App VPNs versus App Wans

I am looking for a simple explanation of the difference between an App VPN versus an App WAN.

I sort of understand… but… I am unsure of the specifics of how an App WAN is better.


VPNs are generally point-to-point structures. One logs in and connects to a VPN aggregator or gateway, and then has access to the network “behind” that gateway. These create a few problems: they don’t scale particularly well, as many organizations found in the early days of the pandemic. Both the aggregation hardware and the physical layer for network connectivity can easily become bottlenecks. They are also difficult to manage well; often, the attachment to a VPN grants a significant amount of trust to the attached device, allowing them free access to large parts of the organization’s network. Lastly, we have seen many different VPNs fail in the last several years as applications. The fact that they are connect-before-authenticate allows attacks like directory traversal and others that have exposed a lot of orgs. AppWANs, on the other hand, are easily configurable with layers of services and endpoints bound together in many-to-many relationships, allowing very granular control easily. Other than the controller, the system is decentralized, and decentralization is currently being worked on to allow for more resilience there. Even in the current state, it is cloud-based, with hyperscaler resources for quick upsizing and more network connectivity than it could use, as it is not a part of the data plane. The lack of data plane aggregation allows data traffic to take whatever paths it needs to minimize latency, and “spread the load” from a capacity standpoint, removing bottlenecks.

The long and the short of it is that VPNs connect users and devices to networks. AppWANs connect endpoints to services. The differences spelled out above and many others are very advantageous to those making the switch.

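An added example, not NetFoundry’s or OpenZiti’s own code, modelling the “endpoints bound to services in many-to-many relationships” point from the answer above: a small default-deny policy evaluator. The identities, services, policy names, the `#attr`/`@name` selector syntax and the AnyOf/AllOf semantics are constructed assumptions, loosely modelled on how service policies are expressed in OpenZiti.

```python
# Added illustrative model of AppWAN-style access policy (not NetFoundry/OpenZiti code).
# Identities and services carry role attributes; a policy binds a set of identities
# to a set of services many-to-many, and anything no policy grants is denied.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    kind: str               # "Dial": client may reach a service; "Bind": host may offer it
    identity_roles: set     # "#attr" selects by role attribute, "@name" selects one identity
    service_roles: set
    semantic: str = "AnyOf" # "AnyOf": one selector suffices; "AllOf": every selector must match

def _selected(roles, name, attrs, semantic):
    """Does an object with this name/attribute set satisfy a policy's role selector?
    An empty selector must never match: all([]) is True and would silently grant everything."""
    if not roles:
        return False
    hits = [r[1:] == name if r[0] == "@" else (r[0] == "#" and r[1:] in attrs) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)

def permitted(kind, identity, services, policies):
    """Names of services the identity may Dial or Bind: default deny, union of policy grants."""
    name, attrs = identity
    allowed = set()
    for p in policies:
        if p.kind != kind or not _selected(p.identity_roles, name, attrs, p.semantic):
            continue
        for sname, sattrs in services.items():
            if _selected(p.service_roles, sname, sattrs, p.semantic):
                allowed.add(sname)
    return allowed

# Constructed sample inventory (hypothetical names, not from any real deployment).
SERVICES = {"payroll": {"finance-app"}, "wiki": {"internal"}, "hr-db": {"sensitive"}}
POLICIES = [
    Policy("finance-dial", "Dial", {"#finance"}, {"#finance-app"}),
    Policy("staff-wiki", "Dial", {"#employee"}, {"@wiki"}),
    # Only identities that are BOTH finance and audit may reach sensitive services.
    Policy("hr-audit", "Dial", {"#finance", "#audit"}, {"#sensitive"}, "AllOf"),
    Policy("payroll-host", "Bind", {"#payroll-server"}, {"@payroll"}),
]
ALICE = ("alice-laptop", {"finance", "employee"})
BOB = ("bob-phone", {"employee"})
CAROL = ("carol-audit", {"finance", "audit", "employee"})
PAYROLL_HOST = ("payroll-host", {"payroll-server"})

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, PAYROLL_HOST):
        print(who[0], "dial:", sorted(permitted("Dial", who, SERVICES, POLICIES)),
              "bind:", sorted(permitted("Bind", who, SERVICES, POLICIES)))
```

Contrast this with the VPN model from the answer: once attached to the gateway, a device sees the whole network behind it, whereas here an identity with no matching policy sees nothing at all.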

Thanks for your summary. This is a really nice comparison.

If possible, I have a few more points that I am wrestling with.

  1. the impact of serverless architectures if any, as this is all the rage.
  2. alternatives being used to avoid App VPNs and their associated limitations


I can take a crack at (1).

Serverless is a cloud computing execution model in which the cloud provider allocates machine resources on-demand, taking care of the servers on behalf of their customers. This would normally present a BIG challenge to VPNs or frankly any private network approach, which likely operates at the network layer or, at best, the host OS. Serverless does not provide a network or host OS to deploy any private network agent onto. If you are in AWS, for example, you either expose your serverless workloads to the public internet or you need to use AWS PrivateLink to connect it back over private IPs to your VPC, where you then have to set up your VPN/private network approach. This adds complexity, fragility, insecurity and cost. NetFoundry and OpenZiti, on the other hand, provide SDKs that can be compiled into the application which runs in a serverless environment, thus allowing anyone to apply zero trust network access to any serverless environment and remove exposure to networks. Any NF construct, including AppWANs, can thus be applied to serverless architecture.


Thanks @philip.griffiths… this helps a lot.

It’s all starting to sink in now… it’s a paradigm shift away from VPN / private networks… (the old way of working)… to an identity / service model (the new way of working), offering more flexibility… and more granular security implementations.