A KSA tier-1 bank with 80 branches across the Kingdom replaces aging MPLS with SD-WAN. The project is one part architecture, one part change management, one part regulatory work. Done right, it modernizes branch connectivity and reduces network costs by 30-50%. Done wrong, branches go dark during cutover and SAMA examiners file findings.
Here’s the case pattern that works.
Month 1-2: Architecture and vendor selection
Define requirements: bandwidth per branch (typically 10-100 Mbps depending on transactions), latency (under 100ms to core systems), reliability (99.99%+ for critical apps), security (SAMA Cybersecurity Framework alignment), reporting (audit logs).
Vendor evaluation: Cisco Catalyst SD-WAN, Fortinet Secure SD-WAN, HPE Aruba EdgeConnect, Cato Networks (SASE).
For most KSA banks, Cisco SD-WAN wins on Cisco-incumbent networks; Fortinet on cost-conscious deployments where SD-WAN+security in one box matters; Aruba EdgeConnect on bandwidth-optimization-heavy workloads.
Month 3: Pilot phase (3-5 branches)
Pilot a representative sample: one large branch, one mid-size, one small, plus headquarters. Validate architecture in real conditions before mass rollout.
Discovery: which apps actually run on the network, what bandwidth do they really need, where does latency actually matter.
Month 4-6: Expansion phase (15-20 branches)
Deploy to 15-20 branches. Standardize the deployment runbook. Build the migration playbook (parallel run period, cutover window, fallback procedure).
Month 7-9: Mass deployment (50-65 branches)
Five branches per week is the typical pace. Weekend cutovers minimize disruption. A standard runbook prevents surprises.
Month 10: Stabilization
All branches migrated. Decommissioning legacy MPLS where retained. Operational handover to NOC.
SAMA reporting alignment
Throughout the project, SAMA-aligned audit logging is built in:
- All inter-site traffic encrypted (IPsec)
- Centralized logging (NetFlow, IPFIX, syslog)
- Authentication logs for all infrastructure changes
- Quarterly reports in SAMA Cybersecurity Framework format
When the SAMA examiner arrives, the SD-WAN deployment is documented evidence rather than a discovery.
Common slip-points
Underestimated bandwidth at small branches: branch banking apps are heavy. Specify 50% headroom.
Latency-sensitive apps: core banking and ATM transactions need MPLS or guaranteed-bandwidth paths. SD-WAN intelligent routing keeps these on the best path.
Security overlay configuration: firewall rules, NAT, and encryption keys all need testing.
Operational handover: the NOC must be trained on SD-WAN before go-live. Plan training in the pilot phase.
Cost reality
A typical 80-branch SD-WAN modernization in KSA: SAR 12-20M project cost. MPLS savings: SAR 8-15M annually. Payback typically 18-24 months, with continued savings thereafter.