Success Story

USCIS Network Modernization Scaling for Multi Cloud Adoption

Capabilities Shown

Advisory Services
Cloud Migration
Digital Transformation
Cloud Engineering
Observability & Monitoring

Executive Summary

U.S. Citizenship and Immigration Services (USCIS) supports the nation's lawful immigration system by efficiently adjudicating immigration benefits cases and safeguarding integrity and fairness. In 2014, USCIS initiated a critical cloud migration to modernize its aging on-premises IT infrastructure and applications by leveraging the agility, security, and innovation of Amazon Web Services (AWS). USCIS adopted a multi-account strategy, creating over 200 AWS accounts to securely separate production, development, and test environments. A multi-region approach was also implemented for high availability across geographically dispersed data centers. Over the past 5 years, USCIS has migrated over 100 applications to AWS, decommissioning several legacy data centers in the process. AWS now serves as the foundational infrastructure powering USCIS’ IT modernization and digital transformation initiatives, with AWS services enabling enhanced mission delivery, customer experience and workforce productivity outcomes. However, managing this complex multi-region and multi-account AWS environment has surfaced challenges around connectivity, security, automation, and technical debt. As AWS rolls out hundreds of new features annually, USCIS struggles to stay current and take full advantage of the pace of innovation.

Customer Challenge

USCIS faced several challenges that needed to be addressed:

  • Complexity - The hub-and-spoke architecture caused routing complexity and latency. Changes required updating each VPC route table.
  • Lack of Agility - Manual reconfiguration of routing tables made adding or modifying VPC connections time-consuming.
  • Security Risks - No centralized firewall or security controls across the network environment.
  • Network Monitoring - Limited visibility into network traffic across regions and VPCs.
  • On-Premises Integration - Limited connectivity options and complex routing between on-prem data centers and cloud environments.

The Scope

The scope of the network modernization initiative included:

  • On-premises data centers from DHS and AWS cloud infrastructure in us-east-1, us-east-2 and us-west-1
  • Approximately 1000+ VPCs distributed across environments and applications.
  • Approximately 4000+ EC2 instances across cloud environments
  • Connectivity for 20,000+ employees to internal applications
  • Connectivity across 85+ Service Centers and Field Offices of USCIS
  • Network Analysis across 200+ AWS Accounts including GSS and CHE

The Solution

To address these challenges, USCIS deployed AWS Transit Gateway to modernize their network architecture:

  • Transit Gateway - A central connection hub that interconnects all VPCs, VPN connections, endpoints, etc. Simplified network topology and centralized controls.
  • Integration with On-Prem - AWS Direct Connect provides a high-bandwidth connection between data centers and AWS. Site-to-site VPN connects remote offices.
  • Distributed VPCs - Migrated from central VPC architecture to distributed VPCs per environment (dev, test, prod) enabling granular access controls.
  • Shared Services VPC - Common services like Active Directory, DNS, LDAP hosted in shared services VPC and accessed across environments.
  • Network Security - Implemented network firewalls on Transit Gateway to enforce consistent rules across all VPCs.
  • Automation - Leveraged infrastructure-as-code and CI/CD pipelines for rapid and consistent deployment.

The Impact

The AWS Transit Gateway architecture delivered significant benefits including:

  • 95% reduction in network complexity.
  • Elimination of 500+ peering links across AWS accounts.
  • Improved agility with easy spin up of new VPCs.
  • Reduced network provisioning time from weeks to minutes.
  • Estimated 50% TCO savings over 5 years.
  • Consistent network security policies enforced centrally.
  • Full visibility into network traffic across all VPCs and on-prem.
  • Streamlined connectivity between cloud and on-prem environments.
  • Simplified management with centralized control plane.
  • Easy scalability by adding new VPCs or sites.
  • Reduced latency by optimizing traffic routing.
  • Enhanced disaster recovery and high availability.
  • Tightened security posture with central firewalling.
  • Greater stability with routing automation and error reduction.
  • Improved compliance with networking best practices.

Conclusion

By leveraging AWS Transit Gateway, USCIS successfully modernized their network architecture to be cloud-native, secure, and easy to manage. This enabled faster application deployment and estimated cost savings.
