Every cloud provider has its own hub-and-spoke networking service, and they are not interchangeable. If you're a network engineer moving into multi-cloud — or already juggling VPCs across AWS, Azure, and GCP — this is the comparison I wish I'd had when I started.
I'll map each cloud hub to concepts you already know (DMVPN, SD-WAN, VRF-lite), compare the routing models head-to-head, and show how Cisco SD-WAN Cloud OnRamp ties them together.
The Mental Model: Cloud Hubs ↔ Traditional Networking
| Traditional Networking | AWS | Azure | GCP |
|---|---|---|---|
| Hub router | Transit Gateway (TGW) | Virtual WAN Hub | Cloud Router |
| Spoke site | VPC attachment | VNet connection | NCC Spoke |
| Route table | TGW route table | Hub route table | Cloud Router routes |
| BGP peering | TGW Connect / Direct Connect | ExpressRoute / VPN BGP | Partner Interconnect BGP |
| IPsec VPN | Site-to-Site VPN | VPN Gateway | Cloud VPN |
| Dedicated circuit | Direct Connect (10Gbps) | ExpressRoute Direct (100Gbps) | Dedicated Interconnect (100Gbps) |
If you've configured a DMVPN hub or an SD-WAN vSmart controller, you already understand the topology. The cloud just wraps it in different APIs.
AWS Transit Gateway: Most Granular Routing Control
AWS TGW is the most mature and flexible of the three. It centralizes VPC-to-VPC, VPN, and Direct Connect routing through a regional hub supporting thousands of attachments.
The killer feature: multiple route tables with association and propagation controls — the closest thing to VRF-lite you'll find in any cloud.
A typical SD-WAN integration:

```
Branch (cEdge) ──IPsec──> cEdge in Transit VPC ──BGP──> AWS TGW
                                                           │
                                                     ┌─────┴─────┐
                                                   VPC-A       VPC-B
                                              (10.1.0.0/16) (10.2.0.0/16)
```
Key features:
- Multiple route tables with granular association/propagation (think VRF-lite in the cloud)
- Inter-region peering for cross-region transit without VPN
- Connect attachments for native BGP peering (GRE + BGP, up to 5 Gbps per Connect peer)
- ECMP across multiple VPN tunnels for higher throughput
Main limitation: TGW is regional. Cross-region traffic requires inter-region peering, adding latency and data transfer costs.
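To make the VRF-lite analogy concrete, here is an added Terraform example (not code from the original post) that uses TGW association and propagation so that a prod spoke and a dev spoke can each reach a shared-services VPC but never each other. The VPC and subnet IDs are assumed and come in through `var.spokes`, keyed `prod`, `dev` and `shared`.

```hcl
# Added example (not from the original post). TGW route tables as VRF-lite:
# prod and dev each reach shared-services but never each other. IDs assumed.
variable "spokes" {
  type = map(object({ vpc_id = string, subnet_ids = list(string) }))
}
resource "aws_ec2_transit_gateway" "hub" {
  # No default table: an attachment reaches nothing until it is explicitly
  # associated with a table and something is propagated into it (default-deny).
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# One route table per environment plus one for shared-services.
resource "aws_ec2_transit_gateway_route_table" "env" {
  for_each           = toset(["prod", "dev"])
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
# Association = which table an attachment's outbound traffic is looked up in.
resource "aws_ec2_transit_gateway_route_table_association" "env" {
  for_each                       = aws_ec2_transit_gateway_route_table.env
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = each.value.id
}
resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke["shared"].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
# Propagation = whose CIDRs a table learns. env tables learn only shared;
# shared learns both envs, so prod's table never contains dev's CIDR.
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_to_env" {
  for_each                       = aws_ec2_transit_gateway_route_table.env
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke["shared"].id
  transit_gateway_route_table_id = each.value.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "env_to_shared" {
  for_each                       = toset(["prod", "dev"])
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
```

After `terraform apply`, `aws ec2 search-transit-gateway-routes` against the prod table should show only the shared VPC's CIDR, which is the check that the segmentation actually holds.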
Azure Virtual WAN: Best Globally Distributed Managed Hub
Azure vWAN takes a fundamentally different approach. Instead of a single regional hub, vWAN provides globally distributed managed hub infrastructure. The hubs are Microsoft-managed routers — you don't deploy your own hub VNet.
This simplifies operations but reduces the granular control TGW provides.
Key features:
- Globally distributed hub-and-spoke with automatic hub-to-hub routing
- Native integration with Azure Firewall, DDoS, and routing intent
- ExpressRoute up to 100 Gbps via ExpressRoute Direct
- Built-in SD-WAN partner integration (Cisco, VMware, Fortinet)
- Routing intent simplifies next-hop policy to "Internet via firewall" or "Private via firewall"
Trade-off: Less control over route tables compared to TGW. If you need VRF-like segmentation with complex route leaking, Azure's model is more opinionated.
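For contrast with the TGW model, here is an added Terraform example (not from the original post) of the vWAN "routing intent" knob: a managed hub with a hub-integrated Azure Firewall, where both Internet-bound and private traffic are steered through the firewall with one hub-level policy instead of per-table route leaking. Resource group, location, names and the hub prefix are assumed values.

```hcl
# Added example (not from the original post): vWAN secured hub with routing
# intent. Resource group, location, names and address prefix are assumed.
variable "rg"       { type = string }
variable "location" { type = string }

resource "azurerm_virtual_wan" "wan" {
  name                = "corp-vwan"
  resource_group_name = var.rg
  location            = var.location
}
resource "azurerm_virtual_hub" "hub" {
  name                = "hub-eastus"
  resource_group_name = var.rg
  location            = var.location
  virtual_wan_id      = azurerm_virtual_wan.wan.id
  address_prefix      = "10.255.0.0/23" # hub's own address space (assumed)
}
resource "azurerm_firewall_policy" "policy" {
  name                = "hub-fw-policy"
  resource_group_name = var.rg
  location            = var.location
}
# AZFW_Hub SKU deploys the firewall inside the Microsoft-managed hub itself.
resource "azurerm_firewall" "secured_hub" {
  name                = "hub-fw"
  resource_group_name = var.rg
  location            = var.location
  sku_name            = "AZFW_Hub"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.policy.id
  virtual_hub {
    virtual_hub_id  = azurerm_virtual_hub.hub.id
    public_ip_count = 1
  }
}
# Routing intent: the inspection path is declared once at the hub. "Internet"
# covers 0.0.0.0/0; "PrivateTraffic" covers VNet-to-VNet and hub-to-hub flows.
resource "azurerm_virtual_hub_routing_intent" "intent" {
  name           = "hub-routing-intent"
  virtual_hub_id = azurerm_virtual_hub.hub.id
  routing_policy {
    name         = "InternetTraffic"
    destinations = ["Internet"]
    next_hop     = azurerm_firewall.secured_hub.id
  }
  routing_policy {
    name         = "PrivateTraffic"
    destinations = ["PrivateTraffic"]
    next_hop     = azurerm_firewall.secured_hub.id
  }
}
```

Compare this with the TGW approach: here there is no per-spoke route table to associate or propagate, which is exactly the reduced control (and reduced room for misconfiguration) the text describes.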
GCP Network Connectivity Center: Google's Premium Backbone
GCP NCC focuses on being a connectivity broker leveraging Google's private fiber backbone. The standout: Premium Tier networking routes packets through Google's private network from the nearest edge point — not the public internet.
Key features:
- Premium Tier global backbone — lowest latency between regions
- Cloud Router with dynamic BGP routing (supports graceful restart)
- Dedicated Interconnect up to 100 Gbps
- Hybrid spokes (IPsec VPN, Interconnect, Router appliance)
- Tight integration with Google's AI/ML infrastructure
Trade-off: NCC is the least mature of the three and has the smallest market share (~10% vs AWS 34% and Azure 21%). But for AI/ML workloads on Google's TPU infrastructure, NCC provides unmatched internal networking performance.
Cisco SD-WAN Cloud OnRamp: Unifying All Three
Here's where it gets interesting. Cisco SD-WAN Cloud OnRamp for Multicloud provides a single management plane (vManage) to deploy cEdge routers across all three clouds simultaneously.
| Component | AWS | Azure | GCP |
|---|---|---|---|
| Cloud gateway | cEdge in Transit VPC | cEdge in vWAN Hub | cEdge as NCC Spoke |
| BGP peering | TGW Connect attachment | vWAN hub BGP | Cloud Router BGP |
| Automation | TGW + VPC API | vWAN API | NCC + VPC API |
| Redundancy | Dual cEdge in AZs | Dual cEdge in hub | Dual cEdge pair |
| Tunnels | IPsec to TGW | IPsec to vWAN | IPsec to Cloud VPN |
The Catalyst 8000V runs the same IOS-XE code as physical cEdge routers — your OSPF, BGP, EIGRP, and SD-WAN config knowledge transfers directly.
Which Should You Learn First?
Start with AWS Transit Gateway. AWS holds 34% market share, so most multi-cloud deployments include it. TGW also has the most granular routing controls, and the concepts transfer well to Azure vWAN and GCP NCC where the models are simpler.
Practical learning path:
- AWS TGW — Deploy two VPCs, attach to TGW, configure route tables with association/propagation
- Cisco Cloud OnRamp for AWS — Deploy Catalyst 8000V in transit VPC, establish BGP with TGW Connect
- Azure vWAN — Deploy a vWAN hub, connect VNets, compare the managed model to AWS's DIY approach
- GCP NCC — Deploy Cloud Routers, configure NCC spokes, observe Premium Tier routing behavior
All three clouds offer free tiers or trial credits sufficient for a basic lab.
TL;DR
- AWS TGW = most control, VRF-lite equivalent, regional scope
- Azure vWAN = fully managed, global, less knob-turning
- GCP NCC = Google backbone, lowest latency, smallest ecosystem
- Cisco SD-WAN ties them together with a single control plane
The engineers who understand all three — and can design across them — are the ones commanding $200K+ salaries in 2026.
Originally published at FirstPassLab. For more deep dives on cloud networking, SD-WAN, and data center fabrics, check out firstpasslab.com.
AI Disclosure: This article was adapted from the original with AI assistance. All technical content has been reviewed for accuracy.