Network Resilience & Security Transformation Leveraging SD-WAN

May 5, 2025

As organizations modernize their wide area networks (WANs), SD-WAN is emerging not only as a performance and cost optimization tool but also as a strategic enabler of segmentation, cloud adoption, and Zero Trust security.

In this blog, we’ll walk through real-world deployments where SD-WAN architectures were used to increase network resilience, simplify operations, and improve security posture.

We’ll also highlight case studies across state government, municipal, and oil and gas sectors—covering multiple vendors and technologies, and the lessons we learned along the way.

Why SD-WAN?

Legacy router-by-router architectures are giving way to centralized, software-defined approaches that improve agility and reduce operational complexity. With SD-WAN, organizations benefit from:

  • Centralized Management: Unified visibility and control across all network edges.
  • Transport Independence: Leverage MPLS, broadband, 5G, or satellite (e.g., Starlink) for flexible connectivity.
  • Separation of Control and Data Planes: Simplifies routing and enhances performance.
  • Built-in Encryption: Site-to-site encryption for compliance, especially in public sector environments.
  • Advanced Segmentation: Leverage VRFs and VLANs to implement Zero Trust principles at the network layer—without endpoint agents.

SD-WAN + SSE: Better Together

Organizations can pair an SD-WAN solution (e.g., Cisco SD-WAN, Aruba EdgeConnect) with a leading SSE platform (e.g., Palo Alto Prisma Access, Zscaler, Netskope) to enforce security policy. Features such as cloud firewalling, secure web gateways, and CASBs can be deployed, all powered by TLS decryption in the cloud. They can also take a platform approach and use single-vendor SASE from leading vendors such as Cisco Systems, HPE Aruba Networks, and Palo Alto Networks.

Key Capabilities Driving Transformation

  • Resilient Connectivity: Combine wired and wireless circuits (including Starlink or 5G) to support rural or high-priority sites with dual path redundancy.
  • Macro-Segmentation: Use VRFs to isolate traffic across departments, user groups, or IoT devices—ideal for the foundation of Zero Trust models.
  • Cloud Integration: Deploy SD-WAN head-ends in AWS or Azure by integrating native cloud networking components such as Transit Gateways and dynamic routing with BGP.
  • Security Enforcement: Seamless integration with NGFWs and SSE tools allows for threat inspection, traffic shaping, and policy enforcement at scale.

Case Study 1: State Government Transformation

Challenge: A state agency with 800+ sites, 30,000+ employees, and multiple data centers needed to modernize its MPLS-heavy network, maintain agency-level segmentation, and comply with CJIS encryption mandates.

Solution:

  • Deployed Cisco SD-WAN across sites using existing ISR routers, flipping them from autonomous to controller mode.
  • Integrated with Palo Alto NGFWs using virtual systems (vSYS) to enforce departmental security zones.
  • Used multiple transports (MPLS, Metro-E, 5G, Starlink) across remote locations.
  • Achieved granular segmentation using VRFs and firewall zoning across agencies.
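The segmentation pattern above (one VRF per agency, a zone-based firewall as the only path between VRFs, and allow rules derived from a documented application catalog) can be modeled in a few lines. The following Python script is an added illustration, not the agency's configuration or any vendor's code; the VRF names, prefixes, applications and captured flows are all constructed for the example. It shows why intra-VRF traffic never hits the firewall, why an undocumented cross-agency flow falls to the implicit deny, and how an application catalog lets you audit captured flows before cutover to find the ones that would break.

```python
"""Model of VRF macro-segmentation fronted by a zone-based firewall.

Each department sits in its own VRF. Traffic inside a VRF is routed locally;
traffic between VRFs has exactly one path, a firewall whose zones map 1:1 to
VRFs. The firewall policy is default-deny, and every allow rule is derived from
a documented application catalog. All names, prefixes and applications here
are constructed for illustration; none come from a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VRF name -> prefixes routed inside it (constructed sample addressing).
VRFS = {
    "AGENCY-A": [ip_network("10.10.0.0/16")],
    "AGENCY-B": [ip_network("10.20.0.0/16")],
    "SHARED-SVC": [ip_network("10.100.0.0/16")],
}

# Application catalog: (app, source zone, destination zone, protocol, port).
# This is the artifact the case study says must be documented up front.
APP_CATALOG = [
    ("agency-a-to-erp", "AGENCY-A", "SHARED-SVC", "tcp", 443),
    ("agency-b-to-erp", "AGENCY-B", "SHARED-SVC", "tcp", 443),
    ("dns-a", "AGENCY-A", "SHARED-SVC", "udp", 53),
    ("dns-b", "AGENCY-B", "SHARED-SVC", "udp", 53),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def vrf_for(ip: str):
    """Return the VRF whose prefixes contain ip, or None if it is unrouted."""
    addr = ip_address(ip)
    for name, prefixes in VRFS.items():
        if any(addr in p for p in prefixes):
            return name
    return None


def build_policy(catalog):
    """Turn the catalog into a lookup: (src_zone, dst_zone, proto, port) -> app.
    Anything absent from the lookup falls to the implicit deny rule."""
    return {(src, dst, proto, port): app for app, src, dst, proto, port in catalog}


def evaluate(flow: Flow, policy) -> tuple:
    """Decide a flow's fate. Returns (verdict, matched_app)."""
    src_vrf, dst_vrf = vrf_for(flow.src_ip), vrf_for(flow.dst_ip)
    if src_vrf is None or dst_vrf is None:
        return ("deny", None)            # no route in any VRF
    if src_vrf == dst_vrf:
        return ("intra-vrf", None)       # stays in the VRF, never reaches the firewall
    app = policy.get((src_vrf, dst_vrf, flow.proto, flow.dport))
    if app is None:
        return ("deny", None)            # inter-VRF and undocumented: default deny
    return ("allow", app)


def audit(observed, policy):
    """Pre-cutover check: which observed flows would the new policy break?
    Each hit is either a missing catalog entry or a flow that should die."""
    return [f for f in observed if evaluate(f, policy)[0] == "deny"]


POLICY = build_policy(APP_CATALOG)

# Constructed sample of flows captured from the legacy flat network.
OBSERVED = [
    Flow("10.10.1.5", "10.100.5.20", "tcp", 443),   # documented ERP access
    Flow("10.10.1.5", "10.10.2.9", "tcp", 445),     # file share inside one agency
    Flow("10.10.1.5", "10.20.1.5", "tcp", 445),     # cross-agency SMB, undocumented
    Flow("10.20.3.3", "10.100.5.20", "tcp", 8443),  # admin port nobody catalogued
]

if __name__ == "__main__":
    for f in OBSERVED:
        print(f, "->", evaluate(f, POLICY))
    print("would be dropped after cutover:", audit(OBSERVED, POLICY))
```

The audit list is the useful output: each entry is a conversation to have with an application owner before the firewall goes inline, which is exactly the work the lessons-learned section says avoided service disruptions.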

Lessons Learned:

  • Transitioning from a 15-year-old MPLS architecture required significant change management.
  • Centralized policies improved consistency, but collaboration with the agency’s security organization led to heavily firewalled designs.
  • Comprehensive documentation of applications helped accelerate policy creation and avoid service disruptions.

Case Study 2: Oil & Gas Company with Cloud-Native Edge

Challenge: An onshore drilling firm with no on-prem data centers wanted resilient, cloud-first WAN connectivity, optimized for remote sites in areas with limited infrastructure.

Solution:

  • Deployed Aruba EdgeConnect (formerly Silver Peak) with head-ends in AWS using Transit Gateways.
  • Integrated segmentation with Palo Alto VM-Series firewalls and leveraged application-aware routing.
  • Supported Starlink and 4G LTE circuits in rural areas.
  • Enabled local internet breakout at remote sites to avoid hair-pinning through a central DC.
  • Unique Feature: Used built-in WAN optimization (Boost) to improve performance over low-bandwidth satellite links, similar to legacy Riverbed acceleration techniques.

Lessons Learned:

  • AWS networking required custom tunneling and GRE overlays for complex peering scenarios.
  • Asymmetric routing introduced challenges for firewall state tracking—resolved through precise path pinning and firewall placement.
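The asymmetric-routing lesson above (and the "asymmetric path considerations" item in the best practices later in this post) comes down to one mechanism: a stateful firewall only forwards return traffic for sessions it admitted itself. The script below is an added illustration, not the company's design or any vendor's code; the two firewalls, addresses and handshake are constructed. It simulates a SYN leaving through one cloud-edge firewall and the SYN-ACK coming back through the other, then the same handshake with both directions pinned to one box.

```python
"""Why asymmetric routing breaks stateful inspection, and how path pinning fixes it.

Two cloud-edge firewalls (FW-1, FW-2) sit between a remote site and a cloud VPC.
Each keeps its own connection table with no state sync. If the outbound SYN goes
through FW-1 but the return SYN-ACK is routed through FW-2, FW-2 sees a packet
for a session it never admitted and drops it. Forcing the return path through
the same firewall restores the flow. All addresses and paths are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "SYN", "SYN-ACK", "ACK" ...


@dataclass
class StatefulFirewall:
    name: str
    # (dst_ip, dport) pairs that inside hosts may initiate sessions to.
    allow_outbound: set
    # Sessions this box has admitted, keyed (src, dst, sport, dport).
    table: set = field(default_factory=set)

    def process(self, pkt: Packet, direction: str) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if direction == "outbound":
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
            if key in self.table:
                return True
            if pkt.flags == "SYN" and (pkt.dst, pkt.dport) in self.allow_outbound:
                self.table.add(key)      # admit the session and remember it
                return True
            return False
        # Inbound: only packets belonging to a session this box admitted pass.
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)   # reverse the tuple
        return key in self.table


def run_session(fw_out: StatefulFirewall, fw_back: StatefulFirewall) -> list:
    """Simulate a TCP handshake where the SYN traverses fw_out and the SYN-ACK
    returns via fw_back. Returns the forward/drop verdict for each packet."""
    syn = Packet("10.50.1.10", "10.200.0.25", 40001, 443, "SYN")
    synack = Packet("10.200.0.25", "10.50.1.10", 443, 40001, "SYN-ACK")
    return [fw_out.process(syn, "outbound"), fw_back.process(synack, "inbound")]


def make_pair():
    """Two independent firewalls with identical rules and empty state tables."""
    rules = {("10.200.0.25", 443)}
    return StatefulFirewall("FW-1", set(rules)), StatefulFirewall("FW-2", set(rules))


def asymmetric_path() -> list:
    fw1, fw2 = make_pair()
    return run_session(fw1, fw2)   # SYN via FW-1, SYN-ACK via FW-2


def pinned_path() -> list:
    fw1, _ = make_pair()
    return run_session(fw1, fw1)   # both directions forced through FW-1


if __name__ == "__main__":
    print("asymmetric:", asymmetric_path())  # [True, False]: SYN-ACK dropped
    print("pinned:    ", pinned_path())      # [True, True]
```

The symptom in production is the same as in the simulation: the handshake never completes and the drop is logged (if at all) on the firewall that never saw the SYN. The fixes the case study names map directly onto the model: path pinning makes `fw_back` the same box as `fw_out`, and firewall placement means putting the inspection point where both directions of a flow must cross it.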

Case Study 3: City Government Pursuing Zero Trust

Challenge: A city serving over 200,000 residents needed to improve network segmentation, support encrypted communications, and prepare for cloud migration.

Solution:

  • Deployed Cisco SD-WAN across 50+ sites.
  • Used hybrid centralized firewalling with Palo Alto NGFWs to enforce internal segmentation policies.
  • Enabled micro-segmentation of users, IoT devices, and third-party vendors using VRFs.
  • Leveraged 5G and DIA for resilient connectivity alongside municipal dark fiber.

Lessons Learned:

  • Careful performance testing was needed when introducing security inspection into legacy application flows.
  • Encryption added security but required thoughtful sensor placement to preserve visibility.
  • Centralizing firewall enforcement simplified management but added latency to certain flows—offset by high-speed fiber investments.

What We’ve Learned: Best Practices for SD-WAN Deployments

  1. Start with a Design Workshop: Involve all stakeholders—network, security, cloud teams—to align on requirements and architecture.
  2. Document Applications and Flows: A well-defined application catalog accelerates policy creation and testing.
  3. Plan for Routing Complexity: Especially in cloud or multi-transport environments, expect BGP peering and asymmetric path considerations.
  4. Segment Early and Often: VRFs and virtual firewalls are your friends for Zero Trust enablement.
  5. Avoid One-Size-Fits-All: Tailor SD-WAN and SSE pairings to your use case—some sites may need full-stack SSE, others just routing resiliency.

Closing Thoughts

SD-WAN is not just a networking refresh—it’s a catalyst for secure transformation. When paired with security enforcement, cloud connectivity, and intelligent segmentation, it becomes the foundation of a modern, resilient infrastructure. Whether your organization is rural or urban, cloud-first or hybrid, SD-WAN can unlock both agility and control while reducing complexity across the board.

Matt Martinez

VP, Engineering | CCIE R&S #42200

Matt Martinez is an IT and cybersecurity professional with 15 years of experience designing, deploying, troubleshooting, and optimizing critical systems. His background is heavy in consulting, with an emphasis on large-scale, multi-discipline projects such as infrastructure transformation, data center consolidation/migration, and security architecture. He has holistic expertise in network, security, and data center infrastructure technologies. Software-defined networking technologies such as SD-WAN and Cisco's Application Centric Infrastructure are among his specialties, as are security technologies such as Next-Generation Firewalls (NGFW) and Security Services Edge (SSE) from multiple OEMs.

At ANM he is the VP of Engineering, where he and his team focus on multi-discipline client architectures as well as strategic initiatives such as developing ANM's Zero Trust Architecture services. He also leads ANM's Network Practice, where he and the team continually define and refine ANM's portfolio in this solution space, constantly vetting and putting technologies to the test, especially newer products.