How does SD-WAN manage IP addressing and NAT in an overlay?

SD-WAN overlays carry traffic between sites using private, virtual addresses inside the tunnel, so each site can connect without coordinating public IPs. The overlay tunnels wrap the traffic with these internal addresses, while the underlay transport can be anything from private networks to the public Internet. NAT is applied at the edge devices or security gateways according to policy to translate those private overlay addresses to routable addresses (public or other site-reachable) as traffic crosses site boundaries. This per‑policy translation ensures reachability and correct address mapping across sites and to cloud or Internet destinations, while preserving isolation and control over how traffic is exposed externally. Using public addresses for all sites would create conflicts and complexity, NAT being limited only to the cloud provider would miss inter-site translation, and overlay addressing is not restricted to static assignments in dynamic SD-WAN deployments.