AWS Global Network

Deploy your applications on the largest and most resilient global network

The most resilient and highly available network

The AWS Global Network is built from the ground up to be the most resilient and highly available network in the cloud, featuring centralized traffic monitoring and routing, automated network management tools, and geographic diversity and redundancy built into every aspect of its network infrastructure.

Industry-leading network security

The AWS Global Network is architected to be the most secure network in the cloud, offering multiple layers of encryption for data in transit, digitally signed routing information, and unique threat intelligence and automated network security features that rapidly detect and remediate emerging threats. With the largest private network of any cloud provider, customer data stays on the AWS Global Network longer, minimizing the potential security risks that could arise from traversing multiple external networks.

Unmatched performance and capacity

The AWS Global Network leverages cutting-edge technology and unique innovations to provide you with low latency, high data throughput, and minimal network jitter to support even the most demanding workloads and applications. In addition, AWS offers rapid scalability and virtually unlimited network capacity when and where you need it.

The AWS Global Network by the numbers

million kilometers of terrestrial and subsea fiber-optic cabling

increase in AWS network capacity over the last 12 months

of all network events are automatically remediated without human intervention

Benefits of the AWS Global Network

Unique threat intelligence and automated network security

AWS uses a multi-layered security approach to keep the applications and workloads running on its network safe. For example, AWS leverages threat intelligence from a massive graph model with billions of nodes to detect and thwart an average of 124,000 new malicious internet domains daily.  Similarly, AWS uses data from its unique global network of sensors to analyze over 100 million interactions a day and automatically mitigate threats.  And AWS threat intelligence tools identify and shut down over 7 billion daily unauthorized external scanning attempts of AWS services within minutes, at global scale.

Secure internet routing information

AWS stops malicious Border Gateway Protocol (BGP) hijacks by using technologies such as Resource Public Key Infrastructure (RPKI) to digitally sign route announcements and drop traffic with invalid routing information. As the largest combined owner of signed IP space on the internet, AWS provides comprehensive protection against BGP hijacking, keeping your data safe as it travels across the network.  

Ultra-low network latencies

The AWS global infrastructure footprint allows users to deliver latencies as low as single-digit milliseconds to end users and devices, providing the best performance for latency-sensitive applications such as high-frequency trading, online gaming, and AI/ML inference at the edge for real-time decision-making.

Superior data throughput

The vast majority of network capacity interconnected with the AWS Global Network backbone uses 400 GbE technologies—four times faster than the previous standard of 100 GbE—enabling superior throughput for data-intensive workloads such as AI/ML training, high performance computing, and big data analytics.

Network capacity when you need it

AWS leverages advanced machine learning models to analyze vast amounts of network usage data and proactively deploys additional network capacity well ahead of customer demand.  Over the past 12 months, AWS increased its network capacity by nearly 80% to accommodate growing customer workloads. 

Automated network operations

AWS uses a comprehensive set of custom-built network management tools that continuously monitor network health, identify potential problems, and resolve network issues automatically. AWS “self-healing” network management tools automatically remediate over 96% of network events without human intervention. 

Centralized, real-time traffic monitoring

Unlike the public internet, where each networking device must make independent routing decisions with minimal information about the health of other networks, the AWS centralized, real-time traffic monitoring system has visibility into every link within the global network, ensuring that customer traffic always uses the most available and performant path. This system implements millions of changes a day to optimize traffic routes over both the AWS private network and the public internet, helping to avoid congestion and outages before customer applications are impacted. 

Features of the AWS Global Network

Multiple layers of encryption

All traffic leaving AWS facilities is secured using multiple layers of encryption, such as quantum-safe optical encryption at Layer 1, MACsec encryption at Layer 2, or AWS open source implementations of the TLS/SSL and QUIC encrypted transport protocols at Layer 4. VPC cross-region peering also uses another layer of encryption and incorporates anonymization—preventing attribution of in-flight traffic to individual organizations. For customers that want additional protection, AWS supports numerous customer-managed encryption solutions.

Advanced DDoS protection

Each year, AWS automatically stops millions of botnet-driven distributed denial of service (DDoS) attacks within minutes—even seconds—before they can disrupt business operations,  and highly trained response teams are in place to resolve any DDoS attacks that aren’t detected and mitigated automatically. For higher level application-layer DDoS protection, users can identify and remediate attacks using AWS Shield Advanced. AWS works with external parties to disrupt botnets, disable spoofed packet amplification and reflection attack generators, and dismantle the true sources of thousands of L7/HTTP DDoS attacks annually. 

Two-way sharing of network performance information

AWS ensures that the health events it discovers on both its private global network and the public internet are made available to you in Amazon CloudWatch Network Monitoring. This ensures that you have full transparency into network performance issues and streamlines the support process. In addition, customer-observed events are sent back to the AWS internal monitoring systems to help AWS correlate individual customer issues with wider network patterns.

Dedicated connections to AWS resources

AWS Direct Connect helps further reduce latencies and lower network jitter by allowing you to create private, dedicated network connections between your AWS resources and the offices and data centers in your network, at over 140 AWS Direct Connect locations globally.  You can also choose a dedicated connection hosted by one of the several dozen AWS Direct Connect Delivery Partners, offering enhanced flexibility and choice. Direct Connect improves application performance, provides additional security for data in transit, and helps reduce data transfer costs.

Rapid provisioning and scalability

With AWS, you no longer need to plan and provision networking infrastructure weeks or months in advance. The comprehensive suite of AWS networking services—including Amazon Virtual Private Cloud, Amazon VPC Lattice, Amazon CloudFront, and AWS Cloud WAN—allows you to quickly provision networking resources that automatically scale with your workloads.

Custom-built networking equipment

AWS designs and builds its own custom network software (controllers) and hardware (routers, switches, and optical), enabling it to both add network capacity faster and save millions of dollars a year in the process—savings which it passes along to customers in the form of lower prices. And by using its own networking equipment, AWS can rapidly mitigate emergent threats without waiting for patches or software updates.