cms.teleglobals.com

Migrate VPS to AWS: How a SaaS Company Moved from Contabo to a Secure, Encrypted AWS Environment

Executive Summary 

A SaaS company running its platform on Contabo Cloud needed to migrate to AWS. The VPS hosting setup had served the company’s early stage, but it could not keep up with the security, availability, and operational demands that came with a growing customer base. The platform had no load balancing, no web application firewall, no encryption key management, and no centralized monitoring. 

Teleglobal planned and executed a complete VPS to AWS migration, building a production-grade environment from the ground up. The project covered VPC architecture with public and private subnets, EC2 workload migration, Application Load Balancing, AWS WAF, OpenVPN, AWS KMS encryption, Secrets Manager, S3 storage, and CloudWatch monitoring. This engagement is part of Teleglobal’s cloud migration and modernization services. 

Background 

The client is a SaaS company that had been running its production platform on Contabo Cloud, a VPS hosting provider. The setup included multiple servers handling different application modules across development, staging, and production. Data was stored on the servers and backed up manually. 

As the customer base grew, the cracks in the VPS setup became hard to ignore. There was no network isolation between public-facing and backend resources. Application secrets sat in plain configuration files. Servers were directly exposed to the internet with basic firewall rules. When something went wrong, the team found out from customers, not from their infrastructure. 

The company needed more than a server upgrade. It needed a proper AWS cloud foundation with network security, data encryption, load balancing, monitoring, and access controls built in from day one. 

The Challenge 

The company faced four problems that made the existing hosting setup unsuitable for production SaaS workloads. 

Outgrowing VPS Hosting 

The Contabo Cloud setup could not provide the high availability, load balancing, or network isolation that a production SaaS platform requires. There was no separation between environments, no managed database, and no structured approach to deployments. 

No Network Security Architecture 

There was no VPC, no subnet isolation, no NAT Gateway, and no WAF. All servers were exposed with basic firewall rules. Backend services sat on the same network as public-facing endpoints. There was no protection against common web exploits. 

Missing Data Encryption and Secrets Management 

Data at rest was not encrypted. Application secrets, database credentials, and API keys were stored in configuration files rather than in a service like AWS Secrets Manager. For a SaaS company handling customer data, this was a security and compliance risk that would only grow worse. 

Zero Operational Visibility 

There were no centralized logs, no dashboards, no alarms, and no metrics. The team had no CloudWatch equivalent, no way to track infrastructure health, and no proactive alerting. Problems surfaced through customer complaints. 

The Solution 

Teleglobal designed and deployed a complete secure AWS environment, migrating all workloads from Contabo Cloud. This project was delivered through Teleglobal’s AWS migration services. For a similar project involving a multi-region landing zone deployment, see Teleglobal’s VAVETEK AI case study. 

Secure VPC and Network Architecture 

A custom Amazon VPC was provisioned with public and private subnets, route tables, Internet Gateway, and NAT Gateway. This gave the company proper network isolation for the first time. Production and staging EC2 instances sit in private subnets, completely shielded from direct internet access. Only the load balancer and VPN endpoints occupy the public subnet. 

Security Groups and Network ACLs were configured with least-privilege rules, restricting traffic to only the ports and services each component actually needs. 

AWS Solution Architecture

EC2 Workload Migration from Contabo to AWS 

All application modules were migrated from Contabo Cloud servers to Amazon EC2 instances in private subnets. Production workloads run on M6i instances. Staging environments use T3a instances. Each instance was configured with IAM roles and security groups for restricted, controlled access. The migration used AWS Application Migration Service with encrypted data transfer. 

Application Load Balancer and AWS WAF 

An Application Load Balancer (ALB) distributes incoming traffic across EC2 instances in private subnets. AWS WAF was integrated with the ALB to filter malicious traffic and protect the application from common web exploits using both custom and managed rules. This is a standard part of Teleglobal’s cloud security approach for SaaS platforms. 

Secure Remote Access with OpenVPN 

An OpenVPN server was configured in the public subnet. Developers and administrators connect through VPN to reach private instances and internal services. No production workloads are exposed to the public internet. 

Data Encryption with AWS KMS and Secrets Manager 

AWS Key Management Service (AWS KMS) was implemented for encryption of data at rest across Amazon S3 and other AWS resources. AWS Secrets Manager replaced the previous approach of storing secrets in plain configuration files. All application secrets, credentials, API keys, and sensitive configuration data are now managed through Secrets Manager with proper access controls and rotation capabilities. 

Amazon S3 Storage with Encryption 

Three Amazon S3 buckets were configured with KMS encryption, IAM-based access controls, and lifecycle management policies: 

  • Application data storage for active platform content and user-generated data 
  • Backups with automated, encrypted retention policies 
  • Logs for centralized log storage and long-term retention 

CloudWatch Monitoring and Proactive Alerting 

Amazon CloudWatch was configured across all deployed services. The setup includes logs, metrics, alarms, and dashboards covering EC2 instances, ALB, WAF, and networking components. The team now gets proactive alerts when infrastructure metrics cross defined thresholds. For companies looking to go further with operational monitoring, Teleglobal offers cloud managed services that include ongoing monitoring and incident response. 

IAM Access Governance 

AWS IAM was configured with users, groups, roles, and policies following least-privilege principles. Fine-grained, role-based permissions control access to EC2, S3, and all other AWS services. This gives the company a clean access governance foundation that meets AWS security best practices. 

Migration & Security Flow

AWS Services Used 

Category AWS Services 
Compute Amazon EC2 (M6i production, T3a staging) 
Networking Amazon VPC, Public/Private Subnets, NAT Gateway, Internet Gateway, Route Tables, Security Groups, Network ACLs 
Load Balancing Application Load Balancer (ALB) 
Security AWS WAF, AWS IAM, OpenVPN 
Encryption & Secrets AWS KMS, AWS Secrets Manager 
Storage Amazon S3 (3 buckets: application data, backups, logs) 
Monitoring Amazon CloudWatch (logs, metrics, alarms, dashboards) 
Migration AWS Application Migration Service 

Results 

Area Before (Contabo Cloud) After (AWS) 
Hosting VPS hosting, servers directly exposed Production AWS environment with VPC, private subnets, and managed services 
Network Security No VPC, no subnet isolation, basic firewall Custom VPC with public/private subnets, NAT Gateway, Security Groups, NACLs 
Load Balancing No load balancer ALB distributing traffic across EC2 in private subnets 
Web Security No WAF, direct server exposure AWS WAF with custom and managed rules protecting ALB 
Remote Access Direct SSH to public servers OpenVPN for secure access to private subnets only 
Data Encryption No encryption, secrets in config files KMS encryption at rest, Secrets Manager for all credentials 
Storage Server-based storage, manual backups 3 encrypted S3 buckets with lifecycle policies 
Monitoring No monitoring or alerting CloudWatch dashboards, alarms, and proactive alerting 

What’s Next 

With the AWS foundation in place, the company can focus on building on top of it instead of worrying about infrastructure gaps. 

  • Implement Terraform-based Infrastructure as Code for repeatable, version-controlled deployments 
  • Add CI/CD pipelines to automate application delivery with security checks in the workflow 
  • Set up AWS Backup with automated policies and cross-account replication for disaster recovery 
  • Expand CloudWatch dashboards with custom application-level metrics 
  • Adopt AWS cost monitoring using Cost Explorer and Budgets 
  • Build operational runbooks and incident response procedures as the team scales 

About Teleglobal International 

Teleglobal is an IT consulting company that helps SaaS companies and startups migrate from VPS hosting to production-grade AWS environments. From cloud migration and modernization to AWS infrastructure setup and cloud security, Teleglobal builds cloud foundations that are secure, scalable, and ready to grow with your business. Explore more client success stories on the Teleglobal website.