AWS for Industries

DISH Technologies: Building a broadcast network utilizing AWS CloudWAN

DISH Technologies, commonly known as DISH Tech, is a leading provider of satellite television and broadband services and is a wholly-owned subsidiary of EchoStar. Since its founding in 1980, DISH has continually innovated in the delivery of digital entertainment and information services. Leveraging cutting-edge technology, DISH offers a wide range of services, including satellite TV, internet, and on-demand content, catering to both residential and commercial customers.

In 2015, DISH launched SLING TV, the world’s first live TV streaming platform. SLING TV is the leading live, over-the-top (OTT) platform, featuring a cloud DVR and robust add-on programming packages. When integrated with AirTV, SLING TV provides the best mix of live, recorded, pay-per-view, and local programming on the OTT market.

Dish Tech’s earlier network infrastructure relied on a mesh architecture of IPSec tunnels to connect their eight data centers spread across the US and their AWS network across multiple regions. However, this setup became a bottleneck due to its lack of scalability, management complexity, and frequent connectivity issues. Because the IPSec tunnel mesh could not scale with the expanding customer base and increasing demands, Dish Tech began exploring a more scalable and centralized network connectivity model using AWS CloudWAN. In this blog post, we discuss the reasons for selecting AWS CloudWAN, offer a technical overview of the deployed CloudWAN network, present the observed results, and outline future improvements and objectives.

Why AWS CloudWAN?

Dish Tech was looking for a fully automated, highly segmented WAN solution, which would provide a single pane of glass to orchestrate connectivity between all of their physical data centers and AWS Regions through global IPSec tunnels, and also provide connectivity between workloads deployed within AWS.

With this WAN solution, Dish Tech was looking to address the following critical issues:

  1. Complexity of a partial mesh network: Managing the network was challenging due to the partial mesh connections between different data centers and AWS regions. A key requirement was to transition from this mesh topology to a hub-and-spoke architecture that better aligns with business processes. In the new setup, AWS Cloud WAN serves as the hub, allowing various data centers and virtual private clouds (VPCs) to connect as spokes.
  2. No Automation and Centralized Management: The previous network infrastructure did not have automation built in. Manual processes were required for configuration and management, leading to inefficiencies. The absence of a centralized management system complicated administration. Automation and centralized manageability of the network were key requirements for Dish Tech. High levels of configuration automation were critical for this network as all changes in Dish Tech are implemented through CI/CD pipelines. AWS CloudWAN provided Dish Tech with the automation capabilities that they were looking for by consolidating the configurations in one core network policy definition. Cloud WAN policy is a machine readable JSON document, which Dish treated as a repository, and any changes to this core network policy definition would only be possible from a CI/CD pipeline, thus eliminating human changes to the policy.
  3. Rigid infrastructure and scalability issues: Since the network infrastructure was being managed manually, any changes that were to be made required significant rework, which was not scalable to Dish Tech’s cloud adoption strategies. With AWS CloudWAN, Dish Tech has been able to leverage the attachments and segmentation features to create a scalable network.
  4. Dynamic Routing and Network Segmentation: Inefficient routing led to latency and performance issues. As the Dish Tech network spans multiple physical data centers and AWS regions, dynamic routing and network segmentation were key features for the new network. With AWS CloudWAN, Dish Tech was able to create different network segments based on the requirements in the centralized policy itself. The Dish Tech environment in AWS had multiple networks consisting of VPCs connected through AWS Transit Gateways with a centralized inspection VPC model. These networks needed to be segmented into different routing domains based on the business unit they belonged to. Moreover, through its attachments, the Cloud WAN solution gave Dish Tech plug-and-play capability.
  5. Unreliable IPsec Tunnels and lack of auto-healing capabilities: The previous network infrastructure was riddled with frequent tunnel failures, expensive firewall hardware, and a lack of automatic failure recovery. With the IPSec tunnels consolidated onto AWS Cloud WAN through attachments, the new hub-and-spoke topology leverages streamlined failure recovery with backup tunnels and experiences fewer connectivity failures because tunnels are not overconsumed. The reliance on expensive firewall hardware for tunnel termination has also been reduced.

Technical Overview:

The current global network for Dish Tech can be categorized along two different connectivity paths. The two connectivity paths have been built with inspection patterns specific to the respective business units’ needs, something that was easy to plan out with Cloud WAN segmentation functionality.

Connectivity Path 1: Hybrid connectivity between Dish Tech on-premises physical data centers and Dish Tech AWS Cloud network

As a security requirement, the Sling Legacy environment needed to be kept separate from the new Control Tower environment. To achieve this, Dish Tech defined distinct segments for each environment. A core design principle was to separate production and non-production traffic in both environments, while allowing a shared segment only for applications that required access to common services.

The first connectivity path aimed to link all of Dish Tech’s on-premises physical data centers to each other and to their AWS cloud network. The first part, interconnecting the data centers, was achieved by creating a hub-and-spoke model, with the data centers connecting to each other through the CloudWAN network. The second part, connecting the on-premises data centers to the AWS cloud network, was done by creating a separate on-premises segment for the Sling Legacy environment and another for the Control Tower environment. Each on-premises segment provides both functions, namely data center to data center connectivity and data center to AWS connectivity. Traffic on these different on-premises segments was isolated from each other by using the Cloud WAN policy configuration. The following diagram (Fig 1) illustrates the overall architecture, though it simplifies the connectivity and segments within the entire AWS network. The shared segment is omitted for simplicity.

Figure 1: Dish Tech Global Network architecture with Hybrid Connectivity Path

Connectivity Path 2: Dish Tech (Sling Legacy and new Control Tower) AWS Environment inter-connectivity through AWS Cloud WAN

As discussed in the first connectivity path, one of the core design principles of the network was to have no communication between production and non-production segments. There was also a nuanced difference between the two environments in how they connected to the Cloud WAN network. The Sling Legacy environment used AWS Transit Gateway attachments to CloudWAN, while the Control Tower environment would have inter-VPC communication through VPC attachments to CloudWAN. Because of this difference, the Sling Legacy business unit was able to keep using its existing AWS Transit Gateways and the VPCs attached to them. Sling achieved this by peering their existing Transit Gateways with Cloud WAN. This provided Sling with the route segmentation across multiple regions that their previous design lacked. The following diagram (Fig 2) shows the overall architecture for connectivity path 2 (for simplicity, it does not show connectivity and/or segments of the whole AWS network involved).

Figure 2: Dish Tech AWS inter-connectivity architecture through AWS CloudWAN

In figure 2, there are four segments of the Dish Tech CloudWAN network shown. The VPCs are attached to the Control Tower segments (Prod and Non-Prod segments, respectively) through the VPC core network attachment types. The VPCs in the Control Tower environment leverage a distributed inspection model, having AWS Gateway Load Balancer endpoints [1] route traffic to distributed 3rd party firewalls [2] behind Gateway Load Balancers. The Gateway Load Balancers have not been shown in the diagram for simplicity.

The VPCs in the Sling Legacy environment were initially connected to Transit Gateways specific to their environment. By separating the Dish Tech Cloud WAN into distinct segments for Sling Legacy and Control Tower, Dish Tech was able to utilize the existing Transit Gateways. They did this by using Transit Gateway route table attachments for the respective Sling Legacy segments. This approach also allowed the Sling Legacy environment to benefit from a centralized inspection model, with one centralized inspection VPC for each region, tailored to the needs of their business units.

Results and Future Plans:

With the first set of the AWS CloudWAN deployment, Dish Tech built a highly segmented, secure hub-and-spoke network topology, providing connectivity between their different business units and their physical data centers. With this approach, Dish Tech reduced the complexity of the mesh topology and established a transparent, centralized network connectivity model. The management of the various network segments between different business units and deployment environments is now more controlled. Centralized networking via CloudWAN enables Dish Tech’s infrastructure teams to maintain the hybrid connectivity and add new network workloads in an automated fashion.

By using the power of tagging and automation through Dish Tech’s CI/CD Pipelines and AWS Cloud WAN’s core network policy, Dish Tech deployed a fully automated infrastructure-as-code network. This expedited Dish Tech’s vision of automation and centralized management of the key constructs of their network. Tagging changes at the Cloud WAN attachment level trigger the CI/CD Pipelines to automatically add the new attachments to the specific segments. Any new VPC or any new environment now gets attached to the respective Cloud WAN segment through tagging and inherits the correct routing domains through dynamic routing. Given the flexibility of API-driven Cloud WAN functionality, changes are now seamless and managed through Infrastructure-as-Code.
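A pipeline gate for the isolation rules described in the technical overview, as an added example (not DISH's or AWS's code): it reads a core network policy and reports any share action that lets two isolated segments exchange routes. The policy, the segment names and the ISOLATED list are constructed assumptions, and the check models a share as exchanging routes between the sharing segment and each share-with entry only.

```python
import json
from itertools import combinations

# Constructed policy in the Cloud WAN core network policy JSON layout.
# Segment names, ASN range and Regions are assumptions, not DISH's values.
POLICY = json.loads("""{
  "version": "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["64512-64555"],
    "edge-locations": [{"location": "us-east-1"}, {"location": "us-west-2"}]},
  "segments": [{"name": "SlingProd"}, {"name": "SlingNonProd"},
               {"name": "CtProd"}, {"name": "CtNonProd"}, {"name": "Shared"}],
  "segment-actions": [
    {"action": "share", "mode": "attachment-route", "segment": "Shared",
     "share-with": ["SlingProd", "CtProd"]}]
}""")

# Segments that must never exchange routes with one another (assumed names).
ISOLATED = ["SlingProd", "SlingNonProd", "CtProd", "CtNonProd"]


def shared_pairs(policy):
    """Segment pairs that exchange routes through "share" segment-actions."""
    names = [s["name"] for s in policy.get("segments", [])]
    pairs = set()
    for act in policy.get("segment-actions", []):
        if act.get("action") != "share":
            continue  # other action types are out of scope for this check
        targets = act.get("share-with", [])
        if targets == "*":                       # share with every segment
            targets = names
        elif isinstance(targets, dict):          # {"except": [...]} form
            targets = [n for n in names if n not in targets.get("except", [])]
        for t in targets:
            if t != act["segment"]:              # a segment never pairs with itself
                pairs.add(frozenset((act["segment"], t)))
    return pairs


def isolation_violations(policy, isolated):
    """Sorted list of isolated-segment pairs that the policy lets share routes."""
    forbidden = {frozenset(p) for p in combinations(isolated, 2)}
    return sorted(tuple(sorted(p)) for p in shared_pairs(policy) & forbidden)


if __name__ == "__main__":
    problems = isolation_violations(POLICY, ISOLATED)
    raise SystemExit(f"segment isolation violated: {problems}" if problems else 0)
```

Run as a pipeline step, the script exits non-zero when a proposed policy change would break segment isolation, so the change is rejected before it reaches the core network.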

Dish Tech now monitors and manages their network connectivity status and health through a centralized Amazon CloudWatch dashboard, which shows them the state of the IPSec tunnels and the amount of traffic in and out of the entire network through Amazon CloudWatch metrics. They have also implemented alert mechanisms to notify them when traffic exceeds certain thresholds or when any tunnels encounter connectivity issues. This has reduced the time spent on operations and has led to faster deployments and quicker development of other business-critical functions.

As a next step in the evolution of the Dish Tech network journey, as the traffic bandwidth requirements grow, the IPSec tunnels could be replaced with AWS Direct Connect connections. AWS Direct Connect links a customer’s on-premises network to an AWS Direct Connect location. With this, Dish Tech will have dedicated physical connectivity from their data centers to their AWS regions by terminating the Direct Connect connections on the transit gateways attached to their CloudWAN network segments. Since Direct Connect provides a direct connection to AWS and does not go over the internet, any latency or jitter issues experienced by IPSec tunnels over the internet can be mitigated and performance improvements will be observed.

Conclusion:

In conclusion, AWS Cloud WAN has provided Dish Tech with the automation and infrastructure-as-code tools needed to build, operate and monitor their global network. They have been able to achieve a centralized hub and spoke, secure connectivity for their different connectivity paths. They have also been able to streamline monitoring and operational procedures for their network. With AWS Cloud WAN, Dish Tech can expand their network infrastructure for their different environments more efficiently and in a scalable, highly available fashion.

Sarah Morrison

Sarah Morrison is a Principal Customer Solutions Manager at AWS who enjoys partnering with customers to deliver transformative digital initiatives. In her free time, she enjoys traveling, hiking, yoga and the outdoors.

Ankit Chadha

Ankit is a Networking Specialist Solutions Architect supporting AWS Industries Accounts at AWS. He enjoys building secure and scalable network architectures for his customers. In his spare time, Ankit enjoys playing cricket, earning his cat’s trust, and reading biographies.

Harisankar Vellingiri

Harisankar is a Cloud & Platform Engineering Technology Manager & Leadership enthusiast committed to mentoring teams and fostering collaborative, growth-oriented environments. His leadership philosophy centers around empowering others through shared knowledge and creating a culture of innovation. As he continues to grow in his career, Harisankar is dedicated to shaping the next generation of cloud engineers and driving the future of cloud infrastructure. Harisankar has been an expert Platform engineer with over a decade of experience in designing, building, and optimizing cloud-native architectures. He specializes in leveraging AWS technologies to streamline complex systems and improve operational efficiency. Passionate about automation, scalability, and high-performance computing, he’s known for his ability to turn technical challenges into seamless, sustainable solutions. Harisankar is also the owner of the CNCF Denver meetup group and he organizes events for the community.

Karthikayan Balasubramanian

Karthikayan is a seasoned Cloud Architect and Networking Specialist with over 18 years of experience in the IT industry. With deep expertise in designing and implementing secure, scalable, and resilient cloud network infrastructures, Karthikayan focuses on Cloud WAN solutions, hybrid connectivity, and advanced networking architectures. Dedicated to advancing secure and innovative network solutions that drive business scalability and operational excellence, Karthikayan is also a passionate traveler and motorcycle enthusiast, finding inspiration and adventure on the open road.

Scott Stimson

Scott is a Solutions Architecture Leader with the AWS Industries Telecommunications team and an accomplished technology executive with a proven track record of leading successful digital transformation initiatives for clients across diverse industries. With deep expertise in cloud computing and enterprise architecture, he collaborates closely with C-suite stakeholders to envision and execute scalable, innovative technology solutions that drive business value.

Shirin Bhambhani

Shirin is a Senior Network Specialist Solutions Architect at AWS. She works with customers to build solutions and accelerate their cloud migration journey. She is passionate about technology and enjoys building solutions in Networking and Security.

Teja Veeramachaneni

Teja Veeramachaneni is a Senior Technical Account Manager at AWS, partnering with leading AWS Strategic customers. She supports enterprise customers in solving architectural and operational issues across their global cloud environments. In her free time, she has a passion for the outdoors, traveling, driving fast cars and food challenges.