How To Best Design Your WAN for Accessing AWS, Azure, and the Cloud


In 2014, Gartner analysts wrote a Foundational Report (G00260732, Communication Hubs Improve WAN Performance) providing guidance to customers on deploying communication hubs, or cloud-based network hubs, outside the enterprise data center. Five years later, that recommendation is more important than ever, as current enterprise computing strategies dictate the need for a modern WAN architecture.

What is a communication hub?

A communication hub is essentially a datacenter in the cloud, with an emphasis on connectivity to other communication hubs, cloud data centers, and cloud applications. Hubs house racks of switching equipment in major colocation datacenters around the world, and together they form a series of regional Points of Presence (PoPs). These PoPs are interconnected with high-capacity, low-latency circuits that create a high-performance core network. Communication hubs also have peering relationships with public cloud data centers such as those from Amazon, Microsoft and Google, and major cloud applications from Microsoft, NetSuite, Salesforce and more. This helps deliver predictable network performance.

At the edge of this network, customers can connect their branch locations, corporate data centers, mobile and remote users to the core network via their preferred carrier services (MPLS, broadband, LTE, etc.) using secure tunnels. Each entity connects to the communication hub nearest them to reduce latency.

Communication hubs also host regionalized security stacks so that traffic going to/coming from the Internet and external clouds can be inspected thoroughly for threats. This eliminates or vastly reduces the need for customer locations to host security appliances of their own.

The need for communication hubs, and the benefits they provide

According to the Gartner report, the primary reasons for developing a WAN architecture based on communication hubs are the same reasons Cato has been articulating for years:


  • Cloud services are responsible for moving more applications out of the corporate datacenter and onto IaaS and SaaS platforms. This need to send traffic directly into the cloud requires the core WAN backbone based on the hubs to become the new corporate LAN.
  • An increasing number of mobile users needing access to enterprise applications want a high-quality user experience, without the latency of backhauling their traffic to a corporate data center.
  • Voice and video traffic is on the rise, and it requires high bandwidth, low latency transport. Also, companies need the ability to prioritize certain types of traffic across the WAN.


We would add to this list the need to distribute security to the regional locations close to where the users are, without having to have hardware appliances in the branches.

The Gartner report notes that creating a WAN backbone architecture based on communication hubs connected with high-speed links provides many benefits to the enterprise, including:


  • Minimize Network Latency — This type of architecture ensures the fastest network path between an enterprise’s strategic sites, which include data centers, branch locations, cloud providers and a large population of the enterprise’s customer base.
  • Keep Traffic Regionalized — Minimize the backhauling of traffic into a corporate datacenter when it has to go from the enterprise network to the Internet, or for audio/Web/video collaboration.
  • Utilize Ethernet for Cloud Connectivity — Cloud services can be accessed over private connectivity via Ethernet and MPLS, providing more predictable performance.
  • Provide On-Demand Flexibility — Easily and quickly modify bandwidth as business needs change by provisioning new circuits within days via self-service.

Cato Cloud is the ultimate network of communication hubs

From the very beginning, Cato’s unique vision has been very similar to the WAN architecture described in Gartner’s report. Cato has built a global network of PoPs – our term for “communication hubs” – where each PoP runs an integrated network and security stack. At this writing, there are more than 40 PoPs covering virtually all regions of the world. Our goal is to place a PoP within 25 milliseconds of wherever businesses work.

The PoPs are interconnected with multiple tier-1 carriers that provide SLAs around long-haul latency and packet loss, forming a speedy and robust core network. The PoP software selects the best route for each packet across those carriers, ensuring maximum uptime and best end-to-end performance. The design offers an immediate improvement in network quality over the unpredictable Internet links at a significant cost reduction over MPLS.

All customer entities connect to the Cato Cloud backbone using secure tunnels, which can be established in a couple of ways. Cato can establish an IPsec tunnel from customers’ existing equipment, such as a firewall in a datacenter or branch location. A second way is to use a Cato Socket, a zero-touch SD-WAN device, to manage traffic across the last mile from a branch office. Mobile users can connect via a Cato Client on their device. Thus, every customer location and user can connect easily and securely to the WAN.

Cato applies a layer of optimization at the cloud, for both cloud data centers and cloud applications. For cloud applications, Cato can set egress points on its global network so that the Internet traffic for specific apps (for example, Office 365) exits at the Cato PoP closest to the customer’s instance of that app. For cloud data centers, the Cato PoPs are co-located in data centers directly connected to the same Internet exchange points as the leading IaaS providers such as AWS and Azure. Cato drops the traffic right in the cloud’s data center, the same way a premium connection like Direct Connect and ExpressRoute would. These services are no longer needed when using Cato Cloud.

In short, Cato’s unique multi-segment acceleration combines both edge and global backbone and allows Cato to maximize throughput end-to-end to both WAN and cloud destinations. This is the crux of the argument for communication hubs.

Security is an integral component of Cato’s global network. Convergence of the networking and security pillars into a single platform enables Cato to collapse multiple security solutions such as a next-generation firewall, secure web gateway, anti-malware, and IPS into a cloud service that enforces a unified policy across all corporate locations, users and data. Cato’s holistic approach to security is found everywhere throughout the Cato Cloud platform.

Communication hubs provide a flexible WAN architecture with significant benefits. Companies can choose to build their own network of hubs at great expense, or they can plug into the Cato Cloud and enjoy all the benefits of a modern WAN from day one.