Confidential

Enterprise Architecture Proposal

Cloud-Centric Infrastructure for Geregu Power PLC

Client: Geregu Power PLC
Prepared By: Adewale Daniel Olayiwola
Role: Enterprise Cloud Solution Architect
Date: June 2026
Framework: AWS Cloud & Zero Trust
Delivery Timeline: 8 Weeks

01 — Executive Summary

Cloud-Centric Transformation

This proposal outlines a modern, cost-effective Enterprise Architecture for Geregu Power PLC that eliminates fragile point-to-point site dependencies in favour of a resilient AWS Cloud hub with intelligent edge aggregation.

Geregu Power Plant

  • 8 Weeks to Deploy
  • 99.9% Target Uptime
  • 2 Sites Connected
  • Zero On-Prem Servers Required

☁️ AWS as the Hub

Both the HQ and Plant connect directly to the AWS Cloud. No fragile site-to-site VPNs between locations. The cloud becomes the single, resilient routing and data centre.

🔗 BotNet Edge Aggregation

BotNet by Botxoft bonds multiple ISP links at the remote Ajaokuta Plant into a single, resilient pipe — solving remote connectivity without expensive dedicated circuits.

📊 Serverless Data Lake

Real-time Plant telemetry flows into an AWS Data Lake. HQ accesses live dashboards and historical analytics via the cloud — no direct Plant connection needed.

02 — Current State Assessment

Identified Challenges

The existing infrastructure suffers from single points of failure, broken inter-site connectivity, and an inability for HQ to monitor Plant operations remotely.

🔴 Critical Issues

  • Broken IP Telephony: Plant IP phones depend on HQ-hosted CUCM via a leased line that is not configured at the plant side. Staff cannot make inter-site calls.
  • Single ISP Dependency: Both sites rely on Airtel as the sole internet provider. A single outage isolates the entire network.
  • No Remote Monitoring: HQ has no visibility into Plant operations, CCTV, or telemetry from Abuja.

🟡 High-Risk Gaps

  • No IT/OT Segmentation: The industrial control network (SCADA/DCS) is not properly isolated from the corporate IT network.
  • No WAN Redundancy: The Glo leased line is non-functional. There is no failover path between sites.
  • Manual Processes: SharePoint-hosted processes lack automation and cloud integration.

03 — Target Architecture (To-Be)

AWS Cloud Hub & BotNet Edge

A highly resilient design. BotNet by Botxoft aggregates multiple ISPs at the Plant edge. Both sites tunnel securely into the AWS Transit Gateway — the central routing hub.

Cloud Network Architecture

🎯 Cloud-Centric Network Architecture

🏢 Head Office — Abuja

  • 🔥 Sophos XGS Firewall
  • 💻 HQ Workstations
  • 📈 Grafana Dashboards (Browser)
  • 📞 Cloud PBX Endpoints
  • 📹 Remote CCTV Viewing
  • 🔐 Sophos ZTNA Agent

☁️ AWS TGW (Central Hub)

🏭 Plant — Ajaokuta

  • 🔥 Sophos XGS Firewall
  • 🔌 BotNet by Botxoft (Aggregator)
  • 🌐 Bonded: Glo + Airtel + ISP3
  • ⚙️ Industrial IoT Gateway
  • 📹 HikVision NVR + Cameras
  • 📞 IP Phone Endpoints

🔌 BotNet by Botxoft — Role Clarification

BotNet is deployed as a dedicated network aggregator sitting behind the Sophos XGS Firewall at the Plant. It does not replace the firewall or perform security functions. Its sole purpose is to:

Traffic Flow: Plant Devices → Sophos XGS (Security & QoS) → BotNet (Link Aggregation) → Bonded ISP Links → AWS TGW.

04 — Cloud Application Deployment

Remote Monitoring & Data Lake

Specific AWS services deployed for real-time Plant monitoring, historical analytics, and secure remote CCTV viewing — all accessible from HQ via the cloud.

Industrial Telemetry Dashboard

⚙️ AWS IoT SiteWise

Collects and structures OPC-UA/Modbus telemetry directly from Siemens SGT5-2000E turbines and auxiliary plant equipment. Organises data into asset models for analysis.

📈 Amazon Managed Grafana

Cloud-hosted, real-time operational dashboards. HQ engineers view live turbine output, temperatures, vibration, and alarms from their browsers. No VPN required.

📹 Kinesis Video Streams

Securely ingests HikVision CCTV feeds into the AWS Cloud. HQ staff view live or recorded camera feeds from Abuja without overloading the Plant uplink.

📊 Serverless Data Lake Architecture

  • 📡 AWS IoT Core: Device Gateway
  • 🔄 Amazon Kinesis: Stream Ingestion
  • AWS Lambda: Serverless Compute
  • 🪣 Amazon S3: Data Lake Storage
  • 🔍 Amazon Athena: SQL Analytics
  • 🛡️ AWS IAM: Access Control

Plant → IoT Core → Kinesis → Lambda (transform) → S3 Raw → S3 Curated (Parquet) → Athena (SQL Queries) → Grafana Dashboards @ HQ
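
The Lambda (transform) step in the flow above, as an added example that is not part of the original proposal: it decodes a Kinesis batch, rejects malformed telemetry before it reaches the lake, and builds date-partitioned Raw-zone object keys. The record fields (asset_id, metric, value, ts), the raw/ key layout, the limits and the sample batch are assumptions; writing the returned objects to S3 is left to the caller.

```python
import base64
import json
import math
import re
from datetime import datetime, timezone

# Assumed telemetry schema and limits; not taken from the proposal.
FIELDS = {"asset_id": str, "metric": str, "value": (int, float), "ts": (int, float)}
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_TS = 4102444800  # 2100-01-01 UTC

def parse_record(data_b64):  # returns a cleaned dict, or None if malformed
    try:
        doc = json.loads(base64.b64decode(data_b64, validate=True))
        if not isinstance(doc, dict):
            return None
        for name, kind in FIELDS.items():
            if isinstance(doc.get(name), bool) or not isinstance(doc.get(name), kind):
                return None
        if not math.isfinite(doc["value"]) or not 0 <= doc["ts"] < MAX_TS:
            return None
    except (ValueError, OverflowError):
        return None
    # The asset id becomes part of an S3 key, so restrict it to a safe alphabet.
    if not SAFE_ID.fullmatch(doc["asset_id"]):
        return None
    return {name: doc[name] for name in FIELDS}  # drop unexpected keys

def handler(event, context=None):  # Lambda entry point
    objects, rejected = [], 0
    for item in event.get("Records", []):
        rec = parse_record(item["kinesis"]["data"])
        if rec is None:
            rejected += 1
            continue
        day = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        key = f"raw/asset={rec['asset_id']}/dt={day:%Y-%m-%d}/{item['kinesis']['sequenceNumber']}.json"
        objects.append((key, json.dumps(rec, sort_keys=True)))
    return {"objects": objects, "rejected": rejected}

def enc(obj):  # builds the base64 payload for the constructed samples
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample batch in the Kinesis-to-Lambda event shape.
SAMPLE_EVENT = {"Records": [
    {"kinesis": {"sequenceNumber": "1", "data": enc({"asset_id": "GT-11", "metric": "vibration_mm_s", "value": 2.4, "ts": 1767225600, "debug": "x"})}},
    {"kinesis": {"sequenceNumber": "2", "data": enc({"asset_id": "../curated", "metric": "x", "value": 1, "ts": 1767225600})}},
    {"kinesis": {"sequenceNumber": "3", "data": "not-base64!"}},
]}
```

Calling handler(SAMPLE_EVENT) accepts only the first record; the reject count is the figure to alarm on, since a rising rate points to a misbehaving gateway or an unexpected sender.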

💡 Why Serverless?

Every component in the data pipeline is fully managed and pay-per-use. There are no servers to provision, patch, or scale. Geregu pays only for the data processed and stored — not for idle infrastructure. This reduces operational cost by an estimated 40–60% compared to hosting equivalent infrastructure on EC2 instances or on-premises servers.

05 — Unified Communications

Intercomms: HQ ↔ Plant

A comparison of cloud telephony options to replace the broken on-premise Cisco CUCM and restore voice/video between HQ and the Plant.

| Criteria | Cisco Webex Calling | 3CX on AWS | Microsoft Teams Phone |
|---|---|---|---|
| Existing Hardware | ✅ Native Cisco IP Phone support | ✅ SIP registration (most Cisco models) | ⚠️ Limited — requires SIP Gateway adapter |
| Infrastructure | Fully cloud-managed (Cisco) | Self-hosted on AWS EC2 (serverless option) | Fully cloud-managed (Microsoft) |
| Intercom/Paging | ✅ Supported | ✅ Supported | ⚠️ Limited native paging |
| Video Calling | ✅ Webex integrated | ✅ Built-in | ✅ Teams integrated |
| QoS over AWS TGW | ✅ DSCP marking honoured | ✅ DSCP marking honoured | ✅ DSCP marking honoured |
| Integration with M365 | Good (plugin) | Good (plugin) | Native |
| Best For | Cisco-heavy environments | Cost-sensitive deployments | Deep M365 environments |

✅ Recommendation: 3CX Hosted on AWS

For an optimized deployment, deploy 3CX on a small AWS EC2 instance within the same VPC connected to the Transit Gateway. This provides:

  • Full SIP compatibility with existing Cisco IP Phones — no hardware replacement.
  • Highly efficient operating model compared to alternatives.
  • Voice traffic routes internally through the AWS TGW — zero public internet dependency for inter-site calls.
  • Built-in intercom, paging, video calling, and mobile app for remote workers.

🔄 Alternative: Cisco Webex Calling

If Geregu prefers a fully managed, vendor-supported solution with guaranteed SLA and zero infrastructure management, Cisco Webex Calling offers the most seamless migration from the existing CUCM, with native Cisco phone support. It carries a lower operational burden.

📞 Routing Voice Through AWS Transit Gateway

All voice and video traffic between HQ and Plant is routed through the AWS Transit Gateway. This is both cost-effective and reliable:

07 — Implementation Roadmap

8-Week Delivery Plan

All deployments completed within 2 months. Phased to deliver connectivity first, then monitoring and communications, then analytics and security hardening.

Phase 1 — Cloud Foundation & Edge Aggregation

Critical Path: Weeks 1–3

  1.1 Provision AWS Transit Gateway in the target region.
  1.2 Deploy and configure BotNet by Botxoft at the Ajaokuta Plant. Bond Glo, Airtel, and any available tertiary link.
  1.3 Establish bonded SD-WAN tunnel from BotNet to AWS TGW.
  1.4 Configure IPsec VPN from HQ Sophos XGS to AWS TGW.
  1.5 Validate end-to-end HQ ↔ AWS ↔ Plant routing, latency, and failover.

Phase 2 — Intercomms & Data Ingestion

High Priority: Weeks 4–6

  2.1 Deploy 3CX (or selected Cloud PBX) on AWS EC2. Register Plant and HQ IP phones via SIP.
  2.2 Provision AWS IoT SiteWise and configure Plant IoT gateway to push telemetry data.
  2.3 Configure Amazon Kinesis Video Streams for HikVision CCTV ingestion.
  2.4 Deploy S3 Data Lake buckets (Raw + Curated zones) and Lambda transformation functions.

Phase 3 — Dashboards, Analytics & Security

Completion: Weeks 7–8

  3.1 Deploy Amazon Managed Grafana. Build Plant operations dashboards accessible from HQ browsers.
  3.2 Configure Amazon Athena for historical SQL analytics on the Data Lake.
  3.3 Implement Sophos ZTNA for secure, granular remote access to Plant applications (SCADA HMI, etc.).
  3.4 Conduct end-to-end acceptance testing, failover drills, and handover documentation.

08 — Next Steps

Information Required to Proceed

To finalise this proposal into a detailed Statement of Work (SOW), the following information is requested from Geregu Power PLC.

| # | Question | Impact |
|---|---|---|
| 1 | Exact number of IP Phones at HQ and Plant (model numbers if available)? | PBX licensing & SIP compatibility |
| 2 | Current ISP contracts at the Plant (Glo, Airtel) — bandwidth, SLA, contract end dates? | BotNet sizing & failover design |
| 3 | Is there interest in adding a tertiary link (e.g., Starlink, VSAT) at the Plant? | Redundancy & BotNet config |
| 4 | Exact SCADA/DCS system vendor and version at the Plant? | IT/OT DMZ segmentation design |
| 5 | Number of HikVision cameras and desired cloud retention period? | Kinesis Video Streams sizing |
| 6 | Preferred AWS region (af-south-1 Cape Town or eu-west-1 Ireland)? | Latency & data residency |
| 7 | Number of users requiring remote access (Sophos ZTNA)? | ZTNA licensing requirements |
| 8 | Confirmation on Cloud PBX preference (3CX / Webex / Teams)? | Intercomms deployment |

📋 Proposed Engagement

Upon approval, Botxoft will deliver a detailed Statement of Work (SOW) covering architecture design, deployment, testing, and knowledge transfer — targeting full commissioning within 8 weeks of project kickoff.

For questions or to schedule a follow-up session, please contact:

Adewale Daniel Olayiwola
Enterprise Cloud Solution Architect
Botxoft