Introduction to Network Transformation on AWS – Part 1
Your organization may have a sprawling network built with variety of topologies. As your organization begins to embrace cloud, you extend your network to AWS using a hybrid connectivity architecture. Over time, traffic patterns change as more and more of your applications move to the cloud. This means that you can start transforming your network and use the AWS network backbone and global infrastructure to connect data centers, branches, and users directly to applications on AWS. In this blog, we show you five simple use cases to transform your network, accelerate your workload migrations, and reduce costs.
Network transformation: definition and benefits
Network transformation is a prescriptive guide to a fundamental redesign of your entire network including: cloud, Wide Area Network (WAN), branch, data centers, remote user connectivity, and network security infrastructure. Network transformation is not a lift and shift of your current on-premises data center network to AWS. Working backwards from customer’s requirements, we divided network transformation into five simple use cases. Each use case contains prescriptive guidance on architecture and implementation.
By quickly scaling up or down, the AWS network backbone and global infrastructure gives you increased flexibility and agility, helping you adapt to changing business requirements. It enables provisioning of network with infrastructure as code and as config as code approach for repeatable and automated network configuration. You can scale globally with integrated security and achieve global reach in minutes. Your organization reduces reliance on high cost and frequently under-utilized domestic and global multiprotocol label switching (MPLS) links, and is no longer required to sign long-term contracts and volume commitments. You benefit from AWS’s pay per use, low latency, highly-available, elastic, secure, and resilient global network. Your organization has the choice of topology and hybrid connectivity. You can connect via dedicated or hosted private links, or use internet-based connectivity solutions with optional acceleration through AWS global backbone, or Software Defined Wide Area Network (SDWAN) solutions from AWS Partners for remote branch offices.
You have a choice of several architecture patterns when interconnecting your data centers and branch offices with your resources running in AWS. One of the most common patterns we see is the hub and spoke model. In this model, data centers are the network hubs. These hubs perform routing, security, and other network functions. Traffic must transit through the hub as it moves from one spoke to another. When most applications are hosted within data centers, users connect directly to applications, and traffic patterns are optimized for best performance. When you start using AWS, you may establish network connectivity in a way that each AWS Region is a spoke hanging off your existing Wide Area Network (WAN) and security inspection is done at the on-premises data centers. Now traffic between users in branches or remote locations and applications on AWS hairpins through data centers. This is shown in the following diagram (figure 1):
Figure 1: AWS as an extension of your network, with data centers as hubs.
The network that connects these hubs and spokes is called the backbone network. It provides connectivity for global and regional applications. It is often built with MPLS, leased lines, site-to-site VPNs, and other private connectivity solutions that run between data centers, campus, and branches. This type of network is expensive to operate, does not scale quickly, takes months to provision or add new links, and requires long-term contracts. In turn, these contracts require minimum bandwidth usage or volume commitments.
As applications migrate to AWS, traffic patterns change. Overtime, the majority of the traffic ends up in the cloud and uses the cloud provider’s backbone. This change could be a business trigger to transform the network and security environment, introduce automation, or reduce cost. This is shown in the following diagram (figure 2):
Figure 2: Transformed network on AWS
This is one approach to transforming your network. Depending on your current state, network topology, and requirements, your transformed state may be different. You can also continue with the current state if it already meets your requirements.
Use cases for network transformation
Below are the five key network transformation use cases:
- Connectivity within AWS
- Connectivity to data centers
- Connectivity to branches
- Connectivity to the internet
- Network security
Now let us take you through details of each use case.
1) Connectivity within AWS
This use case encompasses multi-Region connectivity between Amazon Virtual Private Clouds (VPCs) and spoke networks, while building a foundation for other use cases. There are two primary scenarios that should be considered. The first is scalable VPC-to-VPC connectivity using AWS Transit Gateway, VPC peering, and AWS PrivateLink. The second scenario is transit between AWS Regions with spoke networks using Transit Gateway and hybrid connectivity solutions. These scenarios result in rapid adoption of Transit Gateway to transform your connectivity within AWS. Keeping your traffic within AWS helps you benefit from the AWS global network’s scale, reach, and availability in an elastic, pay as you go manner. The AWS backbone offers low latency, low packet loss, and high overall network quality. This is achieved with a fully redundant 100 GbE fiber network backbone, often providing many terabits of capacity between Regions.
2) Connectivity to data centers
In this use case, we cover hybrid connectivity with appropriate resiliency with multiple locations, SLA with up to 99.99% uptime, and compliance with regulations such as HIPPA and PCI. We see our customers adopting two types of approaches to hybrid connectivity to data centers. Some customers are planning to migrate all existing IT resources to the cloud and require short to medium-term hybrid connectivity to migrate assets into the cloud before shutting down data centers. In other cases, customers maintain IT resources both on premises and in the cloud and continue to operate in such environment for the long term. AWS Direct Connect and AWS Site-to-Site VPN are two common ways to interconnect and create a hybrid network. Hybrid connectivity enables customers to comply with regulations that mandate private network connectivity to the cloud and also lower their data transfer costs. Combined with Transit Gateway, customers use hybrid connectivity to communicate between their data centers, cloud workloads, and other resources. A private or MPLS network between data centers can now be replaced with the AWS backbone.
3) Connectivity to branches
This use case covers organizations that are adopting SDWAN solutions for user-to-application connectivity, typically over ubiquitous internet circuits. There are two main transformative trends in branch connectivity. The first trend is the shift from private connectivity, such as site-to-site VPNs or MPLS, to user-to-application connectivity where users connect directly to cloud-based applications. In this model, there is no private network within a branch and all users are accessing applications the same way irrespective of their location.
The second trend is the use of SDWAN, which orchestrates the provisioning of encrypted network tunnels to AWS and can integrate with Transit Gateway. By connecting branches directly to AWS, you can reduce reliance on your existing data centers, improve performance, reduce cost, and improve security. You benefit from rapid provisioning of new branches over internet links, with no long-term commitments, and price elasticity. AWS further enhances SDWAN with integrated network security. AWS partners with SDWAN solution providers to deliver integration with AWS through the Transit Gateway Connect feature.
Another option is to use AWS Accelerated Site-to-Site VPN connections. These connections work with AWS Global Accelerator to route traffic from your on-premises network to the AWS edge location that is closest to your gateway device. AWS Global Accelerator optimizes the network path, using the congestion-free AWS global network to route traffic to the endpoint that provides the best application performance.
4) Connectivity to the internet
This use case covers a centralized egress architecture pattern for access to the internet. This egress pattern is used for machine-to-machine (for example, API, software download) and user internet access. Organizations often consolidate network security controls and traffic inspection, as opposed to having distributed internet egress points, each with their own security controls. For publishing applications to the internet, AWS customers use inbound (or ingress) solutions. This includes addressing security with AWS WAF, load balancing with Elastic Load Balancing, Domain Name System (DNS) with Amazon Route 53, global traffic management with AWS Global Accelerator, and content distribution at a local and global scale with Amazon CloudFront.
5) Network security
This use case covers workload segmentation, ingress and egress security, traffic filtering, intrusion prevention system (IPS), and encryption. Network security is job zero. AWS Network Firewall helps you keep network traffic and network security control points within AWS, without hair-pinning the traffic back to on-premises data centers for security inspection. You also have a choice of using AWS Partner firewall appliances combined with AWS Gateway Load Balancer. You can deploy these network security solutions on demand in a distributed, centralized, or combined manner. These additional network security controls can be added transparently, on top of existing controls like Security Groups and Network ACLs. Network security is part of AWS shared responsibility model that covers multiple areas of security, including access to control plane like AWS API, identity, and data security.
We’ve logically grouped the use cases for multiple reasons. First, we know that you may want to focus on the technical and business benefits of a single use case one at a time, and projects can range from months to over a year. We believe you get the most simplification and value when you adopt all five use cases together. Second, each use case provides structure and contains prescriptive guidance to address business requirements. We will go into technical and architecture details of each in the part two of the blog post series.
AWS global infrastructure
We believe it is important to share with you the scale and security of AWS global infrastructure. The AWS global network currently spans 81 Availability Zones within 25 geographic Regions around the world. In addition, AWS has announced plans for 21 more Availability Zones and 7 more AWS Regions in Australia, India, Indonesia, Israel, Spain, Switzerland, and United Arab Emirates (UAE).
One of the first questions we are asked when we share the network transformation prescriptive guidance is how the traffic flowing across AWS global backbone is secured. The AWS global network that interconnects our data centers and Regions is automatically encrypted at the physical layer before it leaves our secured facilities, as shown in the following image (figure 3). Each individual customer’s traffic is isolated using Amazon VPC and software-defined networking constructs.
Figure 3: AWS global infrastructure
Voice of customers and partners
Based on the experience of AWS customers that have transformed their network, AWS Partners are an integral component of network transformation. AWS Partners provide connectivity, network appliances for a variety of use cases, and tools supporting observability. Many of these partner solutions are available directly on AWS Marketplace.
We collected several quotes from our customers and partners who have completed this network transformation on AWS. Our partners not only transformed their own network using AWS, but they also offer joint solutions and implementation help to mutual customers.
“The Covid-19 pandemic brought the costs of legacy global WAN connectivity into sharp focus with offices shut for long periods. As most workloads are already inside AWS in multiple Regions, and our extensive use of the earlier transit VPC solution on Cisco CSRs, we decided to enable Transit-to-Transit connectivity over inter-Regional VPC peering to form a new global backbone. By converting our 100+ offices’ backup DMVPN solution to the primary connectivity, using the AWS transit VPC CSRs as new Regional DMVPN hubs, we were able to cancel all the expensive (and slower) MPLS/VPLS circuits. The MPLS direct cost saving is 55% rising to 60% with the removal of the Direct Connect lines globally. Since the migration we have had a reduced incident count for WAN services with a marked speed increase.” – James Brunner, Director of Global Network Services, Informa
“Users, applications and data have left the building and public cloud has become the modern network hub. Our Enterprise customers are adopting this transformation by using AWS global backbone as the Enterprise network thereby modernizing the infrastructure between the users and applications. At Prosimo, we already use AWS as a network hub, which enables us to innovate faster and deliver zero-trust secure access to users along with enhanced app-to-app connectivity experiences.” – Ramesh Prabagaran, CEO, Prosimo
“Presidio is excited about AWS’ capability to act as the enterprise network hub. This capability provides better standardization with a more flexible and optimized approach to securing zero-trust user access, enhancing what is already the most mature cloud networking platform in the public cloud market today. As an AWS Premier Consulting Partner and authorized Managed Services Provider, Presidio is helping AWS customers to implement network transformation leveraging Presidio’s deep technical expertise.” – Robert Kim, VP Technology Strategy, Presidio
“We have now connected ENGIE domestic networks with Regions globally via local hubs on AWS, offering easier integration and more control and flexibility in changes.” – Adrien Geniller, Lead Network Architect, ENGIE. The primary network design focused on its backbone network, called “ENGIE BB.” The network leveraged connectivity within AWS using Transit Gateway, connectivity to data centers using AWS Direct Connect, and connectivity to branches using Cisco SD-WAN. More details are available in this case study.
Regardless of where you decide to start, get in touch with your AWS account team or contact sales support. We will support your network transformation on AWS journey, including the architecture and design, ROI and TCO calculation, integration with existing network, and deployment. Network transformation on AWS is included in the AWS Migration Acceleration Program. For implementation, you can partner with AWS Professional Services (AWS ProServe) and AWS Partner Network (APN).
In this blog post, we showed how to transform your network focusing on five key use cases and the associated benefits. In part two of this series, we show the target state architecture and technical details for each use case.