By Vivek Achar, Senior Product Line Manager; Eric Cheung, Partner Solution Architect; and Mike Scott, Senior Technical Product Manager, VMware SASE
AWS Cloud WAN is a managed WAN service that helps enterprises build, manage and monitor a unified network that connects resources across cloud and on-premises environments. AWS Cloud WAN is being enhanced with Tunnel-less Connect, which allows virtual network appliances such as SD-WAN Edges to peer with the core network edge without, as the name suggests, setting up IPSec or GRE tunnels. Deploying SD-WAN instances in AWS Cloud WAN lets organizations reap the benefits of the cloud while improving network performance and security. The upcoming launch of AWS Tunnel-less Connect will simplify VMware SD-WAN™ connections to application workloads in AWS Cloud WAN.
VMware SD-WAN and AWS
As part of their journey to WAN modernization, enterprises embraced SD-WAN to reduce costs and enhance operational efficiency. As part of broader digitization initiatives, enterprises also started adopting SaaS applications and hosting applications on IaaS platforms like AWS.
To facilitate seamless connectivity with IaaS providers, SD-WAN vendors offered various methods for cloud integration. VMware SD-WAN, for instance, enables customers to connect to the AWS infrastructure by establishing secure links from VMware SD-WAN Gateways or extending the SD-WAN fabric to the AWS infrastructure by deploying VMware SD-WAN Edges in a Transit VPC (Virtual Private Cloud) and then connecting back to networking constructs like AWS Transit Gateway. This allowed on-premises users to connect to workloads hosted in AWS VPC.
Evolution of Transit VPC
Initial deployments allowed enterprises to host VMware SD-WAN Edges within the Transit VPC. Enterprises began by hosting their application workloads in these VPCs. As the number of applications increased, enterprises found themselves managing tens, and in some cases, hundreds of VPCs across multiple regions. To address this, AWS introduced Transit Gateway, enabling enterprises to connect these numerous VPCs to the Transit Gateway and link the VMware SD-WAN Edges to the Transit Gateway using VPN attachments.
With growing adoption and network throughput demands, AWS introduced Connect attachment on Transit Gateways, allowing VMware SD-WAN Edges hosted in the Transit VPC to connect using GRE/BGP to the Transit Gateway.
In late 2022, AWS unveiled a new service, AWS Cloud WAN, empowering enterprises to build a global network using the AWS Global Network. This involved deploying SD-WAN Edges in a Transport VPC to connect to the Cloud WAN component, the core network edge, and extending branches to connect to application workloads hosted in AWS. Cloud WAN also introduced the concept of network segments to align with the segmentation offered by SD-WAN vendors.
Connectivity and sharing routes via BGP
With VPN attachment or Connect attachment, the VMware SD-WAN Edges set up the IPSec or GRE tunnels to the core network edge in AWS Cloud WAN. Over these tunnels, there is a BGP session set up to exchange the prefixes learned from the SD-WAN fabric with the core network edge.
In late 2023, this connectivity will further be enhanced with the launch of AWS Tunnel-less Connect from VMware SD-WAN Edges hosted in the Transport VPC to the core network edge. This eliminates the need to set up IPSec or GRE tunnels and allows VMware SD-WAN Edges hosted in the Transport VPC to exchange route prefixes with the core network edge directly via BGP.
Topology
AWS Cloud WAN Network Edge now brings in the functionality to connect VMware SD-WAN Edges natively via BGP to the core network edge. This functionality is available only for a single segment.
Steps to configure
In your AWS Management console:
- Configure the VPC attachment at the core network edge for the Transport VPC
- Configure the Connect attachment on the core network edge. For each Connect peer, supply the core network edge IP and the Connect peer IP, and configure the peer BGP ASN (autonomous system number)
- Provision the VMware SD-WAN Edge in the Transport VPC with an ENI (elastic network interface) in the public and private subnet. IPs configured on the private subnet need to map to the peer IPs configured on the core network edge
On the VMware Edge Cloud Orchestrator:
- Configure BGP neighbor on the VMware SD-WAN Edge for the core network edge BGP ASN and IP
- Once both sides are configured, the BGP neighbor should come up and routes will be exchanged successfully.
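The four steps above are typed into two different consoles, and the most common reason the neighbor never comes up is that the values on the two sides do not agree: a Connect peer IP that is not one of the Edge's private-subnet ENI addresses, or an Orchestrator neighbor entry whose ASN or address does not mirror the Connect peer. The following Python script, added here as an illustration and not code from VMware or AWS, checks that consistency before the change window. The dataclasses are assumptions that mirror the values entered in the AWS Management console and the VMware Edge Cloud Orchestrator; they are not the AWS Network Manager or Orchestrator API, and all addresses and ASNs are constructed sample values.

```python
"""Pre-flight consistency check for a Tunnel-less Connect BGP peering.

Added example; the data model below is an assumption that mirrors the values
typed into the AWS console and the VMware Edge Cloud Orchestrator.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ConnectPeer:
    """One Connect peer configured on the core network edge (AWS side)."""
    core_network_address: str  # IP the core network edge speaks BGP from
    peer_address: str          # IP of the SD-WAN Edge's private-subnet ENI
    peer_asn: int              # ASN configured for the SD-WAN Edge


@dataclass
class EdgeBgpNeighbor:
    """One BGP neighbor entry on the VMware SD-WAN Edge (Orchestrator side)."""
    local_address: str     # private-subnet ENI IP the Edge sources BGP from
    local_asn: int
    neighbor_address: str  # should equal the Connect peer's core network address
    neighbor_asn: int      # should equal the core network ASN


def check_peering(private_subnet: str, edge_private_ips: list[str],
                  core_network_asn: int, peers: list[ConnectPeer],
                  neighbors: list[EdgeBgpNeighbor]) -> list[str]:
    """Return a list of findings; an empty list means both sides agree."""
    findings: list[str] = []
    subnet = ipaddress.ip_network(private_subnet, strict=True)

    # Step 3: every Edge private ENI IP must sit in the Transport VPC private subnet.
    for ip in edge_private_ips:
        if ipaddress.ip_address(ip) not in subnet:
            findings.append(f"edge private IP {ip} is outside {private_subnet}")

    # Step 2: each Connect peer IP must map to an Edge ENI IP, and the peer ASN
    # must differ from the core network ASN (the session is eBGP).
    edge_ips = set(edge_private_ips)
    for p in peers:
        if p.peer_address not in edge_ips:
            findings.append(f"connect peer {p.peer_address} matches no edge ENI IP")
        if p.peer_asn == core_network_asn:
            findings.append(f"peer ASN {p.peer_asn} equals the core network ASN")

    # Step 4: the Orchestrator neighbor must mirror the Connect peer exactly.
    by_peer_ip = {p.peer_address: p for p in peers}
    for n in neighbors:
        p = by_peer_ip.get(n.local_address)
        if p is None:
            findings.append(f"edge neighbor sourced from {n.local_address} has no connect peer")
            continue
        if n.neighbor_address != p.core_network_address:
            findings.append(f"edge neighbor address {n.neighbor_address} != "
                            f"core network address {p.core_network_address}")
        if n.neighbor_asn != core_network_asn:
            findings.append(f"edge neighbor ASN {n.neighbor_asn} != "
                            f"core network ASN {core_network_asn}")
        if n.local_asn != p.peer_asn:
            findings.append(f"edge local ASN {n.local_asn} != connect peer ASN {p.peer_asn}")
    return findings


# Constructed sample values (not from any real deployment).
PRIVATE_SUBNET = "10.10.1.0/24"
CORE_NETWORK_ASN = 64512


def example_consistent() -> list[str]:
    """Both consoles agree: expect no findings."""
    peers = [ConnectPeer("10.10.1.5", "10.10.1.10", 65001)]
    neighbors = [EdgeBgpNeighbor("10.10.1.10", 65001, "10.10.1.5", 64512)]
    return check_peering(PRIVATE_SUBNET, ["10.10.1.10"], CORE_NETWORK_ASN, peers, neighbors)


def example_mismatched() -> list[str]:
    """ENI IP typed as .11 on AWS, and the wrong core ASN on the Orchestrator."""
    peers = [ConnectPeer("10.10.1.5", "10.10.1.10", 65001)]
    neighbors = [EdgeBgpNeighbor("10.10.1.10", 65001, "10.10.1.5", 65000)]
    return check_peering(PRIVATE_SUBNET, ["10.10.1.11"], CORE_NETWORK_ASN, peers, neighbors)


if __name__ == "__main__":
    for label, result in (("consistent", example_consistent()),
                          ("mismatched", example_mismatched())):
        print(f"{label}: {result or 'OK'}")
```

Run it before touching either console; a non-empty list points at the exact step whose value needs correcting, which is cheaper than reading BGP state on the Edge after the fact.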
Summary
With Tunnel-less Connect on the Cloud WAN core network edge, AWS has once again elevated cloud networking capabilities, enabling VMware SD-WAN customers to simplify connectivity and increase throughput to their application workloads hosted in the cloud.
Learn more
- Read our blog, VMware SD-WAN Now Available on AWS Marketplace
- Visit the VMware SD-WAN web pages