Deploying SD-WAN at scale sounds doable: modern controllers allow you to push config to many routers at once, and almost every SD-WAN vendor out there offers some automation capabilities. But reality isn’t so clean. Most teams face complex, multi-vendor environments and a challenge that’s difficult to solve: unique configurations.
Many routers need something slightly different: a management IP, a custom policy, a site-specific firewall rule. Multiply that across dozens or hundreds of sites, and suddenly what looked like a repeatable automation problem turns into a massive operational challenge.
For network teams, this is where most SD-WAN deployments get stuck. Most tools aren’t built to handle that level of customization at scale — especially across multiple vendors’ equipment.
In a recent live demo, I showed how we can use the Itential platform to solve this exact challenge. The demo showed this in action with VeloCloud, but the core concepts apply to any SD-WAN environment where repeatable automation collides with the need for individual customization.
The Challenge: Unique Configurations Slow Down Large Deployments
Modern SD-WAN controllers are built to allow users to push config, even to many devices at once. But these controllers are built for a specific vendor, and they don’t allow for pushing unique config to many different routers quickly. Multi-vendor environments are extremely common — as a result, almost every SD-WAN deployment eventually runs into the same problem: not everything fits a template.
Each device you onboard needs at least one unique identifier — usually a management IP address — and often other config elements like firewall or business policy rules that vary per site. When you’re dealing with hundreds or thousands of branches, manually inputting and tracking those unique configs through a vendor portal quickly becomes error-prone and time-consuming.
There’s also the matter of activating those devices, often requiring a network team member or NOC engineer to trigger an action at the right time. In the long term, changes and overrides to site-specific settings can accumulate, and without a system to track those changes in a central, consistent way, operational debt builds fast.
The Solution: Orchestration with Itential
Itential’s multi-vendor SD-WAN orchestration capabilities are designed for teams to solve this challenge. In the demo, I set out to solve this in three phases: provisioning, activation, and ongoing management. Here’s how we approached each one:
1. Provisioning: Bulk Creation with Unique Values
I started with a typical setup: pre-defined profiles in VeloCloud for different site types — data centers, offices, and retail branches. Retail was my focus, since it’s the most common at-scale use case.
To tackle the provisioning problem, I used Itential to build workflows that wrapped the native VeloCloud API. These wrappers handled data formatting, error handling, and standard operations like creating an edge and setting the management IP. Then, I layered those into lifecycle workflows that allow you to track and manage state over time.
For bulk provisioning, I built a simple interface to take in an Excel spreadsheet of sites — names, contact info, unique IPs — and automate the creation of edges. That data was parsed, converted to JSON, and fed into child workflows that created and configured the devices, all while tracking the results in Lifecycle Manager.
What would normally take hours or days of clicking through a UI became a process that ran in minutes. Errors were reduced, and everything was tracked in an easily accessible, central location.
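The parse-and-convert step is where bad site data should be stopped before any edge is created. The sketch below is an added example, not Itential's workflow code or the VeloCloud API: the column names, the sample sheet, and `build_edge_payloads` are assumptions made for illustration. It rejects rows with a missing name, an invalid management IP, or a value that collides with an earlier row, and emits JSON-ready records for the rest.

```python
import csv
import io
import ipaddress
import json

# Constructed sample export of the site spreadsheet (column names are assumptions).
SAMPLE_SHEET = """site_name,contact_email,mgmt_ip
retail-001,ops1@example.com,10.20.1.1
retail-002,ops2@example.com,10.20.2.1
retail-003,ops3@example.com,10.20.2.1
retail-004,ops4@example.com,10.20.999.1
retail-001,ops5@example.com,10.20.5.1
,ops6@example.com,10.20.6.1
"""

def build_edge_payloads(sheet_text):
    """Return (payloads, errors): a dict per accepted row, a message per rejected row."""
    payloads, errors = [], []
    seen_names, seen_ips = set(), set()
    reader = csv.DictReader(io.StringIO(sheet_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get("site_name") or "").strip()
        raw_ip = (row.get("mgmt_ip") or "").strip()
        if not name:
            errors.append(f"row {line_no}: missing site_name")
            continue
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            errors.append(f"row {line_no}: invalid mgmt_ip {raw_ip!r}")
            continue
        # The management IP is the per-device unique value, so collisions are fatal.
        if name in seen_names or ip in seen_ips:
            field = "site_name" if name in seen_names else "mgmt_ip"
            errors.append(f"row {line_no}: duplicate {field}")
            continue
        seen_names.add(name)
        seen_ips.add(ip)
        payloads.append({"site_name": name, "mgmt_ip": str(ip),
                         "contact_email": (row.get("contact_email") or "").strip()})
    return payloads, errors

if __name__ == "__main__":
    ok, bad = build_edge_payloads(SAMPLE_SHEET)
    print(json.dumps(ok, indent=2))
    print("\n".join(bad))
```

Rejected rows are reported with their spreadsheet line number so they can be corrected and resubmitted without re-running the accepted ones.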
2. Activation: Enabling Self-Service
Once configured, SD-WAN devices still need to be activated — usually by sending an email to a field tech to trigger configuration pull-down. In most environments, this step requires manual action by someone with admin access, which introduces a bottleneck.
In the demo, to address this, I built a workflow in Itential to trigger the activation email automatically. Then, I exposed that workflow via ServiceNow using Itential’s plugin. Now, field techs or authorized users can log into ServiceNow, select the branch site, and send the activation email themselves — no direct access to VeloCloud or Itential needed.
This turns what was a manual, centralized step into a safe, distributed process that fits within existing IT operations.
3. Ongoing Management: Tracking and Controlling Unique Changes
The final challenge is managing SD-WAN deployments long-term — especially as more exceptions creep in over time. Think about things like adding one-off business policy rules for events, VIPs, or special devices at a site. Without visibility, these changes get buried inside multiple UI panels, becoming hard to audit or replicate.
In the example setup in our demo, all these changes are tracked in Lifecycle Manager. Each site has an object model with fields for edge ID, management IP, firewall rules, and business policies. I chose to track only the pieces that are truly variable and hard to manage at scale — keeping the system clean and focused.
I also built a lightweight self-service interface (again surfaced via ServiceNow) to allow select users to prioritize an IP address by applying a business policy rule. That rule is created automatically through the wrapper workflow and recorded in Lifecycle Manager, giving full traceability.
It’s also important to note that, in the demo, I designed the service with guardrails: users can only change priority levels and IPs, and they don’t have access to modify paths, routing, or any underlying infrastructure.
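One way to enforce that guardrail is an allowlist check on the server side, before the request reaches any wrapper workflow. This is an added example, not code from the demo or from Itential: the request schema, the priority names, and the in-memory site record are assumptions. A request carrying any field beyond site, IP, and priority is refused outright, and each accepted change is recorded against the site for traceability.

```python
import ipaddress
from datetime import datetime, timezone

ALLOWED_FIELDS = {"site", "ip", "priority"}      # assumed self-service request schema
ALLOWED_PRIORITIES = {"high", "normal", "low"}   # assumed priority levels

# Constructed stand-in for a per-site lifecycle record (values are placeholders).
SITE_RECORDS = {
    "retail-001": {"edge_id": "EDGE-ID-PLACEHOLDER", "mgmt_ip": "10.20.1.1",
                   "firewall_rules": [], "business_policies": []},
}

class GuardrailError(ValueError):
    """Raised when a self-service request steps outside what users may change."""

def apply_priority_request(request, requester, records=SITE_RECORDS):
    """Validate a request against the allowlist, then record the resulting rule."""
    extra = set(request) - ALLOWED_FIELDS
    if extra:  # e.g. an attempt to set paths or routing alongside the priority
        raise GuardrailError(f"fields not permitted: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(request)
    if missing:
        raise GuardrailError(f"fields required: {sorted(missing)}")
    site = records.get(request["site"])
    if site is None:
        raise GuardrailError("unknown site")
    priority = request["priority"]
    if not isinstance(priority, str) or priority not in ALLOWED_PRIORITIES:
        raise GuardrailError("priority must be one of the allowed levels")
    raw_ip = request["ip"]
    if not isinstance(raw_ip, str):  # ip_address() would also accept bare integers
        raise GuardrailError("ip must be a string")
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        raise GuardrailError(f"invalid ip {raw_ip!r}") from None
    rule = {"match_ip": str(ip), "priority": priority, "requested_by": requester,
            "recorded_at": datetime.now(timezone.utc).isoformat()}
    site["business_policies"].append(rule)  # audit trail lives with the site record
    return rule
```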
Why This Matters
Orchestrating SD-WAN at scale isn’t just about pushing config — it’s about managing the exception cases without losing control. With Itential, users are able to take what is traditionally a hands-on, error-prone process and turn it into a streamlined, automated workflow that supports:
- Bulk provisioning with unique configuration data.
- Self-service activation using existing IT service tools.
- Long-term visibility and management of site-specific changes.
For teams dealing with thousands of sites, this approach can significantly reduce the operational burden, improve consistency, and enable new services without overwhelming the network team. Most of what I showcased in the demo came together in a matter of hours — and it’s already set up to be a foundation that can scale with future deployments, mirroring the needs of a typical SD-WAN team.
If you’re tackling similar challenges, check out how Itential’s Platform helps teams solve for multi-vendor SD-WAN automation and orchestration. Itential is built to help teams simplify multi-vendor environments, integrate across tools and APIs, and turn complex, site-specific policies into automated, trackable workflows — all while keeping engineers in control.