Example architecture #2 - Applying Security Practices to a Network Workload on AWS for Communications Service Providers

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Example architecture #2

An example architecture of a 5GC workload with AWS Outposts. The 5G control plane and user plane both run on-premises.

Figure: Architecture of 5G core on AWS Outposts (AWS Outposts architecture for a 5GC workload with on-premises control and user planes).

Security description of the example architecture of 5G core network function on AWS Outposts:

  1. VPC routing tables. As an example, customers can direct the user plane or internet traffic to the on-premises network using the AWS Outposts local gateway.

  2. Traffic going in and out of the instances is filtered using security groups. In addition, network ACL rules can filter traffic at the subnet level. Network ACLs are stateless firewall rules.

  3. Nitro hardware-based instances.

  4. Persistent data at rest stored in EBS volumes.

  5. Access to AWS services that do not reside inside the VPC is through VPC endpoints.

  6. Snapshots, AMIs, manifest files, or backup data can be stored in Amazon S3 storage. Data at rest is encrypted using AWS KMS, and access to data can be restricted with IAM policies.

  7. AWS Direct Connect instances.

  8. AWS KMS for management of encryption keys.

  9. AWS Certificate Manager to manage imported SSL/TLS certificates.

  10. Amazon ECR is used to store container images.

  11. Amazon EKS service is used for Kubernetes-based container orchestration.

  12. AWS CloudTrail helps enable governance and supports operational and risk auditing of an AWS account.

  13. Amazon CloudWatch monitors AWS resources and applications that run on AWS in near real-time.

  14. AWS Config provides a detailed view of the configuration of AWS resources in an AWS account.

  15. AWS CloudFormation helps set up AWS resources automatically.

  16. AWS WAF helps protect application endpoints or APIs against common web exploits and bots.

  17. AWS IAM helps to securely control access to AWS resources.

  18. AWS Control Tower provides a simple way to set up and govern a secure, multi-account AWS environment.

  19. VRF (virtual routing and forwarding) devices are used to segregate the VPN.

  20. Customer security gateways (SEGs) are entities on the borders of the IP security domains, used to secure native IP-based protocols.

  21. Customer-owned on-premises HSM to generate cryptographic keys for import into AWS KMS, or for use with the AWS KMS External Key Store (XKS).
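The following CloudFormation template is an added illustration of three of the controls listed above; it is not part of the whitepaper and not an AWS reference template. It shows, for item 2, a stateful security group beside a stateless network ACL (the ACL needs an explicit egress rule for the return leg of an allowed inbound session, which the security group does not); for item 6, an S3 bucket whose default encryption uses a KMS key and which refuses non-TLS access; and for item 21, a KMS key created with Origin: EXTERNAL so that its material can be generated in the customer's on-premises HSM and imported. The VPC, subnet, port 443 and the on-premises CIDR are assumed values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added illustration (not from the whitepaper) for items 2, 6 and 21.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id        # assumed: the 5GC VPC already exists
  SubnetId:
    Type: AWS::EC2::Subnet::Id     # assumed: a subnet on the Outpost
  OnPremCidr:
    Type: String
    Default: 10.10.0.0/16          # constructed sample range for the on-premises network

Resources:
  # Item 2, stateful layer: a security group only lists the initiating direction;
  # replies to an allowed inbound flow are permitted automatically.
  WorkloadSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Illustrative network-function security group (added example)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp          # assumed: HTTPS from the on-premises network only
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref OnPremCidr
      SecurityGroupEgress:
        - IpProtocol: tcp          # assumed: HTTPS towards on-premises systems only
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref OnPremCidr

  # Item 2, stateless layer: a custom network ACL denies everything until rules are
  # added, and because it keeps no connection state the return leg of an inbound
  # HTTPS session must be allowed explicitly on the client's ephemeral ports.
  SubnetAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId
  AclInboundHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref SubnetAcl
      RuleNumber: 100
      Protocol: 6                  # TCP
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref OnPremCidr
      PortRange: { From: 443, To: 443 }
  AclOutboundReturnTraffic:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref SubnetAcl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: !Ref OnPremCidr
      PortRange: { From: 1024, To: 65535 }   # replies go back to ephemeral ports
  SubnetAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetId
      NetworkAclId: !Ref SubnetAcl

  # Item 21: Origin EXTERNAL creates the key without material; the material is
  # generated in the customer HSM and brought in afterwards with ImportKeyMaterial.
  ImportedMaterialKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Backup encryption key with customer-generated material (added example)
      Origin: EXTERNAL
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountRootAdmin   # assumed: key use is narrowed further by IAM policies
            Effect: Allow
            Principal: { AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' }
            Action: 'kms:*'
            Resource: '*'

  # Item 6: snapshots, AMIs and backups land in a bucket that encrypts every object
  # with the key above, blocks public access and refuses requests made without TLS.
  BackupBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt ImportedMaterialKey.Arn
            BucketKeyEnabled: true
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  BackupBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BackupBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt BackupBucket.Arn
              - !Sub '${BackupBucket.Arn}/*'
            Condition:
              Bool: { 'aws:SecureTransport': 'false' }
```

After the stack is created, the key in ImportedMaterialKey has no material and cannot encrypt anything until the import completes: the operator fetches the wrapping public key and import token with `aws kms get-parameters-for-import`, wraps the HSM-generated key material with that public key inside the HSM, and submits it with `aws kms import-key-material`. The ACL pair is the part most often got wrong in practice; without the egress rule on ports 1024-65535 the security group would accept the session but the subnet ACL would silently drop every reply.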