• June 8, 2022
  • Netserv
  • 0

Key Considerations for Extending Cisco SD-WAN to Multi-Clouds

Today, most enterprises have some cloud-first and multi-cloud business strategies yet still face challenges and a unique set of considerations when connecting seamlessly to public and private clouds. This article will walk you through reviews, recommendations, and limitations for extending Cisco SD-WAN sites to AWS, Azure, and Multi-cloud (Megaport). These are based on deployment experiences and constraints that are subject to change with a new software release. Even though it is supported, this article does not cover Cisco SD-WAN integration with GCP and Equinix.

SD-WAN sites to AWS

Cisco SD-WAN Cloud OnRamp for IaaS automates the provisioning of Cisco SD-WAN virtual appliance routers in the AWS cloud and maps VPN segments to the appropriate VPC workloads. This Cloud gateway comprises a transit VPC, two CSR devices, and a transit gateway. For the greenfield deployments, it makes sense to use the vManage Cloud OnRamp workflow to extend SD-WAN sites to AWS. However, for some complex brownfield deployments, you can consider the customized manual option from ASW.

Following are some key features and considerations for AWS integrations.

  • Now, Multicloud supports integration with up to 10 AWS accounts.
  • Intra-Tag Communication allows or denies communication between the VPCs under the same tag.
  • When you enable two WAN edges, they automatically deploy in separate availability zones.
  • By default, periodic auditing is performed to check if there are any configuration differences via Cloud OnRamp workflow and AWS. If there is a difference, the configuration automatically rollbacks to the Cloud OnRamp workflow configuration.
  • You cannot use the Manage Cloud OnRamp if a customer already uses a transit gateway and wants to use the existing transit gateway.
  • Now you can connect the cloud gateway to an AWS transit gateway using GRE based connection, which improves bandwidth and scale. Also, you can connect branch devices to the transit gateway using an IPSec tunnel to access the applications hosted in the cloud.
  • Transit gateway peering allows you to establish peering connections between transit gateways in different regions and enables you to expand and build global networks. 

Following are some critical limitations for AWS integrations as of this writing.

 If you want to connect the Cloud WAN edge to AWS using the direct link, for example, for Data Center connectivity, you will also not be able to archive this with the Cloud On Ramp workflow.

  • Only one cloud gateway instance per region is supported, and only a single pair of Cisco Cloud routers per cloud gateway.
  • Single VPN tunnel per SD-WAN device. This limits the bandwidth of the solution to 2.5 GBPS.
  • AWS integration on IPv6 is not supported.
  • Tags associated with host VPCs with overlapping CIDRs cannot be mapped to each other. 

SD-WAN sites to Azure

Cisco SD-WAN Cloud OnRamp for Multicloud seamlessly automates Microsoft Azure Virtual WAN hub provisioning. It makes sense for the greenfield and brownfield deployments to use this vManage workflow to extend SD-WAN sites to Azure.

Following are some key features and considerations for Azure integrations.

  • Unlike AWS integration, the Azure Cloud OnRamp workflow also supports discovering existing transit virtual networks (VNets) and allows connecting selected VNets to the SD-WAN overlay network.
  • If no virtual transit network (VNet) exists, this workflow creates the new transit virtual network (VNet) and connects it to the SD-WAN overlay network.
  • Now, support for ExpressRoute connections from branch offices to NVAs through SD-WAN tunnels is available (17.8.1a/20.8.1).
  • Inter-region Azure Hub-to-Hub connectivity is enabled by creating VNet tags and mapping them to your VPN sites.
  • Like AWS, the periodic auditing option is available for Azure, starting with 17.7.1a/20.7.1 release. If the user enables the autocorrect option, Cisco vManage automatically resolves recoverable issues if any are found.
  • When you enable two WAN edges, they automatically deploy in a separate availability zone

Following are some critical limitations for Azure integrations as of this writing.

  • If you want to connect the Cloud WAN edge to Azure Express for data center connectivity, you must configure this manually as it is not supported in the Cloud OnRamp workflow.
  • The VPNs selected to be mapped to VNet tags must not have overlapping IP addresses. This is because segmentation is not supported in Microsoft Azure Virtual WAN.
  • Virtual WAN hub architecture does Not support; Segmentation, IPv6, traceroute
  • Azure virtual WAN hubs support a maximum throughput of 2 Gbps with Internet Mix Traffic (IMIX).
  • Only one virtual hub can be configured for each Azure region and each resource group.

Note: Minimum supported releases: Cisco IOS XE Release 17.4.1a and Cisco vManage Release 20.4.1

SD-WAN sites to Multicloud with Megaport

The Cisco Software-Defined Cloud Interconnect (SDCI) with Megaport Virtual Edge (MVE) allows customers to interconnect SD-WAN sites to public or private cloud with assured SLAs. The Megaport fabric provides data-center-agnostic, efficient, high-speed, low-latency, high-bandwidth connectivity across data centers globally.

Following are some key features and considerations for SD-WAN Cloud Interconnect with Megaport:

  • Megaport network has over 700 Megaport-enabled data centers and more than 200 cloud on ramps to most major cloud providers, including AWS, Microsoft Azure, Google Cloud, Oracle, and others.
  • On the network side, a transit gateway is provided to Megaport’s private network so that organizations can connect branches to clouds, components to units, data centers, data centers, and more.
  • Most SD-WAN solutions are the last mile-focused, but Cisco tackles the middle mile. Organizations can deploy the Megaport underlay connection through one automated workflow using the Cisco SD-WAN vManage controller.
  • We recommend that you deploy the SD-WAN instances at a Megaport location closest to your branch location for better performance.

Note: Minimum supported releases for Cisco SD-WAN Cloud (AWS, GCP, and Azure) Interconnect with Megaport Cisco IOS XE Release 17.6.1a and Cisco vManage Release 20.6.1


Cisco SD-WAN workflow makes it very easy to securely connect your DC and Branch sites to the public and private clouds, especially the recent software releases which allow more flexibility and customization design options.

Contributing Author:
Jay Kulkarni,
Principal Engineer