Simplifying Global Hybrid Connectivity with AWS Cloud WAN + Direct Connect: Notes from the Trenches

Blog ENG - AWS - Post 4 2025

When your network spans continents, clouds, and decades of design choices, “simple” can feel like a luxury. Over the years, I’ve helped enterprises evolve from hub‑and‑spoke VPNs to global backbones, and more recently to cloud‑first architectures. The latest integration between AWS Cloud WAN and AWS Direct Connect has been one of those rare upgrades that genuinely reduces complexity without forcing a rewrite of everything you’ve built. Here’s how I’m seeing teams put it to work and the practical considerations I share with clients.

What actually changed and why it matters

AWS Cloud WAN now supports native Direct Connect gateway attachments. In practice, this means you can attach a Direct Connect Gateway (DXGW) straight to your Cloud WAN core network and let routes propagate between on‑premises and AWS segments without inserting an intermediate Transit Gateway. Fewer moving parts, simpler routing, and a cleaner operational story.
There’s a subtle routing improvement too: your on‑prem routers receive the full BGP AS-PATH for routes advertised through Cloud WAN via the DXGW. That added visibility helps you make deterministic decisions on‑prem (e.g., biasing traffic to a nearer POP or preferring a primary DC link) without extra hacks.
Finally, the association model is thoughtful: attach a DXGW to all or a subset of Cloud WAN core network Regions. If you choose a subset, on‑prem learns only the routes local to those Regions, which is an elegant way to limit east‑west spread or enforce geo preference. In most designs, I still recommend associating across all the Regions hosting your segment to keep paths short and symmetric.

How it works, in plain terms

Create a Direct Connect Gateway with a unique ASN that doesn’t collide with Cloud WAN’s ASN or your on‑prem ASN. Uniqueness sounds obvious, but ASN overlaps are a surprisingly common source of “mysterious” flaps.
Attach the DXGW to a Cloud WAN segment (e.g., Development, Production, or a dedicated Hybrid/Partner segment). Choose the Regions you want this DXGW to serve.
Bring up Transit VIFs on your physical Direct Connect links and let BGP do the heavy lifting in both directions. You can use BGP community tags for active/passive behavior without resorting to static trickery.

From there, Cloud WAN advertises VPC prefixes (IPv4 and IPv6) within the segment to the DXGW, which then announces them down to your routers. Conversely, the DXGW accepts your on‑prem prefixes, preserves AS-PATH, and shares them across Cloud WAN core network edges for consistent reachability.

Three patterns I keep recommending

1) Single site, dual Direct Connect links (per segment).
If you have one data center connecting into (say) a Development segment, use two physical Direct Connects and two Transit VIFs. Shape failover with BGP communities for clean active/passive. Keep the DXGW associated with all Regions hosting that segment for shortest paths and symmetric flows.

2) Multiple sites with unique on‑prem prefixes.
Advertise distinct RFC1918 summaries per location. Use one DXGW attached to your Production segment across Regions and let BGP pick the correct egress by destination. It’s simple, scalable, and avoids split‑brain situations.

3) Multiple sites advertising the same summary (geo preference).
If two DCs must advertise the same prefix, create two DXGWs, attach each to the Hybrid/Partner segment, and associate each DXGW with the Regions you want to prefer. Cloud WAN will choose the route with the shortest AS-PATH via the “local” DXGW, which achieves the geo‑smart egress you intended (without hand‑crafted policy tables).

Greenfield vs Brownfield: pragmatic migration steps

If your current hybrid path is Cloud WAN → Transit Gateway → Direct Connect, you can migrate in small, low‑risk increments:

Create new DXGWs and new Transit VIFs. Keep them dark initially; just verify BGP peering.
Attach the new DXGWs to the right Cloud WAN segments and Regions. On‑prem will start learning routes with a longer AS-PATH (DXGW ASN + Cloud WAN edge ASN), so nothing should prefer the new path yet.
Advertise test prefixes from on‑prem via the new VIFs. Validate reachability, symmetry, and failure behavior. Then migrate prefixes in batches and finally decommission the TGW path when you’re satisfied.

In production, this staged approach avoids outage windows and gives you clean rollback points (critical when multiple business units ride the same backbone).

Design notes and gotchas I’ve seen in the field

Segment intentionally. Keep Production, Development, and Partner/Hybrid traffic separated at the policy level. It simplifies compliance, failure domains, and blast radius. The Cloud WAN + DXGW integration honors segment boundaries natively.
Prefer full‑Region associations for the DXGW when segments exist in those Regions. It keeps return paths short and avoids “random” remote‑Region forwarding.
Use BGP communities for intent. Whether you want active/passive per VIF or site preference for shared summaries, communities remain the most portable signal between on‑prem and AWS.
Automate attachment lifecycle with tags. In larger estates, tag‑driven attachment policies and centralized routing controls help scale cleanly as teams create new VPCs and segments.
Embrace IPv6 early. Cloud WAN and DXGW propagate both IPv4 and IPv6. Standing up dual‑stack now prevents painful retrofits later, especially for global audiences and IoT edge.

From an architect’s lens: what I like about it

I’ve long advocated consolidating control planes and pushing intent to the edges. This integration does exactly that for hybrid routing: it removes a hop, clarifies AS-PATH visibility, and respects segment boundaries. Operationally, the combination of Cloud WAN policies and DXGW associations aligns well with how enterprises structure environments (prod/dev/partner) and regions (local/global), which cuts down on bespoke per‑site logic and the “snowflake” risk in change management.

Final thoughts

If you’re planning a new hybrid backbone, start with Cloud WAN segments that mirror your organizational boundaries, attach DXGWs where you need them, and keep BGP policies simple and declarative. If you’re migrating from TGW‑based designs, favor a staged rollout: new DXGWs, new VIFs, test prefixes, then progressive cutover. The payoff is a global network that’s easier to reason about, simpler to operate, and kinder to your incident runbooks. In my experience, that’s the kind of “simple” that endures.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.