SD-WAN Analytics: What It Is, Key Metrics, and Monitoring Use Cases
SD-WAN promised simpler WAN operations, better application performance, and the flexibility to use multiple transports (MPLS, DIA, broadband, LTE/5G). But once policies, overlays, and cloud paths are in motion, it becomes easy to lose visibility into what users are actually experiencing and why.
That’s where SD-WAN analytics comes in. It helps NetOps teams prove that the SD-WAN is delivering the performance, reliability, and security outcomes it was designed to achieve, across branches, clouds, and remote users.
SD-WAN analytics at a glance
- Definition: The collection and analysis of SD-WAN data to measure application experience, validate routing and policy decisions, and troubleshoot performance across the WAN
- Key data sources: Flow records, tunnel/overlay telemetry, underlay circuit metrics, synthetic tests, and control-plane signals
- Core questions it answers: Which applications are affected? Is the problem in the underlay or overlay? Did a policy change cause the issue? Is the problem at a branch, provider, or cloud region?
- Why vendor-neutral matters: SD-WAN controllers show their own view. Network intelligence platforms like Kentik provide an independent, cross-vendor perspective
- Connection to broader observability: SD-WAN analytics is most valuable when correlated with cloud, internet, and data center visibility in the same platform
What is SD-WAN Analytics?
SD-WAN analytics is the collection, correlation, and analysis of SD-WAN data (flow, tunnel/overlay telemetry, underlay circuit metrics, and control-plane signals) to measure application experience, validate routing and policy decisions, and troubleshoot performance or availability issues across the WAN.
In practice, SD-WAN analytics answers questions like:
- Which applications are affected, and at which sites?
- Is the problem in the underlay (ISP/circuit loss, latency, jitter) or the overlay (tunnel health, path selection, policy)?
- Did a policy change shift traffic onto an unexpected transport or region?
- Are performance issues localized to a branch, a provider, a cloud region, or a specific path?
- Is the SD-WAN vendor delivering the SLA they committed to across each transport?
The most useful SD-WAN analytics platforms provide underlay and overlay visibility together, so teams can connect user-impacting symptoms (slow apps, voice jitter, SaaS timeouts) to the actual path, transport, and policy behavior driving them.
Kentik in brief: Kentik is a network intelligence platform that provides SD-WAN analytics across overlay and underlay by correlating traffic, circuit health metrics, and performance tests. Monitor MPLS, DIA, and broadband side-by-side, validate steering policies to SaaS and cloud apps, and quickly pinpoint whether an issue is policy, transport, provider, or upstream path behavior.
Learn how AI-powered insights help you predict issues, optimize performance, reduce costs, and enhance security.
Why SD-WAN needs deeper analytics than traditional WAN
Traditional WANs were straightforward to monitor because they were straightforward to operate: a small number of MPLS circuits, predictable traffic patterns, and most applications hosted in a corporate data center. Basic metrics like packet loss and latency per link were often enough to spot trouble.
SD-WAN broke that simplicity in three important ways. First, applications moved to the cloud and to SaaS, which means user experience now depends on internet paths, cloud regions, and third-party providers that the SD-WAN controller has limited visibility into. Second, traffic is steered dynamically across multiple transports based on application identity, policy, and real-time conditions — so the path a flow takes today may not be the path it took yesterday. Third, the overlay abstracts the underlay, which is operationally helpful but makes troubleshooting harder when symptoms appear in the overlay but root causes live in the underlay or upstream.
In other words, SD-WAN analytics is the only way to know whether an SD-WAN is actually delivering on the agility and performance it was deployed to provide. Without deep visibility, an underperforming SD-WAN can look healthy in the controller while users experience degraded SaaS, voice, or video performance for reasons the controller can’t see.
Core SD-WAN analytics workflows
SD-WAN analytics is about translating SD-WAN data into operational outcomes. The workflows below cover the most common questions NetOps teams need to answer day to day.
Monitor SD-WAN health and application performance across branches
Track underlay and overlay visibility in a single platform — transport status, tunnel behavior, and per-application traffic across branch sites — so you can monitor both SD-WAN health and application performance without switching tools. Kentik supports this with unified underlay/overlay dashboards and flow analytics across all branch sites.
Validate SD-WAN policy changes before rollout
Analyze current traffic flows and overlay-to-underlay mappings before a change goes live to predict how policies will shift traffic and ensure capacity and paths align with intent. Kentik supports this with synthetic testing agents that can simulate traffic behavior and anticipate the impact of policy changes before they reach production.
Validate SD-WAN underlay vs. overlay performance
Compare how policies are using transports, whether overlays are sending traffic over the best-performing underlays, and whether observed performance issues map to underlay limitations or overlay misconfigurations. Kentik supports this by showing underlay circuit metrics and overlay traffic behavior side by side.
Monitor MPLS, DIA, and broadband circuits in one platform
Consolidate visibility across all transport types — MPLS, DIA, broadband, and hybrid links — by ingesting traffic and telemetry data into a single analytics platform regardless of provider or technology. Kentik normalizes flow and device data so teams can monitor every WAN link side by side, without per-vendor tool sprawl.
Verify SD-WAN vendor SLAs across diverse links
Independent analytics let teams hold both the SD-WAN vendor and the underlying transport providers accountable to their commitments. Measure availability, latency, jitter, and loss per circuit and per overlay — and correlate against contracted SLAs — using a vendor-neutral platform rather than the vendor’s own dashboard. Kentik supports this by collecting flow, telemetry, and synthetic-test data outside the SD-WAN control plane, so SLA reporting reflects what’s actually happening on the wire.
Validate QoS and class-of-service policies end-to-end
Confirm that the traffic classes you care about — voice, video, business-critical SaaS — maintain acceptable latency, jitter, loss, and throughput across each segment of the WAN. Kentik supports this by correlating QoS markings, flow telemetry, and synthetic tests so teams can verify whether configured policy is delivering the intended application experience in practice.
SD-WAN, SASE, and the SaaS path
Most modern SD-WANs no longer end at the branch router. They extend into SASE (Secure Access Service Edge) architectures, into local internet breakout for SaaS applications, and into remote-worker overlays that span home networks. Each of these expansions makes SD-WAN analytics more important, not less.
Optimizing SaaS breakout at branch locations
Direct internet breakout for SaaS — sending traffic for Microsoft 365, Salesforce, Zoom, and similar applications straight out to the internet from a branch instead of backhauling it through a data center — is one of the most common SD-WAN use cases. But local breakout introduces new visibility questions: Which ISP path is each branch using to reach a given SaaS provider? Is the local breakout actually faster than backhauling? Are some branches getting much worse SaaS performance than others, and why?
Effective SaaS breakout analytics requires visibility into the internet path beyond the branch egress point — including ISP routing behavior, intermediate AS paths, and the SaaS provider’s own ingress points. Kentik supports this by combining branch flow data with internet path intelligence and synthetic tests from each branch, so NetOps teams can compare actual SaaS path performance across sites and detect ISP- or provider-side regressions.
Monitoring SASE connectivity and performance
SASE platforms (Zscaler, Netskope, Palo Alto Prisma Access, Cisco Umbrella, Cloudflare, and others) sit between the SD-WAN edge and the internet, adding a layer of cloud-delivered security and policy enforcement. They also add a new performance-critical hop. SASE-aware analytics need to answer: Is the SASE PoP itself healthy? Are users routing to the optimal PoP? Is added latency from the SASE layer acceptable for the application?
Vendor-neutral analytics platforms can monitor SASE PoP performance from synthetic agents, correlate SASE traffic with underlying transport behavior, and identify whether application slowness originates in the branch, the SASE provider, the upstream internet path, or the destination. Kentik supports this by treating SASE PoPs as monitorable destinations and correlating their performance with the rest of the SD-WAN and internet path.
Including remote workers in the SD-WAN picture
Remote and home users connect through SD-WAN edges, managed client VPNs, and SASE platforms that may all route through your monitored infrastructure. When their traffic enters the same analytics pipeline as branch and data center traffic, you get a unified view of WAN behavior — useful for sizing capacity, troubleshooting individual user complaints, and understanding aggregate remote-work experience.
SD-WAN analytics with Kentik
Today’s cloud-centric enterprise WAN landscape demands more than just deployment. It requires deep awareness, comprehensive visibility, and proactive network monitoring. Kentik helps with SD-WAN monitoring and enterprise WAN optimization — improving routing, security, and network operations across any SD-WAN vendor.
Related Kentipedia articles and Kentik solutions
- SD-WAN (Software-Defined Wide Area Network) Explained
- Network Performance Monitoring (NPM)
- What is Network Observability?
- Latency vs Throughput vs Bandwidth
- Bandwidth Utilization Monitoring
- Optimize Enterprise WAN
FAQs about SD-WAN Analytics
What is the difference between SD-WAN monitoring and SD-WAN analytics?
SD-WAN monitoring tracks the health and status of WAN components — link up/down, tunnel state, utilization, and alert thresholds. SD-WAN analytics goes deeper by correlating multiple data sources (flow, overlay telemetry, underlay metrics, synthetic tests) to explain why performance is the way it is and whether policies are delivering intended outcomes.
Why do teams need vendor-neutral SD-WAN analytics in addition to their SD-WAN controller?
SD-WAN controllers (Cisco vManage, VMware Orchestrator, Fortinet Manager, etc.) show the overlay from their own perspective — tunnel status, policy state, and basic transport health. But they typically lack visibility into what’s happening outside the overlay: internet path behavior, upstream provider issues, cloud connectivity, and cross-vendor WAN context. Vendor-neutral analytics platforms provide an independent view that correlates overlay behavior with the full underlay and internet path picture.
How does SD-WAN analytics connect to broader network observability?
SD-WAN is one segment of a larger network that includes data centers, clouds, the internet, and remote access. Problems that appear to be SD-WAN issues often originate elsewhere — a cloud provider latency spike, an internet routing change, or a congested data center link. SD-WAN analytics is most valuable when it shares a platform with cloud, internet, and data center visibility so teams can trace issues across boundaries.
How do I monitor SD-WAN health and application performance across branches?
Track underlay transport status (link health, bandwidth, utilization) and overlay traffic behavior (tunnel state, per-application flows) from all branch sites in a unified view, so you can see both SD-WAN health and application performance without switching tools. Kentik supports this with underlay/overlay dashboards and flow analytics across all sites.
How do I validate SD-WAN policy changes before rollout?
Analyze current traffic flows and overlay-to-underlay mappings before a change goes live to predict how policies will shift traffic, and confirm that capacity and paths align with intent. Kentik supports this with synthetic testing agents that can simulate traffic behavior and anticipate the impact of policy changes before they reach production.
What techniques help validate underlay vs overlay performance in SD-WAN?
Measure each layer independently, then correlate results: check underlay health (loss, latency, jitter, errors per circuit) and compare it to overlay tunnel behavior and policy steering outcomes to determine where degradation begins. Kentik supports this by showing underlay circuits and overlay tunnels side by side so teams can pinpoint whether issues are transport-related, overlay-related, or policy-related.
How do I monitor MPLS, DIA, and broadband circuits in one platform?
Consolidate transport-type visibility by ingesting traffic and telemetry data across all circuit types into a single analytics platform, regardless of provider or technology. Kentik supports this by normalizing flow and device data from MPLS, DIA, broadband, and hybrid transport into unified dashboards where all WAN links can be monitored side by side.
What strategies help optimize SaaS breakout at branch locations?
Effective SaaS breakout requires visibility into the internet path beyond the branch egress point: which ISP each branch is using to reach a given SaaS provider, whether the chosen path is actually faster than backhaul, and whether some branches are seeing degraded SaaS performance for ISP- or provider-related reasons. Combine flow data with internet path intelligence and per-branch synthetic tests so you can compare SaaS path performance across sites and adjust breakout policies based on real performance data. Kentik supports this by correlating branch flow telemetry with internet path data and synthetic tests from each site.
What is the best way to monitor SASE connectivity and performance?
Monitor SASE the same way you’d monitor any critical hop in the path: measure availability, latency, and loss to and through the SASE PoP, correlate SASE behavior with underlying transport health, and run synthetic tests from branches and remote endpoints to representative SaaS and internet destinations through the SASE platform. This makes it possible to determine whether application performance issues originate at the branch, in the SASE provider’s PoP, in the upstream internet path, or at the destination. Kentik supports this by treating SASE PoPs as monitorable destinations and correlating SASE-routed traffic with the rest of the SD-WAN and internet path.
How do I ensure branch sites have optimal paths to critical SaaS apps?
Continuously test the path from each branch to the SaaS applications that matter most, using synthetic agents that measure latency, loss, and reachability through whichever transport and policy combination is currently active. Compare results across branches to identify outliers and across time to detect regressions. Kentik supports this with branch-deployed synthetic agents and per-app, per-site path performance analytics that flag SaaS access problems early.
How do I verify SD-WAN vendor SLAs across diverse links?
Use a vendor-neutral analytics platform that collects flow, telemetry, and synthetic-test data independently of the SD-WAN control plane, so SLA reporting reflects what’s actually happening on the wire — not just what the vendor’s own dashboard reports. Measure availability, latency, jitter, and loss per circuit and per overlay, then compare against contracted SLA thresholds. Kentik supports this with independent measurement, historical data retention, and customizable reporting against any SLA definition.
How do I monitor performance for remote workforces and home networks?
Monitor the VPN gateways, SD-WAN edges, and cloud entry points that remote workers connect through, and run synthetic tests from those edges to SaaS and ISP endpoints to determine whether problems are in your infrastructure, the user’s ISP, or the SaaS path. Kentik supports this by including remote-worker traffic in the same analytics pipeline as branch and data center traffic.
What’s the best way to monitor satellite and wireless WAN links?
If your satellite or wireless WAN devices export flow or telemetry data (or are part of your SD-WAN underlay/overlay), treat them like any other transport link — ingest their data into the same analytics platform for unified monitoring. Kentik supports this by normalizing satellite and wireless link data alongside MPLS and broadband circuits in a single dashboard.
How do I get visibility into overlay tunnels and underlay health simultaneously?
Correlate overlay tunnel telemetry and control-plane signals with underlay circuit metrics and real traffic flows so you can see whether problems originate in the physical transport or the logical SD-WAN overlay. Kentik supports this by showing underlay circuits and overlay tunnels side by side and correlating both layers with real traffic so teams can troubleshoot performance issues and validate steering intent.
How do I validate QoS and class-of-service policies end-to-end?
Validate QoS by measuring outcomes, not just configuration intent: confirm that the traffic classes you care about maintain acceptable latency, jitter, loss, and throughput across each segment, and correlate regressions with path, congestion, or policy changes. Kentik supports this by correlating SD-WAN analytics, traffic telemetry, and experience tests so teams can verify whether policy decisions are delivering the intended application experience in practice.
What are the best SD-WAN analytics tools in 2026?
The best SD-WAN analytics tools depend on whether you need vendor-native or vendor-neutral visibility. SD-WAN controller dashboards (Cisco vManage, VMware Orchestrator, Fortinet Manager) provide overlay-centric analytics tied to their own platform. For vendor-neutral analytics that correlates overlay, underlay, internet, and cloud visibility across any SD-WAN vendor, network intelligence platforms like Kentik provide an independent perspective that controller-native tools don’t offer.
Monitor and optimize SD-WAN with Kentik
Kentik is the network intelligence platform that gives SD-WAN teams vendor-neutral visibility into overlay and underlay performance, application experience, and the internet and cloud paths that SD-WAN depends on.
- Get a demo — See Kentik’s SD-WAN analytics across any vendor
- SD-WAN Monitoring — Overlay/underlay correlation for Cisco, VMware, Fortinet, and more
- Optimize Enterprise WAN — Improve performance and reduce costs across your WAN
- Synthetic Monitoring — Test application performance across branches, clouds, and remote sites
- Kentik AI Advisor — Investigate SD-WAN issues with natural language
