Network Architecture

AD-WAN implements a cloud-managed SD-WAN architecture that enables secure, scalable connectivity between sites, remote users, and cloud resources across different network environments.

Control vs data plane
  • Data plane: Encrypted site-to-site tunnels (WireGuard / IPsec on edge VPP) carry user traffic.
  • Control plane: Edge device-proxy maintains WSS over TCP/443 with device mTLS to the controller cluster (NLB + SNI demux).
  • Config plane: Orders and route advertisements flow through USDN Chain authority (gRPC mTLS on :443); edges consume via chain-watcher / chain-bridge — not a legacy edge-to-edge MultiChain mesh.

Overview

The AD-WAN network architecture consists of several key components working together to provide seamless connectivity:

  • Web Dashboard: Browser-based interface for network management and monitoring
  • Platform API: Backend services for configuration, orchestration, and integration
  • Controller Cluster: High-availability infrastructure for device management and coordination
  • Edge Devices: Customer premise equipment that provides secure site connectivity
  • VPN Gateway (AD-HOME): Remote access solution for mobile and remote workers
  • Secure Mesh Network: Encrypted tunnels connecting all sites using WireGuard or IPsec protocols

Network Topology

The following diagram illustrates the AD-WAN network architecture:

Key Components

Web Dashboard

The web-based management interface allows administrators to:

  • Monitor network status and device health
  • Configure network topology and routing policies
  • Manage user access and VPN clients
  • View analytics and performance metrics

Platform API

The backend management system provides:

  • Centralized device registration and inventory
  • Configuration management and deployment
  • User authentication and authorization
  • Integration with third-party systems

Controller Cluster

The high-availability controller infrastructure serves as the coordination point for the network:

  • Terminates device mTLS on TCP/443 (WebSocket events, manifests, health)
  • Hosts USDN Chain authority (config streams, route advertisements, stream grants)
  • Distributes configuration via authority publish + edge subscribe (chain-watcher)
  • Monitors device health and connectivity status
  • Provides automatic failover (NLB + stateless controller reconfiguration on reconnect)
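As an added illustration of what the controller gains by terminating device mTLS itself (example code, not AD-WAN's own): once the TLS layer has verified the chain, the controller still has to bind the presented certificate to the device inventory so that an unknown or decommissioned device with a technically valid certificate is refused. The URI-SAN serial encoding and the inventory shape are assumptions.

```python
"""Controller-side admission check for a device mTLS session (added example)."""
import ssl
import time

# Assumed, not from the AD-WAN docs: the device certificate carries its serial
# as a URI SAN "urn:device:<serial>" and the platform inventory maps serial to
# lifecycle status. The TLS handshake has already verified the chain against
# the device CA; this step binds the certificate identity to the inventory.

# Constructed sample inventory: serial -> lifecycle status
INVENTORY = {"EDGE-0001": "active", "EDGE-0002": "decommissioned"}

# Constructed peer certificate in the dict layout ssl.SSLSocket.getpeercert() returns
SAMPLE_CERT = {
    "subject": ((("commonName", "EDGE-0001"),),),
    "subjectAltName": (("URI", "urn:device:EDGE-0001"),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def device_serial_from_cert(cert):
    """Return the serial from the first urn:device: URI SAN, or None."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "URI" and value.startswith("urn:device:"):
            return value[len("urn:device:"):]
    return None

def authorize_device(cert, inventory, now=None):
    """Return (allowed, serial_or_reason) for a WSS session on TCP/443."""
    now = time.time() if now is None else now
    if not cert:                      # None: no cert; {}: cert not verified
        return False, "no verified client certificate"
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        return False, "certificate expired"
    serial = device_serial_from_cert(cert)
    if serial is None:
        return False, "no device serial SAN"
    status = inventory.get(serial)
    if status is None:
        return False, f"unknown device {serial}"
    if status != "active":            # e.g. decommissioned but cert still valid
        return False, f"device {serial} is {status}"
    return True, serial
```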

Edge Devices

Edge devices deployed at customer sites provide:

  • Secure connectivity to the central infrastructure
  • High-performance packet processing and routing
  • Support for multiple tunneling protocols (WireGuard, IPsec)
  • Dynamic routing capabilities (BGP, OSPF)
  • NAT and firewall functionality for local networks
  • Zero-touch provisioning for easy deployment

VPN Gateway (AD-HOME)

The remote access VPN gateway enables:

  • Secure remote access for mobile users
  • WireGuard-based VPN connectivity
  • Integration with the SD-WAN mesh network
  • Seamless access to resources across all sites

Local Networks

End-user devices and applications at each site connect through:

  • Standard Ethernet or Wi-Fi connections
  • Automatic IP addressing (DHCP)
  • Transparent access to both local and remote resources

Secure Mesh Connectivity

All sites communicate through:

  • Encrypted tunnels using WireGuard or IPsec protocols
  • Direct site-to-site connections for optimal performance
  • Automatic failover and path optimization
  • End-to-end encryption for all data in transit

Configuration Management

AD-WAN uses a secure, automated configuration management system:

Zero-Touch Provisioning

  1. Device Registration: Edge devices automatically register with the controller cluster upon first boot
  2. Authentication: Each device authenticates using unique credentials
  3. Configuration Delivery: The platform securely distributes network configurations to devices
  4. Automatic Application: Devices automatically apply configurations without manual intervention

Secure Updates

  • All configurations are encrypted end-to-end
  • Changes are validated before deployment
  • Rollback capability ensures network stability
  • Real-time monitoring confirms successful application
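As an added example covering both the provisioning steps and the secure-update guarantees above (example code, not AD-WAN's chain-watcher): an edge-side consumer that checks a configuration record's origin with the device's unique credential, rejects replayed or stale sequence numbers, validates the content before touching the data plane, and rolls back to the last known-good configuration when applying fails. The record format, the HMAC keying and the simulated apply failure are assumptions.

```python
"""Edge-side config consumer: verify, validate, apply, roll back (added example)."""
import hashlib
import hmac
import json

# Constructed per-device key standing in for the unique credential issued at
# provisioning; the record format below is an assumption, not the AD-WAN format.
DEVICE_KEY = b"constructed-device-key-EDGE-0001"

def canonical(config):
    # Stable serialisation so authority and edge MAC the same bytes
    return json.dumps(config, sort_keys=True, separators=(",", ":"))

def sign_record(seq, config, key=DEVICE_KEY):
    """Authority side: bind the sequence number and config under an HMAC."""
    msg = f"{seq}\n{canonical(config)}".encode()
    return {"seq": seq, "config": config,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def validate(config):
    """Semantic checks before anything touches the data plane."""
    for peer in config.get("peers", []):
        if not peer.get("pubkey") or "/" not in str(peer.get("allowed_ips", "")):
            raise ValueError(f"malformed peer {peer}")

class Edge:
    def __init__(self, key=DEVICE_KEY):
        self.key, self.seq, self.running, self.log = key, 0, {}, []

    def apply(self, config):
        """Stand-in for programming tunnels; constructed failure: more than 2 peers."""
        if len(config.get("peers", [])) > 2:
            raise RuntimeError("too many peers for this device")
        self.running = config

    def consume(self, record):
        """Return True if the record was applied; otherwise log why not."""
        expected = sign_record(record["seq"], record["config"], self.key)["mac"]
        if not hmac.compare_digest(expected, record["mac"]):
            return self._reject(record, "bad mac")
        if record["seq"] <= self.seq:          # replayed or stale record
            return self._reject(record, "stale or replayed")
        try:
            validate(record["config"])
        except ValueError as err:
            return self._reject(record, str(err))
        previous = self.running
        try:
            self.apply(record["config"])
        except RuntimeError as err:
            self.apply(previous)               # roll back to last known-good
            return self._reject(record, f"rolled back: {err}")
        self.seq = record["seq"]
        self.log.append(("applied", record["seq"], "ok"))
        return True

    def _reject(self, record, reason):
        self.log.append(("rejected", record["seq"], reason))
        return False
```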

High Availability

  • Controller cluster provides redundancy across multiple availability zones
  • Automatic failover ensures continuous operation
  • Devices maintain connectivity even if individual controllers become unavailable

Traffic Flow

Site-to-Site Communication

When users at Site A need to access resources at Site B:

  1. Traffic enters the edge device at Site A from the local network
  2. The edge device encrypts and routes traffic through the secure tunnel to Site B
  3. The edge device at Site B decrypts and forwards traffic to the destination
  4. Return traffic follows the same path in reverse

Remote VPN Access

When remote users connect via AD-HOME:

  1. VPN client establishes a secure WireGuard tunnel to the VPN gateway
  2. Traffic is encrypted and sent through the tunnel
  3. The VPN gateway routes traffic to the appropriate site via the SD-WAN mesh
  4. Users gain seamless access to resources across all connected sites

Internet Access

Local users at each site can access the internet through:

  • Direct internet breakout at their local site
  • Centralized internet gateway at a designated site
  • Automatic path selection based on policies and performance

Management Traffic

  • Edge device-proxy maintains a persistent WSS session to the controller on TCP/443 (mTLS)
  • Configuration and route updates are written to USDN Chain authority; edges apply via chain-watcher / chain-bridge
  • Devices report health and lifecycle events on the same control channel
  • Dashboard and API traffic use HTTPS to platform-api (separate from device control)

This architecture provides scalable, secure networking with centralized management and distributed high-performance data processing at each site.