Professional Documents
Culture Documents
Reviewed for technical accuracy April 27, 2022 To check an example of this architecture in
2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture Terraform, check AWS Hub and Spoke with
Transit Gateway Connect VPC.
Traffic initiated from an instance in the
SD-WAN connectivity with AWS Site-to-Site VPN 1 spoke VPC A and destined to the corporate
data center is routed to the TGW ENI as
If your third-party virtual appliance does not support GRE, you can still integrate your SD-WAN network to AWS Transit Gateway by creating an AWS per the spoke VPC A route table.
Site-to-Site VPN connection, peering the SD-WAN headend with the Transit Gateway using IPSec tunnels. The SD-WAN headend can use BGP to peer
with the Transit Gateway to exchange route prefixes. If you want to increase the bandwidth to more than the 1.25 Gbps limit of one single Site-to- Traffic is forwarded to the Transit
Site VPN connection, additional IPSec VPN connections can be used with Transit Gateway’s support for Equal-Cost Multi-Path (ECMP). 2 Gateway. As per the spoke VPC route
table, the traffic is routed to the appliance
VPC via the Site-to-Site VPN attachment.
SD-WAN overlay
AWS Region Spoke VPC A route table
The traffic is routed between the Transit
Spoke VPC A Destination Target Appliance VPC Public route table 3 Gateway and the third-party virtual
10.0.0.0/16 appliance between a Site-to-Site VPN
10.0.0.0/16 local Destination Target
connection.
Availability Zone A 4
0.0.0.0/0 tgw-id 10.2.0.0/16 local
workload subnet The third-party virtual appliance
corporate
10.0.1.0/24 192.168.0.0/24 vgw-id 192.168.0.0/24 4 encapsulates the traffic, which uses the
EC2 SD-WAN overlay – on top of the AWS
instance 1 0.0.0.0/0 igw-id
VPC
Direct Connect link – to reach the
AWS Transit Gateway
TGW subnet association corporate data center.
10.0.0.0/24 appliance VPC AWS Direct
Spoke VPC route table 10.2.0.0/16 virtual private Connect
gateway Traffic from branches outside AWS
TGW 2 CIDR Attachment Availability Zone A
A destined to the spoke VPC B reaches the
ENI
Internet gateway of the appliance VPC via
0.0.0.0/0 Site-to-Site VPN public subnet
10.2.0.0/24 the SD-WAN overlay - on top of the
Appliance VPC route table 3 internet.
Spoke VPC B VPC
10.1.0.0/16 association C
CIDR Attachment B The third-party virtual appliance in the
third-party internet
Availability Zone A virtual appliance 2 internet A branch B appliance VPC forwards the traffic to the
10.0.0.0/24 Spoke VPC A gateway
TGW subnet
Transit Gateway via the Site-to-Site VPN
10.1.0.0/24 10.1.0.0/24 Spoke VPC B connection.
AWS Site-to-Site
TGW VPN
ENI association As per the Transit Gateway appliance VPC
D
Spoke VPC B route table
C route table, the traffic is forwarded to the
workload subnet
spoke VPC B attachment.
10.1.1.0/24
Destination Target internet
branch
EC2 The TGW ENI of the spoke VPC B forwards
10.1.0.0/16 local D
instance the traffic to the destination.
0.0.0.0/0 tgw-id
AWS Direct Connect the TGW ENI as per the spoke VPC A Route
Table.
Use AWS Transit Gateway Connect attachments and AWS Direct Connect to extend and segment your SD-WAN traffic to AWS without adding extra
infrastructure. Each Transit Gateway Connect Peer can have its own Transit Gateway Route Table and BGP peer to extend an on-premises VRF if Traffic is forwarded to the Transit
required.
2 Gateway. As per the spoke VPC route
table, the traffic is routed to the corporate
AWS Region
data center via the Transit Gateway
Spoke VPC A route table GRE tunnel connect attachment.
Spoke VPC A Destination Target
10.0.0.0/16 BGP peering The Transit Gateway connect attachment
10.0.0.0/16 local 3 uses the Direct Connect connection as
Availability Zone A
0.0.0.0/0 tgw-id transport, and connects the Transit
workload subnet Gateway to the corporate data center SD-
10.0.1.0/24
WAN device using GRE tunneling and BGP
EC2
VPC
instance 1 association Traffic from the corporate data center SD-
TGW subnet corporate data center A WAN device destined to the spoke VPC B is
10.0.0.0/24 AWS Transit Gateway 192.168.0.0/16
forwarded to the Transit Gateway via the
A GRE tunnel of the Transit Gateway
TGW Spoke VPC route table DX location
2
3 attachment – over the Direct Connect link.
ENI
CIDR Attachment
connect customer As per the Transit Gateway connect route
192.168.0.0/16 TGW connect attachment
gateway B table, the traffic is forwarded to the spoke
Spoke VPC B VPC B attachment.
Connect route table
10.1.0.0/16 Direct Connect DX router transit VIF
CIDR Attachment gateway corporate SD-WAN
Availability Zone A
VPC
DX gateway device The TGW ENI of the spoke VPC B forwards
association
10.0.0.0/24 Spoke VPC A association C the traffic to the destination.
TGW subnet
10.1.0.0/24 B 10.1.0.0/24 Spoke VPC B
TGW AWS Direct
ENI Connect
Spoke VPC B route table
workload subnet
10.1.1.0/24 Destination Target
EC2 C 10.1.0.0/16 local
instance
0.0.0.0/0 tgw-id For more information about how to integrate
your on-premises SD-WAN devices using AWS
Reviewed for technical accuracy April 27, 2022 Transit Gateway and AWS Direct Connect, refer
2021, Amazon
© 2022, AmazonWeb
WebServices,
Services,Inc.
Inc.ororitsitsaffiliates.
affiliates.
AllAll rights
rights reserved.
reserved. AWS Reference Architecture to: Integrate SD-WAN devices with AWS Transit
Gateway and AWS Direct Connect