1. Products
  2. Network Security
  3. Barracuda CloudGen WAN
  4. Features

Barracuda CloudGen WAN

Introducing the first secure SD-WAN service built natively on Azure.

Connectivity and SD-WAN

CloudGen WAN brings full SD-WAN functionality to Azure Virtual WAN, Microsoft’s native hybrid cloud service. Secure SD-WAN dynamically selects the most suitable uplink for each application in real time, based on traffic characteristics, available bandwidth, and latency between VPN endpoints. This lets you replace MPLS lines by globally connecting your sites via the Microsoft Global Network, the world’s fasted private network. Purpose-built for the cloud, CloudGen WAN provides seamless, automated access to your business-critical resourses, leveraging a rich feature-set including:

  • Adaptive bandwidth protection
  • Adaptive session balancing
  • Forward error correction (FEC)
  • SD-WAN breakout
  • Dynamic bandwidth and latency detection
  • Performance-based transport selection
  • TINA—Barracuda’s proprietary VPN protocol
  • Site-to-site connectivity
  • Failover link support
  • Dynamic quality of service
  • WAN compression

Directly deployed from Azure marketplace, the CloudGen WAN gateway becomes a part of Microsoft’s Azure Virtual Hub and, together with CloudGen WAN site devices, ensures optimized connectivity from every branch office to the nearest Azure Cloud entry point. Barracuda supports dynamic path selection across multiple ISPs for Azure Virtual WAN, giving you failsafe, always-on cloud connectivity. The close integration with native Azure services seamlessly integrates Barracuda CloudGen WAN into your Azure cloud infrastructure.

To achieve the best possible user experience across the WAN, CloudGen WAN onsite devices proactively measure the available bandwidths and quality of all internet uplinks and between VPN endpoints. The results are directly available to the security and SD-WAN policy engine to select the best suitable uplink per application or to disqualify an uplink if the bandwidth or latency fall outside of acceptable limits.

A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda CloudGen WAN to dynamically assign available bandwidth, uplink, and routing information based on protocol, user, location, and content as well as application, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

To view a current list of applications and sub-applications that ClouGen WAN recognizes for application-based routing, please visit the Online Application Explorer.

Barracuda CloudGen WAN uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.

If dynamic bandwidth and latency detection indicates that the measured bandwidth of an uplink is too low to support certain kinds of business-critical traffic (e.g., VoIP), Barracuda CloudGen WAN automatically shifts sessions for non-business-critical traffic to secondary links to free up bandwidth for critical traffic.

Barracuda CloudGen WAN enhances the WAN performance of cloud-connected network environments by reducing transmission delays and boosting throughput, to improve the availability, performance, and responsiveness of business-critical applications. Using enterprise-grade WAN acceleration features such as forward error correction, data deduplication, traffic compression, and protocol optimization, CloudGen WAN can significantly improve site-to-cloud WAN traffic and accelerate the delivery of business applications.

Secure SD-WAN connections with Barracuda CloudGen WAN are designed for high-speed networking across shared lossy lines such as internet broadband or 4G/5G. The underlying forward error correcting (FEC) technology to remediate packet loss is based on a new set of algorithms in the category of random linear network codes (RLNC). Algorithms based on RLNC codes react much faster to losses, remediate these faster on the fly, requiring fewer packet retransmissions and reducing overhead on the devices. This results in high quality voice and video calls even in high packet loss scenarios and with many subscribers on the shared line.

Secure SD-WAN between Barracuda Networks devices uses TINA (Transport Independent Network Architecture) by default, an enhanced version of the IPsec protocol designed to overcome the inherent limitations of IPsec. The TINA protocol uses a combination of TCP, UDP, and ESP for high-speed VPN connections, substantially improving VPN connectivity. It also adds default endpoint-to-endpoint (not network-to-network) connectivity, built in NAT-friendliness, built in HTTPS and SOCKS4/5 proxy compatibility, dynamic address support, and better VPN tunnel quality via advanced dynamic tunnel heartbeat monitoring.

Personal Access with Barracuda CloudGen WAN is the most convenient way to provide endpoint connectivity to workloads in Azure. Personal Access for CloudGen WAN lets remote users access company resources in Azure over an encrypted VPN tunnel directly from work-at-home environments or on the go. The high-performance TINA VPN protocol allows much more stable and resilient always-on connections from remote devices.

CloudGen WAN Personal Access benefits compared to other client VPN to Azure solutions:

  • No need to deploy additional VPN gateways or services—Personal Access uses the existing CloudGen WAN Gateway infrastructure
  • Fast and easy self-enrollment for end users
  • High-performance connectivity to cloud-hosted resources using TINA protocol—faster, more stable, and more resilient
  • Integration with your existing Azure Active Directory
  • Lower cost compared to built-in Azure Virtual WAN point-to-site connectivity.
  • Lower cost compared to dedicated VPN services—only pay for actual usage

Usually, user-generated office network and web traffic is protected by a CloudGen WAN site device. With site authentication, the identity of the user (and the associated privileges and valid logins) is preserved when switching from a direct remote connection to Azure to the office network. The CloudGen WAN client automatically detects the change and asks for re-authentication. It then updates user information on the CloudGen WAN Gateway accordingly and allows user-based access control.

With the optional USB LTE modem, CloudGen WAN onsite devices can leverage 4G/LTE connectivity and the cellular infrastructure to provide broadband speeds either in failover or load-balancing configuration. For locations without wired broadband options and sufficient cellular connectivity the USB LTE modem may serve as the primary internet connection. The Barracuda USB LTE modem can even be used for zero-touch deployment of CloudGen WAN appliances in areas where wired internet connectivity is not yet available.

To extend the SASE service at line speed to every site device and overcome limitations introduced by traditional SD-WAN technology based on shared uplinks like broadband, CloudGen WAN features uplink optimization technology with Forward Error Correction and self-healing traffic intelligence. This allows using the available physical bandwidth more effectively and expanding the benefits of SD-WAN to sites with single uplinks as well as optimized utilization of shared uplinks.

Adaptive Session Balancing technology ensures using the best available uplink for the application profile, for all encrypted tunnels across SD-WAN sites. If the health state of the initial uplink recovers, encrypted SD-WAN traffic transparently switches back to this uplink. Application-based routing, factoring in the results of Dynamic Bandwidth and Latency Detection, applies the same concept for outbound internet traffic, ensuring that SaaS applications like Office 365 are always leveraging the best available uplink, even when conditions change frequently.

Management and automation

CloudGen WAN is easy to set up and does not require specialized IT skills. Directly deployed from Azure marketplace, the service works out of the box with smart default configuration, suitable for all cloud and SaaS applications. CloudGen WAN runs natively as a SaaS service inside one or multiple Azure Virtual WAN regions and provides easy, automated access to the Microsoft Global Network. The service can either be rolled out to all locations as a pure SD-WAN solution alongside existing firewalls or as a secure SD-WAN solution replacing existing firewalls.

Zero-touch deployment lets you send CloudGen WAN appliances directly from the factory to the desired remote location without the need for on-site IT personnel. Connect the unit and power it up and it automatically requests, receives, and installs its specific configuration file. This makes it extremely easy, fast, and inexpensive to roll out CloudGen WAN devices across widely distributed organizations. For sites in areas where wired internet connectivity is not yet available the optional Barracuda USB LTE modem can be used to facilitate the initial rollout.

Directly managed via the CloudGen WAN management portal for all regions and all sites across your global WAN, regardless of the number of cloud entry points or locations. The central cloud portal offers the highest degree of automation and unparalleled ease of use. CloudGen WAN continuously monitors and optimizes network performance to ensure uninterrupted always-on connectivity and high quality of service levels for your business-critical traffic and applications.

The CloudGen WAN management portal hosts security, networking, and SD-WAN connectivity rules that are applied and enforced automatically across all site devices and endpoints hosted with your CloudGen WAN subscription. Define an SD-WAN or security policy once and CloudGen WAN automatically distributes and enforces it across all locations and users.

For URL filtering, malware protection, SSL inspection, IPS ,and firewall rules (ACLs), users or groups can be defined using inclusion criteria. Allow certain website categories for specific users or groups (e.g., give marketing staff access to Facebook while blocking it for everyone else) or exempt certain users or user groups from IPS or SSL scanning.

Azure Monitor and the underlying Azure Log Analytics is Microsoft’s solution to collect, monitor, analyze, and act on telemetry data from any application hosted in Azure and on-premises environments, and even corresponding networking and security equipment. This allows customers to automate the analysis of the underlying data, set up alerts, and use machine learning-driven insights to quickly identify and resolve problems related to security and connectivity of their cloud infrastructure, without logging into the actual machines or devices. You can configure CloudGen WAN to send relevant log data for security, connectivity, SD-WAN, and point-to-site to Azure Log Analytics for further analysis.

Azure Secured Hub is a secured Azure Virtual WAN hub with associated security and routing policies configured by the Azure Firewall Manager, with outbound security provided by an approved Azure security partner provider service. Barracuda CloudGen WAN is fully compatible for deployment in these scenarios, to provide SD-WAN connectivity and next-generation firewall security to every site and high-performance private access to cloud resources for endpoints.


CloudGen WAN is built on the same technology as CloudGen Firewall, Barracuda’s battle-tested enterprise firewall. Purpose-built for the cloud, CloudGen WAN provides advanced multi-layered security to protect your business-critical resourses, leveraging a rich feature-set including:
  • Advanced Threat Protection
  • Intrusion detection and prevention
  • Malware protection
  • SSL inspection
  • Stateful deep packet inspection
  • Single pass architecture
  • URL filtering--application-based ACL

The URL filtering feature of CloudGen WAN lets you create and enforce effective internet content and access policies by enabling highly granular, real-time visibility into online activity broken down by individual users and applications. It protects user productivity, blocks malware downloads and other web-based threats, and supports compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

Barracuda CloudGen WAN can apply IPS, virus protection, application control, URL filtering, and even Advanced Threat Protection to SSL-encrypted web traffic using the standard 'trusted man-in-the-middle' approach. SSL interception can be fine-tuned to exempt local networks, users/groups, URL filter categories, or custom defined domains from SSL inspection.

Barracuda CloudGen WAN can apply IPS, virus protection, application control, URL filtering, and even Advanced Threat Protection to SSL-encrypted web traffic using the standard 'trusted man-in-the-middle' approach. SSL interception can be fine-tuned to exempt local networks, users/groups, URL filter categories, or custom defined domains from SSL inspection.

The Intrusion Prevention System (IPS) of CloudGen WAN strongly enhances network security by providing comprehensive real-time network protection against a broad range of network threats, hacking, vulnerabilities, exploits, and exposures in operating systems, applications, and databases. It prevents network attacks such as:
  • SQL injections and arbitrary code executions
  • Access control attempts and privilege escalations
  • Cross-site scripting and buffer overflows
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Directory traversal and probing and scanning attempts
  • Backdoor attacks, trojans, rootkits, viruses, worms, and spyware

As a result, Barracuda CloudGen WAN can identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

Automatic signature updates are delivered on a regular schedule or on an emergency basis as new vulnerabilities emerge, to ensure that Barracuda CloudGen WAN is constantly up to date.

CloudGen WAN uses Azure AD as the default authentication service. CloudGen WAN Personal Access, using Barracuda’s VPN client, supports dual-factor authentication that requires the user to confirm loginn via the Microsoft Authenticator app.

CloudGen WAN enforces full security with ACLs, App control, URL filtering, AV and Advanced Threat Protection, enabling network segmentation and control within Azure Virtual WAN. This eliminates the need for Security Groups, Azure Firewall or Azure Security Partners and replacing these with one flexible solution that is easy to use and cost efficient. The CloudGen WAN service additionally provides unprecedented real-time visibility into all traffic entering as well as generating from inside Virtual WAN.


Barracuda CloudGen WAN provides a practical SASE solution that is easy to deploy in Azure. While other SASE vendors use their own cloud and their own network, CloudGen WAN allows leveraging the global presence and power of Azure data centers and Microsoft’s global network. For all organizations leveraging Azure or planning to adopt Azure it makes perfect sense to deploy a SASE offering on the same public cloud platform.

For organizations having certain geopolitical requirements or using applications requiring an organization’s IP address as source IP address, every CloudGen WAN site device serves as a private enforcement node for SWG, FWaaS enforcement and as entry point to the cloud service for remote endpoints. The SASE enforcement points in Azure, as well as the private enforcement points on the site devices, are controlled by security policies defined centrally in the CloudGen WAN management portal, without requiring administrators to know where the traffic enters the service.

Schedule a CloudGen WAN demo

When is a good time for us to call? We will do a brief needs assessment and arrange for the CloudGen WAN demo that best meets those needs.

Do you need immediate assistance?  Chat now or call us at +1 888 329 9049.