10-Sep-25

Solution Design

The SASE architecture resulting from integrating SD-Branch and Microbranch with HPE Aruba Networking SSE can address different use cases. These range from redirecting Internet traffic through the Secure Web Gateway (SWG) to managing all access to public and private corporate applications. This section first outlines the different use cases, then details the reference architectures validated by HPE Aruba Networking.

Note: The integration of SD-Branch or Microbranch with HPE Aruba Networking SSE can apply to any deployment type, from SD-WAN networks with thousands of nodes to an individual Branch Gateway or Microbranch AP that may not even be attached to any SD-WAN overlay.

Use Cases

Secure Internet and SaaS access via HPE Aruba Networking SSE

When integrated with HPE Aruba Networking SSE, SD-Branch Gateways and Microbranch APs can forward user traffic to SSE Points of Presence (PoPs). This enables the enforcement of Secure Web Gateway (SWG) policies including Web Content Filtering, Threat Intelligence Protection, File Scanning, Sandboxing and Data Loss Prevention.

Internet and SaaS access via SWG

This allows companies to establish a common Internet and SaaS access policy for all users, whether on campus, at a branch, or anywhere else. As an additional benefit, since traffic exits through a cloud gateway, the branch network remains obfuscated, reducing the corporate attack surface.

Access to private applications via HPE Aruba Networking SSE

Just as in the case of Internet and SaaS applications, private applications defined in HPE Aruba Networking SSE as part of the Zero Trust Network Access (ZTNA) capabilities can be reached through the IPsec tunnels connecting branch locations and the SSE PoPs. This applies to corporate clients that may be running the Atmos agent as well as to other devices (BYOD, IoT, etc.) that may not have the agent. As long as traffic gets forwarded through the SSE, ZTNA policies will take effect.

Private Applications via SSE

This allows companies to establish a unified access policy for public (SaaS, internal) or private applications hosted in a VPC or data center. This type of deployment could replace the SD-WAN Overlay in some cases where communications are predominantly client-to-application. Companies that are in the process of having internal applications delivered as SaaS can accelerate that strategy by simply leveraging the ZTNA technology.

Full-SASE Architecture

Many enterprises will still need an SD-WAN overlay, either for quality of service (where a bookended SD-WAN ensures reliable communications) or due to the nature of their traffic flows. When using HPE Aruba Networking SSE combined with an SD-WAN Overlay (in this case with SD-Branch or Microbranch), traditional applications can continue communicating through the SD-WAN Overlay, while Internet, SaaS or private applications accessible via ZTNA can be reached through the SSE.

Reference Architectures

The following architectures have been validated by HPE Aruba Networking and are equally applicable to both of the following use cases: access to Internet and SaaS applications, and access to private applications hosted in an IaaS VPC or in a data center.

Microbranch integration with HPE Aruba Networking SSE

The Cloud Connect service in Central can orchestrate tunnels from Microbranch APs to HPE Aruba Networking SSE PoPs. Cloud Connect will build tunnels to the nearest and second-nearest SSE nodes. To send client traffic via the SSE cloud, simply apply a PBR policy to forward the desired traffic through the corresponding IPsec next-hops.

Microbranch Integration

Note: Integration of Microbranch APs with SSE requires Advanced subscriptions.

Branch Gateway integration with HPE Aruba Networking SSE

As with Microbranch, the Cloud Connect service in Central can orchestrate tunnels from Branch Gateways to HPE Aruba Networking SSE PoPs. Cloud Connect will build tunnels to the nearest and second-nearest SSE nodes. To send client traffic via the SSE cloud, simply apply a PBR policy to forward the desired traffic through the corresponding IPsec next-hops. In addition, Branch Gateways can also communicate with ZTNA services by configuring static routes pointing to SSE tunnels.

Branch Gateway Integration

Headend Gateway integration with HPE Aruba Networking SSE

Branch traffic is sometimes aggregated at a local hub before being routed to the Internet or to other corporate resources. This case is most common when using private WAN in branch locations, but scenarios may differ. In such scenarios, Headend Gateways (VPNCs) can set up tunnels to the nearest SSE PoPs. To send client traffic via the SSE cloud, simply apply a PBR policy to the SD-WAN overlay to forward the desired traffic through the corresponding IPsec next-hops. In addition, gateways can also communicate with ZTNA services by configuring static routes pointing to SSE tunnels.

Headend Gateway Integration
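
The forwarding split described in the three integrations above, modelled as an added example (not HPE Aruba Networking configuration or code): a first-match policy sends selected prefixes to the nearest SSE tunnel, then to the second-nearest, and leaves other corporate traffic on the SD-WAN overlay. The prefixes, tunnel names and the `fail_closed` choice for the case where both tunnels are down are assumptions made for illustration; the page does not state what a gateway or AP does in that case, so verify it in your own deployment.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OVERLAY = "sdwan-overlay"  # traditional applications stay on the SD-WAN overlay

@dataclass
class Tunnel:
    name: str          # hypothetical label for an IPsec tunnel to an SSE PoP
    up: bool = True

@dataclass
class Rule:
    prefix: str                                    # destination prefix (constructed)
    next_hops: list = field(default_factory=list)  # ordered tunnels; empty = overlay
    fail_closed: bool = True                       # assumption: drop, never bypass SSE

def select_path(dst, policy):
    """First matching rule wins; inside a rule, the first tunnel that is up wins."""
    addr = ip_address(dst)
    for rule in policy:
        if addr not in ip_network(rule.prefix):
            continue
        if not rule.next_hops:
            return OVERLAY
        for tunnel in rule.next_hops:
            if tunnel.up:
                return tunnel.name
        # Both SSE tunnels are down: the design decision that matters for security.
        return "drop" if rule.fail_closed else "uninspected-local-breakout"
    return "drop"  # nothing matched: implicit deny in this model

def build_policy(nearest, second_nearest, fail_closed=True):
    sse = [nearest, second_nearest]
    return [
        Rule("10.200.0.0/16", sse, fail_closed),  # private application reached via ZTNA
        Rule("10.0.0.0/8"),                       # other corporate prefixes -> overlay
        Rule("0.0.0.0/0", sse, fail_closed),      # Internet and SaaS -> SWG
    ]

def uninspected(destinations, policy):
    """Destinations that would leave the site without passing through the SSE."""
    return [d for d in destinations
            if select_path(d, policy) == "uninspected-local-breakout"]

if __name__ == "__main__":
    pop1, pop2 = Tunnel("sse-nearest"), Tunnel("sse-second-nearest")
    policy = build_policy(pop1, pop2)
    for dst in ("10.200.4.10", "10.1.1.1", "203.0.113.80"):
        print(dst, "->", select_path(dst, policy))
```

Running `uninspected()` against a fail-open policy with both tunnels marked down lists exactly the flows that would skip SWG and ZTNA enforcement during an outage.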
