All Services Back

Why Schools Are Moving Away from MPLS to SD-WAN / VPN (and What It Means for You)

Why Schools Are Moving Away from MPLS — and What to Do Instead

For years, MPLS was the go-to for linking school sites together. It did the job — stable, predictable, and secure.

But things have changed.

Schools are now running cloud systems, staff are working across multiple sites, and trusts are growing quickly. MPLS hasn’t kept up. It’s expensive, slow to adapt, and doesn’t give you the flexibility modern schools need.

We’re seeing a clear shift toward internet-based connectivity with secure VPNs — and for most schools, it’s a better fit.

What’s replacing MPLS?

Instead of a private MPLS network, schools are moving to:

  • Business-grade internet connections (FTTP, leased lines)
  • Firewalls at each site
  • Secure site-to-site VPNs (often called Branch Office VPNs)

Solutions like WatchGuard make it straightforward to build secure tunnels between sites, without the cost and rigidity of MPLS.

What is a Branch Office VPN?

In simple terms, it securely links your school sites over the internet so they behave like one network.

Your primary site becomes the “hub”, and all other schools connect into it. Traffic between sites is encrypted, so it’s just as secure as MPLS, but far more flexible.

The real benefits for schools

1. Cost savings (and they’re not small)
MPLS circuits are expensive and often overkill. Moving to standard internet connections with VPN can reduce costs significantly, especially across multiple sites.

2. Faster to deploy and scale
Adding a new school to an MPLS network can take months. With VPN, it’s days. That matters when trusts are growing or taking on new schools.

3. Built for cloud-first environments
Most school systems now live in Microsoft 365 or Google. Backhauling everything through MPLS doesn’t make sense anymore. VPN-based setups allow direct internet breakout where needed, improving performance.

4. Resilience and failover
You can easily introduce backup connections (4G, Starlink, secondary broadband). If one link drops, traffic reroutes automatically. MPLS typically doesn’t give you that flexibility without added cost.

One tenant, multiple schools — how it should work

This is where things get interesting.

When set up properly, a multi-site network doesn’t feel like separate schools. It feels like one environment.

With a single tenant (whether that’s Microsoft 365 or Google), you can:

  • Provide staff with one login across all sites
  • Access shared drives, systems, and resources from anywhere
  • Apply consistent safeguarding, filtering, and security policies
  • Centrally manage users, devices, and permissions

The network underpins all of this.

Using a hub-and-spoke VPN model, you can:

  • Route traffic between schools securely
  • Control access between sites (e.g. restrict student networks, allow staff access)
  • Apply filtering and monitoring consistently across every location

Done right, it removes the “this only works at that school” problem.

Where most setups go wrong

We often see:

  • Flat networks with no segmentation between sites
  • Inconsistent filtering and safeguarding
  • No visibility of traffic between schools
  • Poor failover design

A VPN alone doesn’t fix these, the design around it matters.

The bottom line

MPLS had its place, but most schools don’t need it anymore.

A well-designed VPN setup gives you:

  • Lower cost
  • More flexibility
  • Better performance for cloud systems
  • A proper foundation for multi-site working

More importantly, it sets you up to run your schools as a single, joined-up environment — not a collection of disconnected sites.

If you’re unsure whether your current setup is holding you back, it’s worth reviewing. Most schools we speak to are paying more than they need to, for less than they should be getting

.

Other services