimating total SD WAN solution sales at around $1 billion and doubling every 18 to 30 months (30 to 50 percent CAGR) throughout this decade. Security is the hottest sub-segment of the SD WAN market, with the emerging SASE market, which adds security features to an SD WAN solution, expected to more than double annually over the next several years, reaching 60 percent of SD WAN deployments by 2024 according to Gartner.
Consequently, SD WANs will become the norm in most enterprises, with Gartner projecting that the share of enterprises implementing SD WAN will double from 30 to 60 percent between 2020 and 2024. Indeed, by 2023, Gartner says that 30 percent of enterprise locations will be served solely by broadband Internet services connected to an SD WAN service provider backbone with some hybrid WAN circuits retained to meet business needs.
The nexus of a relatively small but rapidly growing market, served primarily by smaller firms and startups specializing in SD WAN technology, fueled rapid consolidation over the past few years as established firms like Cisco (Viptela and Meraki), Palo Alto Networks (CloudGenix), Oracle (Talari) and VMware (VeloCloud) entered the market via acquisition. The resulting battles for customers in both enterprises and service providers have created a broad set of products, services and pricing models, but not as much feature differentiation.
What are the primary features of SD WAN?
As the name suggests, SD WAN uses SDN techniques to segregate network control from data and create a virtual network overlay to configure and manage multiple physical WAN circuits. By interposing an abstraction layer between physical and logical networks, an SD WAN platform can combine multiple physical links into a single virtual network and micro-manage packet flow over each to improve both aggregate and application-specific performance, availability and security.
SD WAN works with any type of wired or wireless Internet connection and provides channel bonding, redundancy, load balancing and dynamic path selection based on network congestion and quality. Virtual connections are inherently secure encrypted tunnels, typically using IPsec or HTTP/TLS, with firewall-type ACLs controlling access and traffic flow. The centralized SD WAN control plane can set and enforce traffic routing and security policies for all of an organization's remote links.
Other typical SD WAN architecture features, in rough order of availability, are:
- Packet and application-layer traffic routing, management and optimization features derived from the WAN optimization appliances where many vendors got their start. These include data compression, error correction, application identification and QoS prioritization.
- A central management interface providing consistent configuration, security and usage policies across sites, users/groups and applications. SD WAN security controls typically exploit SSO capabilities provided by an external IDM or IAM service that authenticates identities and manages credentials. The management system also aggregates monitoring logs and alerts that are used to create summary dashboards and detailed data visualizations of system status, performance and availability.
- Management systems provide multiple ways to automate administrative tasks using CLI scripts and API calls. Many of these have been wrapped into language-specific libraries by third parties. For example, the silverpeak_python package simplifies using the Silver Peak API in Python scripts.
- An emergent feature in both general-purpose network management software and SD WAN provider products is the use of higher-level intent-based management semantics. These allow specifying the desired network behavior using a DSL (domain-specific language), which the system translates into detailed configuration parameters and security policies. The IBN (intent-based networking) system then monitors the SD WAN for deviations from the desired policy that it either flags via alerts or automatically remediates to restore the network to its design state.
- Zero-touch automated configuration of remote devices (CPE) to simplify deployment at home and branch locations. Auto-setup is a prerequisite for service providers and has long been used for consumer CPE like cable/DSL modems and routers; however, most enterprise SD WAN company products also provide the feature.
- Support for inserting virtual services (VNFs) into logical links. Popular services include next-generation firewalls, VPN gateways/termination, content distribution and management (e.g. caching and filtering) and APM (application performance management).
- Supports both physical (embedded hardware) and virtual (x86 server) endpoint appliances. Hardware appliances are the traditional way of distributing network access and security functionality to small sites and home offices. However, larger branches and retail locations increasingly combine compute, storage and network services onto standard x86 servers which can run Software Defined WAN endpoint software as a virtual appliance on a local hypervisor.
What are the evaluation criteria across SD WAN solutions?
SD WAN is a sufficiently mature technology and product category that competing products often are more alike than different. Consequently, much like buying a car, where the vast majority of features are the same, product evaluation comes down to focusing on feature implementation, not checklists. Furthermore, since each organization's needs are unique, evaluations must start by prioritizing the importance of various features and weighting each vendor's execution and limitations.
Factors to consider when comparing an SD WAN offering to traditional WAN services include:
- Design for scalability and reliability with support for various network topologies. Another design consideration is support for a variety of WAN circuit types and carriers, including broadband, T-carrier, MPLS connection, Metro Ethernet and both LTE and 5G cellular. If wireless connectivity is critical, investigate support and optimization for advanced 5G technologies like MIMO, beamforming and millimeter wave (ultra-wideband) radio frequencies.
- Cloud connectivity including the list of supported IaaS and SaaS vendors, integration between on-premises and cloud applications with the ability to create multi-cloud fabrics.
- Management features and design for usability and task automation, including the completeness of built-in auto-configuration and optimization modules and the vendor's API and CLI, availability of language libraries and packages. Award bonus points for the availability of AI-based automation using machine learning and data analysis to optimize WAN performance configurations. Also note the availability and completeness of intent-based configuration semantics.
- WAN traffic monitoring, reporting and visualization features including the ability to dynamically generate custom dashboards and network performance charts. Also consider supported integrations with external, third-party systems like IDM, APM, SIEM and log analysis products.
- Security features and integration into a SASE solution. Note whether SASE features are included in the base product or treated as an add-on option. Also consider support for application- or workload-based network microsegmentation and policy migration and enforcement as applications move to different networks.
- Application performance management (APM) and bandwidth QoS features including the ability to automatically identify popular applications via packet inspection, support for application-aware routing and support for application templates or profiles. Ensure that any application-specific features work with both installed software and SaaS.
- SD WAN deployment and pricing model. For installed software, note support for a variety of hardware and OS configurations including standard servers (using VMs and software appliances) and hardware appliances with a range of user and throughput capacity. For remote offices, consider the support for both embedded appliances and virtual CPE on an existing client. Also note the availability of PC and mobile client endpoints for WFH employees.
- For purchased software, consider purchase options including up-front licensing and a usage- or user-based service.
- For managed network-as-a-service, evaluate the pricing parameters and whether pricing is per user, by total or per-user throughput, or a combination. Also, look for discount options for upfront payments.
Who are the top/best SD WAN vendors and providers?
SD WAN products and services are available from dozens of vendors, although many service providers use one of the small number of products designed for the needs of large, multi-tenant installations. Indeed, some startups like Ananda, Nebula and Twingate that have focused on secure access for remote workers don't use the label even though they provide much of the base SD WAN capability and functionality. Given such a large universe of potential products, our survey is necessarily not comprehensive; however, the following is a summary of product offerings and features from popular SD WAN software and services vendors.
Aryaka (Smart portfolio)
Aryaka, which was arguably the original NaaS, has evolved a multifaceted portfolio around core connectivity, cloud interconnect, security and network analysis services. The company's NaaS service, called SmartConnect, includes core SD WAN features and is available with either global or regional connectivity. To this, Aryaka has added the following complementary services:
- SmartCloud, a multi-cloud backbone with direct connections to AWS, Azure, Google Cloud and Oracle and accelerations for SaaS applications.
- SmartSecure, a SASE tier with a firewall, micro-segmentation and remote access VPN.
- SmartOptimize, providing WAN and application-specific acceleration.
- SmartManage and SmartInsights, a management portal and APM.
Cato Networks (Cato Cloud portfolio)
Like Aryaka, Cato Networks is another cloud-based NaaS that was one of the first to develop and promote a set of integrated security services that we later dubbed SASE. As a NaaS, Cato operates a global backbone with more than 50 POPs that uses proprietary routing and traffic management software to improve performance and availability. Other Cato services build off the backbone foundation; these include:
- WAN Edge infrastructure, which uses a hardware SD WAN appliance to provide SD WAN service to enterprise branch office locations.
- SASE, which provides firewall, IPS, secure Web gateway and malware scanning services.
- Remote access with authenticated access to a private network supporting SSO and MFA.
- Multi-cloud access with direct connections to AWS, Azure/O365, Box and other IaaS and SaaS properties.
- Managed SD WAN service with Cato support for SD WAN underlay service providers.
Cisco SD WAN (Viptela)
Cisco's core SD WAN product, by way of the Viptela acquisition and dubbed a Secure Extensible Network (SEN), has four components:
- The vManage centralized management system for configuration and monitoring.
- A centralized virtual network vSmart Controller to route traffic, authenticate and interconnect edge devices and enforce network policies and security.
- The vBond Orchestrator to automate the installation and configuration of controllers and edge devices and provide redundancy and load balancing in environments with multiple vSmart Controllers.
- Remote site vEdge Routers, which can be either virtual or hardware appliances, that terminate SD WANs and provide standard router functions like VLAN tagging, QoS, and ACL-based policies.
Source: Cisco documentation
Cisco-Meraki SD WAN
Some of Cisco's Meraki wireless products like the MX appliances with SD WAN provide VPN and SD WAN services such as support for IKE/IPSec tunnels, L2TP termination, VPN link redundancy, policy-based-routing, dynamic path selection, support for application-layer performance profiles and automatic provisioning. The MX devices also include UTM security features such as a firewall, IPS, content filtering and malware scanning.
Citrix
Citrix SD WAN, formerly NetScaler, provides the core set of SD WAN features and is available as either a DIY or MSP service. An Advanced option provides edge security including IDS/IPS, content filtering and malware protection, while a Premium edition adds WAN optimization features. Citrix provides application-specific optimizations including QoS, packet-based traffic steering, packet duplication, and sub-second link failover for more than 4,500 titles. Citrix's cloud-hosted service also includes Internet bypass links to AWS Direct Connect and Azure ExpressRoute.
Oracle (was Talari)
Like other integrated IT providers, Oracle built an SD WAN portfolio by acquiring Talari Networks, and its solution provides the standard features using a centralized control plane and management portal with remote physical or virtual appliances. Oracle's SD WAN edge appliances can provide security service by forwarding traffic to a Zscaler secure cloud gateway and running a Palo Alto Next-Gen Firewall (NGFW). SD WAN appliances can also run on AWS, Azure or Oracle Cloud (OCI) instances to provide cloud connectivity.
Palo Alto (CloudGenix)
Continuing our products-by-acquisition theme, in early 2020 Palo Alto Networks absorbed and integrated the CloudGenix SD WAN product into its Prisma Access SASE product. CloudGenix is available as a cloud service, as a virtual x86 appliance or as an add-on to Palo Alto's next-generation firewalls (NGFWs), and differentiates itself with application-specific policies, performance optimizations and analytics including response time, app reachability, server response time and total roundtrip time. Like competitors, CloudGenix integrates with leading IaaS, SaaS and co-location providers to bypass Internet bottlenecks.
Silver Peak
Silver Peak was one of the first WAN acceleration and optimization specialists that expanded into SD WAN via its Unity EdgeConnect products, which provide a typical SD WAN overlay network managed by a central controller (Unity Orchestrator) that links remote virtual or physical appliances (EdgeConnect). Silver Peak's WAN optimization features are available as an option (Unity Boost) and SASE is available via a partnership with Zscaler. Silver Peak provides cloud connectivity via packages on the major cloud marketplaces including AWS, Azure, GCP and OCI that run on VM instances.
Versa
Versa's Secure SD WAN platform focuses on the core elements of SASE by building a next-generation firewall (NGFW), secure remote access, and unified threat management (UTM) services into its Versa VOS SD WAN platform. Its security features, along with robust network and control-plane separation in multi-tenant environments, make Versa popular with MSPs and carriers offering SD WAN services. Besides its software product, Versa Titan is the company's cloud NaaS tailored to SMBs that prefer a managed service.
VMware SD WAN / VeloCloud
VMware bought and incorporated VeloCloud's product as the foundation of its Virtual Cloud Network portfolio, which includes NSX, software-defined security (firewall, IDS/IPS) and public cloud connectivity (NSX Cloud). VMware SD WAN uses a central orchestrator to control network connections to VeloCloud edge sites, with dozens of managed cloud gateways (POPs) and VMware's managed cloud security services. The cloud gateways also provide low-latency direct connections to major cloud providers in all regions.
Source: VMware documentation
With all SD WAN vendors providing the basics, selecting one involves looking beyond feature checklists. Instead, consider the following.
- Need for the control of a DIY system using installed software versus a managed service.
- Availability and maturity of SASE security services and remote client availability in the WFH era.
- Existing vendor relationships and network equipment.
- Importance of cloud connectivity that incorporates IaaS and SaaS environments into an SD WAN fabric.