Cisco Catalyst SD-WAN Onboarding Guide, Releases 26.x and Later

PDF

Install SD-WAN Control Components in AWS

Want to summarize with AI?

Log in

Guides users through the installation process for SD-WAN Control Components in AWS, including requesting AWS AMI images, creating virtual networks and subnets, deploying virtual machines, and configuring security groups to enable secure connectivity.


The procedures described here are the stages in installing the SD-WAN Control Components in AWS.

Request AWS AMI images

This topic describes how to deploy SD-WAN Control Components in an AWS account using AMI images.

Procedure

1.

You must place an order for $0 customer managed SD-WAN Control Component SKU. For more information, refer to the Catalyst SD-WAN Control Component SKU table in the ​Cisco Catalyst SD-WAN Controller Ordering Guide.

2.

After you purchase the SKU, the Cisco CloudOps team validates the order information, and reaches out to you asking for additional details such as:

  1. AWS account number.

  2. Software version requirement for the AMI.

3.

The Cisco CloudOps team verifies the information and shares the requested AMIs to your AMI inventory in the US-WEST-2 region.

Note

The AMI images that the CloudOps team provides are for your use only. Do not share them with others. If the images are shared with others, we reserve the right to remove the images and take any necessary action to prevent the images from being shared.

What to do next

Create a VPC, Subnet, and Security Group in AWS.


Create a virtual network, subnets, and network security group in AWS

This topic describes how to create a VPC, Subnet, and Security Group in AWS.

Note

For definitive information about tasks in AWS, see the AWS documentation.

Before you begin

Follow these steps to create virtual network, subnets, and network security group in AWS.

Procedure

1.

Create a virtual private cloud (VPC), and while creating the VPC ensure that you complete these actions:

  1. Enter a name and a region for the VPC.

  2. Enter an address space for the VPC (for example, 10.0.0.0/16).

  3. Add a minimum of two subnets to the VPC, and an additional subnet if you plan to create a SD-WAN Manager cluster. For each subnet, provide a name and an address space for the subnet. A later step associates these subnets with virtual machine network interfaces.

    Example:

    Example subnets:
    • Add subnet 0 with the address 10.0.1.0/24, which will be used by VPN 512 as the primary interface for the SD-WAN Control Components.

    • Add subnet 1 with the address 10.0.2.0/24, to use it as the controllers' transport or tunnel interface for VPN 0.

    • Add subnet 2 with the address 10.0.3.0/24, to use it for SD-WAN Manager clustering (this is only required when deploying a SD-WAN Manager cluster).

  4. (Optional) Enter a tag to categorize the VPC.

2.

Create the necessary resources required for the VPC, to form the environment for running the controller instances.

  1. The security group must contain these:

    • Source public IP address of the user NOC center to access the controllers for management purpose.

    • Address 0.0.0.0/0 for all TCP/UDP ports for TLS/DTLS for all edges to join the controllers.

    • Enable public IPs for each controller to reach other controllers.

  2. Enter a name and a region for the security group.

  3. (Optional) Enter a tag to categorize the security group.

3.

Associate the newly created security group with the subnets created in Step 1.

4.

Create an internet gateway and associate it with the VPC.

5.

Create a routing table and associate it with the VPC. Add a default route entry pointing to the internet gateway.

What to do next

Create a virtual machine for the SD-WAN Control Components.


Create a virtual machine for the SD-WAN Control Components

This topic describes how to create a virtual machine for the SD-WAN Control Component.

Note

For definitive information about tasks in AWS, see the AWS documentation.

Follow these steps to create a virtual machine for the SD-WAN Control Component.

Procedure


1.

Begin the workflow for creating a virtual machine. When creating a virtual machine, ensure that you complete these steps:

  1. Install the virtual machine in the virtual private cloud (VPC) created in task "Create a VPC, Subnet, and Security Group in AWS".

  2. Enter a name and region for the virtual machine.

  3. For the image, select the appropriate shared controller AMI for Cisco SD-WAN Manager or Cisco SD-WAN Validator or Cisco SD-WAN Controller.

    Note

    For information about how to locate custom images, see the AWS documentation.

  4. For the virtual machine size, select an option with the number of CPUs and memory that you want to use for the controller. For Cisco SD-WAN Controller-device compatibility and Cisco SD-WAN Controller server requirements, see Cisco SD-WAN Controller Compatibility Matrix and Server Recommendations.

  5. For disk resources, perform one of these options:

  • If you are deploying a SD-WAN Controller or a SD-WAN Validator, no additional disk resources are required beyond the default.

  • If you are deploying a SD-WAN Manager, choose one additional disk.

  • For networking details, choose the VPC, the subnets, and the security group that you created in earlier steps. Each virtual machine must have two network interfaces, one for the VPN 512 management subnet and one for the VPN 0 tunnel subnet.

  • Assign an Elastic IP address to the VPN 0 and VPN 512 network interfaces of each controller.

  • For Cisco SD-WAN Controller Release 20.6.1 and later, you have an option to use the user data feature to enter commands for the virtual machine to execute when rebooting.

  • (Optional) Add a tag to categorize the controller.

2.

After creating the virtual machine, create additional network interfaces (NICs) for the virtual machine. Create the network interfaces that you created in an earlier task.

  • If you are deploying a SD-WAN Controller or a SD-WAN Validator, create one additional network interface.

  • If you are deploying a SD-WAN Manager, create two additional network interfaces.

  • If you are deploying a SD-WAN Manager in a cluster, see Cluster Management and Deploy Cisco SD-WAN Manager for additional information about SD-WAN Manager out-of-band interfaces.

3.

When creating a network interface, complete these actions:

  • Specify the VPC, subnets, and the security group created in Task 2.

  • Associate NICs with subnets.

    Example: Associate NIC 1 with subnet 1.

    • If you are deploying a SD-WAN Manager controller, associate NIC 2 with subnet 2.

    • If you are using a SD-WAN Manager cluster, associate NIC 3 with subnet 3.

      Note

      Associating a NIC with a subnet enables the virtual machine to connect to the subnet.

    • For each NIC, enter the tag used for the controller that you are deploying.

4.

Create a static public IP for all the controllers to use, and associate this public IP with NIC 1.

Note

Use the Elastic IP in AWS.

5.

When creating a public IP, ensure that you complete the following actions:

  • For assignment, choose static.
  • To specify NIC 1, use the associate option.
6.

Stop the virtual machine, and confirm when it has stopped.

7.

Attach the newly created NICs to the virtual machine.

  • If you are deploying a SD-WAN Controller or a SD-WAN Validator, attach the NIC to the virtual machine.

  • If you are deploying SD-WAN Manager, attach both of the newly created NICs to the virtual machine.

8.

Restart the virtual machine. Confirm in the AWS portal that the virtual machine has restarted.


What to do next

Configure the Security Group.


Configure the Security Group

This topic describes how to configure the Security Group.

Note

For definitive information about tasks in AWS, see the AWS documentation.

Before you begin

The security group is functionally related to a firewall policy. When configuring the security group, it is helpful to be aware of firewall port configuration in Cisco Catalyst SD-WAN. See Firewall Ports for Cisco SD-WAN Deployments.

Follow these steps to configure the Security Group.

Procedure

1.

Using the AWS portal, add inbound security rules to the security group created in an earlier task, to allow inbound traffic from the IP range required for the following:

  • Establishing control connections between each of the SD-WAN Control Components. If the controllers lack connectivity to each other, the control plane and the data plane cannot operate.

  • Accessing the SD-WAN Control Component using HTTPS or SSH protocols.

2.

For the security group, use the option to add inbound security rules. Using the rules, allow all the controller virtual machine IP addresses, to enable the required connectivity between the SD-WAN Control Components. When creating a new inbound security rule, ensure that you complete the following actions:

  1. Specify IP ranges, protocol, and so on.

  2. For the action of the rule, choose the option to allow the traffic.

3.

To verify the connectivity, log in to the virtual machine using the NIC 0 public IP of SD-WAN Manager.

What to do next

Verify the deployment of SD-WAN Control Components in AWS.