AWS Public Sector Blog
Introducing AWS Cloud WAN in AWS GovCloud (US) Regions

Amazon Web Services (AWS) announced the general availability of AWS Cloud WAN in AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions. With AWS Cloud WAN, you can use a central dashboard and network policies to create a global network that spans multiple locations and networks, removing the need to configure and manage different networks using different technologies. You can use network policies to specify which Amazon Virtual Private Clouds (VPCs), AWS Transit Gateways, and on-premises locations to connect using AWS Site-to-Site VPN, AWS Direct Connect, or third-party SD-WAN products. AWS Cloud WAN automatically creates a global network across AWS Regions using Border Gateway Protocol (BGP) so that you can exchange routes across Regions, and generates a view of the network to help you monitor network health, security, and performance.
Previously, organizations operating in AWS GovCloud (US) that needed to connect resources across GovCloud (US-West) and GovCloud (US-East) Regions, on-premises data centers, and branch offices had to configure and manage different networks individually using different technologies, resulting in operational complexity that grows with each new location, network appliance, and security requirement. With this launch, organizations processing Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR)-controlled data, and other sensitive workloads can now use the same policy-based automation and centralized management capabilities available in commercial Regions, enabling multi-Region disaster recovery architectures, hybrid connectivity, and streamlined network operations while maintaining the compliance boundaries AWS GovCloud (US) provides.
In this post, we cover the use cases for AWS Cloud WAN in AWS GovCloud (US), walk through the key capabilities now available to government organizations and regulated industries, provide guidance on getting started, and discuss important considerations for deployment.
What is AWS Cloud WAN?
AWS Cloud WAN is a managed wide-area networking (WAN) service that streamlines building and operating networks through a centralized control plane that automates network configuration across multiple Regions. Instead of manually configuring individual networking components, you define your network architecture through declarative JSON policies, and AWS Cloud WAN implements the configuration automatically. The service creates isolated routing domains called segments, similar to globally consistent virtual routing and forwarding (VRF) tables in traditional networks, that let you separate different environments or workload types at the network level.
In AWS GovCloud (US), the AWS Cloud WAN control plane home Region is AWS GovCloud (US-West) (us-gov-west-1). This means the central dashboard, network policies, and Amazon CloudWatch metrics for your core network are managed from AWS GovCloud (US-West), while Core Network Edges (CNEs) operate in both AWS GovCloud (US-West) and AWS GovCloud (US-East) as defined in your core network policy. The Network Manager API endpoint for GovCloud is networkmanager.us-gov-west-1.amazonaws.com, which is FIPS 140-3 validated as listed on the AWS FIPS 140-3 compliance page.
For detailed information about core network architecture, network segments, attachments, and routing behavior, refer to the AWS Cloud WAN documentation.
Figure 1 illustrates an example of AWS Cloud WAN implementation across two AWS GovCloud (US) Regions.
Figure 1: Example AWS Cloud WAN implementation across two AWS GovCloud (US) Regions
AWS GovCloud (US) Regions overview
AWS GovCloud (US) is an isolated AWS partition designed exclusively for US government agencies, their partners, and organizations with regulated workloads. The partition consists of two Regions, AWS GovCloud (US-West) and AWS GovCloud (US-East), that are physically and logically isolated from commercial AWS Regions, with no commingling of government and commercial data. Access is restricted to verified US citizens, with root account holders undergoing rigorous vetting to confirm their US person status. Data sovereignty is maintained: data resides within the US, in compliance with regulations such as ITAR. Additionally, AWS GovCloud (US) offers a range of AWS services with enhanced security features, such as advanced encryption and network protections, which are tailored to government needs.
This isolation supports the compliance requirements that drive organizations to AWS GovCloud (US) in the first place. The partition holds Federal Risk and Authorization Management Program (FedRAMP) High authorization, the highest baseline for nonclassified systems. It supports Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) for Impact Levels (ILs) 4 and 5, enabling DoD mission owners to process CUI and mission-critical workloads for National Security Systems. Additional compliance frameworks include ITAR, Export Administration Regulations (EAR), Criminal Justice Information Services (CJIS) Security Policy, Internal Revenue Service (IRS)-1075 for tax data protection, and Federal Information Processing Standard (FIPS) 140-3 for cryptographic standards.
Data sovereignty is a foundational design principle. Data in AWS GovCloud (US) remains physically within the United States, and administrative access is limited to vetted US persons. For organizations subject to ITAR, EAR, or other data residency requirements, this provides a compliance boundary at the infrastructure level.
With the availability of AWS Cloud WAN in this partition, organizations can now apply centralized, policy-driven network automation across both GovCloud Regions, bringing the same operational model used in commercial Regions to workloads that require this level of isolation and compliance.
Use cases in AWS GovCloud (US)
- Multi-Region disaster recovery – Connect applications across AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions with automated failover and dynamic routing, so mission-critical systems remain operational during regional disruptions.
- Hybrid connectivity – Integrate on-premises data centers with AWS GovCloud (US) environments using Direct Connect through Transit Gateway attachments, centralizing hybrid connectivity management through a single policy framework.
- SD-WAN integration – Extend your SD-WAN infrastructure into AWS GovCloud (US) using Tunnel-less Connect for higher performance and streamlined operations compared to traditional tunneled approaches.
- Network segmentation for workload isolation – Create isolated routing domains for workloads with different classification levels or compliance requirements, with the ability to confine segments to a specific Region for data residency needs.
Key capabilities
Policy-based networking with version control
AWS Cloud WAN uses centralized, declarative network configuration defined in JSON policies. You specify your desired network state, including which VPCs connect to which segments, how traffic flows between Regions, and where security inspection occurs, and AWS Cloud WAN implements the configuration automatically. Each policy change creates a new version with rollback capabilities, providing the audit trail and change management controls that frameworks such as FedRAMP and DoD SRG require. You can test a new network configuration, validate it, and if something is not right, roll back to the previous version.
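The following Python script is an added example, not code from the post or from AWS, showing the versioned rollout this section describes: submit a new policy version, read back its change set, execute it only after review, and roll back by restoring a known-good version. It uses the boto3 networkmanager client pinned to the GovCloud home Region and the FIPS endpoint named in the post. The core network ID is a placeholder, the sample change set is constructed, and the review step treats any REMOVE action as a reason to stop and ask a human before executing.

```python
import json

try:
    import boto3  # needed only for the live calls; the change-set review below is pure Python
except ImportError:  # keeps the module importable where boto3 is not installed
    boto3 = None

# Home Region and FIPS-validated endpoint for the GovCloud partition, as given in the post.
HOME_REGION = "us-gov-west-1"
NETWORK_MANAGER_ENDPOINT = "https://networkmanager.us-gov-west-1.amazonaws.com"
CORE_NETWORK_ID = "core-network-EXAMPLE"  # placeholder; substitute your own core network ID


def summarize_change_set(changes):
    """Group change records by Type/Action and list the REMOVE actions for human review.

    Each record is expected to carry Type, Action and Identifier, as returned by
    GetCoreNetworkChangeSet."""
    counts = {}
    removals = []
    for change in changes:
        key = f"{change['Type']}/{change['Action']}"
        counts[key] = counts.get(key, 0) + 1
        if change["Action"] == "REMOVE":
            removals.append(f"{change['Type']} {change['Identifier']}")
    return {"counts": counts, "removals": removals}


def fetch_change_set(client, core_network_id, version_id):
    """Collect every page of the change set computed for one policy version."""
    changes, token = [], None
    while True:
        kwargs = {"CoreNetworkId": core_network_id, "PolicyVersionId": version_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_core_network_change_set(**kwargs)
        changes.extend(resp.get("CoreNetworkChanges", []))
        token = resp.get("NextToken")
        if not token:
            return changes


def roll_out(client, core_network_id, policy, description, allow_removals=False):
    """Submit a policy version, review its change set, and execute only if it is safe.

    Returns (version_id, summary, executed). A staged but unexecuted version leaves the
    live network untouched and can still be inspected in the console."""
    resp = client.put_core_network_policy(
        CoreNetworkId=core_network_id,
        PolicyDocument=json.dumps(policy),
        Description=description,
    )
    version_id = resp["CoreNetworkPolicy"]["PolicyVersionId"]
    summary = summarize_change_set(fetch_change_set(client, core_network_id, version_id))
    if summary["removals"] and not allow_removals:
        return version_id, summary, False
    client.execute_core_network_change_set(CoreNetworkId=core_network_id, PolicyVersionId=version_id)
    return version_id, summary, True


def roll_back(client, core_network_id, known_good_version_id):
    """Restore an earlier version as a new immutable version and execute it."""
    resp = client.restore_core_network_policy_version(
        CoreNetworkId=core_network_id, PolicyVersionId=known_good_version_id)
    new_version_id = resp["CoreNetworkPolicy"]["PolicyVersionId"]
    client.execute_core_network_change_set(CoreNetworkId=core_network_id, PolicyVersionId=new_version_id)
    return new_version_id


def make_client():
    """Network Manager client pinned to the GovCloud home Region and FIPS endpoint."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for live calls")
    return boto3.client("networkmanager", region_name=HOME_REGION, endpoint_url=NETWORK_MANAGER_ENDPOINT)


# Constructed sample change set, in the shape of GetCoreNetworkChangeSet records.
SAMPLE_CHANGES = [
    {"Type": "CORE_NETWORK_SEGMENT", "Action": "ADD", "Identifier": "Hybrid"},
    {"Type": "CORE_NETWORK_EDGE", "Action": "ADD", "Identifier": "us-gov-east-1"},
    {"Type": "CORE_NETWORK_SEGMENT", "Action": "REMOVE", "Identifier": "Dev"},
]

if __name__ == "__main__":
    print(summarize_change_set(SAMPLE_CHANGES))
```

The gate on REMOVE actions is the practical part: a segment or edge removal is what silently drops routes and attachments, so the script stages such versions without executing them and returns the summary for a change ticket. Every version ID returned, executed or not, is retained by the service, which is what gives you the audit trail and the target for `roll_back`.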
Service insertion for security inspection
AWS Cloud WAN service insertion supports integration of network and security services, including AWS Network Firewall and third-party security appliances through Gateway Load Balancer. You define inspection requirements in your policy, and AWS Cloud WAN automatically steers traffic through the appropriate security controls with no complex static routes and no manual configuration across Regions. This capability supports east-west (VPC-to-VPC), north-south (internet egress), and hybrid traffic inspection between on-premises and cloud environments. For organizations required to inspect traffic at trust boundaries under Trusted Internet Connections (TIC) 3.0 or similar frameworks, service insertion provides a centralized, policy-driven approach to traffic steering.
Dynamic routing for cross-Region connectivity
AWS Cloud WAN automatically establishes BGP peering between Core Network Edges, dynamically exchanging routes and adapting to network changes. When building disaster recovery architectures across AWS GovCloud (US-East) and AWS GovCloud (US-West), this dynamic routing replaces the complexity of managing static routes between transit gateways. Traffic automatically reroutes around failures without manual intervention.
AWS Cloud WAN also supports Routing Policy, providing fine-grained controls to optimize route management, control traffic patterns, and customize network behavior across your global network. This includes route filtering, summarization, and BGP path manipulation, capabilities that let you control which on-premises routes are accepted in each Region and optimize traffic paths between Regions.
Hybrid connectivity with Direct Connect
In AWS GovCloud (US) Regions, AWS Cloud WAN integrates with Direct Connect through AWS Transit Gateway attachments. This architecture provides dedicated, high-bandwidth connections while maintaining centralized policy-driven management.
Tunnel-less Connect for SD-WAN
You can integrate SD-WAN technologies to simplify branch connectivity to AWS using GRE or IPsec tunnels. AWS Cloud WAN supports Tunnel-less Connect as a higher-performance alternative. Third-party SD-WAN appliances can peer with AWS Cloud WAN using BGP without specialized tunneling protocols, delivering up to 100 Gbps per Availability Zone while streamlining operations.
Centralized network management
AWS Cloud WAN provides a unified view of your network, including topology, health, performance, and security posture, through a single dashboard and policy framework. For organizations managing networks across both AWS GovCloud (US) Regions, this eliminates the need to context-switch between different services or piece together network state from multiple consoles.
Regional segment confinement
AWS Cloud WAN segments can be configured with regional scope so you can create network isolation boundaries that do not extend beyond a specific Region. This capability addresses compliance scenarios where data residency requirements mandate that certain workloads remain within specific geographic boundaries. For organizations subject to ITAR or handling workloads across different Impact Levels, you get the benefits of automation and centralized management while maintaining the isolation boundaries your compliance frameworks demand.
Getting started in AWS GovCloud (US)
The configuration process for AWS Cloud WAN in AWS GovCloud (US) follows the same workflow as in commercial Regions. You can configure AWS Cloud WAN using the AWS Management Console, AWS Command Line Interface (AWS CLI), JSON policy, AWS APIs (SDKs), or infrastructure as code (IaC) tools such as AWS CloudFormation or Terraform.
There are a few GovCloud-specific details to be aware of:
- Home Region: The AWS Cloud WAN control plane home Region in the GovCloud partition is AWS GovCloud (US-West) (us-gov-west-1). Network policies, dashboard data, and CloudWatch metrics are managed from this Region.
- Edge locations: Your core network policy specifies us-gov-west-1 and us-gov-east-1 as edge locations, as shown in the example below.
- FIPS endpoint: The Network Manager API endpoint (networkmanager.us-gov-west-1.amazonaws.com) is FIPS 140-3 validated.
- Partition isolation: AWS Cloud WAN core networks in AWS GovCloud (US) are separate from commercial partition core networks. They cannot span across partitions.
For detailed step-by-step instructions, refer to the AWS Cloud WAN User Guide.
The following JSON policy illustrates the example used to create the AWS Cloud WAN network shown in Figure 1. You don’t need to be proficient in JSON because the service automatically creates and version-controls the policy when you use other configuration methods.
{
  "version": "2025.11",
  "core-network-configuration": {
    "vpn-ecmp-support": true,
    "dns-support": true,
    "security-group-referencing-support": false,
    "asn-ranges": [
      "64612-64712"
    ],
    "edge-locations": [
      {
        "location": "us-gov-west-1"
      },
      {
        "location": "us-gov-east-1"
      }
    ]
  },
  "segments": [
    {
      "name": "Prod",
      "edge-locations": [
        "us-gov-west-1",
        "us-gov-east-1"
      ],
      "require-attachment-acceptance": false
    },
    {
      "name": "Dev",
      "edge-locations": [
        "us-gov-east-1",
        "us-gov-west-1"
      ],
      "require-attachment-acceptance": false
    },
    {
      "name": "Hybrid",
      "edge-locations": [
        "us-gov-west-1",
        "us-gov-east-1"
      ],
      "require-attachment-acceptance": false
    }
  ],
  "network-function-groups": [
    {
      "name": "NFG",
      "require-attachment-acceptance": false
    }
  ],
  "attachment-policies": [
    {
      "rule-number": 101,
      "condition-logic": "and",
      "conditions": [
        {
          "type": "tag-value",
          "operator": "equals",
          "key": "Name",
          "value": "Prod"
        }
      ],
      "action": {
        "association-method": "constant",
        "segment": "Prod"
      }
    },
    {
      "rule-number": 102,
      "condition-logic": "and",
      "conditions": [
        {
          "type": "tag-value",
          "operator": "equals",
          "key": "Name",
          "value": "Dev"
        }
      ],
      "action": {
        "association-method": "constant",
        "segment": "Dev"
      }
    },
    {
      "rule-number": 103,
      "condition-logic": "and",
      "conditions": [
        {
          "type": "tag-value",
          "operator": "equals",
          "key": "Name",
          "value": "Insp"
        }
      ],
      "action": {
        "add-to-network-function-group": "NFG"
      }
    }
  ]
}
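The Python script below is an added example, not code from the post or from AWS. It carries the policy above as a Python structure and applies the GovCloud-specific checks from the "Getting started" list and the regional segment confinement section before anything is submitted: every core network edge must be one of the two GovCloud Regions (partition isolation), every segment's edge-locations must be a subset of the core network edges, rule numbers must be unique, and every attachment rule must target a defined segment or network function group. It also evaluates the attachment-policies against an attachment's tags the way the rules are ordered, so you can see which segment a VPC tagged Name=Prod lands in. The tag-matching logic implements only the condition type the post's policy uses (tag-value/equals); the helper names and the "Itar" segment are assumptions for illustration.

```python
import copy
import json

# Both GovCloud Regions; a core network in this partition cannot include any other Region.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

# The core network policy from the post, same content as the JSON above, built compactly.
PAGE_POLICY = {
    "version": "2025.11",
    "core-network-configuration": {
        "vpn-ecmp-support": True, "dns-support": True,
        "security-group-referencing-support": False,
        "asn-ranges": ["64612-64712"],
        "edge-locations": [{"location": "us-gov-west-1"}, {"location": "us-gov-east-1"}],
    },
    "segments": [
        {"name": name, "edge-locations": ["us-gov-west-1", "us-gov-east-1"],
         "require-attachment-acceptance": False} for name in ("Prod", "Dev", "Hybrid")
    ],
    "network-function-groups": [{"name": "NFG", "require-attachment-acceptance": False}],
    "attachment-policies": [
        {"rule-number": 101, "condition-logic": "and",
         "conditions": [{"type": "tag-value", "operator": "equals", "key": "Name", "value": "Prod"}],
         "action": {"association-method": "constant", "segment": "Prod"}},
        {"rule-number": 102, "condition-logic": "and",
         "conditions": [{"type": "tag-value", "operator": "equals", "key": "Name", "value": "Dev"}],
         "action": {"association-method": "constant", "segment": "Dev"}},
        {"rule-number": 103, "condition-logic": "and",
         "conditions": [{"type": "tag-value", "operator": "equals", "key": "Name", "value": "Insp"}],
         "action": {"add-to-network-function-group": "NFG"}},
    ],
}


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    core_edges = [e["location"] for e in policy["core-network-configuration"]["edge-locations"]]
    for loc in core_edges:
        if loc not in GOVCLOUD_REGIONS:
            findings.append(f"edge location {loc} is outside the AWS GovCloud (US) partition")
    segments = {}
    for seg in policy.get("segments", []):
        # A segment with no edge-locations key spans every core network edge.
        seg_edges = seg.get("edge-locations", core_edges)
        segments[seg["name"]] = seg_edges
        for loc in seg_edges:
            if loc not in core_edges:
                findings.append(f"segment {seg['name']} uses {loc}, which is not a core network edge")
    nfgs = {g["name"] for g in policy.get("network-function-groups", [])}
    seen = set()
    for rule in policy.get("attachment-policies", []):
        num = rule["rule-number"]
        if num in seen:
            findings.append(f"duplicate rule-number {num}")
        seen.add(num)
        action = rule["action"]
        if "segment" in action and action["segment"] not in segments:
            findings.append(f"rule {num} targets undefined segment {action['segment']}")
        nfg = action.get("add-to-network-function-group")
        if nfg is not None and nfg not in nfgs:
            findings.append(f"rule {num} targets undefined network function group {nfg}")
    return findings


def _condition_matches(cond, tags):
    # Only the condition type used in the post's policy is implemented here (assumption).
    if cond["type"] == "tag-value" and cond["operator"] == "equals":
        return tags.get(cond["key"]) == cond["value"]
    raise ValueError(f"unsupported condition: {cond}")


def resolve_attachment(policy, tags):
    """Apply attachment-policies in rule-number order to an attachment's tags.

    Returns ("segment", name), ("network-function-group", name), or None if nothing matched."""
    for rule in sorted(policy.get("attachment-policies", []), key=lambda r: r["rule-number"]):
        combine = all if rule["condition-logic"] == "and" else any
        if combine(_condition_matches(c, tags) for c in rule["conditions"]):
            action = rule["action"]
            if "segment" in action:
                return ("segment", action["segment"])
            return ("network-function-group", action["add-to-network-function-group"])
    return None


def confine_segment(policy, name, region):
    """Copy of the policy with an added segment restricted to one Region (hypothetical name)."""
    out = copy.deepcopy(policy)
    out["segments"].append({"name": name, "edge-locations": [region],
                            "require-attachment-acceptance": True})
    return out


def add_edge(policy, region):
    """Copy of the policy with an extra core network edge, used to show a partition finding."""
    out = copy.deepcopy(policy)
    out["core-network-configuration"]["edge-locations"].append({"location": region})
    return out


if __name__ == "__main__":
    print(json.dumps(PAGE_POLICY, indent=2))
    print("findings:", lint_policy(add_edge(PAGE_POLICY, "us-east-1")))
```

Run it as a pre-submit check in the pipeline that feeds `PutCoreNetworkPolicy`: the service would reject a commercial Region in a GovCloud core network anyway, but catching it before a version is created keeps the policy history free of failed attempts. The `confine_segment` helper is the regional confinement pattern from the post: a segment whose edge-locations list holds only us-gov-west-1 never gets a route to the other Region, and setting require-attachment-acceptance to true on it means nothing joins that segment without an explicit approval.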
Considerations
- AWS Cloud WAN core networks cannot stretch between AWS GovCloud (US) and commercial partitions. Because of compliance and isolation requirements, these operate as separate network domains. If you need connectivity between partitions, use patterns such as VPN over the internet or connectivity through on-premises gateways. For current regional availability and service limitations, refer to the AWS Services by Region page.
- At the time of this writing, Direct Connect gateways cannot be attached directly to AWS Cloud WAN in AWS GovCloud (US) Regions. Check the AWS Cloud WAN documentation for the latest updates on this capability.
- AWS Cloud WAN and AWS Transit Gateway coexist during transitions, meaning you can incrementally migrate workloads without disrupting production traffic. For detailed migration patterns and best practices, refer to AWS Cloud WAN and AWS Transit Gateway migration and interoperability patterns.
- AWS Cloud WAN supports both IPv4 and IPv6 for traffic across its Core Network Edges (CNEs).
- AWS Cloud WAN has default quotas for segments, attachments, and other resources per core network. For the full list of quotas and how to request increases, refer to the AWS Cloud WAN endpoints and quotas page.
- AWS Cloud WAN pricing in AWS GovCloud (US) Regions follows the same structure as commercial Regions. For detailed pricing information, refer to the AWS Cloud WAN pricing page.
Conclusion
AWS Cloud WAN in AWS GovCloud (US) Regions brings policy-driven network automation to government organizations and regulated industries operating mission-critical workloads. Whether you are connecting AWS GovCloud (US-West) and AWS GovCloud (US-East) for disaster recovery, integrating on-premises data centers through Direct Connect, or extending SD-WAN infrastructure to distributed field locations, AWS Cloud WAN provides centralized management and automation while maintaining the compliance boundaries your mission requires. To get started, refer to the AWS Cloud WAN documentation.
