AWS for Industries
Discount Tire Uses Cloud WAN and Buffer VPC to Create a Scalable Enterprise Network
Enterprises often face complex routing challenges when integrating existing infrastructure with modern cloud networking solutions, and when connecting branch locations to a corporate network. This blog explores how Discount Tire and AWS collaborated to solve critical routing and network integration challenges using a Buffer VPC solution.
Discount Tire’s AWS infrastructure uses both AWS Cloud WAN and AWS Transit Gateway to support various workloads. The Cloud WAN environment connects retail stores to on-premises infrastructure through SD-WAN and other modern cloud applications, while the Transit Gateway environment hosts legacy systems and traditional VM-based workloads.
This dual-environment approach functioned well within each domain but created significant challenges for workloads that traversed both environments. Traffic inspection occurred at different layers depending on source and destination, route propagation conflicts emerged due to overlapping IP ranges, and direct connectivity between environments violated Cloud WAN’s native route evaluation principles.
Discount Tire’s network team wanted a solution that could maintain existing security processes while providing predictable routing behavior and eliminating operational overhead associated with constant route conflict resolution. Solving these challenges would allow them to more easily scale their network and add branch locations.
Understanding Discount Tire’s Network Landscape
Discount Tire’s 1,200+ retail locations and multiple cloud vendors create a hybrid environment in which each retail business function requires its own networking strategy. This architecture includes:
- Retail connectivity: Store locations seamlessly integrated through SD-WAN infrastructure and Cloud WAN.
- Existing infrastructure: Business applications running on infrastructure connected via Transit Gateway.
- Modern cloud workloads: Serverless and containerized applications connected through Cloud WAN.
- Security requirements: Traffic inspection policies that vary based on traffic source and destination.
Figure 1: Discount Tire’s network architecture before Buffer VPC
This architecture creates challenges, including:
- Asymmetric traffic inspection: Dual traffic inspection across Transit Gateway and Cloud WAN introduces unnecessary operational overhead and extra costs in routing traffic to the correct inspection point.
- Route table complexity: Overlapping summary routes in both Transit Gateway and Cloud WAN’s route tables cause unpredictable routing interactions.
- Routing architecture constraints: The integration of Cloud WAN and Transit Gateway routing domains requires careful orchestration that slows the ability to scale.
The Buffer VPC Approach
A Buffer VPC is a network architecture concept that provides an additional layer of isolation and control between environments. It acts as an intermediary network zone between an organization’s main VPC and external networks or the internet. It typically houses security appliances and access control mechanisms that filter and monitor traffic flowing in and out of protected resources.
Figure 2: Multi-region AWS network architecture with Cloud WAN, Transit Gateway, and Buffer VPC segmentation
Discount Tire’s introduction of a Buffer VPC addressed the need for precise routing control between environments. The team’s implementation focused on creating predictable routing behavior while maintaining existing security and operational requirements. The Buffer VPC serves as a central routing control point that enables traffic steering between Cloud WAN and Transit Gateway environments. This approach provides several compelling advantages:
- Centralized route management: All inter-environment routing decisions are managed in the Buffer VPC. Centralizing routing decisions creates consistent traffic patterns that follow Cloud WAN’s native evaluation logic without unexpected behavior. Predictable routing provides clear visibility into traffic flow patterns and simplifies network diagnosis.
- Preserved inspection capabilities: Existing traffic inspection patterns remain intact in both Cloud WAN and Transit Gateway environments. Simplifying the path to inspection points and removing redundant steps reduces cost.
- Scalable and agile foundation: The architecture provides a framework for future network expansion without introducing additional routing complexity. Network engineers can make routing changes with confidence, knowing that the Buffer VPC prevents unintended route propagation.
Packet Walk-through
Figure 3: Packet flow from Legacy Production VPC to Stores/Direct Connect through Buffer VPC
Forward Traffic Flow
- Traffic originates from workloads in the Legacy Production VPC and is routed to the Transit Gateway (TGW), where it is evaluated against the Spoke TGW Route Table (the table associated with the Legacy Production VPC attachment).
- The Transit Gateway processes the traffic using the Spoke TGW Route Table and forwards it to the Buffer VPC.
- The Buffer VPC acts as an intermediary routing layer. Traffic leaving the Buffer VPC re-enters the TGW, where the Buffer TGW Route Table (the table associated with the Buffer VPC attachment) determines the next hop.
- Traffic leaves the Buffer TGW Route Table over the TGW-to-Core Network peering connection and enters the Core Network’s Peering Segment.
- The Peering Segment routes traffic to the Inspection VPC where AWS Network Firewall performs deep packet inspection and applies configured security policies.
- After successful firewall inspection, traffic is forwarded from the Inspection VPC to the Inspection Segment within the Core Network.
- The Inspection Segment routes the traffic to the Direct Connect Gateway (DXGW), which forwards it through the Direct Connect connection to reach the on-premises destination.
Return Traffic Flow
- Return traffic from on-premises infrastructure enters AWS through the Direct Connect connection and reaches the Direct Connect Gateway.
- Traffic from the DXGW Segment is directed to the Inspection VPC where AWS Network Firewall performs security inspection.
- The Network Firewall processes the return traffic according to configured security policies. After security policy evaluation, traffic is forwarded from the Inspection VPC to the Inspection Segment.
- The Inspection Segment routes traffic back through the Core Network-to-TGW peering connection to reach the Buffer TGW Route Table.
- Traffic is forwarded from the Buffer TGW Route Table through the Transit Gateway to the Legacy Production VPC, reaching the destination workloads.
Improvements
- Centralized route management with consistent traffic patterns. Simplified network diagnosis and more reliable routing.
- Seamless integration between different network domains. Unified network architecture supporting diverse workloads.
- Predictable routing with clear visibility into traffic flow patterns. Easier troubleshooting through centralized routing control.
- Streamlined path without redundant inspection steps. More efficient traffic routing and reduced overall infrastructure costs.
Setting Up a Buffer VPC
1. Transit Gateway Setup
Create Route Tables and Attachments
- Create a TGW Route Table for your original VPC to act as the Spoke.
- Create a TGW Route Table to be the Buffer for intermediary routing.
- Attach the original and Buffer VPCs to your Transit Gateway and associate each attachment with its respective route table (Spoke and Buffer).
2. Core Network Configuration
Set Up Network Segments
- Create a Peering Segment for Transit Gateway connectivity.
- Create an Inspection Segment for traffic coming in from firewalls/security appliances.
- Create a Direct Connect Gateway Segment for Direct Connect integration.
Create Attachments
- Create a Transit Gateway route table attachment to establish the TGW-to-Core Network peering connection.
- Attach your Inspection VPC to the Core Network (in the Inspection Segment).
- Connect the Direct Connect Gateway to the Core Network (in the Direct Connect Gateway Segment).
3. Routing Configuration
Configure TGW Route Tables
- Spoke Route Table: Route on-premises traffic to the Buffer VPC.
- Buffer Route Table: Route traffic to the Core Network peering connection for inspection.
Set Up Core Network Routing Policy
- Peering Segment → Inspection Segment (mandatory inspection).
- Inspection Segment → Direct Connect Gateway Segment (to on-premises).
- Direct Connect Gateway Segment → Inspection Segment (return traffic inspection).
4. Network Firewall Deployment
Deploy AWS Network Firewall
- Create a firewall policy with stateful and stateless rules as needed.
- Deploy the firewall endpoints in dedicated Inspection VPC subnets.
- Configure inspection routing to direct traffic through firewall endpoints.
5. Direct Connect Integration
Connect On-Premises Networks
- Associate the Direct Connect Gateway with the Core Network.
- Configure BGP routing for proper on-premises network advertisement.
- Set up a return path by routing through the inspection layer.
This architecture ensures all traffic between your legacy AWS environment and on-premises infrastructure flows through centralized security inspection while maintaining high availability and performance.
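The following is an added example, not Discount Tire’s or AWS’s code, that ties the Core Network routing policy in steps 2 and 3 to the packet walk-through above. It builds a minimal Cloud WAN core network policy document with the three segments (Peering, Inspection, Direct Connect Gateway) and the segment actions that implement Peering → Inspection, Inspection → DXGW and DXGW → Inspection, then simulates a longest-prefix route lookup over the resulting segment route tables to confirm that a packet from the legacy range to on-premises, and its return, both pass the Inspection VPC attachment. Only the Cloud WAN side is modelled (the Spoke and Buffer TGW route tables are not); all attachment IDs, CIDRs and the Region are constructed placeholders, and the model assumes that routes toward a Transit Gateway route table attachment are static `create-route` entries and that an attachment-route `share` action makes routes visible in both directions.

```python
# Added example, not Discount Tire's or AWS's code. Attachment IDs, CIDRs and the
# Region are constructed placeholders; replace them with values from your account.
import copy
import ipaddress
import json

TGW_PEERING_ATTACH = "attachment-PLACEHOLDER-tgw-rtb"  # transit-gateway-route-table attachment
INSPECTION_ATTACH = "attachment-PLACEHOLDER-inspect"   # Inspection VPC attachment
DXGW_ATTACH = "attachment-PLACEHOLDER-dxgw"            # Direct Connect Gateway attachment
LEGACY_CIDRS = ["10.10.0.0/16"]    # constructed: Legacy Production VPC range behind the TGW
ONPREM_CIDRS = ["192.168.0.0/16"]  # constructed: on-premises range behind Direct Connect

# Segment each attachment lives in and the prefixes it contributes to that segment.
# The TGW route-table attachment contributes none: the peering side uses static routes.
ATTACHMENTS = {
    TGW_PEERING_ATTACH: {"segment": "peering", "cidrs": []},
    INSPECTION_ATTACH: {"segment": "inspection", "cidrs": ["10.255.0.0/24"]},
    DXGW_ATTACH: {"segment": "dxgw", "cidrs": ONPREM_CIDRS},
}

POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "vpn-ecmp-support": False,
        "asn-ranges": ["64512-65534"],
        "edge-locations": [{"location": "us-west-2"}],
    },
    "segments": [{"name": s, "require-attachment-acceptance": False}
                 for s in ("peering", "inspection", "dxgw")],
    "segment-actions": [
        # Peering Segment -> Inspection Segment: on-prem destinations hit the firewall first.
        {"action": "create-route", "segment": "peering",
         "destination-cidr-blocks": ONPREM_CIDRS, "destinations": [INSPECTION_ATTACH]},
        # DXGW Segment -> Inspection Segment: return traffic is inspected before the TGW.
        {"action": "create-route", "segment": "dxgw",
         "destination-cidr-blocks": LEGACY_CIDRS, "destinations": [INSPECTION_ATTACH]},
        # Inspection Segment -> TGW peering: inspected return traffic goes back to the Buffer TGW table.
        {"action": "create-route", "segment": "inspection",
         "destination-cidr-blocks": LEGACY_CIDRS, "destinations": [TGW_PEERING_ATTACH]},
        # Inspection Segment -> DXGW Segment: share attachment routes so inspection learns on-prem prefixes.
        {"action": "share", "mode": "attachment-route", "segment": "inspection", "share-with": ["dxgw"]},
    ],
    "attachment-policies": [
        {"rule-number": 100 + i, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "key": "segment", "operator": "equals", "value": s}],
         "action": {"association-method": "constant", "segment": s}}
        for i, s in enumerate(("peering", "inspection", "dxgw"))
    ],
}


def segment_routes(policy, segment):
    """Route table of a segment as [(network, attachment_id)]: static create-route entries
    plus attachment routes from its own attachments and from segments it is shared with."""
    routes, visible = [], {segment}
    for act in policy["segment-actions"]:
        if act["action"] == "share" and act.get("mode") == "attachment-route":
            if act["segment"] == segment:
                visible.update(act["share-with"])
            elif segment in act["share-with"]:
                visible.add(act["segment"])
        elif act["action"] == "create-route" and act["segment"] == segment:
            for cidr in act["destination-cidr-blocks"]:
                for dest in act["destinations"]:
                    routes.append((ipaddress.ip_network(cidr), dest))
    for att_id, att in ATTACHMENTS.items():
        if att["segment"] in visible:
            routes.extend((ipaddress.ip_network(c), att_id) for c in att["cidrs"])
    return routes


def next_hop(policy, segment, dst):
    """Longest-prefix match in one segment; None when the segment has no route for dst."""
    ip, best = ipaddress.ip_address(dst), None
    for net, att in segment_routes(policy, segment):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, att)
    return best[1] if best else None


def trace(policy, ingress_segment, dst):
    """Follow a packet segment by segment. A VPC attachment (the firewall) hands the packet
    back into its own segment, so the lookup continues there until a TGW or DXGW egress."""
    path, segment = [], ingress_segment
    for _ in range(8):  # hop budget guards against a policy that loops
        att = next_hop(policy, segment, dst)
        if att is None:
            return path + [None]  # black hole: no route in this segment
        path.append(att)
        if att in (TGW_PEERING_ATTACH, DXGW_ATTACH):
            return path
        segment = ATTACHMENTS[att]["segment"]
    return path


def inspected_both_ways(policy):
    """True when legacy->on-prem and on-prem->legacy both traverse the Inspection VPC."""
    fwd = trace(policy, "peering", "192.168.10.5")  # constructed on-prem host
    rev = trace(policy, "dxgw", "10.10.4.20")       # constructed legacy workload
    return (fwd[-1] == DXGW_ATTACH and INSPECTION_ATTACH in fwd
            and rev[-1] == TGW_PEERING_ATTACH and INSPECTION_ATTACH in rev)


def without_static_routes(policy, segment):
    """Copy of the policy with one segment's create-route entries dropped (a misconfiguration to test for)."""
    p = copy.deepcopy(policy)
    p["segment-actions"] = [a for a in p["segment-actions"]
                            if not (a["action"] == "create-route" and a["segment"] == segment)]
    return p


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # document you would pass to put-core-network-policy
    print("forward:", trace(POLICY, "peering", "192.168.10.5"))
    print("return :", trace(POLICY, "dxgw", "10.10.4.20"))
    print("inspected both ways:", inspected_both_ways(POLICY))
```

Running the module prints the policy JSON and the two traces; `inspected_both_ways` is the check worth wiring into a pre-deployment test, since dropping the static route in either the Peering or the DXGW segment silently turns mandatory inspection into a black hole rather than an error.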
Enabling Scalable Network Growth
By implementing a Buffer VPC, Discount Tire increased network reliability, agility, and scalability while reducing operational overhead and costs. This new architecture provides Discount Tire a robust foundation for future retail expansion and establishes a corporate network that supports its mission of delivering exceptional customer service through both physical and digital channels.
Customers like Discount Tire that implement network architectures featuring Cloud WAN can connect new AWS VPCs and Regions in minutes rather than days and cut their number of static routes by 50 percent.
By using AWS Cloud WAN and Buffer VPCs, retailers and enterprises with distributed locations and complex network landscapes can enable reliable, high-performance connectivity between retail stores, corporate systems, and cloud-based applications. The result: outstanding customer experiences—just as Discount Tire has successfully demonstrated.