GCP – Announcing cloud-native integration of security service edge (SSE) with Cloud WAN
Last week at Google Cloud Next 25, we announced Cloud WAN, a fully managed, reliable, and secure solution for enterprise wide area network (WAN) architectures that’s built on Google’s planet-scale network. Today, we begin a series of deep dives into the products that power Cloud WAN, starting with NCC Gateway, a new regionally managed spoke of Network Connectivity Center (NCC) that integrates cloud-native security services, starting with third-party security service edge (SSE) solutions.
Securing the modern hybrid workforce is complex, driven by the surge of SaaS and remote work. In fact, many enterprises still employ disparate security stacks for on-premises and remote users. For on-prem deployments — especially for branches and campuses — a common approach is to use a colocation-based architecture, in which regional branches aggregate traffic in a colo using SD-WAN headends or VPN concentrators, and firewalls secure user traffic. However, remote users often connect via SSE, resulting in inconsistent security enforcement policies for remote and on-prem users.
To state the obvious, managing separate solutions for on-prem and remote user access to public and private applications can be challenging for security administrators.
For on-prem users and applications:
- There’s no good scalable and cost-efficient way to send aggregated traffic from a colocation facility to SSE, so organizations continue to use firewalls to secure access to public and private applications. This results in complex configurations, lengthy onboarding processes, and costly infrastructure upgrades.
- Firewalls in colocation facilities need to be sized for peak capacity and high availability, increasing total cost of ownership (TCO).
Remote users:
- Disjointed security approaches across SSE and colocation firewalls create inconsistencies between remote and on-prem users’ security postures.
- Using VPN tunnels or application connectors for remote access to cloud resources introduces considerable overhead. This stems from the performance limitations of these connections and the operational complexity of managing numerous tunnels, resulting in higher latency for remote users.
The cloud-first era demands simpler, cloud-delivered security, without the complexity of traditional on-prem routing. Critically, businesses need a single, cloud-native security approach that delivers consistent controls and policies across every application and user, spanning cloud, on-prem, and SaaS environments. Cloud WAN using NCC Gateway is the first major cloud solution to offer managed integration of security service edge (SSE) for users accessing private and public applications. With integration to SSE solutions like Palo Alto Networks Prisma Access and Broadcom Cloud SWG, NCC Gateway offers enterprises a streamlined approach to securing their distributed workforce and applications using the provider of their choice.
What is NCC Gateway?
For organizations managing complex hybrid and multi-cloud environments, Google Cloud’s Network Connectivity Center has long provided a simplified, unified management experience powered by Google’s global infrastructure. Now, we’re thrilled to announce an evolution that takes security to the next level with NCC Gateway.
Imagine a unified security solution that protects all your users, regardless of their location or how they connect — whether it’s through Cloud Interconnect, SD-WAN, Cloud VPN, or even the public internet. With NCC Gateway’s managed integration of third-party SSE, secure access to your private, public, and Google Cloud APIs is now a reality across your entire distributed infrastructure.
NCC Gateway does all this by eliminating the complexities of traditional IPsec tunnel management and traffic steering, enabling rapid onboarding of branch locations and helping to optimize performance for high-bandwidth applications. This ensures that user traffic is securely routed through the chosen SSE stack, while maintaining privacy and integrity within Google Cloud’s private network to minimize latency and enhance the overall user experience.
Key use cases
Here are three key use cases where NCC Gateway simplifies your network security and boosts performance:
1. Streamlined, high-bandwidth on-ramp for branch users
NCC Gateway provides a high-performance on-ramp for branch users connecting over 10 or 100 Gbps Cloud Interconnect, a substantial improvement over single-gigabit IPsec tunnels. This ensures dedicated, high-throughput connectivity for optimal application performance. Then, following SSE inspection, traffic is efficiently routed to public applications on the internet, to private applications over the Google backbone, or to applications in other clouds via Cross-Cloud Interconnect.
2. High-performance, private off-ramp to private applications for remote users
NCC Gateway natively integrates third-party SSE stacks within Google Cloud’s private backbone. This removes the need for internet-based encryption, while maintaining privacy and integrity with higher performance. For applications running in other clouds, customers can leverage private connectivity with dedicated bandwidth through Cross-Cloud Interconnect backed with an SLA.
3. Protected application access to the internet
NCC Gateway provides a unified secure internet gateway for users and applications that are on-prem or in other clouds, while offering streamlined multi-gigabit onboarding with minimal configuration, eliminating complex tunnel management, and enabling rapid, secure deployment. For internet-bound SaaS traffic, Google’s Premium Tier network sends data to the best peering location, for optimized and secure access.
Key benefits of Cloud WAN with NCC Gateway
The addition of NCC Gateway to Cloud WAN brings a number of advantages:
- Unified security posture: Enhance your security posture by consolidating your security stack and minimizing the attack surface. NCC Gateway enforces consistent ingress and egress security through Cloud WAN, providing a uniform security experience for all users, regardless of location or device, with your preferred SSE provider.
- Improved application experience: Deliver a superior user experience with lower latency for both SaaS and private applications, powered by our premium backbone and native encryption. Cloud WAN provides up to 40% improved performance compared to the public internet. [1]
- Lower costs: Achieve significant cost savings by streamlining multi-cloud connectivity and adopting a consumption-based model. Cloud WAN provides up to a 40% savings in total cost of ownership (TCO) over a customer-managed WAN solution. [2]
What our partners are saying
This is what our SSE partners had to say about NCC Gateway integration.
Palo Alto Networks:
“The integration of Prisma SASE with Cloud WAN unlocks new possibilities for customers, offering a high-bandwidth on-ramp to Prisma Access from large branches and campuses, while providing a high-performance private off-ramp to optimize secure access to private applications in Google Cloud or any other clouds.” – Anupam Upadhyaya, Vice President, Product Management, Palo Alto Networks
Broadcom:
“In an age where enterprises demand cutting-edge security at line speed, we’re proud to partner with Google Cloud to deliver a game-changing solution: Symantec Security Service Edge (SSE) natively integrated into Cloud WAN via Symantec Cloud SWG Express Connect. This gives our joint customers a secure express lane to critical data and seamless access to world-class AI capabilities. It’s another major step in our mission to bring enterprise-grade security to all.” – Jason Rolleston, General Manager, Enterprise Security Group, Broadcom
Learn more
Be among the first to experience the power of NCC Gateway, which will be available in preview in Q2 ’25. You can learn more about Cloud WAN on the Cross-Cloud Network solution page.
1. During testing, network latency was more than 40% lower when traffic to a target traveled over the Cross-Cloud Network compared to when traffic to the same target traveled across the public internet.
2. Architecture includes SD-WAN and 3rd party firewalls, and compares a customer-managed WAN using multi-site colocation facilities to a WAN managed and hosted by Google Cloud.