Overview
📖 AWS re:Invent 2025 - The power of cloud network innovation (INV213)
In this video, Rob Kennedy, VP of Network Services at AWS, unveils major networking innovations for AI and multi-cloud environments. He details AWS's full-stack approach from hollow core fiber achieving 30% latency reduction to UltraSwitch and SIDR enabling sub-500ms convergence across 250,000 links. Kennedy announces Project Rainier with 1 million training chips for Anthropic's Claude, cross-region PrivateLink for AWS services, API Gateway Portal with MCP support, VPC encryption controls, Network Firewall Proxy, and Transit Gateway native firewall attachment. The keynote introduces AWS Interconnect Multi-cloud (preview with Google Cloud, Azure coming 2025) and last-mile connectivity with Lumen, plus Fastnet transatlantic cable launching 2028. New regions in Thailand, Taiwan, Mexico, and New Zealand expand AWS's 38-region footprint. CloudFront's flat-rate pricing attracted 15,000 subscriptions in two weeks, while delivering 268 Tbps for Epic Games' Fortnite launch.
This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
Introduction: The Evolution of Networking and the Rise of AI Workloads
Please welcome to the stage Vice President of Network Services at AWS, Robert Kennedy. All right, hey folks. You're all here for networking, right? Great. I'm glad to see there are as many passionate people about networking as I am. I'm Rob Kennedy, Vice President of Network Services. Over the next hour, I'll walk you through the highlights from the past year. I'll introduce you to a few exciting innovations we're unveiling at this re:Invent and share some insights that I hope you'll find valuable for your own business.
I have been with AWS for over 16 years and in the networking industry since I graduated college. I have a fascination with networking. How far it's come has been absolutely amazing for me. It has been the heart and soul of our innovations, allowing us to move forward. Going from what I thought was basic network connectivity back when I graduated to the sophisticated intelligent infrastructure that powers our modern applications today is fundamentally amazing.
Over those 16 years, we've seen amazing workload transformation: simple web applications, massive artificial intelligence models, and global streaming events that reach millions of users simultaneously. From personal devices to orbiting satellites, network infrastructure underpins every aspect of modern day life. It accelerates breakthroughs in medicine, scientific research, and next generation large language model development and use. At AWS, we build networks that keep things running while also pushing the boundary of what's possible.
At AWS, that starts with owning the entire stack from top to bottom: the fiber in the ground and under the sea, the physical hardware, and the operating systems that sit on top of that hardware. We control the infrastructure and the data centers. We build them from the ground up: power, cooling, every aspect, all the way out to the internet edge. It's owned and operated by AWS, and really nobody else can say that. We've also built our own software-defined network that sits on top of all the physical foundation, giving us unprecedented control and flexibility.
We don't just build networks; we engineer them from the silicon to the software. Full stack control means we deliver reliability while simultaneously pushing the boundaries of what networks can do next. Networking supports workloads of every scale, from the smallest application to the most demanding high performance computing environments. Right now, no technology is pushing those boundaries more than AI. Models are getting bigger, more complex, and more demanding by the day, rapidly approaching the very limits of what traditional networks can handle.
Models have already crossed the one trillion parameter threshold, but it's not just about size. Customers need to continuously train these models to improve performance and then deploy them globally to serve businesses and customers around the world. The network is no longer just plumbing in the background. It's the backbone that makes it all possible.
The Physics Challenge: Connecting AI Accelerators at Scale
So let's start with a simple question: Why does networking matter? Think about atoms on their own—they can be interesting, but when they connect and combine into different molecular combinations, they make amazing things. Water, air, and my favorite one, which I may have had a little bit of before I came on stage here, being Irish, is whiskey. Hopefully you all know that the Irish invented whiskey, and if you ever hear any Scottish person tell you differently, it's a lie. They have no evidence whatsoever.
The same is true in AI. A single AI accelerator, such as an AWS Trainium chip or GPU, is quite powerful by itself. But to train a large ML model or run inference at scale, you need something more powerful. You need a distributed system composed of over a million GPUs, all connected through low latency, high performance networking. Think of it this way: those accelerators are atoms, and the network is the bond that connects them and transforms them into something far more powerful. At AWS, we work to strengthen those bonds at every level, from the smallest chip-to-chip link all the way up to hyperscale clusters.
So let's zoom in and look at the basics. Let's start with the simplest use case. Two AI accelerators working together to train a large language model, sharing learned knowledge, adjusting, passing data back and forth.
This is like dance partners in perfect sync. When these AI accelerators sit in the same server, connected by PCIe or NVLink, they communicate in nanoseconds. It's a beautiful partnership, but here's where our story gets complicated. Today's AI models are massive. We're talking about 1 trillion parameters and growing, so we have no choice. We must break up the perfect partnership and scale out across hundreds of thousands of accelerators.
When we do that, the instant we step outside that single server, physics becomes our greatest enemy. We move to the next server and face a latency penalty. Move to the next rack, bigger penalty. Move to the data center, even bigger penalty. Once we reach a region, now we're talking about big challenges. Technology helps to reduce that latency, and we go all the way down to the physical fiber itself that we put in the ground, so we're constantly innovating even at that level.
That's where technologies like hollow core fiber come in, which we talked about last year and just launched. This technology is a revolution in material science and manufacturing. Imagine the precision it takes to fabricate a long strand of fiber with a perfectly hollow core. The benefits are worth it. Instead of traveling through glass more slowly, the information travels through the hollow core. Since last year, we have deployed hollow core fiber live on our network, and we've continued to deploy thousands of kilometers across our data centers. It ends up with a 30 percent improvement in latency, which is seriously meaningful.
But still, every boundary you cross, every step you take away from that perfect accelerator-to-accelerator connection, physics comes into play. At scale, every connection matters exponentially. The bigger the system, the more latency compounds. Training a large language model with over 11 trillion parameters and growing may require billions of messages to move between AI accelerators. Why billions? Because every microstep of the process—exchanging parameters, gradient updates, intermediate matrix multiplication, and transformer layer operations—may be divided across 8 to 16 accelerators, and each of those accelerators must share partial results hundreds of times per second.
Delays, even on the smallest scale of microseconds, can impact job performance. That's why optimizing communication isn't just important, it's essential as clusters grow. That brings us to the trillion-dollar question: How do you build AI infrastructure that's fast enough, reliable enough, and scalable enough to train the models that will define the next decade?
Trainium2 Ultra Servers and EC2 Ultra Clusters: Building Petabit-Scale AI Infrastructure
Let's start with a concrete example of how we think about scale at AWS. First, let's take our Trainium2 Ultra server. It's not just a server, it's a new category of compute. We pack 64 Trainium2 chips into a single Ultra server, connected with high bandwidth, low-latency Neuron Link interconnects. That's 512 Neuron cores working together, and here's the key insight. Those 64 chips aren't just randomly connected. They're arranged in a carefully designed topology, a 2D torus within each instance with corresponding cores linked in circular pathways that bridge across instances.
This isn't accidental. The network topology directly determines what's computationally possible. The depth of interconnectedness is what makes 1 trillion parameter models feasible. Whether you're training or running inference on models, the Ultra server's interconnect design ensures 64 chips can work together seamlessly, maintaining the performance characteristics you'd expect from a single massive instance. Ultra servers are great for those models that need scaled-up infrastructure.
When you need to scale beyond an Ultra server and connect hundreds of these units together, the network has one job: make it all feel local. Every AI accelerator should think it's talking to its neighbor, even if it's sitting racks away. That means microsecond latency, not milliseconds, and massive bandwidth across every connection. That's exactly why we build EC2 Ultra Clusters: petabit-scale, non-blocking fabrics that connect over a million training chips or GPUs with predictable ultra-low latency. These clusters have already powered some of the largest AI training runs in the world.
The same architecture that drives training performance delivers rock-solid inference too. The same network fabric that synchronizes thousands of AI accelerators during training seamlessly coordinates inference requests across model replicas deployed on fleets of Trainium or GPU instances for real-time applications, massive models, and heavy traffic.
And you'll still get consistent response times without congestion or slowdown. But scaling to these massive clusters isn't just about connecting more hardware, it's about choosing the right network topology. So let me explain the fundamental trade-offs we face.
UltraSwitch, SIDR, and Project Rainier: Achieving Performance and Resiliency at Million-Chip Scale
ML servers have multiple accelerators, each with an index, and ML clusters often use rail-wired connectivity, which creates mini networks connecting accelerators of the same index to improve performance. This approach is great when all is working well, but here's the reality: a failure on any single link can affect your entire training run, causing work to restart from checkpoints. And in clusters with a quarter of a million or more links, failures are going to happen.
The conventional alternative is to connect all accelerators using a top-of-rack switch. This gives you the flexibility to route around failures, but it decreases bandwidth efficiency and increases accelerator interference. The trade-off is raw performance versus resiliency. Training job utilization is driven by network stability, not just raw latency. ML training jobs write periodic checkpoints so they can pick up again after a failure. However, rolling back to a checkpoint is relatively costly.
But can we develop technology that gives us the best of both performance and resiliency? Well, of course you know the answer. We're AWS, of course we can. This is exactly why we developed UltraSwitch, a new first hop networking device in our data centers, homegrown at AWS. UltraSwitch uses a variety of information such as accelerator index, cluster topology information, and network capacity to align AI accelerator traffic consistently down dedicated adaptive rails. We allow for optimal rails-oriented data flow when possible, and when faced with failures, we quickly recover to provide the network stability.
In the event of failures or periods of congestion, UltraSwitch can adaptively route traffic around an impaired area while keeping flow collisions to a minimum, enabling the job to continue without disruption. We also examined shorter links, connections between devices in a rack and between racks. We typically have used copper interconnects for their reliability, but the cabling density and the length requirements make copper impractical when you need to route hundreds of thousands of thick cables through limited rack space.
So traditional optics solve the cable size and reach challenges, but they're more expensive and they're less reliable than copper. We needed the reach and size benefits of optics with the reliability and cost effectiveness of copper. Because we own everything across the stack, we can innovate even in the optics, and ultra short reach optics delivers exactly that. By limiting cable lengths and minimizing connectors, we enable innovations in optics design and manufacturing that are not possible with traditional optics.
The result is reliability that surpasses copper, with a 3x improvement in server-to-network link reliability plus enhanced power efficiency. But networking isn't just about the hardware innovation. When we're training models at massive scale, hundreds of thousands of AI accelerators exchanging gradients every millisecond, the network can't afford to pause. But traditional routing protocols were never built for this. They take seconds to detect failures, propagate routing information, and recompute best paths for traffic flows, and at AI scale, a few seconds of delay can stall an entire training run, wasting compute time and money.
To fix it, we built SIDR, Scalable Intent-Driven Routing, a part of our intent-driven network where UltraSwitch handles deterministic forwarding at the switch level, making sure packets never collide. SIDR operates at the network control plane. It continuously monitors the network, detects congestion and failures in milliseconds, and adapts paths instantly, so the ML layer does not see any network interruption.
The result is rapid convergence, with the ability to converge ML fabrics consisting of a quarter of a million physical links in less than 500 milliseconds. No job restarts, no idle accelerators, just smooth, uninterrupted training, even when the unexpected happens. Think of it this way: UltraSwitch gives you predictable paths through each switch. SIDR makes the network itself adaptive and self-healing. Together, they form a fabric that's fast, predictable, and resilient. Exactly what large-scale AI training demands.
And in just 3 years, AWS has deployed over 300,000 switches and more than 40 million physical ports dedicated to ML traffic.
That's growing faster than our core network itself, and it reflects the extraordinary demand for AI. Just recently, we activated Project Rainier, one of the world's largest AI compute clusters, which is now fully operational. AWS collaborated with Anthropic on Project Rainier, which features nearly 500,000 training chips, and we've just scaled up to a million. It provides more than 5 times the compute power Anthropic used to train its previous AI models. We're scaling to more than 1 million chips already, and Anthropic is actively using Project Rainier to build and deploy its industry-leading AI model, Claude.
We built one of the world's largest purpose-built ML networks, delivering the scale, performance, and reliability our customers need to train and run the most advanced models. These networks don't just accelerate training; they also power inference at scale, from serving interactive chatbots to running recommender systems in real time. Whether you're building or serving your models, AWS networks are designed to keep them fast, reliable, and cost efficient. Everything we do here passes on to our entire network as well.
VPC Foundation and Application-Centric Networking with VPC Lattice
These clusters don't exist in isolation. They must connect securely and seamlessly to the rest of your environment, your data pipelines, your applications, and your users. That's where VPC services come in. Now let's shift from the inside of the cluster to the outside and look at how we extend these innovations into VPC, the network foundation that every AWS customer builds on.
I've mentioned before that everything starts with an atom. Atoms bond into molecules and then further connect and scale, extending into more complex structures like DNA, cells, organisms, and so on. You can think about networking services in a very similar fashion, allowing you to build complex applications from simple foundations, with each component building upon the one below while hiding complexity. We handle all the physical networking we just discussed, from GPU communication over PCIe and NVLink, to Ultra Clusters, to connectivity across data centers around the world, so you don't have to.
When you move from prototype to production, you need networking that can isolate different workloads from each other, enforce security policy, and scale globally. Whether you're running AI training and inference applications, high frequency trading, or retail platforms, you should focus on the application logic, not cable management or switch configurations. While you see many providers offering racks of GPUs, you need a solid network that can isolate your workloads from each other.
At AWS, we've spent nearly two decades perfecting software-defined networking. We provide you with a software abstraction that gives you programmable access to the network without worrying about the underlying infrastructure. We built this from the ground up to deliver microsecond-level latency and deterministic performance while hiding all the physical complexity. That's exactly what VPC represents: the programmable foundation that every production workload on AWS builds upon.
So what does that mean for you? It means you get your own private section of the AWS cloud, completely isolated from everyone else. Within that space, VPC gives you secure boundaries with complete traffic control. You decide what connects to what, when, and how. Whether you're running AI workloads or traditional applications, production environments require strict separation between workloads, compliance domains, and security zones.
Under the hood, AWS builds VPCs as a software-defined network with focus on security, high availability, and resilience. Customer packets never leave AWS-controlled infrastructure. We could do this because of another innovation that we've talked about many times: the AWS Nitro System. It's a combination of dedicated hardware and a lightweight hypervisor, enabling more performance, enhanced security, and faster innovation. VPC control planes use Nitro-based network virtualization, creating millions of independent routing and security domains. Every one of them is isolated, programmable, and elastic, all built on the same foundation. It scales without redesign.
We operate the largest VPC deployments in the industry with hundreds of thousands of resources in each, handling billions of route updates and petabits per second of throughput daily.
Need a new environment for AI training with a strict blast radius? One API call. Need regulated workloads with compliance isolation? Same building blocks, same controls, instantly available. Whether you're running a single workload or managing more than 50,000 VPCs, the same foundational technology scales with you. When we first introduced VPC, the world was a lot simpler. Most customers ran in a single network, one VPC, one region, one set of subnets, everything lived in a single place.
Fast forward to today: startups launch on AWS with microservices spread across multiple VPCs from the start, with front-end services in one VPC, APIs in another, and data processing in a third. Meanwhile, some of the world's largest enterprises operate tens of thousands of VPCs, each mapped to a specific team, application, or environment. Your VPC foundation provides isolation and security, but true power emerges when we connect them intelligently.
VPC peering creates direct private links between networks. Transit gateway scales an architecture of hundreds of VPCs through a single managed hub. Internet gateways open your applications to the world, and NAT gateways enable private resources to reach out securely without any inbound exposure. But here's what's fundamentally shifted. Developers have moved beyond infrastructure thinking. They no longer think in terms of VPCs and subnets. They think in services, APIs and connections. This is how applications work today. The code doesn't care about network topology. It thinks in business logic, and the architecture reflects this reality.
A single modern application might span multiple VPCs, stretch across regions, and live in different AWS accounts entirely. From the developer's perspective, the ask remains beautifully simple. Connect securely to a database, reach a machine learning model, or access object storage. That's why we built a comprehensive application networking suite that puts your applications at the center, like molecular bonds that hold complex structures together. Let's explore how we're making this vision a reality.
Cross-Region PrivateLink and Application Load Balancer Target Optimizer for AI Workloads
The real magic happens when we build application-centric networking on top of this VPC foundation. That brings us to VPC Lattice, the ultimate expression of intent-driven networking. You'll see this intent-driven networking even in our foundational physical network, and you see it at our software-defined level. Lattice is an application networking service that eliminates the complexity of routing tables, peering configurations, and IP overlap challenges. Instead of configuring network paths across tens of thousands of VPCs, you simply say this service is allowed to talk to that service in a secure manner and define the trust level. Lattice automatically discovers endpoints, enforces zero trust policies using IAM, and continuously monitors connectivity.
No service meshes to deploy, no gateways to manage, no complex addressing plans, just application-centric networking that matches how you build software. With Lattice, you get networking for your applications without needing extensive networking expertise. Your application connectivity requirements don't stop here. As you scale, your applications don't stay in one region. They follow your users, your data, your business requirements all across the globe. However, multi-region architecture shouldn't mean multi-region complexity for your applications.
Last year we launched cross-region PrivateLink for SaaS services, providing private connectivity to third-party services across any region without internet exposure or routing complexity. So today I'm excited to announce that we have the full extension of this feature to meet your needs. Cross-region PrivateLink for AWS services is now available. Your applications can access S3, DynamoDB, and other AWS services across regions using the same private connectivity model. The abstraction handles the complexity while your application simply connects to the endpoints it needs.
This is the power of layered abstractions. Each new capability builds upon proven foundations, creating increasingly sophisticated possibilities while maintaining simplicity for developers. But private connectivity is just a foundation. The next challenge becomes ensuring optimal performance when distributing requests to those services. We've learned something critical: infrastructure patterns that work for traditional applications can hurt AI workload performance. Our customers running large language models experience inconsistent response times and poor resource utilization despite sophisticated load balancing.
Servers would sit idle while others were overwhelmed, not from CPU or memory issues, but something more nuanced. When you're running large language models, server capacity isn't just about CPU. It's about model state, memory utilization, token processing complexity, and the specific type of inference request. A server might be technically available but completely unsuitable for the next request based on its current workload characteristics.
Traditional load balancing algorithms based on CPU or connection counts miss these real bottlenecks in AI workloads. We needed something entirely new. That's why we built Application Load Balancer Target Optimizer, a load balancing solution designed specifically for the unique demands of AI and high performance compute workloads. You install the agent on the target, and the agent lets you configure the maximum number of concurrent requests that you want that target to receive from the load balancer. The agent tracks the number of requests the target is processing. If that number is below the configured maximum, the agent sends a signal to one of the load balancer nodes. The node registers that signal, and when a new request arrives, it knows that it can send the request to that target.
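The mechanism just described, as an added simulation that is not AWS code and not the Target Optimizer agent itself: each target has an agent-configured concurrency limit and advertises free request slots to the load balancer node, which only dispatches against an advertised slot and otherwise holds the request. A plain round-robin node that ignores target capacity is run on the same constructed scenario for comparison. Class names, the tick-based timing model and the arrival data are all assumptions of the example.

```python
"""Discrete-time simulation of capacity-signalled dispatch vs. round robin.

Added example (not AWS code). Models the mechanism the talk describes for
ALB Target Optimizer: an agent on each target advertises free request slots,
and the load balancer node only sends a request against an advertised slot.
All inputs are constructed; class and function names are hypothetical.
"""
from collections import deque


class Target:
    """An inference target with a hard concurrency limit (agent-configured)."""

    def __init__(self, name, max_concurrent):
        self.name = name
        self.max_concurrent = max_concurrent   # configured on the agent
        self.running = []                      # [request_id, remaining work] per active request
        self.local_queue = deque()             # requests waiting on the target itself
        self.signals_outstanding = 0           # slots advertised to the LB but not yet used
        self.max_local_queue = 0

    def accept(self, request_id, work):
        """Take a request; run it now if a slot is free, else queue it locally."""
        if len(self.running) < self.max_concurrent:
            self.running.append([request_id, work])
        else:
            self.local_queue.append((request_id, work))
            self.max_local_queue = max(self.max_local_queue, len(self.local_queue))

    def tick(self, now, completions):
        """Advance every running request by one work unit; refill freed slots."""
        still_running = []
        for rid, remaining in self.running:
            remaining -= 1
            if remaining == 0:
                completions[rid] = now
            else:
                still_running.append([rid, remaining])
        self.running = still_running
        while self.local_queue and len(self.running) < self.max_concurrent:
            rid, work = self.local_queue.popleft()
            self.running.append([rid, work])

    def emit_signals(self, lb):
        """Agent step: advertise every free slot that is not already advertised."""
        while len(self.running) + self.signals_outstanding < self.max_concurrent:
            self.signals_outstanding += 1
            lb.register_signal(self)


class LoadBalancerNode:
    def __init__(self, targets, policy):
        self.targets = targets
        self.policy = policy            # "round_robin" or "signal"
        self.ready = deque()            # one entry per advertised free slot
        self.pending = deque()          # requests held until a slot is advertised
        self.rr_index = 0

    def register_signal(self, target):
        self.ready.append(target)

    def dispatch(self):
        while self.pending:
            if self.policy == "round_robin":
                target = self.targets[self.rr_index % len(self.targets)]
                self.rr_index += 1
            elif self.ready:
                target = self.ready.popleft()
                target.signals_outstanding -= 1     # consume the advertised slot
            else:
                return                              # no capacity advertised: hold the request
            rid, work = self.pending.popleft()
            target.accept(rid, work)


def simulate(policy, target_specs, arrivals):
    """Run until every request completes; return summary metrics."""
    if not arrivals:
        return {"makespan": 0, "total_completion_time": 0, "max_local_queue": 0}
    targets = [Target(name, cap) for name, cap in target_specs]
    lb = LoadBalancerNode(targets, policy)
    completions, now = {}, 0
    while len(completions) < len(arrivals):
        if policy == "signal":
            for t in targets:
                t.emit_signals(lb)
        for rid, (step, work) in enumerate(arrivals):
            if step == now:
                lb.pending.append((rid, work))
        lb.dispatch()
        for t in targets:
            t.tick(now, completions)
        now += 1
    return {
        "makespan": max(completions.values()),
        "total_completion_time": sum(completions.values()),
        "max_local_queue": max(t.max_local_queue for t in targets),
    }


# Constructed scenario: one small and one large target (1 and 3 concurrent
# requests), eight equal-cost requests arriving together at step 0.
TARGETS = [("small", 1), ("large", 3)]
ARRIVALS = [(0, 2)] * 8     # (arrival step, work units)

if __name__ == "__main__":
    for policy in ("round_robin", "signal"):
        print(policy, simulate(policy, TARGETS, ARRIVALS))
```

Round robin sends half the requests to the small target regardless of its capacity, so three of them wait in its local queue while the large target sits idle; the signal-based node never exceeds a target's limit and finishes the same batch in less than half the time.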
API Gateway Innovations: Portal, Response Streaming, and Model Context Protocol Support
This brings us to a critical realization. In this world of distributed services and cross-region connectivity, every application becomes an ecosystem of APIs. Managing that ecosystem requires intelligent coordination. That's where API Gateway comes in, not just another networking service, but as the intelligent conductor managing how your APIs are documented, exposed, updated, secured, and accessed. Here's what we've learned from processing over 140 trillion requests in 2024, a 40 percent increase year over year across 400,000 accounts. Most successful applications aren't just well coded, they're well connected.
Let me share a story that helps illustrate this evolution. Itaú, the largest private sector bank in Brazil, started with what seemed like a simple architecture: a mobile app connecting to three microservices for front end, authentication, and data processing, each in their own VPC using the patterns we just discussed. But applications never stay simple. Within months, they were integrating machine learning models for personalization, adding real-time analytics, connecting third-party payment services, and building partner APIs. Today, Itaú operates over 5,000 APIs across 4,000 lines of business, each with different security requirements, performance characteristics, and scaling patterns. This distributed architecture now handles more than 160 billion API calls per month across 13,000 AWS accounts, a scale that transforms simple networking decisions into critical infrastructure challenges.
This is exactly why we've been innovating rapidly in API Gateway. In the application-centric world, your APIs aren't just interfaces, they're the control plane for your business logic. That's why I'm excited to introduce three new major capabilities in API Gateway. First, API Gateway Portal transforms how you scale API ecosystems across your organizations and with external partners. In today's interconnected world, your APIs aren't just technical interfaces, they're the business enablers that drive revenue, partnerships, and innovation. Traditional approaches create friction through fragmented documentation, manual API key management, and inconsistent developer experiences, directly impacting adoption and business outcomes.
API Gateway Portals deliver a unified self-service solution. Developers get searchable API discovery, auto-generated documentation, and immediate interactive testing. Providers gain valuable usage analytics and automated governance for security and compliance. This reduces API management overhead from weeks to minutes, so teams can focus on building great APIs instead of managing infrastructure. Another exciting launch is Response Streaming for API Gateway, purpose-built for the AI era. Traditional APIs follow a request-response pattern where the entire payload must be generated, buffered, and transmitted as a complete unit. This works for small JSON responses but creates significant problems for AI-driven applications. When serving large language model responses or processing complex analytics, buffering entire responses creates suboptimal user experiences.
Users stare at loading screens while your backend generates a complete 2000 word response, even though the first paragraph could be delivered immediately. This also ties up valuable compute resources and memory. Response streaming support enables real-time streaming of API responses as they're generated, delivering content immediately rather than waiting for complete generation. This dramatically reduces perceived latency and improves resource utilization by freeing up memory and compute as data is transformed and transmitted. It enables entirely new user experience patterns: real-time collaborative editing, progressive data visualization, and interactive AI conversations that feel natural and responsive.
For API providers, you can handle more concurrent requests with the same infrastructure, reduce memory pressure, and provide an instantaneous user experience instead of batch-processing delays. This is critical for the AI era. As applications become more conversational and interactive, users are going to expect things to naturally flow. I'm also pleased to announce that API Gateway now supports Model Context Protocol proxy functionality, enabling seamless transformation of existing REST APIs into MCP compatible endpoints through integration with Amazon Bedrock's AgentCore Gateway service.
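The buffered-versus-streamed contrast above, as an added example that is not API Gateway code and makes no claim about how API Gateway frames streamed responses on the wire: a constructed model output is produced piece by piece with a simulated generation cost, once assembled into a single Content-Length response and once framed as HTTP/1.1 chunked transfer-coding as each piece appears. A small client-side decoder reassembles the chunks so you can check the streamed body is byte-for-byte the same; the chunked framing and the cost figures are assumptions of the example.

```python
"""Buffered vs. streamed API responses, with HTTP/1.1 chunked framing.

Added example, not AWS or API Gateway code. It shows what streaming buys:
time to first byte drops from "whole payload generated" to "first piece
generated", while the client still receives an identical body.
"""
from typing import Iterator, List, Tuple

# Constructed LLM-style output: (text, generation cost in arbitrary time units).
CONSTRUCTED_OUTPUT = [
    ("Here is a summary of the report.\n", 3),
    ("First, latency fell after the fiber upgrade.\n", 5),
    ("Second, the API error rate stayed flat.\n", 4),
    ("Overall the rollout met its targets.\n", 2),
]


def generate(chunks) -> Iterator[Tuple[int, str]]:
    """Yield (clock when the piece is ready, text), like a model producing text over time."""
    clock = 0
    for text, cost in chunks:
        clock += cost
        yield clock, text


def buffered_response(chunks) -> Tuple[int, bytes]:
    """Traditional pattern: assemble the full payload, then send it with Content-Length.

    Returns (time to first byte, body). Nothing leaves the server before the
    last piece exists, so the TTFB equals the whole generation time.
    """
    clock, parts = 0, []
    for clock, text in generate(chunks):
        parts.append(text)
    return clock, "".join(parts).encode()


def encode_chunk(text: str) -> bytes:
    """Frame one piece as an HTTP/1.1 chunk: hex size, CRLF, data, CRLF."""
    data = text.encode()
    return f"{len(data):x}\r\n".encode() + data + b"\r\n"


def streaming_response(chunks) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Streaming pattern: send each piece as soon as it is produced.

    Returns (time to first byte, wire) where wire is [(send clock, bytes)].
    """
    header = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    wire, ttfb, clock = [(0, header)], None, 0
    for clock, text in generate(chunks):
        if ttfb is None:
            ttfb = clock                      # first piece is on the wire immediately
        wire.append((clock, encode_chunk(text)))
    wire.append((clock, b"0\r\n\r\n"))        # terminating zero-length chunk
    return (ttfb if ttfb is not None else clock), wire


def decode_chunked(payload: bytes) -> bytes:
    """Client side: parse a chunked response body up to the zero-length chunk."""
    head, _, rest = payload.partition(b"\r\n\r\n")
    if b"Transfer-Encoding: chunked" not in head:
        raise ValueError("not a chunked response")
    out = bytearray()
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        if len(rest) < size + 2:
            raise ValueError("truncated chunk")
        out += rest[:size]
        rest = rest[size + 2:]                     # skip data and its trailing CRLF
    return bytes(out)


if __name__ == "__main__":
    ttfb_buffered, body = buffered_response(CONSTRUCTED_OUTPUT)
    ttfb_streamed, wire = streaming_response(CONSTRUCTED_OUTPUT)
    print("buffered TTFB:", ttfb_buffered, "streamed TTFB:", ttfb_streamed)
    print("bodies identical:", decode_chunked(b"".join(b for _, b in wire)) == body)
```

With the constructed costs the buffered client waits for the full 14 units before seeing anything, while the streamed client has the first paragraph after 3; the final chunk still leaves at 14, so streaming changes when bytes arrive, not how much work the backend does.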
Organizations face significant challenges making existing APIs accessible to AI agents. Currently you must build custom MCP servers for each API, implement complex security translations, manage data across protocols, handle capability discovery, and monitor AI agent access separately, all while maintaining enterprise security and governance. API Gateway's MCP capabilities resolve this. With automatic protocol translation between MCP and REST, including context management and capability advertisement, it provides API key and IAM based authentication. It supports both public and private APIs and includes enterprise controls for governance and compliance. Now your AI agents can seamlessly connect with existing and new REST APIs through MCP, powering agentic workflows with built-in support for observability to troubleshoot and optimize your applications.
Integrated Security: VPC Encryption Controls and Network Firewall Proxy
Now that we've established the foundation of application-centric networking, let's address what makes this all possible: security. Intelligent applications require security that's equally intelligent and adaptive. Your network security must adapt and respond without manual intervention. The more connected your applications become, the more sophisticated your security must be. AWS protection spans every single layer of the network stack. It begins in the silicon with the AWS Nitro system enforcing hardware level isolation, extends through the physical network with encrypted transit, continues through the software-defined boundaries of VPC with network ACLs and security groups, reaches the application layer with load balancer security policy and DDoS protection at the edge, which extends to every public API. Security is the foundation that enables every abstraction that we build.
Security must be deployable anywhere, effective at scale, and intelligent enough to adapt. That's why AWS security is programmable and integrated into every workflow. It must be as intent-driven as networking itself. From physical hardware isolation to logical network isolation, VPC carries the same isolation principle into software-defined boundaries. We're extending that integrated security approach to solve one of our customers' most persistent operational challenges. Organizations across financial services, healthcare, government, and retail face operational complexity in maintaining encryption compliance across their cloud infrastructure. Without centralized visibility, customers resort to manually tracking encryption across different network paths, having to piece together multiple solutions, managing complex public key infrastructure, implementing application layer encryption overhead, and manually demonstrating compliance with regulatory frameworks like HIPAA, FedRAMP, and others.
VPC encryption controls address these challenges with simple controls. They are available now, and in just the last week we've already seen a huge number of VPCs start to be encrypted. So in just a few clicks, you can audit the encryption status of your traffic.
You can identify VPC resources that allow plain text traffic, and modify them to enforce encryption across your entire network infrastructure. This extends AWS's proprietary native hardware layer, Nitro encryption, to major AWS services including Firewall tasks, Transit Gateway, Application Load Balancer, and more. It eliminates the operational overhead and complexity associated with certificate and key management.
I'm also excited to announce another breakthrough innovation meant to make it easier for you to secure your applications at AWS: Network Firewall Proxy. Firewall Proxy is expanding the highly resilient and highly scalable NAT Gateway functionality to include comprehensive proxy capabilities. You can authenticate source clients, decrypt and filter internet egress traffic, and provide protection against sophisticated attacks. It uses NAT Gateway's IP address for address translation and ensures egress-only connectivity for private workloads.
With this, you can easily enforce tighter security controls against data exfiltration threats, prevent data leaks, detect compromised workloads, and filter traffic based on domain names, IP rules, and HTTP header fields. Proxy offers multiple layers of protection, including domain filtering, DNS lookup, IP filtering, TLS interception, and response traffic filtering. You can now simply enable this enhanced proxy functionality on your existing NAT Gateway and make it available to applications across different VPCs. No more managing proxy infrastructure. AWS handles the scaling, updates, and availability while you get enterprise-grade filtering and data exfiltration protection.
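As an added illustration written for this page (not AWS code, and not how Network Firewall Proxy is implemented), the following Python models the filtering layers the passage names, domain names, IP rules and HTTP header fields, as a default-deny egress policy evaluated over constructed requests; the policy values, request records and the `x-tenant-id` header are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EgressRequest:
    """One outbound connection as a proxy would see it. Header fields are only
    visible once TLS has been intercepted, hence the inspected flag."""
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: Optional[str]                      # TLS server name, basis of domain filtering
    inspected: bool = False                 # True when the proxy intercepted TLS
    headers: dict = field(default_factory=dict)


@dataclass
class EgressPolicy:
    allowed_domains: list                   # exact names or "*.suffix" wildcards
    denied_networks: list                   # CIDRs that may never be reached
    required_headers: dict                  # header -> value, checked only when inspected

    def domain_allowed(self, name: Optional[str]) -> bool:
        if not name:
            return False                    # no SNI: destination unproven, treat as unknown
        name = name.lower().rstrip(".")
        for pattern in self.allowed_domains:
            pattern = pattern.lower()
            if pattern.startswith("*."):
                suffix = pattern[1:]        # "*.example.com" -> ".example.com"
                if name.endswith(suffix):   # matches sub.example.com, not evilexample.com
                    return True
            elif name == pattern:
                return True
        return False

    def ip_denied(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.denied_networks)


def evaluate(policy: EgressPolicy, req: EgressRequest):
    """Return (verdict, reason). Checks run in the order of the proxy layers
    named in the talk: IP rules, then domain, then HTTP header fields."""
    if policy.ip_denied(req.dst_ip):
        return "DENY", f"destination {req.dst_ip} matches a denied IP rule"
    if not policy.domain_allowed(req.sni):
        return "DENY", f"domain {req.sni!r} is not on the allow list"
    if req.inspected:
        seen = {k.lower(): v for k, v in req.headers.items()}
        for header, expected in policy.required_headers.items():
            if seen.get(header.lower()) != expected:
                return "DENY", f"header {header} missing or unexpected"
    return "ALLOW", "matches egress policy"


def audit(policy: EgressPolicy, requests):
    """Defender's view: the denied requests with reasons, i.e. the raw material
    for a data-exfiltration or compromised-workload alert."""
    findings = []
    for req in requests:
        verdict, reason = evaluate(policy, req)
        if verdict == "DENY":
            findings.append((req.src_ip, req.sni or req.dst_ip, reason))
    return findings


# Constructed policy and traffic sample; addresses are documentation ranges.
POLICY = EgressPolicy(
    allowed_domains=["*.amazonaws.com", "api.partner.example"],
    denied_networks=["198.51.100.0/24"],
    required_headers={"x-tenant-id": "tenant-a"},
)
SAMPLE = [
    EgressRequest("10.0.1.5", "203.0.113.10", 443, "s3.us-east-1.amazonaws.com"),
    EgressRequest("10.0.1.5", "203.0.113.20", 443, "updates.unknown.example"),
    EgressRequest("10.0.1.7", "198.51.100.9", 443, "cdn.amazonaws.com"),
    EgressRequest("10.0.1.9", "203.0.113.30", 443, None),
    EgressRequest("10.0.1.5", "203.0.113.40", 443, "api.partner.example",
                  inspected=True, headers={"X-Tenant-Id": "tenant-b"}),
]
```

Only the first request passes; the IP rule is applied before the domain check, so an allow-listed name pointing at a denied range is still blocked.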
The firewall deployments at scale can create a paradox. The more connections you secure, the larger your footprint, and the more complex your architecture could become. Customers were building dedicated inspection VPCs, managing route tables, and having to incorporate operational overhead that grew exponentially with each new connection. Our focus is to make things easier for you: focus on your applications rather than the undifferentiated heavy lifting of configuring complex network setups.
I'm excited to share that we've solved this complexity with Transit Gateway and Network Firewall native attachment, eliminating the inspection VPC entirely. Now your firewall integration happens directly at the Transit Gateway level, giving you centralized security control across all VPCs and on-premises networks with no operational overhead. This also solves cost allocation challenges even in large-scale connected environments as we launch TGW flexible cost allocation.
With AWS, you can connect, scale, and secure across all resources, automatically protecting against new risks while enabling innovation. This is security that not only protects your infrastructure but actively improves it. The services we built are battle-tested abstractions that scale without limits, opening the door to building global connectivity that extends beyond regions, beyond continents, and towards planet-scale operations.
AWS Global Network: Regions, Local Zones, and the Fastnet Transatlantic Cable
Throughout this talk, we've seen how abstractions simplify complexity, like atoms forming molecules that scale into larger purposeful structures. Each layer builds on the one beneath while hiding complexity. At AWS, our networking services follow the same philosophy. We've covered physical networking, from GPU-to-GPU communication to multi-data center networks. VPC abstracts this hardware complexity into logical components like subnets and security groups. Lattice further abstracts applications' connectivity, making services communicate seamlessly.
Security follows this model too, with protections at every layer culminating in autonomous global threat detection. These abstractions don't exist in isolation. They're powered by something fundamental: the physical foundation of the AWS Global Network. I spent over 70 years building this network, so it is amazing to see just how far we've come. It's the lifeblood of our global infrastructure.
The AWS Global Network spans continents through terrestrial and subsea fiber connecting AWS regions, local zones, and points of presence into one cohesive global fiber. It ensures your applications can deliver content and services to users anywhere in the world with the highest level of security, reliability, and performance. AWS operates one of the most extensive cloud networks, spanning over 9 million kilometers of fiber.
That's a 50% expansion in just one year. I'm also excited to announce that we recently announced Fastnet, a dedicated high-capacity transatlantic cable connecting the US back to my home country, Ireland. The subsea cable will create alternative data pathways between Maryland and County Cork, delivering fast and reliable cloud and AI services across the Atlantic. Operational in 2028, Fastnet will add vital diversity for customers by building a new data pathway with unique landing points, keeping services running even if other undersea cables encounter issues. This enhanced network resilience will improve global connectivity and meet the rising demand for cloud computing and artificial intelligence.
If you look at our past record, some of you have probably seen cable cuts around the world. It is not by accident that AWS has survived every single one of them. We focus very heavily on ensuring that there is real diversity across all cable paths. This is why we introduced Fastnet because, across the Atlantic, we noticed that there were certain points of failure with the various landing stations in the US. Projects like Fastnet represent investments that enable us to bring these cloud services closer to customers everywhere.
Speaking of proximity, it's not just about network connectivity. We're also rapidly expanding our infrastructure footprint to AWS regions and availability zones. Today, we operate 38 regions and 120 availability zones worldwide, all interconnected through that network. This year alone, we've launched new regions in Thailand and Taiwan, expanding our presence across South Asia, a new region in Mexico, our second in Latin America, and most recently we've launched in New Zealand, expanding coverage to customers across the Pacific.
Looking ahead, we've announced plans for six additional availability zones across two new regions: Saudi Arabia and Chile, further strengthening our footprint in the Middle East and South America, giving our customers more choice, redundancy, and proximity to their end users. To extend our reach further, we offer local zones, infrastructure deployments that place AWS compute, storage, database, GPUs, and other services closer to large population centers and industry hubs. Local zones enable customers to deliver applications that require single-digit millisecond latency and data residency capabilities to end users, bringing the cloud even closer to where it's needed most.
Our footprint already includes 43 local zones worldwide across 35 metropolitan areas, with 18 of those already located outside the US. Here's how some of our customers are benefiting from that. Sophos, a security company, needed to solve a critical problem. Their cloud-based threat intelligence was too slow for customers far from AWS regions. So they deployed front-end services in AWS local zones worldwide while keeping core infrastructure in their parent regions, combined with Amazon Route 53's intelligent routing.
The results were pretty remarkable. 69% latency reduction in Germany, 35% improvement globally, and resilience that scaled from 146,000 to 2 million requests per second during a traffic surge without missing a beat. AWS local zones didn't just fix their latency problem; it transformed their entire global delivery model. DraftKings, a sports betting company, needed to expand across 20 US states while meeting strict data residency requirements. The Federal Wire Act and state regulations require customer data to remain within state borders, and traditional solutions require costly physical data centers in each state with extended deployment timelines.
They deployed in local zones for state-by-state expansion to achieve compliance without physical infrastructure. Deployment went from weeks to days, with zero upfront infrastructure costs and 25% better latency while processing 500 million transactions in the first month of NFL. When leveraging our global infrastructure, whether through regions, local zones, or our extensive network backbone, organizations face an increasing need to connect and manage at global scale their on-premises data centers and branch offices. That's where AWS Cloud WAN transforms this equation, unifying your VPCs and on-premises locations into a single cohesive global network.
Cloud WAN, Direct Connect, and AWS Interconnect Multi-Cloud
Instead of managing dozens of individual connections, you define your network intent through policy and AWS Cloud WAN handles the complexity. AWS Cloud WAN enables you to create network segments, isolate sensitive workloads, implement granular traffic control, and manage everything through a single centralized policy framework. One of the most important updates to AWS Cloud WAN this year is routing policy.
Previously, when implementing advanced filtering and summarization for better control of routes between cloud and external networks, you had to invest in complicated, expensive third-party routers to implement advanced routing techniques. Now, you get AWS native advanced routing capabilities that eliminate the need to invest in these third parties and provide you fine-grained routing controls to optimize route management. You can set advanced BGP attributes to customize your network traffic behavior, and you get advanced visibility into the routing databases, enabling rapid troubleshooting of network issues in complex multi-path environments.
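The routing-policy ideas above, inbound filtering, summarization and BGP attribute setting, as an added Python example written for this page rather than AWS's Cloud WAN implementation; the prefixes, ASNs, community value and the VPC range it protects are constructed, and the attribute names are ordinary BGP terms, not a Cloud WAN schema.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    """A BGP route as learned from an external (on-premises) peer."""
    prefix: str
    as_path: tuple                              # e.g. (65001,) for a directly peered site
    communities: frozenset = frozenset()
    local_pref: int = 100


# Constructed policy values for the example.
MAX_PREFIX_LEN = {4: 24, 6: 48}                 # anything more specific is dropped
DENY_COMMUNITIES = frozenset({"65001:666"})     # routes tagged for blackholing
NEVER_ACCEPT = ("10.100.0.0/16",)               # our own VPC range must not be learned


def filter_routes(routes, max_len=MAX_PREFIX_LEN, deny=DENY_COMMUNITIES,
                  never_accept=NEVER_ACCEPT):
    """Inbound filter: drop prefixes that are too specific, carry a refused
    community, or fall inside ranges that must never come from outside."""
    blocked = [ipaddress.ip_network(n) for n in never_accept]
    kept = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.prefixlen > max_len[net.version]:
            continue
        if r.communities & deny:
            continue
        if any(net.version == b.version and net.subnet_of(b) for b in blocked):
            continue
        kept.append(r)
    return kept


def summarize(routes):
    """Collapse adjacent and overlapping prefixes into the smallest set of
    supernets, per address family; returns sorted prefix strings."""
    nets = [ipaddress.ip_network(r.prefix, strict=False) for r in routes]
    out = []
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(fam))
    return sorted(out)


def prefer_neighbor(routes, preferred_asn, high=200, low=50):
    """Attribute policy: raise LOCAL_PREF for routes learned via the preferred
    neighbor AS and lower it for the rest, so the backup path only wins when
    the primary disappears."""
    return [replace(r, local_pref=high if r.as_path and r.as_path[0] == preferred_asn else low)
            for r in routes]


# Constructed routes from two on-premises peers (AS 65001 primary, AS 65002 backup).
SAMPLE = [
    Route("10.10.0.0/24", (65001,)),
    Route("10.10.1.0/24", (65001,)),
    Route("10.10.2.0/23", (65002,)),
    Route("10.10.4.0/26", (65002,)),                              # too specific
    Route("10.20.0.0/16", (65001,), frozenset({"65001:666"})),    # blackhole-tagged
    Route("10.100.5.0/24", (65002,)),                             # inside our VPC range
    Route("2001:db8:10::/48", (65001,)),
]
```

Running the pipeline on `SAMPLE` keeps four routes and summarizes the three surviving 10.10.x prefixes into a single 10.10.0.0/22.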
Cloud WAN provides you incredible control and automation for global connectivity, but you also need physical connectivity from your on-premises infrastructure to AWS. That's where AWS Direct Connect steps in, serving as high-performance, dedicated connectivity that ensures your cloud policies can be executed with the reliability, bandwidth, and consistency that mission-critical workloads demand. Over the last 12 months, we've expanded to 150 Direct Connect locations and we continue to roll out 400 gigabit connections to meet the demand of AI. This focus on connectivity reflects a broader principle fundamental to AWS interoperability. We believe you should have the freedom to choose technology that best suits your needs, whether that's connecting your on-premises infrastructure or integrating with other cloud providers.
But here's the reality: when customers try multi-cloud connections today, the experience leaves much to be desired. We constantly hear from customers that the path is far more complex than anticipated. Often customers are left with a DIY approach, leaving them handling the complexities of managing global, multi-layered networks at scale. Innovation shouldn't be constrained by networking complexity, so we're addressing these challenges head on.
Our vision is clear. We want to radically simplify operations so you can establish private cloud-to-cloud connections in minutes. Security must be built in from the ground up, ensuring data protection across cloud boundaries. And you need a single interface for control that provides visibility and management across all cloud providers and on-premises networks. That's exactly why I'm excited to announce AWS Interconnect Multi-cloud. It's already in preview with Google Cloud, and I'm also excited to announce that Microsoft Azure will be joining us in the first half of next year.
AWS Interconnect Multi-cloud enables customers to quickly configure private, high-speed connections with dedicated bandwidth between their VPCs and other cloud service providers. We've built extensive pre-cabled capacity pools between AWS and other cloud providers, so when you need connectivity, it's there, ready to be activated with ease. Both AWS and your other cloud provider manage the scaling and operations, while support is directly owned by the cloud providers, all backed by an SLA. This is what multi-cloud networking should be: simple, reliable, and focused on delivering value rather than managing complexity. So stay tuned because there are many other providers that are in the works. With multi-cloud, we have actually defined the standard. We have published the APIs and the standard of how to interconnect, going far beyond what anybody else has ever done.
Salesforce's Multi-Cloud Journey with AWS Interconnect
Now, I'd like to introduce Salesforce to come out and tell their story. Please welcome to the stage Jim Ostrognai from Salesforce. Good morning, everyone. I'm Jim Ostrognai, SVP Engineering, Data 360 at Salesforce. I'm excited to share how Salesforce leverages AWS networking innovations to deliver seamless experiences for our customers worldwide. As Rob just introduced AWS Interconnect Multi-cloud, something we're really excited about, I want to share with you how we're putting this and other AWS networking services to work at enterprise scale.
Salesforce operates one of the largest enterprise platforms, and AWS is the backbone of that scale. Across 18 countries and more than 700,000 production and sandbox organizations, we rely heavily on AWS's global regions and multi-region capabilities. To deliver consistent performance, we lean deeply on AWS networking services: Transit Gateway, PrivateLink, and Network Load Balancers for the massive global throughput that we see. AWS networking isn't just infrastructure; it's fundamental to how Salesforce runs at global scale.
At global scale, here's the reality: customers are multi-cloud. Their analytics may run in Google Cloud, their legacy workloads might live in Azure, and their customer engagement layer is powered by Salesforce. They choose these architectures for good reasons. They might face regulatory constraints, data residency requirements, and simply want the best-of-breed investment. At Salesforce, AWS is where the core of our business resides. It's where we run our primary platform, where we innovate fastest, and where we operate with deep expertise.
But our customers need us to meet them where their data lives, even when the data is locked inside highly secure private environments outside of AWS. This creates a fundamental networking challenge: how do we preserve AWS-grade performance and security and operational excellence while extending Salesforce into private multi-cloud data sets that never touch the public internet? This is precisely the challenge AWS Interconnect multi-cloud solves for us.
Our customers are multi-cloud by design, especially the large enterprises. Their most sensitive or regulatory data sets live inside private Google Cloud environments, yet they expect Salesforce running natively on AWS to connect to that data with the same security, performance, and operational excellence we deliver inside AWS. With Interconnect multi-cloud, we can extend our AWS native private connectivity model directly into Google Cloud. We keep the same Transit Gateway policies, the same PrivateLink-based security principles, and the same operational tooling, but now it works seamlessly across clouds.
For customers, that means choice without compromise. A financial services firm can keep core trading systems and regulatory data sets in Google Cloud while still privately connecting them to Salesforce Data 360, all without touching the public internet. For Salesforce, this means we can finally erase the boundaries between clouds. We can secure the customer's crown jewels of data, wherever it lives, satisfying the strictest compliance mandates without asking them to move a single row.
Consider this use case: we have a large US health company that is already successfully using Data 360 with a data lake hosted on AWS. Previously, they were trapped in a compliance paradox. Strict security policies were forcing them to use brittle middleware and custom encryption just to move clinical data. It killed the real-time agility that they really wanted. Salesforce Private Connect broke this deadlock. We established a direct zero-copy link between Data Cloud and their data lake. Crucially, we built this onto the secure AWS infrastructure their security teams had already signed off on.
With Salesforce managing the complexity, they didn't have to build the pipes. They just unlocked the data. Now we're taking this to the next step. Using the new AWS Interconnect multi-cloud, we are expanding that secure fabric to other data lakes hosted on Google Cloud. The result is profound. The customer doesn't see multiple clouds anymore. They see one unified experience. With Private Connect, they are securely integrating their data lakes across AWS and Google Cloud. Salesforce and their enterprise systems are now a single governed real-time data platform, powering AI agents and member outcomes at the speed of their business.
Looking ahead, the partnership continues to open up incredible possibilities. We're continuing to invest in additional sources and mechanisms, expanding our zero-copy commitment to secure and open integration with Data 360. We're refining our security model to provide consistent zero-trust networking regardless of where workloads are going to run. Most importantly, we're simplifying the customer experience. Next, enterprises will be able to onboard with Data 360 and immediately connect their existing multi-cloud, hybrid, and on-premises infrastructure through a single AWS-powered networking fabric.
Last-Mile Connectivity, Amazon Leo, and CloudFront at Global Scale
This networking fabric represents the future of enterprise software. Rather than forcing customers to choose between clouds, we're giving them the power to use the best of all the clouds. We didn't stop at multi-cloud. We took that specification we had built and thought about how we could go even further into the last mile. Hybrid architectures span on-premises and cloud environments, and they all require the same thing: secure, reliable, and productive connectivity.
We're deploying last-mile connectivity between Direct Connect locations and your on-premises infrastructure. This could take significant investment, time, and effort. You need to find a co-location facility that we're in, identify a suitable partner, negotiate contracts and technical requirements, plan capacity, and procure circuits. However, with AWS Interconnect now offering last-mile connectivity in gated preview with Lumen, you can get a fully managed connectivity service that allows you to connect your remote locations to AWS in just a few clicks.
If you already have a location with a Lumen circuit, you can go to our console and set up direct connectivity over that same physical circuit. Nothing else is required. Lumen are only the first. There are already many other providers we've started to work with, and we're going to bring this across the world and simplify this everywhere. Even though we have an expansive global network, there can be limitations to terrestrial networks, and that's where Amazon Leo comes in.
Through our constellation of low Earth orbit satellites, we're extending the same global connectivity promise to every corner of the world, no matter how remote. Where traditional terrestrial networks can't go, LEO satellite networks seamlessly take over, creating an unbroken bridge between ground-based infrastructure and space-based innovation. We've developed the same interconnects we highlighted with multi-cloud and last-mile for Leo as well.
Let's wrap things up and take a look at CloudFront. We have over 750 points of presence around the globe, and we continue bringing our network even closer to your users. We have 1,100 embedded POPs, a type of clever infrastructure owned and operated by Amazon but deployed directly into internet service providers' and mobile network operators' networks. Embedded POPs are custom-built to deliver large-scale live video, video streaming, video on demand, and game downloads.
We're equally committed to innovating how we bring CloudFront to everyone, from large enterprises all the way down to startups and small businesses. We want to enable everybody to get access to the same world-class infrastructure. Developers have told us they want the power and performance of CloudFront, they need pricing that's as simple and predictable as our new onboarding experience, and they want cost certainty that lets them focus on building great applications without worrying about variable expenses from traffic surges or security events.
We introduced flat-rate pricing packages that bundle CloudFront, Web Application Firewall, DNS, and storage with transparent usage allowances and no overage charges. The result is predictable monthly costs and zero financial uncertainty. When developers stop worrying about bills, they start building the future. Developers are responding. In just two weeks, we've seen over 15,000 subscriptions to our flat-rate bundle.
Whether you're a startup building the next breakthrough app or an established organization like the NBA, CloudFront scales to meet your needs. The NBA leveraged our global infrastructure to deliver NBA on Prime to millions of viewers globally without interruption. Epic Games achieved incredible results with their last Fortnite season launch. CloudFront delivered 268 terabits per second, an all-time high that demonstrates the incredible scale our network can handle when your biggest moments matter.
Everything was handled through our network automation and traffic engineering with no humans involved. Over the last few weeks, we've had over 50 launches across IP management enhancements, VPC features, VPNs, Route 53, and security. From our physical hardware in regions, availability zones, and local zones to our services like Cloud WAN, Direct Connect, and CloudFront, we're going beyond the boundaries of connectivity, reaching not just across continents but also literally to the stars above.
; This article is entirely auto-generated using Amazon Bedrock.