Multi-Region AWS Infrastructure

Designed and implemented a multi-region AWS architecture for a fintech payment processor, achieving 99.99% SLA with automated failover.

The Challenge

A payment processor handling £500M+ in annual transactions needed to upgrade from a single-region AWS setup to a resilient multi-region architecture. Regulatory requirements also demanded PCI-DSS Level 1 compliance.

The existing infrastructure had been built quickly during a growth phase and had accumulated significant technical debt. A full rebuild was needed.

Architecture Decisions

Primary + Active-Standby regions rather than active-active for the database tier, to avoid distributed transaction complexity while still achieving the required RTO.

Aurora Global Database for the primary data store, with cross-region read replicas and sub-second replication lag.

CloudFront + WAF at the edge for DDoS protection and intelligent routing, with Lambda@Edge for request transformation.

EKS for the application tier, deployed identically in both regions using Helm charts managed through ArgoCD.

Infrastructure as Code

All infrastructure is defined in Terraform with a modular structure. The same modules deploy to both regions, with region-specific variables managing the differences. No manual changes are made to production AWS accounts.

modules/
├── networking/      # VPCs, subnets, peering
├── eks/            # EKS clusters, node groups
├── rds/            # Aurora Global Database
├── security/       # WAF, Security Groups, IAM
└── monitoring/     # CloudWatch, alarms, dashboards

Compliance

PCI-DSS Level 1 was achieved through:

  • Network segmentation with strict security group rules
  • Encryption at rest and in transit everywhere
  • CloudTrail and VPC Flow Logs for audit trails
  • GuardDuty and Security Hub for threat detection
  • Automated compliance scanning in the CI/CD pipeline
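
The following added example, which is not the project's pipeline code, shows one form the automated compliance scan could take: a Python check over `terraform show -json` plan output that fails the build on internet-open security group ingress or an Aurora cluster without explicit storage encryption. The plan data, the resource addresses and the choice of these two rules are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output
# (only the fields this check reads). Resource addresses are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.security.aws_security_group.app", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp",
      "cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": []},
     {"from_port": 22, "to_port": 22, "protocol": "tcp",
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
  {"address": "module.rds.aws_rds_cluster.primary", "type": "aws_rds_cluster",
   "change": {"actions": ["create"], "after": {"storage_encrypted": true}}},
  {"address": "module.rds.aws_rds_cluster.standby", "type": "aws_rds_cluster",
   "change": {"actions": ["update"], "after": {"storage_encrypted": null}}},
  {"address": "module.rds.aws_rds_cluster.old", "type": "aws_rds_cluster",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def scan_plan(plan):
    """Return sorted (address, finding) tuples for resources the plan creates or updates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being deleted; nothing to evaluate
            continue
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                if cidrs & OPEN_CIDRS:
                    ports = f"{rule['from_port']}-{rule['to_port']}"
                    findings.append((rc["address"], f"ingress {ports} open to the internet"))
        elif rc["type"] == "aws_rds_cluster":
            # Unset or null counts as a failure: encryption must be explicit.
            if after.get("storage_encrypted") is not True:
                findings.append((rc["address"], "storage_encrypted is not true"))
    return sorted(findings)


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for address, finding in results:
        print(f"FAIL {address}: {finding}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```

Standalone `aws_security_group_rule` resources and values only known at apply time are outside what this check reads.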

Technologies

AWS Terraform CDK EKS RDS Aurora CloudFront WAF

Outcomes

  • 99.99% availability SLA achieved over 12 months
  • RTO reduced from 4 hours to under 5 minutes
  • Infrastructure costs reduced 28% through right-sizing
  • PCI-DSS Level 1 compliance achieved
