Netgate Blog

Cintra Chooses pfSense® Software for AWS and Oracle Cloud Access

Digital transformation - the use of digital technologies to create new, or modify existing, business processes to improve customer experience, drive out cost, or facilitate scale - is everywhere. Cloud computing and remote access figure prominently - for obvious reasons. But transformation doesn’t happen overnight, and it’s easy to fall prey to expensive hype.

Companies looking for help with digital transformation are likely to come across Cintra. Cintra has been helping big names in financial services, retail, aviation, healthcare, and gaming for over 20 years. Cintra designs, builds and supports business-critical information management solutions.

The cloud engineering team at Cintra, led by Mattia Rossi, is chartered with designing, deploying, and maintaining cloud architectures - including connectivity to customer premises and Cintra-hosted environments.

Mattia’s primary focus is creating best practices for deploying and maintaining these environments, including finding cost-effective solutions that provide users with secure, controlled, and monitored remote access. Cintra needed a cloud-based OpenVPN concentrator. Incumbent solutions from Checkpoint® and Fortinet® were becoming too expensive to maintain - and were really only needed for specialized security integrations. Cintra needed a better approach for high-volume remote access.

Like many of our enterprise users, Mattia had been using pfSense software professionally for business premises deployments (as well as personally in his home) since 2009. It was an easy decision to consider pfSense software for cloud needs. He also figured his team could be onboarded quickly, as pfSense software is not only comprehensive in its feature set, but also straightforward for IT teams to install, configure and manage.

But he knew his team would view a low-cost alternative as short-sighted if it could not address key operating requirements:

  1. Must be able to stand up and support complex network scenarios involving multiple LAN/WAN interfaces with failover and high availability
  2. Must be able to rapidly deploy IPsec tunnels
  3. Must be able to quickly stand up VPN concentrators integrated with an existing RADIUS/AD environment, including 2FA scenarios

pfSense covers these bases with ease. With core requirements addressed, Mattia selected pfSense software over alternatives due to product ease of use, familiarity, cost, flexibility to add features, and the ability to purchase support from Netgate where needed.

The next question was which AWS and Oracle® cloud compute instance(s) would be the right choice. Three factors would inform that answer:

  • Scale Flexibility: Cintra prefers to deploy cloud solutions with maximum ‘scale out’ (larger number of less powerful VMs). When that isn’t architecturally feasible, they leverage ‘scale up’ (smaller number of more powerful VMs).
  • Number of interfaces required: The typical cloud-hosted networking VM scales interface connectivity and throughput proportionally to the number of allocated vCPUs.
  • Level of Encryption (IPsec/OpenVPN): The greater the encrypted processing load, the more important CPU attributes (e.g., clock speed, number of cores) become.

For an OpenVPN concentrator, the best instance choice would optimize for encryption performance and bandwidth. With that in mind, Cintra settled on 4-8 vCPU compute instances with a minimum network bandwidth guarantee of 2 Gbps bidirectional. The scale policy: once a compute instance hit 70% of its bandwidth capability, a second instance would be commissioned.

In the end, it’s about business results. Cintra has reduced both its cloud infrastructure costs and total cost of ownership through simple deployment and management.

Netgate is proud to count Cintra among the thousands of businesses, government agencies, and educational institutions using pfSense software in the cloud. Contact us to discuss how we can address your cloud secure networking needs.