Building a Private Cellular Network with AWS Private 5G - A Practical Guide to CBRS Spectrum and SIM Management

AWS Private 5G provides a private cellular network using CBRS spectrum as a managed service. It delivers stable wireless connectivity across large areas such as factories, warehouses, and campuses, where Wi-Fi struggles to provide it, and can be deployed in just days. This article covers network design, SIM management, and when to choose Private 5G over Wi-Fi from a practical perspective.

Why Private Cellular Is Needed - The Limits of Wi-Fi and the Emergence of CBRS

In spaces spanning tens of thousands of square meters, such as factory floors and logistics warehouses, deploying dozens of Wi-Fi access points still results in frequent radio interference and roaming disconnections. IEEE 802.11's CSMA/CA mechanism is designed for devices to share the same channel cooperatively, and throughput drops sharply once the number of connected devices exceeds 50. Cellular technology (LTE/5G), on the other hand, uses a scheduler to allocate resource blocks to each device, enabling fair bandwidth distribution even with hundreds of simultaneous connections. The CBRS 3.5 GHz band opened by the US FCC in 2020 includes a license-free GAA tier, establishing the legal foundation for enterprises to operate their own cellular base stations. AWS Private 5G is a managed service built on this CBRS spectrum, delivering the core network, RAN, and SIMs as a single package. What previously took 6-12 months to build as a private cellular network can now be completed within days of placing an order through the console.

Architecture Overview - The Communication Path from Core Network to Devices

AWS Private 5G uses a three-layer architecture. The first layer is the core network running in the AWS cloud, where AWS operates authentication (AMF), session management (SMF), and user plane (UPF) functions. The second layer consists of compact base stations (Radio Units) installed on-premises that transmit and receive radio signals on the CBRS 3.5 GHz band. A single unit covers a radius of approximately 150 m, or about 2,500 square meters indoors, providing up to 150 Mbps downlink throughput. The third layer is the fleet of devices with inserted SIMs. Communication from devices passes through the radio unit and reaches the AWS core network via an IPsec tunnel. The UPF routes traffic to the internet or a VPC, making it possible to send device traffic directly into a private subnet within a VPC. This enables access to EC2 and RDS without traversing the internet, simultaneously reducing latency and improving security.

SIM Lifecycle Management - Operational Design from Provisioning to Revocation

With Private 5G, AWS ships physical SIM cards. Administrators associate SIMs with the network and assign device policies through the console or API. There is no monthly fee per SIM; charges are based only on network active time, which is a significant departure from traditional MVNO contracts. SIM status is managed across three states - Active, Inactive, and Released - and in case of loss, access can be immediately blocked by switching to Inactive. For large-scale deployments, CSV-based bulk registration can provision thousands of SIMs in minutes. The device group feature allows you to apply QoS controls such as low-latency priority for AGVs and a 5 Mbps bandwidth cap for surveillance cameras. A common operational pattern in practice is to combine EventBridge and Lambda to detect SIM status change events and automatically switch SIMs to Inactive.
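
A pre-flight check for the CSV bulk registration and lost-SIM handling described above, as an added example (not code from the article or from AWS). It validates each ICCID's Luhn check digit, rejects duplicates and unknown states, and derives which reported-lost SIMs must be switched to Inactive. The CSV columns, the 19/20-digit length rule, the sample ICCIDs and the function names are assumptions made for illustration.

```python
import csv
import io

STATES = {"Active", "Inactive", "Released"}  # the three SIM states the article names

# Constructed inventory; this column layout is an assumption, not an AWS format.
SAMPLE_CSV = """iccid,device_group,state
8901999000000000012,agv,Active
8901999000000000020,camera,Active
8901999000000000047,camera,Active
8901999000000000020,handheld,Active
8901999000000000038,handheld,Pending
8901999000000000053,handheld,Inactive
"""

def luhn_ok(number: str) -> bool:
    """ICCIDs end in a Luhn check digit; verifying it catches most single-digit typos."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def preflight(csv_text: str):
    """Split rows into accepted SIMs and (iccid, reason) rejects before bulk registration."""
    accepted, rejects = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        iccid = row["iccid"].strip()
        # Assumed length policy: 19 or 20 ASCII digits.
        if not (iccid.isascii() and iccid.isdigit() and len(iccid) in (19, 20)):
            rejects.append((iccid, "malformed ICCID"))
        elif not luhn_ok(iccid):
            rejects.append((iccid, "bad check digit"))
        elif row["state"].strip() not in STATES:
            rejects.append((iccid, "unknown state"))
        elif iccid in accepted:  # first row wins; the repeat needs a human decision
            rejects.append((iccid, "duplicate"))
        else:
            accepted[iccid] = row
    return accepted, rejects

def revocation_plan(accepted: dict, lost: set):
    """ICCIDs to switch to Inactive now, plus lost reports that match no known SIM."""
    to_inactive = sorted(i for i in lost if i in accepted
                         and accepted[i]["state"].strip() == "Active")
    unknown = sorted(i for i in lost if i not in accepted)
    return to_inactive, unknown
```

A lost report that matches no inventory row is returned separately because it points to either a mistyped report or a SIM that was never registered, and both deserve follow-up.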

Deployment Patterns for Factories, Warehouses, and Campuses - Design Considerations

In manufacturing factories, the primary use cases are AGV navigation control and quality inspection camera video transmission. AGVs need to communicate with control servers at latencies under 20 ms while moving at 1-2 m/s, and Wi-Fi roaming disconnections (typically 50-200 ms handover delay) risk causing the AGV to pause. Cellular handover completes in 10-30 ms, maintaining continuous AGV operation. In logistics warehouses, thousands of handheld terminals simultaneously transmit barcode scan results. In Wi-Fi environments, response delays become noticeable when more than 30 devices connect per AP, but a single Private 5G radio unit supports up to 200 simultaneous connections. A key design consideration is that the CBRS 3.5 GHz band has stronger directionality than 2.4 GHz Wi-Fi and suffers greater attenuation from metal shelving and walls. Layout design that places radio units along line-of-sight paths in corridors is critical.

Choosing Between Private 5G and Wi-Fi - A Three-Axis Evaluation of Cost, Performance, and Operations

Private 5G and Wi-Fi 6/6E are complementary rather than competing technologies. On the first axis of cost, a Wi-Fi 6 AP costs 30,000-50,000 yen per unit, keeping even a 100-unit deployment within a few million yen, whereas Private 5G incurs radio unit upfront costs plus hourly charges, making Wi-Fi more economical for small offices. On the second axis of performance, cellular has the advantage in high device-density environments (200+ devices per floor) and scenarios requiring mobility. On the third axis of operations, Wi-Fi requires in-house SSID/password management and channel planning, while Private 5G simplifies device management through SIM-based authentication. In Azure, Azure Private MEC offers a similar private cellular capability, but it uses Affirmed Networks' core, differing in integration level from AWS's model that completes everything from SIM shipping to core network under a single vendor. The practical recommendation is Wi-Fi for offices, Private 5G for factory floors, and a dual-stack configuration for mixed environments.

Deployment Steps and Post-Launch Monitoring Strategy

Deployment proceeds in four steps. Create a network in the AWS console specifying the address and number of radio units; connect the delivered hardware to a PoE-capable switch, and the radio unit automatically establishes an IPsec tunnel, bringing the cellular network online in minutes. Insert SIMs into devices, associate them in the console, and configure device groups and policies to begin operations. After launch, monitor connected device count, UL/DL throughput, and RSRP (Reference Signal Received Power) with CloudWatch. Areas where RSRP falls below -100 dBm are coverage dead zones, and you should consider adding radio units. Setting threshold alerts with CloudWatch Alarms for early degradation detection is a recommended practice.
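
The RSRP rule above applied to per-zone measurements, as an added example (not code from the article or from AWS). It flags zones whose median RSRP is below -100 dBm as dead zones and zones whose signal is trending weaker as degrading. The zone names, sample values, minimum sample count and 6 dB degradation margin are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

DEAD_ZONE_DBM = -100.0  # threshold from the article: below this is a coverage dead zone
MIN_SAMPLES = 4         # assumed: zones with fewer samples are not judged
DEGRADE_DB = 6.0        # assumed: median drop between halves that counts as degradation

# Constructed samples in time order: (zone label, RSRP in dBm). Zone names are made up.
SAMPLES = [
    ("aisle-1", -82), ("aisle-1", -84), ("aisle-1", -83), ("aisle-1", -85),
    ("dock-3", -101), ("dock-3", -104), ("dock-3", -99), ("dock-3", -106),
    ("rack-7", -86), ("rack-7", -88), ("rack-7", -95), ("rack-7", -97),
    ("office", -90), ("office", -103),
]

def classify(samples):
    """Return {zone: status}; status is dead_zone, degrading, ok or insufficient_data."""
    by_zone = defaultdict(list)
    for zone, rsrp in samples:
        by_zone[zone].append(float(rsrp))
    result = {}
    for zone, vals in by_zone.items():
        if len(vals) < MIN_SAMPLES:
            # A single bad reading should not trigger a hardware purchase.
            result[zone] = "insufficient_data"
            continue
        half = len(vals) // 2
        # Positive drop means the later half of the window is weaker than the earlier half.
        drop = median(vals[:half]) - median(vals[half:])
        if median(vals) < DEAD_ZONE_DBM:
            result[zone] = "dead_zone"
        elif drop >= DEGRADE_DB:
            result[zone] = "degrading"
        else:
            result[zone] = "ok"
    return result
```

Using the median rather than the minimum keeps one outlier reading from raising a dead-zone alert, while the half-window comparison surfaces a zone that is still above -100 dBm but heading toward it.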