Deploying a Secure and Scalable AWS Landing Zone for a UAE-Based Insurance Company

REGION
United Arab Emirates
COMPANY TYPE
Insurance Company
INDUSTRY
Financial Services & Insurance
CLOUD SOLUTION

THE CUSTOMER
The customer is one of the leading insurance providers in the UAE, offering health, motor, property, and life insurance to both individuals and enterprises. As a regulated financial entity, it must comply with stringent data protection requirements, including UAE Central Bank regulations and international frameworks such as ISO 27001 and PCI DSS.
To support digital transformation initiatives and streamline operations, the customer embarked on a journey to modernize its IT infrastructure by leveraging Amazon Web Services (AWS). The company sought to deploy a robust, secure, and scalable cloud foundation capable of hosting sensitive workloads while supporting seamless integration with on-premises systems.
THE CHALLENGE
Providing a Secure and Scalable AWS Landing Zone within the UAE Region
The customer’s primary challenge was to build a secure and scalable AWS Landing Zone specifically tailored for the UAE region, where data residency, low-latency connectivity, and deep traffic inspection were critical. Key concerns included:
• Ensuring secure connectivity between AWS-hosted services and on-premises systems within the UAE.
• Centralizing control over north-south (internet/on-premises) and east-west (inter-VPC) traffic.
• Integrating third-party next-generation firewalls (NGFWs) for comprehensive traffic inspection.
• Enabling automated failover mechanisms for firewalls to maintain high availability.
• Supporting a scalable, multi-account AWS architecture to accommodate future business units.
THE SOLUTION
Enterprise-Grade Landing Zone with Transit Gateway, Perimeter VPC, Inspection VPC, and GWLB Integration with Third-Party Network Virtual Appliances
To address the customer’s security, compliance, and scalability needs, Bespin Global implemented a robust AWS Landing Zone tailored specifically for the regulatory and operational landscape of the UAE. The solution established a secure and governed cloud foundation, enabling the customer to confidently host sensitive workloads while ensuring seamless hybrid connectivity, centralized traffic control, and high availability. This architecture laid the groundwork for scalable multi-account cloud operations, aligning with both internal IT strategies and external regulatory mandates, ultimately accelerating the customer’s digital transformation goals. The solution roadmap included:
• AWS Control Tower for multi-account governance and guardrails.
• AWS Transit Gateway (TGW) to centralize routing across VPCs and hybrid connectivity.
• Perimeter VPC containing third-party NVAs (e.g., Palo Alto, Fortinet) to inspect traffic to and from the internet and on-premises systems.
• Inspection VPC with third-party NGFWs integrated via AWS Gateway Load Balancer (GWLB) to inspect traffic between application VPCs (east-west traffic).
• Transit (hub-and-spoke) routing model using custom TGW route tables to steer traffic through the inspection points.
• Firewall API integration for automated health checks and dynamic route updates during perimeter firewall failover scenarios.
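As an added example (not the customer's or Bespin Global's code), the health-check and route-update logic behind such a perimeter firewall failover, written in Python in the style of a scheduled Lambda. Route-table and ENI IDs are placeholders, the vendor-API health check is represented by an injected probe callable, and the EC2 client is a small in-memory stand-in with the same describe_route_tables/replace_route call shape as boto3 so the example runs offline; both firewall ENIs are assumed to have source/destination check disabled.

```python
"""Perimeter firewall failover: probe both NVAs and re-point the VPC route tables'
default route at the healthy one.  Added example modelled on the health-check /
dynamic-route pattern described above, not the project's code.  IDs are placeholders;
the EC2 client and probe are injected so it runs offline (use a boto3 EC2 client and a
vendor-API or TCP probe in production)."""
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List

log = logging.getLogger("fw-failover")


@dataclass(frozen=True)
class FailoverConfig:
    route_table_ids: List[str]   # VPC route tables whose default route must point at the live NVA
    primary_eni: str             # trust-side ENI of the primary firewall (source/dest check disabled)
    secondary_eni: str           # trust-side ENI of the secondary firewall
    prefix: str = "0.0.0.0/0"


def desired_target(current: str, health: Dict[str, bool]) -> str:
    """ENI the route should point at.  Non-preemptive: a healthy current target is kept
    (no automatic failback); if it is down, move to a healthy peer; if nothing is
    healthy, keep the current target (fail closed) rather than flap on a probe outage."""
    if health.get(current):
        return current
    healthy = [eni for eni, ok in health.items() if ok]
    if not healthy:
        log.error("no healthy perimeter firewall; leaving route on %s", current)
        return current
    return healthy[0]


def current_target(ec2, route_table_id: str, prefix: str) -> str:
    """ENI currently holding `prefix` in the route table (boto3 describe_route_tables shape)."""
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for route in resp["RouteTables"][0]["Routes"]:
        if route.get("DestinationCidrBlock") == prefix:
            return route.get("NetworkInterfaceId", "")
    raise LookupError(f"{route_table_id} has no route for {prefix}")


def reconcile(ec2, cfg: FailoverConfig, probe: Callable[[str], bool]) -> List[Dict[str, str]]:
    """One controller pass (e.g. a scheduled Lambda): probe once, then fix every route table
    that points at an unhealthy firewall.  Returns the changes made."""
    health = {eni: probe(eni) for eni in (cfg.primary_eni, cfg.secondary_eni)}
    changes = []
    for rtb in cfg.route_table_ids:
        cur = current_target(ec2, rtb, cfg.prefix)
        want = desired_target(cur, health)
        if want != cur:
            ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock=cfg.prefix,
                              NetworkInterfaceId=want)
            log.warning("%s: %s %s -> %s", rtb, cfg.prefix, cur, want)
            changes.append({"route_table": rtb, "from": cur, "to": want})
    return changes


class FakeEc2:
    """Offline stand-in for the two boto3 EC2 calls used above (constructed for the example)."""
    def __init__(self, routes: Dict[str, str]):
        self.routes = dict(routes)   # route table id -> ENI currently holding the default route

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [
            {"RouteTableId": r, "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                                            "NetworkInterfaceId": self.routes[r]}]}
            for r in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.routes[RouteTableId] = NetworkInterfaceId
        return {}


def demo() -> Dict[str, str]:
    """Primary fails, both TGW-attachment-subnet route tables move to the secondary; when the
    primary comes back nothing moves (non-preemptive); a total probe failure changes nothing."""
    cfg = FailoverConfig(["rtb-tgw-a", "rtb-tgw-b"], "eni-fw-primary", "eni-fw-secondary")
    ec2 = FakeEc2({"rtb-tgw-a": "eni-fw-primary", "rtb-tgw-b": "eni-fw-primary"})
    reconcile(ec2, cfg, lambda eni: eni == "eni-fw-secondary")   # primary down
    reconcile(ec2, cfg, lambda eni: True)                        # primary back, no failback
    reconcile(ec2, cfg, lambda eni: False)                       # probes fail, fail closed
    return ec2.routes


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The two behaviours worth keeping when adapting this are the non-preemptive choice (a recovered primary does not pull traffic back until an operator decides to) and the fail-closed branch (a probe outage that sees both firewalls as down must not touch routes). Vendor HA calls (e.g. querying the firewall's own HA state over its API) belong in the probe; the route change itself stays in the controller so it is logged and idempotent.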
Operationalizing Security and Resilience in the Cloud
Following the architectural design, Bespin Global executed a comprehensive implementation strategy to bring the secure AWS Landing Zone to life. This involved deploying foundational services across a multi-account structure with centralized governance, advanced routing mechanisms, and tightly integrated security controls. Special emphasis was placed on traffic inspection, access management, and observability to ensure the environment met both regulatory and operational demands. In parallel, a robust disaster recovery (DR) framework was built within the same region to maintain compliance with data residency requirements while ensuring high availability, automated failover, and resilient infrastructure performance. The following outlines the key components and configurations of the deployed solution.
Account Governance: AWS Control Tower provisioned landing zone accounts for security, logging, shared services, networking, and application teams. Guardrails enforced baseline security policies.
Transit Gateway Route Tables:
Spoke Route Table: the default route points to the Inspection VPC attachment, so every packet leaving a spoke is inspected first.
Inspection Route Table: routes traffic leaving the Inspection VPC back to the destination spoke VPC, or on to the Perimeter VPC when it is bound for the internet or on-premises.
Perimeter Route Table: handles traffic to and from the internet and on-premises systems.
Custom Routing Logic:
Route propagation from the spoke VPC attachments into the spoke route table is disabled, so spoke VPCs have no direct route to each other.
Static routes force spoke-to-spoke traffic through the Inspection VPC, and spoke-to-internet and spoke-to-on-premises traffic through the Perimeter VPC.
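To check a route-table design like this before it is deployed, here is an added example (not the customer's or Bespin Global's code) that models the three TGW route tables in Python, resolves the path a packet takes hop by hop with longest-prefix matching, and flags flows that would reach their destination without crossing the Inspection VPC. Attachment names, CIDRs and the 203.0.113.10 "outside" address are assumptions; the leaky_design variant shows what a single stray propagated spoke route does to the design.

```python
"""Route-path checker for the Transit Gateway design above: spoke, inspection and
perimeter route tables, propagation disabled, static routes only.
Added example, not the project's code; attachment names and CIDRs are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Attachment:
    cidrs: List[str]        # address space behind the attachment
    route_table: str        # TGW route table the attachment is associated with
    transit: bool = False   # NVA hands the packet back to the TGW after inspection
    egress: bool = False    # NVA forwards destinations outside AWS to the internet / on-premises


@dataclass
class TgwDesign:
    attachments: Dict[str, Attachment]
    route_tables: Dict[str, Dict[str, str]]   # route table -> {prefix: target attachment}

    def owner(self, ip) -> Optional[str]:
        """Attachment whose CIDR contains ip, or None for addresses outside AWS."""
        for name, att in self.attachments.items():
            if any(ip in ipaddress.ip_network(c) for c in att.cidrs):
                return name
        return None

    def lookup(self, rt: str, ip) -> Optional[str]:
        """Longest-prefix match over the static routes in rt; None means no route."""
        best = None
        for prefix, target in self.route_tables[rt].items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]


class RoutingError(Exception):
    pass


def resolve_path(design: TgwDesign, src: str, dst: str, max_hops: int = 6) -> List[str]:
    """Attachments a packet from src to dst traverses, e.g. ['spoke-a', 'inspection', 'spoke-b']."""
    ip = ipaddress.ip_address(dst)
    path, current = [src], src
    for _ in range(max_hops):
        target = design.lookup(design.attachments[current].route_table, ip)
        if target is None or target == "blackhole":
            raise RoutingError(f"{dst} dropped in route table of {current}: {path}")
        path.append(target)
        att = design.attachments[target]
        if design.owner(ip) == target:
            return path                 # delivered to the VPC that owns the address
        if att.egress and design.owner(ip) is None:
            return path                 # leaves AWS through the perimeter NVA
        if not att.transit:
            raise RoutingError(f"{dst} sent to {target}, which does not own it: {path}")
        current = target                # NVA re-injects; evaluate its route table next
    raise RoutingError(f"routing loop for {dst}: {path}")


def uninspected_flows(design: TgwDesign, spokes: List[str], outside: str = "203.0.113.10") -> List[tuple]:
    """Flows that reach their destination without crossing the Inspection VPC
    (and, for destinations outside AWS, the Perimeter VPC as well)."""
    probes = [(s, str(ipaddress.ip_network(design.attachments[d].cidrs[0])[10]))
              for s in spokes for d in spokes if s != d]
    probes += [(s, outside) for s in spokes]
    bad = []
    for src, dst in probes:
        path = resolve_path(design, src, dst)
        need = {"inspection"} if design.owner(ipaddress.ip_address(dst)) else {"inspection", "perimeter"}
        if not need.issubset(path):
            bad.append((src, dst, path))
    return bad


def reference_design() -> TgwDesign:
    spoke_a, spoke_b = "10.10.0.0/16", "10.20.0.0/16"   # assumed spoke CIDRs
    return TgwDesign(
        attachments={
            "spoke-a": Attachment([spoke_a], "spoke-rt"),
            "spoke-b": Attachment([spoke_b], "spoke-rt"),
            "inspection": Attachment(["10.0.0.0/24"], "inspection-rt", transit=True),
            "perimeter": Attachment(["10.0.1.0/24"], "perimeter-rt", transit=True, egress=True),
        },
        route_tables={
            # spokes: propagation disabled, one static default route into inspection
            "spoke-rt": {"0.0.0.0/0": "inspection"},
            # after inspection: back to the owning spoke, everything else on to the perimeter
            "inspection-rt": {spoke_a: "spoke-a", spoke_b: "spoke-b", "0.0.0.0/0": "perimeter"},
            # return traffic from the internet / on-prem goes back through inspection
            "perimeter-rt": {spoke_a: "inspection", spoke_b: "inspection"},
        },
    )


def leaky_design() -> TgwDesign:
    """Same design with one propagated spoke route left in (a common misconfiguration)."""
    d = reference_design()
    d.route_tables["spoke-rt"]["10.20.0.0/16"] = "spoke-b"
    return d


if __name__ == "__main__":
    print(resolve_path(reference_design(), "spoke-a", "10.20.0.10"))
    print(uninspected_flows(leaky_design(), ["spoke-a", "spoke-b"]))
```

The same check can be fed the output of describe-transit-gateway-route-tables / search-transit-gateway-routes from a live account instead of the hand-written tables. Note that the checker only models route selection; in the real deployment the Inspection VPC attachment also needs appliance mode enabled on the TGW so both directions of a flow are sent to the same AZ, and hence the same GWLB and firewall, otherwise the stateful NGFWs see only half of each session.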
Firewall and NVAs:
HA deployments of Palo Alto NGFWs in the Inspection VPC and Fortinet NGFWs in the Perimeter VPC.
Each firewall has internal and external interfaces, with policies enforcing inspection, NAT, and logging.
Security Logging and Monitoring:
VPC Flow Logs enabled on all VPCs and delivered to a centralized Amazon S3 bucket.
Amazon CloudWatch collects firewall metrics.
SIEM tools ingested logs for anomaly detection and alerting.
Disaster Recovery (DR) Strategy
To meet regulatory requirements mandating data residency within the UAE, the customer asked Bespin Global to implement an in-region disaster recovery (DR) solution using the third Availability Zone (AZ) of the AWS UAE Region.
Single- and Multi-AZ Deployment: Core infrastructure, including load balancers and the Transit Gateway, was deployed across multiple AZs, while the DR instances of the Perimeter and Inspection firewalls, together with the DR workloads, were deployed in the third Availability Zone.
Non-overlapping IP CIDRs: The DR network uses a unique, non-overlapping IP space, so the DR site can be active on the network at the same time as the production site.
NVA policy replication: Firewall policies were replicated from production to DR using the vendor's firewall manager. Per-site IP objects allowed the same policy to be pushed to both sites with site-specific IP addresses.
Regular DR Testing: Simulated AZ failover scenarios were run quarterly to confirm that applications and security appliances operate correctly under failover and that recovery time objectives (RTO) and recovery point objectives (RPO) are met.
This approach ensured continuous operations within the UAE Region without violating data sovereignty regulations, while providing the resilience required for a mission-critical financial services environment.
RESULTS & BENEFITS
The implementation of a secure AWS Landing Zone transformed the customer’s cloud operations, aligning with stringent regulatory standards while unlocking tangible performance, security, and operational benefits. The solution not only strengthened network governance and threat prevention but also enabled scalable growth, streamlined provisioning, and ensured business continuity through resilient architecture. Key outcomes included:
1. Centralized Network Control: Transit Gateway enabled central policy enforcement across VPCs and accounts, reducing complexity.
2. Enhanced Security: All north-south and east-west traffic was inspected by enterprise-grade firewalls, blocking external threats and containing lateral movement.
3. Scalable Architecture: The transit model allowed seamless addition of VPCs with minimal configuration.
4. Reliable On-Premises Connectivity: VPN connectivity with failover ensured constant, low-latency access to core systems.
5. Improved Visibility: Centralized logging, flow analysis, and deep packet inspection improved incident response and compliance.
6. Operational Efficiency: Automated routing, monitoring, and provisioning reduced overhead and eliminated manual errors.
7. Resilient Disaster Recovery: In-region multi-AZ failover strategy ensured compliance with UAE data residency requirements and provided continuous availability.
Performance Highlights
• Higher uptime for both inter-VPC and internet traffic, thanks to the NGFW HA architecture and its integration with AWS GWLB.
• Reduced latency in mission-critical east-west application flows.
• Zero critical security incidents reported post-deployment due to enforced inspection and network segmentation.
• Reduction in workload onboarding time through automated VPC creation, account provisioning, and centralized networking and security architecture.
• Simplified audit process, cutting compliance review efforts due to centralized logging and inspection.
About Bespin Global, an e& enterprise company:
Bespin Global established a joint venture with e& enterprise, making it the largest public cloud managed and professional services provider in the Middle East. We serve as your strategic ally in the digital landscape, adeptly navigating complexities and unlocking opportunities with precision and foresight.
Our services encompass cloud migration, integration, and management, empowering businesses to scale efficiently and adapt dynamically in an ever-evolving market.
Bespin delivers the tools, expertise, and support needed to ensure a sustained future.
Bespin is committed to elevating the clients’ technological capabilities, emphasizing continuous improvement and proactive engagement. Our holistic, customer-centric approach ensures that every solution not only meets but exceeds expectations.
Bespin forges lasting partnerships and creates enduring value. It is the go-to partner for expert cloud integration and strategic guidance.
Address: The Offices 4, #138-139, One Central, Dubai World Trade Center (DWTC)
Telephone: 800 BESPIN (237746)
P.O. Box: 340729
