Level: Advanced · Category: WAN / Service Provider
Tags: SD-WAN, VeloCloud, VMware, WAN, DMPO, QoS, Enterprise Network

SD-WAN from Scratch: VeloCloud Architecture Explained

April 9, 2026 · 8 min read

Overview

VeloCloud SD-WAN (now VMware SD-WAN by Broadcom) is the platform deployed across my current network: 42 countries, multi-cloud, multi-ISP. After years of managing it in production, this post covers how it actually works, not just what the marketing slides say.

The core promise of SD-WAN is transport independence. Your application traffic should work over any available underlay (MPLS, broadband, LTE, satellite), and the network should route it intelligently based on real-time path performance, not static routing tables. VeloCloud delivers this through Dynamic Multi-Path Optimization (DMPO) and a clean separation between the data plane (Edges), control plane (Controllers), and management plane (Orchestrator).


[Diagram: VeloCloud SD-WAN architecture. The VCO (Orchestrator: policy, monitoring, ZTP) manages two VCC Controllers over HTTPS (Controller 1 at a US-East PoP, Controller 2 at an EU-West PoP). Edges: VCE HQ (3x WAN links), VCE DC (MPLS + Internet), VCE Branch (Broadband + LTE), VCE Remote (LTE only), plus a Cloud Gateway in AWS / Azure, all joined by DMPO tunnels over Internet / MPLS.]

The Three Planes

Management Plane - VeloCloud Orchestrator (VCO)

The Orchestrator is the single pane of glass. Everything you configure lives here: profiles, policies, segment definitions, business policies, firewall rules. The VCO never touches forwarding; it pushes configuration to Edges via the Controller and exposes real-time monitoring, path analytics, and alerts.

What the VCO manages:

  • Zero Touch Provisioning (ZTP): Edges activate by calling home to the VCO
  • Network segmentation: create isolated segments (like VRFs)
  • Business policies: map applications to transport preferences
  • Firewall rules: stateful + application-aware
  • Monitoring: path quality metrics, top talkers, SLA dashboards

VCO can be cloud-hosted (VMware-hosted SaaS), on-prem (VCO appliance in your DC), or hybrid.

Control Plane - VeloCloud Controller (VCC)

The Controller handles routing. Every Edge establishes a persistent VCMP (VeloCloud Management Protocol) tunnel to two Controllers for redundancy. The Controller distributes routes between Edges: it knows every Edge's subnets, dynamically exchanges prefixes, and builds the overlay routing table.

The Controller does not forward user traffic. Traffic flows Edge-to-Edge (or Edge-to-Gateway) directly; the Controller only tells each Edge where to find everything else.

Data Plane - VeloCloud Edge (VCE)

The Edge is the CPE device at each site. It handles actual packet forwarding, encryption, QoS, and the DMPO logic. Every Edge builds encrypted VCMP tunnels to other Edges (hub-and-spoke or full-mesh depending on the profile), probes each path continuously, and steers traffic onto the best path in real time.


Dynamic Multi-Path Optimization (DMPO)

DMPO is what separates VeloCloud from a simple VPN overlay. Here's how it works:

Continuous path probing: Every Edge sends probes to all peers over every available WAN link every 100ms. It measures latency, jitter, and packet loss for each path independently.

Per-packet or per-flow steering: Based on business policy, VeloCloud can steer different application flows onto different WAN links simultaneously. A voice call goes via MPLS (low jitter), a file backup goes via broadband (high throughput, cost-effective), and a video stream goes via whichever path currently has the best characteristics.

Forward Error Correction (FEC): On links with measurable packet loss, the Edge can transmit redundant FEC packets to reconstruct lost data without retransmission. This is critical for voice/video over broadband or LTE where loss spikes occur.

Remediation: When a path degrades, VeloCloud moves flows off it within milliseconds, far faster than BGP reconvergence.

Path Condition | DMPO Response | Mechanism
Jitter spike on MPLS | Move voice flows to broadband | Real-time path scoring, per-flow steering
Packet loss on broadband | Enable FEC, or move to MPLS | Loss detection every 100ms; FEC threshold configurable
Full WAN link failure | Immediate failover to remaining paths | BFD on WAN links, sub-second detection
Asymmetric jitter | Reorder packets at receiving Edge | Packet reordering buffer per tunnel
Brownout (high loss / high latency) | De-preference path before full failure | SLA thresholds defined in business policy

Business Policies and Application Steering

Business policies are the heart of VeloCloud's value. They define which applications go over which transport, and under what conditions.

A policy is structured as: Match (application/destination) → Action (transport preference + QoS).

# Example Business Policy - as seen in VCO config export (YAML)
businessPolicies:
  - name: "VoIP-Priority"
    match:
      application: "MICROSOFT_TEAMS"   # App-aware: Deep Packet Inspection
    action:
      linkSteering: "MPLS_FIRST"       # Prefer MPLS; fallback to broadband
      qos:
        dscp: "EF"                     # Mark Expedited Forwarding
        priority: HIGH
      slaThreshold:
        latencyMs: 150
        jitterMs: 30
        lossPercent: 1

  - name: "Backup-Traffic"
    match:
      application: "VEEAM_BACKUP"
    action:
      linkSteering: "BROADBAND_ONLY"   # Keep backups off expensive MPLS
      qos:
        priority: LOW
      rateLimit: "50Mbps"

  - name: "Default-Internet"
    match:
      destination: "0.0.0.0/0"
    action:
      linkSteering: "COST_OPTIMIZED"  # Cheapest available path
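To make the DMPO steering rules and the business-policy SLA thresholds above concrete, here is an added simulation (my own example, not VeloCloud code): each WAN link carries its latest probe results, a policy supplies a linkSteering mode and optional slaThreshold, and steer() returns the chosen link, whether FEC should be active, and why. The path score, the cost ranking, the FEC trigger and the probe snapshot are constructed assumptions; the real scoring inside the Edge is not public.

```python
from dataclasses import dataclass

# Constructed cost ranking for COST_OPTIMIZED (lower = cheaper); in production it
# comes from the per-link configuration in the VCO.
LINK_COST = {"BROADBAND": 1, "LTE": 2, "MPLS": 3}
NO_SLA = {"latencyMs": 10**9, "jitterMs": 10**9, "lossPercent": 100.0}

@dataclass
class PathStats:
    link: str          # "MPLS", "BROADBAND" or "LTE"
    latency_ms: float  # latest values from the 100 ms path probes
    jitter_ms: float
    loss_pct: float
    up: bool = True    # False once the WAN link is declared down

def meets_sla(p, sla):
    """A path is within SLA only if every probed metric is under its threshold."""
    return (p.latency_ms <= sla["latencyMs"] and p.jitter_ms <= sla["jitterMs"]
            and p.loss_pct <= sla["lossPercent"])

def path_score(p):
    """Constructed score (lower is better): jitter and loss weigh more than latency."""
    return p.latency_ms + 2 * p.jitter_ms + 50 * p.loss_pct

def steer(policy, paths, fec_loss_pct=0.3):
    """Pick the WAN link for one flow; fec_loss_pct is the constructed FEC trigger."""
    mode = policy["action"]["linkSteering"]
    sla = policy["action"].get("slaThreshold", NO_SLA)
    alive = [p for p in paths if p.up]
    if mode in ("MPLS_ONLY", "BROADBAND_ONLY"):  # pinned modes never fall back
        alive = [p for p in alive if p.link == mode.split("_")[0]]
    if not alive:
        return {"link": None, "fec": False, "reason": "no eligible link up"}
    in_sla = [p for p in alive if meets_sla(p, sla)]
    if mode == "COST_OPTIMIZED":
        best, why = min(in_sla or alive, key=lambda p: LINK_COST[p.link]), "cheapest eligible link"
    elif mode == "MPLS_FIRST" and any(p.link == "MPLS" for p in in_sla):
        best, why = next(p for p in in_sla if p.link == "MPLS"), "MPLS within SLA"
    elif in_sla:
        best, why = min(in_sla, key=path_score), "best-scoring path within SLA"
    else:  # brownout: nothing meets SLA, so de-preference but keep forwarding
        best, why = min(alive, key=path_score), "brownout, least-degraded path"
    return {"link": best.link, "fec": best.loss_pct > fec_loss_pct, "reason": why}

# VoIP policy mirrors the YAML export above; the probe snapshot is constructed
VOIP = {"action": {"linkSteering": "MPLS_FIRST",
                   "slaThreshold": {"latencyMs": 150, "jitterMs": 30, "lossPercent": 1}}}
SNAPSHOT = [PathStats("MPLS", 25, 45, 0.0),      # jitter spike on MPLS
            PathStats("BROADBAND", 60, 5, 0.8),  # lossy broadband
            PathStats("LTE", 90, 12, 0.1)]
```

With this snapshot, steer(VOIP, SNAPSHOT) moves the voice flow off MPLS to broadband (the jitter spike breaks the 30 ms SLA) and turns FEC on because broadband loss is above the trigger; an MPLS_ONLY policy with MPLS down returns no link at all, which is the "backup link never used" case from the operational issues below.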

WAN Transport Design

Each VeloCloud Edge supports up to 4 WAN links. Best practice for enterprise:

Site Type | WAN 1 | WAN 2 | WAN 3 | Notes
HQ / DC | MPLS Primary | MPLS Secondary | Broadband Internet | Dual MPLS for voice/data; broadband for internet breakout
Large Branch | MPLS | Broadband | LTE (backup) | LTE only activates when both wired links fail
Small Branch | Broadband Primary | LTE Backup | - | Cost-optimized; MPLS not justified for site size
Remote / Kiosk | LTE Primary | LTE Secondary (different carrier) | - | Dual-carrier LTE for availability; no wired option
Cloud Gateway | AWS Direct Connect | Internet (IPsec) | - | Gateway Edge deployed in VPC; connects to branch Edges

Segmentation

VeloCloud supports network segmentation via Segments, effectively VRFs in the overlay. A segment is a logically isolated network with its own routing table, firewall policy, and set of Edges. Traffic between segments requires explicit inter-segment policy.

Common segmentation patterns:

  • Corporate: internal user traffic, ERP, intranet
  • Guest: internet-only, isolated from corporate
  • PCI: cardholder data environment, strict firewall rules, dedicated MPLS path
  • OT/IoT: operational technology, air-gapped from corporate segment

Each segment maps to a VLAN on the LAN side of the Edge. The Edge applies the segment's routing and policy to that VLAN's traffic.


Monitoring Key Metrics in Production

These are the metrics I watch daily in the VCO dashboard:

Metric | Healthy Range | Alert Threshold | Action if Exceeded
WAN link loss | 0% | > 1% | Check ISP circuit; check SFP/cable
WAN latency (MPLS) | < 30ms domestic | > 100ms | Open ISP ticket; check route changes
WAN latency (broadband) | < 80ms | > 200ms | Check ISP utilization; consider policy change
Tunnel availability | 100% | < 99.9% | Investigate Edge connectivity; check ZN reachability
Edge CPU | < 60% | > 85% | Review active flows; consider hardware upgrade
FEC activation rate | 0% | > 5% sustained | Underlying link quality degrading: proactive ISP engagement

Common Operational Issues

Symptom | Cause | Fix
Edge offline ("VC_TUNNEL_ERROR") | Controller unreachable: ISP blocking UDP 2426 | Open UDP 2426 outbound on ISP CPE or upstream firewall
Application not matching policy | DPI fingerprint miss: unknown application | Use IP/port match as fallback; submit application fingerprint to VMware
Voice quality poor despite MPLS policy | MPLS link has hidden jitter; probe interval too slow | Reduce probe interval; check if DSCP EF is being honored by ISP
Backup link never used | Link steering set to MPLS-only, not fallback | Change link steering to "MPLS_FIRST" (not MPLS_ONLY) in business policy
Segment routing leak | Inter-segment policy too permissive | Audit inter-segment firewall rules; use explicit permit/deny
ZTP failed (Edge not activating) | DNS resolution fails for VCO hostname | Verify Edge WAN interface has correct DNS servers; test from Edge console