
SD-WAN vs MPLS — Honest UK Comparison for Multi-Site Businesses

8 min read · VantagePoint Networks

MPLS used to be the default WAN choice for any UK business with more than three sites. SD-WAN has reversed that — but the marketing has been heavy enough that the actual trade-offs get lost.

This is the unmarketed comparison: when SD-WAN genuinely beats MPLS, when MPLS still wins, and how to decide for your business without falling for either side's pitch.

The five-second summary

SD-WAN typically beats MPLS on cost, flexibility, and SaaS performance. MPLS still beats SD-WAN on guaranteed latency for real-time workloads, on avoiding multi-vendor blame games (one carrier owns the whole circuit), and under any compliance regime that explicitly excludes public-internet transport. For most UK businesses with 5+ sites and Microsoft 365 / Salesforce / Teams in their stack, SD-WAN is the right answer.

Where SD-WAN wins

Cost is the headline win. MPLS bandwidth pricing is at least 5–10× that of internet-grade fibre. A 100 Mbps MPLS circuit might cost £450/month; the same speed on FTTC or business broadband is £40–80/month. Multiplied across a 30-site estate, the bandwidth cost difference funds the SD-WAN appliances and ongoing licensing many times over.

SaaS application performance is the second win. With MPLS, all sites typically backhaul through a central HQ firewall to reach the internet, adding latency to every Microsoft 365 or Salesforce session. SD-WAN platforms send M365 traffic direct from each site via local internet breakout, with intelligent path selection across multiple uplinks based on real-time jitter, loss, and latency.
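As an added illustration, not code from this article or from any SD-WAN vendor, the following Python shows SLA-based path selection of the kind described above: each uplink is summarised by latency, jitter and loss, and each application class is given the best uplink that meets its thresholds. The uplink names, probe samples and thresholds are constructed assumptions; only the 20 ms real-time latency figure comes from this article.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

# Assumed thresholds; only the 20 ms real-time latency figure is from the article.
SLA_CLASSES = {"realtime": Sla(20.0, 5.0, 0.5), "saas": Sla(80.0, 30.0, 2.0)}

# Constructed probe samples: round-trip time in ms, None = probe lost.
UPLINKS = {
    "mpls":  [12, 13, 12, 14, 12, 13, 12, 13],
    "fibre": [9, 10, 9, 11, 10, 9, 10, 9],
    "lte":   [45, 60, 38, None, 52, 70, 41, 48],
}
DEGRADED = {**UPLINKS, "fibre": [9, 40, None, 35, 10, None, 55, 9]}

def summarise(probes):
    """Return (mean latency ms, jitter ms as RTT std-dev, loss %) for one uplink."""
    answered = [p for p in probes if p is not None]
    loss = 100.0 * (len(probes) - len(answered)) / len(probes)
    if not answered:  # link is down: never SLA-compliant
        return float("inf"), float("inf"), loss
    return mean(answered), pstdev(answered), loss

def select_path(app_class, uplinks, current=None):
    """Choose an uplink for app_class; keep `current` while it still meets the SLA."""
    sla = SLA_CLASSES[app_class]
    stats = {name: summarise(p) for name, p in uplinks.items()}

    def meets(name):
        lat, jit, loss = stats[name]
        return (lat <= sla.max_latency_ms and jit <= sla.max_jitter_ms
                and loss <= sla.max_loss_pct)

    if current in stats and meets(current):
        return current  # hysteresis: avoid flapping between two good links
    # Best compliant link, or the least-bad link when none complies.
    pool = [n for n in stats if meets(n)] or list(stats)
    return min(pool, key=lambda n: (stats[n][2], stats[n][0]))

if __name__ == "__main__":
    print(select_path("realtime", UPLINKS))
    print(select_path("realtime", DEGRADED, current="fibre"))
```

When the fibre link degrades, real-time traffic moves to the MPLS path, which is the behaviour a hybrid deployment relies on during migration.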

Centralised management is the third. Pushing a firewall rule or QoS change to 50 sites takes 10 minutes from an SD-WAN dashboard. The same change in MPLS-era networks meant per-site CLI work or expensive carrier change requests.

Where MPLS still wins

Guaranteed latency for real-time workloads. If you run trading systems, broadcast media, or large-scale VoIP across sites and your operating model depends on consistent sub-20ms latency, MPLS gives you a contractually guaranteed performance SLA. SD-WAN over public internet can match it most of the time — but "most of the time" is not the same as guaranteed.

Single-throat-to-choke procurement. MPLS is one carrier, one bill, one phone number when something breaks. SD-WAN over multiple internet circuits per site is fundamentally a multi-carrier deployment — you're managing your own end-to-end performance because no single carrier owns it.

Compliance regimes that mandate private circuits. Some regulated environments (a small subset of financial services and government work) explicitly require private connectivity, not internet-with-encryption. Always read the actual regulation — many people assume this applies when it doesn't.

A practical decision framework

Use this rough decision matrix for UK multi-site businesses:

  • Under 5 sites: probably keep simple IPsec mesh on internet circuits. Both MPLS and SD-WAN are overkill.
  • 5–10 sites with M365/SaaS-heavy workloads: SD-WAN is almost always the answer.
  • 10–50 sites currently on MPLS: SD-WAN with hybrid (MPLS as one path + internet as another) is a low-risk migration. Decommission MPLS gradually.
  • 50+ sites: SD-WAN is essentially mandatory because MPLS at that scale is cost-prohibitive.
  • Real-time workloads (trading, broadcast, niche VoIP grids): keep MPLS or use a private SD-WAN backbone provider.

Migration approach when replacing MPLS

The successful migration pattern is wave-based. Pilot 2–3 sites for a month while keeping MPLS as fallback. Decommission MPLS at piloted sites once you're confident. Roll out the next wave (typically 5–10 sites). Keep MPLS at HQ as a fallback path until the entire estate is on SD-WAN, then cancel.

Most projects we run cut over a 30-site estate in 6–10 weeks total — design phase 2–3 weeks, rollout 1–2 sites per week per engineer.

Frequently asked

Is SD-WAN secure if it runs over public internet?

Yes, when designed correctly. All site-to-site traffic is IPsec-encrypted by default. Modern SD-WAN platforms include integrated security stacks (firewall, IPS, web filtering, optional SASE). The "public internet" concern is about bandwidth contention, not encryption — and SD-WAN handles that with multiple uplinks and intelligent path selection.

How long does an MPLS-to-SD-WAN migration take?

Design phase: 2–3 weeks for 10 sites, 4–6 weeks for 50+. Rollout: typically 1–2 sites per week per engineer working in change windows. A 30-site estate is usually live on SD-WAN end-to-end within 8–10 weeks.

Should we use Fortinet, Meraki, Cisco, or Aruba SD-WAN?

Fortinet Secure SD-WAN is excellent if you already run FortiGate firewalls. Meraki is great for simplicity at small-to-mid scale. Cisco Catalyst SD-WAN (Viptela) is the enterprise heavyweight. Aruba EdgeConnect leads on application performance. The right choice depends on your existing kit, scale, and security needs — not on which vendor has the loudest marketing.

Can we keep some MPLS as a backup path?

Yes — and we often recommend this for the first 6 months. A "hybrid SD-WAN" overlays your existing MPLS plus internet circuits, with the SD-WAN intelligently choosing paths. This de-risks the migration and gives you a fallback. After 6 months of stable SD-WAN performance, most clients cancel MPLS.

What about latency-sensitive workloads like VoIP?

Modern SD-WAN handles voice well thanks to per-packet path selection and forward error correction. Voice quality is usually as good as or better than over MPLS, except in the rare case where one site has only a single mediocre internet circuit. If you have 4G/5G as a backup uplink, voice continues during fibre outages.
