Apr 21, 2024

Building mobile core on AWS, closer look at DNS

Background
During the last few months, Oasis has been working with Xfone 018 and AWS on building a mobile network in which all control plane elements run on AWS infrastructure.
As the goal is a very lean system with minimal maintenance, while maintaining high reliability and scalability, one of our design decisions was to rely on AWS managed services wherever possible.
In this post we focus on the use of AWS Route 53 to provide DNS services for the various network elements within the mobile core network.
Before we dive into the Route 53 specifics, here are some details on the role of DNS within the mobile core.
In mobile core networks, DNS is the mechanism by which the Evolved Packet Core (EPC) selects the gateways that will serve a subscriber. When a device attaches or requests a PDN connection, the Mobility Management Entity (MME) derives fully qualified domain names from the requested Access Point Name (APN) and from its own PLMN and tracking area identifiers (for example <APN-NI>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org) and queries DNS for them. The answers, NAPTR and SRV records as specified in 3GPP TS 29.303 followed by A/AAAA records, tell the MME which PDN Gateways (PGWs) serve that APN, which Serving Gateways (SGWs) cover the tracking area, and in which order of preference and with what weights they should be tried. Only then can the MME set up the GTP tunnels and the data path for the device. Accurate and fast DNS resolution therefore sits on the critical path of every attach and bearer setup, and it is also what provides load sharing across gateways and failover between them.
DNS is therefore mission-critical infrastructure within the mobile core, requiring reliability, low latency and security.
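To make the node-selection procedure concrete, here is an added example that walks an APN-FQDN through NAPTR and SRV records the way an MME does. It is not code from the original post or from the operator; the zone content is constructed (test PLMN mcc001/mnc001, made-up host names, RFC 5737 documentation addresses), and the deterministic weight handling is a simplification noted in the code.

```python
"""Gateway selection over EPC DNS records, in the S-NAPTR style of 3GPP TS 29.303.

Added example for this post, not code from the original article or from the
operator. ZONE is constructed: PLMN mcc001/mnc001 is a test PLMN, host names are
made up, and the addresses come from the RFC 5737 documentation ranges.
"""
import shlex

# (owner name, type) -> rdata strings in zone-file presentation, as the MME would
# receive them from the authoritative server (here a Route 53 private hosted zone).
ZONE = {
    ("internet.apn.epc.mnc001.mcc001.3gppnetwork.org.", "NAPTR"): [
        # order pref flags service regexp replacement; "s" => follow with an SRV query
        '10 100 "s" "x-3gpp-pgw:x-s5-gtp" "" _s5-gtp._udp.pgw-a.epc.mnc001.mcc001.3gppnetwork.org.',
        '10 200 "s" "x-3gpp-pgw:x-s5-gtp" "" _s5-gtp._udp.pgw-b.epc.mnc001.mcc001.3gppnetwork.org.',
        # S8 (roaming) PGW: "a" => replacement is a host name, query A/AAAA directly
        '20 100 "a" "x-3gpp-pgw:x-s8-gtp" "" pgw-roam.epc.mnc001.mcc001.3gppnetwork.org.',
    ],
    ("_s5-gtp._udp.pgw-a.epc.mnc001.mcc001.3gppnetwork.org.", "SRV"): [
        "0 60 2123 pgw1.a.epc.mnc001.mcc001.3gppnetwork.org.",  # priority weight port target
        "0 40 2123 pgw2.a.epc.mnc001.mcc001.3gppnetwork.org.",
    ],
    ("_s5-gtp._udp.pgw-b.epc.mnc001.mcc001.3gppnetwork.org.", "SRV"): [
        "0 100 2123 pgw1.b.epc.mnc001.mcc001.3gppnetwork.org.",
    ],
    ("pgw1.a.epc.mnc001.mcc001.3gppnetwork.org.", "A"): ["192.0.2.11"],
    ("pgw2.a.epc.mnc001.mcc001.3gppnetwork.org.", "A"): ["192.0.2.12"],
    ("pgw1.b.epc.mnc001.mcc001.3gppnetwork.org.", "A"): ["198.51.100.11"],
    ("pgw-roam.epc.mnc001.mcc001.3gppnetwork.org.", "A"): ["203.0.113.11"],
}

GTP_C_PORT = 2123  # used when a NAPTR "a" record gives a host but no SRV port


def apn_fqdn(apn_ni: str, mcc: str, mnc: str) -> str:
    """APN-FQDN per 3GPP TS 23.003: <APN-NI>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org."""
    return f"{apn_ni}.apn.epc.mnc{int(mnc):03d}.mcc{int(mcc):03d}.3gppnetwork.org.".lower()


def lookup(zone: dict, name: str, rtype: str) -> list:
    """Authoritative answer for (name, type); [] models NXDOMAIN/NODATA."""
    return zone.get((name.lower(), rtype), [])


def parse_naptr(rdata: str) -> dict:
    order, pref, flags, service, regexp, replacement = shlex.split(rdata)
    return {"order": int(order), "preference": int(pref), "flags": flags.lower(),
            "service": service.lower(), "regexp": regexp, "replacement": replacement}


def parse_srv(rdata: str) -> dict:
    prio, weight, port, target = rdata.split()
    return {"priority": int(prio), "weight": int(weight), "port": int(port), "target": target}


def select_gateways(zone: dict, fqdn: str, app: str = "x-3gpp-pgw", proto: str = "x-s5-gtp") -> list:
    """Return (host, ip, port) candidates for the wanted service in the order an
    MME should try them: NAPTR order, then preference; within an SRV set by
    priority, then descending weight. A real MME picks among equal-priority SRV
    targets randomly in proportion to weight; this version is deterministic so
    the result can be checked."""
    candidates = []
    naptrs = [parse_naptr(r) for r in lookup(zone, fqdn, "NAPTR")]
    for n in sorted(naptrs, key=lambda rec: (rec["order"], rec["preference"])):
        svc_app, *svc_protos = n["service"].split(":")
        if svc_app != app or proto not in svc_protos:
            continue  # e.g. skip S8 roaming PGWs when selecting an S5 PGW
        if n["flags"] == "s":
            srvs = [parse_srv(r) for r in lookup(zone, n["replacement"], "SRV")]
            for s in sorted(srvs, key=lambda rec: (rec["priority"], -rec["weight"])):
                for ip in lookup(zone, s["target"], "A"):
                    candidates.append((s["target"], ip, s["port"]))
        elif n["flags"] == "a":
            for ip in lookup(zone, n["replacement"], "A"):
                candidates.append((n["replacement"], ip, GTP_C_PORT))
    return candidates


if __name__ == "__main__":
    for host, ip, port in select_gateways(ZONE, apn_fqdn("internet", "001", "01")):
        print(f"{host} -> {ip}:{port}")
```

An empty result from `select_gateways` is what the MME sees when the zone has no matching NAPTR records for the APN (or none for the requested interface), which is why a stale or missing record in the authoritative zone translates directly into attach failures.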

Solution requirements
In this section we outline the functional requirements of the DNS solution.
These are on top of the reliability, security and low latency requirements outlined above.
• The solution is on the authoritative side of the DNS system (the mobile network has resolver and cache requirements as well, but they are out of scope for this document).
• The solution needs to support isolated private zones that are only accessible from the mobile core side (both MVNO core elements and MNO core elements).
• Some public zones are required as well, for other services provided by Xfone 018.
• The solution needs to support less common DNS record types, such as NAPTR, SRV and PTR.

In the next section we will describe how we utilised various AWS services and features to meet these requirements.

 

Solution description

The foundation of every good distributed system is a robust networking layer providing connectivity between the various endpoints. In our case this connectivity domain extends from the hosting MNO core elements, through the Xfone 018 IP/MPLS core, to the AWS region in Israel over two diverse Direct Connect circuits.
Within the AWS region the solution uses multi-AZ VPCs interconnected by a Transit Gateway.

The Route 53 managed DNS service is the heart of the solution.
Route 53 is a global AWS service that meets the reliability, performance and security requirements of DNS, including DDoS protection for DNS traffic served from its public edge. Note that private hosted zones are answered by the Route 53 Resolver inside the VPC rather than by the public anycast edge, so for the private zones it is the isolation itself, together with the filtering on the resolver endpoints described below, that keeps untrusted traffic away.
Several Route 53 features deserve a bit more attention, as they help meet the functional requirements.

To achieve isolation of the mobile core DNS zones we used Route 53 private hosted zones, which provide authoritative DNS for names that are only resolvable from the VPCs associated with the zone. Route 53 supports NAPTR, SRV and PTR records in private hosted zones, which covers the node-selection records the EPC needs. The associated VPCs must have the enableDnsSupport and enableDnsHostnames attributes set, otherwise private hosted zone names will not resolve.
By default, however, private hosted zones are only reachable from within AWS (through the VPC's Route 53 Resolver), while we needed them to be reachable by core network elements outside AWS.
To make the private hosted zones accessible from the mobile core we use Route 53 Resolver inbound endpoints.
An inbound endpoint allocates IP addresses in specific subnets of a VPC (Route 53 Resolver creates an ENI in each of these subnets); the on-prem resolvers forward queries to those addresses, and the queries are answered from the private hosted zones associated with that VPC. For availability the endpoint should have addresses in at least two subnets in different AZs. The connectivity and filtering (firewalls, security groups, NACLs) must of course allow DNS traffic (UDP and TCP port 53) between the on-prem network and the inbound endpoints, and the endpoint security group should admit only the on-prem resolver addresses rather than any broader range.
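The following added example (not the operator's own tooling) shows the provisioning side of what is described above in Python with the boto3 request shapes: grouping NAPTR/SRV/A values into Route 53 ChangeBatch record sets, building the create_resolver_endpoint request for an inbound endpoint, and checking the endpoint's security group for port 53 rules that reach beyond the on-prem resolver ranges. All zone, subnet and security group IDs, CIDRs and record data are constructed placeholders; the two-subnet minimum is our availability policy, not an API rule.

```python
"""Helpers for provisioning EPC records in a Route 53 private hosted zone and
exposing it through a Route 53 Resolver inbound endpoint.

Added example for this post, not the operator's tooling. Zone, subnet and
security group IDs, CIDRs and record data are constructed placeholders.
"""
import ipaddress
from collections import OrderedDict

# (name, type, ttl, rdata). Route 53 takes NAPTR/SRV values in the same text
# presentation a zone file uses, one value per ResourceRecord.
RECORDS = [
    ("internet.apn.epc.mnc001.mcc001.3gppnetwork.org", "NAPTR", 60,
     '10 100 "s" "x-3gpp-pgw:x-s5-gtp" "" _s5-gtp._udp.pgw-a.epc.mnc001.mcc001.3gppnetwork.org.'),
    ("internet.apn.epc.mnc001.mcc001.3gppnetwork.org", "NAPTR", 60,
     '10 200 "s" "x-3gpp-pgw:x-s5-gtp" "" _s5-gtp._udp.pgw-b.epc.mnc001.mcc001.3gppnetwork.org.'),
    ("_s5-gtp._udp.pgw-a.epc.mnc001.mcc001.3gppnetwork.org", "SRV", 60,
     "0 100 2123 pgw1.a.epc.mnc001.mcc001.3gppnetwork.org."),
    ("pgw1.a.epc.mnc001.mcc001.3gppnetwork.org", "A", 60, "192.0.2.11"),
]

# Constructed describe_security_groups()[...]["IpPermissions"] for the endpoint SG.
# The tcp rule deliberately contains a 0.0.0.0/0 entry to show the check firing.
SG_INGRESS = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.10.0.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.10.0.0/24"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
ON_PREM_RESOLVERS = ["10.10.0.0/16"]  # the only sources that should reach the endpoint


def build_change_batch(records, comment="EPC node-selection records"):
    """Group rdata by (name, type) into one ResourceRecordSet each.
    Route 53 UPSERT replaces the whole RRset, so two NAPTR values for the same
    owner must travel in one set; sent separately, the second would erase the first."""
    sets = OrderedDict()
    for name, rtype, ttl, rdata in records:
        key = (name.lower().rstrip(".") + ".", rtype.upper())
        entry = sets.setdefault(key, {"ttl": ttl, "values": []})
        if entry["ttl"] != ttl:
            raise ValueError(f"{key}: an RRset has a single TTL, got {entry['ttl']} and {ttl}")
        entry["values"].append(rdata)
    changes = [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": e["ttl"],
                               "ResourceRecords": [{"Value": v} for v in e["values"]]}}
        for (name, rtype), e in sets.items()
    ]
    return {"Comment": comment, "Changes": changes}


def inbound_endpoint_request(name, security_group_ids, subnet_ips, creator_request_id):
    """Keyword arguments for route53resolver.create_resolver_endpoint().
    subnet_ips maps subnet ID -> the IP Route 53 Resolver should take in it.
    Requiring two subnets (one per AZ) is our availability policy, not an API rule."""
    if len(subnet_ips) < 2:
        raise ValueError("inbound endpoint needs addresses in at least two subnets/AZs")
    return {
        "CreatorRequestId": creator_request_id,
        "Name": name,
        "SecurityGroupIds": list(security_group_ids),
        "Direction": "INBOUND",
        "IpAddresses": [{"SubnetId": s, "Ip": ip} for s, ip in subnet_ips.items()],
    }


def dns_ingress_violations(ip_permissions, allowed_cidrs):
    """Rules on the endpoint's security group that admit port 53 from outside
    allowed_cidrs. Returns [(protocol, cidr), ...]; empty means the SG is tight."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        covers_53 = proto == "-1" or (
            proto in ("tcp", "udp")
            and perm.get("FromPort", 0) <= 53 <= perm.get("ToPort", 65535))
        if not covers_53:
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                bad.append((proto, cidr))
    return bad


def apply_records(route53_client, hosted_zone_id, records):
    """Push the batch with boto3: apply_records(boto3.client("route53"), "Z...", RECORDS).
    Kept separate so everything above runs offline."""
    return route53_client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=build_change_batch(records))
```

Running `dns_ingress_violations(SG_INGRESS, ON_PREM_RESOLVERS)` against the constructed group flags the `0.0.0.0/0` TCP entry; a group that passes this check and an endpoint whose addresses are only routable from the MNO/MVNO core together give the isolation the requirements call for.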

 

Conclusion and a note about cost
This post outlines an innovative yet simple and easy-to-implement approach to providing a critical DNS service using a managed cloud service, while maintaining the isolation that mobile core networks require.
Setting up the solution took no more than several hours, from outlining the requirements, through architecting and configuration, to testing.
This is particularly notable if you consider the alternative: installing specialized DNS software on top of highly available infrastructure while maintaining consistent configuration across all instances of the software.
There are excellent choices of software out there, from free open source DNS servers to commercial integrated hardware/software solutions.
But even the free open source alternative carries a high cost for the underlying infrastructure, the labour of building an orchestration solution to keep configuration consistent, network tuning such as anycast routing, and more.
Even the most carefully engineered on-prem solutions cannot get close to the scale and performance available from a cloud-based service that relies on global-scale infrastructure such as AWS.
One of the paradoxes of Route 53 is how little the service costs: pricing is based on a combination of the number of hosted zones and query volume.
Even with very low TTL values on DNS records (to allow fast changes), it is hard to exceed several tens of USD per month for the hosted zones and queries. Note that Route 53 Resolver inbound endpoints are billed separately, per endpoint IP address per hour, so they add a fixed monthly component on top of the per-zone and per-query charges.
Compared with the CAPEX of on-prem solutions, choosing a managed cloud service for mobile core DNS is a no-brainer.
As mobile operators work hard to provide high-quality services at competitive prices, they should seriously consider cloud services for their mobile core, and in particular for control plane functions.

 

 

Amos Rosenboim
CTO and Co-Founder
