AWS Network Modernization with Cato SD-WAN Integration

PTP designed and implemented a secure AWS network modernization architecture for an enterprise customer with multi-account and multi-region cloud networking needs. The solution used AWS Transit Gateway, cross-region Transit Gateway peering, Cato Socket NVA deployment, Cato SD-WAN integration, hub-and-spoke routing, centralized egress security, branch connectivity, Azure connectivity, and route table segmentation to simplify operations, improve security, and support scalable cloud growth.


Executive Summary

This case study describes an AWS network architecture designed and deployed for an enterprise customer undergoing cloud network modernization. The engagement covered multi-account, multi-region network design spanning Shared Services, Production, and Sandbox AWS accounts across us-east-1 and us-west-2. The solution integrates Cato Networks SD-WAN to deliver secure, centralized connectivity to on-premises branch offices and an Azure environment — all managed through a single unified fabric.

The architecture was purpose-built to eliminate fragmented connectivity, consolidate internet egress through a single security edge, and provide a scalable foundation for the customer's ongoing cloud growth.

The AWS Network Modernization Challenge

The customer needed to modernize a fragmented multi-account, multi-region AWS network spanning Shared Services, Production, and Sandbox environments across us-east-1 and us-west-2. The existing architecture lacked centralized routing, consistent security inspection, scalable branch connectivity, and private cross-region communication.

  • Fragmented AWS connectivity: Production and Sandbox workloads across us-east-1 and us-west-2 did not have a centralized routing model, making cross-account and cross-region communication complex and inconsistent.
  • No unified egress security: Internet-bound traffic from spoke VPCs was not inspected through a centralized security edge, creating gaps in firewall, secure web gateway, and data loss prevention coverage.
  • Branch and Azure connectivity complexity: The customer relied on individual VPN tunnels for branch offices and Azure connectivity, which increased operational overhead and made the network harder to scale.
  • No reliable private cross-region routing: Workloads in us-east-1 and us-west-2 needed a private communication path that avoided routing traffic across the public internet.
  • Inconsistent security boundaries between environments: Production, Sandbox, and Shared Services VPCs needed route table segmentation to prevent direct spoke-to-spoke communication and enforce consistent network controls.
  • Limited operational visibility: The customer needed a unified way to manage network connectivity and security policy across AWS, branch offices, and Azure through a single operational fabric.

The Solution: AWS Transit Gateway and Cato SD-WAN Integration

PTP designed and implemented a secure AWS network modernization architecture using a hub-and-spoke model across multiple AWS accounts and regions. The solution combined AWS Transit Gateway, cross-region Transit Gateway peering, Cato Socket NVA deployment, Cato SD-WAN integration, and centralized routing controls to simplify connectivity, strengthen security, and support scalable cloud growth.

Multi-Account AWS Network Architecture

The architecture organized the customer’s AWS environment across Shared Services, Production, and Sandbox accounts in us-east-1 and us-west-2. Each VPC connected to a regional AWS Transit Gateway as a spoke, while the Shared Services account hosted the network hub, Transit Gateways, and Cato Socket NVA infrastructure.

Core Architecture Elements

  • Shared Services account hosting the network hub, Transit Gateways, and Cato Socket NVA deployment.
  • Production and Sandbox AWS accounts connected through regional Transit Gateway spokes.
  • Multi-region AWS network design spanning us-east-1 and us-west-2.
  • Hub-and-spoke routing model to centralize traffic flow and simplify network operations.
  • Transit Gateway route table segmentation to prevent unintended spoke-to-spoke communication.

Cato Socket NVA and Centralized Security Edge

PTP deployed the Cato Socket NVA in the Shared Services VPC to act as the centralized security and SD-WAN edge for AWS workloads. The three-interface design separated management, WAN, and LAN traffic to support secure control plane access, Cato Cloud tunnel termination, and spoke VPC routing through Transit Gateway.

  • Management ENI: Supported out-of-band control plane access for Cato Socket NVA management.
  • WAN ENI: Used an Elastic IP for Cato Cloud tunnel termination through DTLS and IPsec connectivity.
  • LAN ENI: Connected to AWS Transit Gateway to route spoke VPC traffic through the centralized security edge.
  • Centralized egress inspection: Internet-bound traffic from AWS workloads was routed through Cato Cloud for NGFW, Secure Web Gateway, and Data Loss Prevention enforcement.

Private Cross-Region and Multi-Cloud Connectivity

Two AWS Transit Gateways were deployed in the Shared Services account, one in each region. Transit Gateway peering connected us-east-1 and us-west-2 over the AWS private backbone, enabling private cross-region traffic without public internet traversal. Branch offices and the Azure environment connected through the Cato Cloud backbone, eliminating the need for direct VPN tunnels to AWS.

Connectivity and Routing Controls

  • Transit Gateway peering: Enabled private cross-region communication between us-east-1 and us-west-2.
  • Static routing: Static routes over the peering attachment kept cross-region reachability under explicit control and traffic paths predictable.
  • Cato SD-WAN integration: Connected branch offices and Azure through Cato Cloud instead of separate site-to-site VPN tunnels.
  • Route table segmentation: Enforced network boundaries between Production, Sandbox, and Shared Services environments.
  • Unified fabric: Centralized cloud, branch, and Azure connectivity through a single operational model.
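The route table segmentation described under Core Architecture Elements and Connectivity and Routing Controls only holds if the spoke route tables actually contain nothing but a default route to the security edge and static routes over the peering attachment. The following audit is an added example, not PTP's or AWS's code: it checks exported Transit Gateway routes against those rules, using constructed sample data whose attachment ids and CIDRs are placeholders and whose entry shape follows `aws ec2 search-transit-gateway-routes` output reduced to the keys used.

```python
"""Audit Transit Gateway spoke route tables for hub-and-spoke segmentation.
Constructed example, not PTP's or AWS's code; route entries follow the shape of
`aws ec2 search-transit-gateway-routes` output, reduced to the keys used here."""

EDGE_ATTACHMENT = "tgw-attach-0sharedsvc"     # placeholder: Shared Services VPC (Cato Socket LAN ENI)
PEERING_ATTACHMENT = "tgw-attach-0peer-usw2"  # placeholder: cross-region peering attachment
SPOKE_ATTACHMENTS = {"tgw-attach-0prod", "tgw-attach-0sandbox"}  # placeholder spoke VPC attachments

def route(cidr, attachment, resource_type="vpc", route_type="static"):
    """Build one route entry in the simplified CLI output shape."""
    return {"DestinationCidrBlock": cidr, "Type": route_type, "State": "active",
            "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": attachment,
                                           "ResourceType": resource_type}]}

def audit_spoke_table(own_attachment, routes):
    """Return findings for one spoke route table; an empty list means compliant."""
    # A spoke may only reach the security edge (hub), the other region via peering,
    # or itself; its default route must exist and go only to the security edge.
    allowed = {EDGE_ATTACHMENT, PEERING_ATTACHMENT, own_attachment}
    findings, default_targets = [], set()
    for r in routes:
        if r["State"] != "active":
            continue
        cidr = r["DestinationCidrBlock"]
        for att in r["TransitGatewayAttachments"]:
            target = att["TransitGatewayAttachmentId"]
            if cidr == "0.0.0.0/0":
                default_targets.add(target)
            if target in SPOKE_ATTACHMENTS and target != own_attachment:
                findings.append(f"spoke-to-spoke leak: {cidr} -> {target} ({r['Type']})")
            elif target not in allowed:
                findings.append(f"unexpected target: {cidr} -> {target}")
    if default_targets != {EDGE_ATTACHMENT}:
        findings.append(f"default route targets {sorted(default_targets)}, expected {EDGE_ATTACHMENT}")
    return findings

# Constructed sample: Production table is compliant; Sandbox carries a propagated route to Prod (leak).
SAMPLE_TABLES = {
    "tgw-rtb-prod": ("tgw-attach-0prod", [
        route("0.0.0.0/0", EDGE_ATTACHMENT),
        route("10.20.0.0/16", PEERING_ATTACHMENT, resource_type="peering")]),
    "tgw-rtb-sandbox": ("tgw-attach-0sandbox", [
        route("0.0.0.0/0", EDGE_ATTACHMENT),
        route("10.10.0.0/16", "tgw-attach-0prod", route_type="propagated")]),
}

def audit_all(tables=SAMPLE_TABLES):
    """Audit every spoke table; returns {route_table_id: [findings]}."""
    return {rtb: audit_spoke_table(own, rts) for rtb, (own, rts) in tables.items()}
```

Feeding real `search-transit-gateway-routes` output per spoke route table into `audit_spoke_table` turns the segmentation claim into a repeatable check, and a non-empty result flags a table where a propagated spoke route or a missing default route would bypass the centralized edge.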

AWS Network Modernization Outcomes

The AWS network modernization engagement helped the customer replace fragmented connectivity with a secure, scalable, and centrally managed cloud network architecture. By combining AWS Transit Gateway with Cato SD-WAN, PTP improved routing consistency, egress security, branch connectivity, Azure connectivity, and private cross-region communication.

  • Centralized security enforcement: Internet egress from AWS workloads was routed through Cato Cloud to support Next-Generation Firewall, Secure Web Gateway, and Data Loss Prevention policy enforcement from a single control plane.
  • Simplified branch and Azure connectivity: Branch offices and the Azure environment connected through the Cato Cloud backbone, removing the need for direct VPN tunnels to AWS.
  • Private cross-region traffic: Workloads in us-east-1 and us-west-2 communicated over the AWS private backbone through Transit Gateway peering instead of the public internet.
  • Improved spoke isolation: Transit Gateway route table segmentation helped prevent direct communication between Production and Sandbox VPCs, strengthening network boundaries.
  • Unified operational visibility: Network connectivity and security policies were managed through the Cato Management Application, giving the customer a single operational view across AWS, branch locations, and Azure.
  • Scalable cloud network foundation: The new architecture made it easier to add future spoke VPCs, branch offices, and cloud regions with minimal changes to the core design.

AWS Network Modernization Summary

This AWS network modernization engagement delivered a secure, scalable, and operationally efficient foundation for the customer’s multi-cloud environment. By combining AWS Transit Gateway hub-and-spoke routing with Cato SD-WAN integration, PTP helped centralize egress security, simplify branch and Azure connectivity, and enable private cross-region communication without complex per-site VPN configurations.

The architecture was designed to scale with the customer’s cloud growth. New spoke VPCs, branch offices, and cloud regions can be added with minimal changes to the core design, while network and security policy remain centrally managed through Cato Cloud.

About the Author: Tejas V – AWS & Linux Team - AWS Certified Solutions Architect Professional, PTP


Modernize Your AWS Network Architecture

PTP helps organizations design secure, scalable AWS networking with Transit Gateway, hub-and-spoke routing, SD-WAN integration, centralized egress security, and private cross-region connectivity.


FAQs About AWS Network Modernization with Cato SD-WAN

What is AWS network modernization?

AWS network modernization is the process of redesigning cloud networking to improve security, scalability, routing consistency, connectivity, and operational visibility. This can include AWS Transit Gateway, hub-and-spoke architecture, cross-region peering, centralized egress security, route table segmentation, SD-WAN integration, and private connectivity across AWS accounts, regions, branch offices, and other cloud environments.

How does AWS Transit Gateway support multi-account cloud networking?

AWS Transit Gateway supports multi-account cloud networking by acting as a central routing hub for VPCs across different AWS accounts and regions. In a hub-and-spoke architecture, Shared Services, Production, and Sandbox VPCs can connect to regional Transit Gateways, helping simplify routing, improve segmentation, and reduce the complexity of managing many individual network connections.

Why integrate Cato SD-WAN with AWS networking?

Cato SD-WAN integration can help unify AWS, branch office, and multi-cloud connectivity through a centralized network and security fabric. By routing traffic through Cato Cloud, organizations can simplify branch connectivity, reduce direct VPN tunnel management, centralize security inspection, and enforce policies such as Next-Generation Firewall, Secure Web Gateway, and Data Loss Prevention from one control plane.

What is centralized egress security in AWS?

Centralized egress security in AWS routes internet-bound traffic from spoke VPCs through a shared security edge instead of allowing each VPC to manage its own outbound access separately. This model helps enforce consistent firewall, secure web gateway, inspection, logging, and data loss prevention policies across AWS workloads in multiple accounts and regions.

How does Transit Gateway peering enable private cross-region connectivity?

Transit Gateway peering enables private cross-region connectivity by connecting AWS Transit Gateways across regions using the AWS private backbone. This allows workloads in regions such as us-east-1 and us-west-2 to communicate privately without traversing the public internet, improving routing control, security, and reliability for multi-region AWS environments.

How does PTP support AWS network modernization with Cato SD-WAN?

PTP supports AWS network modernization by designing and implementing secure multi-account, multi-region AWS network architectures using AWS Transit Gateway, hub-and-spoke routing, Transit Gateway peering, Cato Socket NVA deployment, SD-WAN integration, route table segmentation, centralized egress security, and private connectivity for branch offices and Azure environments.