Cintra needed a cloud-based OpenVPN concentrator to address their growing high-volume remote access needs. Incumbent solutions from Checkpoint® and Fortinet® were becoming too expensive to maintain.
Solution: Router, VPN
Product: pfSense Plus
Deployment: AWS Cloud
Cintra has been designing, building, and supporting business-critical information management solutions for 20+ years.
- Founded: 1996
- Employees: 50
- Headquarters: New York, NY
- Business: Information Technology Services
- Design, deploy and maintain new cloud architectures that connect customer premises to their Cintra-hosted cloud environments
- Find an affordable VPN concentrator replacement for their increasingly expensive Checkpoint and Fortinet solutions
- Ensure the new networking solution can support complex network scenarios involving multiple LAN/WAN interfaces with failover and high availability, and be able to rapidly deploy new IPsec VPN connections and services
- Used pfSense Plus software so the networking team could be onboarded quickly, thanks to the software’s straightforward installation, configuration, and management
- Used AWS and Oracle Cloud environments so that their cloud-hosted networking VM scales interface connectivity and throughput proportionally to the number of allocated vCPUs. Whether they want to ‘scale out’ or ‘scale up’, they can do this with their pfSense instances in the cloud
- Cintra has reduced both its cloud infrastructure costs and total cost of ownership through simple deployment and management of pfSense software in the cloud
Companies looking for help with digital transformation are likely to come across Cintra. Cintra has been helping big names in financial services, retail, aviation, healthcare, and gaming for over 20 years. Cintra designs, builds and supports business-critical information management solutions.
The cloud engineering team at Cintra, led by Mattia Rossi, is chartered with designing, deploying, and maintaining cloud architectures - including connectivity to customer premises and Cintra-hosted environments.
Mattia’s primary focus is creating best practices for deploying and maintaining these environments, including finding cost-effective solutions that provide users with secure, controlled, and monitored remote access. Cintra needed a cloud-based OpenVPN concentrator. Incumbent solutions from Checkpoint® and Fortinet® were becoming too expensive to maintain - and were really only needed for specialized security integrations. Cintra needed a better approach for high-volume remote access.
Like many of our enterprise users, Mattia had been using pfSense software professionally for business premises deployments (as well as personally in his home) since 2009. It was an easy decision to consider pfSense software for cloud needs. He also figured his team could be onboarded quickly, as pfSense software is not only comprehensive in its feature set, but also straightforward for IT teams to install, configure and manage.
But he knew his team would view a low-cost alternative as short-sighted if it could not address key operating requirements:
- Must be able to stand up and support complex network scenarios involving multiple LAN/WAN interfaces with failover and high availability
- Must be able to rapidly deploy IPsec tunnels
- Must be able to quickly stand up VPN concentrators integrated with the existing RADIUS/AD environment, including 2FA scenarios
pfSense covers these bases with ease. With core requirements addressed, Mattia selected pfSense software over alternatives due to its ease of use, familiarity, cost, flexibility to add features, and the ability to purchase support from Netgate where needed.
The next question was which AWS and Oracle® cloud compute instance(s) would be the right choice? Three factors would inform that answer:
- Scale Flexibility: Cintra prefers to deploy cloud solutions with maximum ‘scale out’ (larger number of less powerful VMs). When that isn’t architecturally feasible, they leverage ‘scale up’ (smaller number of more powerful VMs).
- Number of interfaces required: The typical cloud-hosted networking VM scales interface connectivity and throughput proportionally to the number of allocated vCPUs.
- Level of Encryption (IPsec/OpenVPN): The greater the encrypted processing load, the more important CPU attributes (e.g., clock speed, number of cores) become.
For an OpenVPN concentrator, the best instance choice would optimize for encryption performance and bandwidth. With that in mind, Cintra settled on 4-8 vCPU compute instances with a minimum network bandwidth guarantee of 2 Gbps bidirectional. The scale policy: once a compute instance hit 70% of its bandwidth capability, a second instance would be commissioned.
In the end, it’s about business results. Cintra has reduced both its cloud infrastructure costs and total cost of ownership through simple deployment and management.