AWS Landing Zone with Cloud NGFW
Confidential SaaS Platform
Context
A SaaS platform needed a secure AWS landing zone with consistent traffic inspection across VPCs and hybrid connectivity to on-premises data centres. The organisation was beginning cloud transformation and needed secure, scalable foundations for multi-account operations.
Challenge
Design and implement a cloud landing zone balancing security requirements with developer agility, incorporating centralised network inspection, identity federation, and Infrastructure as Code from day one.
Approach
Deployed Cloud NGFW and VM-Series firewalls in a hub-and-spoke architecture, integrated with AWS routing, Transit Gateway, and Application Load Balancing. Developed a reference architecture based on AWS Control Tower with custom guardrails.
Delivery
Delivered in three phases: foundation and governance (6 weeks), network and security (8 weeks), and workload onboarding patterns (4 weeks). Comprehensive documentation and training ensured independent operation.
Outcomes
Centralised security controls: consistent logging with repeatable, auditable patterns across all environments
Rapid provisioning: automated account vending and workload deployment reducing setup time by 50%
Zero configuration drift: GitOps workflows ensure infrastructure consistency across 50+ workload accounts
Legacy & Sustainability
Terraform modules and CI/CD workflows empower teams to deploy secure environments independently.
Timeline
18 weeks
What's Next
The landing zone now supports over 50 workload accounts. We continue advisory support for complex migration patterns.
Client identity is confidential. Detailed references and outcomes available under NDA.