How Q2 is Transforming Digital Banking Through Large-Scale Migration to AWS
Background
Q2 is an independent software vendor (ISV) and a leading provider of digital banking and fraud solutions for banks and credit unions. Q2 completed a successful migration of online banking application stacks for over 450 of their financial institution clients to Amazon Web Services (AWS). This strategic move represents one of the most significant technological transformations in the company’s history. In this blog post, we will cover how Q2 planned this large migration in phases and achieved it with no disruption to their customers or business.
Challenge
Q2 faced increasing pressure to scale their infrastructure while maintaining the highest levels of security and performance. With over 22 million users generating more than $3.3 trillion in transactions, Q2’s existing on-premises infrastructure struggled to keep pace with rapid growth and evolving customer needs. They needed a solution to address their current scalability challenges and position them for future growth while reducing operational overhead. To address these challenges, Q2 embarked on a migration to AWS. Q2’s customers are accustomed to a 99.99% availability SLA, and this became an important success criterion as they migrated to AWS. To maintain this SLA, Q2 made architectural choices that adhered to this requirement. The size of this migration also required careful planning to assess the impact on customers while the cloud hosted digital banking solution was set up and operated for the first time.
Solution Overview
Q2 started by assessing their on-premises hardware inventory for applications and data dependencies. Q2 used AWS Optimization and Licensing Assessment (OLA), a complimentary program from AWS, to determine the optimal deployment options for their existing licensing investments. Next, Q2 outlined the target state cloud architecture. The assessment helped Q2 decompose the online banking platform and plan a parallel migration of independent modules. Q2 created a well-architected multi-account setup on AWS using AWS Control Tower and AWS Organizations. This provided a robust foundation for multi-account management and governance, enabling the creation of purpose-built accounts for migration. Migrated workloads landed in accounts with preventative and detective controls already configured. Q2 deployed the solution and SQL Server databases on Amazon EC2. Because Q2 had containerized many of the on-premises workloads, it created a cluster of EC2 instances to orchestrate application containers for online banking. Q2 used Nomad for container deployment and orchestration.
Q2 replicated applications running on virtual machines on-premises to EC2 compute instances using AWS Application Migration Service (MGN). MGN uses block-level replication to move the source servers to AWS and provides the status of the replication. MGN also facilitates the testing and cutover to the migrated instances. Q2 deployed their EC2 instances across 3 Availability Zones (AZs) in each region for high availability. Further, the SQL Server database is set up in an Always On availability group configuration across AZs as well. This has helped Q2 continue to achieve their desired level of availability on AWS. Q2’s online banking applications replicate data and run copies of applications in a second AWS region. This ensures business continuity even in the event of a potential regional disruption.
The high-level architecture for Q2’s online banking stack in AWS is shown in Figure 1. The architecture carefully organizes the sensitive workload resources in Amazon Virtual Private Cloud (VPCs) within private subnets. This avoids direct routes to the internet without the enforced inspection of inbound and outbound traffic. By using AWS Systems Manager Patch Manager and Systems Manager Maintenance Windows, Q2 remains compliant with the patching schedule for their compute instances. Automating patching in this manner has resulted in savings of several hours of operations time across their compute fleet.
Figure 1, Architecture for Q2’s Online Banking Platform on AWS
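The private-subnet property described above can be checked from route table data. The following is an added example, not Q2's or AWS's code: it uses the field names of the EC2 DescribeRouteTables response, while the IDs, the single-VPC sample, and the `WORKLOAD_SUBNETS` set are constructed assumptions. It only looks for direct internet gateway targets; it does not prove that a NAT or firewall path is inspected.

```python
# Constructed sample in the shape of an EC2 DescribeRouteTables response for one VPC.
# Every ID below is made up for illustration.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app-a", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "vpce-0fwexample", "State": "active"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db-b", "Main": False}],
     "Routes": [LOCAL,
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
                 "State": "blackhole"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-fw", "Associations": [{"SubnetId": "subnet-fw-a", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
]
# Assumption: the subnets that hold sensitive workloads are known (for example from tags).
WORKLOAD_SUBNETS = {"subnet-app-a", "subnet-db-b", "subnet-batch-c"}


def effective_table(subnet_id, tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def direct_internet_routes(workload_subnets, tables):
    """Return (subnet, route table, destination, target) for routes that bypass inspection."""
    findings = []
    for subnet in sorted(workload_subnets):
        table = effective_table(subnet, tables)
        for route in (table or {}).get("Routes", []):
            target = route.get("EgressOnlyInternetGatewayId") or route.get("GatewayId", "")
            if route.get("State") == "active" and target.startswith(("igw-", "eigw-")):
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                findings.append((subnet, table["RouteTableId"], dest, target))
    return findings


if __name__ == "__main__":
    for finding in direct_internet_routes(WORKLOAD_SUBNETS, ROUTE_TABLES):
        print("direct internet route:", *finding)
```

In the sample, `subnet-batch-c` has no explicit association and inherits the main table's internet gateway route, which is the case that is easiest to miss when reviewing subnets one by one.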
Implementation Details
Phase 1: Planning
Q2 assessed the existing hardware inventory in their data centers, applications and data dependencies, architecture and security, compliance and resiliency needs. Q2 adopted a phased approach that provided flexibility, scalability, and minimal disruption to service. The strategy began by decomposing the platform into smaller, manageable components, enabling parallel migrations of independent modules, starting in 2024.
Phase 2: Migration Execution
Q2 first partnered with smaller financial institutions in early waves to test the service quality in the cloud. They first migrated the single-tenant front-end services to AWS. The front-end services continued to interface with the backend services and databases hosted in the data centers. Q2 used this to establish their initial AWS environment and gain confidence operating in the cloud. This approach helped validate the technical framework and build internal confidence. They gradually migrated each financial institution’s siloed, single-tenant backend stacks to the cloud. In 2025, Q2 expanded both the complexity of workloads and the size of financial institutions involved. This deliberate, staggered scaling model accelerated cloud adoption and reduced risk through controlled, iterative progress. Q2 tracked AWS service quotas throughout the migration. They proactively requested quota increases when they approached account or regional quota limits. Q2 also tracked Amazon CloudWatch metrics and implemented alarms to monitor runtime usage and prevent performance or availability issues. This included tracking metrics for compute, storage, network and other parts of Q2’s architecture that could come under strain with increased load.
Phase 3: Optimization
Post-migration, Q2 is focused on optimizing their AWS architecture by leveraging additional AWS features and managed services to enhance performance and reduce costs. This includes implementing AWS Auto Scaling for compute resources, optimizing database configurations and exploring cloud-native databases. They are also implementing advanced Amazon CloudWatch features for enhanced monitoring and alerting. Q2 is evaluating Amazon Elastic Kubernetes Service (EKS) to further modernize containerized applications. They currently manage their own container orchestration, including the control plane and data plane. Adopting EKS will allow Q2 to focus on delivering business value by offloading more of the undifferentiated heavy lifting to AWS. Q2 will also incorporate serverless architectural patterns where appropriate, to reduce operational overhead and gain cost efficiencies.
Security and SOC 2 compliance
As a FinTech ISV servicing several financial institutions, Q2 certifies its software platform for SOC 2 Type 2 compliance. A SOC 2 Type 2 audit is typically a long and rigorous process. An auditor evaluates how well your systems and processes meet stringent security, availability, and confidentiality requirements. Auditors ask for detailed evidence such as proof of change tracking, backup processes, asset identification, disaster recovery strategies, monitoring capabilities, firewall configurations, and vulnerability management records. While these requirements are comprehensive, Q2 used various AWS Services to help support their SOC 2 Type 2 audit.
Security and compliance on AWS is a shared responsibility between AWS and the customer. AWS is responsible for security of the cloud, while the customer is responsible for security in the cloud. Understanding this, Q2 picked AWS services after carefully reviewing the functionality and configuration options for each. A key requirement in a SOC 2 Type 2 audit is demonstrating a complete audit trail of system changes. Q2 used AWS CloudTrail to maintain a detailed record of API calls, console sign-ins, and changes to their infrastructure. Q2 used AWS Backup to back up their EC2 instances and Amazon Elastic Block Store (EBS) volumes. The implementation included configuring retention settings, vault replication across regions, and compliance rules. By establishing a well-defined tag strategy, Q2 ensured that all resources are consistently labeled according to ownership, environment, and purpose. Firewalls and network controls are critical to SOC 2 compliance. AWS Network Firewall provides visibility into VPC east-west network traffic and inbound and outbound north-south network traffic, along with the control to block or allow traffic based on established criteria. Q2 built rulesets to control both ingress and egress traffic. AWS Config, AWS Systems Manager, and AWS Control Tower provide the ability to detect and document misconfigurations, patch compliance, and continuous improvement efforts. Leveraging AWS native capabilities, Q2 implemented encryption at rest across services, fortified their architecture with robust firewall protections, and enforced precise egress controls to tightly govern data flows. By embedding security and compliance into the foundation of the migration strategy, Q2 maintained its rigorous prior operational standards and elevated them for cloud-native operations on AWS.
Q2 leveraged AWS services and their own disciplined operational practices to support their compliance program. The transparency, reporting, and automation capabilities built into AWS simplified this audit process for Q2.
Benefits
The migration to AWS has delivered substantial improvements across Q2’s operations. Early results have shown a 22% decrease in downtime by implementing high-availability recommendations on AWS, such as multi-AZ deployments and ensuring redundancy for architectural components. Mean time to resolution (MTTR) has decreased by 30%, enabling faster identification and resolution of issues. Even Q2’s support team has seen a 24% reduction in customer cases, improving end user experience and responsiveness. The scalable AWS infrastructure has also positioned Q2 to better serve their growing global customer base with improved performance and reliability.
Additionally, as a FinTech company operating in a highly regulated industry, Q2 faced the critical challenge of migrating to the cloud without compromising on compliance, security, or change management protocols. Every step of the migration had to uphold the stringent standards required by financial institutions and regulators. Rather than being a constraint, this became an opportunity to enhance Q2’s overall security posture. This resulted in a cloud-native environment that was more resilient, auditable, and secure than ever before.
Looking Ahead
As Q2 continues to enhance their cloud-native posture, the focus is shifting to innovation and service enhancement. Q2 is starting to leverage AWS AI and machine learning capabilities to implement advanced fraud detection systems, enhance customer personalization, and develop new digital banking features. With managed services like Amazon Bedrock, Q2 can develop solutions for their AI use cases at a speed not possible before the migration. These initiatives will help Q2 maintain their position as a leader in digital banking solutions while delivering increased value to their customers.