Disciplines · 03 · Edge

Your edge isn't a box anymore. It's a set of decisions.

The old perimeter was a wall around a flat network with a gate in it. The modernized perimeter isn't a wall at all — it's identity, device, and context, evaluated on every request, in front of every app. Most of the work we do at the edge is helping clients stop trying to rebuild the wall in the cloud.

How we frame it

Three surfaces. One policy engine.

The modernized perimeter has three surfaces where work actually happens. Separating them helps us talk about edge without defaulting to a product list — and helps you see which one your current architecture is underinvesting in.

Surface 01

Access

How your people reach the apps they need — internal line-of-business software, SaaS, published workloads. Global Secure Access and Application Proxy replace VPN and exposed ports with identity-aware access that follows the user, not the network. If VPN is still your remote access strategy, this is the surface with the most room to move.

Surface 02

Exposure

How the public reaches whatever you've published — web workloads, APIs, custom applications. Front Door, Web Application Firewall, and DDoS sit at this edge. The goal isn't to publish more; it's to publish deliberately, with the right rules in front, and to retire the accidental exposure that creeps in through NAT rules nobody remembers writing.

Surface 03

Policy

The engine that actually decides whether any given request goes through — Conditional Access, device compliance, session controls. It reads from every signal the other two surfaces produce and applies the org's intent. Done well, it's the brain. Done poorly, it gets written like an ACL and throws away most of its value.

The products matter less than the shape. The shape is many gates, one policy engine, no flat inside. Every modernization we do starts by drawing that shape and comparing it to what's actually deployed.

Where most orgs lose it

Two patterns. Same root cause.

The first pattern is castle-and-moat in the cloud. The org moves workloads to Azure and immediately stands up a firewall appliance, builds NAT rules to publish apps, and keeps VPN as the remote access story. The architecture works in the narrow sense — traffic flows — but none of what makes the cloud worth moving to is on. Identity isn't the perimeter. Policy is static. The inside is still flat. Whole categories of modernization stay locked behind a mental model that belongs to a different decade.

The second pattern is Conditional Access as ACL. A policy engine built to evaluate identity, device posture, risk, session context, and location — written as if it were "allow 10.0.0.0/24, deny everyone else." Every signal the engine could be using is ignored. The policy does less than a firewall did, not more.
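To make the "Conditional Access as ACL" pattern concrete, here is an added example (not code from this page or from FourOneSix, and not the Conditional Access API or its real evaluation logic) that models a request as the set of signals a policy engine can read and evaluates it two ways: an ACL-style rule that looks only at the source address, and an adaptive rule that reads device compliance, authentication strength and sign-in risk. The `Signals` fields, the scenarios and the `10.0.0.0/24` range (taken from the sentence above) are constructed for illustration; `signals_consulted` is a hypothetical helper that records which fields each policy actually read.

```python
"""Illustrative comparison of an ACL-style policy and a signal-driven policy.
Added example; a simplified model, not the Conditional Access schema or engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Signals:
    """Context the engine has for one request (constructed field set)."""
    user: str
    app: str
    source_ip: str
    device_compliant: bool   # managed device reporting compliant
    mfa_satisfied: bool      # strong auth already satisfied this session
    sign_in_risk: str        # "none", "low", "medium" or "high"


# Placeholder corporate range, quoted from the "allow 10.0.0.0/24" example in the text.
CORPORATE_NETWORK = ip_network("10.0.0.0/24")


def acl_style_policy(s: Signals) -> str:
    """Anti-pattern: identity, device and risk signals are available,
    but the decision is taken on the source address alone."""
    return "allow" if ip_address(s.source_ip) in CORPORATE_NETWORK else "block"


def adaptive_policy(s: Signals) -> str:
    """Signal-driven policy: every request is judged on posture, auth
    strength and risk, and the network it arrives from is irrelevant."""
    if s.sign_in_risk == "high":
        return "block"
    if not s.device_compliant:
        return "block"
    if not s.mfa_satisfied:
        return "require_mfa"
    return "allow"


# Constructed scenarios, including the lost-laptop case the page mentions.
SCENARIOS = {
    "lost laptop, still on the office network":
        Signals("alice", "app01", "10.0.0.42", False, False, "medium"),
    "staff at home, compliant device, MFA done":
        Signals("bob", "app02", "203.0.113.7", True, True, "none"),
    "stolen credential, unmanaged device, risky sign-in":
        Signals("alice", "app03", "198.51.100.9", False, True, "high"),
    "staff in the office, compliant device, MFA done":
        Signals("carol", "app01", "10.0.0.8", True, True, "none"),
}


def compare(scenarios=SCENARIOS) -> dict:
    """Run both policies over every scenario; returns {name: {policy: decision}}."""
    return {
        name: {"acl_style": acl_style_policy(s), "adaptive": adaptive_policy(s)}
        for name, s in scenarios.items()
    }


class _Recorder:
    """Proxy that notes which Signals fields a policy reads (hypothetical helper)."""
    def __init__(self, inner):
        object.__setattr__(self, "_inner", inner)
        object.__setattr__(self, "seen", set())

    def __getattr__(self, name):
        self.seen.add(name)
        return getattr(self._inner, name)


def signals_consulted(policy, s: Signals) -> list:
    """Sorted list of the signal fields the policy actually looked at."""
    rec = _Recorder(s)
    policy(rec)
    return sorted(rec.seen)


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name}: {decisions}")
    office = SCENARIOS["staff in the office, compliant device, MFA done"]
    print("ACL-style reads:", signals_consulted(acl_style_policy, office))
    print("adaptive reads: ", signals_consulted(adaptive_policy, office))
```

The two decisions diverge exactly where the page says they should: the lost laptop on the office network is allowed by the ACL-style rule and blocked by the adaptive one, while the compliant remote user is blocked by the ACL-style rule (which is why a VPN is still needed under that model) and allowed by the adaptive one without a tunnel. `signals_consulted` shows the ACL-style rule reading one field out of the five available, which is the sense in which it "does less than a firewall did".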

Underneath both: it's easier to work the way you already work. The cloud showed up and didn't force a new mental model — it just quietly offered one. Nobody defaults to castle-and-moat because it's the best answer; they default to it because nothing in the path actively replaced the old thinking. Unlocking that is most of the work.

Our stance

The architecture question at the edge is the easy part. The real work is a conversation that lets the architecture land — with the technical team, with the business stakeholders, with whoever signed the firewall renewal three years ago and is about to sign it again out of habit.

The signature visual

The perimeter changed shape.

Left: the shape most organizations still carry into the cloud. A wall, a gate, a flat inside, a VPN tunnel that drills straight through. Right: the shape of a modernized perimeter. No outer wall. One policy engine. A gate in front of every app that reads identity, device, and context on every request.

[Figure: Two perimeters compared, the old flat-network model and the modernized, policy-driven model. Left panel, "The old perimeter: relocated." A single firewall wall around a flat network (everything trusts everything) containing three apps, with a VPN tunnel from an outside user and a NAT arrow on :443 from the internet; one wall, one inside, policy is a NAT rule. Right panel, "The modernized perimeter: decisions, not walls." Three apps (APP 01, APP 02, APP 03), each fronted by a small gate, governed by a Conditional Access policy engine (identity · device · risk · context) at the top, with users connecting directly to each gate; gates per app, identity and device are the boundary. The right side has no outer wall.]
Same three apps, two different perimeters. The left one works. The right one works and scales, survives a lost laptop, and doesn't require a tunnel to reach.
Two moments, two unlocks

What the work actually looks like.

The first story is what edge modernization feels like when it lands with a client. The second is how we know the shift in thinking is the real unlock — because it happens the same way with experienced consultants as it does with IT leaders seeing the model for the first time.

Access · the modernization

Retiring the VPN and the NAT rules at the same time.

The client ran dozens of custom applications published from on-prem and cloud IIS servers. The path in was the familiar one: VPN for staff, firewall NAT for public users. The quiet problem was what VPN implies — an encrypted tunnel the firewall can't inspect, dropped into a flat internal network, with whatever access the user's account happens to carry. One infected laptop is one ground zero. We replaced the whole pattern with Azure Front Door on the public side and Application Proxy and Global Secure Access on the staff side, MFA on everything, no open ports on the edge firewall. Every app got its own gate. Nobody missed the VPN client.

Policy · the moment it clicks

"Oh — that's why this is better."

The clearest lightbulb moment on this model didn't come from a client; it came from a fellow consultant working through Enterprise Applications in Global Secure Access for the first time. The instant he saw what an identity-aware, agentless publish-and-gate looked like — next to what VPN-plus-NAT had always looked like — the shift was visible. If a seasoned architect takes a minute to feel the difference, the IT director and the CFO deserve the same runway. We build that moment deliberately into every edge engagement. The architecture doesn't stick without it.

What you walk out with

A modernized perimeter and the team to run it.

Most edge engagements move in two stages — options on paper, then a pilot that proves the shape. The goal isn't a box we leave behind; it's a team that can run the model, with us supporting from the back.

  • An honest picture of your current edge: what's publishing what, which rules are live, which ones are orphaned, where VPN is still load-bearing, and which Conditional Access policies are doing real work versus ACL-like work
  • Options sized to the business: full SSE adoption, a targeted replacement of the VPN-plus-NAT pattern, or a phased path — with tradeoffs, costs, and licensing implications made plain
  • A pilot that proves the shape: one or two apps published through Front Door, App Proxy, or Global Secure Access — running in production, measurably — so the team sees the model work before the full rollout
  • Conditional Access as adaptive policy, not an ACL: policies written to use identity, device, risk, and session signals — with a naming convention and review cadence that keeps the set clean as it grows
  • Enablement, not dependency: runbooks, architecture docs, and knowledge transfer so the team owns the model — with FourOneSix available in the back end when questions come up
  • A retirement list: the rules, tunnels, and boxes you can safely turn off once the modernized pattern is carrying the traffic — because the point is not to run both forever

"If your cloud architecture looks like your datacenter architecture, you didn't migrate. You relocated. The work at the edge is unlocking the mental model that makes the difference visible — because the products don't do that on their own."

The stance on the modernized perimeter

Book a call

Still publishing apps through NAT rules? Still calling VPN a strategy?

If the edge architecture in front of your apps was designed for a building you don't work in anymore, the first conversation is the same one: what does a modernized perimeter look like for your business — and what's the smallest pilot that proves the shape.

Or reach us directly: info@fouronesixit.ca · (647) 371-0400