The Problem
Multi-cloud architectures create real security challenges: data moving between cloud providers typically crosses the public internet unless you engineer private connectivity. Ometrics needed their Azure-hosted data accessible in AWS for analytics processing, but compliance and security requirements meant no data could touch a public endpoint, no database could have a public IP, and every access event needed to be fully auditable.
How We Solved It
We implemented an AWS Site-to-Site VPN between the Azure VNet and a dedicated AWS VPC, using BGP dynamic routing so that tunnel failover happens automatically. The RDS SQL Server replica lives in private subnets only, with public accessibility disabled. Database administration goes through an EC2 proxy managed via AWS Systems Manager Session Manager; because the SSM agent initiates its own outbound connection, the proxy needs no inbound rules at all: no open SSH ports, no bastion host, no public exposure of any kind. Defense in depth applies throughout: strict Network ACLs, security groups with minimal ingress rules, WAF on the analytics API layer, and CloudTrail capturing every API call. The entire environment (VPN configuration, VPC, RDS, EC2, IAM roles, security groups) is defined in Terraform with zero manual console work.
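The following Terraform is an added sketch of the pieces described above, not Ometrics' or the author's own code. The resource types and arguments are real AWS provider ones; the region, CIDRs, the Azure gateway's ASN and public IP, the AMI and all resource names are placeholders. It omits the WAF, CloudTrail and Network ACL resources, and it assumes that SSM interface endpoints (ssm, ssmmessages, ec2messages) exist in the VPC, since the proxy's egress is limited to the VPC and there is no internet gateway.

```hcl
# Added illustration; CIDRs, ASN, IPs, AMI and names are placeholders.
# Assumes SSM interface endpoints exist in the VPC (not shown here).

resource "aws_vpc" "bridge" {
  cidr_block = "10.50.0.0/16" # no internet gateway is ever attached
}

resource "aws_subnet" "private" {
  for_each          = { a = "10.50.1.0/24", b = "10.50.2.0/24" }
  vpc_id            = aws_vpc.bridge.id
  cidr_block        = each.value
  availability_zone = "us-east-1${each.key}"
}

# Site-to-Site VPN toward Azure; static_routes_only = false enables BGP,
# so the second tunnel takes over automatically when the first drops.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.bridge.id
}

resource "aws_customer_gateway" "azure" {
  bgp_asn    = 65515          # placeholder ASN of the Azure VPN gateway
  ip_address = "203.0.113.10" # placeholder public IP of the Azure gateway
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "azure" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.azure.id
  type                = "ipsec.1"
  static_routes_only  = false
}

# Proxy security group: no ingress block at all. Session Manager rides the
# SSM agent's outbound HTTPS channel, so port 22 is never opened.
resource "aws_security_group" "proxy" {
  name   = "db-proxy"
  vpc_id = aws_vpc.bridge.id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.bridge.cidr_block] # SSM endpoints and RDS only
  }
}

# Instance role carrying only the managed SSM core policy.
resource "aws_iam_role" "proxy" {
  name = "db-proxy-ssm"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.proxy.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "proxy" {
  name = "db-proxy"
  role = aws_iam_role.proxy.name
}

resource "aws_instance" "proxy" {
  ami                         = "ami-0123456789abcdef0" # placeholder
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.private["a"].id
  vpc_security_group_ids      = [aws_security_group.proxy.id]
  iam_instance_profile        = aws_iam_instance_profile.proxy.name
  associate_public_ip_address = false
}

# RDS: private subnet group, not publicly accessible, and port 1433
# reachable only from the proxy's security group.
resource "aws_db_subnet_group" "private" {
  name       = "rds-private"
  subnet_ids = [for s in aws_subnet.private : s.id]
}

resource "aws_security_group" "rds" {
  name   = "rds-sqlserver"
  vpc_id = aws_vpc.bridge.id
  ingress {
    from_port       = 1433
    to_port         = 1433
    protocol        = "tcp"
    security_groups = [aws_security_group.proxy.id]
  }
}

resource "aws_db_instance" "replica" {
  identifier                  = "analytics-sqlserver"
  engine                      = "sqlserver-se"
  instance_class              = "db.m5.large"
  allocated_storage           = 100
  username                    = "admin"
  manage_master_user_password = true
  db_subnet_group_name        = aws_db_subnet_group.private.name
  vpc_security_group_ids      = [aws_security_group.rds.id]
  publicly_accessible         = false
}
```

Two lines carry most of the security value: `publicly_accessible = false` on the database, and the absence of any `ingress` block on the proxy's security group. A quick check after `terraform plan` is to confirm that no security group in the plan allows ingress from `0.0.0.0/0` and that the RDS instance reports `publicly_accessible = false`; `static_routes_only = false` is what makes the VPN use BGP rather than static routes.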
What We Delivered
- Secure Azure-to-AWS data bridge established
- Database fully isolated with zero public exposure
- Entire environment codified in Terraform
