The Challenge
A rapidly growing seed-stage e-commerce startup was facing an increasing volume of automated bot traffic, scraping, and probing for common web vulnerabilities. Their existing infrastructure relied entirely on basic security groups (stateful layer 3/4 filters on addresses and ports), which resulted in:
- Site Degradation: Malicious bot traffic was consuming precious server resources, slowing down the site for legitimate buyers.
- Security Exposure: With no layer 7 inspection in front of the application, SQL injection (SQLi) and cross-site scripting (XSS) payloads reached the application code unfiltered.
- Complex Routing: They needed a way to dynamically route traffic to new microservices without constantly updating DNS records or suffering downtime.
Our Approach
We completely redesigned their edge and network architecture on AWS to prioritize security and routing intelligence.
1. Infrastructure Architecture
We established a strict multi-tier VPC topology. Public subnets were reserved for the Application Load Balancers (ALBs) and NAT Gateways only. All application instances and databases were moved to private subnets with no inbound route from the public internet; their outbound traffic (package updates, third-party APIs) egresses through the NAT Gateways.
2. Application Load Balancing (ALB) Routing
We implemented path-based listener rules on the AWS Application Load Balancers. Traffic was routed on path conditions (e.g., /api/v1/cart vs /images/) to the target group holding the corresponding microservice, so a new service only needs a new rule and target group rather than a DNS change.
3. Advanced AWS WAF Integration
We attached highly customized AWS WAF web ACLs to the ALBs.
- We enabled AWS Managed Rules for baseline SQLi and XSS protection.
- Developed custom rate-based rules that throttle source IPs sending excessive request volumes, plus a blocklist of IPs generating excessive 404/500 responses. Because AWS WAF inspects requests and never sees the response status code, that second list has to be fed from the ALB access logs into a WAF IP set rather than expressed as a WAF rule condition.
- Enabled AWS WAF Bot Control signatures to block known bad actors and scrapers hunting for pricing data.
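The three steps above, as one added Terraform example (not the client's own code): a path-based ALB listener rule, a WAFv2 web ACL carrying the AWS managed Common rule set (which contains the CrossSiteScripting_* rules), the SQLi rule set, Bot Control, and a rate-based rule, and the association that puts the ACL in front of the ALB. The VPC from step 1, the load balancer `aws_lb.edge`, its listener `aws_lb_listener.https` and the target group `aws_lb_target_group.cart` are assumed to be declared elsewhere; every name and limit here is illustrative.

```hcl
# Added example, not the client's Terraform. Assumed to exist elsewhere: aws_lb.edge
# (public subnets), aws_lb_listener.https, aws_lb_target_group.cart (private subnets).

# Step 2: path-based routing. Lower priority numbers are evaluated first;
# unmatched paths fall through to the listener's default action.
resource "aws_lb_listener_rule" "cart_api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.cart.arn
  }

  condition {
    path_pattern {
      values = ["/api/v1/cart", "/api/v1/cart/*"]
    }
  }
}

resource "aws_wafv2_web_acl" "edge" {
  name  = "ecommerce-edge"
  scope = "REGIONAL" # ALB; a CloudFront distribution needs "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Rate-based rule: requests per source IP over a 5-minute window (the default);
  # the IP is blocked while it stays above the limit. WAF never sees response
  # codes, so 404/500-driven blocking needs an IP set fed from ALB access logs.
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # AWS managed groups. Common carries the CrossSiteScripting_* rules, SQLi the SQL
  # injection rules; Bot Control (a paid add-on) blocks known bots and scrapers.
  # override_action none keeps each group's own block verdicts.
  dynamic "rule" {
    for_each = {
      AWSManagedRulesCommonRuleSet     = 20
      AWSManagedRulesSQLiRuleSet       = 21
      AWSManagedRulesBotControlRuleSet = 30
    }
    content {
      name     = rule.key
      priority = rule.value
      override_action {
        none {}
      }
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
          # Bot Control requires an inspection level; COMMON avoids TARGETED's per-request cost.
          dynamic "managed_rule_group_configs" {
            for_each = rule.key == "AWSManagedRulesBotControlRuleSet" ? [1] : []
            content {
              aws_managed_rules_bot_control_rule_set {
                inspection_level = "COMMON"
              }
            }
          }
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ecommerce-edge"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.edge.arn
  web_acl_arn  = aws_wafv2_web_acl.edge.arn
}
```

Two practical notes on this layout. First, the rate-based rule and the managed groups are ordered by priority, and the rate limit sits first so a flooding IP is dropped before the costlier managed-group inspection runs. Second, a new managed group should be deployed with `override_action { count {} }` for a day or two and its CloudWatch metric reviewed for false positives on legitimate checkout traffic before switching it to `none {}` as above.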
The Result
The transformation cut malicious traffic immediately while laying the groundwork for future microservice expansion.
- Threat Mitigation: The new WAF setup blocked over 5 million malicious requests in the first week alone, dropping server load by 30%.
- Resilience: The private subnet architecture ensured that even if a critical vulnerability was found in the application code, attackers could not reach the database layer from the internet; a compromised instance is limited to what its own database credentials and security group rules allow.
- Scalable Routing: The engineering team can now launch new services on dedicated paths within minutes by updating the ALB listener rules in Terraform.