It has been a while since I posted here. One of my previous articles on GitHub Actions OIDC got picked up and reposted by Dev.to's own X account, which I did not expect. That was a good signal to keep writing, but between job applications, AWS SAA-C03 prep, and a few client things, the writing fell off.

The reason I am back now is a specific realisation I had while reviewing my own portfolio: every single project I have built is greenfield AWS. Clean VPCs, Lambda functions, managed services from day one. There is nothing wrong with that, but the real world is not greenfield. Most companies are running something on-premises, in a data centre, or on a server that someone's CTO refused to migrate five years ago. If I cannot architect across that boundary, I am limited.

So I built Paycore: a hybrid cloud B2B payment middleware that runs a FastAPI application on an on-premises Proxmox VM, bridged to AWS serverless infrastructure via WireGuard VPN. This is not a tutorial scaffold. The infrastructure, secrets management, networking, and deployment pipeline are all production-pattern. I will walk through the architecture, the security decisions, and the parts I deliberately left imperfect and why.