How to Set Up SD-WAN for Multi-Site Connectivity

If your business operates across multiple locations — branch offices, warehouses, retail sites, or remote hubs — you already know the pain of keeping them all reliably connected. Traditional networking approaches like MPLS have served UK businesses well for decades, but they were designed for an era when applications lived in your own data centre and cloud was still a buzzword. Today, with the majority of business-critical applications running in the cloud, that model is creaking under the strain.

SD-WAN (Software-Defined Wide Area Network) has emerged as the modern answer to multi-site connectivity. It replaces rigid, expensive legacy architectures with intelligent, application-aware networking that adapts in real time to deliver the best possible performance across every link. But setting it up correctly requires careful planning — get it wrong, and you could end up with a more complex mess than the one you started with.

This guide walks you through everything a UK business needs to know about deploying SD-WAN for multi-site connectivity: the architecture, the vendors, the deployment models, and the practical steps to migrate without disrupting your operations.

  • 72% of UK multi-site businesses plan to adopt SD-WAN by end of 2027
  • £2.4B projected UK SD-WAN market value by 2028, up from £890M in 2024
  • 40–60% typical WAN cost reduction reported by UK businesses after SD-WAN deployment
  • 99.99% uptime achievable with SD-WAN active-active link failover across diverse circuits

What Is SD-WAN and Why Does It Matter for Multi-Site Businesses?

At its core, SD-WAN decouples the network control plane from the underlying transport infrastructure. In plain English, that means your network policies — which applications get priority, how traffic is routed between sites, what happens when a link degrades — are managed centrally through software rather than being hard-coded into individual routers at each location.

For a multi-site UK business, this is transformative. Instead of managing dozens of individual router configurations, dealing with ISP-specific quirks at each branch, and paying premium prices for dedicated MPLS circuits, you get a single pane of glass that orchestrates your entire wide area network intelligently.

The benefits compound as you add more sites. A three-site business might manage with traditional networking. A fifteen-site business with a mix of broadband, leased lines, and 4G/5G backup across different ISPs? That is where SD-WAN becomes not just beneficial but essential.

Understanding SD-WAN Architecture: Overlay vs Underlay

Before diving into deployment, you need to understand the two fundamental layers of any SD-WAN architecture. Getting this conceptual model clear in your head will make every subsequent decision easier.

The Underlay Network

The underlay is your physical connectivity — the actual internet circuits, MPLS links, leased lines, broadband connections, 4G/5G links, or any combination thereof at each site. SD-WAN does not replace these; it rides on top of them. The quality, diversity, and bandwidth of your underlay circuits directly affect what SD-WAN can achieve.

For UK businesses, a typical underlay strategy might include:

  • Primary circuit — a dedicated leased line or Ethernet circuit (100Mbps–1Gbps) from a provider like BT, Virgin Media Business, or Colt
  • Secondary circuit — a business-grade broadband connection (FTTP or SoGEA) from a different ISP for resilience
  • Tertiary/backup — a 4G/5G cellular connection for last-resort failover

The critical principle is transport diversity. Using two circuits from the same ISP that share the same physical path into the building gives you almost no resilience. Ideally, your primary and secondary circuits should enter the building via different routes and terminate on different provider networks.

The Overlay Network

The overlay is the intelligent layer that SD-WAN creates on top of your underlay circuits. It establishes encrypted tunnels (typically IPsec) between your sites, monitors link quality in real time (latency, jitter, packet loss), and dynamically steers traffic based on application requirements and current network conditions.

Think of it this way: the underlay is the road network, and the overlay is the sat-nav system that continuously monitors traffic conditions and reroutes you around congestion or roadworks. The roads themselves do not change, but the intelligence of how you use them transforms the experience.

Pro Tip

When planning your underlay, always request diverse circuit routing from your ISP. Ask specifically whether the primary and secondary circuits follow the same duct or fibre path from the exchange to your premises. Many UK ISPs will provide diverse routing on request, but it is rarely the default. The small additional cost is insignificant compared to the risk of a single duct cut taking out both your connections simultaneously.

SD-WAN Vendor Comparison: Finding the Right Platform

The SD-WAN market has matured significantly, but choosing the right vendor remains one of the most consequential decisions in your deployment. Each platform has distinct strengths, and the best choice depends on your existing infrastructure, security requirements, and operational model.

| Vendor | Best For | Security Integration | Cloud On-Ramp | UK Support | Typical Per-Site Cost |
|---|---|---|---|---|---|
| Fortinet Secure SD-WAN | Security-first organisations with existing FortiGate infrastructure | Native NGFW, IPS, sandboxing built in | Good — Azure, AWS, GCP integrations | Strong UK channel presence | £150–£400/month |
| Cisco Meraki SD-WAN | Businesses wanting simplicity and cloud-managed networking | Integrated Umbrella DNS security, basic firewall | Excellent — deep Cisco cloud integrations | Extensive UK partner network | £200–£500/month |
| VMware VeloCloud | Enterprises needing carrier-grade scalability and gateway diversity | Service chaining to third-party security | Excellent — 100+ gateway locations globally | Good via UK MSP partners | £180–£450/month |
| Cato Networks | Businesses wanting a converged SASE platform (SD-WAN + security) | Full cloud-native security stack (FWaaS, SWG, CASB, ZTNA) | Built-in — global backbone with UK PoPs | Growing UK presence, London PoP | £250–£600/month |

Fortinet Secure SD-WAN

Fortinet’s approach is unique in that SD-WAN functionality is built directly into their FortiGate next-generation firewalls. If your business already uses FortiGate appliances for security, adding SD-WAN capability is essentially a licence upgrade rather than a forklift replacement. The security integration is genuinely best-in-class — traffic inspection, intrusion prevention, and sandboxing all happen on the same appliance without the need for service chaining.

For UK SMEs with 5–30 sites, Fortinet often represents the best value proposition, particularly if security is a primary concern. The FortiManager central management platform handles both security policy and SD-WAN orchestration from a single console.

Cisco Meraki SD-WAN

Meraki’s strength is simplicity. The entire platform is cloud-managed through an intuitive dashboard that requires significantly less networking expertise to operate than traditional Cisco IOS. For businesses without deep in-house networking skills, or those using a managed service provider, Meraki’s ease of deployment and management is a genuine differentiator.

The trade-off is flexibility. Meraki is opinionated about how things should be configured, and advanced customisation options are more limited than with Fortinet or VeloCloud. For most UK SMEs, this is actually a benefit — fewer options means fewer opportunities to misconfigure.

VMware VeloCloud (now Broadcom)

VeloCloud excels in large-scale deployments where carrier-grade reliability and a vast network of cloud gateways matter. Its global gateway infrastructure means traffic between your UK sites and cloud services in different regions can be optimised through VMware’s own backbone rather than traversing the public internet end to end.

The platform is commonly offered as a managed service by UK carriers including BT, Vodafone Business, and Virgin Media Business, making it accessible to businesses that prefer a turnkey solution with carrier-grade SLAs.

Cato Networks

Cato takes a fundamentally different approach by converging SD-WAN and security into a single cloud-native platform — what the industry calls SASE (Secure Access Service Edge). Rather than deploying security appliances at each site, all traffic is routed through Cato’s global backbone where security inspection happens in the cloud.

For UK businesses with significant remote and mobile workforces alongside their branch offices, Cato’s approach is compelling because it treats every user — whether in a branch, at home, or on the move — as a first-class citizen on the network.

Common Pitfall

Do not select an SD-WAN vendor based solely on features and pricing. The most critical factor for UK businesses is the quality of local support and the partner ecosystem. A technically superior platform with poor UK channel support will cause you more pain than a slightly less feature-rich option backed by experienced local engineers. Always verify that your chosen vendor has certified UK partners who can provide design, deployment, and ongoing support.

Comparing Deployment Models: DIY vs Co-Managed vs Fully Managed

How you deploy and operate your SD-WAN is just as important as which vendor you choose. The three primary deployment models each suit different organisational capabilities and risk appetites.

[Comparison cards, per-item marks not shown: Fully Managed SD-WAN (recommended for most UK SMEs) and DIY SD-WAN (for organisations with skilled network teams), each rated against the same checklist: vendor selection & design handled for you; hardware procurement & staging; remote & onsite deployment; 24/7 monitoring & alerting; application policy management; firmware updates & patching; ISP liaison & circuit management; predictable monthly cost; no in-house expertise required; full control over configuration.]

DIY (Do It Yourself) — Your internal IT team handles everything: vendor selection, design, procurement, deployment, and ongoing management. This gives you maximum control but requires significant SD-WAN expertise that most UK SMEs simply do not have in-house. One misconfigured routing policy can take down connectivity across all your sites simultaneously.

Co-Managed — Your internal team retains day-to-day visibility and handles routine changes, while a specialist partner manages the architecture, complex changes, and provides escalation support. This is ideal for mid-sized businesses with competent networking staff who want expert backup without fully outsourcing.

Fully Managed — A specialist managed service provider handles the entire SD-WAN lifecycle from design through to ongoing operations. You get the benefits of SD-WAN without needing to hire or train specialist staff. For most UK SMEs with 5–50 sites, this is the recommended approach.

Application-Aware Routing: The Core of SD-WAN Intelligence

Application-aware routing is what separates SD-WAN from simply having two internet connections with basic failover. It is the feature that delivers the most tangible day-to-day benefit, and configuring it correctly is critical to a successful deployment.

Traditional routers make forwarding decisions based on destination IP addresses. They have no understanding of what application the traffic belongs to or what that application’s performance requirements are. SD-WAN changes this fundamentally by identifying applications through deep packet inspection (DPI) and applying policies based on what the traffic actually is.

Here is how a well-configured application-aware routing policy might work for a typical UK multi-site business:

| Application Category | Examples | Preferred Path | Failover Path | SLA Thresholds |
|---|---|---|---|---|
| Voice & Video (Real-time) | Microsoft Teams, Zoom, VoIP | Leased line (lowest latency) | Broadband (if latency <50ms) | Latency <30ms, Jitter <10ms, Loss <0.5% |
| Business Critical | ERP, CRM, line-of-business apps | Leased line | Broadband | Latency <100ms, Loss <1% |
| Cloud Productivity | Microsoft 365, Google Workspace | Direct internet breakout | Via hub site | Latency <150ms, Loss <2% |
| General Business | Web browsing, email | Broadband | Leased line | Best effort |
| Bulk/Background | Backups, software updates, file sync | Broadband (rate limited) | Overnight scheduling | Best effort, bandwidth capped |

The magic happens when link quality degrades. If your leased line suddenly experiences elevated latency due to a provider issue, SD-WAN detects this within seconds and automatically shifts your Teams calls and VoIP traffic to the broadband circuit — but only if that circuit currently meets the defined SLA thresholds. If neither circuit meets the voice SLA, the system can alert your IT team while still routing traffic over the best available path.
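
The steering decision described above, as an added Python example (not code from any SD-WAN vendor or from this guide's author). The path labels, the probe values and the ranking of a "least-bad" path by worst measured-to-limit ratio are assumptions; the SLA limits come from the table, and both paths are checked against them.

```python
from dataclasses import dataclass
from typing import Dict, NamedTuple, Optional


@dataclass(frozen=True)
class Sla:
    """Upper limits from the SLA Thresholds column; None means no limit (best effort)."""
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None


@dataclass(frozen=True)
class LinkStats:
    """Latest probe results for one underlay circuit."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


class Policy(NamedTuple):
    preferred: str
    failover: str
    sla: Sla


class Decision(NamedTuple):
    path: str
    alert: bool  # True when no candidate path met the SLA


# Three rows of the policy table above; path names are illustrative labels.
POLICIES: Dict[str, Policy] = {
    "voice_video": Policy("leased_line", "broadband", Sla(30, 10, 0.5)),
    "business_critical": Policy("leased_line", "broadband",
                                Sla(latency_ms=100, loss_pct=1.0)),
    "general_business": Policy("broadband", "leased_line", Sla()),
}


def worst_ratio(stats: LinkStats, sla: Sla) -> float:
    """Largest measured/limit ratio; 1.0 or more means a threshold is breached."""
    pairs = ((stats.latency_ms, sla.latency_ms),
             (stats.jitter_ms, sla.jitter_ms),
             (stats.loss_pct, sla.loss_pct))
    return max((m / limit for m, limit in pairs if limit is not None), default=0.0)


def select_path(app_class: str, links: Dict[str, LinkStats]) -> Decision:
    """Pick a path for app_class; a circuit that is down is absent from links."""
    policy = POLICIES[app_class]
    candidates = [p for p in (policy.preferred, policy.failover) if p in links]
    if not candidates:
        raise RuntimeError(f"no usable circuit for {app_class}")
    for path in candidates:  # preferred first, then failover
        if worst_ratio(links[path], policy.sla) < 1.0:
            return Decision(path, alert=False)
    # Neither path meets the SLA: keep forwarding on the least-bad one and alert.
    best = min(candidates, key=lambda p: worst_ratio(links[p], policy.sla))
    return Decision(best, alert=True)


# Constructed probe samples for one branch (not measurements from a real site).
HEALTHY = {"leased_line": LinkStats(12, 2, 0.0), "broadband": LinkStats(22, 6, 0.1)}
DEGRADED = {"leased_line": LinkStats(85, 25, 0.2), "broadband": LinkStats(22, 6, 0.1)}
BOTH_BAD = {"leased_line": LinkStats(85, 25, 0.2), "broadband": LinkStats(45, 14, 0.8)}

if __name__ == "__main__":
    for name, links in (("healthy", HEALTHY), ("degraded", DEGRADED),
                        ("both_bad", BOTH_BAD)):
        for app in POLICIES:
            print(name, app, select_path(app, links))
```

With the degraded sample, voice moves to broadband while business-critical traffic stays on the leased line, because 85ms still sits inside its 100ms limit.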

Cloud On-Ramp: Optimising Access to Cloud Services

For most UK businesses, the primary driver for SD-WAN adoption is not site-to-site connectivity — it is optimising access to cloud applications. When 80% of your traffic is destined for Microsoft 365, Azure, AWS, Salesforce, or other SaaS platforms, backhauling that traffic through a central hub site to reach the internet makes no sense. It adds latency, wastes expensive MPLS bandwidth, and creates a single point of failure.

SD-WAN’s cloud on-ramp capability solves this by enabling direct internet breakout at each branch site for trusted cloud applications. Traffic destined for Microsoft 365 exits directly from the branch’s local internet connection, taking the shortest path to Microsoft’s nearest UK data centre. Meanwhile, traffic destined for your internal applications still travels securely through the SD-WAN overlay to your data centre or hub site.

The leading SD-WAN vendors have built specific optimisations for major cloud platforms:

  • Microsoft 365 optimisation — automatic identification and prioritisation of Microsoft 365 traffic categories (Optimise, Allow, Default) as defined by Microsoft’s published endpoint lists
  • Azure Virtual WAN integration — direct peering with Azure’s backbone network for traffic destined for Azure-hosted workloads
  • AWS Transit Gateway — automated tunnel establishment to AWS regions for hybrid cloud connectivity
  • SaaS application steering — intelligent routing of SaaS traffic to the nearest cloud PoP based on real-time performance measurements

Security Integration: Protecting the Distributed Network

One of the most important — and frequently overlooked — aspects of SD-WAN deployment is security. When you enable direct internet breakout at each branch, you are effectively creating dozens of potential attack surfaces where previously you had one centralised internet gateway with robust security controls.

There are three primary approaches to securing an SD-WAN deployment:

1. Integrated Security (On-Premises)

Vendors like Fortinet build comprehensive security directly into the SD-WAN appliance. Every packet traversing the device is inspected by a next-generation firewall, intrusion prevention system, antivirus, and web filter — all on the same hardware. This approach minimises complexity and ensures security policy is applied consistently across every site.

2. Cloud-Delivered Security (SASE)

Platforms like Cato Networks and Zscaler route branch internet traffic through cloud-based security inspection points. This model scales effortlessly — adding a new site does not require deploying additional security hardware — and ensures security policies are applied uniformly regardless of where users connect from.

3. Service Chaining

Some SD-WAN platforms allow you to chain traffic through existing security appliances or cloud security services. This is useful if you have invested heavily in a specific security platform and want to preserve that investment while adding SD-WAN overlay capabilities.

Pro Tip

Whichever security model you choose, ensure that encrypted traffic inspection (SSL/TLS decryption) is part of your plan. Over 95% of internet traffic is now encrypted, and without the ability to inspect it, your security controls are effectively blind. Both Fortinet and Cato Networks handle SSL inspection natively, but it requires careful certificate management and should be planned as part of the initial deployment — not bolted on afterwards.

SD-WAN Monthly Cost Per Site by Service Tier

Understanding the cost structure is essential for building a business case. Here is what UK businesses can typically expect to pay per site per month, including hardware, licensing, and management (excluding underlay circuit costs).

  • Basic SD-WAN (overlay only, no security): £100–£200/site
  • SD-WAN + Basic Firewall: £200–£350/site
  • SD-WAN + Full NGFW Security: £300–£500/site
  • Managed SD-WAN + Security + Monitoring: £450–£700/site
  • Full SASE (SD-WAN + Cloud Security + ZTNA): £600–£900/site

These figures exclude underlay circuit costs, which vary significantly by location. A leased line in central London might cost £200–£400/month for 100Mbps, while the same circuit in a rural area could be £400–£800/month due to limited infrastructure. Business broadband (FTTP) as a secondary circuit typically adds £30–£80/month per site.

UK SD-WAN Providers: Who to Consider

The UK SD-WAN market is served by a mix of carriers offering their own managed SD-WAN services and specialist managed service providers (MSPs) who work with multiple vendors. Each model has its advantages.

UK Carrier SD-WAN Services

BT SD-WAN — Built primarily on VMware VeloCloud, BT’s offering is well-suited to large enterprises with existing BT connectivity. The advantage is single-vendor accountability for both underlay circuits and overlay SD-WAN. The disadvantage is that you are locked into BT’s ecosystem and pricing.

Virgin Media Business — Offers managed SD-WAN services leveraging their extensive UK fibre network. Particularly strong for businesses with sites concentrated in urban areas where Virgin Media’s network has good coverage.

Vodafone Business SD-WAN — Cisco-based managed SD-WAN with strong international reach. A good choice for UK businesses with European or global branch offices that need consistent management across borders.

Specialist MSP SD-WAN Services

For most UK SMEs, working with a specialist managed service provider like Cloudswitched offers significant advantages over going directly to a carrier. MSPs are vendor-agnostic, meaning they can select the best SD-WAN platform for your specific requirements rather than being constrained to a single vendor’s offering. They also provide more personalised support, faster response times, and the flexibility to mix and match underlay circuits from different ISPs for optimal resilience and value.

SD-WAN Deployment Quality Scorecard

A well-executed SD-WAN deployment should score highly across all of these dimensions. Use this as a benchmark when evaluating your own deployment or your provider’s proposed design.

  • Transport Diversity (multiple ISPs per site): 95/100
  • Application-Aware Policy Configuration: 92/100
  • Security Integration (NGFW, IPS, SSL Inspection): 90/100
  • Cloud On-Ramp & Direct Internet Breakout: 88/100
  • Zero-Touch Provisioning Capability: 85/100
  • Centralised Monitoring & Visibility: 93/100
  • Failover Speed (<1 second sub-second switching): 91/100
  • Scalability (adding new sites within hours): 89/100

Migrating from MPLS to SD-WAN: A Practical Roadmap

For many UK businesses, the SD-WAN journey begins with a migration away from MPLS. This is not a rip-and-replace exercise — it is a carefully phased transition that should run MPLS and SD-WAN in parallel during the migration period.

Phase 1: Assessment & Design (Weeks 1–4)

Audit your current WAN: document every site, circuit, bandwidth utilisation, application flows, and existing routing policies. Map your application landscape — which applications are cloud-hosted, which are on-premises, and which need site-to-site connectivity. This phase also includes SD-WAN vendor selection and high-level architecture design.

Phase 2: Underlay Preparation (Weeks 4–12)

Order additional internet circuits where needed. In the UK, leased line lead times range from 30 to 90 working days depending on location and whether new fibre build is required. Business broadband and 4G/5G circuits can typically be provisioned much faster. This is usually the longest phase and should start as early as possible.

Phase 3: Pilot Deployment (Weeks 8–14)

Deploy SD-WAN at 2–3 representative sites while maintaining MPLS connectivity. Run both networks in parallel, gradually shifting application traffic onto the SD-WAN overlay. Monitor performance closely and refine application policies based on real-world data. Choose pilot sites that represent your typical mix — one hub site, one well-connected branch, and one site with challenging connectivity.

Phase 4: Staged Rollout (Weeks 12–24)

With pilot learnings incorporated, deploy to remaining sites in batches. Most SD-WAN platforms support zero-touch provisioning, meaning pre-configured appliances can be shipped directly to branch sites and brought online by non-technical staff simply by connecting power and network cables.

Phase 5: MPLS Decommissioning (Weeks 20–36)

Once all sites are stable on SD-WAN, begin decommissioning MPLS circuits. Check contract termination terms carefully — many UK MPLS contracts have 12–36 month minimum terms and significant early termination charges. Time your SD-WAN migration to align with MPLS contract renewal dates wherever possible.

| Phase | Duration | Key Activities | Risk Level |
|---|---|---|---|
| Assessment & Design | 4 weeks | WAN audit, application mapping, vendor selection, architecture design | Low |
| Underlay Preparation | 8–12 weeks | Circuit ordering, ISP coordination, diverse routing confirmation | Low–Medium |
| Pilot Deployment | 4–6 weeks | 2–3 site deployment, parallel running, policy tuning | Medium |
| Staged Rollout | 8–12 weeks | Remaining sites in batches of 3–5, zero-touch provisioning | Medium |
| MPLS Decommission | 4–12 weeks | Circuit termination, contract management, cost reconciliation | Low |

Common SD-WAN Deployment Mistakes to Avoid

Having supported numerous UK businesses through SD-WAN deployments, the team at Cloudswitched has identified the most common pitfalls that derail projects or limit the benefits achieved.

  • Underinvesting in the underlay — SD-WAN is only as good as the circuits beneath it. Deploying sophisticated overlay technology on top of unreliable or insufficient broadband connections will not deliver the performance you expect.
  • Ignoring security from the outset — Retrofitting security after SD-WAN deployment is significantly more complex and expensive than building it into the initial design. Plan your security model from day one.
  • Treating all sites identically — A 5-person satellite office does not need the same SD-WAN configuration as your 200-person headquarters. Right-size your deployment to match each site’s actual requirements.
  • Neglecting DNS and DHCP — When you enable direct internet breakout, each site needs properly configured DNS resolution. Many SD-WAN deployments stumble on this seemingly basic requirement.
  • Not testing failover thoroughly — The entire point of SD-WAN is resilience. Test every failover scenario before going live: primary circuit failure, secondary circuit degradation, complete site power loss and recovery.
  • Forgetting about out-of-band management — If your SD-WAN appliance loses all WAN connectivity, you need an alternative way to reach it for troubleshooting. A 4G management interface provides this capability.
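
One way to check a site inventory against the mistakes listed above before rollout, as an added Python example rather than any vendor's tooling. The inventory field names, finding codes and sample sites are constructed for illustration.

```python
from typing import Dict, List

# The three security approaches this guide describes for SD-WAN sites.
SECURITY_MODELS = {"integrated_ngfw", "sase", "service_chain"}


def audit_site(site: Dict) -> List[str]:
    """Return finding codes for one site record (hypothetical schema)."""
    findings: List[str] = []

    # Transport diversity: primary and secondary should use different
    # provider networks and different physical entry routes into the building.
    wired = [c for c in site.get("circuits", [])
             if c["role"] in ("primary", "secondary")]
    if len(wired) < 2:
        findings.append("single-circuit")
    else:
        if len({c["isp"] for c in wired}) < 2:
            findings.append("same-isp")
        if len({c["entry"] for c in wired}) < 2:
            findings.append("shared-entry")

    # Direct internet breakout makes the branch an internet edge, so it
    # needs a security model, TLS inspection and working DNS resolution.
    if site.get("internet_breakout"):
        if site.get("security_model") not in SECURITY_MODELS:
            findings.append("breakout-no-security")
        elif not site.get("tls_inspection"):
            findings.append("breakout-no-tls-inspection")
        if not site.get("dns_resolvers"):
            findings.append("breakout-no-dns")

    # Out-of-band path to the appliance when every WAN link is down.
    if not site.get("oob_management"):
        findings.append("no-oob-management")
    return findings


def audit_estate(sites: List[Dict]) -> Dict[str, List[str]]:
    """Map site name to findings, listing only sites that have any."""
    report = {s["name"]: audit_site(s) for s in sites}
    return {name: f for name, f in report.items() if f}


# Constructed inventory; ISP names and addresses are placeholders.
SAMPLE_SITES = [
    {"name": "hq", "internet_breakout": True, "security_model": "integrated_ngfw",
     "tls_inspection": True, "dns_resolvers": ["192.0.2.53"], "oob_management": "4g",
     "circuits": [{"role": "primary", "isp": "ISP-A", "entry": "north-duct"},
                  {"role": "secondary", "isp": "ISP-B", "entry": "south-duct"},
                  {"role": "backup", "isp": "ISP-C", "entry": "cellular"}]},
    {"name": "branch-07", "internet_breakout": True, "security_model": None,
     "tls_inspection": False, "dns_resolvers": [], "oob_management": None,
     "circuits": [{"role": "primary", "isp": "ISP-A", "entry": "front-duct"},
                  {"role": "secondary", "isp": "ISP-A", "entry": "front-duct"}]},
    {"name": "warehouse-02", "internet_breakout": True, "security_model": "sase",
     "tls_inspection": False, "dns_resolvers": ["192.0.2.53"], "oob_management": "4g",
     "circuits": [{"role": "primary", "isp": "ISP-A", "entry": "front-duct"},
                  {"role": "secondary", "isp": "ISP-B", "entry": "front-duct"}]},
]

if __name__ == "__main__":
    for name, findings in audit_estate(SAMPLE_SITES).items():
        print(f"{name}: {', '.join(findings)}")
```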

The Business Case: MPLS vs SD-WAN Cost Comparison

For a typical UK business with 10 sites, the financial case for migrating from MPLS to SD-WAN is compelling. Here is a realistic annual cost comparison.

  • MPLS Circuits (10 sites, 100Mbps): £96,000/year
  • MPLS Router Management: £18,000/year
  • Total MPLS Annual Cost: £114,000/year
  • SD-WAN Circuits (dual internet per site): £48,000/year
  • SD-WAN Licensing & Management: £24,000/year
  • Total SD-WAN Annual Cost: £72,000/year

In this example, the SD-WAN solution delivers a £42,000 annual saving (37%) while actually providing better performance for cloud applications, improved resilience through dual diverse circuits, and more granular control over application traffic. The savings are typically even greater for businesses with more sites or those in areas where MPLS circuits command a premium.

Conclusion

SD-WAN is no longer an emerging technology — it is the established standard for multi-site networking in 2026. For UK businesses still running MPLS or relying on basic internet connectivity with VPN overlays between branches, the question is not whether to adopt SD-WAN but how quickly you can get there.

The key to a successful deployment is methodical planning. Choose a vendor that aligns with your security posture and operational model. Invest properly in your underlay circuits with genuine transport diversity. Configure application-aware policies that reflect how your business actually uses its network. And unless you have deep in-house networking expertise, partner with a specialist provider who can design, deploy, and manage the solution on your behalf.

Done right, SD-WAN transforms your wide area network from a rigid, expensive constraint into an agile, intelligent platform that adapts to your business needs in real time. Done poorly, it adds complexity without delivering the promised benefits. The difference almost always comes down to the quality of the design and the expertise behind the deployment.

Ready to Transform Your Multi-Site Connectivity?

Whether you are planning an MPLS-to-SD-WAN migration, connecting new branch offices, or looking to optimise your existing multi-site network, Cloudswitched can help. Our team designs, deploys, and manages SD-WAN solutions tailored to UK businesses — with vendor-agnostic advice and hands-on support from certified network engineers.

CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.