Blogs

Cloud WAN brings a Secure MPLS-like Experience to AWS

By Frederick posted Dec 02, 2021 10:39 AM

  

By: Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet

It’s no coincidence that SD-WAN adoption has grown rapidly with increasing cloud consumption by enterprises. After all, the primary use case for SD-WAN is to provide fast and resilient connectivity to cloud services. While the SD-WAN migration has been driven by cost savings, faster time to provision, and more application control, there have been some trade-offs. MPLS provides granular control of routing domains and segmentation, and centralized Internet breakout for consistent egress security and partner interconnection. MPLS’s traffic-engineered paths provide end-to-end low network latency and a high quality of service. The launch of AWS’s Cloud WAN provides, for the first time in the AWS cloud, the opportunity to realize the benefits of an MPLS-like core network with the advantages of SD-WAN cloud on-ramps from many on-premises locations.

AWS Cloud WAN builds on Transit Gateway Connect by allowing users to define a Core Network subdivided into segments. Each segment is a globally synchronized isolated layer 3 segment, similar to IP VPNs, or VRFs, and provides an isolated routing domain within the user’s AWS account. Remote endpoints are connected to the Core Network at Core Network Edge locations.  

With AWS Cloud WAN, segments represent natural isolation boundaries where the application of security inspection is applied. Fortinet’s FortiGate virtual NGFW helps organizations maintain segment integrity as a policy enforcement point for applying zero trust filtering and inspection of user and application traffic. In addition to that it also offers SD-WAN capabilities. FortiGate virtual NGFW with Cloud WAN provides security users with the ability to seamlessly protect multiple segments, both from each other (inter-segment) and for egress connectivity. By combining this architecture with the AWS Gateway Load Balancer, security providers can offer flexible and scalable security inspection no matter the needs of individual business units. Fortinet has led the way in providing Secure SD-WAN and carrier-grade MPLS protection for organizations of all sizes. Combining FortiGate physical appliances at on-premises locations and virtual appliances in the AWS cloud with AWS Cloud WAN makes hybrid cloud networking on AWS more secure and flexible than ever before.

Use Case 1: Single Region Per-Segment Inspection

The figure above depicts multiple segments in a single region (AWS Cloud WAN will not support multiregion initially). Each segment, as shown, could belong to a separate customer, to an internal business unit of a single organization, or support a service provider service offering. For secure egress Internet access each segment has access to the Shared Services Segment. A default route is propagated from the Shared Services Segment allow traffic to default route from the application VPC via the segment’s Core Network Edge (CNE) to the Security VPC. Using the GWLB in this example, inspection policy is applied specific to the segment, user, or application and returned to the GWLB to its original path.

Use Case 2: Single Region Service Provider Extranet

Expanding the example to include the remote SD-WAN devices, consider the use case you might typically see from an MPLS service provider. For example, a service provider might provide VoIP services, Secure Internet Access, or provider extranet access (VRF route leaking). Here SD-WAN sites connected to AWS via the CNE could be analogous to the traditional MPLS CE-PE links. Routes for the attached segments would propagate to the remote sites. Default routing the remote sites through the AWS Security VPC would be similar to using an MPLS network’s shared Secure Internet Access (SIA) connection. In this case traffic sourced from the SD-WAN sites would egress directly from the FortiGate virtual appliances to the IGW. Because each segment is a unique routing domain and NAT is handled by the GWLB, each segment need not worry about IP overlap limitations with the FortiGate providing transparent, bump-in-the-wire security insertion.

By supporting Cloud WAN, Fortinet continues to evolve customer cloud edge use cases with advanced network security that is flexible, well architected, and cloud native. Fortinet’s FortiGate NGFW together with AWS Cloud WAN delivers carrier-class performance, security, and reliability for cloud networking to enable enterprises accomplish their Digital acceleration goals.

Permalink