TTechclick ⚡ XP 0% All lessons
Versa · Secure SD-WAN · ArchitectureInteractive · L1 / L2 / L3

Versa SD-WAN Architecture — Director, Controller, Analytics & VOS

Versa Secure SD-WAN is four building blocks mapped to four planes: the Director orchestrates, the Controller distributes routes, Analytics watches everything, and the VOS branch device actually forwards traffic. This lesson maps each component, shows which plane it owns, and nails the one fact interviewers chase — only VOS is in the data path; everything else is an out-of-band brain.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Versa Secure SD-WAN architecture (2026): the four building blocks mapped to four planes — Versa Director (management), Versa Controller (control), Versa Analytics (analytics) and the VOS branch device (data plane) — plus where Concerto, headends and control connections fit, and why only VOS sits in the data path.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Four planes

One product, four building blocks, four planes.

 2

Director & Controller

Management orchestration and the control plane.

 3

Analytics & VOS

Telemetry plane and the data-plane branch.

 4

Bring-up & deploy

Day-0 to Day-2, Concerto, headends, scale.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Versa SD-WAN a single appliance you drop on the network?

Answered in Four planes.

2. Which component distributes SD-WAN routes between branches?

Answered in Director & Controller.

3. Which component actually forwards your traffic?

Answered in Analytics & VOS.

Most engineers think…

Most people picture SD-WAN as 'a magic box at each branch that picks the best link'. That mental model is half right and it sinks you in an interview.

Versa Secure SD-WAN is a distributed system of four components mapped to four planes: the Director orchestrates and manages, the Controller is the control plane that distributes routes like a route reflector, Analytics is the telemetry plane that collects and visualises everything, and the VOS branch device is the data plane that actually forwards traffic and runs security on it. The key fact: only VOS is in the data path. Director, Controller and Analytics are out-of-band brains — your traffic never flows through them. Knowing that split lets you place components correctly, secure the control connections, and scale each plane on its own.

① What Versa SD-WAN actually is — four planes, not one box

The single most important idea: Versa Secure SD-WAN is four building blocks that map to four planes, not one device. You manage from one place, control routing from another, watch everything from a third, and only the branch device forwards real packets.

The four planes are the management plane (Versa Director), the control plane (Versa Controller), the analytics plane (Versa Analytics), and the data plane (VOS on the branch device).

The interview line: only the VOS branch device is in the data path. Director, Controller and Analytics are out-of-band — your packets never pass through them.

Figure 1 — Four planes, four components
Versa SD-WAN splits cleanly into four planes — only the last one touches your packets.Four planes, four componentsManagementVersa DirectorControlVersa ControllerAnalyticsVersa AnalyticsData pathVOS branch device
Versa SD-WAN splits cleanly into four planes — only the last one touches your packets.
Quick check · Q1 of 10 · Understand

Versa Secure SD-WAN is best described as…

Correct: b. Versa SD-WAN is a distributed system: Director (management), Controller (control), Analytics (analytics) and the VOS branch device (data plane). Only VOS sits in the data path; the other three are out-of-band brains.
👉 So far: Versa SD-WAN = four components on four planes — Director (management), Controller (control), Analytics (analytics) and VOS (data). Only VOS is in the data path.

② Director and Controller — the manager and the route reflector

Versa Director is the management and orchestration plane. It is the single pane of glass: config templates, device onboarding and lifecycle (Day-0 / Day-1 / Day-2), multi-tenant organizations, software upgrades and REST APIs for automation. Crucially, the Director does not sit in the data path.

What the Controller does

Versa Controller is the control plane. It establishes secure control connections to every branch VOS and acts as a route reflector, distributing SD-WAN reachability and routes between sites. Like the Director, it stays out of the data path. You run multiple Controllers for high availability and scale.

Figure 2 — Director vs Controller
Two out-of-band brains with very different jobs — manager vs route reflector.Director vs ControllerVersa DirectorManagement / orchestrationTemplates & Day-0/1/2Multi-tenant organizationsREST APIs & upgradesNot in the data pathVersa ControllerControl planeSecure control connectionsRoute reflector for branchesMultiple for HA / scaleNot in the data path
Two out-of-band brains with very different jobs — manager vs route reflector.
🗂️
Versa Director
tap to flip

Management / orchestration plane — single pane of glass, templates, Day-0/1/2 lifecycle, multi-tenant organizations, REST APIs and upgrades. Not in the data path.

🧭
Versa Controller
tap to flip

Control plane — builds secure control connections to every branch and acts as a route reflector distributing SD-WAN routes. Run multiple for HA. Not in the data path.

📊
Versa Analytics
tap to flip

Analytics plane — collects logs, telemetry and IPFIX flow records from VOS, giving dashboards, reporting and forensics. Usually a cluster.

🔀
VOS branch device
tap to flip

Data plane — FlexVNF / CSG / uCPE / cloud. The only component in the data path; runs routing, the SD-WAN overlay and integrated security on real traffic.

Name the four planes, then the data path

In an interview, list the four components and the plane each owns — Director (management), Controller (control), Analytics (analytics), VOS (data) — then add the killer line: only VOS is in the data path; the other three are out-of-band. That one sentence shows you actually understand the architecture.

Quick check · Q2 of 10 · Remember

Which component acts as a route reflector that distributes SD-WAN routes between branches?

Correct: a. The Controller is the control plane: it opens secure control connections to every branch VOS and reflects SD-WAN reachability/routes between sites. The Director manages, Analytics observes — neither distributes routes.
👉 So far: Director = single pane of glass for templates, lifecycle and APIs; Controller = control plane that reflects SD-WAN routes over secure control connections. Neither is in the data path.

③ Analytics and VOS — the watcher and the forwarder

Versa Analytics is the analytics plane. It collects logs, telemetry and IPFIX flow records from the VOS devices and turns them into dashboards, reporting, monitoring and forensic visibility. It is usually deployed as a cluster — Analytics nodes plus search / log-collector nodes — so it scales with the number of branches.

The VOS branch device

The VOS branch device is the data plane and the only component in the data path. It runs as FlexVNF software, a CSG appliance, a uCPE host or a cloud instance. It runs the routing, the SD-WAN overlay and the integrated security services (firewall, IPS, URL filtering) on the actual traffic.

Figure 3 — Where each plane lives in the data path
Only the VOS branch device handles real traffic; the other three planes stay out-of-band.Where each plane lives in the data pathManagement planeDirector — orchestration, out-of-bandControl planeController — route reflector, out-of-bandAnalytics planeAnalytics — telemetry & IPFIX, out-of-bandData planeVOS branch — the only one in the data path
Only the VOS branch device handles real traffic; the other three planes stay out-of-band.
Figure 4 — Branches around the Versa control brains
Every branch VOS opens secure control connections to the Controller and Director; Analytics collects from all of them.Branches around the Versa control brainsDirector +Controller + AnalyticsBranch VOS (Mumbai)Branch VOS (Pune)Branch VOS (Delhi)Headend VOS (DC)Cloud VOSuCPE branch
Every branch VOS opens secure control connections to the Controller and Director; Analytics collects from all of them.
'The Controller carries my traffic' mix-up

The Controller is a route reflector on the control plane — it distributes routes, it does not forward user packets. Branch-to-branch traffic rides VOS-to-VOS overlay tunnels (or via a headend VOS), never through the Controller or Director. Confusing control plane with data plane is the classic SD-WAN interview trap.

▶ Watch a new branch come online and start forwarding

How the four planes hand off to bring a site up end-to-end. Press Play for the healthy path, then Break it to see the classic failure.

① Control connectionThe branch VOS boots and opens a secure control connection (TLS / IKE-IPsec) to the Controller and Director, authenticated by certificate.
② OnboardThe Director pushes the templated Day-0/1 config — interfaces, the SD-WAN policy and security profile — down to the VOS.
③ Route reflectThe Controller reflects SD-WAN routes so this branch learns the others and is learned by them — no full mesh of peerings needed.
④ Forward + observeVOS builds overlay tunnels and forwards user traffic; Analytics collects the IPFIX flow records for dashboards and forensics.
Press Play to step through a healthy branch bring-up. Then press Break it.
Quick check · Q3 of 10 · Apply

You need the device that actually forwards user traffic and runs branch security. Which is it?

Correct: c. Only the VOS branch device (FlexVNF / CSG / uCPE / cloud) is in the data path — it runs routing, the SD-WAN overlay and integrated security on real traffic. Director, Controller and Analytics are out-of-band.
👉 So far: Analytics = telemetry plane collecting logs and IPFIX into dashboards; VOS (FlexVNF / CSG / uCPE / cloud) = the only data-plane component that forwards traffic and runs security.

④ Bringing up a branch — and deploying without surprises

Put the planes together and a new branch comes up like this: the VOS device boots and opens a secure control connection to the Controller and Director; the Director pushes the templated config (Day-0/1); the Controller reflects routes so the new site learns and is learned by the others; and from then on the VOS forwards traffic while Analytics records every flow.

Deploy sanely

Run the Director and Controllers as redundant, out-of-band brains in a data center or cloud; deploy multiple Controllers for HA and scale; and place headend VOS instances at the hub to terminate branch tunnels. At SASE scale, Versa Concerto becomes the cloud orchestration layer above the Director.

Figure 5 — How a new branch comes online
From boot to forwarding — the four planes hand off in order, then VOS carries the traffic.How a new branch comes onlineBootVOS opens control connOnboardDirector pushes configRoutesController reflectsForwardVOS carries trafficObserveAnalytics recordsflows
From boot to forwarding — the four planes hand off in order, then VOS carries the traffic.

Rohit at a Hyderabad retail chain faces this

A newly shipped branch boots but its sites cannot reach each other over SD-WAN, even though the box is online and pingable on its WAN link.

Likely cause

The VOS opened a control connection to the Director but a firewall is blocking the Controller's control-connection port, so the branch never learns or advertises routes.

Diagnosis

In the Director, the device shows as reachable but the Controller peering for this site is down; Analytics shows no overlay flows from the branch.

Director ▸ Monitor ▸ Devices ▸ Control Connections (Controller status)
Fix

Open the Controller control-connection ports (TLS / IKE-IPsec) through the branch firewall and confirm the certificate trust; the Controller then reflects routes and the overlay comes up.

Verify

Re-check: the Controller connection is green, the branch learns peer routes, and Analytics starts recording branch-to-branch overlay flows.

Prove it from control-connection status

Never guess why a branch is isolated. The Director's control-connection view shows whether the VOS reached the Controller and Director; Analytics shows whether real flows exist. Those two reads tell you if it is a control-plane problem or a data-plane one — without poking the live traffic.

Quick check · Q4 of 10 · Analyze

An interviewer asks what is true of Director, Controller and Analytics. Best answer?

Correct: d. Director (management), Controller (control) and Analytics (analytics) are all out-of-band. They orchestrate, distribute routes and observe, but user traffic only ever flows through VOS branch devices.
👉 So far: A branch boots, opens a secure control connection, gets config from the Director and routes from the Controller, then VOS forwards traffic while Analytics watches. Concerto orchestrates at SASE scale.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which Versa component is the management and orchestration plane?

Correct: a. The Director is the single pane of glass for templates, the Day-0/1/2 lifecycle, multi-tenant organizations, upgrades and REST APIs. The Controller controls routing, Analytics observes, VOS forwards.
Q6 · Understand

Versa Analytics primarily provides which capability?

Correct: c. Analytics is the analytics plane: it collects logs, telemetry and IPFIX flow records from VOS devices and turns them into dashboards, reporting and forensic visibility. It never forwards traffic or distributes routes.
Q7 · Apply

A branch needs to learn routes to every other site without a full mesh of peerings. Which component makes that work?

Correct: b. The Controller is the control plane and acts as a route reflector — branches peer to the Controller, which re-advertises SD-WAN reachability, so no branch-to-branch full mesh of control sessions is required.
Q8 · Analyze

Which statement about the Versa data path is correct?

Correct: d. Director (management), Controller (control) and Analytics (analytics) are out-of-band brains. Only VOS — on the branch, headend or cloud — actually forwards user traffic and runs security on it.
Q9 · Evaluate

An interviewer asks how to scale and harden the Versa control layer. Best answer?

Correct: b. You scale the control plane by running multiple Controllers for HA and capacity, and you harden it by securing the certificate-based control connections (TLS / IKE-IPsec). The Director and Analytics stay out-of-band.
Q10 · Evaluate

Where does Versa Concerto fit relative to the four components?

Correct: c. Concerto is the cloud orchestration layer used for Versa SASE / unified management at scale — the SASE-era orchestrator above the Director. It is not in the data path, not the Controller, and not the flow collector.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is Versa SD-WAN called 'four planes' rather than 'one box'? Then compare with the expert version.

Expert version: Because each of the four components owns a different plane and stays in its lane. The Director is the management plane (orchestration, templates, lifecycle, APIs), the Controller is the control plane (secure control connections and route reflection between branches), Analytics is the analytics plane (logs, telemetry and IPFIX into dashboards and forensics), and the VOS branch device is the data plane that actually forwards traffic and runs security. Only VOS is in the data path; Director, Controller and Analytics are out-of-band brains. That separation is exactly why you can scale each plane independently — multiple Controllers, an Analytics cluster, headend VOS at the hub — and why Concerto can sit above it all to orchestrate Versa SASE at scale.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Versa Director
The management and orchestration plane — single pane of glass for templates, Day-0/1/2 lifecycle, multi-tenant organizations, upgrades and REST APIs. Out-of-band; not in the data path.
Versa Controller
The control plane — establishes secure control connections to every branch VOS and acts as a route reflector distributing SD-WAN routes. Run multiple for HA. Not in the data path.
Versa Analytics
The analytics plane — collects logs, telemetry and IPFIX flow records from VOS devices and provides dashboards, reporting and forensics. Usually a cluster.
VOS / FlexVNF
The Versa Operating System on the branch device (FlexVNF software, CSG appliance, uCPE or cloud) — the data plane that forwards traffic and runs the SD-WAN overlay and security.
Control connection
The secure, certificate-authenticated session (TLS / IKE-IPsec) a branch VOS opens to the Controller and Director for control and management traffic.
Route reflector
A node that learns routes from all branches and re-advertises them, so sites exchange reachability without a full mesh of peerings — the Controller's role.
Headend VOS
VOS instances in the data center or cloud that terminate branch overlay tunnels in hub-and-spoke SD-WAN designs.
Versa Concerto
The cloud orchestration layer for unified Versa SASE / SD-WAN management at scale — the SASE-era orchestrator above the Director.

📚 Sources

  1. Versa Networks — Versa Secure SD-WAN product page and architecture overview. versa-networks.com
  2. Versa Networks Docs — Versa Director: orchestration, templates and Day-0/1/2 lifecycle. docs.versa-networks.com
  3. Versa Networks Docs — Versa Controller: control connections and route reflection. docs.versa-networks.com
  4. Versa Networks Docs — Versa Analytics: log collection, IPFIX and dashboards. docs.versa-networks.com
  5. Versa Networks Docs — VOS / FlexVNF branch deployment (CSG, uCPE, cloud). docs.versa-networks.com
  6. Versa Networks — Versa Concerto: cloud orchestration for Versa SASE at scale. versa-networks.com

What's next?

Got the four planes? Next, go deep on the Versa SD-WAN overlay itself — how VOS branches build IPsec tunnels, run SD-WAN traffic steering and apply SLA-based path selection across MPLS, broadband and LTE.

Next · All interview lessons → Practice on exam.techclick.in →