SD-WAN vs MPLS: Cost, Performance, and Security Compared
Is MPLS Still Worth the Cost?
For over two decades, Multiprotocol Label Switching (MPLS) has been the gold standard for enterprise wide-area networking. It offered guaranteed quality of service, predictable latency, and carrier-managed reliability. But in 2024, Australian businesses are paying a significant premium for those guarantees — and many are discovering that SD-WAN delivers comparable or better outcomes at a fraction of the cost.
According to Telstra's enterprise pricing disclosures, a typical 50 Mbps MPLS circuit in Australia costs between $1,200 and $2,500 per month depending on the tail and SLA. An equivalent SD-WAN deployment using two diverse broadband links and a 4G backup can deliver 200+ Mbps of usable bandwidth for $400-$800 per month — including the managed service.
That is not a minor difference. For a business with 20 sites, the annual saving can exceed $300,000.
How Does MPLS Actually Work?
MPLS works by creating label-switched paths (LSPs) through a carrier's private network. Each packet is tagged with a label at the ingress point, forwarded along a predetermined path, and delivered to the destination with guaranteed bandwidth and latency.
The key advantages of MPLS are:
- Guaranteed bandwidth — the circuit delivers exactly what you pay for
- Low and predictable latency — traffic stays within the carrier's backbone
- Inherent privacy — traffic is isolated from the public internet
- Quality of Service (QoS) — carriers can prioritise voice and video traffic
These are genuine strengths. But they come with significant trade-offs that are increasingly difficult to justify.
What Are the Real Costs of MPLS in Australia?
The sticker price of an MPLS circuit only tells part of the story. The total cost of ownership includes several hidden factors that inflate the real expense.
Circuit costs
MPLS pricing in Australia typically falls between $20 and $50 per Mbps per month for metropolitan circuits, and significantly more for regional and remote sites. A 100 Mbps MPLS circuit in Sydney might cost $2,000 per month, while the same capacity to a regional town in Queensland could exceed $4,000.
Deployment lead times
MPLS circuits require physical infrastructure provisioning. In metropolitan areas, expect 30-60 days for a new circuit. In regional Australia, lead times of 90-120 days are common — and some locations simply cannot be served at all. Every day without connectivity is a day your new site cannot operate.
Bandwidth rigidity
MPLS circuits are provisioned at fixed capacities. Upgrading from 50 Mbps to 100 Mbps requires a new order, a new contract, and potentially new infrastructure. Downgrading is often contractually impossible within the term. This rigidity means businesses routinely over-provision MPLS circuits "just in case" — paying for bandwidth they rarely use.
Single carrier dependency
By definition, each MPLS circuit is delivered by a single carrier. If that carrier experiences a network outage, your site goes down. Adding a second carrier for redundancy means doubling the circuit cost.
How Does SD-WAN Compare on Cost?
SD-WAN fundamentally changes the cost equation by separating the network overlay from the underlay transport. Instead of paying premium prices for dedicated circuits, businesses use commodity broadband, Ethernet, and mobile connections — managed by intelligent software that delivers enterprise-grade performance.
| Cost Factor | MPLS | SD-WAN |
|---|---|---|
| Per-site monthly cost (metro) | $1,200 - $2,500 | $300 - $800 |
| Per-site monthly cost (regional) | $2,500 - $5,000+ | $400 - $1,000 |
| Deployment lead time | 30-120 days | 5-15 days |
| Bandwidth upgrade | New order, 30+ days | Instant policy change |
| Redundancy cost | 2x circuit cost | Built into base cost |
| Security (firewall) | Separate appliance required | Integrated in SD-WAN appliance |
| Typical 20-site annual cost | $480,000 - $720,000 | $120,000 - $240,000 |
The cost difference is stark. But cost alone does not tell the whole story — performance and security matter equally.
How Do SD-WAN and MPLS Compare on Performance?
Latency and jitter
MPLS delivers consistently low latency because traffic traverses a private backbone. SD-WAN traffic travels across the public internet, which introduces variability. However, modern SD-WAN platforms like Fortinet FortiGate use real-time path monitoring and application-aware routing to select the best-performing link for each application. In practice, Fortinet's own testing data shows that FortiGate SD-WAN maintains sub-50ms latency for voice traffic across Australian metro links 99.7% of the time.
Bandwidth and throughput
This is where SD-WAN excels. By bonding multiple links in active-active configuration, SD-WAN delivers aggregate bandwidth that far exceeds what most businesses can afford with MPLS. Two 100 Mbps broadband links plus a 50 Mbps 4G backup give a site 250 Mbps of available bandwidth — at a fraction of the cost of a single 100 Mbps MPLS circuit.
Cloud application performance
MPLS was designed for hub-and-spoke traffic patterns — site-to-data-centre connectivity. But with 92% of Australian enterprises now using at least one cloud service (ACSC, 2024), this architecture creates a bottleneck. All cloud traffic must be backhauled through the data centre, adding latency and consuming expensive MPLS bandwidth.
SD-WAN solves this with direct cloud breakout. Microsoft 365 traffic goes directly to Microsoft's nearest point of presence. Salesforce traffic goes directly to Salesforce. The result is faster application performance and lower WAN costs.
Application-aware routing
| Capability | MPLS | SD-WAN |
|---|---|---|
| Path selection | Static, carrier-managed | Dynamic, application-aware |
| Failover time | Minutes (carrier-dependent) | Sub-second (automatic) |
| Cloud optimisation | Backhauled through DC | Direct cloud breakout |
| Bandwidth aggregation | Single circuit | Multiple links bonded |
| Real-time monitoring | Carrier SLA reporting | Per-application, per-link metrics |
What About Security?
This is perhaps the most misunderstood aspect of the MPLS vs SD-WAN debate.
MPLS provides privacy — your traffic is logically separated from other customers on the carrier's network. But MPLS does not provide encryption. If an attacker gains access to the carrier's infrastructure, MPLS traffic can be intercepted in clear text.
SD-WAN, by contrast, encrypts all traffic between sites using IPsec or similar protocols. Every packet is encrypted regardless of the underlying transport. With platforms like Fortinet FortiGate, the SD-WAN appliance also functions as a next-generation firewall — providing intrusion prevention, application control, web filtering, and threat intelligence in the same device.
The Australian Cyber Security Centre (ACSC) recommends encryption for all inter-site traffic, regardless of whether it traverses public or private networks. SD-WAN meets this requirement by default; MPLS does not.
When Does MPLS Still Make Sense?
Despite SD-WAN's advantages, there are scenarios where MPLS remains the right choice:
- Ultra-low-latency applications — real-time trading platforms, certain industrial control systems, and applications that require sub-10ms latency with zero tolerance for jitter
- Regulatory requirements — some industries have compliance frameworks that specifically mandate private circuits
- Legacy application dependencies — applications that cannot tolerate any packet loss or reordering
For most Australian businesses, however, these scenarios are the exception rather than the rule. The majority of enterprise workloads — including voice, video, cloud applications, and data replication — perform well on a properly configured SD-WAN deployment.
Can You Run SD-WAN and MPLS Together?
Yes, and this is a common transition strategy. Many businesses use MPLS as one of the underlay transports within their SD-WAN fabric. This approach preserves the MPLS investment while gaining the benefits of SD-WAN orchestration, failover, and cloud optimisation.
At PCONNECT, we regularly deploy hybrid architectures where critical sites retain an MPLS circuit alongside broadband and 4G links — all managed through the FortiGate SD-WAN overlay. As confidence grows, businesses typically phase out MPLS circuits at renewal, replacing them with diverse broadband connections and reallocating the budget to higher-bandwidth services.
Frequently Asked Questions
Can SD-WAN match MPLS quality of service for voice and video?
Yes, in most deployments. Modern SD-WAN platforms use application-aware QoS policies that prioritise voice and video traffic across all available links. Fortinet FortiGate SD-WAN, for example, continuously monitors latency, jitter, and packet loss on every link and steers real-time traffic to the best-performing path. For the vast majority of Australian business sites, this delivers call quality that meets or exceeds MPLS.
How much can we save by switching from MPLS to SD-WAN?
Most businesses see a 40-60% reduction in WAN costs when migrating from MPLS to managed SD-WAN. The exact saving depends on the number of sites, current MPLS pricing, and bandwidth requirements. A business with 20 metropolitan sites on 50 Mbps MPLS circuits can typically expect annual savings of $200,000-$400,000 while also gaining more bandwidth and better redundancy.
Is SD-WAN reliable enough to replace MPLS entirely?
For most business workloads, yes. SD-WAN achieves reliability through diversity — multiple links from multiple carriers provide redundancy that a single MPLS circuit cannot match. PCONNECT's managed SD-WAN deployments across Aussie Broadband, AAPT/VOCUS, and Telstra underlay services consistently deliver 99.99% uptime across the overlay network.
What happens during the migration from MPLS to SD-WAN?
A well-planned migration involves no downtime. The SD-WAN overlay is deployed alongside existing MPLS circuits, traffic is gradually migrated, and MPLS circuits are decommissioned only after the SD-WAN fabric is proven stable. Most migrations take 4-8 weeks for 10-30 sites.
Do we need to change our internet provider to use SD-WAN?
Not necessarily. SD-WAN works across any IP transport, so your existing broadband or Ethernet services can be incorporated into the SD-WAN fabric. However, for optimal redundancy, we recommend using at least two diverse carriers per site — which may involve adding a second connection rather than replacing what you have.