SD-WAN / SSE / branch technology vendor
HPE Aruba Networking
HPE positions EdgeConnect SD-WAN as secure SD-WAN and foundation for single-vendor SASE; docs cover orchestrator, appliances and advanced security.
Netify profile
HPE Aruba Networking in depth
Platform and architecture
HPE Aruba Networking's SD-WAN is EdgeConnect (from Silver Peak): physical and virtual appliances with WAN optimisation heritage, tunnel bonding, dynamic path conditioning and sub-second failover. Aruba Central provides cloud management with AIOps across WAN, wired and wireless, and Orchestrator handles advanced WAN policy. Cloud on-ramps cover the major hyperscalers. Following the Juniper acquisition, HPE now fields both EdgeConnect and Mist-based WAN portfolios.
Security and SASE capability
Aruba's SASE combines EdgeConnect SD-WAN with HPE Aruba Networking SSE (from the Axis Security acquisition): ZTNA, SWG, CASB and DLP delivered from a global edge. EdgeConnect also integrates tightly with third-party SSE including Zscaler and Netskope, a genuine strength for dual-vendor SASE designs. On-appliance security covers zone-based firewalling and segmentation with IDS/IPS.
Service, support and channel
Strong UK channel through HPE partners and MSPs, with managed EdgeConnect offers from carriers and integrators. HPE support runs 24x7 with professional services for migration, and co-managed models are common. Aruba Central's multi-tenant design supports MSP delivery well.
Commercials and the Netify verdict
Subscription licensing by bandwidth tier and appliance class, quote based, with SSE per user. The Netify verdict: shortlist HPE Aruba when link quality is poor or variable (the path conditioning heritage still leads), when you want first-class freedom to pair best-of-breed SSE, or when an Aruba campus estate makes Central the natural console. Clarify the EdgeConnect and Mist roadmap question directly with HPE during selection.
Questions
HPE Aruba Networking: common buyer questions
Is EdgeConnect still strong on degraded links?
Yes. Forward error correction, packet order correction and tunnel bonding from the Silver Peak heritage remain differentiators, keeping voice and video usable on lossy broadband or LTE where simpler SD-WANs degrade.
Can EdgeConnect pair with Zscaler or Netskope instead of Aruba SSE?
Yes, and the integrations are first class: automated tunnel orchestration into third-party SSE clouds is a supported, documented pattern. That makes EdgeConnect a safe network layer for dual-vendor SASE.
How does the Juniper acquisition affect Aruba EdgeConnect buyers?
HPE operates both portfolios today, with consolidation expected over time. Existing EdgeConnect deployments continue to be sold and supported; ask HPE for written roadmap commitments as part of any large procurement.
Key differentiators
- EdgeConnect SD-WAN (acquired with Silver Peak) is positioned as the foundation for single-vendor SASE alongside Aruba SSE.
- Strong heritage in WAN optimisation and packet-level performance engineering.
- Tight integration with the broader Aruba campus and branch portfolio (LAN, Wi-Fi, NAC) for buyers consolidating end-to-end networking.
Best fit for
- Enterprises already running Aruba LAN/Wi-Fi who want WAN and SASE under the same operational tooling.
- Buyers prioritising application performance and WAN optimisation in addition to standard SD-WAN routing.
- Distributed organisations with branch-heavy footprints where Aruba campus presence is already established.
Watch-outs
- Aruba SSE is newer than the SSE leaders (Zscaler, Netskope); buyers wanting best-of-breed SASE should evaluate the SSE capability set carefully.
- Managed delivery is partner-led rather than from HPE directly.
- Private global backbone is not vendor-owned; SASE transport uses public cloud gateways.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Hover any status grade for a definition. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Yes | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Yes | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Yes | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Yes | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Yes | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Yes | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Yes | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Yes | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Partial | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Partial | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Unknown | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Yes | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Yes | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Partial | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Partial | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based subscription/appliance/support; MSP-managed options available through partners/providers.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.