Networking & Content Delivery
Designing for global scale: XM Cyber’s 22-Region AWS Cloud WAN implementation
Note: This post is published in collaboration with Liav Arnon, DevSecOps Engineer at XM Cyber | on Sep 17th, 2025 in Networking & Content Delivery, Advanced (300)
XM Cyber is a leader in Exposure Management, helping enterprises identify and remediate attack vectors before they can be exploited. Providing context-driven exposure insights across the entire attack surface, such as multicloud environments and on-premises infrastructure, allows organizations to get clear insights into what to fix first to reduce risk. Operating globally, XM Cyber’s platform needs secure, reliable connectivity across multiple Amazon Web Services (AWS) Regions to deliver real-time security insights to their customers.
AWS Cloud WAN is a managed wide area networking service that allows you to build, manage, and monitor a unified global network that connects resources across your cloud and on-premises environments. When managing enterprise networks across multiple AWS Regions, organizations need secure, reliable connectivity that scales with their business. The service streamlines your network management, automates network security, and allows you to scale your network across AWS Regions. In this post, we demonstrate how XM Cyber solved these challenges by implementing AWS Cloud WAN to manage their global network spanning 22 AWS Regions with 470 attachments. Their journey from traditional networking to a fully automated cloud-native network architecture provides insights and best practices for similar enterprise-scale deployments.
In this post, we demonstrate:
- XM Cyber’s global network architecture design
- Their approach to network segmentation and security
- How they automated network deployments across AWS Regions
- Their achievements in cost and performance optimization
Prerequisites
Before proceeding, you should be familiar with the following concepts:
- AWS Cloud WAN: A managed wide-area networking (WAN) service that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments. Its building blocks are the core network, segment, and attachment, described in the following.
- Global network: A single, private network that acts as the high-level container for your network objects. A global network can contain both AWS Transit Gateways and other AWS Cloud WAN core networks.
- Core network: The part of your global network managed by AWS. This includes Regional connection points and attachments, such as VPNs, VPCs, and Transit Gateway Connects. Your core network operates in the Regions that are defined in your core network policy document.
- Attachments: Attachments are any connections or resources that you want to add to your core network. Supported attachments include VPCs, VPNs, Transit Gateway route table attachments, and Connect attachments.
- AWS Transit Gateway – AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once.
The challenge
Before implementing AWS Cloud WAN, XM Cyber relied on a combination of traditional AWS networking services and third-party solutions:
- VPC Peering: Manual mesh peering between VPCs across AWS Regions, needing individual peering connections for each VPC pair.
- Internet-based connectivity: Intra-Region and cross-Region communication routed through the public internet.
- Third-party network monitoring tools: External solutions for network visibility and performance monitoring.
- Manual routing and security group management: Static routes and manual security group policy configurations were maintained across multiple AWS accounts and Regions.
This approach needed extensive manual configuration, and monitoring was fragmented across multiple tools, making troubleshooting complex and time-consuming.
“Our previous networking approach using internet-based connectivity and traditional VPC peering exposed us to unnecessary security risks,” says Liav Arnon, DevSecOps at XM Cyber. “We needed a solution that could provide both the enhanced security and automation capabilities needed for our global operations.”
The team faced several challenges:
- Managing connections across 22 AWS Regions created significant operational overhead. The team spent considerable time maintaining and updating network configurations, which impacted their ability to focus on core business initiatives.
- Security and compliance requirements became increasingly complex. Implementing consistent security policies while maintaining compliance across AWS Regions proved challenging with their existing tools and processes.
- Network scalability hit limitations as manual configuration and maintenance of routing tables became unsustainable. Each new AWS Region or service needed careful coordination to avoid disrupting existing connections.
- Cross-account communication requirements grew more complex. As their AWS footprint expanded, establishing secure communication between multiple AWS accounts necessitated increasingly complex peering arrangements, leading to potential configuration errors and security risks.
AWS Cloud WAN offered XM Cyber the opportunity to build a more scalable and automated network architecture that could address these challenges while providing a foundation for future growth.
Solution architecture
Before settling on AWS Cloud WAN, XM Cyber evaluated several networking approaches to address their global connectivity requirements.
Transit Gateway approach
Initially, the team attempted to scale their network using Transit Gateways with inter-Region peering. Although Transit Gateways provided better connectivity than VPC peering, managing routing across 22 AWS Regions quickly became overwhelming. “We found ourselves spending countless hours manually configuring and maintaining routing tables across multiple Transit Gateways and VPCs,” explains Liav. “Every time we added a new VPC or needed to modify routing policies, it needed manual updates across multiple AWS Regions, which was both time-consuming and error-prone.”
The Transit Gateway approach also lacked the centralized policy management that XM Cyber needed for their complex segmentation requirements. Managing consistent security policies across multiple Regional Transit Gateways proved challenging and increased the risk of configuration drift.
XM Cyber implemented AWS Cloud WAN to create a unified global network that connects their resources across multiple AWS accounts and Regions. In the following sections we examine the key components of their solution, as shown in the following figure.
Figure 1: The network segmentation strategy
The architecture includes the following key components:
Core network design
- Deployment across 22 AWS Regions including:
- European Union (EU) Regions such as Ireland, Frankfurt, and Paris
- United States (US) Regions such as N. Virginia, Ohio, and Oregon
- Asia Pacific (AP) Regions such as Tokyo, Singapore, and Sydney
- Middle East (ME) Regions such as Bahrain and UAE
- Canada (CA) Region in Montreal
- Israel (IL) Region in Tel Aviv to support their global operation.
- 450 VPC attachments connecting various resources and workloads from several AWS accounts.
- Seven distinct network segments to maintain proper isolation and control.
- Transit Gateway integration for AWS Region support, allowing connectivity in unsupported AWS Regions, such as São Paulo, through Transit Gateway attachments to the core network.
Network segmentation
XM Cyber’s AWS Cloud WAN implementation uses a seven-segment architecture with all inter-segment communication flowing through the centralized core network for consistent policy enforcement.
- Development segments (Dev Tenant, Dev Services): These are isolated environments for feature development and testing. Dev Tenant provides complete VPC isolation, while Dev Services hosts common development resources such as multi-tenant services, monitoring tools, and testing tools.
- Pre-production segments (Pre-Prod Tenant, Pre-Prod Services): These segments mirror production environments for final validation. Pre-Prod Tenant replicates production isolation for realistic testing, while Pre-Prod Services hosts the staging versions of shared infrastructure.
- Production segments (Prod Tenant, Prod Services): The production segments handle customer-facing workloads with strict security controls. Prod Tenant makes sure of complete customer isolation, while Prod Services manages production shared infrastructure with optimized routing for minimal latency.
- Shared Services segment: This hosts common infrastructure components accessible across segments such as DNS servers, monitoring tools, and security services, enabling centralized management and cost optimization.
Core network policy
The core network policy enforces all routing and security policies centrally, eliminating complex mesh connectivity while providing granular control over inter-segment communication, as shown in the following figure.
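As an added example that is not XM Cyber's or AWS's code, the following Python builds a core network policy document for the seven-segment design described above and adds two helpers a reviewer wants when checking such a policy: which segments exchange routes, and which segment a new attachment would land in. It also serves the segment-based routing policies of the initial deployment and the segment-isolation audit in the best practices. The ASN range, the edge-location subset, and the "cloudwan-segment" tag key are assumed placeholders, and the attachment-policy evaluator is a simplified model that supports only the condition types it names.

```python
"""Added example, not XM Cyber's or AWS's code: a Cloud WAN core network policy
for the seven-segment design, with helpers that report route reachability
between segments and the segment an attachment is placed in. The ASN range,
edge locations and the "cloudwan-segment" tag key are assumed placeholders."""
import json

SEGMENTS = ["dev-tenant", "dev-services", "preprod-tenant", "preprod-services",
            "prod-tenant", "prod-services", "shared-services"]

CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-65534"],                      # assumed
        "edge-locations": [{"location": "eu-west-1"},       # assumed subset
                           {"location": "us-east-1"}],
    },
    # Tenant segments isolate their attachments so customer VPCs never see each
    # other; production segments require explicit attachment acceptance.
    "segments": [{"name": n,
                  "require-attachment-acceptance": n.startswith("prod"),
                  "isolate-attachments": n.endswith("tenant")} for n in SEGMENTS],
    # Routes cross segment boundaries only where a share action says so.
    "segment-actions": [
        {"action": "share", "mode": "attachment-route",
         "segment": "dev-tenant", "share-with": ["dev-services"]},
        {"action": "share", "mode": "attachment-route",
         "segment": "preprod-tenant", "share-with": ["preprod-services"]},
        {"action": "share", "mode": "attachment-route",
         "segment": "prod-tenant", "share-with": ["prod-services"]},
        {"action": "share", "mode": "attachment-route",
         "segment": "shared-services", "share-with": "*"},
    ],
    # Attachments are placed by the assumed "cloudwan-segment" tag; anything
    # untagged falls through to dev-tenant, never to a production segment.
    "attachment-policies": [
        {"rule-number": 100, "condition-logic": "or",
         "conditions": [{"type": "tag-exists", "key": "cloudwan-segment"}],
         "action": {"association-method": "tag",
                    "tag-value-of-key": "cloudwan-segment"}},
        {"rule-number": 200, "condition-logic": "or",
         "conditions": [{"type": "any"}],
         "action": {"association-method": "constant", "segment": "dev-tenant"}},
    ],
}

def reachable_segments(policy):
    """Map each segment to the segments it exchanges routes with. A share is
    bidirectional but not transitive: reaching shared-services does not let
    one tenant segment reach another through it."""
    names = [s["name"] for s in policy["segments"]]
    reach = {n: {n} for n in names}
    for act in policy.get("segment-actions", []):
        if act.get("action") != "share":
            continue
        src = act["segment"]
        targets = names if act["share-with"] == "*" else act["share-with"]
        for dst in targets:
            if dst != src:
                reach[src].add(dst)
                reach[dst].add(src)
    return reach

def isolation_violations(policy, suffix="tenant"):
    """Pairs of tenant segments that can exchange routes; should be empty."""
    reach = reachable_segments(policy)
    tenants = sorted(n for n in reach if n.endswith(suffix))
    return [(a, b) for a in tenants for b in tenants if a < b and b in reach[a]]

def _condition_holds(cond, tags, account_id):
    kind = cond["type"]
    if kind == "any":
        return True
    if kind == "tag-exists":
        return cond["key"] in tags
    if kind == "tag-value":                      # "equals" operator only
        return tags.get(cond["key"]) == cond["value"]
    if kind == "account-id":
        return account_id == cond["value"]
    return False                                 # unknown type: fail closed

def segment_for_attachment(policy, tags, account_id=None):
    """Evaluate attachment-policies in rule-number order; first match wins.
    Returns the segment name, or None when the matched rule names no known
    segment (treated here as no association)."""
    names = {s["name"] for s in policy["segments"]}
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        combine = all if rule.get("condition-logic") == "and" else any
        if rule["conditions"] and combine(_condition_holds(c, tags, account_id)
                                          for c in rule["conditions"]):
            act = rule["action"]
            seg = (act["segment"] if act["association-method"] == "constant"
                   else tags.get(act["tag-value-of-key"]))
            return seg if seg in names else None
    return None

if __name__ == "__main__":
    print(json.dumps(CORE_NETWORK_POLICY, indent=2))
    print("tenant isolation violations:", isolation_violations(CORE_NETWORK_POLICY))
```

Running the script prints the policy JSON and an empty violation list; the reachability helper is the check to rerun whenever a share action is added, because a single `"share-with": "*"` on the wrong segment would silently join every tenant.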
Implementation steps
XM Cyber followed a phased approach to implement their AWS Cloud WAN solution:
Step 1: Planning phase
- Network segment design: They analyzed existing workloads and compliance requirements to define seven distinct segments, making sure of proper isolation between environments while enabling necessary cross-segment communication for shared services.
- IP Classless Inter-Domain Routing (CIDR) management: XM Cyber conducted a comprehensive audit of existing VPCs to identify and resolve overlapping CIDR blocks, implementing a standardized IP addressing scheme that would scale across all 22 Regions without conflicts. To streamline this process and keep IP CIDR management efficient, XM Cyber developed an open source tool called Unique CIDR Manager that automates IP CIDR allocation and prevents overlapping address spaces across multi-Region deployments.
- Cost analysis: XM Cyber performed detailed traffic flow analysis comparing inter-Region and internet traffic costs when using constructs such as NAT gateways and internet gateways as opposed to AWS Cloud WAN.
- Routing requirements documentation: XM Cyber mapped all existing connectivity patterns and defined new routing policies for each segment, including security requirements and traffic flow priorities.
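The CIDR audit and allocation step above is the kind of check that is worth scripting. The following Python is an added example, not XM Cyber's Unique CIDR Manager: it finds overlapping VPC CIDRs in a constructed inventory and carves the next non-overlapping block per new Region out of an assumed organisation-wide supernet, using only the standard library.

```python
"""Added example (not XM Cyber's Unique CIDR Manager): detect overlapping VPC
CIDRs across Regions and reserve non-overlapping blocks for new Regions."""
from ipaddress import ip_network

# Constructed inventory of (region, vpc id placeholder, CIDR); one pair overlaps.
EXISTING_VPCS = [
    ("eu-west-1", "vpc-aaaa1111", "10.0.0.0/16"),
    ("us-east-1", "vpc-bbbb2222", "10.1.0.0/16"),
    ("ap-northeast-1", "vpc-cccc3333", "10.1.128.0/17"),   # inside 10.1.0.0/16
    ("il-central-1", "vpc-dddd4444", "10.2.0.0/16"),
]

def find_overlaps(vpcs):
    """Return sorted pairs of VPC ids whose CIDR blocks overlap."""
    nets = [(vpc_id, ip_network(cidr)) for _, vpc_id, cidr in vpcs]
    pairs = []
    for i, (id_a, net_a) in enumerate(nets):
        for id_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                pairs.append(tuple(sorted((id_a, id_b))))
    return sorted(pairs)

def next_free_block(vpcs, supernet="10.0.0.0/8", prefixlen=16):
    """First /prefixlen subnet of the supernet that overlaps no existing CIDR."""
    used = [ip_network(cidr) for _, _, cidr in vpcs]
    for candidate in ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None

def allocate_for_regions(vpcs, regions, supernet="10.0.0.0/8", prefixlen=16):
    """Reserve one non-overlapping /prefixlen per new Region, in order, so a
    planned block is never handed out twice."""
    inventory = list(vpcs)
    plan = {}
    for region in regions:
        block = next_free_block(inventory, supernet, prefixlen)
        if block is None:
            raise RuntimeError("supernet exhausted")
        plan[region] = block
        inventory.append((region, "planned", block))
    return plan

if __name__ == "__main__":
    print("overlapping VPCs:", find_overlaps(EXISTING_VPCS))
    print("plan:", allocate_for_regions(EXISTING_VPCS, ["ca-central-1", "me-south-1"]))
```

Run the overlap check against the real inventory before any attachment is created: Cloud WAN propagates routes across Regions, so two VPCs with overlapping CIDRs that never met under VPC peering will collide as soon as both land in segments that share routes.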
Step 2: Initial deployment
- Core network creation: Deployed AWS Cloud WAN core network using AWS CloudFormation templates with version control, enabling consistent deployment across AWS Regions and streamlined rollback capabilities, if needed.
- Network policies configuration: Implemented segment-based routing policies using the AWS Cloud WAN policy framework, defining which segments can communicate and under what conditions.
- Infrastructure adjustments: Modified existing VPC security groups and routing tables to work with the AWS Cloud WAN centralized routing model, making sure of compatibility without service disruption.
- Initial attachments setup: Connected pilot VPCs in primary AWS Regions first to validate connectivity and performance before full-scale migration.
- Testing and benchmarking: Conducted comprehensive latency and throughput testing between AWS Regions to establish performance baselines and validate that the new architecture met SLA requirements.
- Security validation: Verified that all security controls, including network segmentation and access policies, functioned correctly in the new architecture.
Step 3: Global expansion
- Rollout strategy implementation: XM Cyber executed a segment-by-segment deployment starting with non-critical segments such as dev, allowing lessons learned to be applied to production segments and thereby minimizing risk to customer-facing services.
- Global attachment process: They systematically connected all 470 attachments across 22 AWS Regions using automated scripts with built-in validation checks to make sure that each attachment was properly configured before proceeding to the next.
- Infrastructure-as-Code integration: They developed Pulumi modules for automated AWS Cloud WAN attachment deployment, reducing deployment time and eliminating configuration drift.
- Route propagation configuration: They used the AWS Cloud WAN automated route advertisement and route sharing capabilities across segments, replacing manual route table management with dynamic routing that adapts to network changes automatically.
- Monitoring implementation: They deployed Amazon CloudWatch metrics, custom dashboards, and alerting for network health monitoring. This provided real-time visibility into network performance and automatic notification of issues.
- Performance validation: XM Cyber conducted end-to-end testing of customer workflows across the new network architecture, measuring improvements in latency and reliability compared to the previous architecture.
- Documentation and knowledge transfer: They created comprehensive runbooks, architectural diagrams, and operational procedures to make sure that the team could effectively manage and troubleshoot the new network infrastructure.
Migration project
XM Cyber had existing VPCs and workloads running across their 22 AWS Regions that needed to be connected to the new AWS Cloud WAN architecture.
The migration process was significantly streamlined as compared to their previous networking changes. Instead of complex routing table modifications and peering relationship management, the team only needed to do the following:
- Attach existing VPCs to the AWS Cloud WAN core network at the relevant segment.
- Add a single route table entry pointing to the AWS Cloud WAN attachment.
- Make necessary backend application configuration changes to use the new network paths.
“The migration to AWS Cloud WAN was remarkably clear,” says Liav. “What used to need days of careful routing table coordination across AWS Regions was reduced to VPC attachments and a single route entry. The centralized policy management meant that we could define our segmentation rules once and have them automatically applied across all AWS Regions.”
This streamlined migration approach minimized downtime and reduced the risk of connectivity issues during the transition.
Results and benefits
- Global expansion: AWS Cloud WAN transformed XM Cyber’s global network infrastructure into a scalable, secure, and automated platform, addressing critical enterprise networking challenges while providing a foundation for continued global expansion. The implementation significantly streamlined network management across 22 AWS Regions, enhanced security and compliance through consistent policy enforcement, achieved operational excellence by reducing network configuration time by 50%, and eliminated manual routing table management.
- Operational efficiency: From an operational perspective, the solution dramatically improved efficiency by reducing network configuration time and eliminated human error situations. The automated route propagation across AWS Regions, combined with centralized network management, streamlined their operational workflows and reduced administrative overhead.
- Enhanced security: Security enhancements were substantial, with the implementation enabling consistent policy enforcement across all AWS Regions. Using private IPs allowed XM Cyber to remove the need for internet exposure, while gaining improved network visibility. The new architecture also streamlined compliance management across their global infrastructure.
- Cost optimization: The solution delivered notable cost benefits. Optimizing data transfer paths and eliminating unnecessary internet egress charges allowed XM Cyber to achieve significant cost savings. The reduced operational overhead further contributed to the overall cost optimization of their network infrastructure.
Best practices
Through this implementation, XM Cyber identified several key best practices across planning, implementation, and operations phases.
Planning and design phase
Start with a clear segmentation strategy that aligns with your security and compliance requirements. Document routing requirements early in the process, such as traffic patterns and bandwidth needs. Incorporate plans for future scaling into the initial design, and conduct thorough IP CIDR planning to avoid overlapping address spaces across AWS Regions.
Implementation phase
Use infrastructure as code (IaC) for all network policies and attachments to make sure of consistency and repeatability across AWS Regions. Implement proper testing procedures with pilot deployments in non-critical AWS Regions first. Maintain backup connectivity during migration to make sure of business continuity, and establish rollback procedures for each phase of the deployment.
Operations phase
Implement consistent monitoring of network metrics including latency, packet loss, and throughput across all segments. Set up automated testing procedures to validate connectivity and performance on a regular basis. Maintain updated documentation including network diagrams, routing policies, and troubleshooting guides. Establish clear change management processes for network modifications, and implement proper alerting thresholds to proactively identify issues.
Security and compliance audit phase
Regularly audit segment isolation to make sure of proper traffic flow restrictions. Implement network access logging and review policies periodically. Use least-privilege principles when defining inter-segment communication rules, and maintain compliance documentation for audit purposes.
These practices helped XM Cyber make sure of the ongoing reliability, security, and efficiency of their AWS Cloud WAN deployment while reducing operational overhead.
Conclusion
XM Cyber’s journey from traditional networking to AWS Cloud WAN demonstrates how modern cloud networking solutions solve enterprise-scale challenges, providing a blueprint for organizations managing multi-Region workloads to build robust, secure, and scalable global networks. “AWS Cloud WAN has transformed how we manage our global network infrastructure. We now have the scalability and security we need to support our growing customer base, while significantly reducing operational overhead,” says Liav. Looking ahead, XM Cyber plans to use this foundation to expand into new AWS Regions and continue enhancing their security platform’s capabilities, showcasing how AWS Cloud WAN enables organizations to focus on innovation rather than network management.
To learn more about implementing AWS Cloud WAN, refer to the AWS Cloud WAN documentation and AWS Cloud WAN Workshop.