Global Infrastructure
The SSE service is delivered from a globally distributed network designed for scale, resiliency, and proximity. It operates across more than 500 on-ramps worldwide and over 30 enforcement locations, ensuring traffic can be terminated and inspected close to its point of origin. When an IPsec tunnel is configured to the SSE, the tunnel definition is automatically distributed across all SSE nodes in the global fabric. This allows branch gateways to independently select the optimal termination point (or multiple points for redundancy) based on proximity, performance, or availability, without requiring per-location configuration changes.
Geographical Location via DNS
To further simplify deployment, the service exposes a pair of global FQDNs that represent the SSE termination endpoints. Branch gateways can establish IPsec tunnels using these FQDNs, enabling automatic connection to the closest available SSE node and seamless failover as network conditions change. The global FQDNs used for IPsec termination rely on DNS geolocation to dynamically direct branch gateways to the most appropriate SSE nodes.
The global FQDNs are as follows:
When a branch gateway resolves one of these FQDNs, the DNS service returns the IP addresses of the closest SSE nodes based on the geographic location of the resolver. Each global FQDN resolves to two IP addresses, corresponding to the nearest available SSE nodes. This allows branch gateways to establish redundant IPsec tunnels while maintaining optimal proximity and performance. If network conditions or node availability change, subsequent DNS resolutions automatically steer new tunnel establishments to alternative nearby nodes, without requiring configuration updates on the branch gateway.
This approach simplifies deployment and operations by eliminating the need to manually select regional endpoints, while still ensuring low latency, high availability, and alignment with the globally distributed SSE architecture.
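As an added example (not part of this documentation), the following Python script shows how an operator could verify the DNS steering behaviour described above from a branch site: resolve the global FQDN, confirm that exactly two addresses come back, and flag when a later resolution steers to different nodes. The FQDN is a placeholder, since the actual global FQDNs are not listed on this page, and the fallback answers are constructed RFC 5737 documentation addresses.

```python
import socket
from typing import Dict, List, Tuple

# Placeholder: substitute the actual global FQDN from the vendor documentation.
GLOBAL_FQDN = "GLOBAL_FQDN_PLACEHOLDER.example"
EXPECTED_NODES = 2  # each global FQDN resolves to the two nearest SSE nodes
# Constructed sample answers (RFC 5737 documentation range), used when offline.
SAMPLE_FIRST = ["192.0.2.10", "192.0.2.20"]
SAMPLE_LATER = ["192.0.2.10", "192.0.2.30"]


def resolve_a_records(fqdn: str) -> List[str]:
    """Return the unique IPv4 addresses the local resolver hands back for fqdn.
    The answer depends on the resolver's geolocation, so run this from the
    branch itself (or via the resolver the gateway actually uses)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def plan_tunnels(addresses: List[str]) -> Dict[str, str]:
    """Map the resolved addresses to redundant tunnel roles. Anything other
    than two answers means the resolver is not seeing the expected geolocated
    pair; treat that as a deployment check failure rather than guessing."""
    if len(addresses) != EXPECTED_NODES:
        raise ValueError(f"expected {EXPECTED_NODES} addresses, got {addresses}")
    primary, secondary = addresses
    return {"primary": primary, "secondary": secondary}


def steering_changed(previous: List[str], current: List[str]) -> Tuple[bool, List[str]]:
    """Compare two successive resolutions. New addresses mean DNS has steered
    new tunnel establishments to alternative nearby nodes, which is expected
    under this scheme but worth logging alongside tunnel state at the branch."""
    new_nodes = sorted(set(current) - set(previous))
    return (set(previous) != set(current), new_nodes)


if __name__ == "__main__":
    try:
        first = resolve_a_records(GLOBAL_FQDN)
        later = resolve_a_records(GLOBAL_FQDN)  # re-resolve, e.g. on a timer
    except socket.gaierror:
        first, later = SAMPLE_FIRST, SAMPLE_LATER  # offline: use constructed data
    print("tunnel plan:", plan_tunnels(first))
    changed, new_nodes = steering_changed(first, later)
    print("steering changed:", changed, "new nodes:", new_nodes)
```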
Individual IPsec Termination Points
In addition to the global FQDNs, the SSE service exposes a set of region-specific FQDNs that can be used to terminate IPsec tunnels. These FQDNs correspond to primary SSE enforcement locations and are provided to give customers explicit control over where their traffic is processed. They allow customers to override the region where traffic is sent when proximity alone is not the desired decision factor. This flexibility is particularly relevant in scenarios driven by geopolitical considerations, hyperscaler preference, regulatory requirements, or other organizational constraints that DNS-based steering cannot account for.
Note
Even though each region-specific FQDN maps to a defined enforcement location, the associated IP addresses are anycast addresses offered by the cloud providers. This allows traffic to enter the SSE fabric through more than 500 cloud on-ramps worldwide, combining deterministic region selection with optimal ingress proximity, resiliency, and scale.
For more information on FQDNs used for IPsec tunnel termination, see Region-Specific FQDNs for IPsec Tunnel Termination.
