Business Case: AWS Migration from PaaS to Self-Managed AWS Environment
Confidential – Client identity and sensitive details have been omitted.
1. Executive Summary
A major digital-services provider needed to move dozens of mission-critical microservices off a third-party PaaS and into its own AWS Organization—gaining cost control, stronger security posture, and full operational ownership. BERM Cloud designed and executed a zero-downtime “parallel-run” migration strategy across ECS, RDS, SQS, SES, and related services. Traffic was shifted incrementally via header-based routing (managed by WAF + CloudFormation), achieving a 100% cutover for each service with no user impact.
2. Business Challenge
- Vendor Lock-In & Cost Unpredictability: Reliance on the PaaS provider meant fluctuating monthly bills and limited visibility into infrastructure spend.
- Control & Compliance Gaps: The client required tighter security controls (e.g. custom WAF rules, Shield Advanced protections) and full auditability of their cloud environment.
- Scalability Limits: The PaaS model constrained fine-grained autoscaling policies and made feature deployments slower.
3. Objectives
- Full AWS Ownership: Migrate workloads into the client’s AWS Organization, with centralized billing and consolidated IAM controls.
- Zero Downtime: Preserve SLAs by ensuring continuous service availability throughout the cutover.
- Enhanced Security & Governance: Leverage AWS WAF, Shield Advanced, and CloudFormation guardrails for policy-as-code enforcement.
- Improved Deployment Velocity: Transition to AWS-native CI/CD pipelines—shortening lead times for new features and patches.
4. Migration Approach
| Phase | Key Activities |
|---|---|
| Discovery & Planning | • Inventory ~30 microservices (ECS) and associated RDS Postgres instances, SQS queues, SES configs, pipelines. • Define parallel-run strategy using blue/green headers and WAF rules. |
| Pilot Migration | • Stand up a proof-of-concept service in the client’s AWS account. • Validate header-based traffic split via AWS WAF + CloudFormation. |
| Bulk Migration | • Automate provisioning via CloudFormation (VPC, ECS Clusters, Lambdas, S3 buckets, RDS). • Deploy new services alongside PaaS counterparts. • Gradually shift traffic by adjusting header-routing percentages—monitored end-to-end. |
| Cutover & Clean-Up | • Achieve 100% traffic on AWS for each service. • Decommission PaaS instances and shut down legacy pipelines. • Finalize IAM roles, tagging, and cost-allocation reporting. |
5. Technical Architecture
- Compute & Orchestration: ECS Fargate for container workloads, Lambda for event-driven tasks
- Data Services: Amazon RDS (Postgres) with Multi-AZ for high availability
- Messaging & Email: Amazon SQS & SES
- Eventing: EventBridge for cross-service event bus
- Infrastructure as Code: CloudFormation with nested stacks; modular templates for repeatability
- Security Controls: AWS WAF + Shield Advanced, IAM policies scoped by organizational units
6. Results & Benefits
| Metric | Before | After |
|---|---|---|
| Downtime | Planned maintenance windows; risk of outages | 0 seconds (zero-downtime migration) |
| Deployment Velocity | Weekly releases | Hourly releases via native CI/CD |
| Cost Visibility & Control | Vendor-managed billing | Centralized AWS billing with cost tags |
| Security Posture | Limited PaaS rules | Custom WAF rules + Shield Advanced protection |
| Scalability & Resilience | Constrained by PaaS | Autoscaling ECS + Multi-AZ RDS |
- Cost Savings: Projected 20–25% reduction in monthly infrastructure spend through rightsizing and reserved instances.
- Risk Mitigation: Elimination of single-vendor dependency; enhanced compliance readiness for future audits.
- Operational Excellence: Standardized, reusable IaC modules accelerate future migrations and greenfield deployments.
7. Conclusion & Next Steps
By shifting to a self-managed AWS Organization, the client not only secured a more predictable cost model and enhanced security posture but also unlocked ambitious growth plans—deploying features faster and scaling without PaaS constraints.
Next Steps:
- Extend this migration pattern to new regions (EMEA, APAC) for global coverage.
- Introduce policy-as-code guardrails to other teams within the organization.
- Conduct a follow-up workshop to explore advanced use cases (e.g., serverless data lakes, Kubeflow pipelines).
Prepared by BERM Cloud – Leveraging AWS expertise to transform your operations.



