Weizmann

One of the biggest concerns that the client had been facing was the huge costs they were incurring on a year-on-year basis for mostly the PROD environment workloads being run.

Secondly, they were facing support/configuration change management-related issues with their vendor on a frequent basis which resulted in delays in getting those resolved within the stipulated SLAs thus bringing most of their PROD workloads to a halt & heavily affecting productivity & overall output.

The infrastructure hosted with the third-party vendor had limitations when it came to addressing the overall availability of the services being used with risks of facing unplanned maintenance & downtime, especially during an event of a disaster as the vendor didn’t have a DR setup in place.

Further, they had a concern pertaining to the overall security posture of the infrastructure hosted with their existing vendor & were looking to explore additional security-related services like Web Application Firewall, DDoS protection, Load Balancing, etc. that would maximize their productivity & grow resilience to prone external attacks.

Configuring automatic OS patch updates in place for the workloads hosted on the Servers with their vendor, as they didn’t provide that kind of feature.

With respect to the above challenges, they were in search of a Cloud Service provider capable enough of supporting most of the cloud-native features like dynamically scaling up/down the infrastructure’s resources as & when demand, patching-like features, support for automatic backups daily, and other native tools for provisioning applications in UAT & Production that supported ASP.NET framework.

Customer having single standalone Database Server. All the request were directed to this server, hence utilisation was getting high and they were facing issue related to performance and slowness in data retrieval.

We had the ASP.NET application hosted in the AWS environment in N-Tier architecture type with the Web/App Server in the public subnet while the DB Server had been set up in the private subnet, which was followed by applying Security Group (Network level) firewall rules/ port & IP-based restrictions on to each of them.

A Bastion Host Server was provisioned in the public subnet to allow private connectivity from on-premises to the rest of the instances through RDP protocol for their internal users.

As the client wanted to have high availability configured for their on-premises hosted Active Directory, an Additional Domain Controller (ADC) Server was configured on AWS & added to the primary AD for rest.

We deployed and configured an Application Load balancer (Elastic Load Balancer) in the Production environment associated with EC2 Server. To provide access to external users over the Internet.

Also configured security groups for EC2 instances and updated Inbound/Outbound rules wherever necessary as per client requirements.

We have created two MS SQL Databases as primary and secondary and enabled logshipping between these two servers with high availability.

So now the user traffic is distributed between two Database servers, read operation performed on primary and if we require to fetch any reports then it will be retrieved from read replica server.

As the client needed connectivity from their on-premises location to the AWS network, a Site-to-Site IPsec VPN tunnel using a Virtual Private Gateway & Customer Gateway services were created and configured between AWS and the client’s on-premises network.

For security purposes, we set up WAF and Shield in the AWS environment to protect against the most frequent type of SQL injection / DDoS attacks at the Application layer (Layer 7) and Networking & Transport layer (Layers 3 & 4) for everyone which would prove to be effective in taking preventive measures against the same through intelligent threat detection & response control.

We enabled Amazon CloudWatch as a monitoring service to check the health of the Instances.

Backup policies were configured on EC2 instances, and the backed-up data was later stored as Amazon EBS Snapshots while maintaining a copy of the same within Amazon S3 storage.

For compliance, operational auditing & risk auditing of the AWS account, we enabled the AWS CloudTrail service for logging all types of API calls made to the AWS resources & storing the corresponding data within Amazon Simple Storage Service (Amazon S3).

For data recovery & backup purposes, AMI Backup had been set up for the Servers deployed along with EBS Snapshots respectively.

AWS System Manager was set up for troubleshooting & gaining access to the EC2 Servers through the CLI interface and for managing SSM roles. Also, as part of best practices considering that regular OS patch updates need to be applied onto the Servers provisioned, appropriate IAM roles were used for having the same implemented.

Amazon Web Application Firewall (AWS WAF)

Amazon Shield (AWS Shield)

Amazon Elastic Load Balancer (Amazon ELB)

Amazon Systems Manager (AWS SSM)

Amazon Relational Database Service (Amazon RDS)

Amazon Certificate Manager (Amazon ACM)

AWS Identity and Access Management (AWS IAM)

Windows Server Active Directory

Earlier they were hosting their workload on third-party physical data centre’s, where they were not having any control over the servers. So, they decided to move to AWS cloud taking consideration into account the security offered by AWS Services.

Flexibility to scale up and scale down the Servers as per workload. No limitation on the storage size constraint; can increase the size according to the business need.

By migrating their workload to AWS, they no longer had to have the hassle of being concerned about the availability of services & their defined SLAs since AWS would be having the responsibility of maintaining it on the go

After migrating to AWS, the client no longer faced the limitations to instead go through a rigorous approval process for deploying additional services in their environment while also helping them achieve well-in-time support for any troubleshooting/deployment activities for the infrastructure within the SLAs defined.

By moving some of their workloads hosted on CTRLS DC to AWS, they were able to significantly save upon their monthly expenditure billing costs to nearly 40%, reduce latency of the application hosted by 15% & effectively manage the same as well by rightsizing their resources aligned with AWS best practices.

By using backup storage services that make it easy to centralize and automate the backup of data across AWS services in the cloud as well as on-premises using the AWS Storage Gateway. AWS Backup provides a fully managed, policy-based backup solution, simplifying backup management and enabling clients to meet their business and regulatory backup compliance requirements.

Once implemented, log shipping is quite easy to manage. Typically, the manual failover process takes no longer than 15 minutes, resulting in speeding up the data retrieval time.