AWS for Industries

How SGN extended isolated networks to AWS using AWS Transit Gateway

Overview

SGN is a UK gas distribution network operator that manages the distribution network for natural and green gas to almost six million homes and businesses across Northern Ireland, Scotland, and southern England. SGN not only provides the management of the gas network (the company owns and operates 74,000km of gas mains, including high-pressure [HP] pipelines), but also delivers an emergency service for gas safety and leakage. SGN needs to maintain a high level of customer service standards and reporting to the stakeholders and regulators while maintaining a cost-effective, insightful, data-driven operation.

SGN began a cloud transformation program in late 2016 to migrate its estate of corporate applications, including some of its mission-critical systems, such as asset management systems to Amazon Web Services (AWS) from their legacy data centers. The main drivers for SGN to use AWS are focused around four key areas: security, reliability, agility, and cost.

SGN also migrated mission-critical gas control operations applications to AWS. The gas control operation manages the flow of gas through HP pipelines, across SGN’s gas distribution network. The whole infrastructure is considered critical national infrastructure (CNI) because of its importance in providing gas supply to homes and businesses nationwide.

To manage these pipelines from the control rooms, SGN requires network connectivity to various workloads and applications across the SGN estate. It also needs network connectivity to third-party and regulatory entities involved in forecasting and transmission of gas across all gas distribution network operators (DNOs). SGN is one of four gas DNOs in the United Kingdom.

Network connection is required from the gas control rooms to multiple separate and isolated networks:

  • Management network: for access to management applications, such as asset management, workforce management, and collaboration tools.
  • Gas pipeline operations network: to monitor and control the gas pressure across the pipeline network, and for direct control of remote telemetry units (RTUs) – intelligent devices for managing sensors and actuators – through satellite and dial-up connections.
  • National Gas network: for National Gas to maintain oversight of SGN and the other gas distribution network operators, and for connectivity between supervisory control and data acquisition (SCADA) systems (a collection of software applications that control and manage industrial processes).

Figure 2. Network connectivity before migrating to AWS

When migrating gas control applications and operations to the cloud, it is imperative that network segmentation and isolation is maintained across the networks mentioned above. This protocol is in alignment with the National Cyber Security Centre’s Cyber Assessment Framework (NCSC CAF) guidance.

Protecting against cyber-attacks is a layered approach, from well-defined protection policies and processes to managing identity and access control to data, system, and infrastructure security. Each layer plays a role in protecting against, detecting, identifying, responding to, and recovering from cybersecurity risks. One such mechanism is a secure design that separates essential functions, networks, and systems.

The NCSC CAF guidance page on protecting against a cyberattack says that to build a secure design, you must verify that networks and information systems are segmented into the appropriate security zones.

Therefore, when designing the hybrid connectivity architecture in AWS, network segmentation and isolation had to be maintained from on-premises locations all the way to Amazon Virtual Private Cloud (Amazon VPC), a service that helps you define and launch AWS resources in a logically isolated virtual network.

Public VIF and AWS Site-to-Site VPN

Extending multiple networks in different route domains to AWS Transit Gateway – a service that connects Amazon VPCs, AWS accounts, and on-premises networks to a single gateway – requires associating attachments with different AWS Transit Gateway route tables. However, because of the transit virtual interface (VIF) configuration, an attachment through AWS Direct Connect – a service that creates a dedicated network connection to AWS – can only be associated with one route table on AWS Transit Gateway. One option to extend multiple routing domains to AWS Transit Gateway is to employ AWS Site-to-Site VPN, a fully managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. You can establish multiple AWS Site-to-Site VPN connections over AWS Direct Connect and associate different AWS Site-to-Site VPN attachments with different route tables on AWS Transit Gateway.

Establishing AWS Site-to-Site VPN connections over AWS Direct Connect previously required the use and configuration of a public VIF. When you establish a connection over a public VIF, AWS advertises the appropriate Amazon prefixes so that you can reach AWS public services using public IP addresses. For many customers with strict security and compliance requirements, this poses a challenge because they might not be able to use public IP addresses. In June 2022, AWS released a feature that provides the ability to establish AWS Site-to-Site VPN connections over an AWS Direct Connect transit VIF using private IP addresses. Nevertheless, the throughput of an AWS Site-to-Site VPN tunnel (both public and private) is 1.25 Gbps. Using equal-cost multipath (ECMP), dynamic routing, and multiple AWS Site-to-Site VPN connections, you can scale beyond the default maximum of 1.25 Gbps per tunnel. However, this approach is more complicated because customers would need to monitor and manage several connections instead of one.

Private VIF

A private VIF, with private IP addresses, can be used to access an Amazon VPC or multiple Amazon VPCs using Direct Connect. However, this setup wouldn’t facilitate integration with AWS Transit Gateway, and by extension, with many Amazon VPCs.

Transit VIF with AWS Transit Gateway Connect

AWS Transit Gateway Connect is an attachment type that facilitates the establishment of Generic Routing Encapsulation (GRE) tunnels between customers’ edge devices or virtual appliances and AWS Transit Gateway. This feature provides higher bandwidth compared to an AWS Site-to-Site VPN connection (5 Gbps per GRE tunnel, with a maximum of four GRE tunnels per Connect attachment). In addition, an AWS Transit Gateway Connect attachment lets you receive and advertise more prefixes than a Border Gateway Protocol (BGP) session over a transit VIF. You can send up to 1,000 routes to and receive up to 5,000 routes from an AWS Transit Gateway Connect peer. In comparison, on a transit VIF you can send up to 100 prefixes from on-premises to AWS and receive up to 200 prefixes per AWS Transit Gateway from AWS.

The AWS Transit Gateway Connect solution provides the ability to associate different Connect attachments (over transit VIF) with separate route tables on AWS Transit Gateway and to establish separate BGP peering through the GRE tunnels (BGP over GRE). The configuration and administration of these connections are much simpler than AWS Site-to-Site VPN. Below is the model SGN implemented to extend its various isolated networks to AWS cloud.

Figure 3. Network connectivity after migrating to AWS

For the detailed implementation of the solution, you can refer to the AWS blog on segmenting hybrid networks.

Resilience in network connectivity

When designing for resilience in hybrid connectivity with AWS Direct Connect, the AWS recommendation is to consider device and location redundancy. To achieve maximum resiliency for critical workloads, establish separate connections that terminate on separate devices in more than one location.

At SGN, delivering a safe and efficient service to keep the gas flowing is of the utmost importance. To this end, operation resiliency plays a major role. Gas control workloads and applications must always be accessible by the operators in gas control sites. SGN achieves this accessibility through redundant AWS Direct Connect links at different AWS Direct Connect locations. Running dynamic routing protocols and path prioritization, SGN makes sure that there are always backup network paths between the applications in their AWS VPCs and the control sites.

Figure 4. Resiliency in network connectivity with AWS

Network traffic inspection and security assurance

Apart from maintaining network segmentation and isolation across different route domains, SGN also requires network traffic inspection or deep packet inspection to enforce access policies in a multi-account AWS environment. Furthermore, SGN needs to validate and assess the effectiveness of security controls both at the network layer and application layer by conducting independent audits.

Traffic to and from the various gas control workloads is only allowed if the access policy grants it permission. This security measure can be achieved in AWS through a centralized or distributed model for firewall deployment. Customers can choose between AWS Network Firewall, which helps you define firewall rules that provide fine-grained control over network traffic, and third-party virtual appliances behind Elastic Load Balancing, which automatically distributes incoming application traffic across multiple targets and virtual appliances.

In the centralized deployment model, an inspection VPC is attached to the AWS Transit Gateway. You can learn more about these deployment models and approaches in the AWS blog posts about deployment models and centralized inspection architecture.
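The segmentation model described above (one Transit Gateway route table per isolated network, with the inspection VPC as the only attachment shared across domains) can be audited before it goes live. The following script is an added example, not SGN's or AWS's code: it takes a constructed route-table layout with placeholder attachment IDs, loosely shaped like the boto3 describe-transit-gateway-* responses, and reports any propagation that would leak routes from one isolated domain into another.

```python
"""Audit a Transit Gateway route-table layout for cross-domain route leakage.
Added example, not SGN's or AWS's code: each isolated network gets its own
route table that may only learn routes from its own attachments; the shared
inspection VPC of the centralised model is the one permitted exception."""

SHARED = {"inspection"}  # domains any route table may legitimately propagate

# Constructed mapping: attachment -> isolated network it belongs to (placeholder IDs).
ATTACHMENT_DOMAIN = {
    "tgw-attach-mgmt-connect": "management",
    "tgw-attach-mgmt-vpc": "management",
    "tgw-attach-ops-connect": "gas-pipeline-ops",
    "tgw-attach-ops-vpc": "gas-pipeline-ops",
    "tgw-attach-natgas-connect": "national-gas",
    "tgw-attach-inspection-vpc": "inspection",
}

# Constructed route tables. The ops table wrongly propagates the management
# VPC attachment, importing management prefixes into the operations domain.
ROUTE_TABLES = [
    {"TransitGatewayRouteTableId": "tgw-rtb-mgmt",
     "Associations": ["tgw-attach-mgmt-connect", "tgw-attach-mgmt-vpc"],
     "Propagations": ["tgw-attach-mgmt-connect", "tgw-attach-mgmt-vpc",
                      "tgw-attach-inspection-vpc"]},
    {"TransitGatewayRouteTableId": "tgw-rtb-ops",
     "Associations": ["tgw-attach-ops-connect", "tgw-attach-ops-vpc"],
     "Propagations": ["tgw-attach-ops-connect", "tgw-attach-ops-vpc",
                      "tgw-attach-mgmt-vpc", "tgw-attach-inspection-vpc"]},
    {"TransitGatewayRouteTableId": "tgw-rtb-natgas",
     "Associations": ["tgw-attach-natgas-connect"],
     "Propagations": ["tgw-attach-natgas-connect"]},
]


def table_domain(table, attachment_domain):
    """A route table's domain is the single domain of its associated attachments."""
    domains = {attachment_domain[a] for a in table["Associations"]}
    if len(domains) != 1:
        raise ValueError(f"{table['TransitGatewayRouteTableId']} spans {sorted(domains)}")
    return domains.pop()


def find_leaks(route_tables, attachment_domain, shared=SHARED):
    """Return (route_table, attachment, foreign_domain) for each propagation
    that would import routes from another isolated, non-shared domain."""
    leaks = []
    for t in route_tables:
        own = table_domain(t, attachment_domain)
        for att in t["Propagations"]:
            dom = attachment_domain[att]
            if dom != own and dom not in shared:
                leaks.append((t["TransitGatewayRouteTableId"], att, dom))
    return leaks
```

Run against the real account, the two dicts would be populated from the describe-transit-gateway-route-tables, -associations and -propagations outputs, and any non-empty result is a segmentation finding to fix before traffic is allowed.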

This critical national infrastructure design and implementation has been subjected to a series of security assurance tests that validate the existence and effectiveness of a wide-ranging set of security controls, including but not limited to workload- and user-based identity isolation, network micro-segmentation, network traffic inspection, and enhanced logging and monitoring.

Figure 5. Network traffic inspection through Inspection VPC

Conclusion

In this post, we explored SGN’s requirements for extending isolated networks into AWS through AWS Direct Connect and AWS Transit Gateway Connect as well as methods for achieving hybrid network segmentation. We explored the business requirements and assessed the options for delivering the most effective solution using AWS networking services. To get started with these kinds of services, visit the AWS home page to create an account.

Yashar Araghi

Yashar is a Senior Solutions Architect at AWS. He has over 20 years of experience designing and building infrastructure and application security solutions. He has worked with customers across various industries such as government, education, financial, energy and utilities. He has spent the last 5 years helping AWS customers design, build, and operate their cloud solutions that are secure, reliable, performant and cost optimised.

Adam Till

Adam is a Senior Cloud Infrastructure Architect at AWS.  He has over 10 years of experience designing and building infrastructure for systems in the Critical National Infrastructure domain. He has worked with customers across various industries including rail, automotive, media, financial, energy and utilities. He has spent the last 3 years helping AWS customers establish their cloud foundation and developing and securing their network infrastructure.

Frank de Atouguia

Frank is a Network Architect at SGN. He works on a wide variety of networking technologies helping SGN to migrate from legacy platforms to AWS technologies. Prior to SGN, Frank has worked in financial and IT consulting industries.