Financial Ruler is a comprehensive financial planning and management platform that is looking at moving to the cloud to tighten security around its data and architecture while ensuring reliability and performance efficiency, as well as cost and compliance optimization. LTI was engaged to restructure and migrate its infrastructure to AWS for higher availability and scalability.
The client is an all-inclusive social media platform for financial planning that offers services such as asset management, budgeting, retirement planning, and managing your financial data repository all under one roof. They also provide financial projections by converting available complex data into easy-to-view reports and charts along with augmented intelligence tools via integrated technologies to enhance their clients’ usage and experience.
The client is currently running its day-to-day business operations on an external network system and is planning to migrate and host its existing applications in the AWS cloud mainly for future scalability, reliability and high availability.
LTI, a premier and trusted consulting partner of AWS, was to re-architect the client’s applications by setting up highly available application and database layers, helping them migrate to the cloud efficiently with minimal downtime and optimum infrastructure security.
LTI’s cloud experts engaged with the customer to understand their requirements, application setup, current architecture and network in order to draft a suitable cloud migration strategy.
LTI also facilitated assessment and scalability of the entire architecture on cloud along with devising a progressive plan of action for security and compliance, establishing database high availability and minimizing overall infrastructure costs.
Currently, the application is a monolithic setup in which the application and database are both hosted on a single physical server.
LTI proposed re-architecting the current setup into a three-tier architecture by splitting the web, application and database servers, rebuilding it as a service-oriented, scalable design.
This method helps organizations to take full advantage of cloud-native capabilities. In this case, the proposed AWS architecture has allowed them to easily add capacity, strengthen security and accelerate productivity.
The AWS setup
Using root accounts for deployments is not advisable as per AWS recommended security best practices. To securely access different AWS services, MFA-enabled IAM accounts with least-privilege access were created, and users were given access only to the services they needed. This ensured an additional layer of security was in place in case credentials were compromised.
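As an added illustration of the point above (this is example code, not the case study's or LTI's own configuration), the policy below denies every action unless the session was authenticated with MFA, and a small offline check flags the least-privilege mistakes that leak the most when credentials are stolen. The Sids, log-group ARN and account id are placeholders; the condition key `aws:MultiFactorAuthPresent` and the `iam:`/`sts:` actions are real AWS identifiers.

```python
# Added example (not from the case study): an IAM policy that denies every action
# unless the session was authenticated with MFA, next to an offline check for
# least-privilege mistakes. Sids, the log-group ARN and the account id are
# placeholders; aws:MultiFactorAuthPresent and the iam:/sts: actions are real.

MFA_ENFORCED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # narrow Allow: only what the deployment user needs (hypothetical scope)
            "Sid": "AllowAppLogsReadOnly",
            "Effect": "Allow",
            "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*",
        },
        {   # Deny everything without MFA, except the calls needed to enrol a device
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings as strings; an empty list means the checks passed."""
    findings, mfa_guarded = [], False
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt["Effect"] == "Allow":
            if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
                findings.append(f"{sid}: Allow grants a wildcard action")
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"{sid}: Allow applies to every resource")
        elif stmt.get("Resource") == "*":
            cond = stmt.get("Condition", {}).get("BoolIfExists", {})
            mfa_guarded |= cond.get("aws:MultiFactorAuthPresent") == "false"
    if not mfa_guarded:
        findings.append("no account-wide Deny for sessions without MFA")
    return findings
```

Attach the policy to the IAM users or groups used for deployments; `audit_policy` is the kind of check that can run in CI against every policy document before it is applied.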
AWS Web Application Firewall (WAF) was set up to secure the web applications hosted on AWS from hacks and cyberattacks.
A NAT gateway was provisioned in a VPC with public and private subnets to enable outbound Internet access for servers in the private subnet. The network was designed with appropriate CIDR ranges, subnets and route tables.
LTI helped configure Network Access Control Lists (NACLs) based on the security requirements to control traffic at the subnet level, with rules that permit traffic only from the required IP addresses.
LTI created security groups to control traffic at the VM layer and opened only the required ports with least access. IP whitelisting for various third-party providers was also handled at the security group level.
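The subnet-level NACLs described above have two properties that often surprise people: rules are evaluated in ascending rule-number order with the first match winning, and they are stateless, so return traffic needs its own rule. The following added example (not part of the case study, rule set and address ranges constructed from RFC 5737 documentation prefixes) models that evaluation so the effect of rule ordering can be checked offline before touching the real ACL.

```python
from ipaddress import ip_address, ip_network

# Added example (not from the case study): how an AWS network ACL decides on a
# packet. Rules are evaluated in ascending rule-number order, the first match
# wins, and anything unmatched hits the implicit final deny. NACLs are stateless,
# so return traffic on ephemeral ports needs its own rule. The rule set and the
# address ranges below are constructed (RFC 5737 documentation prefixes).

# (rule number, protocol, (from_port, to_port), source CIDR, action)
INBOUND_RULES = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),       # public HTTPS
    (110, "tcp", (22, 22), "203.0.113.0/24", "allow"),    # admin range only
    (120, "tcp", (22, 22), "0.0.0.0/0", "deny"),          # explicit SSH deny
    (130, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),    # ephemeral return ports
]


def evaluate_nacl(rules, protocol, port, source_ip):
    """Return (rule_number, action) of the first matching rule, or ('*', 'deny')."""
    src = ip_address(source_ip)
    for number, proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto == protocol and lo <= port <= hi and src in ip_network(cidr):
            return number, action
    return "*", "deny"   # the implicit final rule of every NACL


def renumber(rules, old, new):
    """Copy of the rule set with one rule moved to a different rule number."""
    return [(new if n == old else n, p, ports, c, a) for n, p, ports, c, a in rules]


if __name__ == "__main__":
    # Admin SSH is allowed at 110 before the blanket deny at 120 ...
    print(evaluate_nacl(INBOUND_RULES, "tcp", 22, "203.0.113.5"))
    # ... but if the deny is renumbered below the allow, first match blocks admins too.
    print(evaluate_nacl(renumber(INBOUND_RULES, 120, 105), "tcp", 22, "203.0.113.5"))
    # The ephemeral-port allow also admits new inbound connections to any high port,
    # which is why the security group on the instance must stay tight as well.
    print(evaluate_nacl(INBOUND_RULES, "tcp", 8080, "198.51.100.7"))
```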
SSL certificates were deployed on the load balancers to protect data in transit. Customers could either bring in their own SSL certificates or use public SSL certificates from AWS for free.
A load balancer serves as the single point of contact and distributes incoming application traffic across multiple targets such as EC2 instances, in multiple availability zones. This elevates the availability of the client’s application.
LTI established the required Config rules, removed the default VPCs across all regions and accounts, and enabled VPC flow logs to capture IP traffic data across the network interfaces in the cloud. VPN tunnels were also to be enabled between AWS, customer locations and data centers.
Enabling CloudTrail helped the client capture all API activities in the account.
LTI provisioned EC2 instances, the virtual servers of the Amazon EC2 service, to run the web applications on AWS infrastructure. They then configured the web and application servers and provisioned EC2 instances for the MongoDB primary, secondary and arbiter setup. MongoDB is a document-oriented, cross-platform NoSQL database for modern applications.
LTI set up auto scaling for the application instances that support it, and took a MongoDB backup to restore the data onto the primary (master) MongoDB instance on AWS, after which replication between the primary, secondary and arbiter MongoDB servers was enabled.
The primary is the only member in the replica set that receives read/write operations. However, a fixed server name cannot be assigned to the primary. A secondary maintains a copy of the primary’s data set and applies operations from the primary’s operations log to replicate data onto its own data set. Arbiters are MongoDB instances that are part of a replica set, do not require any dedicated hardware, and do not hold any data. An arbiter can be added to the setup if a replica set has an even number of members.
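The reason the arbiter matters is that a primary can only be elected while a strict majority of voting members can reach each other; with two data-bearing members, losing either one leaves no majority. The added example below (not code from the case study; host names are constructed placeholders) builds the document handed to `rs.initiate()` and checks, for a given set of reachable members, whether a primary can be elected and which members are eligible.

```python
# Added example (not from the case study): why an arbiter is added when a replica
# set has an even number of data-bearing members. A primary needs a strict
# majority of voting members; an arbiter votes but stores no data and can never
# become primary. Host names below are constructed placeholders.


def replica_set_config(data_hosts, arbiter_host=None, name="rs0"):
    """Build the document passed to rs.initiate(); the arbiter is marked arbiterOnly."""
    members = [{"_id": i, "host": h} for i, h in enumerate(data_hosts)]
    if arbiter_host:
        members.append({"_id": len(members), "host": arbiter_host, "arbiterOnly": True})
    return {"_id": name, "members": members}


def needs_arbiter(config):
    """The case study's rule: add an arbiter when the member count is even."""
    return len(config["members"]) % 2 == 0


def can_elect_primary(config, reachable_hosts):
    """True when the reachable members form a strict majority of all voting members."""
    voters = [m for m in config["members"] if m.get("votes", 1) > 0]
    alive = [m for m in voters if m["host"] in reachable_hosts]
    return len(alive) * 2 > len(voters)


def eligible_primaries(config, reachable_hosts):
    """Reachable data-bearing members that could win the election (empty if no majority)."""
    if not can_elect_primary(config, reachable_hosts):
        return []
    return [m["host"] for m in config["members"]
            if m["host"] in reachable_hosts and not m.get("arbiterOnly")]


if __name__ == "__main__":
    two = replica_set_config(["db1:27017", "db2:27017"])
    three = replica_set_config(["db1:27017", "db2:27017"], "arb:27017")
    # Two members: one failure leaves 1 of 2 votes, no primary, set goes read-only.
    print(needs_arbiter(two), can_elect_primary(two, {"db1:27017"}))
    # With the arbiter: 2 of 3 votes survive one failure, so db1 can be elected.
    print(needs_arbiter(three), eligible_primaries(three, {"db1:27017", "arb:27017"}))
```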
Post-migration checks were essential, and LTI ensured an end-to-end application validation was conducted; any issues found in the infrastructure configuration were fixed swiftly.
To enable going live on production, Amazon Route 53, the AWS DNS web service, and Amazon CloudFront were both configured to deliver highly scalable and secure web applications, data and APIs across the globe. AWS WAF provided application protection through its WAF policies. LTI also cleaned up unwanted data logs on the production environment, put the app in maintenance mode, restarted all necessary components, performed application validation and updated the DNS to point to AWS.
AWS Monitoring and Logging
LTI introduced Amazon CloudWatch, which provides infrastructure and application monitoring for all the applications, resources and services that run in the cloud and on-premises. It helps collect operational logs, metrics and events, with automated backups, which can be viewed in consolidated form on dashboards. Appropriate CloudWatch alarms were configured to notify the customer when certain thresholds were crossed, and Amazon SNS was used for the notifications.
The AWS Config service enabled assessment, audit and evaluation of all AWS resources. Config monitored and recorded all AWS resource configurations in accordance with AWS best practices for change management. It can also automate the evaluation of recorded configurations against the expected configurations.
LTI supported AWS infrastructure operations by leveraging AWS services in the following areas:
- Continuous cost optimization through rightsizing EC2 instances, scheduling, upgrading instances to latest generation and deleting unused cloud-based storage volumes.
- AWS Server Management provided 24/7 support for server monitoring, disaster recovery in case of server outage or compromise, speedy response time along with environment and app monitoring.
- Security management was administered via AWS cloud security services that helped the client meet their security and compliance requirements. These ensured data protection and confidentiality, with stringent measures in place against security threats, enabled secure scaling, provided greater visibility and automated security tasks.
- AWS Network Services ensured consistent network availability, data integrity and 24/7 monitoring of cloud infrastructure that can run workloads with high throughput and lowest latency requirements. AWS network capabilities are one of the largest globally and can deliver client applications and content across the world over a private network.
- AWS Backup enables backup policy configurations from a centrally managed console to confirm that application data across AWS services are backed up and secure. It supports automated backup processes and maintains consolidated backup activity logs for all AWS services.
- DR support minimizes downtime and data loss by enabling speedy and reliable recovery of physical, virtual and cloud-based servers into AWS cloud. This simplifies architecture implementation and protects enterprise applications and databases without compromising business continuity.
- AWS Audit Manager provides continuous auditing of AWS usage to assess risk and compliance against industry standards. It provides prebuilt frameworks that are mapped to the client’s AWS resources to check whether regulatory controls are being followed. Audit Manager automates the collection of assessment data on a daily, weekly or monthly basis as per the client’s requirement.
Outcomes
- With the migration to AWS, the client gained a stronger, more secure and more efficient infrastructure. Application and server performance became more consistent.
- The database is now fully secured against unauthorized public access, and static data stored in Amazon S3 buckets is encrypted.
- Moving to the cloud delivered cost optimization by eliminating unnecessary costs and managing expenses without overspending.
- The AWS Well-Architected Framework offered operational flexibility and excellence, took care of monitoring the systems on a continuous and automated basis, and helped recover quickly from any service or infrastructure disruptions.
As a result, the client has realized up to 30% in operational savings and up to 25% in AWS infrastructure savings, while also improving their operational SLAs, security and compliance posture.