Close

HPE Aruba Networking Blogs

Aruba SD-Branch Fully Automates Integration with AWS

By Ramanan Subramanian, Senior Director of Product Management for Aruba SD-WAN and SD-Branch

This blog is coauthored by Kishore Seshadri, Vice President and General Manager for SD-WAN, SD-Branch and User Experience Insights at Aruba. 

Over the last few years, enterprises have been rapidly moving workloads to public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud. This trend has accelerated further in the last few months with the impact of the COVID-19 pandemic. Enterprises have learned to extensively leverage the IaaS (infrastructure-as-a-service) and PaaS (platform-as-a-service) capabilities that these solutions offer, and in many cases have specific goals to completely migrate their on-premises data center workloads to their cloud provider data centers. Consequently, the traditional WAN connectivity model of directing all traffic from branches and remote workers to on-premises data centers with hub and spoke network topologies has evolved to more complex connectivity models, resulting in more complex WAN topologies. The good news is that such topologies need not be complex to deploy and manage.

The Aruba SD-Branch solution has integration with several cloud providers to simplify the deployment of SD-WAN gateways at remote branch, home workers and campus locations with orchestrated connectivity to cloud providers such as AWS. In this article, we look at the deep integration between Aruba SD-Branch and AWS, and the ensuing benefits. We also explore the integration with AWS Transit Gateway in dramatically simplifying connectivity to AWS.

Fully Automated Deployment of Aruba Virtual Gateways

When customers deploy SD-WAN to connect to their on-premises data center, they typically deploy a headend (hub) gateway. These gateways generally sit in the data center DMZ (behind a perimeter firewall) and extend the SD-WAN secure fabric into the data center via a zone of security services in the DMZ. All routing across the SD-WAN fabric is automated by the Aruba SD-WAN Orchestrator, and headend gateways use BGP or OSPF to exchange routes with the data center core switches and routers. A similar deployment model is realized in the cloud data center environments with AWS Virtual Private Cloud (VPC).

Instead of a physical headend gateway, an Aruba Virtual Gateway (vGW*) is deployed in what is usually referred to as a “Edge VPC”. Since this is a virtual environment, there are many configuration steps required to deploy a vGW, namely:

  • Spinning up the vGW in the correct environment
  • Deploying it across multiple Availability Zones (AZs)
  • Connecting to virtual network interfaces (ENIs)
  • Connecting to AWS Transit Gateway
  • Create and modify routing tables
  • Connecting to the SD-WAN fabric, and ensuring applications can be accessed from on-prem sites

An engineer who is familiar with AWS networking can implement these changes by following a manual procedure; however, this tends to be cumbersome and error-prone. Aruba simplifies this entire process by completely automating the deployment of Aruba vGWs by orchestrating their deployment from Aruba Central. The user essentially provides four pieces of information:

  • Their AWS Identity and Access Management (IAM) credentials
  • The VPC in which to deploy the vGW
  • Select the size of the vGW (500Mbs to 4Gbps in throughput terms)
  • Whether they want to deploy it with high availability across Availability Zones (AZs)

… and they are done!

The following steps are completely automated:

  • The customer’s Virtual Private Clouds (VPCs) and AWS Transit Gateways are auto-discovered
  • The Aruba vGW instances are automatically spun up and connected to Aruba Central for control and management plane functions
  • Based on user configuration, Aruba vGWs can be automatically deployed with high-availability and across Availability Zones
  • Aruba vGWs connected to the SD-WAN fabric over the AWS Internet Gateway (IGW) and AWS VPN Gateway (VGW)
  • The routing tables are created and modified to reflect the desired subnets to be shared and the failover policies to be reflected
  • Aruba vGW instances automatically discover and peer to the AWS Transit Gateway
  • If desired, monitoring information is shared with the AWS Transit Gateway Network Manager

These steps, triggered by a few clicks, enable on-premises locations to seamlessly connect to workloads in AWS. In a matter of minutes an administrator can connect a new Cloud data center with all locations running Aruba SD-WAN. One can view the AWS Transit Gateway in a manner similar to the data center core routers in a traditional on-premises data center. Essentially, the AWS Transit Gateway acts as the central hub for connecting all VPCs in-region and across regions. AWS Transit Gateway and Aruba vGWs can be seen in the Topology View on Aruba Central and on the AWS Transit Gateway Network Manager dashboard.

Figure: Aruba Virtual Gateway peered with AWS Transit Gateway

Figure 1: Aruba Virtual Gateway peered with AWS Transit Gateway

Connecting On-Prem and Cloud Data Centers with Ease

It is increasingly common that customers have hybrid environments, with workloads running in both on-premises data centers, colocation facilities, and in public clouds (AWS VPCs). In essence, these can be treated as hub locations that need to be connected with a unified SD-WAN fabric. The Aruba SD-Branch solution provides the ability to automatically form a hub mesh, connecting on-premises data center sites and cloud data center sites over MPLS and Internet transport. An enterprise can avoid complex configuration to build this network by deploying Aruba SD-Branch, which leverages the Aruba SD-WAN Orchestrator to automatically create mesh connectivity between hub locations and provide dynamic routing with transitive routing capabilities. Transitive routing gives customers deployment flexibility and provides a higher degree of resiliency.

Figure: Transitive Routing with hub mesh

Figure 2: Transitive Routing with hub mesh

In the given topology, the VPNC in the DC, Aruba vGW in AWS US West region and Aruba vGW in AWS EU region are auto-meshed by Aruba SD-Branch. When the connection between VPNC and vGW EU fails, the traffic from the DC to AWS EU region is automatically rerouted to vGW US-West, which acts as a transit hop. Transitive routing can be exercised at any of the hub points, including the Aruba vGW running in AWS.

Orchestrated Multi-Region Connectivity

The SD-WAN mesh can be extended to connect across multiple AWS region. Once the cloud hub points are identified, the SD-WAN Orchestrator takes care of connecting them together. Secure overlays are automatically built across public and private circuits, and routes are dynamically learned and exchanged with intelligent route costing to provide optimal connectivity while avoiding loops. Once deployed, users can access applications that are running across on-premises and cloud environments.

In addition to MPLS and Internet transports, enterprises can leverage the AWS backbone with AWS Transit Gateway inter-region peering to build their WAN-core for inter-region connectivity using the SD-WAN mesh fabric. The network admin can view the entire live topology – control connections, routes and tunnels, from a single dashboard on Aruba Central, making it significantly easier to manage the network.

Figure: Multi-region deployment with AWS and Aruba SD-Branch

Figure 3: Multi-region deployment with AWS and Aruba SD-Branch

Aruba Cloud Connect provides one-click connectivity to AWS Transit Gateway

While the Aruba vGW running on AWS provides an easy way to extend the Aruba SD-WAN to AWS, there are scenarios where an enterprise might simply choose to extend VPN connectivity to AWS Transit Gateway. This allows on-premises appliances in the data center or at remote branch/campus sites to directly peer with the AWS Transit Gateway. With Aruba Cloud Connect service on Aruba Central, the entire procedure to connect to AWS Transit Gateway is automated. The network administrator simply identifies the set of sites they need to connect to the AWS Transit Gateway with the additional option to select Accelerated VPN and they are done!

Aruba Cloud Connect in turn talks to AWS via APIs in the background to negotiate the connectivity and configuration parameters, and to exchange network state in order to provide visibility across on-prem and cloud resources.  Once enabled, sites will automatically setup VPN connections to AWS Transit Gateway along with the needed BGP peering. The network administrator can actively monitor the connectivity status from Aruba Central or from AWS Transit Gateway Network Manager.

The recent native integration of Aruba Virtual Gateways with AWS Transit Gateway Connect attachment overcomes some of the limitation with IPsec connectivity and provides a higher bandwidth connection (up to 10Gbps) to AWS Transit Gateway. With the AWS Transit Gateway becoming the hub for branch-to-cloud, DC-to-cloud, and cloud-to-cloud connectivity, this important enhancement significantly improves connectivity and performance for customers.

Customers have several deployment choices with Aruba SD-Branch

The Aruba SD-Branch solution offers several deployment options for customers connecting to AWS. Enterprises who have deployed Aruba SD-Branch love the automation and flexibility that is available to easily connect and extend their SD-WAN connectivity to AWS. Our customers are able to leverage the latest AWS networking capabilities offered with AWS Transit Gateway as a result of the deep integration with the Aruba SD-Branch solution. The key benefits that Aruba SD-Branch delivers:

  • High-performance Aruba Virtual Gateways with large scale IPsec (VPN) support
  • Automated Aruba Virtual Gateway deployment with SD-WAN
  • High availability with automatic failover
  • Automated branch-to-cloud and DC-to-cloud connectivity with transitive routing
  • Advanced overlay route control including filtering, setting preference and segmentation
  • Automatic built-in loop avoidance
  • Advanced BGP capabilities such as AS Path Prepend, route-maps and high route scale
  • Enterprise grade visibility and troubleshooting capabilities
  • Intra-region and inter-region transit peering
  • Multi-region and multi-cloud connectivity

Here is what Sase Govindan at Verisk Analytics has to say, “Aruba SD-Branch met all of our One Verisk requirements. Plus, it offered IT streamlining options we’d yet to even think about, such as virtual gateway automation and SD-WAN orchestration.” Read more about it in the detailed case study on Verisk.

Working with integration benefits Aruba, AWS and Enterprise Strategy Group have published a technical review highlighting the key delivered by Amazon Web Services (AWS) Transit Gateway in conjunction with Aruba SD-Branch. Read it here.

Learn More

Aruba SD-WAN and AWS Transit Gateway Solution

Aruba SD-Branch Solutions Page

* Note that the acronym “vGW” in this article refers to Aruba Virtual Gateway, not AWS VPN Gateway.