# Extend CloudGenix SD-WAN to AWS Seamlessly

By [Mike Korenbaum](https://www.paloaltonetworks.com/blog/author/mike-korenbaum/?ts=markdown "Posts by Mike Korenbaum"), Dec 10, 2020

We've just announced the general availability of the [CloudGenix SD-WAN integration with the new AWS Transit Gateway Connect](https://www.paloaltonetworks.com/blog/sase/sd-wan-aws-transit-gateway-connect/). This integration provides a simple and automated way to extend your CloudGenix SD-WAN fabric to AWS through the CloudGenix CloudBlades platform.

Prior to this announcement, CloudGenix customers had different ways to extend their SD-WAN fabric to AWS. CloudGenix customers could deploy virtual CloudGenix IONs through our AWS CloudFormation template-based [marketplace listing](https://aws.amazon.com/marketplace/pp/B07C8J9XL1?qid=1605915589308&sr=0-1&ref_=srh_res_product_title). The marketplace listing provides two options to deploy IONs: greenfield, where the ION deploys in a new virtual private cloud (VPC), or brownfield, where the ION is deployed in an existing VPC. Customers would typically use the greenfield deployment model, creating a transit VPC where they set up VPC peering and static routes to facilitate the communication between the apps hosted in the peered VPCs and the clients on-premises. This method is usually applicable to small cloud deployments involving only a few applications.

![Extending CloudGenix SD-WAN fabric to AWS using VPC peering with static routes](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/parent_blog_fig1-cloudgenix-sdwan-aws_120420.png)

For larger cloud deployments including many VPCs, customers would typically deploy an AWS Transit Gateway per region and have all of the VPCs within the region connect to that transit gateway. There are several ways to connect on-premises networks with these central hubs.

![AWS Transit Gateway connects VPCs and on-premises networks through a central hub](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/image-6.png)

One option would be to build third-party traditional IPsec tunnels directly from all of the CloudGenix remote sites to the transit gateway. This requires manually configuring the VPN attachments on the AWS Transit Gateway for each site and circuit, as well as the reciprocal configuration on the CloudGenix devices. This model is possible but comes with the additional administrative overhead of IPsec and BGP configuration and management.

Another option involves deploying a pair of vIONs in a transit VPC that is assigned to a DC site on the CloudGenix Controller. The IPsec tunnels are established between these IONs and the AWS Transit Gateway with a BGP "core" peering relationship. The branch sites only need to establish zero-touch secure fabric links (CloudGenix VPN) to the DC for the traffic to flow back and forth between the branch and the applications in the VPC attached to the particular Transit Gateway. In this model, customers don't need to manually set up IPsec tunnels from all the branch site vIONs to the Transit Gateway. However, there is still an additional overhead of having to deploy the vIONs, and manually configure the IPsec tunnels and VPN attachments on the Transit Gateway. Furthermore, as the number of remote sites grows, the maximum number of allowed routes at the Transit Gateway can be easily reached, becoming a bottleneck when expanding the number of remote sites. As such, this model could become highly restrictive for customers with many remote sites and prefixes that are not easily summarized.

A third option, and the most common, is to use AWS Direct Connect from the on-premises DC sites to the AWS Transit Gateway. This allows customers to use tried and true routing constructs they're used to. Unfortunately, this model defeats the purpose of implementing SD-WAN technology to leverage commodity internet circuits to access business-critical applications in the cloud. Furthermore, traffic backhauled through the DC negatively impacts performance and could potentially prevent the adoption of new business-critical applications to support business growth.

While these are possible options for connecting remote sites to AWS, they all come with a trade-off of operational complexity, additional administrative overhead, and scalability challenges.

## **AWS Transit Gateway CloudBlade: Gamechanger**

We have taken advantage of the flexibility of the CloudGenix CloudBlades platform and AWS's robust API support for Transit Gateway Connect to develop a new CloudBlade, the AWS Transit Gateway Connect CloudBlade. Thanks to this newly developed CloudBlade, network administrators don't need to worry about IPsec parameters, PSK management, BGP configuration, routing scale, VPN attachments, or vION deployments. All they have to do is express their intent in the CloudBlade configuration screen regarding where to extend the connectivity to, and optionally adjust the characteristics of the policies attached to the CloudGenix branch sites. For example, "I want to extend my SD-WAN fabric to these AWS Transit Gateways deployed in these X regions" or "Users attempting to access each of the applications/prefixes hosted in AWS should have this X path, Y QoS, and Z security policy applied."

![CloudGenix SD-WAN integrated into AWS Transit Gateway Connect with CloudBlade](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/image-7.png)

## **A Native Integration that Automates Connectivity and Simplifies Operations**

The new AWS Transit Gateway Connect attachment provides native integration with CloudGenix vIONs to simplify configuration and improve the overall scalability of the solution. GRE tunnels are now supported between the Transit Gateway and the IONs, which enables greater performance beyond the 1.25 Gbps originally supported with the IPsec tunnels. In addition, scalability is improved by increasing the number of routes allowed. Altogether, the route management is simplified, and the routing scale across the hybrid environments is further improved.

![Native integration between CloudGenix SD-WAN and the AWS Transit Gateway Connect to automate connectivity to the Amazon VPCs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/parent_blog_fig2-cloudgenix-sdwan-aws_120420.png)

## **How Does It All Happen?**

An administrator configures the CloudBlade parameters on the CloudGenix UI, such as AWS API Key, AWS Subscription ID, and the Transit Gateway regions to attach to. The CloudBlade automatically performs the following actions:

* Deploys a Connect VPC to the region(s) of the transit gateway(s) specified
* Deploys a pair of vIONs within the VPC(s) in separate availability zones
* Claims and assigns each vION to a DC site per region
* Configures the Transit Gateway Connect attachment to each vION
* Configures GRE tunnels and BGP parameters on both CloudGenix and Transit Gateway
* Activates the DC site

Once the DC site(s) are activated and in control mode, all branch sites automatically build secure fabric links to the DC site(s). Afterward, the administrator can adjust the application policy as needed.

## **Branch-to-Cloud Access Just Made Simple**

As organizations embark on their cloud journey, they come to the realization that they require a complete transformation of their WAN infrastructures. Legacy SD-WAN solutions just do not cut it. They need a next-generation SD-WAN solution like the one provided by CloudGenix SD-WAN, which is purpose-built, based on SDN principles with robust API support, and which allows them to operate and innovate at cloud scale and pace.

The integration of CloudGenix SD-WAN and the AWS Transit Gateway Connect enables organizations to connect branches and users with applications at AWS in a much more automated, efficient, and simpler way that ultimately translates to greater productivity and reduced costs.

To learn more about the benefits of the CloudGenix SD-WAN and AWS Transit Gateway Connect integration, check out our [solution brief](https://www.paloaltonetworks.com/resources/datasheets/connectivity-aws-cloudgenix).