Use case
Network ACL Configuration for Production Environment Security
- Lakshya Chhajed
About the Customer
BrightPay is a leading API platform enabling seamless integrations across subscription services, SaaS products, and commerce systems. Its RESTful API allows organizations to connect accounts, manage user sessions, streamline payment method synchronization, configure webhooks, and enhance customer-facing workflows. By simplifying multi-platform subscription management, BrightPay empowers businesses to deliver a unified and frictionless user experience.
Customer Challenge
A security audit revealed that the production environment's Network ACLs (NACLs) were configured to allow unrestricted inbound access (0.0.0.0/0) on all ports. This exposed the environment to significant security and compliance risks, despite the instance-level controls provided by Security Groups.
Without remediation, BrightPay’s platform could face unauthorized access threats, experience disrupted core operations, and compromise sensitive workloads. Crucially, the platform was also exposed to severe risks of failing compliance and regulatory audits.
Solution
IAMOPS implemented a comprehensive security enhancement project aligned with AWS best practices.
- The initiative began with a detailed analysis of existing application traffic via VPC Flow Logs and a review of application functional requirements across services including ALB, ECS, EC2, and RDS, to determine the required ports and trusted IP ranges.
- A request was submitted via AWS Service Quotas to increase the NACL rule limit from 20 to 40, enabling granular rule definition.
- Structured rule numbering (100, 105, 110) was used to ensure scalable configuration. Unrestricted 0.0.0.0/0 rules were removed and replaced with precise inbound rules aligned with corresponding Security Groups.
- IAMOPS also implemented VPC Endpoints for Amazon ECR and Amazon SNS with Private DNS, ensuring internal traffic remained secure and did not traverse the public internet.
- Extensive testing including network connectivity checks, application validation, end‑to‑end functional tests, and security scans ensured that changes introduced zero disruption.
- Security scans confirmed that no unnecessary ports or IPs remained exposed.
- AWS CloudWatch and VPC Flow Logs were used to monitor application functionality and network traffic post-implementation.
- A rollback strategy was established to revert the NACL rules to allow all traffic (all ports, all sources) in case of issues, minimizing downtime.
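The audit check and the structured rule numbering described above, as an added example that is not IAMOPS or BrightPay code: the entry shape follows the output of `aws ec2 describe-network-acls`, the sample entries are constructed, and the trailing ephemeral-port entry is an assumption about the deployment (NACLs are stateless, so return traffic for connections the workload initiates needs its own inbound allow).

```python
# Audit entries from `aws ec2 describe-network-acls` for unrestricted inbound
# allow rules and draft structured replacements, as in the case study above.
# Added example; sample entries are constructed, not from the customer's VPC.

UNRESTRICTED = "0.0.0.0/0"
DEFAULT_NACL_RULE_LIMIT = 20   # AWS default per NACL; the case study raised it to 40

def is_unrestricted_inbound(entry):
    """True for an inbound allow entry that admits any source on any port."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") != UNRESTRICTED:
        return False
    if entry.get("Protocol") == "-1":          # all protocols: no PortRange key
        return True
    pr = entry.get("PortRange", {})
    return pr.get("From") == 0 and pr.get("To") == 65535

def find_unrestricted(entries):
    """Rule numbers the audit would flag, lowest first."""
    return sorted(e["RuleNumber"] for e in entries if is_unrestricted_inbound(e))

def build_inbound_rules(allow_list, start=100, step=5, limit=DEFAULT_NACL_RULE_LIMIT):
    """allow_list: (cidr, from_port, to_port) tuples mirroring the Security Groups.
    Returns TCP allow entries numbered start, start+step, ... plus one bounded
    ephemeral-port entry (assumption: NACLs are stateless, so return traffic for
    connections the workload initiates needs an explicit inbound allow)."""
    rules = [{"RuleNumber": start + i * step, "Protocol": "6", "RuleAction": "allow",
              "Egress": False, "CidrBlock": cidr, "PortRange": {"From": lo, "To": hi}}
             for i, (cidr, lo, hi) in enumerate(allow_list)]
    rules.append({"RuleNumber": start + len(allow_list) * step, "Protocol": "6",
                  "RuleAction": "allow", "Egress": False, "CidrBlock": UNRESTRICTED,
                  "PortRange": {"From": 1024, "To": 65535}})
    if len(rules) > limit:
        raise ValueError(f"{len(rules)} rules exceed the NACL limit of {limit}; "
                         "request an increase via AWS Service Quotas first")
    return rules

# Constructed sample: the audit finding (inbound rule 100 open to all) next to an
# explicit HTTPS rule and an outbound rule that the inbound audit must ignore.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": UNRESTRICTED},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": UNRESTRICTED},
]
```

Running `find_unrestricted` over the real `Entries` list from the CLI output reproduces the audit finding; the generated rules are what would be submitted with `create-network-acl-entry` after the unrestricted entry is deleted.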
Results & Benefits
- Significantly Enhanced Security and Compliance: 100% removal of unrestricted inbound access, strengthening the security posture and achieving full compliance with industry regulations.
- Reduced Operational Risk: Successfully closed audit findings and established a robust, secure network boundary.
- Improved Efficiency: Streamlined the NACL implementation process using structured rules, allowing for clear and rapid network policy application.
- Cost Optimization: 20–25% cost reduction by routing ECR and SNS traffic through VPC Endpoints instead of the public internet.
- Zero Disruption: Zero downtime throughout implementation due to meticulous multi-layer testing.
About IAMOPS
IAMOPS specializes in providing cloud-based DevOps solutions with a focus on AWS, Azure, and GCP. With expertise in automation, cloud-native infrastructure, and CI/CD pipelines, IAMOPS helps organizations optimize their cloud operations, ensuring efficiency, security, and scalability. IAMOPS holds multiple AWS Specializations and is committed to delivering innovative solutions that meet the unique needs of its clients.