Licensing Models and Subscription Tiers

Section 1 — License Tiers

EdgeConnect software is licensed along two largely independent axes. The first axis is the feature tier, which determines what the software can do: this is where EdgeConnect Base and EdgeConnect Advanced live. The second axis is bandwidth, which determines how much WAN throughput the appliance is allowed to process (Section 2). On top of both sits the optional Boost license, which unlocks classic WAN optimization. Keeping these axes separate is the single most useful habit when reasoning about EdgeConnect licensing.

Analogy. Think of a streaming service. The plan tier (Standard vs. Premium) decides which features you get — that is Base vs. Advanced. Separately, your internet speed decides how smoothly any of it plays — that is the bandwidth license. And an optional sports add-on you can bolt onto either plan is Boost. You choose each independently.

EdgeConnect Base entitlements

Base is the entry feature tier and the foundation of every deployment — a complete, production-grade SD-WAN feature set. A Base site can run a fully meshed, secure, application-aware WAN. Base typically includes:

• Full SD-WAN fabric and overlays — IPsec-encrypted tunnels forming the secure overlay.
• Dynamic path control across MPLS, broadband, and LTE/5G, with per-application steering on latency, loss, jitter, and MOS.
• Application-aware routing via deep packet inspection, including SaaS/IaaS awareness.
• Standard routing — BGP, OSPF, static, plus VRRP and HA designs.
• Segmentation — zone/segment policies giving VRF-like isolation.
• Integrated stateful firewall — basic L3/L4 enforcement at the WAN edge.
• Basic internet breakout, baseline (manual) service chaining, ZTP, and central management via Aruba Orchestrator.

The one thing Base does not include is WAN optimization. Gains come purely from SD-WAN techniques (path conditioning, FEC where supported). For classic WAN optimization you must add Boost.

EdgeConnect Advanced

Advanced is a superset of Base: everything in Base, plus richer security, cloud, and analytics. Relative to Base it adds:

• Advanced security service chaining — deeper, automated, multi-provider steering with pre-built templates for Zscaler, Netskope, Prisma, Check Point. This is the headline differentiator.
• Larger-scale, more granular segmentation for large enterprise and multi-tenant environments.
• Advanced SaaS and multi-cloud steering — nearest-entry routing and hub-build wizards for AWS/Azure/GCP.
• Richer analytics and automation — longer retention, more KPIs, expanded REST API/telemetry (with a higher Orchestrator tier).

Like Base, Advanced still does not automatically include WAN optimization — Boost remains a separate add-on regardless of tier. Advanced is, however, often chosen for hub/data-center roles because those sites tend to need heavy chaining and Boost.

Add-ons: Boost and security chaining

The Boost license is classic WAN optimization, applied to a Base- or Advanced-licensed appliance. When licensed and enabled it adds TCP acceleration, data reduction (dedup/compression), and application/protocol acceleration (e.g., SMB/CIFS). Two facts to memorize: it is licensed in Mbps of optimized traffic (never bundled by default), and it degrades gracefully — excess flows still get full SD-WAN treatment, nothing is dropped.

On security chaining: Base supports manual chaining (build a tunnel, write a policy); Advanced supports integrated, automated, multi-provider chaining with vendor templates. Both can chain; Advanced makes it scalable.

Figure 7.1: EdgeConnect feature-tier comparison. (Verify exact entitlements against the current Aruba EdgeConnect data sheet, as packaging changes between releases.)

Section 2 — Subscription and Consumption Models

Term-based subscription licensing

A subscription is the right to run the software at a specified feature tier and bandwidth for a fixed term — commonly 1, 3, or 5 years — bundling four things: a time period (expiry date), a feature tier (Base/Advanced + any Boost), a bandwidth entitlement, and software updates plus TAC support. This is an OPEX shift away from perpetual licensing. Three consequences follow:

• Expiry behavior. At term end without renewal, the box may downgrade, enter grace, or be flagged non-compliant. Never plan on grace — treat expiry as a hard deadline.
• Co-terming. Align all end-dates so renewals happen in one event; mid-cycle add-ons are often sold on a shorter term to co-terminate.
• Renewal risk. Large pools should start renewal months early — a lapsed pool can put many appliances out of compliance at once.

Bandwidth tiers per appliance

The bandwidth tier caps WAN-side throughput under SD-WAN (encrypted overlays, encapsulation, QoS all count). Three rules: (1) it measures aggregate WAN throughput, the sum across all WAN interfaces, not per-link; (2) it is enforced in software — traffic above the rate is shaped/throttled; (3) you cannot license above hardware capability — "Unlimited" on a small box does not yield multi-gigabit performance.

Figure 7.2: Commonly-cited EdgeConnect bandwidth tiers (representative — verify against the official Aruba data sheet).

Pooled / FlexLicense and portability

In traditional licensing, each appliance is bought with a fixed tier; upgrades buy an upgrade license for that box, and a closed site's license is stranded. FlexLicense replaces this with a pooled bandwidth model: you buy a single aggregate pool for the estate (e.g., 5 Gbps, Advanced, 3-year term), and Orchestrator allocates slices to appliances. This is license pooling.

How the pool works: a purchase produces an entitlement in Aruba's backend, which you sync into Orchestrator (showing total pool, allocated, and remaining). Each appliance is assigned a bandwidth value that decrements the pool; you can raise or lower it later. The core rule: the sum of all per-appliance assignments must be ≤ the total pool — Orchestrator blocks or flags over-allocation.

Worked example — pool arithmetic. A 3-year, 2 Gbps pool: HQ 1G + DC 500M + Branch A 200M + Branch B 100M = 1,800 Mbps allocated, 200 free. Bump Branch A to 300M → 1,900 allocated, 100 free. Try to raise Branch B 100→300M (+200): that totals 2,100, over the 2,000 pool, so Orchestrator refuses until you buy more capacity.

The decisive advantage is portability — the license is tied to the estate, not a serial number. Adding a branch, upgrading a branch, decommissioning a site (capacity returns to the pool), and replacing hardware all become reallocations rather than purchases. Throughout, Orchestrator is the system of record for pool size, term, allocation, and compliance.

Figure 7.3: FlexLicense (pooled) vs. fixed per-appliance subscriptions.

Section 3 — Planning and Compliance

Right-sizing licenses to bandwidth

Oversizing wastes money; undersizing throttles production. License to real, measured demand plus headroom: (1) measure at least a week (ideally 30 days) of per-circuit throughput, capturing peak and 95th-percentile and the up/down split; (2) compute peak aggregate (sum simultaneous peaks for active/active; active link for active/standby); (3) add 30–50% headroom for growth and overhead; (4) map to the nearest tier covering peak × headroom, then validate against the model's performance limit.

Worked example — sizing a branch. Two 25 Mbps active/active links peaking ~30 Mbps aggregate. 30 × 1.5 = 45 Mbps → smallest covering tier is 50M. A DC with multiple 1 Gbps links peaking 1.2–1.5 Gbps and growing toward 2–2.5 Gbps maps to 2G or Unlimited.

Boost is sized differently. Size only for traffic you intend to optimize (file shares, backup/replication, chatty apps), estimate max simultaneous optimized traffic, add ~20–30% overhead, choose the nearest tier. Both ends of an optimized path need Boost licensed and enabled. Mild undersizing is acceptable (graceful degradation). Boost adds little on pure internet/SaaS or very high-bandwidth low-latency links; it pays off on high-latency, constrained links (MPLS, long-haul, satellite). A sensible FlexLicense strategy is to start conservative and upgrade later.

License portability when replacing hardware

With fixed per-appliance licensing, the entitlement is bound to a device, so replacement can require re-licensing the new unit. With FlexLicense: zero the failed box's allocation (bandwidth returns to the pool), onboard the replacement, and assign it the same bandwidth. No new SKU is consumed — the pool total is unchanged. Platform upgrades and relocations become routine reallocations too.

Worked example — RMA under FlexLicense. A 200M branch fails Friday. In Orchestrator you remove its allocation; 200 Mbps drops back into the pool. The replacement is onboarded via ZTP, and you assign it 200 Mbps. Total pool consumption is identical — no procurement ticket needed.

Support and software entitlement

The subscription is also your entitlement to support and software maintenance for the term: Aruba TAC support, software updates/upgrades (releases, fixes, security patches), and the legal right to operate at the licensed tier and bandwidth. The compliance implication is direct — when a subscription lapses, you lose not only feature/bandwidth entitlement but also the right to open TAC cases and download updates. This is why renewals should be managed proactively and licenses co-termed.