CASE 105 · CUMULUS · 2024
On-prem to AWS, with two paths that both work.
A healthcare payer ran Direct Connect from their on-prem data centre to AWS as a single physical path. A maintenance window from the carrier had caused a six-hour business outage. We added PrivateLink-over-internet as a hot standby and rehearsed the failover.
Healthcare payer
SECURITY
2024
RESULTS
What changed, by the numbers.
PATHS AVAILABLE: 2
FAILOVER TIME: < 60s
MAINTENANCE OUTAGES SURVIVED: 3
COST OVERHEAD: +9%
HOW IT WENT
The six-hour outage had been embarrassing for an organisation that processed eligibility checks for hospitals on a tight SLA. The carrier had given notice of the maintenance window; the team had assumed "we have Direct Connect" was enough. It wasn’t.
We added a second path: PrivateLink connections to the AWS-hosted services the on-prem applications consumed, with an IPsec VPN as a tertiary path. BGP routing handled the failover; Route 53 Resolver kept DNS consistent across paths. Traffic Mirroring on the on-prem side helped verify which path was serving each connection during drills.
In the twelve months following rollout, three carrier maintenance events occurred. All three saw automatic failover inside 60 seconds, and none caused customer-visible impact. The 9% network cost overhead is well within the budget the team had reserved for "things going wrong."