Cloud Platform Deployment on AWS
Construction Management Software for Home Builders
Hyphen Solutions built and currently operates BuildPro, the most widely used software-as-a-service application among North American home builders, as well as their suppliers, distributors, and manufacturers. Given the nature of this unique industry, Hyphen has taken great care to make all of our products accessible on almost any device anywhere in the country. The current marketplace demands a real-time solution at all times.
Over the years, Hyphen developed a number of legacy applications that were designed and architected using traditional frameworks, methodologies and processes. Hyphen realized that it had a business need to improve the capacity, performance, scalability and security of its systems infrastructure and applications to better support its customers – both internal and external to the organization. In addition, it was becoming more and more difficult to acquire the necessary CapEx budget to maintain its technology environment.
Hyphen wanted to build a strong foundation in the Cloud based on the principles of the AWS Well-Architected Framework (WAF), as well as its security and compliance needs. The foundation allows workloads to be deployed quickly and efficiently, and enables teams to experiment and innovate.
High Level Requirements:
- Architect a foundation from scratch, following Cloud best practices and the AWS Well-Architected Framework.
- Leverage multiple geographic regions for high availability and disaster recovery.
- Provide security isolation for different departments to minimize blast radius.
- Federate user identity with the corporate directory to centrally manage access to AWS.
- Automate provisioning of environments using Infrastructure as Code.
- Establish a pipeline for the continuous integration and delivery of code.
- Provide a simple and robust mechanism to maintain adequate separation as well as inter-connectivity between different AWS and on-premises networks.
Proposed Solution & Architecture
Two AWS geographical regions were selected to support Hyphen’s operations – Oregon being the primary and Virginia being the disaster recovery region. The network architecture allows for redundancy and can sustain a failure without impacting day-to-day operations.
A multi-account strategy was adopted to ensure proper cost allocation, agility, and security for the various business units within the organization. AWS Organizations was used to structure and manage multiple AWS accounts for billing purposes. Dedicated accounts were created for Security, Logging and Shared Services. An AWS Transit Gateway was utilized to easily manage connectivity and routing between VPCs belonging to different accounts. The Transit Gateway also enables attaching VPCs and VPN connections in the two regions and routing traffic between them.
The AWS Landing Zone solution was used to quickly set up a secure, multi-account AWS environment based on AWS best practices. The Account Vending Machine (AVM) was used to automate the creation of new accounts in Organizational Units (OUs) pre-configured with an account security baseline and a predefined network.
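Accounts placed in an OU inherit the guardrails attached to that OU as service control policies (SCPs), which is how a multi-account design limits the blast radius of any one account. The following is an added example, not Hyphen's or Zuggand's actual policy set: a constructed SCP that pins workloads to the two chosen regions (us-west-2 is Oregon, us-east-1 is N. Virginia), protects the CloudTrail and Config services the Logging and Security accounts depend on, and stops an account from leaving the organization, together with a small offline evaluator that shows which statement would block a given API call. The action names and the region exemption list follow the documented SCP pattern; the evaluator itself is illustrative and supports only the String condition operators the sample policy uses.

```python
"""Offline evaluation of an AWS Organizations service control policy (SCP).

Added example: the policy below is constructed for illustration and is not
Hyphen's or Zuggand's guardrail set. Region codes: us-west-2 (Oregon) is the
primary region and us-east-1 (N. Virginia) the disaster recovery region.
"""
import fnmatch
import json
from typing import Optional

# Constructed guardrail SCP. Global services are exempted from the region pin
# via NotAction, as in the AWS documentation pattern for region restriction.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                    "cloudfront:*", "route53:*", "waf:*", "budgets:*"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "us-east-1"]}}
    },
    {
      "Sid": "ProtectAuditTrail",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                 "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action: str) -> bool:
    # IAM action names match case-insensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    """StringEquals / StringNotEquals only (what the sample SCP uses).
    A negated operator evaluates to true when the key is absent from the request."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def scp_denies(policy: dict, action: str, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement blocking `action`, else None.

    SCPs never grant permissions; this assumes the default FullAWSAccess policy
    is attached alongside, so anything not denied here remains allowed subject
    to the principal's own IAM permissions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:  # NotAction: the statement covers every action NOT listed
            applies = not _action_matches(stmt["NotAction"], action)
        if applies and _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-west-2"}),
        ("cloudtrail:StopLogging", {"aws:RequestedRegion": "us-west-2"}),
        ("organizations:LeaveOrganization", {}),
    ]:
        print(action, ctx, "->", scp_denies(GUARDRAIL_SCP, action, ctx) or "allowed")
```

Run as a script it prints which Sid blocks each sample call. The useful design point is that the region statement uses NotAction rather than Action: listing the global services as exceptions means a new regional service is denied outside the approved regions by default, which is the safer failure mode for a guardrail.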
The following are the different accounts that were created as part of the solution:
- Transit: Account for a central Transit VPC that has the Transit Gateway and serves as a global network transit hub to interconnect multiple spoke VPCs running in different accounts that might be geographically disparate, as well as on-premises networks over an IPsec VPN connection.
- Business Unit (BU) Accounts: Accounts to host Business Unit-specific workloads.
- Shared Services: Account to manage all users in a single account and enable user and group access to resources in other accounts. This account also houses Active Directory to centrally manage and store user identities and to federate them into AWS IAM.
- Security: Account for collecting and analyzing security-related data, running compliance scripts and configuring security services.
- Logging: Account to centrally store, secure, and process infrastructure and application logs and configuration data.
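The hub-and-spoke design above only isolates departments if the Transit Gateway route tables are laid out so that a BU spoke can reach Shared Services and on-premises but has no route to another BU. The following added example (not Hyphen's or Zuggand's configuration; every name and CIDR is constructed) models two TGW route domains and performs longest-prefix-match lookups against them, so the isolation property can be checked before a change is applied. It deliberately models only the TGW layer: VPC route tables, NACLs and security groups, which the real design also relies on, are out of scope.

```python
"""Model Transit Gateway route domains to verify department isolation offline.

Added example, not Hyphen's or Zuggand's configuration. Attachment names and
CIDRs are constructed. Two TGW route tables are modelled:
  spoke-rt  associated with every BU VPC; knows only shared services + on-prem
  hub-rt    associated with the shared-services VPC and the VPN; knows every spoke
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Attachment:
    name: str
    cidr: str         # prefix reachable behind this attachment
    route_table: str  # TGW route table the attachment is associated with


@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]  # destination CIDR -> attachment name


# Constructed topology (addresses are illustrative, not Hyphen's).
ATTACHMENTS = {
    "bu-a-vpc": Attachment("bu-a-vpc", "10.10.0.0/16", "spoke-rt"),
    "bu-b-vpc": Attachment("bu-b-vpc", "10.20.0.0/16", "spoke-rt"),
    "shared-vpc": Attachment("shared-vpc", "10.0.0.0/16", "hub-rt"),
    "onprem-vpn": Attachment("onprem-vpn", "192.168.0.0/16", "hub-rt"),
}

ROUTE_TABLES = {
    # Spokes learn only shared services and on-prem, so BU-to-BU traffic has no route.
    "spoke-rt": RouteTable("spoke-rt", {"10.0.0.0/16": "shared-vpc",
                                        "192.168.0.0/16": "onprem-vpn"}),
    # Hub table: every attachment's prefix, so shared services and on-prem reach all spokes.
    "hub-rt": RouteTable("hub-rt", {a.cidr: a.name for a in ATTACHMENTS.values()}),
}


def next_hop(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over one TGW route table; None means no route (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def path(src: str, dst_ip: str) -> Optional[str]:
    """Attachment the TGW forwards traffic towards when it enters from `src`."""
    table = ROUTE_TABLES[ATTACHMENTS[src].route_table]
    return next_hop(table, dst_ip)


def isolation_violations() -> List[str]:
    """BU pairs that can reach each other through the TGW; an empty list is the goal."""
    bus = [name for name in ATTACHMENTS if name.startswith("bu-")]
    violations = []
    for src in bus:
        for dst in bus:
            if src == dst:
                continue
            probe = str(next(ipaddress.ip_network(ATTACHMENTS[dst].cidr).hosts()))
            if path(src, probe) == dst:
                violations.append(f"{src}->{dst}")
    return violations


if __name__ == "__main__":
    print("bu-a -> shared services:", path("bu-a-vpc", "10.0.1.10"))
    print("bu-a -> bu-b:", path("bu-a-vpc", "10.20.0.5"))
    print("on-prem -> bu-b:", path("onprem-vpn", "10.20.0.5"))
    print("isolation violations:", isolation_violations())
```

Return traffic is covered because the hub table carries every spoke prefix: Shared Services can answer BU-A, while BU-A still has no route to BU-B. Adding a BU-B prefix to spoke-rt, for instance by enabling propagation from all VPC attachments, would show up immediately as an entry in `isolation_violations()`.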
List of AWS Services Used
The following AWS Services were implemented as part of the solution:
- AWS Organizations: AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can use Organizations to define central configurations and resource sharing across accounts in your organization.
- AWS Transit Gateway: AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes.
- AWS Landing Zone: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices.
- AWS Single Sign-On: AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- AWS CloudFormation: AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- AWS Snowball: With a Snowball, you can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3). AWS Snowball uses Snowball appliances and provides powerful interfaces that you can use to create jobs, transfer data, and track the status of your jobs through to completion. By shipping your data in Snowballs, you can transfer large amounts of data at a significantly faster rate than if you were transferring that data over the Internet, saving you time and money.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
- AWS Resource Access Manager: AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules with RAM.
- AWS Key Management Service (KMS): AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
- Amazon CloudWatch: Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
- AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN comprises two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
- AWS Direct Connect: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations.
List of Third Party Services Used
Third Party Services that were implemented as part of the solution:
- Rubrik: Rubrik Cloud Data Management delivers backup, replication and DR, search, archival, analytics, and copy data management for your cloud-native, hybrid cloud and data center applications in one software fabric.
- Zayo: CloudLink by Zayo, paired with Direct Connect, provides a low latency and secure connection to AWS from a customer’s enterprise location or data center to any of over 50 AWS on-ramps globally.
Hyphen now has a secure and reliable Cloud platform architected following best practices and principles of the AWS Well-Architected Framework. They can now on-board workloads on a strong foundation that is capable of providing standardized and compliant foundational services required to build and run modern applications.
Their new AWS environment provides increased operational visibility and is easier to operate and manage. The pay-as-you-go model, combined with the elasticity of the resources, provides a better Return on Investment (ROI). This in turn will help Hyphen divert more time and resources towards focusing on their business problems and innovation.
- Infrastructure available on demand globally, without capacity constraints.
- Standardization across all globally spread locations makes manageability simple and outcomes more predictable.
- Moving from CapEx to OpEx Model has given agility to the business along with an efficient use of resources.
- Utilizing Managed Services like RDS and Lambda has helped GPS realize a better return on investment (ROI).
- Automation of the delivery pipeline has significantly reduced time to market.
- More time and resources to focus on innovation and delivery instead of maintenance and operations.
- Pay-as-you-go pricing makes experimentation easier than ever, along with access to all the latest and newly added services for IT staff.
Alignment to the Well-Architected Framework (WAF)
By optimizing the architecture around the five (5) WAF pillars, Hyphen was able to gain the benefits of a well-architected design in the Cloud:
- Match supply of resources with demand by provisioning resources dynamically and maximizing utilization.
- Optimize costs by using managed services like AWS Single Sign-On, Certificate Manager, RDS, Lambda, Route 53, etc.
- Implement pricing model analysis to choose between Reserved, On Demand and Spot Blocks or Spot Fleet instances.
- Monitor AWS spend using billing alarms.
- Use Trusted Advisor for optimizing resources – instance types and sizes.
- Make architectural choices based on cost/budget, business needs and benchmarking.
- Select compute resources, instance family, type and size based on characteristics, cost and business needs.
- Select the storage solution based on access patterns, characteristics and requirements.
- Design your network to minimize the number of ACLs while still meeting requirements. Having too many ACLs can negatively impact network performance, reducing system performance or efficiency.
- Utilize RDS for databases to reduce the burden of maintenance and management while fulfilling the business needs.
- Determine priorities by extensively evaluating customer and compliance needs.
- Implement application and user activity telemetry that feed live dashboards as well as trigger notifications when anomalies are detected.
- Automate build, deployment, and testing of the workload. This reduces errors caused by manual processes.
- Identify key performance indicators (KPIs) based on desired business and customer outcomes. Evaluate KPIs to determine operations
- Ensure operational readiness by training personnel to support production workloads.
- Manage workload and operations events by using Incident Management tools and communicating health status through dashboards.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Enforce multi-factor authentication through AWS Single Sign-On.
- Centrally manage identities using AWS Directory Service.
- Integrate access management with user life cycle, to revoke unused and unnecessary credentials when a user leaves or changes roles.
- Grant programmatic access through roles and temporary tokens with minimum privileges to reduce the risk of unauthorized access.
- Protect compute resources by defining fine-grained security group rules and by regularly scanning for vulnerabilities and patching using AWS Systems Manager.
- Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
- Protect all data in transit by enforcing SSL/TLS encryption and managing certificates in AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Adapt to changes in demand by dynamically provisioning compute resources using Auto Scaling Groups.
- Define a disaster recovery strategy, implemented in a different region, with recovery objectives for downtime and data loss.
- Utilize managed services from AWS where possible to improve the reliability and availability of the entire solution.
- Automate the change deployment process with external tools like Jenkins and Git to make it more reliable.
- Perform data backups automatically and encrypt them using KMS keys.
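The security practices in the list above (fine-grained security group rules, KMS-encrypted EBS volumes) and the AWS Config description earlier on this page (continuously evaluate recorded configurations against desired configurations) meet in a Config custom rule, which is how a Landing Zone baseline turns a policy into a continuously checked control. The following is an added example, not Hyphen's or the AWS Landing Zone's rule code: a Lambda-shaped custom rule that reads the changed configuration item from `event["invokingEvent"]` and produces the evaluation record Config expects. It treats an EBS volume as non-compliant unless it is encrypted with a KMS key, and a security group as non-compliant if any ingress rule is open to the world on a port other than 443 (the allowed-port set is an assumption for the example). The sample configuration items at the bottom are constructed, and the real `PutEvaluations` API call is left out so the module runs without AWS credentials.

```python
"""AWS Config custom rule (Lambda shape) for two baseline controls, runnable offline.

Added example, not Hyphen's or AWS Landing Zone's rule code. Checks:
  * AWS::EC2::Volume        must be encrypted with a KMS key (data at rest)
  * AWS::EC2::SecurityGroup must not expose anything but 443/tcp to 0.0.0.0/0 or ::/0
The sample events are constructed; a deployed rule would also send the result
with the Config PutEvaluations API, omitted here.
"""
import json
from typing import Dict, List

ALLOWED_PUBLIC_PORTS = {443}          # assumption for the example: only HTTPS may be public
WORLD = {"0.0.0.0/0", "::/0"}


def _public_ranges(perm: dict) -> List[str]:
    """CIDRs in one ipPermissions entry that mean 'anyone on the Internet'."""
    ranges = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    ranges += perm.get("ipRanges", [])  # legacy plain-string form of the same data
    return [r for r in ranges if r in WORLD]


def evaluate_security_group(cfg: dict) -> List[str]:
    """One finding per ingress rule open to the world on a disallowed port/protocol."""
    findings = []
    for perm in cfg.get("ipPermissions", []):
        if not _public_ranges(perm):
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or lo is None or hi is None:   # all protocols / all ports
            findings.append(f"all traffic ({proto}) open to the world")
            continue
        if set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS:
            findings.append(f"{proto}/{lo}-{hi} open to the world")
    return findings


def evaluate_volume(cfg: dict) -> List[str]:
    if not cfg.get("encrypted"):
        return ["volume is not encrypted"]
    if not cfg.get("kmsKeyId"):
        return ["volume encrypted but no KMS key recorded"]
    return []


EVALUATORS = {
    "AWS::EC2::Volume": evaluate_volume,
    "AWS::EC2::SecurityGroup": evaluate_security_group,
}


def evaluate_item(item: dict) -> Dict[str, str]:
    """Build the evaluation record Config expects for one configuration item."""
    checker = EVALUATORS.get(item["resourceType"])
    if checker is None or item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource type not covered or resource deleted"
    else:
        findings = checker(item.get("configuration") or {})
        compliance = "NON_COMPLIANT" if findings else "COMPLIANT"
        note = "; ".join(findings) or "ok"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context=None) -> List[dict]:
    """Custom-rule entry point; returns the evaluations instead of calling PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    return [evaluate_item(invoking["configurationItem"])]


# Constructed sample configuration items (not captured from a real account).
SAMPLE_EVENTS = [
    {"invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False, "kmsKeyId": None}}})},
    {"invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(json.dumps(lambda_handler(ev), indent=2))
```

Running the module prints a NON_COMPLIANT evaluation for the unencrypted volume and one for the security group, whose annotation names the offending 22/tcp rule while the 443/tcp rule passes. Keeping each check as a pure function of the configuration item is what makes the rule testable without an account; the same functions can be pointed at a `DescribeSecurityGroups` or `DescribeVolumes` export for a one-off audit.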
Lessons Learned / Outcomes
Making the journey to the Cloud is not only about technology. It is also about people, processes, leadership, culture, standardization, accountability and most importantly – change. Change is hard, but it is also inevitable in today’s rapidly changing world. Large organizations, such as Hyphen, can experience a major culture shift when moving to the Cloud. However, Hyphen embraced this change with support from its leadership, which was critical to the success of their journey.
Expectations from Hyphen’s customers, both internal and external to the organization, have increased and their demand for digital information and services is higher than ever. As a result of working with Zuggand, Hyphen now has a Cloud-based platform in which its IT organization can efficiently support its operations, while also delivering innovation and business value on a larger scale.