Overview
AWS Cloud WAN is a managed wide-area network (WAN) service that lets customers easily connect and route their data centers, remote sites, and cloud applications over the AWS global network.
Cloud WAN enables customers to create and operate their wide-area networks with simple network policies, removing the necessity to stitch together different networking, security, and third-party services.
Cloud WAN improves network security with built-in network segmentation capabilities, making it easier for customers to manage network isolation across their AWS or on-premises locations.
Cloud WAN provides the control plane for how customer traffic flows through the AWS global network for their geographically dispersed use-cases, making it possible to create high-performance, scalable, and secure wide-area networks in minutes.
Check Point CloudGuard Network Security integrates with Cloud WAN through the existing Gateway Load Balancer (GWLB) integration. This integration simplifies building the equivalent, but more complex, architecture of Transit Gateways plus GWLB.
Cloud WAN Feature Details
Cloud WAN is a good choice for customers who want to operate in multiple regions, provide connectivity between sites over the AWS backbone, or prefer AWS-managed routing and automation.
The policy language in Cloud WAN makes it simple to manage security policies between connectivity methods across regions in one declarative document.
Cloud WAN operates primarily at layer 3 (routing). Its policy can steer selected traffic through a particular attachment where a firewall sits (VPC or Transit Gateway Connect), or use attachment-level tags to determine which segment, new or existing, an attachment maps to. For Check Point customers, integration with Cloud WAN offers a simpler L3 insertion of firewalls through the policy language.
- AWS Network Manager - The user interface in the AWS Management Console and related APIs to manage your global network centrally.
- Global Network - A private network that acts as the root-level container for your network objects. A global network can contain both Transit Gateways and a Core Network.
- Core Network - The part of your global network managed by AWS.
- Core Network Policy - One versioned policy document that defines all aspects of your core network.
- Attachments - Connections or resources you want to add to your core network. Supported attachments include VPCs, VPNs, and Connect attachments.
- Core Network Edge (CNE) - A Regional connection point for your attachments as defined in the policy. Under the hood, Cloud WAN uses technology similar to Transit Gateway. AWS manages it, but there are differences (dynamic routing is one example).
- Network Segments - Routing domains that by default only allow communication within a segment, consistently throughout the global network. They strictly enforce layer 3 routing domains unless you create sharing relationships in your network policy.
You can find the latest Cloud WAN service documentation on the AWS documentation site.
Prerequisites
- In-depth knowledge of AWS Cloud WAN design, installation, and configuration
- In-depth knowledge of CloudGuard Network Security's integration with AWS Gateway Load Balancer (GWLB)
- AWS Supported Regions and Pricing
- Check Point Security Management Server or Smart-1 Cloud (R80.40 or higher)
- Supported Versions:
- Licensing: BYOL and PAYG
  - Supported BYOL SKUs:
    - CPSG-VSEC-VEN-BUN-NGTP
    - CPSG-VSEC-VEN-BUN-NGTX
- Supported traffic flows:
  - East/West (NOTE: cross region only, cross AZ support is on the roadmap)
  - Egress
  - Ingress
Deployment Steps
- Create AWS Global Network
- Create AWS Segments
- Create AWS Cloud WAN Policy
- Deploy CloudGuard for AWS GWLB CFT in each region per traffic inspection requirements (NOTE: CloudGuard is not required to be deployed in every Cloud WAN region).
- Create Security VPC attachment with tag
- Create Spoke VPC attachments with tag (for every Spoke VPC)
- Add Spoke VPC route to the GWLBe and NAT Gateway subnets (for each Spoke VPC)
- Edit Spoke VPC route table (for every Spoke VPC)
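A core network policy that implements the Cloud WAN side of these steps, added here as an example that is not part of this SK or of the CFTs: three segments, tag-driven attachment association, and a 0.0.0.0/0 route in each spoke segment that points at the tagged security VPC attachment. The attachment ID, region and segment names are placeholders, and `segment_for_attachment()` only approximates AWS's rule evaluation (rule-number order, first match wins) so the tag mapping can be checked before attachments are created.

```python
# Constructed sample policy for the topology in this SK (not Check Point's CFT output);
# the attachment ID is a placeholder and one edge location keeps it to a single region.
SECURITY_VPC_ATTACHMENT = "attachment-SECURITY-VPC-ID-PLACEHOLDER"

CORE_NETWORK_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {"asn-ranges": ["64512-65534"],
                                   "edge-locations": [{"location": "us-east-1"}]},
    # Three routing domains; spoke segments never exchange routes with each other.
    "segments": [{"name": n, "require-attachment-acceptance": False}
                 for n in ("security", "prod", "dev")],
    "segment-actions": [
        # Spokes and the security segment exchange attachment routes.
        {"action": "share", "mode": "attachment-route", "segment": "security",
         "share-with": ["prod", "dev"]},
        # Each spoke segment's default route points at the security VPC attachment,
        # where the GWLB endpoints hand traffic to the CloudGuard Auto Scaling Group.
        *[{"action": "create-route", "segment": s, "destination-cidr-blocks": ["0.0.0.0/0"],
           "destinations": [SECURITY_VPC_ATTACHMENT]} for s in ("prod", "dev")],
    ],
    # Attachments carry a "segment" tag; rules run in rule-number order, first match wins.
    "attachment-policies": [
        {"rule-number": 100, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "operator": "equals", "key": "segment", "value": "security"}],
         "action": {"association-method": "constant", "segment": "security"}},
        {"rule-number": 200, "condition-logic": "or",
         "conditions": [{"type": "tag-exists", "key": "segment"}],
         "action": {"association-method": "tag", "tag-value-of-key": "segment"}},
    ],
}

def _condition_holds(cond, tags):
    if cond["type"] == "tag-exists":
        return cond["key"] in tags
    if cond["type"] == "tag-value":  # only the "equals" operator is modelled
        return tags.get(cond["key"]) == cond["value"]
    return False

def segment_for_attachment(tags, policy=CORE_NETWORK_POLICY):
    """Approximate rule evaluation: segment joined, or None if no rule matches or the tag names no segment."""
    names = {s["name"] for s in policy["segments"]}
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        hits = [_condition_holds(c, tags) for c in rule["conditions"]]
        if not (all(hits) if rule["condition-logic"] == "and" else any(hits)):
            continue
        act = rule["action"]
        seg = act["segment"] if act["association-method"] == "constant" else tags.get(act["tag-value-of-key"])
        return seg if seg in names else None
    return None
```

`json.dumps(CORE_NETWORK_POLICY, indent=2)` produces the document to paste into the core network policy editor; an untagged spoke, or one tagged with a name that is not a segment, stays unassociated and therefore gets no route to the security VPC.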
Deployment Templates
Description: Deploys and configures an AWS Cloud WAN Global Network and an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.
Version: R80.40 (both variants)
Notes, new VPC variant - This CFT deploys:
- An AWS Cloud WAN Global Network and Core Network with 3 segments, basic policy and a Security VPC with Gateway Load Balancer
- Check Point CloudGuard Network Security Gateway Auto Scaling Group
- An optional Security Management Server
- AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN
Notes, existing VPC variant - This CFT deploys:
- An AWS Cloud WAN Global Network and Core Network with 3 segments, basic policy and a Gateway Load Balancer
- Check Point CloudGuard Network Security Gateway Auto Scaling Group
- An optional Security Management Server
- AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN

Description: Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer and Cloud WAN Core Network attachment.
Version: R80.40 (both variants)
Notes, new VPC variant - This CFT deploys:
- AWS Gateway Load Balancer
- Check Point CloudGuard Network Security Gateway Auto Scaling Group
- An optional Security Management Server
- AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN, and attaches the VPC to an existing Cloud WAN Core Network
Notes, existing VPC variant - This CFT deploys:
- AWS Gateway Load Balancer
- Check Point CloudGuard Network Security Gateway Auto Scaling Group
- An optional Security Management Server
- AWS Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN, and attaches the VPC to an existing Cloud WAN Core Network
Reference Architecture
- Use one security VPC per region to avoid cross-region charges.
- The region's CloudGuard Network Security (CGNS) GWLB/ASG pool inspects inbound traffic locally, without it traversing the Cloud WAN segments.
- Outbound traffic egresses from the same region in which it originated.

Example Flows
EAST/WEST (cross region only, cross AZ support is on the roadmap)

EGRESS

INGRESS

Additional Information
- Maximum bandwidth for each VPC attachment: Up to 50 Gbps
- MTU:
Related Solution: sk174447 - CloudGuard Network Security for AWS Gateway Load Balancer Architecture Options