Network Architecture
AD-WAN implements a cloud-managed SD-WAN architecture that enables secure, scalable connectivity between sites, remote users, and cloud resources across different network environments.
- Data plane: Encrypted site-to-site tunnels (WireGuard / IPsec on edge VPP) carry user traffic.
- Control plane: Edge device-proxy maintains WSS over TCP/443 with device mTLS to the controller cluster (NLB + SNI demux).
- Config plane: Orders and route advertisements flow through USDN Chain authority (gRPC mTLS on :443); edges consume via chain-watcher / chain-bridge — not a legacy edge-to-edge MultiChain mesh.
Overview
The AD-WAN network architecture consists of several key components working together to provide seamless connectivity:
- Web Dashboard: Browser-based interface for network management and monitoring
- Platform API: Backend services for configuration, orchestration, and integration
- Controller Cluster: High-availability infrastructure for device management and coordination
- Edge Devices: Customer premise equipment that provides secure site connectivity
- VPN Gateway (AD-HOME): Remote access solution for mobile and remote workers
- Secure Mesh Network: Encrypted tunnels connecting all sites using WireGuard or IPsec protocols
Network Topology
The following diagram illustrates the AD-WAN network architecture:
Key Components
Web Dashboard
The web-based management interface allows administrators to:
- Monitor network status and device health
- Configure network topology and routing policies
- Manage user access and VPN clients
- View analytics and performance metrics
Platform API
The backend management system provides:
- Centralized device registration and inventory
- Configuration management and deployment
- User authentication and authorization
- Integration with third-party systems
Controller Cluster
The high-availability controller infrastructure serves as the coordination point for the network:
- Terminates device mTLS on TCP/443 (WebSocket events, manifests, health)
- Hosts USDN Chain authority (config streams, route advertisements, stream grants)
- Distributes configuration via authority publish + edge subscribe (chain-watcher)
- Monitors device health and connectivity status
- Provides automatic failover (NLB + stateless controller reconfiguration on reconnect)
Edge Devices
Edge devices deployed at customer sites provide:
- Secure connectivity to the central infrastructure
- High-performance packet processing and routing
- Support for multiple tunneling protocols (WireGuard, IPsec)
- Dynamic routing capabilities (BGP, OSPF)
- NAT and firewall functionality for local networks
- Zero-touch provisioning for easy deployment
VPN Gateway (AD-HOME)
The remote access VPN gateway enables:
- Secure remote access for mobile users
- WireGuard-based VPN connectivity
- Integration with the SD-WAN mesh network
- Seamless access to resources across all sites
Local Networks
End-user devices and applications at each site connect through:
- Standard ethernet or Wi-Fi connections
- Automatic IP addressing (DHCP)
- Transparent access to both local and remote resources
Secure Mesh Connectivity
All sites communicate through:
- Encrypted tunnels using WireGuard or IPsec protocols
- Direct site-to-site connections for optimal performance
- Automatic failover and path optimization
- End-to-end encryption for all data in transit
Configuration Management
AD-WAN uses a secure, automated configuration management system:
Zero-Touch Provisioning
- Device Registration: Edge devices automatically register with the controller cluster upon first boot
- Authentication: Each device authenticates using unique credentials
- Configuration Delivery: The platform securely distributes network configurations to devices
- Automatic Application: Devices automatically apply configurations without manual intervention
Secure Updates
- All configurations are encrypted end-to-end
- Changes are validated before deployment
- Rollback capability ensures network stability
- Real-time monitoring confirms successful application
High Availability
- Controller cluster provides redundancy across multiple availability zones
- Automatic failover ensures continuous operation
- Devices maintain connectivity even if individual controllers become unavailable
Traffic Flow
Site-to-Site Communication
When users at Site A need to access resources at Site B:
- Traffic enters the edge device at Site A from the local network
- The edge device encrypts and routes traffic through the secure tunnel to Site B
- The edge device at Site B decrypts and forwards traffic to the destination
- Return traffic follows the same path in reverse
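The site-to-site flow above, as an added example that is not AD-WAN's own code or edge configuration: it renders a wg-quick style WireGuard config for one edge in a three-site full mesh and checks that no two peers claim overlapping AllowedIPs. Site names, prefixes, endpoints and keys are constructed placeholders; the real edges run WireGuard on VPP and receive their configuration from the platform.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed site inventory. Keys and endpoints are placeholders, not real values.
SITES: Dict[str, Dict[str, str]] = {
    "site-a": {"lan": "10.1.0.0/24", "tunnel": "10.255.0.1",
               "endpoint": "site-a.example.test:51820", "pubkey": "<SITE_A_PUBLIC_KEY>"},
    "site-b": {"lan": "10.2.0.0/24", "tunnel": "10.255.0.2",
               "endpoint": "site-b.example.test:51820", "pubkey": "<SITE_B_PUBLIC_KEY>"},
    "site-c": {"lan": "10.3.0.0/24", "tunnel": "10.255.0.3",
               "endpoint": "site-c.example.test:51820", "pubkey": "<SITE_C_PUBLIC_KEY>"},
}


def allowed_ips(peer: Dict[str, str]) -> List[str]:
    """Cryptokey routing entry for one peer: its tunnel address plus the LAN behind it.

    WireGuard routes these prefixes into the tunnel to this peer and drops decrypted
    packets from this peer whose source lies outside them, so keeping the list to the
    peer's own LAN (never 0.0.0.0/0 for a site peer) limits what a compromised edge
    can inject into the mesh.
    """
    return [f"{peer['tunnel']}/32", peer["lan"]]


def find_overlaps(sites: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Prefixes claimed by two sites. An identical prefix is silently moved to the peer
    configured last, and a more specific one wins longest-match routing, so either way
    traffic for that LAN can go to (and be accepted from) an unintended edge."""
    claimed: List[Tuple[str, ipaddress.IPv4Network]] = []
    overlaps: List[Tuple[str, str, str]] = []
    for name, site in sites.items():
        for prefix in allowed_ips(site):
            net = ipaddress.ip_network(prefix)
            for other, other_net in claimed:
                if net.overlaps(other_net):
                    overlaps.append((other, name, str(net)))
            claimed.append((name, net))
    return overlaps


def render_config(me: str, sites: Dict[str, Dict[str, str]],
                  private_key: str = "<PRIVATE_KEY_FROM_EDGE_KEYSTORE>") -> str:
    """wg-quick style config for one edge: one [Peer] per other site (full mesh)."""
    own = sites[me]
    lines = ["[Interface]", f"Address = {own['tunnel']}/24", "ListenPort = 51820",
             f"PrivateKey = {private_key}"]
    for name, peer in sites.items():
        if name == me:
            continue
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {peer['pubkey']}",
                  f"Endpoint = {peer['endpoint']}",
                  f"AllowedIPs = {', '.join(allowed_ips(peer))}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"
```

wg-quick installs a route for each AllowedIPs prefix, so the Site B LAN becomes reachable through the tunnel once the LAN hosts use the edge as their gateway and forwarding is enabled on it.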
Remote VPN Access
When remote users connect via AD-HOME:
- VPN client establishes a secure WireGuard tunnel to the VPN gateway
- Traffic is encrypted and sent through the tunnel
- The VPN gateway routes traffic to the appropriate site via the SD-WAN mesh
- Users gain seamless access to resources across all connected sites
Internet Access
Local users at each site can access the internet through:
- Direct internet breakout at their local site
- Centralized internet gateway at a designated site
- Automatic path selection based on policies and performance
Management Traffic
- Edge device-proxy maintains a persistent WSS session to the controller on TCP/443 (mTLS)
- Configuration and route updates are written to USDN Chain authority; edges apply via chain-watcher / chain-bridge
- Devices report health and lifecycle events on the same control channel
- Dashboard and API traffic use HTTPS to platform-api (separate from device control)
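An added example, not AD-WAN's code, of how an SNI demux in front of the controller cluster can choose a backend pool from the first bytes of a TCP/443 connection: it parses the TLS ClientHello only as far as the server_name extension. Hostnames and pool names are constructed placeholders; the point for a defender is that SNI is cleartext and unauthenticated, so it selects a pool but never replaces the device mTLS that the controller still terminates.

```python
import struct
from typing import Optional


def extract_sni(data: bytes) -> Optional[str]:
    """host_name from a TLS ClientHello's SNI extension; None if absent or malformed."""
    try:
        if len(data) < 5 or data[0] != 0x16:                  # record type 22 = handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(body) < 4 or body[0] != 0x01:                   # handshake type 1 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0:                                   # extension 0 = server_name
                continue
            p = 2                                               # skip ServerNameList length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                if name_type == 0:                              # name type 0 = host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (test input only)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, no session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed demux table (placeholder names, not AD-WAN's). SNI is cleartext and
# unauthenticated: it only picks a pool; the controller's mTLS still proves device identity.
BACKENDS = {"devices.example.test": "controller-mtls-pool", "api.example.test": "platform-api-pool"}


def route(first_bytes: bytes) -> str:
    return BACKENDS.get(extract_sni(first_bytes) or "", "reject")
```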
This architecture provides scalable, secure networking with centralized management and distributed high-performance data processing at each site.