This article describes a step-by-step implementation of a typical AWS Cloud WAN setup.
AWS Cloud WAN overview
AWS Cloud WAN is a global service built from regional Core Network Edges (CNEs); each CNE behaves like a managed transit gateway within its Region. It supports the same attachment types as a transit gateway, such as VPC, VPN and Connect attachments, with the exception of the Direct Connect Gateway (DXGW), which Cloud WAN did not support directly at the time of writing.
Each CNE acts as a routing hub for the attachments in its Region, and AWS automatically establishes full-mesh peering between all CNEs of a core network, so no manual inter-Region peering is required.
Segments are very similar to VRFs and provide separate routing domains within the core network. Currently a core network supports up to 40 segments, and this is a hard limit. The whole configuration is governed by a Core Network Policy, a JSON document that contains all the necessary details: the BGP AS number range, segments, attachment policies, CNE (edge) locations and routing between segments.
AWS Cloud WAN has many advantages over Transit Gateway, but the most significant is the automatic full-mesh peering, especially when multiple Regions are configured.
This step-by-step guide shows how to construct an AWS Cloud WAN setup with four segments deployed across four AWS Regions.
Segment Name | AWS Regions used
Corporate    | ap-northeast-3
Production   | ap-northeast-2
QA           | ap-southeast-1
Shared       | ap-southeast-2
A visual depiction of the setup is presented below. Multiple VPCs are deployed for each environment in every Region. A Transit Gateway is configured in the shared segment to emulate a Direct Connect Gateway.
Assumptions
This guide assumes an environment managed with AWS Organizations in which a dedicated network account has already been created. This is needed to enable multi-account support in Network Manager and to delegate its administration to that network account.
Cloud WAN step-by-step implementation
Building the basic setup
1. Log in to the management (master) account, open the AWS Network Manager service and select Global Networks.
2. Click Enable multi-account support.
3. Click Settings in the Network Manager menu, enable trusted access and enter the account ID of the network account created for this purpose.
4. Log in to the network account, open the Network Manager service and click Global Networks again to create the global network.
5. Enter the name, description and the necessary tags for the global network and click Next.
6. Create the core network: click the option to add a core network to your global network.
7. Enter the name, description and the necessary tags of the core network in the core network general settings.
8. Enter the AS number range used by the core network. The range must be unique and not already used anywhere in your existing network (on-premises routers, transit gateways, VPN appliances). Overlapping AS numbers cause BGP loop prevention to discard routes that carry the duplicated ASN and break routing in hard-to-diagnose ways.
9. Choose the required edge locations, i.e. the Regions where resources will be deployed.
10. Enter the name and description of the first segment, such as Production, QA, Corporate or Shared. Only one segment is created at this point; the remaining segments are created later.
11. Review the settings and click Create global network.
12. Once the process is finished, click the newly created global network to see where the CNEs were created.
If everything was created correctly, a setup similar to the one shown below is created.
Sharing the Core network infrastructure
13. Click Core network, choose the Sharing tab and click Share core network.
14. Click Create resource share and enter a name for the resource share. Under Resources, choose Core networks.
15. Choose the appropriate core network ARN and resource ID and click Next.
16. Click Next.
17. Choose who can access the share. The core network is usually shared only with accounts within your organization, so select Allow sharing only within your organization. If it must also be shared with an AWS account, IAM role or IAM user outside the organization, select Allow sharing with anyone; if both scenarios are needed, create two resource shares, one for the organization and one for external principals. Specify the principals (in this case the account), click Add and then click Next.
18. Review the settings and click Create resource share.
Once the share is created, it appears in the list of resource shares, and the Sharing tab of the core network shows a similar output.
Creating the segments needed
19. Go back to the core network, choose Policy versions, click the latest applied policy version (Live, Latest) and click Edit.
20. Click the Segments tab.
21. Click Create.
22. Enter the segment name and description and choose whether attachments require acceptance before joining the segment. If needed, the segment can be limited to specific edge locations (choose the required edge locations). Click Create segment. Repeat the process for every segment needed.
Note: if Require acceptance is enabled, each attachment to that segment must be approved before it becomes active.
23. Click Create policy to generate the new policy version.
Once the new policy version is requested, its state changes to Pending generation and then to Ready to execute.
24. Apply the changes by selecting the required policy version and clicking View or apply change set.
25. To compare policy versions before applying, click Compare policy versions; otherwise click View or apply change set.
26. Click Apply change set to apply the changes shown.
27. Executing the policy takes some time; the status is shown in the change set state, and the Executing progress tab shows the number of remaining tasks.
28. Next, create the attachment policies that associate transit gateways, VPCs and VPNs with the appropriate segments. Click the latest policy version, click Edit and choose Attachment policies.
29. Click Create.
Creating the Cloud WAN attachment policies
30. Enter the rule number, description and the segment to associate the attachment with. Multiple attachment policies are needed to cover all the segments. Rule numbers also define evaluation order: rules are evaluated in ascending order and the first match is applied, so a broad rule with a low number can shadow a more specific one.
In my case, the following rules match attachments to their respective segments:
a) by attachment type, to cover VPN and Connect attachments;
b) by tag, checking that the Segment tag exists and that its value names the target segment.
To set up the attachment policy by attachment type for VPNs, in the Conditions section choose Attachment type as the type and set the condition value to site-to-site-vpn.
For Connect attachments, set the condition value to connect.
In both cases, click Create attachment policy.
When applied, two attachment policies by attachment type are created.
31. The next attachment policy required is for VPC attachments. Repeat step 30 with a unique rule number and the conditions for the production segment shown below (attachment type vpc and the Segment tag equal to prod), then click Create attachment policy.
Repeat the process for every segment required, always using a different rule number.
32. Once all attachment policies are created, a new policy version must be generated and applied. Click Create policy as shown to start generating the new policy.
33. Once the state of the newly created policy version is Ready to execute, repeat steps 24-27 to apply it as the live policy.
34. Attach the VPCs to their segments. Click Attachments under the core network and click Create attachment.
35. Enter the name, the edge location and the attachment type (in this case VPC).
If a stateful network appliance runs in the VPC, enable appliance mode so that Cloud WAN keeps both directions of a flow in the same Availability Zone and avoids asymmetric routing. (Appliance mode is currently supported only for VPC attachments.)
If IPv6 is used within the VPC, enable IPv6 support. Only dual-stack configurations are currently supported by Cloud WAN VPC attachments.
Choose the VPC ID and the subnets to attach.
36. The final step before creating the VPC attachment is tagging, which is what binds the attachment to its segment through the attachment policies. In this case the production segment is used, which requires a tag with key Segment and value prod. Click Create attachment.
37. Production attachments are not accepted automatically because Require acceptance was enabled on the segment, so they must be accepted before they can be used. Select the attachment and click Accept.
The attachment state changes from Pending attachment acceptance to Creating, then to Pending network update, until it becomes Available.
38. Repeat steps 34-37 for the other segments, changing the Segment tag value to match the respective attachment policy.
39. Once all the VPC attachments are created, add the VPN attachments. The process is very similar to the VPC attachment, but choose VPN as the attachment type and select the respective VPN ID. A Segment tag with the appropriate value is still needed to bind the VPN attachment to the required segment.
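The policy document that the console edits in steps 19 to 39 can also be written directly and applied with the CLI. The following is an added example, not code from the original article: it builds the Core Network Policy for the four-segment design above, runs the sanity checks the article warns about (ASN range not already in use, segment limit, unique rule numbers) and simulates how the attachment policies pick a segment for an attachment, including the case of a VPC whose Segment tag is missing or misspelt. Segment names, rule numbers, the ASN range and the sample attachments are assumptions chosen to mirror the design; the JSON layout follows the Cloud WAN policy version 2021.12 schema.

```python
"""Core Network Policy for the four-segment design, with sanity checks and a
simulation of attachment-policy matching. Added example, not the article's code."""
import json

EDGE_LOCATIONS = ["ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2"]
# segment name -> require-attachment-acceptance (assumed names; the article's tag value is "prod")
SEGMENTS = {"corporate": False, "prod": True, "qa": False, "shared": False}
MAX_SEGMENTS = 40  # hard limit quoted in the article


def build_policy(asn_ranges=("64512-64555",)):
    """Return the policy document as a dict; json.dumps() it to feed put-core-network-policy."""
    rules = [
        # Rules are evaluated in ascending rule-number order; the first match is applied.
        {"rule-number": 100, "condition-logic": "or", "description": "VPN and Connect -> shared",
         "conditions": [
             {"type": "attachment-type", "operator": "equals", "value": "site-to-site-vpn"},
             {"type": "attachment-type", "operator": "equals", "value": "connect"}],
         "action": {"association-method": "constant", "segment": "shared"}},
        {"rule-number": 200, "description": "TGW route table attachment -> prod",
         "conditions": [{"type": "attachment-type", "operator": "equals",
                         "value": "transit-gateway-route-table"}],
         "action": {"association-method": "constant", "segment": "prod"}},
    ]
    # One VPC rule per segment: attachment type vpc AND tag Segment=<segment name>.
    for i, name in enumerate(SEGMENTS):
        rules.append({"rule-number": 300 + 10 * i, "condition-logic": "and",
                      "conditions": [
                          {"type": "attachment-type", "operator": "equals", "value": "vpc"},
                          {"type": "tag-value", "operator": "equals", "key": "Segment", "value": name}],
                      "action": {"association-method": "constant", "segment": name}})
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": True,
            "asn-ranges": list(asn_ranges),  # assumed range; must be unused elsewhere
            "edge-locations": [{"location": region} for region in EDGE_LOCATIONS],
        },
        "segments": [{"name": n, "require-attachment-acceptance": acc} for n, acc in SEGMENTS.items()],
        "attachment-policies": rules,
    }


def validate(policy, existing_asns):
    """Return a list of problems; an empty list means the policy passes the checks."""
    problems = []
    names = [s["name"] for s in policy["segments"]]
    if len(names) > MAX_SEGMENTS:
        problems.append(f"{len(names)} segments exceeds the limit of {MAX_SEGMENTS}")
    if len(set(names)) != len(names):
        problems.append("duplicate segment names")
    numbers = [r["rule-number"] for r in policy["attachment-policies"]]
    if len(set(numbers)) != len(numbers):
        problems.append("duplicate attachment policy rule numbers")
    for rule in policy["attachment-policies"]:
        segment = rule["action"].get("segment")
        if segment is not None and segment not in names:
            problems.append(f"rule {rule['rule-number']} targets unknown segment {segment}")
    for rng in policy["core-network-configuration"]["asn-ranges"]:
        low, high = (int(x) for x in rng.split("-"))
        clash = sorted(a for a in existing_asns if low <= a <= high)
        if clash:
            problems.append(f"ASN range {rng} overlaps ASNs already in use: {clash}")
    return problems


def _condition_matches(cond, attachment):
    ctype, op = cond["type"], cond.get("operator", "equals")
    tags = attachment.get("tags", {})
    if ctype == "any":
        return True
    if ctype == "tag-exists":
        return cond["key"] in tags
    actual = {"attachment-type": attachment.get("type"), "region": attachment.get("region"),
              "account-id": attachment.get("account-id"), "resource-id": attachment.get("resource-id"),
              "tag-value": tags.get(cond.get("key"))}[ctype]
    if actual is None:
        return False  # e.g. the Segment tag is missing: the tag-value condition cannot match
    expected = cond["value"]
    return {"equals": actual == expected, "not-equals": actual != expected,
            "contains": expected in actual, "begins-with": actual.startswith(expected)}[op]


def match_attachment(policy, attachment):
    """Simulate segment selection: first rule, in ascending rule-number order, whose
    conditions hold. Returns None when nothing matches (the attachment stays unassociated)."""
    acceptance = {s["name"]: s.get("require-attachment-acceptance", False) for s in policy["segments"]}
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        results = [_condition_matches(c, attachment) for c in rule["conditions"]]
        if not (all(results) if rule.get("condition-logic") == "and" else any(results)):
            continue
        action = rule["action"]
        if action["association-method"] == "constant":
            segment = action["segment"]
        else:  # "tag": the value of the named tag is the segment name
            segment = attachment.get("tags", {}).get(action["tag-value-of-key"])
        if segment not in acceptance:
            return None
        # Assumption: acceptance is needed if either the segment or the rule requires it.
        needs_acceptance = acceptance[segment] or bool(action.get("require-acceptance", False))
        return {"rule": rule["rule-number"], "segment": segment, "require-acceptance": needs_acceptance}
    return None


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("problems:", validate(policy, existing_asns={65000, 64600}))
    for att in ({"type": "site-to-site-vpn", "region": "ap-southeast-2"},
                {"type": "vpc", "region": "ap-northeast-2", "tags": {"Segment": "prod"}},
                {"type": "vpc", "region": "ap-southeast-1"}):
        print(att, "->", match_attachment(policy, att))
```

Write the output of build_policy() to a file and apply it with aws networkmanager put-core-network-policy --core-network-id <id> --policy-document file://policy.json, then execute the change set exactly as in steps 24-27. Run validate() against the set of ASNs already used on-premises before every change; the check catches the overlap from step 8 before BGP does. If one VPC rule per segment becomes tedious, a single rule with association-method "tag" and tag-value-of-key "Segment" assigns each VPC to the segment named by its tag, which match_attachment() also handles.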
40. Next, add the transit gateway (already created) to the core network. For more information on creating a transit gateway, refer to "Creating a working AWS transit gateway in 5 mins". Click Transit gateways in the Network Manager menu as shown below.
41. Click Register transit gateway.
42. Choose the transit gateway to add and click Register transit gateway.
Once registered, a similar output should be observed; click the TGW ID for more details.
43. Once the transit gateway is registered, click Peerings and click Create peering.
44. Enter the peering name, the edge location and the transit gateway (the transit gateway must be in the same Region as the edge location).
45. Next, choose the transit gateway policy table to associate. In this case a new one is created rather than reusing an existing one. Click Create peering.
A similar output should be visible once the peering creation has started.
46. Once created, click the new peering and choose Associate policy table.
47. Choose New and click Associate policy table.
Once created and associated, a similar output should be visible.
48. Next, create the transit gateway route table attachment. Click Attachments.
49. Click Create attachment.
50. Enter the attachment name, choose the appropriate edge location and set the attachment type to Transit gateway route table.
51. Choose the transit gateway peering and the transit gateway route table, enter the required tags and click Create attachment.
52. Next, create the attachment policy for the new transit gateway route table attachment. Click Policy versions, choose the Live/Latest policy and click Edit.
53. Click the Attachment policies tab and click Create (not the Create policy button).
54. Choose a unique rule number (100 in this case), the segment to attach to and the preferred attachment acceptance option.
55. Bind the condition so that the attachment policy assigns the attachment to the required segment. In this case the matching criterion is:
Type            | Condition values
Attachment type | transit-gateway-route-table
Set the attachment type to transit-gateway-route-table and click Create attachment policy. Note that this condition matches every transit gateway route table attachment in the core network; if several transit gateways are attached to different segments, add a tag or resource-id condition to the rule.
56. Click Create policy to generate the new policy version.
57. Once the policy is created, click the latest policy and click View or apply change set.
58. Click Apply change set to apply the changes.
59. To verify the configuration, click Attachments; the transit gateway route table attachment should be associated with the appropriate segment. In our case it was the prod segment.
Migration from Transit Gateway routing to Cloud WAN routing
This is straightforward to achieve by changing the VPC routing: the routes currently pointing to the transit gateway are adjusted to point to the core network instead. Examples of routes targeting the transit gateway and the Cloud WAN core network are shown below:
A VPC route pointing to the Cloud WAN core network
A VPC route pointing to a transit gateway
60. Go to the VPC service menu and choose Route tables.
61. Select the appropriate private route table.
62. Click Edit routes and modify the route entry pointing to the transit gateway (tgw-xxxxxxxxxx).
63. Change the target from Transit Gateway to Core Network by selecting Core network from the dropdown menu.
64. Choose the core network ARN from the dropdown menu and click Save changes.
If the core network ARN is missing from the dropdown, ensure the VPC attachment was created in Cloud WAN and is in the Available state. Before cutting over a route table, confirm that the destination prefixes already appear in the core network's routes for the segment; otherwise traffic to them is dropped as soon as the route is saved. Change one route table at a time so the edit can be reverted quickly.
This concludes the steps to build the architecture described.
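For more than a handful of route tables, steps 60 to 64 are better scripted. The following is an added example, not code from the article: it takes route tables in the shape returned by EC2 DescribeRouteTables, finds every route whose target is the transit gateway and produces the parameters for EC2 ReplaceRoute that repoint that prefix at the core network ARN, leaving local, NAT and already-migrated routes untouched. The transit gateway ID, core network ARN and route table contents are constructed sample data, and the attachment-state gate encodes the caveat above that the core network is only a usable target once the VPC attachment is Available.

```python
"""Cutover planner: Transit Gateway routes -> Cloud WAN core network routes.
Added example, not the article's code; IDs and route tables are constructed."""
TGW_ID = "tgw-0123456789abcdef0"                                   # constructed
CORE_NETWORK_ARN = ("arn:aws:networkmanager::111122223333:"
                    "core-network/core-network-0123456789abcdef0")  # constructed

SAMPLE_ROUTE_TABLES = [  # constructed sample in the shape of DescribeRouteTables output
    {"RouteTableId": "rtb-0a1b2c3d4e5f60001", "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": TGW_ID, "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
    ]},
    {"RouteTableId": "rtb-0a1b2c3d4e5f60002", "Routes": [
        {"DestinationCidrBlock": "10.21.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1::/48", "TransitGatewayId": TGW_ID, "State": "active"},
        {"DestinationPrefixListId": "pl-0123456789abcdef0", "TransitGatewayId": TGW_ID, "State": "active"},
        {"DestinationCidrBlock": "172.16.0.0/12", "CoreNetworkArn": CORE_NETWORK_ARN, "State": "active"},
    ]},
]

# A route carries exactly one of these destination keys; ReplaceRoute takes the same key.
DESTINATION_KEYS = ("DestinationCidrBlock", "DestinationIpv6CidrBlock", "DestinationPrefixListId")


def plan_cutover(route_tables, tgw_id, core_network_arn, attachment_state):
    """Return ReplaceRoute keyword arguments, one dict per transit gateway route.
    Refuses to plan until the Cloud WAN VPC attachment is AVAILABLE, because the
    core network is not a valid route target before that."""
    if attachment_state != "AVAILABLE":
        raise RuntimeError(f"VPC attachment is {attachment_state}; wait for AVAILABLE before cutover")
    changes = []
    for table in route_tables:
        for route in table["Routes"]:
            if route.get("TransitGatewayId") != tgw_id:
                continue  # local, NAT and already-migrated core network routes are left alone
            dest_key = next(k for k in DESTINATION_KEYS if k in route)
            changes.append({"RouteTableId": table["RouteTableId"],
                            dest_key: route[dest_key],
                            "CoreNetworkArn": core_network_arn})
    return changes


def apply_cutover(changes, ec2):
    """Apply the plan through a boto3 EC2 client (ec2.replace_route) and return the
    number of routes changed. Any object with a replace_route(**kwargs) method works,
    so the plan can be rehearsed offline with a stand-in."""
    for params in changes:
        ec2.replace_route(**params)
    return len(changes)


if __name__ == "__main__":
    plan = plan_cutover(SAMPLE_ROUTE_TABLES, TGW_ID, CORE_NETWORK_ARN, "AVAILABLE")
    for change in plan:
        print(change)
    # Live run: import boto3; apply_cutover(plan, boto3.client("ec2", region_name="ap-northeast-2"))
```

Fetch the real input with describe_route_tables() filtered by vpc-id and the attachment state with get_vpc_attachment() from the networkmanager client, review the printed plan, and only then pass a real EC2 client to apply_cutover(); keeping the plan and the apply separate makes the rollback (the same plan with TransitGatewayId in place of CoreNetworkArn) a one-line change.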