SD-WAN and SASE — SY0-701
SD-WAN and SASE for Security+ SY0-701: how software-defined WANs and cloud-delivered security converge to replace the legacy perimeter model.
WHAT IT IS
SD-WAN (Software-Defined Wide Area Network) is an approach to managing a wide area network — defined in NIST SP 800-215 — in which control and data planes are decoupled so that routing, traffic prioritization, and policy are driven by software rather than by per-device configuration. A WAN itself is "a physical or logical network that provides data communications to a larger number of independent users than are typically served by a local area network (LAN) and that is usually spread over a larger geographic area than that of a LAN" (NIST SP 800-82r3).
SASE (Secure Access Service Edge) is an architecture referenced in NIST SP 800-215 that converges wide-area networking capabilities with a comprehensive set of cloud-delivered security services — including a secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA) — into a unified service delivered from the cloud rather than from on-premises appliances. Security inspection is co-located with the network fabric rather than backhauled to a data center.
Mental model
Picture two lineages that SASE merges:
- SD-WAN lineage: takes the WAN (connecting branch offices, data centers, and cloud workloads across geography) and makes it software-controlled, so traffic routing and policy can be centrally orchestrated.
- Cloud security lineage: takes the stack of security appliances that once sat at a corporate data-center perimeter — firewalls, proxies, access brokers — and delivers them as distributed cloud services.
SASE is the architectural answer to: what happens when the workforce is mobile, applications are in the cloud, and the old castle-and-moat perimeter no longer exists? It relocates both the WAN control plane and security inspection to wherever the user and cloud resource meet.
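The SD-WAN lineage above is easiest to see in code: a central controller holds one application policy, and every site applies it when choosing among its underlay links. The following is an added illustration written for this page, not code from NIST SP 800-215 or any SD-WAN vendor; the link names, SLA thresholds and latency/loss measurements are constructed, and the failover rule (fall back to the lowest-latency working link when no link meets the SLA) is an assumption about how a simple controller would behave.

```python
"""Added example: a toy SD-WAN controller that applies one centrally defined
application policy to select an underlay link per flow.
Link names, SLA thresholds and measurements are constructed, not from a standard."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    up: bool = True
    cost: int = 1  # relative transport cost; lower is preferred when the SLA is met


# Central policy: application classes and the SLA each one requires.
# Defined once by the controller rather than per device (constructed values).
APP_SLA = {
    "voip": {"max_latency_ms": 150, "max_loss_pct": 1.0},
    "saas": {"max_latency_ms": 300, "max_loss_pct": 2.0},
    "bulk": {"max_latency_ms": 1000, "max_loss_pct": 5.0},
}


def meets_sla(link: Link, app: str) -> bool:
    """True when the link is up and its measured latency/loss satisfy the app's SLA."""
    sla = APP_SLA[app]
    return (
        link.up
        and link.latency_ms <= sla["max_latency_ms"]
        and link.loss_pct <= sla["max_loss_pct"]
    )


def select_path(links: list[Link], app: str) -> Optional[str]:
    """Pick the cheapest link that meets the SLA. If none does, degrade gracefully
    to the lowest-latency link that is still up; return None only if all are down."""
    candidates = [l for l in links if meets_sla(l, app)]
    if candidates:
        return min(candidates, key=lambda l: (l.cost, l.latency_ms)).name
    up = [l for l in links if l.up]
    if up:
        return min(up, key=lambda l: l.latency_ms).name
    return None


def sample_links() -> list[Link]:
    """Constructed branch-office underlays: MPLS, broadband and LTE."""
    return [
        Link("mpls", latency_ms=40, loss_pct=0.1, cost=5),
        Link("broadband", latency_ms=60, loss_pct=0.5, cost=1),
        Link("lte", latency_ms=120, loss_pct=2.5, cost=3),
    ]


def demo() -> dict[str, Optional[str]]:
    """Walk through normal operation, a degraded broadband link, and a multi-link outage."""
    links = sample_links()
    results = {"voip_normal": select_path(links, "voip")}

    # Broadband loss climbs past the VoIP SLA; the controller shifts VoIP to MPLS
    # while bulk traffic, whose SLA still tolerates 3% loss, stays on broadband.
    links[1].loss_pct = 3.0
    results["voip_degraded"] = select_path(links, "voip")
    results["bulk_degraded"] = select_path(links, "bulk")

    # MPLS and broadband both fail; only LTE remains, which misses the VoIP SLA,
    # so the call is carried best-effort rather than dropped.
    links[0].up = False
    links[1].up = False
    results["voip_outage"] = select_path(links, "voip")
    return results


if __name__ == "__main__":
    for scenario, link in demo().items():
        print(f"{scenario:>15}: {link}")
```

The security-relevant point is in the structure rather than the arithmetic: `APP_SLA` lives in one place and every site evaluates it, which is what "control plane decoupled from the data plane" means in practice, and the multi-link fallback is the resilience property the Related concepts section refers to under failure modes.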
Zero trust is the policy philosophy underneath. NIST SP 800-207 defines zero trust as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." SASE provides a delivery model that makes zero trust enforcement feasible at the edge.
When to use it
| Scenario | SD-WAN alone | SASE |
|---|---|---|
| Connect branch offices over commodity internet | Yes — SD-WAN optimizes transport across multiple underlay links | Yes — SASE includes SD-WAN capabilities plus integrated security |
| Enforce security policy for remote/mobile users who never reach a branch | Limited — SD-WAN is primarily a branch/site technology | Yes — SASE security services follow user identity regardless of location |
| Replace legacy MPLS with more flexible transport | Yes — primary SD-WAN use case | Yes — SASE inherits this |
| Enforce per-request least-privilege access to SaaS apps | No — SD-WAN does not perform identity-aware access brokering | Yes — ZTNA and CASB components within SASE address this |
| Traditional hub-and-spoke VPN with on-prem firewall inspection | No — this is the legacy model SD-WAN and SASE are contrasted against | No — SASE distributes inspection to the cloud edge |
A VPN, per NIST SP 800-77r1, is "a virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks." A VPN creates an encrypted tunnel but does not by itself apply identity-aware, per-request policy or deliver cloud-native security services — that gap is what SASE addresses.
COMMON MISCONCEPTION
The trap: SASE = SD-WAN with encryption bolted on.
Candidates sometimes treat SASE as merely "SD-WAN plus a VPN" — a faster, more flexible transport that still terminates at an on-premises security appliance. This is wrong in two important ways.
First, the security stack in SASE is architecturally cloud-delivered and distributed. NIST SP 800-207 describes zero trust as moving "defenses from static, network-based perimeters to focus on users, assets, and resources" — an on-premises firewall choke point is the model SASE replaces, not what it describes.
Second, SASE incorporates identity-aware access controls aligned with zero trust principles. NIST SP 800-207 states zero trust eliminates "implicit trust granted to assets or user accounts based solely on their physical or network location." A VPN tends to grant broad network access once a tunnel is established — the opposite of least-privilege per-request enforcement.
The specific form this misconception takes in exam scenarios: given a remote workforce that needs secure access to cloud applications, selecting "VPN concentrator at HQ" describes the legacy perimeter model, not SASE.
How it shows up on the exam
The cognitive target is apply and analyze: given a described environment, identify which architecture — SD-WAN, SASE, traditional VPN, or perimeter firewall — best fits the stated security requirement.
Signal phrases to recognize:
- "Cloud-delivered security services" — points toward SASE, not standalone SD-WAN.
- "Distributed workforce connecting directly to SaaS" — the canonical SASE scenario; backhauling traffic to a corporate data center is the wrong answer.
- "Converges networking and security at the edge" — definitional for SASE.
- "Software-defined" + "WAN" + "multiple transport links" — SD-WAN transport optimization, which may or may not involve a full SASE stack.
- "Implicit trust" or "network location as the trust boundary" — this is the legacy model that zero trust (and by extension SASE) is designed to replace, per NIST SP 800-207.
Candidates often confuse SASE with a VPN-based remote-access solution because both address the "remote user needs access" problem. The architectural distinction is where and how policy is enforced: a VPN enforces access at a fixed network endpoint after establishing a tunnel; SASE enforces least-privilege, identity-aware policy at every access request regardless of physical location, consistent with zero trust principles described in NIST SP 800-207.
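The "where and how policy is enforced" distinction can be made concrete with a small policy decision point. The code below is an added illustration for this page, not from NIST SP 800-207 or any SASE product: `vpn_style_decision` models the legacy rule (reaching the corporate network is the trust decision), while `zero_trust_decision` evaluates every request against identity, device posture and a per-application rule and never consults network location at all. The users, groups, applications and rules are constructed for the example.

```python
"""Added example: location-based access (legacy VPN model) beside per-request,
identity-aware access (the zero trust model SASE/ZTNA enforces).
Users, devices, applications and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset  # group memberships asserted by the identity provider
    device_managed: bool  # enrolled in enterprise device management
    device_patched: bool  # posture check result
    mfa: bool  # strong authentication completed for this session
    on_corp_network: bool  # physically on-site or tunnelled in via VPN
    app: str
    action: str


def vpn_style_decision(req: Request) -> bool:
    """Legacy model: once the tunnel is up, the user is 'inside' and everything is reachable."""
    return req.on_corp_network


# Per-application policy, evaluated on every request (constructed rules).
# Note that nothing here refers to network location.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_mfa": True, "require_managed": True},
    "wiki": {"groups": {"staff", "hr", "eng"}, "require_mfa": False, "require_managed": False},
    "prod-db": {"groups": {"dba"}, "require_mfa": True, "require_managed": True,
                "actions": {"read"}},
}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust model: default deny, then identity, posture and action checks per request."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not (req.groups & policy["groups"]):
        return False, "identity not entitled to application"
    if policy["require_mfa"] and not req.mfa:
        return False, "MFA required"
    if policy["require_managed"] and not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    allowed: Optional[set] = policy.get("actions")
    if allowed is not None and req.action not in allowed:
        return False, f"action {req.action!r} not permitted"
    return True, "allowed"


def compare(req: Request) -> dict[str, object]:
    """Return both models' answers for one request so the difference is visible."""
    zt_ok, reason = zero_trust_decision(req)
    return {"vpn": vpn_style_decision(req), "zero_trust": zt_ok, "reason": reason}


# Constructed scenarios.
CONTRACTOR_ON_SITE = Request("c.lee", frozenset({"contractor"}), False, False, False, True,
                             "hr-portal", "read")
HR_FROM_CAFE = Request("a.kim", frozenset({"hr", "staff"}), True, True, True, False,
                       "hr-portal", "read")
DBA_WRITE = Request("d.roy", frozenset({"dba"}), True, True, True, False,
                    "prod-db", "write")


if __name__ == "__main__":
    for name, req in [("contractor on site", CONTRACTOR_ON_SITE),
                      ("HR user off-network", HR_FROM_CAFE),
                      ("DBA write to prod", DBA_WRITE)]:
        print(f"{name:>20}: {compare(req)}")
```

The first scenario is the exam trap in miniature: an unmanaged contractor device that has reached the corporate network is allowed by the location-based rule and denied by the per-request rule, while an entitled HR user on a healthy managed device is denied by the VPN rule (not on-network) and allowed under zero trust. The third shows least privilege at the action level, which a network tunnel has no way to express.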
Related concepts
- Failure modes — understanding how SD-WAN's use of multiple underlay transports provides resilience against individual link failures.
- Jump server — a legacy access-control pattern (a hardened bastion host) that illustrates what SASE's zero trust network access is designed to supersede or supplement.
- Intrusion detection and prevention — IDS/IPS capabilities are among the security functions that SASE architectures deliver as cloud services rather than on-premises appliances.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: