DIY vs. Managed SD-WAN: Build or Buy?
The classic IT dilemma. Do you want control, or do you want a throat to choke?
The Three Deployment Models
Before you pick a vendor, you must pick a consumption model. This decision dictates your operational life for the next 5 years.
1. DIY (Do-It-Yourself)
You buy the appliances (CAPEX) and licenses. Your team racks, stacks, configures, and troubleshoots. You own the ISP relationships.
2. Fully Managed
You pay a monthly fee (OPEX). The provider handles everything: box delivery, ISP procurement, configuration, and monitoring. You have "read-only" access.
3. Co-Managed
Shared responsibility. The provider handles the core infrastructure and ISP uptime. You handle day-to-day policy changes (e.g., firewall rules).
The DIY Approach (In-House)
Ideal for: Large enterprises with robust engineering teams, or highly regulated industries requiring absolute control.
Pros
- Control: You can change a routing policy in 5 minutes without opening a ticket.
- Agility: No waiting for an MSP's change window.
- Cost: Generally 30-40% cheaper over 3 years (excluding staff costs).
- Vendor Choice: You pick the exact hardware (e.g., Fortinet, Cisco) you want.
Cons
- ISP Hell: You must manage billing and support for 50 different ISPs across the globe.
- Skill Gap: You need certified engineers on staff who understand BGP and overlay routing.
- Responsibility: When it breaks at 2 AM, your phone rings.
The Managed Service (MSP / NaaS)
Ideal for: Lean IT teams, global deployments, or companies treating the network as a utility.
Pros
- One Bill: The MSP aggregates all ISP bills into a single invoice.
- Global Reach: Players like Aryaka or Cato provide a private global backbone, bypassing the dirty public internet.
- SLA: You get a contractual guarantee on uptime and time-to-repair.
- No CAPEX: Usually $0 upfront; everything is bundled into a monthly fee.
Cons
- Loss of Control: Simple changes (opening a port) might take 24 hours via a ticketing system.
- Vendor Lock-in: It is very painful to leave a managed provider.
- Cost: You pay a premium (margin) on every circuit and device.
The Co-Managed Sweet Spot
Most modern enterprises are moving here. You don't want to debug ISP outages, but you do want to push security policies instantly.
In a Co-Managed model, the MSP monitors the "Green/Red" status of the links and handles the hardware RMA. Your team retains admin access to the dashboard to push policy templates.
Decision Matrix
Score yourself on these criteria. Higher score = Lean towards Managed.
| Criteria | DIY (0 Points) | Managed (1 Point) |
|---|---|---|
| Team Size | > 5 Network Engineers | < 2 Network Engineers |
| Geography | Single Country | Global (20+ Countries) |
| ISP Management | We have a procurement team | Please handle this for us |
| Change Frequency | Daily/Hourly Changes | Set it and forget it |
| Budget Type | CAPEX Heavy | OPEX Preferred |
Score 3-5: Go Managed or Co-Managed.
TCO Comparison: 100 Sites (3 Years)
Estimates based on 2026 market rates.
DIY Cost Structure
- Hardware: $500,000 (Upfront)
- Licenses: $300,000
- Staff Training: $50,000
- ISP Costs: Direct Bill
- Total Admin Overhead: High
Managed Cost Structure
- Hardware: $0 (Included)
- Monthly Service: $30,000/mo
- Management Fee: Included
- ISP Costs: Aggregated + 15% Markup
- Total Admin Overhead: Low
Architect's Recommendation
If you have fewer than 50 sites, Managed is usually the winner to avoid hiring dedicated staff. If you have 500+ sites, DIY offers massive economies of scale.
For the "messy middle" (50-500 sites), we recommend Co-Managed: let them deal with the ISPs, while you keep the keys to the policy engine.