Amazon GovCloud (US) Integration

Table 1. Feature History

Feature Name: Support for AWS GovCloud (US) with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1

Description: With the integration of Amazon Web Services (AWS) GovCloud (US) with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud, you can host your highly sensitive workloads in an isolated cloud that meets the Federal Risk and Authorization Management Program (FedRAMP) requirements of the U.S. government and its customers.

The same features that are available with the AWS integration with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud are also available with AWS GovCloud (US). Cloud OnRamp for Multicloud uses the AWS Transit Gateway to connect your branch devices to AWS GovCloud (US).

Information About AWS GovCloud (US) Integration

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1

Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud extends support for AWS GovCloud (US), allowing you to store and manage your highly sensitive workloads in AWS GovCloud (US).

The following are examples of highly sensitive workloads that you can store in AWS GovCloud (US):

  • Controlled Unclassified Information (CUI)

  • Personally Identifiable Information (PII)

  • Sensitive patient medical records

  • Financial data

  • Law enforcement data

  • Export-controlled data

The same features and workflow that are available for the AWS integration are also available with the AWS GovCloud (US) integration, with the exception of Transit Gateway Network Manager (TGNM) support.

Note

TGNM is supported for AWS but is not supported for AWS GovCloud (US).

A transit gateway is a network transit hub that interconnects your Virtual Private Clouds (VPCs) and on-premises networks. You can attach a VPC or a VPN connection to a transit gateway, and the transit gateway then acts as a virtual router for traffic flowing between those VPC and VPN attachments.

Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud uses the AWS Transit Gateway to connect your branch devices to the AWS GovCloud (US). A configuration wizard in Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud automates the bring-up of the transit gateway to your AWS GovCloud (US) account and automates the connections between AWS GovCloud (US) applications and branch users in the overlay network.

For more information on the AWS GovCloud, see the AWS GovCloud (US) documentation.

Configure Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud with AWS GovCloud (US) using Cisco SD-WAN Manager.

Benefits of AWS GovCloud (US) Integration

  • Allows you to move and store sensitive data workloads in AWS GovCloud (US), an isolated cloud that meets the FedRAMP requirements of the U.S. government and its customers

  • Supports the same features and workflow as for the AWS integration

  • Supports advanced routing and path selection using a secure Cisco Catalyst SD-WAN tunnel from a data center to the cloud

  • Supports telemetry data exchange between a data center and AWS GovCloud (US)

Supported Devices for AWS GovCloud (US)

Supported Platforms

For more information on the supported platforms for AWS GovCloud (US), see Overview of AWS Integration.

Supported Instances for AWS GovCloud (US)

  • c5.large

  • c5.xlarge

  • c5.2xlarge

  • c5.9xlarge

  • c5n.large

  • c5n.xlarge

  • c5n.2xlarge

  • c5n.4xlarge

  • c5n.9xlarge

  • c5n.18xlarge

  • t3.medium


Note

The instance sizes available in AWS GovCloud (US) are the same as in AWS.


Prerequisites for AWS GovCloud (US) Integration

  • You must have an AWS GovCloud (US) account.

    Note

    An AWS GovCloud (US) account is different from a standard AWS account. AWS GovCloud (US) is a separate AWS partition (aws-us-gov) with its own accounts and IAM credentials; credentials from a standard AWS account do not work in AWS GovCloud (US).

  • You must have a subscription to the AWS GovCloud (US) marketplace.

  • You must have two unused Cisco SD-WAN Manager cloud router licenses available when you create the new account.

Restrictions for AWS GovCloud (US) Integration

  • No support for the TGNM for AWS GovCloud (US).

Use Case for AWS GovCloud (US) Integration

Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud with AWS GovCloud (US) allows you to move and store your compliance workloads in an isolated cloud that meets the FedRAMP requirements of the U.S. government and its customers.

The following are examples of sensitive data that you can store in AWS GovCloud (US):

  • Controlled Unclassified Information (CUI)

  • Personally Identifiable Information (PII)

  • Sensitive patient medical records

  • Financial data

  • Law enforcement data

  • Export-controlled data

Configure AWS GovCloud (US)

The workflow for configuring AWS GovCloud (US) is the same as the workflow for configuring Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud with AWS.

  1. Create an AWS GovCloud (US) cloud account.

    For more information on creating an AWS GovCloud (US) account, see Create AWS Cloud Account.

  2. Configure global settings for the cloud transit gateway.

    For more information on configuring global settings for the cloud transit gateway, see Configure Cloud Global Settings.

  3. Discover host Virtual Private Clouds (VPCs) in all the accounts across the AWS GovCloud (US) regions.

    For more information on discovering host VPCs in AWS, see Discover Host Private Networks.

  4. Create a cloud gateway.

    For more information on creating a cloud gateway, see Create Cloud Gateway.

  5. Attach sites to a cloud gateway.

    For more information on attaching sites to a cloud gateway, see Configure Site Attachment.

  6. Enable connectivity between Cisco Catalyst SD-WAN VPNs and VPCs.

    For more information on enabling connectivity between Cisco Catalyst SD-WAN VPNs and VPCs, see Intent Management - Connectivity.

  7. Enable peer connections between the transit gateways in different AWS GovCloud (US) regions.

    For more information on enabling peer connections between transit gateways in different AWS GovCloud (US) regions, see Transit Gateway Peering.

  8. Conduct an audit to identify gaps or disconnects between the Cisco SD-WAN Manager intent and what has been realized in the cloud.

    For more information on conducting an audit management review, see Audit Management.
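Two checks a practitioner would script around this workflow, as an added example that is not Cisco or AWS code: a pre-flight check that the credentials handed to the wizard really belong to the AWS GovCloud (US) partition (the prerequisite note above, since a GovCloud account is separate from a standard AWS account), and an audit in the spirit of step 8 that compares the intended host-VPC attachments with the transit gateway attachments that actually exist in each GovCloud region. All inputs are constructed samples shaped like `aws sts get-caller-identity` and `aws ec2 describe-transit-gateway-vpc-attachments` output; the `INTENDED_VPCS` structure is an assumption for illustration, not the Cisco SD-WAN Manager intent format, and all account, VPC and attachment IDs are made up.

```python
"""Added example (not Cisco or AWS code): GovCloud partition pre-flight check
and an intent-versus-realized audit of transit gateway VPC attachments.
Inputs are constructed samples; the intent structure is assumed."""
import json

GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
# Attachment states that count as "not present" for audit purposes.
GONE_STATES = {"deleted", "deleting", "failed"}

# Constructed sample of `aws sts get-caller-identity` for a GovCloud account.
CALLER_IDENTITY_GOV = json.dumps({
    "UserId": "AIDAEXAMPLEGOVUSER01",
    "Account": "123456789012",
    "Arn": "arn:aws-us-gov:iam::123456789012:user/onramp-automation",
})
# Same shape for a standard (commercial) AWS account: must be rejected.
CALLER_IDENTITY_COMMERCIAL = json.dumps({
    "UserId": "AIDAEXAMPLECOMUSER01",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/onramp-automation",
})


def arn_partition(arn: str) -> str:
    """Partition field of arn:<partition>:<service>:<region>:<account>:<resource>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1]


def is_govcloud_identity(caller_identity_json: str) -> bool:
    """True only when the caller's ARN is in the aws-us-gov partition.
    Fail closed: 'aws', 'aws-cn' or anything else means the workloads
    would land outside AWS GovCloud (US)."""
    identity = json.loads(caller_identity_json)
    return arn_partition(identity["Arn"]) == GOVCLOUD_PARTITION


# Constructed intent (assumed structure): host VPCs that should be attached
# to the transit gateway in each GovCloud region.
INTENDED_VPCS = {
    "us-gov-west-1": {"vpc-0a1b2c3d4e5f60001", "vpc-0a1b2c3d4e5f60002"},
    "us-gov-east-1": {"vpc-0a1b2c3d4e5f60003"},
}

# Constructed `describe-transit-gateway-vpc-attachments` output per region.
# West: one healthy attachment, one still pending, one never intended.
# East: the intended VPC has no attachment at all.
REALIZED_ATTACHMENTS = {
    "us-gov-west-1": json.dumps({"TransitGatewayVpcAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
         "TransitGatewayId": "tgw-0123456789abcdef0",
         "VpcId": "vpc-0a1b2c3d4e5f60001", "State": "available"},
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef1",
         "TransitGatewayId": "tgw-0123456789abcdef0",
         "VpcId": "vpc-0a1b2c3d4e5f60002", "State": "pending"},
        {"TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef2",
         "TransitGatewayId": "tgw-0123456789abcdef0",
         "VpcId": "vpc-0a1b2c3d4e5f69999", "State": "available"},
    ]}),
    "us-gov-east-1": json.dumps({"TransitGatewayVpcAttachments": []}),
}


def audit_attachments(intended: dict, realized: dict) -> dict:
    """Per region, list VPCs that are 'missing' (intended, no live attachment),
    'not_available' (attached but not yet in state 'available') and
    'unexpected' (attached although intent never asked for them)."""
    report = {}
    for region, wanted in intended.items():
        if region not in GOVCLOUD_REGIONS:
            raise ValueError(f"{region} is not an AWS GovCloud (US) region")
        raw = realized.get(region, '{"TransitGatewayVpcAttachments": []}')
        live = {a["VpcId"]: a
                for a in json.loads(raw)["TransitGatewayVpcAttachments"]
                if a["State"] not in GONE_STATES}
        report[region] = {
            "missing": sorted(wanted - live.keys()),
            "not_available": sorted(v for v in wanted & live.keys()
                                    if live[v]["State"] != "available"),
            "unexpected": sorted(live.keys() - wanted),
        }
    return report


def has_gaps(report: dict) -> bool:
    """True if any region has any gap, i.e. intent is not fully realized."""
    return any(gap for region in report.values() for gap in region.values())


if __name__ == "__main__":
    print("GovCloud credentials:", is_govcloud_identity(CALLER_IDENTITY_GOV))
    print("Commercial credentials:", is_govcloud_identity(CALLER_IDENTITY_COMMERCIAL))
    result = audit_attachments(INTENDED_VPCS, REALIZED_ATTACHMENTS)
    print(json.dumps(result, indent=2))
    print("Gaps found:", has_gaps(result))
```

Against real accounts, replace the constructed JSON with the output of `aws sts get-caller-identity` and `aws ec2 describe-transit-gateway-vpc-attachments --region us-gov-west-1` (and the same for us-gov-east-1). Attachments in `deleted`, `deleting` or `failed` state still appear in that output for a while, which is why the audit treats them as absent rather than as realized intent; a region outside the GovCloud set is rejected outright so that an intent file copied from a commercial deployment cannot pass the audit.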