AWS Partner Network (APN) Blog

Embracing Hybrid Cloud with Citrix SD-WAN and AWS Transit Gateway Connect

By Joanne Lei, Sr. Partner Solution Architect at AWS
By Valerie DiMartino, Sr. Product Marketing Manager at Citrix


When moving workloads to Amazon Web Services (AWS), one of the most important considerations is connectivity.

With the goal of delivering the best application experience, AWS and Citrix collaborate on many different solutions.

One of the key integrations is Citrix SD-WAN’s support for AWS. Citrix SD-WAN provides a unique combination of proactive, end-to-end application traffic management.

In this post, we’ll show you how to architect a scalable SD-WAN solution with the new AWS Transit Gateway Connect attachment and streamline the deployment with Citrix SD-WAN Orchestrator.

Citrix is an AWS Technology Partner with AWS Competencies in Networking and Digital Workplace. From enabling sustainable hybrid work models to streamlining the journey to multi-cloud, Citrix helps organizations deliver a consistent and secure work experience no matter where work needs to get done—in the office, at home, or in the field.

The Challenge

Legacy WAN architectures are impeding the vision of hybrid multi-cloud. Organizations need a reliable and intelligent network to allow branch and home office workers frictionless access to workloads in the cloud, as well as to the on-premises data center and software-as-a-service (SaaS).

The WANs of yesterday fall short of achieving the performance needs of today’s modern enterprise.

Prevalent WAN technologies like MPLS are unable to effectively handle the uptick in bandwidth demanded from the increase in cloud application traffic, resulting in inconsistent end-user experiences.

Sub-optimal routing practices arise from the need to backhaul application traffic to a central location for inspection purposes, creating additional latency that can worsen application performance for users.

Implementing direct internet access at local branches can easily mitigate the latency challenges. However, a major concern when adopting this approach is security. Left behind in the data center, the security stack is now required to secure the edge of the network where users are.

By running Citrix SD-WAN on AWS, organizations can overcome these challenges and deliver a consistent, high performing, and secure overlay network for their branch and home office users to access the applications in the cloud.

Deploying Citrix SD-WAN in a single virtual private cloud (VPC) is straightforward, but this model does not scale as your footprint on AWS expands to multiple VPCs.

While customers can scale the solution by integrating Citrix SD-WAN with AWS Transit Gateway using either a VPC or virtual private network (VPN) attachment, each attachment type comes with its own limitations.

Solution Overview

The hybrid architecture has a Citrix SD-WAN virtual appliance (VPX) deployed on AWS, usually in an Edge VPC or Transit VPC, serving as an entry point to all of your workloads running in the same or other VPCs.

Citrix SD-WAN VPX on AWS can securely reach all of the branch offices, data centers, and corporate headquarters via multiple network paths, and load balance traffic at the packet level to deliver a resilient and optimized WAN solution.

Now, with the new Transit Gateway Connect, Citrix SD-WAN can natively consolidate edge connectivity to AWS, dynamically route through a single ingress/egress point, provide higher bandwidth interconnects, and lower overall operational costs.

With this native integration, enterprises can simplify overall network architecture, reduce operational overhead, and gain the ability to centrally manage critical aspects of your connectivity, including security.

As you migrate more workloads to AWS, you can automatically connect a newly-created workload VPC to SD-WAN by simply attaching it to the Transit Gateway. With Border Gateway Protocol (BGP) peering between the Citrix SD-WAN appliance and AWS Transit Gateway, routes are dynamically learned and propagated as new workload VPCs and branch offices come online.


Figure 1 – Hybrid cloud architecture with Citrix SD-WAN and AWS.

By accessing resources on AWS from branches over a Citrix SD-WAN virtual path, you get benefits including:

  • Link bonding.
  • Per packet traffic handling for fast failover.
  • Dual-ended Quality of Service (QoS).
  • Packet racing over multiple links for critical traffic like audio.
  • Next-gen integrated edge firewall.
  • Centralized visibility and orchestration.

To reduce the administrative overhead, you can use the SD-WAN Orchestrator service hosted in Citrix Cloud to centrally configure, manage, and operate all of the SD-WAN appliances across your entire infrastructure, cloud or on-premises.

Through a guided workflow on Citrix SD-WAN Orchestrator, IT managers can natively integrate Citrix SD-WAN virtual appliances with Transit Gateway Connect and link to their resources in Amazon VPCs.

Additionally, customers can traverse AWS’s backbone infrastructure to reach resources deployed in other AWS regions across the world.

AWS Transit Gateway Connect Attachment

Prior to the new Transit Gateway Connect attachment, there were two ways to integrate AWS Transit Gateway with third-party network appliances like Citrix SD-WAN—via VPC attachment or VPN attachment.

The VPC attachment approach is simple to implement, but only supports static routing. Failover requires manual intervention, or you can automate it with a custom AWS Lambda function.

The VPN attachment approach allows you to interconnect Citrix SD-WAN and Transit Gateway with an IPsec VPN tunnel and leverage BGP for dynamic routing with automatic failover. But the maximum throughput is 1.25 Gbps per VPN attachment.

To scale beyond that, you need to establish multiple IPSec VPN tunnels and use BGP ECMP (equal-cost multipath) to distribute the network traffic across the different tunnels, as depicted in Figure 2 below.

The provisioning workflow requires multiple touchpoints and can be complex to implement and operate, especially for customers who are not networking savvy.


Figure 2 – Previous integration model with AWS Transit Gateway.

With the new Transit Gateway Connect attachment, you can establish a Connect peer (GRE tunnel) between the Citrix SD-WAN appliance and AWS Transit Gateway. Each GRE tunnel supports a maximum bandwidth of 5 Gbps.

To achieve higher throughput, you can add more GRE tunnels and scale up to 20 Gbps per Connect attachment (maximum 4 GRE tunnels per Connect attachment at launch). If 20 Gbps of aggregated bandwidth is still not sufficient, you can scale horizontally by creating more Connect attachments.

Besides removing the complexity of multiple IPSec tunnels, the Transit Gateway Connect attachment also provides a more native way for third-party appliances to automate the integration.

Since it has a programmatic interface, setting up a GRE tunnel or BGP peering can be done by invoking a REST API or using an AWS Software Development Kit (SDK). Citrix SD-WAN Orchestrator built an integrated workflow leveraging this API capability, so you can provision the entire setup through a single user interface without switching between consoles.


Figure 3 – New integration model with AWS Transit Gateway.

Citrix SD-WAN Orchestrator Workflow

To use SD-WAN Orchestrator for AWS Transit Gateway integration provisioning, you first need to provide the AWS credentials (AWS Subscription ID, Secret Access Key, Access Key ID) for Orchestrator to perform operations in your AWS account. Here’s how to create secret keys.

The Citrix SD-WAN VPX should be deployed in a VPC dedicated for networking services like SD-WAN, VPN, or Firewall. Some customers name it Edge VPC, Outbound VPC, or Transit VPC. Regardless of the names, it’s usually managed by the central IT to provide enterprise-wide network security functions across your entire AWS footprint.

Your existing AWS environment most likely has a Transit Gateway deployed already. If not, you can create a new Transit Gateway from the AWS Management Console. Once you have identified the Transit Gateway and Edge VPC, you can use Citrix SD-WAN Orchestrator to complete the rest of the deployment without switching between different consoles.

Orchestrator can create the Transit Gateway Connect attachment on the Transit Gateway, configure a /24 or larger IPv4 CIDR block from which the Transit Gateway side of each GRE tunnel’s peer IP is taken, bring up the GRE tunnel, and establish BGP routing between Citrix SD-WAN VPX and Transit Gateway.

The entire workflow is streamlined by Orchestrator into end-to-end automation that eliminates multiple touchpoints and manual processes.
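As an added example (not Citrix or AWS code), the following Python shows the capacity arithmetic the post describes (5 Gbps per GRE tunnel, four tunnels per Connect attachment) and the request parameters an automation tool such as Orchestrator would pass to the EC2 CreateTransitGatewayConnect and CreateTransitGatewayConnectPeer API actions, validated before any call is made. The attachment IDs, addresses and ASN are constructed placeholders; the /29 link-local inside-CIDR rule is the EC2 API’s documented requirement rather than something the post states.

```python
import ipaddress
import math

# Limits stated in the post: 5 Gbps per GRE tunnel and up to four tunnels
# (20 Gbps) per Connect attachment; beyond that, add Connect attachments.
GBPS_PER_TUNNEL = 5
TUNNELS_PER_ATTACHMENT = 4
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def plan_connect_capacity(required_gbps):
    """Return (connect_attachments, gre_tunnels) needed for required_gbps."""
    if required_gbps <= 0:
        raise ValueError("required bandwidth must be positive")
    tunnels = math.ceil(required_gbps / GBPS_PER_TUNNEL)
    attachments = math.ceil(tunnels / TUNNELS_PER_ATTACHMENT)
    return attachments, tunnels


def validation_errors(tgw_cidr, tgw_address, inside_cidr):
    """Check peer addressing before calling AWS; returns a list of problems."""
    problems = []
    tgw_net = ipaddress.ip_network(tgw_cidr)
    if tgw_net.prefixlen > 24:                      # post: "/24 or larger"
        problems.append("Transit Gateway CIDR block must be /24 or larger")
    if ipaddress.ip_address(tgw_address) not in tgw_net:
        problems.append("GRE tunnel address must come from the Transit Gateway CIDR")
    inside = ipaddress.ip_network(inside_cidr)
    # BGP session addresses: the EC2 API requires a /29 inside 169.254.0.0/16
    # (AWS requirement, not mentioned in the post).
    if inside.prefixlen != 29 or not inside.subnet_of(LINK_LOCAL):
        problems.append("inside CIDR must be a /29 within 169.254.0.0/16")
    return problems


def connect_attachment_request(transport_attachment_id):
    """Parameters for EC2 CreateTransitGatewayConnect over a VPC attachment."""
    return {"TransportTransitGatewayAttachmentId": transport_attachment_id,
            "Options": {"Protocol": "gre"}}     # GRE is the only transport


def connect_peer_request(connect_attachment_id, tgw_cidr, tgw_address,
                         peer_address, inside_cidr, peer_asn):
    """Parameters for EC2 CreateTransitGatewayConnectPeer (one GRE tunnel).
    peer_address is the SD-WAN VPX LAN IP, as in the Orchestrator workflow."""
    problems = validation_errors(tgw_cidr, tgw_address, inside_cidr)
    if problems:
        raise ValueError("; ".join(problems))
    return {"TransitGatewayAttachmentId": connect_attachment_id,
            "TransitGatewayAddress": tgw_address, "PeerAddress": peer_address,
            "BgpOptions": {"PeerAsn": peer_asn}, "InsideCidrBlocks": [inside_cidr]}
```

The returned dictionaries are what you would unpack into the corresponding `boto3` EC2 client calls; the validation catches an undersized Transit Gateway CIDR or a tunnel address outside it before the API rejects the request.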

First of all, Citrix SD-WAN Orchestrator needs to be authenticated in order to interact with AWS infrastructure. Enter the AWS Subscription ID, AWS Secret Access Key, and AWS Access Key ID as shown in the screenshot below.


Figure 4 – Establish trust between Citrix SD-WAN Orchestrator and AWS.

In the next step, we’re going to deploy a VPC attachment to create a Connect attachment between the Citrix SD-WAN virtual appliance on AWS (US West, in this case) and the AWS Transit Gateway, which has been preconfigured and is identified with the ID tgw-017379fd84219f3ed.


Figure 5 – Deploy VPC attachment from SD-WAN Orchestrator.

Once the VPC attachment is deployed, we’re going to connect the Citrix SD-WAN virtual appliance in an AWS region (US West, again) with Transit Gateway by picking the IP address from the Transit Gateway CIDR block and the peer address (SD-WAN VPX’s LAN IP).


Figure 6 – Attaching Citrix SD-WAN virtual appliance to AWS Transit Gateway.

Before finalizing the configuration, you can look at the summary page to decide if you want to go ahead with the configuration process.

Once you click on Save Config, you can proceed to pushing this configuration to the Citrix SD-WAN network in order for the GRE tunnels to be established between the Citrix SD-WAN virtual appliance and AWS Transit Gateway.


Figure 7 – Summary of configuration.


With Citrix SD-WAN support for the new AWS Transit Gateway Connect, you can create a next-generation WAN that provides the foundation of building a successful hybrid cloud.

This solution allows your organization to consolidate the edge connectivity to AWS, scale quickly to provide higher bandwidth as workloads and VPCs grow in AWS, automate configuration tasks to eliminate manual intervention, and streamline operations end-to-end with Citrix SD-WAN Orchestrator.



Citrix – AWS Partner Spotlight

Citrix is an AWS Advanced Technology Partner that transforms how businesses and IT work. As an extension of their ongoing collaboration with Amazon, Citrix delivers networking and desktop virtualization solutions on AWS.
