Context -> High Level Design (Target State) -> Design Considerations (Target State) -> High Level Network Migration Strategy

Understand current state and therefore provide a future state view and transition plan from a network perspective.

Captures current state connectivity, use cases and challenges.

TEG has two DC environments, one in Mascot, another in Kidman Park. Both operated by Hostworks.

Discovery -> Identified Domain Controllers, Firewalls, Internet Gateways, Load Balancers and Platforms (i.e. Origin Server) and Other Information Systems and Applications are hosted at the DCs and need to be accounted for in the Target State.

Telstra MPLS Network - Services TEG Offices, Sites and Venues, Aegis Call Centre, Dispatch and Temporary Sites (via 4G)

Spark MPLS Network - Services TEG Offices in New Zealand

Site to Site VPN - International Sites and Third Party Sites

Remote Access - Users using Cisco AnyConnect

Security and Access Control of the North/South Flows (between Internal and External Networks) are enforced by the ASA 5520 Firewalls.

The ASAs also terminate the Site to Site VPNs and enable Remote Access using the Cisco AnyConnect client. The ASAs also leverage the Active Directory hosted on the Domain Controllers to enable Role Based Access Control for the VPN.

The Internet Gateways enable Internet Access for Sites and Venues connected into the WAN.

Connectivity into Hostworks enables Aspect, the client for point-of-sale, to communicate with the Origin Server in the DC.

DC Environment and MPLS Networks aren't easily scalable and lack cost efficiencies across all sites.

Temporary Sites utilising 4G may experience issues with reliability, being dependent on location.

Most sites and venues only have one route, which doesn't consider for resiliency. Also, third-party sites aren't regulated regarding hardware and network requirements therefore, service levels are not guaranteed equal across all sites.

Relay between multiple parties, to organise the links.

Understood - At the DC in Mascot, a Direct Connect into AWS provisioned by Hostworks is present. However, as TEG is moving out of the DC, another service is required to be selected. As such, we've proposed Telstra's Cloud Gateway for the Australian WAN Network, to reduce complexity and timelines for the Migration. However, the vendor can be reviewed as required.

As we're leveraging the existing patterns, TEG Offices and TEG Sites/Venues will connect into AWS through Direct Connect at a COLO, where the Direct Connect and Telstra MPLS Termination will reside.

Leverage the Direct Connect through Telstra's MPLS Network.

New Service, IPSec VPN through the Internet via 4G. However, this will require an assessment to identify the requirements.

Similarly to Telstra's Cloud Gateway, Spark was identified to also provide a similar service to enable connectivity into AWS. Similarly, the vendor can be revised if required.

Further, sites and venues that previously had site to site VPNs and users requiring remote access will utilize the same patterns to connect into AWS.

For connectivity in the future state, the current patterns will be leveraged to accelerate and simplify the planning and migration activities.

Working with Peter Stojkovski and Chris Morgan from Deloitte, and David from TEG

Represents TEG Offices, Sites/Venues, Aegis Call Centre and Dispatch

Represents TEG Office in New Zealand and International Sites. Also, some Third Party Sites and Venues.

Represents - Temporary Sites and Venues, Some Third Party Sites and Venues

Following the like-for-like approach, we focused on enabling consistent quality of experience based on the Current State, As such, the bandwidth and latency is expected to be the same as the current state. However, moving to AWS will account for horizontal scalability for future growth, with the ability to increase and decrease performance on-demand in AWS. This will allow flexibility to changing consumption patterns and application requirements.

For the Future State, continuing with Cisco and it's ASAv to succeed the ASAs will ensure configuration and feature parity to reduce migration complexity and operational upskilling.

On analysis, the ASAv30 was the aligned better to succeed the ASA 5520 in Current State. On paper, ASAv30 matches, and in most cases exceeds the performance of the ASA 5520, catering for additional demand.

Where Ansible Playbooks and Python can be leveraged as Automation Toolsets to assist with the Migration and Validation Phases.

Through DevOps, methods and tools can be built to take advantage of the environment, enabling infrastructure and resources to be deployed and destroyed at will, allowing dynamic scaling to meet demand.

By adopting Infrastructure as Code, rapid re-deployment and flexibility in deployment patterns can be enabled, simplifying change and rollback processes.

APIs on the network infrastructure can also be leveraged to perform tasks such as automated changes from a click of a button, avoiding the traditional approach of performing changes on a per-device basis.

Stateful Firewalling, Remote Access and Site-to-Site VPN Termination is currently performed by the ASA 5520. It will be the ASAv30 in the future state.

Active Directory will be replaced with AWS' Directory Service to deliver Authencation and Authorisation of Users.

AWS Route 53 for DNS Lookup and Resolution.

Replacing the Foundry Load Balancers for the Origin Platform with AWS ELBs.

For the Direct Connect, AWS will charge ~$1,500/mo for two DXs (one for Australia, another for NZ), with a Port Speed of 1G, at 10G/Hr.

Additionally, Telstra will charge $2,650/mo to enable the Cloud Gateway.

Spark wasn't able to respond to us around pricing so, we weren't able to provide an estimation.

Between FY2016 and 2018, TEG consumed between 4-6G of Internet/Hr. We've accounted for 10G/Hr, which carries a cost of $1,200/mo.

Accounted for 2 ASAv30 for HA/DR, which will cost $3,400/month.

Assuming the ELB processes 5G/Hr, it will cost $100/mo.

Lastly, Route53 for DNS. The cost appeared to be negligible.

Together, with the exception of the Spark DX Service, we estimate it would cost ~$8,800 AUD each month.

Engage Telstra for New Zealand's MPLS Network

The WAN Overlay (WAN Provider), Field Services (Network Teams) and Carriage Services (Service Providers) can be de-coupled. Presently, TEG is locked-in with Telstra for the Telstra MPLS Network, as it's a proprietary solution.

The MPLS Network (Primary) and the Internet is the Secondary. Reducing cost.

Centralised Perimeter Protection Plane for Remote Users and Sites

The migration strategy feeds into the outcomes of the Network Migration Stream for the EPICs

As represented at a high-level, a feedback loop to is present to enable on-going innovation. We'll be going into more detail in the coming slides.

May introduce more unknowns.

This is the approach proposed for the Network Migration.

Noted is that, the commencement of the Network Migration is dictated by the establishment of the Core Infrastructure in AWS prior to Migration.

As such, we're looking at approximately 50 change windows to complete the migration.