Overview
Fintech company BharatPe operates in a strictly regulated industry, handling payments and other sensitive financial information for consumers and merchants. To better protect user data and maintain regulatory compliance, the company wanted to improve the security of its network architecture, serving mission-critical applications for merchants and consumers.
So, BharatPe used Amazon Web Services (AWS) to implement AWS Network Firewall, which businesses use to deploy advanced network firewall security across virtual private clouds (VPCs). Now, the company can better control its outbound traffic, achieve high availability, and keep user transactions secure under the AWS Shared Responsibility Model.
About BharatPe
BharatPe is a fintech company that specializes in digital payments, point-of-sale systems, and other financial services. It handles more than 16 million transactions a day from 10 million merchants.
Opportunity | Using AWS to secure outbound traffic for BharatPe
Founded in India in 2018, BharatPe specializes in digital payments, point-of-sale systems, and other financial services, primarily for small merchants and stores. The company handles more than 16 million transactions per day from 10 million active merchants.
BharatPe faced two primary challenges with its previous network infrastructure. First, the infrastructure didn’t have a network firewall. The company used security groups and network access control lists to protect outbound traffic, but these VPC features depend on static IP addresses. Many of BharatPe’s end users have devices with dynamic IP addresses, so it needed a firewall solution with domain-based traffic filtering.
Second, multiple agencies audit the company regularly, and it needed to enhance visibility into its network to maintain compliance. “In fintech, it’s crucial to track exactly what services or third-party endpoints you are connecting your network infrastructure to,” says Madhav Dubey, technology lead of DevOps for BharatPe. “It plays a major role in understanding how and where your data is being transferred.”
The company wanted to perform additional scans on outbound traffic and implement a network firewall that used domain-based approvals instead of IP addresses. After exploring third-party solutions, BharatPe found that using external firewalls might limit scalability and involve additional licensing costs and constant manual adjustments according to volume and evolving needs. Already using AWS services, the company realized that it would be much simpler and more efficient to use a native AWS solution.
BharatPe turned to the AWS accounts team to help implement AWS Network Firewall for outbound traffic targeting UPI—the company’s unified payment interface—and other third-party application providers. “The kind of support that the AWS team provides is really great,” says Dubey. “The team proactively looked at the solutions for the challenges we were facing and provided support at even the earliest stages.” BharatPe created a proof of concept in 7–10 days. “It went smoothly, and we got the results that we were looking for,” says Ravi Ranjan, senior engineering manager, DevOps, at BharatPe.
Solution | Enhancing security and reducing costs by 20 percent on AWS
BharatPe wanted to create a comprehensive solution for controlling outbound traffic. To do this, it implemented AWS Network Firewall alongside AWS Transit Gateway, which businesses use to get better visibility and control over VPCs.
The company uses a combined firewall model, with a centralized firewall architecture for consumers and a segmented one for merchants. As part of this implementation, BharatPe redesigned its network architecture so that each Availability Zone uses a separate NAT gateway. Creating this zone-independent architecture, instead of using a single NAT gateway to receive all traffic, helps enhance resiliency and network performance.
Using AWS Network Firewall, BharatPe has strengthened security for its AWS workloads by restricting outbound traffic to allowlisted domains. Because access control is domain based, even services with dynamic IP endpoints remain protected. In addition, the company has enhanced overall visibility into both inbound and outbound network traffic. “We have visibility into where we’re sending traffic and where we’re connecting our cloud infrastructure, which we didn’t have before,” says Ranjan. “It’s also simpler to gather this evidence and share it with the audit team.”
For even more detailed control, BharatPe implemented geographic IP filtering, which allows traffic only to certain countries, along with URL and content filtering. The company also added comprehensive logging to monitor outbound traffic in near real time. Now, if a security issue arises, BharatPe can look at detailed logs, validate which services traffic is going to, and do a thorough analysis.
After 1 year of using AWS Network Firewall, BharatPe reduced its network cost by 20 percent. Because it’s using a managed service on AWS, it doesn’t need to worry about software patches, updates, or maintenance. The company also achieved 99.99 percent availability, increasing its service reliability. “Since onboarding AWS Network Firewall, we’ve achieved near-zero downtime,” says Dubey.
Outcome | Improving operational efficiency and network visibility
Using AWS Network Firewall, BharatPe can comply with regulatory requirements, increase network security for consumers and merchants, and better protect traffic from its core applications. The company has also resolved all findings from auditors at one agency about network security for outbound traffic.
To further improve operational efficiency and visibility, BharatPe—with the help of AWS Enterprise Support, which provides optimized cloud services for enterprises—is exploring additional features of AWS Network Firewall. This includes using the monitoring dashboard and domain-level logging.
“By using AWS Network Firewall, we’ve made it nearly impossible for unauthorized connections to get data out of our infrastructure because our applications can connect only to the approved endpoints,” says Dubey.