
Executive Summary
A SaaS company running its platform on Contabo Cloud needed to migrate to AWS. The VPS hosting setup had served the company’s early stage, but it could not keep up with the security, availability, and operational demands that came with a growing customer base. The platform had no load balancing, no web application firewall, no encryption key management, and no centralized monitoring.
Teleglobal planned and executed a complete VPS to AWS migration, building a production-grade environment from the ground up. The project covered VPC architecture with public and private subnets, EC2 workload migration, Application Load Balancing, AWS WAF, OpenVPN, AWS KMS encryption, Secrets Manager, S3 storage, and CloudWatch monitoring. This engagement is part of Teleglobal’s cloud migration and modernization services.
Background
The client is a SaaS company that had been running its production platform on Contabo Cloud, a VPS hosting provider. The setup included multiple servers handling different application modules across development, staging, and production. Data was stored on the servers and backed up manually.
As the customer base grew, the cracks in the VPS setup became hard to ignore. There was no network isolation between public-facing and backend resources. Application secrets sat in plain configuration files. Servers were directly exposed to the internet with basic firewall rules. When something went wrong, the team found out from customers, not from their infrastructure.
The company needed more than a server upgrade. It needed a proper AWS cloud foundation with network security, data encryption, load balancing, monitoring, and access controls built in from day one.
The Challenge
The company faced four problems that made the existing hosting setup unsuitable for production SaaS workloads.
Outgrowing VPS Hosting
The Contabo Cloud setup could not provide the high availability, load balancing, or network isolation that a production SaaS platform requires. There was no separation between environments, no managed database, and no structured approach to deployments.
No Network Security Architecture
There was no VPC, no subnet isolation, no NAT Gateway, and no WAF. All servers were exposed with basic firewall rules. Backend services sat on the same network as public-facing endpoints. There was no protection against common web exploits.
Missing Data Encryption and Secrets Management
Data at rest was not encrypted. Application secrets, database credentials, and API keys were stored in configuration files rather than in a service like AWS Secrets Manager. For a SaaS company handling customer data, this was a security and compliance risk that would only grow worse.
Zero Operational Visibility
There were no centralized logs, no dashboards, no alarms, and no metrics. The team had no CloudWatch equivalent, no way to track infrastructure health, and no proactive alerting. Problems surfaced through customer complaints.
The Solution
Teleglobal designed and deployed a complete secure AWS environment, migrating all workloads from Contabo Cloud. This project was delivered through Teleglobal’s AWS migration services. For a similar project involving a multi-region landing zone deployment, see Teleglobal’s VAVETEK AI case study.
Secure VPC and Network Architecture
A custom Amazon VPC was provisioned with public and private subnets, route tables, Internet Gateway, and NAT Gateway. This gave the company proper network isolation for the first time. Production and staging EC2 instances sit in private subnets, completely shielded from direct internet access. Only the load balancer and VPN endpoints occupy the public subnet.
Security Groups and Network ACLs were configured with least-privilege rules, restricting traffic to only the ports and services each component actually needs.

EC2 Workload Migration from Contabo to AWS
All application modules were migrated from Contabo Cloud servers to Amazon EC2 instances in private subnets. Production workloads run on M6i instances. Staging environments use T3a instances. Each instance was configured with IAM roles and security groups for restricted, controlled access. The migration used AWS Application Migration Service with encrypted data transfer.
Application Load Balancer and AWS WAF
An Application Load Balancer (ALB) distributes incoming traffic across EC2 instances in private subnets. AWS WAF was integrated with the ALB to filter malicious traffic and protect the application from common web exploits using both custom and managed rules. This is a standard part of Teleglobal’s cloud security approach for SaaS platforms.
Secure Remote Access with OpenVPN
An OpenVPN server was configured in the public subnet. Developers and administrators connect through VPN to reach private instances and internal services. No production workloads are exposed to the public internet.
Data Encryption with AWS KMS and Secrets Manager
AWS Key Management Service (AWS KMS) was implemented for encryption of data at rest across Amazon S3 and other AWS resources. AWS Secrets Manager replaced the previous approach of storing secrets in plain configuration files. All application secrets, credentials, API keys, and sensitive configuration data are now managed through Secrets Manager with proper access controls and rotation capabilities.
Amazon S3 Storage with Encryption
Three Amazon S3 buckets were configured with KMS encryption, IAM-based access controls, and lifecycle management policies:
- Application data storage for active platform content and user-generated data
- Backups with automated, encrypted retention policies
- Logs for centralized log storage and long-term retention
CloudWatch Monitoring and Proactive Alerting
Amazon CloudWatch was configured across all deployed services. The setup includes logs, metrics, alarms, and dashboards covering EC2 instances, ALB, WAF, and networking components. The team now gets proactive alerts when infrastructure metrics cross defined thresholds. For companies looking to go further with operational monitoring, Teleglobal offers cloud managed services that include ongoing monitoring and incident response.
IAM Access Governance
AWS IAM was configured with users, groups, roles, and policies following least-privilege principles. Fine-grained, role-based permissions control access to EC2, S3, and all other AWS services. This gives the company a clean access governance foundation that meets AWS security best practices.

AWS Services Used
| Category | AWS Services |
|---|---|
| Compute | Amazon EC2 (M6i production, T3a staging) |
| Networking | Amazon VPC, Public/Private Subnets, NAT Gateway, Internet Gateway, Route Tables, Security Groups, Network ACLs |
| Load Balancing | Application Load Balancer (ALB) |
| Security | AWS WAF, AWS IAM, OpenVPN |
| Encryption & Secrets | AWS KMS, AWS Secrets Manager |
| Storage | Amazon S3 (3 buckets: application data, backups, logs) |
| Monitoring | Amazon CloudWatch (logs, metrics, alarms, dashboards) |
| Migration | AWS Application Migration Service |
Results
| Area | Before (Contabo Cloud) | After (AWS) |
|---|---|---|
| Hosting | VPS hosting, servers directly exposed | Production AWS environment with VPC, private subnets, and managed services |
| Network Security | No VPC, no subnet isolation, basic firewall | Custom VPC with public/private subnets, NAT Gateway, Security Groups, NACLs |
| Load Balancing | No load balancer | ALB distributing traffic across EC2 in private subnets |
| Web Security | No WAF, direct server exposure | AWS WAF with custom and managed rules protecting ALB |
| Remote Access | Direct SSH to public servers | OpenVPN for secure access to private subnets only |
| Data Encryption | No encryption, secrets in config files | KMS encryption at rest, Secrets Manager for all credentials |
| Storage | Server-based storage, manual backups | 3 encrypted S3 buckets with lifecycle policies |
| Monitoring | No monitoring or alerting | CloudWatch dashboards, alarms, and proactive alerting |
What’s Next
With the AWS foundation in place, the company can focus on building on top of it instead of worrying about infrastructure gaps.
- Implement Terraform-based Infrastructure as Code for repeatable, version-controlled deployments
- Add CI/CD pipelines to automate application delivery with security checks in the workflow
- Set up AWS Backup with automated policies and cross-account replication for disaster recovery
- Expand CloudWatch dashboards with custom application-level metrics
- Adopt AWS cost monitoring using Cost Explorer and Budgets
- Build operational runbooks and incident response procedures as the team scales
About Teleglobal International
Teleglobal is an IT consulting company that helps SaaS companies and startups migrate from VPS hosting to production-grade AWS environments. From cloud migration and modernization to AWS infrastructure setup and cloud security, Teleglobal builds cloud foundations that are secure, scalable, and ready to grow with your business. Explore more client success stories on the Teleglobal website.