
Private WAN vs Hybrid WAN

What is a Traditional Private WAN?

In a traditional WAN environment, each branch office is connected by a single dedicated private network connection that runs point-to-point between the branch and head office sites.

Occasionally this single private line will be backed up by another link (normally a cheaper commodity connection and often from the same ISP as the main link) that acts as a failover connection, but not always – and certainly not without additional cost.

For example, we can see the head office local area network has two WAN connections. In red, we have a direct-to-public-internet service and in blue, the connection to the managed WAN provider's network, which subsequently routes traffic to the three remote branch offices (A, B, C).


It’s important to note that the branch offices do not have a direct internet connection at all. Instead, they each have a single dedicated link back to the head office location, so all internet access at the remote sites passes through the head office public internet link (shown in red).

When we look at the hardware involved to achieve this configuration we might see something like this:


At the head office location, we have two routers, one for public internet access and the other for access to the private WAN. At the branch office location, we have a single router that acts as the default gateway for the LAN clients there and sends all traffic back over the private network to the head office.

Example IP Addressing

To explain this type of configuration further, here is a diagram showing how the IP addressing might be configured for this type of Layer 3 traditional private WAN.


The head office network has a network subnet of and uses the public internet access router ( as the default gateway. The public internet access router has a static route with a supernet of and the private WAN access router ( as the target. In this way, any traffic destined for the remote branch offices reaches the default gateway router and is then forwarded to the private access router, enabling the sites to communicate with head office in a hub and spoke fashion.
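The lookup described above, as an added example that is not part of the original page: the default-gateway router picks the most specific matching route, so any branch subnet that falls outside the supernet follows the default route to the internet link instead of the private WAN. All addresses and hop names are constructed for illustration; the page's own values are not reproduced here.

```python
import ipaddress

# Constructed addressing (assumption); not the values used on the page.
# Routing table of the public internet access router (the LAN's default gateway).
ROUTES = [
    ("0.0.0.0/0", "internet-link"),          # default route out of the red link
    ("10.20.0.0/16", "private-wan-router"),  # static supernet route for the branches
]
# Branch C is deliberately numbered outside the supernet to show the failure mode.
BRANCHES = {"A": "10.20.1.0/24", "B": "10.20.2.0/24", "C": "10.30.3.0/24"}


def next_hop(destination, routes=ROUTES):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dest = ipaddress.ip_network(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def uncovered_branches(branches=BRANCHES, routes=ROUTES):
    """Branch subnets whose traffic would not be handed to the private WAN router."""
    return sorted(name for name, subnet in branches.items()
                  if next_hop(subnet, routes) != "private-wan-router")


if __name__ == "__main__":
    for name, subnet in BRANCHES.items():
        print(name, subnet, "->", next_hop(subnet))
    print("not covered by supernet:", uncovered_branches())
```

Running the same check against the real route table after any branch renumbering shows whether the supernet still covers every site.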

What is a Hybrid WAN?

A Hybrid WAN combines private point-to-point links with public Internet links using encryption to ensure that any traffic sent over the public internet is secure.


The end result is a Wide Area Network made up of multiple connections between each location that can be actively used at the same time to improve connection reliability and aggregate bandwidth.

It requires multi-WAN routers at each location that are capable of sending traffic from a remote branch office securely over multiple WAN links at the same time, and of combining that traffic again when it reaches the destination.

Our Software Defined Network (SDN/ SD-WAN) and bandwidth bonding technology is the mechanism for creating a Hybrid SD network using multiple private and public links.


Hybrid SD WAN Example

If we wanted to use Hybrid SD-WAN technology in our previous example, the high-level design would look like this:


In this example, the head office network now has three routers. An SD-WAN device has been added to act as the default gateway for the network. This has the public internet access router and the private WAN access router connected to its WAN ports.

The remote branch location also has an additional SD-WAN device. This has the original private WAN router connected to its WAN ports along with new additional public internet access routers.

The two SD-WAN devices create a single logical connection made up of multiple secure connections between each other, across both the public and private networks. Both networks can send and receive traffic at the same time. The benefits to this Hybrid WAN approach are considerable:

  • Additional bandwidth can be added quickly using public internet links that tend to be cheaper with much higher bandwidth than dedicated private WAN links.

  • Using our Software Defined Network (SDN/ SD-WAN) technology, multiple network technology types (Fiber, DSL, Cellular, and even Wi-Fi) can be used at each location and combined to provide resilience.

  • The WAN links at each location do not need to be from the same ISP or managed service provider – allowing for provider diversity.

  • The end result is a more resilient, more agile, higher bandwidth, and secure WAN.

Hybrid WAN IP Addressing Example

The diagram below shows an example Hybrid WAN configuration, using the topology from the previous traditional WAN example as a starting point.

Head Office Network

In the head office location, a new SD-WAN router is added that acts as the default gateway for the network. On its WAN1 is the existing public internet access router and on WAN2, it has the existing private WAN access router.

The private WAN access router (shown in blue) is configured with a new LAN IP in a different range than the head office LAN. The original head office LAN IP range ( is maintained on the LAN to reduce the amount of reconfiguration needed on servers and infrastructure at this location.

The Software Defined Network (SDN/ SD-WAN) has an outbound policy added to tell it to route all traffic for the remote private WAN routers (in the remote branch offices) over WAN2. This outbound policy enables traffic to route between the WANs of the remote SD-WAN routers and the one at head office, which in turn enables secure tunnels to be created over the existing private WAN.




In the remote branch offices, a new SD-WAN router is added to act as the gateway device for the local network, and the branch office subnet is changed to be in the 10.12.x.0/24 range.

Note: Any statically assigned network devices, such as printers, VoIP PBXs or CCTV cameras, will need to be reconfigured to connect on the new subnet.

On the WAN1 of the SD-WAN, a public internet connection is added, with the private network access router on WAN2.

Depending on the design used at the remote branch offices, up to 32 WAN connections can be used in total, which can be a mix of fixed-line, cellular, and point-to-point wireless network connections. Typically we would see a branch location combine existing fiber/cable connectivity from the private WAN with additional public internet connectivity over fiber or xDSL and LTE cellular from different providers. Additional internet connectivity can be added on demand to the branch office location and included in the Hybrid WAN.


With this configuration in place, we have the level topology configured as illustrated.



Hybrid WAN technologies can improve branch office connectivity, resilience, and bandwidth while also reducing costs. They also provide new, more agile ways to deploy and manage branch office connectivity requirements using a mix of internet connectivity types from diverse service providers.

Using Software Defined Network (SDN/ SD-WAN) routers, you can choose to bolt Hybrid WAN connectivity onto the side of existing traditional WAN deployments, combine private and public WANs incrementally as required, and ultimately completely replace the traditional enterprise WAN if desired.

Our Software Defined Network (SDN/ SD-WAN) controller in combination with Hybrid WAN provides agile remote site connectivity options with easy central management and monitoring – greatly simplifying both the initial deployment of Hybrid WAN in the enterprise and its subsequent operational management.
