Security "Bits"

How to Quickly Integrate your SD-WAN with Bitglass

By Amit Singh | March 9, 2021 at 5:00 AM

As the only SASE platform built on a Polyscale public cloud architecture, Bitglass uses AWS Transit Gateway Connect to integrate with SD-WAN solutions: traffic from branch routers is routed to Bitglass for real-time security. This plug-and-play approach differs markedly from that of competitors, who are limited to specific SD-WAN partners for whom they build and maintain piecemeal integrations.

By integrating with AWS Transit Gateway (TGW) and using it as an exchange, Bitglass provides a simple way to connect its security services over the customer's existing SD-WAN network. AWS TGW simplifies branch connectivity through native integration with a wide variety of Software-Defined Wide Area Network (SD-WAN) vendors and appliances. This post gives a short overview of how the integration is configured and deployed.


Supported Vendors:

This integration removes the need to test the solution with every SD-WAN vendor individually and gives customers pre-built configurations for connecting to Bitglass services through their SD-WAN vendor of choice.

Bitglass supports every vendor that supports integration with AWS TGW, including Aruba, 128 Technology, Silver Peak, Citrix, Arista Networks, Aviatrix, Sophos, Cisco, Alkira, Aryaka, Palo Alto Networks, Versa Networks, and more.

Sample configurations are provided through the AWS Site-to-Site VPN configuration section.


Sample IPsec Configuration:

set security ike proposal ike-prop-vpn-0679b50-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0679b50-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0679b50-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0679b50-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0679b50-1 dh-group group2

# An IKE policy is established to associate a pre-shared key with the
# defined proposal.

set security ike policy ike-pol-vpn-0679b50-1 mode main
set security ike policy ike-pol-vpn-0679b50-1 proposals ike-prop-vpn-0679b50-1
set security ike policy ike-pol-vpn-0679b50-1 pre-shared-key ascii-text <key>

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 52.9.x.x is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.

set security ike gateway gw-vpn-0679b50-1 ike-policy ike-pol-vpn-0679b50-1
set security ike gateway gw-vpn-0679b50-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-0679b50-1 address 52.9.x.x
set security ike gateway gw-vpn-0679b50-1 no-nat-traversal



Latency issues associated with the hub-and-spoke designs of existing SD-WAN solutions are addressed by using AWS Global Accelerator to provide local tunnel endpoints.


Solution Overview:

A typical user flow looks like this, with Bitglass connecting to the TGW and providing the exit point for all web traffic.

  • When a user accesses a cloud application, the traffic is routed via the local LAN and then onto the SD-WAN network.
  • Bitglass connects to the enterprise SD-WAN network via AWS TGW.
  • The SD-WAN vendor also connects to the AWS TGW.
  • Bitglass connects to the AWS TGW using IPsec (the connectivity option provided by AWS).
  • Bitglass implements dynamic routing with BGP to peer with the AWS TGW and advertises itself as the default gateway, so that it accepts all Internet traffic (dynamic routing also provides load balancing and redundancy using ECMP).
  • All Internet web traffic reaches the Bitglass data plane from the customer SD-WAN network through the TGW, over either GRE or IPsec.
  • Depending on the implementation, Bitglass will be required to provide GRE and IPsec termination endpoints and expose their configuration via the UI.
  • The SASE services provided include the ability to enforce SWG, ZTNA, and CASB policies.

On the Bitglass management portal, Bitglass provides the following information to the end user:

  • Outside IP address (CGW IP address)
  • Authentication method: pre-shared key
  • Inside IPv4 CIDR for Tunnel 1 (will become BGP Neighbor 1)
  • Pre-shared key for Tunnel 1
  • Inside IPv4 CIDR for Tunnel 2 (will become BGP Neighbor 2)
  • Pre-shared key for Tunnel 2
  • BGP AS number (use private AS numbers)

The sample SD-WAN vendor configuration shown above is also downloadable through the Bitglass management portal.
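As an added illustration (not Bitglass or AWS code), the Python below checks the IKE proposal lines of the AWS-generated Junos sample above against a stronger baseline than the sample's sha1/aes-128-cbc/group2 defaults, and derives the tunnel-interface and BGP neighbor addresses from the inside IPv4 CIDRs the portal supplies. It assumes the AWS Site-to-Site VPN convention that each inside CIDR is a /30 in 169.254.0.0/16 with the AWS side on the first usable address and the customer gateway on the second; the CIDRs and the peer ASN 64512 are constructed sample values.

```python
import ipaddress
import re

# Values a practitioner would require in place of the sample's defaults
# (sha1, aes-128-cbc, group2); Junos names for options AWS tunnels accept.
BASELINE = {
    "authentication-algorithm": {"sha-256", "sha-384"},
    "encryption-algorithm": {"aes-256-cbc"},
    "dh-group": {"group14", "group19", "group20"},
}
PROPOSAL_RE = re.compile(r"^set security ike proposal (\S+) (\S+) (\S+)$")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed from the sample above: the IKE proposal lines as AWS emits them.
SAMPLE_CONFIG = """
set security ike proposal ike-prop-vpn-0679b50-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0679b50-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0679b50-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0679b50-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0679b50-1 dh-group group2
""".strip().splitlines()


def check_ike_proposal(lines):
    """Return {setting: value} for each proposal setting below BASELINE."""
    findings = {}
    for line in lines:
        m = PROPOSAL_RE.match(line.strip())
        if m:
            _name, key, value = m.groups()
            if key in BASELINE and value not in BASELINE[key]:
                findings[key] = value
    return findings


def tunnel_addresses(inside_cidr):
    """Map an inside tunnel CIDR to (tgw_side_ip, cgw_side_ip): AWS hands out
    a /30 in 169.254.0.0/16 per tunnel, the AWS side takes the first usable
    address and the customer gateway the second (assumed convention)."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr} is not a /30 inside 169.254.0.0/16")
    tgw_ip, cgw_ip = net.hosts()
    return str(tgw_ip), str(cgw_ip)


def bgp_sessions(tunnel_cidrs, tgw_asn):
    """Per tunnel: the CGW's st0 address and the TGW BGP neighbor to peer with."""
    return [{"local": cgw, "neighbor": tgw, "peer_as": tgw_asn}
            for tgw, cgw in map(tunnel_addresses, tunnel_cidrs)]
```

Feeding the downloaded vendor sample through check_ike_proposal before committing it shows which proposal values still need to be raised to the baseline, and bgp_sessions gives the two neighbor addresses the list above refers to as BGP Neighbor 1 and 2.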


To learn more about integrating SD-WAN with Bitglass, download the solution brief, or reach out to your Bitglass representative.
