SD-WAN Integration with AWS: Transit Gateway Connect and Overlay Networks
Designing for integration of a software-defined wide area network (SD-WAN) with AWS (for example, Transit Gateway Connect, overlay networks)
Integrating Software-Defined Wide Area Networking (SD-WAN) with AWS allows enterprises to extend their automated, policy-driven wide-area networks into the cloud. This guide focuses on the architectural patterns, specifically Transit Gateway (TGW) Connect, which simplifies the deployment of third-party SD-WAN appliances within AWS.
Learning Objectives
After studying this guide, you should be able to:
- Explain the role of the SD-WAN Orchestrator and Controller in a hybrid cloud environment.
- Describe the architecture of Transit Gateway Connect and its reliance on GRE tunnels.
- Differentiate between Transit VPC architectures and native Transit Gateway Connect attachments.
- Configure BGP peering over GRE for dynamic routing between AWS and SD-WAN appliances.
- Identify performance considerations like MTU, bandwidth limits, and redundancy.
Key Terms & Glossary
- SD-WAN (Software-Defined WAN): A virtualized service that connects and extends enterprise networks over large geographical distances using centralized control to manage traffic.
- GRE (Generic Routing Encapsulation): A tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links.
- Overlay Network: A virtual network built on top of an underlying physical network (Underlay). SD-WAN uses overlays to create encrypted, logical paths.
- TGW Connect Attachment: A native AWS Transit Gateway attachment type used to connect SD-WAN appliances to a Transit Gateway without needing separate IPsec VPNs.
- BGP (Border Gateway Protocol): The routing protocol used to exchange reachability information between the SD-WAN appliances and AWS Transit Gateway.
The "Big Idea"
Historically, connecting branch offices to AWS required a complex mesh of IPsec VPNs or Direct Connect links, often managed manually. SD-WAN integration via TGW Connect treats the AWS Cloud as another "branch" or "data center" in the existing SD-WAN fabric. By using GRE tunnels instead of IPsec, AWS provides higher bandwidth (up to 5 Gbps per Connect peer) and reduced management overhead, allowing the SD-WAN controller to push routing policies directly into the AWS network environment.
Formula / Concept Box
| Concept | Metric / Rule | Importance |
|---|---|---|
| TGW Connect Bandwidth | Up to 5 Gbps per Connect peer | Higher than the 1.25 Gbps limit of standard VPN tunnels. |
| GRE Overhead | 24 Bytes | Reduces the effective MTU for payload traffic (Standard 1500 becomes 1476). |
| BGP Peers | 2 peers per Connect attachment | Provides routing plane redundancy for high availability. |
| Encapsulation | GRE (Generic Routing Encapsulation) | Essential because TGW Connect does not natively use IPsec for this specific attachment type. |
Hierarchical Outline
- SD-WAN Architecture Components
- SD-WAN Edge: Physical or virtual appliance (EC2) at the network boundary.
- SD-WAN Controller: Manages the control plane and distributes routing policies.
- SD-WAN Orchestrator: Centralized management UI for monitoring and configuration.
- Connectivity Patterns
- Transit VPC (Legacy): Uses EC2 instances as software routers; high management overhead.
- Transit Gateway Connect (Modern): AWS-managed integration using GRE tunnels over VPC or DX attachments.
- Routing & Protocols
- Underlay: The physical transport (Internet or Direct Connect).
- Overlay: The GRE tunnels carrying tenant traffic.
- Dynamic Routing: BGP sessions established inside the GRE tunnels.
Visual Anchors
SD-WAN Integration Flow
Packet Encapsulation Visual (TikZ)
% requires \usetikzlibrary{decorations.pathreplacing} for the brace decoration
\begin{tikzpicture}[font=\small]
  \draw[fill=blue!10]  (0,0)    rectangle (8,1)    node[pos=.5] {Original IP Payload (TCP/UDP)};
  \draw[fill=green!10] (-2.5,0) rectangle (0,1)    node[pos=.5] {GRE Header (4B)};
  \draw[fill=red!10]   (-6,0)   rectangle (-2.5,1) node[pos=.5] {Outer IP Header (20B)};
  \draw[decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}]
    (-6,0) -- (0,0) node[black, midway, yshift=-0.8cm] {Encapsulation Overhead (24 Bytes)};
\end{tikzpicture}
Definition-Example Pairs
- Dynamic Path Selection: The ability of SD-WAN to choose the best link (MPLS vs. Internet) based on real-time latency.
- Example: A VoIP call is automatically routed over an MPLS link because the SD-WAN controller detects high jitter on the secondary Internet connection.
- Transit Gateway Connect Peer: The logical BGP peering established between the TGW and the SD-WAN appliance.
- Example: Creating a peer with IP 169.254.100.1 on the TGW and 169.254.100.2 on a Cisco CSR1000v instance to exchange routes.
- Transitive Routing: The ability for traffic to pass through a hub to reach a destination.
- Example: A branch office accessing an S3 interface endpoint in a spoke VPC by passing through the Transit Gateway hub.
Worked Examples
Scenario: Connecting an SD-WAN Appliance to TGW via Connect Attachment
Goal: Establish a 5 Gbps GRE-based connection between an EC2-based SD-WAN appliance and a TGW.
- Create the Transport Attachment: First, create a standard VPC attachment for the VPC where your SD-WAN appliance resides. This is the "Underlay."
- Create the Connect Attachment: Navigate to Transit Gateway Attachments and select "Connect." Choose the Transport Attachment created in Step 1 as the source.
- Define the Connect Peer:
  - Transit Gateway Address: 10.0.0.1 (an IP within the VPC CIDR).
  - Peer Address: 10.0.0.10 (the private IP of the SD-WAN EC2 instance).
  - BGP Inside CIDR: 169.254.6.0/29 (the range used for the BGP session).
- Configure the Appliance: On your SD-WAN EC2 instance, configure a GRE tunnel interface pointing to 10.0.0.1 and set up BGP to peer with the TGW.
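The peer definition in Step 3 can be sanity-checked before it is entered in the console. The Python below is an added example, not AWS code: it validates the BGP inside CIDR against the rules the guide relies on (a /29 from 169.254.0.0/16) and derives the BGP session addresses and tunnel MTU for the values used above. The reserved-block list, the peer-first/TGW-next-two address layout and the `vpc_cidr` parameter are assumptions taken from memory of the AWS documentation and should be verified against the current docs.

```python
import ipaddress

# Rules for the BGP inside CIDR of a TGW Connect peer as given in the AWS documentation
# (an IPv4 /29 from 169.254.0.0/16, avoiding the reserved blocks below); the reserved
# list is reproduced from memory and should be verified before relying on it.
INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")
RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")]
GRE_OVERHEAD = 24  # outer IPv4 header (20) + plain GRE header (4)

def plan_connect_peer(tgw_address, peer_address, inside_cidr, vpc_cidr, transport_mtu=1500):
    """Validate the Connect peer inputs and derive the BGP session and tunnel settings."""
    problems = []
    try:
        inside = ipaddress.ip_network(inside_cidr, strict=True)
    except ValueError:
        return {"ok": False, "problems": ["BGP inside CIDR is not a valid network address"]}
    tgw = ipaddress.ip_address(tgw_address)
    peer = ipaddress.ip_address(peer_address)
    if peer not in ipaddress.ip_network(vpc_cidr):
        problems.append("peer (appliance) address is outside the transport VPC CIDR")
    if tgw == peer:
        problems.append("transit gateway and peer GRE addresses must differ")
    if inside.version != 4 or inside.prefixlen != 29 or not inside.subnet_of(INSIDE_RANGE):
        problems.append("BGP inside CIDR must be an IPv4 /29 from 169.254.0.0/16")
    elif any(inside.overlaps(r) for r in RESERVED_INSIDE):
        problems.append("BGP inside CIDR overlaps an AWS-reserved block")
    if problems:
        return {"ok": False, "problems": problems}
    hosts = list(inside.hosts())  # the six usable addresses of the /29
    # Assumed address layout, matching the documented example (169.254.6.1 for the peer,
    # 169.254.6.2 and 169.254.6.3 for the two transit gateway BGP speakers).
    return {
        "ok": True,
        "peer_bgp": str(hosts[0]),
        "tgw_bgp": [str(hosts[1]), str(hosts[2])],
        "gre_tunnel": {"local": str(peer), "remote": str(tgw), "mtu": transport_mtu - GRE_OVERHEAD},
    }
```

Compare the returned `peer_bgp` and `tgw_bgp` values with what the console shows for the created peer; a mismatch means the address layout assumption does not hold for your account and the appliance BGP configuration must use the console values.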
Checkpoint Questions
- What is the primary transport protocol used by Transit Gateway Connect for its overlay tunnels?
- Why would an engineer choose TGW Connect over a standard Site-to-Site VPN?
- If the underlying VPC attachment has an MTU of 1500, what is the maximum possible MTU for traffic inside a TGW Connect GRE tunnel?
- True/False: TGW Connect supports both IPv4 and IPv6 traffic via MP-BGP.
Answers
- GRE (Generic Routing Encapsulation).
- Higher bandwidth (5 Gbps vs 1.25 Gbps) and native integration with SD-WAN orchestrators.
- 1476 bytes (1500 - 24 bytes of GRE/IP overhead).
- True (though BGP sessions must often be established over IPv4).
Muddy Points & Cross-Refs
- MTU Issues: One of the most common failures is packet drop due to the 24-byte GRE overhead. Always ensure MSS Clamping is configured on the SD-WAN appliance to prevent fragmentation.
- GRE vs. IPsec: TGW Connect does not provide encryption natively. If you require encryption for traffic over the GRE tunnel, you must either use an IPsec underlay (VPN) or ensure the SD-WAN appliance performs its own encryption before GRE encapsulation.
- Direct Connect Integration: TGW Connect can also run over a Direct Connect gateway attachment (Transit VIF), allowing SD-WAN to extend over private fiber links.
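To make the 24-byte overhead and the lack of encryption concrete, here is an added example that is not part of the original guide: it builds a GRE-encapsulated TCP SYN from constructed addresses, parses it the way a capture tool on the underlay would, and reports whether the advertised MSS exceeds what a 1476-byte tunnel can carry (the case MSS clamping prevents). All addresses, ports and the MSS value are constructed sample data.

```python
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header for a constructed sample (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def tcp_syn_header(sport, dport, mss):
    """20-byte TCP SYN plus a 4-byte MSS option (data offset = 6 words)."""
    base = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    return base + struct.pack("!BBH", 2, 4, mss)

def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Plain GRE (RFC 2784): 4-byte header without key/sequence, then the inner IP packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet)) + gre + inner_packet

def inspect_gre(packet, transport_mtu=1500):
    """Parse outer IP + GRE, read the cleartext inner flow and check whether its MSS fits the tunnel."""
    outer_ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer header does not carry GRE")
    flags, _ptype = struct.unpack("!HH", packet[outer_ihl:outer_ihl + 4])
    # Optional GRE fields (RFC 2890) each add 4 bytes: checksum, key, sequence number.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    overhead = outer_ihl + gre_len
    inner = packet[overhead:]
    inner_ihl = (inner[0] & 0x0F) * 4
    tcp = inner[inner_ihl:]
    mss, opts, i = None, tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:      # walk TCP options until End-of-List
        if opts[i] == 1:                         # No-Operation padding
            i += 1
            continue
        if opts[i] == 2:                         # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(opts[i + 1], 2)                 # guard against a zero option length
    tunnel_mtu = transport_mtu - overhead
    max_mss = tunnel_mtu - inner_ihl - 20        # room left for the TCP payload
    return {"overhead": overhead, "tunnel_mtu": tunnel_mtu,
            "inner_flow": (".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20]))),
            "advertised_mss": mss, "max_safe_mss": max_mss,
            "needs_mss_clamp": mss is not None and mss > max_mss}
# Constructed sample: appliance 10.0.0.10 -> TGW 10.0.0.1 carrying a branch host's TCP SYN.
SAMPLE = gre_encapsulate("10.0.0.10", "10.0.0.1",
                         ipv4_header("192.168.10.5", "10.20.0.7", 6, 24) + tcp_syn_header(51000, 443, 1460))
```

Because GRE hides nothing, anyone observing the underlay sees the same inner addresses and options the parser returns, which is why the encryption caveat above matters; the `needs_mss_clamp` result is the condition an MSS clamp on the appliance is meant to remove.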
Comparison Tables
Connectivity Comparison
| Feature | Transit VPC (Legacy) | TGW Connect (Managed) |
|---|---|---|
| Management | Manual (Manage EC2 routers) | AWS Managed Service |
| Throughput | Limited by EC2 Instance Size | 5 Gbps per Peer |
| Routing | BGP over IPsec | BGP over GRE |
| Cost | EC2 + Software Licensing | TGW Hourly + Data Processing |
| Complexity | High (Lambda/Scripts needed) | Low (Native Attachment Type) |