Achieving a successful implementation of AWS Cloud WAN

The following article describes a step-by-step implementation of a typical AWS Cloud WAN setup.

AWS Cloud WAN overview

AWS Cloud WAN is a global service built from regional Core Network Edges (CNEs); each CNE behaves like a managed transit gateway within its Region. It supports the same attachment types as a transit gateway, such as VPC, VPN and Connect attachments, with the exception of the Direct Connect Gateway (DXGW), which AWS Cloud WAN does not support directly at the time of writing.

Each CNE acts as a routing hub, directing traffic from different attachments. AWS automatically establishes full mesh peering between each CNE within the global core network locations.

Segments are very similar to VRFs and provide multiple routing domains. Currently, the core network supports up to 40 segments, and this is a hard limit. A Core Network Policy JSON document governs the whole Cloud WAN configuration: it contains all the necessary details, including the BGP AS number range, segments, attachment policies, CNE locations and routing.

AWS Cloud WAN provides many advantages over Transit Gateway, but the most valuable is the automatic full mesh peering, especially when multiple Regions are configured.

This step-by-step guide shows how to build an AWS Cloud WAN setup with four segments deployed across four AWS Regions.

Segment Name | AWS Regions used
Shared       | ap-southeast-2

A visual depiction of the setup is presented below. Multiple VPCs are deployed in each environment within every region. A Transit Gateway will be configured to emulate a Direct Connect Gateway in the shared segment.

[Screenshot: AWS Cloud WAN typical setup]

This guide assumes the deployment takes place in an environment configured with AWS Organizations, and that a dedicated AWS network account has already been created. This is needed to enable multi-account support and delegate administration of Network Manager to that network account.

The basics of Cloud WAN: step-by-step implementation

Building the basic setup

1. Log in to the management account (master account), open the AWS Network Manager service and select Global Networks.

[Screenshot: AWS Network Manager menu]

2. Click Enable multi-account support.

[Screenshot: Cloud WAN enable multi-account support]

3. Choose Settings from the AWS Network Manager menu, enable trusted access and enter the account ID of the network account created earlier as the delegated administrator.

[Screenshot: setting the delegated administrators]

4. The next step is to log in to the AWS network account. Once logged in, open the AWS Network Manager service and click the Global Networks option again.

5. Enter the name, description and required tags for the Global Network and click Next.

[Screenshot: creating the AWS global network]

6. The next step is to start creating the core network. Click the option to add the core network to your global network.

7. Enter the name, description and required tags of the core network in the core network general settings.

[Screenshot: creating the core network]

8. Enter the AS number range used by the core network. It is essential to assign a UNIQUE AS number range that is not already in use anywhere in the existing network environment; conflicting AS numbers will cause problems.

[Screenshot: setting the core network policies]

9. Choose the required edge locations, i.e. the Regions where resources will be deployed.

10. Enter the name and description of the segment, such as Production, QA, Corporate or Shared. Note that only one segment is created now; the other segments will be created later.

11. Review the settings and click the Create Global network button.

[Screenshot: review core network policies]

12. Once the process is finished, click on the newly created global network to see where the CNEs were created.

If everything was created correctly, a topology similar to the one shown below is displayed.

[Screenshot: core network topology diagram]

Sharing the Core network infrastructure

13. The next step is to click Core network, choose the Sharing tab and click the Share core network button.

[Screenshot: sharing the AWS core network]

14. Click the Create resource share button and enter a name for the resource share.

[Screenshot: creating the share for the AWS core network]

From the resources list, choose Core networks.

[Screenshot: share name details]

15. Choose the appropriate core network ARN and resource ID and click Next.

[Screenshot: associating the core network as a resource of the new share]

16. Click Next.

[Screenshot: set share permissions]

17. If you need to share with a particular AWS account, organization, OU, IAM role or IAM user, select Allow sharing with anyone. Usually the core network is shared only with accounts within your organization, so in that case click Allow sharing only within your organization. If both scenarios are needed, I would create two resource shares, one for the organization and the other for external users.

[Screenshot: defining the share scope]

Specify the required details (in this case, the account ID), click Add and then click Next.

[Screenshot: setting the shared resources]

18. Review the settings and click Create resource share.

[Screenshot: reviewing the share details and creating the share]

Once the share is created, a screen similar to the one below should be visible.

[Screenshot: verifying the share is created]

A similar output should be visible on the Sharing tab of the core network.

Creating the segments needed

19. Go back to the core network menu to start creating the segments: choose Policy versions under the core network, click the latest applied policy version (Live, Latest) and click the Edit button.

[Screenshot: core network policy]

[Screenshot: starting the edit process for the core network policy]

20. Click on the Segments tab.

21. Click on the Create button.

22. Enter the segment name and description, and whether the segment requires acceptance before an attachment joins it. If needed, the new segment can be limited to specific edge locations (choose the required edge locations). Finally, click the Create Segment button. Repeat the process for all the segments needed.

[Screenshot: configuring the segment details]

Note: if Require acceptance is selected, each attachment to that segment must be approved before it becomes active.

23. Click the Create policy button to start generating the policy.

[Screenshot: saving the new policy]

Once the request for a new policy is generated, the state changes to Pending generation and then to Ready to execute.

24. The next step is to apply the changes by selecting the required policy version and clicking the View or apply change set button.

25. If you need to compare policy versions before applying, click Compare policy versions; otherwise click View or apply change set.

26. Click Apply change set to apply the changes shown below.

27. Executing the policy takes some time; the status and progress are shown in the change set state, and the Executing progress tab shows the number of remaining tasks.

28. The next step is to create the attachment policies that associate the transit gateways, VPCs and VPNs with the appropriate segments. Click on the latest policy version, click Edit and choose Attachment policies.

29. Click Create.

Creating the Cloud WAN attachment policies

30. Enter the rule number, description, and segment name associated with the attachment. You will need multiple attachment policies to cater for all the segments.

In my case, the following rules are used to match each attachment to its respective segment:

a) By attachment-type, to cater for VPN and Connect attachments

b) By tag: confirm that the Segment tag exists and match the value of the Segment tag

To set up the attachment policies by attachment-type for VPNs:

In the Conditions section, choose Attachment type as the type and set the condition value for VPN to site-to-site-vpn:

For Connect attachment types, set the condition value to connect.

In both cases, once the conditions are set, click the Create attachment policy button.

When applied, two attachment policies by resource type are created.

31. The next attachment policy required is for VPC attachments. Repeat step 25 with a unique rule number, choose the following conditions for production and click Create attachment policy.

Repeat the process for all the segments required and always use different rule numbers.

32. Once all attachment policies are created, a new policy must be generated and applied. Click the Create policy button as shown to start generating the new policy.

33. Once the newly created policy's state is Ready to execute, repeat steps 20-23 to apply it to the live policy.

34. The next step is to attach the VPCs to their respective segments. Click Attachments under the core network option and click Create attachment.

35. Enter the name, the required edge location and the attachment type (in this case VPC).

If a stateful network appliance is configured in the VPC, enable appliance mode so that Cloud WAN keeps a given flow in the same AZ and avoids asymmetric routing (appliance mode is currently only supported for VPC attachments).

If IPv6 is used within the VPC, enable IPv6 support. Only dual-stack configuration is currently supported by VPC attachments with Cloud WAN.

Choose the VPC id and the necessary subnets.

36. The final step before creating the VPC attachment is tagging, which is extremely important because the tag binds the attachment to the appropriate segment.

In this case the production segment is used, which requires the tag key Segment with the value prod. Click the Create attachment button to create the attachment.

37. Attachments to the production segment are not accepted automatically, so they must be accepted before they are available for use (we set Require acceptance in the segment properties).

Select the attachment to be accepted and click the Accept button.

The state of the attachment changes from Pending attachment acceptance to Creating and then Pending network update until it becomes Available.

38. Repeat steps 31-34 for the other segments. It is essential to change the Segment tag value to match the attachment policies.

39. Once all the VPC attachments are created, the next step is to add the VPN attachments. The process is very similar to the VPC attachment, but for the attachment type choose VPN from the dropdown menu and select the respective VPN ID. The Segment tag with the appropriate value is needed to bind the VPN attachment to the required segment.

40. The next step is to add the transit gateway (already created) to the core network. For more information on creating a transit gateway, please refer to "Creating a working AWS transit gateway in 5 mins". Click the Transit gateways option of the global network, as shown below:

[Screenshot: AWS Network Manager menu]

41. Click Register transit gateway.

42. Choose the transit gateway to be added and click Register transit gateway.

Once registered, a similar output should be observed.

If you require more details, click on the TGW ID.

43. Once the transit gateway is registered, click the Peering option and click Create peering.

44. Enter the peering name, the edge location and the transit gateway (note that the transit gateway needs to be in the same Region as the edge location).

45. The next step is to associate a policy table and create the peering. In this case a new policy table is created rather than reusing an existing one. To create the peering, click Create peering.

A similar output should be visible once the peering creation has started.

46. Once created, click on the new peering and choose Associate policy table.

47. Choose New and click Associate policy table.

Once created and associated, a similar output should be visible.

48. The next step is to attach the transit gateway route table. Start by clicking the Attachments option.

[Screenshot: AWS Network Manager menu]

49. Click Create attachment.

50. Enter the attachment name and choose the appropriate edge location. Change the attachment type to Transit gateway route table.

51. Choose the transit gateway peering and the transit gateway route table. Enter the required tags and click Create attachment.

52. The next step is to assign an attachment policy to the new transit gateway route table attachment. Click Policy versions, choose the Live, Latest policy and click Edit.

[Screenshot: AWS Network Manager menu]

53. Click the Attachment policies tab and click Create (not the Create policy button).

54. Enter a unique rule number (100 in this case), the segment to attach to and your preferred attachment acceptance option.

[Screenshot: AWS Cloud WAN attachment policy configuration]

55. The next step is to bind the condition that assigns the attachment policy to the required segment. In this case, the criteria to match the attachment with the required segment are as follows:

Type            | Condition Values
Attachment type | transit-gateway-route-table

Set the attachment type to transit-gateway-route-table and click Create attachment policy.
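To show what the attachment policies from steps 28-55 look like inside the Core Network Policy JSON, and how rule numbers and conditions decide which segment an attachment lands in, here is an added example that is not the article's own code. The policy document is constructed for this illustration: the ASN range, the single edge location and the choice to put VPN/Connect attachments in the shared segment are assumptions, and the resolver imitates the lowest-rule-number-first evaluation using only the condition types and the equals operator this setup needs.

```python
import json

# Constructed Core Network Policy fragment mirroring the article's rules. Assumed values:
# the ASN range, the edge-location list and that VPN/Connect attachments belong to "shared".
POLICY = json.loads("""{
  "version": "2021.12",
  "core-network-configuration": {"asn-ranges": ["64512-64555"],
                                 "edge-locations": [{"location": "ap-southeast-2"}]},
  "segments": [{"name": "shared", "require-attachment-acceptance": false},
               {"name": "prod", "require-attachment-acceptance": true}],
  "attachment-policies": [
    {"rule-number": 100, "condition-logic": "or",
     "conditions": [{"type": "attachment-type", "operator": "equals", "value": "site-to-site-vpn"},
                    {"type": "attachment-type", "operator": "equals", "value": "connect"}],
     "action": {"association-method": "constant", "segment": "shared"}},
    {"rule-number": 200, "condition-logic": "and",
     "conditions": [{"type": "tag-exists", "key": "Segment"},
                    {"type": "tag-value", "key": "Segment", "operator": "equals", "value": "prod"}],
     "action": {"association-method": "constant", "segment": "prod"}},
    {"rule-number": 300, "condition-logic": "and",
     "conditions": [{"type": "attachment-type", "operator": "equals", "value": "transit-gateway-route-table"}],
     "action": {"association-method": "constant", "segment": "prod", "require-acceptance": true}}]
}""")


def _holds(cond, attachment):
    """Evaluate one condition; only the 'equals' operator used in POLICY is implemented here."""
    tags = attachment.get("tags", {})
    if cond["type"] == "attachment-type":
        return attachment["type"] == cond["value"]
    if cond["type"] == "tag-exists":
        return cond["key"] in tags
    if cond["type"] == "tag-value":
        return tags.get(cond["key"]) == cond["value"]
    raise ValueError(f"condition type {cond['type']} not implemented in this example")


def resolve_segment(policy, attachment):
    """Return (segment, requires_acceptance) from the lowest-numbered matching rule, or None."""
    segments = {s["name"]: s for s in policy["segments"]}
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        combine = any if rule.get("condition-logic") == "or" else all
        if combine(_holds(c, attachment) for c in rule["conditions"]):
            action = rule["action"]
            # the rule's own require-acceptance wins; otherwise the segment setting applies
            default = segments[action["segment"]]["require-attachment-acceptance"]
            return action["segment"], action.get("require-acceptance", default)
    return None  # no rule matched: the attachment is not placed in any segment
```

A VPC tagged Segment=qa matches nothing here, which is exactly why the article insists on a distinct rule per segment with a matching tag value.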

[Screenshot: configuring the AWS Cloud WAN attachment policy]

56. The next step is to create the policy by clicking the Create policy button.

[Screenshot: creating the AWS Cloud WAN attachment policy]

57. Once the policy is created, click on the Latest policy and click View or apply change set.

[Screenshot: applying the Cloud WAN policy]

58. Click Apply change set to apply the changes made.

[Screenshot: committing the Cloud WAN policy]

59. To verify the configuration, click the Attachments menu; the transit gateway route table attachment should be attached to the appropriate segment. In our case, the prod segment was assigned.

[Screenshot: AWS Network Manager menu]

[Screenshot: transit gateway route table associated with the prod segment]

Migration from Transit Gateway routing to Cloud WAN routing

This is straightforward to achieve by changing the VPC routing: the routes that currently point to the transit gateway are adjusted to point to the core network instead. Examples of routes configured via the transit gateway and via Cloud WAN are shown below:

A VPC pointing to the Cloud WAN core network:

[Screenshot: VPC route table pointing to the AWS Cloud WAN core network]

A VPC pointing to a Transit Gateway:

[Screenshot: VPC route table pointing to an AWS Transit Gateway]

60. Go to the VPC service menu and choose Route tables.

[Screenshot: VPC service menu]

61. Choose the appropriate private route tables.

[Screenshot: AWS route table selection]

62. Click Edit routes and modify the route entry pointing to the transit gateway (tgw-xxxxxxxxxx).

[Screenshot: AWS TGW route table]

63. Change the target from Transit Gateway to Core network by selecting Core network from the dropdown menu.

[Screenshot: VPC route table entry pointing to the transit gateway]

[Screenshot: route table target options]

64. Choose the core network ARN from the dropdown menu and click Save changes.

[Screenshot: core network route table selection]

If the core network ARN is missing from the dropdown, ensure the VPC attachment in AWS Cloud WAN has been created.

This concludes the steps to build the architecture mentioned.
