Phase 1: Initial design and implementation
Our customer had just completed the evaluation of the new “Real-time platform” project and decided to roll it out to the market as fast as possible.
They had an on-premises data center at that time, so Engineering had to work closely with the IT department to secure new resources (VMs).
The new platform roll-out required much faster ways for Engineering to provision required resources.
We chose to go forward with AWS to facilitate a self-service paradigm for infrastructure management.
GreenM partnered with the client to migrate the part of the existing infrastructure that supports the new platform into AWS and to implement the BI stack in the cloud.
Engineering had to move quickly from IT-dependent resource provisioning to self-service.
Considering the tight schedule, Engineering had to maintain a balance between infrastructure governance and freedom to provision resources for engineers.
AWS EC2 provided the required level of elasticity and self-service capabilities.
AWS VPC, with its ability to change the network layout and security groups on the fly, provided the required balance between freedom and governance.
“Real-time platform” time-to-market was short: in less than 8 months all the key customers were migrated to the new environment.
Self-service infrastructure made the Engineering team much more efficient (no idle periods caused by waiting for the IT department to provision resources).
Phase 2: Rapid growth. Transition to serverless approach
“Real-time platform” proved to be quite successful and grew rapidly.
Growth brought a new level of requirements for availability, performance and scalability.
The engineering team had to refactor critical services onto AWS managed services instead of EC2 instances, implement a scalable Data Lake pipeline to support BI and a serverless Subscriptions module, and migrate the user-facing BI Portal to serverless managed services in AWS.
We had to support the rapidly growing Platform, simultaneously improving major non-functional requirements.
AWS has all the required capabilities to make this kind of refactoring non-disruptive from an Operations standpoint.
CloudFront provides low latency HA content delivery and is utilized for all user-facing portals.
Lambdas and ECS on Fargate were used to migrate EC2-based Web APIs to serverless.
EMR and S3 were used to deliver a scalable and reliable BI pipeline for the data lake.
Cost optimization was significant: lower implementation cost compared to on-premises infrastructure and lower infrastructure cost compared to EC2.
Besides, the switch made it easier to pass security audits through the use of HIPAA certified AWS managed services.
Phase 3: High-Availability and quick recovery
The next step was to further reinforce the new platform's availability requirements by rebuilding the single-VPC, single-account AWS infrastructure into a multi-account setup and switching all the business-critical processes to the new setup, with automated deployment of the platform components.
GreenM cooperated with the customer's security and infrastructure teams to design and implement the new setup and achieve repeatable “one click” deployment to all AWS accounts for all product components, including those based on AWS Lambda, ECS Fargate, EMR and EC2.
The number of components to migrate and whose deployments had to be automated was large; the variety of AWS services involved and the fact that “Real-time platform” was the first product to be migrated to the new infrastructure made this task especially complex.
The Shared Responsibility security model enables custom security configurations that meet the strictest requirements.
AWS also has a great set of tools and services to build highly available secure systems:
– Data encryption (at rest and in flight) is embedded in all AWS data services like S3, Dynamo, SQS, SNS, RDS, Elastic, etc. Enabling it is a matter of flipping a switch.
– A robust set of network services that makes it easy to go from a secure network architecture design to its implementation.
– A mature set of deployment automation services, including CloudFormation, Secrets Manager and Parameter Store.
– A set of production monitoring and change management tools, like CloudWatch and AWS Config, to monitor production operations and ensure that only permitted changes are rolled out to production.
The newly implemented infrastructure:
– supports network segmentation between environments and products;
– supports resource access segregation, which is especially relevant due to the sensitive nature of the data;
– serves as an infrastructure platform that minimizes security errors made by developers;
– enables self-service infrastructure setup for developers.
The continuous deployment pipeline we developed:
– allows automated, repeatable component deployment from scratch into a prepared AWS account infrastructure;
– includes a set of PowerShell scripts for automatic creation and termination of Windows EC2 instances in the Active Directory;
– tailors security groups to the needs of each specific component;
– narrows IAM policies to the exact set of permissions required by each component;
– delivers a basis for further improvements and test automation.
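Three of the guardrails described above (encryption at rest enabled on data services, security groups tailored to one component, IAM policies narrowed to the exact permissions a component needs) are the kind of rule a pipeline can check before a CloudFormation template is deployed, so that a developer's mistake is caught before it reaches an account. The script below is an added illustration written for this article, not GreenM's or the customer's pipeline code; the template it inspects is constructed for the example, and the set of ports allowed to be exposed to the internet is a hypothetical policy.

```python
"""Pre-deployment guardrail check for a CloudFormation template (JSON form).

Example added to this case study; not the project's own code. It encodes three
rules from the article as checks: data services must enable encryption at rest,
security groups must not expose anything but an allowed port to the internet,
and IAM statements must not combine a wildcard action with all resources.
"""
import json

# Constructed sample template: a compliant bucket, an unencrypted bucket, an
# unencrypted RDS instance, a too-open security group and an over-broad role.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        },
        "RawBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "ReportsDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "StorageEncrypted": False},
        },
        "ApiSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "EtlRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyName": "etl", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-lake/*"},
            ]}}]},
        },
    }
})

# Hypothetical policy: the only port a component may expose to the whole internet.
PUBLIC_PORTS_ALLOWED = {443}


def _as_list(value):
    """CloudFormation accepts either a scalar or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def check_encryption(name, res):
    """Rule 1: S3 buckets and RDS instances must have encryption at rest enabled."""
    props = res.get("Properties", {})
    if res["Type"] == "AWS::S3::Bucket" and "BucketEncryption" not in props:
        return [f"{name}: S3 bucket has no default encryption"]
    if res["Type"] == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted"):
        return [f"{name}: RDS instance has StorageEncrypted disabled"]
    return []


def check_security_group(name, res):
    """Rule 2: no internet-wide ingress except on the allowed ports."""
    findings = []
    if res["Type"] != "AWS::EC2::SecurityGroup":
        return findings
    for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
            # A missing port range (e.g. IpProtocol "-1") means every port.
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if not set(range(lo, hi + 1)) <= PUBLIC_PORTS_ALLOWED:
                findings.append(f"{name}: ingress open to the internet on ports {lo}-{hi}")
    return findings


def check_iam(name, res):
    """Rule 3: an Allow statement must not grant a wildcard action on all resources."""
    findings = []
    if res["Type"] not in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        return findings
    props = res.get("Properties", {})
    docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
    if "PolicyDocument" in props:
        docs.append(props["PolicyDocument"])
    for doc in docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
            if wildcard_action and "*" in resources:
                findings.append(f"{name}: statement allows {actions} on all resources")
    return findings


def check_template(template_text):
    """Run every rule over every resource; an empty list means the template passes."""
    template = json.loads(template_text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        for check in (check_encryption, check_security_group, check_iam):
            findings.extend(check(name, res))
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Run against the constructed template, the check reports four findings (the unencrypted bucket, the unencrypted database, the RDP port open to the internet, and the `s3:*` on `*` statement) and accepts the compliant bucket and the scoped `s3:GetObject` statement; a pipeline would refuse to deploy a template with a non-empty result. Real CloudFormation templates are often YAML with intrinsic tags such as `!Ref`, which this JSON-only example does not parse.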
It’s a great opportunity for GreenM to strengthen our partner's R&D team, helping it take a strong position on the market through fast adoption of the latest trends.
We will continue our partnership, helping the organization achieve new goals in extending the product experience, maturing it, and scaling it.