AWS Cloud WAN is a service that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments. Cloud WAN ensures dynamic route propagation across multiple regions, and you only need to update the routing tables of the VPCs to provide network connectivity for workloads that reside within the VPCs.
In this example, we'll see how to automatically push routes to VPC routing tables, and create a fully automated end-to-end routing architecture.
You have a global network, across 2 regions. Cloud WAN provides global network orchestration across these regions, and there are 3 Cloud WAN segments, one each for departments named Finance, Sales and HR. VPC IPAM stores the CIDRs assigned to each of the 3 departments.
Whenever a VPC's attachment to Cloud WAN is created, this solution detects the 'attachment created' event, and automatically pushes the department's summary route into the VPC's routing table.
-
An AWS account that you are able to use for testing, that is not used for production or other purposes. NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.
-
To deploy this solution you will have to have the AWS CLI installed.
-
If on Windows you will need a utility to execute Makefiles
This sample project is meant to be deployed to a single account and multiple regions. By default, AWS regions us-east-1, us-west-2 and ap-southeast-1 are in use.
- Download the code and cd sample-ipam-cf directory.
git clone https://github.com/labeveryday/sample-ipam-cf.git && cd sample-ipam-cf- Deploy the CloudFormation stacks.
make deployNOTE: This deployment will take greater than 15 minutes.
After the VPC has been attached to Cloud WAN give the solution about 5-10 minutes before the routing tables have been updated.
- In us-east-1 open the EC2 console and connect to the
cloud-wan-demo-instanceec2 instance with SSM. - In ap-southeast-1 open the EC2 console and copy the private ip of the instance.
- In the ec2 SSM terminal window type
pingand then paste the private ip address of the instance in ap-southeast-1.
You now have global end-to-end routing in AWS!
For additional verification you can check the default routing tables in the hr vpcs in both regions. You will notice a prefix list that was added when your VPC was attached to Cloud WAN.
- Delete CloudFormation stacks. This will remove all the stacks. (cloud wan, ipam, regional infrastructure, eventbridge rules, and Cloud WAN VPC attachments)
make undeployNOTE: Remember to do
make undeploywhen you are done with the lab and your tests, to avoid undesired charges.
This section not needed if you deployed step 1. It is to deploy each stack individually.
make deploy-global-infra- This will deploy Cloud WAN and IPAM in us-east-1.make deploy-target-1- This will deploy a VPC, private subnet, VPC endpoints for SSM, an EC2 instance, lambda function, eventbridge rule, and Cloud WAN attachment in us-east-1.make deploy-target-2- This will deploy a VPC, private subnet, VPC endpoints for SSM, an EC2 instance, lambda function, eventbridge rule, and Cloud WAN attachment in ap-southeast-1.
- This solution is useful when your VPCs have multiple exit points. In the scenario drawing, each VPC has 2 exit points. One towards the Cloud WAN core-network, and second towards AWS Direct Connect gateway
- In addition to the networking constructs, there's pricing associated with EventBridge and with Lambda. Please check out service pricing pages for more details
- This solution was presented at re:Invent 2022 as a breakout session: Demystifying VPC IP addressing & creating a complete routing solution
- AWS Cloud WAN documentation.
- AWS Cloud WAN Workshop.
- Blog post: Introducing AWS Cloud WAN (Preview).
- Blog post: AWS Cloud WAN and AWS Transit Gateway migration and interoperability patterns
Please reach out to aichadha@amazon.com or duanlig@amazon.com in case you have any questions about this repo.