CASE 13 · CIPHER · 2025
No public ingress, no VPN, no internet egress from prod.
A fintech with strict regulator expectations had a VPC topology that "worked but felt wrong" — a public ALB, a third-party WAF appliance, an open egress NAT. Their CISO wanted defensible boundaries. We redesigned the production VPC for zero-trust: no public ingress, no internet egress, every service-to-service call authenticated.
Fintech
SECURITY
2025
RESULTS
What changed, by the numbers.
PUBLIC INGRESS: 0
EGRESS NAT BILL: −84%
CROSS-VPC CALLS: mTLS
PEN-TEST FINDINGS: P0: 0
HOW IT WENT
The first thing we did was draw the actual traffic map — every flow, every protocol, every credential. The drawing didn’t fit on one screen. The CISO understood why she’d been uncomfortable; the team understood why every change broke something.
We collapsed the topology around CloudFront → AWS WAF → PrivateLink → VPC Lattice. Public ingress became a single CloudFront distribution per environment. VPC Lattice handled service-to-service calls with IAM authentication, replacing a homegrown JWT layer. Egress to AWS services went through Gateway Endpoints; the few external SaaS dependencies got dedicated PrivateLink connections.
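The posture described above (no internet gateway, no NAT, IAM-authenticated VPC Lattice services, AWS egress only via endpoints) is easy to drift away from. The following audit is an added example, not the engagement's own tooling: it takes dicts shaped like the boto3 responses of ec2.describe_internet_gateways, ec2.describe_nat_gateways, ec2.describe_vpc_endpoints and vpc-lattice get_service, and reports anything that violates the stated boundaries. The sample inputs, VPC ids and the severity labels are constructed for the demonstration.

```python
"""Check a production VPC against the zero-trust boundaries described above.

Added example. Inputs are constructed dicts shaped like the boto3 responses
of ec2.describe_internet_gateways, ec2.describe_nat_gateways,
ec2.describe_vpc_endpoints and vpc-lattice get_service; wire real clients
in if you want to run it against an account.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "P0": open network boundary, "P1": missing or weaker control
    resource: str
    detail: str


def audit_vpc(vpc_id, internet_gateways, nat_gateways, endpoints, lattice_services,
              required_gateway_suffixes=(".s3", ".dynamodb")):
    """Return a list of Findings; an empty list means the VPC matches the posture."""
    findings = []

    # 1. No public ingress: an IGW attached to the VPC makes an internet route possible.
    for igw in internet_gateways.get("InternetGateways", []):
        for att in igw.get("Attachments", []):
            if att.get("VpcId") == vpc_id and att.get("State") in ("attached", "attaching"):
                findings.append(Finding("P0", igw["InternetGatewayId"],
                                        "internet gateway attached to production VPC"))

    # 2. No internet egress: any NAT gateway that still exists is an egress path.
    for nat in nat_gateways.get("NatGateways", []):
        if nat.get("VpcId") == vpc_id and nat.get("State") not in ("deleted", "deleting", "failed"):
            findings.append(Finding("P0", nat["NatGatewayId"],
                                    f"NAT gateway present (state={nat.get('State')})"))

    # 3. Every service-to-service call authenticated: Lattice services must use AWS_IAM.
    for svc in lattice_services:
        if svc.get("authType") != "AWS_IAM":
            findings.append(Finding("P1", svc["arn"],
                                    f"VPC Lattice service authType={svc.get('authType')}"))

    # 4. Egress to AWS services via endpoints: each required gateway endpoint must be available.
    available_gateways = {
        ep["ServiceName"] for ep in endpoints.get("VpcEndpoints", [])
        if ep.get("VpcId") == vpc_id
        and ep.get("VpcEndpointType") == "Gateway"
        and str(ep.get("State", "")).lower() == "available"
    }
    for suffix in required_gateway_suffixes:
        if not any(name.endswith(suffix) for name in available_gateways):
            findings.append(Finding("P1", f"{vpc_id}:{suffix.lstrip('.')}",
                                    f"no available gateway endpoint for {suffix.lstrip('.')}"))
    return findings


# Constructed sample: a VPC that still carries the "worked but felt wrong" topology.
DRIFTED_VPC = "vpc-0example000000001"
DRIFTED_INPUTS = dict(
    internet_gateways={"InternetGateways": [
        {"InternetGatewayId": "igw-0example0000000aa",
         "Attachments": [{"VpcId": DRIFTED_VPC, "State": "attached"}]}]},
    nat_gateways={"NatGateways": [
        {"NatGatewayId": "nat-0example0000000bb", "VpcId": DRIFTED_VPC, "State": "available"}]},
    endpoints={"VpcEndpoints": [
        {"VpcId": DRIFTED_VPC, "VpcEndpointType": "Gateway",
         "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"}]},
    lattice_services=[
        {"arn": "arn:aws:vpc-lattice:eu-west-1:123456789012:service/svc-0example0000000cc",
         "authType": "NONE"},
        {"arn": "arn:aws:vpc-lattice:eu-west-1:123456789012:service/svc-0example0000000dd",
         "authType": "AWS_IAM"}],
)

# Constructed sample: the redesigned VPC (no IGW, no NAT, IAM everywhere, both gateway endpoints).
CLEAN_VPC = "vpc-0example000000002"
CLEAN_INPUTS = dict(
    internet_gateways={"InternetGateways": []},
    nat_gateways={"NatGateways": [
        {"NatGatewayId": "nat-0example0000000ee", "VpcId": CLEAN_VPC, "State": "deleted"}]},
    endpoints={"VpcEndpoints": [
        {"VpcId": CLEAN_VPC, "VpcEndpointType": "Gateway",
         "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
        {"VpcId": CLEAN_VPC, "VpcEndpointType": "Gateway",
         "ServiceName": "com.amazonaws.eu-west-1.dynamodb", "State": "available"}]},
    lattice_services=[
        {"arn": "arn:aws:vpc-lattice:eu-west-1:123456789012:service/svc-0example0000000ff",
         "authType": "AWS_IAM"}],
)


def severity_counts(findings):
    """Summarise findings as {"P0": n, "P1": m} for a quick dashboard line."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, vpc, inputs in (("drifted", DRIFTED_VPC, DRIFTED_INPUTS),
                               ("clean", CLEAN_VPC, CLEAN_INPUTS)):
        result = audit_vpc(vpc, **inputs)
        print(f"{label}: {severity_counts(result)}")
        for f in result:
            print(f"  [{f.severity}] {f.resource}: {f.detail}")
```

The check treats a NAT gateway as a finding regardless of route tables, since the stated posture is that none exists; if your account keeps a NAT for a break-glass subnet, filter on the subnet id before calling it a P0.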
The next pen-test ran three weeks. The previous report had three P0 exploitable findings. The new report had two P3 findings (both about logging verbosity) and a polite footnote from the assessor recommending we publish the architecture as a reference.