This page of the AWS Virtual Edge Deployment Guide gives a general overview, an overview of the CloudFormation templates, and the template downloads (the Green Field VPC template and the Brown Field template).

General Overview

Multi-cloud and hybrid cloud deployments have become increasingly common over the past few years. As enterprise customers move workloads to public cloud infrastructure, they expect to extend SD-WAN from remote branches into the public cloud so that the same SLAs apply end to end. VMware offers two main options depending on the use case: using distributed VMware SD-WAN Gateways (VCGs) to establish IPsec tunnels to the public cloud, or deploying Virtual Edges directly in the public cloud's virtual private cloud (VPC). This document describes how to deploy Virtual Edges in AWS.

For a small branch deployment that needs less than 1 Gbps of throughput, a single Virtual Edge can be deployed in the private network (AWS VPC). For larger data center deployments that need multi-gigabit throughput, hub clustering can be deployed.

CloudFormation Template Overview

There are two default CloudFormation templates, "New - Green Field VPC" and "Existing - Brown Field VPC". Both represent a common deployment within AWS, as shown in the topology illustration in the section titled Deploying Virtual Edge with CloudFormation. Both templates create the necessary resources, take the SASE Orchestrator target and the Edge activation key as parameters, and pass them to the Edge through cloud-init (instance user data).

CAUTION: No matter which template you choose, make sure that you review and understand the template before deploying. Both CloudFormation templates are intended to be used as a reference, and they might need altering to accommodate your specific environment.

CloudFormation Template Values

Listed below are the values included in the CloudFormation templates:
  • Attach interfaces to the VMware instance (GE1 – eth0 / GE2 – eth1 / GE3 – eth2)
  • Allocate an Elastic IP and attach it to GE2
  • Create LAN-side and WAN-side Security Groups – allowed ports:
    • WAN: GE1 & GE2: UDP 2426 – VMware Multipath Protocol
    • WAN: GE1 & GE2: TCP 22 – SSH access (for support access)
    • WAN: GE1 & GE2: UDP 161 – SNMP
    • LAN: GE3 – ICMP only (add additional protocols after deployment or modify the template as needed)
  • Public Route Table (VPC router): 0.0.0.0/0 to the Internet Gateway
  • Private Route Table (VPC router): 0.0.0.0/0 to ENI (VMware SD-WAN Edge GE3)
  • Deactivate the Source/Destination Check on all interfaces (required, because the Edge forwards traffic that is neither sourced from nor destined to its own addresses)

Before you deploy, check the source CIDR on the WAN SSH and SNMP rules in your copy of the template and limit them to your management and polling ranges; only UDP 2426 needs to be reachable from arbitrary peers.
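As an added example (this is not one of the VMware templates and not code from the guide), the following CloudFormation fragment implements the values listed above for an existing (brown-field) VPC: WAN and LAN security groups, three ENIs with the source/destination check deactivated, an Elastic IP on GE2, a private route table that sends 0.0.0.0/0 to GE3, and a cloud-init user-data block carrying the Orchestrator target and activation key. The parameter names, the management and LAN CIDR defaults, the instance type, and the `velocloud` cloud-config keys are assumptions; the public subnet's Internet Gateway route is assumed to exist already. It departs from the list above in one respect: SSH and SNMP are limited to a management range rather than opened to the WAN at large.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative brown-field Virtual Edge fragment (added example, not the VMware template)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  WanSubnetId:            # public subnet; its 0.0.0.0/0 -> IGW route is assumed to exist
    Type: AWS::EC2::Subnet::Id
  LanSubnetId:
    Type: AWS::EC2::Subnet::Id
  EdgeAmiId:              # Virtual Edge AMI for the region
    Type: AWS::EC2::Image::Id
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  VcoAddress:             # SASE Orchestrator target (assumed parameter name)
    Type: String
  ActivationKey:          # Edge activation key; NoEcho keeps it out of the console parameter view
    Type: String
    NoEcho: true
  MgmtCidr:               # assumed management range allowed to reach SSH/SNMP on the WAN side
    Type: String
    Default: 203.0.113.0/24
  LanCidr:                # assumed LAN range allowed to ping GE3
    Type: String
    Default: 10.0.0.0/8
Resources:
  WanSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: WAN side (GE1/GE2)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # VMware Multipath Protocol from any peer (Gateways and other Edges)
        - { IpProtocol: udp, FromPort: 2426, ToPort: 2426, CidrIp: 0.0.0.0/0 }
        # SSH and SNMP limited to the management range instead of the whole Internet
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref MgmtCidr }
        - { IpProtocol: udp, FromPort: 161, ToPort: 161, CidrIp: !Ref MgmtCidr }
  LanSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: LAN side (GE3), ICMP only; add protocols after deployment
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: icmp, FromPort: -1, ToPort: -1, CidrIp: !Ref LanCidr }
  # One ENI per Edge interface; SourceDestCheck off so the Edge can forward transit traffic
  Ge1:   # eth0, WAN
    Type: AWS::EC2::NetworkInterface
    Properties: { SubnetId: !Ref WanSubnetId, GroupSet: [!Ref WanSecurityGroup], SourceDestCheck: false }
  Ge2:   # eth1, WAN, carries the Elastic IP
    Type: AWS::EC2::NetworkInterface
    Properties: { SubnetId: !Ref WanSubnetId, GroupSet: [!Ref WanSecurityGroup], SourceDestCheck: false }
  Ge3:   # eth2, LAN, next hop for the private subnet default route
    Type: AWS::EC2::NetworkInterface
    Properties: { SubnetId: !Ref LanSubnetId, GroupSet: [!Ref LanSecurityGroup], SourceDestCheck: false }
  WanEip:
    Type: AWS::EC2::EIP
    Properties: { Domain: vpc }
  WanEipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties: { AllocationId: !GetAtt WanEip.AllocationId, NetworkInterfaceId: !Ref Ge2 }
  VirtualEdge:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref EdgeAmiId
      InstanceType: c5.xlarge   # assumed; size for your throughput target
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - { NetworkInterfaceId: !Ref Ge1, DeviceIndex: 0 }
        - { NetworkInterfaceId: !Ref Ge2, DeviceIndex: 1 }
        - { NetworkInterfaceId: !Ref Ge3, DeviceIndex: 2 }
      # cloud-init hands the Orchestrator target and activation key to the Edge
      # (the velocloud/vce key names are assumed; confirm them against your Edge image's documentation)
      UserData:
        Fn::Base64: !Sub |
          #cloud-config
          velocloud:
            vce:
              vco: ${VcoAddress}
              activation_code: ${ActivationKey}
              vco_ignore_cert_errors: false
  # Private route table: everything from the LAN subnet goes to GE3
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref VpcId }
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties: { RouteTableId: !Ref PrivateRouteTable, DestinationCidrBlock: 0.0.0.0/0, NetworkInterfaceId: !Ref Ge3 }
  LanRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref LanSubnetId, RouteTableId: !Ref PrivateRouteTable }
Outputs:
  WanPublicIp:
    Value: !Ref WanEip
```

Deploy it with `aws cloudformation deploy --template-file edge.yaml --stack-name <name> --parameter-overrides VpcId=... WanSubnetId=... LanSubnetId=... EdgeAmiId=... KeyName=... VcoAddress=... ActivationKey=...`. One caveat on the key: NoEcho hides it in the console parameter view, but the rendered user data is stored on the instance and is readable by any principal allowed ec2:DescribeInstanceAttribute on it, so scope that permission accordingly and treat the activation key as a secret with that exposure in mind.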

CloudFormation Template Downloads

There are two available templates for deploying a Virtual Edge: New - Green Field VPC and Existing - Brown Field VPC. While both templates will activate a Virtual Edge, the simplicity of their topology will not fit every environment, so edit the template to match yours. For a better understanding of CloudFormation template structure and syntax, see: https://aws.amazon.com/cloudformation/aws-cloudformation-templates/ .

NEW – Green Field VPC Template

Use the NEW – Green Field Template if you want the stack to create a new VPC, subnets, and route tables for the Edge.

EXISTING – Brown Field Template

If you use the EXISTING – Brown Field Template, the VPC, subnets, and route tables are not created. The template instead lists the existing VPCs and subnets available in that region as parameter choices and deploys the Edge into the ones you select.

IAM Permissions

For the CloudFormation templates, the minimum permissions needed are listed below. Customers must also ensure they have sufficient service quota available for the services the templates use (EC2 instances, network interfaces, and Elastic IPs in the target region). Note that this list covers stack operations and the EC2 VPN-related calls; it does not by itself include the EC2 actions needed to create the resources listed under CloudFormation Template Values (instances, network interfaces, security groups, Elastic IPs, and route tables). Deploy with a principal scoped to what your copy of the template actually creates, and add actions as CloudFormation reports access-denied failures rather than granting broad EC2 rights.
s3:PutObject
s3:GetObject

cloudformation:CreateStack
cloudformation:DeleteStack
cloudformation:DescribeStacks

ec2:DescribeAvailabilityZones
ec2:DescribeVpcs
ec2:DescribeSubnets
ec2:DeleteCustomerGateway
ec2:CreateCustomerGateway
ec2:DeleteVpnConnection
ec2:CreateVpnConnection
ec2:DescribeKeyPairs