Are you ready for Microsoft to become your WAN and network security provider?

At the end of 2018 I wrote an article titled "Will Amazon, Microsoft or Google replace your global MPLS WAN?" as I could see a broad set of enterprise networking offerings arriving on the market from these cloud giants. The vast global networks operated by the major CSPs were starting to be offered as a better way of establishing inter-continental traffic flows, especially if users were accessing workloads that sat in the public cloud.

So much has changed since then, most notably the industry's shift towards the convergence of network and security. Microsoft clearly has very ambitious plans that don't just threaten traditional telco backbone offerings, but now extend to secure web gateway and zero-trust network access functionality. The unique licensing position that Microsoft has with most large businesses means that many CIOs will need to make some quick decisions because the commercials can be very attractive. How can you best take advantage of these new offerings, and is your business ready for them?

Microsoft's backbone as your WAN

Azure Virtual WAN continues to mature, and is now positioned by Microsoft as the best way for a global user base to access Azure workloads. The premise is straightforward - you can access PoPs on the Microsoft backbone using an SD-WAN appliance, DirectConnect links or an end-user device, and then build secure connections over this network back to Azure infrastructure or your own data centers.

Source: Microsoft

This works well for simple topologies, but integrating this with alternative backbones and providing inter-region resilience can become extremely complex. Traditional routing functionality that many large enterprises depend on is often not yet implemented, or only offered in a limited form. That type of topology isn't an edge case - egress charges can really add up, so it usually makes sense to consider alternative options alongside Virtual WAN for traffic flows that don't start or end in Azure.

Can Entra become your Security Service Edge?

We've had some time to understand the scope and capabilities of Microsoft's networking offerings, but the announcement of Microsoft Entra's SSE offering in July 2023 caught many people by surprise. Within days, our team at Coevolve started to receive questions from clients about this product and whether it could be relevant for them.

There are two components that make up Microsoft Entra SSE:

  • Secure Web Gateway
  • Zero Trust Network Access

If these sound familiar, it's because they are two core pieces of functionality offered by almost all SASE and SSE providers - including VMware, Zscaler, Palo Alto, Fortinet, Cisco, Cato Networks, Netskope and many others. For some vendors - Zscaler, for example - this represents their core business, so there will be a lot of focus on this product as it continues to mature.

The most important things to point out about Entra SSE are that you can't buy it yet, and there is no public data available on pricing for either of the above components. Microsoft does have a good level of credibility in the security space through its various Defender offerings, and already operates cloud-scale security functionality in Microsoft 365.

Most SSE products work in a similar way - IPsec, GRE or DTLS tunnels are established between the WAN and the SSE provider's PoPs, relevant traffic is steered over these tunnels, and traffic is inspected and filtered according to your enterprise policies. Remote users can have the same security policies applied to their browsing traffic, and use a connector to securely access internal applications and resources through a "zero trust" model.

The available documentation on Entra SSE appears to show that this product will provide comparable functionality, but it remains to be seen how easily it can be integrated into existing enterprise networks. Integrations with Azure Virtual WAN will also be critical as this could eliminate the need for additional tunnels and simplify the topology.

Microsoft's licensing advantage

One of the interesting tools that Microsoft has at its disposal is the Microsoft 365 Enterprise E5 license. This license has become a way for Microsoft to bundle its advanced security offerings into a single per-user charge (currently just under US$60 / month / user at list prices) that also includes all of the other components of the Microsoft 365 suite.

Source: Microsoft

The range of Defender components offered in this license, in addition to the identity management component of Entra, may indicate that Microsoft will add more of its SSE functionality on a per-user basis as the product reaches general availability.

Many enterprises operate under an Enterprise Agreement with Microsoft, allowing for very attractive pricing on cloud-delivered services, with a range of incentives to migrate away from on-premises offerings. With Microsoft holding such a dominant market position with Microsoft 365, we could see a more aggressive push to implement Entra SSE without significantly impacting costs.

Where's the service?

Of course, most enterprises historically have not bought network and security offerings as self-service SaaS offerings. These services form the digital foundation of many enterprises. This requires logging, monitoring, incident and problem management, release management, change control and access to engineering resources that don't just understand the products, but the context of the enterprise's environment.

The announcement of a promising new product from a major vendor like Microsoft cannot be ignored. When we founded Coevolve, one of our original principles was that we would help enterprises bridge from legacy technologies to relevant modern solutions, using a range of vendors and tools. Microsoft's emerging networking and security capabilities will undoubtedly be required by many large enterprises, given their existing investments in the Microsoft ecosystem. The role of specialist providers like Coevolve is to use products like these as the foundation for high-quality, technology-enabled co-managed services that meet - or exceed - the expectations of the global enterprise.

Our real strength is in multi-vendor, tightly-integrated solutions. We're already using Azure Virtual WAN in production for our global clients today, and seeing very positive outcomes. As Virtual WAN and Entra SSE continue to evolve, so too will our offerings, ensuring we continue to be a valuable partner to our clients. If you're considering these technologies as part of your cloud adoption strategy, let me know - I'd love to see how we can help!


Luong Hoa

Co-Founder at Icetea Labs (icetea.io) | Founder at Icetea Software

1 year

Hi Ciaran, let's connect!

Peter Schmidt

P.Schmidt Consultancy Services B.V. ( Besparen door en in de Cloud)

1 year

This clearly shows the enormous disruptive impact of the cloud on the existing telecoms industry and the fast pace of change over the years.

Eliot Foye

Public Cloud | Software Defined Networking | SASE | Zero Trust Networking

1 year

Fantastic article. Thanks for sharing. It will be interesting to see how Entra SSE shapes up when more information is provided/public.

Dardan Gashi

Tech nerd with a fitness addiction | CNVP | Helping businesses simplify the management and security of their Hybrid Networks

1 year

Ciaran Roche as always, wonderfully written and insightful! Thanks for sharing your thoughts on this.
