Trimble Hosting Services provides global managed IT services for industry-leading ASP and Software-as-a-Service products.
About the Client
The company's application services include applications for mobile resource management, construction machine and construction site management, and precision surveying. Companies use these services to maximize the productivity and efficiency of their mobile workforces and to optimize the productivity of machines and other assets.
After understanding their requirements, use cases and pain points, we proposed an architecture in which the whole setup is redesigned inside Amazon VPC with AWS security best practices in place. We took on the DevOps implementation of their setup on AWS, along with 24/7 managed services, giving the client scalability, high availability, security, DevOps and support.
DevOps on AWS
- The entire stack was provisioned automatically in AWS using AWS CloudFormation templates. CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
- DevOps automation with Puppet, CloudFormation templates (CFT) and PowerShell DSC
- Monitoring with Foreman, integrated with Amazon CloudWatch
- Deployment to the various environments was handled using GitHub
- Load balancing with Elastic Load Balancing (ELB)
- Region-based Puppet master provisioning, i.e. each region has its own Puppet master
- All virtual machines reside within a VPC
- All VPCs are VPC-peered
- Traffic to the Puppet master is routed via private DNS
- The Puppet server resides on a C3 instance running Red Hat Enterprise Linux 6.6 with Hiera 1.3.4, PuppetDB and Facter 2.4.1
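The CloudFormation and Puppet items above, and the per-layer security groups under Design for Security below, can be expressed as one small generated template plus a check that the template actually enforces "layer-specific inbound access only". The following is an added example written for this page, not the client's or the hosting provider's own template; the resource names, the VPC CIDR, the private hosted zone name and the choice of the ELB as the only Internet-facing layer are assumptions. It emits a CloudFormation JSON document for one region's Puppet layer (VPC, ELB group, node group, Puppet master group, private DNS zone) and reports any ingress rule that is sourced from a CIDR on a non-public layer, allows every protocol, or opens a port range instead of a single port.

```python
"""Generate a CloudFormation template for one region's Puppet layer and check
its security groups for least privilege.

Added example; not code from the original page or from the client. Resource
names, VPC_CIDR and PRIVATE_ZONE are assumptions.
"""
import json

PUPPET_PORT = 8140              # Puppet agent -> master (HTTPS)
VPC_CIDR = "10.10.0.0/16"       # assumed regional VPC range
PRIVATE_ZONE = "ops.internal"   # assumed Route53 private hosted zone


def sg(description, vpc_ref, ingress):
    """One AWS::EC2::SecurityGroup resource. Egress is left at CloudFormation's
    default (allow all outbound); inbound scoping is the point here."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": description,
            "VpcId": vpc_ref,
            "SecurityGroupIngress": ingress,
        },
    }


def tcp_from_sg(port, source_sg):
    """Single TCP port, reachable only from members of another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": source_sg}}


def tcp_from_cidr(port, cidr):
    """Single TCP port, reachable from an address range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def build_template():
    vpc = {"Ref": "Vpc"}
    resources = {
        "Vpc": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": VPC_CIDR,
                               "EnableDnsSupport": True,
                               "EnableDnsHostnames": True}},
        # Internet-facing layer: only the ELB takes traffic from anywhere.
        "ElbSg": sg("Public ELB", vpc, [tcp_from_cidr(443, "0.0.0.0/0")]),
        # Application nodes accept traffic only from the ELB group.
        "NodeSg": sg("Application nodes", vpc, [tcp_from_sg(443, "ElbSg")]),
        # Puppet master accepts port 8140 only from managed nodes, so all
        # Puppet communication stays inside the VPC.
        "PuppetMasterSg": sg("Puppet master", vpc,
                             [tcp_from_sg(PUPPET_PORT, "NodeSg")]),
        # Private hosted zone: agents resolve the master by name only from
        # inside this VPC.
        "PrivateZone": {"Type": "AWS::Route53::HostedZone",
                        "Properties": {"Name": PRIVATE_ZONE,
                                       "VPCs": [{"VPCId": vpc,
                                                 "VPCRegion": {"Ref": "AWS::Region"}}]}},
    }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def least_privilege_violations(template, internet_facing=("ElbSg",)):
    """Return (group, reason) pairs for ingress rules that break the
    'layer-specific inbound only' rule: all-protocol rules, CIDR-sourced rules
    on any group other than the designated Internet-facing layer, or port
    ranges. Group-to-group rules on a single port are the expected shape."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if str(rule.get("IpProtocol")) == "-1":
                findings.append((name, "all protocols allowed"))
            elif "CidrIp" in rule and name not in internet_facing:
                findings.append((name, f"cidr {rule['CidrIp']} on port {rule.get('FromPort')}"))
            elif rule.get("FromPort") != rule.get("ToPort"):
                findings.append((name, "port range"))
    return findings


if __name__ == "__main__":
    template = build_template()
    print(json.dumps(template, indent=2))
    print("violations:", least_privilege_violations(template))
```

Run the check in CI before `aws cloudformation deploy`; a later edit that adds `0.0.0.0/0` to the Puppet master group shows up as a finding instead of silently exposing port 8140.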
As an existing AWS customer, this enterprise already had a basic setup sufficient for its limited DevOps requirements, but the limitations of that setup began to hinder its ever-growing infrastructure. To overcome this, they decided to redesign their DevOps/automation architecture so that it could accommodate future growth. They also wanted fault tolerance, by way of high availability, for all the critical components in the design.
AWS provides a set of flexible services designed to enable companies to more rapidly and reliably build and deliver products using AWS and DevOps practices. These services simplify provisioning and managing infrastructure, deploying application code, automating software release processes, and monitoring your application and infrastructure performance. DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.
Design for HA/DR
- HA ensured by using multiple AWS Availability Zones within a region
- Use of fault-tolerant building blocks such as ELB, S3 and SNS for HA
- ELB plus auto-healing of the Puppet master ensures HA for the newly created setup
Design for Security
- Isolated network using Amazon Virtual Private Cloud (VPC)
- Each layer of the architecture is encapsulated in multiple layers of security, comprising network ACLs, security groups and user-account access controls
- All Puppet-related communication is private. Each layer has its own security group in AWS with layer-specific inbound access only; no other port communication is allowed across layers
- VPC peering is configured for inter-VPC communication within the account and across accounts in the same region
- Inter-region VPC communication is made possible via the VPN peering already established and managed by the customer
- AWS IAM and MFA for access control, determining which role can interact with the provisioned services and how
- VPC Flow Logs and CloudWatch Logs for security monitoring
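VPC Flow Logs record only connection metadata (addresses, ports, protocol, byte counts and the ACCEPT/REJECT decision), not payload, so their value for the design above is verifying that the security groups behave as intended. The following added example, not the client's or the provider's own tooling, scans default-format (version 2) flow log records for two things the security list says should never happen: a connection to the Puppet port reaching the master from outside the local and peered VPC ranges, and a source that the master's security group rejects repeatedly. The VPC ranges, the Puppet master address, the reject threshold and the sample records are all constructed for the example.

```python
"""Detect flow log records that contradict the Puppet-layer security groups.

Added example; not code from the original page or from the client. ALLOWED_NETS,
PUPPET_MASTER and SAMPLE_RECORDS are constructed for illustration.
"""
import ipaddress
from collections import Counter

PUPPET_PORT = 8140
# Local VPC plus the VPC(s) peered to it in the same region (assumed ranges).
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("10.20.0.0/16")]
PUPPET_MASTER = ipaddress.ip_address("10.10.0.10")   # assumed

# Default flow log record format, version 2.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one normal agent run, one agent from a peered VPC, one
# external host reaching 8140, three SSH rejects from one node, one single
# reject, one NODATA record and one record not aimed at the master.
SAMPLE_RECORDS = """
2 123456789012 eni-0a1b2c3d 10.10.1.25 10.10.0.10 49152 8140 6 20 4000 1431280876 1431280934 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.5.8 10.10.0.10 49200 8140 6 18 3900 1431280880 1431280940 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.10.0.10 51000 8140 6 3 180 1431280900 1431280960 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.2.40 10.10.0.10 40001 22 6 1 44 1431280901 1431280961 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.2.40 10.10.0.10 40002 22 6 1 44 1431280902 1431280962 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.2.40 10.10.0.10 40003 22 6 1 44 1431280903 1431280963 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.3.9 10.10.0.10 40010 8140 6 1 44 1431280905 1431280965 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1431280900 1431280960 - NODATA
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.10.1.25 52000 443 6 9 700 1431280910 1431280970 ACCEPT OK
""".strip().splitlines()


def parse(line):
    """Parse one record into a dict; None for malformed records or records
    that carry no traffic data (NODATA/SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    rec["dstport"] = int(rec["dstport"])
    return rec


def analyze(lines, reject_threshold=3):
    """Return sources that reached the Puppet port on the master from outside
    the allowed ranges, and sources rejected by the master at least
    reject_threshold times. Only records whose destination is the master are
    considered."""
    external_puppet = []
    rejects = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dstaddr"] != PUPPET_MASTER:
            continue
        if rec["action"] == "REJECT":
            rejects[str(rec["srcaddr"])] += 1
        elif rec["dstport"] == PUPPET_PORT and not any(
                rec["srcaddr"] in net for net in ALLOWED_NETS):
            external_puppet.append(str(rec["srcaddr"]))
    noisy = sorted(src for src, n in rejects.items() if n >= reject_threshold)
    return {"external_puppet_sources": external_puppet,
            "noisy_rejected_sources": noisy}


if __name__ == "__main__":
    print(analyze(SAMPLE_RECORDS))
```

An ACCEPT on port 8140 from a public address means a security group or ACL no longer matches the design and should be treated as a configuration incident, not just a log entry; repeated REJECTs from an internal node usually point at a misconfigured agent or a host probing the master and are worth a look before they are tuned out.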