Deploying VMware SD-WAN and AWS Cloud WAN with AWS Quick Starts

Article ID: 312345

Products: VMware

Issue/Introduction

This article covers how organizations can automate the deployment of VMware SD-WAN Edges as well as AWS Cloud WAN using AWS Quick Starts to extend segmentation to the AWS Cloud and greatly improve connectivity to AWS workloads.

As more and more enterprises move their business-critical applications to the cloud, VMware SD-WAN plays an increasingly important role in providing highly reliable, cost-effective and optimized connectivity to those applications.

In this article we will see how customers can automate the deployment of:
  1. VMware SD-WAN Edge Cluster in a transit VPC
  2. AWS Core Network Edge (CNE)
  3. Route-based VPNs from the Edge to a CNE
Each deployment leverages AWS Quick Starts to extend VMware SD-WAN to the AWS Cloud while maintaining segmentation end-to-end.
[Figure: AWS Quick 1.JPG]
Environment

VMware SD-WAN

Resolution

Prerequisites

We assume that the reader is already a VMware SD-WAN customer with access to our VMware SD-WAN Orchestrator and familiar with the environment and notions such as segmentation, profiles, interface settings, Cloud VPN as well as AWS networking concepts.

Before using this guide, a customer first needs to:
  • Have an administrator account created on a VMware Orchestrator.
  • Have a Hub Profile already created, to be assigned to the Hub Cluster.
  • Have segments already defined on the VMware Orchestrator.
  • Have a policy file already defined for the AWS Cloud WAN. See example here.
  • Have an AWS S3 bucket to host the *.json files (the bucket must be in the same region as the Core Network Edge to be deployed).
  • Ensure that the account quotas for Amazon VPC and Site-to-Site VPN are sufficient for the desired deployment configuration.
  • Ensure that the VMware SD-WAN Edges are running software Release 4.3.1 or newer.
Note: This document assumes that:
  • Each VPC attachment contains only one subnet from that VPC.
  • There is no other “Non SD-WAN Destination via Edge” configuration. The presence of an additional NSD via Edge configuration may cause the Site-to-Site VPN to fail.

Configuration Steps

  1. Upload the *.json files to the S3 bucket. The following four *.json files are necessary to successfully launch the Quick Start:
[Figure: AWS Quick 2.JPG]
  2. Create your CloudFormation stack. Copy the URL of the *-start.json file and click Next.
[Figure: AWS Quick 3.JPG]
  3. Enter a stack name.
  4. Fill out the required parameters.
[Figure: AWS Quick 4.JPG]
Note: “SecondSegmentName” should match what has been defined on the VMware SD-WAN Orchestrator.
[Figure: AWS Quick 7.JPG]
Note: The segment(s) defined in the "PolicyJson" file should match the segments defined earlier.
[Figure: AWS Quick 8.jpg]
Note: The “Greenfield” and “Brownfield” templates as well as the “Lambda package” file should have been uploaded to the S3 bucket.
Note: As covered in the Prerequisites section, “SubnetToAttachToSegment1” and “SubnetToAttachToSegment2” must NOT belong to the same VPC.
Having confirmed all of the above, click Next.
  5. Check the box "I acknowledge that AWS CloudFormation might create IAM resources" and click Create stack.
[Figure: AWS Quick 9.jpg]
  6. The deployment process should take approximately 10-12 minutes to complete. Once completed, you will have an environment with:
    1. Two (2) SD-WAN Virtual Edges in two (2) separate Availability Zones
    2. One (1) AWS Cloud WAN Core Network Edge (CNE)
    3. Eight (8) route-based VPNs to the CNE for two (2) segments
[Figure: AWS Quick 10.jpg]
Note: You can follow the progress of the deployment and review logs in AWS CloudWatch.
  7. Add the necessary static routes to your workload VPC route tables, choosing the Core Network Edge as the target for traffic destined to the branches/on-premises.
[Figure: AWS Quick 14.jpg]
The target should be the Core Network Edge that was just created in the previous step.
  8. Assign the Hub Cluster to the Branch Profile.
[Figure: AWS Quick 15.png.jpg]
  9. The final step is to verify end-to-end connectivity.
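A preflight check for the prerequisites and parameter notes above (the segments named in the stack parameters must exist in the PolicyJson file, the two subnets must belong to different VPCs, and the S3 bucket must be in the CNE region). This is an added example, not part of the VMware article or its Quick Start templates; the policy document and the subnet-to-VPC mapping are constructed sample data, which in real use would come from the uploaded policy file, `aws ec2 describe-subnets` and `aws s3api get-bucket-location`.

```python
import json

# Constructed sample of a Cloud WAN core network policy (the PolicyJson file).
# Only the parts the checks read are shown; a real policy also carries
# segment-actions and attachment-policies.
SAMPLE_POLICY = json.dumps({
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64555"],
        "edge-locations": [{"location": "eu-west-1"}],
    },
    "segments": [{"name": "Global"}, {"name": "Finance"}],
})

# Constructed subnet-to-VPC mapping, the shape `aws ec2 describe-subnets` gives
# back (SubnetId -> VpcId); subnet-0aaa and subnet-0ccc share a VPC on purpose.
SAMPLE_SUBNET_VPCS = {
    "subnet-0aaa": "vpc-0111",
    "subnet-0bbb": "vpc-0222",
    "subnet-0ccc": "vpc-0111",
}


def policy_segment_names(policy_json):
    """Segment names declared in the core network policy document."""
    return {seg["name"] for seg in json.loads(policy_json).get("segments", [])}


def preflight(policy_json, segment_names, subnet_vpcs, subnet1, subnet2,
              bucket_location, cne_region):
    """Return the list of prerequisite violations; an empty list means the
    stack parameters are consistent with the article's prerequisites.

    bucket_location is the LocationConstraint from get-bucket-location, which
    is null for buckets created in us-east-1.
    """
    problems = []
    missing = sorted(set(segment_names) - policy_segment_names(policy_json))
    if missing:
        problems.append("segments not declared in PolicyJson: " + ", ".join(missing))
    if subnet_vpcs[subnet1] == subnet_vpcs[subnet2]:
        problems.append("SubnetToAttachToSegment1 and SubnetToAttachToSegment2 "
                        "both belong to " + subnet_vpcs[subnet1])
    bucket_region = bucket_location or "us-east-1"
    if bucket_region != cne_region:
        problems.append(f"S3 bucket is in {bucket_region}, CNE will be in {cne_region}")
    return problems
```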