Replacing MPLS With AWS Transit Gateway: What It Actually Costs and Where It Breaks
SD-WAN hybrid cloud with Transit Gateway, VPN, Direct Connect, and multi-cloud routing. The architecture, the cost model, and the failure modes your vendor won't tell you about.
A Production-Ready Reference Architecture for Multi-Cloud, Multi-Region WAN Modernization
Modern enterprises are no longer confined to a single data center or cloud provider. Applications run in AWS, backups live in Azure, analytics workloads run in GCP, and branch offices need secure, low-latency connectivity from around the world.
This architectural shift introduces one major challenge:
How do you build a unified, secure, highly available WAN across clouds, regions, and on-premises?
This is exactly where Software-Defined WAN (SD-WAN), combined with AWS Transit Gateway and Cloud WAN, delivers a powerful solution.
In this blog, we walk through a production-ready reference architecture created by InfraTales, a blueprint for building scalable, intelligent, multi-cloud WAN connectivity using Transit Gateway, VPN, Direct Connect, and pulumi automation.
Overview: What This Architecture Solves
Enterprises typically face these networking challenges:
- Multiple VPCs across AWS regions
- On-prem data centers needing hybrid connectivity
- Workloads spread across AWS, Azure & GCP
- Remote sites & branch offices requiring secure access
- Need for dynamic routing & automatic failover
The InfraTales SD-WAN architecture delivers:
- Highly available global connectivity
- Automated dynamic route propagation
- Intelligent path selection (VPN, DX, ExpressRoute, Interconnect)
- Application-aware optimization
- End-to-end encryption & deep security controls
- Multi-cloud integration using a modular model
- Full infrastructure automation with Pulumi
High-Level Architecture
Below is the core SD-WAN + AWS Transit Gateway architecture visualized using Mermaid.
SD-WAN Hybrid Multi-Cloud Architecture
This diagram illustrates the full SD-WAN hybrid cloud design integrating AWS Transit Gateway, on-prem routers, branch networks, and multi-cloud providers. It shows secure connectivity using VPN, Direct Connect, and dynamic routing. Ideal for understanding the overall network topology.
Data Flow and Routing Logic
Below is how traffic moves dynamically between on-prem, AWS, and multi-cloud environments:
This diagram illustrates how application traffic moves through the SD-WAN environment, from branch sites to the SD-WAN controller and into AWS or other clouds. It highlights intelligent path selection based on latency, jitter, and link performance. The sequence also shows how failover decisions are made dynamically using metrics and BGP routing updates. It provides a clear view of how SD-WAN optimizes end-to-end traffic flow across hybrid and multi-cloud networks.
Core Components
1. AWS Transit Gateway (TGW)
Acts as a central routing hub, simplifying what used to require dozens of VPC-to-VPC peering links.
Why TGW?
- Multi-VPC routing
- Multi-region support
- Connect AWS ↔ On-Prem ↔ Azure ↔ GCP
- BGP dynamic route propagation
2. SD-WAN Edge Devices
Examples:
- Cisco SD-WAN (Viptela)
- Palo Alto Prisma SD-WAN
- Fortinet Secure SD-WAN
- VMware Velocloud
Their role:
- Optimize traffic based on metrics
- Provide dynamic fallback between VPN/Direct Connect
- Offer WAN acceleration & error correction
3. Hybrid Connectivity: VPN + Direct Connect
Most enterprises use both:
Direct Connect
✔ Low-latency private circuit
✔ Suitable for heavy workloads
Site-to-Site VPN
✔ Quick to deploy
✔ Acts as failover link
Multi-Cloud Integration
The architecture integrates with:
Azure
- ExpressRoute
- VPN Gateway
GCP
- Cloud Interconnect
- Cloud VPN
All clouds connect via Transit Gateway or Cloud WAN with unified routing.
Security Architecture
A quick view of the security stack:
- AES-256 IPsec encryption across VPN
- MACsec for Direct Connect links
- IAM least privilege access
- Isolation via VPC, NACL, SG
- Route 53 Resolver for DNS security
- IDS/IPS, URL filtering, DPI using SD-WAN appliances
- CloudTrail + GuardDuty monitoring
Cost Breakdown (Production Environment)
| Component | Cost (₹/month) |
|---|---|
| Transit Gateway | ₹40,000–70,000 |
| Direct Connect | ₹80,000–150,000 |
| Site-to-Site VPN | ₹15,000–30,000 |
| Cloud WAN | ₹50,000–100,000 |
| Total | ₹200,000–370,000 ($2,500–4,625) |
Costs vary based on data transfer, region, DX port speed, and number of VPC attachments.
Monitoring & Observability
Included monitoring stack:
- CloudWatch metrics & dashboards
- Transit Gateway Flow Logs
- X-Ray service tracing
- Multi-cloud performance telemetry
- SNS notifications for failover events
Project Implementation (Pulumi)
The project provides:
✔ Pulumi configuration
✔ Docs: cost, security, troubleshooting
✔ Mermaid diagrams
✔ Enterprise-ready folder layout
Code implementation (TGW, VPN, DX, Cloud WAN) is intentionally left minimal so teams can customize it.
Use Cases
Multi-Cloud Workloads
AWS ↔ Azure ↔ GCP communication for distributed applications.
Hybrid Production Environments
On-prem data center + AWS cloud applications.
Disaster Recovery
Auto-failover between DX and VPN.
Branch Connectivity
Retail, banks, manufacturing plants, and remote workforce.
What’s Next?
To make the template fully production-ready, implement:
- Transit Gateway deployment
- Route tables, attachments, propagation
- VPN & Direct Connect configuration
- Security groups, NACLs
- Multi-region & multi-account support
- Cloud WAN global network orchestration
- Observability integrations
Final Thoughts
This architecture represents a modern, cloud-native approach to global enterprise networking. SD-WAN, when combined with AWS Transit Gateway and Cloud WAN, creates an intelligent and scalable fabric connecting users, applications, and clouds seamlessly.
The InfraTales SD-WAN Hybrid Connectivity project serves as an excellent foundation for building:
✔ Enterprise-grade hybrid clouds
✔ Multi-cloud interconnects
✔ Highly available global networks
✔ Secure and optimized WAN topologies
If you're designing next-generation cloud networking, this blueprint is your starting point.
🔗 Transit Gateway - https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
🔗 Cloud WAN - https://docs.aws.amazon.com/cloudwan/latest/APIReference/Welcome.html
🔗 AWS VPC - https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
Hybrid Connectivity
🔗 Site-to-Site VPN - https://docs.aws.amazon.com/vpn/latest/s2svpn/what-is-ipsec-vpn.html
🔗 Direct Connect - https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
🔗 VPN-DX Design Guide - https://docs.aws.amazon.com/whitepapers/latest/aws-vpn-bgp-design/overview.html
Multi-Cloud
🔗 Azure VPN - https://learn.microsoft.com/en-us/azure/vpn-gateway/
🔗 GCP Interconnect - https://cloud.google.com/network-connectivity/docs/interconnect
🔗 GCP Cloud VPN - https://cloud.google.com/network-connectivity/docs/vpn
Security & Monitoring
🔗 AWS SRA - https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html
🔗 AWS Encryption (KMS) - https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
🔗 CloudWatch - https://docs.aws.amazon.com/cloudwatch/
🔗 TGW Flow Logs - https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html
👉 GitHub Repository:
https://github.com/InfraTales/sd-wan-hybrid-connectivity
GitHub - InfraTales/sd-wan-hybrid-connectivity
Contribute to InfraTales/sd-wan-hybrid-connectivity development by creating an account on GitHub.
InfraTales
