Specialized Network & Security Services for AWS and Hybrid Environments
Architecture reviews, implementation, and incident escalation support for complex traffic flow, firewall, routing, SD-WAN, and multi-vendor connectivity challenges.
Independent advisory. Vendor names are used for technology reference only.
When the issue spans more than AWS, ownership gets complicated.
Modern production environments rarely live inside a single platform. They span multiple vendors, teams, and support contracts — and when something breaks across that boundary, no single party owns the full picture.
The pattern usually looks like this:
- AWS says the service is healthy
- Firewall vendor sees no obvious issue
- SD-WAN tunnel is up
- Routes appear correct
- Traffic is still failing
We help isolate the real failure point across the full network and security path — spanning AWS, on-premises, SD-WAN, firewalls, load balancers, and across vendor boundaries — so you can resolve the issue rather than pass it between support teams.
Three focused engagement types
Each engagement is scoped and confirmed manually. We do not offer generic retainers or open-ended advisory contracts.
Architecture & Design Review
Structured review of AWS, hybrid, and multi-vendor network and security architecture. We assess your current design against production requirements and provide actionable findings.
- Network & Security Architecture Review
- High Availability & Resilience Review
- Cost Optimization Review
- Vendor / Solution Selection Guidance
Pricing depends on scope, environment complexity, and available documentation.
Design & Implementation Services
Scoped design and implementation of network and security changes across AWS and hybrid environments. This is defined-scope work, not open-ended consulting.
- AWS network design & implementation
- TGW / Cloud WAN deployment
- Firewall insertion & routing design
- Palo Alto / FortiGate / AWS Network Firewall patterns
Pricing is determined after discovery based on scope, environment complexity, and timeline.
Incident Escalation Support
Live escalation support for complex production-impacting issues involving AWS plus firewalls, SD-WAN, load balancers, on-premises systems, or other vendors. Not for general AWS administration.
- Traffic not reaching destination
- Routing correct but traffic still dropping
- Firewall path and inspection issues
- Hybrid connectivity instability
Minimum 2-hour engagement. Confirmed manually in Phase 1.
Vendor names are used for technology reference only. CloudArc is independent.
Clear, scoped engagements
No open-ended retainers. Every engagement is reviewed and confirmed manually.
Priced based on environment complexity, scope, and documentation availability. Confirmed after initial review.
Design & Implementation: Custom scoped pricing. Engagements are scoped after discovery. Complexity and duration determine the total.
Incident Escalation: For complex production-impacting issues spanning multiple systems or vendors. Availability confirmed manually.
Phase 1 engagements are reviewed and confirmed manually. Architecture and implementation pricing is scoped after reviewing requirements and available documentation. Incident escalation availability is confirmed on request.
We are not a replacement for AWS Support — we handle what falls between teams.
AWS Support is the right tool for AWS service-level issues. CloudArc is useful when the problem crosses system boundaries.
- Service availability and health issues
- AWS console and API errors
- AWS-native service configuration questions
- AWS infrastructure faults on their side
AWS is only one part of the path
When traffic flows through a firewall, SD-WAN, or on-premises system before or after AWS, the problem space extends well beyond what AWS Support owns.
Ownership is fragmented across vendors
AWS Support owns AWS. Your firewall vendor owns their appliance. Your SD-WAN vendor owns the tunnel. No single party owns the full traffic path — we do.
The real problem is architecture, routing, or policy interaction
Misconfigured inspection VPCs, asymmetric routing through Transit Gateway, policy mismatches between firewall and security groups — these need end-to-end expertise.
The team needs cross-system traffic-flow analysis
We trace traffic from source to destination across every hop — VPC routes, TGW attachments, firewall policies, SD-WAN path selection, and BGP propagation.
Senior practitioners with experience across AWS, Cisco, Juniper, Palo Alto, Fortinet, F5, and enterprise hybrid networking environments.
Built on senior infrastructure experience
CloudArc Advisory is built on senior infrastructure experience across cloud, networking, Kubernetes, and hybrid connectivity environments involving AWS, Cisco, Juniper, Aviatrix, Palo Alto, Fortinet, and enterprise traffic-flow architectures.
Technology background
- CCIE: Cisco Certified Internetwork Expert
- AWS: AWS Certified
- CKA: Kubernetes Certified
Former AWS experience
Direct experience working within AWS, providing rare insight into how AWS services, networking, and support operate from the inside.
CCIE certified background
One of the industry's most demanding networking certifications — a foundation for deep routing, switching, and enterprise network architecture expertise.
AWS & Kubernetes certified
Formal certification across AWS architecture and Kubernetes, underpinning the EKS networking, CNI, and hybrid connectivity work we deliver.
Deep multi-domain expertise
AWS networking, hybrid connectivity, SD-WAN, BGP routing, EKS networking, and multi-vendor security architecture — across real enterprise environments.
The kinds of issues we resolve
These are representative scenario patterns — illustrative of the type of cross-system complexity we typically engage with. Not case studies.
TGW + Inspection VPC Routing Failure
AWS multi-account, Transit Gateway hub-and-spoke with centralized inspection VPC. Palo Alto VM-Series as the inspection appliance. Production workloads in two spoke VPCs.
Traffic between two spoke VPCs routed through TGW but packets dropped after inspection. TGW route tables, VPC routes, and security groups appeared correct. Palo Alto session logs showed traffic accepted. AWS did not flag any service issues.
Inspection VPC routing asymmetry: east–west traffic entered the firewall through one AZ but return traffic was routed through a different AZ with no existing session state. Palo Alto dropped return traffic due to missing session — but logged the drop only at the secondary AZ.
End-to-end path analysis correlating TGW route tables, VPC route tables, and per-AZ Palo Alto session logs. Identified the AZ routing asymmetry and ensured flow symmetry for return traffic using per-AZ static routes.
Production east–west traffic restored. Symmetric routing enforced across both AZs. Firewall session state now maintained correctly.
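The per-AZ log correlation described in this scenario, as an added example rather than CloudArc's or Palo Alto's tooling: the log lines are constructed in a simplified CSV shape (an assumption, not a vendor format), and the analyzer flags any flow whose request and reply were seen by firewalls in different AZs, counting the resulting no-session drops.

```python
"""Correlate per-AZ firewall session logs to find asymmetric east-west flows.

Added example, not CloudArc's or Palo Alto's tooling. The log shape is a
constructed, simplified CSV (assumption): az,action,reason,src,dst,sport,dport,proto
"""
from collections import defaultdict

# Constructed sample: the AZ-a firewall accepts the client SYN; the server's
# reply is routed to the AZ-b firewall, which has no session and drops it.
SAMPLE_LOGS = """\
use1-az1,allow,session-start,10.10.1.25,10.20.2.40,51234,443,tcp
use1-az2,drop,no-session,10.20.2.40,10.10.1.25,443,51234,tcp
use1-az1,allow,session-start,10.10.1.26,10.20.2.40,51235,443,tcp
use1-az1,allow,session-end,10.10.1.26,10.20.2.40,51235,443,tcp
use1-az2,allow,session-start,10.10.3.30,10.20.2.41,51240,443,tcp
"""

FIELDS = ("az", "action", "reason", "src", "dst", "sport", "dport", "proto")


def parse_logs(text):
    """Parse CSV lines into dicts; blank lines are skipped."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line.strip()]


def flow_key(rec):
    """Direction-independent 5-tuple so a reply matches its request."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["proto"], *ends)


def find_asymmetric_flows(records):
    """Flows whose packets were seen by firewalls in more than one AZ.
    Each finding reports the AZs involved and how many no-session drops."""
    by_flow = defaultdict(list)
    for rec in records:
        by_flow[flow_key(rec)].append(rec)
    findings = []
    for key, recs in by_flow.items():
        azs = sorted({r["az"] for r in recs})
        if len(azs) < 2:
            continue  # symmetric: a single firewall saw both directions
        drops = sum(1 for r in recs if r["action"] == "drop" and r["reason"] == "no-session")
        findings.append({"flow": key, "azs": azs, "no_session_drops": drops})
    return findings


if __name__ == "__main__":
    for finding in find_asymmetric_flows(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

A flow that appears in only one AZ is left alone even if it was dropped, since a single-AZ drop points at policy rather than routing asymmetry.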
Hybrid Connectivity Instability: The "Silent" PMTUD Failure
AWS Direct Connect (10 Gbps) with a Virtual Private Gateway (VGW) termination. SD-WAN overlay established between AWS and the corporate data center. A FortiGate firewall sits inline at the on-premises edge. The control plane and route exchange across the SD-WAN fabric remain stable throughout the instability.
Hybrid connectivity experiences periodic stalls every 45–75 minutes. While the fabric remains healthy, only specific high-throughput TCP-based workloads are impacted — lightweight TCP traffic and UDP traffic remain unaffected. Issues manifest as intermittent stalls that resolve after 3–4 minutes.
Tunnel-Induced MTU Mismatch: The path has an effective MTU below 1500 bytes due to SD-WAN/IPsec encapsulation overhead. Lightweight TCP flows (using smaller segments naturally) pass through without issue. Heavyweight TCP workloads attempting full 1500-byte segments are silently dropped by FortiGate, which is blocking ICMP "Fragmentation Needed" signals. These dropped packets cause TCP window stalls in high-bandwidth sessions until the application times out and retries.
Diagnostic: correlated the stalls exclusively with high-throughput traffic by analyzing VPC Flow Logs and session-state timing. Immediate mitigation: applied TCP MSS clamping (1380 bytes) on the SD-WAN edge and FortiGate to force compatible segment-size negotiation. Long-term correction: adjusted MTU on all tunnel virtual interfaces to 1400 bytes and updated firewall policy to permit ICMP Type 3, Code 4, restoring end-to-end Path MTU Discovery.
Stable hybrid connectivity achieved. Application-layer stalls eliminated. TCP sessions now negotiate frame sizes that bypass fragmentation bottlenecks, removing dependency on application-level timeouts for recovery.
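The failure mode in this scenario modelled in code, as an added example that is not the page's or any vendor's implementation: a tunnel whose effective MTU is below 1500 bytes, a sender using full-size segments with DF set, and a firewall that either blocks or permits ICMP Type 3 Code 4. The byte counts (1500-byte underlay, an assumed 100 bytes of encapsulation overhead, 40 bytes of IPv4+TCP headers) are constructed, so the resulting MSS values are illustrative rather than the page's figures.

```python
"""PMTUD black hole on a tunnelled path, and why MSS clamping sidesteps it.

Added example, not the page's or any vendor's code. Sizes are constructed:
a 1500-byte underlay minus an assumed 100 bytes of SD-WAN/IPsec overhead
gives a 1400-byte tunnel MTU; IPv4+TCP headers without options are 40 bytes.
"""
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 + 20-byte TCP, no options


def effective_mtu(underlay_mtu, encap_overhead):
    """Largest inner packet the tunnel carries without fragmentation."""
    return underlay_mtu - encap_overhead


def max_mss(path_mtu):
    """Largest TCP payload that still fits one packet on this path."""
    return path_mtu - IPV4_TCP_HEADERS


def send_segment(payload, path_mtu, icmp_frag_needed_allowed):
    """Outcome of one DF-set segment: 'delivered'; 'pmtud' (dropped, but the
    sender gets ICMP Type 3 Code 4 carrying the next-hop MTU); or 'blackhole'
    (dropped silently because the firewall blocks that ICMP)."""
    if payload + IPV4_TCP_HEADERS <= path_mtu:
        return "delivered", None
    if icmp_frag_needed_allowed:
        return "pmtud", path_mtu
    return "blackhole", None


def run_session(mss, path_mtu, icmp_allowed, payload_bytes, max_retries=3):
    """Push payload_bytes through the path. A black-holed segment is retried
    max_retries times (the stall) before the session is declared stuck."""
    sent, remaining, retries = 0, payload_bytes, 0
    while remaining > 0:
        chunk = min(mss, remaining)
        outcome, learned_mtu = send_segment(chunk, path_mtu, icmp_allowed)
        sent += 1
        if outcome == "delivered":
            remaining -= chunk
        elif outcome == "pmtud":
            mss = max_mss(learned_mtu)  # sender shrinks its segments
        else:
            retries += 1
            if retries > max_retries:
                return {"sent": sent, "stalled": True, "mss": mss}
    return {"sent": sent, "stalled": False, "mss": mss}


if __name__ == "__main__":
    tunnel = effective_mtu(1500, 100)
    print("small request, ICMP blocked:", run_session(1460, tunnel, False, 500))
    print("bulk, unclamped, ICMP blocked:", run_session(1460, tunnel, False, 100_000))
    print("bulk, clamped, ICMP blocked:", run_session(max_mss(tunnel), tunnel, False, 100_000))
    print("bulk, unclamped, ICMP permitted:", run_session(1460, tunnel, True, 100_000))
```

The four runs reproduce the scenario's symptom pattern: the small transfer succeeds regardless, the bulk transfer stalls only while ICMP is blocked and the MSS is unclamped, and permitting Fragmentation Needed lets the sender recover on its own.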
How an engagement works
A straightforward four-step process from initial request to active engagement.
Choose the engagement type
Identify whether you need an architecture review, scoped implementation work, or live incident escalation support.
Submit your context
Complete the request form for your chosen engagement. Include environment details, technologies, and what you need addressed.
We validate scope and availability
We review your submission, assess fit, and confirm scope and timing. Architecture and implementation engagements are priced after this step.
Engagement begins
Receive your architecture review findings, implementation scope and delivery, or live incident escalation engagement.
Architecture and implementation pricing is scoped after reviewing requirements and documentation. Incident escalation availability is confirmed manually in Phase 1. We typically respond to all requests within one UAE business day.
Start a conversation
Tell us about your environment and what you need. We'll respond with the right engagement path within one business day.
UAE business hours
Monday to Friday
We typically respond within one business day.
Send a quick inquiry with a description of your environment and issue. We'll guide you to the right engagement path before anything is scoped or priced.