Hybrid Cloud Firewall

Network Edge works with Equinix FabricEquinix Fabric is an advanced interconnection solution that improves performance by providing a direct, private network connection. to provide a virtual cloud on-ramp that can be spun up in minutes. This provides low-latency hybrid multi-cloud access for a variety of applications. If applications are multi-tiered or latency-sensitive and need access to enterprise resources, they can be implemented using a virtual security device deployed on Network Edge at a single control point.


The hybrid multi-cloud topology in this reference architecture scenario has a web tier deployed in one cloud provider and a database tier deployed with another cloud provider in the same region. The only publicly accessible componentA piece of an overall solution that can be built individually or as part of a larger end-to-end solution for users. The same as microservice. of the application is the web tier. All other components must be secured, including the Enterprise infrastructure which also provides services to the application and must be near the other components due to latency requirements.

This solution reduces the number of deployed devices and creates a single security control point between all the application tiers. For enterprises, network complexity is reduced, which, lowers costs for cloud-to-cloud connectivity and enhances security.

Network communication between the application tiers is provided by direct private Layer 2 interconnections over the Equinix Fabric, with the Network Edge device providing Layer 3 routing and security services. The Network Edge device is a virtual network function (VNF) that is hosted by the Network Edge network function virtualization (NFVNetwork Functions Virtualization is the result of turning network activities, protocols, traffic flow, and design into a software service or code. At Equinix, we refer to designing and configuring network solutions using our platform and software, regardless of the device, object, component, or vendor.) platform.

Equinix Components

  • Equinix Fabric – Equinix Fabric is a switching platform that provides private connectivity to a wide selection of providers that are participants on the Fabric. Virtual circuits are provisioned on the Fabric using software-defined networking to establish connectivity to providers that are connected to the Fabric. Virtual connections can be created using the Fabric Portal or APIs.

  • Equinix Network EdgeEquinix Network Edge enables you to deploy and manage your network in near real time. – Network Edge is an ETSI-compliant NFV platform that hosts VNFs (routers, firewalls, and SD-WAN) from various vendors such as Cisco, Juniper, Palo Alto, Fortinet, Versa, Silver Peak, and Checkpoint. VNFs can be deployed in real-time and, once deployed, you can start building virtual connections to providers on the Fabric.

Application Components


These recommendations provide a starting point. Customer requirements might differ from this list.

  • Choice of location – This architecture example shows connections between the same region. Depending on the region for deployment, latency will vary, which is an important consideration when designing applications with stringent latency requirements. However, some applications might require inter-region connectivity. In those cases, use the global reach of Equinix Fabric to create those connections.

  • High Availability – This architecture shows a single-threaded deployment with no fault-tolerance. Equinix recommends that customers deploy the level of fault -tolerance needed for their business requirements. Network Edge can be deployed with redundant devices or, in the case of some vendors, devices be deployed as a high-availability pair.

  • Network addressing – For connections to private services over a private virtual interface, customers can use private IP addressing. For some public services, the customer’s own public IP addresses and NAT might be required for the Network Edge device. Because each CSP is different when it comes to public addressing requirements, research is required before trying to create public connections. For the web tier, customers can either bring their own IP addresses that meet internet advertisement requirements, or use provider-assigned addressing.


When implementing this architecture, consider the following factors.


In addition to latency, bandwidth between the components and device throughput must is important. The virtual circuits must be sized appropriately, and the devices must support the desired throughput.


Private interconnections on the Fabric to the cloud provider are not encrypted. An application that requires encryption must encrypt either at the application layer, or at the network layer where IPSEC tunnels can be built between the Network Edge device and a cloud gateway. IPSEC tunnels involve overhead, which also affects the device selection. This solution deploys a virtual security device at a single control point that intersects all traffic flows between the application tiers.

Equinix Costs

CSP Costs

  • Egress Charges – Charged by some service providers based on the amount of data that is transmitted over the private interconnection. These charges vary based on the provider. Using a private interconnection reduces the egress charges when compared to the Internet.

  • Fixed Port Charges – Charged by some providers based on the circuit size, in addition to the egress charges. Both egress and fixed port charges factor into your application design.

By deploying a virtual security device on Network Edge, customers can consolidate hybrid multi-cloud connections at a single security control point, while maximizing application performance and enhancing security.

Related Topics

Network Edge Architecting for Resiliency

Networking for Nerds: Deconstructive Interconnection to the Cloud (Blog)