Networking & Content Delivery

Deploying hybrid networks using AWS Cloud WAN and AWS Direct Connect

AWS Cloud WAN is a managed wide-area networking (WAN) service for building, managing, and monitoring a unified global network, as well as connecting resources running across your cloud and on-premises environments. We work with many customers to build hybrid networks that connect their on-premises environments to Cloud WAN using AWS Direct Connect. This extends their on-premises environments into the AWS Cloud using private connectivity, bypassing the public internet altogether.

Today, connecting Direct Connect to a Cloud WAN network must be done by peering AWS Transit Gateways and AWS Direct Connect gateways. In this post, we go through how to integrate Direct Connect and Cloud WAN, the most common architectural patterns, and then walk through how to deploy a Direct Connect connection to Cloud WAN.

Prerequisites

If you would like to follow along with this post, you will need:

Overview of AWS Direct Connect integration with AWS Cloud WAN

The architecture to connect Direct Connect to Cloud WAN is shown in the following diagram (figure 1). The first part of the architecture is connecting the Direct Connect connection to a transit gateway. You use a Transit Virtual Interface (Transit VIF) to connect your Direct Connect connection to the Direct Connect gateway. A Direct Connect attachment connects the Transit Gateway to the Direct Connect gateway to send and receive traffic and routes from the Direct Connect connection to the Transit Gateway.

Figure 1 – A wide area network created using Cloud WAN, spanning three Regions. One Amazon VPC is connected to the Cloud WAN Global

For Cloud WAN connectivity, you use a peering connection between the transit gateway and the Cloud WAN network. Each core network edge (CNE) object is peered with a transit gateway in the same AWS Region. There is a single peering connection between the transit gateway and Cloud WAN, whether you are connecting to one or multiple Cloud WAN segments. The peering connection lets you dynamically send and receive routes from the transit gateway. Depending on which Cloud WAN segment you want to receive the routes from, for example, the Hybrid segment, you create one or more route-table attachments from the transit gateway to Cloud WAN. We accomplish this through transit gateway policy tables. Similar to attachments to Amazon VPCs, you can tag Cloud WAN attachments so they are automatically associated with the related segment. This simplifies the deployment of new attachments. We discuss this in more detail in the next section.

Many customers use separate AWS Accounts across their deployments. The integration between Cloud WAN and transit gateway supports cross account peering connections and attachments. This gives you the flexibility to use cross account connectivity within your AWS Organization.

Architectural patterns

When working with customers, we see two common architectural patterns when connecting Direct Connect to Cloud WAN. The following section goes into these patterns and what to consider when building your hybrid network. We review patterns for multiple attachments, and then look at making connections across AWS Regions.

Multiple attachments

A Cloud WAN peering connection can send transit gateway routing tables across Cloud WAN attachments. Many times, you might have different networks or Virtual Routing Forwarding (VRF) deployments that you want to separate by isolating their data within different Cloud WAN segments. For extending on-premises VRFs to Cloud WAN, the first step is to extend VRFs to the Transit Gateway. Details can be found in the Traffic Segmentation Options in AWS Direct Connect Reference Architecture. Once your VRFs are extended to the Transit Gateway, you can use Cloud WAN’s route table association feature to map Transit Gateway’s route tables to Cloud WAN segments. This design is shown below in Figure 2.

Figure 2 – Transit gateway attachments to three different Cloud WAN segments. Tags have been used to associate each transit gateway attachment with the Development, Production, or Hybrid network segment.

The network shown in figure 2 has three network segments: Hybrid, Production, and Development. Many routes go to the Hybrid Segment, which is shared with other segments after inspection occurs. However, for the Production and Development segments, there are specific routes that are only for workloads allowed to use that segment. The transit gateway has one peering connection and three Transit Gateway route table attachments to Cloud WAN. These Segments have separate route tables in the transit gateway and tags indicate which segment they relate to.

NOTE: we do not show inspection flows and segment sharing in this diagram. If you want to learn more on these topics, the Inspecting network traffic between Amazon VPCs with AWS Cloud WAN and Centralized outbound inspection architecture in AWS Cloud WAN blog posts will be helpful.

Connecting across AWS Regions

Many AWS customers have workloads deployed in more than one AWS Region, and use Cloud WAN to interconnect the CNEs between AWS Regions. This architecture uses Direct Connect connections in multiple Direct Connect PoP locations to increase resiliency, and connects each of them to the CNE within its own Region, as shown in the following diagram, figure 3.

Figure 3 – Transit gateway attachments to three different Regions. This architecture provides resiliency from an architecture perspective.

This diagram shows a Cloud WAN network that spans three AWS Regions—US West (N. California), US East (Ohio), and US East (N. Virginia). We deployed a transit gateway in three AWS Regions to connect the local Direct Connect connection to the Cloud WAN CNE. This lets you route locally to each Direct Connect location and configure unique routes for each Direct Connect connection. Customers can use a single Direct Connect gateway to send and receive routes across the Direct Connect connections, depending on the requirements.

Integrating AWS Direct Connect with AWS Cloud WAN

Now let’s walk through how to attach Direct Connect to Cloud WAN using the AWS Management Console.

To follow along step by step, you must have a Direct Connect connection already established in your AWS account and a Cloud WAN network deployed with three segments: Production, Development, and Hybrid. Cloud WAN VPC attachments are created for the Production and Development segments.

The following diagram, figure 4, shows what we are building.

Figure 4 – A wide area network created using Cloud WAN, spanning three Regions. Two Amazon VPCs are attached in us-west-2 across different segments, and Direct Connect is used to connect on-premises locations through transit gateways to the hybrid segment using tags.

Follow these steps to connect a Direct Connect Transit VIF to Cloud WAN:

  1. Create a Direct Connect gateway
    1. Sign in to the AWS Management Console and navigate to the Direct Connect console.
    2. Select Direct Connect gateway, and then select Create Direct Connect gateway.
    3. Enter a name and an Autonomous System number (ASN) for this gateway. This ASN is for the Amazon side of the BGP session. Note that the ASN for the CNE, transit gateway, and Direct Connect gateway must be unique.

      Figure 5 – Create a Direct Connect gateway

  2. Create a Transit VIF and attach it to the Direct Connect gateway
    1. In this step, you create a Transit VIF for the Direct Connect Hosted Connection or Dedicated Connection.
    2. In the Direct Connect console, select the new Direct Connect gateway and create a virtual interface. You must use a Transit Virtual Interface (Transit VIF), as we are attaching it to a transit gateway.
    3. Name the Transit Virtual Interface and select the Direct Connect connection you created earlier from the dropdown.
    4. Next, choose the Direct Connect gateway you created in the previous step.
    5. Then, provide the VLAN and BGP ASN. (This ASN is the ASN for the on-premises router to which you connect the Transit VIF.)

      Figure 6 – Create a Transit VIF and attach it to the Direct Connect gateway

  3. Create a transit gateway to connect Direct Connect with Cloud WAN
    1. To use Direct Connect with Cloud WAN, you must first associate your Direct Connect gateway with the transit gateway.
    2. Cloud WAN requires you to interconnect your core network edge with a transit gateway in the same AWS Region.
    3. To create a transit gateway, open the Amazon Virtual Private Cloud console.
    4. In the Region selector, choose the Region that you used when you created the Cloud WAN.
    5. On the navigation pane, choose Transit Gateways.
    6. Name the Transit Gateway and enter its private ASN. This should be the ASN for the AWS side of a Border Gateway Protocol (BGP) session. If you have a multi-Region deployment, we recommend using a unique ASN for each of your Transit Gateways. You should also select an ASN that differs from the on-premises router and Direct Connect gateway.

      Figure 7 – Create a transit gateway to connect Direct Connect with Cloud WAN

  4. Associate the transit gateway with the Direct Connect gateway
    1. In the Direct Connect console, select the Transit Gateway tab, and then select Associate Direct Connect gateway.
    2. Choose the Direct Connect gateway created previously.
    3. In the Allowed Prefixes field, enter the prefixes that the Direct Connect gateway advertises to the on-premises network.

      Figure 8 – Associate the transit gateway with the Direct Connect gateway

  5. Working with Cloud WAN
    1. Return to the main Amazon VPC console, and select Network Manager.
    2. Once at the network manager console, select Global Networks (it’s in the Connectivity section), and select the Global network ID.
    3. View the Core Network Policy.

      Figure 9 – View the Core Network Policy

    4. Review the Cloud WAN Core Network Policy that is already deployed.
    5. The General Settings section shows the policy version number. Find the ASN range for the Cloud WAN.
    6. Verify the Edge locations where Cloud WAN is deployed.

      Figure 10 – Verify the Edge locations where Cloud WAN is deployed.

    7. Verify that the Segments deployed, Segment Sharing, Segment routes, and Attachment policies are correct.

      Figure 11 – Verify that the Segments deployed, Segment Sharing, Segment routes, and Attachment policies are correct.

  6. Register the Transit Gateway with Cloud WAN
    1. The transit gateway created in Step 3 must be registered in Cloud WAN to be part of the Cloud WAN global network.
    2. In Network Manager, once you have selected the Global network ID, select Transit Gateway and choose the transit gateway you want to register.

      Figure 12 – Select Transit Gateway and choose the transit gateway you want to register.

  7. Peering Cloud WAN with the Transit Gateway
    1. The Cloud WAN peering connection lets you interconnect the Transit Gateway with Cloud WAN.
    2. In Network Manager, once you have selected the Global network ID under Core network, choose Peerings.
    3. Give the peering connection a name and then select the Edge location for the connection.
    4. Select the previously created transit gateway from the Transit Gateway dropdown, and select New to associate the policy table. For information on creating a Transit Gateway policy table, see Transit Gateway policy tables in the AWS Transit Gateway Guide.

      Figure 13 – Create a Cloud WAN peering connection.

      After a few minutes, the Peering connection should be available. Do not close the window or refresh the browser during this process.

      Figure 14 – View Cloud WAN peering connection status.

  8. Adding a Transit Gateway route table attachment to Cloud WAN
    1. Once the Cloud WAN Peering connection is available, the next step is to create a Transit Gateway route table attachment to the Cloud WAN.
    2. In Network Manager, once you have selected the Global network ID, under Core network, choose Attachments.
    3. Choose Create attachment, give it a Name, and select the edge location and the attachment type, which in this case would be Transit Gateway.
    4. Select the Transit Gateway peering connection that was created in Step 7.
    5. Select the Transit Gateway route table you would like to associate with the attachment.
    6. Based on the Segment attachment policy from your core network policy, add the appropriate tag. Here, the Transit Gateway route table attachment is attached to the Hybrid Segment.

      Figure 15 – Add a Transit Gateway route table attachment to Cloud WAN.

  9. Verify end-to-end connectivity by checking the Transit Gateway route table and Cloud WAN
    1. Open the Amazon VPC console and navigate to the Transit Gateway section. Select Transit Gateway Route table and choose the Transit Gateway table mapped to the Transit Gateway Attachment.
    2. In the Routes section, view the routes learned through the Cloud WAN peering connection (10.1.0.0/16 and 10.2.0.0/16) created in Step 7, and the route learned from the Direct Connect gateway (10.100.0.0/16) from the on-premises data center.

      Figure 16 – Verify end-to-end connectivity by checking the Transit Gateway route table.

    3. Additionally, you can verify the routes learned on the Cloud WAN Hybrid Segment.
    4. The routes 10.1.0.0/16 and 10.2.0.0/16 from the Production and Development segments are shared with the Hybrid segment based on the Core network policy, and the 10.100.0.0/16 is learned from the Transit Gateway route table attachment.

      Figure 17 – Verify end-to-end connectivity by checking Cloud WAN.

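The three-segment core network policy reviewed under Working with Cloud WAN, and the segment tag applied when adding the Transit Gateway route table attachment, written out as a constructed policy document with a small evaluator that models how attachment policies pick a segment (an added example, not code from the post or from AWS). The Region names, ASN values and the `segment` tag key are assumptions, and the evaluator models only the attachment-type and tag-value condition types.

```python
# Constructed Cloud WAN core network policy (format 2021.12) for the Production,
# Development and Hybrid segments; Regions, ASNs and the tag key are assumptions.
CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64520"],
        "edge-locations": [{"location": "us-west-2", "asn": 64512},
                           {"location": "us-east-1", "asn": 64513},
                           {"location": "us-east-2", "asn": 64514}],
    },
    "segments": [
        {"name": "production", "require-attachment-acceptance": False},
        {"name": "development", "require-attachment-acceptance": False},
        # Hybrid carries on-premises routes: require acceptance so a tag alone cannot join it.
        {"name": "hybrid", "require-attachment-acceptance": True},
    ],
    # Production and Development routes are shared into Hybrid (figures 2 and 17).
    "segment-actions": [{"action": "share", "mode": "attachment-route", "segment": "hybrid",
                         "share-with": ["production", "development"]}],
    # Rules are evaluated in ascending rule-number order; the first match wins.
    "attachment-policies": [
        {"rule-number": 100, "condition-logic": "and",
         "conditions": [{"type": "attachment-type", "operator": "equals",
                         "value": "transit-gateway-route-table"},
                        {"type": "tag-value", "operator": "equals", "key": "segment", "value": "hybrid"}],
         "action": {"association-method": "constant", "segment": "hybrid"}},
        {"rule-number": 200, "condition-logic": "and",
         "conditions": [{"type": "attachment-type", "operator": "equals", "value": "vpc"},
                        {"type": "tag-value", "operator": "equals", "key": "segment", "value": "production"}],
         "action": {"association-method": "constant", "segment": "production"}},
        {"rule-number": 300, "condition-logic": "and",
         "conditions": [{"type": "attachment-type", "operator": "equals", "value": "vpc"},
                        {"type": "tag-value", "operator": "equals", "key": "segment", "value": "development"}],
         "action": {"association-method": "constant", "segment": "development"}},
    ],
}

def _condition_matches(cond, attachment):
    tags = attachment.get("tags", {})
    if cond["type"] == "attachment-type":
        return attachment["type"] == cond["value"]
    if cond["type"] == "tag-value":
        return tags.get(cond["key"]) == cond["value"]
    return False  # other condition types are not modelled here

def assign_segment(attachment, policy=CORE_NETWORK_POLICY):
    """Segment an attachment lands in under the attachment policies, or None."""
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        hits = [_condition_matches(c, attachment) for c in rule["conditions"]]
        if all(hits) if rule.get("condition-logic") == "and" else any(hits):
            return rule["action"]["segment"]
    return None

def asn_conflicts(tgw_asns, dxgw_asn, policy=CORE_NETWORK_POLICY):
    """Duplicate ASNs among the CNEs, transit gateways and Direct Connect gateway."""
    asns = [e["asn"] for e in policy["core-network-configuration"]["edge-locations"]]
    asns += list(tgw_asns) + [dxgw_asn]
    return sorted({a for a in asns if asns.count(a) > 1})
```

`asn_conflicts` applies the rule stated when creating the Direct Connect gateway and the transit gateway: the CNE, transit gateway and Direct Connect gateway ASNs must all be distinct, so run it against your planned ASNs before building the BGP sessions.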

Now you have created a network with three Regions and three network segments. You built a Direct Connect connection to your transit gateway and established a Cloud WAN peering connection with attachments that attach to the Hybrid segment. Hybrid connectivity to your data center has been established using Direct Connect and a transit gateway.

Cleanup

Follow these steps to remove the resources you deployed in this blog:

  1. Delete the Transit Gateway route table attachment.
  2. Delete the Cloud WAN peering connection between your Cloud WAN instance and the Transit Gateway.
  3. Deregister the Transit Gateway from the Cloud WAN global network.
  4. Disassociate the Transit Gateway from the Direct Connect Gateway.
  5. Delete the Transit Gateway.
  6. Delete the Direct Connect Virtual Interface.
  7. Delete the Direct Connect Gateway.

Conclusion

In this post, we discussed how to connect Direct Connect to Cloud WAN using transit gateways. We summarized how the connectivity works, the common architectural patterns, and how to deploy a hybrid network using these patterns. For more information, see the Cloud WAN documentation to start building your global hybrid WAN networks.

About the authors

Riggs Goodman III

Riggs Goodman III is the Senior Global Tech Lead for the Networking Partner Segment at Amazon Web Services (AWS). Based in Atlanta, Georgia, Riggs has over 17 years of experience designing and architecting networking solutions for both partners and customers.

Varun Mehta

Varun Mehta is a Solutions Architect at AWS. He is passionate about helping customers build Enterprise-Scale Well-Architected solutions on the AWS Cloud and specializes in the Networking domain. He has 14 years of experience in designing and building various complex networking solutions for Enterprise and DataCenter customers.