Site networking: VPN, SD-WAN or leased line – which fits when?
The short answer: A VPN is the right choice when you want to connect a few sites cheaply and quickly over the open internet and can tolerate occasional fluctuations. SD-WAN fits as soon as you need to manage several sites centrally, bundle multiple lines and prioritise critical applications such as VoIP or ERP. A leased line (for example dark fibre or a dedicated carrier line) makes sense when you need guaranteed bandwidth, predictable latency and contractually assured availability between two fixed points. In practice the best solution is often a combination: SD-WAN as a control layer over a mix of standard business internet and a leased line for the most critical link.
What does site networking actually mean?
Site networking means connecting several company locations so that employees everywhere can access the same applications, servers and data as at headquarters. This applies to branches, plants, distribution centres, home-office workstations and often the company's own or an external data centre.
Technically it comes down to two questions. First: how do the data packets get safely and quickly from site A to site B? Second: how is that traffic encrypted, prioritised and monitored? VPN, SD-WAN and leased line are three different answers to this – they do not exclude each other but can be combined.
What matters for the decision is to think from the need, not from the technology. The key factors are the number of sites, the applications running between them, the tolerable downtime and the budget. Only then can you seriously say which technology fits.
When is a VPN the right choice?
A site-to-site VPN sets up an encrypted tunnel over the ordinary internet, usually with IPsec and AES-256. Each site's existing internet line is used; additional leased lines are not needed. This makes a VPN the cheapest option and the fastest to implement.
A VPN fits when you are connecting two or a few sites, when data volumes are manageable and when occasional fluctuations in speed or latency are not a problem. Typical cases: a second small site, individual home-office workstations or occasional access by field staff to central systems.
The limit of the VPN lies where guaranteed performance matters. Over the open internet there is no assurance for bandwidth, latency or availability – you share the line with everyone else. For real-time applications such as telephony or video conferencing this can cause dropouts. Managing many tunnels centrally also becomes confusing from roughly five to ten sites onwards.
When is SD-WAN worthwhile?
SD-WAN (software-defined wide area network) is essentially an intelligent control layer over your lines. Instead of hard-wiring a single connection, SD-WAN bundles several links per site – for example a fibre line plus a 5G fallback – and decides per data packet which path is currently best.
The decisive advantage is prioritisation. With Quality of Service (QoS), voice, video and ordinary data traffic can be handled separately. An important ERP or VoIP packet is given priority while a large file download waits in the background. If a line fails, SD-WAN switches automatically to the second one, often without any noticeable interruption.
SD-WAN is worthwhile from several sites that should be managed centrally, and wherever telephony, video conferencing or cloud-based applications are business-critical. Another plus: you are not tied to a single carrier. Per site you can choose the cheapest or most available provider without rebuilding the entire architecture.
The price of this flexibility is a little more complexity in setup and operation. SD-WAN requires suitable hardware at each site and a well-thought-out rule set. However, this effort usually pays off from just a handful of sites onwards – through fewer outages, better voice quality and simpler management.
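The per-packet path choice and the automatic failover described above, as an added toy model (not vendor code and not part of the original article): link names, measured values and the per-class thresholds and weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Link:
    """One WAN link at a site with its currently measured quality (constructed values)."""
    name: str
    up: bool
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float

# Constructed per-class policy: (max_latency_ms, max_jitter_ms, max_loss_pct) a link must
# meet to carry the class, and (latency, jitter, loss, bandwidth) weights to rank survivors.
POLICY = {
    "voip": ((150, 30, 1.0), (1.0, 2.0, 50.0, 0.0)),    # delay, jitter and loss sensitive
    "erp":  ((300, 100, 2.0), (1.0, 0.5, 20.0, 0.0)),   # latency and loss matter most
    "bulk": ((1000, 1000, 5.0), (0.0, 0.0, 5.0, -1.0)), # prefer the fattest pipe
}

def score(link, weights):
    """Lower is better: penalise latency, jitter and loss; credit bandwidth (negative weight)."""
    w_lat, w_jit, w_loss, w_bw = weights
    return (w_lat * link.latency_ms + w_jit * link.jitter_ms
            + w_loss * link.loss_pct + w_bw * link.bandwidth_mbps)

def select_path(links, app_class):
    """Link for the next packet of app_class, or None if nothing usable is left.
    Step 1 (failover): drop down links and links breaching the class thresholds.
    Step 2 (steering): among the rest, take the best score for this class."""
    (max_lat, max_jit, max_loss), weights = POLICY[app_class]
    eligible = [lk for lk in links if lk.up and lk.latency_ms <= max_lat
                and lk.jitter_ms <= max_jit and lk.loss_pct <= max_loss]
    if not eligible:
        return None
    return min(eligible, key=lambda lk: score(lk, weights)).name

# Constructed measurements for one branch: fibre primary plus 5G fallback.
HEALTHY = [Link("fibre", True, 8.0, 1.0, 0.0, 1000.0), Link("5g", True, 45.0, 12.0, 0.3, 150.0)]
# Same fibre line during upstream congestion: jitter and loss spike, bandwidth unchanged.
DEGRADED = [Link("fibre", True, 8.0, 45.0, 1.5, 1000.0), HEALTHY[1]]
# Fibre cut: only the fallback remains.
FIBRE_DOWN = [Link("fibre", False, 0.0, 0.0, 100.0, 0.0), HEALTHY[1]]

if __name__ == "__main__":
    for label, links in (("healthy", HEALTHY), ("degraded", DEGRADED), ("fibre down", FIBRE_DOWN)):
        print(label, {c: select_path(links, c) for c in POLICY})
```

On the degraded fibre, voice moves to 5G because the jitter threshold is breached, while the bulk transfer stays on the fat pipe; that split per class is what a single VPN tunnel cannot do.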
When do you need a leased line or dark fibre?
A leased line is a permanently rented, dedicated connection between two points. You share the line with no one. The carrier guarantees bandwidth, latency and availability contractually through a service level agreement (SLA) – often with a guaranteed 99.9 percent or more. The top tier is dark fibre: your own unlit optical fibre whose capacity and technology you control entirely yourself.
A leased line is the right choice when very large volumes of data must flow continuously between two fixed sites with predictable, low latency. Typical cases: coupling two data centres, mirroring production data in real time, or a main site where an outage costs measurable money every hour.
The downside is cost and lead time. Leased lines are significantly more expensive than internet connections and must be physically available; a new route can mean weeks to months of construction time, depending on the site and the carrier. That is why leased lines are deployed deliberately for the one truly critical link – while the remaining sites are connected more cheaply via SD-WAN or VPN.
As a benchmark for what highly available, dedicated coupling can deliver: the two data centres of ITS AG in Frankfurt am Main are about ten kilometres apart and redundantly coupled over several 100-gigabit connections. Exactly this design – several physically separate paths instead of a single line – is the core of real fault tolerance.
How do you make the decision in practice?
Four questions are decisive. How many sites are you connecting today, and how many in three years? Which applications run between the sites, and how sensitive are they to delay? Telephony and real-time mirroring are tricky; a nightly backup is not. How long may a connection fail at worst? And what budget stands against the damage of an outage?
The answers usually produce a clear picture. Few sites, non-critical applications, small budget: VPN. Several sites with telephony and cloud, central management desired: SD-WAN. Two fixed points with guaranteed performance and very large data volumes: leased line. In many mid-market networks the most viable solution is a combination – SD-WAN as control over a mix of business internet and a deliberately placed leased line for the most critical path.
Just as important as the technology is the question of redundancy. A single connection is always a risk, no matter how good it is. At least a second, independent path per critical site makes sense – for example a second line from a different carrier or a 5G fallback that steps in automatically and is tested regularly.
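The availability arithmetic behind the redundancy argument above, as an added worked example (not from the article or ITS AG): the 99.9 percent line figure is the SLA value quoted in the text, the edge-router availability is an assumption, and the whole calculation presumes that the alternatives fail independently.

```python
"""Availability arithmetic for redundancy planning (added illustration, constructed figures).

series(): every element in the chain must work, so availabilities multiply.
parallel(): independent alternatives, any one suffices, so failure probabilities multiply.
"""
MINUTES_PER_YEAR = 365 * 24 * 60

def series(*avail):
    result = 1.0
    for a in avail:
        result *= a
    return result

def parallel(*avail):
    # Valid only if the alternatives fail independently: two carriers sharing the same
    # duct or the same building entry do not qualify, however different their logos.
    fail = 1.0
    for a in avail:
        fail *= 1.0 - a
    return 1.0 - fail

def downtime_minutes_per_year(avail):
    """Expected unavailability expressed as minutes of outage in a year."""
    return (1.0 - avail) * MINUTES_PER_YEAR

# Three ways to connect one critical site; 0.9995 is an assumed edge-router availability.
LINE, ROUTER = 0.999, 0.9995

def single_line():
    return series(ROUTER, LINE)

def dual_line_one_router():
    # Two independent carriers, but both terminate on one router: the router stays a
    # single point of failure and caps what the second line can buy.
    return series(ROUTER, parallel(LINE, LINE))

def dual_line_dual_router():
    # Each line on its own router: two fully independent paths in parallel.
    return parallel(series(ROUTER, LINE), series(ROUTER, LINE))

if __name__ == "__main__":
    for name, fn in (("single line", single_line), ("dual line, one router", dual_line_one_router),
                     ("dual line, dual router", dual_line_dual_router)):
        a = fn()
        print(f"{name:24s} availability {a:.6%}  ~{downtime_minutes_per_year(a):7.1f} min/year")
```

The second line cuts expected downtime from roughly 13 hours to about 4.4 hours a year while the shared router remains; only when the paths are independent end to end does it fall to about a minute.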
Finally, watch out for vendor lock-in and operations. Classic MPLS often ties you to a single carrier for years and makes any change expensive. Layer-3-based, carrier-independent architectures allow a provider switch per site. And regardless of the technology: complete network documentation, a clear IP plan and a defined contact person for incidents decide more about actual availability in an emergency than the data sheet does.