Skip to main content

AWS Solutions Library

Guidance for Building Your Enterprise WAN on AWS

Overview

This Guidance demonstrates a four-phased approach to progressively migrate your enterprise wide area network (WAN) to AWS. It includes the most common steps you could take in your network modernization journey to a Network-as-a-Service (NaaS) consumption model. However, this Guidance can be easily modified and tailored, depending on your network architecture, footprint, expertise, resources, and budget. Moreover, each phase includes an architecture diagram that allows you to envision the future state of your networking environment and the intermediate steps involved in the migrations process. This can help you make data-driven decisions when assessing the overall value of migrating your WAN to AWS. For detailed, step-by-step instructions on configuring the components outlined here, refer to the implementation resources section.

Background

Network modernization is a journey akin to how Software as a Service (SaaS) transformed on-premises workloads. As a global enterprise, you run workloads across your WAN that span on-premises and the cloud. The on-premises workloads reside in geographically dispersed data centers and are accessed from remote locations and branch offices. As your business expands globally, you are faced with changing traffic patterns and unpredictable bandwidth peaks that span many time zones.

Historically, building a global network to meet these requirements required capacity planning in advance and investment in fixed cost infrastructure or circuits with long-term contracts. With data center consolidation and application modernization initiatives taking advantage of cloud computing services that accelerate time-to-market for business owners, you must ensure the network is an enabler and not a blocker.

In order for your network to be as flexible as cloud compute, you need to modernize the network infrastructure to consume it as a service. AWS WAN solutions, including this Guidance, use a Network-as-a-Service (NaaS) consumption model. As defined by Gartner, NaaS allows you to consume the network from the cloud as a service, provides access to scale capacity up or down when needed, and offers the flexibility of only paying for what you use.

Benefits

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

With a Pay-As-You-Go model for networking infrastructure, you can optimize costs without the need for long-term contracts or fixed capacity networks sized for peak demand periods, regardless of usage. 
Networking services like AWS Cloud WAN empower you to define your global networks using policy-as-code and automation. This speeds up your deployments, reduces human error, and allows you to scale your global network to thousands of VPCs across all supported regions using less resources.
The network infrastructure used by the AWS services in this Guidance is fully managed by AWS. These architecture diagrams can be configured in a highly available manner across multiple Availability Zones to reduce downtime and troubleshooting. 

Architecture Diagram

These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.

Download the architecture diagram

Well-Architected Pillars

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

AWS Cloud WAN and SiteLink are used throughout this Guidance to enhance your operational excellence. AWS Cloud WAN allows you to accelerate workload migration by simplifying your global connectivity patterns through network policies and automated network management. It provides a centralized dashboard that helps you visualize and control your network by monitoring performance and health, and automating routine tasks. With features like SiteLink, you can easily simplify on-premises connectivity between your data centers, helping you reduce operational overhead and human errors for your global network. 

Read the Operational Excellence whitepaper

In this Guidance, we recommend you use Direct Connect or Site-to-Site VPN to connect your on-premises environment to AWS. To encrypt your traffic, you can either use Direct Connect with MAC Security (MACsec) or Site-to-Site VPN, which supports Internet Protocol security (IPsec) VPN connections. Furthermore, Traffic Encryption Options in AWS Direct Connect lists various ways you can build a secure, consistent, low latency network experience. Also, all data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. More information about encryption in transit within AWS can be found in Data protection in Amazon EC2.

Read the Security whitepaper

This Guidance consists of AWS Cloud WAN, Direct Connect, and Site-to-Site VPN, which are AWS managed networking services built on top of the AWS Global Infrastructure that delivers the highest network availability of any cloud provider. Additionally, this Guidance requires you to connect your on-premises network to the cloud. While the reliability of the on-premises network is your responsibility, this Guidance uses Direct Connect which has a resiliency model that provides recommendations on how to build a highly available network connection between your on-premises environment and AWS. 

Read the Reliability whitepaper

This Guidance helps you improve your performance efficiency in a number of ways. For one, you can decide to use Site-to-Site VPN over the internet compared to dedicated circuits through Direct Connect for your hybrid connectivity. Second, you can choose Direct Connect locations to be closest to your data centers to improve latency, jitter, and other performance parameters. Third, for your global network, you can use AWS Cloud WAN to track network events, routes, and performance. Using this Guidance to replace existing WAN services, such as multiprotocol label switching (MPLS), can decrease round-trip network latency by 200ms and increase bandwidth by 66x for long-haul intercontinental connections (for example, US West to Asia-Pacific).

Read the Performance Efficiency whitepaper

AWS Cloud WAN, Direct Connect, and Site-to-Site VPN offer usage-based pricing, allowing you the flexibility to pay only for the network resources you use. Data transfer out (DTO), in the case of Direct Connect, and data processing, in the case of AWS Cloud WAN, are based on the amount of traffic consumed. Additionally, data transfer for network traffic that is sent into AWS over Direct Connect is free of charge. Finally, you have the flexibility to increase your usage over time, so you can avoid unnecessary costs, build, and operate cost-aware workloads.

Read the Cost Optimization whitepaper

AWS Cloud WAN, an AWS managed service, allows you to scale your Regional connections, as well as your global network footprint, in minutes. Also, because this Guidance uses Site-to-Site VPN and Direct Connect, you can choose the optimal on-premises connectivity option based on your current requirements. This helps you optimize your workloads as your demand grows and minimize the environmental impacts of running cloud workloads.

Read the Sustainability whitepaper

Implementation resources

A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.
Open guide

Related content

Blog

Introducing AWS Direct Connect SiteLink

This blog post talks about how customers can quickly create a WAN using SiteLink, a feature of AWS Direct Connect, to connect across their data centers by sending data from one Direct Connect location to another, bypassing AWS Regions.

Learn more
Blog

Introducing AWS Cloud WAN (Preview)

This blog post looks at the main use cases for Cloud WAN. We cover how you can get started, and look at the key functionality available.

Learn more
Guidance

Guidance for Automating Amazon VPC Routing in a Global Cloud WAN Deployment

This Guidance demonstrates how to automatically update the routing tables of your Amazon Virtual Private Cloud (Amazon VPC) when the Amazon VPC is attached or detached from an AWS Cloud WAN segment.

Learn more
Blog

Centralized outbound inspection architecture in AWS Cloud WAN

This blog post describes architectural patterns for centrally managing and inspecting outbound network traffic from AWS workloads in a Cloud WAN network. 

Learn more
Blog

Inspecting network traffic between Amazon VPCs with AWS Cloud WAN

This blog post takes a closer look at centralized architectures for native East-West (VPC-to-VPC) inspection both within and across Regions with Cloud WAN. 

Learn more
Blog

Advanced Routing scenarios with AWS Direct Connect SiteLink

This blog post walks through advanced routing scenarios and best practices that customer architects can use to meet such requirements while using AWS Direct Connect with SiteLink. 

Learn more
Blog

AWS Cloud WAN and AWS Transit Gateway migration and interoperability patterns

This blog post discusses interoperability design patterns and how to migrate from Transit Gateway to Cloud WAN. 

Learn more

Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.