Demystifying AWS Data Transfer services to build secure and reliable applications

For cloud users, evaluating data transfer services can be complex, especially when the internal engineering that manages security and delivers high availability and low latency is often abstracted. We are starting a series of posts intended to demystify AWS Data Transfer services and to clarify exactly what Amazon Web Services (AWS) users get when they use the AWS Global Network Infrastructure to transfer data between AWS Regions and/or out of AWS altogether. In this first entry in the series, we explain how a byte travels from the AWS global network infrastructure to the internet, known as data transfer out to the internet (DTO). We also briefly discuss a few of the topics that we will dive deeper into in future entries, enabling customers to build more secure, performant, and resilient applications on the AWS Global Infrastructure.

What does it mean to transfer data on the world’s largest and most advanced global network?
AWS has the largest global infrastructure footprint of any provider. As of November 30, 2024, this includes 34 AWS Regions, 108 Availability Zones (AZs), and over 700 points of presence (PoP) with announced plans for six new Regions and 18 more AZs. Refer to AWS Global Infrastructure for the most up-to-date information. The following map shows the reach and scale of the AWS network, as well as how it connects different cities, countries, and regions throughout the globe. Furthermore, AWS has invested in a network purpose-built for the cloud, and our experience in building and operating this global network infrastructure has enabled us tailor it to meet our users’ high performance and availability needs.

Figure 1: AWS Global Network Infrastructure connects all regions and points of presence globally

Cloud providers’ private networks, which are a combination of third-party and proprietary connectivity solutions, connect their infrastructure and run operations. This approach is conceptually similar to how some other industries such as banking, transportation, and utilities use private networks to link their IT infrastructure and manage operations.

AWS has the largest private network, connecting all its regions, availability zones, and edge locations. This network is built on AWS-designed hardware and software, covering the entire path from cloud resources like Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon Simple Storage Service (Amazon S3) to external network egress points. At its core, data transfer is a foundational service for cloud applications, enabling users to connect critical business functions, deliver content to end-users, and facilitate systems that depend on moving data from point A to point B. However, some users view data transfer services as equivalent to local IP transit services. With the AWS global network, data transfer out (DTO) remains on the AWS dedicated network for as much of the path as possible, not on the public internet.

To illustrate, AWS first carries data through its datacenter and regional network, delivering packets as close to the end user as possible. For users in different geographical locations, these packets travel over the AWS network backbone, which interconnects AWS Regions and Points of Presence (PoPs) via long-haul terrestrial fiber and sub-sea cables. For last-mile connectivity to deliver data to the end user, AWS partners with nearly 5,000 other networks globally (IP Transit, Internet Exchange, Peering). IP transit services (also known as “bandwidth”) alone don’t provide users with the ability to scale up quickly, securely, and reliably. AWS has built a global network that is meant for the cloud, which means all AWS users have access to premium data transfer services by default, and all AWS users, large and small, benefit from greater security, performance, and availability to support their applications. Collectively, across all PoPs, AWS has enough fiber to travel to the moon and back eight times.

Security

At AWS, security is our top priority, and we foster an internal culture around security as a business imperative. We designed AWS from its foundation to be the most secure way for our customers to run their workloads. We want users to build applications on AWS knowing that the network is built to monitor, detect and mitigate sophisticated and ever-evolving security threats. One example is AWS Shield, which sets a high bar with regard to distributed denial of service (DDoS) protection services. AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signature detection rules, anomaly detection algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Standard also employs built-in, automated mitigation techniques giving underlying AWS services protection against common, frequently occurring infrastructure attacks. Furthermore, it applies these mitigations inline to protect AWS services, so that there is minimal impact to latency. All AWS users benefit from AWS Shield Standard at no extra cost. AWS Shield Advanced provides more detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS Web Application Firewall (AWS WAF), a web application firewall, at an extra cost.

AWS Shield is one aspect of how AWS secures its global network infrastructure. AWS constantly investigates existing and potential future security threats. In a future entry, we will discuss how AWS is the largest implementation of Resource Public Key Infrastructure (RPKI) and Route Origin Authorization (ROA) to enhance security further.

Performance

AWS offers multiple options for users to increase the performance of their data transfers. Amazon CloudFront, the AWS content delivery network, operates in over 600 globally dispersed PoPs (refer to AWS Global Infrastructure for the most up to date info). Furthermore, it enables customers to get their content closer to end users to deliver low-latency experiences for live events, on-demand video, and other latency sensitive use cases. AWS Global Accelerator terminates TCP connections from clients at AWS edge locations and, almost concurrently, establishes a new TCP connection with your endpoints. This gives clients faster response times (lower latency) and increased throughput. AWS Direct Connect provides private connectivity, which enables users to build hybrid networks composed of AWS and on-premises resources. AWS Direct Connect allows user network traffic to remain on the AWS global network and never touch the public internet, which reduces costs, increases bandwidth, and provides a more consistent network experience than internet-based connections.

Amazon CloudFront, AWS Global Accelerator, and AWS Direct Connect are premium data transfer services that deliver value for users with performance demanding applications. However, AWS Data Transfer Services make sure that all AWS users benefit by default from the explorative and industry leading technologies that AWS network engineers are developing. AWS is continuously looking at new techniques to optimize how traffic moves across our network. For example, AWS is inventing new routing and encapsulation schemes and protocols that dictate how traffic moves across our network. AWS deployed controllers in its border network that prevent congestion by proactively balancing traffic across installed peer capacity while simultaneously finding the lowest latency paths, making sure that traffic remains on the lowest latency path possible. Although AWS users may not be aware of the quick routing decisions and actions, they recognize the consistent performance of the AWS network in supporting their applications. AWS aims to provide a seamless and high-performance experience for its customers, meaning that data on our network isn’t subject to “internet weather” or high latency, high loss events from other external carrier’s networks. AWS controls the data flow similarly to how Amazon Fulfillment controls package delivery through the whole process to provide a positive user experience.

In a future entry focused on the performance of the AWS global network infrastructure, we will discuss, how explorations in router and network controllers are improving the delivery of user data over the AWS Global Network Infrastructure.

Availability

Users depend on AWS to be there when they need us. AWS builds its AWS Regions, AZs, and data centers to make sure of the highest level of availability. The concept of AZs, one or more discrete data centers with independent and redundant power infrastructure, networking, and connectivity in a Region, was born out of the AWS commitment to high availability standards. They are designed not to be simultaneously impacted by a shared fate scenario, such as utility power, water disruption, fiber isolation, earthquakes, fires, tornadoes, or floods. Common points of failure, such as generators and cooling equipment, aren’t shared across AZs and are designed to be supplied by independent power substations. AZs are, at their core, meant to both promote the availability of AWS resources as well as limit the risks that would be shared if resources were collocated.

We take the same approach to building our global network infrastructure. All AWS Regions use multiple geographically diverse paths and devices to provide physical diversity and redundancy for network connectivity. If a network experiences a period of lower availability, then the application it supports won’t perform well, and the applications owners may have to divert their precious attention toward network troubleshooting. AWS has made significant investments in increasing our long-haul terrestrial fiber networks. This is similar to the investments we have made in AWS Regions with multiple AZ footprints. We continue to invest in submarine cable systems to expand our connectivity between AWS global locations. Since 2020, AWS has deployed millions of miles of further terrestrial fiber and subsea cables to expand the AWS global network infrastructure. This improves the network’s redundancy, making sure of continued performance and availability. Building an expansive and global network backbone needs a deep understanding of the actual physical infrastructure. This includes understanding end-to-end latency, how the path is physically routed, as well as the potential hazards on the path. Another key part is understanding fiber path diversity, which we track by precisely identifying links that share physical paths (also known as Shared Risk Link Groups (SRLGs)) and planning redundancy to account for the fact that they share the same fate, and disruptions likely affect all of them. For example, SRLGs exist when multiple paths go under the same sidewalk in a city or cross each other at an intersection. It is critical for us to understand the underlying topology to identify and mitigate risks associated with SRLGs. By building redundancy into every span of the network, we can make sure that when one span is impacted by an event (for example when a fiber cut), our customers continue to operate without seeing interruption. These investments provide us with the flexibility to custom tailor our network to connect to places of our choosing, allowing a more efficient network topology.

In a future entry, we discuss, among other things, how AWS has influenced the industry to develop and deploy 6,912 count fiber optic cable to increase our network capacity while reducing our physical footprint.

Cost

Over the years, AWS has invested billions of dollars to build and continually operate and improve this premium network. We’ve also extended the global network infrastructure into new regions and countries, and in the process increased the number of interconnects and grown the amount of bandwidth available to users. We deployed out a new platform that allows us to natively interconnect with our internet peers and exchanges at 400 Gigabit Ethernet (GbE), which promotes a more reliable, efficient, and durable connection with our peers. That being said, interconnect costs are a small portion of our total data transfer costs in most regions. In addition to network equipment costs, AWS incurs expenses for transferring data across its dedicated network, such as costs for its network infrastructure/backbone, data center facilities, power consumption, cooling systems, and maintenance operations. We pride ourselves on the fact that, despite the significant investments AWS has made to grow and expand its global network infrastructure, we have never raised the public rates for any of our data transfer services.

AWS charges users for use of our dedicated network when transferring data, based only on the amount of data a user chooses to transfer, and the location to and from which the data is being transferred. In 2023, AWS delivered hundreds of exabytes of DTO to the internet on behalf of users, and we have taken actions to make these data transfers more affordable. In 2021, AWS announced the expansion of the free tier from 1 GB to 100 GB for DTO from AWS Regions (we also expanded the free tier for CloudFront from 50 GB to 1 TB). With the 100 GB DTO free tier, 94% of AWS accounts pay nothing for DTO on their monthly bill. In addition, this year, we announced free DTO for customers that want to migrate off AWS to other cloud providers or to on-premises resources to support user choice. Ultimately, AWS data transfer pricing reflects the previously mentioned cost of the network investments that AWS makes in equipment and network backbone to provide a highly secure, performant, and available network that scales to user workloads.

Conclusion

If you can’t tell, we are excited about the AWS Global Network Infrastructure, and how it helps our customers deploy more secure, resilient, and performant applications on AWS. In this entry, we barely scratched the surface regarding the innovation that AWS is deploying with its global network infrastructure, but we hope that it sheds some light on how the global network infrastructure supports AWS Data Transfer services and enables AWS users to reliably scale their applications in the cloud. We are excited to share more with you about the AWS Global Network Infrastructure through this series. Next month, check out our next entry in this series that will focus on how the AWS Global Network Infrastructure secures network traffic for our user’s most critical workloads. In the meantime, learn more about the AWS Global Infrastructure.

About the author