AWS Cloud Foundation
Fortune 500 Manufacturing Firm
Fortune 500 Manufacturing Firm successfully deploys its global Cloud platform on AWS
A Fortune 500 manufacturing firm partners with Zuggand to build its new global Cloud foundation on AWS.
“The Zuggand team was very responsive and knowledgeable about AWS. They were a great partner in helping us design a solution that is best for our organization going forward.”
– Enterprise Cloud Architect
This large manufacturing customer is a Fortune 500 company driving energy-efficient innovations, empowering customers to reduce global energy use. The company’s products help engineers solve their unique design challenges in the automotive, communications, computing, consumer, industrial, medical and military/aerospace industries. They operate a world-class supply chain and quality program, and a network of manufacturing facilities, sales offices and design centers in key markets throughout North America, Europe, and the Asia Pacific regions.
Over time, a Fortune 500 Manufacturing Firm (referred to as “The Manufacturer” in this case study, with its name withheld for privacy reasons) developed a number of legacy applications that were designed and architected using traditional frameworks, methodologies and processes. Leveraging the Cloud is an opportunity to start fresh, standardize processes and follow best practices. The Manufacturer wanted to build a strong foundation in the Cloud based on the principles of the AWS Well-Architected Framework (WAF), as well as its security and compliance needs. The foundation allows workloads to be deployed quickly and efficiently, while also enabling teams to experiment and innovate.
The Manufacturer’s IT department serves multiple business units and manages operations across the globe, so the solution needed to give individual business units the ability to manage their own environments, including access, security and billing isolation.
High-Level Requirements:
- Architect a foundation from scratch, following Cloud best practices and the AWS Well-Architected Framework.
- Leverage multiple geographic regions for a global presence.
- Provide security isolation for different departments to minimize blast radius.
- User Identity Federation with the corporate directory to centrally manage access to AWS.
- Automate provisioning of environments using Infrastructure as Code.
- Establish a pipeline for the continuous integration and delivery of code.
- Provide a simple and robust mechanism to maintain adequate separation as well as inter-connectivity between different AWS and on-premises networks.
- Ensure strong isolation of auditing data in an account separate from where workloads are deployed.
Proposed Solution & Architecture
Four AWS geographical regions were selected to support the Manufacturer’s global operations. The network architecture was replicated in all four regions to allow for complete redundancy and sustain a failure without impacting day-to-day operations.
A Multi-Account strategy was adopted to ensure proper cost allocation, agility, and security for the various business units within the Manufacturer. AWS Organizations was used to structure and manage multiple AWS accounts for billing purposes. Dedicated accounts were created for Security, Logging and Shared Services. An AWS Transit Gateway was utilized to easily manage connectivity and routing between VPCs belonging to different accounts. The Transit Gateway also enables attaching VPCs and VPN connections in the same Region and routing traffic between them.
The AWS Landing Zone solution was used to quickly set up a secure, multi-account AWS environment based on AWS best practices. The Account Vending Machine (AVM) was used to automate the creation of new accounts in Organizational Units (OUs) pre-configured with an account security baseline, and a predefined network.
The following are the different accounts that were created as part of the solution:
- Transit: Account for a central Transit VPC that has the Transit Gateway and serves as a global network transit hub to interconnect multiple spoke VPCs running in different accounts that might be geographically disparate, as well as on-premises networks over an IPsec VPN connection.
- Business Unit (BU) Accounts: Accounts to host business-unit-specific workloads.
- Shared Services: Account to manage all users in a single account and enable user and group access to resources in other accounts. This account also houses Active Directory to centrally manage and store user identities and federate IAM users.
- Security: Account for collecting and analyzing security-related data, running compliance scripts and configuring security services.
- Logging: Account to centrally store, secure, and process infrastructure and application logs and configuration data.
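As an added example (not code from Zuggand or the Manufacturer), the following Python models the hub-and-spoke routing described above and checks the blast-radius requirement: BU spoke VPCs must reach Shared Services and the on-premises VPN but never each other. Attachment ids, CIDRs and route tables are constructed placeholders; a real check would fill the same inventory from the Transit Gateway route table listings.

```python
"""Reachability check for a Transit Gateway hub-and-spoke layout (added example,
not Zuggand's or the Manufacturer's code; attachment ids, CIDRs and route
tables are constructed to mirror the account layout described above)."""
from ipaddress import ip_network

# Constructed inventory: attachment id -> CIDR behind that attachment.
ATTACHMENTS = {
    "tgw-attach-shared": "10.0.0.0/16",     # Shared Services VPC
    "tgw-attach-bu-a": "10.1.0.0/16",       # Business Unit A VPC
    "tgw-attach-bu-b": "10.2.0.0/16",       # Business Unit B VPC
    "tgw-attach-vpn": "192.168.0.0/16",     # on-premises network over IPsec VPN
}

# TGW route table each attachment is associated with (used for its outbound lookups).
ASSOCIATIONS = {
    "tgw-attach-shared": "rtb-hub",
    "tgw-attach-vpn": "rtb-hub",
    "tgw-attach-bu-a": "rtb-spoke",
    "tgw-attach-bu-b": "rtb-spoke",
}

# Route tables as (destination CIDR, target attachment). The hub table reaches
# everything; the spoke table deliberately has no routes to other BU spokes.
ROUTE_TABLES = {
    "rtb-hub": [(cidr, att) for att, cidr in ATTACHMENTS.items()],
    "rtb-spoke": [
        ("10.0.0.0/16", "tgw-attach-shared"),
        ("192.168.0.0/16", "tgw-attach-vpn"),
    ],
}


def can_reach(src, dst):
    """True if traffic entering the TGW from src is forwarded to dst's CIDR
    by src's associated route table, using longest-prefix match as a TGW does."""
    dst_net = ip_network(ATTACHMENTS[dst])
    matches = [(ip_network(cidr), att)
               for cidr, att in ROUTE_TABLES[ASSOCIATIONS[src]]
               if ip_network(cidr).supernet_of(dst_net)]
    if not matches:
        return False  # no route: traffic is dropped at the TGW
    _, target = max(matches, key=lambda m: m[0].prefixlen)
    return target == dst


def isolation_violations(spokes):
    """Spoke pairs that can reach each other in either direction (expected: none)."""
    return sorted((a, b) for a in spokes for b in spokes
                  if a != b and can_reach(a, b))
```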
List of AWS Services Used
The following AWS Services were implemented as part of the solution:
- AWS Organizations: AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can use Organizations to define central configurations and resource sharing across accounts in your organization.
- AWS Transit Gateway: AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes.
- AWS Landing Zone: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices.
- AWS Single Sign-On: AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
- Amazon RDS PostgreSQL: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL. Here it was used as the backend database for the Dashboard Application.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- AWS CloudFormation: AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
- AWS Resource Access Manager: AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules with RAM.
The Manufacturer now has a secure and reliable Cloud platform architected following best practices and principles of the AWS Well-Architected Framework. They can now on-board workloads on a strong foundation that is capable of providing standardized and compliant foundational services required to build and run modern applications.
Their new AWS environment provides increased operational visibility and is easier to operate and manage. The pay-as-you-go model, combined with the elasticity of the resources, provides a better Return on Investment (ROI). This in turn will help the manufacturer divert more time and resources towards focusing on their business problems and innovation.
- Infrastructure available on demand globally, without capacity constraints.
- Standardization across all globally spread locations makes manageability simple and outcomes more predictable.
- Moving from CapEx to OpEx Model has given agility to the business along with an efficient use of resources.
- Utilizing managed services like RDS and Lambda has helped the Manufacturer realize a better return on investment (ROI).
- Automation of the delivery pipeline has significantly reduced time to market.
- More time and resources to focus on innovation and delivery instead of maintenance and operations.
- Pay-as-you-go pricing makes experimentation easier than ever, along with access to all the latest and newly added services for IT staff.
Alignment to Well Architected Framework (WAF)
By optimizing the architecture around the five (5) WAF pillars, the Manufacturer was able to gain the benefits of a well-architected design in the Cloud:
- Match supply of resources with demand by provisioning resources dynamically and maximizing utilization.
- Optimize costs by using managed services like RDS, Lambda, Route 53, Certificate Manager, AWS Single Sign-On etc.
- Implement pricing model analysis to choose between Reserved, On Demand and Spot Blocks or Spot Fleet instances.
- Monitor AWS spend using billing alarms.
- Use Trusted Advisor for optimizing resources – instance types and sizes.
- Make architectural choices based on cost/budget, business needs and benchmarking.
- Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
- Selection of storage solution based on access patterns, characteristics and requirements.
- Design your network to minimize the number of ACLs while still meeting requirements. Having too many ACLs can negatively impact network performance, reducing system performance or efficiency.
- Utilizing RDS for the database to reduce the burden of maintenance and management while fulfilling the business needs.
- Determine priorities by extensively evaluating customer and compliance needs.
- Implement application and user activity telemetry that feed live dashboards as well as trigger notifications when anomalies are detected.
- Automate build, deployment, and testing of the workload. This reduces errors caused by manual processes.
- Identify key performance indicators (KPIs) based on desired business and customer outcomes. Evaluate KPIs to determine operations
- Ensure operational readiness by training personnel to support production workloads.
- Manage workload and operations events by using Incident Management tools and communicating health status through dashboards.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Enforce multi-factor authentication through AWS Single Sign-On.
- Centrally manage identities using AWS Directory Service.
- Integrate access management with user lifecycle, to revoke unused and unnecessary credentials when a user leaves or changes roles.
- Grant programmatic access through Roles and Temporary tokens with minimum privileges to reduce the risk of unauthorized access.
- Protect compute resources by defining fine-grained security group rules and by regularly scanning for vulnerabilities and patching using AWS Systems Manager.
- Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
- Protect all data in transit by enforcing SSL/TLS encryption and managing SSL/TLS certificates inside AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Adapt to changes in demand by dynamically provisioning compute resources using Auto Scaling Groups.
- A well-defined disaster recovery strategy, implemented in a different region with recovery objectives for downtime and data loss.
- Utilizing managed services from AWS where possible to improve the reliability and availability of the entire solution in AWS.
- Automated change deployment process, made more reliable using external tools like Jenkins and Git.
- Perform data backups automatically and encrypt them using KMS keys.
Lessons Learned / Outcomes
Making the journey to the Cloud is not only about technology. It is also about people, processes, leadership, culture, standardization, accountability and most importantly – change. Change is hard, but it is also inevitable in today’s rapidly changing world. Large organizations, such as the Manufacturer, can experience a major culture shift when moving to the Cloud. However, the Manufacturer embraced this change with support from its leadership, which was critical to the success of their journey.
Expectations from the Manufacturer’s customers, both internal and external to the organization, have increased and their demand for digital information and services is higher than ever. As a result of working with Zuggand, the Manufacturer now has a Cloud-based platform in which its IT organization can efficiently support its global operations, while also delivering innovation and business value on a larger scale.