
Securing AUC's Learning Platform: Zero&One Delivers Deep Traffic Inspection on AWS

  • Industry : Education
  • Country : Egypt
  • Tags : aws, security

Executive Summary

To modernize its Learning Management System (LMS), AUC deployed Moodle on Amazon Web Services (AWS) with a strong emphasis on security and network visibility. In collaboration with Zero&One, AUC implemented a cloud-native solution designed to monitor and control all network traffic—ensuring data confidentiality, integrity, and system uptime. Leveraging advanced AWS networking features, Zero&One designed a scalable and secure architecture that allows real-time inspection of ingress and egress traffic through third-party firewall integration, aligning with AUC's stringent security requirements.

Customer Challenge

AUC needed to replicate and strengthen its on-premises security controls in the cloud, in particular to prevent data exfiltration and unauthorized access. The main challenge was implementing deep traffic inspection so that threats are detected before they can degrade system performance or compromise sensitive educational data. This required visibility into all inbound and outbound network flows at the application layer (Layer 7), which security groups and network ACLs cannot provide on their own because they filter only on addresses, protocols and ports (Layers 3 and 4). AUC also needed to enforce strict policies and maintain governance without disrupting access to its LMS environment.

Why Zero&One and AWS

Zero&One, as an AWS Premier Partner with deep cloud security expertise, enabled AUC to architect a tailored solution that balances compliance, control, and cloud agility. AWS offered the foundational infrastructure and native services needed to scale Moodle securely, while Zero&One's architectural guidance ensured that the network design could support third-party firewalls, traffic routing logic, and future workload expansion. This combination empowered AUC to meet its academic mission while ensuring a secure, compliant digital environment.

The Solution

To address AUC's security and traffic inspection requirements, Zero&One designed a secure and scalable network architecture on AWS that combines VPC routing, Gateway Load Balancer (GWLB), and FortiGate NGFW appliances for deep packet inspection and threat prevention at Layer 7 of the OSI model.

The solution begins with the Moodle workload deployed in a dedicated VPC, isolated into private subnets. These subnets host the EC2 instances running Moodle, which are not directly reachable from the internet. To inspect all North-South traffic (ingress and egress), a Gateway Load Balancer endpoint (GWLBe) is deployed in the Moodle VPC, and the VPC's route tables steer traffic to that endpoint; the endpoint in turn hands the traffic to a separate Security VPC that hosts the FortiGate virtual appliances.

Outgoing (egress) traffic from Moodle's EC2 instances is first routed, by the application subnets' default route, to the GWLB endpoint in a dedicated egress subnet. The endpoint is backed by a VPC endpoint service (AWS PrivateLink) and forwards the traffic to the Gateway Load Balancer in the Security VPC. The GWLB wraps each packet unmodified in a GENEVE tunnel (UDP port 6081), adding options that let the appliance keep per-flow state, and distributes flows to FortiGate instances running in an Auto Scaling Group (ASG) registered as the GWLB target group. The appliance decapsulates the packet, inspects it, and returns permitted packets to the GWLB inside the same GENEVE header so the load balancer can match them to the original flow. The GWLB sends the packet back through the endpoint to the egress subnet, whose route table forwards it to the Internet Gateway (IGW) for external delivery.
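To make the encapsulation step concrete, the following added example (written for this article, not code from Zero&One, AUC or Fortinet) parses the GENEVE header defined in RFC 8926 the way an appliance behind a GWLB has to, extracts the per-flow options, reads the inner IPv4 packet that is actually inspected, and checks that a returned packet still carries the original outer header. The datagram is constructed inline. The AWS option class `0x0108` and the three option types (endpoint ID, attachment ID, flow cookie) are quoted from AWS's GWLB documentation as the author recalls it and should be confirmed against the current docs before being relied on.

```python
"""Parse the GENEVE (RFC 8926) encapsulation a Gateway Load Balancer puts around each packet."""
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081     # IANA port; the GWLB sends GENEVE datagrams to the appliance on it
AWS_OPTION_CLASS = 0x0108  # assumption: AWS-assigned GENEVE option class (verify against AWS docs)
ETHERTYPE_IPV4 = 0x0800    # GWLB carries bare IPv4 packets, not Ethernet frames


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int      # 7-bit type; the high bit of the wire byte is the "critical" flag
    critical: bool
    data: bytes


@dataclass
class Geneve:
    version: int
    oam: bool
    critical_present: bool
    protocol_type: int
    vni: int
    options: list
    payload: bytes
    header_len: int    # bytes of outer header (8-byte base header plus options)


def parse_geneve(dgram: bytes) -> Geneve:
    """Decode base header and options; rejects truncated or inconsistent lengths."""
    if len(dgram) < 8:
        raise ValueError("truncated GENEVE base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", dgram[:8])
    version, opt_len = b0 >> 6, (b0 & 0x3F) * 4      # Opt Len is in 4-byte units
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    end = 8 + opt_len
    if len(dgram) < end:
        raise ValueError("declared option length runs past the datagram")
    options, off = [], 8
    while off < end:
        if end - off < 4:
            raise ValueError("malformed option header")
        cls, typ, rlen = struct.unpack("!HBB", dgram[off:off + 4])
        data_len = (rlen & 0x1F) * 4                  # option Length is also in 4-byte units
        if off + 4 + data_len > end:
            raise ValueError("option data exceeds declared option length")
        options.append(GeneveOption(cls, typ & 0x7F, bool(typ & 0x80), dgram[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return Geneve(version, bool(b1 & 0x80), bool(b1 & 0x40), proto, vni_rsvd >> 8, options, dgram[end:], end)


def build_geneve(options, payload, protocol_type=ETHERTYPE_IPV4, vni=0) -> bytes:
    """Inverse of parse_geneve; used here only to construct the sample datagram."""
    body = b""
    for o in options:
        if len(o.data) % 4:
            raise ValueError("option data must be a multiple of 4 bytes")
        body += struct.pack("!HBB", o.opt_class, (0x80 if o.critical else 0) | o.opt_type, len(o.data) // 4) + o.data
    return struct.pack("!BBHI", len(body) // 4, 0, protocol_type, vni << 8) + body + payload


def gwlb_metadata(g: Geneve) -> dict:
    """The three AWS options an appliance keys its flow table on (types are an assumption, see above)."""
    names = {1: "endpoint_id", 2: "attachment_id", 3: "flow_cookie"}
    return {names[o.opt_type]: int.from_bytes(o.data, "big")
            for o in g.options if o.opt_class == AWS_OPTION_CLASS and o.opt_type in names}


def inner_ipv4_addrs(payload: bytes):
    """Source and destination of the encapsulated packet, i.e. what the firewall actually inspects."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (".".join(map(str, payload[12:16])), ".".join(map(str, payload[16:20])))


def same_encapsulation(sent: bytes, returned: bytes) -> bool:
    """An appliance must hand the packet back with the outer header untouched so the GWLB
    can map the return to the original flow; any change here is a misbehaving appliance."""
    n = parse_geneve(sent).header_len
    return sent[:n] == returned[:n]


# Constructed sample (not captured traffic): Moodle host 10.0.1.10 replying to client 203.0.113.7,
# wrapped by the GWLB with endpoint ID 0x11, attachment ID 0x22 and flow cookie 0xDEADBEEF.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                    bytes([10, 0, 1, 10]), bytes([203, 0, 113, 7]))
SAMPLE = build_geneve([
    GeneveOption(AWS_OPTION_CLASS, 1, False, (0x11).to_bytes(8, "big")),
    GeneveOption(AWS_OPTION_CLASS, 2, False, (0x22).to_bytes(8, "big")),
    GeneveOption(AWS_OPTION_CLASS, 3, False, (0xDEADBEEF).to_bytes(4, "big")),
], INNER)

if __name__ == "__main__":
    g = parse_geneve(SAMPLE)
    print(gwlb_metadata(g), inner_ipv4_addrs(g.payload), same_encapsulation(SAMPLE, SAMPLE))
```

The point for a practitioner: the firewall's security policy is evaluated on the inner packet (`inner_ipv4_addrs`), while the outer GENEVE options are what tie a packet to a flow and to the endpoint it came from; an appliance that rewrites or drops the outer header breaks the return path even though it "allowed" the traffic.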

For incoming (ingress) traffic, requests first reach the IGW in the Moodle VPC. An ingress route table with an edge association on the IGW contains a route for the application subnets' CIDR that points at the GWLB endpoint, so the traffic follows the same inspection path through the Security VPC and every inbound request is evaluated by the FortiGate firewall before it reaches Moodle's backend instances. The instances' replies leave through the same endpoint, so both directions of each connection are seen by the same appliance.

This setup is reinforced with NACLs and Security Groups that enforce least-privilege network access at the subnet and instance levels. Route tables are kept explicit and static: application subnets carry no route to the IGW, a NAT gateway or a peering connection, VGW route propagation is not enabled on them, and the only route for the application CIDR in the IGW's ingress table is the one to the GWLB endpoint, so every North-South flow crosses the inspection layer and nothing can bypass it. The FortiGate firewalls are configured with application control policies, IPS signatures, and URL filtering to detect and block Layer-7 threats such as SQL injection, cross-site scripting (XSS), and data exfiltration attempts. One caveat applies to any inline firewall: Layer-7 inspection of HTTPS sessions requires the appliance to decrypt TLS (with the site's certificate and private key, or behind a TLS-terminating proxy); without that it sees only encrypted payloads and signatures for SQL injection or XSS cannot match. All inspection logs are streamed to Amazon CloudWatch and optionally archived in Amazon S3 for compliance and auditing purposes.
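The routing invariants described in the egress, ingress and route-table paragraphs above can be checked mechanically. The following added example (written for this article, not Zero&One's or AUC's tooling) audits route tables in the shape returned by `aws ec2 describe-route-tables` and reports every way traffic could skip the GWLB endpoint: an application subnet with a route to something other than the endpoint, a propagated route that leaked into an application table, an endpoint subnet that does not forward to the IGW, or an IGW without an edge-associated ingress table. The subnet, endpoint and gateway IDs and both sets of route tables are constructed for the example and are not AUC's.

```python
"""Offline audit of VPC route tables for a GWLB inspection topology.

Input shape follows `aws ec2 describe-route-tables` (the RouteTables[*] objects).
All IDs and tables below are constructed sample data, not a real environment.
"""
import copy

APP_SUBNETS = {"subnet-app-a": "10.0.1.0/24"}   # private subnets hosting Moodle (hypothetical IDs)
GWLBE_SUBNETS = {"subnet-gwlbe-a"}               # subnet holding the GWLB endpoint
GWLBE_ID = "vpce-gwlbe-a"                        # the Gateway Load Balancer endpoint
IGW_ID = "igw-moodle"                            # the VPC's internet gateway

GOOD_TABLES = [
    {   # application subnet: the only non-local route is the default route to the GWLBe
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-gwlbe-a"},
        ],
    },
    {   # GWLB endpoint subnet: inspected traffic continues to the IGW
        "RouteTableId": "rtb-gwlbe",
        "Associations": [{"SubnetId": "subnet-gwlbe-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-moodle"},
        ],
    },
    {   # ingress table with an edge association on the IGW: app CIDR is steered to the GWLBe
        "RouteTableId": "rtb-ingress",
        "Associations": [{"GatewayId": "igw-moodle"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.0.1.0/24", "GatewayId": "vpce-gwlbe-a"},
        ],
    },
]

# Deliberately broken copy: default route skips the firewall, a propagated on-prem route
# leaked in, and the ingress table was never attached to the IGW.
BAD_TABLES = copy.deepcopy(GOOD_TABLES)
BAD_TABLES[0]["Routes"][1]["GatewayId"] = "igw-moodle"
BAD_TABLES[0]["Routes"].append({"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-onprem",
                                "Origin": "EnableVgwRoutePropagation"})
del BAD_TABLES[2]


def route_target(route):
    """Target ID of a route, whichever attribute the API used to express it."""
    for key in ("GatewayId", "VpcEndpointId", "NatGatewayId", "TransitGatewayId",
                "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
        if route.get(key):
            return route[key]
    return None


def target_of(table, cidr):
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") == cidr:
            return route_target(r)
    return None


def audit(tables, app_subnets, gwlbe_subnets, gwlbe_id, igw_id):
    """Return a list of findings; an empty list means every North-South path crosses the GWLBe."""
    findings, by_subnet, edge_tables = [], {}, []
    for t in tables:
        for a in t.get("Associations", []):
            if a.get("SubnetId"):
                by_subnet[a["SubnetId"]] = t
            elif a.get("GatewayId") == igw_id:       # edge association: applies to traffic entering via the IGW
                edge_tables.append(t)

    # Egress: application subnets may only leave through the GWLB endpoint.
    for subnet in app_subnets:
        t = by_subnet.get(subnet)
        if t is None:
            findings.append(f"{subnet}: no explicit route table association (main table applies)")
            continue
        for r in t["Routes"]:
            tgt = route_target(r)
            if tgt == "local":
                continue
            dest = r.get("DestinationCidrBlock") or r.get("DestinationPrefixListId", "?")
            if r.get("Origin") == "EnableVgwRoutePropagation":
                findings.append(f"{t['RouteTableId']}: propagated route {dest} -> {tgt} leaked into the application table")
            elif tgt != gwlbe_id:
                findings.append(f"{t['RouteTableId']}: route {dest} -> {tgt} lets {subnet} bypass inspection")

    # Return leg: the endpoint subnet must forward inspected traffic to the IGW.
    for subnet in gwlbe_subnets:
        t = by_subnet.get(subnet)
        tgt = target_of(t, "0.0.0.0/0") if t else None
        if tgt != igw_id:
            findings.append(f"{subnet}: default route is {tgt}, expected {igw_id}")

    # Ingress: the IGW needs an edge-associated table steering each application CIDR to the GWLBe.
    if not edge_tables:
        findings.append(f"{igw_id}: no edge-associated route table, inbound traffic reaches subnets uninspected")
    for t in edge_tables:
        for subnet, cidr in app_subnets.items():
            if target_of(t, cidr) != gwlbe_id:
                findings.append(f"{t['RouteTableId']}: ingress route for {cidr} ({subnet}) does not point at {gwlbe_id}")
    return findings


if __name__ == "__main__":
    for name, tables in (("good", GOOD_TABLES), ("bad", BAD_TABLES)):
        print(name, audit(tables, APP_SUBNETS, GWLBE_SUBNETS, GWLBE_ID, IGW_ID) or ["ok"])
```

Run against real output by loading the JSON from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` and passing `RouteTables` plus the real subnet, endpoint and IGW IDs; any finding is a path that lets traffic around the appliance. The check is deliberately zone-agnostic, so with one endpoint per Availability Zone it is run once per zone with that zone's subnet and endpoint IDs.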

The architecture also aligns with AWS best practices for multi-account security by isolating inspection and workload functions into separate VPCs and, optionally, separate AWS accounts. The GWLB design centralizes security enforcement with minimal operational overhead while preserving elasticity and fault tolerance through Auto Scaling, Elastic Load Balancing, and deployment across multiple Availability Zones. Because a GWLB endpoint is a zonal resource, each Availability Zone that hosts Moodle subnets gets its own endpoint and its own route tables, so a zone failure does not take the inspection path down with it.

Finally, the environment is designed for future extensibility, supporting the addition of AWS Network Firewall, AWS Transit Gateway, or east-west inspection between VPCs through additional GWLB endpoints, should AUC decide to expand its cloud footprint or deploy additional workloads in parallel VPCs.

Results & Benefits

The deployment of AUC's Moodle platform on AWS with deep network inspection has resulted in measurable security and operational improvements. With FortiGate firewalls integrated via Gateway Load Balancer, AUC now inspects 100% of ingress and egress traffic at Layer 7 without impacting system performance. The architecture supports over 10,000 concurrent connections, ensuring stable access during peak academic periods. Over 30 GB of security event logs are generated and stored monthly, providing full auditability and incident response readiness. Since implementation, the system has maintained 99.99% uptime and recorded zero security breaches. Automated threat detection and centralized control have reduced manual effort for the security team by over 40% and cut operational overhead by 30%.

Qualitatively, AUC has strengthened its security posture and gained real-time visibility into all traffic flows, aligning with internal compliance policies and global standards. The solution is scalable, governance-ready, and positions AUC for future cloud expansion, all while ensuring that student and institutional data remains protected.

Overall, AUC now operates with greater resilience, agility, and visibility, supported by a scalable AWS environment ready for future expansion.

About Zero&One

Zero&One is a leading AWS Premier Tier Consulting Partner in the MENA region with a vision to empower businesses of all scales on their cloud adoption journey. We specialize in AWS services across DevOps, application modernization, cloud migration and serverless computing. We currently operate from our offices in Lebanon, the UAE and Saudi Arabia, hold 100+ AWS certifications, and serve 50+ customers across the region.
