Refer to the following diagram.
You can see that the controllers are deployed on-prem. They can also be deployed in the cloud, but then the WAN edges still have to go through the HQ LAN to reach the cloud. You can also notice that HQ is a single point of failure here; in the real world there can be 2 routers for redundancy.
If the TLOCs are configured on the physical interfaces, BR1 and BR2 will never reach the controllers, because their control-plane traffic is blocked on its way through HQ. As a workaround, we can configure the TLOCs on loopback interfaces on HQ, through which the control traffic from BR1 and BR2 will then pass.
Also, the Gi3 interface should be configured in VPN 0 (the global VRF on cEdges), while Gi4 is for the service VPN that carries the actual user traffic.
If you only have one link, you can create sub-interfaces.
Routing must be in place so that the loopback interfaces are reachable from the other routers.
It is always better to use VRFs on the LAN-side switches to isolate the underlay and overlay traffic.
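The steps above, as an added example for the HQ cEdge (IOS-XE SD-WAN); this is not configuration from the original post. All addresses, the VRF number 10, the colour name `private1`, the next hop 192.0.2.1 and the LAN switch VRF names are assumed values, and the `bind` keyword is the cEdge form of tying a loopback TLOC to a physical transport interface:

```cisco
! Added example: HQ cEdge with the TLOC on a loopback so that branch
! control-plane traffic can transit the HQ LAN. Values are assumed.

! --- VPN 0 (global routing table): transport side ---
interface Loopback0
 description TLOC source (assumed address)
 ip address 10.255.0.1 255.255.255.255
 no shutdown
!
interface GigabitEthernet3
 description Transport-facing link in VPN 0
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! If only one physical link exists, split it into dot1Q sub-interfaces:
! one stays in VPN 0, the other goes into the service VPN.
! interface GigabitEthernet3.100
!  encapsulation dot1Q 100
!  ip address 192.0.2.2 255.255.255.0
! interface GigabitEthernet3.200
!  encapsulation dot1Q 200
!  vrf forwarding 10
!  ip address 10.10.0.1 255.255.255.0
!
! Routing so the loopback is reachable from the other routers
! (a static default here; an IGP in VPN 0 works equally well).
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! --- Service VPN 10: user traffic only, never the transport ---
vrf definition 10
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet4
 description LAN-facing link in service VPN 10
 vrf forwarding 10
 ip address 10.10.0.1 255.255.255.0
 no shutdown
!
! --- SD-WAN tunnel on the loopback, bound to the physical transport ---
sdwan
 interface Loopback0
  tunnel-interface
   encapsulation ipsec
   color private1 restrict
   bind GigabitEthernet3
   ! Expose on the transport only what the control plane needs.
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service snmp
  exit
 exit
!
! --- LAN-side switch (separate device, assumed names): keep the underlay
! and the overlay in different VRFs so the two never share a routing table.
! vrf definition UNDERLAY
!  address-family ipv4
!  exit-address-family
! vrf definition OVERLAY
!  address-family ipv4
!  exit-address-family
```

The point of the `allow-service` lines is that a loopback TLOC reachable across the HQ LAN is also a management surface reachable across that LAN; leaving only the services the control plane needs open keeps the transport side from becoming an unintended entry point, and the separate VRFs on the switch are what stop underlay hosts from seeing service-VPN traffic at all.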