
With SD-WAN, Pursuing Hybrid Cloud Connectivity Might Be Simpler Than You Think


For enterprises to innovate, grow, and outpace their competition, they must embrace digital transformation. It enables them to automate tasks and become more agile. According to a consumer report, nearly 78% of enterprise applications are now on the public cloud. That includes Software as a Service (SaaS) applications and Infrastructure as a Service (IaaS) providers, such as Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP).

The fact is, adopting cloud services is no longer optional. Yet figuring out connectivity to your branches to support robust use of cloud services can be challenging. If you don’t optimize and simplify connectivity to the cloud, you may not be able to make the most out of your cloud investments.

Let’s look at a real-world example using AWS products and consider a traditional router scenario. (Similar options are available from other cloud providers such as Azure; the table below gives the equivalent product names.)

Amazon Web Services        Azure
Virtual Private Cloud      Virtual Network
AWS Direct Connect         Azure Express Route
Transit Gateway            Virtual WAN
Virtual Private Gateway    Virtual Private Network Gateway

One way to extend your branch LAN to the public cloud is to build an IPsec tunnel from your branch router. Typically, there are two popular options:

  1. Building IPsec tunnels between branches and the Virtual Private Gateway (VPG)
  2. Building IPsec tunnels to a Transit Gateway (TGW)

Building IPsec Tunnels Between Branches and a Virtual Private Gateway

You can attach a VPG to a Virtual Private Cloud (VPC) and configure multiple site-to-site Virtual Private Network (VPN) connections to data centers and branches. You would configure routing so that any traffic bound to the VPC routes into the VPN tunnel, and any traffic to your branch network routes to the VPG (as illustrated).



Building IPsec Tunnels to a Transit Gateway

You can attach a TGW to a VPC and configure multiple site-to-site VPN connections to individual branches. You would configure routing so that any traffic bound to the VPC routes into the VPN tunnel, and any traffic to your branch network routes to the TGW, as shown.



This approach requires network engineers to configure branch routers and set up the VPN. Depending on the vendor and type of router, this might be a manual process (although some engineers may develop an automated script). Regardless, as the number of branches increases, the process gets complicated and harder to maintain.

Without a controlled overlay, visibility into application performance is also limited. Static IPsec tunnels mean your applications are at the mercy of the transport’s performance. With traditional IPsec, an impaired WAN often only becomes visible once application performance has already degraded, causing reduced productivity or lost revenue.
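As an added example (not code from the original post), the Python below models the per-branch work the two traditional options above imply: one AWS Site-to-Site VPN connection per branch (each consisting of two tunnels), one VPC route per branch prefix, and one route on every branch router back to the VPC. It also runs the sanity check a network engineer wants before building anything, rejecting overlapping prefixes. Branch names, CIDRs and gateway addresses are constructed sample values.

```python
"""Plan hub-and-spoke IPsec connectivity from branch routers to a VPC.

Added example with constructed sample data; not from the original post.
Models the 'traditional router' options: each branch gets one AWS
Site-to-Site VPN connection (always two tunnels), the VPC route table
needs one route per branch prefix, and each branch router needs a route
for the VPC prefix into its own tunnel.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    name: str
    lan_cidr: str    # branch LAN prefix that must be reachable from the VPC
    public_ip: str   # customer gateway address the tunnels terminate on


def check_no_overlap(vpc_cidr, branches):
    """Return overlapping prefix pairs; an empty list means the plan is sane.
    Overlapping prefixes are the classic hub-and-spoke failure: the hub
    cannot tell which branch a return packet belongs to."""
    nets = [("vpc", ipaddress.ip_network(vpc_cidr))]
    nets += [(b.name, ipaddress.ip_network(b.lan_cidr)) for b in branches]
    return [(n1, n2) for i, (n1, p1) in enumerate(nets)
            for n2, p2 in nets[i + 1:] if p1.overlaps(p2)]


def build_plan(vpc_cidr, branches, gateway="vgw"):
    """Return the tunnels and routes that must be configured by hand.
    gateway is 'vgw' (Virtual Private Gateway) or 'tgw' (Transit Gateway),
    i.e. the target of each branch route in the VPC route table."""
    problems = check_no_overlap(vpc_cidr, branches)
    if problems:
        raise ValueError("overlapping prefixes: %r" % problems)
    plan = {"tunnels": [], "vpc_routes": [], "branch_routes": []}
    for b in branches:
        for idx in (1, 2):   # every Site-to-Site VPN connection has two tunnels
            plan["tunnels"].append((b.name, idx, b.public_ip))
        plan["vpc_routes"].append((b.lan_cidr, gateway))
        plan["branch_routes"].append((b.name, vpc_cidr, "tunnel-" + b.name))
    return plan


# Constructed sample: three branches behind one VPC
VPC = "10.100.0.0/16"
BRANCHES = [Branch("branch-a", "10.1.0.0/24", "203.0.113.10"),
            Branch("branch-b", "10.2.0.0/24", "203.0.113.20"),
            Branch("branch-c", "10.3.0.0/24", "203.0.113.30")]

if __name__ == "__main__":
    p = build_plan(VPC, BRANCHES)
    print(len(p["tunnels"]), "tunnels and", len(p["vpc_routes"]), "VPC routes")
```

Every new branch adds two tunnels, a VPC route and a branch route that all have to be kept consistent, which is the maintenance burden the text describes.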

A Wise Investment in SD-WAN

All of these scenarios can benefit from investment in a Software Defined Wide Area Network (SD-WAN) that simplifies cloud connectivity. Most SD-WAN vendors have virtual instances of their edge devices available on public cloud marketplaces. By installing an SD-WAN appliance in the VPC, you can add your cloud environment as an endpoint in your SD-WAN network. Then, with SD-WAN orchestration, you can treat your public cloud as any other data center. The branch SD-WAN edges can build tunnels directly to the cloud endpoint and reach applications quickly. The SD-WAN overlay reduces the need for router configurations and provides application enhancements.

Similar to traditional routing, SD-WAN allows you to integrate the network into the public cloud in multiple ways. The two most popular ways are to:

  1. Install an SD-WAN appliance on the VPC
  2. Connect to a third-party virtual SD-WAN appliance on a TGW

Installing an SD-WAN Appliance on the VPC

In this deployment, a virtual instance of an SD-WAN edge (or vEdge) is deployed in a VPC, where it learns routes from its peer vEdges. The branch vEdge will automatically discover your cloud routes and build dynamic or static tunnels to reach applications. Since overlay tunnels are established between the branch SD-WAN edge and the public cloud, you have visibility into the network and gain SD-WAN enhancements and Quality of Service (QoS) end-to-end. Depending on SD-WAN capabilities, you can also extend branch operations such as Payment Card Industry (PCI) systems, back-office applications, and guest Wi-Fi to your public cloud.



Connect to a Third-party Virtual SD-WAN Appliance on a Transit Gateway

You can now natively connect your network to a TGW without configuring complex IPsec VPN connections. Dynamic routing capability further simplifies route management across hybrid cloud environments. In addition, you no longer need to manage and operate multiple IPsec VPN connections between third-party appliances and the TGW to support higher bandwidth.

Many SD-WAN vendors have developed virtual appliance integrations with TGWs. Branch SD-WAN edges build an overlay to the virtual appliance in the public cloud and hand off traffic to the TGW for routing. The TGW simplifies routing within the public cloud when applications reside in multiple VPCs.



Powering and Simplifying the Network You Depend On

No matter how you approach your network and digital infrastructure, it’s nearly impossible to do business without the cloud. With that shift comes increased network complexity. If you already have SD-WAN at your branches, there are a host of ways to optimize connectivity to the public cloud and ensure you make the most out of your SD-WAN investment. If you don’t yet have SD-WAN, there’s no better time than now to explore digital transformation and how you can both power and simplify the network you depend on.


About the Author

Pranav Kondala is a Solutions Architect at Hughes who loves to help customers solve complex networking problems. He is passionate about technology and solving problems, and develops solutions for Hughes customers by working directly with them. Outside work, Pranav is an avid explorer and hiker, and he mentors students at various technology groups and educational institutions. You can follow Pranav on LinkedIn and on Twitter at @PranavKondala.