Close

SD-WAN is the “Easy Button” for Securing Multi-Cloud Connectivity: Part 1

By Nav Chander, Senior Director of Service Provider Marketing
Share Post

This two-part blog series will provide insights on advanced SD-WAN platform capabilities that can help enterprises simplify their journey towards a better integration of the WAN to multi-cloud providers. Read part two here. 

When the COVID-19 pandemic first hit, companies around the world had to shift their focus toward launching new and expanded digital services to support a fully remote workforce and accelerate the transition to a more cloud-connected world – all virtually overnight. The consequence of the global pandemic exacerbated the importance of accelerating cloud and digital transformation, resulting in more than 90 percent of enterprises purporting to now have a multi-cloud strategy in place, according to the Flexera 2020 State of the Cloud Report.

So, fast forward to today. Have enterprises also considered and adapted their IT and network infrastructure to support applications in a multi-cloud connected environment? Here are five common challenges enterprise IT managers face when it comes to supporting multi-cloud connectivity of applications across the enterprise WAN:

  1. How do I assure the highest levels of performance for mission-critical SaaS applications that are carried over broadband?
  2. How can I integrate and enforce unique security policies for trusted or untrusted cloud-hosted applications with the increased use of broadband?
  3. How can I easily integrate and extend WAN applications to be hosted in public cloud environments?
  4. How can I automate the integration of my SD-WAN with AWS, Azure and GCP public cloud backbone networks?
  5. How can I automate the orchestration of cloud security services hosted by best-of-breed cloud security vendors within my SD-WAN?

When it comes to the enterprise multi-cloud connectivity, there are five pillars of an SD-WAN platform that explicitly address these challenges and form the foundation for enabling an effective multi-cloud enterprise strategy:

1. SaaS Optimization for the Best User Experience

The majority of applications are now delivered as SaaS, so backhauling ALL cloud-destined traffic back to the data center impairs application performance due to added latency.

Aruba SaaS Optimization connects users from branch sites to SaaS applications in a seamless and secure way, while continuously monitoring the SaaS Quality of Experience (QoE). There are a number of capabilities that come together to do this including:

  • First-packet iQ automatically identifies and classifies applications on the first packet, enabling dynamic application traffic steering to the data center, cloud provider or cloud security service. Application-aware traffic steering minimizes latency resulting in better application performance while ensuring enforcement of business-driven security policies.
  • Intelligent Cloud Breakout allows enterprises to deploy virtual EdgeConnect appliances in their public cloud IaaS instances. Connections between branch locations and the cloud benefit from Aruba path conditioning and optional Aruba Boost WAN Optimization. This “ruggedizes” the first mile between the branch and the cloud, providing improved network quality as well as application performance and availability.
  • Microsoft Office 365 API integration ensures secure internet breakout directly from the branch office to the closest Office 365 entry point using the latest Office 365 end-point data. This supports delivery of optimal Office 365 connectivity and performance.

2. Intelligent Local Internet Breakout

The Aruba EdgeConnect SD-WAN edge platform employs a virtual WAN overlay model and enforces end-to-end micro-segmentation to enable differentiated treatment – including security policies and controls – for different classes of applications. A business-driven cloud-app security policy might be defined as:

  • Send all known, trusted business SaaS (Office 365, SAP, Oracle, Zoom) traffic directly to the closest SaaS instance – or doorstep – using the internet as the primary WAN transport service
  • Send “home from work” recreational applications, such as Facebook and YouTube, to a secure web gateway service such as Zscaler, Netskope, McAfee or Symantec for verification
  • Send all untrusted, suspicious or unknown traffic to a hub or headquarters-based next generation firewall

Having a unified zone-based stateful firewall at the WAN edge is essential for a complete, secure local internet breakout solution for direct connectivity to trusted SaaS applications and IaaS from branch offices, blocking any unwanted or unauthorized traffic attempting to enter the branch network from the enterprise LAN. Aruba EdgeConnect overlays allow for easier micro-segmentation based on application characteristics, performance requirements and security policies. This helps with security compliance by taking automatic action to isolate affected branches from the wider network where a security breach is found to have occurred.

So far, we have discovered how easy it is to securely classify, route and breakout cloud-based applications with an advanced SD-WAN platform. In the second part of this blog series, we will examine additional SD-WAN capabilities that help automate WAN connectivity in a multi-cloud environment.