Use Case :
Banking and financial enterprise applications on Windows IIS and MS SQL with containerized workloads.
About the Customer :
The organization is one of the premier asset management companies in India, with over 20 years of track record of investment excellence a 152-year-old Indian financial firm.
The organization is one of the oldest and most respected financial services firms in India.
The firm commenced its stock broking business in the 1860s and the family behind the group has been very influential in the growth and professionalization of capital markets and money management business in India.
Product Landscape includes,
- Tax server Funds
- Equity Fund
- Healthcare Fund
- Small Cap Fund
- US Flexible Equity Fund
Third Party Tools Used :
- Third Party Monitoring using Site 24 x 7.
- Incident management using Fresh Service.
- Backup using native snapshots and enterprise grade Commvault.
- Access management using Arcos.
- Next Generation firewall Palo Alto Pan OS 9.0.1 .
- Firewall and log management using Minemeld.
- Third party software as a service Cloudflare WAF.
- New Relic Application monitoring.
Enterprise focused on premier finance Management,
|1||Windows 2008 R2 Datacenter edition
(Custom Hardened Image)
|MSSQL Standard Edition 2012|
|2||Windows 2012 R2 Datacenter edition (Custom Hardened Image)||MSSQL Standard Edition 2014|
|3||Amazon EKS Images||Postgre SQL RDS 11.5|
|4||Windows 2016 Datacenter Edition (Custom Hardened Image)||MSSQL Standard Edition 2014|
|5||Centos 7||Oracle RDS Standard 12.0.2|
Challenges and Roadblocks :
- Achieve a flexible, state-of-the-art infrastructure to address challenges and match growth;
- Improve performance and availability.
- On-premises Scalability Challenge: Since Enterprise Company in consumer finance segment, have unpredictable workload, hence they want the architecture and resources to be scalable.
- Increased Agility and use of advanced technologies: Usage of high scale data analysis, Kubernetes and AI based services is very difficult to manage on-prem.
- Enterprise grade security with third party proven integrations.
- Near Disaster recovery with high availability.
- Rigorous application monitoring and load testing to be done before finalizing application stack for their various business units.
- Faster GO-to Market rate: For multiple application hosting on Amazon web services with a mixture of IAAS and
- Modernization of legacy monolithic applications.
- Moving away from licensed based databases and adopt cloud native databases like Amazon Aurora in the long run.
- Long term retention in archival and easy retrieval of data for audit & compliance management
- Using RDS for reduced RTO and RPO.
- Building a Hybrid cloud strategy with a Hub and Spoke model as per RBI guidelines.
Proposed Solution :
Dedicated and Cloud Servers, High Availability, Load Balancers.
Considering Enterprise requirements, we proposed AWS based solution considering following requirements.
- High availability & Scalability
- Performance & reliability
- Cost Optimization
Key solution design features include following :
Hosting monolithic IIS MSSQL standard application on amazon web services using the below well architected standards.
- Creating a single source of truth – Separate landscape for production and non-production environment for isolation.
- Using Next generation firewall for protection against generation 5 attacks.
- Communication of App and DB traffic via NGFW.
- Identity and access management with least privilege mechanism and MFA for the user credentials.
- Configuring SQL log shipping for HA and Near DR.
- Configure Direct connect using different ISP for redundancy
- Configured high availability for required applications and placed then behind the internal application load balancer.
- VPC endpoints are required to access AWS services privately from AWS LAN network instead of letting them traverse internet. Example of such services are, EKS cluster, AWS S3.
- Configured VPC flow logs to monitor traffic coming in to the NIC of the server and outgoing traffic.
- Snapshot policy for all the servers apart from the Commvault backup that has been configured on a virtual machine.
- Application servers configured at multiple AZ with load balanced using AWS Application load balancer.
- CloudTrail logs for the user activity logging has been enabled for Customer account and the logs are moved to S3 bucket for audit purpose and long-term retention.
- Kubernetes Cluster deployment
- Servers are configured with auto start /stop mode for cost optimization.
- Production servers accessed restricted via bastion hosts for additional layer of security.
- Configured Lambda for achieving custom DNS query resolving from on-premises to Application load balancer.
- Configured AWS inspector for findings that are non-compliant to CIS benchmarks in the architecture components deployed.
- Using AWS Config for CMDB management
- Configured Guard Duty for analysis of DNS, VPC and CloudTrail logs
- Configure Snapshot Lifecycle Policy for the servers in AWS.
Architecture Deployed :
Why Amazon Web Services :
Amazon web services is a pioneer in the field of open source technological integrations.
- Migration using Cloud Endure is the most efficient way of moving on-premises workloads to cloud with minimum problems.
- Customer wanted near DR, hence having multiple availability zones was a perfect fit.
- AWS integration with marketplace items like Cloudflare and Palo Alto Pan OS, Minemeld
- Segregation of workloads into multiple accounts for additional layer of access management.
- Well Architected framework as a value add for filling in the gaps that occur during large scale migrations
- An AWS Network Competency and Security Competency approved solution that complements native AWS security with real-time threat and data theft prevention
- Dynamic and large-scale deployments can be protected using Guard Duty, AWS Inspector, Config, CloudTrail, AWS Trusted Advisor.
- Amazon Guard Duty and AWS Security Hub integration enables the VM-Series to automatically block potentially malicious activity.
AWS Services Used :
Following services have been used in AWS cloud,
- Amazon Identity and access management
- Amazon Simple storage service
- Amazon EC2
- Amazon VPN
- Amazon Relational Database service
- AWS Trusted Advisor
- Amazon CloudWatch
- Amazon KMS
- Amazon CloudTrail
- Amazon Flow log
- Amazon Guard Duty
- AWS Config
- AWS Inspector
- Amazon CloudFormation
- AWS Elastic Kubernetes service
- AWS Lambda
- AWS Relational Database service
- AWS Glacier
Operational Excellence :
Cloudxchange.io has own service desk web portal for managing the incidents, alerts, sending alerts to user. Cloudxchange.io will provide 24 X 7 help desk support (Phone, Email & web based) to customers. Cloudxchange.io help desk will support customers to address problems related to solution. The Service Desk application includes all direct interaction between a user and the service desk by phone or by Email-ID. It also includes all user activities that occur by use of the self-service Web portal.
Functionality includes :
- Incident management, users can raise tickets via email, self-service portal, phone, or in person as per ITIL standards.
- SLA Management & Self-Service Portal.
- Service Catalog.
- 24*7 Customer Hotline support through chat, Mobile hotline and email.
- Enterprise Grade Next generation firewall implementation (Palo Alto).
- Protection against generation 5 cyber attacks
- Firewall IPS
- Application Control
- Antivirus and Anti-Bot
- Threat Extraction & Threat Emulation
- Advanced Threat Prevention
- Data Encryption at rest using advanced ciphers.
- Data Security in Transit.
- Certificate Offload.
- Access management using Arcos and Active Directory.
- Identity and access management policies with least privileges and Role based access control.
- Landscape segregation – Multi Account with Hub and spoke model.
- Creating single source of truth for application deployment.
- Security baseline logical network segregation.
- Standardized CIS benchmarks for platform and operating system security.
- Database security with CIS benchmark standards.
- Native cloud defined software defined network security.
The Benefits & Outcome :
- Free-up IT resources: Improve efficiency by freeing up valuable financial and staff resources.
- Reduced Capital Expenditures: no longer needs to acquire, enterprise backup software, or hardware system. This eliminates the burden of budgeting for capital equipment well in advance as well as the capital expense.
- During critical events quick response and resolution as everything is software defined.
- Reduced Go to market time.
- Increased Agility and Business focus.
- Scalability, Security, availability and resiliency.
- Higher availability, increased security and greater efficiency to deliver greater visitor experiences.
About the Partner :
- Cloudxchange.io is an Advanced consulting partner in Amazon web service (AWS) Partner network (APN).
- Our wide range of Cloud based offerings with comprehensive services and cost-effective approach will help you meet your technology and business objectives.
- io’s Managed Services for public clouds delivers 24 x 7 monitoring and management services by experienced administrators who are experts in supporting public cloud environments. As an official technology partners with leading public cloud service providers, we provide the much-needed technical support complimenting the infrastructure and support provided by leading public cloud service providers.
- With Cloudxchange.io’s Managed Services, you can rest assured knowing that your cloud infrastructure is fully managed and optimized for your business needs. Cloudxchange.io provides expert technical support with pay-as-you go managed services and improved ROI on your cloud investments.