

# Connecting to RISE using SD-WAN
<a name="rise-connection-sd-wan"></a>

 **What is SD-WAN** 

 [Software-Defined Wide Area Networking (SD-WAN)](https://en.wikipedia.org/wiki/SD-WAN) is a networking technology that uses software to manage and route traffic across different networks, such as Multi-Protocol Label Switching (MPLS), the public internet, or the Amazon backbone, with a focus on improving connectivity and application performance. SD-WAN primarily operates at Layer 3 (Network Layer) of the OSI model, offering centralized control, routing, path selection, IP-based policies, and the ability to prioritize specific mission-critical applications, such as SAP, which makes it well-suited for cloud-based RISE with SAP environments.

Although SD-WAN primarily operates at Layer 3 as an overlay network over transports such as broadband internet, it can also use Layer 2 (Data Link) technologies such as [Amazon Direct Connect](https://www.amazonaws.cn/directconnect/) as the underlay network for transport, as well as Layer 3 (Network) technologies such as [Amazon Site-to-Site VPN](https://docs.amazonaws.cn/vpn/latest/s2svpn/VPC_VPN.html).

In SD-WAN architecture, an SD-WAN headend acts as a hub or centralized network component, while [SD-WAN edge devices](https://en.wikipedia.org/wiki/SD-WAN#SD-WAN_edge), deployed at branch offices, remote sites, or data centers, serve as the entry and exit points for WAN traffic.

For more detailed information, see the [Reference Architectures for Implementing SD-WAN Solutions on Amazon](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/sd-wan-deployment-models-ra.pdf?did=wp_card&trk=wp_card).

 **Scenario A: SD-WAN appliances (edge and/or headend/hub) on-premises** 

 [Amazon Transit Gateway Connect](https://docs.amazonaws.cn/vpc/latest/tgw/tgw-connect.html) allows you to extend your SD-WAN network to Amazon using [GRE (Generic Routing Encapsulation)](https://en.wikipedia.org/wiki/Generic_routing_encapsulation) tunnels without needing additional Amazon infrastructure. Through a [Transit Gateway Connect peer](https://docs.amazonaws.cn/vpc/latest/tgw/tgw-connect.html#tgw-connect-peer), you can establish GRE tunnels between the transit gateway in your Amazon account and the SD-WAN appliance on-premises, which are connected via an Amazon Direct Connect connection as the underlying transport.

The appliance must be configured to send and receive traffic over a GRE tunnel to and from the transit gateway using the [Connect attachment](https://docs.amazonaws.cn/vpc/latest/tgw/create-tgw-connect-attachment.html). The appliance must also be configured to use [BGP (Border Gateway Protocol)](https://www.amazonaws.cn/what-is/border-gateway-protocol/) for dynamic route updates and health checks.

Each connection can be configured with its own route table and BGP peer, enabling you to extend your on-premises network segmentation via [Virtual routing and forwarding (VRF)](https://docs.amazonaws.cn/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) to Amazon. The RISE with SAP VPC is attached to the Amazon Transit Gateway.
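To make the segmentation point concrete, the following Python model of transit gateway route tables is an added example, not code from this documentation or from any AWS tool. It models one Connect peer per on-premises VRF, each associated with its own route table, alongside the RISE with SAP VPC attachment, and checks that only the intended VRF can reach the RISE VPC CIDR. Attachment ids, CIDRs, and VRF names are constructed sample values; the route evaluation it models is longest prefix first, then static over propagated routes.

```python
"""Transit gateway route-table model for checking per-VRF segmentation.

Added example: not code from the documentation page or from any AWS tool.
Attachment ids, CIDRs and VRF names are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"  # target of a static route that drops traffic


@dataclass(frozen=True)
class Route:
    prefix: object        # ipaddress.IPv4Network
    target: str           # attachment id the route points at, or BLACKHOLE
    static: bool = False  # static routes win over propagated ones


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)

    def lookup(self, dst):
        # Longest prefix wins; for equal lengths a static route beats a
        # propagated one. A blackhole match means the packet is dropped.
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r.prefix.prefixlen, r.static))
        return None if best.target == BLACKHOLE else best.target


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.association = {}  # attachment id -> name of its route table

    def add_table(self, name):
        self.tables[name] = RouteTable(name)

    def associate(self, attachment, table):
        # Traffic arriving on an attachment is looked up in exactly one table.
        if attachment in self.association:
            raise ValueError(f"{attachment} is already associated")
        self.association[attachment] = table

    def propagate(self, attachment, table, prefixes):
        # Prefixes learned from an attachment (BGP over the GRE tunnel for a
        # Connect peer, the VPC CIDR for a VPC attachment) enter the table.
        for p in prefixes:
            self.tables[table].routes.append(Route(ip_network(p), attachment))

    def add_static(self, table, prefix, target):
        self.tables[table].routes.append(Route(ip_network(prefix), target, True))

    def forward(self, ingress_attachment, dst):
        return self.tables[self.association[ingress_attachment]].lookup(dst)


# Constructed topology: one Connect peer per on-premises VRF, each with its own
# route table, plus the RISE with SAP VPC attachment.
RISE_VPC = "tgw-attach-rise-vpc"           # constructed id
RISE_CIDR = "10.200.0.0/16"                # constructed CIDR
SAP_PEER = "tgw-connect-peer-vrf-sap"      # constructed id, VRF allowed to reach RISE
GUEST_PEER = "tgw-connect-peer-vrf-guest"  # constructed id, VRF that must not


def build_sample_topology():
    tgw = TransitGateway()
    tgw.add_table("rt-vrf-sap")
    tgw.add_table("rt-vrf-guest")
    # VRF SAP and the RISE VPC share a table, so each learns the other's routes.
    tgw.associate(SAP_PEER, "rt-vrf-sap")
    tgw.associate(RISE_VPC, "rt-vrf-sap")
    tgw.propagate(SAP_PEER, "rt-vrf-sap", ["10.10.0.0/16"])
    tgw.propagate(RISE_VPC, "rt-vrf-sap", [RISE_CIDR])
    # VRF guest has its own table and the RISE CIDR is never propagated into it.
    tgw.associate(GUEST_PEER, "rt-vrf-guest")
    tgw.propagate(GUEST_PEER, "rt-vrf-guest", ["10.20.0.0/16"])
    # A more specific static blackhole drops traffic from RISE towards a
    # constructed on-premises range even though the enclosing /16 is reachable.
    tgw.add_static("rt-vrf-sap", "10.10.250.0/24", BLACKHOLE)
    return tgw


def unexpected_reachers(tgw, allowed):
    """Attachments that can reach the RISE VPC although not listed in allowed."""
    probe = str(ip_network(RISE_CIDR)[10])  # any address inside the RISE CIDR
    return sorted(a for a in tgw.association
                  if a != RISE_VPC and a not in allowed
                  and tgw.forward(a, probe) == RISE_VPC)


if __name__ == "__main__":
    tgw = build_sample_topology()
    print(tgw.forward(SAP_PEER, "10.200.1.10"))    # tgw-attach-rise-vpc
    print(tgw.forward(GUEST_PEER, "10.200.1.10"))  # None
    print(unexpected_reachers(tgw, {SAP_PEER}))     # []
```

Running `unexpected_reachers` after every route table change is the check worth keeping: the moment the RISE VPC CIDR is propagated into a VRF's table that should not see it, the offending attachment is reported.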

This setup provides a streamlined way to connect your SD-WAN environment with RISE with SAP on Amazon using Amazon Direct Connect, maintaining network separation while simplifying the overall architecture.

In this scenario, the [overlay network](https://en.wikipedia.org/wiki/Overlay_network) is SD-WAN (with GRE tunnels) with the headend/hub or edge devices deployed on-premises, and the underlay transport is Amazon Direct Connect.

 **Pattern A-1: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with your Amazon landing zone** 

![SD-WAN devices integration with Transit Gateway and Direct Connect with your landing zone](http://docs.amazonaws.cn/en_us/sap/latest/general/images/rise-pattern-a-1-sd-wan-tgw-dx-lz.png)


The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. You can create Transit Gateway connect attachments using an Amazon Direct Connect connection as underlying transport in your Amazon account.

Outbound from RISE with SAP VPC:

1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

1. The Transit Gateway connect attachment uses the Direct Connect connection as the underlay transport and connects the Transit Gateway to the corporate data center SD-WAN device with GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

1. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

 **Pattern A-2: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with no Amazon landing zone** 

![SD-WAN devices integration with Transit Gateway and Direct Connect with no landing zone](http://docs.amazonaws.cn/en_us/sap/latest/general/images/rise-pattern-a-2-sd-wan-tgw-dx-no-lz.png)


The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. In RISE with SAP, you can request SAP to create Transit Gateway connect attachments using a Direct Connect connection as underlying transport. Customers can leverage SAP-managed [Direct Connect gateway (DXGW)](https://docs.amazonaws.cn/directconnect/latest/UserGuide/direct-connect-gateways-intro.html) if required.

Outbound from RISE with SAP VPC:

1. Traffic initiated from RISE VPC to the corporate data center is routed to the Transit Gateway.

1. The Transit Gateway connect attachment uses the Direct Connect connection as transport and connects the Transit Gateway to the corporate data center SD-WAN device using GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

1. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

 **Scenario B: SD-WAN appliances (edge and/or headend/hub devices) in Amazon** 

In this scenario, the virtual appliances of the SD-WAN network are deployed in a VPC within Amazon. Then, you use a VPC attachment as underlying transport for the Transit Gateway connect attachment between the SD-WAN virtual appliances and the Transit Gateway in your Amazon account(s). Similar to Scenario A, Transit Gateway connect attachments support GRE for higher bandwidth performance compared to a VPN connection. It supports BGP for dynamic routing and removes the need to configure static routes. In addition, its integration with [Transit Gateway Network Manager](https://docs.amazonaws.cn/vpc/latest/tgwnm/what-is-network-manager.html) provides advanced visibility through global network topology, attachment level performance metrics, and telemetry data.
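The GRE tunnel between the appliance and the transit gateway only comes up if the Connect peer is defined consistently with its underlay, which matters for both Scenario A (Direct Connect as transport) and Scenario B (a VPC attachment as transport). The following Python pre-flight check is an added example, not code from this documentation or from any AWS tool. It encodes the inside-CIDR constraints (a /29 from 169.254.0.0/16 outside the service-reserved blocks) as the author of this example understands them from the Transit Gateway Connect documentation, so confirm them against the current docs; all addresses and prefixes are constructed values.

```python
"""Pre-flight consistency check for a Transit Gateway Connect peer (GRE + BGP).

Added example: not code from the documentation page or from any AWS tool. The
constraints below are the example author's reading of the Transit Gateway
Connect documentation; verify them against the current docs. All addresses,
prefixes and peer definitions are constructed sample values.
"""
from ipaddress import ip_address, ip_network

INSIDE_RANGE = ip_network("169.254.0.0/16")  # tunnel inside addresses are link-local
INSIDE_PREFIXLEN = 29                         # one /29 per Connect peer
RESERVED_INSIDE = [ip_network(c) for c in (   # blocks the service keeps for itself
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29",
)]


def check_connect_peer(peer, transport_prefixes):
    """Return a list of problems; an empty list means the peer is consistent.

    peer: dict with keys
      peer_address - GRE outer address of the SD-WAN appliance
      tgw_address  - GRE outer address on the transit gateway side
      inside_cidr  - the /29 used for tunnel inside addresses and BGP peering
    transport_prefixes: prefixes routable over the underlay (the on-premises
      ranges behind Direct Connect in Scenario A, the appliance VPC CIDR in
      Scenario B)
    """
    problems = []
    try:
        inside = ip_network(peer["inside_cidr"])  # strict: host bits must be zero
    except ValueError as exc:
        return [f"inside CIDR is malformed: {exc}"]
    if not inside.subnet_of(INSIDE_RANGE):
        problems.append(f"inside CIDR {inside} is not within {INSIDE_RANGE}")
    if inside.prefixlen != INSIDE_PREFIXLEN:
        problems.append(f"inside CIDR {inside} must be a /{INSIDE_PREFIXLEN}")
    if any(inside.overlaps(r) for r in RESERVED_INSIDE):
        problems.append(f"inside CIDR {inside} overlaps a reserved block")

    # The GRE outer address must be reachable over the underlay; otherwise the
    # tunnel never establishes even though the Connect attachment exists.
    transports = [ip_network(p) for p in transport_prefixes]
    peer_ip = ip_address(peer["peer_address"])
    if not any(peer_ip in t for t in transports):
        problems.append(f"peer address {peer_ip} is not routable over the transport")
    if peer_ip == ip_address(peer["tgw_address"]):
        problems.append("peer and transit gateway GRE addresses are identical")
    return problems


# Constructed sample inputs.
TRANSPORT = ["10.0.0.0/16"]  # appliance VPC CIDR (Scenario B) or DX-reachable range
GOOD_PEER = {"peer_address": "10.0.1.10", "tgw_address": "192.0.2.1",
             "inside_cidr": "169.254.100.0/29"}
BAD_PEER = {"peer_address": "172.16.5.5", "tgw_address": "192.0.2.1",
            "inside_cidr": "169.254.0.0/28"}

if __name__ == "__main__":
    print(check_connect_peer(GOOD_PEER, TRANSPORT))  # []
    for problem in check_connect_peer(BAD_PEER, TRANSPORT):
        print("-", problem)
```

The check is deliberately independent of any cloud API so it can run in a pipeline before the Connect peer is created; the same structure extends to IPv6 inside addresses if your appliances use them.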

Between on-premises and Amazon, the [overlay network](https://en.wikipedia.org/wiki/Overlay_network) is SD-WAN with GRE or IPsec tunnels with the headend/hub deployed within Amazon, and the underlay transport can be the internet, MPLS, or Direct Connect. The following are the architecture patterns under this scenario:

Note: The network patterns covered in the following sections apply only with your existing or a new landing zone setup on Amazon. For SD-WAN appliance deployment and connectivity directly with the SAP-managed Amazon account, refer to Pattern A-2.

 **Pattern B-1: SD-WAN appliances in Amazon integrated with Amazon Transit Gateway Connect with your Amazon landing zone** 

![SD-WAN appliances integrated with Transit Gateway and Direct Connect with your landing zone](http://docs.amazonaws.cn/en_us/sap/latest/general/images/rise-pattern-b-1-sd-wan-aws-tgw-dx-lz.png)


The preceding diagram illustrates a pattern of integrating your SD-WAN network with Transit Gateway using [connect attachments](https://docs.amazonaws.cn/vpc/latest/tgw/tgw-connect.html) and placing (third-party) virtual appliances of the SD-WAN network in an Appliance VPC within Amazon. It’s common to have SD-WAN edge appliances deployed at branch locations and in the on-premises data center to create a full-mesh topology.

Outbound from RISE with SAP:

1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

1. The Transit Gateway connect attachment uses the VPC attachment as transport and connects Transit Gateway to the third-party appliance in the Appliance VPC using GRE tunneling and BGP.

1. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE with SAP:

1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the Appliance VPC via the SD-WAN overlay over the Direct Connect link.

1. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via the connect attachment.

1. Transit Gateway forwards the traffic to the destination RISE VPC.

 **Pattern B-2: SD-WAN appliances in Amazon integrated with Amazon Site-to-Site VPN** 

![SD-WAN appliances integrated with Site-to-Site VPN](http://docs.amazonaws.cn/en_us/sap/latest/general/images/rise-pattern-b-2-sd-wan-s2svpn.png)


The preceding diagram illustrates a pattern of integrating your SD-WAN network with Transit Gateway using an Amazon Site-to-Site VPN connection and placing (third-party) virtual appliances of the SD-WAN network in an Appliance VPC within Amazon. You may use this option when your third-party virtual appliance does not support GRE. It’s common to have SD-WAN edge appliances deployed at branch locations and in the on-premises data center to create a full-mesh topology.

Outbound from RISE with SAP:

1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway Elastic Network Interface (TGW ENI).

1. The traffic is routed between the Transit Gateway and the third-party virtual appliance using the Site-to-Site VPN connection.

1. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE with SAP:

1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the appliance VPC via the SD-WAN overlay over the Amazon Direct Connect link.

1. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via Site-to-Site VPN connection.

1. Transit Gateway forwards the traffic to the TGW ENI of the destination RISE VPC.