Fintech / Regulated Financial Services

Air-Gapped EKS Deployment for a Regulated Fintech Platform

SaaS deployment in AWS EKS in 4 weeks

Key Takeaways

Fully air-gapped AWS EKS cluster delivered in 4 weeks — zero internet egress from private subnets
10+ VPC interface endpoints provisioned — every AWS service call stays inside the AWS network
CI/CD pipeline with 0 public registry dependencies at any stage
Client's team independently deploying and onboarding new services from day 28

The Challenge

The client was building a SaaS for regulated financial services and had a hard requirement: private subnets with zero internet egress. Every container image, every AWS API call, every secret — all had to stay inside the VPC. Standard tooling, which assumes outbound internet access, doesn't work in this environment.

The platform — a Next.js dashboard, Python FastAPI backend, and mobile API — needed to run on Amazon EKS under these constraints:

  • No container images could pull from public registries — including third-party Kubernetes controllers
  • All AWS services (ECR, Secrets Manager, Bedrock, Transcribe, CloudWatch, STS) had to route through VPC endpoints
  • The CI/CD pipeline had to be rebuilt from scratch for VPC-internal operation
  • The data layer (PostgreSQL, DynamoDB, Redis) had to live in private subnets with no public endpoints
  • Client's team needed to operate and extend the infrastructure independently post-handoff

Prodinit delivered a production-grade, fully air-gapped EKS environment in four weeks. The infrastructure was solid from day one, and our team was independently deploying new services before the engagement even ended.
CTO
Financial Services AI SaaS Platform

How We Made It Happen

Prodinit built the entire platform over 4 weeks across five parallel workstreams — networking, compute, CI/CD, security, and AI services — with every component locked inside the VPC boundary from day one.

High-level architecture: air-gapped EKS with VPC endpoints, private ECR, and self-hosted CI/CD runner

Network & Compute

  • Multi-AZ VPC with 10+ VPC interface endpoints (ECR, Secrets Manager, Bedrock, Transcribe, STS, CloudWatch, ELB, SSM)
  • Private EKS cluster — control plane never exposed; managed node groups with cluster-autoscaler in private subnets
  • AWS Load Balancer Controller pre-mirrored to private ECR before cluster bootstrap

Data Layer

  • RDS PostgreSQL (pgvector, Multi-AZ) · DynamoDB · ElastiCache Redis — all on private subnets, no public endpoints
  • S3 + CloudFront CDN for media delivery via signed URLs

Air-Gapped CI/CD

  • Self-hosted GitHub Actions runner deployed inside the VPC — hosted runners can't reach a private EKS API endpoint
  • Every controller image pre-mirrored into private ECR; zero public registry dependencies at any stage
  • Deployments via kubectl + Helm through AWS Systems Manager Session Manager — zero open inbound ports

Security & AI Services

  • AWS WAF · Secrets Manager + External Secrets Operator · ACM TLS · CloudWatch Container Insights
  • Amazon Bedrock and Transcribe via VPC endpoints — IAM roles scoped to specific model ARNs
  • SQS + SNS for async job processing; Active Directory via SAML/OAuth mapped to EKS RBAC

By the Numbers

4 weeks — full production infrastructure from blank AWS account to live traffic

10+ VPC endpoints — zero AWS service calls leave the private network

0 public registry dependencies — entire CI/CD pipeline runs inside the VPC
Results

  • Air-gapped EKS cluster live in 4 weeks — from VPC provisioning to end-to-end CI/CD validation
  • Zero internet egress from private subnets confirmed across all platform components
  • All 5 data services operational at handoff: RDS PostgreSQL with pgvector, DynamoDB, ElastiCache Redis, S3, CloudFront CDN
  • AWS WAF, Secrets Manager with External Secrets Operator, TLS termination, and CloudWatch Insights all live on day 28
  • Client's team independently deploying and onboarding new services with full runbook documentation delivered

Frequently Asked Questions

Nodes pull images exclusively from private Amazon ECR repositories via a VPC interface endpoint — no internet path is involved. All images, including third-party controllers like cluster-autoscaler and the AWS Load Balancer Controller, must be mirrored into private ECR before the cluster bootstraps. Missing even one image will prevent the cluster from coming up.

The pipeline requires a self-hosted runner deployed inside the VPC (or an AWS CodePipeline agent with VPC access). Deployments execute via `kubectl` and Helm through AWS Systems Manager Session Manager — no inbound ports need to be opened on the bastion or nodes.

At minimum: ECR API, ECR Docker, Secrets Manager, Systems Manager, CloudWatch Logs, STS (required for IRSA), and ELB (required for the ALB controller). Add Bedrock and Transcribe if using AI services. S3 and DynamoDB use free gateway endpoints. Missing a single endpoint for a service your workloads call will cause runtime failures — not boot failures.

AWS Secrets Manager holds all credentials. The Kubernetes External Secrets Operator syncs them into Kubernetes Secret objects at pod startup. Credentials never appear in a manifest file or container image layer. Secrets Manager also supports automatic rotation — credentials stay fresh without redeployment.

With clear requirements and AWS account access from day one, a complete air-gapped deployment covering networking, compute, data layer, CI/CD, security controls, and AI service integrations takes approximately **4 weeks**. The most common delays are VPC endpoints discovered missing at runtime, and controller images that weren't pre-mirrored before cluster bootstrap.
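As an added example (not Prodinit's own tooling), the pre-flight check below scans rendered manifests for image references and flags any that would resolve to a public registry or to a private ECR repository that was never mirrored, catching the bootstrap failure described above before the cluster is created. The registry name, repository names and manifest lines are constructed sample values.

```python
import re
from typing import NamedTuple

# Constructed example values (not from the engagement): the private ECR registry
# and the repositories mirrored into it before cluster bootstrap.
PRIVATE_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
MIRRORED_REPOS = {"mirror/cluster-autoscaler", "mirror/aws-load-balancer-controller", "platform/api"}

# Constructed rendered manifests, as `helm template` or `kubectl kustomize` would emit them.
RENDERED_MANIFESTS = """
      - image: registry.k8s.io/autoscaling/cluster-autoscaler:v1.29.0
      - image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.1
      - image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/platform/api:1.0.0
      - image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/platform/worker@sha256:abc123
      - image: redis:7
"""

class ImageRef(NamedTuple):
    registry: str
    repository: str
    reference: str  # tag or digest

def parse_image_ref(ref: str) -> ImageRef:
    """Resolve a reference like a container runtime: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the pull goes to Docker Hub."""
    name, _, digest = ref.partition("@")
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = "docker.io", parts
    if registry == "docker.io" and len(path) == 1:
        path = ["library"] + path  # bare names such as 'redis' live under library/
    tag = ""
    if ":" in path[-1]:
        path[-1], tag = path[-1].rsplit(":", 1)
    return ImageRef(registry, "/".join(path), digest or tag or "latest")

IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"']+)""", re.MULTILINE)

def preflight(manifests: str, registry: str, mirrored: set) -> list:
    """One finding per image that would leave the private registry or was never mirrored."""
    findings = []
    for raw in IMAGE_LINE.findall(manifests):
        img = parse_image_ref(raw)
        if img.registry != registry:
            findings.append(f"PUBLIC PULL  {raw} -> {img.registry}/{img.repository}")
        elif img.repository not in mirrored:
            findings.append(f"NOT MIRRORED {raw} -> {img.repository} absent from ECR")
    return findings
```

Run `preflight(RENDERED_MANIFESTS, PRIVATE_REGISTRY, MIRRORED_REPOS)` against the sample to see three public pulls and one unmirrored repository; an empty list means every image resolves inside the VPC.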

Building in Fintech?

Prodinit is an AI engineering partner for startups and enterprises. We build production systems that hold up: cloud infrastructure, AI products, and data pipelines. No pitch, just an honest conversation.
