Networking & Content Delivery

Satellite communication on AWS: Thales cloudifies in-flight WiFi service

Amazon Web Services (AWS) has found widespread adoption in the satellite communication and aerospace sectors, serving not only as a platform for modernizing their overall IT infrastructure but also for delivering network connectivity solutions. One prominent example showcases how a leading satellite and aerospace company, Thales Avionics, used AWS to build a virtual data center connected to a ground station, enabling in-flight WiFi services over satellite communication. The reference architecture demonstrates the successful implementation of virtual internet points-of-presence (PoPs) by Thales InFlyt Experience (IFE) across various geographic locations, using the AWS global infrastructure footprint. By incorporating a cloud-native network appliance from Sandvine that’s fully compatible with the Amazon Elastic Kubernetes Service (Amazon EKS) environment, Thales achieved seamless interoperability with various AWS services. Thales demonstrated how AWS can facilitate the deployment of satellite communication infrastructure, enabling high-speed internet connectivity to aircraft in flight. The AWS scalable and distributed cloud platform, combined with specialized network appliances, enabled Thales to establish a robust and geographically dispersed virtual data center that seamlessly integrates with their satellite communication network.

Overview of Thales in-flight WiFi

As a leading company in the aerospace industry, Thales provides solutions to two out of three aircraft taking off in the world, and IFE serves more than 1.6 million passengers every day. Thales provides in-flight WiFi service through the In-Flight Connectivity (IFC) solution, using the high-level architecture depicted in Figure 1. The Thales IFC system consists of the onboard system on the aircraft (the Thales Onboard Platform, proprietary hardware and software that manages passengers' connectivity and related services), the satellite, the ground station, and the internet PoP (which includes the Thales Ground Platform), with satellite communication carrying the traffic between aircraft and internet. Traditionally, the internet PoP, or Thales ground platform, has been built in physical data centers. The connectivity service must manage bandwidth to optimize the quality of experience (QoE) for passengers, and it must prevent distributed denial of service (DDoS) attacks and other malicious activity. For this purpose, IP policy enforcement or firewall appliances are typically placed at each internet PoP site. More importantly, to support such services globally, service providers like Thales have to establish multiple physical data centers near ground stations in each geographic location.

Figure 1. High-level architecture for in-flight WiFi service

Reference architecture

Figure 2. Reference architecture for virtual internet PoP on AWS

Thales has been driving innovation in the aerospace industry by designing and migrating physical internet PoP data centers and appliances into the AWS Cloud. This virtual data center is referred to as a virtual PoP, or vPoP; it benefits from the global presence, scalability, and reliability of AWS for the applications running on the platform. Figure 2 shows the reference architecture, which follows the AWS Well-Architected Framework, meaning the solution is designed for high availability, cost efficiency, security, performance, and automation. In addition, the solution running on AWS is not a typical web-server type of application but a network appliance that provides transitive routing of user traffic between IFE service users and the internet. Based on the principles of the Well-Architected Framework and the transitive characteristics of networking solutions, the following key AWS services are used to implement this architecture.

  • AWS Direct Connect: In this use case, AWS Direct Connect provides a dedicated connection from the ground station to VPCs. Direct Connect provides a more consistent network experience than internet-based connections for the network between ground stations and VPCs. To ensure high availability, Direct Connect connections are established with multiple sites with two redundant links per site.
  • AWS Direct Connect gateway: An AWS Direct Connect gateway is a globally available resource that provides high availability and multi-AWS Region access. The Direct Connect connections from each site, with their two redundant links per site, terminate on the Direct Connect gateway.
  • Amazon Virtual Private Cloud (Amazon VPC): A VPC provides a virtual data center environment to host appliances for Thales' IFC solution. To maximize availability of the service, multiple Availability Zones are used. Multiple AWS Regions are used for global deployment.
  • Amazon Elastic Kubernetes Service (Amazon EKS) with Multus support: Amazon EKS is a managed service that eliminates the need to install, operate, and maintain your own Kubernetes control plane on AWS. In the IFC architecture, Sandvine container network functions (CNFs) operate as network function applications on EKS. The cloud-native characteristics of the Sandvine CNFs offer elasticity, scalability, and simplified orchestration of the solution. The Multus meta-CNI plugin is also used in EKS so that the CNF pods have separate network interfaces for serving user traffic.
  • AWS Transit Gateway: AWS Transit Gateway connects the Direct Connect connections from the ground stations to the VPCs while providing transitive routing capability. Transit Gateway acts as a highly scalable cloud router. In the IFC solution architecture, Transit Gateway routing plays an important role in the high-availability design. More specifically, as shown in Figure 3, failures detected by monitoring tools invoke an AWS Lambda function that updates the Transit Gateway route table. This redirects traffic to a healthy Availability Zone, or to an Availability Zone that still has healthy applications.
  • Amazon Virtual Private Cloud (Amazon VPC) NAT gateway with BYOIP: In this IFC solution, because the goal is to provide internet connectivity for service users during the flight, it is necessary to use Thales' public IP addresses instead of AWS public IPs (Elastic IPs). This is implemented with bring your own IP addresses (BYOIP) support in AWS: a BYOIP address can be configured on a NAT gateway, and a NAT gateway can have multiple public IP addresses attached. Using a NAT gateway prevents direct access from the internet to resources in private subnets, thereby enhancing the security posture of the solution.
  • Amazon VPC internet gateway and AWS Shield: An internet gateway provides a secure and managed connection for internet connectivity. In the case of vPoP on AWS for IFE service, Shield provides an additional layer of protection. This provides the first comprehensive defense against DDoS attacks at the edge of the public internet. These components of AWS contribute to enhancing infrastructure and networking layer security, in addition to other application and user layer security measures.

Figure 3. High-availability implementation using Transit Gateway route update API
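The failover step in Figure 3 (monitoring detects an unhealthy Availability Zone, a Lambda function repoints the Transit Gateway route) can be made concrete as follows. This is an added example, not Thales' or AWS's code: the route table id, CIDR, attachment ids, and the shape of the health-check result are constructed placeholders, while `replace_transit_gateway_route` is the real boto3 EC2 call. The function deliberately leaves the route untouched when no healthy attachment exists, rather than black-holing user traffic.

```python
"""Transit Gateway static-route failover for the vPoP (added example)."""

# Constructed placeholders standing in for the deployment's real identifiers.
ROUTE_TABLE_ID = "tgw-rtb-PLACEHOLDER"
USER_CIDR = "10.0.0.0/16"  # constructed: prefix routed toward the CNF appliances
ATTACHMENT_PRIORITY = ["tgw-attach-az-a", "tgw-attach-az-b"]  # constructed


def choose_target(current, health, priority=ATTACHMENT_PRIORITY):
    """Return the attachment the route should point at, or None to leave it.

    health maps attachment id -> True/False from the monitoring tools.
    Keep the current attachment while it is healthy (avoids route flapping);
    otherwise take the first healthy attachment in priority order. If nothing
    is healthy, return None: keeping the last-known route is preferable to
    black-holing all passenger traffic.
    """
    if health.get(current):
        return None
    for att in priority:
        if health.get(att):
            return att
    return None


def failover_route(ec2, current, health, rtb=ROUTE_TABLE_ID, cidr=USER_CIDR):
    """Repoint the static route if needed; return the new attachment or None."""
    target = choose_target(current, health)
    if target is None:
        return None
    # Real boto3 API: atomically replaces the static route for cidr in rtb.
    ec2.replace_transit_gateway_route(
        DestinationCidrBlock=cidr,
        TransitGatewayRouteTableId=rtb,
        TransitGatewayAttachmentId=target,
        Blackhole=False,
    )
    return target


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self):
        self.calls = []
    def replace_transit_gateway_route(self, **kwargs):
        self.calls.append(kwargs)
        return {"Route": {"DestinationCidrBlock": kwargs["DestinationCidrBlock"]}}


def lambda_handler(event, context=None, ec2=None):
    """Lambda entry point; event carries the current attachment and health map."""
    if ec2 is None:
        import boto3  # only imported when actually running inside Lambda
        ec2 = boto3.client("ec2")
    return failover_route(ec2, event["current_attachment"], event["health"])
```

Give the Lambda role only `ec2:ReplaceTransitGatewayRoute` scoped to the one route table, so a compromised or misfiring function cannot rewrite routing elsewhere.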

Other AWS services complete the construction of the entire IFC solution, such as Amazon DynamoDB, Amazon EventBridge, Amazon Route 53, Network Load Balancer, AWS Systems Manager, and Amazon CloudWatch, in addition to the key services listed previously, as represented in Figure 4. Thales' IFC solution took advantage of all these AWS managed services to achieve scalability and flexibility of service. For example, the running status of compute resources and container applications is collected and monitored through a CloudWatch dashboard. Network services such as Route 53 and Network Load Balancer (NLB) handle the control plane communication coming from the aircraft. NLB improves scalability and resiliency by distributing the load among multiple instances of backend services deployed across Availability Zones.

Route 53 manages domain names for the solution. The solution took advantage of the powerful routing capabilities to implement conditional DNS resolution, depending on the network to which an aircraft is connected, enabling transparent migration between networks.

Figure 4. Other AWS services to complete IFC solutions

Conclusion

Thales is leading innovation in aerospace IFC solutions by moving from physical PoP data centers to virtual PoPs (vPoPs) on the AWS Cloud, the first in the industry to do so, taking advantage of the global presence, scalability, and reliability of AWS. Key AWS services used include Direct Connect, Amazon VPC, Amazon EKS with the Multus CNI, Transit Gateway for transitive routing, a NAT gateway with BYOIP, and an internet gateway with Shield for DDoS protection. This cloud-native solution provides scalable connectivity throughput within a single Region and globally, flexibility to grow on demand, and the benefits of AWS managed services.

Replacing physical infrastructure by using AWS services enables Thales’ IFC to use its standard cloud practices such as automation, observability, and monitoring. By adjusting the cloud infrastructure based on the demand, Thales reduced the total cost of ownership by more than half while reducing the energy consumption for better sustainability.

For more information on Thales Avionics, follow us on LinkedIn and the Thales Blog.

About the authors


Yann Nicolas (Guest)

Yann Nicolas is Chief Cloud Solutions Architect at Thales Avionics and is currently located on the Space Coast of Florida, USA. With a deep passion for collaborating with in-house teams and partners to deliver exceptional value to customers through the power of the Cloud, he brings more than 15 years of diverse experience in software engineering, engineering management, and architecture. He has developed innovative products across a diverse range of domains, including In-Flight Entertainment, Smart Cities, social platforms, and banking.


Kenneth Sullivan (Guest)

Kenneth Sullivan is a Principal Site Reliability Engineer with Thales Avionics and is based on the Space Coast of Florida, USA. In his role he provides architecture guidance on application modernization, cloud-native patterns, and observability best practices. He has spent close to ten years developing scalable applications and services and automating infrastructure deployments in the avionics sector.


Chakri Botlaguduru (Guest)

Chakri Botlaguduru, Senior Director of Cloud R&D at Sandvine, leads the architecture and development of Cloud initiatives of Sandvine across AWS, GCP, and OpenShift.


Seshu Dommaraju (Guest)

Seshu Dommaraju, Vice President of Software Development at Sandvine, spearheads global product development initiatives, crafting innovative solutions for Enterprise and Telco markets and specializing in AI/ML, Analytics, Security, and Cloud technologies.


Sebastien Maugeais

Sebastien is a Solutions Architect at AWS France, working with Manufacturing customers to help them adopt Cloud services and partner solutions to transform their businesses. Before joining AWS, he spent more than 10 years on Infrastructure and Cloud transformation projects at a System Integrator.

Dr. Young Jung

Dr. Young Jung is a Principal Solutions Architect in the AWS Worldwide Telecom Business Unit. As a specialist in the telco domain, his primary focus and mission are to help telco Core/RAN partners and customers design and build cloud-native NFV solutions on the AWS environment. He has deep expertise in leveraging AWS services and technologies to enable telco network transformation, particularly in the areas of AWS Outposts for telco edge service implementation. Dr. Jung works closely with telco industry leaders to architect and deploy innovative cloud-based solutions that drive efficiency, agility, and innovation in the telecommunications sector.