
Zscaler Blog


Protecting your SD-WAN internet breakouts with cloud-based security


The transformation of IT with the rapid migration of apps and services to the cloud has changed the usual ways of connecting, computing, and doing business. Many large enterprises are now turning to the software-defined wide-area network (SD-WAN) to streamline operations and reduce transmission costs, especially for those organizations with hundreds or thousands of branch offices using expensive MPLS connections. Issues related to securing these internet breakouts with traditional solutions, however, can outweigh SD-WAN benefits—which is a good reason to let the cloud solve this challenge.

SD-WAN technology is one of several onramp models to enable internet breakouts. It provides a cloud-based, policy-driven centralized controller that allows the use of multiple connection types (MPLS, 4G/LTE, and broadband).

In addition, SD-WAN improves efficiency by simplifying IT operations, configurations, and management of the network, and that saves money. And it improves the user experience—especially for cloud applications.

SD-WAN supports changes in enterprise traffic

About half of enterprise WAN traffic is destined for internet services, so the SD-WAN’s architecture must make access to cloud apps and services as efficient as possible. The traditional hub-and-spoke architecture defeats this goal by creating latency. It routes all branch traffic to the central IT hub before it can break out to the internet, and then back through the hub again before returning to the branch office. SD-WAN, on the other hand, lets internet traffic go directly to the internet, enabling much faster performance.

All this is familiar ground for network architects. However, enforcing security on an SD-WAN requires a change from the typical approach in the branch.

Security for branches is usually implemented exactly as it occurs on hub-and-spoke WANs. Each branch requires the standard “stack” of security-related services, such as:


Historically, security services like these were run on local appliances or servers, or as virtual instances spun up in hybrid or public cloud infrastructures. But this model can lead to trouble for securing SD-WAN deployments.

Securing your SD-WAN environment

Traditional hub-and-spoke architectures and security technologies are not built for an all-cloud architecture or cloud apps, due to three core issues:

  1. Replicating the network security stack at every branch is prohibitively expensive.
  2. Scaling the use of legacy security adds to the management burden.
  3. Trying to meld legacy security with SD-WAN increases complexity.

At best, such an approach results in compromises, leaving users at branches vulnerable to attacks.

Some organizations have found themselves deploying smaller appliances in branches, or virtual instances of next-generation firewalls. But these approaches result in latency and leave branches vulnerable, and they create the need to continually pay for additional boxes or services to meet rising traffic volumes. Legacy security solutions cannot scale the way cloud can.

Zscaler believes there is a simpler and better approach for securing SD-WAN. Instead of your organization having to manually build and maintain security at each branch, we suggest you move security into the cloud and deploy it as a service.

This is a transformative step for SD-WAN, because using a cloud-based security service like Zscaler will globally secure every branch with the entire security stack: proxy, firewall, advanced threat protection, and robust protection for corporate apps and data.

Other benefits of moving security to the cloud include:

  • Faster user experience (from direct-to-internet architecture)
  • Reduced cost and complexity (by optimizing backhaul costs and eliminating the need to buy and maintain security appliances)
  • Simplified branch IT operations (with no virtual machines or security hardware to deploy and manage)
  • Better security (via the entire security stack delivered as a cloud service; no compromises)

Zscaler integrates with leading SD-WAN solutions

As you consider moving security to the cloud, be sure that your solution integrates with your SD-WAN provider. Zscaler has partnered with SD-WAN leaders to secure local breakouts and help organizations securely transform from a hub-and-spoke to a direct-to-internet architecture.


To get further down the path of cloud transformation, there are two things to remember: SD-WAN makes local internet breakouts easy and Zscaler makes them secure. Let us know how we can help!

To learn more about how you can establish secure local breakouts and route branch traffic direct-to-internet, read our Definitive Guide to Branch Transformation or visit

