
CloudConnexa FAQ

Abstract

Explore CloudConnexa's essential features: Wide-area Private Cloud (WPC), diverse Connectors (Network, Host, IPsec, OpenVPN) for seamless connectivity, and robust Cyber Shield (Domain Filtering and Traffic Filtering/IDS/IPS) for comprehensive threat protection. Learn about User Groups for streamlined management, Application Domain-based Routing to handle overlapping IP addresses and enhance security, and detailed logging and monitoring capabilities including Access Visibility, Audit Logs, and DNS Logs. Understand CloudConnexa's global geographical presence and how it secures internet traffic and private applications.

Feature FAQs

1.

What is CloudConnexa?

CloudConnexa is a cloud-delivered service that provides a secure networking and remote access solution. It includes essential features for implementing a zero-trust solution, enabling a smooth transition from perimeter security to zero-trust network access. The service is accessible by connecting to one of CloudConnexa's worldwide Points of Presence (PoPs).

It operates as a multi-tenant service, creating a virtual private overlay network that spans all PoPs to provide connectivity and access to various entities, such as users, private network applications, or IoT devices. CloudConnexa also features vertically integrated security, including content filtering and Intrusion Detection/Prevention Systems (IDS/IPS), referred to as Cyber Shield.

2.

What is CloudConnexa and how does it relate to Zero Trust Network Access (ZTNA)?

CloudConnexa is a cloud-delivered service that provides a robust solution for secure networking and remote access, incorporating essential features to implement a zero-trust solution. It is specifically designed to facilitate a smooth transition from traditional perimeter security models to Zero Trust Network Access (ZTNA).

As a multi-tenant service, CloudConnexa creates a virtual private overlay network that spans its global Points of Presence (PoPs), also referred to as Regions. This overlay network enables secure connectivity and access for various entities, including users, private network applications, and IoT devices.

Furthermore, CloudConnexa provides the functionality needed for zero-trust network access:

  • Private applications are hidden and isolated from the internet and accessible only from CloudConnexa.

  • Even when connected to CloudConnexa, the private IP addresses of the application servers and the private network are concealed, making brute-force IP address probing for application discovery impossible.

  • Least-privilege access is granted based on user identity with Access Groups.

  • Device identity and compliance with device posture policies are verified and enforced.

  • Device posture and location context are continually verified.

3.

Where are CloudConnexa's global infrastructure locations (Regions)?

CloudConnexa's global infrastructure consists of Points of Presence (PoPs), referred to as Regions, where its high-performance, multi-tenant, and kernel-optimized servers are hosted. These Regions are interconnected using a full-mesh topology, which ensures direct connectivity between any two Regions to minimize latency and provide redundant routes.

Examples of CloudConnexa Regions span across continents, including cities like London (England), Helsinki (Finland), Frankfurt (Germany), Sydney (Australia), Mumbai (India), Tokyo (Japan), Republic of Singapore (Singapore), Tel Aviv (Israel), Johannesburg (South Africa), and São Paulo (Brazil).

4.

How do CloudConnexa Regions (Points of Presence) function?

CloudConnexa Regions are the geographic areas that serve as CloudConnexa Points of Presence (PoPs). Each Region hosts a group of high-performance, multi-tenant servers within multiple data centers. All CloudConnexa Regions are interconnected using a full-mesh topology, which ensures direct connectivity between Regions, reducing latency, and providing redundant routes for increased data throughput.

Devices, Networks, and Hosts must connect to a Region to join your WPC, and it is recommended to choose the one geographically closest to your connection endpoint for optimal performance. The health status of all CloudConnexa Regions and services can be checked on the dedicated status page.

5.

What is a Wide-area Private Cloud (WPC)?

When you sign up for CloudConnexa, a virtually dedicated worldwide private network is immediately created for your exclusive use, known as a Wide-area Private Cloud (WPC).

Your WPC is identified by a unique Cloud ID that you choose during the signup process, which cannot be changed later. This Cloud ID forms a URL (e.g., https://[company_name].openvpn.com) used to access the Administration Portal and import connection configuration files into clients.

Conceptually, you can think of your CloudConnexa WPC as a virtual distributed router and a powerful next-generation firewall located in the cloud, with the 30+ worldwide Regions serving as its virtual ports.

6.

What are CloudConnexa Connectors, and what types are available for secure network integration?

Connectors are essential components that enable private networks and application servers to interface with CloudConnexa, allowing access to their services and applications. They are designed to establish an always-on connection to CloudConnexa.

There are two primary types of Connectors:

CloudConnexa Network Connectors: These are associated with entire networks and can be deployed on various platforms including OpenVPN-compatible routers (e.g., DD-WRT, OpenWrt, PfSense, Teltonika, Ubiquiti EdgeMAX), Virtual Private Servers (VPS) from providers like DigitalOcean and Kamatera, and IaaS platforms such as AWS, Azure, and Google Cloud Platform (GCP). They support both OpenVPN and IPsec tunneling protocols.

CloudConnexa Host Connectors: These connect individual computing devices like application servers, computers, or IoT devices directly to CloudConnexa, making the services on that specific host accessible without connecting the entire private network.

Multiple Connectors can be deployed for a single Network or Host to provide geographic redundancy, increase throughput, and enhance fault tolerance.

7.

How does CloudConnexa support different network access scenarios?

CloudConnexa allows for the configuration of various network access scenarios through its intuitive Network Wizard:

Remote Access: Connects your physical private network to CloudConnexa, enabling users to securely access private applications and resources.

Secure Internet Access: Routes all internet traffic from specified User Groups, Networks, or Hosts through a connected private network acting as an Internet Gateway. This allows for centralized security enforcement and masking of source IP addresses.

Secure Internet Access to Select Internet Destinations: Directs traffic only to specific internet applications (identified by domain names) or IP Services through CloudConnexa, while other internet traffic uses the local internet.

Site-to-Site Connectivity: Establishes secure communication between multiple private networks at different geographical locations, supporting Full-Mesh connectivity for direct communication between sites.

8.

How do individual users connect to CloudConnexa?

Users connect to CloudConnexa using the OpenVPN Connect Application. This application is available for various operating systems, including Windows, macOS, iOS, Android, and ChromeOS. For Linux users, the open-source openvpn3 client is recommended, which supports Data Channel Offload (DCO) for improved data throughput.

Users can download and install the Connect app on their device and import their connection profile using their unique Cloud ID URL (e.g., https://[company_name].openvpn.com). After authentication, the user is asked to choose one of the CloudConnexa Regions. The user should choose the closest one based on their location. The configuration profile for that Region is imported into the Connect App. Upon connection, the user can access all resources to which they are authorized, regardless of the CloudConnexa Region that connects the destination network.

9.

What authentication methods are supported for users?

CloudConnexa supports three primary authentication methods for users: built-in CloudConnexa username/password authentication (default), SAML Single Sign-On (SSO), and private LDAP. Only one form of user authentication can be active at a time.

Additionally, two-factor authentication (2FA) provided by CloudConnexa can be enabled for users utilizing LDAP or username/password authentication. If SAML is used, the 2FA configuration is handled by the SAML Identity Provider.

The "Connect Auth" policy determines if and when a user is prompted for credentials during a WPC connection attempt; options include "No" (never prompted), "On prior auth timeout" (not prompted for 12 hours after successful auth, default), or "Every time" (always prompted).

10.

What is the purpose of User Groups and how do they impact user settings and access?

User Groups allow a set of Users to share common settings, such as type of internet access, connection authentication mode, and access control. This facilitates differentiating between sets of Users who require different configurations. New Users are initially added to a "Default" User Group. A User can belong to a primary User Group (PUG) and multiple secondary User Groups, where the PUG defines the inherited group configuration settings. User Group mapping rules can automatically assign CloudConnexa User Groups based on identity attributes from external Identity Providers (IdP) like SAML or LDAP.

11.

What are "Devices" in CloudConnexa?

A Device is any computing entity, such as a desktop, smartphone, or IoT device, with an installed OpenVPN client that accesses the WPC. Devices consume services by connecting to the WPC, and CloudConnexa can also facilitate communication between connected devices. Device entries are automatically created for a user in CloudConnexa upon successful authentication and profile import (default mode), but administrators can also manually add devices for stricter control or offline profile distribution, especially when Device Identity Verification & Enforcement (DIVE) is enabled.

12.

How does CloudConnexa enable routing for networks with overlapping IP addresses?

CloudConnexa addresses the challenge of overlapping IP address subnets in private networks through Application Domain-based Routing. Instead of relying on IP address-based routing, this feature uses unique domain names assigned to applications within those networks as routes, so traffic can be directed to the correct application even if its underlying IP address range conflicts with another network. This capability also helps cloak private IP addresses and contributes to network segmentation, minimizing the overall attack surface. For this feature to function, the CloudConnexa DNS Proxy setting must be enabled.

It also supports creating Fully Qualified Domain Names (FQDNs) with embedded IP addresses for devices (especially useful for IoT networks), allowing direct access via a domain name that includes the IP address without requiring a separate DNS record.

13.

What are CloudConnexa Access Groups, and how do they enforce Zero Trust principles?

Access Groups are fundamental to CloudConnexa's zero-trust implementation. They define granular access control configurations by specifying explicit permissions between "Sources" (e.g., Users, Networks, Hosts) and "Destinations" (e.g., Applications, IP Services). When the Wide-area Private Cloud (WPC) topology is set to "Custom," a default-deny policy is enforced, meaning all access is implicitly blocked unless explicitly allowed by an Access Group, adhering strictly to the least privilege paradigm. Access Groups can provide fine-grained control, allowing access to specific application protocols and ports.

14.

How does CloudConnexa leverage Device Posture for enhanced security?

Device Posture strengthens ZTNA by allowing CloudConnexa to verify the compliance status of connecting devices. Only devices that meet predefined security-compliant criteria are permitted to connect and maintain connectivity to CloudConnexa. Device posture policies can incorporate various device attributes for checks:

Operating System and Operating System Version: Ensures connections are allowed only if the OS version meets specified requirements.

Antivirus Software: Verifies the presence of a running antivirus solution from a list of supported vendors (e.g., CrowdStrike Falcon, Microsoft Defender).

Client Certificate: Mandates that only authorized, company-owned devices possessing a matching digital certificate can connect.

Disk Encryption: Confirms whether the device's disk is encrypted.

For a connection to be accepted, a device must successfully pass all checks defined in its associated Device Posture policy. These policies are assignable to User Groups.

15.

What are Location Context policies, and how do they add to access control?

Location Context policies in CloudConnexa enable administrators to enforce security rules or add contextual information to zero-trust policies based on a device's geographical location or IP address ranges. For instance, a company can implement a policy dictating that all data communications must originate from devices within a specific country (e.g., France). Alternatively, a Location Context policy can add a layer of security for privileged user groups, allowing their connections only from the IP address ranges of designated office locations. This enhances control by limiting access based on physical or network location context.

16.

What are the different Internet Access settings in CloudConnexa, and how do they impact traffic routing and security levels?

CloudConnexa's Internet Access settings centrally control how internet traffic is routed for User Groups, Networks, and Hosts. These settings allow organizations to achieve different levels of internet security:

Split Tunnel On (Level-1 Security): This is the default setting where private network traffic and specifically configured "trusted internet traffic" (defined as specific internet Applications or IP Services) are tunneled through CloudConnexa. All other general internet traffic, however, exits directly via the user's local internet connection. Cyber Shield Domain Filtering remains effective with this setting.

Split Tunnel Off (Level-2 Security): With this setting, all internet traffic originating from a User, Network, or Host is tunneled through CloudConnexa. This traffic then exits to the internet from one or more designated Internet Gateways (private networks configured as the exit point for WPC internet traffic). This enables centralized inspection of all internet traffic for threats using third-party security solutions deployed on your network. Both Cyber Shield Domain Filtering and Traffic Filtering (IDS/IPS) are fully effective.

Restricted Internet (Level-3 Security): This is the strictest security level where all internet access is blocked by default, except for traffic explicitly destined for private applications and pre-defined "trusted internet destinations" (configured as Applications or IP Services). Traffic to these trusted destinations is tunneled through CloudConnexa. This option enhances cyber safety by preventing access to untrusted content, enforces strict web browsing policies, and minimizes the need for additional security devices by limiting communication to only trusted resources.

17.

How can CloudConnexa help secure my internet traffic and protect against cyber threats?

CloudConnexa offers built-in security features, notably Cyber Shield, which includes Domain Filtering and Traffic Filtering (IDS/IPS).

Domain Filtering (DNS-based content filtering) protects users from malicious and suspicious websites even when internet traffic isn't tunneled through the WPC. It can block domain name resolutions for undesirable or unsafe categories, with 43 content categories organized into eight groups, and allows for Allow and Block Lists for specific domains.

Traffic Filtering (IDS/IPS) monitors and can block malicious traffic, such as malware, intrusion activity, and denial of service attacks, that flows through CloudConnexa. It classifies threats into three priority levels: Critical, High, and Medium. Blocking Priority Critical traffic is recommended as a minimum for threats like malware, trojans, worms, and specific intrusion activity.

18.

What is CloudConnexa Cyber Shield, and what are its core functionalities?

Cyber Shield is a powerful, built-in security feature of CloudConnexa designed to protect your network and users from cyber threats. Its core functionalities include:

Domain Filtering (Content Filtering): Provides DNS-based content filtering to safeguard users from malicious and suspicious websites, even when internet traffic is not routed through the WPC.

Traffic Filtering (IDS/IPS): Offers a built-in Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) to monitor and block malicious traffic flowing through CloudConnexa.

19.

How does Cyber Shield Domain Filtering provide web content protection?

Cyber Shield Domain Filtering offers DNS-based content filtering that classifies web content into 43 categories (grouped into 8 broader categories) based on their domain names. It enables you to block access to undesirable or unsafe content categories, or simply monitor DNS queries without blocking. Key aspects include:

Protection Levels: Predefined levels like Basic Protection (blocks malicious domains), Safe Browsing (includes adult and aggressive content), and High Productivity (blocks all eight category groups) allow for convenient policy setup. A Custom level allows granular selection of individual categories.

Allow List: Enables administrators to define specific domains that are always permitted, overriding any blocked content categories.

Block List: Allows for blocking access to specific domain names and their subdomains, creating custom filtering rules.

Data reporting provides statistics on observed and blocked domain name queries, with drill-down capabilities by User or Device, and detailed reports via CSV.

20.

How does Cyber Shield Traffic Filtering (IDS/IPS) detect and prevent network intrusions?

Cyber Shield Traffic Filtering integrates an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) to safeguard against network threats.

Monitoring (IDS): When activated, it monitors traffic flowing through CloudConnexa and provides detailed statistics on identified threats such as malware, intrusion activity, and denial of service (DoS) attacks.

Blocking (IPS): For active threat prevention, Traffic Filtering can be configured to drop packets that match specific malicious traffic signatures or threat patterns. Traffic is categorized by threat priority levels (Critical, High, Medium) and into nine specific threat categories (e.g., Malware and Ransomware, Intrusion Activity, Phishing, Denial of Service, Cryptojacking). Blocking Priority Critical traffic is highly recommended, particularly when CloudConnexa serves as the egress route for all internet traffic.

21.

What is Access Visibility, and how does it aid in monitoring security and access events?

Access Visibility is a crucial CloudConnexa feature that provides observability into the traffic flowing through your WPC. It helps administrators answer vital questions for zero-trust framework implementation, such as:

Which private applications are users accessing, and when?

How to discover internal private applications for which access policies are not yet set?

Are the configured access policies working as intended?

Access Visibility analyzes traffic flow logs to provide statistics on allowed and blocked access events between traffic sources and destinations. It allows checking the enforcement of Access Groups and per-application firewalls, identifying internet access via Internet Gateways, determining legitimate or malicious intent behind blocked traffic, and troubleshooting unexpected routing issues.

22.

What logging capabilities does CloudConnexa offer for auditing and monitoring user activity?

CloudConnexa provides comprehensive logging features essential for auditing, monitoring user activity, and maintaining security visibility:

Audit Log: This log records all configuration changes made within CloudConnexa, whether performed manually via the Administration Portal or programmatically through the API. It tracks "who" made the change and "when," ensuring accountability.

DNS Log: Provides administrators with reports and statistics on all DNS requests initiated by Users, Networks, and Hosts. It offers aggregated statistics at both the registered domain and subdomain levels, detailing the requestor's identity, resolved IP addresses, and whether the requests were blocked (by Cyber Shield) or failed. The DNS log can also aid in discovering unsanctioned SaaS applications.

Log Streaming: This feature enables you to collect CloudConnexa logs (including DNS logs, successful/failed OpenVPN tunnel connections, and Cyber Shield blocked events) and stream them to third-party Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) tools. Logs are written in JSON format to your configured AWS S3 bucket, facilitating a unified view of your IT environment for security and operational analysis.

23.

How does CloudConnexa integrate with existing identity providers for user authentication?

CloudConnexa offers flexible integration with existing identity providers to manage user authentication, centralizing identity management for secure remote access and ZTNA. It supports:

SAML (Security Assertion Markup Language): Allows CloudConnexa to authenticate users via SAML 2.0 compliant Identity Providers (IdPs) such as Azure Active Directory (Microsoft Entra ID), G Suite, Keycloak, Okta, and OneLogin. This includes mapping SAML attributes to CloudConnexa User Groups for role-based access control.

LDAP (Lightweight Directory Access Protocol): Supports authentication with private LDAP servers, enabling synchronization of user attributes and User Group mapping rules from your LDAP directory to CloudConnexa. Additionally, Two-Factor Authentication (2FA) can be enabled for increased security.

24.

What is AppHub, and how does it facilitate secure application sharing between businesses?

AppHub is a feature that enables you to securely share your private applications not only with other Wide-area Private Clouds (WPCs) you own but also with trusted third-party businesses. This functionality effectively replaces traditional, less secure extranet solutions by allowing a private inventory application, for example, to be shared from one WPC (e.g., an auto parts manufacturer) to another (e.g., an auto parts retail store), where the retail store's workforce can then securely access the application via their own WPC. Shared applications appear as a selectable destination in Access Groups for control.

25.

How can CloudConnexa configurations be automated for DevOps and large-scale deployments?

CloudConnexa supports automation for configuration and management, which is crucial for DevOps workflows and large-scale deployments. This can be achieved through:

CloudConnexa API: A comprehensive Public API allows for programmatic configuration and management of various CloudConnexa entities. This includes creating and managing Access Groups, Applications, Connectors, Hosts, Networks, DNS Records, and performing bulk user additions, as well as managing Cyber Shield Allow and Block lists and Device Posture policies. You can create API credentials and enable API access.

Terraform CloudConnexa Provider: For infrastructure-as-code approaches, CloudConnexa can be automated using the Terraform CloudConnexa Provider.

26.

What is Device Identity Verification & Enforcement (DIVE)?

CloudConnexa's DIVE feature is designed to reduce your attack surface by linking the CloudConnexa connection profile (containing the digital certificate) to the device's unique identity (UUID), allowing only authorized devices to connect to your WPC. This ensures that only trusted devices (e.g., company-owned or approved devices) can establish a connection and that the connection profile linked to an authorized device cannot be used on another device. DIVE functionality requires specific minimum versions of the OpenVPN Connect client.

27.

What are Device Posture and Location Context policies?

Device Posture policies leverage device attributes shared by the OpenVPN Connect app (such as Operating System Version, Antivirus presence, Client Certificate, and Disk Encryption status) to evaluate a device's security and compliance posture. Based on this evaluation, CloudConnexa determines if the device is safe to connect and remain connected.

Location Context policies allow administrators to control connections to CloudConnexa based on the IP address of the connecting device. These policies can be configured to either allow or block connections based on whether the device's IP address matches a specified range of IP addresses or a particular country (determined via IP address geolocation).

These policies are frequently used to enhance security and ensure compliance with regulations.

28.

What is a "Network" in CloudConnexa?

A CloudConnexa Network is a representation of your actual physical private network. It encompasses the routes to your physical network and the accessible applications and IP Services within it, including general internet access, private applications, and public applications. Physical private networks are connected to your WPC using Connectors, which establish outbound, unattended, and always-on tunnels to a chosen CloudConnexa Region.

29.

What are "Connectors" and their types?

Connectors are used by private networks and application servers to interface with CloudConnexa, allowing services and applications reachable or hosted on them to be accessed. They establish a persistent, always-on connection to CloudConnexa. Fundamentally, Connectors are OpenVPN and/or IPsec protocol-compatible clients that make an outbound connection to a CloudConnexa Region. There are two main types of Connectors:

Network Connector: Connects an entire private network to CloudConnexa and must act as a router. It can provide inbound access from the WPC to the private network, outbound access for devices on the private network to the WPC, and can be configured as an Internet Gateway. Network Connectors can use both IPsec and OpenVPN protocols.

Host Connector: Connects a specific application server (e.g., FTP, remote desktop, NAS) to the CloudConnexa WPC. Unlike Network Connectors, a Host Connector does not act as a router and can only provide access to private applications running on the device it is installed on. Host Connectors must use the OpenVPN protocol and not IPsec.

30.

What are the common scenarios for connecting a Network to CloudConnexa?

CloudConnexa offers a Network Configuration Wizard to guide you through setting up networks for common use cases. These include:

Remote Access: Providing secure access to your private networks and resources for remote employees.

Secure Internet Access (all traffic): Configuring a private network as an Internet Gateway to route all internet traffic for your WPC through it, allowing for inspection and policy application.

Secure Internet Access (select destinations): Steering traffic only to specific internet destinations (e.g., SaaS applications) through CloudConnexa, while other internet traffic uses local internet.

Site-to-site connectivity: Establishing private connectivity between multiple sites or networks, often with full-mesh communication between them.

31.

What deployment options are available for OpenVPN Connectors based on platform?

CloudConnexa offers various deployment options for OpenVPN Connectors:

Operating Systems (OS Connectors): Available for Windows, macOS, and Linux. For Windows and macOS, the OpenVPN Connect app is used, often bundled with the connection profile. For Linux, a specific script is generated for installing the OpenVPN 3 client and obtaining the profile using a token.

Public Cloud IaaS Connectors: Supported for AWS, Azure, and Google Cloud Platform (GCP). Deployment often involves using cloud-specific templates (e.g., AWS CloudFormation, Azure Resource Manager ARM templates) or installing on a Linux VM.

Virtual Private Server (VPS) Connectors: Options for providers like DigitalOcean and Kamatera. Generated scripts are provided for installation during VPS creation. Note that VPS is exclusively for Network Connectors.

Router Connectors: Compatible with various OpenVPN-compatible routers (e.g., DD-WRT, OpenWrt, PfSense, Teltonika, Ubiquiti). The OpenVPN profile is downloaded as a .ovpn file for configuration.

32.

What are the steps to deploy an OpenVPN Connector?

There are three main steps to get an OpenVPN Connector operational:

1. Install an OpenVPN client if not already present.

2. Obtain and use the Connector's OpenVPN connection profile (either as a .ovpn file or a token).

3. For a Network Connector, enable NAT and routing on the device where the Connector is installed. Note that for Linux VMs, the install scripts include commands to enable IP forwarding (routing) and NAT by default.

33.

What is Application Domain-based Routing, and when is it used?

Application Domain-based Routing is a key feature that allows CloudConnexa to network together private networks that use overlapping IP address subnets. Instead of relying on IP address-based routes (which would conflict with overlapping subnets), CloudConnexa uses the domain names of applications within those networks as routes to correctly steer traffic.

CloudConnexa acts as a proxy DNS server for all DNS lookups; when a configured application's domain name is queried, it responds with an intermediary IP address from the WPC Domain Routing range instead of the actual destination IP and ensures that traffic is routed through CloudConnexa to the correct private network and application, even if IP addresses overlap. This functionality requires the CloudConnexa DNS Proxy setting to be ON.

It also enables a shortcut to access devices by their private IP addresses (e.g., 192-168-0-100.store2.control.com) by embedding the IP into a domain name, provided Allow Embedded IP is enabled for the network's domain name.
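
The resolution flow described here and in the earlier answer on overlapping IP addresses can be modelled in a few lines. This is an added example, not CloudConnexa code: the class and function names, the 100.96.0.0/24 routing range, the store1/store2 sample data and the subnet check on embedded IPs are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed value: the page names a "WPC Domain Routing range" but lists no addresses.
DOMAIN_ROUTING_RANGE = ipaddress.ip_network("100.96.0.0/24")
EMBEDDED_IP_LABEL = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


class DomainRouter:
    """Toy model of a DNS proxy that uses domain names as routes."""

    def __init__(self, routing_range):
        self._pool = iter(routing_range.hosts())
        self._apps = {}      # application domain -> (network, private IP)
        self._networks = {}  # network domain -> (network, subnet, allow_embedded_ip)
        self._leases = {}    # (network, private IP) -> intermediary IP
        self._routes = {}    # intermediary IP -> (network, private IP)

    def add_application(self, domain, network, private_ip):
        self._apps[domain.lower()] = (network, ipaddress.ip_address(private_ip))

    def add_network_domain(self, domain, network, subnet, allow_embedded_ip=False):
        self._networks[domain.lower()] = (
            network, ipaddress.ip_network(subnet), allow_embedded_ip)

    def _lease(self, target):
        # One stable intermediary address per (network, private IP) target.
        if target not in self._leases:
            try:
                ip = next(self._pool)
            except StopIteration:
                raise RuntimeError("domain routing range exhausted") from None
            self._leases[target] = ip
            self._routes[ip] = target
        return self._leases[target]

    def _embedded_target(self, qname):
        # "192-168-0-100.store2.control.com" -> label "192-168-0-100", parent domain.
        label, _, parent = qname.partition(".")
        match = EMBEDDED_IP_LABEL.match(label)
        entry = self._networks.get(parent)
        if not match or entry is None:
            return None
        network, subnet, allow_embedded_ip = entry
        if not allow_embedded_ip:
            return None
        try:
            ip = ipaddress.ip_address(".".join(match.groups()))
        except ValueError:
            return None  # not a valid IPv4 address, e.g. an octet above 255
        # Assumption of this model: only addresses inside the network's subnet are accepted.
        return (network, ip) if ip in subnet else None

    def resolve(self, qname):
        """Return the intermediary IP for a routed name, or None if the name is not routed."""
        qname = qname.rstrip(".").lower()
        target = self._apps.get(qname) or self._embedded_target(qname)
        return self._lease(target) if target else None

    def route(self, intermediary_ip):
        """Map an intermediary IP back to (network, private IP), or None if unknown."""
        return self._routes.get(ipaddress.ip_address(intermediary_ip))


def build_demo():
    router = DomainRouter(DOMAIN_ROUTING_RANGE)
    # Constructed sample: two sites that both use 192.168.0.0/24.
    router.add_network_domain("store1.control.com", "store1", "192.168.0.0/24")
    router.add_network_domain("store2.control.com", "store2", "192.168.0.0/24",
                              allow_embedded_ip=True)
    router.add_application("pos.store1.control.com", "store1", "192.168.0.10")
    router.add_application("pos.store2.control.com", "store2", "192.168.0.10")
    return router


if __name__ == "__main__":
    demo = build_demo()
    for name in ("pos.store1.control.com", "pos.store2.control.com",
                 "192-168-0-100.store2.control.com",
                 "192-168-0-100.store1.control.com"):
        answer = demo.resolve(name)
        print(name, "->", answer, "->", demo.route(answer) if answer else "not routed")
```

Both point-of-sale applications share the private address 192.168.0.10, yet each name resolves to its own intermediary address, which is what lets the overlay tell the two sites apart while the client never sees the real address.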

34.

How are access policies configured in CloudConnexa?

For granular access control, the WPC Topology must be set to 'Custom'. When set to 'Custom', CloudConnexa enforces a 'deny by default' approach, meaning access between connected entities is blocked unless explicitly allowed.

To allow specific access, Access Groups must be configured. Access Groups define the permitted communication between specified sources (users, hosts, networks) and destinations (hosts, networks, applications, IP services). Access Groups are bidirectional.

Access decisions can also be based on device identity, device posture, and location context.

35.

How does Cyber Shield enhance security?

CloudConnexa integrates Cyber Shield as a core security feature. It provides:

DNS-based content filtering: This feature protects users from malicious and undesirable content by blocking access to categorized domains (e.g., malware, hacking). It works by securing DNS queries through the CloudConnexa tunnel, bypassing local DNS servers, and applies even if full internet traffic isn't routed through CloudConnexa.

Intrusion Detection/Prevention System (IDS/IPS): This monitors for and blocks malicious traffic and attacks on any traffic passing through CloudConnexa. It's particularly useful when CloudConnexa serves as an egress route for internet traffic.

36.

How can I manage multiple WPCs with one account?

CloudConnexa's WPC Switcher feature allows you to create and manage multiple independent Wide-area Private Clouds (WPCs) using the same account. This enables complete isolation and segmentation of networks, which can be useful for dedicating WPCs to specific use cases (e.g., IoT devices) or different departments. You can seamlessly switch between WPCs from the Account Menu or the Switch Cloud ID Menu in the Administration Portal.

37.

What are the options for automating CloudConnexa management?

CloudConnexa provides an API (Application Programming Interface) that allows you to programmatically configure and manage your WPC. You can create API credentials, enable API access, and view Swagger documentation directly from the Administration Portal. The API endpoint is unique to your WPC (e.g., [company_name].api.openvpn.com). Additionally, CloudConnexa can be automated using the Terraform CloudConnexa Provider.

38.

What kind of notifications does CloudConnexa send?

CloudConnexa provides email alerts (notifications) to the WPC's Owner and Administrators for various events of interest. These include:

High subscription usage and subscription limit exceeded.

Connector status changes (e.g., a Connector going offline).

LDAP Server connectivity issues and offline status.

Log Streaming status changes and high usage.

You can turn these notifications on or off and configure related parameters within the Settings & Notifications section of the Administration Portal.