Architecture Overview
Understanding AD-WAN's architecture will help you make better decisions when setting up your organization and configuring services.
Network Topology
AD-WAN is a cloud-managed SD-WAN solution that provides intelligent path selection, centralized policy management, and optimized application performance across distributed locations:
AD-WAN Key Components
- Web Dashboard: Intuitive management interface for network configuration, monitoring, and analytics
- Controller Cluster: High-availability control plane for centralized orchestration and policy management
- Edge Devices: Intelligent appliances with high-performance packet processing and zero-touch provisioning
- Secure Tunneling: WireGuard and IPsec protocols create encrypted overlays over any network infrastructure
- VPN Gateway (AD-HOME): Integrated remote access solution for mobile and remote workers
- Dynamic Routing: Support for BGP and OSPF for intelligent path selection and automatic failover
Security Architecture
AD-WAN implements multiple layers of security to protect your data and ensure secure communications:
Security Features
- FIPS 140-3 Validated Cryptography: all data in transit is protected by the wolfCrypt cryptographic module, which holds a FIPS 140-3 validation. The validation applies to the module, not to the product as a whole, so confirm with the vendor which tunnel types and algorithms actually run through the validated module in your deployment
- Zero-Trust Architecture: Every device and user must authenticate before accessing the network
- Tunnel Encryption: WireGuard and IPsec tunnels protect all site-to-site traffic between edge devices. This is edge-to-edge rather than end-to-end encryption: traffic is in the clear on the LAN behind each edge, so hosts that need end-to-end protection still have to use TLS or an equivalent themselves
- Multi-Factor Authentication: Required for all administrative access
- Certificate-Based Device Authentication: Prevents unauthorized device connections
- Encrypted Configuration Delivery: each configuration is encrypted to the receiving device's own RSA key, so only that device can read it. Encryption alone provides confidentiality; check that the device also authenticates the origin of a configuration (a signature, or delivery over the mutually authenticated control channel) before it applies one
Configuration Flow
Network configurations flow from the Web Dashboard, through the Controller Cluster, to the edge devices: each device receives its own configuration, encrypted to its per-device key, over the TLS-protected control channel.
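The per-device encryption described above, as an added example that is not AD-WAN's own code: a fresh AES-256-GCM data key encrypts the configuration, and that data key is wrapped with RSA-OAEP to the target device's public key, with the device ID bound as associated data. The Envelope layout, the OAEP label, the sample configuration and the device names are assumptions made for the example. The scenario shows that the intended device recovers the configuration while another device's key and a tampered envelope both fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose (assumed value, not AD-WAN's).
var oaepLabel = []byte("ad-wan-device-config")

// Envelope is the per-device payload: the configuration encrypted with a
// fresh AES-256-GCM data key, plus that data key wrapped with RSA-OAEP to the
// device's public key. Layout is assumed for this example.
type Envelope struct {
	DeviceID   string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptForDevice encrypts config so that only the holder of devicePub's
// private key can recover it. deviceID is bound as GCM associated data, so an
// envelope cannot be silently re-addressed to another device.
func EncryptForDevice(deviceID string, devicePub *rsa.PublicKey, config []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, config, []byte(deviceID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{DeviceID: deviceID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptConfig is the device side: unwrap the data key with the device's
// private key, then open the configuration. Any other device's key, and any
// modification of the envelope, fails here.
func DecryptConfig(devicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return nil, fmt.Errorf("open config: %w", err)
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Scenario encrypts a constructed configuration for edge-01 and reports what
// edge-01 recovers, plus the errors edge-02's key and a tampered envelope get.
func Scenario() (recovered string, wrongDeviceErr, tamperErr error, err error) {
	edge01, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	edge02, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample configuration; not AD-WAN's real schema.
	cfg := []byte(`{"site":"branch-01","tunnels":[{"peer":"hub-01","proto":"wireguard"}]}`)
	env, err := EncryptForDevice("edge-01", &edge01.PublicKey, cfg)
	if err != nil {
		return
	}
	pt, err := DecryptConfig(edge01, env)
	if err != nil {
		return
	}
	recovered = string(pt)
	_, wrongDeviceErr = DecryptConfig(edge02, env)
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit; GCM authentication must fail
	_, tamperErr = DecryptConfig(edge01, &tampered)
	return
}

func main() {
	recovered, wrongDeviceErr, tamperErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("edge-01 recovered: %s\nedge-02 error: %v\ntampered error: %v\n", recovered, wrongDeviceErr, tamperErr)
}
```

GCM rejects the tampered envelope, but that only proves the envelope was not altered after it was built. Because the device's public key is public, anyone could build a valid-looking envelope for it; origin authenticity needs a controller signature over the envelope or delivery over the mutually authenticated control channel.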
Deployment Architecture
AD-WAN provides a robust, highly available infrastructure:
Infrastructure Features
- Multi-AZ High Availability: Controllers distributed across multiple availability zones
- Automatic Failover: a Network Load Balancer in front of the controllers routes devices to a healthy controller when one fails
- Redundant Data Storage: PostgreSQL Multi-AZ with automatic backup and recovery
- Distributed Session Management: Redis cluster enables seamless controller failover
- Scalable Architecture: Horizontal scaling supports thousands of concurrent device connections
Key Features
High Availability
- Multi-AZ controller deployment across multiple availability zones
- Automatic failover: controllers hold no local session state (it lives in the Redis cluster), so any controller can take over a device's session
- Redundant data storage with PostgreSQL Multi-AZ
- Real-time health monitoring with automatic alerting
Zero-Touch Provisioning
- Automatic device registration on first boot, authenticated with the device's certificate
- Secure configuration delivery with per-device encryption
- Self-configuring tunnels require no manual intervention
- Dynamic routing adapts automatically to network changes
Security
- FIPS 140-3 validated encryption using the wolfCrypt module
- WireGuard and IPsec tunneling protocols
- Certificate-based authentication for all devices
- Multi-factor authentication for administrative access
- Zero-trust architecture with encrypted edge-to-edge tunnels
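Certificate-based device authentication, as an added example that is not AD-WAN's own code: it issues a device certificate from an organization CA and then runs the check a controller would apply to the certificate a device presents over mutual TLS. The CA and device names, the P-256 keys and the 24-hour lifetime are assumptions for the example. A certificate issued by an attacker-run CA for the same device name, and the legitimate certificate checked after it expires, are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and a certificate for it. With isCA set the
// certificate is self-signed and marked as a CA; otherwise it is a device
// certificate signed by parent/parentKey and usable for client authentication.
// Names and lifetime are assumed values for this example.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		if parent == nil || parentKey == nil {
			return nil, nil, errors.New("device certificate needs an issuing CA")
		}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice accepts a presented certificate only if it chains to orgCA and
// is valid for client authentication at time now: the controller-side check
// on the certificate a device presents during the mTLS handshake.
func verifyDevice(presented, orgCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(orgCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario builds an org CA, a legitimate device certificate and a device
// certificate from an attacker-run CA, and reports which ones are accepted.
func Scenario() (legitOK, rogueOK, expiredOK bool, err error) {
	orgCA, orgKey, err := newCert("ad-wan-org-ca", true, nil, nil)
	if err != nil {
		return
	}
	device, _, err := newCert("edge-branch-01", false, orgCA, orgKey)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCert("attacker-ca", true, nil, nil)
	if err != nil {
		return
	}
	rogue, _, err := newCert("edge-branch-01", false, rogueCA, rogueKey) // same name, wrong issuer
	if err != nil {
		return
	}
	now := time.Now()
	legitOK = verifyDevice(device, orgCA, now) == nil
	rogueOK = verifyDevice(rogue, orgCA, now) == nil
	expiredOK = verifyDevice(device, orgCA, now.Add(48*time.Hour)) == nil
	return
}

func main() {
	legit, rogue, expired, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate device accepted: %v\nrogue-CA device accepted: %v\nexpired device accepted: %v\n", legit, rogue, expired)
}
```

The point of the rogue case is that the device name alone proves nothing; only the chain to the organization's CA does. Revocation (a compromised edge whose certificate is still within its validity window) is not covered by this check and needs CRL or OCSP handling on top.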
Performance
- High-performance data plane with Vector Packet Processing (VPP)
- Direct site-to-site connections for optimal latency
- Dynamic path selection based on performance metrics
- Hardware-accelerated encryption for maximum throughput
Integrated Remote Access
- AD-HOME VPN gateway for remote worker connectivity
- WireGuard-based secure access with modern cryptography
- Seamless integration with SD-WAN mesh network
- Mobile client support for iOS and Android
Network Protocols & Technologies
AD-WAN leverages industry-standard protocols and technologies:
Tunneling Protocols
- WireGuard: modern, lightweight VPN protocol with a fixed cipher suite (Curve25519 key exchange, ChaCha20-Poly1305 AEAD, BLAKE2s hashing). Because the suite is fixed and ChaCha20-Poly1305 is not a FIPS-approved algorithm, deployments that require FIPS-approved data-plane encryption should use IPsec tunnels with approved algorithms such as AES-GCM
- IPsec: Industry-standard secure tunneling with broad compatibility
Routing Protocols
- BGP (Border Gateway Protocol): Dynamic routing and path selection
- OSPF (Open Shortest Path First): Interior gateway protocol for efficient routing
Security Protocols
- TLS 1.3: Secure control plane communications
- FIPS 140-3 Cryptography: the cryptographic module is validated under FIPS 140-3, the NIST standard for validating cryptographic modules (a module validation, not a protocol)
- WebSocket Secure (WSS): Real-time device communication
Management APIs
- RESTful APIs: Standard HTTP-based configuration and monitoring
- JWT Authentication: token-based API access; tokens are bearer credentials, so keep them short-lived, store them like passwords and send them only over TLS
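Token-based API access, as an added example that is not AD-WAN's own code: a verifier for HS256 JWTs built on the standard library, plus a minter used only to produce inputs. The claim names, the secret and the subjects are assumptions for the example; AD-WAN's real claim set is not documented on this page. The verifier pins the algorithm instead of trusting the token header, compares the MAC in constant time, and requires an unexpired exp, which is what defeats the classic "alg":"none" forgery and tampered payloads.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of the payload this checker cares about (assumed layout).
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

func mac(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint issues an HS256 token; it exists here only to build inputs for Verify.
func Mint(secret []byte, c Claims) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(mac(secret, signingInput))
}

// ForgeNone builds the "alg":"none" forgery: arbitrary claims with an empty
// signature. A verifier that honours the header's algorithm accepts it.
func ForgeNone(c Claims) string {
	header := b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	return header + "." + b64.EncodeToString(payload) + "."
}

// Verify accepts a token only if it uses the pinned algorithm, carries a valid
// MAC over header.payload, and has an exp claim that is still in the future.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// Pin the algorithm on the verifier side; never let the token choose it.
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("rejected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, mac(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // assumed; never hard-code a real one
	now := time.Now()
	good := Mint(secret, Claims{Sub: "ops@example.com", Role: "admin", Exp: now.Unix() + 300})
	c, err := Verify(secret, good, now)
	fmt.Println("valid token:", c, err)
	_, err = Verify(secret, ForgeNone(Claims{Sub: "attacker", Role: "admin", Exp: now.Unix() + 300}), now)
	fmt.Println("alg none forgery:", err)
}
```

The same checks apply when the API uses asymmetric signatures (RS256 or ES256): pin the expected algorithm and key, and treat any other header value as an attack rather than a configuration option.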
Compliance & Standards
AD-WAN adheres to industry security standards and best practices:
Current Certifications
- FIPS 140-3 Validated: the wolfCrypt cryptographic module, used for all data-in-motion encryption, holds a FIPS 140-3 validation (the validation covers the module, not the product as a whole)
- TLS 1.3: Modern secure communication protocols across all control plane traffic
In Progress
- ISO/IEC 27001: formal certification of the information security management system is in progress
Security Best Practices
- Zero-Trust Architecture: All connections authenticated and encrypted
- Defense in Depth: Multiple layers of security controls
- Regular Security Audits: Continuous assessment and improvement
- Secure Development Lifecycle: Security integrated throughout development process
Next Steps
Now that you understand AD-WAN's architecture: