Improving AWS Security and Latency for Financial Trading Platform
Challenges
Public cloud utilization continues to increase, but many organizations need guidance on how to optimize the security and performance of their environment. A financial firm located in New York City contacted Vandis to see if we could provide immediate assistance for cloud issues they were facing. The organization needed a systems integrator that could help them with the following:
- Troubleshoot the data path from their on-premises trading floor into their AWS Transit Gateway (TGW)
- Rearchitect & secure their AWS environment
- Improve connectivity and lower latency
- Securely deploy AWS Direct Connect interfaces to business partner environments without exposing their infrastructure
- Manage the cloud solution, including assistance with monitoring and troubleshooting
Under a tight timeline, the client was one week away from going to production on their new trading platform, and our engineering team had to get their environment up and functioning quickly to support this initiative.
Solution
Vandis’ cloud engineering team was able to immediately identify and propose a multi-phase approach to their complex networking issues. The first step was alleviating the primary problem that was impacting their business: connectivity and dropped packets between their on-premises and AWS environments. Within 1 business day of coming on-site to whiteboard and perform a cloud security assessment, the Vandis team proposed a plan to meet the client’s launch deadline for their new cloud trading platform. Over the course of 3 cutovers, Vandis replaced the legacy routing with a highly available routing topology that gave the client a redundant, low-latency environment on which to run their production trading platform on AWS.
Vandis’ Multi-Phase Plan:
Step 1: Get the business-critical application launched within their contractual deadlines and ensure they had reliable and consistent functionality.
- Step 1a: Working with Fortinet and AWS, Vandis leveraged our membership in the AWS Consulting Partner Private Offer (CPPO) program to get discounted pricing and procurement presented to the client via the Amazon Marketplace portal. Ultimately, this made procurement and deployment truly a click of a button.
- Step 1b: Vandis deployed the FortiGate environment in a DMZ attached to the Transit Gateway (TGW) so that the client was able to use the FortiGate for egress into their partner Direct Connects. This allowed their traffic to egress to the API endpoints on the other end, while also preventing traffic from coming back up the Direct Connects into the client environment.
Step 2: Vandis removed the legacy VPN tunnels from the TGW to firewalls in the client environment that did not support dynamic routing. This was done to eliminate asymmetric routing and provide security and visibility for traffic sourced from and egressing to the branch sites. It was accomplished by moving the IPsec tunnels to the FortiGate appliance in the Transit Gateway DMZ and having the FortiGate participate in BGP with the TGW, providing both route table and security granularity.
Step 3: Vandis installed a collector for their Fortinet SIEM-as-a-Service platform to monitor the resource usage of the Fortinet firewalls and to verify, via synthetic transactions, that the connection SLAs were met for all their production platforms.
Step 4: Vandis deployed Check Point Dome9 to snapshot the client’s cloud environments and make ongoing recommendations on their security and governance posture.
Results
With the completion of this project, the client now has an AWS environment that is tailored to their business needs. Their rearchitected cloud environment now provides the security, visibility, and performance the financial industry requires from its data centers and cloud providers. The client’s application data flow is now more efficient, which is a necessity for high-volume trading companies. In addition, the implementation of their Fortinet FortiGate firewalls has increased the overall security of their environment. As our relationship as a trusted advisor evolves, the client has recently asked Vandis to assist on additional projects involving F5 Networks ASM, Kubernetes, and expanding their design to support international low-latency trading.