Why SD-Branch?

By n_laura posted Oct 01, 2025 12:35 PM

Aruba’s Wi‑Fi, dynamic segmentation, and role-based access controls are widely known — but what often goes unnoticed is the orchestration layer that ties everything together. At the core of that is the SD‑Branch Orchestrator — the engine behind tunnel automation, routing intelligence, and policy consistency across WAN and LAN. It’s not just about security — it’s about making the entire network stack smarter and easier to operate at scale. 

If you’re not too familiar with how it works — or where to start — you’re in the right place. This article kicks off a series focused on the networking side of SD-Branch. In the series, we’ll talk about how the Tunnel Orchestrator and Route Orchestrator work, how survivability is handled when Central isn’t available, and later on, how this fits into different network topologies. But first, let’s answer the obvious question: why SD‑Branch?

1. Why SD‑Branch Matters 

Branches today aren’t just remote sites anymore — they’re full extensions of the enterprise network, and they need to meet the same expectations for performance, security, and operational simplicity. The challenge? A lot of traditional SD‑WAN solutions stop at building tunnels, leaving the rest — routing, segmentation, LAN configuration — to be handled manually.

HPE Aruba Networking’s SD‑Branch changes that by bringing WAN and LAN orchestration into a single system. Tunnel creation, routing distribution, and segmentation policies are all managed from a single control plane. 

The HPE Aruba Networking SD‑Branch Orchestrator is a cloud-native service that automates how secure tunnels and routes are managed across distributed branch and data center environments. Unlike traditional overlay configurations that require manual tuning of IKE/IPsec parameters, route-maps, or static tunnel endpoints, the Orchestrator automates both the establishment of secure WAN tunnels and the distribution of routing information across all branch and data center gateways. With this dual-plane orchestration model — combining the Tunnel Orchestrator and Route Orchestrator — HPE Aruba Networking enables you to deploy and maintain highly scalable overlay networks without the operational burden, freeing network engineers from the tedious setup, maintenance, and troubleshooting that have traditionally accompanied overlay networks. 

Importantly, this orchestration is not just about provisioning. It extends into runtime optimization and resiliency. To ensure operational continuity in all scenarios — including during planned maintenance or unexpected network disruptions — the SD‑Branch Orchestrator decouples the overlay control plane from the HPE Aruba Networking Central management plane. Tunnel establishment and routing updates operate through a dedicated gRPC channel, separate from the centralized UI and provisioning functions. This architecture allows secure tunnels and dynamic routing to remain fully functional and self-sustaining, even if connectivity to the management interface is temporarily interrupted. The result is a resilient, high-availability design that maintains branch connectivity without sacrificing orchestration flexibility. 

HPE Aruba Networking’s solution embraces open standards such as IPsec and BGP, ensuring compatibility with a wide range of network environments. But what sets it apart is the orchestration-driven model that replaces static configurations and CLI-intensive workflows with dynamic, intent-based automation. The system continuously adapts to changes in link availability, topology, and routing policy — simplifying operations while maintaining robust control. This shift enables organizations to move faster, scale confidently, and reduce the operational burden of managing distributed branch environments. And that’s what SD‑Branch is really about: orchestrating both the WAN and LAN as a unified system, where intelligence is distributed but policy is centralized. 


2. Tunnel Orchestrator – Automating Secure Overlay Connectivity 

One of the foundational tasks in any SD-WAN deployment is establishing secure tunnels across WAN links. Traditionally, this involves manually configuring IPsec parameters, defining peer IPs, and applying topology logic on a device-by-device basis. HPE Aruba Networking’s Tunnel Orchestrator completely removes this complexity by dynamically building and managing the overlay fabric — using a declarative, label-based model. 

When a gateway device boots up and connects to HPE Aruba Networking Central, it advertises its WAN uplinks, including metadata such as the WAN labels assigned to its interfaces (e.g., INET, MPLS) and their public IPs. The Tunnel Orchestrator uses this information to automatically determine tunnel peers based on the desired topology: Hub-and-Spoke, Hub Mesh, or Branch Mesh. No static IP definitions or pre-shared key configurations are required — tunnel negotiation is handled dynamically, including key exchange, path matching, and high-availability pairing.

This orchestration logic is not limited to initial deployment. If a new VPN Concentrator (VPNC) is added or a link label is modified, the Orchestrator recalculates tunnel pairings in real time, ensuring that the overlay remains aligned with the intended design — even as infrastructure evolves. 

High availability is also orchestrated. Gateways configured in clusters automatically synchronize tunnel configurations and share tunnel states to ensure uninterrupted operation. Failover between nodes or uplinks does not require external intervention. 

To further enhance operational resilience, the SD-Branch overlay includes a dedicated survivability mode designed to maintain overlay stability even when connectivity to the Tunnel Orchestrator is temporarily lost. In this mode, branch gateways transition to using their on-board Trusted Platform Module (TPM) to securely retain and regenerate IPsec tunnel keys. This allows the gateways to continue establishing and rekeying tunnels autonomously, without needing active contact with the Tunnel Orchestrator service. All tunnel configurations and peer relationships remain intact, and key rotation proceeds securely until full orchestration connectivity is restored.

For enterprises deploying at scale — from dozens to tens of thousands of branches — this model transforms tunnel setup from a manual, error-prone process into a fully orchestrated, self-maintaining system. It reduces time to deploy, simplifies maintenance, and ensures every branch stays connected under varying WAN conditions — all while aligning with zero-touch provisioning workflows.
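To make the label-based pairing described in this section concrete, here is a small constructed model of it, added for this article and not Aruba's code or the Orchestrator's actual algorithm. The pairing rule (tunnels only between uplinks sharing a WAN label, with Hub Mesh and Branch Mesh adding hub-to-hub and branch-to-branch pairs), the gateway names and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from itertools import combinations, product

# Constructed, simplified model of label-based tunnel pairing, added to
# illustrate the description above. It is not Aruba's code and not the
# Orchestrator's real algorithm; all names, rules and sample data are assumed.

@dataclass(frozen=True)
class Uplink:
    gateway: str    # gateway name (constructed)
    role: str       # "BGW" (branch gateway) or "VPNC" (hub)
    label: str      # WAN label advertised at boot, e.g. INET or MPLS
    public_ip: str  # constructed sample address

def compute_tunnels(uplinks, topology):
    """Return the set of tunnel pairs implied by the topology intent.
    Assumed rule: tunnels form only between uplinks with the same WAN label
    (INET<->INET, MPLS<->MPLS). Hub-and-Spoke pairs every BGW uplink with
    every VPNC uplink; Hub Mesh adds VPNC<->VPNC; Branch Mesh adds BGW<->BGW.
    """
    bgws = [u for u in uplinks if u.role == "BGW"]
    vpncs = [u for u in uplinks if u.role == "VPNC"]
    pairs = set()
    def add(a, b):
        if a.label == b.label and a.gateway != b.gateway:
            pairs.add(frozenset((a, b)))
    for b, v in product(bgws, vpncs):
        add(b, v)
    if topology == "Hub Mesh":
        for a, b in combinations(vpncs, 2):
            add(a, b)
    elif topology == "Branch Mesh":
        for a, b in combinations(bgws, 2):
            add(a, b)
    return pairs

def recalculate(old, new):
    """Diff two tunnel sets: (tunnels to tear down, tunnels to build)."""
    return old - new, new - old

# Constructed sample fabric: two branches (BR1 dual-uplink) and one hub.
FABRIC = [
    Uplink("BR1", "BGW", "INET", "198.51.100.10"),
    Uplink("BR1", "BGW", "MPLS", "10.10.1.2"),
    Uplink("BR2", "BGW", "INET", "198.51.100.20"),
    Uplink("HUB1", "VPNC", "INET", "203.0.113.1"),
    Uplink("HUB1", "VPNC", "MPLS", "10.10.0.1"),
]
# A second hub added later: pairings are recomputed, not hand-edited.
NEW_HUB = Uplink("HUB2", "VPNC", "INET", "203.0.113.2")
```

Running `recalculate(compute_tunnels(FABRIC, "Hub-and-Spoke"), compute_tunnels(FABRIC + [NEW_HUB], "Hub Mesh"))` shows the point of the section: adding HUB2 produces three new tunnels (two from the branches, one hub-to-hub) and tears nothing down, while the MPLS uplink never pairs with an INET-only hub.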


3. Route Orchestrator – Dynamic Control‑Plane Intelligence 

Beyond tunnel connectivity, a modern SD‑WAN solution must ensure that routing information is distributed intelligently and efficiently across all branches and data centers. HPE Aruba Networking’s Route Orchestrator is designed to meet this need by acting as a centralized yet scalable control-plane service that automates the flow of routes throughout the SD‑Branch fabric — without relying on traditional hop-by-hop routing propagation. 

The Route Orchestrator runs as a cloud-native service and communicates with gateways using a lightweight, secure protocol called Overlay Agent Protocol (OAP), transported over a dedicated gRPC channel. This protocol is used to publish and subscribe to route updates between branch gateways (BGWs) and VPN Concentrators (VPNCs), enabling the Orchestrator to build a global, real-time view of the overlay network. 

Routing decisions are computed dynamically by the Orchestrator, which takes into account VPNC/Hub preference values and overlay topology intent to determine the most efficient and policy-aligned path for every prefix. These routes are then selectively advertised to the appropriate devices, depending on their role and location within the SD‑WAN fabric. This model avoids the pitfalls of excessive flooding or stale state and instead delivers highly optimized, directed route propagation.

At the data center, VPNCs act as border redistribution points, translating overlay routes into underlay protocols like BGP or OSPF. HPE Aruba Networking provides fine-grained control over how routes are redistributed using match rules, route-maps, and summarization policies, ensuring that only the necessary prefixes are injected into the fabric. In dual-hub or multi-region designs, VPNC/Hub preference values allow administrators to steer traffic toward the most appropriate hub while preserving failover logic. 

Unlike traditional routing architectures, where each device maintains full routing adjacency with every other, HPE Aruba Networking’s Route Orchestrator abstracts and centralizes control. Yet it does so without becoming a single point of failure. Each gateway caches its routing state locally and continues to make forwarding decisions based on the last known topology until updates resume. 

This orchestration-based routing model greatly simplifies operations across large, distributed environments. Route propagation becomes intent-driven and topology-aware, and changes to topology or configuration — such as adding a new gateway or interface — are automatically reflected across the entire overlay. The result is a system where routing convergence is fast, controlled, and aligned with business intent, all without requiring full-mesh iBGP adjacencies or manual configuration. 
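The two behaviours this section describes, hub-preference-based path selection and a gateway continuing on its last known table when the orchestrator channel is down, are modelled in the following constructed example. It is added for this article and is not Aruba's code, nor OAP's real message format; the classes, the preference values and the sample prefixes are assumptions.

```python
from collections import defaultdict

# Constructed, simplified model of preference-based route orchestration with
# local state caching, added to illustrate the description above. It is not
# Aruba's code, and the classes, rules and sample values are assumptions.
class BranchGateway:
    """Keeps the last route table it received and forwards on it until the
    orchestrator channel is back (the last-known-topology behaviour above)."""
    def __init__(self, name):
        self.name, self.online, self.cache = name, True, {}
    def receive(self, table):
        self.cache = dict(table)
    def next_hop(self, prefix):
        return self.cache.get(prefix)

class RouteOrchestrator:
    """Hubs publish reachable prefixes; the orchestrator chooses one hub per
    prefix by preference and pushes the result to reachable subscribers."""
    def __init__(self, hub_preference):
        self.pref = hub_preference          # hub name -> preference, higher wins
        self.published = defaultdict(dict)  # prefix -> {hub: preference}
        self.subscribers = []
    def publish(self, hub, prefix):
        self.published[prefix][hub] = self.pref[hub]
        self.push()
    def withdraw(self, hub):
        for hubs in self.published.values():
            hubs.pop(hub, None)
        self.push()
    def best(self):
        return {p: max(h, key=h.get) for p, h in self.published.items() if h}
    def push(self):
        table = self.best()
        for bgw in self.subscribers:
            if bgw.online:          # offline gateways keep their cached table
                bgw.receive(table)

def scenario():
    """Constructed walk-through: dual-hub steering, then an orchestrator outage."""
    orch = RouteOrchestrator({"DC1": 200, "DC2": 100})
    bgw = BranchGateway("BR1")
    orch.subscribers.append(bgw)
    orch.publish("DC1", "10.0.0.0/8")
    orch.publish("DC2", "10.0.0.0/8")
    steered = bgw.next_hop("10.0.0.0/8")    # preferred hub DC1
    bgw.online = False                      # gRPC channel to orchestrator lost
    orch.withdraw("DC1")                    # topology changes while BR1 is cut off
    survived = bgw.next_hop("10.0.0.0/8")   # still DC1: last known state
    bgw.online = True
    orch.push()                             # resync on reconnect
    resynced = bgw.next_hop("10.0.0.0/8")   # now DC2
    return steered, survived, resynced
```

`scenario()` returns `("DC1", "DC1", "DC2")`: the cached entry keeps traffic flowing during the outage, and the stale hub is replaced as soon as the channel is restored, which is exactly the trade-off an operator should expect from this design.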


4. SD‑Branch = SD‑WAN + SD‑LAN 

What sets HPE Aruba Networking’s SD‑Branch architecture apart is that it doesn’t stop at SD‑WAN. While many solutions focus solely on WAN optimization and tunnel orchestration, HPE Aruba Networking extends the same automation principles to the local area network — creating a unified platform that seamlessly integrates WAN and LAN orchestration under a single control framework. 

This convergence is especially powerful in environments where secure segmentation, role-based access, and dynamic policy enforcement are critical. Through its orchestrators, both the wide-area and local networks are treated as parts of the same system — driven by intent, and visualized in a single topology-aware interface. 

The Tunnel and Route Orchestrators are used not only to build overlays between branch gateways and data center hubs, but also to establish tunnels from APs to local gateways in LAN environments. This enables centralized policy enforcement at the gateway, with dynamic tunneling to create a powerful dynamic segmentation framework. Segmentation is policy-driven and can be aligned to VLAN, device profile, or user role, consistent with your organization’s zero trust policy — all orchestrated automatically without manual tunnel configuration.

This architecture also supports the transport of Group-Based Policies (GBP) across both WAN and LAN overlays. As users move between locations, their roles and access policies remain consistent, carried seamlessly over the orchestrated tunnels. Whether the user is at corporate headquarters, a remote branch or even their home office, the SD‑Branch fabric ensures that segmentation and enforcement are preserved end-to-end. 

Gateways deployed at the branch serve dual roles — functioning both as SD‑WAN edge nodes and as SD‑LAN policy anchors. When combined with HPE Aruba Networking CX switches and APs, they enable dynamic role assignment, policy enforcement, and segment-aware traffic handling across the entire network edge. Traffic classification and segmentation follow users and devices as they move — even across sites — and policies are applied consistently, regardless of the underlying transport. 

This unified fabric approach eliminates traditional boundaries between network layers and reduces operational friction. It allows IT teams to deploy a unified full-stack branch architecture: one or two gateways, a few switches, and access points — all centrally orchestrated and fully integrated with security, routing, and overlay logic. 

For organizations looking to modernize their infrastructure, HPE Aruba Networking SD‑Branch provides a clear path to consolidate multiple networking functions — WAN routing, LAN switching, wireless, segmentation, and security — into a single, orchestrated architecture that is scalable, secure, and adaptable by design. 


5. Conclusion 

The HPE Aruba Networking SD‑Branch Orchestrator is more than a control-plane utility — it’s the backbone of a fully orchestrated, cloud-native networking architecture. By automating the establishment of secure IPsec tunnels, dynamically distributing routing intelligence, and extending policy enforcement across both WAN and LAN environments, it eliminates the operational burden traditionally associated with managing distributed networks. 

With its dual-plane orchestration model — Tunnel and Route Orchestrators — HPE Aruba Networking enables intent-based networking at scale, backed by resilient communication channels that preserve connectivity even when the management plane is unreachable. This ensures business continuity, simplifies deployment workflows, and reduces the risk of misconfiguration across thousands of sites. 


Not only does Aruba SD‑Branch deliver consistent segmentation and dynamic access control — which, as noted earlier, most people are already familiar with — but it also enables simplified edge-to-cloud connectivity, all orchestrated from the cloud, yet resilient by design.  

From a deployment perspective, having both WAN and LAN orchestrated through the same control plane reduces complexity, eliminates redundant configs, and makes it easier to scale consistently — without losing control at the edge. 

In the next article, we’ll take a closer look at how the Tunnel Orchestrator works — how it builds the overlay fabric and simplifies secure tunnel setup across your branches. Stay tuned!
