1.

SD-WAN connectivity with AWS Transit Gateway Connect attachments

Reference Architectures for
2. SD-WAN connectivity with AWS Site-to-Site VPN
Implementing SD-WAN
3. SD-WAN connectivity with VPC attachments
Solutions on AWS
4. SD-WAN devices integration with AWS Transit Gateway and AWS Direct Connect

Reviewed for technical accuracy April 27, 2022

© 2021,
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
 Traffic initiated from an Amazon Elastic
1
SD-WAN Connectivity with AWS Transit Gateway Connect
Compute Cloud (Amazon EC2) instance in the
Spoke VPC A and destined for the corporate
data center is routed to the transit gateway
Use AWS Transit Gateway Connect attachments to connect your software defined-wide area network (SD-WAN) to Transit Gateway, and simplify your elastic network interface (TGW ENI) as per the
route management across hybrid cloud environments. The SD-WAN headend peers with the Transit Gateway over a Generic Routing Encapsulation spoke VPC A route table.
(GRE) tunnel, allowing this design to take advantage of the higher border gateway protocol (BGP) prefix limit of Transit Gateway. Additionally, with a
single Transit Gateway Connect attachment, you will be able to scale horizontally the bandwidth of your connection up to 20 Gbps. Traffic is forwarded to AWS Transit Gateway.
2 As per the spoke VPC route table, the traffic is
routed to the appliance virtual private cloud
SD-WAN overlay
(VPC) via the Transit Gateway connect
AWS Region Spoke VPC A route table attachment.
GRE tunnel
Spoke VPC A Destination Target Appliance VPC Public route table
The Transit Gateway connect attachment uses
10.0.0.0/16
Destination Target
BGP peering 3 the VPC attachment as transport, and connects
10.0.0.0/16 local
Availability Zone A
Transit Gateway to the third-party appliance in
0.0.0.0/0 tgw-id 10.2.0.0/16 local the appliance VPC using GRE tunneling and
workload subnet BGP.
10.0.1.0/24 192.168.0.0/24 vgw-id
EC2 4 The third-party virtual appliance encapsulates
instance 1
VPC 0.0.0.0/0 igw-id
corporate
4 the traffic, which uses the SD-WAN overlay – on
association
AWS Transit Gateway 192.168.0.0/24 top of the AWS Direct Connect link – to reach
TGW subnet
10.0.0.0/24 Appliance VPC the corporate data center.
Spoke VPC route table virtual private
10.2.0.0/16
gateway AWS Direct Traffic from branches outside AWS destined to
TGW CIDR Attachment
ENI
2 Availability Zone A Connect A the spoke VPC B reaches the internet gateway
0.0.0.0/0 TGW connect of the appliance VPC via the SD-WAN overlay -
TGW subnet public subnet
10.2.1.0/24
on top of the internet.
3 10.2.0.0/24
Appliance VPC route table
Spoke VPC B connect The third-party virtual appliance in the Connect
10.1.0.0/16 CIDR Attachment attachment
internet
branch
B VPC forwards the traffic to the Transit
B third-party internet Gateway via the connect attachment.
VPC 10.0.0.0/24 Spoke VPC A TGW ENI
Availability Zone A association virtual appliance gateway A
VPC
TGW subnet 10.1.0.0/24 Spoke VPC B association As per the Transit Gateway appliance VPC
10.1.0.0/24
C (transit) C route table, the traffic is forwarded to the
Appliance VPC TGW route table spoke VPC B attachment.
TGW
ENI Destination Target The Transit Gateway ENI of the spoke VPC B
workload subnet Spoke VPC B route table D forwards the traffic to the destination.
10.1.1.0/24 10.2.0.0/16 local
Destination Target
EC2 D internet
For more information about AWS Transit
instance 10.1.0.0/16 local branch Gateway Connect attachments and SD-WAN
0.0.0.0/0 tgw-id connectivity, refer to: Simplify SD-WAN
connectivity with AWS Transit Gateway Connect.

Reviewed for technical accuracy April 27, 2022 To check an example of this architecture in
2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture Terraform, check AWS Hub and Spoke with
Transit Gateway Connect VPC.
 Traffic initiated from an instance in the
SD-WAN connectivity with AWS Site-to-Site VPN 1 spoke VPC A and destined to the corporate
data center is routed to the TGW ENI as
If your third-party virtual appliance does not support GRE, you can still integrate your SD-WAN network to AWS Transit Gateway by creating an AWS per the spoke VPC A route table.
Site-to-Site VPN connection, peering the SD-WAN headend with the Transit Gateway using IPSec tunnels. The SD-WAN headend can use BGP to peer
with the Transit Gateway to exchange route prefixes. If you want to increase the bandwidth to more than the 1.25 Gbps limit of one single Site-to- Traffic is forwarded to the Transit
Site VPN connection, additional IPSec VPN connections can be used with Transit Gateway’s support for Equal-Cost Multi-Path (ECMP). 2 Gateway. As per the spoke VPC route
table, the traffic is routed to the appliance
VPC via the Site-to-Site VPN attachment.
SD-WAN overlay
AWS Region Spoke VPC A route table
The traffic is routed between the Transit
Spoke VPC A Destination Target Appliance VPC Public route table 3 Gateway and the third-party virtual
10.0.0.0/16 appliance between a Site-to-Site VPN
10.0.0.0/16 local Destination Target
connection.
Availability Zone A 4
0.0.0.0/0 tgw-id 10.2.0.0/16 local
workload subnet The third-party virtual appliance
corporate
10.0.1.0/24 192.168.0.0/24 vgw-id 192.168.0.0/24 4 encapsulates the traffic, which uses the
EC2 SD-WAN overlay – on top of the AWS
instance 1 0.0.0.0/0 igw-id
VPC
Direct Connect link – to reach the
AWS Transit Gateway
TGW subnet association corporate data center.
10.0.0.0/24 appliance VPC AWS Direct
Spoke VPC route table 10.2.0.0/16 virtual private Connect
gateway Traffic from branches outside AWS
TGW 2 CIDR Attachment Availability Zone A
A destined to the spoke VPC B reaches the
ENI
Internet gateway of the appliance VPC via
0.0.0.0/0 Site-to-Site VPN public subnet
10.2.0.0/24 the SD-WAN overlay - on top of the
Appliance VPC route table 3 internet.
Spoke VPC B VPC
10.1.0.0/16 association C
CIDR Attachment B The third-party virtual appliance in the
third-party internet
Availability Zone A virtual appliance 2 internet A branch B appliance VPC forwards the traffic to the
10.0.0.0/24 Spoke VPC A gateway
TGW subnet
Transit Gateway via the Site-to-Site VPN
10.1.0.0/24 10.1.0.0/24 Spoke VPC B connection.
AWS Site-to-Site
TGW VPN
ENI association As per the Transit Gateway appliance VPC
D
Spoke VPC B route table
C route table, the traffic is forwarded to the
workload subnet
spoke VPC B attachment.
10.1.1.0/24
Destination Target internet
branch
EC2 The TGW ENI of the spoke VPC B forwards
10.1.0.0/16 local D
instance the traffic to the destination.
0.0.0.0/0 tgw-id

Reviewed for technical accuracy April 27, 2022

2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture
 Traffic initiated from an instance in the
SD-WAN connectivity with VPC attachments 1 Spoke VPC A and destined to the branches
outside AWS is routed to the TGW ENI as
If your third-party virtual appliance does not support GRE and you don’t want to manage IPsec VPN connections, you can integrate your SD-WAN per the Spoke VPC A route table.
network to AWS Transit Gateway with a VPC attachment. This option will require a more complex setup with VPC and Transit Gateway route tables,
as the SD-WAN headend and the Transit Gateway are not peered. Traffic is forwarded to the Transit
2
Gateway. As per the Spoke VPC route
table, the traffic is routed to the appliance
SD-WAN overlay
VPC via the appliance VPC attachment.
AWS Region Spoke VPC A route table Appliance VPC public route table

Destination Target The traffic is sent to the appliance VPC by

Spoke VPC A Destination Target 3 the Transit Gateway. As per the appliance
10.0.0.0/16
10.0.0.0/16 local 10.2.0.0/16 local VPC TGW route table, traffic is redirected
Availability Zone A to the third-party virtual appliance.
0.0.0.0/0 tgw-id 10.0.0.0/16 tgw-id
workload subnet
10.0.1.0/24
10.1.0.0/16 tgw-id The third-party virtual appliance
4 encapsulates the traffic, which uses the
EC2
instance 1
VPC 0.0.0.0/0 igw-id SD-WAN overlay – on top of the internet –
association
to reach the corporate data center.
TGW subnet
AWS Transit Gateway appliance VPC
10.0.0.0/24 4
10.2.0.0/16 Traffic from branches outside AWS
TGW
Spoke VPC route table internet A destined to the spoke VPC B reaches the
2 Availability Zone A branch
ENI CIDR Attachment internet gateway of the appliance VPC via
TGW subnet public subnet the SD-WAN overlay - on top of the
0.0.0.0/0 appliance VPC 10.2.0.0/24 10.2.1.0/24 internet.
3
Spoke VPC B Appliance VPC route table
10.1.0.0/16 B The third-party virtual appliance in the
CIDR Attachment third-party internet B appliance VPC forwards the traffic to the
VPC TGW ENI
Availability Zone A virtual appliance gateway A
10.0.0.0/24 Spoke VPC A association TGW ENI as per the appliance VPC public
TGW subnet route table. Traffic is sent to the Transit
10.1.0.0/24 C VPC 10.1.0.0/24 Spoke VPC B
association Appliance VPC TGW route table internet
Gateway.
TGW branch
ENI Destination Target As per the Transit Gateway appliance VPC
workload subnet
Spoke VPC B route table C route table, the traffic is forwarded to the
10.2.0.0/16 local
10.1.1.0/24
Destination Target spoke VPC B attachment.
0.0.0.0/0 eni-id
EC2 10.1.0.0/16 local
D The TGW ENI of the spoke VPC B forwards
instance
D the traffic to the destination.
0.0.0.0/0 tgw-id

Reviewed for technical accuracy April 27, 2022

2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture
 Traffic initiated from an instance in the
SD-WAN device integration with AWS Transit Gateway and 1 spoke VPC A and destined to the corporate
data center SD-WAN device is routed to

AWS Direct Connect the TGW ENI as per the spoke VPC A Route
Table.
Use AWS Transit Gateway Connect attachments and AWS Direct Connect to extend and segment your SD-WAN traffic to AWS without adding extra
infrastructure. Each Transit Gateway Connect Peer can have its own Transit Gateway Route Table and BGP peer to extend an on-premises VRF if Traffic is forwarded to the Transit
required.
2 Gateway. As per the spoke VPC route
table, the traffic is routed to the corporate
AWS Region
data center via the Transit Gateway
Spoke VPC A route table GRE tunnel connect attachment.
Spoke VPC A Destination Target
10.0.0.0/16 BGP peering The Transit Gateway connect attachment
10.0.0.0/16 local 3 uses the Direct Connect connection as
Availability Zone A
0.0.0.0/0 tgw-id transport, and connects the Transit
workload subnet Gateway to the corporate data center SD-
10.0.1.0/24
WAN device using GRE tunneling and BGP
EC2
VPC
instance 1 association Traffic from the corporate data center SD-
TGW subnet corporate data center A WAN device destined to the spoke VPC B is
10.0.0.0/24 AWS Transit Gateway 192.168.0.0/16
forwarded to the Transit Gateway via the
A GRE tunnel of the Transit Gateway
TGW Spoke VPC route table DX location
2
3 attachment – over the Direct Connect link.
ENI
CIDR Attachment
connect customer As per the Transit Gateway connect route
192.168.0.0/16 TGW connect attachment
gateway B table, the traffic is forwarded to the spoke
Spoke VPC B VPC B attachment.
Connect route table
10.1.0.0/16 Direct Connect DX router transit VIF
CIDR Attachment gateway corporate SD-WAN
Availability Zone A
VPC
DX gateway device The TGW ENI of the spoke VPC B forwards
association
10.0.0.0/24 Spoke VPC A association C the traffic to the destination.
TGW subnet
10.1.0.0/24 B 10.1.0.0/24 Spoke VPC B
TGW AWS Direct
ENI Connect
Spoke VPC B route table
workload subnet
10.1.1.0/24 Destination Target
EC2 C 10.1.0.0/16 local
instance
0.0.0.0/0 tgw-id For more information about how to integrate
your on-premises SD-WAN devices using AWS
Reviewed for technical accuracy April 27, 2022 Transit Gateway and AWS Direct Connect, refer
2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture to: Integrate SD-WAN devices with AWS Transit
Gateway and AWS Direct Connect