Describe the EdgeConnect appliance, the Orchestrator, and the Unity Cloud Portal, and explain how these three components interact to form a managed SD-WAN.
Explain the distinct roles of the management plane, the control plane, and the data plane in the Silver Peak (now Aruba/HPE EdgeConnect) fabric, and predict how the system behaves when one of them is disrupted.
Diagram a basic Silver Peak SD-WAN topology, distinguishing the physical underlay transports from the logical overlays built on top of them.
Pre-Quiz — The Three Pillars
A retail company ships a brand-new physical EdgeConnect to a store, and a non-technical clerk racks and powers it on. Which pillar is responsible for the appliance learning which Orchestrator to join?
The Orchestrator, because it manages all configurationThe Unity Cloud Portal, during phone-home onboardingThe EdgeConnect appliance itself, using local CLIThe MPLS carrier, via the underlay routing table
Why is it accurate to say the Orchestrator "is not in the data path"?
It only runs as a cloud SaaS instance, never on-premIt configures and monitors appliances, but user packets never flow through itIt forwards packets only during ZTP, then steps asideIt encrypts all traffic before the appliances see it
An EdgeConnect virtual appliance runs inside an Azure tenant while a physical one sits in a branch store. What is true of their logical roles?
The cloud appliance only handles licensing; the physical one forwards trafficThey are the same logical component playing the same role, regardless of form factorThe virtual appliance cannot build IPsec tunnelsThe physical appliance must be managed by a separate Orchestrator
After a branch appliance has been adopted by its Orchestrator, how does day-to-day configuration and telemetry travel?
Through the Cloud Portal, which relays it to the OrchestratorDirectly between the appliance and the OrchestratorOnly over the MPLS underlay, never broadbandThrough a peer appliance acting as a proxy
What does the optional Boost license add to an EdgeConnect appliance?
WAN optimization — TCP acceleration, deduplication, and compressionThe ability to phone home to the Cloud PortalPermission to run OSPF and BGP routingA second Orchestrator for redundancy
The Three Pillars
Key Points
Every EdgeConnect deployment rests on three pillars: the EdgeConnect appliance (per-site device that forwards traffic), the Orchestrator (central management, formerly GMS), and the Unity Cloud Portal (cloud onboarding and licensing).
The appliance comes in three form factors — physical, virtual, and cloud — all playing the same logical role.
The Orchestrator defines policy and monitors the fabric but is never in the data path; user packets never flow through it.
The Cloud Portal matters at onboarding and licensing time; afterward config and telemetry flow directly between appliance and Orchestrator.
The Boost license adds WAN optimization (TCP acceleration, deduplication, compression).
Every Silver Peak EdgeConnect SD-WAN deployment rests on three logical components. The three pillars are the EdgeConnect appliance (the device at each site that actually moves traffic), the Orchestrator (the central brain where administrators define policy and watch the network), and the Unity Cloud Portal (the cloud service that handles onboarding and licensing).
A useful analogy: think of a national delivery company. The EdgeConnect appliances are the local depots in each city. The Orchestrator is the head-office operations center that sets the rules. The Unity Cloud Portal is the corporate registration desk where a new depot is enrolled, given credentials, and told which operations center it reports to. Once running, a depot talks to operations daily; it only revisits the registration desk for licensing and account matters.
EdgeConnect Appliances: Physical, Virtual, and Cloud
The EdgeConnect appliance is the SD-WAN endpoint deployed at every location. It comes in three form factors so the same logical role can be filled anywhere:
Physical appliances — purpose-built hardware for branches, retail stores, and data centers.
Virtual appliances — software images on a hypervisor (VMware ESXi, KVM, Hyper-V) on a customer's own server.
Cloud appliances — images deployed inside public cloud (AWS, Azure, GCP) so cloud workloads join the same fabric.
Regardless of form factor, the appliance terminates WAN underlay links, builds encrypted overlay (IPsec) tunnels, runs local routing (static, OSPF, BGP), enforces intent-based policy with DPI classification, and performs path conditioning and optimization (FEC, packet order correction, jitter buffering). With the optional Boost license it adds WAN optimization — TCP acceleration, deduplication, and compression.
Orchestrator: The Management Plane (Formerly GMS)
The Orchestrator is the centralized management system — the "single pane of glass" through which administrators configure, monitor, and troubleshoot every appliance. It was originally the Global Management System (GMS) under the Silver Peak brand; after the HPE/Aruba acquisition it was renamed Orchestrator. The two names refer to the same thing.
The Orchestrator can run on-premises as a VM, in cloud IaaS, or as a vendor-hosted SaaS instance. Its responsibilities include intent-based policy management via Business Intent Overlays (BIOs), zero-touch provisioning (ZTP), monitoring and analytics, lifecycle management (image management, templates, backup/restore, RBAC, multi-tenancy), and integrations (Syslog, SNMP, REST APIs). A defining property: the Orchestrator is not in the data path — user packets never flow through it.
Unity Cloud Portal: Onboarding and Cloud Services
The Unity Cloud Portal is a vendor-operated cloud service that acts as the "phone-home" front end. Its primary jobs are zero-touch onboarding (a new appliance authenticates with serial number + activation token and receives its license status and the address of the Orchestrator to join), license and subscription management (the central pool of appliance, Boost, and feature licenses), and Orchestrator-as-a-Service access for SaaS deployments. The key idea: the Cloud Portal is mostly involved at onboarding and licensing time; once adopted, day-to-day traffic flows directly between appliance and Orchestrator.
Animation: The Three Pillars Assembling
Figure 2.1: The Three Pillars and Their Interactions.
flowchart LR
subgraph Sites["Customer Sites"]
EC1["EdgeConnect Appliance: Branch A"]
EC2["EdgeConnect Appliance: Branch B"]
end
ORCH["Orchestrator: central management plane (formerly GMS)"]
PORTAL["Unity Cloud Portal: cloud onboarding and licensing"]
EC1 -->|"1. Phone home for license + Orchestrator address"| PORTAL
EC2 -->|"1. Phone home for license + Orchestrator address"| PORTAL
EC1 <-->|"2. Config down, telemetry up (ongoing)"| ORCH
EC2 <-->|"2. Config down, telemetry up (ongoing)"| ORCH
PORTAL <-->|"Appliance-to-Orchestrator mapping, licensing"| ORCH
Key Takeaway
Silver Peak EdgeConnect rests on three pillars — the appliance (per-site forwarding), the Orchestrator (central policy and monitoring, never carries user data), and the Cloud Portal (onboarding and licensing). The Cloud Portal matters at enrollment; the Orchestrator matters every day; the appliance does the real work.
Post-Quiz — The Three Pillars
A retail company ships a brand-new physical EdgeConnect to a store, and a non-technical clerk racks and powers it on. Which pillar is responsible for the appliance learning which Orchestrator to join?
The Orchestrator, because it manages all configurationThe Unity Cloud Portal, during phone-home onboardingThe EdgeConnect appliance itself, using local CLIThe MPLS carrier, via the underlay routing table
Why is it accurate to say the Orchestrator "is not in the data path"?
It only runs as a cloud SaaS instance, never on-premIt configures and monitors appliances, but user packets never flow through itIt forwards packets only during ZTP, then steps asideIt encrypts all traffic before the appliances see it
An EdgeConnect virtual appliance runs inside an Azure tenant while a physical one sits in a branch store. What is true of their logical roles?
The cloud appliance only handles licensing; the physical one forwards trafficThey are the same logical component playing the same role, regardless of form factorThe virtual appliance cannot build IPsec tunnelsThe physical appliance must be managed by a separate Orchestrator
After a branch appliance has been adopted by its Orchestrator, how does day-to-day configuration and telemetry travel?
Through the Cloud Portal, which relays it to the OrchestratorDirectly between the appliance and the OrchestratorOnly over the MPLS underlay, never broadbandThrough a peer appliance acting as a proxy
What does the optional Boost license add to an EdgeConnect appliance?
WAN optimization — TCP acceleration, deduplication, and compressionThe ability to phone home to the Cloud PortalPermission to run OSPF and BGP routingA second Orchestrator for redundancy
Pre-Quiz — Planes of Operation
Users at a branch report everything works fine, yet the Orchestrator dashboard shows the appliance as offline. What does this pattern most strongly suggest?
The data plane has failed and traffic is being droppedA management-path problem (firewall, DNS, NTP/certificate) is breaking the session to the OrchestratorThe underlay MPLS circuit is downThe appliance has lost all its IPsec tunnels
In EdgeConnect, where do real-time, packet-by-packet path decisions actually get made?
In the Orchestrator, which computes every path centrallyIn the Cloud Portal during phone-homeLocally, in the control plane distributed across the appliancesIn the carrier's MPLS routers
The Orchestrator becomes unreachable for two hours. What happens to existing branch traffic?
All traffic stops until the Orchestrator returnsTraffic keeps flowing on last-known policy; only new config and fresh analytics are lostAppliances fail over to the Cloud Portal for forwarding decisionsAll tunnels are torn down and rebuilt from scratch
According to the plane-based model, in what order should you troubleshoot a misbehaving site?
Data plane, then control plane, then management planeManagement plane, then control plane, then data planeControl plane, then data plane, then management planeWhichever plane the alarm names, in isolation
What role does the Orchestrator play with respect to the control plane?
It makes every individual path decision in real timeIt shapes control-plane behavior (topology, overlays, SLA thresholds) but does not pick each packet's pathIt has no involvement with the control plane at allIt forwards routing protocol packets between appliances
Planes of Operation
Key Points
The management plane (configure, monitor, ZTP, lifecycle, RBAC) lives in the Orchestrator and is not in the packet path.
The control plane (tunnel discovery, routing exchange, real-time path selection) is distributed across all appliances; the Orchestrator supplies policy and topology but not per-packet decisions.
The data plane (forwarding, DPI, QoS, optimization, encryption) runs only on the appliances.
Because management is out of the data path, an Orchestrator or Cloud Portal outage stops new config and visibility but never stops existing traffic — "resilience through independence."
Troubleshoot in plane order: management → control → data.
Network architectures are described in three planes — management, control, and data. The model separates who decides what from what actually moves packets. In EdgeConnect each plane lives in a specific place, and that placement tells you exactly how the network behaves under failure.
The management plane is where the network is configured, monitored, and maintained — it lives almost entirely in the Orchestrator. The control plane decides how to reach destinations and which path to use; in EdgeConnect it is distributed across the appliances, each maintaining its tunnels, running routing protocols, measuring path quality, and selecting paths in real time. The Orchestrator shapes control-plane behavior but does not make the packet-by-packet decision. The data plane forwards user traffic and runs only on the appliances; the Orchestrator is never in the data path.
Plane
Primary job
Where it lives
In the packet path?
What breaks if it is lost
Management
Configuration, monitoring, ZTP, lifecycle, RBAC
Orchestrator (plus local UI on appliances)
No
New config pushes and central visibility; existing traffic continues
Bringing a new branch online ties all three planes together:
Management plane — bootstrap and ZTP. The appliance boots, gets an IP (usually via DHCP), phones home to the Cloud Portal, learns its Orchestrator address, and opens a secure session. The Orchestrator authenticates it, assigns a site name and role, and pushes a configuration template plus site-specific policy (BIOs, segmentation, security).
Control plane — build overlays and learn routes. Using that policy, the appliance forms IPsec tunnels, establishes BGP/OSPF sessions, learns local prefixes, advertises them, and installs remote prefixes.
Data plane — forward traffic. Users generate traffic; the appliance classifies each flow, applies the overlay policy, and forwards onto the chosen path(s).
The key consequence is resilience through independence: because the management plane is out of the data path, if the Orchestrator or Cloud Portal becomes unreachable, the existing control and data planes keep operating on last-known policy. You lose new configuration and fresh analytics, but traffic keeps flowing.
Zero-Touch Provisioning Flow
Zero-touch provisioning (ZTP) lets a non-technical person stand up an appliance without touching a command line. The orchestrated flow: ship preloaded with defaults → rack, cable, power on, reach the Internet → contact the Cloud Portal (serial + token) → portal validates license and returns the target Orchestrator address → appliance opens a secure session to that Orchestrator, which pushes full configuration → appliance builds tunnels and forwards. ZTP failures usually fall on the Cloud Portal/ZTP side (unregistered/unlicensed device, wrong key, blocked DNS/HTTPS, NTP/clock causing TLS cert failures) or the Orchestrator side (unreachable, license/capacity limit, mapped to the wrong Orchestrator).
Animation: Zero-Touch Provisioning Flow
Figure 2.2: Zero-Touch Provisioning Sequence.
sequenceDiagram
participant A as EdgeConnect Appliance
participant N as Internet / DHCP
participant P as Unity Cloud Portal
participant O as Orchestrator
A->>N: 1. Power on, request IP address (DHCP)
N-->>A: Assign IP, gateway, DNS
A->>P: 2. Phone home (serial number + activation token)
P->>P: 3. Validate license and entitlement
P-->>A: 4. Return target Orchestrator address
A->>O: 5. Open secure management session
O-->>A: 6. Push full configuration (BIOs, segmentation, security)
Note over A,O: Appliance builds tunnels and begins forwarding (fully operational)
Key Takeaway
EdgeConnect cleanly separates the management plane (Orchestrator), the control plane (distributed across appliances), and the data plane (appliances only). Because management is out of the data path, an Orchestrator or Cloud Portal outage stops new configuration and visibility but never stops existing traffic — and that dictates the management-then-control-then-data troubleshooting order.
Post-Quiz — Planes of Operation
Users at a branch report everything works fine, yet the Orchestrator dashboard shows the appliance as offline. What does this pattern most strongly suggest?
The data plane has failed and traffic is being droppedA management-path problem (firewall, DNS, NTP/certificate) is breaking the session to the OrchestratorThe underlay MPLS circuit is downThe appliance has lost all its IPsec tunnels
In EdgeConnect, where do real-time, packet-by-packet path decisions actually get made?
In the Orchestrator, which computes every path centrallyIn the Cloud Portal during phone-homeLocally, in the control plane distributed across the appliancesIn the carrier's MPLS routers
The Orchestrator becomes unreachable for two hours. What happens to existing branch traffic?
All traffic stops until the Orchestrator returnsTraffic keeps flowing on last-known policy; only new config and fresh analytics are lostAppliances fail over to the Cloud Portal for forwarding decisionsAll tunnels are torn down and rebuilt from scratch
According to the plane-based model, in what order should you troubleshoot a misbehaving site?
Data plane, then control plane, then management planeManagement plane, then control plane, then data planeControl plane, then data plane, then management planeWhichever plane the alarm names, in isolation
What role does the Orchestrator play with respect to the control plane?
It makes every individual path decision in real timeIt shapes control-plane behavior (topology, overlays, SLA thresholds) but does not pick each packet's pathIt has no involvement with the control plane at allIt forwards routing protocol packets between appliances
Pre-Quiz — Overlays and Underlays
A branch's broadband circuit is up but suffering 1% loss and high jitter. The MPLS↔MPLS tunnel is fine. What happens to the broadband (Internet↔Internet) tunnel?
The tunnel goes down because the underlay is degradedThe tunnel stays up but is flagged as not meeting SLA, so the fabric can prefer the healthier tunnelThe Orchestrator forwards the traffic itself until the link recoversAll BIOs immediately stop using the appliance
Why is a Business Intent Overlay (BIO) best described as a logical fabric rather than a tunnel?
Each BIO is its own dedicated IPsec tunnelMultiple BIOs share the same physical tunnels, kept separate by policy, QoS, and zonesA BIO only exists inside the underlayBIOs are built by the carrier, not the Orchestrator
An administrator wants voice traffic to behave differently — preferring MPLS and failing to Internet with packet duplication. What should they change?
The underlay carrier circuitsThe Business Intent Overlay for voice, in the OrchestratorThe Cloud Portal license poolThe physical cabling at the branch
A firewall on the path is blocking UDP 4500 between two WAN IPs. What is the consequence?
Tunnels still form but run unencryptedThe overlay IPsec tunnel cannot form over that pathThe Orchestrator automatically reroutes through the Cloud PortalOnly the management plane is affected; tunnels are fine
In the end-to-end example, MPLS starts dropping packets during a voice call. How does the flow move to the Internet tunnel even if the Orchestrator is unreachable at that moment?
The Cloud Portal reroutes the callThe appliance's local control plane detects the SLA violation and shifts the flow within the overlayThe carrier's MPLS router redirects the trafficThe call drops and must be redialed once the Orchestrator returns
Overlays and Underlays
Key Points
The underlay is the real physical/IP transport (MPLS, broadband, LTE/5G, Ethernet, satellite). EdgeConnect uses it but does not change how it works.
If underlay reachability is broken (routing, ACL, NAT, blocked UDP 4500), overlay tunnels cannot form over that path.
The overlay is the virtual network of IPsec tunnels plus the logical topologies and policies on them.
A Business Intent Overlay (BIO) is a logical fabric — multiple BIOs share the same physical tunnels, kept separate by policy, QoS, and zones.
Tunnels are auto-built and continuously probed by the Orchestrator (latency, jitter, loss, MOS for voice). Fix path behavior by changing the BIO, not the underlay.
The final architectural idea is the separation of the physical network you rent from carriers (the underlay) from the intelligent virtual network EdgeConnect builds on top (the overlay).
Underlay Transports: MPLS, Broadband, and LTE
The underlay provides basic reachability between appliances — transport types (MPLS, broadband, private Ethernet, LTE/5G, satellite), the IP layer (WAN interface addresses and ISP routing), and measurable characteristics (bandwidth, latency, jitter, loss, MTU, CIR). Two essential facts: EdgeConnect does not change how the underlay works (it uses whatever IP connectivity exists), and if underlay reachability is broken — by routing, an ACL, NAT, or a blocked port — overlay tunnels cannot form over that path. A common gotcha: tunnels use IPsec, so underlay firewalls/NAT must permit UDP 4500 and related IPsec packets between WAN IPs.
Business Intent Overlays as Logical Fabrics
The overlay is the virtual SD-WAN network: encrypted IPsec tunnels plus the logical topologies and policies that ride them. A Business Intent Overlay (BIO) answers one question: given a type of traffic, how should the fabric treat it? Each BIO defines traffic classification (via DPI, subnets, ports, user groups), topology (full mesh, hub-and-spoke, regional mesh), path preferences and SLA thresholds, QoS treatment (DSCP, prioritization, bandwidth guarantees), and security/segmentation. A crucial subtlety: multiple BIOs share the same physical tunnels — a BIO is not a separate tunnel, it is a logical overlay distinguished by policy and segmentation. The "Voice" and "Backup" BIOs may both ride the same Internet-to-Internet tunnel. The whole system — every appliance, tunnel, and BIO — is the SD-WAN fabric: one transport-independent virtual WAN with centralized control and distributed enforcement.
The analogy worth remembering: the underlay is the roads (MPLS, Internet, LTE), and the overlay is the set of virtual lanes painted on top, each carrying a different class of traffic under different rules.
Aspect
Underlay
Overlay
What it is
Physical/IP transport circuits
Encrypted virtual SD-WAN network
Examples
MPLS, broadband, LTE/5G, Ethernet
IPsec tunnels, Business Intent Overlays
Built and owned by
Carriers / ISPs
EdgeConnect fabric (defined in Orchestrator)
Provides
Raw reachability and bandwidth
Path selection, QoS, security, segmentation
Analogy
The roads
The virtual lanes painted on them
If it fails
Tunnels over that path go down
Policy reroutes traffic to a healthy tunnel
Fabric Tunnels Between EdgeConnect Nodes
A tunnel is an IPsec-encrypted overlay connection between two appliances, anchored on a specific local and remote WAN interface. Typically there is one tunnel per transport pair (MPLS↔MPLS, Internet↔Internet, LTE↔LTE), with cross-transport tunnels if configured. Tunnels are auto-discovered and auto-built by the Orchestrator once sites and WAN links are defined, then continuously probed for latency, jitter, loss, and (for voice) a Mean Opinion Score (MOS). If the underlay loses IP connectivity, the tunnel goes down; if the underlay is up but degraded, the tunnel stays up but flagged as not meeting SLA, letting the fabric prefer a healthier tunnel.
End-to-end example. HQ (50 Mbps MPLS, 200 Mbps broadband) and Branch A (10 Mbps MPLS, 100 Mbps broadband). The Orchestrator auto-builds an MPLS↔MPLS tunnel (~20 ms, <0.1% loss) and an Internet↔Internet tunnel (~40 ms, occasional 1% loss). A "Real-Time Voice" BIO prefers MPLS while latency stays under 50 ms and loss under 0.5%, with the Internet tunnel as backup using packet duplication. If MPLS later drops packets, the appliance's local control plane detects the SLA violation and shifts the flow to the Internet tunnel with packet duplication — all within the overlay, without touching a carrier router, and even if the Orchestrator happens to be unreachable.
Figure 2.3: Basic SD-WAN Topology with Overlays and Underlays.
flowchart TB
subgraph Overlay["Overlay: logical Business Intent Overlays (Voice, Backup, Guest)"]
BIO["BIOs share the same tunnels, separated by policy, QoS, and zones"]
end
subgraph Tunnels["Overlay Tunnels: IPsec, auto-built and probed"]
T1["MPLS to MPLS tunnel (~20 ms, low loss)"]
T2["Internet to Internet tunnel (~40 ms, occasional loss)"]
end
subgraph HQ["HQ EdgeConnect"]
HQ_MPLS["WAN: MPLS 50 Mbps"]
HQ_BB["WAN: Broadband 200 Mbps"]
end
subgraph BR["Branch A EdgeConnect"]
BR_MPLS["WAN: MPLS 10 Mbps"]
BR_BB["WAN: Broadband 100 Mbps"]
end
BIO --> T1
BIO --> T2
T1 --- HQ_MPLS
T1 --- BR_MPLS
T2 --- HQ_BB
T2 --- BR_BB
Key Takeaway
The underlay is the physical transport that provides raw reachability; the overlay is the encrypted IPsec fabric built on top. Tunnels are per-transport IPsec connections the Orchestrator auto-builds and probes; BIOs are logical fabrics mapping each traffic class to paths, QoS, and security — many BIOs sharing the same tunnels. Fix path behavior by changing the BIO, not the underlay.
Post-Quiz — Overlays and Underlays
A branch's broadband circuit is up but suffering 1% loss and high jitter. The MPLS↔MPLS tunnel is fine. What happens to the broadband (Internet↔Internet) tunnel?
The tunnel goes down because the underlay is degradedThe tunnel stays up but is flagged as not meeting SLA, so the fabric can prefer the healthier tunnelThe Orchestrator forwards the traffic itself until the link recoversAll BIOs immediately stop using the appliance
Why is a Business Intent Overlay (BIO) best described as a logical fabric rather than a tunnel?
Each BIO is its own dedicated IPsec tunnelMultiple BIOs share the same physical tunnels, kept separate by policy, QoS, and zonesA BIO only exists inside the underlayBIOs are built by the carrier, not the Orchestrator
An administrator wants voice traffic to behave differently — preferring MPLS and failing to Internet with packet duplication. What should they change?
The underlay carrier circuitsThe Business Intent Overlay for voice, in the OrchestratorThe Cloud Portal license poolThe physical cabling at the branch
A firewall on the path is blocking UDP 4500 between two WAN IPs. What is the consequence?
Tunnels still form but run unencryptedThe overlay IPsec tunnel cannot form over that pathThe Orchestrator automatically reroutes through the Cloud PortalOnly the management plane is affected; tunnels are fine
In the end-to-end example, MPLS starts dropping packets during a voice call. How does the flow move to the Internet tunnel even if the Orchestrator is unreachable at that moment?
The Cloud Portal reroutes the callThe appliance's local control plane detects the SLA violation and shifts the flow within the overlayThe carrier's MPLS router redirects the trafficThe call drops and must be redialed once the Orchestrator returns