Rick Mur
September 9, 2025

Migrating from MPLS to SASE – notes from the GNX playbook


Our recent article made one thing clear: speed alone doesn’t define network success. Think Formula 1. A car built for the track is blisteringly fast — but would you drive it to the supermarket?

The same goes for MPLS (Multiprotocol Label Switching). For years, it was the “fast lane” of networking, giving packets a dedicated route from A to B and avoiding the jams. For pure speed, it worked brilliantly, leading the pack for decades. (Over 50% of multinationals still have MPLS in the mix.) But it had its limits: the “circuit” is fixed — you can’t easily reroute traffic or change contracts locked in for years. 

Meanwhile, new technologies are winning not just on speed, but flexibility. Which should be a red (or checkered) flag to any CTO: if you’re still MPLS-only, others are overtaking you.

Enter SASE: Secure Access Service Edge. Done right — with the right internet underlay — SASE delivers near-MPLS performance plus a modern security stack: firewall, secure web gateway, identity, and authentication.

Back to the track: MPLS is like racing on a closed circuit. SASE is the autobahn — high-speed roads with on-ramps and exits wherever you need them. That’s why so many are plotting their move from MPLS to SASE.

So, how do you get there? In this article, we’ll outline your MPLS-to-SASE race plan – starting from pole position.

1. From built for speed to built for change

Applications are in the cloud. Hybrid work patterns mean there’s no straight line between the workers and their data. Some data centers are still in the basement, but most are elsewhere. Some resources need ringfencing for single-country rules, others need to connect dozens of remote sites worldwide. 

MPLS isn’t ideal for any of these use cases – and with new demands from AI popping up everywhere, a leased line contract of even 12 months may not be flexible enough. 

This is where MPLS shows its age: the tech is great, but it was designed for a pre-cloud, pre-AI, pre-hybrid planet.

SASE, by contrast, is a cloud-first model. Perfect for today’s distributed workforce, SaaS-heavy workflows, and changing conditions. SASE doesn’t just respond to change; it’s built for it, converging network access and secure connectivity into a single cloud-native Network as a Service (NaaS). 

Playbook Item 1:

Work out your opportunity cost

So on the first page of the migration playbook, ask yourself: what are you missing? Are you staying with MPLS simply due to inertia? What’s the ideal connectivity situation for each site in your organization: how would they benefit from more bandwidth, faster application deployment, easier ways to respond to change?

Try to put an “opportunity cost” on each situation. Even conservative guesses may total millions – which alone makes the business case for moving away from MPLS.


2. The role of SASE in an MPLS migration strategy

While it’s not “WAN in a can” – we all know services are never *quite* turnkey – SASE is very much easier to provision than MPLS, by design. Hardware is simpler, setup is cloud-based, with no need to provision resources on-site at each physical location. You don’t so much build it as connect to it once it’s configured. There are six key parts:

  • The internet underlay (of your choice): Unlike the fixed A-to-B connections of MPLS, the foundation of a SASE-based solution is flexible – including straightforward business internet. With multiple options for diversity and bandwidth guarantees these days, a well-thought-out internet underlay can be competitive with MPLS … especially so when it comes to price.
  • SD-WAN (Software Defined Wide Area Network): The SD-WAN is like your MPLS WAN with flexibility revved to the redline. It’s there not just to direct traffic but to optimize it, finding the best routes over multiple types of connections, dedicated internet and broadband to mobile 4G/5G … even MPLS … and doing it dynamically. A note for your playbook: you don’t have to drop MPLS for SASE. MPLS can provide bandwidth and reliability for SASE, as part of your SD-WAN.
  • Secure Web Gateway (SWG): The SWG is SASE’s border patrol: it decides who and what gets in and out, and blocks anything suspicious. It filters sites and data connections, enforces Acceptable Use policies (no gambling sites on company time, please!), and scans for hidden risks like malware and phishing. It’s your on-ramp to the internet – but there’s a guard post to clear for each and every entry.

    Because it’s built into SASE architecture, there are fewer holes in the security surface than with a solution pieced together from third parties. Playbook point: MPLS doesn’t do this directly on site – its role is to direct your data to the right lane, and it needs a central firewall to enforce restrictions on site.
  • Cloud Access Security Broker (CASB): SASE’s CASB is a control freak’s dream: where SWG decides who’s allowed in, CASB looks at what’s let out – securing access to cloud services like Microsoft 365, Google Workspace, and Salesforce. That means unsanctioned apps and “shadow IT” can be managed as strictly or loosely as you want. (Flexibility again.)

    Playbook point: MPLS has no built-in security for managing cloud apps, since it’s not a cloud-first technology – everything securing your apps in an MPLS-only solution was layered on later, with the risks of cracks appearing for bad actors to exploit.
  • FWaaS (Firewall-as-a-Service): A firewall may surround every MPLS WAN, but it can’t surround the public cloud apps many organizations use – meaning another win for SASE. Firewall functions based in the cloud mean whole-network packet filtering, application control, and intrusion prevention, with centralised policy enforcement across all locations.

    There are two more bonuses. Playbook points: there’s no need for on-prem hardware like firewall boxes at the perimeter. And because it sits in the cloud itself, FWaaS can scale globally as you grow and change.
  • ZTNA (Zero Trust Network Access): ZTNA is a core feature in the SASE stack. It makes access to applications identity-based: never trust, always verify. Users authenticate continuously, based on who and where they are, what their device is, and the permissions set for their job role.

    The Playbook point for ZTNA: it’s extremely fine-grained, with access granted for individual applications – it doesn’t hand out access-all-areas passes like confetti, a common problem with MPLS implementations. 

Playbook Item 2

Understand the value of the SASE stack

SASE’s integration of connectivity and security makes it trustworthy from the start without extensive setup; it was conceived and designed that way.

Bringing MPLS into a new SASE solution may well be your best bet, eking out the remaining benefits from your older technology – so let’s look next at a workable migration path with GNX.


3. Migrating from MPLS to SASE with GNX: a phased approach

The key is to do it in stages – and here’s where GNX comes in to help. Bringing together thousands of connectivity providers worldwide, it lets you build out and cost up a global solution based on your needs and goals – acting as a migration partner between your starting point and finish line. 

  • Stage 1: perform an initial assessment. From your early thoughts about what you’re missing from your current MPLS, use GNX (and our platform GNX+) to search for internet services that might fill the gaps – while interoperating just fine with your older solution. You’ll find over 3,000 carriers and ISPs on the platform ready to help. GNX+ can present possible solutions for consideration, tech specs, availability information, and accurate pricing.
  • Stage 2: roll out a pilot program. Once you’ve made some decisions, test them with a defined section of your network – usually a single location with gaps worth filling. Is one office consistently complaining about poor connectivity, or latency issues, or is their part of your MPLS not providing enough headroom? Make that your test site.
  • Stage 3: switch over to SASE in stages. Another flexibility bonus: with GNX, all your underlay connectivity providers can be covered by a single contract – not a stack of conflicting SLAs. This means the move to SASE isn’t a hold-your-breath-and-hope Day One switchover: you can implement piece by piece without complexity increasing on the way.
  • Stage 4: Ease MPLS out of the mix. When still in contract, it’s likely you’ll continue using your MPLS as one part of your SASE solution, its private lane traffic operating alongside broadband, DIA, 5G, even Point-to-Point if those make sense for you. There’s nothing wrong with this – it’s a sign of a cost-effective migration. But as your SASE gets rolling at site after site, it’ll soon be time to imagine a post-MPLS world. So set the dates: as your MPLS contracts end, prepare new connectivity options to take over. And execute, one by one.

Playbook Item 3

Use GNX+ as your migration enabler

The key thought: GNX+ is one key enabler in your SASE migration, letting you select and specify your underlay services and bringing them together in a single agreement. And once in place, it provides the statistics and analytics you need to manage it all – a window on what’s happening across your network with the tools to scale as you need to. It helps you manage your connectivity, reduce costs, and guarantee performance – powering your SASE overlay.


SD-WAN & SASE: Mind the underlay

For SASE to be successful, it is key to have the best available connectivity in place that takes into account all the needed traffic patterns.


Mini-case study: Consolidation across borders

When a multinational telco came to GNX, our team swung into action. Through our platform, we partnered with a list of ISPs in several countries with the right underlay to answer its migration goals.

Solutions spanned bespoke private circuits where minimum latency was critical, and ensured true diversity (not simply multiple ISP agreements) by checking that options ran on genuinely separate infrastructure. MPLS wasn’t tossed aside, but became part of the solution, providing bandwidth to the SD-WAN under SASE. A consolidation of many contracts into one – without losing existing MPLS advantages.

4. How GNX+ delivers flexibility and performance in a SASE world

Your successful migration is only part of the playbook. Further improvements come from two sources: the SD-WAN itself (smoothing traffic flows for greater performance on an ongoing basis) and the GNX+ platform (monitoring your underlay to resolve any bottlenecks and providing automated configuration options that meet the goals of your WAN).

So, as our final playbook point: always remember migrating from MPLS to SASE isn't just about upgrading technology. It’s about building a network foundation capable of adapting to future challenges and opportunities. 

By making flexibility your watchword, your business can unlock the full potential of cloud NaaS, empower a distributed workforce, and stay ahead as the connectivity landscape evolves. Back to our racing metaphor: it puts you in pole position, with the clearest view of the road ahead. 

Rick Mur
Co-founder & Chief Technology Officer
Hi, we are GNX

If you’re ready to talk about your route from MPLS to SASE, talk to our race marshals. Sorry, get in touch with me or one of our experts for an introduction and next steps! 
