Example architecture #3 - Applying Security Practices to a Network Workload on AWS for Communications Service Providers

Example architecture #3

An example architecture of a 5GC workload on the AWS Region, RAN CU on an AWS Local Zone, and RAN distributed unit (DU) on customer premise.

Figure: 5G network architecture showing the AWS Region, Local Zone, and customer premise components.

Architecture of 5G RAN on an AWS Local Zone and on-premises network

Security description of the example architecture of 5G RAN network function on AWS Local Zones and customer on-premises network:

  1. Assuming 5G core network functions are deployed in the AWS Region, the security-related services and best practices described in the previous 5G Core deployment examples are also applied here.

  2. 5G RAN vCU deployment at AWS Local Zones. Because of the latency requirements of RAN network functions, the centralized unit (CU) functions of RAN need to be placed within tens of milliseconds of the end users. AWS Local Zones are therefore ideal edge locations to host the CU function, owing to their low-latency access to end users. AWS Local Zones are fully managed by AWS and include secure cloud infrastructure providing compute, storage, database, and other select AWS services to customers.

  3. 5G RAN vDU deployment at the customer on-premises network: because of the ultra-low latency requirements (~100 microseconds) of the RAN DU network functions, they are typically deployed at customer on-premises locations, such as D-RAN cell sites or C-RAN hubs.

  4. The infrastructure-level connectivity between the AWS Regions and AWS Local Zones uses high-speed and secure AWS backbone networks. At the service level, you can extend a VPC from the parent Region into AWS Local Zones by creating a new subnet and assigning it to the AWS Local Zone.

  5. EBS volumes are encrypted by default using Amazon EBS encryption, for data at rest and for data in transit between the Local Zone and its parent Region. By default, Amazon EBS encryption uses AWS KMS with AWS managed keys; however, customers can specify a customer managed key as the default encryption key.

  6. AWS Direct Connect is recommended to provide a dedicated private network connection between the customer on-premises network and AWS networks. While in transit, your network traffic remains on the AWS global network and never touches the public internet; therefore, it is more secure and provides better performance. To add an extra layer of security, you can use AWS Direct Connect connections that support MACsec to encrypt your data from your on-premises network or colocated device to your chosen AWS Direct Connect point of presence.

  7. Network firewalls are typically deployed within CSP customers’ transport networks to filter traffic to/from the RAN.

  8. The customer-owned on-premises HSM can be used to generate cryptographic keys for import into AWS KMS, for securing the on-premises network, or for equipment purposes.

  9. Given that the DU functions are typically deployed at the very far edge of the telco network with limited security monitoring (for example, unmanned cell sites), additional security measures (such as disk encryption, secure boot, and so on) should be considered to protect against physical equipment theft or tampering.