About the Client
Trimble Hosting Services provides global managed IT services for industry-leading ASP and Software-as-a-Service products. These application services cover mobile resource management, construction machine and construction site management, and precision surveying. Companies use them to maximize the productivity and efficiency of their mobile workforces and to optimize the productivity of machines and other assets.
The Challenge
As an existing AWS customer, this enterprise already had a basic setup that sufficed for its limited DevOps requirements. As the infrastructure kept growing, the limitations of that setup became a hindrance. To overcome this, they decided to redesign their DevOps/automation architecture so that it could accommodate future growth. They also wanted fault tolerance, achieved through high availability, for every critical component in the design.
The existing DevOps setup is explained below.
Why AWS
AWS provides a set of flexible services designed to enable companies to more rapidly and reliably build and deliver products using AWS and DevOps practices. These services simplify provisioning and managing infrastructure, deploying application code, automating software release processes, and monitoring your application and infrastructure performance. DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.
Our Solution
After understanding their requirements, use cases and pain points, we proposed an architecture in which the whole setup is redesigned inside an Amazon VPC with AWS security best practices in place. We took on the DevOps implementation of their setup on AWS, along with 24/7 managed services, giving the client scalability, high availability, security, DevOps and support.
DevOps on AWS
- The entire stack was provisioned automatically using AWS CloudFormation templates. CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
- DevOps automation with Puppet, CloudFormation templates (CFT) and PowerShell DSC
- Monitoring with Foreman, integrated with Amazon CloudWatch
- Deployment to the various environments was handled through GitHub
- Load balancing with Elastic Load Balancing (ELB)
- Region-based Puppet master provisioning, i.e. each region has its own Puppet master
- All virtual machines reside within a VPC
- All VPCs are VPC-peered
- Traffic to the Puppet master is routed via private DNS
- The Puppet server resides on a C3 instance running Red Hat Enterprise Linux 6.6 with:
– Hiera 1.3.4
– PuppetDB
– Facter 2.4.1
- The Puppet master is made highly available via auto healing
- A separate Git server is provisioned and configured for version control
- Foreman is installed, paired with the Puppet master and used for viewing and reporting
- Role-based node identification during the catalog run, with the corresponding configuration management applied by the Puppet master
- Secured assets stored in and delivered from Amazon S3
- Amazon CloudWatch and Amazon SNS set up to monitor resources, send notifications and track logs and metrics
- AWS CloudTrail and AWS Config set up for security and governance
- Whenever a major change is made to the Puppet master server, an automated script takes a new AMI of the machine and promotes it to the golden AMI used for all subsequent auto healing of the Puppet master
Design for HA/DR
- HA ensured by using multiple AWS Availability Zones within a region
- Use of fault-tolerant building blocks such as ELB, S3 and SNS for HA
- ELB combined with auto healing of the Puppet master ensured HA for the newly created setup
Design for Security
- Isolated network using Amazon Virtual Private Cloud (VPC)
- Each layer of the architecture is wrapped in multiple layers of security: network ACLs, security groups and user account access controls
- All Puppet-related communication is private. Every layer has its own security group in AWS with layer-specific inbound rules; no other port communication is allowed between layers
- VPC peering is configured for inter-VPC communication within the account and across accounts in the same region
- Inter-region VPC communication goes over VPN connections that the customer has already established and manages
- AWS IAM and MFA for access control, determining which role a person may assume and how they interact with the provisioned services
- VPC Flow Logs and CloudWatch Logs for security monitoring
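The per-layer security groups, ELB-fronted auto healing of the Puppet master and VPC Flow Logs described in the DevOps on AWS and Design for Security lists, as an added CloudFormation example written for this page (it is not the client's or SecureKloud's template). The logical names, the c3.large size, the bastion security group, the flow-log IAM role parameter and the 90-day log retention are assumptions; the golden AMI is passed in as a parameter, on the assumption that the AMI-bake script updates it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added illustration of the Puppet master tier (not the client's own template)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # one private subnet per Availability Zone
  GoldenAmiId:
    Type: AWS::EC2::Image::Id          # assumed to be refreshed by the AMI-bake script after major changes
  BastionSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # assumed bastion host group for SSH
  FlowLogRoleArn:
    Type: String                       # IAM role VPC Flow Logs assumes to write to CloudWatch Logs

Resources:
  # Agent layer: attached to every managed node. It grants nothing inbound;
  # it exists so the layers above can name agents as a source instead of a CIDR.
  PuppetAgentSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Puppet agents (marker group, no inbound rules)
      VpcId: !Ref VpcId

  # Load balancer layer: accepts 8140 from agents only.
  PuppetElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internal ELB in front of the Puppet master
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 8140, ToPort: 8140, SourceSecurityGroupId: !Ref PuppetAgentSecurityGroup}

  # Master layer: 8140 from the ELB, SSH from the bastion, nothing else.
  PuppetMasterSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Puppet master (8140 from ELB, 22 from bastion)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 8140, ToPort: 8140, SourceSecurityGroupId: !Ref PuppetElbSecurityGroup}
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, SourceSecurityGroupId: !Ref BastionSecurityGroupId}

  # TCP pass-through on 8140: agents authenticate with client certificates,
  # so the ELB must not terminate TLS.
  PuppetMasterElb:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups: [!Ref PuppetElbSecurityGroup]
      Listeners:
        - {LoadBalancerPort: '8140', InstancePort: '8140', Protocol: TCP, InstanceProtocol: TCP}
      HealthCheck: {Target: 'TCP:8140', Interval: '30', Timeout: '5', HealthyThreshold: '2', UnhealthyThreshold: '3'}

  PuppetMasterLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref GoldenAmiId
      InstanceType: c3.large              # assumed size; the page only says "C3"
      SecurityGroups: [!Ref PuppetMasterSecurityGroup]

  # Auto healing: exactly one master across the private subnets. When the ELB
  # health check fails, the group terminates it and relaunches from the golden AMI.
  PuppetMasterAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName: !Ref PuppetMasterLaunchConfig
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      MinSize: '1'
      MaxSize: '1'
      DesiredCapacity: '1'
      LoadBalancerNames: [!Ref PuppetMasterElb]
      HealthCheckType: ELB
      HealthCheckGracePeriod: 600

  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90

  # Every accepted and rejected flow in the VPC, for detection and forensics.
  VpcFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceType: VPC
      ResourceId: !Ref VpcId
      TrafficType: ALL
      LogGroupName: !Ref FlowLogGroup
      DeliverLogsPermissionArn: !Ref FlowLogRoleArn
```

Two checks a practitioner should make before relying on this. First, the listener is plain TCP on purpose: Puppet agents authenticate to the master with client certificates, so a load balancer that terminates TLS would break agent authentication and must not be used here. Second, auto healing only works if the golden AMI carries the master's CA key and the certificates it has signed; a replacement launched from an image baked before those existed would come up with a fresh CA and every agent would reject it, which is why the Business Impact section's point about keeping the master's stateful data paired with the Git server matters. With flow logs on TrafficType ALL, any REJECT record on port 8140 whose source is not a member of the agent group is a direct signal that something outside the intended layer is probing the master.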
Business Impact
- By leveraging AWS services, the customer's environment became robust and stable
- A production-grade Puppet master server is functional and is backed up on a regular basis
- Sensitive and stateful information related to the Puppet master's functionality is maintained and paired with the in-house Git server, making it an enterprise-grade DevOps process
- Provisioning and configuring existing and new infrastructure has been reduced to one click, ensuring minimal downtime
About SecureKloud