Cloud Gateway
- A cloud gateway is a network device or service that provides secure connectivity between on-premises networks and cloud services (AWS, Azure, Google Cloud)
- Acts as a translation and aggregation point - converts between different protocols, security models, and network architectures
- Primary function is to extend enterprise networks into cloud environments while maintaining security and performance requirements
Core Functions
- Protocol Translation: Converts between on-premises protocols (MPLS, Frame Relay) and cloud-native protocols (REST APIs, HTTP/HTTPS)
- Security Enforcement: Implements encryption, authentication, and access control policies for cloud traffic
- Traffic Optimization: Provides WAN optimization, caching, and Quality of Service (QoS) for cloud applications
- Network Integration: Bridges different IP address spaces and routing domains between enterprise and cloud
Deployment Models
| Model | Description | Use Case | Example |
|---|---|---|---|
| Hardware Appliance | Physical device in data center | High throughput, dedicated resources | Cisco ASR 1000 series |
| Virtual Appliance | VM running gateway software | Flexible deployment, lower cost | VMware NSX Edge |
| Cloud-Native Service | Provider-managed gateway service | No hardware management needed | AWS Transit Gateway |
| Hybrid Model | Combination of on-premises and cloud components | Best of both worlds | Azure ExpressRoute Gateway |
Key Technologies
- IPSec VPN: Creates encrypted tunnels over internet connections (typically site-to-site VPNs)
- SD-WAN Integration: Provides intelligent path selection and application-aware routing to cloud services
- API Gateway Functions: Manages REST API calls, rate limiting, and authentication for cloud applications
- Direct Connect Services: Uses dedicated circuits (AWS Direct Connect, Azure ExpressRoute) for predictable performance
Vocabulary
- Multi-tenancy: Single gateway instance serving multiple isolated customer environments
- Service Chaining: Linking multiple network services (firewall, load balancer, gateway) in sequence
- Cloud Bursting: Automatically scaling on-premises applications into cloud resources during peak demand
- Hybrid Cloud: Architecture combining private on-premises infrastructure with public cloud services
Configuration Considerations
- Always configure redundant gateways for high availability (active/passive or active/active)
- Size bandwidth for peak traffic plus roughly 20% to cover encryption and protocol overhead
- Security policies must be consistent between on-premises firewalls and cloud security groups
- Monitor latency carefully - cloud gateways add 5-15ms depending on geographic distance to cloud region
Common Protocols and Ports
| Protocol | Port | Purpose | Notes |
|---|---|---|---|
| IPSec | UDP 500, 4500 | VPN tunnel establishment | NAT-T uses port 4500 |
| HTTPS | TCP 443 | API calls to cloud services | Most cloud management traffic |
| BGP | TCP 179 | Route exchange with cloud | Used with Direct Connect |
| GRE | IP Protocol 47 | Tunnel encapsulation | Often combined with IPSec |
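The consistency requirement above (on-premises firewall policy must match cloud security groups) can be checked mechanically against the ports table. The following is an added example, not vendor or page code: it parses two constructed rule dumps in a simplified `permit|deny <proto> <port>` syntax, confirms each side permits every protocol the gateway needs, and reports rules that exist on only one side as policy drift.

```python
"""Cross-check on-premises firewall rules against cloud security-group rules for a
cloud gateway: both sides must permit the protocols in the ports table, and a rule
present on only one side is policy drift. Added example; sample rules are constructed."""
# Gateway protocols from the ports table: (transport, port) or ("ip", protocol number).
REQUIRED = {
    ("udp", 500): "IPSec IKE",
    ("udp", 4500): "IPSec NAT-T",
    ("tcp", 443): "HTTPS to cloud APIs",
    ("tcp", 179): "BGP with Direct Connect",
    ("ip", 47): "GRE encapsulation",
}

# Constructed rule dumps in a simplified 'permit|deny <proto> <port>' syntax.
ONPREM_RULES = """
permit udp 500
permit udp 4500
permit tcp 179
permit tcp 443
permit ip 47
deny ip 0
"""
CLOUD_RULES = """
permit udp 500
permit tcp 443
permit tcp 179
permit ip 47
permit tcp 3389
"""
def parse_rules(text):
    """Return the set of (proto, port) pairs explicitly permitted in a rule dump."""
    permitted = set()
    for line in text.strip().splitlines():
        action, proto, value = line.split()
        if action == "permit":  # deny lines are not part of the allow set
            permitted.add((proto.lower(), int(value)))
    return permitted

def audit(onprem, cloud):
    """Report required gateway protocols missing on each side, plus one-sided drift."""
    required = set(REQUIRED)
    return {
        "missing_onprem": required - onprem,
        "missing_cloud": required - cloud,
        "drift": onprem ^ cloud,  # permitted on exactly one side
    }

if __name__ == "__main__":
    print(audit(parse_rules(ONPREM_RULES), parse_rules(CLOUD_RULES)))
```

In the constructed data the cloud side lacks UDP 4500, so the tunnel would fail for any peer behind NAT, and TCP 3389 is open in the cloud only, which the drift report surfaces for review.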
Notes
- A single cloud gateway is a single point of failure - always deploy gateways in pairs with automatic failover
- Licensing costs can be per-Mbps or per-connection - understand the pricing model before deployment
- Many cloud providers offer native gateway services that eliminate hardware management (AWS Transit Gateway costs ~$36/month plus data processing fees)
- For CCNA exam: Focus on IPSec VPN configuration and understanding how cloud connectivity integrates with traditional routing protocols
- Performance bottleneck is usually the internet connection bandwidth, not the gateway device itself
- Consider compliance requirements - some industries require dedicated circuits rather than internet-based VPNs for cloud connectivity