Cloud onRamp for SaaS
Cloud OnRamp for SaaS


As more applications move to the cloud, the traditional approach of backhauling traffic over expensive WAN circuits to the data center or a centralized Internet gateway via a hub-and-spoke architecture is no longer relevant. Traditional WAN infrastructure was not designed for accessing applications in the cloud. It is expensive and introduces unnecessary latency that degrades the user experience. As enterprises aggressively adopt SaaS applications such as Office 365, Salesforce, and Box, the legacy network architecture poses major problems related to complexity and user experience. In many cases, network administrators have limited or even no visibility into the network performance characteristics between the end user and cloud SaaS applications.

Massive transformations are occurring in enterprise networking as network architects are reevaluating the design of their WANs to support a cloud transition while ensuring an excellent user experience. These architects are turning to Software-Defined WAN (SD-WAN) to take advantage of inexpensive broadband Internet services and to find ways to intelligently route Internet-bound traffic from remote branches.

Cisco® SD-WAN fabric is an industry-leading platform that delivers an elegant and simplified secure, end-to-end WAN solution. A fundamental tenet of the Cisco SD-WAN fabric is connecting users at the branch to applications in the cloud in a seamless, secure, and reliable fashion. Cisco delivers this comprehensive capability for Software-as-a-Service (SaaS) applications with the Cloud onRamp for SaaS capabilities.

With Cloud OnRamp for SaaS, the SD-WAN fabric continuously measures the performance of a designated SaaS application through all permissible paths from a branch. For each path, the fabric computes a quality-of-experience score ranging from 0 to 10, with 10 being the best performance. This score gives network administrators visibility into application performance that has never before been available. Most importantly, the fabric automatically makes real-time decisions to choose the best-performing path between the end users at a remote branch and the cloud SaaS application. Enterprises have the flexibility to deploy this capability in multiple ways, according to their business needs and security requirements.

Use case 1: Direct cloud access from a remote branch

Enterprises using multiple inexpensive broadband Internet circuits at remote sites can enable Cloud onRamp on the branch router to permit traffic from designated SaaS applications to break out directly to the Internet. Only traffic from these SaaS applications will be allowed a secure local breakout, while all other Internet-bound traffic will follow its usual path. Cloud onRamp dynamically chooses the most optimized local breakout for the cloud application’s traffic and provides a fallback path to the data center or the regional hub (Figure 1).

Use case 2: Cloud access through the most optimal regional hub

Some enterprises avoid having Internet access at each remote branch and instead opt to use regional hubs (DMZs) to serve Internet-bound traffic. These hubs can be hosted in third-party colocation facilities (colos) or Carrier-Neutral Facilities (CNFs), and they serve as regional Internet exit points with Next-Generation Firewall (NGFW) or Unified Threat Management (UTM) security capabilities. In such deployments, Cloud onRamp can be deployed in a gateway mode, and it helps ensure that the optimal regional gateway is dynamically chosen for the traffic for each SaaS application (Figure 2).


  • Cisco SD-WAN technology enables enterprises to build a scalable and carrier-neutral WAN infrastructure, allowing them to reduce WAN transport costs and network operational expenses.
  • Enterprises can leverage Cisco’s Cloud onRamp for SaaS capabilities to intelligently route cloud SaaS application traffic, providing a fast, secure, and reliable end-user experience.
  • All paths to designated SaaS applications will be monitored continuously for performance, and the application traffic will be dynamically routed to the best-performing path, without requiring human intervention.
  • Cloud onRamp for SaaS provides network administrators superior real-time and historical visibility into the SaaS application performance through a quality-of-experience metric.

Use case 3: Direct cloud access through Secure Web Gateways (SWGs)

In some deployments, enterprises connect remote branches to the SD-WAN fabric using inexpensive broadband Internet circuits, and they choose to enforce their IT security policies through a Secure Web Gateway (SWG) or Cloud Access Security Broker (CASB) point of presence. In such scenarios, Cloud onRamp for SaaS can be set up to dynamically choose the optimal path from among the multiple paths to the SWG (Figure 3).