ESG Technical Review: Branch Networking Flexibility with Amazon Web Services Transit Gateway and Cisco SD-WAN


The report highlights the benefits delivered by Amazon Web Services (AWS) Transit Gateway in conjunction with Cisco’s SD-WAN. We illustrate how AWS Transit Gateway can help organizations to scale the interconnection of multiple Amazon Virtual Private Clouds (VPCs) with one another and their on-premises networks. We also describe the benefits that organizations can derive from the integration of AWS Transit Gateway capabilities with those of Cisco’s SD-WAN. A case study features the benefits derived from using this combined solution.

The Challenges

The percentage of organizations that use or plan to use infrastructure-as-a-service (IaaS).1

The percentage of organizations that expect to maintain a measurable on-premises environment in the next three years.2

The percentage of organizations that view their IT environments as equally or more complex than two years ago.3

Enterprise cloud adoption continues to increase as organizations want to leverage infrastructure-as-a-service (IaaS) for the ease of application deployment and IT resources scalability. Yet, as the number of organizations planning to run production applications on the cloud grows, they still intend to maintain a measurable on-premises IT environment—data centers and remote offices/branch offices (ROBOs)—for the foreseeable future. Furthermore, the increasingly distributed nature of organizations and their applications make IT environments more complex and difficult to manage. These organizations need to ensure that their cloud-based resources are networked to their on-premises environments, and to one another, without incurring additional IT network complexity and associated costs.

Typically, connecting on-premises offices and data centers to the cloud requires the use of point-to-point connections, such as IPsec Virtual Private Network (VPN) tunnels or private network fiber connections. Connecting virtual networks (groups of networked cloud resources) with one another also requires point-to-point connections. However, as the number of on-premises offices and virtual networks increases, the number of point-to-point connections grows, resulting in a large mesh network that can be difficult, cumbersome, and costly to manage. Organizations using AWS have typically used AWS Direct Connect4 and AWS Site-to-Site VPN connections5 for connecting their on-premises environment to individual Amazon VPCs, and VPC peering for connecting their Amazon VPCs with one another (see Figure 1).

As organizations deployed more geographically dispersed Amazon VPCs, AWS initially offered a networking construct called a transit VPC to manage their growing AWS environments. The transit VPC served as a central hub for VPC peering connections as well as connections between Amazon VPCs and on-premises locations. While the transit VPC helped to centralize network connectivity, organizations would still need to manually configure redundant third-party virtual routers within the transit VPCs. Should issues arise with the transit VPC, organizations would need to coordinate external support between multiple vendors.

Ideally, organizations should be able to connect their cloud and on-premises resources without adding network complexity and ongoing management and operational effort.

The Solution: Amazon Web Services Transit Gateway

Amazon Web Services (AWS) Transit Gateway is a managed, regional, and scalable service that enables organizations to interconnect a large number of Amazon VPCs and on-premises networks without relying on numerous point-to-point connections or the transit VPC.

AWS Transit Gateway simplifies how organizations connect their Amazon VPCs with one another and to their on-premises networks within a region (see Figure 2) by serving as a central point for Layer 3 network connectivity. By enabling a “hub-and-spoke” topology, the solution can help organizations reduce the number of VPC peering connections and consolidate access to the on-premises network.

Even though the number of VPCs is small and there is only one enterprise location in Figure 2, it is easy to see how the Transit Gateway simplifies the environment. Imagine how much complexity is removed when there are additional enterprise locations and hundreds or thousands of Amazon VPCs. Now, organizations can simply connect their on-premises networks and Amazon VPCs via AWS Transit Gateway.

Routing Traffic with AWS Transit Gateway

Amazon VPCs and on-premises locations connect to AWS Transit Gateway via transit gateway attachments (see Figure 2). These attachments enable AWS Transit Gateway to route traffic to the correct destination either on-premises or in the AWS Cloud.

When an Amazon VPC is connected to AWS Transit Gateway via a transit gateway attachment, the VPC’s CIDR block is propagated into AWS Transit Gateway’s default route table6 as a route pointing back at that attachment, so the transit gateway knows where to direct traffic destined for the VPC. (Routing outgoing traffic from an Amazon VPC still requires that an administrator add routes to the VPC’s own route table, with the transit gateway as the target for the relevant destination prefixes; the transit gateway does not modify VPC route tables.) When attaching an on-premises location to AWS Transit Gateway via a VPN tunnel or AWS Direct Connect, on-premises prefixes are likewise placed in the transit gateway route table, either learned dynamically over BGP or entered as static routes.

Organizations can also segment and isolate network traffic by creating multiple route tables within AWS Transit Gateway. Each route table corresponds to a routing domain that directs traffic to specific Amazon VPCs or on-premises locations based on business needs. Because each attachment is associated with exactly one transit gateway route table (the table consulted for traffic arriving from that attachment), and because routes can be propagated into each table selectively, an administrator can control routing on a per-attachment basis: two attachments whose associated tables carry no routes toward each other cannot exchange traffic through the transit gateway, even though both are attached to it.

Reducing the overall number of point-to-point connections to create and configure individually, as well as dynamic routing between AWS Transit Gateway and an organization’s on-premises locations and Amazon VPCs, helps to decrease network complexity while increasing operational efficiency. Creating AWS Direct Connect, AWS Site-to-Site VPN, and VPC peering connections involves manual effort (navigating multiple interfaces, configuring routers and gateways) that is tolerable for a small number of on-premises locations and Amazon VPCs. However, for enterprises with IT environments spanning hundreds of Amazon VPCs and multiple on-premises offices, that manual effort, along with the associated resources and costs, can very quickly become quite difficult to manage. Ultimately, using AWS Transit Gateway can help to lower operational efforts and costs while increasing business agility.

Building Global Enterprise Network Architectures with AWS Transit Gateway

Organizations can now use AWS Transit Gateway to build out their IT networks without dealing with extensive network architecture planning and upgrades. They can take advantage of other networking and security services offered by AWS or AWS Partner Network (APN) Partners to deploy a global enterprise-grade network, as opposed to manually integrating different solutions from multiple vendors. Because AWS Transit Gateway is a managed service, enterprises can also avoid the hardware and software refresh and upgrade cycles typically associated with similar hardware or software-based solutions.

Key AWS Transit Gateway features that can be leveraged to build out a global network architecture while centralizing control, maximizing network and application performance, and ensuring overall network security include:

AWS Transit Gateway Inter-Region Peering

AWS Transit Gateway Inter-Region Peering enables traffic to traverse between AWS Transit Gateways over the AWS global backbone. Deploying a global network becomes easier using inter-region peering, as AWS Transit Gateways and their VPC and VPN attachments can be interconnected. Inter-region peering connections also encrypt traffic and route it exclusively over the AWS global backbone, keeping inter-region traffic off the public internet. These connections are also designed for high availability, as the AWS backbone is built with redundant 100Gbps network links connecting all AWS regions globally.

With inter-region peering, organizations can architect a private global network while decreasing the time and resources required to connect an organization’s Amazon VPCs and on-premises networks in different regions. Functional groups, such as engineering and development, can collaborate with minimal delay in creating the proper connections to communicate and thus respond to business needs quickly.

AWS Transit Gateway Network Manager

To simplify network operations and administration, AWS Transit Gateway Network Manager provides a centralized and consistent user experience. With a single interface, global IT networks can be viewed and monitored as AWS Transit Gateway Network Manager summarizes configuration and performance data from all AWS Transit Gateways and their attachments with other Amazon VPCs and on-premises locations.

Enterprises can view components of their global networks through different visualizations (via lists, logical diagrams, or geographic maps), and AWS Transit Gateway Network Manager can alert administrators to unhealthy connections and changes in availability and performance across AWS regions and on-premises sites. Figure 3 shows the geographic view of a global network. Nodes represent network elements such as AWS regions, AWS Transit Gateways, and on-premises locations. An administrator can click on any node to obtain detailed information. For example, by clicking on the US-West-2 node, AWS Transit Gateway Network Manager reveals its AWS Transit Gateways and connected on-premises offices. The status of the VPN attachments is also displayed.

Monitoring and Management

To manage and monitor AWS-based networks, AWS Transit Gateway Network Manager leverages other AWS services, specifically Amazon CloudWatch and Amazon VPC Flow Logs, to compile and display near real-time metrics such as bandwidth usage on AWS Transit Gateway attachments, packet flow count, packet drop count, and other information related to IP traffic routed through AWS Transit Gateway. For example, Figure 4 shows graphs of metrics tracking traffic bytes routed through AWS Transit Gateway in Ireland. ESG also noted that a summary of events occurring over time can be generated to help an administrator quickly identify possible causes of ongoing network issues.

Route Analyzer

In addition to monitoring near real-time network metrics, organizations can identify potential causes of network disruptions by analyzing how traffic is routed between AWS Transit Gateways and their attached Amazon VPCs and on-premises locations. With Route Analyzer (accessed via AWS Transit Gateway Network Manager main interface), organizations can identify potential causes of the disruptions.

For example, an administrator has been alerted that AWS resources within Amazon VPCs deployed in the western US (US-West-2) and Germany (EU-Central-1) cannot talk with each other. The Amazon VPCs are attached to AWS Transit Gateways in Oregon and Frankfurt, Germany. To allow communication between Amazon VPCs in the US and Germany, both AWS Transit Gateways should be connected via AWS Transit Gateway Inter-Region Peering.

With Route Analyzer, the administrator can check if AWS Transit Gateway’s route tables have been configured correctly (see Figure 5). By inputting the source and destination transit gateway name, transit gateway attachment, and IP addresses, Route Analyzer can check if an EC2 instance in the US-West-2 Region (the source) can communicate with the EC2 instance in the Frankfurt Region (the destination) using peered AWS Transit Gateways. In this case, the Route Analyzer has found that neither the forward nor the return path exists between the AWS Transit Gateways (as indicated in the blue fields). The administrator now knows that correcting this issue requires adding the missing routes to the AWS Transit Gateway route tables on both sides: routes are not propagated across a peering attachment, so each transit gateway needs a static route for the remote region’s CIDR pointing at its peering attachment, and a missing route on either side breaks one direction of the path.
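The two passages above, routing domains built from per-attachment associations and propagations, and the Route Analyzer finding of a missing forward and return path across peered transit gateways, are easier to reason about with a small model. The following is an added illustration written for this review, not AWS code and not how Route Analyzer is implemented; all transit gateway names, attachment IDs and CIDRs are constructed for the example, and the VPN attachment’s on-premises prefixes are supplied directly rather than learned over BGP. The model implements longest-prefix lookup in the route table associated with the ingress attachment, hops across peering attachments into the peer’s own table, and checks forward and return paths separately, the way the report describes. VPC-side route tables are outside the model.

```python
"""Toy model of AWS Transit Gateway routing (attachments, route tables,
associations, propagations) plus a Route Analyzer-style forward/return check.
Added illustration only, not AWS code; every ID and CIDR below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class TransitGateway:
    name: str
    attachments: dict = field(default_factory=dict)   # att id -> (kind, [networks])
    route_tables: dict = field(default_factory=dict)  # rt id -> [(network, att id)]
    associations: dict = field(default_factory=dict)  # att id -> rt id (exactly one)

    def add_attachment(self, att_id, kind, cidrs=()):
        self.attachments[att_id] = (kind, [ip_network(c) for c in cidrs])

    def create_route_table(self, rt_id):
        self.route_tables[rt_id] = []

    def associate(self, att_id, rt_id):
        # The associated table is the one consulted for traffic ARRIVING from att_id.
        self.associations[att_id] = rt_id

    def propagate(self, att_id, rt_id):
        # Propagation copies the attachment's prefixes (VPC CIDR, or BGP-learned
        # prefixes for VPN/Direct Connect) into rt_id, pointing back at att_id.
        for net in self.attachments[att_id][1]:
            self.route_tables[rt_id].append((net, att_id))

    def add_static_route(self, rt_id, cidr, att_id):
        # Peering attachments never propagate routes: those must be static.
        self.route_tables[rt_id].append((ip_network(cidr), att_id))

    def next_hop(self, src_att, dst_ip):
        """Attachment the TGW forwards to for traffic entering via src_att, or None."""
        rt_id = self.associations.get(src_att)
        if rt_id is None:
            return None
        dst = ip_address(dst_ip)
        matches = [(n, a) for n, a in self.route_tables[rt_id] if dst in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix wins


def analyze_path(tgws, peering, src, src_ip, dst, dst_ip):
    """Route Analyzer-style check. src/dst are (tgw name, attachment id);
    peering maps (tgw, peering att) -> (peer tgw, peer's peering att).
    Returns (forward_path_exists, return_path_exists)."""
    def walk(start, ip, target):
        tgw, att = start
        for _ in range(len(tgws) + 1):           # bounded: no routing loops
            hop = tgws[tgw].next_hop(att, ip)
            if hop is None:
                return False
            if tgws[tgw].attachments[hop][0] == "peering":
                tgw, att = peering[(tgw, hop)]   # re-enter via the peer TGW's own table
                continue
            return (tgw, hop) == target
        return False
    return walk(src, dst_ip, dst), walk(dst, src_ip, src)


def build_example():
    """Constructed topology: Oregon TGW with a prod VPC, a dev VPC and an HQ VPN;
    Frankfurt TGW with one VPC; the two TGWs joined by inter-region peering."""
    us = TransitGateway("tgw-oregon")
    us.add_attachment("att-prod", "vpc", ["10.1.0.0/16"])
    us.add_attachment("att-dev", "vpc", ["10.2.0.0/16"])
    us.add_attachment("att-hq", "vpn", ["192.168.0.0/16"])   # stands in for BGP-learned prefixes
    us.add_attachment("att-peer-eu", "peering")
    eu = TransitGateway("tgw-frankfurt")
    eu.add_attachment("att-eu-vpc", "vpc", ["10.3.0.0/16"])
    eu.add_attachment("att-peer-us", "peering")
    # Three routing domains in Oregon: prod and dev each see only HQ (prod will also
    # see Frankfurt once a static route is added); the hub table used by the HQ VPN
    # and the peering attachment sees both VPCs. prod and dev never see each other.
    for rt in ("rt-prod", "rt-dev", "rt-hub"):
        us.create_route_table(rt)
    us.associate("att-prod", "rt-prod")
    us.propagate("att-hq", "rt-prod")
    us.associate("att-dev", "rt-dev")
    us.propagate("att-hq", "rt-dev")
    for att in ("att-hq", "att-peer-eu"):
        us.associate(att, "rt-hub")
    for att in ("att-prod", "att-dev"):
        us.propagate(att, "rt-hub")
    eu.create_route_table("rt-eu")
    for att in ("att-eu-vpc", "att-peer-us"):
        eu.associate(att, "rt-eu")
    eu.propagate("att-eu-vpc", "rt-eu")
    peering = {("tgw-oregon", "att-peer-eu"): ("tgw-frankfurt", "att-peer-us"),
               ("tgw-frankfurt", "att-peer-us"): ("tgw-oregon", "att-peer-eu")}
    return {"tgw-oregon": us, "tgw-frankfurt": eu}, peering


def fix_peering_routes(tgws):
    """The correction the Route Analyzer finding calls for: a static route over
    the peering attachment in BOTH transit gateways, one per direction."""
    tgws["tgw-oregon"].add_static_route("rt-prod", "10.3.0.0/16", "att-peer-eu")
    tgws["tgw-frankfurt"].add_static_route("rt-eu", "10.1.0.0/16", "att-peer-us")


if __name__ == "__main__":
    tgws, peering = build_example()
    us = tgws["tgw-oregon"]
    print("prod -> HQ :", us.next_hop("att-prod", "192.168.10.5"))   # att-hq
    print("prod -> dev:", us.next_hop("att-prod", "10.2.0.5"))       # None: segmented
    prod, eu_vpc = ("tgw-oregon", "att-prod"), ("tgw-frankfurt", "att-eu-vpc")
    print("before fix :", analyze_path(tgws, peering, prod, "10.1.0.10", eu_vpc, "10.3.0.10"))
    fix_peering_routes(tgws)
    print("after fix  :", analyze_path(tgws, peering, prod, "10.1.0.10", eu_vpc, "10.3.0.10"))
```

Run as-is, the script shows the two points the report makes: prod and dev attachments on the same transit gateway get no path to each other because neither table carries the other’s prefix, and the cross-region check fails in both directions until a static route over the peering attachment exists on each side. Adding the Oregon route alone would make the forward path appear while the return path still fails, which is exactly the half-fixed state Route Analyzer is meant to catch.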

Cross-account Support

An organization can share its AWS Transit Gateway with other AWS accounts (through AWS Resource Access Manager) so that those accounts are free to attach their own Amazon VPCs or on-premises locations when business needs dictate (e.g., when development and testing groups need to collaborate). Enabling this support eases the process of setting up and tearing down these interconnections without having to configure route tables of multiple Amazon VPCs or on-premises routers and gateways. Management and administration of AWS Transit Gateway, including its route tables and the acceptance of attachments, remains with the owning account in order to retain overall centralized control of the network; the accounts it is shared with can create attachments but cannot change how the transit gateway routes between them.

Multicast Support

Instead of using on-premises multicast networks, AWS customers can send multicast data straight from AWS-based applications using AWS Transit Gateway Multicast. This is especially applicable for applications such as video or stock ticker information. With AWS Transit Gateway Multicast, organizations eliminate the need for deploying multiple high-bandwidth unicast connections to each client while reducing network congestion and network infrastructure costs.


To help in ensuring overall cloud-based network security, AWS Transit Gateway operates on the AWS private network, so an enterprise’s traffic between Amazon VPCs and peered transit gateways is not exposed on the public internet. This reduces the surface available to internet-borne network attacks, such as distributed denial of service (DDoS) attacks against internet-facing VPN endpoints, and removes the need to expose per-VPC endpoints; it does not address application-layer flaws such as SQL injection or cross-site scripting, which must still be handled in the applications themselves regardless of how the network is built. AWS Transit Gateway also inherits compliance from the Amazon VPCs, meeting the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP Moderate, FedRAMP High, and HIPAA eligibility.

SD-WAN Integration

Organizations typically use software-defined wide area networking (SD-WAN) solutions to maximize the use of network transport resources by automatically re-routing VPN tunnels over alternative network paths should application or network performance degrade on a designated primary path. With select SD-WAN solutions, organizations also have the option to create AWS Site-to-Site VPN tunnels directly between a branch and AWS Transit Gateway with minimal manual effort using the SD-WAN solution’s management interface (see Figure 6). The integration of APN Partner SD-WAN solutions with AWS Transit Gateway Network Manager can also enable organizations to visualize, manage, and monitor IT environments spanning both on-premises and the AWS Cloud Infrastructure.

Why This Matters

Integrating cloud and on-premises IT environments remains a challenge for organizations when pursuing a hybrid cloud strategy. A necessary part of that integration is ensuring that resources both in the cloud and on-premises locations are networked to respond to business needs without the need for extensive architecture planning, management, and administration.

AWS Transit Gateway enables organizations to network their cloud and on-premises environments. With this managed, distributed, and scalable service, large enterprises can develop global private networks connecting on-premises locations to Amazon VPCs in any AWS region without the need for multiple point-to-point connections. Enterprises can leverage AWS Transit Gateway Network Manager to monitor the performance and availability of their AWS Transit Gateways and corresponding attachments. AWS Transit Gateway also offers other features that help organizations to build out and manage global enterprise-grade networks. With AWS Transit Gateway, organizations can ultimately decrease the time and resources required to deploy and manage a global network architecture with less complexity, decreasing both network infrastructure and operational costs.

Branch Networking Flexibility and Visibility using Cisco SD-WAN

Organizations employing software-defined wide area networking solutions seek to maximize the use of existing network bandwidth from multiple communication services—5G, LTE, broadband/cable, public internet—while reducing their dependence on costly multiprotocol label switching (MPLS) networks when connecting their offices and data centers. Benefits include lower network bandwidth costs and better use of network resources, along with improved network and application performance and availability. As enterprises increase the adoption of IaaS for select workloads, the need arises to simplify the connection of on-premises networks to cloud infrastructure while still maintaining high performance.

To connect on-premises networks to Amazon VPCs, organizations using Cisco’s SD-WAN solution utilize Cisco SD-WAN OnRamp for IaaS to automatically create and deploy a Gateway VPC—a private Amazon VPC containing redundant Cisco SD-WAN Virtual Routers deployed in separate AZs. Using the Gateway VPC, every branch office can potentially reach any Amazon VPC. However, the number of redundant AWS Site-to-Site VPN connections (from the pair of Cisco SD-WAN Virtual Routers to an individual Amazon VPC) increases as more Amazon VPCs are deployed, increasing overall network complexity. With increased complexity comes increased time, resources, and costs in deploying and managing the hybrid cloud environment.

With the integration of AWS Transit Gateway and Cisco SD-WAN, organizations can today connect branch offices with Amazon VPCs using automatically created VPN connections. Organizations terminate standard VPN connections between the branch and the Gateway VPC, then complete the connection with a VPN attachment (using AWS Site-to-Site VPN) between the Gateway VPC routers and AWS Transit Gateway (see Figure 7). In the future, Cisco plans to implement the capability for connecting branches directly to AWS Transit Gateway with AWS Accelerated Site-to-Site VPN connections, without the Gateway VPC.

With the first option, Cisco’s application-aware routing determines the optimal path for traffic between the branch offices and the Amazon VPCs by monitoring performance against network and application metric thresholds. Security is also maintained as paths between the branches and AWS Transit Gateway are secured via IPsec VPN connections.

Organizations adopting the first option can interconnect the Gateway VPC and AWS Transit Gateway, while extending the SD-WAN fabric from the branch offices into the AWS Cloud, via an automated process. Enabled by Cisco SD-WAN OnRamp, the process can minimize the overall time for completing these tasks, helping to increase agility (see left-hand side of Figure 8). An IT administrator simply needs to create a Cloud Gateway in a selected region. The Cloud Gateway includes the Gateway (or transit) VPC and the IPsec VPN tunnel connecting the VPC with AWS Transit Gateway.

To enforce consistent network segmentation, an administrator can use the “Connectivity Intent Management” tool in Cisco SD-WAN Cloud OnRamp. Communications between a branch VPN and a host Amazon VPC, as well as between pairs of host Amazon VPCs, can be controlled and managed (see right-hand side of Figure 8).

Organizations can choose to connect the Gateway VPC and AWS Transit Gateway with VPC attachments as opposed to VPN attachments. While organizations can achieve higher bandwidth per VPC attachment and lower their management overhead and costs (because they have fewer VPN connections to manage), the branch IPsec tunnel terminates on the Cisco virtual routers in the Gateway VPC, so the hop from those routers to AWS Transit Gateway is no longer inside an IPsec tunnel. Its protection then rests on AWS network isolation together with the Gateway VPC’s own security groups and network ACLs, and organizations will need to decide whether that is sufficient for the traffic traversing the VPC attachment itself.

For organizations that want to implement the second option of attaching a branch office directly to AWS Transit Gateway (when it becomes available), the need to maintain a Gateway VPC is eliminated. While organizations can save on time and costs by not implementing a Gateway VPC, the ability to extend the SD-WAN fabric into the AWS Cloud is lost, along with SD-WAN features such as traffic steering and optimization and quality of experience.

For broader network visibility, organizations can opt for vManage and AWS Transit Gateway Network Manager to exchange events and telemetry when VPN connections interconnect the branch offices and AWS Transit Gateway (with or without the Gateway VPC). A network administrator then has visibility into the Amazon VPCs and their interconnections, while the cloud administrator has visibility into the on-premises network.

Why This Matters

When pursuing a hybrid cloud strategy, interconnecting IT resources in both the cloud and on-premises data centers and ROBOs presents challenges. AWS customers with a large number of Amazon VPCs to be networked with one another have relied on numerous point-to-point connections, increasing network complexity and time spent on deployment, management, and administration. Those customers also leveraging Cisco SD-WAN would like to simplify the deployment of AWS Site-to-Site VPN connections, should they choose to use them to connect their ROBOs with their Amazon VPCs. To address these needs, customers would benefit from a solution that simplifies the network architecture while decreasing the time spent on network deployment, management, and administration.

AWS Transit Gateway enables organizations to network their Amazon VPCs with one another by centralizing Layer 3 connectivity, eliminating the need to rely on VPC peering connections. With the Cisco SD-WAN, organizations can further simplify network buildouts by automating the deployment of AWS Site-to-Site VPN connections to connect branch offices and Amazon VPCs using Cisco OnRamp via the vManage NMS. The SD-WAN overlay will leverage these VPN connections as an alternate path for application traffic. The integration also enables full network visibility of both the on-premises and Amazon VPC resources to simplify management and monitoring.

Case Study – Multinational Biotechnology Company

This company is a NASDAQ-100 global biotechnology company, serving over 20,000 employees and developing multiple drug brands. It has been working with AWS over the past five years, migrating select workloads and applications to AWS across multiple regions worldwide. The company also has an extensive Cisco router installed base.


At present, its global network architecture includes on-premises data centers interconnected with multiple Amazon VPCs via AWS Direct Connect. To connect its regional branch offices with Amazon VPCs, the company has leveraged Cisco’s SD-WAN, using the Gateway VPC as the central hub enabling branch offices to connect to any Amazon VPC. IPsec VPN connections interconnect the Gateway VPC with all Amazon VPCs, while Cisco’s SD-WAN creates the overlay for virtual connections between the branches and the Gateway VPC.

The company initially relied on VPC peering connections for its Amazon VPCs to communicate. As the number of Amazon VPCs grew, managing those connections became complex and time-consuming. To connect its branch offices to Amazon VPCs, the company also employed a transit-VPC architecture supported by Cisco SD-WAN Virtual Routers. However, the redundant VPN connections between the Cisco SD-WAN Virtual Routers and each Amazon VPC became operationally burdensome as the company deployed more Amazon VPCs. Resolving issues also became complicated as multiple stakeholders—cloud administrator, network administrator, AWS support, and Cisco support—needed to coordinate their efforts. Time to resolution would be prolonged as the four parties had to identify the cause and derive a joint solution. Scalability also became an issue, as the company was leveraging numerous Amazon VPC peering connections and AWS Site-to-Site VPN tunnels to connect resources both on-premises and in the AWS Cloud platform. Network complexity, management, and administration increased.


To simplify their overall network architecture without compromising performance, the company has integrated AWS Transit Gateway into its global network. AWS Transit Gateway addresses the performance issues experienced by the company when scaling the number of Amazon VPCs in its global network. AWS Transit Gateway has also decreased the number of AWS Site-to-Site VPNs between branch offices and Amazon VPCs worldwide.

The company is also leveraging the combination of AWS Transit Gateway and Cisco SD-WAN to ensure failover of multiple branches within a single region to another data center in a nearby region should a data center fail. Typically, the company would connect its branch offices to regional data centers via AWS Direct Connect. This becomes a single point of failure should that connection fail. Instead, branches would connect via the Gateway VPC, while regional data centers would connect to AWS Transit Gateway. By creating a single overlay that stretched across regions, branch offices in one region can fail over to another region as a single group should application and network metrics dictate. The ability to connect to its regional data center would be maintained despite not using AWS Direct Connect.


The company reduced its network complexity with the reduction in AWS Site-to-Site VPNs used between Cisco’s Gateway VPC and AWS Transit Gateway. It also simplified requests for support, as any issues related to connections between branch offices and AWS Transit Gateway no longer require support from both Cisco and AWS. Multiple edges in each region help organizations to fail over to other data centers or regions so that they can still get to AWS regardless of where traffic originates.

The Bigger Truth

Organizations’ adoption of cloud infrastructure services continues to increase, yet most plan to maintain some level of on-premises environments. Building and updating the network underlying hybrid clouds can be a complex and time-consuming exercise that decreases business agility. To remove this burden, organizations can benefit from a solution that easily enables a global network architecture connecting cloud and on-premises environments while decreasing overall network complexity.

AWS Transit Gateway can simplify a global network architecture by centralizing Layer 3 connectivity of Amazon VPCs, on-premises data centers, and remote offices. Organizations can use AWS Transit Gateway to quickly set up a global, scalable, and manageable network without extensive time dedicated to architecture design, planning, purchasing, and refreshes. AWS enables organizations to build out such a network by offering features such as AWS Transit Gateway Inter-Region Peering, AWS Transit Gateway Network Manager, and cross-account support.

AWS customers using Cisco SD-WAN can simplify the deployment of AWS Site-to-Site VPN connections between their branch offices and Amazon VPCs via automation using Cisco OnRamp via the vManage NMS. The Cisco SD-WAN overlay can determine which specific connection is the optimal path for traffic to maintain high application performance and/or availability. To obtain network visibility of both ROBOs and Amazon VPCs, AWS customers can authorize the exchange of event and telemetry information between the vManage NMS and Amazon CloudWatch.

ESG’s case study validated that AWS Transit Gateway can serve as a platform for building and expanding a virtual network architecture interconnecting large numbers of Amazon VPCs without relying on multiple VPC peering connections. By leveraging the integration with Cisco SD-WAN, the customer can automatically create AWS Site-to-Site VPN connections to their regional data centers and leverage the SD-WAN overlay to switch traffic between these connections. This architecture will ensure that the company will be able to reach Amazon VPCs connected to these data centers, regardless of the region in which the user resides, since AWS Transit Gateway has inter-region peering support.

As the AWS-Cisco partnership progresses, ESG would recommend that both companies exploit Cisco’s experience in routing as they deepen the integration between AWS Transit Gateway and Cisco SD-WAN. AWS has simplified the deployment of scalable network environments, yet enterprises may require more routing-based features to ensure that their networks can satisfy a wide variety of use cases.

ESG was impressed with the benefits that AWS customers derived. We believe that organizations can leverage AWS Transit Gateway to build a core network underlying their hybrid clouds. ESG believes that the integration of AWS Transit Gateway and Cisco SD-WAN will further simplify the deployment, management, and administration of hybrid clouds via automating the deployment of AWS Site-to-Site VPN connections. If your organization is planning large-scale Amazon VPC deployments that will interconnect with a large number of branches, ESG strongly believes that you should consider AWS Transit Gateway with Cisco SD-WAN when evaluating solutions for interconnecting your cloud and on-premises environments.

1. Source: ESG Master Survey Results, 2020 Technology Spending Intentions Survey, January 2020.
2. Source: ESG Master Survey Results, Hybrid Cloud Trends, May 2019.
3. Source: ESG Master Survey Results, 2020 Technology Spending Intentions Survey, January 2020.
4. AWS Direct Connect is a cloud service solution for establishing a dedicated network connection from on-premises locations to AWS.
5. An AWS Site-to-Site VPN connection consists of two Internet Protocol Security (IPsec) VPN tunnels, each terminating in two different Availability Zones (AZ) to ensure high availability.
6. A route table contains dynamic and static routes that decide how traffic is directed based on the destination IP address of the packet.
This ESG Technical Validation was commissioned by Amazon Web Services and is distributed under license from ESG.