AWS Partner Network (APN) Blog
HCLTech Rebuilds Enterprise-Grade AWS Network for Cadent Gas
By Mevlit Mustafa, Senior Technical Cloud Infrastructure Architect, AWS Practice – HCLTech
By Rajesh Tailor, Senior Partner Solutions Architect, AWS
The industry is evolving rapidly, with technology advancing at an unprecedented rate to keep up with new trends. Customers are transitioning from fully private Multi-Protocol Label Switching (MPLS) Networks to entirely Software Defined Wide Area Networks (SD-WAN), leveraging the Internet extensively—a stark contrast to the approach taken a decade ago. Additionally, many customers are changing their trust model and moving towards Zero-Trust Architectures, which operate on the principle that no one, whether external or internal, is trusted by default and continuous monitoring is employed to scrutinize their behavior.
As a result, AWS Networking & Security Services have evolved significantly, offering a wide range of features to meet industry trends and customer demands. As a Premier AWS Partner, we are busier than ever, rebuilding our customers’ AWS Landing Zones and Backbone Networks with the latest AWS services to future-proof their infrastructure.
In this blog post, we will highlight a recent Network Transformation for Cadent Gas, the largest gas distribution network in the UK, serving 11 million homes and businesses and managing over 82,000 miles of pipelines across the country.
Existing Architecture
Cadent Gas began their Cloud journey with HCLTech in 2017, migrating over 1,000 servers to AWS and exiting their on-premises data centers, excluding managed network services. Cadent Gas relied on mesh-style Virtual Private Cloud (Amazon VPC) Peering Architectures for VPC-to-VPC Connectivity, which required numerous individual peering connections, i.e. n(n-1)/2 connections given the non-transitive nature of VPCs. While virtual routers were common for transitive routing, these approaches required Cadent Gas to manage the infrastructure, including redundancy and high availability, demanding advanced networking skills and presenting various challenges and limitations. In addition, the deployment of Firewalls within this type of network topology was difficult and suboptimal.
Figure 1 – Mesh VPC Peering Architecture with Hosted Virtual Interface Integration
To implement a level of segregation, they deployed Direct Connect Gateways:
- Non-Production Direct Connect Gateway: Associated with the Development, Test, and Staging Virtual Private Gateways.
- Production Direct Connect Gateway: Associated only with the Production Virtual Private Gateway.
- Shared Services Direct Connect Gateway: Associated only with the Shared Services Virtual Private Gateway.
Each Direct Connect Gateway is linked to two Private Hosted Virtual Interfaces (VIFs) distributed across two separate co-locations, ensuring circuit-level resiliency. The Hosted VIFs terminate at the AWS routers within the co-locations, which then cross-connect to the customer routers. From there, a first-mile Multi-Protocol Label Switching (MPLS) connection leads to a ‘Security Gateway’ that houses various networking and security services for Cadent Gas, including a Demilitarized Zone (DMZ), internet breakout, and connectivity to multiple on-premises sites and third parties.
This architecture did not have deep-packet inspection between VPCs and required complex route tables to facilitate routing between peerings. Given that VPC Classless Inter-Domain Routing (CIDRs) were not summarized in the route tables, we had to add each specific permitted path as a /32 IPv4 route as a security measure. Additionally, moving network providers is challenging due to the physical presence of managed network services in a data center, rather than hosting them virtually within AWS.
The Solution
To address the limitations of the existing architecture, we deployed an AWS Transit Gateway to facilitate transitive routing between VPCs and provide centralized connectivity to on-premises sites, third parties and the internet via a centrally deployed Direct Connect Gateway. This Direct Connect Gateway is associated with Transit Virtual Interfaces (VIFs) that reside on Hosted Direct Connects which terminate in different co-locations, ensuring circuit-level resiliency. The Transit Gateway, Direct Connect Gateway, Transit Virtual Interfaces (VIFs), and Hosted Direct Connects were deployed in a new dedicated AWS account named Core Networking. Following AWS best practices, we deployed a /28 subnet per AZ per VPC to house the Transit Gateway Elastic Network Interfaces (ENIs). We then formed attachments between the Transit Gateway and each VPC.
Figure 2 – Transit Gateway Architecture with Inspection VPC Integration using Gateway Load Balancer and Direct Connect for On-Premise Connectivity
The Transit Gateway Routing Domain Architecture was designed such that the following traffic must traverse the Firewall:
- All cross-environment (Dev/Test/Staging/Production) traffic.
- All Internet Ingress and Egress.
- All traffic to/from third parties.
- All traffic to/from on-premise sites.
To enable deep-packet inspection for both North-South (Internet) and East-West (Internal) traffic, we deployed an Inspection VPC and Firewalls. We utilized a third-party Next-Generation Firewall product supporting GENEVE encapsulation with appliance-mode enabled on the Transit Gateway attachment for symmetrical routing. This setup allowed us to use the AWS Gateway Load Balancer for Layer-3 bump-in-the-wire inspection, offering significant advantages over previous patterns that required IPsec tunnels between the Transit Gateway and Firewalls. The Inspection VPC and Firewalls were deployed in a new dedicated AWS account named Gateway Services.
Additionally, we deployed a Networking Services VPC to house the networking appliances required by Cadent Gas’s new network provider, following the decommissioning of the Security Gateway and the migration of the physical appliances from the data center to EC2 Instances hosted within AWS.
Parallel Architecture & Migration Approach
As Cadent Gas’s AWS environment hosts many critical production workloads, we needed to achieve the AWS network rebuild with only brief interruptions in service while also migrating to a different network provider chosen by Cadent Gas. We deployed the new network solution and security services in parallel with the existing network. Each VPC bridged onto both networks, allowing us to migrate one Cadent Gas site or third party at a time seamlessly.
The parallel network can be visualized as follows:
Figure 3 – Parallel AWS Networks between two separate Network Providers
The Migration was done in four phases:
- Site Migrations
  - Bronze (Small depot sites)
  - Silver (Medium-sized sites)
  - Gold (Large crucial sites)
  - Platinum (Critical sites)
- Third-Party VPN Migration (HCLTech and other vendors)
- Inter-VPC Routing Migration
  - Non-Production (Dev/Test/Staging)
  - Production
- Default Route/Internet Traffic Migration
During the migration of Cadent Gas sites, as the new network provider transitioned each site from the old MPLS-based network to the SD-WAN-based network, we added routes to the VPC Route Tables for each Site CIDR. This routing directed traffic through the Transit Gateway, then to the Inspection VPC, and finally through the central Direct Connect Gateway to the migrated site via the SD-WAN appliances.
This approach enabled a seamless migration with only brief interruptions in service, involving only a simple re-routing exercise. It also allowed for an easy rollback by removing the specific route added to the Transit Gateway, reverting to the VPC’s default route (which covers the entire IP address range) to the Virtual Private Gateway and the existing backbone network. Each Cadent Gas site was categorized based on criticality, so we began migrating lower-priority sites to test the approach, which proved successful.
Similarly, migrating each third party from Cadent Gas’s old network provider’s VPN appliances to the new network provider’s VPN appliance required simply re-routing the specific CIDR allocated to that third party.
Migrating from VPC Peering to the Transit Gateway (via the Inspection VPC) for inter-VPC traffic was more complex. We closely collaborated with application teams to discover all cross-environment communications due to limited visibility in the existing network. We began with non-production peerings (Dev/Test/Staging) before moving on to Production VPC peerings.
The final phase of the migration involved changing the default route. Since this traffic had already passed through the Firewalls, migrating the ruleset from the old Firewalls to the new ones was relatively straightforward. We collaborated closely with third parties to ensure that the new Public IP Addresses were authorized, as they had changed.
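The route-based migration and rollback described in the phases above, together with the routing-domain design under "The Solution", as an added Python model that is not part of the original post: AWS route tables resolve by longest-prefix match, so a site-specific route added to a VPC route table wins over the 0.0.0.0/0 default to the Virtual Private Gateway and removing it rolls the site back, while per-environment Transit Gateway route tables send only same-environment traffic directly and everything else through the Inspection VPC attachment. All CIDRs, attachment and gateway names are constructed assumptions, not Cadent Gas's real addressing.

```python
import ipaddress

class RouteTable:  # AWS-style route table: the most specific matching prefix wins
    def __init__(self):
        self.routes = {}  # ip_network -> next-hop (attachment / gateway name)
    def add(self, cidr, target):
        self.routes[ipaddress.ip_network(cidr)] = target
    def remove(self, cidr):
        self.routes.pop(ipaddress.ip_network(cidr), None)
    def lookup(self, dst):
        hits = [n for n in self.routes if ipaddress.ip_address(dst) in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

# --- Site / third-party migration: a VPC route table bridged onto both networks ---
def prod_vpc_rt():
    rt = RouteTable()
    rt.add("10.50.0.0/16", "local")       # the VPC's own CIDR (constructed value)
    rt.add("0.0.0.0/0", "vgw-old-mpls")   # default still points at the old backbone
    return rt

def migrate_site(rt, site_cidr):
    rt.add(site_cidr, "tgw-core")          # specific route wins over 0.0.0.0/0
def rollback_site(rt, site_cidr):
    rt.remove(site_cidr)                   # traffic falls back to the old network

# --- Transit Gateway routing domains: cross-environment traffic hits the firewall ---
VPCS = {"dev": ["10.10.0.0/16"], "test": ["10.20.0.0/16"],
        "prod": ["10.50.0.0/16", "10.51.0.0/16"]}   # constructed CIDRs

def tgw_route_tables():
    tables, post = {}, RouteTable()        # 'post' = table of the Inspection VPC attachment
    for env, cidrs in VPCS.items():        # one routing domain per environment
        rt = RouteTable()
        for i, cidr in enumerate(cidrs):
            rt.add(cidr, f"attach-{env}{i}")     # same-environment VPCs: direct
            post.add(cidr, f"attach-{env}{i}")   # after inspection: deliver to VPC
        rt.add("0.0.0.0/0", "attach-inspection") # everything else: via firewall
        tables[env] = rt
    post.add("0.0.0.0/0", "attach-dxgw")   # on-prem, third parties, internet
    tables["inspection"] = post
    return tables

def path(tables, src_env, dst_ip):
    # Next hops a packet takes through the TGW, starting at a source VPC's domain
    hops, table = [], src_env
    while True:
        hops.append(tables[table].lookup(dst_ip))
        if hops[-1] != "attach-inspection":
            return hops
        table = "inspection"
```

Appliance mode on the Inspection VPC attachment, which keeps the return flow on the same firewall, is not modelled here.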
Conclusion
This specific architecture was chosen based on the unique needs and environment of Cadent Gas. If you’re contemplating an upgrade to your AWS network, we recommend the following strategies:
- If your operations span multiple AWS regions, consider leveraging AWS Cloud WAN. Built on AWS Transit Gateway, it offers automated routing enhancements tailored for segmented environments.
- If flexibility with firewall vendors is an option, explore AWS Network Firewall for comprehensive North-South and East-West traffic inspection. Powered by AWS Gateway Load Balancer and GENEVE Encapsulation, it ensures robust security.
- Depending on your business model—whether you manage producer/consumer or service-based workloads—evaluate solutions like AWS Private Link or AWS VPC Lattice for optimized networking patterns.
- For those using SD-WAN, explore deploying virtual SD-WAN appliances within AWS. AWS Transit Gateway and Cloud WAN support seamless integration using GRE or Tunnel-less Connect (Cloud WAN only), compatible with various SD-WAN products.
HCLTech – AWS Partner Spotlight
HCLTech is an AWS Premier Consulting Partner uniquely positioned to help enterprises as a GSI and an ISV. HCLTech is supercharging progress for hundreds of leading global enterprises, vested in solving day-to-day or complex challenges with a dedicated full-stack business unit. HCLTech also holds Generative AI, Migration, DevOps, SAP, Storage, and Mainframe Modernization Competencies and is an MSP Partner.