Networking & Content Delivery

Build Global SD-WANs with AWS Cloud WAN Tunnel-less Connect

In July 2022, we announced the general availability of AWS Cloud WAN. With that, we launched the AWS Transit Gateway Connect feature, which provides a native way to extend your SD-WAN (software-defined wide area network) infrastructure into AWS using Generic Routing Encapsulation (GRE) tunnels. Today, we are announcing Tunnel-less Connect for Cloud WAN. This new capability provides you with a simpler and higher-performance way to build global SD-WANs using the AWS Global Network as a middle-mile transport network. With this capability, third-party SD-WAN appliances can natively peer with Cloud WAN using Border Gateway Protocol (BGP) without specialized tunneling protocols like GRE. Native BGP support between third-party appliances in an Amazon Virtual Private Cloud (VPC) and Cloud WAN, without the use of tunnels, makes it easier to extend your SD-WAN into the AWS cloud and to use the AWS Global Network for branch-to-branch and branch-to-cloud connectivity.

Benefits of AWS Cloud WAN Tunnel-less Connect

  • Cloud Enabled SD-WAN: SD-WAN technology simplifies branch connectivity between on-premises data centers and the AWS cloud. SD-WAN hub appliances deployed in AWS extend your branch networks. Currently, these appliances integrate with Cloud WAN by using IPsec VPN or GRE tunnels. Now, with Tunnel-less Connect, you can natively integrate your SD-WAN infrastructure into the AWS cloud without the use of IPsec or GRE tunnels, achieving lower overhead and higher throughput.
  • AWS Global Network as a middle-mile for inter-office connectivity: SD-WAN typically uses the internet as a transport network to interconnect branch offices, on-premises data centers, and AWS cloud. Enterprises have SD-WAN enabled branch offices and data centers dispersed in multiple geographies, as well as AWS resources in multiple AWS Regions that must be interconnected with each other. With this new feature, you can now have a simpler and high-bandwidth integration between your SD-WAN and Cloud WAN, and use AWS Global network as a fast, secure, and private middle-mile network for inter-office connectivity (see following figure).
Figure 1: Cloud WAN Tunnel-less Connect Middle Mile

  • Improved Throughput Performance: Tunneling protocols like GRE and IPsec not only reduce the effective bandwidth but also introduce additional packet overhead. Tunnel-less Connect provides higher throughput and no packet overhead. Higher effective throughput can reduce the size and number of Amazon Elastic Compute Cloud (Amazon EC2) instances used to run third-party SD-WAN appliances. Tunnel-less Connect integration provides the full VPC attachment bandwidth (up to 100 Gbps per AZ) for customer traffic, compared to IPsec VPNs and GRE-based Connect.

Overview and key terminology

The following are the principal components of Tunnel-less Connect (see the following figure for reference). Refer to the Global and core network key concepts section in our Cloud WAN documentation for more details.

  • Global network: A single, private network that acts as the high-level container for your network objects. A global network can contain both AWS Transit Gateways and other Cloud WAN core networks.
  • Cloud WAN Core Network: The part of your global network that is managed by AWS. The core network acts as the routing and connectivity backbone for your global network and spans all the AWS Regions where you have SD-WANs connected to the AWS cloud.
  • Core Network Edge (CNE): The Core network edge (CNE) acts as a Regional connection point for Cloud WAN. The CNEs can have single or multiple network segments that act as isolated routing domains and support network isolation and multi-tenancy.
  • Transport VPC: This is a VPC where one or more third-party SD-WAN virtual appliances are deployed. Transport VPCs are connected as spokes to the Cloud WAN core network using tunnel-less connect attachments.
  • Connect Attachment (Tunnel-less): SD-WAN appliances peer with the Core Network using a Connect attachment that functions in a tunnel-less manner and uses native BGP to dynamically exchange routing and reachability information between SD-WAN appliances in the VPC and the CNE.
  • VPC Attachment: The VPC attachment acts as a transport attachment and carries data-plane traffic between SD-WAN appliances and the CNE.

Getting started with Cloud WAN Tunnel-less connect

In this example, we review the process using the AWS Management Console and the AWS Command Line Interface (AWS CLI). The overall architecture used in the walkthrough is shown in the following diagram (figure 2).

Figure 2: Cloud WAN Tunnel-less Connect – High Level Architecture – Virtual Appliance

Before getting started, make sure the following prerequisites are in place.

Prerequisites

  • Create a Cloud WAN Core network and configure the core network policy by following the steps in our documentation that cover these items:
    • Regions: AWS Regions in which you want to operate your global network
    • Autonomous system number (ASN) Range: Autonomous system number range for your CNEs. We have selected this as 64512-65534.
    • Inside CIDR Block: The Cloud WAN IPv4 address for BGP peering is chosen from this CIDR range, 192.168.0.0/16 in our example. We’ve also selected a CNE Inside CIDR Block of 192.168.0.0/24 (see following figure). Please note that a BGP peer IP will be chosen at random from this CNE Inside CIDR block.
Figure 3: Inside CIDR Block for Core Network Policy

    • Segment: Name of the SD-WAN segment for all the SD-WAN appliances and any segment or routing actions.
    • Attachment policy: Use tags or resource names to associate the Tunnel-less Connect attachment with the SD-WAN segment.
  • Launch third-party SD-WAN appliances in the Transport VPC.
  • Create a VPC attachment into the desired subnets/AZs of the Transport VPC.

Now that we have these prerequisites in place, we can get started with creating a tunnel-less connect attachment. To get started with Cloud WAN tunnel-less connect:

  • Open the Console and navigate to Network Manager.
  • Create an attachment for your Core Network and choose the protocol as tunnel-less (No-Encapsulation), as shown in the following screenshot (figure 4).
Figure 4: Create Cloud WAN Tunnel-less Connect Attachment

You can also use the AWS CLI command to create this attachment, as shown in the following:

$ aws networkmanager create-connect-attachment --core-network-id core-network-0123 --edge-location us-west-1 --transport-attachment-id attachment-vpc-123 --options Protocol=NO_ENCAP --tags Key=segment,Value=backbone

  • Once the connect attachment is in the available state, set up BGP peering by creating a connect peer (see the following figures). We are using Exterior Border Gateway Protocol (eBGP) and recommend using a different ASN on your SD-WAN appliance from the ASN configured on the CNE.
Figure 5: Create a Tunnel-less Connect peer

Figure 6: Configure a Tunnel-less Connect peer

The same step can be performed through the AWS CLI as shown in the following:

$ aws networkmanager create-connect-peer --connect-attachment-id "attachment-connect123" --peer-address "10.1.0.1" --subnet-arn "arn:aws:ec2:us-east-2:111122223333:subnet/Subnet-ID" --bgp-options PeerAsn=65413

  • Please note that subnet-arn is a mandatory parameter for tunnel-less connect peers.
  • The subnet-arn must be the same as your deployed SD-WAN appliance subnet. We also recommend placing your SD-WAN appliance in the same subnet as the Cloud WAN Transport VPC attachment for seamless integration with Tunnel-less Connect.
  • You must configure your Transport VPC route table, which is associated with the subnet hosting the SD-WAN appliance, with a route toward the CNE Inside CIDR block whose next hop is Cloud WAN. This establishes network connectivity between your appliance and the CNE (see the following figure).
Figure 7: Transport VPC Route Table for CNE subnet and SD-WAN appliance in the same subnet

  • Once this is done, you must configure a BGP session on your SD-WAN appliance to the CNE by specifying the CNE Inside IP as the BGP peer IP. You can view your CNE Inside IP address using the following AWS CLI command:

$ aws networkmanager get-core-network --core-network-id core-network-xyz

  • In addition, if you choose to place your CNE Attachment ENI and SD-WAN appliance ENIs in different subnets, then you also need to add the destination prefixes advertised by the CNE (see the following figure) to the Transport VPC route table.
Figure 8: Transport VPC Route Table for CNE subnet and SD-WAN appliance in different subnets

  • Once done, verify that you can ping the BGP peer IP address of the CNE. You should now be able to bring the BGP session up and exchange routes dynamically.
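As an added pre-flight check written for this post (not an AWS tool or API), the following Python validates the items the walkthrough calls out before you try to bring the BGP session up: the connect peer subnet matches the appliance subnet, the peer address lies in that subnet, the peer ASN differs from the CNE ASN, the appliance route table reaches the CNE Inside CIDR via Cloud WAN, and, when the appliance and attachment subnets differ, routes for the CNE-advertised prefixes exist. The core network id, peer address, peer ASN and Inside CIDR are the walkthrough's values; the CNE ASN, advertised prefix, subnet ids and the simplified input shape are constructed assumptions.

```python
import ipaddress

# Values taken from the post's walkthrough; the ids are the post's own placeholders.
CORE_NETWORK_ID = "core-network-0123"
CNE_INSIDE_CIDR = "192.168.0.0/24"   # CNE Inside CIDR block; the BGP peer IP is picked from it
# Constructed, simplified description of one deployment (not real API output).
# cne_asn, the advertised prefix and the subnet ids are assumptions for this example.
GOOD = {
    "cne_asn": 64512,                        # ASN the CNE took from the 64512-65534 range
    "peer": {"subnet": "subnet-sdwan", "address": "10.1.0.1", "asn": 65413},
    "appliance": {"subnet": "subnet-sdwan", "cidr": "10.1.0.0/24"},
    "attachment_subnet": "subnet-sdwan",     # subnet holding the Transport VPC attachment ENI
    "cne_advertised": ["10.20.0.0/16"],      # prefixes learned from the CNE
    "routes": [                              # route table associated with the appliance subnet
        {"destination": "10.1.0.0/16", "target": "local"},
        {"destination": CNE_INSIDE_CIDR, "target": CORE_NETWORK_ID},
    ],
}

def _routed_to_core(prefix, routes):
    """True if a route whose target is the core network covers the prefix."""
    net = ipaddress.ip_network(prefix)
    return any(r["target"] == CORE_NETWORK_ID
               and net.subnet_of(ipaddress.ip_network(r["destination"]))
               for r in routes)

def preflight(cfg):
    """Return the problems that would keep the BGP session to the CNE from coming up."""
    peer, app, routes = cfg["peer"], cfg["appliance"], cfg["routes"]
    findings = []
    if peer["subnet"] != app["subnet"]:
        findings.append("connect peer subnet-arn must be the SD-WAN appliance subnet")
    if ipaddress.ip_address(peer["address"]) not in ipaddress.ip_network(app["cidr"]):
        findings.append("peer-address is not inside the appliance subnet")
    if peer["asn"] == cfg["cne_asn"]:
        findings.append("peer ASN equals the CNE ASN; eBGP needs a distinct ASN")
    if not _routed_to_core(CNE_INSIDE_CIDR, routes):
        findings.append("route table lacks a route to the CNE Inside CIDR via Cloud WAN")
    if app["subnet"] != cfg["attachment_subnet"]:
        missing = [p for p in cfg["cne_advertised"] if not _routed_to_core(p, routes)]
        if missing:
            findings.append("appliance and attachment subnets differ; add routes via Cloud WAN for "
                            + ", ".join(missing))
    return findings

def split_subnet_case():
    """Same deployment, appliance in its own subnet, no extra routes added (constructed)."""
    return preflight(dict(GOOD, attachment_subnet="subnet-cwan"))
```

`preflight(GOOD)` returns an empty list, while `split_subnet_case()` reports the missing route for the advertised prefix, the situation figure 8 covers.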

Things to know

  • Refer to the Cloud WAN documentation for details around quotas. At launch:
    • You are allowed a single Tunnel-less Connect attachment per VPC.
    • You can create up to four Connect (BGP) peers on a single Tunnel-less Connect attachment.
  • You can create both GRE based Connect and Tunnel-less Connect attachment(s) on the same Transport VPC attachment.
  • Only a VPC attachment is supported as the transport attachment for Tunnel-less Connect at launch. AWS Direct Connect attachments aren’t supported at launch.
  • Your Transport VPC Attachment and Tunnel-less Connect Attachment must be associated with the same Cloud WAN segment. Tags assigned to the Connect attachment determine the segment association for both VPC and Tunnel-less Connect attachment.
  • If your SD-WAN appliance is deployed in a different subnet than the Core network attachment subnet, then you must manually add the prefixes advertised by the CNE to the Transport VPC route table as shown in the preceding figure.
  • Pricing for the Tunnel-less Connect feature is the same as for the existing Connect feature. Refer to the Cloud WAN pricing page for details.

Industry leading Partners

We started on this innovation journey collaborating with Cisco and have had the pleasure of working with leading industry partners at the launch of Cloud WAN Tunnel-less Connect. We want to highlight the great things our partners have been doing and saying:

  • Cisco Systems Inc.: Cisco Catalyst SD-WAN: Driving High Efficiency on AWS Cloud WAN using Tunnel-less connect
  • Cisco Meraki: Multi-region connectivity just got faster and easier with Meraki vMX and AWS Cloud WAN
  • Netskope: Accelerate Cloud Transformation with Netskope Borderless SD-WAN and AWS Cloud WAN
  • Arista Networks: Accelerate AWS Access with Arista
  • Aviatrix: Unlock Advanced Networking & Security Capabilities by Integrating Aviatrix with AWS Cloud WAN
  • Juniper Networks: Introducing Juniper SSR and AWS Cloud WAN Tunnel-less Connect
  • VMware: Simplify VMware SD-WAN Cloud Connectivity with Tunnel-less Connect
  • Palo Alto Networks: Seamless Branch to Cloud Connectivity: Prisma SD-WAN & AWS Cloud WAN
  • Fortinet: AWS Cloud WAN unleashed with Fortinet SD-WAN
  • Versa Networks: Versa Secure SD-WAN and AWS Cloud WAN Tunnel-Less Connect
  • Aruba (HPE): Aruba EdgeConnect Enterprise and AWS Cloud WAN simplify connectivity and segmentation from edge to cloud
  • Dispersive IO: Achieve End to End Security, Resilience and Performance with Dispersive and AWS Cloud WAN Tunnel-less Connect

Conclusion

Cloud WAN Tunnel-less Connect provides a simpler and higher-performance way to build a global SD-WAN. It helps you extend your SD-WAN infrastructure into AWS without the need for tunneling protocols, thereby simplifying network integration and significantly increasing network bandwidth. Go build your global SD-WAN network using Tunnel-less Connect.

Dhanil Parwani

Dhanil is a Senior Partner Solutions Architect at AWS. He works closely with networking partners to build solutions and capabilities that enable and simplify their migrations and operations in the cloud. He holds an MS in Telecommunications from the University of Colorado Boulder and has a passion for computer networking. Outside of work, Dhanil is an avid traveler and enjoys cheering for Liverpool FC.

Shridhar Kulkarni

Shridhar is part of the Amazon Virtual Private Cloud (VPC) team and leads Product Management for the AWS Cloud WAN service. Shridhar has a strong and diverse technology background with expertise in Cloud, SaaS, Mobile, SD-WAN, Virtualization, WAN Optimization, SDN, Data Networking (L1-L7), VoIP, Cable, FTTH, and x86 hardware platforms. Shridhar has a proven track record of launching cutting-edge high-tech products and services for Cloud, Enterprise, Service Provider and SMB customers worldwide. Shridhar has a Master’s degree in Computer Science and an MBA from the UCLA Anderson School of Management.