What You’ll Learn
- How to deploy public cloud connectivity over internet-based transports using Cisco Catalyst SD-WAN (formerly Cisco SD-WAN) Cloud OnRamp for Multicloud
- How to set up a cloud account in Cisco Catalyst SD-WAN Manager (formerly vManage)
- How to discover and tag host Virtual Private Clouds (VPCs) in Amazon Web Services (AWS)
- How to deploy cloud gateways in AWS
What You’ll Need
- An AWS account with a valid billing method on file
- AWS access key and secret access key for application programming interface (API) access
- VPCs hosted in AWS
- Access to a Cisco Catalyst SD-WAN fabric with internet access
- Licenses for two Cisco Catalyst 8000V routers. There is a cost for spinning up two Catalyst 8000V routers in AWS. This tutorial demonstrates the use of SD-WAN 20.11.1 and IOS XE 17.9.4 code.
Note: As of Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, Cisco has renamed its SD-WAN products as follows: vManage is now called Cisco Catalyst SD-WAN Manager, vSmart is now Cisco Catalyst SD-WAN Controller, vBond is now Cisco Catalyst SD-WAN Validator, vAnalytics is now Cisco Catalyst SD-WAN Analytics, and the entire Cisco SD-WAN solution is now called Cisco Catalyst SD-WAN.
Here is what we are going to do at a high level in this tutorial:
- Associate an AWS cloud account with Cloud OnRamp for Multicloud
- Configure cloud global settings for Cloud OnRamp for Multicloud
- Discover host private networks in AWS
- Subscribe to Catalyst 8000V in AWS Marketplace
- Install Catalyst 8000V licenses in SD-WAN Manager
- Attach an AWS device template to Catalyst 8000V WAN Edge routers
- Create cloud gateways in Cloud OnRamp for Multicloud
- Establish cloud connectivity to AWS workloads
The first task is to add your AWS account details to SD-WAN Manager. This will allow SD-WAN Manager to discover the VPCs in your AWS account and create the necessary components to establish connectivity to the AWS workloads.
Note: Although Cisco SD-WAN is now called Cisco Catalyst SD-WAN, the screenshots shown in this tutorial still display the previous name.
- In SD-WAN Manager, navigate to Configuration > Cloud onRamp for Multicloud.

- From the Setup workflow, click the Associate Cloud Account link to configure the AWS account.

- Configure the AWS account. Make sure that Amazon Web Services is chosen in the Cloud Provider drop-down menu. Provide a name for the account (for example, AWS1) and set Use for Cloud Gateway to Yes. Choose Log in to AWS with Key, and provide your AWS account credentials (access key and secret access key). Click Add to create the account.

You will receive a success message once the account is configured.

Next, you need to specify the cloud global settings.
- From the Cloud Account Management page, click Cloud Global Settings to configure the default cloud gateway settings for an AWS region.

- Verify that Amazon Web Services is chosen in the Cloud Provider drop-down menu, and click Add to add the global settings.

- In the Cloud Gateway Solution drop-down menu, choose Transit Gateway – VPN based (using TVPC).

- Once you have chosen the cloud gateway solution, you must choose the AWS account and region, and configure the software version, instance size, and other cloud gateway settings. In this example, we are using the following settings:
Reference Account Name: AWS1
Reference Region: us-east-1
Software Image: BYOL (C8000v 17.09.04a)
Instance Size: t3.medium (2 vCPU)
IP Subnet Pool: 192.168.168.0/24
Note that your AWS region and Catalyst 8000V IOS XE Software version might differ.

- Scroll down and configure the remaining settings as follows:
Cloud Gateway BGP ASN Offset: 64530
Intra Tag Communication: Enabled
Program Default Route in VPCs towards TGW: Enabled
Full Mesh of Transit VPCs: Enabled
Site-to-Site Tunnel Encapsulation Type: IPSEC
Enable Periodic Audit: Enabled
Enable Auto Correct: Enabled
Click Save to save the global settings for AWS region us-east-1.

Next, you need to discover the available host VPCs in AWS. Recall from the prerequisites that the two host VPCs must already exist in your AWS account before you run discovery.
- From the Cloud Global Settings page, click Discover Host Private Networks. Wait for the discovery process to list all discovered host VPCs.

- From the list of discovered host VPCs, choose your two host VPCs in the region in which they were created. In the example, the host VPCs are called sdwan-host1-vpc and sdwan-host2-vpc and are located in the us-east-1 region. Once the two host VPCs are selected, click Tag Actions, and choose Add Tag. The tag groups the host VPCs into a single unit, which also allows intra-tag communication between them when that setting is enabled.

- Enter a tag name. In the example, CloudWorkloads is used as the tag name. Click Add to create the tag.

- Verify that the tag is successfully created.

Next, you need to access the AWS Management Console web page and activate the Catalyst 8000V subscription for your region.
- Log in to the AWS Management Console and ensure that the appropriate region is selected. In the example, we are using US East (N. Virginia) – us-east-1.

- Once the region is selected, use the search box to type Catalyst 8000v, choose Marketplace from the list on the left, and then choose Cisco Catalyst 8000V for SD-WAN & Routing (Bring Your Own License).

- Click Continue to Subscribe, and then click Accept Terms to finalize the subscription process.


Next, you need to log in to SD-WAN Manager and add the device licenses that allow Catalyst SD-WAN to spin up the Catalyst 8000V routers that act as cloud gateways in AWS and join them to the SD-WAN overlay.
- Log in to SD-WAN Manager and navigate to Configuration > Devices.

- Click Upload WAN Edge List to upload the license file.

- Click Choose File, and navigate to the folder with the .viptela file that you obtained from the Cisco Smart Software Licensing portal. In the example, the file was named serialFile.viptela.

- Make sure to check the Validate the uploaded vEdge List and send to controllers check box to validate the devices, and click Upload. Click OK to confirm the upload, and then click OK again to finalize the upload process.

- Wait a few moments for the new licenses to propagate to all the controllers.

Next, you need to attach an SD-WAN device template to the newly added Catalyst 8000V routers so that when they get spun up by AWS, they receive the necessary configuration to join the SD-WAN overlay.
- In SD-WAN Manager, navigate to Configuration > Templates.

- Click the Device Templates button. Choose to display the default template types, and use the search box to filter for only AWS templates. Use the more options button (…) next to the Default_AWS_TGW_C8000V_Template_V01 template, and choose Attach Devices.

- Choose the two WAN Edge device licenses that you added in the previous task, move them to the Selected Devices field, and click Attach.

- Configure the template variable values for the two new WAN Edge devices. Open the more options (…) menu for the first device, and choose Edit Device Template.

- Configure the required variable values. The example uses the following values:
Color: biz-internet
Hostname: cgw1
System IP: 1.0.0.1
Site ID: 1000
Click Update to confirm.

- Open the more options (…) menu for the second device, and choose Edit Device Template.

- Configure the required variable values. The example uses the following values:
Color: biz-internet
Hostname: cgw2
System IP: 1.0.0.2
Site ID: 1000
Click Update to confirm.

- Once the values are entered, click Next, and then click Configure Devices to push the configuration to the two routers.


- Mark the Confirm configuration changes on 2 devices check box to confirm deployment, and click OK.

- Because the devices are not yet deployed and are seen as offline by SD-WAN Manager, the configuration deployment task will be scheduled, and the configuration will be deployed when the devices come online.
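Before pushing these values, it is worth catching the mistakes that only surface after the gateways are built: a subnet pool that collides with a workload VPC, a host VPC in the wrong region, or two WAN Edge devices given the same system IP. The following pre-flight script is an added example, not Cisco code and not an SD-WAN Manager or AWS API call; it validates the cloud global settings, the tagged host VPCs and the template variables from this tutorial entirely offline. The host VPC CIDRs (10.101.0.0/16 and 10.102.0.0/16) are constructed sample values, since the tutorial does not list them, and the checks on the BGP ASN offset and on the shared site ID encode this tutorial's design rather than a documented Cisco rule.

```python
"""Offline pre-flight check for the Cloud OnRamp for Multicloud values in this tutorial.

Added example, not Cisco code: it only validates values you are about to type
into SD-WAN Manager. It never contacts AWS or SD-WAN Manager.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# 16-bit private ASN range (RFC 6996); the tutorial's offset 64530 sits inside it.
PRIVATE_ASN_MIN, PRIVATE_ASN_MAX = 64512, 65534


@dataclass
class CloudGlobalSettings:
    account: str          # Reference Account Name
    region: str           # Reference Region
    subnet_pool: str      # IP Subnet Pool, carved up for the transit VPC
    bgp_asn_offset: int   # Cloud Gateway BGP ASN Offset


@dataclass
class HostVpc:
    name: str
    region: str
    cidr: str
    tag: Optional[str] = None   # tag applied with Tag Actions > Add Tag


@dataclass
class EdgeVars:
    hostname: str
    system_ip: str
    site_id: int
    color: str


def check_settings(settings: CloudGlobalSettings, vpcs: List[HostVpc]) -> List[str]:
    """Return findings for the global settings and host VPCs; empty list means consistent."""
    try:
        pool = ipaddress.ip_network(settings.subnet_pool)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"subnet pool {settings.subnet_pool!r} is not a valid network: {exc}"]
    findings = []
    if not pool.is_private:
        findings.append(f"subnet pool {pool} is not a private (RFC 1918) range")
    if not PRIVATE_ASN_MIN <= settings.bgp_asn_offset <= PRIVATE_ASN_MAX:
        findings.append(f"BGP ASN offset {settings.bgp_asn_offset} is outside "
                        f"{PRIVATE_ASN_MIN}-{PRIVATE_ASN_MAX}")
    seen = []  # (name, network, tag) of VPCs already examined
    for vpc in vpcs:
        net = ipaddress.ip_network(vpc.cidr)
        if vpc.region != settings.region:
            findings.append(f"host VPC {vpc.name} is in {vpc.region}, "
                            f"but the global settings target {settings.region}")
        # The pool becomes the transit VPC address space, so it must not
        # collide with any workload VPC it will route for.
        if net.overlaps(pool):
            findings.append(f"host VPC {vpc.name} ({net}) overlaps subnet pool {pool}")
        # With Intra Tag Communication enabled, VPCs under one tag exchange
        # routes, so their CIDRs must be disjoint.
        for other_name, other_net, other_tag in seen:
            if vpc.tag and vpc.tag == other_tag and net.overlaps(other_net):
                findings.append(f"host VPCs {other_name} and {vpc.name} share tag "
                                f"{vpc.tag} but their CIDRs overlap")
        seen.append((vpc.name, net, vpc.tag))
    return findings


def check_edges(edges: List[EdgeVars]) -> List[str]:
    """Return findings for the Catalyst 8000V template variables."""
    findings = []
    seen_ips, seen_names = set(), set()
    for e in edges:
        try:
            ipaddress.ip_address(e.system_ip)
        except ValueError:
            findings.append(f"{e.hostname}: system IP {e.system_ip!r} is not an IP address")
        if e.system_ip in seen_ips:
            findings.append(f"{e.hostname}: system IP {e.system_ip} is already used")
        if e.hostname in seen_names:
            findings.append(f"hostname {e.hostname} is used more than once")
        seen_ips.add(e.system_ip)
        seen_names.add(e.hostname)
    # In this tutorial both gateway routers belong to one site (SITE_1000).
    if len({e.site_id for e in edges}) != 1:
        findings.append("cloud gateway routers must share a single site ID")
    return findings


# Values from the tutorial; the host VPC CIDRs are constructed sample values.
SETTINGS = CloudGlobalSettings("AWS1", "us-east-1", "192.168.168.0/24", 64530)
HOST_VPCS = [
    HostVpc("sdwan-host1-vpc", "us-east-1", "10.101.0.0/16", "CloudWorkloads"),
    HostVpc("sdwan-host2-vpc", "us-east-1", "10.102.0.0/16", "CloudWorkloads"),
]
EDGES = [
    EdgeVars("cgw1", "1.0.0.1", 1000, "biz-internet"),
    EdgeVars("cgw2", "1.0.0.2", 1000, "biz-internet"),
]

if __name__ == "__main__":
    for finding in check_settings(SETTINGS, HOST_VPCS) + check_edges(EDGES):
        print("FINDING:", finding)
    print("pre-flight complete")
```

Run it with the real CIDRs of your host VPCs substituted into HOST_VPCS; an empty findings list means the values are safe to enter, and each finding names the field to fix in SD-WAN Manager.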

Next, you will need to deploy the cloud gateway in AWS that will be linked to the two Catalyst 8000V WAN Edge devices that were configured in the previous task.
- In SD-WAN Manager, navigate to Configuration > Cloud onRamp for Multicloud. Under the Manage workflow, click Create Cloud Gateway.

- Choose Amazon Web Services in the Cloud Provider drop-down menu, and enter a name (for example, GCW) in the Cloud Gateway Name field. Choose the AWS account that you created earlier, and select the appropriate region and site name. In the example, the account is set to AWS1, the cloud region is set to us-east-1, and the site chosen is SITE_1000.

- Scroll down and review the rest of the parameters. You will notice that they have all been preconfigured, based on the site name choice and the cloud global settings for the us-east-1 region. Click Add to deploy the cloud gateway.

Wait for the deployment to finish, then verify that the gateways were successfully deployed. In SD-WAN Manager, navigate to Configuration > Cloud onRamp for Multicloud. You should see two WAN Edge devices reachable within the newly created AWS cloud gateway.

The final task is to create a mapping to establish connectivity between service-side VPNs from the Catalyst SD-WAN sites and the workloads hosted in the AWS public cloud. Mapping a VPN to the cloud workloads brings up IPsec tunnels between the Catalyst SD-WAN cloud gateways and the AWS transit gateway that serves the host VPCs.
- In SD-WAN Manager, navigate to Configuration > Cloud onRamp for Multicloud. Click the Cloud Connectivity link under the Intent Management workflow.

- Choose Amazon Web Services in the Cloud Provider drop-down menu, and click Edit to modify the connectivity intent.

- In the example, the mapping of VPN100 to the CloudWorkloads tag is enabled to establish communication between the SD-WAN sites and the AWS cloud workloads. Click the corresponding cell in the intent matrix to enable the mapping, and then click Save to apply the changes. Note that enabling the intent initiates the building of the VPN tunnels. This procedure can take 10 to 15 minutes or more to complete.

- In SD-WAN Manager, navigate to Configuration > Cloud onRamp for Multicloud to confirm the tunnel status. Verify that the VPN tunnels to the transit gateway are up and reachable and that the host VPC is mapped to a VPN.

Congrats! You have successfully deployed Cisco Catalyst SD-WAN cloud gateways to AWS and established connectivity to the cloud-hosted workloads.