Lessons learned from Intelsat’s successful domain migration with AWS

Intelsat operates one of the world’s largest integrated satellite and terrestrial networks and is a leading provider of in-flight connectivity (IFC), powering inflight internet for 23 commercial airline partners and nearly 3,000 aircraft.

Intelsat expanded its service offerings with the acquisition of Gogo Commercial Aviation in 2020 and subsequently integrated Gogo to create Intelsat Commercial Aviation. In 2022, Intelsat collaborated with Amazon Web Services (AWS) to complete the post-acquisition domain migration from Gogo without impacting inflight experiences and other operations. This blog post shares the lessons learned from Intelsat’s successful domain migration with AWS.

Domain migration challenges

Intelsat and Gogo technical teams faced a number of post-acquisition integration challenges, like converting the brand and domain names of customer-facing applications from Gogo to Intelsat while ensuring uninterrupted in-flight experiences for airline customers and onboard resource availability for flight crews.

Additionally, the acquisition occurred during the global COVID-19 pandemic, which negatively impacted domestic and international travel. For Intelsat and Gogo, the pandemic impacted availability of technical resources needed to support the domain migration.

Changing domain names in the domain name system (DNS) while continuing to deliver consistent and reliable inflight experiences is not a recurring technical activity. As a result, there were no migration blueprint plans available to use as templates for on-premises applications and integrating domain names on AWS. To accomplish the domain migration without interruption, the new and old domains had to work simultaneously in order to maintain seamless operations for in-flight services. Furthermore, the high level of interdependency between applications required a DNS change and migration strategy for each AWS resource type. To accomplish this, Intelsat utilized their AWS account team and AWS Enterprise Support’s cloud domain expertise to identify the AWS resources that required a DNS change and establish a migration strategy for each AWS resource type.

Once the new domains were determined, both the Gogo and Intelsat Commercial Aviation domains were used simultaneously to access the applications through the Classic Load Balancer. This was achieved by using a Subject Alternative Name (SAN) certificate, which simplified certificate management by enabling multiple domains to be authenticated using a single certificate. A key aspect of simplifying the certificates using a SAN certificate is that it provided a solution for integrating with the Classic Load Balancer. Since a SAN certificate contains multiple domains in one certificate, each domain is validated by the authoritative domain owners by publicly hosting DNS validation records that prove authority and ownership.

Once the applications that used Gogo domains were moved to either Intelsat or Gogo/Intelsat SAN certificate, the developers updated the code only with Intelsat domains. After moving the known parts of the applications to the new domains, they focused on any ancillary calls still using the old domain by examining logs, then locating and updating the ancillary references to use the new domains.

Route 53 zones and records with old and new domains

Intelsat used Amazon Route 53 which hosted the zone and DNS records for old and new domains. Additionally, Route 53 was used for internal DNS for communication between the aircraft, Intelsat’s ground network, and AWS-hosted applications.

Prior to handing off the zones to Gogo, Intelsat reviewed each DNS record to determine if there was a valid AWS resource and if the resource was still in use. A best practice in testing to confirm if a DNS record is in use or not, is to nullify the record by prefixing it with a null character in Route 53. The null character disables the record, with an easily revertible change if the record is still being used.

As part of the agreement between Intelsat and Gogo, Intelsat released ownership of the Route 53 public records to Gogo by providing a copy of Route 53 zone files. This allowed Gogo to begin resolving domain names for their applications and Intelsat to start their migration of more than 70 applications to Intelsat’s domain names.

Route 53 query logging also helped Intelsat effectively identify whether the applications were being accessed using the old Gogo domain name. Once Gogo had taken ownership of the Route 53 zones, Intelsat and Gogo worked collaboratively to verify if the old public Gogo records were still being accessed. Intelsat identified and updated DNS records in Route 53 so that the new domain resolved to the correct resources.

Other domain migration tips

Although the domain migration involved more than 70 applications, there are a few AWS services and technical concepts that should be considered for anyone working through a similar technical project.

• Ensure that single sign-on (SSO) is integrated with the new domain name
• Update identity and access management (IAM) policy references to older static email addresses that include references to inactive domains
• For Amazon API Gateway with custom domain, consider duplicating each API Gateway endpoint with a new domain and secure with AWS Certificate Manager (ACM)
• Update Amazon Simple Email Service (Amazon SES) to use the identifiers from the new domain names
• Update Amazon Simple Notification Service (Amazon SNS) subscribers to use the email addresses associated with the new domain names
• Update DevOps tooling and certifications to use the new domain names
• Cleanup AWS Budgets reports associated to the resources tagged to the old domain

Successful domain migration

Commercial airlines must balance comfortable and convenient passenger experiences, flight crews’ need for resources to complete their duties with ease and efficiency, and security and safety protocols.   Intelsat satellite connectivity services leverage AWS to support reliable, cost-effective, high-performance inflight entertainment and connectivity experience for commercial airlines and passengers, empower crews with the latest onboard systems, and increase operational efficiency.

A domain migration requires a large commitment of time and resources from many areas like engineering, IT, finance, legal, marketing, and operations. Given the complexity of a post-acquisition environment, the scope of work is not always clear at the beginning of such a project. It is important to regularly review and re-evaluate the scope and time commitments to ensure resource availability while still maintaining day-to-day operations and other ongoing efforts.

The domain migration from Gogo to Intelsat was a massive effort with many unknowns and moving parts. There was a lot of discovery and many lessons learned. It couldn’t have happened without a lot of hard work and help from AWS, Intelsat developers, network team, and many others.

Learn more about AWS for Aerospace and Satellite

Organizations of all sizes across all industries are transforming and delivering on their aerospace and satellite missions every day using AWS. Learn more about the cloud for aerospace and satellite solutions so you can start your own AWS Cloud journey today.

Get inspired. Watch our AWS in Space story.

Read more about AWS for aerospace and satellite:

• Amazon and AWS to reimagine space station operations and logistics for Orbital Reef
• How Satellogic and AWS are harnessing the power of space and cloud
• AWS selects 13 start-ups for the 2023 Space Accelerator
• What we learned at Amazon re:MARS 2022 for the public sector
• Managing the world’s natural resources with earth observation
• AWS joins the Digital IF Interoperability (DIFI) Consortium
• How Natural Resources Canada migrated petabytes of geospatial data to the cloud

Contributing Authors: Claire Zou Price, Customer Solutions Manager, AWS; Jeff Cole, Enterprise Support Manager, AWS