Deploying VMware SD-WAN and AWS Cloud WAN with AWS Quick Starts
search cancel

Deploying VMware SD-WAN and AWS Cloud WAN with AWS Quick Starts


Article ID: 312345


Updated On:




This article covers how organizations can automate the deployment of VMware SD-WAN Edges as well as AWS Cloud WAN using AWS Quick Starts to extend segmentation to the AWS Cloud and greatly improve connectivity to AWS workloads.

As more and more enterprises leverage the cloud for their business-critical applications, VMware SD-WAN plays an increasingly important role in providing that highly reliable, cost effective and optimized connectivity to those applications. 

In this article we will see how customers can automate the deployment of:
  1. VMware SD-WAN Edge Cluster in a transit VPC
  2. AWS Core Network Edge (CNE)
  3. Route-based VPNs from the Edge to a CNE
Each deployment leverages AWS Quick Starts to extend VMware SD-WAN to the AWS Cloud while maintaining segmentation end-to-end.
AWS Quick 1.JPG





We assume that the reader is already a VMware SD-WAN customer with access to our VMware SD-WAN Orchestrator and familiar with the environment and notions such as segmentation, profiles, interface settings, Cloud VPN as well as AWS networking concepts.

Before using this guide, a customer first needs to:
  • Have an administrator account created on a VMware Orchestrator.
  • Have a Hub Profile already created and to be assigned to the Hub Cluster, 
  • Have segments already defined on the VMware Orchestrator.
  • Have a policy file already defined for the AWS Cloud WAN. See example here
  • Have an AWS S3 bucket to host the *.json files which must be in the same region as the Core Network Edge to be deployed).
  • Ensure that the account quotas for Amazon VPC and Site-to-Site VPN are sufficient for the desired deployment configuration.
  • Ensure that the VMware SD-WAN Edges are running software Release 4.3.1 or newer.
Note: In this document, we expect:
  • For every VPC attachment there is only one subnet part of that VPC.
  • There is no other “Non SD-WAN Destination via Edge” configuration. The presence of an additional NSD via Edge configuration may cause the Site-to-Site VPN to fail.

Configuration Steps

  1. Upload the *.json files to the S3 bucket. The following 4 *.json files are necessary to successfully launch the Quick Start:
AWS Quick 2.JPG
  1. Create your CloudFormation stack. Copy the URL of the *-start.json file and click  Next .
AWS Quick 3.JPG
  1. Enter a stack name.
  2. Fill out the required parameters.
AWS Quick 4.JPG
Note: “SecondSegmentName” should match what has been defined on the VMware SD-WAN Orchestrator.
AWS Quick 7.JPG
Note: The segment(s) defined in the "PolicyJson" file should match the segments defined earlier.
AWS Quick 8.jpg
Note: The “Greenfield” and “Brownfield” templates as well as the “Lambda package” file should have been uploaded to the S3 bucket.
Note: As covered in the Prerequisites section, “SubnetToAttachToSegment1” and “SubnetToAttachToSegment2” must NOT belong to the same VPC.
Having confirmed all of the above, click  Next .
  1. Check the box "I acknowledge that AWS CloudFormation might create IAM resources" and click  Create stack .
AWS Quick 9.jpg
  1. The deployment process should take approximately 10-12 minutes to complete. Once completed, you will have an environment with:
    1. Two (2) SD-WAN Virtual Edges in two (2) separate Availability Zones
    2. One (1)  AWS Cloud WAN Core Network Edge (CNE)
    3. Eight (8) Route-based VPNs to the CNE for two (2) segments
AWS Quick 10.jpg
 Note: You can follow the progress of the deployment and review logs in AWS CloudWatch.
  1. Add the necessary static routes and choose the Core Network Edge as the Target for traffic destined to the branches/on-premises to your workload VPC route tables.
AWS Quick 14.jpg
The target should be the Core Network Edge that was just create in the previous step.
  1. Assign the Hub Cluster to the Branch Profile.
AWS Quick 15.png.jpg
  1. The final step is to verify end-to-end connectivity.