AWS Private 5G
What is AWS Private 5G?
AWS Private 5G is a managed service that helps you to deploy, operate, and scale your own private
mobile network at your on-premises location. Private 5G provides the pre-integrated hardware and
software for mobile networks, helps automate the setup, and scales capacity on demand to support
additional devices as needed. You pay only for the network coverage and capacity that you need.
Private 5G concepts
The following are the key concepts for Private 5G.
• Private 5G network – A private mobile network at your on-premises facility.
• Private 5G site – The physical building or location where you set up your private mobile network. A site must meet the facility, networking, and power requirements for a mobile network.
• Private 5G equipment – The physical hardware that provides access to your Private 5G network, including cables, radio units, SIM cards, and any other networking appliances owned and managed by AWS.
• Radio units – The physical hardware, supplied by AWS, that emits RF signals for end-user equipment to connect to the Private 5G network.
• SIM cards – The cards supplied by AWS that you insert into end-user equipment to access the Private 5G network. Also known as subscriber identity modules or subscriber identification modules.
Pricing
Private 5G charges you an hourly rate based on the number of radio units that you order, with a
minimum commitment of sixty days. After you meet the minimum charge, charges are based on the
number of active radio units in use on your network.
For data transferred out of the AWS Region, we charge you the same rate that we charge for outbound
data from Amazon Elastic Compute Cloud (Amazon EC2).
How does AWS Private 5G work?
Use AWS Private 5G to set up and scale private mobile networks at your on-premises site. AWS delivers
the necessary hardware to the location where you want to set up and operate a private mobile network.
When the hardware arrives, you install it and provide the coordinates of your site, and AWS activates your
network. You insert the SIM cards provided by AWS into your end-user devices to use the network. Use
Amazon CloudWatch to monitor the network.
The following diagram illustrates a private mobile network at an on-premises site. A radio unit at your site connects to the AWS Region and the Spectrum Access System (SAS), a service that makes
spectrum grants.
Hardware provided by AWS
AWS provides the physical hardware to deploy your own private mobile network at your on-premises
location.
Radio units
A radio unit emits RF signals for end-user equipment to connect to the Private 5G network. The radio
units come preconfigured for network access to the AWS Region and SAS, a service that grants spectrum.
To receive spectrum grants, each radio unit requires CPI certification, which specifies the geographic location of the radio unit, including latitude, longitude, and elevation. You can segregate Private 5G network traffic from other traffic on your network by creating a dedicated VLAN. A VLAN is a configuration that you make on your network equipment upstream from the radio units.
You can power the radio units with a standard electrical outlet or Power over Ethernet (PoE+, 30 watts). You only need to provide power using one of these methods. In addition to internet access, the radio units require DHCP, an IPv4 address, and DNS.
SIM cards
AWS provides SIM cards that you insert into end-user equipment to access the Private 5G network. These
cards are also known as subscriber identity modules or subscriber identification modules.
Networks
The network is a private mobile network at your on-premises facility that's managed by AWS.
4G/Long Term Evolution (LTE) mobile networks support on-premises workloads that require reliable, low-latency, or high-density device connectivity, such as machine-to-machine communications, multimedia
applications, and data connections at event venues.
Sites
A site is a physical location where you set up and operate your network. You may need to open ports
on your firewall to ensure that the hardware provided by AWS can connect to the AWS Region and
apply for and receive spectrum grants from an automated service.
Network site requirements for AWS Private 5G
A network site is a physical location where you set up your network. The range and coverage that you
obtain can vary depending on the following characteristics of your site:
- Physical conditions
- Throughput requirements
- The antennas and radio power of the equipment connecting to the network
- Citizens Broadband Radio Service (CBRS) power grants
- The location of your small cell equipment
Facility
Your facility must meet the following criteria:
- Environment – Radio units hold an Ingress Protection rating of IP67, which allows for indoor or outdoor installations.
- Operating temperature – The ambient temperature must be between -40° F (-40° C) and 149° F (65° C).
- Weight support – If pole-mounted, structural support for 5.5 lbs (2.5 kg) in addition to the weight of any mounts.
- Power – You must supply power to the radio units using Power over Ethernet (PoE).
- Operating country – You must operate the radio unit in the United States. You cannot, and will not permit or authorize any third parties to export or otherwise remove the Private 5G equipment from the United States.
- Federal Communications Commission (FCC) limits – Equipment must comply with FCC radiation exposure limits for an uncontrolled environment. Install and operate this equipment with a minimum distance of 7.8 inches (20 cm) between the radio unit and your body.
Networking
You must provide the following:
- Cables for network and power.
- A 1 Gbps Ethernet port with copper wire and an RJ45 connector.
- A wide area network (WAN) with 200 Mbps capacity and a maximum transmission unit (MTU) of at least 1428 bytes.
- IPv4 routing.
- DHCP so that radio units can obtain IP addresses.
- DNS resolution to a trusted and reliable DNS server registered with ICANN.
Outbound ports required for radio units
The radio units require open connections to the internet on the following ports:
- IP 50 – IPsec tunnel traffic
- IP 51 – IPsec tunnel traffic
- UDP 53 – DNS
- TCP 53 – DNS
- TCP 80 – Certificate retrieval
- UDP 123 – NTP/clock synchronization
- TCP 443 – Management traffic
- UDP 500 – IPsec tunnel traffic
- UDP 4500 – IPsec tunnel traffic
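An added example (not from the AWS documentation) of using the list above as an egress allowlist: it checks flow records sourced from the radio-unit VLAN and reports anything outside the documented protocols and ports. The VLAN subnet, the flow-record format, and the sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Outbound requirements exactly as listed on this page.
# "IP 50" and "IP 51" are IP protocol numbers (ESP and AH), not ports.
ALLOWED = {
    ("esp", None): "IPsec tunnel traffic",
    ("ah", None): "IPsec tunnel traffic",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 80): "Certificate retrieval",
    ("udp", 123): "NTP/clock synchronization",
    ("tcp", 443): "Management traffic",
    ("udp", 500): "IPsec tunnel traffic",
    ("udp", 4500): "IPsec tunnel traffic",
}
PROTO_NAMES = {6: "tcp", 17: "udp", 50: "esp", 51: "ah"}

# Assumption: the radio units sit in a dedicated VLAN with this subnet.
RADIO_VLAN = ip_network("10.50.0.0/24")

# Constructed flow records, one per line: src dst ip_protocol dst_port
SAMPLE_FLOWS = """\
10.50.0.11 198.51.100.7 17 500
10.50.0.11 198.51.100.7 50 0
10.50.0.11 203.0.113.53 17 53
10.50.0.12 198.51.100.9 6 443
10.50.0.12 192.0.2.44 6 22
10.50.0.13 192.0.2.80 6 8080
10.20.0.5 192.0.2.44 6 22
"""

def audit(flow_text, vlan=RADIO_VLAN):
    """Return (allowed, unexpected) flows sourced from the radio VLAN."""
    allowed, unexpected = [], []
    for line in flow_text.splitlines():
        src, dst, proto, dport = line.split()
        if ip_address(src) not in vlan:
            continue  # not a radio unit, out of scope for this check
        name = PROTO_NAMES.get(int(proto), f"proto-{proto}")
        # Ports only mean something for TCP and UDP.
        key = (name, int(dport) if name in ("tcp", "udp") else None)
        if key in ALLOWED:
            allowed.append((src, dst, key, ALLOWED[key]))
        else:
            unexpected.append((src, dst, key))
    return allowed, unexpected

if __name__ == "__main__":
    for src, dst, key in audit(SAMPLE_FLOWS)[1]:
        print(f"unexpected egress from radio VLAN: {src} -> {dst} {key}")
```

Any flow reported as unexpected is either a firewall rule that is broader than the documented list or a device in the radio-unit VLAN that is not a radio unit.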
Security in AWS Private 5G
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Private 5G, see AWS Services in Scope by Compliance Program.
- Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
Data protection in AWS Private 5G
The AWS shared responsibility model applies to data protection in AWS Private 5G. As described in this
model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You
are responsible for maintaining control over the content that is hosted on this infrastructure. This
content includes the security configuration and management tasks for the AWS services that you use.
For more information about data privacy, see the Data Privacy FAQ.
For data protection purposes, we recommend that you protect AWS account credentials and set up
individual users with AWS IAM Identity Center (successor to AWS Single Sign-On) or AWS Identity and
Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job
duties. We also recommend that you secure your data in the following ways:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
- Set up API and user activity logging with AWS CloudTrail.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
- If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint.
We strongly recommend that you never put confidential or sensitive information, such as your
customers' email addresses, into tags or free-form text fields such as a Name field. This includes when
you work with Private 5G or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data
that you enter into tags or free-form text fields used for names may be used for billing or diagnostic
logs. If you provide a URL to an external server, we strongly recommend that you do not include
credentials information in the URL to validate your request to that server.
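An added example (not from the AWS documentation) of enforcing the recommendation above before resources are created: it scans a Name field and tags for e-mail addresses and for URLs that embed credentials. The resource layout, the list of secret-bearing query parameter names, and the sample values are assumptions constructed for illustration and are not the Private 5G API.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)
# Assumption: query parameter names that usually carry a secret.
SECRET_PARAMS = {"token", "password", "passwd", "secret", "apikey", "api_key", "sig"}

def check_value(value):
    """Return sorted finding labels for one tag value or free-form field."""
    found = set()
    for url in URL_RE.findall(value):
        parts = urlsplit(url)
        if parts.username or parts.password:
            found.add("credentials-in-url")
        if any(k.lower() in SECRET_PARAMS for k, _ in parse_qsl(parts.query)):
            found.add("secret-in-query")
    # Remove URLs first so user:pass@host is not also reported as an e-mail.
    if EMAIL_RE.search(URL_RE.sub(" ", value)):
        found.add("email-address")
    return sorted(found)

def lint_resource(resource):
    """Check the Name field and every tag key and value of one resource."""
    fields = {"Name": resource.get("Name", "")}
    for key, val in resource.get("Tags", {}).items():
        fields[f"tag-key:{key}"] = key
        fields[f"tag:{key}"] = val
    return {f: hits for f, v in fields.items() if (hits := check_value(v))}

# Constructed sample: a name and tags as they might be submitted for a site.
SAMPLE = {
    "Name": "warehouse-7 (contact jane.doe@example.com)",
    "Tags": {
        "env": "prod",
        "callback": "https://svc:hunter2@hooks.example.com/notify",
        "report": "https://reports.example.com/r?token=abc123&fmt=csv",
    },
}

if __name__ == "__main__":
    for field, hits in lint_resource(SAMPLE).items():
        print(f"{field}: {', '.join(hits)}")
```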
Quotas for AWS Private 5G
Your account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise
noted, each quota is Region-specific. You can request increases for some quotas, and other quotas
cannot be increased.
- To view the quotas for Private 5G, open the Service Quotas console. In the navigation pane, choose AWS services, and then select AWS Private 5G.
- To request a quota increase, see Requesting a Quota Increase in the Service Quotas User Guide. If the quota is not yet available in Service Quotas, contact AWS Support.
Your account has the following quotas for Private 5G. The access point is another name for a radio unit.