- BigPicture
Secure Cloud Hub - Cato Networks
Challenge
Organizations interconnecting their cloud service provider (CSP) resources face the challenge of securing private cloud connectivity while also securely accessing SaaS providers. There are many approaches to securing traffic from one CSP to another, between accounts within the same CSP, and out to SaaS providers. The following describes one solution to this challenge.
Scenario
Your organization has a number of AWS VPCs in separate accounts located in two different regions, plus Azure VNETs located in the same regions as AWS. You have a requirement to provide secure communication between the resources in each AWS account and also between AWS and Azure. In addition, your organization plans to move to Office 365 and Salesforce. You are looking to minimize any co-location requirements and are therefore considering cloud services where possible.
Solution Components
Cato Networks Converged Platform
AWS VPCs and VGWs
Azure VNET and VPN gateway
Office 365
Salesforce
Extended solution component
Megaport VXC
Solution Overview
Cato Networks provides a global platform comprising points of presence (POPs) located at the "front door" of cloud service providers and SaaS providers. These POPs are integrated with an SLA-backed global private WAN built on multiple tier 1 providers. For more detailed information on the Cato platform, please review my article SDWAN Vendor Series 2019 - Cato Networks.
The following diagram provides a high-level view of the Cato platform architecture and its security and optimized connectivity capabilities.

The platform is multi-tenanted, and each organization is provided with its own management environment to configure, monitor and analyze network, application and service performance. Connectivity is provided globally, and a user or resource is served by the Cato POP that is geographically closest to it.
An organization can connect its cloud VPCs and VNETs in providers such as AWS and Azure to the Cato platform using IPsec. Because the POP sits close to the cloud provider, this is effectively a local connection. Each VPC and VNET is treated just like a site connecting to the Cato platform, and with that connection comes a security profile and routing policy. VPC-to-VPC communication within a region routes to the Cato POP in that region, where a security policy is applied between the VPCs based on organizational requirements. For a VPC in one region communicating with a VPC in another region, traffic is routed to the local POP, carried over the SLA-backed Cato global private WAN, and exits at the POP closest to the destination VPC. Traversing a private WAN rather than the public Internet for this global traffic provides predictable transport performance compared to the Internet.
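The AWS side of treating one VPC as a "site" connected to the nearest Cato POP over IPsec, as an added Terraform example that is not part of the article or Cato's own documentation. It assumes a static-route VPN (the article does not say whether static or BGP routing is used), a placeholder POP address, and constructed VPC CIDRs; the Cato side would then be configured with the tunnel endpoints and pre-shared keys output at the end.

```hcl
# Added example (not from the article): AWS VPC <-> Cato POP IPsec "site" connection.
# The POP address and CIDRs below are placeholders, not real Cato or customer values.
variable "cato_pop_ip"     { default = "203.0.113.10" } # placeholder (TEST-NET-3)
variable "remote_vpc_cidr" { default = "10.20.0.0/16" } # other VPC reached via Cato

resource "aws_vpc" "app" {
  cidr_block = "10.10.0.0/16" # constructed local VPC CIDR
}

# From AWS's point of view the Cato POP is the "customer gateway".
resource "aws_customer_gateway" "cato_pop" {
  bgp_asn    = 65000 # not used with static routing but required by the API
  ip_address = var.cato_pop_ip
  type       = "ipsec.1"
}

resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.app.id
}

# Static routing: only CIDRs explicitly listed are sent across the tunnel,
# so the VPC is reachable solely via prefixes the Cato routing policy allows.
resource "aws_vpn_connection" "to_cato" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cato_pop.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_vpn_connection_route" "remote_vpc" {
  destination_cidr_block = var.remote_vpc_cidr
  vpn_connection_id      = aws_vpn_connection.to_cato.id
}

# Propagate the VPN route into the VPC's main route table.
resource "aws_vpn_gateway_route_propagation" "main" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_vpc.app.main_route_table_id
}

# Values the Cato side needs: AWS tunnel endpoints and the generated PSKs.
output "tunnel_endpoints" {
  value = [aws_vpn_connection.to_cato.tunnel1_address,
           aws_vpn_connection.to_cato.tunnel2_address]
}
output "tunnel_psks" {
  value     = [aws_vpn_connection.to_cato.tunnel1_preshared_key,
               aws_vpn_connection.to_cato.tunnel2_preshared_key]
  sensitive = true # keep the keys out of plan output and logs
}
```

Both AWS tunnels should be configured on the Cato side so the site connection survives a single tunnel failure; the second VPC is configured the same way with the CIDRs swapped.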

This approach can be expanded to Azure and to SaaS providers such as Microsoft O365 and Salesforce. The Cato platform routes to the closest O365 or Salesforce POP, providing performance-optimized access to SaaS providers. Azure is treated exactly the same as AWS: AWS VPCs and Azure VNETs are connected to the closest Cato POP, and communication between AWS and Azure, both locally and globally, is provided according to the security and routing policy.

Cato can extend connectivity to a customer's data centre using a Cato Socket; however, for the expanded solution this example uses Megaport to AWS Direct Connect and a Megaport virtual connection back to the data centre. This uses Megaport for Direct Connect together with a detached AWS VGW. IPsec is configured from the Cato platform to the detached VGW, and virtual connections are provided from Megaport to the on-premises router/switch and to the detached VGW.

The benefits of this solution include:
Quick access to a global backbone
Simple integration with cloud service providers such as AWS, Azure and Google
Secure, optimized access to SaaS providers
Predictable global traffic performance
Reliable and highly available connectivity locally and globally
Secure cloud VPC and VNET communications
Secure access to data centre/on-premise resources
No requirement for additional co-location facilities (rack space, cross connects, network hardware)
Resources