Barracuda Networks inched closer to realizing its secure access service edge (SASE) aspirations today with the launch of its CloudGen WAN platform. Built on Microsoft Azure Virtual WAN, the SD-WAN offering fills a gap in Barracuda's emerging SASE platform.

The service can be deployed directly from the Azure marketplace and is designed to tie into Barracuda's existing next-generation firewalls at the edge.

"Azure has been a great partner for Barracuda for many years," said Tim Jefferson, SVP of engineering at Barracuda, in an interview with SDxCentral. "When they launched the [virtual WAN] product, we saw that as an interesting construct that we could use to solve customer problems together."

Unlike a traditional SD-WAN deployment, once traffic reaches the nearest Azure data center, it's routed across the cloud provider's network to its destination. Barracuda claims that this cloud-based architecture eliminates the need for expensive and rigid MPLS circuits and allows the network to be sized in accordance with demand.

"Now you can build your WAN dynamically," he said. "Because we were able to partner with Microsoft and deploy that natively, that removes a lot of the deployment and management friction."

SD-WAN-like functionality isn't actually new for Barracuda. The company is already generating IPsec tunnels between its firewall appliances using its Tina protocol, according to Jefferson. However, he said this approach has become something of an "anti-pattern" as customers continue to switch to software-as-a-service applications (SaaS).

"The big pivot that we did see happening in the market was around SASE, and this highly-accelerated adoption that customers are having with SaaS applications," said Jefferson, adding that many customers that are resistant to this move are being forced to adapt as software vendors make the leap to SaaS models.

This cloud-based approach to SD-WAN is better suited to address the needs of customers today, Jefferson said.

While many SASE vendors, including VMware and Palo Alto Networks, have pushed much of their security stack into the service edge — the distributed network of points of presence in which the SASE architecture is hosted — Barracuda believes there is still a need to enforce security and routing policy at the branch.

"Instead of routing all traffic back to a cloud point — again, this is an anti-pattern for a lot of the SaaS providers — we wanted to combine the best of the SASE model while embracing the modern security principles around pushing controls out to the edge," Jefferson said. "It allows policy to be built and managed centrally, but now the enforcement, because we've got a next-generation firewall, we can enforce a lot of policies at the edge."

This is just one of the scenarios Barracuda is pursuing. The company also sees a future in which its SASE offering can be deployed entirely in software where a customer could spin up the SD-WAN environment from the Azure marketplace. Ultimately, deploying security functionality to the branch using virtual machines instead of hardware is the future, Jefferson said.