2026-02-24

Traditional wide area networks (WANs) were designed for a world where applications ran in corporate data centers and employees worked from offices. These architectures rely on private circuits like Multiprotocol Label Switching (MPLS), hub-and-spoke routing through central data centers, and dedicated hardware at every branch.

As organizations adopt cloud services and support remote work, this model creates bottlenecks. Backhauling traffic to a central data center adds latency for cloud-bound traffic, and branch hardware requires ongoing maintenance and capital investment. WAN transformation replaces this architecture with cloud-native Network-as-a-Service (NaaS), routing traffic through a global network instead of private circuits.

With Cloudflare One, your corporate WAN runs over Cloudflare's global network. You connect sites through anycast IPsec or GRE tunnels, and Cloudflare handles routing, security inspection, and traffic optimization at the nearest point of presence.

Why transform your WAN

Reduce cost and rigidity

MPLS circuits require multi-year contracts and take weeks or months to provision. Adding a new site means ordering a new circuit. Cloudflare One uses standard Internet circuits with anycast tunnels — you can connect a new site in minutes using any Internet connection and any device that supports IPsec or GRE.

Eliminate Internet breakout tradeoffs

With traditional WANs, you have two options for Internet-bound traffic: backhaul it to a central data center for security inspection (adding latency), or break out directly at the branch (bypassing security controls). Cloudflare One eliminates this tradeoff. Traffic from every site reaches the nearest Cloudflare data center, where security policies are applied without the backhaul penalty.

Avoid vendor lock-in

Proprietary SD-WAN appliances create dependency on a single vendor's hardware and software ecosystem. Cloudflare One uses open standards — IPsec, GRE, and BGP — and works with your existing third-party routers and firewalls. You can also use the Cloudflare One Appliance for zero-touch provisioning at branch sites.

Simplify operations

On-premises network and security appliances require manual firmware updates, patching, and capacity planning at every location. With Cloudflare One, networking and security services run in the cloud. Cloudflare manages updates and scaling globally, reducing the operational burden on your team.

Compare WAN approaches

Performance
  Traditional WAN (MPLS): Predictable but limited to circuit capacity. High latency for cloud-bound traffic due to backhauling.
  SD-WAN: Improved path selection across multiple links. Still relies on branch appliances for processing.
  Cloudflare One: Traffic routed to the nearest Cloudflare data center. Cloud-bound traffic egresses locally without backhauling.

Cost model
  Traditional WAN (MPLS): High fixed costs. Multi-year contracts for private circuits. Per-site hardware investment.
  SD-WAN: Lower circuit costs (uses Internet links). Per-site appliance licensing and hardware costs remain.
  Cloudflare One: Internet circuit costs only. No per-site hardware required (optional). Pay-as-you-grow model.

Agility
  Traditional WAN (MPLS): Weeks to months to provision new circuits. Rigid topology changes.
  SD-WAN: Faster site deployment over Internet circuits. Still requires appliance staging and configuration.
  Cloudflare One: Connect a new site in minutes. Tunnels auto-establish from any Internet connection.

Security
  Traditional WAN (MPLS): Security applied at central data center or per-site firewalls.
  SD-WAN: Varies by vendor. Some offer integrated security, others require separate appliances.
  Cloudflare One: Integrated security at every data center — firewall, secure web gateway, and Zero Trust policies applied inline.

Management
  Traditional WAN (MPLS): Separate management for WAN circuits, routers, and security appliances.
  SD-WAN: Single console for WAN, but security often managed separately.
  Cloudflare One: Single dashboard for network connectivity, routing, firewall rules, and security policies.

Plan your migration

WAN transformation is not an all-or-nothing change. Most organizations follow an incremental approach, adding capabilities over time while decommissioning legacy infrastructure as each phase proves out.

1. Secure user access

Start by replacing VPN concentrators with Zero Trust Network Access (ZTNA). Deploy the WARP client on user devices and use Cloudflare Access to enforce identity-based policies for application access. This step secures remote and hybrid workers without changing your existing network infrastructure.

For more information, refer to Cloudflare One.

2. Connect your networks

Set up site-to-site connectivity by establishing IPsec or GRE tunnels from your existing routers, deploying the Cloudflare One Appliance at branch locations, or using Cloudflare Network Interconnect for private connectivity. Your sites communicate through Cloudflare's network, and you manage routing through the dashboard or API.

For more information, refer to Get started with Cloudflare WAN, which reviews the available on-ramps so you can choose the right connectivity option for each site.
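The GRE on-ramp described in this step, as an added example that is not Cloudflare's own code: a small iproute2 script for a Linux branch router that creates the tunnel, moves the default route into it so Internet-bound traffic is inspected at Cloudflare rather than breaking out locally, pins a host route for the tunnel endpoint to the underlay so the tunnel cannot route its own outer packets into itself, and then verifies the result. Every address is a placeholder from the RFC 5737 documentation ranges; the real anycast endpoint, the interior /31 addressing, the interface name, and the 1476-byte MTU (1500 minus the GRE/IP overhead) are assumptions to replace with the values your tunnel is assigned in the dashboard or API. The IPsec on-ramp is not shown.

```shell
#!/bin/sh
# Added example, not Cloudflare's own code. Brings up a GRE tunnel from a Linux
# branch router to a Cloudflare anycast tunnel endpoint and checks it.
# All addresses are placeholders (RFC 5737 documentation ranges); the real
# endpoint and interior /31 come from the tunnel definition in the dashboard/API.
SITE_PUBLIC_IP="${SITE_PUBLIC_IP:-203.0.113.10}"       # this site's static public IP (placeholder)
UNDERLAY_GW="${UNDERLAY_GW:-203.0.113.1}"              # ISP next hop on the underlay (placeholder)
CF_TUNNEL_ENDPOINT="${CF_TUNNEL_ENDPOINT:-192.0.2.1}"  # Cloudflare anycast endpoint (placeholder)
TUNNEL_IF="${TUNNEL_IF:-cf_gre0}"                      # local interface name (assumed)
INNER_ADDR="${INNER_ADDR:-10.100.0.2/31}"              # site side of the interior /31 (assumed)
INNER_PEER="${INNER_PEER:-10.100.0.1}"                 # Cloudflare side of the interior /31 (assumed)
TUNNEL_MTU="${TUNNEL_MTU:-1476}"                       # 1500 minus 24 bytes GRE/IP overhead (assumed)

# run: execute a command, or only print it when DRY_RUN=1 so the routing
# changes can be reviewed before they touch a production router.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# cf_gre_up: create and address the tunnel, then send the default route into it.
# The host route to the endpoint via the underlay must exist before the default
# route changes, otherwise the tunnel's outer packets would be routed into the
# tunnel itself and the site would lose connectivity.
cf_gre_up() {
  run ip tunnel add "$TUNNEL_IF" mode gre local "$SITE_PUBLIC_IP" remote "$CF_TUNNEL_ENDPOINT" ttl 255
  run ip addr add "$INNER_ADDR" dev "$TUNNEL_IF"
  run ip link set "$TUNNEL_IF" up mtu "$TUNNEL_MTU"
  run ip route add "$CF_TUNNEL_ENDPOINT/32" via "$UNDERLAY_GW"
  run ip route replace default via "$INNER_PEER" dev "$TUNNEL_IF"
}

# cf_gre_check: succeed only when the default route really leaves through the
# tunnel and the Cloudflare side of the interior /31 answers over it.
cf_gre_check() {
  ip route show default | grep -q "dev $TUNNEL_IF" \
    || { echo "default route is not via $TUNNEL_IF" >&2; return 1; }
  ping -c 3 -W 2 -I "$TUNNEL_IF" "$INNER_PEER" >/dev/null 2>&1 \
    || { echo "no reply from $INNER_PEER over $TUNNEL_IF" >&2; return 1; }
  echo "tunnel $TUNNEL_IF to $CF_TUNNEL_ENDPOINT is up and carrying the default route"
}

# cf_gre_down: restore the underlay default route before removing the tunnel.
cf_gre_down() {
  run ip route replace default via "$UNDERLAY_GW"
  run ip route del "$CF_TUNNEL_ENDPOINT/32"
  run ip tunnel del "$TUNNEL_IF"
}

case "${1:-}" in
  plan)  DRY_RUN=1 cf_gre_up ;;          # print the commands without running them
  apply) cf_gre_up && cf_gre_check ;;    # requires root and a real endpoint
  down)  cf_gre_down ;;
esac
```

Run `sh cf_gre.sh plan` first to see exactly which routing changes will be made, then `sh cf_gre.sh apply` on the router; the check fails closed (non-zero exit) if the default route did not move into the tunnel or the interior peer does not respond, which is the condition under which branch traffic would silently bypass Gateway inspection.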

3. Secure Internet egress

Enable Cloudflare Gateway to apply secure web gateway (SWG) policies to Internet-bound traffic from your sites. Add Cloudflare Network Firewall rules to enforce packet-level filtering. Traffic from every site is inspected at the nearest Cloudflare data center — no backhaul required.

For more information, refer to Cloudflare Gateway and Cloudflare Network Firewall.

4. Reduce infrastructure

As Cloudflare handles routing and security in the cloud, you can begin decommissioning branch firewalls, VPN concentrators, and MPLS circuits. The end state is what some call "coffee shop networking" — every location, whether a corporate office, a home office, or a coffee shop, provides the same secure, performant experience. The network is managed centrally through Cloudflare, and local infrastructure is minimal.

Next steps