About the customer
BSH (Turkish for ‘B/S/H Home Appliances’, stylized as B/S/H/) is an Istanbul based global manufacturer of home appliances and related digital services, and positions itself as a leading company in the home appliance industry. Operating in the consumer durables / “white goods” manufacturing sector, it serves households with product categories that include cooking and baking, dishwashing, cooling and freezing, washing and drying, and small appliances. B/S/H says its portfolio ranges from large appliances to cooktops, ovens, ventilation hoods, dishwashers, washers, dryers, fridges, and freezers to small appliances such as vacuum cleaners, espresso machines, and kitchen machines. It sells these products through a multi-brand strategy that includes global brands like Bosch, Siemens, and Gaggenau, plus regional brands such as Neff and Thermador (alongside additional local brands in some markets). The company is part of the Bosch Group and notes that it is a trademark license of Robert Bosch GmbH for the Bosch brand and Siemens AG for the Siemens brand. For 2024, B/S/H reported turnover of about €15.3 billion and more than 57,000 employees. Its industrial footprint spans 39 factories, and the group says it is represented in around 50 countries. Alongside hardware, B/S/H emphasizes software-enabled experiences via Home Connect, an ecosystem that connects appliances from multiple B/S/H brands to digital services in a single app. Home Connect supports remote control and automation and can work through voice assistants like Amazon Alexa or Google Home. In industry terms, B/S/H competes with other major home-appliance manufacturers in a market where energy efficiency, design, reliability, after-sales service, and smart-home integration are key differentiators. On its corporate site, B/S/H frames its mission as improving quality of life at home worldwide by staying close to consumer needs and continuously innovating across its brands. Overall, it sits at the intersection of industrial manufacturing and digital consumer technology, supplying branded appliances and connected services to households around the world.
Customer Challenge
B/S/H was operating critical production and development workloads across multiple on-premises environments located in Vodafone Datacenter in Istanbul and an additional site in Çerkezköy. As the infrastructure footprint continued to grow, managing workloads across different locations became increasingly complex from both operational and governance perspectives. The existing environment was heavily dependent on traditional infrastructure management processes, limiting scalability, operational agility, and standardization between environments.
As part of the organization’s cloud transformation strategy, B/S/H aimed to migrate workloads from on-premises infrastructure to AWS while maintaining business continuity and minimizing operational disruption. However, the migration initiative introduced several architectural and operational challenges, particularly around environment separation, centralized governance, network segmentation, and maintaining consistent operational standards across production and development systems.
Another significant challenge was establishing a scalable and future-ready cloud operating model capable of supporting long-term growth. B/S/H required stronger visibility into workloads, improved operational control, and standardized security practices across environments while ensuring that the target architecture remained manageable as additional workloads and AWS accounts were introduced over time.
Partner Solution
How Commencis solved the customer challenge
Commencis designed and implemented a scalable AWS landing zone architecture aligned with AWS best practices to support the B/S/H’s cloud transformation journey from on-premises environments to AWS. A multi-account structure was established to provide clear separation between production and development workloads while improving governance, operational control, and long-term scalability. This approach enabled B/S/H to standardize infrastructure management and create a more structured and manageable cloud operating model across environments.
To simplify network management and strengthen centralized security controls, Commencis implemented a hub-and-spoke network architecture within AWS. Shared networking and security services were centralized to reduce operational complexity and provide consistent governance across workloads and AWS accounts. This architecture also enabled centralized inspection and control of outbound traffic using AWS Network Firewall and DNS Firewall, improving visibility into internet-bound communications and enabling more controlled egress security management for cloud-native workloads.
In addition to the infrastructure and security transformation, Commencis helped B/S/H establish an operationally more mature cloud environment by implementing centralized monitoring, governance, and operational standards across AWS workloads. The resulting platform provided B/S/H with a secure, scalable, and future-ready cloud foundation capable of supporting ongoing migration activities, future workload growth, and improved operational efficiency while remaining aligned with AWS architectural and security best practices.
AWS Services used as part of the solution
Commencis designed and implemented a secure and scalable AWS architecture aligned with AWS best practices to support the B/S/H’s migration from on-premises environments located in Vodafone Datacenter Istanbul and Çerkezköy into AWS. The solution was built using a multi-account hub-and-spoke networking model to provide centralized governance, controlled traffic inspection, and operational scalability across both production and development environments.
At the networking layer, Amazon VPCs were deployed to isolate workloads and environments, while AWS Transit Gateway (TGW) was used as the centralized routing and connectivity hub between VPCs, shared services, and hybrid connectivity components. Site-to-Site VPN connections were established to provide secure communication between on-premises datacenters and AWS during migration and hybrid operation phases. To strengthen outbound traffic governance and security visibility, AWS Network Firewall was implemented as the centralized egress inspection layer, allowing internet-bound traffic to be inspected and controlled through centralized firewall policies. In addition, AWS Route 53 DNS Firewall was deployed to filter and restrict access to malicious or unauthorized domains, providing an additional DNS-layer protection mechanism for workloads running inside AWS.
For ingress traffic protection, Commencis implemented a layered edge security architecture using Amazon CloudFront, AWS WAF, and internal Application Load Balancers (ALB). AWS WAF was positioned in front of CloudFront to protect customer-facing applications against Layer 7 attacks such as SQL injection, bot traffic, malicious requests, and common web exploits. CloudFront was used to improve application performance, reduce latency, and provide secure edge delivery capabilities, while internal ALBs were configured as CloudFront origins to prevent direct public exposure of backend application workloads hosted on EC2 instances.
The application and database workloads were primarily hosted on Amazon EC2, Amazon EKS, and Amazon RDS for Microsoft SQL Server. EC2 instances were used to run application services and custom workloads requiring infrastructure-level control, while Amazon EKS provided a managed Kubernetes platform for containerized workloads and microservices. Amazon RDS for MSSQL provided a managed and highly available relational database platform with simplified backup, maintenance, and operational management capabilities. AWS Systems Manager was implemented to centrally manage EC2 operational activities such as patching, automation, and remote administration without relying on direct SSH/RDP exposure. Sensitive credentials and application secrets were securely stored and managed using AWS Secrets Manager to reduce operational risk and eliminate hardcoded credential usage within applications and automation workflows.
To strengthen secure access management for internal applications and administrative services, AWS Verified Access was implemented to provide identity-aware secure access controls without exposing workloads directly to the public internet. This helped B/S/H improve access governance and reduce dependency on traditional network-based access models.
As part of the migration process, AWS Database Migration Service (DMS) was utilized to support secure and controlled migration of databases and workloads from on-premises environments into AWS with minimal disruption. To improve operational visibility and monitoring capabilities, Amazon CloudWatch was implemented for centralized metrics, logging, alarms, and operational monitoring across infrastructure and application layers.
In addition, Commencis implemented a centralized data analytics and reporting capability using Amazon S3, AWS Glue, and Amazon Athena. Operational logs and reporting data were stored in Amazon S3, while AWS Glue was used for data cataloging and schema discovery. Amazon Athena enabled serverless querying and analysis of operational data directly on S3, supporting reporting, troubleshooting, governance, and operational analysis use cases without requiring dedicated analytics infrastructure.
AWS Lambda functions were also integrated into the environment to automate operational workflows, event-driven actions, monitoring integrations, and incident management processes across the platform. AWS Backup was implemented to centrally manage backup policies, automated snapshots, retention controls, and recovery operations for supported AWS services, ensuring alignment with the B/S/H’s disaster recovery and business continuity requirements.
Combined with centralized monitoring, security inspection, governance controls, backup management, and secure access mechanisms, the resulting AWS architecture provided B/S/H with a secure, scalable, and operationally mature cloud platform capable of supporting both current migration requirements and future workload growth.
Third party applications or solutions used
As part of the container and Kubernetes management operations, B/S/H environment utilized Rancher for centralized Kubernetes and Amazon EKS cluster management. Rancher was used to simplify cluster administration, workload visibility, access management, and operational governance across Kubernetes environments running in AWS. Through Rancher, operations teams were able to centrally manage Kubernetes workloads, monitor cluster health, standardize operational processes, and simplify day-to-day container platform management activities. In addition to Rancher, Terraform was used as the primary Infrastructure as Code (IaC) tool for automated AWS resource provisioning, while Github served as the centralized version control and source code repository for infrastructure definitions, deployment templates, and operational automation workflows.
Commencis Support Services During Pre and Post Implementation of the Solution
Commencis provides 24/7 managed services and operational support for B/S/H’s AWS environment to ensure continuous monitoring, rapid incident response, and operational continuity across production workloads. Infrastructure and application monitoring are centrally managed using Amazon CloudWatch, where metrics, logs, and operational alarms are continuously monitored for EC2 instances, databases, networking components, and critical AWS services. CloudWatch alarms are integrated with automated operational workflows using AWS Lambda and Jira, enabling automatic ticket creation when predefined operational thresholds are exceeded. In addition, workload and infrastructure severity levels are managed through tagging standards, allowing incidents to be dynamically classified based on business criticality. For high-priority events such as Severity=1, incidents are automatically escalated to Opsgenie to trigger 24/7 on-call response processes, while lower severity operational issues are managed and resolved according to predefined SLA-based support procedures. This operational model enables Commencis to provide proactive monitoring, centralized incident management, and continuous operational support across the B/S/H’s AWS platform.
Results and Benefits
Architectural Diagram
Benefits of the Solution
The implemented AWS architecture provided the B/S/H with a secure, scalable, and operationally standardized cloud platform capable of supporting both current migration requirements and future business growth. By adopting a multi-account hub-and-spoke architecture aligned with AWS best practices, B/S/H significantly improved governance, workload isolation, centralized security management, and operational visibility across production and development environments. Centralized ingress and egress security controls using AWS WAF, CloudFront, Network Firewall, and DNS Firewall enhanced the overall security posture while enabling more controlled and visible traffic management across workloads.
In addition, the B/S/H gained improved operational efficiency and resilience through centralized monitoring, automated operational workflows, managed Kubernetes services with Amazon EKS, and automated backup management using AWS Backup. The use of services such as CloudWatch, Lambda, Systems Manager, and Secrets Manager reduced operational overhead while improving incident response, automation, and infrastructure management capabilities. Combined with secure hybrid connectivity, scalable database services, and analytics capabilities using S3, Glue, and Athena, the solution enabled B/S/H to modernize its infrastructure, simplify operations, and establish a future-ready cloud foundation aligned with enterprise security and operational best practices.

