VPN Dependency Cut by 70% With a Zero-Trust Overlay Network for a Global SaaS Platform
A growth-stage technology company building a distributed workload management platform faced a security architecture that was expanding faster than it could be governed. With workloads spanning AWS, VMware, and Hyper-V, every new environment provisioned meant another VPN tunnel, another firewall rule, and another inbound path to defend. Each runtime required direct inbound administrative access, so the perimeter itself had become the platform's largest architectural risk. The platform needed to support workload deployment and lifecycle management without exposing management services to the public internet, and with plans to scale into regulated verticals it required zero-trust principles from day one. Applying its AI-First approach, Ksolves delivered a layered platform architecture that replaced VPN access with an identity-based zero-trust overlay fabric, immutable builds, and unified observability.
- Broad VPN-Based Network Access: Every environment required VPN tunnels for administrative access, which meant internet-facing VPN and management endpoints in each environment and an attack surface that grew with every new deployment across the hybrid infrastructure.
- No Service-Level Least-Privilege Enforcement: Access policies operated at the network level rather than the service level. Once inside the VPN, lateral movement across services was unrestricted - meaning a single compromised credential could traverse the entire internal network.
- Fragmented Image Provisioning Across Environments: Runtime appliance images were built manually for each target environment - AWS, VMware, and Hyper-V - leading to configuration drift, inconsistency, and environment-specific failures that slowed every deployment cycle.
- Uncontrolled Software Supply Chain: Container images, OS packages, and build dependencies were pulled ad hoc from public registries at runtime with no version pinning, audit trail, or promotion governance, creating reproducibility failures and unquantified security risk across every build.
- Manual Service Deployment With No GitOps Governance: Shared infrastructure services were provisioned through scripts and Ansible playbooks with no version-controlled desired-state management, making rollback difficult and deployment consistency impossible to enforce.
- Fragmented Observability Across Layers: Host-level and Kubernetes-level monitoring were disconnected, leaving blind spots in runtime health visibility and making incident correlation across appliance and platform layers structurally impossible.
Ksolves designed and implemented a layered platform architecture built around six engineering principles: eliminate public exposure, enforce identity-based access, standardise immutable builds, internalise the supply chain, govern deployments through GitOps, and centralise observability. Each principle directly addressed a specific operational pain point, and the solution was delivered as a cohesive platform rather than a collection of point fixes.
- OpenZiti Zero-Trust Overlay Fabric: Replaced all VPN-based access with an outbound-only overlay network in which runtime nodes dial out to the fabric and services are exposed through identity-based policies. No inbound ports on runtime hosts and no public management endpoints: each service is reachable only by the identities a service policy explicitly authorises, so administrative interfaces no longer listen on the internet at all (the fabric's own edge routers remain reachable, but accept only mutually authenticated connections from enrolled identities).
- Packer-Based Immutable Appliance Pipeline: Built a single-source image pipeline using Packer and QEMU that produces QCOW2, VMDK, OVA, VHDX, and AWS AMI outputs from one definition in under 18 minutes. Every environment receives the same hardened Bot Runner appliance - eliminating per-environment drift and cutting build time from hours to minutes.
- Harbor + Nexus Internalised Supply Chain: Centralised all container images, APT packages, base images, and promoted artifacts through Harbor and Nexus. Nothing is fetched ad hoc at runtime - every dependency is version-controlled, internally distributed, and fully auditable with provenance tracking and promotion governance.
- GitLab CI/CD + ArgoCD GitOps Governance: Migrated shared services to GitOps-managed workflows using ArgoCD with environment-specific overlays. Workload images follow digest-based immutable promotion across dev, test, and prod - the same artifact is promoted, never rebuilt, eliminating configuration variance between environments.
- Prometheus + Grafana + Loki Unified Observability: Deployed a converged monitoring stack covering both host-level and Kubernetes-level telemetry. Prometheus, Grafana, Loki, Alertmanager, Node Exporter, and cAdvisor provide end-to-end visibility across appliance and platform layers with unified dashboards, log correlation, and alerting.
- Keycloak + Traefik Authentication and Edge Routing: Deployed Keycloak and Traefik as the authentication and edge routing layer, providing SSO integration, TCP SNI passthrough, and cluster-owned routing - replacing legacy HAProxy patterns with a governed, identity-aware ingress model.
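The service-level least-privilege model described above rests on how overlay service policies select identities and services. The following is an added example, not code from Ksolves or from the OpenZiti project: a small Python model of OpenZiti-style service-policy matching (`#attr` role attributes, `@name` references, `#all`, AnyOf/AllOf semantics, Dial versus Bind) evaluated over a constructed fabric of identities and services. The identity names, service names, role attributes and policies are all assumptions for illustration; the equivalent real command shape is shown in the `ServicePolicy` docstring.

```python
"""Service-policy matching in the style of an OpenZiti overlay.

Added illustration, not Ksolves' or OpenZiti's code. It mirrors the role
semantics the controller applies to `ziti edge create service-policy`:
'#attr' selects every entity carrying that role attribute, '@name' selects
one named entity, '#all' selects everything, and the policy semantic is
AnyOf (match any listed role) or AllOf (match every listed role).
All identities, services and policies below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """An enrolled identity or a registered service with its role attributes."""
    name: str
    attrs: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    """Equivalent CLI: ziti edge create service-policy NAME Dial \\
           --identity-roles '#ops' --service-roles '#mgmt' --semantic AnyOf"""
    name: str
    type: str                 # "Dial": may connect; "Bind": may host the service
    identity_roles: tuple
    service_roles: tuple
    semantic: str = "AnyOf"


def role_matches(role: str, entity: Entity) -> bool:
    if role == "#all":
        return True
    if role.startswith("#"):
        return role[1:] in entity.attrs
    if role.startswith("@"):
        return role[1:] == entity.name
    raise ValueError(f"malformed role {role!r}: expected '#attr' or '@name'")


def selected(roles: tuple, entity: Entity, semantic: str) -> bool:
    """Empty role lists select nothing, so a policy never widens by accident."""
    if not roles:
        return False
    hits = [role_matches(r, entity) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)


def can_dial(identity: Entity, service: Entity, policies) -> bool:
    """True only if some Dial policy selects BOTH the identity and the service."""
    return any(
        p.type == "Dial"
        and selected(p.identity_roles, identity, p.semantic)
        and selected(p.service_roles, service, p.semantic)
        for p in policies
    )


def reachable(identity: Entity, services, policies) -> list:
    return sorted(s.name for s in services if can_dial(identity, s, policies))


# Constructed sample fabric: three runtime services, four identities.
SERVICES = [
    Entity("k8s-api-prod", frozenset({"mgmt", "prod"})),
    Entity("grafana", frozenset({"observability"})),
    Entity("harbor", frozenset({"registry"})),
]
IDENTITIES = {
    "ops-alice": Entity("ops-alice", frozenset({"ops", "prod"})),
    "ops-carol": Entity("ops-carol", frozenset({"ops"})),      # ops, not prod-cleared
    "dev-bob": Entity("dev-bob", frozenset({"dev"})),
    "ci-runner": Entity("ci-runner", frozenset({"ci"})),
}
POLICIES = [
    # Only operators who are also prod-cleared may reach prod management APIs.
    ServicePolicy("prod-mgmt", "Dial", ("#ops", "#prod"), ("#mgmt", "#prod"), "AllOf"),
    ServicePolicy("dashboards", "Dial", ("#ops", "#dev"), ("#observability",)),
    ServicePolicy("ci-pull", "Dial", ("#ci",), ("#registry",)),
    # Bind side: only the appliance hosting a service may offer it on the fabric.
    ServicePolicy("host-prod-api", "Bind", ("@appliance-prod-1",), ("@k8s-api-prod",)),
]


if __name__ == "__main__":
    # Unlike a VPN, where every identity on the network sees every service,
    # each identity sees exactly the services a Dial policy grants it.
    for name, ident in IDENTITIES.items():
        print(f"{name:10s} -> {reachable(ident, SERVICES, POLICIES)}")
```

The AllOf policy is the one to study: `ops-carol` carries `#ops` but not `#prod`, so she can still open dashboards yet cannot dial the production Kubernetes API, and no amount of network reachability changes that. Bind policies are evaluated separately, so a compromised client identity cannot start offering a management service to the fabric.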
Technology Stack
| Category | Technology |
|---|---|
| Zero-Trust Access | OpenZiti |
| Image Pipeline | Packer + QEMU |
| Artifact Registry | Harbor + Nexus |
| DevSecOps | GitLab CI/CD + ArgoCD |
| Observability | Prometheus + Grafana + Loki |
| Identity and Ingress | Keycloak + Traefik |
- VPN Dependency Reduced by 70%: The OpenZiti overlay fabric eliminated 70% of VPN connections across the runtime environments, with the remaining tunnels scheduled for phase-out. In the migrated environments, administrative access now operates entirely through outbound-only, identity-based service paths with no public exposure.
- Firewall Change Requests Down 60%: Identity-based service policies reduced firewall change requests by 60%, with routing handled entirely within the overlay fabric. New environments and services no longer require manual firewall rule updates or security review cycles for each deployment.
- Image Build Time Cut From Hours to 18 Minutes: Single Packer pipeline now produces all 5 output formats - QCOW2, VMDK, OVA, VHDX, and AMI - in under 18 minutes from one source definition. Manual per-environment assembly, taking 2-4 hours per variant, has been eliminated.
- 100% of Supply Chain Dependencies Internalised: Every build and runtime dependency now flows through Harbor and Nexus with full provenance tracking and promotion governance. Ad hoc public registry pulls have been eliminated, closing a significant reproducibility and security risk across all environments.
- Full-Stack Observability Achieved: Converged Prometheus, Grafana, and Loki stack provides unified dashboards, log correlation, and alerting across all runtime layers. Disconnected monitoring silos have been replaced with end-to-end visibility from host to Kubernetes across every appliance and platform component.
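The supply-chain outcome above, together with the Harbor + Nexus internalisation and digest-based promotion described in the solution, is the kind of property a CI gate can enforce mechanically. The following is an added example, not code from Ksolves, Harbor or Argo CD: a Python check that scans the `image:` lines of Kubernetes manifests, rejects any reference that is not served from an internal registry or not pinned by an immutable digest, and verifies that a dev-to-prod promotion reuses the same artifact rather than a rebuilt one. The registry hostname `harbor.internal.example`, the image names and the manifest are constructed for illustration.

```python
"""CI gate for an internalised supply chain with digest-based promotion.

Added illustration, not Ksolves', Harbor's or Argo CD's code. It scans the
`image:` lines of Kubernetes manifests and fails any reference that (a) is
not served from an internal registry or (b) is not pinned by an immutable
digest, and it checks that a promotion from dev to prod reuses the same
artifact. Registry hostnames and the manifest below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED_REGISTRIES = {"harbor.internal.example"}   # assumed internal Harbor host
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
_IMAGE_LINE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\s\"']+)", re.MULTILINE)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an OCI reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # Docker's rule: the first path component is a registry only if it looks
    # like a host (contains '.' or ':' or is 'localhost'); otherwise docker.io.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    name, sep, tag = path.rpartition(":")
    if not sep:
        name, tag = path, None
    return ImageRef(registry, name, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return the reasons an image reference must not ship, empty if clean."""
    img = parse_image(ref)
    reasons = []
    if img.registry not in ALLOWED_REGISTRIES:
        reasons.append(f"pulled from external registry {img.registry}")
    if img.digest is None:
        reasons.append(f"not pinned by digest (tag {img.tag or 'latest'!r} is mutable)")
    elif not _DIGEST_RE.match(img.digest):
        reasons.append(f"malformed digest {img.digest!r}")
    return reasons


def audit_manifest(text: str) -> Dict[str, List[str]]:
    """Map every failing image reference in a manifest to its reasons."""
    findings = {}
    for ref in _IMAGE_LINE_RE.findall(text):
        reasons = check_image(ref)
        if reasons:
            findings[ref] = reasons
    return findings


def same_artifact(dev_ref: str, prod_ref: str) -> bool:
    """Promotion is valid only if prod points at the very bytes dev tested."""
    dev, prod = parse_image(dev_ref), parse_image(prod_ref)
    return (dev.digest is not None and dev.digest == prod.digest
            and not check_image(prod_ref))


# Constructed sample data: one clean container, one public pull, one tag-only pull.
API_DIGEST = "sha256:" + "0123456789abcdef" * 4
MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: api
        image: harbor.internal.example/platform/api@{API_DIGEST}
      - name: sidecar
        image: nginx:latest
      - name: worker
        image: "harbor.internal.example/platform/worker:1.4.2"
"""

if __name__ == "__main__":
    for ref, reasons in audit_manifest(MANIFEST).items():
        print(f"BLOCK {ref}: {'; '.join(reasons)}")
    print("promotion ok:", same_artifact(
        f"harbor.internal.example/platform/api:dev@{API_DIGEST}",
        f"harbor.internal.example/platform/api:prod@{API_DIGEST}"))
```

Run as a pipeline step before `argocd app sync` (or as an admission check), the gate turns "nothing is fetched ad hoc" from a convention into a failing build: the `nginx:latest` sidecar is rejected on both counts, and the internally hosted worker is still rejected because a tag can be repointed after review while a digest cannot. `same_artifact` is the promotion invariant in code: prod may carry a different tag, but it must resolve to the digest that passed dev and test.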
A growth-stage SaaS platform plagued by VPN sprawl, manual firewall rules, and fragmented provisioning across AWS, VMware, and Hyper-V was transformed into a zero-trust, fully governed platform through Ksolves DevOps consulting services. OpenZiti cut VPN dependency by 70%, Packer reduced image build time from hours to 18 minutes across 5 output formats, and 100% of the supply chain was internalised through Harbor and Nexus. With GitOps governance enforced via ArgoCD and full-stack observability delivered through Prometheus, Grafana, and Loki, the platform now enforces identity-based least-privilege access at the service level, ready to scale into regulated verticals without expanding the attack surface.
Still Relying on VPNs and Manual Firewall Rules to Secure Your Distributed Infrastructure?