Solution Brief

What is it?

2GC CloudBridge Global Network is a QUIC-first, hostname-aware, Zero-Trust overlay for connecting users, sites, clouds, and edge nodes over the Internet. The network prefers direct P2P paths (ICE/STUN/TURN) and automatically falls back to HTTP/3 MASQUE tunnels (CONNECT-UDP / CONNECT-IP) on port 443 if UDP or P2P is blocked.

Key Features

  • QUIC-first protocol with HTTP/3 MASQUE fallback
  • Hostname-aware routing and access control
  • Zero-Trust architecture by default
  • P2P paths with ICE/STUN/TURN support
  • Automatic fallback to HTTP/3 tunnels
  • Port 443 bypass for corporate firewalls

Technical Benefits

  • 1-RTT connection establishment
  • 0-RTT connection resumption
  • MASQUE tunneling for bypassing restrictions
  • ICE/STUN for NAT traversal
  • Connection migration for mobility
  • Multiplexed streams over single connection

What Problems Does It Solve?

Addresses key challenges in modern networking with QUIC-first, hostname-aware, Zero-Trust overlay technology.

UDP Blocking/Unstable VPN

QUIC runs over UDP, but if UDP is blocked the QUIC traffic "travels" inside HTTP/3 via MASQUE, which corporate proxies and firewalls handle better than raw UDP. Standardized tunnels are preferred over proprietary solutions.

  • HTTP/3 MASQUE tunnels
  • Port 443 to get past UDP blocks
  • Standardized over proprietary

NAT/CGNAT and Complex P2P

ICE with STUN/TURN, with automatic relay in case of failure. Full support for NAT traversal and automatic peer discovery.

  • ICE protocol: Interactive Connectivity Establishment
  • STUN/TURN: NAT traversal and relay servers
  • Automatic relay: fallback on P2P failure

Fragile IP-ACL

Hostname-based routing and policies are layered on top of the transport (each name is given a dynamic "synthetic IP", or its initially resolved IP is used) so that access control scales with names rather than with address lists.

  • Hostname-aware: hostname-based routing
  • Synthetic IP: dynamic IPs from the CGNAT range
  • Scalable control: effective access management

Zero-day Risks in Classic VPN Gateways

Eliminates exposed VPN portal and uses standard HTTPS mechanisms along with protocol-level QUIC/MASQUE protections.

  • No VPN portal: elimination of a single point of failure
  • HTTPS mechanisms: standard protocols
  • Protocol-level: QUIC/MASQUE protections

How It Works (Briefly)

The network automatically selects the best available transport method based on network conditions and restrictions.

P2P First (ICE/STUN): Direct peer-to-peer connections

Fallback (HTTP/3): MASQUE tunnels on port 443

Routing (Hostname): FQDN-based access control

Key Components

Data Plane Protocols

CONNECT-UDP (RFC 9298): UDP tunneling
HTTP Datagrams (RFC 9297): Datagram transport
QUIC DATAGRAM (RFC 9221): Unreliable datagram extension to QUIC
CONNECT-IP (RFC 9484): IP tunneling

Control Plane

Multi-tenant registration/discovery
IdP-integration for authentication
Policies and access control
Observability and monitoring

Why QUIC/HTTP-3 + MASQUE?

QUIC Performance Features

  • Multiplexed streams over single connection
  • 1-RTT connection establishment (0-RTT resumption)
  • Connection migration for mobility
  • Congestion control and flow control
  • Built-in encryption with TLS 1.3

MASQUE Tunneling Benefits

  • UDP/HTTP/3 MASQUE for bypassing firewalls/proxies
  • NAT/CGNAT traversal with ICE/STUN/TURN
  • Automatic relay fallback mechanisms
  • Hostname-based routing with synthetic IP
  • Zero-day risk mitigation in VPNs

Security (Zero Trust by Default)

QUIC Security Features

QUIC's built-in mechanisms protect the transport itself against the attack vectors listed below, so the overlay does not depend on a separate VPN gateway for these protections.

Protocol-Level Security

  • Address validation prevents amplification attacks
  • Retry mechanism for connection validation
  • Anti-amplification limit protects against DDoS
  • TLS 1.3 encryption by default
  • Perfect Forward Secrecy key exchange
  • Connection ID for privacy protection
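The first three items above (address validation, Retry and the anti-amplification limit) are QUIC server-side defences defined in RFC 9000. The following Python is an added example written for this brief, not 2GC code: a per-address send budget that enforces the three-times limit of RFC 9000 section 8.1 until the client's address is validated, and an HMAC-bound Retry token (section 8.1.2) whose return proves the client can receive at the address it claims. The token layout, the secret and the client addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not 2GC code. Before a client's address is validated a QUIC
# server may send at most three times the bytes it has received from that
# address (RFC 9000 section 8.1); a Retry packet carries an integrity-protected
# token that the client must echo in its next Initial (section 8.1.2).
# Token format, secret and addresses below are constructed.

AMPLIFICATION_FACTOR = 3
RETRY_TOKEN_LEN = 32


class AmplificationGuard:
    """Per-source-address send budget for a not-yet-validated client."""

    def __init__(self):
        self.received = 0
        self.sent = 0
        self.validated = False

    def on_receive(self, nbytes):
        # Every byte the client spends raises the server's budget.
        self.received += nbytes

    def budget(self):
        if self.validated:
            return None  # unlimited once the address is validated
        return AMPLIFICATION_FACTOR * self.received - self.sent

    def can_send(self, nbytes):
        return self.validated or self.sent + nbytes <= AMPLIFICATION_FACTOR * self.received

    def record_send(self, nbytes):
        if not self.can_send(nbytes):
            raise RuntimeError("anti-amplification limit reached; wait for more client bytes")
        self.sent += nbytes

    def on_validated(self):
        self.validated = True


def make_retry_token(secret, client_addr, original_dcid):
    """HMAC over (client address, original DCID): the token is bound to both."""
    host, port = client_addr
    msg = f"{host}:{port}".encode() + b"|" + original_dcid
    return hmac.new(secret, msg, hashlib.sha256).digest()[:RETRY_TOKEN_LEN]


def verify_retry_token(secret, client_addr, original_dcid, token):
    expected = make_retry_token(secret, client_addr, original_dcid)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def handshake_trace(initial_len=1200, retry_len=100, server_flight_len=4000):
    """Walk one Initial -> Retry -> Initial(token) exchange; return what happened."""
    secret = os.urandom(32)            # server-side secret, rotates on restart
    client = ("198.51.100.7", 40000)   # constructed client address
    odcid = b"\x11" * 8                # constructed original DCID
    guard = AmplificationGuard()
    trace = {}

    guard.on_receive(initial_len)                          # 1. Initial, no token
    trace["budget_after_initial"] = guard.budget()         # 3 * 1200 = 3600
    trace["flight_fits_unvalidated"] = guard.can_send(server_flight_len)  # False

    token = make_retry_token(secret, client, odcid)
    guard.record_send(retry_len)                           # 2. Retry is small
    trace["budget_after_retry"] = guard.budget()           # 3500

    guard.on_receive(initial_len)                          # 3. Initial with token
    if verify_retry_token(secret, client, odcid, token):
        guard.on_validated()
    trace["validated"] = guard.validated                   # True
    trace["flight_fits_validated"] = guard.can_send(server_flight_len)  # True
    # The same token presented from a different source address is rejected,
    # so a spoofed client cannot turn the server into an amplifier.
    trace["spoofed_rejected"] = not verify_retry_token(
        secret, ("203.0.113.9", 40000), odcid, token)
    return trace


if __name__ == "__main__":
    print(handshake_trace())
```

A production token also carries a timestamp so it expires, and the guard state is keyed per source address and discarded once the connection is established; both are omitted here to keep the budget arithmetic visible.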

Zero Trust Architecture

  • Never trust, always verify principle
  • Identity-based access control
  • Least privilege access model
  • Continuous monitoring and validation
  • Micro-segmentation of network traffic
  • Encrypted communication end-to-end

Key Capabilities

Any-to-Any P2P-mesh

  • RFC 9443 compliant connections
  • Direct peer communication
  • Automatic discovery and routing
  • Fault tolerance and redundancy
  • Geographic distribution support

Hostname-based Access

  • FQDN/wildcards for access policies
  • Synthetic IP dynamic allocation
  • Scalable enforcement mechanisms
  • CGNAT range IP management
  • Policy-based access control
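The "Fragile IP-ACL" section and the list above describe the same mechanism: destinations are named by FQDN, each name is leased a synthetic address from the CGNAT range, and policy is matched on the name (with wildcards) rather than on the address. The Python below is an added illustration written for this brief, not 2GC's implementation. It assumes the CGNAT range 100.64.0.0/10 (RFC 6598) as the synthetic pool and uses constructed identities, hostnames and rules; the rule shape, the default-deny decision and the port filter are choices made here for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Added example, not 2GC code. Synthetic IPs are leased from the CGNAT range
# 100.64.0.0/10 (RFC 6598) and bound one-to-one to FQDNs, so a flow to a
# synthetic address can be policed by hostname instead of by a server address
# that may change, be load-balanced or be shared. Identities, hostnames and
# rules below are constructed for illustration.

CGNAT_POOL = ipaddress.ip_network("100.64.0.0/10")


class SyntheticIPTable:
    """Stable one-to-one mapping between FQDNs and synthetic addresses."""

    def __init__(self, pool=CGNAT_POOL):
        self._free = pool.hosts()  # lazy iterator over usable addresses
        self._ip_by_name = {}
        self._name_by_ip = {}

    def resolve(self, fqdn):
        """Return the synthetic IP for fqdn, leasing a new one on first use."""
        name = fqdn.lower().rstrip(".")
        if name not in self._ip_by_name:
            ip = next(self._free)
            self._ip_by_name[name] = ip
            self._name_by_ip[ip] = name
        return self._ip_by_name[name]

    def lookup(self, ip):
        """Map a destination address back to its FQDN (None if not synthetic)."""
        return self._name_by_ip.get(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class Rule:
    identity: str      # "user:alice", "group:eng", or "*" for any authenticated identity
    host_pattern: str  # exact FQDN or wildcard such as "*.internal.example"
    ports: frozenset   # allowed destination ports; empty means any port
    action: str = "allow"


class HostnamePolicy:
    """First-match policy engine keyed on identity + FQDN, default deny."""

    def __init__(self, table, rules):
        self.table = table
        self.rules = list(rules)

    def decide(self, identities, dst_ip, dst_port):
        fqdn = self.table.lookup(dst_ip)
        if fqdn is None:
            return "deny"  # not a named destination, so no hostname rule can apply
        for rule in self.rules:
            id_ok = rule.identity == "*" or rule.identity in identities
            # fnmatchcase stays case-sensitive on every OS (names are already
            # lower-cased); '*' also spans dots, so '*.x' covers 'a.b.x'.
            host_ok = fnmatch.fnmatchcase(fqdn, rule.host_pattern.lower())
            port_ok = not rule.ports or dst_port in rule.ports
            if id_ok and host_ok and port_ok:
                return rule.action
        return "deny"


def demo():
    """Constructed scenario: two services, two groups, everything else denied."""
    table = SyntheticIPTable()
    git_ip = table.resolve("git.internal.example")  # 100.64.0.1
    hr_ip = table.resolve("hr.internal.example")    # 100.64.0.2
    policy = HostnamePolicy(table, [
        Rule("group:eng", "*.internal.example", frozenset({22, 443})),
        Rule("group:hr", "hr.internal.example", frozenset()),
    ])
    eng = {"user:alice", "group:eng"}
    hr = {"user:bob", "group:hr"}
    return {
        "eng_git_ssh": policy.decide(eng, git_ip, 22),        # allow
        "eng_git_rdp": policy.decide(eng, git_ip, 3389),      # deny: port not in rule
        "hr_git_https": policy.decide(hr, git_ip, 443),       # deny: no hr rule for git
        "hr_hr_https": policy.decide(hr, hr_ip, 443),         # allow
        "eng_public_dns": policy.decide(eng, "8.8.8.8", 53),  # deny: not a synthetic address
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the synthetic address is only meaningful inside the overlay, a rule survives the backend moving to a new real IP, and a client that learns a synthetic address without having resolved the name still gets no access unless a rule for its identity matches the bound FQDN.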

Full & Per-App Tunnels

  • CONNECT-IP full tunnel support
  • CONNECT-UDP per-app tunneling
  • Flexible deployment options
  • Application-specific routing
  • Granular control over traffic

Priority Scenarios

Zero-Trust Private Access

Secure remote access: ✓ Implemented
Identity-based policies: ✓ Implemented
Micro-segmentation: ✓ Implemented
Continuous monitoring: ✓ Implemented
Least privilege access: ✓ Implemented

Multi-Cloud / VPC-stitching

Cross-cloud connectivity: ✓ Implemented
VPC integration: ✓ Implemented
Hybrid cloud support: ✓ Implemented
Edge-to-cloud: ✓ Implemented
IoT/Edge/Branches: ✓ Implemented

What Makes Us Different

Unique Value Proposition

Our solution combines the best of modern networking protocols with innovative approaches to solve real-world connectivity challenges.

Protocol Innovation

  • QUIC-first approach: Modern protocol with HTTP/3 fallback
  • MASQUE tunneling: Standardized bypass mechanisms
  • ICE/STUN/TURN: Comprehensive NAT traversal
  • Connection migration: Seamless mobility support

Architecture Benefits

  • Hostname-aware routing: FQDN-based access control
  • Synthetic IP management: Dynamic CGNAT allocation
  • Zero-Trust by default: Built-in security model
  • Any-to-Any P2P: RFC 9443 compliant mesh

Transport Resilience

Multiple transport options ensure connectivity even in restricted network environments.

QUIC/HTTP-3 (Primary): Modern protocol with built-in security

WebSocket (H2/H3): HTTP-based fallback transport

TCP (Legacy): Traditional reliable transport

Mesh Topology

P2P Mesh WireGuard Network Configuration

Network Configuration:
  • Subnet: 10.0.0.0/24
  • Mask: 255.255.255.0
  • Protocol: WireGuard (UDP/51820)
  • Encryption: ChaCha20-Poly1305
Connection Topology:
  • Type: Fully-connected Mesh
  • Discovery: Auto-discovery
  • Routing: Dynamic routing
  • Fault Tolerance: High
[Figure: mesh diagram. Relay "base station" at 10.0.0.10 with 10 Gbps links to Server A (10.0.0.1), Server B (10.0.0.2), Server C (10.0.0.3) and Server D (10.0.0.4), link latencies 1-3 ms; relay uplinks: Internet 100 Gbps, Corporate 50 Gbps, Edge 25 Gbps, Backup 20 Gbps.]

P2P WireGuard Connection Details

Relay connections:
  • A → Relay: 10.0.0.1 → 10.0.0.10 (Primary)
  • B → Relay: 10.0.0.2 → 10.0.0.10 (Hub)
  • C → Relay: 10.0.0.3 → 10.0.0.10 (Secondary)
  • D → Relay: 10.0.0.4 → 10.0.0.10 (Backup)
  • Relay → All: Centralized routing
Technical specifications:
  • Protocol: WireGuard (UDP/51820)
  • Encryption: ChaCha20-Poly1305
  • Speed: 10 Gbps per link
  • Latency: 1-3ms
  • Relay IP: 10.0.0.10

The Relay server in the center acts as a "base station" for the entire network. All servers connect to the Relay through encrypted WireGuard tunnels at 10 Gbps speed. The Relay provides centralized routing, load balancing, and automatic failover. The system automatically selects optimal routes and ensures minimal latency of 1-3ms.
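The topology above (relay 10.0.0.10 as hub on 10.0.0.0/24, servers A-D on 10.0.0.1-4, WireGuard on UDP/51820) can be written down as concrete WireGuard configuration. The Python generator below is an added example for this brief, not 2GC's tooling: it renders the relay's config with one [Peer] per server and each server's config with the relay as its only peer. Key material appears as <PLACEHOLDER_...> strings to be replaced with `wg genkey` / `wg pubkey` output, and the relay's public endpoint hostname is an assumption, since the brief gives none. WireGuard always uses ChaCha20-Poly1305 for packet encryption, so no cipher setting appears in the files.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not 2GC code: WireGuard configs for the relay-centred topology
# in the brief. Keys are placeholders; the relay endpoint hostname is assumed.

WG_PORT = 51820
SUBNET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Node:
    name: str
    address: str       # overlay address inside SUBNET
    pubkey: str        # placeholder for the node's WireGuard public key
    endpoint: str = "" # "host:port" reachable from the Internet; relay only


def _check(node):
    if ipaddress.ip_address(node.address) not in SUBNET:
        raise ValueError(f"{node.name}: {node.address} is not in {SUBNET}")


def relay_config(relay, spokes):
    """Hub config: one [Peer] per spoke, each limited to its own /32."""
    _check(relay)
    lines = [
        "[Interface]",
        f"Address = {relay.address}/{SUBNET.prefixlen}",
        f"ListenPort = {WG_PORT}",
        "PrivateKey = <PLACEHOLDER_PRIVATE_KEY_RELAY>",
        "",
    ]
    for s in spokes:
        _check(s)
        lines += [
            f"# {s.name}",
            "[Peer]",
            f"PublicKey = {s.pubkey}",
            # AllowedIPs doubles as the cryptokey routing table: the relay only
            # accepts packets from this peer whose source is its own address,
            # so one compromised spoke cannot impersonate another.
            f"AllowedIPs = {s.address}/32",
            "",
        ]
    return "\n".join(lines)


def spoke_config(spoke, relay):
    """Spoke config: the relay is the only peer and carries the whole subnet."""
    _check(spoke)
    return "\n".join([
        "[Interface]",
        f"Address = {spoke.address}/{SUBNET.prefixlen}",
        f"ListenPort = {WG_PORT}",
        f"PrivateKey = <PLACEHOLDER_PRIVATE_KEY_{spoke.name}>",
        "",
        "# relay (hub)",
        "[Peer]",
        f"PublicKey = {relay.pubkey}",
        f"Endpoint = {relay.endpoint}",
        f"AllowedIPs = {SUBNET}",     # reach every other spoke through the relay
        "PersistentKeepalive = 25",   # keeps NAT/CGNAT mappings alive
        "",
    ])


def build_all(relay, spokes):
    """Return {node name: config text} for the relay and every spoke."""
    configs = {relay.name: relay_config(relay, spokes)}
    for s in spokes:
        configs[s.name] = spoke_config(s, relay)
    return configs


# Nodes from the brief; pubkeys are placeholders, the endpoint is assumed.
RELAY = Node("relay", "10.0.0.10", "<PLACEHOLDER_PUBKEY_RELAY>",
             "relay.example.invalid:51820")
SPOKES = [Node(n, a, f"<PLACEHOLDER_PUBKEY_{n}>")
          for n, a in [("A", "10.0.0.1"), ("B", "10.0.0.2"),
                       ("C", "10.0.0.3"), ("D", "10.0.0.4")]]

if __name__ == "__main__":
    for name, text in build_all(RELAY, SPOKES).items():
        print(f"### {name}.conf\n{text}")
```

For spoke-to-spoke traffic the relay host must have IP forwarding enabled, and each spoke's /32 in the relay's AllowedIPs is what makes the relay drop packets whose inner source address does not belong to the peer that sent them.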

Use Cases

Enterprise Networks

  • Connecting remote offices
  • Access to corporate resources
  • Backup communication channels
  • Global branch network

Cloud Services

  • Connecting cloud providers
  • Multi-cloud architectures
  • Edge computing deployments
  • IoT devices and sensors

Expected Performance

Performance Metrics

Based on QUIC protocol capabilities and modern networking standards, we expect the following performance characteristics.

Connection Performance

  • 1-RTT connection: Fast initial connection establishment
  • 0-RTT resumption: Instant reconnection for returning users
  • Connection migration: Seamless handoffs between networks
  • Multiplexed streams: Multiple data streams over single connection
  • Congestion control: Adaptive bandwidth utilization
  • Flow control: Efficient data transfer management

Network Efficiency

  • P2P optimization: Direct peer-to-peer connections when possible
  • Automatic fallback: HTTP/3 MASQUE tunnels for restricted networks
  • NAT traversal: ICE/STUN/TURN for complex network topologies
  • Relay fallback: Automatic relay selection for failed P2P
  • Hostname routing: Efficient FQDN-based access control
  • Synthetic IP: Dynamic IP allocation from CGNAT ranges

P2P vs Traditional Client-Server

Client-Server

  • Centralized architecture
  • Single point of failure
  • Higher latency
  • Limited scalability
  • Bottleneck issues

P2P Network

  • Decentralized architecture
  • No single point of failure
  • Lower latency
  • Unlimited scalability
  • Direct connections

Hybrid Approach

  • Best of both worlds
  • Edge + P2P combination
  • Optimal performance
  • Maximum reliability
  • Flexible deployment

P2P Network Architecture

Network Components

Edge Servers: ✓ Entry Points
Relay Servers: ✓ P2P Peers
Client Applications: ✓ End Users
Management System: ✓ Orchestration
Monitoring: ✓ Health Checks

Performance Metrics

Connection Speed: 10 Gbps+
Latency: < 5ms
Uptime: 99.99%
Peers: Unlimited
Regions: Global

Deployment and Integration

Deployment Options

  • SaaS + Self-managed: Flexible deployment models
  • K8s relays: Containerized relay deployment
  • IdP integration: Seamless identity provider integration
  • Coexistence: Works alongside WireGuard/IPsec
  • Hybrid approach: Best of both worlds

Integration Capabilities

  • Multi-tenant support: Isolated tenant environments
  • API integration: RESTful APIs for system integration
  • Webhook system: Real-time event notifications
  • Rate limiting: Built-in traffic management
  • Monitoring: Comprehensive observability

Development & Integration

Integrations

Supported integrations via desktop client, CLI and partner connectors

  • Authentication & Authorization
  • Multi-tenant support
  • Webhook system
  • Rate limiting

Desktop Client

Cross-platform desktop application

  • High-performance native app
  • System integration
  • Secure token storage
  • Auto-updates

Monitoring

Real-time monitoring and analytics

  • Performance metrics
  • Security events
  • Health checks
  • Alert system