Ctrl+Alt+Route

Simplifying Networking & IT: Tips, Tricks, and Tutorials.

Graphiant: Rethinking Wide-Area Networking with a Stateless, Service-Based Model

Earlier this month at Networking Field Day 39, I had the chance to meet Graphiant — a Silicon-Valley–based Network-as-a-Service (NaaS) provider that’s taking a different approach to enterprise and B2B connectivity. Their architecture stood out because it doesn’t simply upgrade SD-WAN or copy MPLS — it redesigns the WAN entirely using metadata-driven routing, stateless forwarding, and edge-to-edge encryption, all delivered as a service.

Who Is Graphiant?

Graphiant is a Silicon Valley networking company founded by Khalid Raza, the co-founder of Viptela and widely considered the father of SD-WAN. The company focuses on providing a private, programmable, globally distributed NaaS platform built to support AI workloads, multi-cloud, B2B data exchange, and modern distributed applications.

Graphiant delivers this service through four major components:

  • Graphiant Edge — a software-based edge router/firewall deployed on x86 hardware, hypervisors, or the cloud.
  • Graphiant Stateless Core — a private backbone that performs pure packet forwarding without customer state.
  • Graphiant Gateways — cloud and service onboarding points.
  • Graphiant Portal — a cloud-based control and management plane.

What Does Graphiant Offer?

Graphiant provides a Network-as-a-Service that gives enterprises:

  • High-performance, SLA-based private connectivity
  • Edge-to-edge encryption with no decryption inside the core
  • Hybrid and multi-cloud networking
  • B2B data exchange without DMZ complexity
  • Built-in data assurance and policy governance
  • AI-ready data mobility

Unlike traditional WAN architectures, Graphiant eliminates tunnel sprawl, removes routing state from the core, and uses a metadata-programmed forwarding model to control traffic flow.

Understanding Graphiant’s Network-as-a-Service (NaaS)

Graphiant builds its service on a few foundational principles. First, the network isn’t something customers assemble from scratch—the backbone already exists. Enterprises simply attach their edges to the Graphiant fabric and provision everything through a cloud-based portal, similar to subscribing to a cloud service.

Another key principle is the separation of control and data planes. All policy management, metadata programming, key exchange, and analytics happen in the cloud, while the actual data traffic flows through the edges and the stateless core. This keeps the control layer flexible and centralized, while the data plane remains fast and efficient.

Finally, the core itself is intentionally stateless. Unlike MPLS or SD-WAN designs that rely on customer-specific routes, VRFs, and tunnel state embedded in the backbone, Graphiant removes all of that complexity. The core forwards packets purely based on metadata, which makes the entire system far more scalable, predictable, and simple to operate.

How Graphiant Handles the Control Plane

Graphiant’s control plane lives entirely in the cloud through the Graphiant Portal and Controller. It maintains secure tunnels to every edge device, pushes down metadata and policy updates, and orchestrates the behavior of the data plane—without ever touching or inspecting customer payloads.

A key part of this system is how edges join the network. Each device authenticates using TPM/HSM-backed certificates, eliminating the need for pre-shared keys or manual key handling. Once onboarded, the edge relies on the cloud control plane for ongoing policy and metadata instructions, while the encrypted traffic itself flows independently through the stateless core.

How Graphiant Handles Encryption

Graphiant’s encryption model is one of the clearest ways it breaks from traditional SD-WAN. Instead of relying on IPsec tunnels, all encryption happens edge-to-edge, and the core never decrypts traffic. Key exchange is handled entirely through the control plane, which keeps encryption independent of any tunnel mechanics.

At a low level, the process works like this: when a packet arrives at the Graphiant Edge, it is encrypted once using ESPv3 with a pairwise key—there’s no end-to-end tunnel to maintain. After encryption, the edge builds a lightweight outer header stack that includes:

  • a Graphiant-assigned IPv6 header
  • metadata labels that describe the packet’s SLA and handling
  • an Authentication Header (AH) to ensure integrity

How Graphiant Handles the Data Plane

Instead of relying on traditional routing, Graphiant’s data plane uses metadata-based forwarding. When a packet reaches the edge, it’s encrypted once, wrapped with a Graphiant-assigned IPv6 header, tagged with metadata, and protected with an integrity header before being sent to the nearest core node. The core never decrypts the payload—it simply reads the metadata and forwards the packet along the appropriate SLA-defined path.

This is where the “stateless” part comes in. The core doesn’t hold customer routes, VRFs, tunnels, or flow state, and it has no visibility into internal IP addressing. Its entire job is to switch packets based on labels and metadata, making routing decisions without carrying any customer-specific state.
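A simplified model of the header stack and metadata-based forwarding described in the two sections above, added here as an illustration; it is not Graphiant's code or wire format. The field layout, label values, path names, and HMAC-SHA256 as the integrity tag are assumptions, as is the choice that only the receiving edge (not the core) holds the pairwise key and verifies the tag.

```python
import hashlib
import hmac
import struct

# Assumed layout (not Graphiant's wire format): 16-byte source and destination
# fabric addresses, 2-byte SLA label, 32-byte integrity tag, opaque ciphertext.
HDR = struct.Struct("!16s16sH")
TAG_LEN = 32
# The core's only table: label -> path, identical for every tenant (constructed values).
SLA_PATHS = {10: "core-low-latency", 20: "core-bulk"}

def edge_wrap(pair_key, src, dst, sla_label, ciphertext):
    """Sending edge: build the outer header, then tag header + encrypted payload."""
    hdr = HDR.pack(src, dst, sla_label)
    tag = hmac.new(pair_key, hdr + ciphertext, hashlib.sha256).digest()
    return hdr + tag + ciphertext

def core_forward(packet):
    """Core: reads only the label; holds no key, customer route or flow state."""
    label = HDR.unpack_from(packet)[2]
    return SLA_PATHS.get(label)  # None means drop: unknown label

def edge_unwrap(pair_key, packet):
    """Receiving edge: verify the tag before the ciphertext goes to decryption."""
    hdr, rest = packet[:HDR.size], packet[HDR.size:]
    if len(rest) < TAG_LEN:
        raise ValueError("truncated packet")
    tag, ciphertext = rest[:TAG_LEN], rest[TAG_LEN:]
    expected = hmac.new(pair_key, hdr + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return HDR.unpack(hdr)[2], ciphertext

def relabel(packet, new_label):
    """Model an in-transit change to the SLA label, leaving tag and payload as-is."""
    src, dst, _ = HDR.unpack_from(packet)
    return HDR.pack(src, dst, new_label) + packet[HDR.size:]

def demo():
    key = bytes(range(32))  # constructed pairwise key
    pkt = edge_wrap(key, bytes(16), bytes([1]) * 16, 10, b"opaque-esp-ciphertext")
    moved = relabel(pkt, 20)
    try:
        edge_unwrap(key, moved)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return core_forward(pkt), core_forward(moved), verdict
```

In this model a label changed in transit does steer the key-less core onto a different path, which is why the integrity tag has to cover the metadata labels as well as the payload: the receiving edge is where the change is caught.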

Putting It All Together

From a fundamentals standpoint, Graphiant is solving long-standing WAN problems:

| Traditional Problem | How Graphiant Addresses It |
| --- | --- |
| Full mesh tunnel sprawl | No tunnels; metadata-based forwarding |
| Core overloaded with VRF/state | Stateless core decouples data + control |
| Repeated encryption hops | One-time edge encryption |
| Complex SD-WAN overlays | Network is pre-built; edges simply join |
| Hard-to-manage B2B extranets | NAT + metadata-based segmentation |
| Inconsistent public-internet MTU | Predictable header overhead |

Ending thoughts

Graphiant represents a significant shift in how we think about WAN architecture. Instead of stitching tunnels across unreliable transports, or building massive VRF-heavy backbones, Graphiant provides:

  • A predictable, encrypted, private, global stateless core
  • A service-based consumption model
  • A metadata-programmable data plane
  • A cloud-based control plane
  • A secure foundation for AI data mobility, multi-cloud, and B2B exchanges

For enterprises struggling with multi-cloud sprawl, complex B2B networking, or AI data governance, this architecture provides a modern alternative to SD-WAN and MPLS — without inheriting their limitations.

For more details on Graphiant’s presentation and NFD39, you can explore:


Disclosure: I occasionally attend events like Tech Field Day. While that might include some small perks such as travel assistance or swag from vendors, what I write and think is always 100% my own.

