When we released the Cloud Router in January of this year, our immediate goal was to make L2 and L3 hybrid cloud, intra-cloud and multi-cloud connectivity easy and scalable, with carrier-class reliability and performance. But this was just the first step in the journey towards a vision of any-to-any, carrier-class connectivity across an ever-expanding scope of providers, colocation data centers, and enterprise sites.
In May, we expanded the scalability of Cloud Router with support for 100G dedicated cloud connections. Today, we’re happy to share that we’ve taken another significant step in expanding the scope of what Cloud Router can bring together in that any-to-any vision, with native support for IPsec site-to-site VPNs and NAT.
Cloud Router IPsec VPN Tunnels
Cloud Router now features IPsec VPN tunnel termination as a supported connection type. IPsec is a valuable tool for building network architectures. It securely connects routing domains “Over The Top” of other IP infrastructure. While there is a lot of industry debate about the long-term futures of IPv6 or other IPv4 tunneling technologies with more enhanced security and scalability, IPsec is still a widely used tool for this functionality.
In a PacketFabric customer context, a single IPsec VPN connection can simultaneously provide:
- Secure branch access to Enterprise private resources in any multi-tenant colocation facility on our fabric.
- Secure and cost-effective (reduced data egress charges) access to all major public cloud providers (AWS, Google, Microsoft Azure, Oracle, IBM) from branch office locations with low and stable latency.
- Acceleration of connectivity to multiple popular Enterprise SaaS applications.
IPsec tunnels are priced like any other Cloud Router connection, with a maximum bandwidth capacity of 2 Gbps for now. Check out our pricing page for more details.
Accelerating and Expanding Branch to Cloud Connectivity
Many enterprises are shifting to a colocation-centric WAN architecture, where colocation data centers and network PoPs are set up as regional hubs for branch offices to connect to the WAN in order to give them access to cloud and SaaS resources. One of the things we’ve heard for a while is that the wait for new last-mile telco connectivity to the colocation sites (which can be months in some cases) is an obstacle enterprise IT teams and users really want to overcome. Most branch offices today have some sort of Internet connection, either DIA or broadband. As more of our customers adopt PacketFabric Cloud Router to connect their colocation sites to multiple cloud provider instances, VPN support offers a way to immediately get those branches connected via Cloud Router to the new hybrid and multi-cloud WAN architecture, while you wait for a physical last-mile connection.
In addition to accelerating branch to cloud connections, Cloud Router IPsec VPN support also offers a new, cloud-native connectivity option for smaller branch locations that don’t justify a dedicated last-mile connection. The advantage of this approach is that you can use existing branch office routers and firewalls, without needing to upgrade or take on new licensing or software deployments.
IPsec is supported by many branch firewall, branch router and SD-WAN branch CPE providers (though these connections are not part of their auto-tunnel creation for full mesh connectivity), as well as by desktop, laptop and phone software providers.
You can find a list of verified compatible devices and other Cloud Router VPN service information in our knowledge base. If you have devices that you’d like to use to connect via Cloud Router IPsec tunnels, consult your PacketFabric solutions engineer, or customer support.
Cloud Router NAT Unlocks Private SaaS and S3 Connectivity
At the simplest level, whenever you connect a private address space (e.g. RFC 1918 reserved addresses) to a public space, you will need to NAT your private space into a publicly reachable IP address. At this level, the functionality of NAT is public IP space preservation.
Over time we’ve heard many customers request to extend connectivity from their private cloud over a private connection to a public cloud provider’s publicly addressed resource. The two most common use cases we’ve heard are connecting to an AWS public VIF and Azure public IP support (for Microsoft SaaS applications).
- The AWS recommended method of accessing an S3 resource via Direct Connect is via a Public VIF (Virtual Interface), making the S3 resource reachable via its public IP address(es).
- Similarly, if you were to use an ExpressRoute connection to Azure to also connect to O365 or Microsoft Dynamics, NAT would be required if your organization doesn’t have a public IP address of its own that it can dedicate to the connection (Microsoft requires that any IP used for the connection NOT be advertised to the public Internet).
NAT can also be used to mitigate IP address overlap. For example, in a multi-cloud scenario, your AWS and GCP resources may have overlapping IP addresses.
Our Cloud Router logically provides the private connection to public clouds, and the Cloud Router NAT function can be used to enable bi-directional connectivity between overlapping IP address spaces or transitions between public and private spaces (using a PacketFabric-provided public IP address where necessary).
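The two NAT cases described above (private sources reaching public peering, and overlapping address space between clouds) can be checked against a prefix inventory before connections are provisioned. The following is an added example, not PacketFabric code; the connection names, prefixes and the `public_peering` field are constructed for illustration, and it assumes every connection on the router should be able to reach every other.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges, which are not reachable from public address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical connection names and prefixes).
SAMPLE = {
    "branch-ipsec":     {"public_peering": False, "prefixes": ["192.168.10.0/24"]},
    "aws-private-vif":  {"public_peering": False, "prefixes": ["10.0.0.0/16"]},
    "gcp-interconnect": {"public_peering": False, "prefixes": ["10.0.128.0/20"]},
    # 203.0.113.0/24 is a documentation range standing in for provider public space.
    "aws-public-vif":   {"public_peering": True,  "prefixes": ["203.0.113.0/24"]},
}

def is_rfc1918(prefix):
    """True if the prefix touches any RFC 1918 range."""
    net = ipaddress.ip_network(prefix)
    return any(net.overlaps(r) for r in RFC1918)

def private_sources_needing_nat(conns):
    """Private-side RFC 1918 prefixes that need source NAT to reach public peering."""
    if not any(c["public_peering"] for c in conns.values()):
        return []
    return [(name, p) for name, c in conns.items() if not c["public_peering"]
            for p in c["prefixes"] if is_rfc1918(p)]

def overlapping_prefixes(conns):
    """Pairs of prefixes on different connections that overlap and so need NAT."""
    hits = []
    for (a, ca), (b, cb) in combinations(conns.items(), 2):
        for pa in ca["prefixes"]:
            for pb in cb["prefixes"]:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    hits.append((a, pa, b, pb))
    return hits

if __name__ == "__main__":
    for name, p in private_sources_needing_nat(SAMPLE):
        print(f"source NAT needed: {name} {p} -> public peering")
    for a, pa, b, pb in overlapping_prefixes(SAMPLE):
        print(f"overlap: {a} {pa} <-> {b} {pb}")
```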
Powering a More Expansive Cloud Core
With Cloud Router’s new VPN and NAT capabilities, we’ve made it possible to connect a broader scope of providers, SaaS applications, cloud storage, and enterprise locations via a unified, carrier-class service. As seen in Figure 1, you can now build and enhance an end-to-end, colocation and cloud-centric WAN architecture.
The Dedicated AWS Direct Connect Option
While partner-hosted direct connect is super easy and fast, sometimes 10G just isn’t enough. With PacketFabric, you can also get dedicated AWS Direct Connect (and GCP) ports with link aggregation group support, up to 100G. Learn more about hosted versus dedicated cloud connections. Even though you can get a Direct Connection directly from AWS, many PacketFabric customers choose to connect via our network because it allows them to manage many different types of connectivity, including multi-cloud connections and data center interconnection, from a single portal and vendor. In addition, with PacketFabric, you can contract on a monthly basis for all these services, giving you tremendous flexibility to change your network as requirements shift over time.
Learn More, Get Started
Cloud Router VPN and NAT support enable a broader range of connectivity for your IT cloud core, with new applications and architectural options.
If you’re already a customer, check out the new capabilities in the portal or dig into more information in our knowledge base. If you’re new to PacketFabric, learn more about our platform and our on-demand, cloud-scale connectivity services including point-to-point connectivity between locations in our network, hybrid cloud connectivity, and multi-cloud routing. If you’re ready to get next-generation cloud connectivity, you can request a demo, or just register in our self-service portal and get started.