AWS for Industries

Modernizing laboratory networks: How Bayer centralizes LIMS on AWS Cloud

This blog is guest authored by Kamil Poliszak, Lead Cloud Architect at Bayer AG, Pharmaceutical division.

Managing laboratory data across global pharmaceutical operations presents complex security and compliance challenges. Bayer AG tackled this by modernizing their Laboratory Information Management Systems (LIMS) with a secure, compliant Amazon Web Services (AWS) Cloud solution. This solution enables seamless data flow across research sites and AWS while maintaining strict regulatory compliance and enhanced security controls.

Introduction

“Health for all, Hunger for none” is the mission of Bayer AG. LIMS-supported lab operations are essential to that mission. LIMS not only manage samples, test results, and experimental data but also generate the immutable documentation required by stringent regulatory frameworks such as good manufacturing practices (GMPs). The Bayer LIMS solution on AWS accelerates research cycles by reducing operational overhead and integrating directly with upstream data and AI platforms.

We will present how Bayer modernized its LIMS by implementing a secure network architecture that connects Bayer's laboratory environments, spread across multiple sites and global regions, to AWS while maintaining compliance and security best practices. In the solution architecture, traffic is encrypted as it leaves the Lab Network and never traverses the public internet. Within AWS, additional security controls monitor, inspect, and manage network traffic, enabling a scalable and compliant LIMS deployment.

Background

Bayer operates in highly regulated environments where data integrity, security, and compliance are critical. To meet these demands, Bayer—like many in the pharmaceutical industry—relies on strict network segmentation between laboratory, manufacturing, and enterprise systems. This segmentation is guided by frameworks such as ISA-95 and the Purdue Model, which define layered architectures for isolating operational systems from broader IT networks.

While network segmentation helps reduce the risk of cyber threats and unauthorized access, it also introduces friction. Restrictive firewall policies governing inbound connections and outbound traffic introduce complexity in data flows between lab equipment, LIMS, and downstream data and AI platforms.

These challenges are not limited to R&D labs. In Bayer's manufacturing plants, segmentation is implemented to protect interactions between manufacturing execution systems (MES) and industrial control systems. However, maintaining strict boundaries can make it difficult to scale connectivity, introduce automation, or adopt cloud-based tools and services, which creates trade-offs between compliance, productivity, and innovation.

The decision to centralize the Bayer LIMS on AWS

At Bayer, labs used to operate their own LIMS instances with custom validation procedures, local access controls, and limited data integrations. This setup slowed collaboration and multiplied the operational effort for IT and quality teams.

To overcome these challenges, Bayer partnered with AWS to move towards a centralized LIMS platform built on cloud infrastructure. AWS provides the technical foundation to support this shift, offering a global footprint, strong security posture, and services designed to meet regulatory requirements. Services such as Amazon Simple Storage Service (Amazon S3), with features like Object Lock, support immutable data storage. AWS CloudTrail and AWS Config enable continuous audit logging capabilities critical for FDA 21 CFR Part 11 and Good Practices (GxP) compliance.

Equally important, AWS helps Bayer to standardize their LIMS deployments across regions using Infrastructure as Code (IaC) and automated pipelines. This reduces validation overhead and confirms consistency when systems are updated. With built-in encryption through AWS Key Management Service (AWS KMS), and fine-grained access control through AWS Identity and Access Management (IAM), Bayer enforces data security. This can be done while scaling globally and meeting data residency laws, such as the General Data Protection Regulation (GDPR).

Solution

The transition to a centralized, cloud-based LIMS model required Bayer to re-evaluate its network connectivity, segmentation, encryption, and security inspection requirements. When deploying LIMS in AWS, the Lab Network is no longer confined to the physical boundaries of the lab building. Instead, it expands to include system components running in virtual private clouds (VPCs) within designated AWS Regions.

Bayer and AWS teams partnered to build the solution design for centralized LIMS deployments on AWS. The joint team anticipated future use cases and created an extensible blueprint which includes the manufacturing domain as well. The core control objectives are aligned with the requirements of Bayer and AWS best practices, both suggesting a zoning model to separate and control network traffic.

The solution transformed the Bayer lab environments from a physically co-located network to a logically grouped set of resources that span both on-premises lab devices and cloud-based LIMS infrastructure.

Figure 1 illustrates the conceptual architecture designed to meet security requirements through the following principles:

  • Full segregation of Corporate Network segment, Lab Network segment, and Factory Network segment (manufacturing) communication domains
  • End-to-end encrypted communication between Lab, Factory Networks, and AWS
  • Enforcement of secure, restricted communication paths through inline firewalls

Network architecture diagram displaying three parallel domains - Corporate, Lab, and Factory Networks. Each domain is contained in a distinct colored box showing an on-premises network segment on the left connected to its dedicated AWS VPC and workloads on the right. AWS Direct Connect provides connectivity, with mandatory encrypted channels for Lab and Factory domains, while the Corporate domain shows optional encryption. Each VPC is protected by a firewall, and the entire system is organized in a layout emphasizing network separation.

Figure 1: Conceptual architecture—securely connecting networks to AWS

Connectivity foundation
AWS Direct Connect is the foundation of the cloud connectivity solution for Bayer. Direct Connect provides private, high-bandwidth connections between the Bayer Corporate Network and AWS. It extends the Bayer private network and IP addressing into their AWS environment.

The requirements of Bayer, and AWS best practices, mandate encryption for data in transit. While modern applications typically use Transport Layer Security (TLS), not all network communication in a LIMS supports TLS. In these cases, encryption must be implemented at a lower network layer to secure the communication.

“Many on-premises LIMS systems and lab equipment were designed in an era when data encryption in transit was not a default requirement. These systems may transmit sensitive scientific, clinical, or regulatory data over the network using plaintext protocols,” explains Kamil Poliszak, Lead Cloud Architect at Bayer AG, Pharmaceutical division. Poliszak leads the team driving the Bayer LIMS modernization program, which has successfully deployed AWS-based LIMS solutions serving hundreds of users across the pharmaceutical division of Bayer.

Encryption is required end-to-end, from the perimeter firewalls in the Lab and Factory Networks to AWS. This includes the Bayer internal network segments and Direct Connect connection.

The private IP VPN feature of AWS Site-to-Site VPN addresses this requirement. Bayer can deploy AWS Site-to-Site VPN connections over Direct Connect using private IP addresses (RFC 1918). With this feature, they encrypt traffic between their on-premises laboratory network segments and AWS through Direct Connect connections, without the need to go over the public internet. This enables enhanced security and network privacy, while benefiting from direct connectivity to AWS.

Network segmentation
Network segmentation enhances security and reliability by limiting communication to only essential interactions between systems. It reduces the risk of cyber threats spreading across segments, protects critical control systems from business network traffic, and streamlines compliance.

Bayer maintains this strict segmentation while extending their environment to AWS through AWS Site-to-Site Private IP VPN. The VPN connects from within each network segment directly to dedicated route tables on the AWS Transit Gateway. Only authorized VPCs, such as those hosting LIMS instances, are attached to these route tables.

These route tables function as isolated routing domains, allowing communication only where explicitly permitted. Additional security can be achieved through VPC Block Public Access (BPA), which keeps the VPCs private with no external connectivity other than the authorized VPN connections.

Through this solution, Bayer extends their network segments to AWS while maintaining complete isolation between segments, preventing unauthorized cross-segment communication.

Figure 2 depicts the high-level architecture and shows how each encrypted network communication domain remains distinct and independent.

Network architecture diagram showing three distinct communication domains: Corporate, Lab, and Factory Networks. Each domain is represented by a colored box spanning from on-premises networks on the left to AWS Cloud on the right. The Corporate domain uses AWS Direct Connect, while Lab and Factory domains use Site-to-Site Private IP VPNs. All domains connect through a central Transit Gateway in AWS, which contains separate route tables for each domain. Each domain has its own VPC in AWS, with Corporate hosting general workloads, Lab hosting LIMS, and Factory hosting MES. The diagram emphasizes segmentation and encrypted connectivity between on-premises and cloud environments.

Figure 2: High-level architecture

End-to-end encryption
Laboratory systems and devices generate sensitive data that must be protected when communicating with LIMS hosted in AWS. This includes sample IDs, test results, and calibration metrics, which are often from instruments that lack built-in encryption capabilities. It is critical that this data remains confidential and unaltered as it moves across network boundaries.

AWS Site-to-Site Private IP VPN provides the necessary encryption over Direct Connect, creating a secure pathway for laboratory data. This solution enables lab instruments to safely transmit data to LIMS while maintaining compliance requirements and supporting time-sensitive laboratory workflows.

As shown in Figure 2, each VPN tunnel originates from a firewall within the lab or factory network segment and connects to a dedicated route table on the Transit Gateway. This design encrypts data transmission across the entire path—from the local network, through Direct Connect, and into AWS.
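The two requirements stated in the connectivity and encryption sections above (tunnel endpoints on private IPs carried over Direct Connect, and each VPN terminating on a Transit Gateway route table) are the kind of thing a security team wants to verify continuously rather than once at design time. The following audit is an added example and not Bayer's or AWS's code. It assumes VPN connection records shaped like the EC2 DescribeVpnConnections response (field names such as `OutsideIpAddressType`, `TransportTransitGatewayAttachmentId` and `TunnelOptions` as in that API); the two sample records are constructed for the example, and the IPsec policy it enforces (IKEv2 only, AES-256 ciphers, SHA-2 integrity, DH group 14 or higher, nothing left to AWS defaults) is this example's own choice, not a policy stated in the post.

```python
"""Audit Site-to-Site VPN records against a 'private IP VPN over Direct Connect' policy.

Added example, not Bayer's or AWS's code. The records are constructed to look like
entries of ec2.describe_vpn_connections()["VpnConnections"]; a real audit would
fetch them with boto3 and run audit_all() over the result.
"""

MIN_DH_GROUP = 14                                   # example policy, not from the post
STRONG_ENCRYPTION = {"AES256", "AES256-GCM-16"}
STRONG_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}


def audit_vpn(conn):
    """Return finding codes for one VpnConnection record; [] means it meets the policy."""
    findings = []
    opts = conn.get("Options", {})
    if opts.get("OutsideIpAddressType") != "PrivateIpv4":
        findings.append("PUBLIC_ENDPOINTS")        # tunnel endpoints reachable from the internet
    if not opts.get("TransportTransitGatewayAttachmentId"):
        findings.append("NO_DX_TRANSPORT")         # not carried over a Direct Connect attachment
    if not conn.get("TransitGatewayId"):
        findings.append("NO_TGW")                  # no per-domain Transit Gateway route table
    for i, t in enumerate(opts.get("TunnelOptions", [])):
        ike = {v["Value"] for v in t.get("IkeVersions", [])}
        if ike != {"ikev2"}:
            findings.append(f"T{i}:IKE_NOT_PINNED_TO_V2")
        for phase in ("Phase1", "Phase2"):
            # An empty list means the AWS default, which accepts the full algorithm set,
            # so the tunnel must pin its algorithms explicitly to pass.
            enc = {v["Value"] for v in t.get(f"{phase}EncryptionAlgorithms", [])}
            if not enc or not enc <= STRONG_ENCRYPTION:
                findings.append(f"T{i}:{phase}_ENCRYPTION")
            dh = {v["Value"] for v in t.get(f"{phase}DHGroupNumbers", [])}
            if not dh or min(dh) < MIN_DH_GROUP:
                findings.append(f"T{i}:{phase}_DH_GROUP")
        # Phase 2 integrity is implied by AES-GCM, so only phase 1 integrity is checked here.
        integ = {v["Value"] for v in t.get("Phase1IntegrityAlgorithms", [])}
        if not integ or not integ <= STRONG_INTEGRITY:
            findings.append(f"T{i}:Phase1_INTEGRITY")
    return findings


def audit_all(conns):
    """Map VpnConnectionId -> findings for every record; only non-compliant ids are listed."""
    return {c["VpnConnectionId"]: f for c in conns if (f := audit_vpn(c))}


# Constructed sample records (ids and attachment ids are placeholders). Each real VPN has
# two tunnels; one tunnel per record is enough to show the checks.
SAMPLE_CONNECTIONS = [
    {   # Lab segment VPN as the post describes it: private IPs over DX, pinned IKEv2/AES-256-GCM
        "VpnConnectionId": "vpn-0lab000000000001",
        "TransitGatewayId": "tgw-0example0000001",
        "Options": {
            "OutsideIpAddressType": "PrivateIpv4",
            "TransportTransitGatewayAttachmentId": "tgw-attach-0dx00000001",
            "TunnelOptions": [{
                "IkeVersions": [{"Value": "ikev2"}],
                "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
                "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
                "Phase1DHGroupNumbers": [{"Value": 20}],
                "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
                "Phase2IntegrityAlgorithms": [],
                "Phase2DHGroupNumbers": [{"Value": 20}],
            }],
        },
    },
    {   # A legacy public-internet VPN that leaves most negotiation to the defaults
        "VpnConnectionId": "vpn-0legacy000000002",
        "TransitGatewayId": "tgw-0example0000001",
        "Options": {
            "OutsideIpAddressType": "PublicIpv4",
            "TunnelOptions": [{
                "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
                "Phase1EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256"}],
                "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
                "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
                "Phase2EncryptionAlgorithms": [],
                "Phase2IntegrityAlgorithms": [],
                "Phase2DHGroupNumbers": [],
            }],
        },
    },
]

if __name__ == "__main__":
    for vpn_id, findings in audit_all(SAMPLE_CONNECTIONS).items():
        print(vpn_id, findings)
```

Run against live data, the same function can be scheduled (for example from a Lambda function on a timer) and its findings forwarded to the team that owns the lab network firewalls; the point of coding the policy is that a VPN re-created with public endpoints or relaxed IPsec settings is caught before lab instruments send plaintext protocols over it.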

“Encrypting our traffic over AWS Direct Connect using an IPsec tunnel is a robust, secure way to meet our compliance requirements. It combines the reliability and speed of Direct Connect with the strong encryption guarantees of IPsec VPN, enabling Bayer to safely run sensitive workloads in the cloud. By combining the reliability of AWS Direct Connect with IPsec’s encryption capabilities, we can achieve both operational efficiency and regulatory compliance,” says Poliszak.

Network inspection
Bayer enforces strict security controls through firewalls at the edge of each lab and factory network segment. All traffic entering or leaving these segments must pass through these on-premises firewalls. Bayer extended the same security approach to their AWS environment.

“At Bayer, we implemented centralized network inspection using third-party firewall virtual appliances deployed behind a Gateway Load Balancer. This allows us to use the same firewall control plane for cloud-based and on-premises networks. We have end-to-end visibility into our network communication channels,” Poliszak says, with regards to the Bayer network inspection design.

This centralized approach complements the distributed firewalls across the various sites, while enabling comprehensive traffic inspection within AWS. Such control is essential where the LIMS systems of Bayer interact with other applications and services.

In the centralized inspection model, network firewalls are deployed within a dedicated inspection VPC. The Site-to-Site VPN attachment and the LIMS VPC attachment each require their own Transit Gateway route table to direct traffic through the inspection VPC. The route tables for the Lab Network VPN and the lab VPC direct incoming traffic to the inspection VPC. The inspection VPC then uses its own route table to manage return traffic. After inspection and policy verification, traffic is routed either back to the Lab Network through the VPN or to the lab VPC through its VPC attachment.

To streamline configuration and ongoing management, it is recommended to use route propagation instead of static routes wherever possible.

Network architecture diagram showing three communication domains with detailed traffic flows. The Corporate domain connects to AWS through Direct Connect Gateway and Transit Gateway to its VPC. Two encrypted domains - Lab and Factory - each connect through Site-to-Site Private IP VPNs to their respective VPCs and Inspection VPCs. Each domain uses separate Transit Gateway route tables for traffic isolation. Both Lab and Factory domains include Gateway Load Balancers for traffic inspection, with numbered steps showing forward traffic (solid red arrows) and return traffic (dashed red arrows) through the inspection VPCs. Route tables are displayed for each network segment, VPC, and inspection VPC, demonstrating the controlled traffic flow paths. LIMS workloads run in the Lab VPC while MES workloads operate in the Factory VPC. A detailed description follows in the blog body copy of the traffic flow.

Figure 3: High-level architecture with network inspection

Figure 3 shows the inspection architecture, as well as the traffic flows for both the Lab and Factory network segments. Following is a description of the inbound and outbound traffic flow:

  • Inbound traffic flow:

1. Network traffic from Lab and Factory network segments travels through the VPN tunnel to the Transit Gateway.
2. Traffic is routed from Transit Gateway through the inspection VPC.
3. After inspection, traffic returns to the Transit Gateway.
4. Traffic is then forwarded from Transit Gateway to the lab/factory VPC.

  • Return traffic flow:

5. Return traffic begins its journey from the lab/factory VPC to the Transit Gateway.
6. Traffic is routed from Transit Gateway through the inspection VPC.
7. After inspection, traffic goes back to the Transit Gateway.
8. Finally, return traffic travels through the VPN tunnel to the on-premises network.
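The segmentation section (one Transit Gateway route table per communication domain) and the eight-step flow above both come down to what each route table contains, which makes the design easy to model and to check. The following model is an added example, not Bayer's or AWS's code. Attachment ids, route table names and CIDRs (on-premises Lab 10.10.0.0/16, Lab VPC 10.20.0.0/16, on-premises Factory 10.30.0.0/16, Factory VPC 10.40.0.0/16, Corporate VPC 10.50.0.0/16 and Corporate on-premises 10.60.0.0/16) are constructed; a real check would populate the same structures from the Transit Gateway route table and association APIs. It goes slightly beyond the post by also flagging a route that would bypass a domain's firewall.

```python
"""Model of the Transit Gateway routing domains and inspection flow from Figures 2 and 3.

Added example, not Bayer's or AWS's code; all ids and CIDRs are constructed.
"""
import copy
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    att_id: str       # constructed; real ids look like tgw-attach-0123...
    domain: str       # "lab", "factory" or "corporate"
    kind: str         # "vpn", "vpc", "inspection" or "dx"
    route_table: str  # Transit Gateway route table this attachment is associated with


@dataclass
class RouteTable:
    name: str
    domain: str
    routes: list = field(default_factory=list)  # (destination CIDR, target attachment id)

    def lookup(self, dst_ip):
        """Longest-prefix match over the table's routes; None means no route (dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.routes:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]


ATTACHMENTS = {a.att_id: a for a in [
    Attachment("vpn-lab", "lab", "vpn", "rt-lab-vpn"),
    Attachment("vpc-lab", "lab", "vpc", "rt-lab-vpc"),
    Attachment("vpc-lab-insp", "lab", "inspection", "rt-lab-insp"),
    Attachment("vpn-factory", "factory", "vpn", "rt-factory-vpn"),
    Attachment("vpc-factory", "factory", "vpc", "rt-factory-vpc"),
    Attachment("vpc-factory-insp", "factory", "inspection", "rt-factory-insp"),
    Attachment("dx-corp", "corporate", "dx", "rt-corp"),
    Attachment("vpc-corp", "corporate", "vpc", "rt-corp"),
]}

ROUTE_TABLES = {t.name: t for t in [
    # Lab domain: VPN and VPC tables both point at the inspection VPC; the inspection
    # VPC's own table delivers inspected traffic to its final attachment.
    RouteTable("rt-lab-vpn", "lab", [("10.20.0.0/16", "vpc-lab-insp")]),
    RouteTable("rt-lab-vpc", "lab", [("10.10.0.0/16", "vpc-lab-insp")]),
    RouteTable("rt-lab-insp", "lab", [("10.20.0.0/16", "vpc-lab"), ("10.10.0.0/16", "vpn-lab")]),
    # Factory domain: same pattern with its own firewall, as the post recommends.
    RouteTable("rt-factory-vpn", "factory", [("10.40.0.0/16", "vpc-factory-insp")]),
    RouteTable("rt-factory-vpc", "factory", [("10.30.0.0/16", "vpc-factory-insp")]),
    RouteTable("rt-factory-insp", "factory", [("10.40.0.0/16", "vpc-factory"), ("10.30.0.0/16", "vpn-factory")]),
    # Corporate domain: inspection is out of scope in the post, so none is modelled.
    RouteTable("rt-corp", "corporate", [("10.50.0.0/16", "vpc-corp"), ("10.60.0.0/16", "dx-corp")]),
]}


def trace(ingress, dst_ip, tables=ROUTE_TABLES, attachments=ATTACHMENTS, max_hops=6):
    """Follow a packet that enters the Transit Gateway on attachment `ingress`.

    Returns the attachments it is delivered to, in order. Permitted traffic that
    reaches an inspection VPC is handed back to the Transit Gateway by the
    firewall, so the next lookup uses the inspection VPC's own route table.
    """
    path = []
    att = attachments[ingress]
    for _ in range(max_hops):
        target = tables[att.route_table].lookup(dst_ip)
        if target is None:
            return path + ["DROP"]       # no route in this routing domain
        path.append(target)
        att = attachments[target]
        if att.kind != "inspection":
            return path                  # delivered to a workload VPC or to on-premises
    return path + ["LOOP"]


def isolation_violations(tables=ROUTE_TABLES, attachments=ATTACHMENTS):
    """Static check: every route in a domain's tables must target that same domain."""
    return [(t.name, cidr, target) for t in tables.values()
            for cidr, target in t.routes
            if attachments[target].domain != t.domain]


def with_route(tables, table_name, cidr, target):
    """Return a copy of `tables` with one extra route (used to show a misconfiguration)."""
    new = copy.deepcopy(tables)
    new[table_name].routes.append((cidr, target))
    return new


if __name__ == "__main__":
    print("inbound :", trace("vpn-lab", "10.20.5.7"))   # steps 1-4: lab on-prem -> LIMS
    print("return  :", trace("vpc-lab", "10.10.1.2"))   # steps 5-8: LIMS -> lab on-prem
    print("cross   :", trace("vpn-lab", "10.40.1.1"))   # lab -> factory VPC is dropped
    leaky = with_route(ROUTE_TABLES, "rt-lab-vpn", "10.40.0.0/16", "vpc-factory")
    print("leak    :", isolation_violations(leaky))
```

The inbound trace returns the inspection VPC attachment followed by the lab VPC attachment, which is steps 1 to 4 of the flow; the return trace is steps 5 to 8. The added `isolation_violations` check is what the post's note about separate firewalls relies on: a single cross-domain route in a VPN table would deliver lab traffic straight to the factory VPC without passing either domain's inspection VPC, so it is worth asserting over the real tables whenever they change.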

Note that separate firewalls are recommended for the Lab and Factory Networks to maintain the independence of these two communication domains. While it is technically possible to use a single centralized firewall, doing so would require careful enforcement of segregation through firewall policies rather than complete network-level separation.

Lastly, while network inspection for corporate traffic is a recommended best practice, it is beyond the scope of this discussion. For implementation details, read Centralized network security for VPC-to-VPC and on-premises to VPC traffic.

Conclusions

For Bayer, LIMS serves as the critical backbone for scientific excellence, directly impacting business through accurate data management and accelerated research. By securely extending laboratory networks to AWS using AWS Site-to-Site VPNs, AWS Transit Gateway, and network inspection, Bayer maintains compliance and data integrity in their highly regulated environment.

This solution architecture enables safe interaction between lab equipment and cloud services while meeting stringent regulatory requirements. Centralizing LIMS on AWS has streamlined integration with analytics and AI platforms, reducing overhead and allowing resources to be redirected toward innovative use cases such as AI-assisted research analysis.

Contact an AWS Representative to learn how we can help accelerate your business.

Mehdi Dahane

Mehdi Dahane is a Senior Network Specialist Solutions Architect at AWS supporting global accounts advising on cloud architectures and developing solutions to deliver desired outcomes and optimize efficiency, operations and costs. He has 20+ years of cross-industry experience in a wide range of areas. When not working he can be found running or enjoying the outdoors with family and friends.

Kamil Poliszak

Kamil Poliszak is a Principal Solutions Architect at Bayer AG, where he focuses on designing and implementing scalable cloud solutions to support the company’s digital transformation initiatives. With expertise in cloud technologies, he helps drive innovation in cloud architecture while ensuring security, performance, and cost optimization across enterprise workloads.

Stefan Appel

Stefan Appel is a Senior Solutions Architect at AWS. For more than 10 years, he has supported enterprise customers in adopting cloud technologies. Before joining AWS, Stefan held positions in software architecture, product management, and IT operations. He began his career in research on event-based systems. In his spare time, he enjoys hiking and has walked the length of New Zealand following Te Araroa.