From Head Office to Everywhere. Why Professional Services Firms Are Adopting SD-WAN

As professional services firms shift from centralised head office networks to distributed, cloud-first operations, SD-WAN is emerging as the new standard. This article explains why the traditional WAN model no longer fits and what to understand before modernising your network so the shift improves performance, resilience, and security rather than introducing new risk.
Published on 14th February 2026

Professional services firms used to design networks around a simple idea. Everyone worked in the office, applications lived in the data centre, and the internet was something you visited through a controlled front door. That world has been replaced by cloud services, hybrid work, and clients who expect seamless delivery whether your team is in a CBD office, at home, or in transit. In Australia, the shift is not theoretical. The Australian Bureau of Statistics reported that in August 2025, 36% of employed people usually worked from home. That is a big signal that work is now distributed by default, not by exception.

This is exactly why SD-WAN has moved from nice-to-have to baseline. The reason is not hype. It is architecture. Microsoft’s guidance for Microsoft 365 networking is explicit that the optimum model is local egress at the user’s location, including remote locations like homes, hotels, coffee shops, and airports. It also calls out that network hairpins and backhauling introduce latency and degrade the user experience.

For Microsoft-centric professional services firms, modernising the WAN is less about chasing a new acronym and more about removing the friction that quietly drains billable time. The goal is simple. Better performance, better resilience, and better security, without creating a fresh set of risks along the way.

The End of the Head Office Network

The traditional head office network worked because traffic patterns were predictable. Branch users accessed central apps. Remote users dialled into head office. Security controls lived in one place, so almost everything was forced through it.

Cloud-first operations break that model. Microsoft notes that adopting SaaS shifts services and data outside the network perimeter. If you keep treating head office as the centre of gravity, you get longer paths, more inspection bottlenecks, and routing that is optimised for yesterday’s world.

That is why firms are moving away from rigid WAN designs, including pure hub-and-spoke VPN patterns, and towards Secure SD-WAN platforms. In practice, that often means an SD-WAN edge that can intelligently steer traffic, plus deeper integration into cloud networking so cloud workloads behave like first-class network destinations. Microsoft’s reference architectures for connecting SD-WAN to Azure Virtual WAN hubs show exactly this kind of model, using IPsec connectivity from branch SD-WAN devices into Virtual WAN.

[Figure: Legacy WAN vs SD-WAN architecture diagram]

Where legacy WAN breaks in a cloud-first world

A legacy WAN is not “bad”. It is just mismatched. It was engineered for centralised applications, a small number of fixed sites, and predictable growth. Cloud-first professional services firms rarely tick those boxes now.

Cloud Hairpinning and Latency

  • Microsoft has long warned about network hairpins because they lengthen the path between users and Microsoft’s global network, increasing latency and reducing performance. If you route Microsoft 365 traffic back to head office (or through a distant security stack), you are effectively forcing your data to take the scenic route. Great for tourism. Terrible for Teams meetings. This matters because real-time collaboration is sensitive to network quality. Microsoft highlights jitter, packet loss, and round-trip time as drivers of poor real-time media experiences. In other words, your network does not need to be perfect, but it does need to be predictable.

Inconsistent User Experience

  • When different sites have different link quality and no application-aware control, user experience becomes a lottery. Some people get crisp calls and fast file access. Others get spinning wheels and awkward silences. SD-WAN vendors and analysts describe SD-WAN as providing dynamic, policy-based, application path selection across multiple WAN connections. That capability is precisely what traditional routing designs lack when conditions vary by site.

VPN Bottlenecks for Hybrid Work

  • Traditional VPN designs assume remote users should join the corporate network first, then go to cloud services. Microsoft’s VPN split tunnelling guidance exists for a reason. It is designed to optimise Microsoft 365 connectivity for remote users by allowing certain traffic to connect directly rather than forcing it through the VPN, and Microsoft provides specific guidance for securing Teams media traffic in split tunnelling scenarios. The subtext is clear. If you push all cloud traffic through VPN concentrators, you risk unnecessary load and degraded experience.

MPLS Cost and Inflexibility

  • MPLS can be stable and predictable, but it is often costly and slower to change than internet-based options. Multiple industry sources note that MPLS relies on private circuits and tends to be more expensive than broadband, while SD-WAN commonly reduces costs by using more cost-effective internet connections. Fortinet also highlights that MPLS bandwidth is fixed and scaling often takes time and additional cost. Provisioning lead times are part of the practical pain. For example, Lightyear notes that new MPLS circuits can take roughly 30 to 120 days to provision, which is a problem when you need to open, move, or scale a site quickly. Even if your exact timelines differ, the constraint is real. Carrier services move at carrier speed. Your projects do not always have that luxury.

Limited Visibility

  • When users complain that “Microsoft 365 is slow”, the real question is whether the issue is the user’s last mile, the WAN path, the security stack, or the SaaS service itself. Microsoft provides health and performance measurement approaches for Teams, including call health metrics and network quality measurements like latency, jitter, and packet loss. The existence of these tools reflects a broader reality. Visibility needs to be end-to-end, not limited to a single head office choke point.

What SD-WAN changes

SD-WAN replaces rigid, site-to-site routing with a policy-driven fabric that can adapt to real conditions. Gartner describes SD-WAN as providing dynamic, policy-based, application path selection across multiple WAN connections. That one sentence captures why professional services firms care. It is not just another WAN. It is a different operating model.

At a practical level, SD-WAN platforms are designed to do a few critical things well.

They continuously measure path quality and link health, then steer applications based on service level objectives. Cisco’s application-aware routing documentation, for example, describes tracking characteristics like packet loss, latency, and jitter and using that information to compute optimal paths for traffic. Hewlett Packard Enterprise also explains SD-WAN as continuously evaluating link performance and routing based on real-time conditions and business policies.

They centralise policy and make it easier to push consistent intent across sites. This is a core part of how SD-WAN is commonly explained, including the idea of centralised policy management that can be applied across locations.

They support local internet breakout in a controlled way, which aligns directly with Microsoft 365’s preferred connectivity model. Microsoft explicitly recommends local egress and prioritising direct internet access for Microsoft 365 domains, reducing reliance on WAN backhauling and avoiding network hairpins. Microsoft also describes SD-WAN as a practical way to provide local branch egress for key Microsoft 365 endpoint categories.

What this means in practice for professional services firms

Direct, optimised cloud access
Local breakout is not a buzzword. It is Microsoft’s recommended connectivity posture for Microsoft 365, including for users in remote locations. The goal is to let user traffic reach the nearest service entry points with local egress and local DNS resolution, rather than forcing it through a central site. That is the difference between “cloud-first” and “cloud-fights-you”.

This is where endpoint awareness matters. Microsoft classifies endpoints into categories like Optimize, Allow, and Default, and it specifically recommends direct internet egress for the vital few endpoints in the Optimize and Allow categories. It also publishes an IP and URL web service so network teams can manage these endpoints over time. That matters because endpoints change regularly and poor change management can cause blocking or performance degradation.
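The endpoint handling described above can be sketched as follows. This is an added example, not code from Microsoft or Inlight IT: it turns two pulls of category-tagged endpoint records into a local-breakout bypass list, keeps Default-category traffic on the inspected path, rejects malformed or overly broad networks, and reports what changed between pulls. The sample records, the `MIN_PREFIX` guard and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed records in the shape of the endpoint web service output
# (id, serviceArea, category, urls, ips); placeholder values, not the live list.
OLD = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["mail.example.com"], "ips": ["192.0.2.0/24"]},
    {"id": 2, "serviceArea": "Skype", "category": "Allow",
     "urls": ["*.meet.example.com"], "ips": ["198.51.100.0/25"]},
    {"id": 3, "serviceArea": "Common", "category": "Default",
     "urls": ["*.cdn.example.net"]},
]
# A later pull: entry 2 moved, entry 4 is new and carries a bad 0.0.0.0/0.
NEW = [
    OLD[0],
    dict(OLD[1], ips=["198.51.100.128/25"]),
    OLD[2],
    {"id": 4, "serviceArea": "SharePoint", "category": "Optimize",
     "urls": ["files.example.com"], "ips": ["203.0.113.0/24", "0.0.0.0/0"]},
]
MIN_PREFIX = 8  # assumption: refuse bypass rules broader than a /8


def breakout_policy(endpoints, categories=("Optimize", "Allow")):
    """Split endpoints into direct-egress networks, inspected URLs, rejects."""
    direct, inspected, rejected = set(), set(), []
    for ep in endpoints:
        if ep.get("category") not in categories:
            # Default-category traffic stays on the proxy/inspection path.
            inspected.update(ep.get("urls", []))
            continue
        for cidr in ep.get("ips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                rejected.append((ep["id"], cidr))  # malformed entry
                continue
            if net.prefixlen < MIN_PREFIX:
                rejected.append((ep["id"], cidr))  # too broad to bypass
            else:
                direct.add(str(net))
    return direct, inspected, rejected


def policy_diff(old, new):
    """Networks to add to and remove from the bypass list between pulls."""
    before, after = breakout_policy(old)[0], breakout_policy(new)[0]
    return sorted(after - before), sorted(before - after)
```

Reviewing the output of `policy_diff` before pushing it to the SD-WAN edge is the change-management step: stale ranges are removed from the bypass list instead of lingering as uninspected paths.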

Resilience and uptime through diversity
SD-WAN designs commonly use multiple transports per site. Broadband, fibre, and wireless links can all be part of the same policy-driven fabric. When one path degrades, the platform can steer critical applications onto better-performing links based on measured conditions.


The core mechanism, again, is continuous measurement plus policy-based steering.
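A minimal sketch of that measure-then-steer loop, added here as an illustration and not taken from any vendor's implementation: each link's probe window is reduced to latency, jitter and loss, and each application class is placed on its first preferred link that meets its thresholds. The link names, SLA thresholds, preference order and the jitter estimate (mean change between consecutive round-trip times) are assumptions.

```python
from statistics import mean

# Assumed SLA classes and link preferences; illustrative, not vendor defaults.
SLA = {
    "realtime": {"latency_ms": 100, "jitter_ms": 30, "loss_pct": 1.0},
    "bulk": {"latency_ms": 400, "jitter_ms": 100, "loss_pct": 5.0},
}
PREFERENCE = {"realtime": ["fibre", "broadband", "lte"],
              "bulk": ["broadband", "lte", "fibre"]}

# Constructed probe windows: round-trip time in ms, None for a lost probe.
PROBES = {
    "fibre": [20, 22, 21, None, None, 23, 20, None, 22, 21],
    "broadband": [45, 48, 44, 47, 46, 45, 49, 44, 46, 45],
    "lte": [80, 140, 60, 150, 70, 160, 65, 155, 75, 145],
}
OUTAGE = dict(PROBES, broadband=[None] * 10)  # broadband link fully down


def measure(samples):
    """Summarise one probe window as latency, jitter and loss."""
    replies = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(replies)) / len(samples)
    if not replies:
        return {"latency_ms": float("inf"), "jitter_ms": float("inf"),
                "loss_pct": loss}
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return {"latency_ms": mean(replies),
            "jitter_ms": mean(deltas) if deltas else 0.0,
            "loss_pct": loss}


def steer(app, probes):
    """Return (link, meets_sla) for an application class."""
    metrics = {link: measure(s) for link, s in probes.items()}
    for link in PREFERENCE[app]:
        m = metrics.get(link)
        if m and all(m[k] <= limit for k, limit in SLA[app].items()):
            return link, True
    # No link meets the SLA: use the least lossy, then lowest latency, and
    # report the violation so monitoring can alert on it.
    fallback = min(metrics, key=lambda l: (metrics[l]["loss_pct"],
                                           metrics[l]["latency_ms"]))
    return fallback, False
```

With the constructed data, the lossy fibre link pushes real-time traffic onto broadband, and during the broadband outage bulk traffic moves to LTE while real-time traffic is flagged as out of SLA.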

For professional services, the benefit is straightforward. Fewer dropped calls, fewer mid-meeting reconnects, and fewer “can you hear me now” moments that make your firm look less polished than it actually is. The network becomes less brittle because it is not betting everything on a single circuit behaving perfectly.

Application-aware performance for collaboration and line-of-business tools
Real-time collaboration traffic and large file transfers have very different needs. Microsoft’s own documentation frames quality issues for real-time collaboration in terms of latency, jitter, and packet loss. SD-WAN platforms are built to treat those flows differently, prioritising what matters and de-prioritising what does not, based on measured conditions.

If you are serious about voice and video quality, Microsoft also provides Quality of Service guidance for Teams and the operational tooling to analyse call quality. SD-WAN is not a substitute for QoS, but it can complement it by ensuring the best available path is used for the right traffic at the right time.

Cost optimisation with realistic expectations
The financial case is often compelling, but it needs adult supervision. Industry comparisons commonly position SD-WAN as reducing transport cost by leveraging broadband rather than relying exclusively on private circuits, while acknowledging that SD-WAN performance depends on the quality of the underlying links. A sensible business case factors in licensing, operations, and security controls, not just circuit prices.

The operational gain is often just as important as the cost line. If provisioning a traditional circuit can take weeks or months, that slows down office openings, project sites, and acquisitions. In faster-moving firms, the network should not be the critical path for business change.

Built-in security, if you design it properly
Professional services firms cannot trade performance for security. Microsoft’s own networking guidance acknowledges that certain security patterns, including intrusive inspection and proxy processing, can increase latency and degrade user experience. It recommends bypassing proxy or inspection devices for direct Microsoft 365 requests in some scenarios, alongside appropriate allow-listing and endpoint management. That is not Microsoft saying “turn security off”. It is Microsoft saying “apply the right controls in the right place”.

This is why the market has moved towards Secure SD-WAN, which blends WAN control with security controls at the edge, rather than forcing every flow through a single location. Fortinet, for example, positions its approach as combining SD-WAN with security-driven capabilities and visibility when paired with its management and analytics tooling.

[Table image: Before vs After SD-WAN business impact]

Real-world impact

An engineering consultancy moving large design artefacts and collaborating in real time typically feels the pain of unnecessary backhaul quickly. If large file sync and real-time meetings share a constrained path, the meeting experience degrades first because real-time media is sensitive to jitter, packet loss, and latency. An SD-WAN design that measures path quality and steers traffic accordingly directly targets that failure mode.

An accounting firm heavily reliant on Microsoft 365 often sees the most improvement from local egress and sane endpoint management. Microsoft’s own “local egress at the user’s location” model plus its Optimize and Allow endpoint categories are designed to help network teams prioritise the traffic that is both high volume and performance-sensitive. SD-WAN at branches is explicitly called out by Microsoft as a way to provide local branch egress for these key endpoint categories.

A legal or advisory practice with heavy remote work tends to hit VPN friction first. Microsoft’s VPN split tunnelling guidance and Teams media guidance exist to reduce unnecessary hairpinning of cloud traffic through VPN paths, while still keeping security considerations in view. A WAN design that still assumes “everything goes through head office” is increasingly misaligned with how these teams actually operate.

Why firms are standardising on Secure SD-WAN

This shift is not about adopting new technology for its own sake. It is about aligning network architecture with operating reality. Hybrid work is widespread. SaaS traffic is business-critical. Client expectations keep rising. Cybersecurity requirements do not politely wait for your MPLS renewal date.

Secure SD-WAN has become the practical default because it brings together the outcomes professional services firms actually need: consistent application experience, resilience through path diversity, central policy control, and better visibility into what the network is doing. Those capabilities are widely reflected in how analysts and major vendors define and implement SD-WAN, particularly the emphasis on application-aware path selection across multiple connections.

When firms are Microsoft-centric and also want tighter cloud integration, Azure Virtual WAN becomes part of the conversation. Microsoft’s documentation lays out SD-WAN connectivity architectures where branch SD-WAN devices connect directly to Virtual WAN hubs over IPsec, and it also describes third-party integrations and deployment models inside Virtual WAN. In practical terms, Azure can be treated less like “somewhere else” and more like a connected part of the WAN fabric.

Where to from here?

If your firm is seeing slow Microsoft 365 performance outside head office, instability under VPN load, rising costs for fixed connectivity, or inconsistent user experience across offices and remote staff, it is a strong signal that your WAN design is out of date, not that your people need to “try turning it off and on again”. Microsoft’s guidance is clear that local egress close to the user and avoiding hairpins is the optimum model for Microsoft 365 connectivity, and it provides concrete tools and endpoint taxonomies to implement that safely.

At Inlight IT, we design and deploy Secure SD-WAN architectures using Fortinet with deep integration into Azure, supporting accounting, engineering, legal, and advisory firms. The head office network era is ending because the head office is no longer where work happens. The distributed, cloud-ready network is already here. Now is the time to make sure your WAN is helping your firm bill time, not burn it.

