The Arizona Department of Health Services (ADHS) is an agency within the State of Arizona with a mission to promote, protect, and improve the health and wellness of individuals and communities in Arizona. The agency operates various programs in behavioral health, disease prevention and control, health promotion, community public health, environmental health, maternal and child health, emergency preparedness and regulation of childcare and assisted living centers, nursing homes, hospitals, other health care providers and emergency services.
The agency is committed to providing the public and the media with health information in a timely, accurate and helpful manner through its website (www.azdhs.gov) and is continually striving to make this resource a friendlier, easier way of accessing the vast array of programs it provides.
The Arizona Department of Health Services (ADHS) is an agency within the State of Arizona with a mission to promote, protect, and improve the health and wellness of individuals and communities in Arizona. ADHS had developed a Medical Marijuana Verification System that was developed in house and hosted at the State of Arizona Datacenter. The system was developed using Asp.Net on IIS with Microsoft SQL database for the backend.
ADHS wanted to migrate the system to AWS and re-architect to ensure a better security posture for the application by moving the Web Servers into private subnets and introduce a Load Balancer and Web Application Firewall to receive and inspect incoming traffic.
- Accommodate fluctuations in demand with high availability and scalability.
- Reflect and lower the total cost of infrastructure use (i.e. pay only for what you use).
- Improve the overall security posture of the application.
- Include the automated patching of servers.
- Utilize Managed Services where possible.
- Allow for the collection and monitoring logs and metrics from utilized services
The solution proposed was to utilize AWS Server Migration Service to migrate the on-prem hosted Virutal Machines (VMs) imaged to AWS over Direct Connect. The next step was to enable AWS Directory Services for Active Directory and connect it with On-Prem Domain Controllers for Domain services in the cloud. Also, Zuggand utilized AWS Systems Manager to keep windows server instances up-to-date on patches. And finally, the Application Load Balancer along with AWS Web Application Firewall (WAF) was utilized to receive and inspect incoming traffic from the internet and direct it to Web Servers in the private subnet.
Below is the architecture diagram for the overall solution in AWS and a list of AWS services used along with their definitions.
The following AWS Services were implemented as part of the solution:
- AWS Directory Service: Also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.
- AWS Systems Manager: AWS Systems Manager helps maintain security and compliance by scanning your instances against your patch, configuration, and custom policies. You can define patch baselines, maintain up-to-date anti-virus definitions, and enforce firewall policies. You can also remotely manage your servers at scale without manually logging in to each server.
- Amazon EC2: A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
- Amazon Elastic File System: Provides simple, scalable, elastic file storage for use with AWS Cloud services and on-premises resources.
- AWS CloudFormation: A service which gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
- Amazon EBS: Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale.
- Amazon CloudFront: A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds.
- Amazon RDS: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.
- Amazon CloudWatch: A monitoring service for AWS cloud resources and the applications that run on AWS.
- AWS WAF: A web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
- AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
- AWS Key Management Service (KMS): A managed service that makes it easy for to create and control the encryption keys used to encrypt data.
By migrating this critical workload to AWS, ADHS now has a stronger security posture for its Medical Marijuana Verification System application. In addition, the automated scalability of AWS services has enabled efficient and cost-effective management of traffic to the system.
In particular, the agency now can automatically:
- Downscale during troughs and thereby lower costs (pay only for what you use).
- Upscale for high profile events to eliminate ‘systembusy’ responses and provide a seamless, professional customer experience for MMV users.
- Patch its critical infrastructure to maintain its security posture.
- Aggregate logs in a centralized system for the purpose of improving security and performance over time.
The solution has also improved agility, time to market and innovation by:
- Leveraging AWS’s proven infrastructure and builds around available solutions thereby reducing investment and maintenance cost.
- Providing a robust, creative open environment to work.
- Implementing round-the-clock monitoring mechanism that sends all necessary alerts.
By optimizing the architecture around the five (5) WAF pillars, ADHS was able to gain the benefits of a well-architected design in the Cloud:
- Optimize costs by using Managed services like RDS, Route 53, Certificate Manager, AWS Directory Services etc.
- Monitor AWS Spend using billing alarms.
- Right size Instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.
- Made architectural choices based on cost/budget, business needs and benchmarking.
- Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
- Selection of storage solution bases on access patterns, characteristics and requirements.
- Proactively record and monitor performance related metrics and generate alarm based notifications.
- Determine priorities by extensively evaluating customer and compliance needs.
- Ensure operational readiness by training personnel to support production workloads.
- Identify key performance indicators and define workload metrics.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Enabled AWS WAF to protect application assets from external attacks.
- Control human access by granting least privileges.
- Tighten firewall rules to protect compute resources by reducing the blast radius.
- Regularly scan for vulnerabilities and patching using AWS Systems Manager.
- Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
- Protect all data in transit by enforcing SSL encryption and managing SSL Certificates inside AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Perform data backups automatically and encrypt it using KMS keys.
- Define recovery objectives for downtime and data loss use recovery strategies to meet the recovery objectives.
The MMV System for ADHS was the second mission-critical workload to be migrated to AWS as part of ADHS’s journey to the Cloud. The MMV System processes specific transactions that generate a lot of income for the State of Arizona. Ensuring the continuity of the system, while migrating it to AWS, was absolutely critical to the overall success of this project.
This project required, and even demanded, communication with, and support from, all levels of the organization. Executive leadership was involved from the very beginning of the project and communication regarding the progress was constant. Due to the fact ADHS was moving to a shared environment, understanding how each business unit would financially be impacted was a big part of the overall leadership discussion.