How does SD-WAN support hub-and-spoke versus partial-mesh topologies, and what are the trade-offs?

SD-WAN traffic routing topology defines how tunnels are built and how data moves between sites. In a hub-and-spoke setup, all traffic from branches is routed through a central hub, where policy enforcement, security, and optimization decisions are applied. This makes management and monitoring straightforward and gives a single control point, but inter-site traffic often travels back to the hub, which can add latency, consume more bandwidth on hub links, and create a potential bottleneck or single point of failure if the hub or its uplinks... Partial-mesh, by contrast, allows some sites to establish direct tunnels to each other. This reduces backhaul and lets inter-site traffic take the most direct path, improving latency and WAN efficiency and offering more flexible failover options. The trade-offs are more complex policy and route management, larger tunnel state, and higher orchestration overhead to keep the direct paths consistent and secure across the WAN. So the correct idea is that hub-and-spoke centralizes traffic through hubs with simpler management but possible latency and scalability limits, while partial-mesh enables direct site-to-site paths with better performance at the cost of added complexity. Note that SD-WAN deployments can mix approaches and do not mandate that all sites connect only to a central hub, nor do they require hub-and-spoke to be the sole scalable model.