Job Agent Behind NAT Router

The company had a legacy software product installed within an ISP customer's network, making it impossible to access the system remotely without opening firewall ports and/or obtaining access to VPN software.

As the number of ISP customers grew into the hundreds, the company needed health information from the installed legacy software to provide proactive service and troubleshooting and better serve the customer.

The solution was to add a small proxy software agent that initiated requests for a "job" to an AWS serverless deployment.

Since nearly all customer networks' firewalls include Network Address Translation (NAT), requests and their responses are allowed when the request is initiated from within the customer's network.

The "Job Agent" software used secure, encrypted AWS CLI requests to an IaC-deployed stack in AWS, with the additional security measure of only accepting requests whose source IP matched the ICANN-assigned IP CIDRs for that ISP customer.
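A sketch of the source-IP check described above, as an added example (not the project's own code). It assumes `source_ip` is the peer address recorded by the AWS edge rather than a client-supplied header; `TENANT_CIDRS` and `authorize_job_poll` are hypothetical names, and the ranges are documentation prefixes used as constructed sample data.

```python
import ipaddress

# Constructed tenant registry (assumption): customer id -> CIDRs registered
# for that ISP. RFC 5737 / RFC 3849 documentation ranges, not real customers.
TENANT_CIDRS = {
    "isp-alpha": ["198.51.100.0/24", "2001:db8:a::/48"],
    "isp-beta": ["203.0.113.0/25"],
}

# Parse once at load time; strict=True rejects CIDRs with host bits set,
# so a mistyped registry entry fails loudly instead of matching too much.
NETWORKS = {
    tenant: [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for tenant, cidrs in TENANT_CIDRS.items()
}


def normalize_ip(raw):
    """Parse one address; unwrap IPv4-mapped IPv6. Returns None if malformed."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None  # includes comma-separated header lists and None
    return getattr(ip, "ipv4_mapped", None) or ip


def authorize_job_poll(customer_id, source_ip):
    """Decide whether a Job Agent poll is accepted. Fails closed.

    Returns (allowed, reason) so the caller can log every rejection.
    """
    networks = NETWORKS.get(customer_id)
    if networks is None:
        return False, "unknown customer"
    ip = normalize_ip(source_ip)
    if ip is None:
        return False, "malformed source IP"
    for net in networks:
        if ip.version == net.version and ip in net:
            return True, f"matched {net}"
    return False, "source IP outside customer CIDRs"
```

The check is per customer: an address inside another tenant's range is still rejected, which keeps the allowlist aligned with the multi-tenant separation the stack relies on.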

Newly activated customer Job Agents registered on first access to the AWS stack domain/Route 53/CloudFront HTTPS URL, triggering the server side to deploy a separate IaC stack of resources dedicated to that customer for multi-tenant separation and security.

A web dashboard with Cognito user authentication, composed of embedded QuickSight dashboards, was made available to company-internal users to see the status of the customer's installed legacy software system.
