Enabling Rapid and Secure Hybrid Connectivity with AWS Site-to-Site VPN

AMJ Cloud Technologies collaborated with a mid-sized fintech company to establish a secure, encrypted hybrid cloud connection using AWS Site-to-Site VPN. This case study showcases how we delivered a rapid, cost-effective solution to meet urgent compliance deadlines while ensuring high availability and future readiness.

Situation

The client, a fintech company headquartered in Mumbai, needed to extend its on-premises infrastructure to AWS to host regulatory reporting systems and customer analytics workloads. With strict compliance requirements around encryption and data privacy, they required a secure, reliable connection to a newly provisioned VPC in the ap-south-1 (Mumbai) region. The solution needed to be deployed quickly to meet an impending compliance audit deadline, while also being cost-effective and temporary, as the client planned to adopt AWS Direct Connect in the future.

Task

Our team was tasked with designing a solution to meet the following objectives:

• Deploy a secure, encrypted connection between the on-premises network and AWS within a day.
• Minimize costs by leveraging existing infrastructure and avoiding new hardware investments.
• Ensure data encryption in transit to comply with local regulatory standards.
• Provide a temporary solution that could serve as a bridge until a dedicated AWS Direct Connect link was provisioned.
• Maintain high availability and operational resilience during the interim period.

The project was executed by a team of cloud architects and network engineers within a one-day timeline.

Action

To achieve these objectives, we implemented an AWS Site-to-Site VPN to establish a secure, encrypted connection with minimal lead time, leveraging the client’s existing infrastructure for cost efficiency and speed:

1. Virtual Private Gateway (VGW) Setup:

   • Created a Virtual Private Gateway (VGW) and attached it to the client’s VPC in Mumbai.
   • Utilized the VGW’s highly available, AWS-managed endpoints in separate Availability Zones for redundancy.

2. Customer Gateway (CGW) Configuration:

   • Configured the client’s existing FortiGate firewall as the Customer Gateway (CGW), using its public IP to connect to AWS.
   • Verified the firewall’s BGP capability to support dynamic routing.

3. IPSec Tunnel Setup:

   • Configured two IPSec tunnels—one to each VGW endpoint—to provide high availability and automatic failover.
   • Enforced strong encryption policies (AES-256, SHA-2) to meet the client’s data security and compliance requirements.

4. Dynamic Routing with BGP:

   • Configured Border Gateway Protocol (BGP) to dynamically advertise the on-premises CIDR ranges to AWS.
   • Eliminated the need for manual static routes and enabled automatic route failover in case of tunnel degradation or failure.

5. Route Propagation:

   • Updated VPC route tables to enable route propagation from the VGW, ensuring traffic destined for on-premises resources was routed through the VPN tunnel.

6. Monitoring and Alerts:

   • Configured AWS CloudWatch and the firewall’s logging stack to monitor VPN tunnel health.
   • Set up alerts for tunnel failures or latency spikes to ensure proactive issue resolution.

7. Testing and Validation:

   • Conducted failover tests to confirm automatic switching between tunnels during simulated failures.
   • Validated encryption compliance and performance metrics to ensure readiness for the audit.

The team collaborated with the client to monitor metrics during rollout and fine-tuned configurations to optimize security and performance.

Result

The AWS Site-to-Site VPN implementation delivered significant outcomes:

• VPN Connection Deployed in Under Two Hours: Met the urgent compliance timeline ahead of schedule, ensuring audit readiness.
• No Additional Hardware or Long-Term Contract Costs: Leveraged existing infrastructure, keeping costs minimal and within budget.
• Encrypted Data Transmission Meeting Regulatory Standards: Passed a third-party security audit with end-to-end compliance for data in transit.
• Automatic Failover with Dual Tunnels and BGP Routing: Ensured high availability, with seamless traffic switching during maintenance or failures.
• Designed to Integrate with Future Direct Connect Implementation: Provided a future-ready architecture, allowing the VPN to serve as a backup or encryption layer for Direct Connect.
• Operational Simplicity: Quick implementation with minimal disruption.

This solution has become a reference for AMJ Cloud Technologies’ rapid hybrid connectivity projects, showcasing our expertise in AWS networking and compliance-driven architectures.

Technologies Used

• AWS Site-to-Site VPN: Provided secure, encrypted connectivity.
• Virtual Private Gateway (VGW): Enabled VPC connectivity to the VPN.
• Customer Gateway (CGW) – FortiGate Firewall: Connected on-premises infrastructure to AWS.
• IPSec (AES-256 Encryption): Secured data in transit.
• BGP (Dynamic Routing): Managed routing and failover.
• AWS CloudWatch for Monitoring: Tracked VPN health and performance.
• VPC Route Propagation: Simplified network management.
• ap-south-1 (Mumbai) Region: Hosted the client’s workloads.

Key Use Cases

This architecture is suitable for:

• Organizations needing rapid, secure hybrid cloud connectivity under tight deadlines.
• Businesses with strict compliance requirements for encrypted data transmission.
• Enterprises seeking cost-effective, temporary solutions before adopting dedicated connectivity.

Ready to enable secure hybrid connectivity? Contact us to explore how AMJ Cloud Technologies can help.

Key Takeaways

This case study highlights the impact of AWS Site-to-Site VPN in delivering rapid, secure, and cost-effective hybrid connectivity for a fintech client. By leveraging existing infrastructure and AWS-managed services, we met urgent compliance deadlines, ensured high availability, and provided a future-ready solution. AMJ Cloud Technologies is dedicated to delivering practical cloud solutions for compliance-driven hybrid architectures.

Architectural Diagram