When an integration platform sits at the center of a company’s operations, replacing it is never a small decision. For HDI Seguros Argentina, the decision was driven by a hard deadline — and it turned into an opportunity to modernize. Working with Craftech, an AWS Advanced Tier Services Partner, HDI Seguros rebuilt its API integration layer as a serverless, event-driven platform on AWS. Roughly 60% of production traffic already runs on the new architecture, with full migration targeted ahead of IBM API Connect’s end-of-support window.
About HDI Seguros Argentina
HDI Seguros Argentina is an insurance provider operating in the Argentine market. Its business runs on a critical API integration ecosystem that connects its core insurance processes — an AS400 legacy core, scheduled batch jobs, third-party services, and partner integrations. Because these integrations underpin day-to-day operations, any change to the platform had to preserve uninterrupted production traffic.
The challenge
The integration layer was historically built on IBM API Connect, with batch processing implemented as scheduled Java jobs running on Amazon EC2 instances. That setup created several compounding pressures:
- A hard deadline. IBM API Connect was approaching end-of-support between mid and late 2026, forcing a migration to avoid mounting licensing and support risk.
- Paying for idle capacity. The EC2-based batch jobs ran 24/7, consuming compute — and ongoing OS-patching effort — even when actual processing was light.
- Tight coupling and vendor lock-in. Deployments, security (user, token and access management) and traffic routing were bundled into a single proprietary product, making every independent change expensive.
- An identity layer to modernize. 56 existing user identities on IBM API Connect needed to move to a sustainable, managed identity provider.
HDI Seguros needed an AWS-native replacement that could scale with consumption, remove vendor lock-in, modernize identity, and avoid OS-level patching — all while keeping the AS400 core and ESB middleware running through a phased cut-over.
The solution: a Dispatcher pattern on AWS
Craftech designed an AWS-native, event-driven serverless platform that replaces IBM API Connect end to end.
Traffic enters through Amazon API Gateway using a single Proxy+ catch-all integration that forwards every request to a central AWS Lambda function — the Dispatcher. Built in Python 3.12 with the AWS Distro for OpenTelemetry, the Dispatcher:
- reads routing rules and Jinja2 transformation templates from two Amazon DynamoDB tables (mappings and templates) at single-digit-millisecond latency,
- validates JWT tokens issued by Amazon Cognito with scope-based authorization,
- performs the XML-to-JSON / JSON-to-XML transformation the downstream systems require, and
- forwards each request to the correct backend over a private VPC route.
This Dispatcher pattern was a deliberate architectural choice. A naive 1-to-1 migration of the legacy endpoints would have exceeded API Gateway’s hard limit of 600 resources. By routing everything through a single catch-all integration backed by configuration in DynamoDB, adding a new endpoint becomes a configuration change rather than an infrastructure deployment — removing the resource limit entirely.
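With a single catch-all integration, API Gateway no longer decides per route who may call what, so the Dispatcher has to deny unmapped paths and enforce the scope each mapping requires. The following is an added example, not Craftech's or HDI Seguros' code: the mappings item schema, scope names, issuer and backend URLs are constructed assumptions, and the token's signature is assumed to have been verified against the user pool's JWKS before this point.

```python
import re
import time

# Constructed stand-in for the DynamoDB "mappings" table; the item schema
# (route key, backend, required_scope) is an assumption, not HDI's schema.
MAPPINGS = {
    ("GET", "/policies/{id}"): {"backend": "http://esb.internal/policy",
                                "required_scope": "policies/read"},
    ("POST", "/claims"): {"backend": "http://esb.internal/claim",
                          "required_scope": "claims/write"},
}
# Placeholder issuer: region and user pool id are constructed values.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"


def match_route(method, path, mappings=MAPPINGS):
    """Return the mapping for method+path, or None. Each {param} matches one segment."""
    for (m, template), rule in mappings.items():
        pattern = "/".join(
            "[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
            for seg in template.split("/")
        )
        if m == method.upper() and re.fullmatch(pattern, path):
            return rule
    return None


def dispatch_decision(method, path, claims, now=None):
    """Return (status, detail) for a request whose JWT signature is already verified."""
    now = time.time() if now is None else now
    rule = match_route(method, path)
    if rule is None:
        return 404, "no mapping"  # deny by default: unmapped paths never reach a backend
    if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
        return 401, "wrong issuer or token type"  # e.g. an ID token sent as a bearer token
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    granted = set(claims.get("scope", "").split())  # Cognito access tokens: space-separated
    if rule["required_scope"] not in granted:
        return 403, "missing scope " + rule["required_scope"]
    return 200, rule["backend"]
```

Because the match is a full match per path segment, a request such as `/policies/42/extra` falls through to the 404 branch instead of inheriting the scope check of a shorter route.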
Batch workloads moved from the always-on EC2 cron fleet to Amazon ECS on AWS Fargate scheduled tasks, orchestrated by Amazon EventBridge Scheduler and billed only for the seconds they actually run — removing both idle capacity cost and OS-patching effort. Secrets are stored in AWS Secrets Manager (KMS-encrypted) and consumed at runtime by the pipeline and the Dispatcher.
Observability runs on Amazon CloudWatch Application Signals and AWS X-Ray, with automated traces and golden metrics for latency, errors and throughput. CloudWatch Alarms cover Lambda error rate, DynamoDB throttling, Cognito sign-in failures and API Gateway 5xx responses, and multi-region AWS CloudTrail is enabled with versioned Amazon S3 storage and log-file validation. The whole stack is fully managed, with infrastructure declared as code in Terraform and AWS SAM, and CI/CD running on GitHub Actions authenticated to AWS via OIDC — no long-lived access keys.
A clear operational boundary was built into the design: the customer’s Enterprise Service Bus (ESB) and its connection to the on-premise AS400 core are operated by HDI Seguros’ internal IT team in a separate AWS environment, which the Dispatcher reaches through a private network route. Documenting that boundary explicitly keeps ownership unambiguous for any future incident triage.
Results
Key outcomes delivered so far:
- ~60% of production traffic is already served by the AWS-native platform, with implementations for 100% of legacy endpoints in place and a gradual cut-over toward full migration.
- Zero long-lived credentials in CI/CD: 100% of the production pipeline assumes AWS IAM roles via GitHub Actions OIDC.
- No more OS patching for the integration layer — the managed Lambda + DynamoDB + Fargate stack replaces a patched EC2 fleet of Java cron hosts.
- Pay-per-use batch processing: Fargate scheduled tasks bill by the second of execution, eliminating the 24/7 idle cost of the legacy cron fleet.
- Identity modernized: 56 IBM API Connect users are moving to Amazon Cognito with scope-equivalent access.
- Scalability headroom: new endpoints are added by configuration, not deployment, with no API Gateway resource ceiling.
- Progressive independence from IBM API Connect: every endpoint that completes cut-over leaves the IBM license scope, steadily reducing exposure to the end-of-support deadline.
Just as importantly, the architecture replaces fixed licensing, idle compute and OS-patching effort with consumption-based billing on fully managed services — aligning cost directly with usage.
Looking ahead
With the architecture proven and the majority of traffic already migrated, HDI Seguros Argentina is on track to fully retire IBM API Connect ahead of its end-of-support deadline — on a platform that grows by configuration and scales with demand.
Building or modernizing your integration layer on AWS? Craftech is an AWS Advanced Tier Services Partner helping companies across LATAM migrate, modernize and operate on AWS. Get in touch to talk through your project.