This Guidance shows how to deploy a software-defined wide area network (SD-WAN) router to provide resilient communications and applications at the edge. It lets you use your own (organic) transmission systems, whether hardware or virtual, government or commercial, to reach the AWS global infrastructure. This gives you unified access to both your cloud environments and your edge locations and helps you work around infrastructure limitations. This Guidance currently uses the Juniper Session Smart Router, whose Zero Trust design enhances security, but you can adapt it to be SD-WAN agnostic.

Architecture Diagram

  • Overview
  • This architecture diagram shows the high-level functional components deployed in AWS GovCloud (US) and commercial partitions.

  • Core orchestration flow
  • This architecture diagram shows the core orchestration flow for the deployment of an SD-WAN controller. 

Well-Architected Pillars

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

  • Operational Excellence
  • Using infrastructure as code (IaC), AWS CDK for Terraform enables complete and quick deployment, with an expected time of 45 minutes from start to finish. Global Accelerator provides a highly available, DDoS-resilient anycast address assigned to the SD-WAN routers deployed on AWS. Systems Manager, used for remote management of the instances, removes the need for Secure Shell (SSH) access or bastion hosts, and Systems Manager documents provide a mechanism for programmatically deploying configurations into the SD-WAN control plane and modifying the deployed infrastructure. Finally, AWS Lambda functions automatically create deployable ISO disk images for edge routers, simplifying the deployment process.

    Read the Operational Excellence whitepaper 
  • Security
  • This Guidance uses multiple partitions, commercial and government, to maintain data sovereignty. To maintain security, the control plane exists by default within AWS GovCloud (US); this also enables you to connect directly with existing AWS deployments in IL4 or IL5 environments. Systems Manager Parameter Store lets you store sensitive data safely outside the deployed Amazon EC2 instances, and Systems Manager Session Manager removes the need for direct SSH access into those instances. When enabled, AWS Shield protects the instances from volumetric attacks. Global Accelerator and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs both provide a historical record of the network traffic seen across the deployment, and Amazon GuardDuty provides visibility into the VPC environments and external threats. If needed, AWS security groups can lock down both external-to-internal and internal-to-internal traffic.

    Read the Security whitepaper 
  • Reliability
  • This Guidance uses multiple Regions, AWS Local Zones, and Availability Zones (AZs) to maintain a highly available SD-WAN network on top of the AWS infrastructure. The SD-WAN routers provide fault detection and rerouting, and AWS provides infrastructure resilience, so this architecture can sustain multiple simultaneous outages without losing its communication capability. Additionally, Global Accelerator enables remote locations to access AWS resources from more than 600 AWS global points of presence in the most efficient manner. Finally, AWS Backup uses Lambda to automatically back up configurations and relevant public key infrastructure data in case you need to manually recover SD-WAN controllers.

    Read the Reliability whitepaper 
  • Performance Efficiency
  • This Guidance helps you realize your network and resiliency goals while minimizing your technical and administrative burden. For example, Global Accelerator delivers extremely low-latency connectivity from the edge to AWS, and AWS prefix lists let you adjust security rules easily when many locations need access to the cloud-edge environment. AWS CDK for Terraform supports a standards-based, multicloud-capable IaC architecture. Systems Manager handles the initial configuration of the SD-WAN controller, which then configures all the SD-WAN routers. You can also configure Amazon EC2 instance sizes within AWS CDK for Terraform, defining router quantity, location, and size based on your operational needs. Finally, this Guidance provides an ISO-builder process, powered by Lambda. By decreasing the usual number of steps from over 20 to just 5, this process helps remote teams with minimal training deploy new routers efficiently and rapidly.

    Read the Performance Efficiency whitepaper 
  • Cost Optimization
  • The bandwidth costs in this Guidance are pay per use, and you can optimize costs by rightsizing your environments at deployment time. For example, you can configure Amazon EC2 instance sizes and quantities based on your current needs, then scale them up and down as needed. Additionally, you can use Amazon CloudWatch alarms to automate dynamic capacity adjustments. In a high-availability deployment, CloudWatch monitors the primary router and enables a secondary router when the network load requires additional capacity. It then shuts down the secondary router once the high load subsides, helping you lower costs.

    Read the Cost Optimization whitepaper 
  • Sustainability
  • This Guidance lets you optimize compute by rightsizing your Amazon EC2 instances for your needs, and Amazon EC2 also scales automatically based on demand, reducing the energy your compute consumes. Additionally, CloudWatch lets you automate dynamic capacity adjustment, further reducing your carbon footprint: it keeps a secondary router disabled until the primary router needs support for large network loads, then shuts the secondary router down once the high load subsides, helping you avoid energy waste.

    Read the Sustainability whitepaper 
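The Security and Performance Efficiency pillars above describe the controller's network posture: a prefix list that stands in for every edge site in the security group rules, no SSH ingress because administration goes through Session Manager, and a control plane that may live in either partition. The following is an added example of that posture written in plain Terraform HCL; it is not the Guidance's CDK for Terraform code, and the VPC id, the tunnel port, and the edge CIDR are assumptions or constructed samples.

```hcl
# Assumed input; the edge CIDR below is a constructed RFC 5737 sample.
variable "vpc_id" { type = string }

# "aws" or "aws-us-gov": keeps managed-policy ARNs valid in both partitions the Guidance spans.
data "aws_partition" "current" {}

# One managed prefix list carries every edge site's public CIDR, so onboarding a
# new site is one new entry here rather than a new rule on each security group.
resource "aws_ec2_managed_prefix_list" "edge_sites" {
  name           = "sdwan-edge-sites"
  address_family = "IPv4"
  max_entries    = 50
  entry {
    cidr        = "198.51.100.0/24" # constructed sample for edge-site-01
    description = "edge-site-01"
  }
}

# Controller security group: only the SD-WAN tunnel port is reachable, and only
# from the edge prefix list. There is deliberately no port 22 rule, because
# administration goes through Systems Manager Session Manager.
resource "aws_security_group" "controller" {
  name   = "sdwan-controller"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "edge_tunnels" {
  security_group_id = aws_security_group.controller.id
  ip_protocol       = "udp"
  from_port         = 1280 # placeholder; use the tunnel port from your router's documentation
  to_port           = 1280
  prefix_list_id    = aws_ec2_managed_prefix_list.edge_sites.id
}

# Instance role that permits Session Manager, so no SSH key or bastion host is needed.
resource "aws_iam_role" "controller" {
  name = "sdwan-controller-ssm"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.controller.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
```

Attach the role to the controller instance through an instance profile; with no port 22 rule, a `terraform plan` that shows an SSH ingress rule appearing later is an easy drift signal to alert on.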
Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.

References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.