AWS Cloud WAN Cheat Sheet

A managed wide-area network (WAN) service that connects your on-premises data centers, branch offices, and AWS VPCs through a single, centralized cloud-native global network.

Features

  • Provides a centralized global network using a hub-and-spoke model with AWS Regions acting as network segments.
  • Uses Core Network Policies (JSON-based) to define routing intent, segment structure, and attachments.
  • Automates the creation of global network topologies, reducing operational overhead compared to manually managing dozens of Transit Gateways (TGWs).
  • Includes network segments for separating and isolating traffic.
  • Integrates with AWS Transit Gateway, SD-WAN appliances, and third-party network providers.
  • Supports multi-region connectivity with AWS backbone-managed tunnels.
  • Offers a central dashboard in the AWS console to monitor attachments, routing, segments, and health.
  • Supports inter-region network virtualization and consistent policies for global routing.

Key Concepts

Global Network

  • A logical container for the entire Cloud WAN deployment.
  • Represents your aggregated WAN across AWS and on-premises.

Core Network

  • The main functional elements of Cloud WAN.
  • Made up of core network edges, each corresponding to an AWS Region where Cloud WAN is deployed.

Segments

  • Logical traffic zones (e.g., prod, dev, shared-services).
  • Allow fine-grained isolation of network environments.
  • Policies determine segment-to-segment connectivity (“who can talk to whom”).

Attachments

  • Connects network resources into Cloud WAN:
    • VPC attachments
      • Supports appliance mode
      • Propagates VPC CIDRs automatically
      • Allows route filtering per segment
    • Transit Gateway attachments
      • Used for migration from Transit Gateway to Cloud WAN
      • Good for mixed or transitional architectures
    • Connect attachment (for SD-WAN or third-party virtual appliances)
      • BGP over GRE
      • Integrates with SD-WAN vendors (Cisco, Fortinet, Versa, etc.)
    • Peering attachments (inter-core connectivity)
      • Connects core network edges for non-global configurations

Core Network Policy

  • Defines the entire network’s topology, routing, segments, and attachment rules.
  • Written as a versioned JSON document.
  • Supports policy validation before deployment.
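
A pre-deployment check over a core network policy document, as an added example that is not part of the original cheat sheet or AWS tooling. The sample policy is constructed and trimmed to the keys the check reads (a deployable policy also needs `core-network-configuration`), and the forbidden prod/dev pair is an assumption chosen for illustration.

```python
import json

# Constructed sample (not from the page), trimmed to the keys this check
# reads; key names follow the Cloud WAN core network policy JSON format.
POLICY = json.loads("""
{
  "version": "2021.12",
  "segments": [
    {"name": "prod", "require-attachment-acceptance": true},
    {"name": "dev", "require-attachment-acceptance": false},
    {"name": "shared", "require-attachment-acceptance": true}
  ],
  "segment-actions": [
    {"action": "share", "mode": "attachment-route", "segment": "shared", "share-with": ["prod"]},
    {"action": "share", "mode": "attachment-route", "segment": "dev", "share-with": "*"}
  ]
}
""")

def shared_pairs(policy):
    """Return the segment pairs that exchange routes through share actions."""
    names = {s["name"] for s in policy.get("segments", [])}
    pairs = set()
    for act in policy.get("segment-actions", []):
        if act.get("action") != "share":
            continue
        src, target = act["segment"], act.get("share-with", [])
        if target == "*":                      # share with every segment
            peers = names - {src}
        elif isinstance(target, dict):         # {"except": [...]} form
            peers = names - {src} - set(target.get("except", []))
        else:
            peers = set(target)
        pairs |= {frozenset((src, p)) for p in peers}
    return pairs

def lint(policy, forbidden=(("prod", "dev"),)):
    """Flag forbidden segment pairs and segments that auto-accept attachments."""
    findings = []
    pairs = shared_pairs(policy)
    for a, b in forbidden:
        if frozenset((a, b)) in pairs:
            findings.append(f"segments {a} and {b} share routes")
    for seg in policy.get("segments", []):
        if seg.get("require-attachment-acceptance", True) is False:
            findings.append(f"segment {seg['name']} auto-accepts attachments")
    return findings

print("\n".join(lint(POLICY)) or "no findings")
```

The wildcard `share-with` on `dev` is what links it to `prod` here; narrowing it to `["shared"]` and requiring attachment acceptance clears both findings.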

Routing

  • Uses intent-based routing rules defined in the Core Network Policy.
  • Supports route filtering, segment isolation, and attachment-level route permissions.
  • Automatically propagates routes across Regions based on policy.
  • Supports inserting static routes and controlling segment destinations.

Typical Use Cases

  • Global enterprise WAN consolidation.
  • Multi-region VPC interconnect with consistent routing rules.
  • Connecting hundreds of branch offices using SD-WAN integration.
  • Segmenting traffic logically across organizational units.
  • Simplifying redundant networks built with multiple Transit Gateways.

Example High-Level Architecture Diagram

[Figure: example high-level architecture diagram for AWS Cloud WAN]

Best Practices

  • Use separate segments for production, non-production, and shared services.
  • Keep attachments logically grouped per Region for similar policies.
  • Use policy “scopes” to minimize accidental cross-segment route sharing.
  • Validate core network policy changes before applying in production.
  • Use AWS Organizations for consistent account/network governance.
  • Enable CloudWatch alarms for attachment and core network edge health.

Security

  • Integrates with AWS Identity and Access Management (IAM) for policy enforcement.
  • Supports resource-level permissions for attachments and segments.
  • Allows segmentation by environment, department, or business unit.
  • Works with AWS Firewall Manager for centralized security controls.
  • Traffic can be inspected by third-party firewall appliances via Connect attachments.

Monitoring & Observability

AWS Cloud WAN integrates with CloudWatch, CloudTrail, and Network Manager to provide end-to-end visibility across your global network.

You can monitor attachment health, core network edge availability, routing propagation, and data processing metrics using CloudWatch.

CloudTrail logs all policy and configuration changes for auditing.

Network Manager offers a global topology map, SD-WAN telemetry, and consolidated operational insights across Regions.

Cloud WAN also integrates with VPC Reachability Analyzer for path validation and troubleshooting across segments.

Region Availability

AWS Cloud WAN is available in these Regions:

  • us-east-1 – US East (N. Virginia)
  • us-east-2 – US East (Ohio)
  • us-west-1 – US West (N. California)
  • us-west-2 – US West (Oregon)
  • af-south-1 – Africa (Cape Town)
  • ap-northeast-1 – Asia Pacific (Tokyo)
  • ap-northeast-2 – Asia Pacific (Seoul)
  • ap-northeast-3 – Asia Pacific (Osaka)
  • ap-south-1 – Asia Pacific (Mumbai)
  • ap-south-2 – Asia Pacific (Hyderabad)
  • ap-southeast-1 – Asia Pacific (Singapore)
  • ap-southeast-2 – Asia Pacific (Sydney)
  • ap-southeast-3 – Asia Pacific (Jakarta)
  • ap-southeast-4 – Asia Pacific (Melbourne)
  • ap-southeast-5 – Asia Pacific (Malaysia)
  • ca-central-1 – Canada (Central)
  • ca-west-1 – Canada West (Calgary)
  • eu-central-1 – Europe (Frankfurt)
  • eu-central-2 – Europe (Zurich)
  • eu-north-1 – Europe (Stockholm)
  • eu-west-1 – Europe (Ireland)
  • eu-west-2 – Europe (London)
  • eu-west-3 – Europe (Paris)
  • eu-south-1 – Europe (Milan)
  • eu-south-2 – Europe (Spain)
  • il-central-1 – Israel (Tel Aviv)
  • me-central-1 – Middle East (UAE)
  • me-south-1 – Middle East (Bahrain)

Pricing

Pricing is based mainly on:

  1. Core network edge hours
  2. Attachment hours (VPC, TGW, Connect, etc.)
  3. Data processing per GB across Cloud WAN

No charges for idle policies. 

Pricing also varies by AWS Region for both attachments and data processing.

References

https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html

https://aws.amazon.com/cloud-wan/

Written by: Waffen Sultan

Waffen Sultan is a software developer and open-source contributor passionate about AI-assisted development, Web3, and building tools that improve developer workflows. He has experience in frontend engineering, smart contracts, and API development, and is currently exploring the next generation of AI-powered IDEs and agentic systems.
