Product & Engineering

Versa SASE Fabric  

Gartner termed “SASE” to define an optimal approach to networking and security as companies moved their workloads to the cloud. Since then, SASE vendors have taken different approaches to how they architect their services. 

The Versa SASE Fabric, a part of the Versa Secure Access Fabric, is an interconnected, policy-aware, distributed system where networking, security, identity, analytics, and orchestration operate as a single unified platform. Learn why it’s based on an optimal architecture and what sets it apart. 

SASE Evolution 

SD-WAN introduced a means of providing quality point to multi-point connectivity over best effort Internet with security inspection at the site level. SSE brought security inspection to the cloud edge as enterprises moved workloads to the cloud and away from centralized internet security. 

SASE combines both technologies, moving protection to the cloud edge while giving remote users secure anywhere access. Yet once traffic is inspected at the cloud edge, the manner in which it reaches its destination varies by SASE vendor architecture. 

SASE Architectures 

While SASE requirements are well defined, vendor architectures to deliver it vary. 

1. Single vendor versus multi-vendor – in an earlier blog “Essential benefits of single vendor SASE” we looked at the merits of vendors that developed unified SASE, with SD-WAN and SSE integrated in their own code base, versus SD-WAN vendors that added security by gluing on an acquired SSE solution, or vendors that try to tunnel an acquired SD-WAN solution into their security platform. 

2. Private network versus best effort public internet
   1. On one end of the spectrum, cloud-focused vendors took the approach of post security inspection, “dumping” traffic off for the best effort internet to route it over the “best available path”. This approach misses the opportunity to optimize performance in transit. 
   2. On the other end some vendors built their own expensive proprietary private backbones. Yet traffic is at the mercy of their private network circuits.  Also, east-west traffic must hairpin through their cloud adding latency and cost for service contracts which are all metered according to bandwidth consumption. 

3. Versa SASE Fabric – takes an optimal approach. It is based on a single unified SASE service which combines the best of both approaches with a dynamic secure architecture. 

Versa SASE Fabric 

The fabric control plane is based on Versa Secure SD-WAN; a best-in-class solution named a leader in the Gartner SD-WAN Magic Quadrant 5 years in a row. It includes an array of features to boost performance and optimize access to Private Apps, SaaS, Web, and Hyperscalers. Through peering and transit agreements, Versa SASE Fabric provides the best paths, over routes from Tier 1 service providers. 

It operates on two distinct network layers. The underlay network is based on native routes available via an IGP or EGP. While Overlay network routes, centrally managed by SD-WAN, are dynamic and paths are driven based on performance metrics like loss, latency, or jitter not static metrics. 

The Route Overlays 

Customer tenants enjoy the same Versa Secure SD-WAN technology to optimize their network and their overlay. 

Their overlay routes are distributed across the fabric in isolated virtual routing and forwarding instances (VRFs) making the Versa SASE Fabric an extension of their network.  

Versa customer tenant SD-WAN site CPEs and the Versa SASE Fabric exchange overlay routes using the MP‑BGP protocol, allowing enterprise site prefixes and SASE service prefixes to be dynamically distributed across the fabric to other sites.  

This provides optimized delivery across the fabric for customers to reach both their corporate sites and cloud resources while security inspection continues to take place in SASE Gateways at the fabric edge. 

At the same time remote users connecting through Versa Secure Private Access (VSPA), Versa’s optimzed ZTNA service, connect to their nearest SASE Gateway and enjoy optimized flow transport across the fabric to reach target resources. 

Key Use Cases 

Remote/Branch to SaaS: the Versa SASE Client directs users’ Internet traffic to the nearest Versa SASE gateway. That gateway then uses SD-WAN telemetry to pick the optimal path to the SaaS application across the fabric, rerouting dynamically if performance degrades. This ensures even distant users get fast, reliable access to cloud apps. 

Remote/Branch to Private Data Centers: for enterprise-hosted apps, user traffic similarly enters via the closest Versa SASE Gateway. The Versa fabric extends back to the private data center or branch, creating an end-to-end QoS-aware connection. The SD-WAN overlay chooses the best route to reach the internal application. 

Multi-Cloud Connectivity: Many organizations have workloads across AWS, Azure, GCP, etc. Versa runs SASE gateways inside each major cloud, creating on-ramps from every cloud environment. Its full-mesh SD-WAN backbone links clouds and sites over the best-performing paths. By peering directly with cloud and SaaS providers, Versa minimizes hops and latency for inter-cloud traffic. 

Summary 

Versa SASE Fabric provides a unified, globally distributed architecture that seamlessly integrates security services into a single routing fabric, enabling consistent security policy, optimal traffic steering, and simplified operations across users, branches, and applications.  

Visit the Versa SASE Fabric white paper to learn more or see it for yourself with a demonstration from a Versa SASE Fabric expert.