
How to Network Your Smart Store to AWS

The emergence of Amazon Web Services (AWS) Smart Store solutions has opened up a new world of possibilities for retailers. In order to take full advantage of these solutions, retailers need to optimize their network infrastructure. As retailers increasingly digitize their operations and move more services to the cloud, security and network infrastructure become major contention points. Managing thousands of endpoints, ensuring security compliance, and providing fast and secure access to the cloud for all stores are just some of the challenges that retailers face. These challenges can be especially daunting for retailers with large store networks spread across the globe.

Fortunately, there is a solution to these challenges—consolidating and centrally managing network and security infrastructure using AWS. By building a global or nationwide network backbone and attaching leaf nodes for stores and business centers, all managed by AWS, retailers can connect thousands of stores across the globe into AWS using AWS Cloud WAN. This approach not only provides low-latency and secure connections, but also centralizes security management and monitoring and enables consistent security policies across all stores. With a centralized management system in place, retailers can achieve compliance with security regulations, streamline their operations, and reduce costs by managing their network infrastructure from a central location without the need for on-site IT staff at every store.

By optimizing their network infrastructure and leveraging AWS Smart Store solutions, retailers can enhance their customers’ in-store experience while improving their bottom line. For example, they can use real-time data analytics to personalize the shopping experience, create new revenue streams by integrating online and offline channels, and optimize their supply chain operations. In addition, retailers can leverage AWS’s machine learning capabilities to automate inventory management, optimize store layout and staffing, and even detect and prevent theft.

The possibilities are endless, but it all starts with a solid network infrastructure and a reliable cloud provider.

Store Requirements

Most retail stores have an IT footprint that is managed by a remote IT team. This includes the following:

  • Retail IT hardware: This category includes devices typically found in the store such as servers, employee PCs, Point-of-Sale (POS) components, Digital Signage, and security devices like cameras.
  • Retail IT software: This category includes operating systems in servers and PCs, productivity software, ERP software, Communications applications, loyalty applications, ecommerce, business applications, and order management software.
  • Retail IT services: This category includes support services, hardware and software management, installations/change management, disaster recovery, custom software integrations/development.

All of the above items have a per-store cost that adds up when you are looking at over 500 stores across the USA. For some retailers, this number increases significantly with thousands of stores worldwide.

IT Component                                          Average Percentage Cost for 500 Stores
Computer PC                                           5%
Firewall/Router/Switch                                2%
Phone System                                          6%
DID Lines                                             7%
Servers (Windows DC, SQL)                             4%
Application maintenance/upgrades
  (POS, Scheduling, Inventory, email, vendor apps)
Broadband Connection                                  3%
IT Maint Contract @ 40 hrs/month                      52%
Data Storage/Backup                                   1%
Total                                                 For some retailers this could be ~$80M

Table 1 – Retail Store IT Costs (Hardware, Software, Services)

With IT spending continually increasing year-over-year for most retailers, a number of these services can be consolidated on AWS to reduce cost and allow for spending on customer experience. Managing this infrastructure can be challenging, especially when dealing with a large number of stores spread across different regions. Ensuring that all hardware and software are up-to-date, secure, and functioning properly can be a daunting task for IT teams.

In addition to the challenges of managing the IT infrastructure, retailers must also ensure that their store networks are reliable, secure, and can support the increasing demand for cloud-based services. With the rise of ecommerce, customers expect a seamless experience across all channels, and retailers must be able to deliver this experience in their physical stores as well. This requires a robust and scalable network infrastructure that can support multiple applications and services, including real-time inventory management, customer analytics, and personalized marketing. By consolidating and centrally managing network and security infrastructure using AWS, retailers can overcome these challenges and deliver a seamless and personalized shopping experience to their customers.

Moving physical store services to AWS will provide the following benefits along with cost reductions:

  1. Centralized security
  2. Centralized internet access reducing points of intrusion
  3. Shared resources for depreciating assets such as phone system/phone lines
  4. Secure desktop appliance with Virtual Desktop Infrastructure (VDI) solution (minimal terminal at stores)
  5. Disaster recovery solution across all stores
  6. Cross store inventory management
  7. Reduced IT labor costs
  8. Deployment of store solutions

Solution Overview

The Smart Store Networking and Infrastructure solution connects all stores to AWS either through a Direct Connect with partners or using a Software-Defined Wide Area Network (SD-WAN) appliance. Each store should have at least two connections to AWS for redundancy. The hardware components for scanning items, payment processing, printing receipts, and terminals at the stores can be connected to AWS services through private connections.

All store software should be deployed in the closest AWS regions for operational support, eliminating the need for servers and per-store maintenance. Payment positions will be equipped with zero client monitors connecting to AWS virtual desktop infrastructure solutions, allowing store applications to communicate with cloud ERP and POS systems, providing higher resiliency and disaster recovery capabilities. The Private Branch Exchange (PBX) service can be consolidated into two regions in the United States using open-source solutions like Asterisk or Sipxcom, integrating it with Amazon Connect for a seamless customer experience.

AWS Network Infrastructure

The AWS network infrastructure will be built using AWS Cloud WAN, with a Cloud Network Engine (CNE) deployed in each of the four US regions: us-east-1, us-east-2, us-west-1, us-west-2. This will allow the Direct Connect locations associated with the four regions to route traffic to Amazon Virtual Private Clouds (Amazon VPC) across AWS regions.

Within AWS Cloud WAN, segments can be created to group traffic rules for stores in each geographic region and their associated Amazon VPC workloads. This simplifies managing internet traffic and redundant workloads, and allows network traffic to be segmented based on application and business requirements, such as a VOIP segment for communication traffic, a Dev segment for developing and testing applications, and a production segment for business applications. This grouping of stores in geographic segments also allows for different services based on region-specific needs.

For security architecture, an egress Amazon VPC will be set up at each region to handle internet in/out traffic for all stores. The egress Amazon VPC will include inspecting traffic using firewalls deployed in redundant configurations, ensuring a high level of security for the network infrastructure.

Figure 1: Reference Network Architecture

Stores Connectivity to AWS

Each store across a retailer’s network should have a minimum of two fiber connections to two different AWS Direct Connect (Direct Connect) locations, selected based on proximity and network provider servicing. Tertiary backup connections using virtual private network (VPN) to AWS Cloud WAN can be set up using 5G or broadband (BB). The stores will not have direct internet access, with any routes pointing to AWS over Direct Connect or VPN. To connect to the AWS Direct Connect service provider, there should be a local router or switch at each store, and it is recommended that the two Direct Connect connections be terminated at different Points of Presence (PoPs).

To manage route priority for multiple Direct Connect connections and VPN backups, Border Gateway Protocol (BGP) should be used at the local router, following AWS best practices. Each Direct Connect connection should be 1G from store to Direct Connect location, with the Direct Connect location bandwidth to AWS at 10G based on the number of stores and bandwidth required. To ensure packet throughput, over-provisioning the bandwidth is recommended. AWS Direct Connect does not manage packet priority and Quality of Service (QoS), so all packets should be Differentiated Services Code Point (DSCP) marked and prioritized at the source; the DSCP markings will be passed through to the destination. If bandwidth and Classless Inter-Domain Routing (CIDR) planning are in place, stores can first connect to AWS using SD-WAN before adding Direct Connect connections.

Hybrid Connectivity Model

Not all stores will require the same connectivity model. Stores can be categorized into metropolitan areas, suburb areas, and rural areas. Each of these categories may have different connectivity options and bandwidth needs.

For store connectivity to AWS, a hybrid approach is available that uses SD-WAN for the last mile to a customer-managed switch/router at the local Direct Connect location for the store. This method provides better performance over shorter distances and reduces latency. At the Direct Connect location, SD-WAN connections can be aggregated to connect directly to AWS Cloud WAN.

For stores in suburban regions using broadband circuits, the aggregation of store connections can also be done at the local zone. A virtual SD-WAN appliance can be deployed in the local zone to extend the SD-WAN network into a local AWS location for connection to AWS Cloud WAN. Overall, this hybrid approach allows for efficient store connectivity to AWS.

Each of the connection models should be tested for best fit based on performance and latency requirements.

Figure 2: Hybrid Connectivity

Store Internet Access

Some stores may not have direct Internet access. Any traffic destined to the internet will be sent to the egress Amazon VPC over Direct Connect. Firewall policies are applied to the internet traffic at the egress Amazon VPC based on configured rules. Egress Amazon VPCs are set up in each AWS Region, and traffic is directed to the egress Amazon VPC using the route tables at each segment.

Utilizing this model will reduce the number of firewalls that will need to be managed to a total of four sets. Egress Amazon VPCs will be connected to the shared services segment within AWS Cloud WAN.
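The egress design above only holds if every store-facing segment's default route actually lands on an inspected egress attachment. The following is an added example, not code from the original article: it lints a Cloud WAN core network policy document for that property. The policy fragment, segment names and attachment IDs are constructed, and exempting the shared services segment (where the egress VPCs attach) is an assumption.

```python
# Added example: policy, segment names and attachment IDs are constructed.
DEFAULT_ROUTE = "0.0.0.0/0"

# Attachments of the inspected egress VPCs (constructed IDs).
EGRESS_ATTACHMENTS = {"attachment-0aaaaaaaaaaaaaaa1", "attachment-0aaaaaaaaaaaaaaa2"}

# Constructed fragment of a Cloud WAN core network policy document.
POLICY = {
    "version": "2021.12",
    "segments": [
        {"name": "production"}, {"name": "voip"},
        {"name": "dev"}, {"name": "sharedservices"},
    ],
    "segment-actions": [
        {"action": "create-route", "segment": "production",
         "destination-cidr-blocks": [DEFAULT_ROUTE],
         "destinations": ["attachment-0aaaaaaaaaaaaaaa1"]},
        # Misconfiguration: default route lands on a workload VPC, not egress.
        {"action": "create-route", "segment": "voip",
         "destination-cidr-blocks": [DEFAULT_ROUTE],
         "destinations": ["attachment-0bbbbbbbbbbbbbbb9"]},
        # "dev" has no default route at all.
    ],
}


def audit_default_routes(policy, egress_attachments, exempt_segments=()):
    """Map each non-exempt segment to the reason its internet path is wrong."""
    egress = set(egress_attachments)
    routes = {}  # segment name -> destinations of its 0.0.0.0/0 routes
    for action in policy.get("segment-actions", []):
        if action.get("action") != "create-route":
            continue
        if DEFAULT_ROUTE in action.get("destination-cidr-blocks", []):
            routes.setdefault(action["segment"], []).extend(action.get("destinations", []))
    findings = {}
    for segment in policy.get("segments", []):
        name = segment["name"]
        if name in exempt_segments:
            continue
        destinations = routes.get(name, [])
        stray = sorted(set(destinations) - egress)
        if not destinations:
            findings[name] = "no default route"
        elif stray:
            findings[name] = "default route bypasses egress: " + ", ".join(stray)
    return findings


if __name__ == "__main__":
    result = audit_default_routes(POLICY, EGRESS_ATTACHMENTS, ("sharedservices",))
    for seg, problem in result.items():
        print(f"{seg}: {problem}")
```

Running a check like this against each proposed policy version before it is applied catches a segment that has silently lost its inspected path to the internet.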

Figure 3: Store Connectivity

Multi Cloud Interconnection

For workloads that are deployed at other cloud providers such as Azure, GCP, SAP, and so on, a Retailer will need a Direct Connect connection to the transit point where that cloud provider has presence. It is recommended to use Direct Connect locations that support multi-cloud connections.

In order to set this up, a Retailer has two options:

  1. Set up a colocation rack at the Direct Connect location with a router that will interconnect the AWS Direct Connect connection and other cloud connections and manage the routing.
  2. Work with a Direct Connect partner that supports multi-cloud.

For both options, we need to ensure that IPv4 CIDR block ranges do not overlap and that routing rules in AWS Cloud WAN are set up accordingly to direct traffic to the multi-cloud Direct Connect location.
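One way to check the non-overlap requirement across store, Amazon VPC and other-cloud ranges before any routes are exchanged is shown below. This is an added example, not part of the original article; the address plan and its names are constructed. It uses a sorted sweep rather than pairwise comparison so it stays fast with thousands of store prefixes.

```python
import ipaddress

# Constructed address plan: names and ranges are illustrative only.
ADDRESS_PLAN = {
    "store-0001": "10.10.1.0/24",
    "store-0002": "10.10.2.0/24",
    "vpc-prod-us-east-1": "10.64.0.0/16",
    "egress-vpc-us-east-1": "10.127.0.0/24",
    "other-cloud-vnet": "10.64.128.0/20",  # collides with vpc-prod-us-east-1
    "other-cloud-erp": "172.20.0.0/16",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose IPv4 CIDR blocks overlap.

    strict=True rejects entries with host bits set (e.g. 10.0.0.1/24), which
    are usually typos in an address plan, by raising ValueError.
    """
    nets = sorted(
        ((ipaddress.IPv4Network(cidr, strict=True), name) for name, cidr in plan.items()),
        key=lambda item: (int(item[0].network_address), item[0].prefixlen),
    )
    overlaps = []
    active = []  # earlier networks whose range may still cover later ones
    for net, name in nets:
        # Drop networks that end before this one starts.
        active = [(n, nm) for n, nm in active
                  if n.broadcast_address >= net.network_address]
        # CIDR blocks either nest or are disjoint, so every survivor contains
        # this network's first address and therefore overlaps it.
        for _, other_name in active:
            overlaps.append(tuple(sorted((other_name, name))))
        active.append((net, name))
    return sorted(overlaps)


if __name__ == "__main__":
    for a, b in find_overlaps(ADDRESS_PLAN):
        print(f"overlap: {a} <-> {b}")
```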

At each region where the multi-cloud Direct Connect connection is configured, it is recommended to create a transit Amazon VPC with firewall inspection for any routes to and from the multi-cloud connection. This Firewall is separate from the egress firewall.

Note: Multiple Direct Connect locations can be used to connect to other cloud providers if needed based on partner support for the other cloud provider.

Edge Firewall Design

The following Firewalls are recommended for this architecture:

  • AWS Network Firewall – The AWS Network Firewall is deployed in an egress Amazon VPC for all outbound traffic initiated within AWS. Outbound traffic and response traffic will be inspected based on configured policies. AWS Cloud WAN can be configured to direct all Amazon VPC traffic through the egress Amazon VPC.
  • Multi-Cloud Amazon VPC firewall – This firewall will be used for any traffic traversing AWS to other cloud provider connections. One pair is set up at each region as active/standby.
  • AWS WAF with AWS Shield – This firewall will be used for any web traffic coming into retail web servers for web applications. This includes any third-party software as a service (SaaS) applications that require external maintenance.

Using a centrally managed firewall manager is recommended and should be deployed across multiple regions for high availability and disaster recovery.

Local Zone Connections

Local Zones for future workloads can be supported for sub-millisecond latency if needed. When a local zone is used, the Amazon VPC from the region for that store can extend compute and storage resources to the local zone. As more services are supported in the future, those services can be utilized at the local zone. Using Direct Connect, the store's network routing can be extended directly to the local zone without having to go back to the region.

Each workload will need to be analyzed to ensure the local zone is the right fit.

Smart Store Applications

Smart store applications have both an in-store component and a cloud-based component that need to interact. For example, with camera vision and artificial intelligence and machine learning (AI/ML) processing to drive interactive stats, the AI components with the hardware may be in-store, while the data analytics and presentation will be in the cloud. That said, stores are moving away from housing bulky hardware and servers in the store; they would rather free up space for selling merchandise. Much of this low-latency, critical software can be deployed in local zones close to where the stores are located. Utilizing the network architecture as described in this document will allow stores to offload this work. From the local zones, the data can be processed in the AWS region without having to use critical bandwidth at the store.

Security for the communication between the store and the local zone can be achieved through Direct Connect using a private network to the local zone, or by encrypting the traffic using SD-WAN-based appliances in the store that create secure tunnels to virtual appliances in the local zone. Another consideration is traffic priority. When supporting multiple smart store solutions such as computer vision, RFID, Smart Kiosks, robotics, VOIP, and so on, quality of service becomes a critical need. There will come a time when the store bandwidth needs exceed the broadband uplink capacity. Using an overlay of SD-WAN with Direct Connect will allow network engineers to add policies that prioritize traffic based on business needs. This architecture supports enabling smart store capabilities.


In conclusion, the AWS network infrastructure and connectivity options for retail stores have been carefully designed to provide high-performance and reliable connectivity to the cloud. With various options for connectivity, including AWS Direct Connect, SD-WAN, and a hybrid approach, retail stores can choose the option that works best for them. Additionally, by utilizing AWS services and best practices, stores can reduce the need for on-premises hardware and maintenance, while improving their security and resiliency.

Overall, this network infrastructure and connectivity solution provides a scalable, flexible, and efficient way for retail stores to connect to the cloud and support their business operations.

Contact an AWS Representative to know how we can help accelerate your business.

Further Reading

Related resource:
AWS cloud solutions for retail

Ameel Kamboh

Ameel Kamboh is a Senior Solutions Architect at AWS with a background in building 9-1-1 networks globally. With 28+ years of experience in networking and building complex applications, Ameel has focused his designs on High Availability and scalability. At AWS, Ameel has broadened his scope in the retail enterprise sector, leading innovative solutions to customers bringing the art of the possible.

Chris Sereno

Chris is a Solutions Architect at AWS with a background in network analysis. He is passionate about helping customers deliver performant and reliable applications. In his spare time, he enjoys creating music with his keyboards.

Justin Swagler

Justin Swagler is worldwide head of Physical Retail at AWS, where he leads the global strategy and thought leadership for physical retailing. Justin has 15+ years of consumer packaged goods, retail, and strategy experience spanning innovation strategy, retail operations, product development, and executive leadership. He is passionate about shepherding organizations to strategically innovate and reinvent consumer experiences. He holds an undergraduate degree from the University of Illinois at Urbana-Champaign and an MBA from the Kellogg School of Management.

Rahul Nammireddy

Rahul is a Senior Solutions Architect at AWS who focuses on guiding digital native customers through their cloud native transformation. With a passion for AI/ML technologies, he works with customers in industries such as retail and telecom, helping them innovate at a rapid pace. Throughout his 23+ year career, Rahul has held key technical leadership roles in a diverse range of companies, from startups to publicly listed organizations, showcasing his expertise as a builder and driving innovation.