Zenventory’s web-based inventory management system delivers inventory management, vendor management, order fulfillment, and more to small and medium-sized businesses and 3PL (third-party logistics) companies, complete with integrations to popular accounting and e-commerce systems.
Ubiquia needed to optimize its Zenventory environment for security, performance efficiency and cost. In addition, Ubiquia was using a bastion host to reach resources in AWS and wanted a simpler, more manageable way to connect. Finally, Ubiquia wanted experts to split the Zenventory platform off from its other two product offerings and isolate it in its own environment.
High Level Requirements:
- Migrate and isolate the Zenventory systems to a new AWS account.
- Improve the security posture for the application by limiting the blast radius.
- Make the system more reliable by utilizing Managed Services where possible like AWS Directory Service, AWS Systems Manager, NAT Gateways, etc.
- Determine and implement opportunities for cost savings.
- Collect and monitor logs and metrics from the various AWS services in use.
Proposed Solution & Architecture
Following discussions with Ubiquia’s technical team, a proposed architecture was designed and implemented. Zuggand set up a new AWS account, migrated the workloads and secured them. AWS Client VPN was set up to provide secure connectivity to the AWS environment, replacing the bastion host.
To support development activities, Zuggand created Amazon WorkSpaces for the staff so they can log in and work remotely from anywhere. To help maintain the new environment, Zuggand set up AWS Systems Manager to patch and maintain the EC2 instances. Finally, Zuggand set up CloudWatch Logs, metric alarms and notifications for monitoring.
List of AWS Services Used
The following AWS Services were implemented as part of the solution:
- AWS Directory Service: Also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.
- Amazon EBS: Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale.
- Amazon RDS: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.
- AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- Amazon CloudWatch: Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- Amazon WorkSpaces: Amazon WorkSpaces is a managed, secure cloud desktop service. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe.
- AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices.
- AWS Key Management Service (KMS): AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
List of Third Party Services Used
Third Party Services that were implemented as part of the solution
- N2WS: Cloud Protection Manager is a leading in-cloud, enterprise-class backup, recovery, and DR solution for AWS.
The result of this project was that Zuggand successfully migrated the Zenventory platform to a new AWS account. As a result of the migration, Ubiquia significantly reduced its infrastructure and operating costs while improving the security posture and reliability of the system by utilizing several AWS Managed Services.
- Utilizing Managed Services like RDS and Lambda has helped Ubiquia realize a better ROI.
- Moving to AWS Client VPN and WorkSpaces has significantly improved their overall security posture and the overall performance of their system.
- More time and resources have become available to focus on innovation and delivery instead of maintenance and operations.
Alignment to Well Architected Framework (WAF)
By optimizing the architecture around the five (5) WAF pillars (operational excellence, security, reliability, performance efficiency and cost optimization), Ubiquia was able to gain the benefits of a well-architected design in the Cloud:
- Optimize costs by using Managed Services like RDS, Route 53, Certificate Manager, AWS Directory Service, etc.
- Monitor AWS Spend using billing alarms.
- Right size Instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.
- Made architectural choices based on cost/budget, business needs and bench-marking.
- Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
- Selection of storage solution based on access patterns, characteristics and requirements.
- Proactively record and monitor performance related metrics and generate alarm based notifications.
- Determine priorities by extensively evaluating customer and compliance needs.
- Ensure operational readiness by training personnel to support production workloads.
- Identify key performance indicators and define workload metrics.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Discontinue using bastion hosts; provide remote access through AWS Client VPN instead.
- Leverage WorkSpaces for anywhere, anytime access to development tools for the staff.
- Control human access by granting least privileges.
- Tighten security group and firewall rules to protect compute resources and reduce the blast radius.
- Regularly scan for missing patches and vulnerabilities and apply patches using AWS Systems Manager.
- Protect all data at rest using KMS keys to encrypt EBS volumes, snapshots and S3 buckets.
- Protect all data in transit by enforcing TLS and managing the TLS certificates in AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Perform data backups automatically and encrypt them using KMS keys.
- Define recovery objectives for downtime and data loss, and use recovery strategies that meet those objectives.
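Three of the security items above (retiring the bastion host, tightening security group rules, and encrypting EBS volumes with KMS keys) are things an operator should verify continuously rather than once. The following script is an added audit example, not code from Zuggand or Ubiquia: it takes data in the JSON shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-volumes`, flags inbound rules that expose SSH or RDP to the whole internet (the exposure a public bastion host would have carried), and flags volumes that are unencrypted or encrypted with a key other than the one you designate. The security groups, volumes, account number and KMS key ARN below are constructed placeholders.

```python
"""Audit security groups for internet-exposed management ports and EBS
volumes for missing or unexpected KMS encryption. Added example; input
matches the output shape of `aws ec2 describe-security-groups` and
`aws ec2 describe-volumes`. All sample data below is constructed."""
import ipaddress
import json

MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP: what a public bastion host exposes


def _world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of 0 covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_management_rules(security_groups):
    """Return (GroupId, port, cidr) for each ingress rule that exposes a
    management port to the whole internet. Handles IpProtocol "-1" (all
    traffic), for which AWS omits FromPort/ToPort, and ignores udp/icmp rules."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue
            exposed = [p for p in MANAGEMENT_PORTS if lo <= p <= hi]
            if not exposed:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _world_open(cidr):
                    findings.extend((sg["GroupId"], p, cidr) for p in exposed)
    return findings


def ebs_findings(volumes, required_key_arn=None):
    """Return (VolumeId, reason) for volumes that are unencrypted or, when
    required_key_arn is given, encrypted with a different KMS key."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], "unencrypted"))
        elif required_key_arn and vol.get("KmsKeyId") != required_key_arn:
            findings.append((vol["VolumeId"], "wrong-kms-key:" + str(vol.get("KmsKeyId"))))
    return findings


# Constructed sample data (placeholder IDs, account and key; not real resources).
REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH only from the Client VPN address range: not flagged.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-01", "Encrypted": True, "KmsKeyId": REQUIRED_KEY},
    {"VolumeId": "vol-02", "Encrypted": False},
    {"VolumeId": "vol-03", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
]


def audit(security_groups, volumes, required_key_arn=None):
    """Run both checks and return a dict of findings."""
    return {
        "open_management_rules": open_management_rules(security_groups),
        "ebs": ebs_findings(volumes, required_key_arn),
    }


if __name__ == "__main__":
    # Replace the samples with json.load() of the two CLI responses
    # ("SecurityGroups" and "Volumes" keys) to audit a real account.
    print(json.dumps(audit(SAMPLE_SECURITY_GROUPS, SAMPLE_VOLUMES, REQUIRED_KEY), indent=2))
```

On the sample data the bastion group and the legacy all-traffic group are flagged, while the application group that allows SSH only from the VPN address range is not. The CIDR test uses prefix length 0 rather than a string compare so that IPv6 and non-canonical spellings are caught the same way; a rule open to a /8 would still pass, so lower the threshold if your policy is stricter.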
Lessons Learned / Outcomes
Ubiquia recognized that in order for their business to scale, they needed to isolate their platform and move it to a new account. Also, as security continues to be a critical issue for most organizations, hardening their infrastructure and overall security posture was a key consideration.
Through discussions with Ubiquia’s technology team, Zuggand was able to determine they had multiple critical workloads associated with their Zenventory platform. By leveraging the AWS Well-Architected Review program, Zuggand was able to help offset some of the costs for Ubiquia to migrate its platform to a new AWS account. This was a huge win for Ubiquia as it freed up budget to allocate to their next generation technologies, which will also be built on AWS by Zuggand.