Intelliflo – Cloud Environment Case Study.
18/02/2020
Intelliflo – Cloud Environment
Introduction.
The project is characterised as follows:
• Client/Operating Unit – Intelliflo, Invesco
• Industry Vertical – Financial Services
• Products/Services – online applications for Financial Advisors, Mortgage Brokers, and Financial Product Providers
• Case Study Title – Intelliflo, DevOps, Cloud Migration
Intelliflo, part of Invesco, is a provider of online financial services products based in Kingston. Its current market is the United Kingdom, which is being extended to provide a global reach.
The overall project goal was to provide a cloud environment to house the Intelliflo
application portfolio and customer data and thereby service a global customer base,
as opposed to just the United Kingdom.
The migration to a cloud platform was also influenced by a desire to support an increased number of customers and to provide a resilient platform which does not exhibit some of the constraints of the current Disaster Recovery provisions.
Work started in August 2019 and the environment was completed in January 2020, ready for the containerisation and relocation of applications to the environment during 2020.
This case study has been compiled to showcase the project and demonstrate the
DevOps best practices created and implemented for Intelliflo to facilitate a rapid
growth in their business.
The Challenge.
During 2019 Intelliflo were acquired by Invesco, an investment management company.
The acquisition of Intelliflo has seen an increased focus on global markets and a desire
to offer access to applications in Australia, Germany and Canada.
To provide the Intelliflo application suite with a global reach requires that the existing on-premises applications and customer data be migrated to the cloud. This is being undertaken in several phases, starting with the design and implementation of an underpinning environment.
The current application portfolio includes online applications for Financial Advisors,
Mortgage Brokers, and Financial Product Providers based around a Microsoft
technology stack including Active Directory and SQL Server databases.
The cloud environment needs to provide a secure location for the development and automated testing of applications, and for their staging to production through a secure automated delivery pipeline with the associated audit controls.
Intelliflo staff were assigned to the Project team to absorb best practice and the knowledge required to transition the existing service delivery model to a DevOps model.
Key focus areas included:
• application deployments rely on Microsoft SQL Server databases whose credentials are created per application by internal operations, slowing deployment
• storage of unrestricted amounts of Customer data with high levels of availability and redundancy
• support for containerising a large number of applications on scalable hosting platforms
• a central store for infrastructure and application logs, and infrastructure monitoring of containers and virtual machines.
The initial Project Discovery phase identified the following Key Performance Indicators
for the Intelliflo environment:
• Deployment of business applications to Australia, Germany and Canada within a
period of six months
• A product enhancement and release cycle of one hour, catering for a 100% increase in the volume of changes
• Centralised regulatory and compliance controls through a common technology platform and security model
• A platform for the existing application portfolio and its enhancement for at least the next five years
• Increased flexibility and future proofing through a solution landscape defined
using infrastructure as code
• Reduced overall IT operating costs through a DevOps model and shared Cloud
platform.
The remainder of this Case Study focuses on the challenges surrounding creation of the
Cloud environment.
Solution.
DevOps Transformation
The key objective of the DevOps transformation was to provide a Cloud based
environment into which Intelliflo could relocate its suite of on-premises business
applications.
The salient aspects of the DevOps transformation comprised the delivery of:
• Infrastructure Provisioning – a scripted service catalogue for the relocation and instantiation of Intelliflo applications with a global reach (Terraform Cloud)
• Build and Test – repositories and a three-stage delivery pipeline, including
Intelliflo automated testing, to support the delivery and release of changes,
including audit controls
• Release and Acceptance – an automated release process from Pre-production
to Production environments following successful automated tests, which includes
audit controls
• Configuration Management – driven by software development changes using
GitHub and Ansible as the entry point to the delivery pipeline Test environment
• Container Services – catered for by the environment to enable the
containerisation and relocation of Intelliflo application suite
• Monitoring and Tracing – monitoring of Amazon EC2 instances, Amazon S3 buckets and application operational data for troubleshooting
• Identity and Access Management – used as an integral element of the security model to control access to the S3 buckets storing Customer data.
Technology Transformation
Overview
The key objectives of the technology transformation were to create a cloud
environment to host Intelliflo applications and facilitate their access across the globe.
The initial project phase comprises the creation of an environment containing test, pre-
production and production areas, each of which is supported by a separate stage in
the delivery pipeline.
At a conceptual level the environment comprises the following components:
• Environment provisioning
• Delivery pipeline
• Monitoring and audit
• Communications infrastructure.
Subsequent Project phases are planned to perform the containerisation and relocation
of applications and Customer data to the environment created by ECS.
Cloud Environment
Environment provisioning is performed via a service catalogue that enacts a suite of
Terraform ‘runs’ managed through Terraform Cloud and stored in a GitHub repository.
By adopting a modular architecture, changes to individual portions of the environment can be readily accommodated.
The secure storage of unlimited volumes of Customer data across multiple zones with high availability is a key requirement. Consequently, S3 buckets have been used: they have no size limit, and cross-region replication can be rapidly configured. Access to the S3 buckets is restricted using IAM policies and ACLs to implement the required security permissions.
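The bucket hardening described above, as an added Terraform example and not the project's own code: KMS default encryption, S3 Block Public Access in place of ACLs (AWS now recommends bucket policies and leaving ACLs disabled), an application policy scoped to one prefix, and a bucket policy whose explicit denies refuse cleartext transport and non-KMS uploads for every principal. Bucket, key and policy names are assumptions, and the cross-region replication the text mentions is omitted to keep the example short.

```hcl
# Added example, not the project's own Terraform. Bucket, key and policy names
# are assumptions; cross-region replication is left out to keep it short.

resource "aws_kms_key" "customer_data" {
  description         = "CMK for customer data (assumed)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "customer_data" {
  bucket = "intelliflo-customer-data-example" # assumed bucket name
}

# Default encryption under the CMK for anything written without an explicit key.
resource "aws_s3_bucket_server_side_encryption_configuration" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.customer_data.arn
    }
  }
}

# Block Public Access: public ACLs and public bucket policies are refused and
# ignored, so a mis-set ACL cannot expose customer data.
resource "aws_s3_bucket_public_access_block" "customer_data" {
  bucket                  = aws_s3_bucket.customer_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Identity side: the application policy reaches only its own prefix and may use
# the CMK; nothing else in the bucket or the account.
data "aws_iam_policy_document" "app_s3" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.customer_data.arn}/documents/*"]
  }
  statement {
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = [aws_kms_key.customer_data.arn]
  }
}

resource "aws_iam_policy" "app_s3" {
  name   = "intelliflo-app-customer-data" # assumed policy name
  policy = data.aws_iam_policy_document.app_s3.json
}

# Resource side: explicit denies apply to every principal, including account
# administrators, so a generous identity policy cannot bypass them.
data "aws_iam_policy_document" "bucket" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.customer_data.arn, "${aws_s3_bucket.customer_data.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
  # Uploads must request KMS explicitly; a request that omits the header is
  # refused too, so a client cannot silently fall back to another algorithm.
  statement {
    sid       = "DenyNonKmsUpload"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.customer_data.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  policy = data.aws_iam_policy_document.bucket.json
}
```

The split between the two documents is deliberate: the identity policy says what the application may do, the bucket policy says what nobody may do, and only the second survives a mistake in the first.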
The Intelliflo applications are tied to a specific version of SQL Server, which needs to be hosted as a cluster on EC2. Until the Intelliflo applications are approved to hold data in the cloud, Direct Connect will provide connectivity to their on-premises database instances.
A key consideration is Intelliflo's desire to refactor their applications and reduce their reliance on Active Directory. Consequently, AWS Directory Service is used for SSO and AWS WorkSpaces, and Active Directory groups are used by Vault to control access to services.
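How Active Directory group membership can drive Vault access, and how Vault can replace the per-application SQL Server credentials called out under "Key focus areas", as an added example written with the Terraform Vault provider and not the project's own configuration. Hostnames, distinguished names, the AD group and role names are assumptions; the bind and database passwords arrive through variables.

```hcl
# Added example, not the project's own configuration. Hostnames, DNs, group and
# role names are assumptions; the two passwords arrive through variables.

variable "ad_bind_password" {
  type      = string
  sensitive = true
}

variable "mssql_vault_password" {
  type      = string
  sensitive = true
}

# Operators and pipelines log in with their AD credentials over LDAPS; the
# groups a user belongs to decide which Vault policies the token carries.
resource "vault_ldap_auth_backend" "ad" {
  path         = "ad"
  url          = "ldaps://ad.corp.example.local" # assumed domain controller
  binddn       = "CN=vault-bind,OU=Service Accounts,DC=corp,DC=example,DC=local"
  bindpass     = var.ad_bind_password
  userdn       = "OU=Users,DC=corp,DC=example,DC=local"
  userattr     = "sAMAccountName"
  groupdn      = "OU=Groups,DC=corp,DC=example,DC=local"
  groupattr    = "cn"
  groupfilter  = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
  insecure_tls = false
}

# Dynamic SQL Server credentials: Vault holds one privileged login and mints a
# short-lived login per lease, so operations no longer hand-create credentials
# for every application deployment.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "mssql" {
  backend       = vault_mount.db.path
  name          = "intelliflo-mssql" # assumed
  allowed_roles = ["app-readwrite"]

  mssql {
    connection_url = "sqlserver://{{username}}:{{password}}@mssql.intelliflo.internal:1433" # assumed host
    username       = "vault_admin"
    password       = var.mssql_vault_password
  }
}

resource "vault_database_secret_backend_role" "app_rw" {
  backend     = vault_mount.db.path
  name        = "app-readwrite"
  db_name     = vault_database_secret_backend_connection.mssql.name
  default_ttl = 3600  # one hour, matching the release cycle in the KPIs
  max_ttl     = 86400
  creation_statements = [
    "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
    "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
    "ALTER ROLE db_datareader ADD MEMBER [{{name}}];",
    "ALTER ROLE db_datawriter ADD MEMBER [{{name}}];",
  ]
}

# The policy grants exactly one thing: a lease on the database role.
resource "vault_policy" "app_deployers" {
  name   = "app-deployers"
  policy = <<-EOT
    path "database/creds/app-readwrite" {
      capabilities = ["read"]
    }
  EOT
}

# Bind the AD group to that policy. Membership changes in AD take effect at the
# next login without touching Vault.
resource "vault_ldap_auth_backend_group" "deployers" {
  backend   = vault_ldap_auth_backend.ad.path
  groupname = "Intelliflo-App-Deployers" # assumed AD group
  policies  = [vault_policy.app_deployers.name]
}
```

A deployment reads `database/creds/app-readwrite` and receives a login that expires with the lease; the `vault_admin` login is the only long-lived database credential left, and it is held by Vault rather than by a person or a pipeline.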
Applications and servers are accessed and managed via AWS WorkSpaces and Session Manager, not directly from the outside world.
Applications are hosted on AWS EKS using Kubernetes controllers, such as the EFS provisioner, ExternalDNS and the ALB Ingress controller, and are monitored using AWS CloudWatch agents. Harness will be used for all application and infrastructure pipeline deployments. This provides an elegant mechanism for developers to deploy their applications, which can be restricted per area via the associated AWS account. SpotInst Ocean is used to scale the EC2 worker nodes automatically based on load and to avoid EKS maintenance other than version upgrades.
Figure 1 – Environment Overview
The following decisions are reflected in the environment:
• each application has a separate Route 53 record and is reached via load balancers that route to the application hosted on EC2 or to the EKS workers
• Terraform runs are used to provision all AWS resources, with the code held in separate GitHub repositories; state files are stored in Terraform Cloud workspaces
• HashiCorp Vault, running as a cluster on EC2, is used to manage the credentials for applications and deployments
• Consul provides service discovery, combined with a Kubernetes service mesh, to support the clusters running on EC2
• AWS Control Tower is used to manage the master AWS account and the accounts for the test, pre-production and production areas of the environment.
Delivery Pipeline
A three-stage pipeline has been used, comprising test, pre-production and production areas. Its entry point is a software change committed to GitHub; each change triggers an automated build and the functional tests defined and maintained by Intelliflo. Automated functional tests are performed at each stage of the pipeline and, if they pass, the change is automatically progressed to the next stage.
GitHub repositories are used for configuration management, and Jenkins, including its Control Centre, is used to implement continuous integration.
A central shared services account hosts the master Jenkins instance, from which further instances can be provisioned and configured for each area. It is also used to share services such as Active Directory between accounts.
To maintain flexibility, Jenkins scripts have been used to provide modular pipeline elements that can deploy to selected parts of the environment or to all of it.
Figure 2 – Delivery Pipeline
Monitoring and Audit
Application logs, infrastructure logs, EC2 logs and container logs are published to CloudWatch using Fluentd. CloudWatch provides a central indexed location for troubleshooting the logs, see Figure 3 below.
EKS nodes and application pods are monitored using AWS CloudWatch integration and
the AWS CloudWatch agents within EKS. AWS CloudWatch agents are also used to
monitor the EC2 instances, and to display alerts and availability centrally.
Figure 3 – Audit/Logging Infrastructure
Communications Infrastructure
A new communications infrastructure was established to host the Intelliflo environment, comprising subnets for public, management and application traffic within a single VPC in each account, see Figure 4 below.
The management and application subnets host only internally reachable applications and infrastructure, while the public subnet acts as a DMZ in front of the other subnets to control network connectivity.
VPC security groups and NACLs have also been used to restrict inbound and outbound connections, complemented by VPC peering to provide connectivity between accounts.
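The tiered network and the rule that nothing is reached directly from the outside world, as an added Terraform example and not the project's code: three subnets in one VPC, security groups that admit only TLS to the load balancer and only the load balancer to the application tier, no inbound SSH or RDP at all (Session Manager needs only outbound HTTPS from the SSM agent), and a stateless NACL as a backstop. CIDRs, ports and names are assumptions, since the exact layout in Figure 4 is not reproduced here.

```hcl
# Added example, not the project's own Terraform. CIDRs, ports and names are
# assumptions; the exact layout in Figure 4 is not known.

locals {
  vpc_cidr = "10.20.0.0/16"
  subnets = {
    public      = "10.20.0.0/24" # DMZ: load balancers only
    management  = "10.20.1.0/24" # directory, WorkSpaces, shared services
    application = "10.20.2.0/24" # EKS workers and EC2 application hosts
  }
  # Stateless NACL backstop for the application subnet. Lower numbers are
  # evaluated first, so the SSH/RDP denies beat any later broad allow.
  app_nacl_rules = {
    deny_ssh   = { egress = false, rule_no = 10,  action = "deny",  cidr = "0.0.0.0/0",          from = 22,   to = 22 }
    deny_rdp   = { egress = false, rule_no = 20,  action = "deny",  cidr = "0.0.0.0/0",          from = 3389, to = 3389 }
    from_alb   = { egress = false, rule_no = 100, action = "allow", cidr = local.subnets.public, from = 8443, to = 8443 }
    in_replies = { egress = false, rule_no = 110, action = "allow", cidr = "0.0.0.0/0",          from = 1024, to = 65535 }
    out_https  = { egress = true,  rule_no = 100, action = "allow", cidr = "0.0.0.0/0",          from = 443,  to = 443 }
    to_alb     = { egress = true,  rule_no = 110, action = "allow", cidr = local.subnets.public, from = 1024, to = 65535 }
  }
}

resource "aws_vpc" "main" {
  cidr_block = local.vpc_cidr
}

resource "aws_subnet" "tier" {
  for_each                = local.subnets
  vpc_id                  = aws_vpc.main.id
  cidr_block              = each.value
  map_public_ip_on_launch = each.key == "public" # only the DMZ gets public IPs
}

# Terraform strips the default allow-all egress from managed security groups,
# so every permitted flow below is explicit.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "app"])
  name     = "${each.key}-tier"
  vpc_id   = aws_vpc.main.id
}

# Internet -> ALB: TLS only.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["alb"].id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB <-> application tier, referenced by security group rather than CIDR so
# the rule follows the workers wherever they are scheduled.
resource "aws_security_group_rule" "alb_out_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.tier["alb"].id
  protocol                 = "tcp"
  from_port                = 8443
  to_port                  = 8443
  source_security_group_id = aws_security_group.tier["app"].id
}

resource "aws_security_group_rule" "app_in_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.tier["app"].id
  protocol                 = "tcp"
  from_port                = 8443
  to_port                  = 8443
  source_security_group_id = aws_security_group.tier["alb"].id
}

# No inbound SSH or RDP anywhere. Session Manager rides an outbound HTTPS
# connection from the SSM agent, so the tier needs only egress on 443.
resource "aws_security_group_rule" "app_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.tier["app"].id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_network_acl" "application" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.tier["application"].id]
}

resource "aws_network_acl_rule" "application" {
  for_each       = local.app_nacl_rules
  network_acl_id = aws_network_acl.application.id
  egress         = each.value.egress
  rule_number    = each.value.rule_no
  protocol       = "tcp"
  rule_action    = each.value.action
  cidr_block     = each.value.cidr
  from_port      = each.value.from
  to_port        = each.value.to
}
```

Security groups are stateful and carry the intent; the NACL is stateless, which is why it needs the ephemeral-port allows in both directions, and exists only so that a later mistake in a security group does not open 22 or 3389 to the world.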
Figure 4 – Communications Infrastructure
Project Execution
The Project comprised a Discovery phase followed by several Enablement phases. Each phase was undertaken by a self-managed team of DevOps specialists, referred to as a POD, undertaking business and technical transformation activities.
The project team comprised five engineers including a Project Lead, Security Specialist
and Windows Specialist supported by an Agile Coach. The team was located at the
Intelliflo Offices in Kingston to work closely with their DevOps Manager and business
sponsors.
The project comprised the following activities:
• Project Inception, a Discovery phase that identified a significant change in Project scope, as requested by Intelliflo, which was addressed through a solution Road Map
• Project Execution, the completion of fixed-duration Sprints to deliver the required environment through Proof of Concept spikes
• Delivery Management, through the application of a Sprint Backlog populated with agreed elements of the Road Map
• Scope Management, performed using the Road Map against which changes were raised
• Customer Acceptance, performed via demonstrations to the DevOps Manager, Programme Manager and senior business sponsors, and an Acceptance Certificate
• Customer Management, conducted by an ECS Account Executive liaising with the DevOps Manager, and a completed Customer Satisfaction Questionnaire.
Services Used.
The following AWS services were used to deliver the DevOps solution:
Service | Application
AWS Lambda | Various copy, resizing and Intelliflo AWS island
AWS CloudWatch | Monitoring the infrastructure to underpin dashboards
AWS Config | Baseline change alerts and auditing
Amazon EC2 | Provisions virtual machines for non-containerised applications
AWS X-Ray | Ad-hoc container troubleshooting
AWS Control Tower | Provisions new AWS accounts
AWS API Gateway | Implements APIs to EKS/EC2 hosted applications
AWS S3 (Simple Storage) | Stores Intelliflo and Customer documents
AWS IAM (Identity Access Management) | Manages user permissions to AWS resources
AWS GuardDuty | Performs continuous threat detection for provisioned AWS accounts
AWS VPC | Deploys the underlying network infrastructure and layer 3 firewalls
AWS SNS (Simple Notification Service) | Inter-application communication using microservices
Amazon EKS (Elastic Kubernetes Service) | Hosts the majority of applications in Kubernetes pods
AWS ECR (Elastic Container Registry) | Stores container images
AWS Direct Connect | Connects the AWS ecosystem to on-premises applications (migration)
AWS Route53 | Performs external DNS routing and domain purchase via the registrar
AWS SSO (Single Sign On) | Centrally manages access to all AWS accounts
AWS KMS (Key Management Service) | Stores encryption keys for secrets and customer data
AWS EFS (Elastic File System) | Hosts the NFS volume for Jenkins backend storage (initially)
AWS Backup | Performs backups of EFS (fileshares) and EBS (volumes)
Amazon ElastiCache | Hosts Redis caches for applications to store data for rapid access
AWS Secrets Manager | Stores HashiCorp Vault recovery keys and root tokens
AWS Certificate Manager | Manages certificates for domains purchased in Route53
Third Party Solutions.
The following third-party packages augment the application ecosystem.
Solution | Application | Use Cases
Terraform | Infrastructure as Code | Provision AWS resources; deploy Kubernetes Helm charts
Terraform Cloud | Backend state file storage | Provision AWS resources; deploy Kubernetes Helm charts
Artifactory | Image/NuGet package store | Store container images; store NuGet packages
Vault | Secret manager | Store Active Directory secrets; generate Active Directory secrets
Consul | Service discovery | Provide service mesh; merge legacy services
Helm | Kubernetes package manager | Manage Kubernetes applications
SQL Server | Customer database | Manage application database
CloudBees Jenkins | Continuous integration | Orchestrate application life-cycle; promote application software
Metrics for Success.
The deployment of business applications was extended from the United Kingdom to
Asia Pacific (Australia) within six months, with the goal of reaching the remainder of
Europe and North America as quickly as possible.
Application availability has been increased through the greater resilience provided by the Cloud; previously, in a disaster recovery scenario, the user population supported by the fall-back data centre was reduced significantly.
The product change cycle has been reduced from 24 hours to 1 hour and can easily
cater for a 100% increase in the volume of changes (currently fourteen per day), with
improved quality through automated testing.
Regulatory and compliance controls have been augmented through a common
technology platform, security model and centrally managed security controls, which can
also be readily changed to accommodate new security threats.
The technology transformation and the increased flexibility enabled by using
infrastructure as code will provide a platform for the
The Outcome.
The skilling of Intelliflo staff in DevOps practices was constrained by their initial staffing
levels and the level of business as usual activity. This has now been addressed and a
further two staff are being assigned to the project.
Customer changes of scope and in-flight learnings impacted the delivery dates, which was managed through prioritisation and re-scoping. Ideally more technical spikes should have been included to allow for subtleties in the Intelliflo Environment.
ECS recommended the replacement of Bastion Hosts by Amazon WorkSpaces. This was agreed by Intelliflo once it had been confirmed that the required functionality was provided. This decision resulted in reduced effort to deliver and maintain the environment.
The use of Terraform Cloud to provision the test, pre-production and production
environments has significantly reduced the manual effort required to create
environments. These can now be provisioned within minutes through a Service
Catalogue.
The extra work required for the Intelliflo development staff to host their applications in Kubernetes as opposed to EC2 was significant. This included the ALB Ingress, Route 53 and NGINX controllers, all of which required significant levels of testing.
London: Floor 7, 2 More London Riverside, London, SE1 2AP. +44 (0) 207 403 0477
Edinburgh: Apex 3, 95 Haymarket Terrace, Edinburgh, EH12 5HD. +44 (0) 131 543 3215
Glasgow: Parkview House, 6 Woodside Place, Glasgow, G3 7QF. +44 (0) 141 572 3040
Manchester: Bartle House, Oxford Court, Manchester, M2 3WQ. +44 (0) 161 407 0069
India: Office 203, 2nd Floor, Building 2, Commerzone, Survey 144/145, Yerwada, Samrat Ashok Path, Pune 411006. +91 (0) 206 726 0700
Singapore: 8 Wilkie Road, 3-01 Wilkie Edge, Singapore 228095. +65 96830785