Contact Us

Cradlepoint NetCloud Perimeter

Creating a Software-Defined Perimeter

Enterprises use NetCloud Perimeter, a service that leverages Software-Defined Perimeter technology, to spin up virtual networks in the cloud that protect IoT devices.

These invitation-only overlay networks utilize a private address space, eliminating the need for routable IPs on the Internet and obscuring them from the reach of potential hackers. They also isolate IoT traffic from different devices and from trusted networks (example: keeping IoT devices off the corporate WAN). The “cloud” is how Cradlepoint orchestrates, deploys, and manages its perimeter-secured overlays, which can reach anywhere across the Internet.

In IoT use cases—especially utilizing sensors—data must be securely and directly connected to the cloud so it can be leveraged to inform business decisions and boost efficiencies. Device-to-cloud overlay networks are what communicate the connection between IoT devices and the cloud. This is the “why” behind perimeter-secured overlay networks.

NetCloud Perimeter is deployed directly on IoT devices, laptops, tablets, and smartphones that run Linux, OS-X, Windows, Android, or iOS with the NetCloud Client. A NetCloud Gateway is deployed into a NetCloud Perimeter when a Cradlepoint router (or other physical or virtual Linux server) runs the NetCloud Client in gateway mode. With a NetCloud Gateway, any IP-based device (e.g. printers, NAS, cameras, sensors, etc.) can be connected to the overlay network without the NetCloud Client installed.



Enterprises use NetCloud Perimeter to create one or more perimeter-secured overlay networks for IoT deployments.

  • Micro-segmentation of users, groups, applications and resources with simple policies

  • Invitation-only security/Private IP Addressing

  • Fully encrypted transactions

  • Connect IP-Enabled Devices to a Secure Network

NetCloud Perimeter provides several layers of protection for devices connected over the Internet and other untrusted networks. To protect IoT devices, NetCloud Perimeter’s approach reduces the potential for attacks through isolation and obfuscation.

NetCloud Perimeter’s designed supports the unique security requirements of IoT and connected device applications. The natural Security Policy management built into NetCloud Perimeter makes it easy to enforce network-wide firewall and access controls and to micro-segment users, applications and devices to access only appropriate resources. Extending Active Directory additionally strengthens domain security.


  • Secure Internet Access to send traffic to and from target IoT devices through private IP address space
  • Micro-segmentation with device-level SSL encryption
  • Machine-level authentication designed for embedded devices, kiosks, etc.
  • Extend Active Directory domains to maintain security


  • Private IP address space and outbound connections eliminate the need for expensive public IP addresses and on premise firewall changes to keep devices from being reached across the Internet.
  • Unsupported devices, such as IoT sensors or security cameras, connect into the perimeter network behind a Cradlepoint router acting as a NetCloud Gateway, adding a layer of security, reducing the attack surface, and implementing policies.

Invitation-Only Security
NetCloud Perimeter’s security foundation is a multi-layer, network-based approach to security that protects users, devices, and workloads wherever they are deployed. NetCloud Perimeter uses invitations to add users, ensuring only pre-authorized users or devices are added to the network. . And, all transactions are fully encrypted using the AES 256-bit standard encryption algorithm. Because the virtual overlay network is effectively cloaked from underlaying untrusted networks, it is impervious to traditional address-borne attacks. Further, machine-level authentication is designed for embedded devices like kiosks.


  • Multi-layer Authentication: device, virtual network, domain and certificate level
  • Micro-segmentation enables zero-trust WANs
  • End-to-end 256-bit encryption with device and X.509 certificate (PKI) authentication
  • Secure overlay through the abstraction of logical network and address space from the Internet


  • Private IP address space
  • Protect the edge from network-based attacks
  • Virtual overlay (cloud-based) network with micro-segmentation to isolate threats
  • No data stored in the cloud



  • Encrypted data-in-transit (256-bit AES)
  • No data stored in cloud
  • Private IP address space
  • Enables micro-segmentation for zero-trust WANs
  • Certificate-based Auto-PKI (X.509 CA)


  • Runs on top-tier cloud providers around the world
  • Fully redundant architecture
  • Self-healing, self-optimizing
  • Seamless failover
  • OS Support

  • Windows 7/8, Mac 10.7+
  • Windows, Android, and iOS phones and tablets
  • Windows 2008R2/2012 and Linux servers
  • Docker containers

    Contact Our Sales Department
    Phone: 800.373.5353 x247
    Business Hours: Monday – Friday 8AM – 5PM


    • Virtual APN: Works with or without a private APN
    • Private IP Addressing: Devices cannot be reached from the Internet.
    • Block Inbound Traffic: Fully routable without a public/static IP or open inbound ports.
    • Micro-segmentation: isolate devices from other devices and networks.
    • Access control: Invite-only authentication and admin-controlled access.


    Security Policy
    Define and enforce network-wide firewall and access controls and restrict user access-from anywhere-by apps, devices and more

    Connect one or more Active Directory servers to your cloud network and extend domain services to remote users and devices, anywhere

    Provide customized fully qualified domain names (FQDNs) and alternative names for all devices

    Get near-real-time visibility into cloud network utilization and see top talkers by user or device

    Geo View
    Get an accurate street-level view of all connected users and devices on your cloud network