AWS for Industries

Best Buy improves in-store customer experience using SD-WAN, powered by AWS Transit Gateway Connect and Fortinet FortiGate

Retail customers are improving the in-store customer experience through personalization by connecting their remote stores to AWS using SD-WAN. For the largest specialty consumer electronics retailer in North America, Best Buy Co., Inc., connecting stores to cloud-based workloads has shortened application response times. It allows stores to sync up-to-date inventory, view real-time supply chain information and product details, facilitate order pickup and management, and read customer purchase history to build personalized experiences. Best Buy used AWS Transit Gateway Connect and Fortinet’s FortiGate SD-WAN virtual appliance to achieve resilient, low-latency connectivity to cloud-based applications. In this blog post, we’ll discuss Best Buy’s strategy and implementation for extending AWS Transit Gateway, AWS Direct Connect, and SD-WAN using Fortinet’s FortiGate to connect Best Buy’s 1,000+ stores to AWS. We’ll discuss Best Buy’s transactional cloud-based initiatives, architecture considerations, and tradeoffs for design and implementation, all geared toward delighting Best Buy customers.

The Best Buy Mission

With a mission to enrich people’s lives through technology, Best Buy has grown to become a household name that’s synonymous with high-quality electronics and exceptional customer service. The company operates a vast network of retail stores across the United States and Canada, as well as a robust online presence through its website and mobile app. Best Buy’s extensive product range includes everything from smartphones, laptops, and televisions to home appliances, gaming consoles, and smart home devices.

Best Buy’s Cloud-First Strategy

For nearly a decade, Best Buy has effectively used AWS to run a diverse range of applications, establishing a strong foundation in cloud technology. Best Buy’s “Cloud First” program has consistently and successfully migrated critical workloads from on-premises systems to AWS.

In early 2022, Best Buy strategically designated AWS as its preferred cloud provider for infrastructure services. This partnership signifies a pivotal move to integrate cloud technology across its retail operations. AWS is a strategic ally in cultivating cloud engineering talent. This collaboration empowers the enterprise to expedite innovation, enhancing customer experiences and facilitating the development of world-class digital interactions that impact millions.

Best Buy’s AWS Networking Overview

Best Buy’s AWS footprint spans two AWS Regions, with a significant portion of its dynamic application suite residing in a primary Region. The primary Region plays a more substantial role in hosting and supporting Best Buy’s critical applications. These Regions were selected for data redundancy, latency considerations, and resource availability, ensuring that the applications hosted in these Regions operate efficiently and with high availability.

Best Buy’s AWS networking architecture is a testament to its comprehensive and strategic approach in harnessing the full potential of AWS networking constructs. By incorporating AWS Transit Gateway and AWS Direct Connect, Best Buy has built a robust network infrastructure that optimizes connectivity, security, and efficiency.

AWS Transit Gateway serves as a centralized hub, facilitating seamless communication among various Virtual Private Clouds (VPCs) within and across AWS Regions. Using centralized egress with inspection allows for thorough scrutiny of outbound traffic, ensuring that security measures and compliance standards are consistently applied, safeguarding data and mitigating potential threats. This centralized inspection design extends east/west to VPC-to-VPC communications and ties into routing with Direct Connect, bridging the gap between on-premises infrastructure and AWS resources, resulting in a seamless and efficient network environment.

Before SD-WAN

Best Buy’s intricate network architecture seamlessly interconnects retail stores, distribution centers, and supply chain hubs to Best Buy data centers and the internet, using technologies including MPLS, Managed Internet Circuits, Satellite, and cellular for resiliency. Best Buy’s digital footprint extends across multiple cloud providers, where a select number of mission-critical applications operate. This complexity, using multiple transport mechanisms across hundreds of locations, introduced management overhead—and in some cases, latency—to applications depending on where they are hosted.

Why Fortinet + AWS Transit Gateway Connect?

Fortinet for SD-WAN
Best Buy’s selection of Fortinet as its preferred SD-WAN partner stems from Fortinet’s exceptional suitability for its networking needs. Among the myriad SD-WAN technology providers available, Fortinet emerged as the ideal choice due to several compelling reasons, including:

  • Comprehensive suite of SD-WAN solutions that align with Best Buy’s need for a versatile networking architecture, allowing for customization and optimization in various use cases.
  • Strong reputation for security reliability, where Best Buy can trust Fortinet for robust security features.
  • Fortinet’s industry-leading presence, proven track record, and experience delivering high-performance SD-WAN solutions.

Fortinet’s FortiGate supports several proven deployment models. Best Buy opted to use an active-passive HA configuration between multiple availability zones and AWS Transit Gateway, following a reference architecture from Fortinet.

Considerations for Transit Gateway Connect Peers
AWS Transit Gateway Connect attachments are used to establish a connection between a Transit Gateway and third-party virtual appliances (such as SD-WAN appliances) running in a VPC. These Connect attachments support the Generic Routing Encapsulation (GRE) tunnel protocol for high performance and Border Gateway Protocol (BGP) for dynamic routing. After creating a Connect attachment, create one or more GRE tunnels (also referred to as Transit Gateway Connect peers) to connect the Transit Gateway and the third-party appliance. Finally, establish two BGP sessions over the GRE tunnel to exchange routing information.

A Transit Gateway Connect peer consists of two BGP peering sessions terminating on AWS-managed infrastructure. The two BGP peering sessions provide routing plane redundancy, ensuring that losing one BGP peering session doesn’t impact your routing operation. The routing information received from both BGP sessions is accumulated for the given Connect peer. The two BGP peering sessions also protect against any AWS infrastructure operations such as routine maintenance, patching, hardware upgrades, and replacements. If your Connect peer is operating without the recommended dual BGP peering session configured for redundancy, it might experience a momentary loss of connectivity during AWS infrastructure operations. It’s strongly recommended to configure both BGP peering sessions on the Connect peer. If there are multiple Connect peers to support high availability on the appliance side, it’s strongly recommended that you configure both BGP peering sessions on each of your Connect peers.

A Connect attachment uses an existing VPC or AWS Direct Connect attachment as the underlying transport mechanism, otherwise known as a transport attachment. The Transit Gateway identifies matched GRE packets from the third-party appliance as traffic from the Connect attachment. It treats any other packets, including GRE packets with incorrect source or destination information, as traffic from the transport attachment. To use an AWS Direct Connect attachment as a transport mechanism, you’ll first need to integrate Direct Connect with AWS Transit Gateway.

For large-scale deployments, be aware of the quotas for Transit Gateway, including:

  • Total combined routes across all route tables for a single Transit Gateway
  • Maximum bandwidth per Transit Gateway Connect peer per Connect attachment, related to baseline bandwidth for single-flow (5-tuple) traffic
  • Dynamic routes advertised from a virtual router appliance to a Transit Gateway Connect peer

Best Buy’s SD-WAN Implementation

Scalability facts for design consideration
Best Buy’s extensive network comprises more than 1,000 stores across North America, each uniquely configured with a number of private subnets. These subnets serve multiple purposes, including enhanced security and reduced operational overhead.

During Best Buy’s POC, the central FortiGate headend in the data center experienced substantial network traffic, often reaching up to 10Gbps during periods of high-velocity application usage, media rollouts, and significant business events. Best Buy’s agile network operations must efficiently handle substantial traffic surges driven by peak customer interactions, content delivery, and essential business functions, requiring effective traffic management and optimization to maintain network responsiveness during critical operational periods.

The architecture
At a high level, Best Buy’s architecture enables remote locations to directly access AWS-hosted workloads. It eliminates routing through the data center using Fortinet’s FortiGate-VM active-passive HA deployment model across multiple AWS zones. For resiliency, stores must continue to maintain connectivity to the data center.

Figure 1: Best Buy pre-SD-WAN store network connectivity

Best Buy’s primary objective is to harness a robust 10Gbps circuit to accommodate traffic flowing from stores to the central SD-WAN headend. However, the following AWS limitations require us to explore alternative solutions.

  • AWS Transit Gateway imposes a maximum bandwidth constraint of 5Gbps per Connect attachment, because a GRE tunnel is technically a single flow, and single-flow traffic is limited to 5Gbps.
  • Best Buy faces store capacity challenges: each store uses a number of subnets that cannot be summarized, so this configuration results in thousands of network prefixes at the AWS headend.

It’s imperative to maintain uniformity in the prefix lengths of store networks. The SD-WAN appliance at the branch level and the SD-WAN headend virtual appliance in AWS must also be consistent. Ensuring uniform prefix lengths guarantees the preservation of network continuity, enabling seamless failover when needed. In the event of a failover, the backup path remains intact, ensuring uninterrupted connectivity.

While using a summarized network advertised from the SD-WAN headend in AWS to the Transit Gateway route table seems appealing to eliminate adjusting the prefix count on the Connect peer, it goes against Best Buy’s design principle of having a resilient backup path in case the direct AWS tunnel from the store experiences disruption.

To address limitations, Best Buy implemented a solution with two pairs (each pair operating in High Availability) of virtual appliances per region. It directs each set of 500 stores’ SD-WAN VPN tunnels to one HA pair, covering 1,000 stores with two HA pairs in each region, effectively splitting the 10Gbps headend requirement into 2 x 5Gbps chunks. Best Buy also worked with AWS to adjust the prefix quota over the Connect peer to accommodate overhead.
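The two design checks described above, the dual BGP session recommendation for each Connect peer and the 2 x 5Gbps headend split against the per-peer prefix quota, can be expressed as a small planning and audit script. The following is an added example, not code from the post, Best Buy, AWS or Fortinet. The `describe`-style input is constructed and mirrors the shape of the EC2 `describe-transit-gateway-connect-peers` response as I understand it (the field names are an assumption to confirm against the API reference); the figure of 4 subnets per store and the 1,000-prefix default quota are placeholders, since the post states neither.

```python
"""Plan Connect peers for an SD-WAN headend and audit their BGP redundancy.

Added example; the describe output below is constructed, not captured from
a real account. Quota values are assumptions to confirm in Service Quotas.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

# Per-Connect-peer bandwidth ceiling stated in the post (GRE is one 5-tuple flow).
GBPS_PER_CONNECT_PEER = 5.0


@dataclass(frozen=True)
class StoreFleet:
    """Branch fleet whose per-store subnets are advertised to AWS unsummarized."""
    stores: int
    subnets_per_store: int

    @property
    def prefixes(self) -> int:
        return self.stores * self.subnets_per_store


def plan_headend(fleet: StoreFleet, peak_gbps: float,
                 prefix_quota_per_peer: int, overhead_prefixes: int = 0) -> Dict[str, object]:
    """Split the headend into as many Connect peers (one per HA pair) as the
    single-flow ceiling requires, then report the per-peer prefix count so the
    designer can see whether a quota increase is needed rather than more pairs."""
    peers = max(1, math.ceil(peak_gbps / GBPS_PER_CONNECT_PEER))
    stores_per_peer = math.ceil(fleet.stores / peers)
    prefixes_per_peer = stores_per_peer * fleet.subnets_per_store + overhead_prefixes
    return {
        "connect_peers": peers,
        "stores_per_peer": stores_per_peer,
        "prefixes_per_peer": prefixes_per_peer,
        "quota_increase_needed": prefixes_per_peer > prefix_quota_per_peer,
    }


def audit_connect_peers(describe_output: Dict[str, object]) -> List[str]:
    """Flag Connect peers that run without both BGP sessions, or with a session
    down, since either leaves the peer exposed to AWS infrastructure maintenance."""
    findings: List[str] = []
    for peer in describe_output.get("TransitGatewayConnectPeers", []):
        pid = peer.get("TransitGatewayConnectPeerId", "<unknown>")
        cfg = peer.get("ConnectPeerConfiguration", {})
        if cfg.get("Protocol") != "gre":
            findings.append(f"{pid}: unexpected tunnel protocol {cfg.get('Protocol')!r}")
        sessions = cfg.get("BgpConfigurations", [])
        if len(sessions) < 2:
            findings.append(f"{pid}: only {len(sessions)} BGP session configured; "
                            "configure both sessions to survive AWS maintenance")
        down = [s.get("TransitGatewayAddress", "?") for s in sessions
                if s.get("BgpStatus") != "up"]
        if down:
            findings.append(f"{pid}: BGP session(s) down towards {', '.join(down)}")
    return findings


# Constructed sample: peer ...0001 is healthy, peer ...0002 has a single session.
SAMPLE_DESCRIBE = {
    "TransitGatewayConnectPeers": [
        {"TransitGatewayConnectPeerId": "tgw-connect-peer-0example0001",
         "ConnectPeerConfiguration": {
             "Protocol": "gre",
             "InsideCidrBlocks": ["169.254.100.0/29"],
             "BgpConfigurations": [
                 {"TransitGatewayAddress": "169.254.100.2", "PeerAddress": "169.254.100.1",
                  "BgpStatus": "up"},
                 {"TransitGatewayAddress": "169.254.100.3", "PeerAddress": "169.254.100.1",
                  "BgpStatus": "up"}]}},
        {"TransitGatewayConnectPeerId": "tgw-connect-peer-0example0002",
         "ConnectPeerConfiguration": {
             "Protocol": "gre",
             "InsideCidrBlocks": ["169.254.101.0/29"],
             "BgpConfigurations": [
                 {"TransitGatewayAddress": "169.254.101.2", "PeerAddress": "169.254.101.1",
                  "BgpStatus": "up"}]}},
    ]
}

if __name__ == "__main__":
    # 1,000 stores and 10Gbps are from the post; 4 subnets per store and the
    # 1,000-prefix quota are assumed placeholders.
    fleet = StoreFleet(stores=1000, subnets_per_store=4)
    print(plan_headend(fleet, peak_gbps=10.0, prefix_quota_per_peer=1000))
    for finding in audit_connect_peers(SAMPLE_DESCRIBE):
        print(finding)
```

With the assumed inputs the planner lands on two Connect peers of 500 stores each, matching the post's split, and shows 2,000 prefixes per peer, which is why a quota adjustment rather than additional HA pairs closes the gap. The audit is meant to run over the real `describe` output periodically, so a peer silently left with one BGP session surfaces before a maintenance window does.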

As a significant portion of the application suite resides in a primary Region, Best Buy positioned the SD-WAN headend appliances exclusively in this Region. This means all workloads in a secondary Region also use these SD-WAN VMs in the primary Region, ensuring cost efficiency while aligning with established design guidelines for network performance, scalability, and security. This streamlined approach optimizes resource utilization and centralizes network control.

Figure 2: Best Buy resilient SD-WAN store network connectivity showing primary and secondary paths

A key design guideline mandates a backup path from the branch SD-WAN to AWS workloads. The routing decision point resides within AWS Transit Gateway and is linked to Direct Connect. Both Regions’ Transit Gateways are associated with Direct Connect, but the primary region’s Transit Gateway route table takes precedence, aligning with the SD-WAN VM location. Centralizing routing at the primary Region’s Transit Gateway ensures efficient traffic flow, failover capabilities, and optimized network performance and reliability.

The Results

Through this implementation, Best Buy realized a 20 percent reduction in latency from store to AWS by using this SD-WAN solution, which has improved customer satisfaction and adoption rates when using applications that interact with both stores and workloads in AWS. Additionally, Best Buy is seeing improved uptimes through its scalable and reliable network architecture, ensuring that customers are served in a timely fashion.

What’s Next

Best Buy’s strategic embrace of SD-WAN technology underscores its commitment to staying at the forefront of networking innovation. By maximizing its capabilities, the company has optimized its network infrastructure, bolstering performance, security, and scalability to better serve its customers. This transformation not only enhances the retailer’s operational efficiency but also reinforces its position as a leader in the retail industry.

Work with AWS Solutions Architects to learn how you can implement SD-WAN to connect your stores to AWS. Engage Fortinet to learn how FortiGate can play a key role in intelligently routing network traffic across your WAN.

Reach out to your AWS Account Team or Fortinet Account Team, or review the AWS documentation or Fortinet documentation to get started on your implementation.

Jason Schamp

Jason Schamp is a Principal Solutions Architect based out of Cleveland, Ohio. Jason is focused on guiding enterprise Retail/CPG customers through their cloud journeys, accelerating migrations, modernizing workloads, and adopting new ways of working. Jason has a specialty in Security and Compliance and is passionate about container security, cloud operations, automation, and self-service.

Andrew Painter

Andrew is a Senior Principal Engineer at Best Buy, specializing in complex cloud and platform engineering initiatives. He has over 20 years of experience at Best Buy and 15 years of expertise in AWS, shaping the company’s AWS strategy and building its foundation.

Moulee Natarajan

Moulee is a Staff Network Engineer at Best Buy, focusing on Data Center and Cloud Networking Core Services. He is passionate about networking technologies and enjoys designing, building, and supporting reliable network solutions. His interests include traditional Data Centers, SDN, Security, SD-WAN, and private and public cross-cloud connectivity.