Amazon Web Services (AWS) has been widely adopted in the satellite communications and aerospace sector, acting as a platform to modernize the entire IT infrastructure as well as provide network connectivity solutions. A prime example is how Thales Avionics, a leading satellite and aerospace company, used AWS to build a virtual data center connected to ground stations to enable in-flight WiFi services over satellite communications. The reference architecture shows the successful implementation of virtual Internet Points of Presence (PoPs) with Thales InFlyt Experience (IFE) in various geographic locations using the AWS global infrastructure footprint. Thales incorporated Sandvine cloud-native network appliances, which are fully compatible with Amazon Elastic Kubernetes Service (Amazon EKS) environments, to enable seamless interoperability with various AWS services. Thales demonstrated how AWS can facilitate the deployment of satellite communications infrastructure and enable high-speed Internet connectivity to aircraft in flight. Combining AWS’s scalable, distributed cloud platform with purpose-built network appliances enabled Thales to establish robust, geographically distributed virtual data centers that seamlessly integrated with its satellite communications network.
Thales, a leading aerospace company, provides solutions for two out of three aircraft taking off worldwide, with IFE serving more than 1.6 million passengers daily. Thales provides in-flight WiFi services through its In-Flight Connectivity (IFC) solution using the high-level architecture shown in Figure 1. The Thales IFC system comprises the aircraft’s onboard system (the Thales Onboard Platform, proprietary hardware and software that manages passenger connectivity and related services), satellites, ground stations, and Internet PoPs (including the Thales Ground Platform) that connect to the Internet using satellite communications. Traditionally, Internet PoPs or Thales Ground Platforms have been built in physical data centers. In the communications realm, the connection bandwidth needs to be managed to optimize passenger quality of experience (QoE) and prevent distributed denial of service (DDoS) attacks and malicious activity. For this purpose, IP policy enforcement or firewall appliances are typically deployed at each Internet PoP site. More importantly, to support such services on a global scale, service providers like Thales need to set up multiple physical data centers near ground stations in each geographic location.

Figure 1. High-level architecture of in-flight WiFi service

Figure 2. Reference architecture for a virtual Internet PoP on AWS
Thales has been driving innovation in the aerospace industry by designing and migrating physical Internet PoP data centers and appliances to the AWS Cloud. These virtual data centers, called virtual PoPs or vPoPs, leverage the benefits of AWS global presence, scalability, and reliability for applications running on the platform. Figure 2 shows a reference architecture aligned with the AWS Well-Architected Framework, meaning the solution is designed to ensure high availability, cost-effectiveness, security, performance, and automation. Additionally, the solution running on AWS is not a typical web server type application, but rather a network appliance that provides transitive routing of user traffic between IFE service users and the Internet. Based on the principles of the Well-Architected Framework and the transitive nature of network solutions, the following key AWS services are used to implement this architecture:
- AWS Direct Connect: In this use case, AWS Direct Connect provides a dedicated connection from the ground station to your VPC. Direct Connect provides a more consistent network experience between the ground station and your VPC than an internet-based connection. To ensure high availability, Direct Connect connections are established with multiple sites, with two redundant links per site.
- AWS Direct Connect Gateway: AWS Direct Connect Gateway is a globally available resource that can ensure high availability and access to multiple AWS Regions. Direct Connect connections are established across multiple sites and Direct Connect Gateways, with two redundant links per site.
- Amazon Virtual Private Cloud (Amazon VPC): VPC provides a virtual data center environment to host the appliances of Thales’ IFC solution. Multiple Availability Zones are used to maximize high availability of the service. Multiple AWS Regions are used for global deployments.
- Amazon Elastic Kubernetes Service (Amazon EKS) with Multus support: Amazon EKS is a managed service that eliminates the need to install, operate, and maintain your own Kubernetes control plane on AWS. In the IFC architecture, Sandvine container network functions (CNFs) run as network function applications on EKS. The cloud-native nature of Sandvine CNFs makes the solution elastic and scalable and simplifies orchestration. The Multus meta CNI plugin is also used on EKS to support separate network interfaces for handling user traffic.
- AWS Transit Gateway: AWS Transit Gateway provides transitive routing capabilities while connecting Direct Connect connections to ground stations and then to VPCs. Transit Gateway acts as a highly scalable cloud router. In the IFC solution architecture, Transit Gateway routing plays a key role in the high availability design. Specifically, as shown in Figure 3, a failure detected by the monitoring tool invokes an AWS Lambda function to update the Transit Gateway route table, which can redirect traffic to a healthy Availability Zone or an Availability Zone with a healthy application.
- Amazon Virtual Private Cloud (Amazon VPC) NAT Gateway with BYOIP: In this IFC solution case, the goal is to provide internet connectivity to service users during flight, so Thales public IP addresses must be used instead of AWS public IPs (Elastic IPs). This can be implemented using AWS’s Bring Your Own IP Address (BYOIP) support, where the BYOIP address can be configured on the NAT Gateway. Additionally, multiple public IP addresses can be attached to the NAT Gateway. Using a NAT Gateway enhances the security posture of the solution by restricting direct access to resources in the private subnet from the internet.
- Amazon VPC Internet Gateway and AWS Shield: Internet Gateway provides a secure, managed connection for internet connectivity. For vPoPs on AWS for IFE services, Shield adds a layer of protection, acting as the first comprehensive defense against DDoS attacks at the edge of the public internet. These AWS components increase infrastructure and network layer security, in addition to other application and user layer security measures.

Figure 3. Implementing high availability using the Transit Gateway route update API
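
The failover step described in the Transit Gateway item above can be sketched as follows. This is an added example, not code from Thales or AWS: it assumes each Availability Zone's appliance stack sits behind its own Transit Gateway attachment, and the event shape, the `az-a`/`az-b` keys and every ID are constructed placeholders. Only allow-listed attachments can become the route target, and repeated alarms are a no-op.

```python
"""Failover sketch: repoint a Transit Gateway route at a healthy AZ's attachment."""
import os

# Hypothetical configuration; all IDs below are constructed placeholders.
ROUTE_TABLE_ID = os.environ.get("TGW_ROUTE_TABLE_ID", "tgw-rtb-EXAMPLE")
DEFAULT_ROUTE = os.environ.get("FAILOVER_CIDR", "0.0.0.0/0")
# Allow-list: AZ label -> attachment permitted as a route target (assumed layout).
ALLOWED_ATTACHMENTS = {
    "az-a": "tgw-attach-EXAMPLE-A",
    "az-b": "tgw-attach-EXAMPLE-B",
}


def current_attachment(ec2, cidr):
    """Return the attachment ID the active route for `cidr` points at, or None."""
    resp = ec2.search_transit_gateway_routes(
        TransitGatewayRouteTableId=ROUTE_TABLE_ID,
        Filters=[{"Name": "route-search.exact-match", "Values": [cidr]}],
    )
    for route in resp.get("Routes", []):
        if route.get("State") == "active":
            atts = route.get("TransitGatewayAttachments", [])
            return atts[0]["TransitGatewayAttachmentId"] if atts else None
    return None


def fail_over(ec2, failed_az, cidr=DEFAULT_ROUTE):
    """Move `cidr` off the failed AZ's attachment onto an allow-listed healthy one."""
    if failed_az not in ALLOWED_ATTACHMENTS:
        raise ValueError(f"unknown AZ in alarm event: {failed_az!r}")
    healthy = [a for az, a in sorted(ALLOWED_ATTACHMENTS.items()) if az != failed_az]
    if not healthy:
        raise RuntimeError("no healthy attachment to fail over to")
    active = current_attachment(ec2, cidr)
    if active != ALLOWED_ATTACHMENTS[failed_az]:
        return {"changed": False, "attachment": active}  # already off the failed AZ
    ec2.replace_transit_gateway_route(
        DestinationCidrBlock=cidr,
        TransitGatewayRouteTableId=ROUTE_TABLE_ID,
        TransitGatewayAttachmentId=healthy[0],
    )
    return {"changed": True, "attachment": healthy[0]}


def handler(event, context):
    """Lambda entry point; the event shape {"failed_az": ...} is an assumption."""
    import boto3  # imported lazily so the logic above can be exercised offline
    return fail_over(boto3.client("ec2"), event["failed_az"])
```

The function's execution role needs only `ec2:SearchTransitGatewayRoutes` and `ec2:ReplaceTransitGatewayRoute`, which keeps the automation from being usable for arbitrary route changes.
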
As shown in Figure 4, in addition to the key services mentioned above, other AWS services complete the construction of the entire IFC solution, such as Amazon DynamoDB, Amazon EventBridge, Amazon Route 53, Network Load Balancer, AWS Systems Manager, and Amazon CloudWatch. Thales’ IFC solution leveraged all these managed services from AWS to achieve service scalability and flexibility. For example, the running status of computing resources and container applications is collected and monitored through CloudWatch dashboards. Network services such as Route 53 and Network Load Balancer (NLB) are used to handle control plane communication from the aircraft. NLB improves scalability and resiliency by distributing the load across multiple instances of backend services deployed across Availability Zones.
Route 53 manages the solution’s domain names, and the solution leverages its powerful routing capabilities to implement conditional DNS resolution depending on which network the aircraft is connected to, enabling transparent transitions between networks.

Figure 4. Additional AWS services to complete your IFC solution
Thales is leading innovation in aerospace IFC solutions by moving beyond physical PoP data centers, and is the first in the industry to deliver virtual PoPs (vPoPs) on the AWS Cloud, leveraging the global presence, scale, and reliability of AWS. Key AWS services used include Direct Connect, Amazon VPC, Amazon EKS with Multus CNI, Transit Gateway for transitive routing, NAT Gateway with BYOIP, and Internet Gateway with Shield for DDoS protection. This cloud-native solution offers throughput scalability for both single-region and global connectivity, and the flexibility to scale on demand, leveraging AWS managed services.
Using AWS services to replace physical infrastructure enables Thales’ IFC to use standard cloud practices such as automation, observability, and monitoring. By adjusting cloud infrastructure based on demand, Thales has reduced its total cost of ownership by more than half and improved sustainability by reducing energy consumption.