
DOP217-S

SPONSORED BY CISCO

Enterprise Networking and SD-WAN with Cisco and AWS

Nikolai Pitaev, Technical Marketing Engineer, SD-WAN and Cloud, Cisco
Simarbir Singh, Technical Marketing Engineer, Virtualization and SD-WAN, Cisco

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda

Centralized firewall inspection architecture with SD-WAN
Global WAN with Cisco SD-WAN and AWS Cloud WAN
Creating a bridge between apps and SD-WAN via AWS Cloud Map
Deeper connectivity into the cloud with Cisco Meraki virtual MX and AWS Transit Gateway
Global WAN with Meraki SD-WAN and AWS Cloud WAN
Securing the VPC with SD-WAN and SASE
What is SD-WAN now?

Yesterday
• Separation of control and data planes
• Policy-based application path selection across multiple WAN connections
• Service chaining for additional services

Today
• IaaS: cloud is just another branch/PoP
• SaaS with first packet match and cloud telemetry
• Cloud app detection and integration into SD-WAN
Which Cisco SD-WAN?

SD-WAN: Maximum versatility with advanced capabilities for sophisticated IT environments
Powered by Viptela

Simple and secure full-stack IT for SD-Branch and lean IT environments
Powered by (logo)
Centralized firewall inspection and SD-WAN
Centralized firewall inspection and SD-WAN
USE CASE OVERVIEW

Diagram: AWS us-west with Host VPC1 (App1), Host VPC2 (App2), a shared services VPC (AZ1/AZ2: FTDv-1 … FTDv-n behind a GWLB) and an AWS SD-WAN VPC (AZ1/AZ2: c8k-R1, c8k-R2), all attached to an AWS TGW; the SD-WAN routers reach the SD-WAN fabric, SD-WAN branch 1 and SD-WAN branch 2 over the public internet.

Requirements
East-west and north-south traffic must go through the firewall

Benefits
• Scalable solution
• SD-WAN and security from one hand

FTDv = Secure Firewall Threat Defense Virtual (aka FTDv / NGFWv)
Geneve = Generic Network Virtualization Encapsulation
GWLB = AWS Gateway Load Balancer
TGW = AWS Transit Gateway
AZ = Availability Zone (AWS data center)
Host VPC connectivity options

Diagram: same topology as the previous slide (Host VPC1/VPC2, shared services VPC with FTDv-1 … FTDv-n and GWLB, AWS TGW, AWS SD-WAN VPC with c8k-R1/c8k-R2).

Design option 1: Host VPC route points to GWLB endpoint
  10.111.0.0/16   local
  0.0.0.0/0       vpce-XYZ (FW-Endpoint-Service)

Design option 2: Host VPC route points to AWS TGW
  10.111.0.0/16   local
  0.0.0.0/0       tgw-XYZ (AWS Transit Gateway)
Packet flow: Simplified

Diagram: same topology as the previous slides.

From Host VPC to SD-WAN
Host VPC ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ SD-WAN

Returning traffic
SD-WAN ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ Host VPC

GENEVE protocol for load balancing between GWLB and FTDv

Appliance mode is required for symmetric routing
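An added example, not code from the slides or from Cisco or AWS: a small Python model of the two host VPC route tables and of the symmetry requirement stated above. The route entries and the two AZ1 firewall addresses come from the slides; the AZ2 firewall addresses, the hash function, the simplified model of TGW behaviour and every function name are assumptions made for this example.

```python
"""Added example, not from the slides: a model of the inspection path.

Two points it makes concrete:
  * a VPC route table is a longest-prefix match, which is what sends a
    host VPC packet to the GWLB endpoint (option 1) or to the TGW (option 2);
  * return traffic has to land on the same stateful firewall.  The model
    hashes a direction-independent 5-tuple so that both halves of a flow
    pick the same target, and shows why TGW appliance mode matters when the
    two ends of the flow sit in different Availability Zones.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str  # CIDR, e.g. "10.111.0.0/16"
    target: str  # "local", "vpce-XYZ", "tgw-XYZ"


def lookup(route_table, dst_ip):
    """Longest-prefix match over a VPC route table; returns the target id."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in route_table:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.target)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return best[1]


# Host VPC route tables as shown on the "Host VPC connectivity options" slide.
HOST_VPC_OPTION_1 = [Route("10.111.0.0/16", "local"), Route("0.0.0.0/0", "vpce-XYZ")]
HOST_VPC_OPTION_2 = [Route("10.111.0.0/16", "local"), Route("0.0.0.0/0", "tgw-XYZ")]

# GENEVE target group members per AZ (UDP 6081).  AZ1 addresses are from the
# "Packet flow: Details" slide; AZ2 addresses are constructed placeholders.
FIREWALLS = {
    "AZ1": ["10.102.3.174", "10.102.13.67"],
    "AZ2": ["10.102.103.174", "10.102.113.67"],
}


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: A->B and B->A yield the same key."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, lo, hi)


def _hash_pick(options, key):
    """Stable choice from `options` driven by a hash of the flow key.  This is an
    assumed model of flow hashing; the real TGW/GWLB hash is not published."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return options[int.from_bytes(digest[:4], "big") % len(options)]


def tgw_choose_az(key, source_az, appliance_mode):
    """Assumed model of TGW behaviour towards the shared services VPC attachment:
    without appliance mode traffic stays in the AZ it arrived from; with
    appliance mode one AZ is chosen per flow and used for both directions."""
    return _hash_pick(sorted(FIREWALLS), key) if appliance_mode else source_az


def firewall_for(packet, appliance_mode):
    """Which FTDv inspects this packet: TGW picks the AZ, GWLB picks the target."""
    key = flow_key(packet["src"], packet["sport"], packet["dst"], packet["dport"], packet["proto"])
    az = tgw_choose_az(key, packet["source_az"], appliance_mode)
    return _hash_pick(FIREWALLS[az], key)


def path_is_symmetric(appliance_mode):
    """Constructed sample flow: App1 in the host VPC (AZ1) talks to a branch host
    behind the SD-WAN router in AZ2, and the reply comes back the other way.
    Returns True if both directions are inspected by the same firewall."""
    forward = {"src": "10.111.1.10", "sport": 51000, "dst": "10.200.1.20", "dport": 443,
               "proto": "tcp", "source_az": "AZ1"}
    reply = {"src": "10.200.1.20", "sport": 443, "dst": "10.111.1.10", "dport": 51000,
             "proto": "tcp", "source_az": "AZ2"}
    return firewall_for(forward, appliance_mode) == firewall_for(reply, appliance_mode)


if __name__ == "__main__":
    print("option 1, 8.8.8.8 ->", lookup(HOST_VPC_OPTION_1, "8.8.8.8"))
    print("option 2, 10.20.0.1 ->", lookup(HOST_VPC_OPTION_2, "10.20.0.1"))
    for mode in (False, True):
        print(f"appliance mode {mode}: symmetric = {path_is_symmetric(mode)}")
```

Running the block shows the default route landing on `vpce-XYZ` or `tgw-XYZ` depending on the option, and `path_is_symmetric(False)` coming back False while `path_is_symmetric(True)` comes back True. A stateful firewall that sees only the reply half of a connection has no session for it and drops it; that is the failure mode the "appliance mode is required" line on the slide is about.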
Packet flow: Details for shared services VPC

Diagram: shared services VPC (AZ1) with a GWLB endpoint, the GWLB (cross-zone load balancing, GENEVE) and the firewalls FTDv-1 and FTDv-2; numbered hops 2 to 7 show the path in and back out.

Step 2: TGW routes to GWLB endpoint – shared services route table
  10.102.0.0/16   local
  0.0.0.0/0       vpce-XYZ (FW-Endpoint-Service-AZ1, 10.102.3.91)

Step 3: GWLB endpoint routes traffic to GWLB using AWS PrivateLink

Step 4: GWLB routes traffic to a firewall using GENEVE
  Target group FW-Target-Group-Geneve with 4 firewalls (two shown):
  10.102.3.174    MC-FTD-IFT-1   6081   us-west-AZ1
  10.102.13.67    MC-FTD-IFT-2   6081   us-west-AZ1

Step 5: Firewall decapsulates GENEVE, inspects the packet, re-encaps and sends it back to GWLB

Step 6: GWLB removes GENEVE header and forwards packet to the appropriate GWLB endpoint

Step 7: GWLB endpoint sends packet to TGW
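What the firewall has to do at step 5, as an added example that is not the slides' code and not how FTDv is implemented: a Python parser that strips the GENEVE header from a frame received on UDP 6081, reads the inner IPv4 header, applies a placeholder allow/deny check and, if the packet passes, returns it with the outer header and its options preserved byte for byte, which is what lets the GWLB send it back to the right endpoint at step 6. The sample frame is constructed here; the option class and type mimic the published AWS Gateway Load Balancer option layout and are an assumption of this example, as is the toy policy.

```python
"""Added example, not from the slides: GENEVE decapsulate / inspect / re-encapsulate.

The GWLB hands the appliance the original packet wrapped in GENEVE (RFC 8926,
UDP 6081).  The appliance must parse the outer header, look at the inner
packet, and send the packet back wearing the *same* outer header and options.
"""
import ipaddress
import struct

GENEVE_PORT = 6081
ETH_P_IPV4 = 0x0800


def parse_geneve(frame: bytes):
    """Split a GENEVE payload into header bytes, options and the inner packet.
    Options are returned as (option_class, option_type, data) tuples."""
    if len(frame) < 8:
        raise ValueError("short GENEVE header")
    first, _flags, proto = struct.unpack("!BBH", frame[:4])
    version, opt_len_words = first >> 6, first & 0x3F
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    vni = int.from_bytes(frame[4:7], "big")
    hdr_len = 8 + 4 * opt_len_words
    if len(frame) < hdr_len:
        raise ValueError("GENEVE options run past end of packet")
    options, pos = [], 8
    while pos < hdr_len:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", frame[pos:pos + 4])
        data_len = 4 * (len_byte & 0x1F)  # length is in 4-byte words, excluding the option header
        if pos + 4 + data_len > hdr_len:
            raise ValueError("GENEVE option length exceeds header")
        options.append((opt_class, opt_type, frame[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return {"version": version, "proto": proto, "vni": vni,
            "header": frame[:hdr_len], "options": options, "inner": frame[hdr_len:]}


def inner_ipv4_tuple(inner: bytes):
    """Source address, destination address and protocol number of the inner IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    return src, dst, proto


def policy_allows(src, dst, proto):
    """Placeholder policy for the example: hosts in Host VPC 10.111.0.0/16 may only
    send TCP.  A real FTDv access policy is far richer than this."""
    host_vpc = ipaddress.ip_network("10.111.0.0/16")
    if ipaddress.ip_address(src) in host_vpc and proto != 6:
        return False
    return True


def inspect_and_reencap(frame: bytes):
    """Step 5: decapsulate, inspect, then either drop (return None) or hand the
    packet back re-encapsulated with the unchanged GENEVE header and options."""
    g = parse_geneve(frame)
    if g["proto"] != ETH_P_IPV4:
        return None  # only IPv4 is handled in this example
    src, dst, proto = inner_ipv4_tuple(g["inner"])
    if not policy_allows(src, dst, proto):
        return None
    return g["header"] + g["inner"]  # outer header goes back byte for byte


def build_sample_frame(src, dst, proto):
    """Constructed GENEVE frame: one 4-byte option (class 0x0108, type 3, in the
    style of the AWS GWLB flow cookie; values assumed) plus a minimal inner IPv4 header."""
    opt = struct.pack("!HBB", 0x0108, 3, 1) + b"\xde\xad\xbe\xef"
    opt_len_words = len(opt) // 4
    hdr = struct.pack("!BBH", opt_len_words, 0, ETH_P_IPV4) + (0).to_bytes(3, "big") + b"\x00"
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opt + inner


if __name__ == "__main__":
    frame = build_sample_frame("10.111.1.10", "10.200.1.20", 6)
    print("options:", parse_geneve(frame)["options"])
    print("TCP from host VPC passes:", inspect_and_reencap(frame) == frame)
    print("UDP from host VPC dropped:",
          inspect_and_reencap(build_sample_frame("10.111.1.10", "10.200.1.20", 17)) is None)
```

The parser rejects frames whose option length claims more bytes than the packet carries; a decapsulation path that trusts the length field is a classic place for out-of-bounds reads, so that check belongs in any real implementation as well.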
Connecting SD-WAN

Diagram: same topology as the previous slides.

VPN or Connect attachment for SD-WAN VPC
BGP between AWS TGW and SD-WAN routers
Cisco Catalyst 8000V as SD-WAN router
Multi-Region via AWS Cloud WAN – see the next chapter!

Automation: GitHub repo SD-WAN CoR LabInfra
Cisco SD-WAN and AWS Cloud WAN
Cisco Multicloud Solutions for AWS

Diagram: US-West-1 with two Host VPCs attached to an AWS TGW; the SD-WAN TVPC connects to the TGW by VPN Attachment (IPSec) or Connect Attachment (GRE) and to Branch 1, Branch 2 and Branch 3 over the SD-WAN fabric.

All automated in Cisco vManage!

New! Branch Connect: Direct IPSec to AWS TGW

Extending SD-WAN Fabric to the cloud
Cisco SD-WAN and AWS Cloud WAN
USE CASE OVERVIEW

Use case
• Site-to-Cloud VPC
• Site-to-Site over AWS Core

Benefits
• Easily stitch SD-WAN & cloud across many regions
• End-to-End Segmentation
• Secure, Scalable and On-Demand Bandwidth

Diagram: apps in any region behind the AWS Core Network, which is described by a YAML file; the Cisco SD-WAN Fabric, managed by Cisco vManage, joins the Los Angeles and London SD-WAN branches to it.
Architecture

Core Network Policy (CNP):
• Regions
• Edges
• Segments
• Dynamic routing
• Attachments
• Sharing (route leaking)
• Service Insertion (FW)

Diagram: Region 1, Region 2 and Region 3, each with VPCs attached to a Core Network Edge (CNE-1, CNE-2, CNE-3) of the AWS Core Network defined by the CNP; a TVPC with a Cisco CGW joins the Cisco SD-WAN Fabric (Branch 1, Branch 2, Branch 3, managed by vManage with an SD-WAN policy) to the core network; Test and Prod segments span both.

CNE – Core Network Edge
CNP – Core Network Policy
TVPC – Transit VPC
CGW – Cloud Gateway
Cisco SD-WAN orchestration for Cloud WAN
USE CISCO VMANAGE TO DEPLOY AND MANAGE AWS CLOUD WAN

• Connect SD-WAN branches to AWS with private or public connections
• Deploy SD-WAN Cloud Gateway (CGW) with edge services in as many AWS Regions as required
• AWS core network will automatically create inter-Region core network edge (CNE) peering in participating Regions using AWS backbone
• Extend SD-WAN segments by discovery and tagging for end-to-end segmentation across multiple Regions
• Enable Transit Gateway Connect attachment between SD-WAN edge and CNE for high bandwidth requirement
• Enable unified end-to-end network policy control
• Insert services between segments using business-driven policy intent
Workflow – Cisco vManage
CLOUD ONRAMP FOR MULTICLOUD

1. Provide vManage access permissions to your AWS account
2. Select network configuration for SD-WAN router acting as cloud gateway

1. Discover VPCs across AWS Regions
2. Select VPCs to connect to your cloud SD-WAN
3. Tag VPCs for SD-WAN management

1. Launch an SD-WAN cloud gateway in your Region
2. Deploy a new AWS Transit Gateway
3. Connect Transit Gateway to SD-WAN VPC

1. Configure segmentation
2. Select segments to extend to VPCs
3. Stitch WAN segments to VPC segment
Mapping SD-WAN and cloud infrastructure
ONE CLICK IN THE INTENT MANAGEMENT TABLE

Mapping SD-WAN to host VPCs with 1 click!
AWS Cloud Map as a bridge between apps and SD-WAN network
Creating a bridge between cloud apps and SD-WAN via AWS Cloud Map

Use case summary
DevOps register cloud-based apps at AWS Cloud Map (write metadata "traffic-profile")
Cloud native WAN-adapter / vManage detects cloud-based app automatically
NetOps create SD-WAN policies and ensure required app experience in the network

Diagram: DevOps register an App in AWS Cloud Map with "traffic-profile=video"; vManage programs the SD-WAN fabric towards the Los Angeles branch; NetOps own the SD-WAN policies.

Details: developer.cisco.com/docs/cloud-native-sdwan/#!cn-wan-adaptor
Cisco Meraki and AWS
A platform approach to SD-WAN
OUT-OF-THE-BOX DIGITAL BUSINESS

MANAGEMENT & ANALYTICS POWERED BY MERAKI
{ HTTPS } { API }
Create the foundation for high-quality experience in three clicks

Simple: The ability to configure site-to-site, Layer 3 IPsec VPN tunnels in just three clicks in the Cisco Meraki dashboard over any WAN link

Automatic: VPN configuration generated and deployed automatically from the cloud – create a mesh or hub-and-spoke topology with only a few clicks

Resilient: Automatically adjusts to changes in order to maintain secure connectivity during an ISP or datacenter outage, hardware failure, or IP address update
Extend security deep into the cloud
MULTI-REGION CONNECTIVITY

Flexible connectivity
• Virtual MX (vMX) is a virtual instance of a Meraki security & SD-WAN appliance.
• vMX extends optimized SD-WAN fabric to hybrid cloud environments
• Deep public cloud connectivity for multi-region deployments
  • AWS Transit Gateway
  • AWS Cloud WAN
Cisco Meraki vMX and AWS Transit Gateway
Extending SD-WAN to AWS Transit Gateway

• Extend your branch SD-WAN deployments to applications hosted on AWS
• Highly available architecture for deeper connectivity to cloud resources via AWS Transit Gateway (TGW) using AWS Lambda
• Single-button automated deployment via AWS Quick Start
Cisco Meraki vMX and AWS Cloud WAN
Multi-Region deployment use case

Diagram: AWS Cloud with three Regions; each Region has an SD-WAN VPC with a Cisco Meraki vMX terminating SD-WAN tunnels from branch sites, a TGW and workload VPCs; the TGWs are joined to each other by peering attachments.

• Customers are increasingly operating in multiple Regions within the cloud
• Manually setting up multiple peering attachments and lack of automation can make it difficult to scale and manage
Simplified multi-Region deployment

Diagram: an AWS Cloud WAN core network spanning several Regions; each Region has an SD-WAN VPC with a Cisco Meraki vMX (SD-WAN tunnels to branch sites) and workload VPCs, attached to the core network edge (E) in an SD-WAN segment and a workload segment.

• Simplified multi-Region connectivity
• Managed Transit Gateway
• Segmentation and intent-based policies
• Regional hubs as VPC attach
Cisco Meraki vMX with AWS Cloud WAN
TOPOLOGY FOR THE DEMO

Diagram: AWS Cloud with an AWS Core Network governed by a CW Policy; Region A holds the SD-WAN VPC with the Meraki vMX in the SD-WAN segment, Region B holds the workload VPC in the workload segment; both are VPC attachments to the core network edges (E); a Meraki SD-WAN branch site connects to the vMX. Prefixes shown: 172.32.0/24 and 10.198.0.0/24.
Cisco SD-WAN orchestration for Cloud WAN
USE CISCO MERAKI TO DEPLOY AND MANAGE AWS CLOUD WAN

Phase 0: Using AWS Quick Starts
• Extend your Meraki SD-WAN Fabric to AWS
• Automate deployment of SD-WAN edges in any cloud region using CloudFormation
• Deploy Cloud WAN core network and connect to sites in other regions using AWS Cloud WAN backbone
• Set up Cloud WAN segments and policies

Phase 1: Using Meraki Dashboard *
• Deploy Cisco Meraki vMX to AWS from Meraki dashboard in a few clicks
• Deeper integration with the AWS network with connectivity to AWS TGW and Cloud WAN
• Dynamically define and manage Cloud WAN policies and segments from the dashboard

* Meraki Dashboard integration targeted (not committed) for 2HCY2022
Workflow – Cisco Meraki
CLOUD ONRAMP FOR MULTICLOUD

1. Configure your SD-Network from the Meraki Dashboard
2. Tag SD-WAN edges to be used as Hubs

1. Launch the CloudFormation template
2. Specify stack details and create stack

1. Launch an SD-WAN Edge to your region
2. Deploy a new AWS Transit Gateway
3. Connect TGW to SD-WAN VPC via VPC attach
4. Program SD-WAN branch routes on AWS

1. Multi-region deployment
2. Set up segments based on business needs
3. Configure attachment policies between segments
4. Connect branch sites to different segments
Securing the VPC with SASE
Securing the VPC with SASE
USE CASE OVERVIEW

• Traffic to branch sites via SD-WAN router
• Internet traffic from cloud workloads egresses via SASE router connected to Cisco Umbrella
• Policy enforcement done via Cisco Umbrella SIG

Diagram: an AWS Cloud VPC with a SASE subnet (Internet Gateway) and an SD-WAN subnet (Branch Connectivity) in front of a workload subnet of servers; branch traffic to workloads enters through the SD-WAN subnet from the branch sites, and internet traffic from workloads leaves through the SASE subnet to Umbrella SIG and the internet.
Next steps

cs.co/CoR-Trial
YouTube SD-WAN Channel
cisco.com/go/sdwan

Risk-free evaluation: meraki.cisco.com/eval
Check out our website & blog: meraki.cisco.com/blog
Check out the Cisco Meraki vMX Quick starts: aws.amazon.com/quickstart/

Demo and more information at our booth

Thank you!

Nikolai Pitaev, npitaev@cisco.com, linkedin.com/in/npitaev/
Simarbir Singh, simarbsi@cisco.com, linkedin.com/in/simarbir-singh-85507724/