The need to connect geographically separated branches and offices has driven the rise of Software-Defined Wide Area Networks (SD WAN). The legacy approach relied on dedicated hardware appliances and expensive MPLS circuits. SD WAN instead creates inter-branch connectivity over commodity internet services, without dedicated appliances or specialty connections. This low-cost setup, combined with the flexibility of software-defined services to configure and deploy SD WAN appliances in virtualised environments, makes SD WAN the optimal solution for WAN connectivity.
With the explosive growth of cloud computing, more and more organisations have come to rely on cloud services, either by moving entirely to a cloud-based architecture or by complementing existing on-premise resources with cloud resources for additional availability and scalability. This creates a need for SD WAN services to interact with cloud platforms so that on-premise resources can reach the cloud and vice versa. In this article, we explore the options available to SD WAN providers for connecting with the Amazon Web Services cloud platform.
How has AWS become one of the most important nodes on your WAN?
AWS (Amazon Web Services) is the market leader among cloud providers, offering more than 200 services, from simple virtual machines (EC2) to machine learning resources (SageMaker) and even quantum computing (Amazon Braket). As the most mature cloud platform, AWS has the capacity and global coverage to cater to any business need.
This extensive service offering and global coverage have enabled businesses to move their workloads to AWS successfully. The benefits include reduced capital expenditure and less maintenance and management of hardware resources.
Unlike other service providers, AWS offers native support for hybrid cloud deployments. In such a setup, some critical workloads remain in an on-premise data center while all other workloads run on AWS, or AWS simply complements existing infrastructure. SD WAN solutions are the backbone that powers such deployments. The flexibility of SD WAN lets businesses build networks without relying on dedicated hardware, using connectivity types such as broadband, 4G/5G, and even legacy MPLS. Combining SD WAN with AWS therefore lets businesses create a robust infrastructure ready to meet any market demand.
Options for SD WAN Vendors to Access AWS
The options and feature set for connecting SD WAN solutions with AWS will depend on the SD WAN provider. In this section, we will look at the available connectivity options for SD WAN providers to connect with AWS.
AWS Transit Gateway Connect
AWS Transit Gateway Connect, introduced in 2020, is the preferred method to connect SD WAN with AWS. It gives SD WAN providers a native way to connect their SD WAN infrastructure to AWS Transit Gateway.
Previously, SD WAN providers had to rely on VPNs and virtual appliances that required complex provisioning and maintenance processes to keep connectivity running smoothly. Even then, the solution was limited by restricted feature compatibility, bandwidth, and routing limits. AWS Transit Gateway Connect simplifies this by integrating natively with SD WAN providers and extending the infrastructure using standard protocols such as GRE (Generic Routing Encapsulation) and BGP (Border Gateway Protocol). This eliminates the need for multiple VPN tunnels and rigid static routing, and supports dynamic routing instead. Dynamic routing alone greatly simplifies the overall network design and leads to a simpler yet more robust network topology.
Transit Gateway Connect
The above diagram shows the native method for establishing a connection between an SD WAN appliance and AWS Transit Gateway. It eliminates the need for VPC or VPN attachment methods, which require extensive manual configuration and have limited throughput.
A Transit Gateway Connect attachment using GRE can scale up to 20 Gbps per Connect attachment, and additional attachments provide horizontal scaling for even more capacity (the maximum will depend on the SD WAN provider). Users can also manage Transit Gateway Connect attachments through the REST API or the AWS SDK. Some providers, such as Citrix, have integrated this API into their appliances, allowing users to provision the complete connection through a single interface.
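The GRE-plus-BGP provisioning described above, as an added example that is not part of the original article or any vendor's code: it assumes the AWS CLI is installed with credentials, and that a transit gateway with a configured CIDR block and an existing transport (VPC) attachment are already in place; the attachment id, the GRE addresses, and the ASN are placeholder values. The inside-CIDR rules (a /29 from 169.254.0.0/16, excluding the ranges AWS reserves) are checked before any API call is made.

```shell
#!/bin/sh
# Added example, not from the article: provision a Transit Gateway Connect
# attachment (GRE over an existing VPC transport attachment) and one BGP peer
# with the AWS CLI. All tgw-attach-*/address/ASN values are placeholders.
set -eu

# A Connect peer's inside CIDR must be a /29 inside 169.254.0.0/16 and must not
# be one of the ranges AWS reserves. Returns 0 when usable, 1 otherwise.
check_inside_cidr() {
  cidr="$1"
  case "$cidr" in
    169.254.*.*/29) ;;
    *) return 1 ;;
  esac
  for reserved in 169.254.0.0/29 169.254.1.0/29 169.254.2.0/29 169.254.3.0/29 \
                  169.254.4.0/29 169.254.5.0/29 169.254.169.248/29; do
    if [ "$cidr" = "$reserved" ]; then return 1; fi
  done
  return 0
}

# Create the Connect attachment on top of a transport attachment (a VPC or
# Direct Connect gateway attachment) and print the new attachment id.
create_connect_attachment() {
  aws ec2 create-transit-gateway-connect \
    --transport-transit-gateway-attachment-id "$1" \
    --options Protocol=gre \
    --query 'TransitGatewayConnect.TransitGatewayAttachmentId' --output text
}

# Create one GRE/BGP peer: $1 Connect attachment id, $2 GRE address on the TGW
# side (taken from the transit gateway's CIDR block), $3 appliance GRE address,
# $4 appliance BGP ASN (must differ from the TGW ASN), $5 inside /29 CIDR.
create_connect_peer() {
  check_inside_cidr "$5" || { echo "unusable inside CIDR: $5" >&2; return 1; }
  aws ec2 create-transit-gateway-connect-peer \
    --transit-gateway-attachment-id "$1" \
    --transit-gateway-address "$2" \
    --peer-address "$3" \
    --bgp-options PeerAsn="$4" \
    --inside-cidr-blocks "$5"
}

# Runs only when explicitly requested so the file can be sourced for its helpers.
if [ "${PROVISION:-0}" = 1 ]; then
  CONNECT_ID=$(create_connect_attachment tgw-attach-0123456789abcdef0)  # placeholder id
  create_connect_peer "$CONNECT_ID" 192.0.2.10 198.51.100.20 65001 169.254.6.0/29
fi
```

Up to four Connect peers can be added to one Connect attachment, which is how the 20 Gbps per attachment figure above is reached.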
What are the benefits of AWS Transit Gateway Connect?
- Native Integration - Most SD WAN providers offer AWS Transit Gateway Connect as an integrated option in their SD WAN. This tighter integration lets users use more SD WAN features directly while connecting to AWS.
- Simplified Configuration Process - The native integration of AWS Transit Gateway Connect makes it easy to configure connections between on-premise networks and AWS. This can be done from the SD WAN appliance in a few clicks, without manually configuring VPNs or routes in AWS.
- Comprehensive Network Monitoring and Management Capability - The integration with Transit Gateway Network Manager shows telemetry and performance data from virtual appliances as well as branch appliances, allowing users to monitor the entire network across AWS and on-premises. In addition, the native integration with SD WAN orchestration platforms lets users update the Transit Gateway route tables directly to manage and steer traffic.
- Higher Performance - Direct connectivity between appliances and Transit Gateway avoids the bandwidth limits of IPsec VPN connections, with support for up to 20 Gbps per Connect attachment.
- Improved Security Posture - Transit Gateway lets network appliances use private IP ranges to reach AWS resources, eliminating the need for most publicly routable IP addresses.
- Reduced Management Complexity and Cost - Overall resource usage decreases because there is no need to manage static routes or separate VPN connections. This leads to simpler management and maintenance while reducing operational expenditure.
Which SD WAN vendors are AWS Transit Gateway Connect Partners?
The following AWS partners provide direct support for AWS Transit Gateway Connect.
- Cisco Systems
- Aruba (HPE) Silver Peak
- Versa Networks
- Palo Alto Networks (CloudGenix, VM series)
- Citrix
- Aviatrix
- 128 Technology
- Arista Networks
AWS Transit Gateway Network Manager
Transit Gateway Network Manager is an AWS service that centralises monitoring and management of global network infrastructure. It lets users combine multiple transit gateways with on-premise resources and view events from a single, centralised service.
Cisco, Aruba, Silver Peak, Aviatrix, and Versa Networks have built direct integration with AWS Transit Gateway Network Manager into their SD WAN appliances. This integration automatically provisions AWS Site-to-Site VPN connections from on-premise networks to AWS.
Together, these capabilities provide a unified network view in which users can identify network issues and respond to network and connectivity problems on a global scale.
We have covered the services related to AWS Transit Gateway in the most detail because it is the native AWS service that provides the best option for connecting SD WAN to AWS services. Given the benefits above, together with its native integration, scalability, and availability, AWS Transit Gateway is the ideal method for creating a stable connection between SD WAN and AWS.
Direct VPN and Virtual Network Appliances
In this approach, SD WAN vendors use VPN connections between on-premise networks and AWS to route traffic to AWS resources. Virtual network appliances run on both the AWS side and the on-premise side to terminate the VPN.
All SD WAN providers offer prebuilt AMIs in the AWS Marketplace for this type of VPN connection (customer-managed Site-to-Site VPN), so users can set up a virtual appliance in a few clicks. These virtual appliances can be configured to connect to an AWS Virtual Private Gateway (VGW) or a Transit Gateway. All configuration and management is the sole responsibility of the customer, and performance and reliability depend on the VPN and routing configuration.
Even if you use AWS Transit Gateway with this option, the integration with the network appliance is limited to the VPC or VPN attachment options. The VPC attachment is the simpler option: the appliance is attached directly to the VPC, but only static routing is supported, which requires manual intervention for failover.
The VPN attachment option connects the transit gateway and the appliance through a VPN tunnel and supports BGP dynamic routing and failover. However, the maximum throughput is limited to 1.25 Gbps per attachment, so multiple attachments are required to increase throughput. This adds complexity to the overall network topology.
AWS Direct Connect and AWS Outposts
The Direct Connect option lets users establish a dedicated private connection between AWS and an on-premise data center. It eliminates the need to route traffic over the internet and provides speeds of up to 100 Gbps. SD WAN providers such as Aryaka support Direct Connect so that users can incorporate this dedicated connection into their SD WAN architecture.
AWS Outposts is an option for running AWS infrastructure in an on-premise data center. It makes the capabilities of AWS available within the on-premise data center. Citrix SD WAN is one of the providers validated for use with AWS Outposts, enabling users to build network infrastructure that spans AWS and on-premise resources through Outposts.
Both of these options are only suitable for large-scale enterprises or government projects, as they are cost-prohibitive and require high-level technical expertise to manage.
SD WAN providers offer multiple methods of connecting with AWS to enable hybrid network architectures, ranging from a simple VPN connection to AWS Direct Connect. However, the emergence of AWS Transit Gateway Connect offers a simpler way to provide this connectivity, with minimal manual configuration and tighter integration across SD WAN providers. Above all, this option is suitable for most use cases.