Hybrid Cloud Networking and SD-WAN Architecture

Hybrid cloud networking connects on-premises infrastructure with cloud environments so that workloads can migrate and data can flow between them over a shared private address space. SD-WAN (Software-Defined Wide Area Network) adds an overlay that selects paths by policy across several transports (internet, MPLS, dedicated circuits) and centralizes configuration for distributed sites.

Hybrid Connectivity Options

  • VPN: IPsec tunnels over the public internet; encrypted and quick to stand up, with throughput bounded per tunnel
  • Direct Connect/ExpressRoute: Dedicated private circuits with predictable latency; private is not encrypted, so MACsec or IPsec must be layered on where confidentiality is required
  • Transit Gateway: Regional hub for multi-VPC and on-premises connectivity; its route tables are the segmentation boundary
  • SD-WAN: Software-defined overlay that runs on top of any of the above

AWS Transit Gateway

# Terraform - Transit Gateway hub
resource "aws_ec2_transit_gateway" "main" {
  description     = "Main Transit Gateway"
  amazon_side_asn = 64512 # explicit; a Direct Connect gateway associated with this hub needs a different ASN

  # Disabled: attachments shared through RAM from other accounts must be
  # accepted explicitly (aws_ec2_transit_gateway_vpc_attachment_accepter);
  # with "enable", any account in the share can attach to the hub unreviewed.
  auto_accept_shared_attachments = "disable"

  # Disabled: no default route table, so a new attachment reaches nothing
  # until it is associated with, and propagated into, a specific table.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"

  dns_support      = "enable"
  vpn_ecmp_support = "enable" # spread VPN traffic across both tunnels

  tags = {
    Name = "main-tgw"
  }
}

# VPC attachment. Default-table association/propagation are turned off on the
# attachment as well, since the hub has no default route table; routing is
# set up explicitly in the Network Segmentation section.
resource "aws_ec2_transit_gateway_vpc_attachment" "production" {
  subnet_ids         = var.production_subnet_ids # one subnet per AZ, dedicated to the TGW ENIs
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = var.production_vpc_id

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name = "production-attachment"
  }
}

# Route table
resource "aws_ec2_transit_gateway_route_table" "production" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id

  tags = {
    Name = "production-rt"
  }
}

# Static route to on-premises through the VPN attachment. The attachment is
# created implicitly by aws_vpn_connection when transit_gateway_id is set and
# is exposed as transit_gateway_attachment_id; there is no standalone
# aws_ec2_transit_gateway_vpn_attachment resource. With BGP, prefer
# aws_ec2_transit_gateway_route_table_propagation over a broad static summary.
resource "aws_ec2_transit_gateway_route" "on_prem" {
  destination_cidr_block         = "10.0.0.0/8"
  transit_gateway_attachment_id  = aws_vpn_connection.main.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id
}

Site-to-Site VPN

# Terraform - VPN connection
resource "aws_customer_gateway" "on_prem" {
  bgp_asn    = 65000                  # on-premises private ASN
  ip_address = var.on_prem_gateway_ip # public address of the on-prem IPsec endpoint
  type       = "ipsec.1"

  tags = {
    Name = "on-prem-cgw"
  }
}

# Every negotiable option is pinned on both tunnels. AWS accepts any value in
# the permitted list, and an option left unset defaults to all supported
# values, including IKEv1, AES128, SHA1 and DH group 2, so a tunnel2 without
# these lines would negotiate weaker crypto than tunnel1. Pre-shared keys are
# left for AWS to generate rather than stored in code.
resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.on_prem.id
  transit_gateway_id  = aws_ec2_transit_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false # exchange prefixes over BGP

  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [20]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [20] # perfect forward secrecy group

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [20]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [20]

  tags = {
    Name = "on-prem-vpn"
  }
}
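As an added example (not code from the page or from AWS), the following Python audits what a Site-to-Site VPN connection is actually allowed to negotiate, which is the check behind pinning the tunnel options. It reads a dict shaped like one element of boto3's describe_vpn_connections() response; the connection below is constructed by hand to model a deployment where only tunnel1 was pinned and both the phase 2 DH groups and all of tunnel2 were left at the service defaults, so it runs without AWS credentials.

```python
"""Audit which crypto an AWS Site-to-Site VPN may negotiate.

Added example for this page, not code from AWS or the original article. The
input is a dict shaped like one element of boto3's
ec2.describe_vpn_connections()["VpnConnections"]; only Options.TunnelOptions
is read. The sample connection is constructed, not captured from an account.
"""

# Minimum policy, taken from the tunnel1 settings in the Terraform above.
# Every value AWS is *permitted* to negotiate must be inside the allowed set:
# the customer gateway picks from the permitted list, so a single weak entry
# (IKEv1, SHA1, DH group 2) is enough to downgrade the tunnel.
POLICY = {
    "IkeVersions": {"ikev2"},
    "Phase1EncryptionAlgorithms": {"AES256", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES256", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase1DHGroupNumbers": set(range(14, 25)),
    "Phase2DHGroupNumbers": set(range(14, 25)),
}

# What AWS permits when a tunnel option is left unset (the service defaults).
AWS_DEFAULTS = {
    "IkeVersions": ["ikev1", "ikev2"],
    "Phase1EncryptionAlgorithms": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "Phase2EncryptionAlgorithms": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "Phase1IntegrityAlgorithms": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "Phase2IntegrityAlgorithms": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "Phase1DHGroupNumbers": [2] + list(range(14, 25)),
    "Phase2DHGroupNumbers": [2, 5] + list(range(14, 25)),
}


def _entries(values):
    """boto3 reports option lists as [{"Value": v}, ...]."""
    return [{"Value": v} for v in values]


def policy_tunnel(outside_ip="203.0.113.10"):
    """A tunnel pinned to exactly the values the Terraform sets, plus PFS group 20."""
    return {
        "OutsideIpAddress": outside_ip,
        "IkeVersions": _entries(["ikev2"]),
        "Phase1EncryptionAlgorithms": _entries(["AES256"]),
        "Phase1IntegrityAlgorithms": _entries(["SHA2-256"]),
        "Phase1DHGroupNumbers": _entries([20]),
        "Phase2EncryptionAlgorithms": _entries(["AES256-GCM-16"]),
        "Phase2IntegrityAlgorithms": _entries(["SHA2-256"]),
        "Phase2DHGroupNumbers": _entries([20]),
    }


def default_tunnel(outside_ip="203.0.113.11"):
    """A tunnel whose options were never set, as the service reports it."""
    return {"OutsideIpAddress": outside_ip,
            **{field: _entries(values) for field, values in AWS_DEFAULTS.items()}}


def audit_vpn_connection(conn):
    """Return one finding per (tunnel, option) whose permitted values fall outside POLICY."""
    findings = []
    tunnels = conn.get("Options", {}).get("TunnelOptions", [])
    for number, tunnel in enumerate(tunnels, start=1):
        for field, allowed in POLICY.items():
            permitted = {entry["Value"] for entry in tunnel.get(field, [])}
            offending = sorted(permitted - allowed, key=str)
            if offending:
                findings.append({"tunnel": number, "field": field, "permits": offending})
    return findings


# Constructed sample: tunnel1 pinned except for phase 2 DH groups (left unset,
# so the default list applies), tunnel2 entirely at the service defaults.
SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-0123456789abcdef0",  # constructed ID
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            {**policy_tunnel(), "Phase2DHGroupNumbers": _entries(AWS_DEFAULTS["Phase2DHGroupNumbers"])},
            default_tunnel(),
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_vpn_connection(SAMPLE_CONNECTION):
        print(f"tunnel{finding['tunnel']}: {finding['field']} also permits {finding['permits']}")
```

Against a live account, feed each element of ec2.describe_vpn_connections()["VpnConnections"] to audit_vpn_connection in place of SAMPLE_CONNECTION. The output makes the point that an option is only as strong as the weakest value in its permitted list: the single tunnel1 finding is the unset phase 2 DH group, and the seven tunnel2 findings are exactly what an unconfigured tunnel exposes.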

Direct Connect

# Terraform - Direct Connect Gateway
# Direct Connect is a private circuit, not an encrypted one: traffic on the
# virtual interface is cleartext unless MACsec is enabled on the connection
# or IPsec (for example the VPN above, carried over the DX path) runs on top.
resource "aws_dx_gateway" "main" {
  name            = "main-dxgw"
  amazon_side_asn = "64513" # must differ from the Transit Gateway ASN (64512 by default); the association is rejected otherwise
}

resource "aws_dx_gateway_association" "tgw" {
  dx_gateway_id         = aws_dx_gateway.main.id
  associated_gateway_id = aws_ec2_transit_gateway.main.id

  # Prefixes advertised to on-premises over BGP. Keep this to the AWS-side
  # ranges on-prem should reach rather than a catch-all summary.
  allowed_prefixes = [
    "10.0.0.0/8",
    "172.16.0.0/12"
  ]
}

# Virtual interface
resource "aws_dx_private_virtual_interface" "main" {
  connection_id    = var.dx_connection_id
  dx_gateway_id    = aws_dx_gateway.main.id
  name             = "main-vif"
  vlan             = 100
  address_family   = "ipv4"
  bgp_asn          = 65000               # on-premises ASN, same as the customer gateway above
  amazon_address   = "169.254.255.1/30"
  customer_address = "169.254.255.2/30"
  bgp_auth_key     = var.dx_bgp_auth_key # BGP MD5 key; AWS generates one when omitted
}

Network Segmentation

# Transit Gateway route table segmentation. An attachment is *associated* with
# one route table, which is consulted for traffic entering the TGW from that
# attachment; *propagation* copies an attachment's CIDRs into a table as routes.
# Two attachments can talk only if each one's table has a route to the other.
# The production table is declared in the Transit Gateway section above.
resource "aws_ec2_transit_gateway_route_table" "shared_services" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  tags = { Name = "shared-services" }
}

resource "aws_ec2_transit_gateway_route_table" "development" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  tags = { Name = "development" }
}

# Production can reach shared services but not development: the production
# attachment is routed by the production table, and only the shared-services
# attachment (assumed to be declared like the production one) propagates into it
resource "aws_ec2_transit_gateway_route_table_association" "production" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.production.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "shared_into_production" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id
}

# Return path: shared services uses its own table, into which production propagates
resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared_services.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "production_into_shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.production.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared_services.id
}
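To verify that association and propagation rules actually isolate environments, here is an added example in Python (not the page's or AWS's code) that models the Transit Gateway's routing as plain dicts and performs the same longest-prefix lookup the TGW does. The attachment IDs and CIDRs are constructed; a real audit would fill the same dicts from describe_transit_gateway_route_tables, get_transit_gateway_route_table_associations, get_transit_gateway_route_table_propagations and search_transit_gateway_routes. It also shows why the 10.0.0.0/8 static summary route from the Transit Gateway section matters: it covers the development CIDR as well, so production traffic for development is not dropped but handed to the on-premises attachment.

```python
"""Offline reachability check for Transit Gateway route-table segmentation.

Added example for this page, not code from AWS or the original article. It
models the objects the Terraform creates (attachments, route tables,
associations, propagations, static routes) as plain dicts; attachment IDs,
route-table IDs and CIDRs are constructed and no AWS API is called.
"""
import ipaddress

# Constructed model of the segmented hub: production and development may each
# reach shared services, and production also carries the static 10.0.0.0/8
# summary route to on-premises from the Transit Gateway section.
MODEL = {
    "attachments": {
        "tgw-attach-prod":   {"cidrs": ["10.10.0.0/16"]},
        "tgw-attach-dev":    {"cidrs": ["10.20.0.0/16"]},
        "tgw-attach-shared": {"cidrs": ["10.30.0.0/16"]},
        "tgw-attach-vpn":    {"cidrs": []},  # on-prem prefixes arrive by static route or BGP
    },
    # attachment -> route table consulted for traffic entering the TGW from it
    "associations": {
        "tgw-attach-prod":   "tgw-rtb-prod",
        "tgw-attach-dev":    "tgw-rtb-dev",
        "tgw-attach-shared": "tgw-rtb-shared",
        "tgw-attach-vpn":    "tgw-rtb-shared",
    },
    # route table -> attachments whose CIDRs are propagated into it as routes
    "propagations": {
        "tgw-rtb-prod":   ["tgw-attach-shared"],
        "tgw-rtb-dev":    ["tgw-attach-shared"],
        "tgw-rtb-shared": ["tgw-attach-prod", "tgw-attach-dev"],
    },
    # route table -> [(cidr, next-hop attachment)]
    "static_routes": {
        "tgw-rtb-prod": [("10.0.0.0/8", "tgw-attach-vpn")],
    },
}


def effective_routes(model, rtb_id):
    """All routes in a route table: propagated attachment CIDRs plus static entries."""
    routes = []
    for att in model["propagations"].get(rtb_id, []):
        for cidr in model["attachments"][att]["cidrs"]:
            routes.append((ipaddress.ip_network(cidr), att, "propagated"))
    for cidr, att in model["static_routes"].get(rtb_id, []):
        routes.append((ipaddress.ip_network(cidr), att, "static"))
    return routes


def lookup(model, src_att, dst_cidr):
    """Longest-prefix match for dst_cidr in the table associated with src_att.

    Returns (matched network, next-hop attachment, kind), or None when no route
    covers the destination (the TGW then drops the packet). On an equal-length
    prefix a static route wins over a propagated one, as in the TGW itself.
    """
    dst = ipaddress.ip_network(dst_cidr)
    best = None
    for net, att, kind in effective_routes(model, model["associations"][src_att]):
        if not dst.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen or (
            net.prefixlen == best[0].prefixlen and kind == "static"
        ):
            best = (net, att, kind)
    return best


def segmentation_report(model, forbidden_pairs):
    """Classify how traffic from src would reach each CIDR of dst, for pairs that must not talk.

    "blackholed": no route, segmentation holds.
    "direct":     the source's table hands traffic straight to the forbidden attachment.
    "via:<att>":  a broader route sends it to another attachment (here the /8 summary to
                  on-prem); segmentation now depends on that hop not routing it back.
    """
    report = []
    for src, dst in forbidden_pairs:
        for cidr in model["attachments"][dst]["cidrs"]:
            hit = lookup(model, src, cidr)
            if hit is None:
                status = "blackholed"
            elif hit[1] == dst:
                status = "direct"
            else:
                status = f"via:{hit[1]}"
            report.append({"src": src, "dst": dst, "cidr": cidr, "status": status,
                           "matched": str(hit[0]) if hit else None})
    return report


FORBIDDEN = [("tgw-attach-prod", "tgw-attach-dev"), ("tgw-attach-dev", "tgw-attach-prod")]

if __name__ == "__main__":
    for row in segmentation_report(MODEL, FORBIDDEN):
        print(f"{row['src']} -> {row['dst']} ({row['cidr']}): {row['status']}, matched {row['matched']}")
```

Run as-is, the report lists production to development as via:tgw-attach-vpn and development to production as blackholed. The first is the subtle case: the TGW does not deliver the traffic to development, but it does not drop it either, and whether it leaks now depends on on-premises routing. Propagating specific on-prem prefixes over BGP instead of the /8 summary, or adding a blackhole route (aws_ec2_transit_gateway_route with blackhole = true) for the development CIDR in the production table, turns that row into blackholed.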

SD-WAN Integration

# CloudFormation - SD-WAN appliance in AWS
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SDWANAmiId:
    Type: AWS::EC2::Image::Id
  ManagementSubnet:
    Type: AWS::EC2::Subnet::Id
  TransportSubnet:
    Type: AWS::EC2::Subnet::Id
  SDWANManagementSecurityGroup:   # management plane: controller/orchestrator sources only
    Type: AWS::EC2::SecurityGroup::Id
  SDWANTransportSecurityGroup:    # data plane: IPsec/overlay ports from peer endpoints only
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  # Transport ENI: the appliance forwards packets not addressed to itself, so
  # the EC2 source/destination check must be off on this interface
  TransportInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref TransportSubnet
      GroupSet: [!Ref SDWANTransportSecurityGroup]
      SourceDestCheck: false
  SDWANInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref SDWANAmiId
      InstanceType: c5.xlarge
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref ManagementSubnet
          GroupSet: [!Ref SDWANManagementSecurityGroup]
        - DeviceIndex: 1
          NetworkInterfaceId: !Ref TransportInterface
      UserData:
        Fn::Base64: |
          #!/bin/bash
          # SD-WAN bootstrap configuration (vendor script shipped on the AMI)
          /opt/sdwan/bootstrap.sh

Conclusion

Hybrid cloud networking requires careful planning of connectivity, routing and security: which links carry encrypted traffic, which prefixes are exchanged over BGP, and which route tables keep environments apart. Transit Gateway provides a scalable hub for multi-VPC and on-premises connectivity, with association and propagation rules doing the segmentation, while SD-WAN adds policy-based traffic management across distributed locations.