Azure SD-WAN: Cloud Datacenter Integration with Cato Networks

October 3, 2019

As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.

Azure SD-WAN’s MPLS and SD-WAN Problem

When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating the purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operation.

You can continue to rely on your centralized security gateway, backhauling traffic from branch offices for inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?

Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. What’s more, the approach does nothing for mobile users, who sit off the MPLS network regardless.

And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions, adding even more cost and complexity.

Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network, so you’re still reliant on MPLS for predictable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, who are also out of scope for edge SD-WAN.

How Azure SD-WAN Works to Connect Cato and Azure

Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 45 points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only a matter of crossing a fast LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.

To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services and making the PoP the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to the destination PoP.

Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites run a Cato Socket, Cato’s SD-WAN appliance, or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.

How Azure SD-WAN Secures Azure Resources

In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhaul.

Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities that currently includes a next-gen firewall/VPN, Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and a Managed Threat Detection and Response (MDR) service. Azure instances and all resources connected to Cato, including sites, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.

Azure SD-WAN Benefits

The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:

Superior Microsoft Azure performance

The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.

Security and deployment simplicity

With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service.

Networking and security agility

Azure SD-WAN’s simplicity, Azure integration and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.

Affordable and fast ROI

Enterprises get superior cloud performance without having to pay the high cost of branch office SD-WAN hardware, carrier SD-WAN services or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.

For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on four ways to connect and secure your cloud data center or this webinar on connecting mobile users to multi-cloud datacenters.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.