Complete Vendor Journey Map
Vendor traffic is cleaned by Cloudflare WAF and routed to our dedicated VM.
Keycloak verifies identity and 2FA against our local PostgreSQL database.
Backend processes UI logic. Documents save to MinIO, data saves to Postgres.
App data is instantly encrypted by the Edge Firewall to prepare for transport.
Data arrives securely inside the Client's internal CPI Middleware via VPN.
Replacing AWS Cognito with Local Enterprise Security
[Diagram: Web Browser -> Nginx Entry -> Identity Provider -> Auth DB Data]
Replacing AWS RDS and S3 to eliminate recurring fees
[Diagram: Uploads PDF -> Validates Token -> Node.js Engine -> Object Storage / Relational Data]
Bridging the gap between our Proxmox Server and your Enterprise Network
[Diagram: Generates PO -> Edge Gateway -> Accepts Tunnel -> Middleware]
Moving from public cloud to a secure, private Proxmox infrastructure provides unparalleled control and cost savings.
By bringing this architecture in-house, we instantly eliminate over $3,000/month in recurring AWS hosting, NAT Gateway, and Database fees.
We replace public endpoints with strict, open-source enterprise tools: Cloudflare, Keycloak, and Kong API Gateway.
Securing vendor access without relying on AWS Cognito.
Keycloak is an industry-standard Open Source Identity Provider. It natively handles Vendor logins, password resets, and Two-Factor Authentication (2FA).
Upon login, the system issues a signed JSON Web Token (JWT). Every subsequent request the vendor makes carries this token, and its signature, issuer, and expiry are cryptographically verified before the request is served.
Managing high-volume files and data rows locally to avoid AWS S3/RDS bloat.
Before any file touches our server, Kong intercepts the request. If the user's token is missing, invalid, or expired, the request is rejected at the gateway and never reaches the backend.
Instead of paying Amazon for S3 storage, we use MinIO. It provides the exact same API as S3, but saves vendor Invoices and PDFs securely on our local hard drives.
The ultimate benefit of On-Premise hosting: Direct Firewall bridging.
Because our firewall handles the IPsec tunnel encryption, our Backend App literally does not know the internet exists. It simply sends data to your internal SAP IP address.
The Site-to-Site VPN ensures that proprietary Purchase Orders and Vendor Banking information are encrypted while traveling between our two buildings.