© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enterprise Networking and SD-WAN with Cisco and AWS
SPONSORED BY CISCO | DOP217-S
Simarbir Singh, Technical Marketing Engineer, Virtualization and SD-WAN, Cisco
Nikolai Pitaev, Technical Marketing Engineer, SD-WAN and Cloud, Cisco
Agenda
• Centralized firewall inspection architecture with SD-WAN
• Global WAN with Cisco SD-WAN and AWS Cloud WAN
• Creating a bridge between apps and SD-WAN via AWS Cloud Map
• Deeper connectivity into the cloud with Cisco Meraki virtual MX and AWS Transit Gateway
• Global WAN with Meraki SD-WAN and AWS Cloud WAN
• Securing the VPC with SD-WAN and SASE
What is SD-WAN now?
Yesterday
• Separation of control and data planes
• Policy-based application path selection across multiple WAN connections
• Service chaining for additional services
Today
• IaaS: the cloud is just another branch/PoP
• SaaS with first-packet match and cloud telemetry
• Cloud app detection and integration into SD-WAN
Which Cisco SD-WAN?
• SD-WAN powered by Meraki: simple and secure full-stack IT for SD-Branch and lean IT environments
• SD-WAN powered by Viptela: maximum versatility with advanced capabilities for sophisticated IT environments
Centralized firewall inspection and SD-WAN
USE CASE OVERVIEW
[Diagram: AWS us-west Region. An AWS TGW connects a shared services VPC (GWLB in front of FTDv-1 … FTDv-n across AZ1 and AZ2), Host VPC1 (App1), Host VPC2 (App2) and an SD-WAN VPC (c8k-R1 in AZ1, c8k-R2 in AZ2). The SD-WAN VPC joins the SD-WAN fabric, which reaches SD-WAN branch 1 and SD-WAN branch 2 over the public internet.]
Requirements
• East-west and north-south traffic must go through the firewall
Benefits
• Scalable solution
• SD-WAN and security from a single vendor
Host VPC connectivity options
[Diagram: same topology as the previous slide; the route of interest is the Host VPC default route.]
Design option 1: Host VPC route points to the GWLB endpoint
  Host VPC route table: 10.111.0.0/16 → local; 0.0.0.0/0 → vpce-XYZ (FW-Endpoint-Service)
  The GWLB endpoint is a VPC endpoint, so with this option each host VPC needs its own endpoint (per AZ) and a return route from the endpoint subnet.
Design option 2: Host VPC route points to AWS TGW
  Host VPC route table: 10.111.0.0/16 → local; 0.0.0.0/0 → tgw-XYZ (AWS Transit Gateway)
  Inspection is then steered centrally from the TGW route tables, which is the option the packet flow on the following slides assumes.
Packet flow: Simplified
[Diagram: same topology.]
From Host VPC to SD-WAN
Host VPC ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ SD-WAN
Returning traffic
SD-WAN ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ Host VPC
• GENEVE protocol (UDP 6081) for load balancing between the GWLB and the FTDv instances
• Appliance mode is required on the shared services VPC attachment for symmetric routing: it keeps both directions of a flow in the same AZ, so the same firewall sees the whole flow instead of half of it and dropping it
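The two design requirements above (every host VPC default route must lead into the inspection path, and appliance mode must be enabled on the shared services VPC attachment) are easy to verify from API output. The following is an added example, not code from the deck or from Cisco/AWS tooling; it runs offline over constructed data shaped like `aws ec2 describe-route-tables` and `describe-transit-gateway-vpc-attachments` output, and every ID in it is made up.

```python
"""Offline audit of the centralized-inspection design shown above.

Added example, not from the deck or from Cisco/AWS tooling. The data below is
constructed to look like `aws ec2 describe-route-tables` and
`describe-transit-gateway-vpc-attachments` output; every ID is made up.
"""

# Host VPC route tables (constructed). A GWLB endpoint target is shown under
# GatewayId here because that is where the EC2 API normally surfaces it; the
# helper below also accepts VpcEndpointId in case a tool reports it that way.
HOST_VPC_ROUTE_TABLES = {
    "HostVPC1": [   # design option 2: default route to the TGW
        {"DestinationCidrBlock": "10.111.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-XYZ"},
    ],
    "HostVPC2": [   # design option 1: default route to a GWLB endpoint
        {"DestinationCidrBlock": "10.112.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-XYZ"},
    ],
    "HostVPC3": [   # misconfigured: internet gateway bypasses the firewall
        {"DestinationCidrBlock": "10.113.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-XYZ"},
    ],
}

# TGW VPC attachments (constructed). Appliance mode must be enabled on the
# shared services VPC attachment, otherwise the TGW may hash the return
# direction of a flow to the other AZ and the firewall sees only half of it.
TGW_VPC_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-shared", "VpcId": "vpc-shared",
     "Options": {"ApplianceModeSupport": "enable"}},
    {"TransitGatewayAttachmentId": "tgw-attach-sdwan", "VpcId": "vpc-sdwan",
     "Options": {"ApplianceModeSupport": "disable"}},
]
SHARED_SERVICES_VPC = "vpc-shared"

ROUTE_TARGET_KEYS = ("TransitGatewayId", "VpcEndpointId", "NatGatewayId",
                     "NetworkInterfaceId", "VpcPeeringConnectionId", "GatewayId")


def route_target(route):
    """Return the target ID of a route dict, whichever field carries it."""
    for key in ROUTE_TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def default_route_inspected(routes):
    """True when 0.0.0.0/0 points at the TGW (option 2) or a GWLB endpoint
    (option 1). Any other target, or no default route at all, is reported."""
    for route in routes:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            target = route_target(route) or ""
            return target.startswith(("tgw-", "vpce-"))
    return False


def appliance_mode_enabled(attachments, vpc_id):
    """True when the attachment for vpc_id has ApplianceModeSupport=enable."""
    for att in attachments:
        if att["VpcId"] == vpc_id:
            return att.get("Options", {}).get("ApplianceModeSupport") == "enable"
    return False


def audit(route_tables, attachments, shared_vpc):
    """Return human-readable findings; an empty list means the design holds."""
    findings = []
    for name, routes in route_tables.items():
        if not default_route_inspected(routes):
            findings.append(f"{name}: default route bypasses the firewall")
    if not appliance_mode_enabled(attachments, shared_vpc):
        findings.append(f"{shared_vpc}: appliance mode disabled, "
                        "return traffic may be asymmetric")
    return findings


if __name__ == "__main__":
    for finding in audit(HOST_VPC_ROUTE_TABLES, TGW_VPC_ATTACHMENTS,
                         SHARED_SERVICES_VPC):
        print("FINDING:", finding)
```

Against live accounts the two dictionaries would come from boto3 (`describe_route_tables` filtered on each host VPC, `describe_transit_gateway_vpc_attachments` for the TGW); the checks themselves do not change. Note that appliance mode matters only on the attachment of the VPC that hosts the firewalls, not on the host VPC attachments.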
Packet flow: Details for the shared services VPC
[Diagram: shared services VPC, AZ1, with a GWLB endpoint, the GWLB (cross-zone load balancing, GENEVE) and firewalls FTDv-1 and FTDv-2; steps 2 to 7 are numbered on the diagram.]
Step 2: TGW routes to the GWLB endpoint. Shared services route table: 10.102.0.0/16 → local; 0.0.0.0/0 → vpce-XYZ (FW-Endpoint-Service-AZ1, 10.102.3.91)
Step 3: GWLB endpoint routes traffic to the GWLB using AWS PrivateLink
Step 4: GWLB routes traffic to a firewall using GENEVE. Target group FW-Target-Group-Geneve with 4 firewalls, for example:
  10.102.3.174   MC-FTD-IFT-1   port 6081   us-west-AZ1
  10.102.13.67   MC-FTD-IFT-2   port 6081   us-west-AZ1
  …
Step 5: Firewall decapsulates GENEVE, inspects the packet, re-encapsulates it and sends it back to the GWLB
Step 6: GWLB removes the GENEVE header and forwards the packet to the appropriate GWLB endpoint
Step 7: GWLB endpoint sends the packet to the TGW
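Step 5 is the part the firewall team owns, and the detail that matters is that the GENEVE header and its options go back to the GWLB unchanged: the GWLB uses them in step 6 to pick the endpoint the packet came from. The following is an added example, not code from the deck, from Cisco FTDv or from AWS. It parses a GENEVE datagram using the RFC 8926 header layout, applies a toy inspection rule to the inner IPv4/TCP packet, and re-encapsulates allowed packets byte-for-byte. All packet bytes are constructed inline; the option class and type numbers are placeholders chosen for the example, not AWS's documented values.

```python
"""GENEVE handling as a GWLB-fronted firewall must do it in step 5.

Added example, not from the deck, Cisco FTDv or AWS. Parses a GENEVE
datagram (RFC 8926 layout), inspects the inner IPv4/TCP packet and
re-encapsulates an allowed packet with header and options unchanged.
All bytes below are constructed; option class/type values are placeholders.
"""
import ipaddress
import struct

GENEVE_PORT = 6081          # UDP port the target group above listens on
ETHERTYPE_IPV4 = 0x0800     # GWLB carries a bare inner IPv4 packet
BLOCKED_DST_PORTS = {23}    # toy inspection policy: drop Telnet


def parse_geneve(datagram):
    """Split a GENEVE datagram into (header dict, [(class, type, data)], inner)."""
    if len(datagram) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", datagram[:8])
    version, opt_words = b0 >> 6, b0 & 0x3F
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    hdr = {"oam": bool(b1 & 0x80), "critical": bool(b1 & 0x40),
           "proto": proto, "vni": vni_rsvd >> 8}
    opt_block = datagram[8:8 + opt_words * 4]
    if len(opt_block) != opt_words * 4:
        raise ValueError("truncated option block")
    options, pos = [], 0
    while pos < len(opt_block):
        if pos + 4 > len(opt_block):
            raise ValueError("truncated option header")
        cls, typ, flags_len = struct.unpack("!HBB", opt_block[pos:pos + 4])
        dlen = (flags_len & 0x1F) * 4          # length field is in 4-byte words
        data = opt_block[pos + 4:pos + 4 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated option data")
        options.append((cls, typ, data))
        pos += 4 + dlen
    return hdr, options, datagram[8 + opt_words * 4:]


def build_geneve(hdr, options, inner):
    """Inverse of parse_geneve; option data must be 4-byte aligned."""
    opt_block = b"".join(struct.pack("!HBB", cls, typ, len(data) // 4) + data
                         for cls, typ, data in options)
    if len(opt_block) % 4 or len(opt_block) // 4 > 0x3F:
        raise ValueError("bad option block length")
    b0 = len(opt_block) // 4                                   # version 0
    b1 = (0x80 if hdr["oam"] else 0) | (0x40 if hdr["critical"] else 0)
    return struct.pack("!BBHI", b0, b1, hdr["proto"], hdr["vni"] << 8) + opt_block + inner


def ipv4_tcp(src, dst, sport, dport):
    """Minimal IPv4+TCP headers (no payload, zero checksums) for the sample."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def inner_tcp_dst_port(inner):
    """TCP destination port of a bare IPv4 packet, or None if not IPv4/TCP."""
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 6:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        return None
    return struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]


def appliance_process(datagram):
    """Return the datagram to send back to the GWLB, or None to drop it."""
    hdr, options, inner = parse_geneve(datagram)
    if hdr["proto"] != ETHERTYPE_IPV4:
        return None                                # only IPv4 in this sample
    if inner_tcp_dst_port(inner) in BLOCKED_DST_PORTS:
        return None
    # Re-encapsulate with header and options unchanged; rewriting or dropping
    # the options would break the GWLB's mapping back to the endpoint.
    return build_geneve(hdr, options, inner)


# Constructed sample: placeholder option class 0x0108 with three TLVs that
# stand in for endpoint/attachment identifiers and a flow cookie.
SAMPLE_HDR = {"oam": False, "critical": False, "proto": ETHERTYPE_IPV4, "vni": 0x123456}
SAMPLE_OPTIONS = [
    (0x0108, 1, struct.pack("!Q", 0x0A0B0C0D0E0F1011)),
    (0x0108, 2, struct.pack("!Q", 0x2122232425262728)),
    (0x0108, 3, struct.pack("!I", 0xDEADBEEF)),
]
ALLOWED = build_geneve(SAMPLE_HDR, SAMPLE_OPTIONS,
                       ipv4_tcp("10.111.1.10", "10.200.0.5", 40000, 443))
DENIED = build_geneve(SAMPLE_HDR, SAMPLE_OPTIONS,
                      ipv4_tcp("10.111.1.10", "10.200.0.5", 40001, 23))

if __name__ == "__main__":
    print("allowed round-trips unchanged:", appliance_process(ALLOWED) == ALLOWED)
    print("denied dropped:", appliance_process(DENIED) is None)
```

The inspection rule is deliberately trivial; the point is the shape of the loop a GWLB target has to implement, including rejecting malformed option blocks rather than forwarding them, and returning the original header and options rather than regenerating them.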
Connecting SD-WAN
[Diagram: same topology; the SD-WAN VPC (c8k-R1 in AZ1, c8k-R2 in AZ2) attaches to the AWS TGW.]
• VPN or Connect attachment for the SD-WAN VPC
• BGP between the AWS TGW and the SD-WAN routers
• Cisco Catalyst 8000V as SD-WAN router
• Multi-Region via AWS Cloud WAN: see the next chapter
• Automation: GitHub repo SD-WAN CoR LabInfra
Cisco SD-WAN and AWS Cloud WAN
Cisco Multicloud Solutions for AWS
[Diagram: Branch 1, Branch 2 and Branch 3 in the SD-WAN fabric; an SD-WAN transit VPC (TVPC) and host VPCs behind an AWS TGW in US-West-1.]
• Branch Connect: direct IPsec from the branch to the AWS TGW
• Extending the SD-WAN fabric to the cloud: VPN attachment (IPsec) or Connect attachment (GRE)
• All automated in Cisco vManage (new)
Cisco SD-WAN and AWS Cloud WAN
USE CASE OVERVIEW
[Diagram: Los Angeles and London SD-WAN branches in the Cisco SD-WAN fabric, connected through the AWS Core Network to VPCs with apps in any Region; Cisco vManage drives the Core Network from a YAML file.]
Use case
• Site-to-Cloud
• Site-to-Site over the AWS Core Network
Benefits
• Easily stitch SD-WAN and cloud across many Regions
• End-to-end segmentation
• Secure, scalable and on-demand bandwidth
Architecture
[Diagram: Cisco vManage pushes SD-WAN policy to the fabric (Branch 1, Branch 2, Branch 3; Test and Prod segments) and a Core Network Policy (CNP) to the AWS Core Network. A Cloud Gateway (CGW) in a transit VPC (TVPC) attaches to core network edge CNE-1 in Region 1; CNE-2 and CNE-3 serve VPCs in Region 2 and Region 3.]
Core Network Policy (CNP):
• Regions
• Edges
• Segments
• Dynamic routing
• Attachments
• Sharing (route leaking)
• Service insertion (FW)
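The CNP items listed above are one JSON document on the AWS side, and the security-relevant property in it is which segments exchange routes. The following is an added example, not code from the deck or from Cisco's vManage orchestration: it builds a policy with one core network edge per Region, an SD-WAN segment plus the deck's Prod and Test segments, tag-based attachment mapping, and route sharing only between the SD-WAN segment and each workload segment, then checks that Prod and Test stay isolated. The document shape follows the Cloud WAN policy format (version "2021.12"); the Regions, segment names and ASN range are assumptions, and the exact field set should be confirmed against current AWS documentation before use.

```python
"""Build and sanity-check an AWS Cloud WAN core network policy (CNP).

Added example, not from the deck or from Cisco's vManage orchestration. The
document shape follows the Cloud WAN policy format (version "2021.12"); the
Regions, segment names and ASN range below are assumptions, and the field
set should be confirmed against current AWS documentation.
"""
import json

REGIONS = ["us-west-2", "us-east-1", "eu-west-2"]     # assumed Regions 1-3
WORKLOAD_SEGMENTS = ["prod", "test"]                   # the deck's Prod/Test
SDWAN_SEGMENT = "sdwan"                                # segment for the CGW


def build_core_network_policy(regions, workload_segments, sdwan_segment):
    """Return a CNP dict: one CNE per Region, one segment per name, tag-based
    attachment mapping, and route sharing only between SD-WAN and workloads."""
    segments = [sdwan_segment] + list(workload_segments)
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": True,
            "asn-ranges": ["64512-65534"],
            "edge-locations": [{"location": r} for r in regions],
        },
        "segments": [{"name": s, "require-attachment-acceptance": s == "prod"}
                     for s in segments],
        # Attachments tagged segment=<name> land in that segment (vManage and
        # the Quick Start tag VPCs; the tag key is an assumption here).
        "attachment-policies": [
            {
                "rule-number": 100 * (i + 1),
                "condition-logic": "or",
                "conditions": [{"type": "tag-value", "operator": "equals",
                                "key": "segment", "value": s}],
                "action": {"association-method": "constant", "segment": s},
            }
            for i, s in enumerate(segments)
        ],
        # Route leaking: branches (via the SD-WAN segment) reach every
        # workload segment, but prod and test stay isolated from each other.
        "segment-actions": [
            {"action": "share", "mode": "attachment-route",
             "segment": sdwan_segment, "share-with": list(workload_segments)},
        ],
    }


def shared_pairs(policy):
    """Unordered segment pairs whose routes are exchanged by a share action."""
    names = [s["name"] for s in policy["segments"]]
    pairs = set()
    for act in policy.get("segment-actions", []):
        if act.get("action") != "share":
            continue
        targets = names if act["share-with"] == "*" else act["share-with"]
        for target in targets:
            if target != act["segment"]:
                pairs.add(frozenset((act["segment"], target)))
    return pairs


def segments_isolated(policy, a, b):
    """True when no share action leaks routes between segments a and b."""
    return frozenset((a, b)) not in shared_pairs(policy)


def unmapped_segments(policy):
    """Segments that no attachment policy can place an attachment into."""
    mapped = {p["action"]["segment"] for p in policy["attachment-policies"]}
    return [s["name"] for s in policy["segments"] if s["name"] not in mapped]


if __name__ == "__main__":
    cnp = build_core_network_policy(REGIONS, WORKLOAD_SEGMENTS, SDWAN_SEGMENT)
    print(json.dumps(cnp, indent=2))
    print("prod/test isolated:", segments_isolated(cnp, "prod", "test"))
    print("unmapped segments:", unmapped_segments(cnp))
```

Running `shared_pairs` against a policy exported from the console is a quick way to catch a `"share-with": "*"` that quietly connects segments the SD-WAN side believes are separate; `require-attachment-acceptance` on the production segment adds a manual gate before a newly tagged VPC can join it.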
Cisco SD-WAN orchestration for Cloud WAN
USE CISCO VMANAGE TO DEPLOY AND MANAGE AWS CLOUD WAN
• Connect SD-WAN branches to AWS with private or public connections
• Deploy an SD-WAN Cloud Gateway (CGW) with edge services in as many AWS Regions as required
• The AWS core network automatically creates inter-Region core network edge (CNE) peering in participating Regions over the AWS backbone
• Extend SD-WAN segments by discovery and tagging for end-to-end segmentation across multiple Regions
• Enable a Connect attachment (GRE) between the SD-WAN edge and the CNE for high-bandwidth requirements
• Enable unified end-to-end network policy control
• Insert services between segments using business-driven policy intent
Workflow – Cisco vManage
CLOUD ONRAMP FOR MULTICLOUD
1. Provide vManage access permissions to your AWS account
2. Select the configuration for the SD-WAN router acting as cloud gateway

1. Discover VPCs across AWS Regions
2. Select the VPCs to connect your cloud SD-WAN network to
3. Tag VPCs for SD-WAN management

1. Launch an SD-WAN cloud gateway in your Region
2. Deploy a new AWS Transit Gateway
3. Connect the Transit Gateway to the SD-WAN VPC

1. Configure segmentation
2. Select segments to extend to VPCs
3. Stitch WAN segments to the VPC segment
Mapping SD-WAN and cloud infrastructure
ONE CLICK IN THE INTENT MANAGEMENT TABLE
• Mapping SD-WAN to host VPCs with one click
AWS Cloud Map as a bridge between apps and the SD-WAN network
Creating a bridge between cloud apps and SD-WAN via AWS Cloud Map
Use case summary
• The cloud-native WAN adapter / vManage detects cloud-based apps automatically
• DevOps register cloud-based apps in AWS Cloud Map, writing the metadata attribute "traffic-profile" (for example "traffic-profile=video")
• NetOps create SD-WAN policies and ensure the required app experience in the network
• Because metadata written by DevOps now steers network policy, the adapter should act only on traffic-profile values NetOps have defined and ignore anything else
[Diagram: DevOps app → AWS Cloud Map ("traffic-profile=video") → SD-WAN fabric → Los Angeles branch; NetOps operate the fabric.]
Details: developer.cisco.com/docs/cloud-native-sdwan/#!cn-wan-adaptor
Cisco Meraki and AWS
A platform approach to SD-WAN
POWERED BY MERAKI
[Diagram: digital business on top of out-of-the-box management & analytics, reached via {API} and {HTTPS}.]
Create the foundation for high-quality experience in three clicks
• Simple: configure site-to-site Layer 3 IPsec VPN tunnels in just three clicks in the Cisco Meraki dashboard, over any WAN link
• Automatic: VPN configuration is generated and deployed automatically from the cloud; create a mesh or hub-and-spoke topology with only a few clicks
• Resilient: automatically adjusts to changes in order to maintain secure connectivity during an ISP or datacenter outage, hardware failure, or IP address update
Extend security deep into the cloud
• Virtual MX (vMX) is a virtual instance of a Meraki security & SD-WAN appliance
• vMX extends the optimized SD-WAN fabric to hybrid cloud environments
• Deep public cloud connectivity for multi-Region deployments
MULTI-REGION CONNECTIVITY
Flexible connectivity:
• AWS Transit Gateway
• AWS Cloud WAN
Cisco Meraki vMX and AWS Transit Gateway
Extending SD-WAN to AWS Transit Gateway
• Extend your branch SD-WAN deployments to applications hosted on AWS
• Highly available architecture for deeper connectivity to cloud resources via AWS Transit Gateway (TGW), using AWS Lambda
• Single-button automated deployment via AWS Quick Start
Cisco Meraki vMX and AWS Cloud WAN
Multi-Region deployment use case
• Customers are increasingly operating in multiple Regions within the cloud
• Manually setting up multiple peering attachments and the lack of automation can make it difficult to scale and manage
[Diagram, before: three Regions, each with an SD-WAN VPC (Cisco Meraki vMX), workload VPCs and its own TGW; the TGWs are joined by peering attachments; branch sites reach each Region over SD-WAN tunnels.]
Simplified multi-Region deployment
[Diagram, after: the same three Regions, each with an SD-WAN VPC (Cisco Meraki vMX) and workload VPCs attached to a core network edge (E) of the AWS Cloud WAN core network; a Workload segment and an SD-WAN segment span the Regions; branch sites reach each Region over SD-WAN tunnels.]
• Simplified multi-Region connectivity
• Managed Transit Gateway
• Segmentation and intent-based policies
• Regional hubs as VPC attachments
Cisco Meraki vMX with AWS Cloud WAN
TOPOLOGY FOR THE DEMO
[Diagram: a Meraki SD-WAN branch site (10.198.0.0/24) connects to the vMX in the SD-WAN VPC in Region A; the SD-WAN VPC and a workload VPC (172.32.0.0/24) in Region B join the AWS Core Network through VPC attachments, in an SD-WAN segment and a Workload segment governed by the Cloud WAN (CW) policy.]
Cisco Meraki orchestration for Cloud WAN
USE CISCO MERAKI TO DEPLOY AND MANAGE AWS CLOUD WAN
Phase 0: Using AWS Quick Starts
• Extend your Meraki SD-WAN fabric to AWS
• Automate deployment of SD-WAN edges in any cloud Region using CloudFormation
• Deploy the Cloud WAN core network and connect to sites in other Regions using the AWS Cloud WAN backbone
• Set up Cloud WAN segments and policies
Phase 1: Using the Meraki Dashboard*
• Deploy Cisco Meraki vMX to AWS from the Meraki dashboard in a few clicks
• Deeper integration with the AWS network, with connectivity to AWS TGW and Cloud WAN
• Dynamically define and manage Cloud WAN policies and segments from the dashboard
Workflow – Cisco Meraki
CLOUD ONRAMP FOR MULTICLOUD
1. Launch the CloudFormation template
2. Specify stack details and create the stack

1. Launch an SD-WAN edge in your Region
2. Deploy a new AWS Transit Gateway
3. Connect the TGW to the SD-WAN VPC via a VPC attachment
4. Program SD-WAN branch routes on AWS

1. Configure your SD-WAN network from the Meraki dashboard
2. Tag SD-WAN edges to be used as hubs

1. Multi-Region deployment
2. Set up segments based on business needs
3. Configure attachment policies between segments
4. Connect branch sites to different segments
Securing the VPC with SASE
USE CASE OVERVIEW
[Diagram: inside AWS, a Workload subnet (servers), an SD-WAN subnet (branch connectivity) with the SD-WAN router, and a SASE subnet with an internet gateway and the SASE router. Branch traffic to workloads enters through the SD-WAN router; internet traffic from workloads leaves through the SASE router to Cisco Umbrella SIG.]
• Traffic to branch sites goes via the SD-WAN router
• Internet traffic from cloud workloads egresses via the SASE router connected to Cisco Umbrella
• Policy enforcement is done via Cisco Umbrella SIG
Next steps
• Risk-free evaluation: meraki.cisco.com/eval
• Check out our website & blog: meraki.cisco.com/blog
• Check out the Cisco Meraki vMX Quick Starts: aws.amazon.com/quickstart/
• cs.co/CoR-Trial
• YouTube SD-WAN Channel
• cisco.com/go/sdwan
Thank you!