Software-defined. Security-driven. Cloud-delivered.

Cradlepoint NetCloud Engine logo


Cradlepoint NetCloud Perimeter


Creating a Software-Defined Perimeter

Enterprises use NetCloud Perimeter, a service that leverages Software-Defined Perimeter technology, to spin up virtual networks in the cloud that protect IoT devices.

These invitation-only overlay networks utilize a private address space, eliminating the need for routable IPs on the Internet and obscuring them from the reach of potential hackers. They also isolate IoT traffic from different devices and from trusted networks (example: keeping IoT devices off the corporate WAN).  The “cloud” is how Cradlepoint orchestrates, deploys, and manages its perimeter-secured overlays, which can reach anywhere across the Internet.

In IoT use cases—especially utilizing sensors—data must be securely and directly connected to the cloud so it can be leveraged to inform business decisions and boost efficiencies. Device-to-cloud overlay networks are what communicate the connection between IoT devices and the cloud. This is the “why” behind perimeter-secured overlay networks.  

NetCloud Perimeter is deployed directly on IoT devices, laptops, tablets, and smartphones that run Linux, OS-X, Windows, Android, or iOS with the NetCloud Client. A NetCloud Gateway is deployed into a NetCloud Perimeter when a Cradlepoint router (or other physical or virtual Linux server) runs the NetCloud Client in gateway mode. With a NetCloud Gateway, any IP-based device (e.g. printers, NAS, cameras, sensors, etc.) can be connected to the overlay network without the NetCloud Client installed.  




Enterprises use NetCloud Perimeter to create one or more perimeter-secured overlay networks for IoT deployments.

  • Micro-segmentation of users, groups, applications and resources with simple policies
  • Invitation-only security/Private IP Addressing
  • Fully encrypted transactions

Connect IP-Enabled Devices to a Secure Network

NetCloud Perimeter provides several layers of protection for devices connected over the Internet and other untrusted networks.  To protect IoT devices, NetCloud Perimeter’s approach reduces the potential for attacks through isolation and obfuscation.

NetCloud Perimeter’s designed supports the unique security requirements of IoT and connected device applications. The natural Security Policy management built into NetCloud Perimeter makes it easy to enforce network-wide firewall and access controls and to micro-segment users, applications and devices to access only appropriate resources. Extending Active Directory additionally strengthens domain security.


  • Secure Internet Access to send traffic to and from target IoT devices through private IP address space
  • Micro-segmentation with device-level SSL encryption
  • Machine-level authentication designed for embedded devices, kiosks, etc.
  • Extend Active Directory domains to maintain security


  • Private IP address space and outbound connections eliminate the need for expensive public IP addresses and on-premise firewall changes to keep devices from being reached across the Internet.
  • Unsupported devices, such as IoT sensors or security cameras, connect into the perimeter network behind a Cradlepoint router acting as a NetCloud Gateway, adding a layer of security, reducing the attack surface, and implementing policies.


Invitation-Only Security

NetCloud Perimeter’s security foundation is a multi-layer, network-based approach to security that protects users, devices, and workloads wherever they are deployed. NetCloud Perimeter uses invitations to add users, ensuring only pre-authorized users or devices are added to the network. . And, all transactions are fully encrypted using the AES 256-bit standard encryption algorithm.  Because the virtual overlay network is effectively cloaked from underlaying untrusted networks, it is impervious to traditional address-borne attacks.  Further, machine-level authentication is designed for embedded devices like kiosks. 


  • Multi-layer Authentication: device, virtual network, domain and certificate level
  • Micro-segmentation enables zero-trust WANs
  • End-to-end 256-bit encryption with device and X.509 certificate (PKI) authentication
  • Secure overlay through the abstraction of logical network and address space from the Internet


  • Private IP address space
  • Protect the edge from network-based attacks
  • Virtual overlay (cloud-based) network with micro-segmentation to isolate threats
  • No data stored in the cloud

Cradlepoint NetCloud Perimeter Devices screen shot





  • Encrypted data-in-transit (256-bit AES)
  • No data stored in cloud
  • Private IP address space
  • Enables micro-segmentation for zero-trust WANs
  • Certificate-based Auto-PKI (X.509 CA)



  • Runs on top-tier cloud providers around the world
  • Fully redundant architecture
  • Self-healing, self-optimizing
  • Seamless failover


OS Support

  • Windows 7, 8
  • Windows Server 2008r2, 2012r2, 2016
  • Mac OS X 10.7 - 10.14
  • Apple iOS 10.3 - 12.1.1
  • Android 4.3 to 7.0
  • Linux Ubuntu 14.04
  • Linux CentOS 6



Functionality included in all NetCloud Solution Packages - Essentials
OS Client or Whitelist Devices
Secure Overlay Connection
Remote Access
MPKI-as-a-Service included
GeoView Pro
Port/Protocol ACLs
Application Firewall
Access Control
Secure Internet Access
Usage Monitor
Virtual Gateways



How to Buy

How to Buy

New Customers

If you are a new customer, please contact your Approved Cradlepoint Partner.



Product Requirements

Cradlepoint’s NetCloud Perimeter Gateway is included in all NetCloud Solution Packages.  Additional NetCloud Perimeter Client licenses can be purchased separately.  For a NetCloud Perimeter Gateway, the following routers are supported and firmware version 6.2.0 or higher is required.


Supported Cradlepoint Routers


Supported Operating Systems for NetCloud Perimeter Client

Android, iOS, Windows, MAC, Linux, Docker

Part Numbers

NetCloud Perimeter Client for Customer Devices

Supports Gateway for Cradlepoint Routers

Product Name Part No. Description
NetCloud Client 1-yr NCE-CLNPRM-CCNCE-1YR 1-yr NetCloud Perimeter Client, SaaS License with Support
NetCloud Client 3-yr NCE-CLNPRM-CCNCE-3YR 3-yr NetCloud Perimeter Client, SaaS License with Support
NetCloud Client 5-yr NCE-CLNPRM-CCNCE-5YR 5-yr NetCloud Perimeter Client, SaaS License with Support