Creating an Automated, Software-Defined Global Network on AWS with Carrier

Since its founding in 1915, Carrier has grown from a small manufacturer of HVAC (heating, ventilation, and air conditioning) systems to a global enterprise encompassing more than 75 brands. The company transforms and optimizes indoor spaces with innovative, energy-efficient products in the HVAC, refrigeration, and fire and security segments.

As Carrier transitioned from manufacturing equipment to providing digitally supported healthy lifestyles, its network became increasingly critical for connecting its assets, offices, manufacturing facilities, and 53,000 employees in more than 180 countries. At first, teams collaborated using Amazon Virtual Private Cloud (Amazon VPC)—a service that gives companies full control over their virtual networking environment, including resource placement and security. Carrier used AWS Transit Gateway—which connects Amazon VPCs, AWS accounts, and on-premises networks—to connect its VPCs in a hub-and-spoke model. This architecture required static routes for providing connectivity across multiple AWS Regions, which relied on engineers to make manual configuration changes.

Additionally, as the network became increasingly entangled, engineers couldn’t be sure if one team’s change request would cause an outage or break another team’s workload. Although the network was functioning, Carrier needed to accommodate a growing number of AWS accounts to speed up innovation. “As we migrated more and more workloads to the cloud, our networking was really an afterthought,” says Justin McDowell, associate director of cloud engineering and governance at Carrier. “It didn’t keep up with the pace of innovation and the scale of organic growth that Carrier was experiencing in the cloud.”

In 2023, Carrier started preparing to migrate from another cloud service provider to AWS, and the company knew that its entangled network and lack of global visibility might complicate the process. “We needed a rock-solid networking design to make that migration successful,” says McDowell. “That was the driving force behind investing in network changes.”

Carrier began a large-scale project to rearchitect its global AWS network using AWS Cloud WAN—which provides a central dashboard for making connections between branch offices, data centers, and VPCs, building a global network with a few clicks. The company also used Amazon VPC IP Address Manager (Amazon VPC IPAM), an Amazon VPC feature that lets organizations plan, track, and monitor IP addresses for AWS workloads.

Carrier kicked off this project in May 2023. The company recognized that proper IP address planning and management was critical for network stability. To create new accounts with standard baselines and guardrails, including specifying classless inter-domain routing ranges for VPCs and subnets, Carrier turned to Amazon VPC IPAM. Thus, the company automated the creation and setup of accounts, cutting the time to provision a new account from 3 days to just minutes, avoiding manual errors, and gaining greater visibility into IP address use.

To further prepare accounts for onboarding, Carrier updated the configurations of its products in AWS Service Catalog, which lets organizations centrally manage their cloud resources to achieve governance at scale using infrastructure-as-code templates. Before deployment, engineers spent time on writing high-quality code, carefully documenting changes, and generating highly understandable audit trails. “We’ve removed manual touchpoints wherever we could,” says McDowell. “That helped us analyze and rightsize our network.”

Using AWS Cloud WAN, Carrier’s small team of cloud network engineers can adjust connectivity for their VPCs on the fly. Working alongside AWS, Carrier instituted a metadata-driven design, using tags to identify the networking characteristics of a particular VPC. “We wanted to take the human-error element out of networking,” says McDowell. “Using AWS Cloud WAN, we can dynamically change a VPC’s networking characteristics by changing a tag.” Carrier anticipates a significant reduction in tickets to the help desk and escalations to the cloud operations teams because AWS Cloud WAN routes data appropriately according to carefully defined rules. “Now, it’s not a huge deal to make a networking change, whereas before it could have taken months,” says McDowell.

Carrier has a requirement to inspect its traffic through third-party firewalls. The company’s legacy network used hard-coded firewall instances, which were difficult to scale and were prone to single points of failure. To alleviate this, Carrier used Gateway Load Balancer—which deploys, scales, and runs third-party virtual appliances—to manage its third-party firewall appliances and create a highly scalable firewalling architecture.

Using crisp networking diagrams that show network traffic as it traverses various configuration scenarios, engineers clearly understand what traffic needs to be routed to firewalls. Carrier has further enhanced cybersecurity through the use of Service Insertion, a new feature of AWS Cloud WAN that simplifies the incorporation of security and inspection services into global networks. Thus, Carrier can steer its network traffic from multiple AWS Regions to security services without having to create and manage complex route configurations. Engineers centrally define their inspection and routing intent and deploy a consistent security configuration across the AWS Cloud WAN network. “A major benefit is that now everybody understands our network and can audit the configuration,” says McDowell. This has also reduced the time it takes to connect new accounts.