PacketFabric Adds IPsec VPN and NAT to Cloud Router


By: R. Scott Raynovich

PacketFabric, a popular multi-cloud networking solution used by many enterprises to connect to cloud services, has added Virtual Private Networking (VPN) and Network Address Translation (NAT) capabilities to its Cloud Router product, meeting two rising needs for multi-cloud network connectivity.

PacketFabric announced Cloud Router in January, and then boosted its capacity to 100 Gbit/s in April. The network-as-a-service (NaaS) solution can be used to instantly link networks across multi-cloud environments, such as linking organizations directly to Amazon Web Services (AWS) and Google Cloud Platform (GCP). PacketFabric says the goal is to make L2 and L3 hybrid cloud, intra-cloud, and multi-cloud connectivity easy and scalable, with carrier-class reliability and performance.

The latest iteration of Cloud Router includes native support for IPsec site-to-site VPNs and Network Address Translation (NAT), two popular needs for multi-cloud networking (MCN).

Targeting IPsec VPN Tunnels

IPsec is one of the most popular methods for creating secure, encrypted network “overlays” to connect networks or clouds. Cloud Router now features IPsec VPN tunnel termination as a supported connection type.

VPNs are growing in demand. The proliferation of cloud services and interconnection needs, as well as work mobility through Work from Anywhere (WFA), spurs demand for quick ways to create secure, virtual networks over the Internet. VPNs are a complex market that is being subsumed by a variety of Zero Trust Network Access (ZTNA) approaches, as profiled in our recent ZTNA report. A wide range of VPN technologies exists, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS), but IPsec is still a widely used tool to install a simple, secure network VPN.

PacketFabric says its single IPsec VPN connection can provide:

  • Secure branch access to enterprise private resources in any multi-tenant colocation facility on the vendor's fabric.
  • Secure and cost-effective (reduced data egress charges) access to all major public cloud providers (AWS, Google, Microsoft Azure, Oracle, IBM) from branch office locations with low and stable latency.
  • Acceleration of connectivity to multiple popular enterprise SaaS applications.

Cloud Router IPsec VPN support also offers a cloud-native connectivity option for smaller branch locations that don’t justify a dedicated last-mile connection, according to PacketFabric. The advantage of this approach is that a customer can use existing branch office routers and firewalls without needing to upgrade or take on new licensing or software deployments.

With this functionality, PacketFabric is targeting ease of use -- for example, connecting a WAN to a cloud colocation service without waiting for a complicated telecom service or installing new hardware. Rather, by running a VPN overlay using the Internet, a private connection can be established to connect colocation sites to multiple cloud provider instances.

Adding NAT

NAT is another key functionality that is being provided by Cloud Router. Many network operators suffer NAT headaches because if they connect to a cloud service using a set of public IP addresses, they often need to make internal IP addresses private using NAT -- translating them to another set of virtual addresses. In addition, because of the proliferation of Internet providers using the same batch of IP addresses for multiple cloud services or customers, there's the challenge of what's known in the industry as "overlapping IP addresses."

PacketFabric says customers frequently request to extend connectivity from their private cloud over a private connection to a public cloud provider’s publicly addressed resource. The most common use cases are AWS public virtual interface (VIF) and Azure public IP support (for Microsoft SaaS applications). Overlapping IP addresses can emerge, for example, if a customer is using the same address to connect in multiple cloud instances. NAT can be used to mitigate IP address overlap by creating a different, “virtual IP address” that is mapped to the original address.
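The overlap problem and the virtual-address mapping described above can be sketched as follows. This is an added example, not PacketFabric's code or configuration; the site names, prefixes, and the `100.64.0.0/16` pool are constructed assumptions.

```python
import ipaddress

# Constructed sample: two branches reuse the same private range.
SITES = {"branch-a": "10.0.0.0/24", "branch-b": "10.0.0.0/24",
         "colo-1": "172.16.5.0/24"}
NAT_POOL = "100.64.0.0/16"  # assumed pool from which virtual prefixes are drawn

def _parse(sites):
    return {name: ipaddress.ip_network(p) for name, p in sites.items()}

def find_overlaps(sites):
    """Return sorted pairs of site names whose prefixes overlap."""
    nets = _parse(sites)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def assign_virtual_prefixes(sites, pool):
    """Map every conflicting site to a unique, same-size virtual prefix."""
    nets = _parse(sites)
    conflicted = sorted({n for pair in find_overlaps(sites) for n in pair})
    taken = list(nets.values())  # a virtual prefix must not collide with real ones
    mapping = {}
    for name in conflicted:
        real = nets[name]
        for cand in ipaddress.ip_network(pool).subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                mapping[name] = (real, cand)
                taken.append(cand)
                break
        else:
            raise ValueError(f"NAT pool exhausted while mapping {name}")
    return mapping

def translate(addr, real, virtual):
    """1:1 translation: keep the host offset, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{addr} is not inside {real}")
    return virtual.network_address + (int(ip) - int(real.network_address))

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    for site, (real, virt) in assign_virtual_prefixes(SITES, NAT_POOL).items():
        print(f"{site}: {real} -> {virt}")
```

Sites that do not conflict are left untranslated, so only the overlapping ranges take on virtual addresses.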

It should be noted that this feature is included in other MCN products: the same use case is addressed by other multi-cloud vendors such as Aviatrix, which has explained the problem well. But PacketFabric's addition of features shows that this market is gaining interest as many technology providers beef up their MCN functionality.

Overall, PacketFabric’s addition shows it's expanding the features and functionality to follow the needs of the multi-cloud networking market, which is heating up with the proliferation of SaaS and public cloud services.