VPC attachments in AWS Cloud WAN - AWS Network Manager

VPC attachments in AWS Cloud WAN

When you attach a VPC to a core network edge in AWS Cloud WAN, you must specify one subnet in each Availability Zone that the core network edge should use to route traffic into the VPC. One subnet per Availability Zone is enough: it lets traffic reach resources in every subnet of that Availability Zone, whereas an Availability Zone with no associated subnet is not reachable through the attachment. For more information about the limits that apply to core network VPC attachments, see Transit Gateway attachment to a VPC in the Transit Gateway User Guide.

Important

You cannot select a subnet from a Local Zone while creating a Cloud WAN VPC attachment. Doing so will result in an error. For more information about Local Zones, see the AWS Local Zones User Guide.

Appliance mode

If you plan to run a stateful network appliance (for example, a firewall or an intrusion detection system) in a VPC, enable appliance mode support on the VPC attachment that contains the appliance when you create the attachment. A stateful appliance must see both directions of a flow. With appliance mode enabled, Cloud WAN uses the same Availability Zone of that VPC attachment for the lifetime of a flow between a given source and destination, so the return traffic reaches the appliance instance that holds the flow's state rather than an instance in another zone, which has no state for the flow and would typically drop it. Appliance mode also allows Cloud WAN to send traffic to any Availability Zone in the VPC that has a subnet association, not only to the Availability Zone the traffic originated in.

Appliance mode is only supported on VPC attachments, but a flow can enter the core network through any other Cloud WAN attachment type, including VPC, VPN, and Connect attachments. Appliance mode also applies to flows whose source and destination are in different AWS Regions of your core network.

You can enable or disable appliance mode using the console, the command line, or the API. If you enable it on an existing attachment instead of at creation time, in-progress flows can be rebalanced across Availability Zones, so an appliance may start receiving packets for flows it has no state for; plan that change for a maintenance window.
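The following is an added example, not code from this page or from AWS: it selects attachment subnets from describe-subnets-style data according to the rules above (one subnet per Availability Zone, no Local Zone subnets, IPv4 required) and builds the keyword arguments for the Network Manager create_vpc_attachment call with appliance mode enabled. The account, VPC, subnet and zone values are constructed, and the `_subnet` helper and the dictionary shapes are this example's own; only the request field names (CoreNetworkId, VpcArn, SubnetArns, Options with Ipv6Support and ApplianceModeSupport) are those of the API.

```python
"""Choose subnets for a Cloud WAN VPC attachment and build the
create_vpc_attachment request, enforcing the rules on this page: one subnet
per Availability Zone, no Local Zone subnets, and IPv4 support required."""
from typing import Dict, List, Tuple

# Constructed sample data with hypothetical account, subnet and zone values.
# ZONE_TYPES mirrors the ZoneName/ZoneType pairs returned by
# ec2 describe-availability-zones; SUBNETS mirrors the describe-subnets fields
# that the selection depends on.
ZONE_TYPES = {
    "us-east-1a": "availability-zone",
    "us-east-1b": "availability-zone",
    "us-east-1-bos-1a": "local-zone",
}


def _subnet(subnet_id: str, az: str, ipv4: str = None, ipv6: str = None) -> dict:
    subnet = {
        "SubnetId": subnet_id,
        "AvailabilityZone": az,
        "SubnetArn": f"arn:aws:ec2:us-east-1:111122223333:subnet/{subnet_id}",
        "Ipv6CidrBlockAssociationSet": [],
    }
    if ipv4:
        subnet["CidrBlock"] = ipv4
    if ipv6:
        subnet["Ipv6CidrBlockAssociationSet"] = [{"Ipv6CidrBlock": ipv6}]
    return subnet


SUBNETS: List[dict] = [
    _subnet("subnet-0a1", "us-east-1a", "10.0.0.0/24"),
    _subnet("subnet-0a2", "us-east-1a", "10.0.1.0/24"),  # same AZ as subnet-0a1: one is enough
    _subnet("subnet-0b1", "us-east-1b", ipv6="2600:1f18:1::/64"),  # IPv6-only: not eligible
    _subnet("subnet-0b2", "us-east-1b", "10.0.2.0/24", "2600:1f18:2::/64"),
    _subnet("subnet-0l1", "us-east-1-bos-1a", "10.0.9.0/24"),  # Local Zone: rejected
]


def select_attachment_subnets(subnets: List[dict],
                              zone_types: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return ({availability_zone: subnet_arn}, {rejected_subnet_id: reason}).

    The first eligible subnet in each standard Availability Zone is chosen;
    that is all the core network edge needs to reach every subnet in the zone."""
    chosen: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for subnet in subnets:
        sid, az = subnet["SubnetId"], subnet["AvailabilityZone"]
        zone_type = zone_types.get(az, "unknown")
        if zone_type != "availability-zone":
            rejected[sid] = f"{az} is a {zone_type}; only standard Availability Zones are allowed"
        elif not subnet.get("CidrBlock"):
            rejected[sid] = "IPv6-only subnet; the attachment must support IPv4"
        elif az in chosen:
            rejected[sid] = f"{az} already has an attachment subnet"
        else:
            chosen[az] = subnet["SubnetArn"]
    if not chosen:
        raise ValueError("no eligible IPv4 subnet in any standard Availability Zone")
    return chosen, rejected


def build_attachment_request(core_network_id: str, vpc_arn: str, subnets: List[dict],
                             zone_types: Dict[str, str], appliance_mode: bool) -> dict:
    """Keyword arguments for networkmanager create_vpc_attachment (API field names)."""
    chosen, _ = select_attachment_subnets(subnets, zone_types)
    chosen_arns = set(chosen.values())
    ipv6 = any(s["SubnetArn"] in chosen_arns and s["Ipv6CidrBlockAssociationSet"] for s in subnets)
    return {
        "CoreNetworkId": core_network_id,
        "VpcArn": vpc_arn,
        "SubnetArns": sorted(chosen_arns),
        # ApplianceModeSupport pins each flow to one Availability Zone of this attachment.
        "Options": {"Ipv6Support": ipv6, "ApplianceModeSupport": appliance_mode},
    }


if __name__ == "__main__":
    import json
    request = build_attachment_request(
        "core-network-0123456789abcdef0",  # hypothetical core network ID
        "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc1234",
        SUBNETS, ZONE_TYPES, appliance_mode=True)
    print(json.dumps(request, indent=2))
    # With credentials configured, the real call would be:
    #   boto3.client("networkmanager").create_vpc_attachment(**request)
```

The selection rejects the Local Zone subnet and the IPv6-only subnet up front instead of letting the API return an error, and it raises if no IPv4 subnet in a standard Availability Zone is left, which is the case the IPv4 requirement forbids.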

When appliance mode is enabled, Cloud WAN takes the source and destination Availability Zones into account when choosing the path through the appliance VPC. It keeps traffic within a single Availability Zone where it can, which avoids unnecessary cross-zone hops and the latency they add. The following scenarios show how the Availability Zone is chosen.

Scenario 1: Intra-Availability Zone traffic routing via an appliance VPC

Traffic flows from a source in us-east-1a to a destination in us-east-1a, and the appliance VPC has appliance mode attachment subnets in both us-east-1a and us-east-1b. Cloud WAN chooses a network interface in us-east-1a within the appliance VPC, and that Availability Zone is kept for the entire duration of the flow between source and destination.

Scenario 2: Inter-Availability Zone traffic routing via an appliance VPC

Traffic flows from a source in us-east-1a to a destination in us-east-1b, and the appliance VPC has appliance mode attachment subnets in both us-east-1a and us-east-1b. Cloud WAN uses a flow hash algorithm to select either us-east-1a or us-east-1b in the appliance VPC, and the chosen Availability Zone is used consistently for the lifetime of the flow, in both directions.

Scenario 3: Routing traffic through an appliance VPC without Availability Zone data

Traffic originates in us-east-1a and is bound for a destination that has no Availability Zone information (for example, internet-bound traffic), and the appliance VPC has appliance mode attachment subnets in both us-east-1a and us-east-1b. Cloud WAN chooses a network interface in us-east-1a, the source Availability Zone, within the appliance VPC, and keeps that Availability Zone for the lifetime of the flow.

Scenario 4: Routing traffic through an Availability Zone distinct from either the source or destination

Traffic flows from a source in us-east-1a to a destination in us-east-1b, and the appliance VPC has appliance mode attachment subnets only in Availability Zones that match neither the source nor the destination, for example us-east-1c and us-east-1d. Cloud WAN uses a flow hash algorithm to select either us-east-1c or us-east-1d in the appliance VPC, and the chosen Availability Zone is used consistently for the lifetime of the flow.
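The four scenarios above, modelled as an added example that is not part of this page or of any AWS code. The selection rules are taken from the scenarios; the SHA-256 based `flow_hash_pick` stands in for the real flow hash (whose algorithm the page does not describe), the handling of a flow where only one endpoint's zone matches the appliance VPC is an assumption, and `default_az` is a simplified model of the behaviour with appliance mode off (traffic stays in the zone it arrived from), included to show the asymmetry that appliance mode removes. The flow 5-tuples and zone names are constructed.

```python
"""Model of how a flow is pinned to one Availability Zone of an appliance VPC
when appliance mode is on, and of the default zone-affinity behaviour when it
is off, so the forward/return symmetry can be checked on constructed flows."""
import hashlib
from typing import Optional, Sequence, Tuple

# 5-tuple: (src_ip, src_port, dst_ip, dst_port, protocol)
Flow = Tuple[str, int, str, int, str]


def _canonical(flow: Flow) -> bytes:
    """Direction-independent flow key: both directions of a flow hash alike."""
    a, b = (flow[0], flow[1]), (flow[2], flow[3])
    lo, hi = sorted([a, b])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow[4]}".encode()


def flow_hash_pick(flow: Flow, candidates: Sequence[str]) -> str:
    """Deterministic choice among candidate zones (stands in for the real flow hash)."""
    ordered = sorted(candidates)
    digest = hashlib.sha256(_canonical(flow)).digest()
    return ordered[int.from_bytes(digest[:8], "big") % len(ordered)]


def appliance_mode_az(src_az: Optional[str], dst_az: Optional[str],
                      appliance_azs: Sequence[str], flow: Flow) -> str:
    """Zone of the appliance VPC used for this flow with appliance mode on.
    A zone of None means the endpoint carries no zone information (scenario 3)."""
    appliance = set(appliance_azs)
    if not appliance:
        raise ValueError("appliance VPC has no attachment subnets")
    # Zones shared between the flow's endpoints and the appliance attachment.
    local = sorted(appliance & {az for az in (src_az, dst_az) if az})
    if len(local) == 1:
        # Scenarios 1 and 3: stay in the one matching zone. (Assumption: the
        # same rule applies when exactly one endpoint's zone matches.)
        return local[0]
    # Scenario 2: hash between the two matching zones.
    # Scenario 4: no match, so hash across every appliance zone.
    return flow_hash_pick(flow, local or sorted(appliance))


def default_az(src_az: Optional[str], appliance_azs: Sequence[str], flow: Flow) -> str:
    """Appliance mode off (simplified model): traffic is kept in the zone it
    arrived from when the appliance VPC has a subnet there, so each direction
    of a cross-zone flow can land on a different appliance instance."""
    appliance = set(appliance_azs)
    if src_az in appliance:
        return src_az
    return flow_hash_pick(flow, sorted(appliance))


def reverse(flow: Flow) -> Flow:
    """The return-traffic 5-tuple of a flow."""
    return (flow[2], flow[3], flow[0], flow[1], flow[4])


if __name__ == "__main__":
    flow = ("10.1.0.10", 41000, "10.2.0.20", 443, "tcp")  # constructed sample flow
    azs = ["us-east-1a", "us-east-1b"]
    fwd = appliance_mode_az("us-east-1a", "us-east-1b", azs, flow)
    ret = appliance_mode_az("us-east-1b", "us-east-1a", azs, reverse(flow))
    print("appliance mode on :", fwd, ret)  # same zone in both directions
    print("appliance mode off:", default_az("us-east-1a", azs, flow),
          default_az("us-east-1b", azs, reverse(flow)))  # us-east-1a then us-east-1b
```

The property a stateful appliance depends on is the one the model makes explicit: the zone choice is a function of the canonical (direction-independent) flow key and of the set of endpoint zones, so the reply packet selects the same zone, and therefore the same appliance instance, as the request. With the default behaviour a cross-zone flow is inspected in us-east-1a on the way out and in us-east-1b on the way back.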

Note
  • You can't create a core network VPC attachment that uses only IPv6 subnets. A core network VPC attachment must also support IPv4 addresses.

  • Appliance mode is only supported for VPC attachments.