Your company just expanded to five AWS Regions. You have 30 VPCs, a data center, and 20 branch offices. Last quarter, a routing misconfiguration in us-east-1 took down prod for two hours — because someone edited the wrong Transit Gateway route table in the wrong Region. There's a better way.

AWS Cloud WAN is a managed global wide-area network service that lets you define your entire network topology — across Regions, on-premises sites, and branch offices — as a single JSON policy, and AWS provisions everything automatically. It turns "edit route tables in ten different consoles" into "push a policy and wait."

The Problem Cloud WAN Was Built to Solve

Before Cloud WAN launched in 2022, engineers running multi-Region AWS architectures had exactly one native option: Transit Gateway (TGW), deployed independently per Region, with inter-Region peering stitched together manually.

Here's what that looked like in practice: deploy a TGW in each of your 6 Regions, create inter-Region peering attachments between each pair that needs connectivity, configure route tables in each TGW separately with no shared policy, and when a new VPC appears, manually attach it to the right TGW, add the right routes in the right tables, and verify nothing conflicts — then repeat in every Region.

A single routing policy decision — say, "dev traffic should never reach prod" — might require changes to 12 route tables across 6 Transit Gateways. And there's no single view that shows you the global routing topology. You audit it Region by Region.

🧠
Mental Model Cloud WAN is to Transit Gateway what Terraform is to ClickOps. TGW is imperative — you specify every route table, every attachment, every peering. Cloud WAN is declarative — you specify the desired state, and AWS figures out the plumbing.
BEFORE — MANUAL TGW MESH TGW us-east-1 TGW eu-west-1 TGW ap-se-1 TGW us-west-2 TGW sa-east-1 Manual route tables · No global view Policy changes = edits in N consoles AFTER — AWS CLOUD WAN Network Policy JSON · Single source Core Network CNE · CNE · CNE · CNE · CNE AWS-managed backbone One policy · Global enforcement · Single pane Figure 1 — Multi-region networking: before and after Cloud WAN

What Is AWS Cloud WAN?

AWS Cloud WAN is a managed WAN (wide-area network) service that connects your AWS Regions, on-premises data centers, and branch offices into a single unified private network. You describe your network in a JSON policy document — which segments exist, which Regions participate, what can route to what — and Cloud WAN provisions the underlying infrastructure and keeps it consistent.

What Cloud WAN is NOT:

  • Not a replacement for Direct Connect or VPN — those are still the physical/encrypted pipes. Cloud WAN manages how traffic routes over them.
  • Not a firewall or traffic inspection service — you still need AWS Network Firewall or a third-party appliance for that.
  • Not just "Network Manager with a new name" — Network Manager is the observability layer. Cloud WAN is the provisioning layer.
  • Not a multi-cloud solution — it manages AWS and hybrid connectivity, but not Azure or GCP natively.
🏢
Enterprise Angle For CTOs evaluating Cloud WAN, the business case is: replace MPLS carrier contracts or third-party SD-WAN vendor costs for AWS connectivity with AWS-native managed infrastructure. The TCO comparison must weigh Cloud WAN charges against MPLS circuit fees, SD-WAN licensing, and the engineering hours spent managing the alternative. For many enterprises at 3+ Regions with hybrid connectivity, Cloud WAN wins.

The Core Components

Cloud WAN has a clear component hierarchy. Understanding how each piece nests is the prerequisite for everything else.

AWS Account / AWS Organizations
└── Global Network // one per org · top-level container
    └── Core Network // the WAN fabric
        ├── Network Policy // JSON · single source of truth
        ├── Core Network Edges // one per Region · managed TGW
        ├── Segments // routing domains · like VRFs
        └── Attachments // VPCs, VPNs, DX, SD-WAN

Global Network — The top-level container. One per organization. Links to Network Manager for visibility.

Core Network — The actual WAN fabric. It lives inside the Global Network, has a policy document, and contains your Core Network Edges and Segments.

Core Network Edge (CNE) — One per AWS Region. This is a fully managed Transit Gateway that AWS provisions and operates on your behalf. You cannot see it in your account as a TGW resource — it's completely abstracted. You connect things to it via attachments.

Segments — Routing domains within the Core Network. They're the Cloud WAN equivalent of VRFs (Virtual Routing and Forwarding tables). Traffic within a segment routes freely; traffic between segments requires explicit policy.

Attachments — The connections that plug into the Core Network: VPCs, Site-to-Site VPN connections, Direct Connect Gateways, existing Transit Gateway route tables, or Connect (SD-WAN) attachments.

Network Policy — A JSON document that declares your desired WAN state. Everything is defined here.

💼
Interview Angle Interviewers love asking "what is a Core Network Edge?" Strong answer: it's an AWS-managed Transit Gateway provisioned in a Region by Cloud WAN — you interact with it only via attachments and the policy, never directly. Bonus: CNEs are multi-AZ by default. You don't need two edges per Region for HA.
GLOBAL NETWORK Network Policy JSON document CORE NETWORK prod segment dev segment shared-services segment share CORE NETWORK EDGES (AWS-Managed TGW) CNE us-east-1 CNE eu-west-1 CNE ap-se-1 CNE + more any region AWS Global Backbone (private · encrypted) VPC attachment VPN attachment DX GW attachment Connect SD-WAN TGW RT migrate Figure 2 — Cloud WAN component hierarchy: policy → segments → edges → attachments

Segments: Your Network's Routing Domains

Segments are the most important concept in Cloud WAN and the most commonly misunderstood. A segment is a full Layer 3 routing domain. Every attachment belongs to exactly one segment. Routes from one segment don't leak into another unless you explicitly write a segment action to allow it.

🧠
Mental Model A segment is a VRF — a separate routing table that spans every Region in your Core Network simultaneously. Just as a VRF on an enterprise router keeps routing contexts isolated, a Cloud WAN segment keeps your prod VPCs' routes invisible to your dev VPCs, globally.

Segment Actions: Controlled Cross-Segment Routing

When you need traffic to cross segment boundaries — say, all environments need to reach your shared DNS VPC — you use segment actions in the policy. There are two types:

share — Bidirectionally shares routes between a source segment and target segments. The VPCs in the shared-services segment appear in the route tables of prod and dev segments.

create-route — Injects a static route into a segment pointing to a specific attachment. Use this for one-directional reachability or to point to a specific CIDR.

segment-actions · JSON 
"segment-actions": [
  {
    // shared-services routes become visible in prod and dev
    "action": "share",
    "mode": "attachment-route",
    "segment": "shared-services",
    "share-with": {
      "segments": ["prod", "dev"]    // prod ↔ dev still cannot see each other
    }
  }
]

This single policy block makes your shared-services VPCs reachable from prod, dev, and staging — in every Region — without touching a single route table directly.

isolate-attachments: Within-Segment Isolation

By default, all attachments in the same segment can route to each other. Setting "isolate-attachments": true on a segment means VPCs in that segment cannot route to each other directly — each becomes reachable only via explicit segment actions.

⚠️
Gotcha isolate-attachments is an all-or-nothing flag on the segment. You can't say "VPC A can reach VPC B but not VPC C" within the same segment. For that granularity, put VPCs in different segments and use segment actions with CIDRs.
💼
Interview Angle The difference between "two VPCs in different segments" and "two VPCs in the same segment with isolate-attachments=true" is a favorite interview question. Segment separation gives a stronger compliance argument: no routes exist at all between the segments. isolate-attachments still shares a routing table; it just filters which attachment routes are visible.

Attachment Types

Attachments are how you plug things into your Core Network. Cloud WAN supports five types:

TypeWhat It ConnectsUse Case
VPC AttachmentAn AWS VPCConnect workload VPCs to the network
Site-to-Site VPNIPSec VPN tunnelBranch offices, on-prem DC connectivity
Direct Connect GatewayDX private VIFHigh-bandwidth, dedicated on-prem connectivity
TGW Route TableExisting Transit GatewayGradual migration from TGW without re-attaching VPCs
Connect (SD-WAN)GRE over BGP to applianceCisco, Fortinet, VMware branch integration

Attachment Policies: Tag-Based Auto-Assignment

Every new attachment needs to land in a segment. Attachment policies are rules in your network policy JSON that automatically assign attachments to segments based on their tags — the "intent-based networking" part of Cloud WAN.

attachment-policies · JSON 
"attachment-policies": [
  {
    "rule-number": 100,          // lowest wins
    "condition-logic": "or",
    "conditions": [
      {
        "type": "tag-value",
        "operator": "equals",
        "key": "Env",
        "value": "prod"          // VPCs tagged Env=prod auto-land in prod segment
      }
    ],
    "action": {
      "association-method": "constant",
      "segment": "prod"
    }
  }
]

When a new VPC with tag Env=prod is attached, it's automatically placed in the prod segment. No human intervention. No route table edit. This scales to hundreds of VPCs.

⚠️
Gotcha If require-attachment-acceptance is true on a segment, the tagged attachment queues in PENDING state and waits for manual approval. It's easy to forget this is set, then spend an hour debugging why a VPC "isn't connecting."

The Network Policy: Declaring Your WAN

The network policy JSON is the heart of Cloud WAN. Everything you configure lives here. Let's walk through a complete, annotated policy for a three-Region deployment with three segments.

network-policy.json · Terraform — full example 
resource "aws_networkmanager_core_network" "main" {
  global_network_id = aws_networkmanager_global_network.main.id

  policy_document = jsonencode({
    version = "2021.12"

    # Step 1: declare which Regions participate and their BGP ASNs
    core-network-configuration = {
      vpn-ecmp-support = false
      asn-ranges       = ["64520-64525"]   # must not overlap on-prem ASNs
      edge-locations = [
        { location = "us-east-1",      asn = 64520 },
        { location = "eu-west-1",      asn = 64521 },
        { location = "ap-southeast-1", asn = 64522 }
      ]
    }

    # Step 2: declare routing domains (VRFs)
    segments = [
      {
        name                          = "prod"
        require-attachment-acceptance = false   # auto-approve attachments
        isolate-attachments           = false   # VPCs in prod can reach each other
      },
      {
        name                          = "dev"
        require-attachment-acceptance = false
        isolate-attachments           = false
      },
      {
        name                          = "shared-services"
        require-attachment-acceptance = false
        isolate-attachments           = false
      }
    ]

    # Step 3: allow prod/dev to reach shared-services (but not each other)
    segment-actions = [
      {
        action   = "share"
        mode     = "attachment-route"
        segment  = "shared-services"
        share-with = { segments = ["prod", "dev"] }
      }
    ]

    # Step 4: auto-assign VPCs to segments by tag
    attachment-policies = [
      {
        rule-number     = 100
        condition-logic = "or"
        conditions = [
          { type = "tag-value", operator = "equals", key = "Env", value = "prod" }
        ]
        action = { association-method = "constant", segment = "prod" }
      },
      {
        rule-number     = 200
        condition-logic = "or"
        conditions = [
          { type = "tag-value", operator = "equals", key = "Env", value = "dev" }
        ]
        action = { association-method = "constant", segment = "dev" }
      },
      {
        rule-number     = 300
        condition-logic = "or"
        conditions = [
          { type = "tag-value", operator = "equals", key = "Env", value = "shared" }
        ]
        action = { association-method = "constant", segment = "shared-services" }
      }
    ]
  })
}

# Attach a prod VPC — tag drives auto-segment assignment
resource "aws_networkmanager_vpc_attachment" "prod_vpc" {
  core_network_id = aws_networkmanager_core_network.main.id
  vpc_arn         = aws_vpc.prod.arn
  subnet_arns     = [aws_subnet.prod_a.arn, aws_subnet.prod_b.arn]

  tags = {
    Env = "prod"   # matches rule 100 → lands in prod segment automatically
  }
}

The Changeset Workflow

Updating a Cloud WAN policy doesn't take effect immediately. AWS uses a changeset workflow:

Update Policy edit JSON document Validate JSON schema check Changeset diff current → desired Preview review blast radius Execute 10–30 min propagate Figure 3 — Policy changeset workflow (analogous to Terraform plan/apply)
⚠️
Gotcha The 10–30 minute propagation window means Cloud WAN is not suitable for dynamic routing scenarios. If you need real-time routing changes (e.g., failover), use BGP on the SD-WAN side, not policy updates.
💼
Interview Angle Why does the changeset workflow exist? It's declarative infrastructure management applied to networking — same reason Terraform plans before applying. The network is production infrastructure; changesets force a deliberate review step. Strong candidates relate this to the "plan/apply" pattern and explain blast radius protection.

Traffic Flow: End-to-End

Let's trace a packet from a branch office in London to a production app in ap-southeast-1.

PACKET FLOW: LONDON BRANCH → AP-SOUTHEAST-1 APP Branch London 1 IPSec VPN attachment 2 attach CNE eu-west-1 prod segment 3 backbone CNE ap-se-1 prod segment 4 VPC App VPC Singapore 5 EC2 app Entire journey stays in prod segment — dev VPCs never see this traffic Figure 4 — End-to-end packet flow: branch to app across AWS backbone, segment-enforced
🔍
Deep Dive — Connect Attachments (SD-WAN) For Connect (SD-WAN) attachments, the traffic path adds a GRE tunnel between the SD-WAN appliance in its VPC and the CNE. BGP runs over this GRE tunnel, and your SD-WAN appliance advertises branch CIDRs into the Core Network. The CNE installs these routes into the appropriate segment. This is how Cisco, Fortinet, or VMware appliances inject branch routes into Cloud WAN.

Debugging Cloud WAN

When things go wrong — and in networking, things go wrong — Cloud WAN gives you several layers of observability.

Route Analyzer — The most powerful tool. Tests "can subnet X in Region A reach subnet Y in Region B?" by simulating the routing path end-to-end without sending actual traffic. Start here, before checking anything else.

Network Manager Topology View — A global visual map of your Core Network: all edges, all attachments, all segments, color-coded by health. Useful for spotting attachments stuck in PENDING or FAILED state.

Changeset History — Every policy update generates a changeset with a status and event log. If a changeset partially failed, the event log shows the specific failure reason.

CloudWatch Metrics — Cloud WAN publishes metrics for BGP session state, attachment bandwidth, and packet drops. Set alarms for BgpPeerState going DOWN.

SymptomLikely CauseFix
VPC attachment stuck in PENDINGrequire-attachment-acceptance=true and no one approvedApprove in console or via API
Route not appearing in segmentAttachment policy tag mismatchCheck VPC attachment tags against policy rules
Cross-region traffic not routingVPCs in different segments with no segment actionAdd share action in policy
BGP session down on Connect attachmentSD-WAN appliance security group blocking GREAllow protocol 47 (GRE) in security group
Changeset stuck in IN_PROGRESSConflict with concurrent changesetWait for first to complete
⚠️
Gotcha — #1 Connectivity Trap VPC route tables are not automatically updated when you attach a VPC to Cloud WAN. You still need to add routes in the VPC route table pointing to the Cloud WAN attachment ENI for subnets that need to route through Cloud WAN. This is the #1 source of "I attached my VPC and it still doesn't work" confusion.

Cost Model

Cloud WAN has three billing dimensions. Understanding them is essential for budgeting — and for spotting the traps.

ComponentPriceNotes
Core Network Edge (per hour)$0.05/hr (~$36/mo)Per Region, always-on once created
Data processed (per GB)$0.02/GBCharged at ingress to Core Network
Cross-region data$0.02/GBAdditional on top of attachment charge
VPN connection$0.05/hrStandard Site-to-Site VPN rate

Worked example — 5-Region deployment:
5 CNE edges × $36 = $180/month · 5TB inter-region × $0.02 = $100/month · 4 VPN connections × $36 = $144/month = ~$424/month for Cloud WAN infrastructure. Significantly cheaper than a single MPLS circuit (typically $500–2,000+/month per site).

🏢
Enterprise Angle The biggest cost trap is orphaned CNE edges. An idle CNE in a region where you "thought about expanding" still costs $36/month. Tag all edges, review monthly, and remove edges from regions where you have no attachments. Also: inter-Region data transfer is charged on top of the CNE fee — model this carefully for data-heavy workloads.

Cloud WAN vs. The Alternatives

Feature Cloud WAN ✓ AWS Native Transit Gateway Only Aviatrix
Multi-region managementSingle JSON policyManual per-regionCentralized GUI/API
Network segmentationSegments (VRF-like)Route table domainsSecurity domains
SD-WAN integrationNative Connect attachmentsTGW Connect (manual BGP)Native, multi-vendor
ObservabilityNetwork Manager + Route AnalyzerSeparate tooling neededAdvanced (CoPilot)
Setup complexityMedium-high (JSON learning curve)Low-medium (familiar console)Low (GUI-driven)
Approx. cost$0.05/hr/edge + $0.02/GB$0.05/hr/attach + $0.02/GB$5–15/hr controller + data
Multi-cloudNo (AWS + hybrid only)NoYes (Azure, GCP)
Vendor lock-inAWSAWSAviatrix

When Transit Gateway alone wins: Single-region deployment, or 2 Regions with simple peering. TGW is simpler when you don't need centralized policy and global segment isolation.

When Aviatrix wins: Multi-cloud is a hard requirement. Or if your team prefers GUI-driven networking over JSON policy. Or if you need Aviatrix FireNet's inline inspection model.

When Cloud WAN wins: 3+ AWS Regions, hybrid connectivity, prod/dev/shared isolation requirements — and you want to stay AWS-native.

🏢
Enterprise Angle The "AWS native vs. third-party" debate often comes down to organizational risk tolerance. Cloud WAN locks you into AWS networking primitives, but AWS is responsible for the control plane. Aviatrix adds a third party's software into your critical networking path — if Aviatrix has an outage, your network management plane is down. Both are valid choices; the question is which dependency risk is more acceptable.

When to Use (and When NOT to)

Use Cloud WAN when:

  • You operate in 3 or more AWS Regions
  • You have hybrid connectivity across multiple sites
  • You need enforced network segmentation (prod/dev/compliance zones) globally
  • You have branch offices on SD-WAN connecting to AWS
  • You're building from scratch without an existing TGW investment

Do NOT use Cloud WAN when:

  • You're single-region or two-region with simple connectivity — the setup cost isn't justified
  • Your team has no network engineering experience — the JSON model has a real learning curve
  • You need real-time routing changes — the 10–30 minute changeset window is a hard constraint
  • You need native multicast — that stays on Transit Gateway for now
  • You require inline traffic inspection — Cloud WAN has no built-in firewall
  • You're actively multi-cloud — Cloud WAN covers AWS and hybrid only
Enterprise

Enterprise Adoption Considerations

Compliance fit: Cloud WAN's segment model maps cleanly to compliance zone requirements. PCI-DSS cardholder data environments become their own segment with require-attachment-acceptance: true and tightly controlled segment actions. The changeset audit trail plus CloudTrail satisfies change management controls for SOC2.

Migration from TGW: The safest path is gradual. Stand up Cloud WAN alongside existing TGWs. For existing VPCs, attach the existing TGW to Cloud WAN via a TGW Route Table attachment — this lets TGW-attached VPCs route through Cloud WAN without re-attaching each one. Over time, migrate VPCs to direct VPC attachments. Decommission TGW peerings last.

Security model: Cloud WAN is a routing boundary, not a security boundary. Security groups, NACLs, and AWS Network Firewall still provide traffic filtering. A segment boundary alone won't satisfy a compliance requirement for "no network communication" between zones — you need NACLs or a firewall in the data path for that.

🏢
Enterprise Angle CTOs evaluating Cloud WAN should ask three questions: (1) Does this reduce our network change failure rate? (2) Does the declarative model reduce mean time to implement a global routing change? (3) What's the migration risk from our current TGW topology? For organizations that have experienced routing-related incidents from manual TGW management, (1) and (2) are usually yes, and (3) is manageable with the gradual migration path.
Interview Prep

Interview Prep

Top 10 Conceptual Questions

What is a Core Network Edge (CNE), and how does it relate to Transit Gateway?
A CNE is an AWS-managed Transit Gateway provisioned by Cloud WAN in a Region. You never interact with it as a TGW resource — all interaction is through Cloud WAN attachments and policy. Each CNE is multi-AZ by default; you don't need two edges per Region for HA.
What is a segment, and how does it differ from a VPC route table?
A segment is a routing domain that spans all Regions in the Core Network simultaneously — like a global VRF. A VPC route table is per-VPC and per-AZ. Segments control which attachments' routes are visible to each other across the entire WAN.
Walk me through how an attachment gets assigned to a segment.
Two ways: manually specify the segment when creating the attachment, or define attachment policies (tag-based rules) in the network policy JSON. Tags on the attachment (e.g., Env=prod) are evaluated against attachment policy rules in order by rule-number; the first matching rule assigns the segment.
What is a changeset, and why does it exist?
A changeset is the diff between the current network state and the desired state in an updated policy. It exists to give operators a preview of what will change before execution — preventing accidental, irreversible routing changes in production. Analogous to Terraform's plan step.
When would you use isolate-attachments vs. putting VPCs in different segments?
isolate-attachments=true prevents VPC-to-VPC routing within the same segment while still allowing all VPCs to reach shared segment routes. Different segments provide complete routing table separation — no routes exist at all between them. Use different segments when no direct routing should ever exist, even with policy overrides. Different segments give a stronger compliance audit argument.
How does traffic cross between two Regions in Cloud WAN?
Traffic flows from the source VPC through its VPC attachment, into the local CNE, across the AWS global backbone to the destination Region's CNE, then out through the destination VPC attachment. The backbone transit is encrypted and not over the public internet. You don't configure any of this — it's managed by AWS.
How do you debug a VPC that can't reach another VPC across regions through Cloud WAN?
Start with Route Analyzer in Network Manager — simulate the path end-to-end. Check that both VPCs are in segments that share routes (via segment actions). Verify VPC route tables have routes pointing to the Cloud WAN attachment ENI. Check changeset history for any failed policy application. Check attachment state for PENDING status.
Can Cloud WAN replace Direct Connect?
No. Direct Connect is the physical dedicated connection between on-premises and AWS. Cloud WAN manages routing on top of that connection — it's a management and policy plane, not a transport layer. You still need DX for the physical circuit; Cloud WAN manages how routes propagate over it.
What are the cost components of a Cloud WAN deployment?
Core Network Edge per-hour charge (~$0.05/hr per Region), data processing charge per GB processed through attachments ($0.02/GB at attachment ingress, plus $0.02/GB for cross-region traffic), and standard VPN/Direct Connect connection charges layered on top.
What connectivity types can attach to a Cloud WAN Core Network?
Five types: VPC attachments, Site-to-Site VPN, Direct Connect Gateway, Transit Gateway Route Table attachments (for gradual migration), and Connect (SD-WAN/GRE over BGP) attachments.

Top 5 System Design Scenarios

1
Global enterprise WAN: 5 Regions + 20 branch offices + on-prem DC with strict prod/dev/shared isolation
Strong answer: One Core Network with 5 edges. Three segments: prod, dev, shared-services. shared-services shared into prod and dev via segment actions. Branch offices connect via Site-to-Site VPN attachments tagged to their segment. HQ DC connects via Direct Connect Gateway attachment. Attachment policies auto-assign VPCs by Env tag. Network Firewall in a centralized inspection VPC for east-west inspection.
2
Zero-downtime migration from existing 4-Region TGW architecture to Cloud WAN
Strong answer: Stand up Cloud WAN alongside existing TGWs. Create TGW Route Table attachments to plug existing TGWs into Cloud WAN — this gives existing TGW-attached VPCs Cloud WAN routing without re-attaching. Test routing with Route Analyzer. Gradually move VPCs to direct VPC attachments. Remove TGW peerings. Decommission TGWs. Use Route Analyzer to verify paths at each step.
3
Acquired company integration — integrate their AWS environment into your Cloud WAN
Strong answer: VPC attachments work cross-account via Resource Access Manager (RAM). The acquired company's VPCs can attach to your Core Network via RAM sharing. Assign them to an isolated segment with controlled sharing to shared-services only. Set require-attachment-acceptance: true on their segment for controlled onboarding with approvals.
4
PCI-DSS compliant cardholder data environment isolation
Strong answer: CDE VPCs in a dedicated segment with isolate-attachments: true and require-attachment-acceptance: true. No direct segment-action sharing with non-CDE segments — only explicit create-route to specific inspection VPC CIDRs. All traffic in/out goes through Network Firewall in a security VPC. Segment isolation satisfies PCI requirement for network separation; firewall satisfies traffic inspection controls.
5
SaaS multi-region: shared authentication service accessible from all 4 product Regions
Strong answer: Auth service VPCs in a platform segment. Product VPCs in a product segment. share action makes platform routes visible in product. Auth VPCs deployed in all 4 Regions for low latency (or 2 Regions + PrivateLink for cost optimization). Cloud WAN handles cross-region routing automatically — no TGW peering to manage.

Red Flags

  • Saying "Cloud WAN replaces Direct Connect" — it manages routing on top of DX
  • Confusing segments with VLANs or subnets — segments are Layer 3 routing domains
  • Claiming you need two edges per Region for HA — CNEs are multi-AZ by default
  • Saying policy changes take effect immediately — the changeset window is 10–30 minutes
  • Thinking Cloud WAN includes traffic inspection — you still need a separate firewall
Advanced

Advanced Nuances

TGW Migration with Parallel Operation

The Transit Gateway Route Table attachment is the migration superpower most engineers don't know about. When you attach an existing TGW's route table to Cloud WAN, all of that TGW's attached VPCs immediately gain connectivity through the Core Network — without re-attaching each VPC individually.

This lets you operate TGW and Cloud WAN in parallel during migration, giving you a safe rollback path at each step. You can validate Cloud WAN routing while keeping TGW as the fallback, then progressively cut over VPCs and decommission TGW peerings when you're confident.

Service Insertion (East-West Inspection)

Cloud WAN has no inline firewall capability. For east-west traffic inspection, you build a centralized inspection VPC — a VPC with AWS Network Firewall or a Gateway Load Balancer endpoint — as its own attachment in a security segment.

Segment actions route traffic from prod/dev through the security segment's inspection VPC before reaching the destination. The routing is: prod VPC → CNE (prod segment) → security VPC (via segment action) → Network Firewall → shared-services VPC. This "bump-in-the-wire" pattern is well-documented in AWS architecture guides.

The key design constraint: the inspection VPC must be in a segment that both the source and destination segments can share routes with, and the route must explicitly go through the firewall attachment — not directly between segments.

ECMP for SD-WAN Connect Attachments

When using Connect attachments with SD-WAN appliances, you can deploy multiple appliance EC2 instances and configure each as a separate BGP peer to the CNE. The CNE will install all their advertised routes and ECMP (Equal-Cost Multipath) across them — giving you both redundancy and throughput aggregation.

This is how enterprises achieve multi-Gbps throughput on SD-WAN workloads through Cloud WAN, since a single EC2 instance has network bandwidth limits. A common pattern: deploy 4 SD-WAN appliance instances in 2 AZs, each with a Connect attachment, all peering BGP to the CNE — 4× the throughput of a single instance.

BGP Community Passthrough

BGP communities from SD-WAN appliances are preserved as traffic flows into the Core Network. Advanced deployments use community tags to influence segment placement or route preference inside Cloud WAN.

This is useful when your SD-WAN vendor already uses BGP communities for traffic classification — those communities can feed directly into Cloud WAN routing decisions. It's a non-obvious but powerful feature that enables sophisticated traffic engineering without additional policy complexity.