Guest post by Fan Yang & Tony Banuelos

Enterprises across all verticals are migrating their applications to public cloud (IaaS) services and taking advantage of the large cost savings on compute hosting. But the cost benefits shouldn’t come at the expense of security, scalability or customer experience. Enterprises require the same level of secure network access, control and visibility in the cloud as they have on their on-premises networks. Cloud providers offer basic network functions such as IPsec VPN, BGP routing and NAT. That is good enough to build a simple site-to-site VPN network with some routing, but enterprises quickly face these challenges:

  1. How can I build a hub spoke network with transit routing capability?
  2. How can I visualize my traffic across different locations?
  3. How can I select the best path for different applications if I have both Internet and AWS Direct Connect or Azure Express Route at the same time?

With the Cisco IWAN solution running on Cisco CSR1000v, a network admin can extend Cisco IWAN capabilities into a public cloud (AWS, Azure, Alibaba Cloud [coming soon]).

What is Cisco IWAN (Intelligent WAN)?

  • Transport-independent design: you can choose whatever combination of providers and connectivity that works best for you.
  • Intelligent path control: automatically route network traffic and load-balance based on the “best path” to make sure your applications perform well.
  • Application optimization: add WAN optimization and caching to help applications run faster and efficiently using your current WAN bandwidth.
  • Secure connectivity: block attacks with highly secure VPN overlay and strong encryption techniques.

How do I provision IWAN?

Cisco Application Policy Infrastructure Controller – Enterprise Module (APIC-EM) is the Cisco SD-WAN controller. The IWAN app on APIC-EM simplifies WAN deployments by providing a highly intuitive, policy-based interface that helps IT abstract network complexity and design for business intent. The IWAN application follows the Cisco Validated Design prescriptively and provisions its core pillars for a large number of sites from a central location.

How do I use IWAN in public cloud?

The Cisco® Cloud Services Router 1000v (CSR 1000v) is a virtual form factor router that delivers comprehensive WAN gateway and network services functions into virtual and cloud environments. It’s offered in AWS and Azure marketplaces. You can easily deploy it like any virtual machine and manage it through Cisco APIC-EM.

Enterprise customers can have dual links into public clouds: one dedicated MPLS link such as Amazon AWS Direct Connect or Microsoft Azure ExpressRoute for fast, private connectivity, and a second, Internet-based VPN link. Most enterprise customers also have multiple VPC (Virtual Private Cloud) or VNet (Virtual Network) connections across different regions, in addition to their on-premises network. Enabling IWAN on CSR1000v builds an overlay network that interconnects these resources in a scalable way, recognizes your application traffic, and splits it across the available paths according to business priority.

As shown in the network topology above, you may have multiple VPCs in the AWS cloud and one physical branch. You can turn your AWS VPC network into an IWAN hub-and-spoke design by running CSR1000v as an IWAN BR (Border Router). APIC-EM is hosted in your hub (Cloud Data Center) to provision IWAN services for the IWAN hub and branches, both virtual and physical.

LiveAction is used to visualize traffic for PfR (Performance Routing) path selection. For example, the following diagram shows how “HTTP” traffic is routed over INET (Internet) while “FTP” traffic is routed over MPLS (Direct Connect), based on an application policy set in APIC-EM.
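To make the path-selection policy above concrete, here is an added, illustrative PfRv3 (IWAN Performance Routing) configuration sketch for the hub master controller and a border router. It is not configuration from the post, from APIC-EM, or from any Cisco design guide; the domain name `IWAN`, the path names `MPLS` and `INET`, the tunnel numbers, the prefix-list names and the loopback interface are all assumptions, and APIC-EM normally generates the equivalent configuration for you. The intent it expresses is the one described in the text: FTP (bulk data) prefers the Direct Connect/MPLS path and falls back to the Internet VPN, while HTTP prefers the Internet path and falls back to MPLS if its performance thresholds are violated.

```text
! --- Hub site: master controller (assumed names throughout) ---
domain IWAN
 vrf default
  master hub
   source-interface Loopback0
   site-prefixes prefix-list HUB_PREFIXES
   enterprise-prefix prefix-list ENTERPRISE_PREFIXES
   load-balance
   ! FTP is bulk data: keep it on the private Direct Connect (MPLS) path,
   ! fall back to the Internet VPN only if MPLS is out of policy or down.
   class BULK_DATA sequence 10
    match application ftp policy bulk-data
    path-preference MPLS fallback INET
   ! HTTP rides the Internet path by default so that MPLS capacity is
   ! preserved for business-critical traffic; fall back to MPLS if needed.
   class WEB sequence 20
    match application http policy best-effort
    path-preference INET fallback MPLS

! --- Hub site: border router (CSR1000v in the cloud VPC) ---
domain IWAN
 vrf default
  border
   source-interface Loopback0
   master local
!
! Each DMVPN tunnel is tagged with the path it represents so that PfR
! can steer traffic per class; the underlying transports are the
! Direct Connect link and the Internet link described in the post.
interface Tunnel100
 description DMVPN over Direct Connect / MPLS
 domain IWAN path MPLS
!
interface Tunnel200
 description DMVPN over Internet VPN
 domain IWAN path INET
```

Two points worth checking in a real deployment: the `match application` classes depend on NBAR2 being able to classify the flows, so encrypted or non-standard-port traffic may land in a different class than expected; and the `policy` keywords (`bulk-data`, `best-effort`) refer to predefined PfRv3 policy templates with their own loss, delay and jitter thresholds, which determine when the fallback path is actually used. Verifying the chosen path with LiveAction, as the post describes, is the practical way to confirm that the configured intent matches observed behaviour.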

If you are interested in this solution and want to understand more details, please watch our demo video:


Cathy Karaguez

Product Marketing Manager