AWS re:Invent 2025 - Networks at scale and how to automate operations (NET323)

Automating Network Operations at Scale: Applying DevOps Principles

Scaling Challenges in AWS Networking

  • Manual processes that don't scale
  • Inconsistent deployments creating security risks
  • Validation happening too late

Best Practices for Automated Network Operations

  1. Multi-Account Environment with Guard Rails:

    • Using AWS Organizations to manage multiple accounts
    • Leveraging Service Control Policies (SCPs) to enforce security guardrails
  2. Managed AWS Network Services:

    • Utilizing AWS Cloud One to build and manage global networks
    • Automating network tasks like VPC creation, routing, and security
  3. Serverless Automation:

    • Employing AWS Step Functions to orchestrate network operations
    • Integrating with AWS EventBridge to trigger automated workflows

Use Case: Automated Network Provisioning and Segmentation

  1. VPC IP Address Management (IPAM):

    • Enforcing VPC creation only with approved IPAM pools using SCPs
    • Preventing non-compliant VPC deployments
  2. Global Network Automation with AWS Cloud One:

    • Defining routing domains and traffic segmentation policies
    • Automating cross-region traffic inspection using service insertion
  3. Attachment Policy Automation:

    • Automatically associating VPC attachments to their respective routing domains
    • Integrating hybrid connections (VPN, Direct Connect) with the hybrid segment

Serverless Automation with AWS Step Functions

  1. Event-Driven Workflows:

    • Capturing VPC attachment creation events using AWS EventBridge
    • Triggering AWS Step Functions to automate the attachment tagging process
  2. Dynamic Tagging and Segment Assignment:

    • Obtaining the Organizational Unit (OU) information from the account ID
    • Automatically applying the appropriate routing domain tag to the VPC attachment
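The decision logic behind the workflow above (event in, OU lookup, routing-domain tag out), written as an added example rather than code from the talk. The event shape, the OU names, the tag key and the `OU_TO_SEGMENT` mapping are assumptions; the two Organizations calls are passed in as callables so the block runs offline against constructed stand-ins, and an account whose OU has no mapping is deliberately routed to a quarantine segment rather than a production one.

```python
# Assumed mapping from Organizations OU name to the routing-domain (segment) tag value.
# Any OU not listed deliberately falls through to a quarantine segment, so an
# unmapped account never lands in a production routing domain by accident.
OU_TO_SEGMENT = {"Production": "prod", "Development": "dev", "SharedServices": "shared"}
QUARANTINE_SEGMENT = "quarantine"
SEGMENT_TAG_KEY = "segment"  # assumed tag key the Cloud WAN attachment policy matches on


def nearest_ou_name(account_id, list_parents, describe_ou):
    """Resolve the name of the account's direct parent OU. The two callables take
    the same kwargs as boto3 organizations.list_parents / describe_organizational_unit."""
    for parent in list_parents(ChildId=account_id)["Parents"]:
        if parent["Type"] == "ORGANIZATIONAL_UNIT":
            ou = describe_ou(OrganizationalUnitId=parent["Id"])
            return ou["OrganizationalUnit"]["Name"]
    return None  # account sits directly under the root, no OU to map


def plan_attachment_tag(event, list_parents, describe_ou):
    """Return (attachment_id, tag) to apply, or None if the event is not an
    attachment creation. The real workflow would pass the tag to
    networkmanager.tag_resource(ResourceArn=<attachment ARN>, Tags=[tag])."""
    detail = event["detail"]
    if detail.get("eventName") != "CreateVpcAttachment":
        return None
    account_id = detail["userIdentity"]["accountId"]
    attachment_id = detail["responseElements"]["vpcAttachment"]["attachment"]["attachmentId"]
    ou_name = nearest_ou_name(account_id, list_parents, describe_ou)
    segment = OU_TO_SEGMENT.get(ou_name, QUARANTINE_SEGMENT)
    return attachment_id, {"Key": SEGMENT_TAG_KEY, "Value": segment}


# Constructed stand-ins for the two Organizations calls so this runs offline.
_FAKE_PARENTS = {"111111111111": "ou-prod-1", "222222222222": "ou-lab-9"}
_FAKE_OU_NAMES = {"ou-prod-1": "Production", "ou-lab-9": "Sandbox"}


def fake_list_parents(ChildId):
    return {"Parents": [{"Id": _FAKE_PARENTS[ChildId], "Type": "ORGANIZATIONAL_UNIT"}]}


def fake_describe_ou(OrganizationalUnitId):
    return {"OrganizationalUnit": {"Id": OrganizationalUnitId, "Name": _FAKE_OU_NAMES[OrganizationalUnitId]}}


def sample_event(account_id, attachment_id="attachment-0abc123"):
    """Constructed CloudTrail-via-EventBridge style event; the exact shape is an assumption."""
    return {"detail": {"eventName": "CreateVpcAttachment", "userIdentity": {"accountId": account_id},
                       "responseElements": {"vpcAttachment": {"attachment": {"attachmentId": attachment_id}}}}}
```

Calling `plan_attachment_tag(sample_event("111111111111"), fake_list_parents, fake_describe_ou)` yields the `prod` tag for the Production OU, while the Sandbox account gets `quarantine` because its OU is not in the mapping.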

Key Takeaways

  1. Architect by Use Case, Not Habit:

    • Define the business outcomes and architect the network accordingly
    • Leverage the right AWS services for the specific use case
  2. Architect for Agility:

    • Implement modular, infrastructure-as-code designs
    • Embrace continuous iteration and automation
  3. Orchestrate Beyond Networking:

    • Integrate security, governance, and automation across the AWS portfolio
    • Leverage services like AWS Organizations, SCPs, and Step Functions

Technical Details and Examples

  • AWS Cloud One: Managed service for building global networks with policy-as-code
  • AWS Step Functions: Serverless orchestration service used to automate network operations
  • AWS EventBridge: Serverless event bus service used to capture VPC attachment creation events
  • AWS Organizations and Service Control Policies: Enforcing network security guardrails
  • Specific use case examples:
    • Implementing VPC IPAM-based IP address management
    • Automating cross-region traffic inspection using service insertion
    • Dynamically associating VPC attachments to their respective routing domains

Business Impact

  • Increased agility and scalability in network operations
  • Improved security and governance through automated enforcement of policies
  • Reduced operational overhead and manual intervention for network teams
  • Faster time-to-market for new applications and services by streamlining network provisioning

Real-World Applications

  • Enterprises with rapidly growing cloud footprints and complex network requirements
  • Organizations looking to adopt DevOps principles and automation in their network operations
  • Service providers and managed service providers offering network management services
