Zscaler Blog


News & Announcements

Access to AWS and Azure: Are Users Falling by the Wayside?

November 30, 2017 - 5 min read

As the cloud continues to conquer the world, user numbers are booming for Amazon Web Services (AWS), Azure, and Office 365. The question is no longer whether cloud services will be adopted by companies, but how quickly the solutions are implemented. Speed has two connotations here: the speed of implementation, which affects how quickly a project is realized, and speedy access to the cloud for all users, no matter where they are. Some cloud projects are implemented in a confusing, complex manner, reducing the benefits of speed that users should reap from the cloud.

How do companies implement their cloud projects?

Many companies move some applications from their own data centers to AWS. To get the cloud project up quickly, the data is moved to AWS and a dedicated connection is established from the company data center to AWS. This approach doesn't serve all users equally well, however: it provides cloud access to employees at the company's headquarters, while employees at other locations and branches, and those who need access to data from anywhere, don't get the same benefit.

Remote access is more complex than ever before, raising costs and increasing latency. Before the cloud, an employee in a company's Italian branch would access data by sending a request over the MPLS network to the data center at the head office; the data would be fetched and returned to the employee. In the new cloud setup, an additional hop has been added: the request from Italy reaches the head-office data center over MPLS, is forwarded to the application in AWS over the dedicated connection, and the response returns over the same route.

Users who want to access data in the cloud while on the move face yet another step. From a hotel or airport, they first have to connect by VPN to the closest VPN gateway on the company network. Their request is then sent from the data center to the cloud over the dedicated connection before the data is returned along the same laborious route. An architecture of this kind is undoubtedly quick to implement, but it isn't quick (or easy) to use.

The classic RAS VPN must be replaced

Companies can save themselves the cost of a dedicated connection between their data center and AWS. Regardless of their location, users should have direct access to AWS, Azure, or other services hosting an application in the cloud. Not only can mobile users benefit from increased speed offered by quick routing to AWS, companies can reduce the burden on the MPLS network and reduce costs.

However, a direct route to data requires a new Remote Access Services (RAS) approach. With a classic RAS VPN model, direct access to AWS is extremely complex and requires intensive management. While this type of direct access setup allows users to access AWS, IT departments worry about providing access for a wide range of applications, users, and locations. The problem: connecting a specific user to a dedicated application without granting access to the entire network, or implementing complex workarounds.

RAS VPNs were originally developed to extend the company network to users who needed access from external locations. The approach was based on trust: a device that was granted external access was treated as trustworthy and placed on the entire network. In a second step, security controls such as firewalls and DDoS mechanisms were added alongside the VPN concentrator to restrict access rights after the fact. The drawbacks of this approach are that access is granted at the network level rather than to the application the user actually needs, and that the user has to establish the tunnel manually.

RAS VPNs were initially developed to connect a single computer with a single network. Widespread use of the cloud has turned that into the need to connect one user with multiple networks: road warriors want to reach their company network, their applications on AWS or Azure, and Office 365 as well. Because of these needs, access has become more complex and the user experience has suffered. Additional technologies and steps bolted onto the original RAS approach have rendered it too convoluted for users.
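The difference between the two access models described above can be made concrete. The following is an added example, not code from the original post or from Zscaler: it models a classic RAS VPN, which pushes whole network routes to a trusted device once the tunnel is up, beside a per-application policy that connects a named user only to the applications they need. All hosts, addresses, user names and application names are constructed for illustration.

```python
"""Added example (not Zscaler's code): network-level RAS VPN grant versus a
per-application grant for a remote user. Every host, CIDR, user and
application name below is constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed inventory: what lives behind the corporate VPN and in AWS.
HOSTS = {
    "hr-app":        "10.1.20.15",   # the one application the user needs
    "finance-db":    "10.1.30.8",    # sensitive and unrelated to the user's job
    "dc-file-share": "10.1.10.5",
    "aws-hr-api":    "172.31.4.22",  # the same HR application, hosted in AWS
}


@dataclass
class NetworkPolicy:
    """Classic RAS VPN model: once the tunnel is up the device is trusted for
    whole routes (CIDRs) pushed to the client. The user identity plays no
    part in the decision, which is exactly the weakness."""
    routes: list[ipaddress.IPv4Network]

    def allows(self, user: str, app: str) -> bool:
        ip = ipaddress.ip_address(HOSTS[app])
        return any(ip in net for net in self.routes)


@dataclass
class AppPolicy:
    """Per-application model: a user is connected to named applications only;
    no network route is ever exposed to the client."""
    grants: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, user: str, app: str) -> bool:
        return app in self.grants.get(user, set())


def reachable(policy, user: str) -> set[str]:
    """Every inventory host the given policy lets this user reach."""
    return {app for app in HOSTS if policy.allows(user, app)}


# Classic setup: the VPN concentrator pushes the whole data-center range plus
# the AWS VPC range to every connected device.
classic = NetworkPolicy(routes=[ipaddress.ip_network("10.1.0.0/16"),
                                ipaddress.ip_network("172.31.0.0/16")])

# Per-app setup: the HR user is granted the HR application wherever it runs,
# in the data center or in AWS, and nothing else.
per_app = AppPolicy(grants={"alice": {"hr-app", "aws-hr-api"}})


def blast_radius(user: str) -> tuple[set[str], set[str]]:
    """Return (hosts reachable under the classic VPN, hosts reachable per-app)."""
    return reachable(classic, user), reachable(per_app, user)


if __name__ == "__main__":
    classic_set, app_set = blast_radius("alice")
    print("classic VPN exposes:   ", sorted(classic_set))
    print("per-app policy exposes:", sorted(app_set))
```

Under the classic policy every host in both ranges, including the finance database, is reachable by any device that brought up the tunnel; under the per-application policy the same user reaches only the HR application, whether it is hosted in the data center or in AWS, and a user with no grant reaches nothing.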

Current requirements for RAS VPN access to the cloud

Gaining access to cloud-based applications is part of our working lives – and it should be a fast and easy process. Ideally, users shouldn’t even notice where applications and data are hosted. Whether on the company network or in the cloud, the experience should be the same. Users should have full access to all work environments without the need for manual interaction. An RAS VPN must therefore provide the following capabilities:

  1. Every user in every branch must be able to access the Internet directly, without detouring through security infrastructure at the company headquarters.
  2. Users must be able to connect directly with the cloud service, not via an RAS VPN gateway on the company network.
  3. Users must be able to hold simultaneous connections to different services without initiating a VPN connection for each one.
  4. Direct access must also be available from within the cloud. Users must be able to work on several networks in parallel, whether their own LAN, the company network, a business partner's network, or the cloud.

What’s needed is a technology that offers users one gateway to the cloud no matter where they are or what network they’re on, with no obstacles in the way and no manual steps needed. This is the vision of “no user left behind.”

Such technology already exists. To learn more about it, read the latest Microsoft Azure blog post: Azure Networking announcements for Ignite 2017.
