SASE only works as well as your underlay
Trusted Advisor for IT & Telecommunications Sourcing
Get SASE off to the right start: Why underlay determines success
Increasing demands on performance, security and availability meet distributed locations, cloud applications and hybrid work. This is exactly what SASE is supposed to solve – but it often fails due to unstable or inconsistent connectivity. The problem is not SASE, but underlay.
What this means for you
- Poor user experience despite modern SASE architecture
- Voice, video & SaaS react sensitively to latency, jitter & packet loss
- Security policies lose effect with unstable transport
- Fault clearance takes longer with fragmented providers & SLAs
What this article is about
This article shows why a stable, resilient underlay is the basis for a functioning SASE. The role connectivity plays for performance, security and operation becomes clear – and why sequence determines success.
>20%
Savings
99,99%
Availability
24/7
Support
Why the path to the Secure Access Service Edge (SASE) doesn’t start with the vendor pitch – but with connectivity, resilience and transparency
- SASE bundles network and security functions cloud-natively – but it doesn’t automatically make bad lines better.
- If your underlay (access/transport) fluctuates, is fragmented or fails, user experience, security policy effectiveness and operation will suffer.
- The first step towards SASE is therefore: check the underlay, standardize it and make it resilient – then set up the overlay (SD-WAN/SASE) on top.
Why so many companies are relying on SASE right now
Hybrid work, multi-cloud and distributed applications have pushed the edge of the network: Users, devices and workloads are everywhere. At the same time, the threat landscape is growing – and security must work in-line without destroying performance. SASE addresses exactly this by providing network performance and security functions as a unified cloud service – independent of location and scalable.
SASE explained in brief:
What is in the architecture?
SASE typically combines the following components:
Network/control
- SD-WAN (policy-based path control, app awareness, encryption)
Security services
- SWG (Secure Web Gateway)
- CASB (Cloud Access Security Broker)
- FWaaS (Firewall as a Service)
- ZTNA (Zero Trust Network Access)
The goal: secure, high-performance access to applications – no matter where users and workloads are located.
The most common mistake in SASE projects
Many organizations start with the tool selection: “Which SASE provider? Which ZTNA solution? Which SD-WAN?” What is often missing: an honest inventory of the global underlay network. If the quality of your underlay varies from region to region or if SLAs and fault clearance processes vary from provider to provider, then your SASE rollout will exacerbate these problems – not solve them.
The first question before every SASE rollout: Is our underlay SASE-ready?
Use this checklist as a starting point:
- Do we have consistent connectivity across all regions?
- Are there locations that are based on consumer-grade access?
- Do we achieve low latency and high availability where it counts (voice/video/real-time)?
- Is resilience planned (redundancy, various paths, fast failover)?
- How quickly can we isolate and rectify underlay faults?
- Are there standardized SLAs/escalation paths or is there uncontrolled growth?
If you say “not sure” more than once here: Underlay first.
Underlay vs. overlay – the difference that determines success
Underlay (the “road”)
The underlay is the physical transport layer: fiber optic/DIA, Ethernet, MPLS, fixed wireless, satellite/LEO – including last mile, providers, handovers and SLAs.
Overlay (the “intelligence”)
The overlay is the virtual control layer on top: SD-WAN tunnels, app routing, encryption and policies – plus cloud-based security services in the SASE model.
Important: An overlay cannot turn bad roads into highways. At most, it can take more intelligent evasive action – if alternatives exist.
What a weak underlay does in practice with SASE
An unstable underlay often leads to:
- Unpredictable latency: poor voice/video quality, sluggish SaaS apps
- Packet loss and jitter: Policies work, but the experience breaks down
- Longer MTTRs (Mean Time to Repair): because troubleshooting between providers/regions becomes slow
- Higher operating costs: more tickets, more escalations, more “fire department”
- Frustrated end users: SASE is perceived as a problem instead of a solution
What does a SASE-compatible underlay really look like?
1) Resilience by design (not by hope)
- Primary: Fiber optics/DIA for critical locations
- Secondary: Fixed wireless or LEO as an independent backup path (or for locations that are difficult to access)
- Goal: fast failover without users noticing
2) Consistency across countries and providers
- Standardized performance targets (latency/jitter/loss)
- Standardized SLAs and escalation processes
- Less provider proliferation = faster fault clearance
3) End-to-end transparency
Without monitoring, your SASE policy stack is flying blind. Underlay telemetry for all links creates clarity and makes it possible to measure what the user is really experiencing – and whether a problem comes from security or transport.
Change of perspective: from product to customer reality
Before talking about SASE features, it is worth taking a look at the reality in the company: Where do most tickets arise today – performance, security, provider coordination or remote sites? What is the real driver: cloud migration, hybrid work, compliance, cost pressure or standardization? When the “why” is clear, SASE becomes a business enabler rather than a tool project.
Typical stumbling blocks: talking about specific products or carriers too early. The motive for the purchase and the need are decisive first – only then does the right solution follow.
How Savecall supports you
Savecall works vendor-neutral: i.e. we compare location options across the market (carrier, last mile, SLA and costs) and turn fragmentation into a controllable platform.
Our typical approach:
- Underlay audit: performance, availability, risk, provider landscape, dependencies
- Target image and standards: SLA framework, redundancy principle,
location classes (HQ/Branch/Remote) - Sourcing and design: suitable connectivity per location (DIA/Fiber/FWA/LEO/Mix)
- Operating model and monitoring: clear processes, escalation, transparency
- Then overlay: Roll out SD-WAN/SASE in such a way that security and user experience win
Conclusion: Underlay first – then SASE delivers the promised effect
SASE can massively accelerate cloud, hybrid work and security – if the foundation is right. A well-designed underlay provides stability, predictable performance and fast fault clearance. A SASE overlay can play to its strengths: secure, scalable, everywhere.
Customers
Why
Telecom & IT sourcing. Worldwide. Carrier-independent.
Selection & operation of worldwide connectivity & cloud infrastructure. Without vendor risk & unnecessary costs.
- 80+ carriers worldwide
- One point of contact
- One SLA
- One portal: mySAVECALL
- Min. 20% savings
25+
years of experience
40+
Employees
80+
Partner
1400+ Clients
Trusted Advisor for IT & Telecommunications Sourcing
What drives you forward – & what drives
Book a free expert consultation
One Contact. ALL Carriers.
+FAQ
You ask.
