Customer-managed VPN and SD-WAN - Hybrid Connectivity

Customer-managed VPN and SD-WAN


Connectivity to the internet is a commodity, and available bandwidth continues to increase every year. Some customers choose to build a virtual WAN on top of the internet instead of building and operating a private WAN. A software-defined wide area network (SD-WAN) uses a centralized software control plane so that companies can rapidly provision and centrally manage this virtual WAN. Other customers choose to adopt traditional self-managed site-to-site VPNs.

Impact on design decisions

SD-WAN and customer-managed VPNs can run over the internet or over AWS Direct Connect. An SD-WAN, like any software VPN overlay, is only as reliable as the underlying network transport. Therefore, the considerations discussed earlier in this whitepaper with regard to reliability and SLA apply here as well. For instance, an SD-WAN overlay built over the internet will not offer the same reliability as one built over AWS Direct Connect.

Requirement definition

  • Do you use SD-WAN in your on-premises network?

  • Are there specific features you require that are only available on certain virtual appliances used for VPN termination?

Technical solutions

We recommend integrating SD-WAN with AWS Transit Gateway. AWS Transit Gateway Connect enables native integration of SD-WAN appliances into AWS. You can extend your SD-WAN edge into AWS using standard protocols: Generic Routing Encapsulation (GRE) for the tunnel and Border Gateway Protocol (BGP) for dynamic routing. Compared with terminating IPsec VPNs on Transit Gateway, it provides higher bandwidth and higher route limits, which removes the need to set up multiple IPsec VPNs between the SD-WAN appliances and Transit Gateway. Each GRE tunnel can carry up to 5 Gbps. Note that GRE itself provides no encryption: a Connect attachment uses an existing VPC or Direct Connect attachment as its transport, and the confidentiality of site traffic comes from the SD-WAN appliances' own overlay encryption, not from the GRE tunnel.
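As an added example (not code from the AWS whitepaper), the following Python plans one Transit Gateway Connect peer: it checks the inside CIDR against the constraints AWS enforces (an IPv4 /29 from 169.254.0.0/16, outside the handful of /29s AWS reserves), derives the BGP addresses (the first usable address goes on the appliance, the next two are the transit gateway's BGP endpoints), works out how many 5 Gbps GRE tunnels a bandwidth target needs given the quota of four Connect peers per Connect attachment, and emits the two AWS CLI calls. The VPC CIDR, ENI address, attachment IDs and ASN are constructed placeholders.

```python
"""Plan an AWS Transit Gateway Connect peer (GRE tunnel + BGP session).

Added example for this section; it is not code from the AWS whitepaper.
Every identifier below (VPC CIDR, ENI address, attachment IDs, ASN) is
constructed for illustration.
"""
import ipaddress
import math
from dataclasses import dataclass

# Page fact: one GRE tunnel (one Connect peer) carries at most 5 Gbps.
# Service quota: at most 4 Connect peers per Connect attachment (20 Gbps total).
GBPS_PER_PEER = 5
MAX_PEERS_PER_CONNECT = 4

# The inside CIDR of a Connect peer must be an IPv4 /29 from the link-local
# range; AWS reserves these /29s and rejects them.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RESERVED_INSIDE = {
    ipaddress.ip_network(c)
    for c in (
        "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
        "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29",
    )
}


@dataclass(frozen=True)
class ConnectPeerPlan:
    appliance_gre_ip: str    # outer GRE address: the appliance ENI in the transport VPC
    inside_cidr: str
    appliance_bgp_ip: str    # first usable inside address: configured on the appliance
    tgw_bgp_ips: tuple       # second and third: the two transit gateway BGP endpoints


def validate_inside_cidr(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. .1/29
    if net.version != 4 or net.prefixlen != 29:
        raise ValueError(f"{cidr}: inside CIDR must be an IPv4 /29")
    if not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{cidr}: inside CIDR must be taken from 169.254.0.0/16")
    if net in RESERVED_INSIDE:
        raise ValueError(f"{cidr}: this /29 is reserved by AWS")
    return net


def plan_connect_peer(transport_vpc_cidr: str, appliance_gre_ip: str,
                      inside_cidr: str) -> ConnectPeerPlan:
    """Check the peer parameters and derive the BGP addresses AWS will use.

    GRE carries no encryption of its own; the tunnel stays inside the transport
    VPC, and site traffic is protected by the SD-WAN appliance's overlay.
    """
    if ipaddress.ip_address(appliance_gre_ip) not in ipaddress.ip_network(transport_vpc_cidr):
        raise ValueError(f"{appliance_gre_ip} is not inside transport VPC {transport_vpc_cidr}")
    net = validate_inside_cidr(inside_cidr)
    hosts = list(net.hosts())  # .1 .. .6 of the /29
    return ConnectPeerPlan(appliance_gre_ip, str(net), str(hosts[0]),
                           (str(hosts[1]), str(hosts[2])))


def peers_for_bandwidth(required_gbps: float) -> int:
    """GRE tunnels needed for the target throughput; one Connect attachment caps at 4."""
    n = max(1, math.ceil(required_gbps / GBPS_PER_PEER))
    if n > MAX_PEERS_PER_CONNECT:
        raise ValueError(f"{required_gbps} Gbps needs {n} peers; add another Connect "
                         "attachment (and appliance) or use Direct Connect")
    return n


def cli_commands(transport_attachment_id: str, connect_attachment_id: str,
                 plan: ConnectPeerPlan, peer_asn: int) -> list:
    """AWS CLI calls for the plan. The Connect attachment ID used in the second
    call is returned by the first, so in practice these run as two steps."""
    return [
        "aws ec2 create-transit-gateway-connect "
        f"--transport-transit-gateway-attachment-id {transport_attachment_id} "
        "--options Protocol=gre",
        "aws ec2 create-transit-gateway-connect-peer "
        f"--transit-gateway-attachment-id {connect_attachment_id} "
        f"--peer-address {plan.appliance_gre_ip} "
        f"--inside-cidr-blocks {plan.inside_cidr} "
        f"--bgp-options PeerAsn={peer_asn}",
    ]


if __name__ == "__main__":
    # Constructed values: transport VPC 10.1.0.0/16, appliance ENI 10.1.1.10.
    plan = plan_connect_peer("10.1.0.0/16", "10.1.1.10", "169.254.100.0/29")
    print(f"appliance BGP {plan.appliance_bgp_ip}, TGW BGP {plan.tgw_bgp_ips}")
    print(f"{peers_for_bandwidth(12)} peers for 12 Gbps")
    for cmd in cli_commands("tgw-attach-0123456789abcdef0",
                            "tgw-attach-0fedcba9876543210", plan, 65000):
        print(cmd)
```

The peer ASN must match what the appliance's BGP process is configured with; the appliance terminates GRE on its ENI address and speaks BGP from the first inside address to the two transit gateway addresses, advertising the on-premises prefixes it learns over the SD-WAN overlay.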

AWS can act as a hub or a spoke for SD-WAN sites. The AWS backbone can be used to connect different SD-WAN hubs deployed in AWS over a highly reliable and performant network. SD-WAN solutions support automated failover through any available path, plus additional monitoring and observability capabilities in a single management pane. Extensive use of automated configuration allows for rapid provisioning and visibility compared to traditional WANs. Still, the tunneling and encryption overhead of an overlay does not compare to the dedicated, high-speed fiber links used in private connectivity.

In some cases, you might choose to use a virtual appliance with VPN capability. Reasons for selecting a self-managed virtual appliance include technical features and compatibility with the rest of your network. When you select a self-managed VPN or an SD-WAN solution that uses a virtual appliance deployed on an Amazon EC2 instance, you are responsible for the operational management, such as high availability and failover between virtual appliances. While this increases your operational responsibility, it can also give you more flexibility. The features and capabilities of the solution depend on the virtual appliance you select.
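The failover responsibility mentioned above is easy to underestimate. As an added example (not code from the AWS whitepaper or from any appliance vendor), the following Python shows the minimal decision logic of a route-table failover controller for a pair of self-managed appliances: it debounces health probes so a single lost packet does not move the route, refuses to fail over when both appliances are down (repointing the route at another dead hop only blackholes traffic with extra churn), and does not fail back automatically. The probe history, route table ID and ENI IDs are constructed placeholders; most vendors ship their own HA mechanism, and this is what you own if you build it yourself.

```python
"""Route failover between two self-managed VPN/SD-WAN appliances on EC2.

Added example for this section; it is not code from the AWS whitepaper or
from any appliance vendor. Probe results are a constructed list, and the
route table and ENI IDs are made up.
"""
from dataclasses import dataclass

FAILURES_TO_FAIL_OVER = 3  # consecutive failed probes before the route moves


@dataclass
class Appliance:
    name: str
    eni_id: str
    consecutive_failures: int = 0

    def record(self, healthy: bool) -> None:
        self.consecutive_failures = 0 if healthy else self.consecutive_failures + 1

    @property
    def down(self) -> bool:
        return self.consecutive_failures >= FAILURES_TO_FAIL_OVER


def choose_target(active: Appliance, standby: Appliance) -> Appliance:
    """Which ENI should own the on-premises route after the latest probe.

    Fail over only when the active appliance is confirmed down and the standby
    is not. If both are down, keep the current target: moving the route to
    another dead hop gains nothing. There is no automatic failback either; a
    flapping tunnel would otherwise churn the route table, so failback is a
    deliberate operator action.
    """
    if active.down and not standby.down:
        return standby
    return active


def replace_route_cmd(route_table_id: str, destination_cidr: str, target: Appliance) -> str:
    # replace-route is the call that repoints an existing route at another ENI.
    return (f"aws ec2 replace-route --route-table-id {route_table_id} "
            f"--destination-cidr-block {destination_cidr} "
            f"--network-interface-id {target.eni_id}")


def run_probes(active: Appliance, standby: Appliance, probes, route_table_id: str,
               destination_cidr: str) -> list:
    """Feed (active_ok, standby_ok) probe results in order; return the CLI calls
    the controller would issue (one per failover)."""
    commands = []
    for active_ok, standby_ok in probes:
        active.record(active_ok)
        standby.record(standby_ok)
        target = choose_target(active, standby)
        if target is not active:
            commands.append(replace_route_cmd(route_table_id, destination_cidr, target))
            active, standby = standby, active  # the standby now owns the route
    return commands


if __name__ == "__main__":
    a = Appliance("vpn-a", "eni-0aaaaaaaaaaaaaaaa")
    b = Appliance("vpn-b", "eni-0bbbbbbbbbbbbbbbb")
    # Constructed probe history: vpn-a fails three times in a row, then recovers.
    history = [(True, True), (False, True), (False, True), (False, True), (True, True)]
    for cmd in run_probes(a, b, history, "rtb-0123456789abcdef0", "192.168.0.0/16"):
        print(cmd)
```

In a real deployment the probe would be an IPsec or BGP session check against each appliance rather than a list, and the controller itself needs to be highly available and have only the IAM permission to call ReplaceRoute on the specific route tables it manages.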

AWS Marketplace offers many VPN virtual appliances that you can deploy on Amazon EC2. We recommend that you start with AWS managed Site-to-Site VPN and look at other options only if it doesn't meet your requirements. The management overhead of virtual appliances is your responsibility.