Finance & Trading Technology
Built for Scale
Redesigning a cloud environment for a quantitative trading firm — from inherited complexity to infrastructure as code

At a Glance
- Client: Duality Group, a quantitative trading firm operating in an environment where infrastructure reliability is a business-critical concern, not a quality-of-life one.
- Problem: An AWS environment inherited from a previous managed service provider whose contract was structured as a percentage of Duality's cloud spend, a billing model that made complexity profitable and left behind an overbuilt, poorly rationalized, and expensive environment.
- Services: AWS architecture · multi-account design · Terraform infrastructure as code · network design · FortiGate virtual firewall deployment · encrypted VPN connectivity · security monitoring and observability
- Platforms: AWS (VPC, Transit Gateway, Fargate, Route 53, VPC Endpoints) · Terraform · Fortinet FortiGate (virtual) · Terraform Cloud
- Outcome: A fully code-defined, multi-account AWS environment that is reproducible from scratch, costs less than what it replaced, and is significantly more capable.
The Challenge
An environment built for someone else's incentives
Duality Group is a quantitative trading firm operating in a space where infrastructure reliability is not a quality-of-life concern — it is a business-critical one. Latency matters. Uptime matters. The integrity of data connections to market data providers and downstream execution partners matters in ways that are immediate and financial.
The environment they inherited had been built by another managed service provider — one whose contract was structured as a percentage of Duality's AWS spend. That billing model created a perverse incentive: complexity wasn't a problem to be solved, it was a revenue mechanism. The result was an overbuilt, poorly rationalized environment that was expensive, fragile, and difficult to reason about.
The goal wasn't to patch it. It was to replace it entirely — with an environment designed from first principles, built entirely in code, and capable of scaling with the demands of a growing trading operation.
Architecture
Multi-account, multi-environment from the ground up
The new environment is organized across discrete AWS accounts, one each for infrastructure, development, UAT, and production, each isolated, consistently structured, and managed entirely in Terraform. Every subnet, routing rule, firewall policy, and access control is version-controlled and reproducible. Because the code is the source of truth, configuration drift does not accumulate unnoticed: a change made outside Terraform shows up as a diff on the next plan and is reverted by the next apply.
A Transit Gateway in the infrastructure account serves as the backbone, with all inter-environment routing flowing through a single, centrally managed hub. Shared services — DNS resolution, firewall, identity — live in the infrastructure account and are consumed by all other environments through controlled, auditable paths.
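As an added illustration of the hub-and-spoke routing described above (example code written for this page, not the engagement's own Terraform), the following HCL creates the Transit Gateway in the infrastructure account, shares it with a spoke account through AWS RAM, attaches the production VPC, and splits routing into a spoke table whose only route leads to the firewall VPC and a firewall table that learns the spokes by propagation. The provider aliases aws.infra and aws.prod, the variables, and the resource names are assumptions.

```hcl
# Added example (not Duality's or the engagement's own Terraform). Assumes two
# provider aliases, aws.infra (hub account) and aws.prod (one spoke), and that
# the spoke VPC and the firewall VPC's TGW attachment already exist; the
# variables below are hypothetical inputs.

variable "prod_account_id" { type = string }
variable "prod_vpc_id" { type = string }
variable "prod_tgw_subnet_ids" { type = list(string) } # one small subnet per AZ for the TGW ENIs
variable "firewall_attachment_id" { type = string }     # TGW attachment of the FortiGate VPC

# Hub: default association/propagation disabled, so every attachment is placed
# in a route table deliberately and nothing can reach anything by accident.
resource "aws_ec2_transit_gateway" "hub" {
  provider                        = aws.infra
  description                     = "central routing hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  auto_accept_shared_attachments  = "enable" # spoke accounts attach without a manual accept step
  tags                            = { Name = "hub-tgw" }
}

# Cross-account attachment requires the TGW to be shared through RAM.
resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.infra
  name                      = "hub-tgw"
  allow_external_principals = false # only principals inside the Organization
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.infra
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "prod" {
  provider           = aws.infra
  principal          = var.prod_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Spoke side: the production VPC attaches to the shared hub.
resource "aws_ec2_transit_gateway_vpc_attachment" "prod" {
  provider           = aws.prod
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.prod_vpc_id
  subnet_ids         = var.prod_tgw_subnet_ids
  depends_on         = [aws_ram_principal_association.prod]
}

# Spoke route table: a single default route pointing at the firewall VPC.
# Spokes therefore cannot reach each other except through the FortiGates.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  provider           = aws.infra
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "spokes" }
}

resource "aws_ec2_transit_gateway_route_table_association" "prod" {
  provider                       = aws.infra
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route" "spokes_default" {
  provider                       = aws.infra
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = var.firewall_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# Firewall route table: learns every spoke's CIDR by propagation, so inspected
# traffic can be returned to whichever spoke it belongs to.
resource "aws_ec2_transit_gateway_route_table" "firewall" {
  provider           = aws.infra
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "firewall" }
}

resource "aws_ec2_transit_gateway_route_table_association" "firewall" {
  provider                       = aws.infra
  transit_gateway_attachment_id  = var.firewall_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.firewall.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "prod_to_firewall" {
  provider                       = aws.infra
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.firewall.id
}
```

The spoke VPC's own route tables still need a 0.0.0.0/0 route toward its attachment, and the firewall VPC's attachment must exist before its ID is supplied. With default association and propagation disabled, an attachment that has not been placed in a table can reach nothing, which is the safe failure mode: a new environment is silent until someone writes its routing down in code.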
Network Design
Subnets purpose-built for containerized workloads
Each environment is subdivided into distinct subnet tiers: public-facing, application, data, and a dedicated container tier for Fargate workloads. The container subnets are intentionally oversized — providing thousands of available addresses per availability zone — because Duality's trading workloads need room to scale horizontally without re-addressing infrastructure.
The data tier, where databases live, is kept fully isolated with its own routing and access controls. Nothing reaches it that isn't explicitly permitted. AWS service traffic is routed through private VPC endpoints, keeping it off the public internet entirely.
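To make the tiering concrete, here is an added example (written for this page, not Duality's code) of one environment's VPC in Terraform: four tiers per availability zone sized with cidrsubnet, isolated route tables for the data and container tiers, a gateway endpoint for S3, and interface endpoints for the services a Fargate task calls at start-up. The /16, the tier sizes, the region, and the endpoint list are illustrative choices.

```hcl
# Added example (not the engagement's own code). Assumes one /16 VPC in two
# AZs; CIDRs, tier sizes, names and the endpoint list are illustrative.

locals {
  region   = "us-east-1"
  vpc_cidr = "10.20.0.0/16"
  azs      = ["${local.region}a", "${local.region}b"]

  # Per-AZ tiers as (newbits, starting netnum) for cidrsubnet(). The three
  # /24 tiers occupy 10.20.0-17.x; the container tier gets a /20 per AZ
  # (10.20.32.0/20 and 10.20.48.0/20, 4,091 usable addresses each after the
  # five AWS reserves) because every Fargate task consumes an address.
  tiers = {
    public    = { newbits = 8, base = 0 }
    app       = { newbits = 8, base = 8 }
    data      = { newbits = 8, base = 16 }
    container = { newbits = 4, base = 2 }
  }

  subnets = merge([
    for tier, cfg in local.tiers : {
      for i, az in local.azs :
      "${tier}-${az}" => { tier = tier, az = az, cidr = cidrsubnet(local.vpc_cidr, cfg.newbits, cfg.base + i) }
    }
  ]...)
}

resource "aws_vpc" "this" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # needed for interface endpoints' private DNS names
}

resource "aws_subnet" "this" {
  for_each          = local.subnets
  vpc_id            = aws_vpc.this.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  tags              = { Name = each.key, Tier = each.value.tier }
}

# Data and container tiers each get a route table holding only the VPC-local
# route: no internet gateway, no NAT, and no Transit Gateway route until one
# is added explicitly. Nothing reaches the databases by default.
resource "aws_route_table" "isolated" {
  for_each = toset(["data", "container"])
  vpc_id   = aws_vpc.this.id
  tags     = { Name = "${each.key}-isolated" }
}

resource "aws_route_table_association" "isolated" {
  for_each       = { for k, s in local.subnets : k => s if contains(["data", "container"], s.tier) }
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.isolated[each.value.tier].id
}

# S3 (backups, and the layers behind ECR image pulls) via a gateway endpoint,
# which is a route-table entry rather than an ENI and carries no charge.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.this.id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [for rt in aws_route_table.isolated : rt.id]
}

# Everything else a Fargate task needs at start-up (ECR, CloudWatch Logs,
# Secrets Manager) via interface endpoints in the container subnets,
# reachable only on 443 from inside the VPC.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = aws_vpc.this.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ecr.api", "ecr.dkr", "logs", "secretsmanager"])
  vpc_id              = aws_vpc.this.id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids          = [for k, s in aws_subnet.this : s.id if local.subnets[k].tier == "container"]
  security_group_ids  = [aws_security_group.endpoints.id]
}
```

The public and application tiers, their internet or NAT routes, and the Transit Gateway route are deliberately absent from the isolated tables. Adding one aws_route on the container table toward the TGW attachment is the single explicit step that lets those workloads reach the firewall and the partners behind it; the data tier gets no such route unless a reviewed change adds it.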
Firewall
Active/passive FortiGate high availability
All traffic into and out of AWS flows through a pair of Fortinet FortiGate virtual appliances deployed in the infrastructure account across separate availability zones. They run in active/passive high availability: if the active unit fails, the passive unit takes over automatically, without manual intervention. AWS has no shared virtual IP that spans availability zones, so failover is completed by moving elastic IPs and rewriting route-table entries to point at the surviving unit, which the firewalls do through the EC2 API and which therefore requires a tightly scoped IAM role on the instances.
The FortiGates were procured with full security licensing and support contracts — a predictable, fixed annual cost, rather than a variable expense that grows with cloud spend.
External Connectivity
Encrypted tunnels to market data and execution partners
Duality's trading operation depends on reliable, low-latency connectivity to a major market data provider for trade data, and to downstream partners for trade execution. Both connections are handled as encrypted VPN tunnels terminated at the FortiGate layer — traffic that never traverses the public internet unprotected. The firewall manages all policy enforcement for these connections: what is permitted in, what is permitted out, and how it routes once inside.
Internal DNS resolution is centrally managed in the infrastructure account and shared across all environments, so every account resolves internal hostnames consistently without duplicating infrastructure.
Security & Observability
Defense in depth, managed as code
Threat detection, API audit logging, resource configuration history, and encryption key management are all enabled across every account from day one — centrally aggregated, consistently configured, and defined in code alongside everything else. Every VPC generates flow logs. Nothing in the environment is undocumented or unobserved.
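The following added example (written for this page, not the engagement's own code) shows the per-account baseline in Terraform, reading the page's generic terms as GuardDuty for threat detection, CloudTrail for API audit logging, KMS for key management, and VPC flow logs for network visibility. The central log bucket in the infrastructure account, its policy, and the variable name are assumptions; resource configuration history (AWS Config) is left out for brevity.

```hcl
# Added example (not the engagement's own code) of the per-account baseline.
# Assumes a central log bucket in the infrastructure account whose policy
# already admits cloudtrail.amazonaws.com and delivery.logs.amazonaws.com;
# its name is a hypothetical variable.

variable "central_log_bucket" { type = string }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  trail_name = "account-trail"
  trail_arn  = "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${local.trail_name}"
}

# Key for the audit log. The CloudTrail statement is the one people forget:
# without it, creating the trail with kms_key_id fails with a permissions error.
resource "aws_kms_key" "audit" {
  description         = "CloudTrail log encryption"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CloudTrailEncryptLogs"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
        Condition = { StringEquals = { "aws:SourceArn" = local.trail_arn } }
      }
    ]
  })
}

# API audit log: every region, global services included, with digest files so
# tampering with delivered logs is detectable (aws cloudtrail validate-logs).
resource "aws_cloudtrail" "this" {
  name                          = local.trail_name
  s3_bucket_name                = var.central_log_bucket
  s3_key_prefix                 = "cloudtrail/${data.aws_caller_identity.current.account_id}"
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  kms_key_id                    = aws_kms_key.audit.arn
}

# Threat detection for this account and region.
resource "aws_guardduty_detector" "this" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Flow logs on every VPC the account has, including any created outside this
# configuration: a VPC added by hand is picked up on the next plan/apply.
data "aws_vpcs" "all" {}

resource "aws_flow_log" "all" {
  for_each                 = toset(data.aws_vpcs.all.ids)
  vpc_id                   = each.value
  traffic_type             = "ALL"
  log_destination_type     = "s3"
  log_destination          = "arn:aws:s3:::${var.central_log_bucket}/vpc-flow/${data.aws_caller_identity.current.account_id}/"
  max_aggregation_interval = 60
  destination_options {
    file_format        = "parquet"
    per_hour_partition = true
  }
}
```

Applying this in each account with a provider pointed at that account is what makes the configuration consistent rather than merely similar. The aws_vpcs data source catches VPCs created outside Terraform, while VPCs defined in the same configuration should reference their resource directly so the flow log is created in the same apply.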
Outcomes
What we delivered.
- A fully code-defined AWS environment across four accounts — reproducible, version-controlled, and auditable
- Container subnets built for horizontal scale, with capacity to grow without architectural changes
- Active/passive FortiGate high availability with automatic failover and no single point of failure at the network edge
- Encrypted connectivity to market data and execution partners, terminated at the firewall and never crossing the internet unencrypted
- All environments connected through a centralized routing hub, with shared DNS and security services flowing from a single infrastructure account
- Security monitoring, audit logging, and configuration tracking running across all environments from day one
- A lower monthly AWS bill than the environment it replaced — despite being significantly more capable