NantEnergy develops innovative and intelligent energy storage solutions that are accelerating the worldwide transition to sustainable and reliable energy. Their proprietary zinc-based rechargeable batteries cost less and function longer than the lead-acid batteries and diesel generators they replace, with far less impact on the environment. NantEnergy’s solutions serve as the core of distributed commercial and industrial energy management systems, remote microgrids, and reliable backup power systems to critical wireless infrastructure.
NantEnergy wanted to move its battery tracking and monitoring system from its own data center into AWS. The goal was to reduce capital expenditure and get a better return on investment (ROI) by using managed services in AWS, which would also provide better reliability, security and performance at a lower cost for infrastructure and operations.
The system was built on Microsoft technologies: Internet Information Services (IIS) for the web servers, Microsoft SQL Server for the database, and Active Directory for domain and identity services. The system receives health data from battery units in the field. It can also issue commands remotely to the battery units in order to perform patching and maintenance tasks. The data is later summarized and reports are generated with SQL Server Reporting Services.
High Level Requirements:
- Migrate the system from On-Premise to AWS.
- Improve the security posture for the application by limiting the blast radius.
- Make the system more reliable by using managed services where possible, such as AWS Directory Service, AWS Systems Manager and NAT Gateways.
- Determine and implement opportunities for cost savings.
- Collect and monitor logs and metrics from the AWS services in use.
Proposed Solution & Architecture
Following discussions with NantEnergy’s technical team, a proposed architecture was designed and implemented. First, Zuggand set up a site-to-site VPN between AWS and NantEnergy’s on-premises environment using AWS Site-to-Site VPN and used AWS Directory Service (AWS Managed Microsoft AD) for Active Directory in the cloud. In addition, IIS web servers were deployed on EC2 instances and the Microsoft SQL Server database on Amazon RDS. Finally, Zuggand configured a public-facing Application Load Balancer to direct web traffic to the web servers, and a Network Load Balancer to provide a static public IP address for the battery units to communicate with (the units in the field are configured with fixed addresses, so the endpoint they call must not change).
As part of the migration strategy, Zuggand used the AWS Server Migration Service to migrate VM images from on-premises to AWS. Then, using an AWS Snowball appliance, Zuggand migrated 7 TB of NantEnergy’s data into AWS.
To maintain the new environment, Zuggand set up AWS Systems Manager to patch and maintain the EC2 instances. Because an Application Load Balancer has no fixed IP addresses, Zuggand also created and scheduled a Lambda function that periodically resolves the Application Load Balancer’s current addresses and updates the IP targets behind the Network Load Balancer’s listeners, so the static endpoint keeps pointing at the web tier. Finally, Zuggand set up CloudWatch Logs and CloudWatch alarms for monitoring and notifications.
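The scheduled Lambda described above, as an added example written for this page rather than Zuggand’s or NantEnergy’s own code. It resolves the ALB’s DNS name, compares the result with the IP targets already registered on the NLB target group, and registers or deregisters only the difference. Two details matter in practice: an empty DNS result must never be turned into "deregister everything", or a transient lookup failure would empty the target group and cut the battery units off; and targets in the draining state have to be treated as absent, otherwise an address the ALB moves back to would never be re-registered. NLB IP target groups accept only private addresses inside the VPC, so the example assumes an internal ALB whose name resolves to private IPs; the environment variable names, the ALB name and the target group ARN are hypothetical.

```python
"""Keep a Network Load Balancer IP target group pointed at an Application
Load Balancer whose addresses change over time.

Added example for this page; not Zuggand's or NantEnergy's code.
Environment variable names, the ALB DNS name and the ARN are assumptions.
"""
import os
import socket
from typing import Dict, Iterable, Set

# Hypothetical configuration, normally supplied by the Lambda's environment.
ALB_DNS_NAME = os.environ.get(
    "ALB_DNS_NAME", "internal-battery-web.us-west-2.elb.amazonaws.com")
TARGET_GROUP_ARN = os.environ.get(
    "TARGET_GROUP_ARN",
    "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/"
    "alb-ip-targets/0123456789abcdef")
TARGET_PORT = int(os.environ.get("TARGET_PORT", "443"))


def resolve_ipv4(dns_name: str) -> Set[str]:
    """Every IPv4 address the ALB's DNS name currently resolves to.

    A lookup failure yields an empty set, which plan_changes() treats as
    'do nothing' rather than as 'the ALB has no addresses'.
    """
    try:
        infos = socket.getaddrinfo(dns_name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def registered_from_health(health_response: dict) -> Set[str]:
    """IPs already in the target group, from a describe_target_health response.

    Targets in the 'draining' state are excluded: they were deregistered on
    an earlier run and must be registered again if the ALB moves back to
    that address.
    """
    return {
        d["Target"]["Id"]
        for d in health_response.get("TargetHealthDescriptions", [])
        if d.get("TargetHealth", {}).get("State") != "draining"
    }


def plan_changes(resolved: Iterable[str], registered: Iterable[str]) -> Dict:
    """Compute the registrations and deregistrations needed.

    Guard: an empty resolution (DNS failure, throttling) plans no change.
    Deregistering everything on a transient lookup failure would empty the
    target group and cut the battery units off from the web tier.
    """
    resolved, registered = set(resolved), set(registered)
    if not resolved:
        return {"register": [], "deregister": [], "skipped": True}
    return {
        "register": sorted(resolved - registered),
        "deregister": sorted(registered - resolved),
        "skipped": False,
    }


def apply_plan(elbv2, target_group_arn: str, port: int, plan: Dict) -> None:
    """Issue the ELBv2 API calls for a plan produced by plan_changes()."""
    if plan["register"]:
        elbv2.register_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in plan["register"]],
        )
    if plan["deregister"]:
        elbv2.deregister_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in plan["deregister"]],
        )


def lambda_handler(event, context):
    """Entry point for a scheduled (EventBridge / CloudWatch Events) run."""
    import boto3  # imported here so the planning functions need no SDK

    elbv2 = boto3.client("elbv2")
    health = elbv2.describe_target_health(TargetGroupArn=TARGET_GROUP_ARN)
    plan = plan_changes(resolve_ipv4(ALB_DNS_NAME),
                        registered_from_health(health))
    apply_plan(elbv2, TARGET_GROUP_ARN, TARGET_PORT, plan)
    return plan
```

The Lambda's execution role needs only `elasticloadbalancing:DescribeTargetHealth`, `RegisterTargets` and `DeregisterTargets` on that one target group ARN, which keeps the function's blast radius small. The schedule interval should be shorter than the ALB DNS record's TTL (60 seconds) so that a scale event on the ALB does not leave the static endpoint pointing at retired addresses for long. AWS has since added `alb` as a native target type for Network Load Balancers, which removes the need for this kind of synchronisation function on new deployments.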
List of AWS Services Used
The following AWS Services were implemented as part of the solution:
- AWS Directory Service: Used here as AWS Managed Microsoft AD, which enables directory-aware workloads and AWS resources to use a managed Active Directory in the AWS Cloud.
- Amazon EBS: Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale.
- Amazon RDS: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.
- AWS Snowball: With a Snowball, you can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3). AWS Snowball uses Snowball appliances and provides powerful interfaces that you can use to create jobs, transfer data, and track the status of your jobs through to completion. By shipping your data in Snowballs, you can transfer large amounts of data at a significantly faster rate than if you were transferring that data over the Internet, saving you time and money.
- AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume; there is no charge when your code is not running. Lambda was used for the scheduled function that keeps the Network Load Balancer’s IP targets in sync with the Application Load Balancer’s current addresses.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- Amazon CloudWatch: Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
- AWS Key Management Service (KMS): AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
The result of this project was that Zuggand successfully migrated NantEnergy’s battery tracking and monitoring system to AWS. As a result, NantEnergy significantly reduced its infrastructure and operating costs while improving the security posture and reliability of the system by using several managed services from AWS.
- Moving from CapEx to OpEx Model has given agility to the business along with an efficient use of resources.
- Utilizing Managed Services like RDS and Lambda has helped NantEnergy realize a better ROI.
- Moving to AWS has significantly improved NantEnergy’s overall security posture and the overall performance of its system.
- More time and resources have become available to focus on innovation and delivery instead of maintenance and operations.
Alignment to Well Architected Framework (WAF)
By optimizing the architecture around the five WAF pillars, NantEnergy was able to gain the benefits of a well-architected design in the cloud:
- Optimize costs by using Managed services like RDS, Route 53, Certificate Manager, AWS Directory Services etc.
- Monitor AWS Spend using billing alarms.
- Right size Instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.
- Made architectural choices based on cost/budget, business needs and benchmarking.
- Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
- Selection of storage solutions based on access patterns, characteristics and requirements.
- Proactively record and monitor performance related metrics and generate alarm based notifications.
- Determine priorities by extensively evaluating customer and compliance needs.
- Ensure operational readiness by training personnel to support production workloads.
- Identify key performance indicators and define workload metrics.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Control human access by granting least privileges.
- Tighten security group rules so that each tier accepts traffic only from the tier in front of it, reducing the blast radius if a single host is compromised.
- Regularly scan for missing patches and apply them with AWS Systems Manager Patch Manager.
- Protect all data at rest using KMS keys to encrypt EBS volumes, snapshots and S3 buckets.
- Protect all data in transit by enforcing TLS and managing the TLS certificates in AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Perform data backups automatically and encrypt it using KMS keys.
- Define recovery objectives for downtime and data loss, and use recovery strategies that meet those objectives.
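The "reduce the blast radius" item above amounts to a tiered allow-list: the internet may reach only the load balancer on 443, the web servers accept only the load balancer’s security group, and the database accepts only the web servers’ security group. The following is an added example, not part of the original case study, of a check that audits `describe_security_groups` output against such a model and flags anything outside it, including rules that open whole port ranges. The group IDs, ports and the sample groups are constructed for illustration; the database port follows the SQL Server default.

```python
"""Audit security group ingress against a tiered allow-list.

Added example for this page; not Zuggand's or NantEnergy's code. The group
IDs, ports and sample data are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

ANY_IPV4 = "0.0.0.0/0"

# Approved ingress: {group_id: {port: set(sources)}}. A source is either a
# CIDR or another security group ID. Hypothetical IDs.
EXPECTED: Dict[str, Dict[int, Set[str]]] = {
    "sg-alb": {443: {ANY_IPV4}},        # internet -> ALB, HTTPS only
    "sg-web": {443: {"sg-alb"}},        # ALB -> IIS web servers
    "sg-db": {1433: {"sg-web"}},        # web servers -> SQL Server on RDS
}


def ingress_rules(group: dict) -> List[Tuple[int, int, str]]:
    """Flatten one group's IpPermissions into (from_port, to_port, source)."""
    rules = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":     # all protocols: every port
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []):
            rules.append((lo, hi, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.append((lo, hi, r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.append((lo, hi, pair["GroupId"]))
    return rules


def audit(groups: List[dict], expected: Dict[str, Dict[int, Set[str]]]) -> List[str]:
    """Return one finding per ingress rule that is not in the allow-list.

    Port ranges are always findings: the model only approves single ports,
    so a rule such as 0-65535 from a trusted group is still over-broad.
    """
    findings = []
    for group in groups:
        gid = group["GroupId"]
        approved = expected.get(gid)
        for lo, hi, src in ingress_rules(group):
            if approved is None:
                findings.append(f"{gid}: not in the tier model, allows {src} on {lo}-{hi}")
            elif lo != hi or src not in approved.get(lo, set()):
                findings.append(f"{gid}: ingress from {src} on {lo}-{hi} is not approved")
    return findings


# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        # RDP left open to the world: a finding.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # All protocols from the web tier: a finding (port range).
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]


def sample_findings() -> List[str]:
    """Run the audit over the constructed sample."""
    return audit(SAMPLE_GROUPS, EXPECTED)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Against a live account the `SAMPLE_GROUPS` list would be replaced by `boto3.client("ec2").describe_security_groups(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["SecurityGroups"]`, and the same function can run on a schedule or as a custom AWS Config rule so drift from the tier model surfaces as an alarm rather than in the next review.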
Lessons Learned / Outcomes
NantEnergy recognized that in order for its business to scale, it would need to move its IoT platform from on-premises to the cloud. Also, as security continues to be a critical issue for most organizations, hardening its infrastructure and overall security posture was a driving factor in the decision to move to AWS.
Through discussions with NantEnergy’s technology team, Zuggand was able to determine they had multiple critical workloads associated with their IoT platform. By leveraging the AWS Well-Architected Review program, Zuggand was able to help offset some of the costs for NantEnergy to migrate its platform to AWS. This was a huge win for NantEnergy as it freed up budget to allocate to their next generation technologies, which will also be built on AWS by Zuggand.