Migrating TGW to AWS Cloud WAN


Hey Team, I have the following setup:

  1. AP-South-1 and US-East-1 regions have limited services and are connected to the on-prem firewall via IPsec tunnels from their respective Transit Gateways (TGWs).
  2. In EU-West-1, the TGW is integrated with AWS Viptela SD-WAN and AWS Palo Alto SD-WAN for WAN connectivity. Additionally, Palo Alto SD-WAN is also being used for inter-VPC inspection within the region.
  3. All other on-prem data centers are equipped with both Viptela and Palo Alto SD-WAN. So, any traffic destined for EU-West-1 routes through either Viptela or PA SD-WAN.
  4. Traffic destined for AP-South-1 and US-East-1 continues to route via IPsec tunnels.

I'm now working on migrating from AWS Transit Gateway (TGW) to AWS Cloud WAN. However, due to cost constraints, I am looking to reuse the existing AWS Viptela and AWS Palo Alto SD-WAN setup in EU-West-1 for the Cloud WAN architecture, but the migration should be seamless.

Could someone please assist with outlining the migration steps for this transition? My questions are:

  1. Is it possible to use the same AWS PA SD-WAN as a network function group in the AWS Cloud WAN setup?
  2. Do I need to create separate IPsec tunnels (AP-South-1 and US-East-1) for AWS Cloud WAN, or can the existing TGW IPsec tunnels be utilized until the complete VPC migration to AWS Cloud WAN? Thanks!
asked a month ago · 121 views
1 Answer

Migrating from AWS Transit Gateway (TGW) to AWS Cloud WAN can be done in a phased approach to ensure a seamless transition. Here's an outline of the migration steps and answers to your specific questions:

  1. Create an AWS Cloud WAN core network and define your network segments based on your current architecture.

  2. Start by migrating the VPCs in EU-West-1 from the Transit Gateway to AWS Cloud WAN. This can be done in phases to minimize risk.

  3. For AP-South-1 and US-East-1:
    • You need to create new IPsec VPN attachments directly to AWS Cloud WAN.

  4. For EU-West-1 with Viptela and Palo Alto SD-WAN:
    • AWS Cloud WAN supports integration with SD-WAN solutions. You can use Transit Gateway connect attachments to link your existing SD-WAN setup with AWS Cloud WAN.
    • Create Transit Gateway connect attachments using your existing VPC attachments (where your SD-WAN virtual appliances are located) as the underlying transport.

Regarding your specific questions:

  1. It is possible to use your existing Palo Alto SD-WAN setup with AWS Cloud WAN. While AWS Cloud WAN does offer a network function group (NFG) feature for service insertion, you can still integrate your existing SD-WAN solution using Transit Gateway connect attachments. This allows you to reuse your current setup while benefiting from Cloud WAN's global network management capabilities.

  2. For AP-South-1 and US-East-1, you have two options:
    a. Create new IPsec tunnels directly to AWS Cloud WAN. This is recommended for a clean migration and to take full advantage of Cloud WAN's features.
    b. Temporarily continue using the existing TGW IPsec tunnels while migrating VPCs to Cloud WAN. Once all VPCs are migrated, you can then create new tunnels directly to Cloud WAN and decommission the old ones.

The second option allows for a more gradual transition, but may require additional configuration steps to ensure proper routing between Cloud WAN and the existing TGW setup during the migration period.

Remember to thoroughly test each phase of the migration and update your routing configurations accordingly to ensure uninterrupted connectivity throughout the transition process.

For any migration/modification to Network setup such as AWS Transit Gateway (TGW) to AWS Cloud WAN migration, I would recommend opening an AWS Support case for architecture review and migration validation.

Sources
Simplify global hybrid connectivity with AWS Cloud WAN and AWS Direct Connect integration | Networking & Content Delivery
Migration to AWS Cloud WAN multi-Region inspection using service insertion | Networking & Content Delivery
AWS Transit Gateway + SD-WAN solutions - Amazon Virtual Private Cloud Connectivity Options

answered a month ago
AWS
SUPPORT ENGINEER
revised a month ago
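As an added illustration of step 1 of the answer (defining the core network and its segments) that is not part of the thread or any AWS documentation: a constructed Cloud WAN core network policy for the three regions in the question, with the Palo Alto inspection VPC modelled as a network function group (the NFG route from question 1; the answer's Connect-attachment route needs no NFG), plus a pre-flight check that every segment and NFG referenced by the actions and attachment rules is actually declared. Segment names, tag keys and the ASN range are assumptions.

```python
# Constructed policy document (assumed names/ASNs), shaped like the JSON passed
# to `aws networkmanager put-core-network-policy`: three edge locations, a "prod"
# segment for VPCs, an "onprem" segment for VPN/SD-WAN attachments, and an
# "inspection" network function group for the Palo Alto appliance VPC.
CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64555"],
        "edge-locations": [{"location": r} for r in ("eu-west-1", "ap-south-1", "us-east-1")],
    },
    "segments": [{"name": "prod", "require-attachment-acceptance": False},
                 {"name": "onprem", "require-attachment-acceptance": True}],
    "network-function-groups": [{"name": "inspection", "require-attachment-acceptance": False}],
    "segment-actions": [
        # prod <-> onprem traffic is steered through the inspection NFG (single hop).
        {"action": "send-via", "segment": "prod", "mode": "single-hop",
         "when-sent-to": {"segments": ["onprem"]},
         "via": {"network-function-groups": ["inspection"]}},
    ],
    "attachment-policies": [
        # Attachments tagged segment=prod land in "prod"; tag "inspection" -> NFG.
        {"rule-number": 100, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "key": "segment", "operator": "equals", "value": "prod"}],
         "action": {"association-method": "constant", "segment": "prod"}},
        {"rule-number": 200, "condition-logic": "or",
         "conditions": [{"type": "tag-exists", "key": "inspection"}],
         "action": {"association-method": "constant", "add-to-network-function-group": "inspection"}},
    ],
}

def policy_errors(policy: dict) -> list:
    """Return dangling segment/NFG references and duplicate rule numbers (empty list = consistent)."""
    segments = {s["name"] for s in policy.get("segments", [])}
    nfgs = {g["name"] for g in policy.get("network-function-groups", [])}
    errors = []
    for act in policy.get("segment-actions", []):
        share = act.get("share-with", [])
        refs = [act["segment"], *act.get("when-sent-to", {}).get("segments", []),
                *([] if share == "*" else share)]  # "*" means every segment, so nothing to check
        errors += [f"{act['action']}: unknown segment {s}" for s in refs if s not in segments]
        errors += [f"{act['action']}: unknown network function group {g}"
                   for g in act.get("via", {}).get("network-function-groups", []) if g not in nfgs]
    seen = set()
    for rule in policy.get("attachment-policies", []):
        num, target = rule["rule-number"], rule["action"]
        if num in seen:
            errors.append(f"duplicate rule-number {num}")
        seen.add(num)
        if "segment" in target and target["segment"] not in segments:
            errors.append(f"rule {num}: unknown segment {target['segment']}")
        nfg = target.get("add-to-network-function-group")
        if nfg and nfg not in nfgs:
            errors.append(f"rule {num}: unknown network function group {nfg}")
    return errors
```

Running `policy_errors` on a draft before `put-core-network-policy` catches the typo-in-a-name class of mistake that would otherwise surface only as a failed policy change set.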
