UniFi Cloud Gateway Ultra — Case Study Blog Post

Product Case Study

UniFi Cloud Gateway Ultra: Enterprise Security in a Compact Package

How Ubiquiti’s UCG-Ultra delivers 1 Gbps IDS/IPS routing, multi-WAN resilience, and full-stack network management — all powered by USB-C and priced at £79.

Product: UCG-Ultra
Manufacturer: Ubiquiti Inc.
Category: Cloud Gateway / Router
MSRP: £79.00 GBP

The UniFi Cloud Gateway Ultra occupies a unique position in Ubiquiti’s lineup: essentially, it pairs enterprise-grade security and routing features with a palm-sized form factor and a price point accessible to small businesses and advanced home networks alike.

The Challenge It Solves

Small-to-medium businesses and remote offices face a persistent dilemma. On one hand, they need real network security — intrusion detection, application-aware firewalling, VPN connectivity, and traffic segmentation. On the other hand, they can’t justify the cost, power draw, or rack space of traditional enterprise appliances. Consequently, many end up relying on consumer-grade routers that offer minimal visibility and virtually no threat protection.

The Cloud Gateway Ultra bridges this gap. It runs the full UniFi Network application, manages over 30 UniFi devices and 300+ simultaneous clients, and delivers 1 Gbps routing throughput with IDS/IPS active, all from a device smaller than most paperback books.

Hardware at a Glance

IDS/IPS Throughput: 1 Gbps (full routing speed with security on)
Processor: Quad-Core ARM Cortex-A53 @ 1.5 GHz
Memory: 3 GB DDR4 system memory
Storage: 16 GB onboard eMMC
Max Power Draw: 6.2 W, USB-C powered (adapter included)
Dimensions: 141.8 × 127.6 × 30 mm

Weighing just 520 g, the UCG-Ultra uses a fanless, passively-cooled polycarbonate enclosure that operates silently in any environment. Whether placed on a reception desk or tucked into a server closet, the device remains completely unobtrusive. On top of that, a 0.96-inch LCM display on the front panel provides at-a-glance status without needing to log into the dashboard.

Port Layout & Connectivity

Network Interfaces

Default WAN Port: 1 × 2.5 GbE RJ45
LAN Ports: 4 × 1 GbE RJ45
Max WAN Port Count: 4 (ports remappable to WAN)
WAN Speed Support: 2.5G / 1G / 100M / 10M
Management: Ethernet, Bluetooth
LCM Display: 0.96″ status display

The dedicated WAN port supports 2.5 Gigabit Ethernet, which means it accommodates high-speed ISP connections straight out of the box. Moreover, up to three of the four LAN ports can be remapped to WAN, enabling multi-WAN load balancing or failover across up to four separate internet connections — a critical capability for any business where downtime means lost revenue.

Security & Threat Protection

This is where the UCG-Ultra truly punches above its weight class. In particular, it packages a comprehensive security stack that many organisations would typically expect only from far more expensive appliances.

Security Features

Stateful Firewall
Layer 7 Application-Aware Firewall
DPI & Traffic Identification
Zone-Based Firewall (Regions, Domains, Apps)
Intrusion Prevention (IPS/IDS)
IDS/IPS Signatures: 55,000+ with CyberSecure
Content Filtering
Ad Blocking
VLAN/Subnet Segmentation

The signature-based IDS/IPS engine processes traffic at line rate, drawing on over 55,000 threat signatures when paired with Ubiquiti’s CyberSecure subscription. Furthermore, application-aware Layer 7 rules let administrators create granular policies — such as blocking specific applications, restricting access by geographic region, or filtering content categories — all managed from the unified UniFi dashboard.

Key Insight: The ability to maintain 1 Gbps routing throughput with IDS/IPS fully enabled is the UCG-Ultra’s defining advantage. Competing devices at this price point often halve their throughput when deep packet inspection is turned on.

VPN & SD-WAN

Remote access and site-to-site connectivity are first-class features on the UCG-Ultra, not afterthoughts. Notably, the device supports an unusually broad range of VPN protocols and also includes Ubiquiti’s license-free SD-WAN — meaning there are no recurring fees to maintain encrypted connectivity between offices.

VPN & SD-WAN Capabilities

License-Free SD-WAN
Site-to-Site VPN: Site Magic, IPsec, OpenVPN
VPN Server Protocols: WireGuard, OpenVPN, L2TP
VPN Client Protocols: OpenVPN, WireGuard
Teleport Zero-Config VPN
Identity Endpoint VPN

Ubiquiti’s Teleport feature is particularly noteworthy for distributed teams, because it provides zero-configuration VPN access for remote workers who simply need to connect back to the office network without wrestling with client configurations or certificates. In addition, WireGuard support ensures modern, high-performance encrypted tunnels for more demanding use cases.

Advanced Networking

Beyond basic routing, the UCG-Ultra also supports a mature set of networking features that give administrators precise control over traffic behaviour.

Networking Features

Multi-WAN Load Balancing
Dynamic Routing (OSPF)
Advanced QoS
Policy-Based WAN & VPN Routing
Advanced NAT (SNAT / DNAT / 1:1 NAT / Pooling)
Integrated RADIUS Server
RADIUS over TLS (RadSec)
Multicast DNS (mDNS)
LTE Backup Failover
IPv6 ISP Support
MAC Address Table: 2,000 entries

For example, policy-based routing allows traffic from specific VLANs, devices, or application types to be directed through designated WAN links or VPN tunnels. This is ideal for environments where VoIP traffic should always use the primary ISP connection while general web browsing is load-balanced across both. Similarly, the integrated RADIUS server with TLS support eliminates the need for an external authentication appliance in many deployments.

Deployment Scenario: Small Hotel Guest WiFi

To illustrate the UCG-Ultra’s capabilities in practice, consider a deployment in a 20-room boutique hotel. In this scenario, the property needs reliable, high-speed WiFi for guests across multiple floors, a branded captive portal for check-in, network segmentation to keep guest traffic isolated from back-office systems, and the ability to manage everything from a single dashboard — all without a dedicated IT team on site.

The solution centres on three UniFi products working together: the Cloud Gateway Ultra as the network brain, the USW-Flex-2.5G-8 switch as the wired backbone, and U7 Long-Range access points delivering WiFi 7 coverage to every room and common area.

The Network Stack

UniFi Cloud Gateway Ultra (UCG-Ultra) — this device sits between the hotel’s ISP connection and the rest of the network. Its 2.5 GbE WAN port connects to the ISP modem, while a LAN port feeds into the switch. As the central brain, the UCG-Ultra handles all routing, firewall rules, VLAN configuration, and runs the UniFi Network application that manages every device on site. Moreover, with multi-WAN support, the hotel can connect a secondary ISP or 4G/5G backup for automatic failover — ensuring guests never lose connectivity, even during an ISP outage.

Switching & Wireless Coverage

USW-Flex-2.5G-8 Switch — next in the chain, the compact 8-port 2.5 GbE managed switch distributes connectivity from the gateway to the access points, front desk workstation, back-office network, and any IP-based devices such as CCTV or a smart TV system. With a 60 Gbps switching capacity and 10 GbE SFP+/RJ45 uplink, it provides headroom well beyond the hotel’s current needs. Its compact form factor (just 212.9 × 76 × 33.5 mm) means it can be wall-mounted in a service cupboard without requiring a rack. Additionally, the PoE variant (USW-Flex-2.5G-8-PoE) can power the access points directly over Ethernet, eliminating the need for separate power adapters at each AP location.

U7 Long-Range Access Points (U7-LR) — finally, WiFi 7 ceiling-mount access points complete the stack, each covering up to 160 m² with support for 300+ simultaneous clients. With 5 spatial streams, MU-MIMO, and beamforming, the U7-LR delivers aggregate throughput of up to 4.9 Gbps across the 2.4 GHz and 5 GHz bands. As a result, two or three units strategically placed in corridors or common areas can blanket an entire small hotel. Their 2.5 GbE uplink connects directly to the Flex switch, ensuring the wired backhaul doesn’t bottleneck the wireless performance. Meanwhile, band steering automatically pushes capable devices to the faster 5 GHz band, while fast roaming ensures seamless handoff as guests move between areas.

Guest WiFi with UniFi Hotspot Portal

The real power of this deployment lies in UniFi’s built-in software tools. Importantly, the UCG-Ultra’s UniFi Network application includes a full Hotspot Portal system purpose-built for hospitality environments — so there’s no need for additional hardware, licensing, or third-party subscriptions.

VLAN segmentation — first, the hotel creates separate VLANs for guest WiFi, staff devices, and back-office systems. The UCG-Ultra’s zone-based firewall then automatically isolates guest traffic from internal networks, so guests can browse the internet freely but cannot reach the front desk PC, payment terminal, or any management interfaces. Client device isolation goes a step further, preventing guests from seeing or communicating with each other’s devices, which is essential for security in any shared-access environment.
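The guest isolation described above can be checked against an exported rule list. The following is an added example, not UniFi's rule format or API and not code from the original post: a first-match audit that flags any allow rule reaching from the guest VLAN into staff or back-office ranges before a covering block rule. The subnets, rule tuples and function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed zone plan for the hotel scenario; the VLAN subnets are assumptions.
ZONES = {
    "guest": ipaddress.ip_network("10.10.30.0/24"),
    "staff": ipaddress.ip_network("10.10.20.0/24"),
    "backoffice": ipaddress.ip_network("10.10.10.0/24"),
}

# Constructed ordered rules, first match wins: (action, src, dst, port).
# src/dst are zone names, CIDR strings or "any"; port is an int or "any".
RULES = [
    ("allow", "staff", "backoffice", 443),
    ("allow", "10.10.30.0/23", "10.10.10.5/32", 9100),  # CIDR too wide: covers guest
    ("block", "guest", "backoffice", "any"),
    ("block", "guest", "staff", "any"),
    ("allow", "any", "any", "any"),
]

def _net(spec):
    """Resolve a zone name, CIDR string or "any" to an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ZONES[spec] if spec in ZONES else ipaddress.ip_network(spec)

def audit(rules, forbidden, default="allow"):
    """Return (src_zone, dst_zone, rule_number, port) for each isolation leak."""
    findings = []
    for src_zone, dst_zone in forbidden:
        s, d = ZONES[src_zone], ZONES[dst_zone]
        sealed = False
        for idx, (action, src, dst, port) in enumerate(rules, 1):
            rs, rd = _net(src), _net(dst)
            if not (rs.overlaps(s) and rd.overlaps(d)):
                continue  # rule cannot match traffic for this zone pair
            if action == "allow":
                findings.append((src_zone, dst_zone, idx, port))
            elif port == "any" and s.subnet_of(rs) and d.subnet_of(rd):
                sealed = True  # full block: later rules are unreachable for the pair
                break
        if not sealed and default == "allow":
            findings.append((src_zone, dst_zone, "default", "any"))
    return findings

FORBIDDEN = [("guest", "backoffice"), ("guest", "staff")]

if __name__ == "__main__":
    for finding in audit(RULES, FORBIDDEN):
        print("isolation leak:", finding)
```

Rule 2 is reported because its /23 source range silently includes the guest subnet and sits above the guest block rule; scoping its source to the staff zone clears the finding.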

Branded captive portal — when guests connect to the hotel’s WiFi SSID, they’re greeted with a custom-branded landing page featuring the hotel’s logo, welcome message, and terms of service. In addition, UniFi’s portal editor supports full colour scheme customisation, so the WiFi experience matches the hotel’s branding. Authentication options include simple password entry, acceptance of terms, or voucher-based access.

Voucher system — alongside the portal, the hotel generates unique, single-use WiFi voucher codes directly from the UniFi dashboard. Reception staff can then print batches of vouchers with configurable durations (check-in to check-out, 24-hour, or weekly) and optional bandwidth limits. Guests simply enter their code on the captive portal to activate their session. As a result, the hotel maintains complete control over who accesses the network and for how long, while still providing a professional, guest-friendly experience.

Bandwidth Control & Network Protection

Bandwidth management — by using UniFi’s QoS profiles and per-client rate limiting, the hotel can cap guest bandwidth (for example, 25 Mbps down / 10 Mbps up per device) to ensure fair usage across all rooms. In addition, the UCG-Ultra’s application-aware Layer 7 firewall can also prioritise or deprioritise specific traffic types — for instance, ensuring video conferencing remains smooth while large file downloads are throttled during peak hours.

WiFi scheduling — beyond bandwidth controls, the hotel can also configure the guest SSID to broadcast only during specific hours, or leave it available around the clock. Meanwhile, content filtering and ad blocking, both built into the UCG-Ultra, provide an additional layer of protection — keeping guests safe from malicious sites without any client-side software.

Why it works: The entire stack — gateway, switch, and access points — is managed from a single UniFi dashboard. As a result, firmware updates, network monitoring, traffic analytics, and guest management all happen in one place. For a small hotel without on-site IT, this unified approach dramatically reduces complexity while delivering enterprise-grade security and a polished guest experience.

Beyond Hospitality

Of course, the same architecture scales naturally to other environments. For instance, a 10–25 person consultancy, design studio, or retail location can use the UCG-Ultra as its sole gateway, providing full routing, security, and VPN access with room to spare. For multi-site businesses, Site Magic and IPsec site-to-site VPN allow branch offices to maintain persistent encrypted links back to a central location — and when combined with the license-free SD-WAN and multi-WAN failover, this creates a resilient inter-office fabric without recurring licensing costs.

Likewise, home lab enthusiasts and power users find value in the UCG-Ultra as a compact edge router for testing network topologies, running VLANs, and experimenting with IDS/IPS rules — all at a power draw that barely registers on an energy bill.

Environmental & Compliance

Operating Specifications

Operating Temperature: -10 to 40°C (14 to 104°F)
Operating Humidity: 5–95% noncondensing
Heat Dissipation: 21 BTU/hr
Voltage Range: 100–240V AC
NDAA Compliant
Certifications: CE, FCC, IC, Anatel, SRRC

Notably, NDAA compliance is a particularly important checkbox for government contractors and organisations subject to federal procurement regulations. In addition, the wide operating temperature range and noncondensing humidity tolerance make the device suitable for deployments in less controlled environments, such as retail stockrooms or light industrial settings.

The Bottom Line

Overall, the UniFi Cloud Gateway Ultra delivers a compelling proposition: enterprise-calibre security and networking features, packaged in a palm-sized device that draws under 7 watts and costs £79. Admittedly, it won’t replace a Dream Machine Pro in a data centre. However, for small offices, branch locations, and advanced home networks, it represents one of the strongest price-to-performance ratios in its class. Ultimately, the combination of 1 Gbps IDS/IPS throughput, license-free SD-WAN, multi-WAN failover, and the unified UniFi management ecosystem makes it a serious contender for any deployment where space, budget, and power are constrained — but security requirements are not.


Written by Steve Thompson

Steve Thompson is the founder of Voice Consultancy Ltd, bringing over 30 years of experience in IT with a primary focus on voice applications and unified communications. As a Microsoft Certified Professional with specialisations in Microsoft 365 and Microsoft Teams, he helps businesses design, deploy, and manage modern voice and collaboration platforms. Based in Middlesbrough, North East England, Steve provides consultancy services both remotely and on-site across the UK. His expertise spans voice application development, PowerShell automation, network infrastructure, and UniFi deployments — enabling organisations to streamline their communications and IT operations.