As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.
Azure SD-WAN’s MPLS and SD-WAN Problem
When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.
You can continue to rely on your centralized security gateway, backhauling traffic from branch office inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?
Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless.
And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity.
Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predicable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.Migrating your Datacenter Firewall to the Cloud | Download eBook
How Azure SD-WAN Works to Connect Cato and Azure
Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only matter of crossing a fast, LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.
To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services, establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato’s will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to destination PoP.
Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.
Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.
How Azure SD-WAN Secures Azure Resources
In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling.
Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
Azure instances and all resources connected to Cato, including site, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.
Azure SD-WAN Benefits
The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:
Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.
Security and deployment simplicity
With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)
Networking and security agility
Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.
Affordable and fast ROI
Enterprises get superior cloud performance without paying for the high-cost cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.
For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.