Electronic Birth Registration System Migration

Arizona Department of Health Services

Problem Statement

The Arizona Department of Health Services (ADHS) is an agency within the State of Arizona with a mission to promote, protect, and improve the health and wellness of individuals and communities in Arizona. ADHS’s Bureau of Vital Records (BVR) is responsible for registering, maintaining, and issuing certified copies of vital records, including birth, death, fetal death certificates and certificates of birth resulting in stillbirth for events that occurred in Arizona. The ADHS BVR and Bureau of Public Health Statistics collaboratively focus on the mission to provide meaningful and timely information on patterns and trends regarding the health status of Arizonians.

ADHS BVR implemented a web-based Electronic Birth Registration System (EBRS) hosted at the State of Arizona Datacenter and managed by ADHS Staff. The system was built using Microsoft Technologies and interacts with external third party interfaces for data exchange. The system is a collection of smaller sub-systems built independently by different vendors and managed by different teams. The apps interact with each other using various protocols like http, sftp, SOAP and REST APIs.

The existing EBRS system had to be migrated to AWS in a short amount time due to the upcoming decommissioning of the State Datacenter while leveraging the benefits of Cloud like Security, Reliability, Cost and Performance efficiency. In order to integrate with 3rd party interfaces some of the servers were placed in the public network, exposing the servers to security threats from the internet. This needed to be remediated by re-architecting in AWS. Multiple FTP deployments were used in the current solution, this needed to be consolidated into one for cost efficiency and reliability. Some server hardware was end of life and needed to be replaced for reliable operation.

ADHS required a solution that would:

  • Migrate EBRS System from On-Premise to AWS.
  • Determine and implement opportunities for consolidation cost savings.
  • Decrease the threat landscape and Improve the overall security posture for the application.
  • Improve visibility into the health of various components by collecting and monitoring, logs and metrics.
  • Procure latest hardware and server instances for reliable operations.
  • Implement automated patching of servers using AWS Systems Manager.
  • Utilize Managed Services where possible like AWS Certificate Manager.

Proposed Solution & Architecture

The solution proposed was to migrate their Virtual Machines (VMs) from the State Datacenter to AWS using AWS Server Migration Service.  Leveraging this service allowed Zuggand to migrate their VM images and convert them into Amazon Machine Images (AMIs) within AWS. Then, EC2 instances were created from the migrated images in private subnets and Load Balancers were placed in the public subnet to receive external traffic for the instance.

Zuggand also enabled the Web Application Firewall (WAF) on the public facing Load Balancers to protect against security threats and attacks.  We also utilized a Network Load Balancer (NLB)  to provide static public IP addresses to external interfaces that cannot utilize a Domain Name Service (DNS) name.

The environment is currently utilizing AWS Systems Manager to keep Windows Server instances up-to-date on patches. For reliability, we consolidated SFTP onto one solution and enabled auto-healing. And finally, we configured the environment to collect logs and metrics from all EC2 Instances and AWS Services into CloudWatch to improve visibility into the health of various AWS components.

Below is the architecture diagram for the overall solution in AWS and a list of AWS services used along with their definitions.

Arizona Department of Health Services - Electronic Birth Records System Architecture Diagram

List of AWS Services Used

The following AWS Services were implemented as part of the solution:

  • AWS Directory Service: Also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.
  • AWS Systems Manager: AWS Systems Manager helps maintain security and compliance by scanning your instances against your patch, configuration, and custom policies. You can define patch baselines, maintain up-to-date anti-virus definitions, and enforce firewall policies. You can also remotely manage your servers at scale without manually logging in to each server.
  • Amazon EC2: A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
  • Amazon EBS: Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale.
  • Amazon RDS: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.
  • Amazon CloudWatch: A monitoring service for AWS cloud resources and the applications that run on AWS.
  • AWS WAF: A web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  • AWS Server Migration Service: AWS Server Migration Service (SMS) is an agentless service which makes it easier and faster for you to migrate thousands of on-premises workloads to AWS. AWS SMS allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations.
  • AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
  • AWS Server Migration Service: AWS Server Migration Service (SMS) is an agentless service which makes it easier and faster for you to migrate thousands of on-premises workloads to AWS. AWS SMS allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations.
  • AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
  • AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
  • AWS Key Management Service (KMS): A managed service that makes it easy for to create and control the encryption keys used to encrypt data.
  • AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

Results

By migrating this critical workload to AWS, ADHS now has a stronger security posture for its Electronic Birth Registration System application.  In addition, they were able to improve the reliability of the workload by enabling self-healing capabilities.

In particular, the agency now can automatically:

  • Spin up new instances of their application if individual instances fail.
  • Patch its critical infrastructure to maintain its security posture.
  • Aggregate logs in a centralized system for the purpose of improving security and performance over time.

Alignment to Well Architected Framework (WAF)

By optimizing the architecture around the five (5) WAF pillars, ADHS was able to gain the benefits of a well-architected design in the cloud:

Cost Optimization:

  • Optimize costs by using Managed services like RDS, Route 53, Certificate Manager, AWS Directory Services etc.
  • Monitor AWS Spend using billing alarms.
  • Right size Instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.
  • Consolidate services into fewer number of EC2 Instances.

Performance Efficiency:

  • Made architectural choices based on cost/budget, business needs and benchmarking.
  • Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
  • Selection of storage solution bases on access patterns, characteristics and requirements.
  • Proactively record and monitor performance related metrics and generate alarm based notifications.
  • Utilize latest EC2 Instance types for better performance at lower cost.

Operational Excellence:

  • Determine priorities by extensively evaluating customer and compliance needs.
  • Ensure operational readiness by training personnel to support production workloads.
  • Identify key performance indicators and define workload metrics.
  • Monitor the performance of resources through metrics collected in CloudWatch.

Security:

  • Enabled AWS WAF to protect application assets from external attacks.
  • Control human access by granting least privileges.
  • Tighten firewall rules to protect compute resources by reducing the blast radius.
  • Regularly scan for vulnerabilities and patching using AWS Systems Manager.
  • Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
  • Protect all data in transit by enforcing SSL encryption and managing SSL Certificates inside AWS Certificate Manager.

Reliability:

  • Regularly monitor and manage service limits with AWS Trusted Advisor.
  • Perform data backups automatically and encrypt it using KMS keys.
  • Define recovery objectives for downtime and data loss use recovery strategies to meet the recovery objectives.

Lessons Learned / Outcomes

The EBRS online solution for ADHS is another mission-critical workload that was migrated to AWS as part of their journey to the Cloud.  The EBRS application is important in that it enable the agency to issue certified copies of vital records, including birth and death certificates, quickly and efficiently to Arizona citizens. Leveraging the AWS Server Migration Service allowed Zuggand to more quickly migrate the application so as to meet the deadlines to migrate out of the State Data Center.

As with most major projects within a large organization, communication with, and support from, all levels of the agency was vital to the overall success of the project.  Zuggand played a critical role in ensuring all levels of the organization understood how the journey to the Cloud would impact them.