Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What is SD-WAN?
SD-WAN (Software-Defined WAN) is a technology that uses software to manage and optimize network traffic across multiple WAN links (like internet, MPLS, VPN).
Key features:
- Centralized control (policy-based routing)
- Dynamic path selection (chooses best path automatically)
- Application-aware routing (prioritizes important traffic)
- Supports multiple transport types (internet, MPLS, LTE)
In AWS context:
SD-WAN appliances (physical or virtual) can be deployed in:
- On-premises data centers
- Branch offices
- Cloud environments (including AWS VPCs)
2. Why Use SD-WAN with AWS?
SD-WAN integration with AWS helps achieve:
a. Simplified Connectivity
- Reduces dependency on complex traditional routing setups
- Centralizes network management
b. Improved Performance
- Routes traffic based on latency, packet loss, or application type
- Ensures critical applications get better paths
c. Better Scalability
- Easily connect multiple branches to AWS
- Supports hybrid and multi-cloud environments
d. Cost Optimization
- Uses cheaper internet links instead of expensive private circuits when possible
3. AWS Services Used in SD-WAN Integration
3.1 AWS Transit Gateway
AWS Transit Gateway is a hub that connects:
- Multiple VPCs
- On-premises networks
- VPNs and Direct Connect
Key Role:
- Acts as a central routing hub
- Simplifies network architecture (hub-and-spoke model)
3.2 Transit Gateway Connect
Transit Gateway Connect is specifically designed for SD-WAN integration.
Purpose:
- Allows SD-WAN devices to connect directly to Transit Gateway using GRE tunnels
- Supports dynamic routing using BGP
Key Components:
- GRE tunnels (Generic Routing Encapsulation)
- BGP (Border Gateway Protocol)
- Connect attachments on Transit Gateway
3.3 Overlay Networks
SD-WAN uses overlay networks to create logical connections over existing physical infrastructure.
Definition:
An overlay network is a virtual network built on top of an underlying network (underlay).
In SD-WAN:
- SD-WAN devices build encrypted tunnels (often over internet)
- These tunnels form the overlay network
In AWS:
- Overlay is created between SD-WAN devices and Transit Gateway using:
- GRE tunnels
- IPsec tunnels (in some cases)
4. How SD-WAN Integrates with AWS
Step-by-Step Flow:
Step 1: Establish Underlay Connectivity
- Internet, MPLS, or Direct Connect is used as the physical path
- This is called the underlay network
Step 2: Create Overlay Tunnels
- SD-WAN devices create GRE tunnels to AWS Transit Gateway
- These tunnels form the logical network (overlay)
Step 3: Use Transit Gateway Connect
- A Transit Gateway Connect attachment is created
- SD-WAN devices connect to this attachment using GRE tunnels
Step 4: Exchange Routes with BGP
- BGP is used for dynamic routing
- Routes are exchanged between:
- SD-WAN edge devices
- AWS Transit Gateway
Step 5: Traffic Steering
- SD-WAN policies determine:
- Which path to use
- How to prioritize traffic
- Traffic can be routed:
- Based on application
- Based on performance metrics (latency, jitter, loss)
5. BGP in SD-WAN + AWS
BGP is critical in SD-WAN integration.
Key functions:
- Exchanges routing information dynamically
- Supports failover and redundancy
- Allows path selection based on policy
In Transit Gateway Connect:
- BGP runs over GRE tunnels
- AWS and SD-WAN devices advertise routes
- Enables dynamic routing between on-premises and AWS
6. Routing Design Considerations
a. Route Control
- Use BGP attributes to control routing:
- AS Path
- Local Preference
- MED (Multi-Exit Discriminator)
b. Traffic Segmentation
- Use different overlays for:
- Production traffic
- Backup traffic
- Management traffic
c. High Availability
- Use multiple tunnels and redundant paths
- Connect multiple SD-WAN appliances
- Deploy across multiple AWS Availability Zones
d. Security
- Encrypt traffic (IPsec tunnels if needed)
- Use segmentation and access control policies
- Use AWS security features like:
- Security Groups
- Network ACLs
7. SD-WAN Traffic Flow in AWS
Typical traffic flow:
- Application traffic originates in on-premises network
- SD-WAN appliance evaluates:
- Policy rules
- Network performance
- Traffic is sent through the best path:
- GRE tunnel to AWS
- Traffic reaches:
- Transit Gateway
- Transit Gateway routes traffic to:
- Target VPC
8. Exam-Relevant Key Points
You MUST remember:
- SD-WAN uses overlay networks over an underlay (internet/MPLS)
- Transit Gateway Connect is used to integrate SD-WAN with AWS
- GRE tunnels + BGP are the main mechanisms used
- Transit Gateway acts as a central routing hub
- SD-WAN enables:
- Dynamic path selection
- Application-aware routing
- Centralized control
9. Common Exam Scenarios
Scenario 1:
Need dynamic routing between SD-WAN and AWS
→ Use Transit Gateway Connect + BGP
Scenario 2:
Need multiple branch offices connected to AWS
→ Use SD-WAN overlay + Transit Gateway hub-and-spoke model
Scenario 3:
Need high availability with multiple paths
→ Use:
- Multiple GRE tunnels
- Multiple SD-WAN devices
- Multiple Transit Gateway attachments
Scenario 4:
Need performance-based routing
→ Use SD-WAN policies + BGP route control
10. Summary (Quick Revision)
- SD-WAN = software-based WAN management with dynamic routing
- Overlay network = virtual network on top of physical network
- Underlay = physical network (internet, MPLS, Direct Connect)
- Transit Gateway = central routing hub
- Transit Gateway Connect = integrates SD-WAN using GRE + BGP
- BGP = dynamic route exchange and path selection
- Benefits:
- Flexibility
- Scalability
- Better performance
- Cost optimization
