Some organisations question whether they need SD-WAN at all. If sites already have direct internet access and cloud applications work fine over a simple broadband connection then the value of SD-WAN is not immediately obvious. The answer depends on how many sites you have, whether you need site-to-site connectivity, what level of security and visibility you require, and whether you need centralised policy management. This page provides a direct comparison between SD-WAN and standalone Direct Internet Access (DIA) to help determine which is the right fit.
Use our pricing calculator to compare SD-WAN configurations and costs for your network.
Open the BT SD-WAN Pricing Calculator →
SD-WAN vs DIA: Side-by-Side Comparison
| Capability | DIA (Broadband + Firewall) | BT SD-WAN |
|---|---|---|
| Internet access | Yes | Yes |
| Site-to-site VPN | Manual IPsec configuration per pair | Automatic full-mesh overlay |
| Application-aware routing | No (static routes only) | Yes (per-application path selection) |
| Automatic failover | Basic (VRRP or manual) | Active-active with sub-second path switching |
| QoS / traffic prioritisation | Limited to local interface QoS | End-to-end per-application QoS across overlay |
| Centralised management | No (each device managed separately) | Yes (single dashboard for all sites) |
| Zero-touch provisioning | No | Yes |
| Application visibility | Per-device only (if firewall supports it) | Network-wide per-application traffic analytics |
| Security | Depends on local firewall (self-managed) | Integrated NGFW with centralised policy (BT managed) |
| Managed service | Self-managed (or third-party MSP) | BT 24/7 NOC monitoring and support |
| Monthly cost per site | £30-£100 (circuit + basic firewall) | £100-£600+ (circuit + appliance + licence + management) |
When DIA Is Enough
DIA with a standalone firewall can work for organisations that meet all of the following criteria:
- Single site or a small number of sites (1-3) with no requirement for site-to-site connectivity
- All applications are cloud-based (no on-premises servers or data centre resources)
- No need for centralised network policy management
- In-house IT team capable of managing individual firewalls at each location
- No compliance requirement for centralised logging, reporting or consistent security policy across sites
- Acceptable risk of extended downtime during WAN failures (no automated failover needed)
When You Need SD-WAN
SD-WAN becomes necessary when any of these conditions apply:
- 4+ sites that need to communicate with each other or share access to centralised resources
- Mixed application landscape with both cloud and on-premises applications requiring different routing policies
- Voice and video traffic that requires QoS and prioritisation across the WAN
- Multi-circuit sites where automatic failover between primary and backup connections is required
- Centralised security policy enforced consistently across all branches from a single dashboard
- No in-house network team and a preference for a fully managed service with 24/7 monitoring
- Regulatory compliance requiring centralised audit trails, consistent security controls and reporting across all locations
Hybrid Approach: SD-WAN for Key Sites, DIA for the Rest
Not every site needs to be on the SD-WAN overlay. A common approach is to deploy SD-WAN at sites that need site-to-site connectivity, QoS and managed security while using standalone DIA at smaller locations that only need internet access.
| Site Type | Connection | Justification |
|---|---|---|
| HQ and data centres | SD-WAN (leased line + backup) | Central hub for overlay, hosts shared resources, requires full resilience |
| Regional offices (20+ users) | SD-WAN (FTTP + 4G backup) | Needs site-to-site VPN, voice QoS and managed security |
| Small branches (5-10 users) | SD-WAN (SoGEA + 4G backup) | Part of overlay for VPN access but lower-cost circuits |
| Micro-sites (1-3 users) | DIA only | Cloud-only apps, no site-to-site need, VPN via client if required |
| Home workers | DIA + SASE/VPN client | FortiClient or Cisco Secure Client connects to SASE PoP for zero trust access |
Total Cost of Ownership Comparison
DIA appears cheaper per site but the total cost of ownership must account for management overhead, security tooling and incident response.
| Cost Factor | DIA (10 sites) | SD-WAN (10 sites) |
|---|---|---|
| Monthly circuit costs | £300-£600 | £300-£600 (same circuits) |
| Firewall hardware (amortised) | £100-£300/month (self-purchased) | Included in managed service |
| Firewall licence subscriptions | £200-£500/month | Included |
| Management/monitoring | In-house staff or MSP (£500-£2000/month) | Included (BT 24/7 NOC) |
| Site-to-site VPN management | Manual config per pair (45 tunnel pairs for 10 sites) | Automatic full mesh |
| Estimated total (10 sites) | £1100-£3400/month | £1000-£3000/month |
At scale (10+ sites) the total cost of SD-WAN with BT’s managed service is often comparable to or lower than self-managed DIA when all costs are accounted for.
Scalability Comparison
As your organisation grows the management overhead of DIA increases linearly while SD-WAN management overhead stays relatively flat due to centralised policy and zero-touch provisioning.
| Sites | DIA Management Effort | SD-WAN Management Effort | VPN Tunnels (Full Mesh) |
|---|---|---|---|
| 3 | Low (3 firewalls to manage) | Low | 3 |
| 10 | Medium (10 firewalls, 45 VPN pairs) | Low (one template) | 45 |
| 25 | High (25 firewalls, 300 VPN pairs) | Low-medium | 300 |
| 50 | Very high (50 firewalls, 1225 VPN pairs) | Medium | 1225 |
| 100 | Unmanageable without automation | Medium (template-based) | 4950 |
The VPN tunnel count for a full mesh follows the formula n(n-1)/2. At 100 sites that is 4950 individual tunnel pairs. SD-WAN handles this automatically through the controller. With DIA you would need to configure and maintain each tunnel manually or build custom automation.
Decision Framework
- 1-3 sites, cloud-only apps, no site-to-site need — DIA is likely sufficient. Keep it simple.
- 4-10 sites, some site-to-site traffic, voice/video — SD-WAN provides significant operational benefit and better user experience.
- 10+ sites, mixed applications, compliance requirements — SD-WAN is the clear choice. The centralised management, security and visibility justify the additional per-site cost.
- Any size with no in-house network team — BT managed SD-WAN removes the need for network engineering staff. DIA requires self-management.
