Q: What are the components of AWS Cloud WAN?
The Cloud WAN service consists of several components, including the following:
- Global network: A single network that acts as the high-level container for your network objects. A global network can contain both AWS Transit Gateways and other Cloud WAN core networks. Your global network is shown in the Network Manager console.
- Core network: The part of your global network managed by AWS. Core networks include Regional connection points and attachments, such as virtual private networks (VPNs) and Amazon VPCs. Your core network operates in the AWS Regions defined in your core network policy document.
- Core network policy: A single document that defines the global configuration of your core network. The core network policy document defines how your VPCs, VPNs, and existing Transit Gateways connect to your network. The core network policy also defines the routing policy and how you want to segment traffic across the network. You can configure the core network policy document from the AWS Management Console or by calling Cloud WAN APIs.
- Attachments: Attachments are any connections or resources that you want to add to your core network. Supported attachments include Amazon VPCs, VPNs, and connect software-defined wide area network (SD-WAN) attachments.
- Core network edge: The Regional connection point managed by AWS in each Region, as defined in the core network policy. Every attachment connects to a core network edge. The core network edge is similar to AWS Transit Gateway, but it is managed by AWS. Cloud WAN concepts such as attachments, routing, and protocol support are similar to AWS Transit Gateway concepts.
- Network segments: Segments are isolated routing domains, which means that, by default, only the attachments within the same segment can communicate. You can define segment actions that share routes across segments in the core network policy. In a traditional network, a segment is similar to a globally consistent virtual routing and forwarding (VRF) table or to a layer 3 IP VPN over a multiprotocol label switching (MPLS) network.
- Peering: You can interconnect your core network edge and Transit Gateway in the same AWS Region by using a peering connection. You can create route table attachments over a peering connection to peer a Transit Gateway route table with a Cloud WAN network segment and deploy a complete segmentation across your Transit Gateway and Cloud WAN networks.
Q: What is a wide-area network (WAN)?
A wide area network refers to the networking infrastructure that connects your branch offices, data centers, and cloud resources together. It’s called a wide area network because it spans beyond a single building or large campus to include multiple locations spread across a specific geographic area, or even the world.
Q: Does AWS act as my "first mile" or "last mile" provider to connect my on-premises locations to AWS?
No, you need to make connections between the local service providers used at your on-premises locations.
Q: When should I use network segmentation?
By using network segmentation, you can divide your global network into separate, isolated networks. For example, a bank might create one segment for payment card transactions and another for general network traffic. By preventing communication between the networks, segmentation provides an additional layer of security and control.
Core network policy
Q: What is an AWS Cloud WAN core network policy used for?
Use the Cloud WAN core network policy to control network traffic across your network segments and AWS Regions. You can create the policy by using a declarative language, such as JSON. You can define your access control and traffic routing, and Cloud WAN handles the configuration details. Examples of what you can create with policies include the following:
- Creating a segment for shared services (for example, service directories, authentication services)
- Enabling or disabling internet access from a network segment
- Assigning Amazon VPCs to segments based on tags automatically
- Defining a subset of AWS Regions where a segment is available
Q: What is defined in the core network policy?
The network policy has the following sections:
- Network configuration: Define the AWS Regions where you want connectivity. You can also add or remove Regions with the network policy. For each AWS Region that you define in the policy, Cloud WAN will create a core network edge router.
- Segments: You can name your segments and define whether attachments can communicate within the segment, whether resources asking for access require approval, and specify explicit route filters. Each attachment connects to one segment.
- Attachment rules: You can choose to map attachments to segments by explicitly mapping a resource (such as a vpc-id) to a segment, or by using the tags on the attachment.
- Segment actions: When you map attachments to segments, you can choose how routes are shared between segments. For example, you might want to share access to a VPN across multiple segments or allow access between two types of branch offices. You can also configure centralized internet routing for a segment or route traffic between segments through a firewall.
Q. Can I use AWS Cloud WAN with my existing WAN?
Yes. Cloud WAN works with existing networks. You can augment your existing WAN and incrementally move it to Cloud WAN. The following methods describe how you can use Cloud WAN alongside your existing WAN:
- Attach on-premises sites to Cloud WAN global networks – Continue to use your existing WAN, and connect your on-premises sites to Cloud WAN. You can choose to move incrementally, shifting parts of your network over to Cloud WAN by defining routing logic on your on-premises routers or gateways. You can also choose to make Cloud WAN your primary WAN and use your existing WAN as backup, or the other way around.
- Configure software-defined wide area network (SD-WAN) to use Cloud WAN as the underlying network transport – Your SD-WAN devices can use Cloud WAN alongside your existing connections to create an overlay network. You can define policies for SD-WAN devices to route traffic over Cloud WAN while keeping other traffic on your existing WAN. For example, you can keep voice traffic over your existing WAN connections and allow all other traffic to use Cloud WAN.
Q: How do I determine whether to use AWS Cloud WAN or AWS Transit Gateway to build my networks?
Both Transit Gateway and Cloud WAN allow centralized connectivity between VPCs and on-premises locations. Transit Gateway is a Regional network connectivity hub and is optimal if you operate in a few AWS Regions, want to manage your own peering and routing configuration, or prefer to use your own automation.
Cloud WAN is a managed wide area network (WAN) that unifies your data center, branch, and AWS networks. Although you can create your own global network by interconnecting multiple Transit Gateways across Regions, Cloud WAN provides built-in automation, segmentation, and configuration management features designed specifically for building and operating global networks. Cloud WAN has additional capabilities such as automated VPC attachments, integrated performance monitoring, and centralized configuration.
Q. Can I natively connect a AWS Transit Gateway to an AWS Cloud WAN?
Yes. You can connect your Transit Gateway with a core network edge natively by using a peering connection. The Transit Gateway must be in the same AWS Region as the core network and have an Autonomous System Number (ASN) that doesn't fall within the range of ASN assigned to Cloud WAN. The Transit Gateway can be in the same AWS account or in a different AWS account as the core network edge.
Q. Does the peering connection between AWS Cloud WAN and a Transit Gateway support dynamic routing?
Yes. Peering connections between Cloud WAN and Transit Gateway support dynamic routing with the automatic exchange of routes by using Border Gateway Protocol (BGP). You can use route table attachments on the peering connection to exchange routes selectively between a specific Transit Gateway route table and a Cloud WAN network segment for complete segmentation and network isolation. The ASN used on a Transit Gateway must be different from the ASN configured on the core network edge.
Q: How can I integrate my AWS Direct Connect networks with AWS Cloud WAN?
Currently we don’t support native Direct Connect attachments to Cloud WAN. You can integrate your Direct Connect network with Cloud WAN by using the Transit Gateway service. You can use Direct Connect attachments to interconnect your Direct Connect gateway with the Transit Gateway. You can then peer the Transit Gateway with Cloud WAN to route traffic back and forth between your Direct Connect network and the Cloud WAN network.
Q: How do I determine whether to use Direct Connect SiteLink or AWS Cloud WAN?
Depending on your use case, you might choose one, the other, or both. Cloud WAN can create and manage networks of VPCs across multiple Regions. By contrast, SiteLink connects AWS Direct Connect locations together, bypassing AWS Regions, to improve performance.
Q. How do I get started with AWS Cloud WAN?
To get started with Cloud WAN, create a free AWS account and start building in the AWS Management Console.
Learn about AWS Cloud WAN features