Contributing author:
Vipul Shah, Engineering Product Manager – Cisco SD WAN

Contributing author:
Marty Ma, Technical Marketing Lead – Cisco SD-WAN

In today’s world, enterprise customers are dominantly focused on their users and applications. The bridge that stitches them together is the Enterprise WAN, which not only needs to align with the growing and complex needs of its users but also needs to be secure, scalable, resilient, and programmable. Cisco SD-WAN brings together users, branches, applications, and data centers (on-prem or cloud) under one cohesive architecture to meet today’s expectations. Cisco vManage provides a single pane of glass to provision, operate, and manage this network.

The enterprise cloud footprint is growing at a rapid pace, resulting in complex policies and designs for connectivity across enterprise sites and workloads in the cloud. Traditional AWS cloud-native services like AWS Transit Gateway are regional constructs, which perform well in a design involving transit gateway peering across a small number of AWS Regions. As more Regions are added, the network can get exponentially complex with additional transit gateway peering. Also, separate route tables for segmentation add another layer of complexity to the network.

Questions we typically hear from our customers are:

  1. How do I easily deploy and manage a cloud network for segmented users, applications, and other resources dispersed across Regions, while maintaining a hardened security posture?

  2. Can my network be agile enough to quickly adapt to changing policies and application requirements?
  3. What is the impact on the user experience for a multi-region application?
  4. My users connected to region X are having inconsistent experiences accessing an application in region Y. What can I do?
  5. Can I use the Cloud Service Provider (CSP) backbone as a faster way to connect my sites instead of less reliable internet?

It basically boils down to having a more robust means to connect site-to-site, site-to-cloud, and inter-Region workloads in AWS. This is exactly what the Cisco SD-WAN and AWS Cloud WAN integration can offer.


AWS Cloud WAN is a managed WAN solution that was announced at AWS re:Invent 2021. It enables users to build a multi-Region global WAN network on the AWS backbone using simple policy statements. It removes the need to stitch together multiple Regions as is the case with AWS Transit Gateway.


The key building blocks of the AWS Cloud WAN architecture are:

  • Cloud WAN: Cloud WAN is a managed WAN service that allows enterprises to establish network connectivity across Regions using the AWS backbone. Cloud WAN can be enabled in a Region that is near to sites, users, or workloads. Cloud WAN includes the CNE (Core Network Edge), which is a Regional connection point. Resources are connected to a CNE using attachments (VPC, VPN, etc.).
  • Core Network Policy (CNP): A single JSON policy document that defines the whole configuration of the Cloud WAN. It lists the Regions through which the Cloud WAN extends. It carries the segment information which is used for routing separation. It also defines how the VPC and VPN attachments are connected to the network segments, along with route leak configuration for shared services use-cases.
  • Attachments: Attachments are a way to connect resources to the Cloud WAN. The types of attachments are VPC, VPN, Connect, and TGW.
  • Core Network Edge (CNE): The regional connection point managed by AWS in each Region, as defined in the Core Network Policy. Every attachment connects to a Core Network Edge.

Based on the CNP configuration, AWS Cloud WAN will create a CNE in each configured Region. The CNEs across all the Regions will automatically peer with each other. Cloud WAN also carries segment information across Regions, thus automatically creating an end-to-end routing domain for each individual segment. Resources are attached to the CNE and are mapped to a segment.

This Cloud WAN architecture’s built-in automation manages the complexity and provides customers with a simple plug-n-play approach to deploy and manage the cloud network.

Cisco SD-WAN Integration

The Cisco SD-WAN Cloud OnRamp for Multicloud with AWS provides enterprise customers the following capabilities to deploy a secure SD-WAN fabric over a reliable AWS Cloud WAN backbone.

  1. Automation: The integrated solution gives users the automation to integrate their SD-WAN policies with AWS cloud-native constructs for reliable and consistent sites and cloud deployments. Cisco vManage simplifies the process of creating and managing the Core Network Policy (CNP) document and AWS manages the implementation details.
  2. Security: AWS Cloud WAN’s built-in network segmentation enables seamless integration with Cisco SD-WAN to provide end-to-end segmentation. Using a simple workflow in Cisco vManage, enterprise customers can deploy carrier-grade transport (across Regions) using the AWS backbone.
  3. Observability: Cisco SD-WAN integration with AWS Cloud WAN simplifies operations by enabling visibility for the SD-WAN overlay and AWS Cloud WAN underlay in the vManage portal.

Cisco vManage will:

  • Discover workload VPCs across Regions
  • Tag the VPC attachment to map to a desired segment (VPN)
  • Deploy Cloud Gateway (CGW)
  • Instantiate CNE in the required region
  • Instantiate a Transit VPC (TVPC) with a pair of Cisco SD-WAN virtual edge routers
  • Establish VPN or Connect attachment and BGP peering between CNE and SD-WAN virtual edge router for each segment/VPN
  • Realize Intent by mapping SD-WAN VPN to AWS Cloud WAN segments

With the help of Cloud Gateway (CGW), the Cisco SD-WAN fabric is extended to the edge of the AWS Cloud in the desired Region. As shown in the topology above, Cisco vManage manages the SD-WAN policy across the fabric. This enables vManage to push consistent SD-WAN policies to the branches and Cisco SD-WAN virtual edge router in the TVPC. With the AWS Cloud WAN integration, vManage can create and update the CNP document. Using API calls, vManage pushes the CNP to AWS. AWS Cloud WAN then updates necessary configuration based on the policies defined in the CNP documents. Thus, Cisco SD-WAN intuitively helps create and manage end-to-end segments from the users to the application.

Automation Workflow

Cloud OnRamp for Multicloud automation follows a simple four-step workflow. Users can follow these steps to implement the AWS Cloud WAN integration:

1. Setup

Customer selects the solution and defines global parameters for the AWS Cloud WAN integration.

Cisco vManage OnRamp for Multicloud configuration

2. Discover

Customer uses the Discover option to discover host VPCs (workload VPCs) in the cloud. These VPCs can now be tagged with the segment name which attaches them to the desired VPN.

3. Deploy

At this step we deploy CGW in the AWS Region. Repeat this step for all the required AWS Regions to build a multi-region AWS Cloud WAN network.

4. Declare Intent

As a final step, users can map SD-WAN VPNs to AWS Cloud WAN segments by simply clicking on the specific matrix cell to establish the intended connections. In the example below, VPN 61 is mapped to the SALES segment. VPN 2 and VPN 10 are being configured to map to the TEST and PROD segments respectively.
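As an added illustration (not vManage code or an AWS artifact), the following builds the Core Network Policy document that corresponds to the Declare Intent mapping above (VPN 61 to SALES, VPN 2 to TEST, VPN 10 to PROD) in the AWS Cloud WAN policy format, and lints it for settings that would weaken end-to-end segmentation. The Regions, ASN range and the `segment` tag key are assumed placeholders.

```python
# Constructed from the Declare Intent step: VPN 61 -> SALES, VPN 2 -> TEST,
# VPN 10 -> PROD. Regions, ASN range and tag key are assumed placeholders.
VPN_TO_SEGMENT = {61: "SALES", 2: "TEST", 10: "PROD"}
EDGE_REGIONS = ["us-east-1", "eu-west-1"]
ASN_RANGES = ["64512-65534"]
TAG_KEY = "segment"  # tag placed on workload VPC attachments by vManage

def build_cnp(vpn_to_segment, regions, asn_ranges):
    """Build a Core Network Policy (AWS policy document format 2021.12)."""
    segments, rules = [], []
    for n, (vpn, seg) in enumerate(sorted(vpn_to_segment.items()), start=1):
        segments.append({
            "name": seg,
            # manual acceptance keeps a mis-tagged VPC out of the PROD segment
            "require-attachment-acceptance": seg == "PROD",
        })
        rules.append({
            "rule-number": n * 100,
            "condition-logic": "or",
            "conditions": [{"type": "tag-value", "key": TAG_KEY,
                            "operator": "equals", "value": seg}],
            # constant: this rule can only ever place a VPC into this segment
            "action": {"association-method": "constant", "segment": seg},
        })
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "asn-ranges": asn_ranges,
            "edge-locations": [{"location": r} for r in regions],
        },
        "segments": segments,
        "segment-actions": [],  # no route sharing: segments stay isolated
        "attachment-policies": rules,
    }

def lint_cnp(cnp):
    """Flag policy settings that weaken end-to-end segmentation."""
    defined = {s["name"] for s in cnp["segments"]}
    problems = []
    for r in cnp["attachment-policies"]:
        act = r["action"]
        if act["association-method"] != "constant":
            problems.append(f"rule {r['rule-number']}: tag value chooses the segment")
        elif act["segment"] not in defined:
            problems.append(f"rule {r['rule-number']}: unknown segment {act['segment']}")
    for sa in cnp["segment-actions"]:
        if sa.get("action") == "share" and sa.get("share-with") == "*":
            problems.append(f"segment {sa['segment']}: routes shared with all segments")
    return problems
```

`json.dumps(build_cnp(VPN_TO_SEGMENT, EDGE_REGIONS, ASN_RANGES), indent=2)` yields the policy document; a `share` action with `"share-with": "*"` or a tag-driven association is what the lint step reports.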

That’s all it takes to bring up the AWS Cloud WAN integration using vManage.

The complementary partnership between Cisco and AWS delivers a simplified WAN for:

  • Unified Management – leverage an intuitive workflow to deploy site-to-cloud and site-to-site connectivity over a reliable backbone network, with end-to-end visibility and assurance, via a single UI, Cisco vManage.
  • Security – The built-in segmentation in AWS Cloud WAN not only simplifies VPN mapping with Cisco SD-WAN but also enables propagation of unified business-intent policies across the network.
  • Reduced TCO – Reduced deployment time for overlays and underlays; the ability to deploy dynamically in software is critical, as traditional MPLS circuits take weeks or months to provision. Significantly lower OpEx through improved performance and a reliable, on-demand consumption model provisioned through Cisco vManage.

To summarize, the Cisco SD-WAN and AWS Cloud WAN integration will simplify Site-to-Cloud, Site-to-Site, and inter-Region workload use-cases for customers. This frees customers from dealing with the complexity of today’s WAN requirements and lets them focus on their users, applications, and core business.

To learn more:


Diptish Doshi

Technical Marketing Engineer, Cloud

Enterprise Networking