This Guidance demonstrates a four-phased approach to progressively migrate your enterprise wide area network (WAN) to AWS. It includes the most common steps you could take in your network modernization journey toward a Network-as-a-Service (NaaS) consumption model. However, this Guidance can be easily modified and tailored, depending on your network architecture, footprint, expertise, resources, and budget. Moreover, each phase includes an architecture diagram that allows you to envision the future state of your networking environment and the intermediate steps involved in the migration process. This can help you make data-driven decisions when assessing the overall value of migrating your WAN to AWS. For detailed, step-by-step instructions on configuring the components outlined here, refer to the implementation resources section.
Background
Network modernization is a journey akin to how Software as a Service (SaaS) transformed on-premises workloads. As a global enterprise, you run workloads across your WAN that span on-premises and the cloud. The on-premises workloads reside in geographically dispersed data centers and are accessed from remote locations and branch offices. As your business expands globally, you are faced with changing traffic patterns and unpredictable bandwidth peaks that span many time zones.
Historically, building a global network to meet these requirements required capacity planning in advance and investment in fixed cost infrastructure or circuits with long-term contracts. With data center consolidation and application modernization initiatives taking advantage of cloud computing services that accelerate time-to-market for business owners, you must ensure the network is an enabler and not a blocker.
In order for your network to be as flexible as cloud compute, you need to modernize the network infrastructure to consume it as a service. AWS WAN solutions, including this Guidance, use a Network-as-a-Service (NaaS) consumption model. As defined by Gartner, NaaS allows you to consume the network from the cloud as a service, provides access to scale capacity up or down when needed, and offers the flexibility of only paying for what you use.
Benefits
- Optimize Costs
With a Pay-As-You-Go model for networking infrastructure, you can optimize costs without the need for long-term contracts or fixed capacity networks sized for peak demand periods, regardless of usage.
- Reduce Complexity
Networking services like AWS Cloud WAN empower you to define your global networks using policy-as-code and automation. This speeds up your deployments, reduces human error, and allows you to scale your global network to thousands of VPCs across all supported Regions using fewer resources.
- Increase Availability
The network infrastructure used by the AWS services in this Guidance is fully managed by AWS. The architectures shown in these diagrams can be deployed in a highly available manner across multiple Availability Zones to reduce downtime and troubleshooting effort.
Architecture Diagram
Overview
This Guidance takes a four-phased approach to progressively build your enterprise Wide Area Network (WAN) on AWS. These phases are some common steps you can take to optimize costs, reduce complexity, and increase availability during your network modernization journey on AWS.
It deploys several AWS services or features to help you build a global WAN, including AWS Cloud WAN, SiteLink, a feature of AWS Direct Connect (DX), AWS Transit Gateway, AWS Site-to-Site VPN, and Software Defined Wide Area Networks (SD-WANs).
The slides that follow describe the following phases in greater detail:
Phase 1: Backup your connectivity between data centers.
This phase deploys SiteLink, which creates an on-demand, consumption-based network connecting all of your data centers. This helps you establish a backup network path for your data centers.
Phase 2: Connect your data centers.
The objective in this phase is to achieve a consumption-based model for your primary on-premises network. It helps you deploy SiteLink as the primary connection between on-premises data centers and migrate your data centers to AWS.
Phase 3: Connect branch offices and segment your enterprise WAN.
On-premises connectivity also includes your branch offices. In this phase, you can deploy AWS Cloud WAN, which provides a central dashboard for making connections between your branch offices and Amazon Virtual Private Cloud (Amazon VPC), and for segmenting your enterprise WAN.
Phase 4: Expand your enterprise WAN footprint.
During this phase, you can extend your WAN to additional cloud Regions and on-premises locations by using a combination of SiteLink and AWS Cloud WAN.
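As an added example (not code from the Guidance or from AWS), the policy-as-code side of Phase 3: a Cloud WAN core network policy that places Direct Connect sites in a "datacenter" segment and VPN branch offices in an isolated "branch" segment that exchanges routes only with the data centers, plus two checks a reviewer would run before applying it, that every share action names a defined segment and which segments a given segment can actually reach. Edge locations, the ASN range and the segment names are assumed values.

```python
# Constructed example of an AWS Cloud WAN core network policy (policy-as-code):
# "datacenter" holds the Direct Connect sites; "branch" holds the VPN branch offices,
# isolated from one another and admitted only after explicit acceptance. Edge
# locations and the ASN range are placeholder values, not taken from the Guidance.
CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "vpn-ecmp-support": False,
        "asn-ranges": ["64512-65534"],
        "edge-locations": [{"location": "us-west-2"}, {"location": "ap-southeast-1"}],
    },
    "segments": [
        {"name": "datacenter", "require-attachment-acceptance": False},
        {"name": "branch", "isolate-attachments": True, "require-attachment-acceptance": True},
    ],
    # Branches exchange routes with the data centers only; no branch-to-branch sharing.
    "segment-actions": [
        {"action": "share", "mode": "attachment-route", "segment": "datacenter", "share-with": ["branch"]},
    ],
    "attachment-policies": [
        {"rule-number": 100, "conditions": [{"type": "attachment-type", "operator": "equals", "value": "site-to-site-vpn"}],
         "action": {"association-method": "constant", "segment": "branch"}},
        {"rule-number": 200, "conditions": [{"type": "tag-value", "key": "segment", "operator": "equals", "value": "datacenter"}],
         "action": {"association-method": "constant", "segment": "datacenter"}},
    ],
}

def share_members(action, policy):
    """Segments joined by one 'share' action; share-with is a list or '*' (every segment)."""
    peers = action["share-with"]
    if peers == "*":
        peers = [s["name"] for s in policy["segments"]]
    return {action["segment"], *peers}

def lint_policy(policy):
    """Return messages for share actions that reference a segment the policy never defines."""
    problems, defined = [], {s["name"] for s in policy["segments"]}
    for act in policy.get("segment-actions", []):
        if act["action"] == "share":
            for ref in sorted(share_members(act, policy) - defined):
                problems.append(f"share action references undefined segment {ref!r}")
    return problems

def reachable_segments(policy, segment):
    """Segments whose attachments exchange routes with `segment` through share actions."""
    peers = {segment}
    for act in policy.get("segment-actions", []):
        if act["action"] == "share" and segment in share_members(act, policy):
            peers |= share_members(act, policy)
    return peers
```

The same document, serialised with json.dumps, is what you would pass as the policy document when creating or updating the core network.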
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
- Operational Excellence
AWS Cloud WAN and SiteLink are used throughout this Guidance to enhance your operational excellence. AWS Cloud WAN allows you to accelerate workload migration by simplifying your global connectivity patterns through network policies and automated network management. It provides a centralized dashboard that helps you visualize and control your network by monitoring performance and health, and automating routine tasks. With features like SiteLink, you can easily simplify on-premises connectivity between your data centers, helping you reduce operational overhead and human errors for your global network.
- Security
In this Guidance, we recommend you use Direct Connect or Site-to-Site VPN to connect your on-premises environment to AWS. To encrypt your traffic, you can either use Direct Connect with MAC Security (MACsec) or Site-to-Site VPN, which supports Internet Protocol security (IPsec) VPN connections. Furthermore, Traffic Encryption Options in AWS Direct Connect lists various ways you can build a secure, consistent, low latency network experience. Also, all data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. More information about encryption in transit within AWS can be found in Data protection in Amazon EC2.
- Reliability
This Guidance consists of AWS Cloud WAN, Direct Connect, and Site-to-Site VPN, which are AWS managed networking services built on top of the AWS Global Infrastructure that delivers the highest network availability of any cloud provider. Additionally, this Guidance requires you to connect your on-premises network to the cloud. While the reliability of the on-premises network is your responsibility, this Guidance uses Direct Connect, which has a resiliency model that provides recommendations on how to build a highly available network connection between your on-premises environment and AWS.
- Performance Efficiency
This Guidance helps you improve your performance efficiency in a number of ways. First, you can choose between Site-to-Site VPN over the internet and dedicated circuits through Direct Connect for your hybrid connectivity. Second, you can choose Direct Connect locations closest to your data centers to improve latency, jitter, and other performance parameters. Third, for your global network, you can use AWS Cloud WAN to track network events, routes, and performance. Using this Guidance to replace existing WAN services, such as multiprotocol label switching (MPLS), can decrease round-trip network latency by 200ms and increase bandwidth by 66x for long-haul intercontinental connections (for example, US West to Asia-Pacific).
- Cost Optimization
AWS Cloud WAN, Direct Connect, and Site-to-Site VPN offer usage-based pricing, allowing you the flexibility to pay only for the network resources you use. Data transfer out (DTO), in the case of Direct Connect, and data processing, in the case of AWS Cloud WAN, are based on the amount of traffic consumed. Additionally, data transfer for network traffic that is sent into AWS over Direct Connect is free of charge. Finally, you have the flexibility to increase your usage over time, so you can avoid unnecessary costs and build and operate cost-aware workloads.
- Sustainability
AWS Cloud WAN, an AWS managed service, allows you to scale your Regional connections, as well as your global network footprint, in minutes. Also, because this Guidance uses Site-to-Site VPN and Direct Connect, you can choose the optimal on-premises connectivity option based on your current requirements. This helps you optimize your workloads as your demand grows and minimize the environmental impacts of running cloud workloads.
Implementation Resources
A detailed guide is provided for you to experiment with and use within your AWS account. It covers each stage of building the Guidance, including deployment, usage, and cleanup.
Related Content
Introducing AWS Direct Connect SiteLink
This blog post talks about how customers can quickly create a WAN using SiteLink, a feature of AWS Direct Connect, to connect across their data centers by sending data from one Direct Connect location to another, bypassing AWS Regions.
Introducing AWS Cloud WAN (Preview)
Advanced Routing scenarios with AWS Direct Connect SiteLink
AWS Cloud WAN and AWS Transit Gateway migration and interoperability patterns
Centralized outbound inspection architecture in AWS Cloud WAN
Guidance for Automating Amazon VPC Routing in a Global Cloud WAN Deployment
Inspecting network traffic between Amazon VPCs with AWS Cloud WAN
This blog post takes a closer look at centralized architectures for native East-West (VPC-to-VPC) inspection both within and across Regions with Cloud WAN.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.