We will remediate the following high-priority items in the Security and Cost of Well Architected Review. In order to be eligible for this remediation work, Customer would have to purchase a subscription to nops.io through AWS Marketplace.

1. Secure Root Account with MFA
2. If Root user is used for day-to-day activities, create a new IAM Admin user
3. Secure IAM Users with MFA (MFA option within AWS Console will be used. Integrating with Corporate Identity Server or Single Sign-On Solution is not part of this remediation package)
4. For automated access within AWS, move from IAM Users to IAM roles
5. Remove unused Secrets/Keys associated with IAM Users
6. Help to clean up unused volumes
7. Downsize over provisioned resources
8. Work with Client team to lower IOPS on EBS volumes
9. Help integrate nops.io with Customer’s AWS Accounts and setup appropriate Alerts

    

   TEAMS & RESOURCES INVOLVED:

   Sales Team = 1x
   Project Management Team = 1x
   DevOps Team = 3x
   Client Team = 3x

We will offer Consulting Services to modernize Customer’s AWS Infrastructure. The initial phase of the project will be focused on these items.

1) Integrating a Security Information and Event Management (SIEM) Solution. This can be one of the following options

– Option A) AWS Security Solutions: Integrate AWS GuardDuty, AWS Inspector and AWS Security Hub.

– Option B) AlertLogic SIEM Solution (Customer must purchase this solution)

2) Evaluate and integrate a single-sign on solution (Okta or AWS SSO) for AWS Console Login

3) Move from IAM Users to IAM roles for automated AWS API access

4) If the chosen SSO solution has a LDAP/Active Directory endpoint, integrate OpenVPN with SSO After the initial phase, we will work with Customer to prioritize and plan other items from their DevOps backlog. This includes the following.

• Offering advice on the current architecture and ongoing migration from EC2-based services to Lambda.
• Help with the adoption of Appsync and Cognito We have done a Well-Architected Review on Customer’s AWS Infrastructure.

   

  TEAMS & RESOURCES INVOLVED:

  Sales Team = 1x
  Project Management Team = 1x
  DevOps Team = 2x
  Client Team = 3x

We will build the infrastructure using Cloudformation. We’ll also automate the deployment using CodeStar. After the Cloudformation automation, we will distribute the workload in three AZs, we will spin up a new region in Oregon, and spin up a pilot light environment. The deployment will keep the code in sync for both of the regions.

The client portal is a single-tenant app, and there are about 30 customers. The custom code is currently saved in SVN, the customer will migrate from SVN to GitHub. During the deployment, we will fetch the custom code build custom AMIs.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 2x
Client Team = 2x

The client is looking for us to help with many DevOps projects. Jenkins automation is one of the first projects the Client would like us to tackle. Currently, Jenkins jobs are created manually, Client would like us to build a scalable and fully automated Jenkins environment on ECS. We will be helping with many other DevOps-related projects like building ephemeral environments on AWS and infrastructure automation.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 4x
Client Team = 3x
Layer 1 team = 3x

This project is for developing a new deployment platform for the Client’s web-based solution on existing On-Premises Infrastructure based on Kubernetes Cluster. The project will include

1) Kubernetes Dashboard for web-based Kubernetes user interface

2) Istio as a Service Mesh

3) Kali for Service mesh observability and configuration

4) Prometheus, Grafana, and Alert Manager for analytics and monitoring

5) Dex as an identity service that uses OpenID Connect to drive authentication via OKTA for all applications.

6) Gangway to allow secure access to Kubernetes cluster via Dex

7) Vault for managing secrets and protecting sensitive data

8) Filebeat to post logs to existing ES

9) Jenkins CI/CD Pipeline to do automated deployments on the new platform and to do environment promotions using Jenkins-X Platform

10) WSO2 for API management

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 5x
DevOps Team = 3x

1) Migrating the Application Suite to Kubernetes Platform

2) Using kubeadmin to install and Kubernetes cluster and kubectl to manage it

3) Develop easy-to-install package that utilizes kubeadmin to get Kubernetes cluster installed on end-user’s on-prem network (utilizing one or more machines) and deploy Application Suite on that cluster

4) The main Data Store is a Cassandra Database. There will be an option to deploy the Cassandra database within the Kubernetes cluster (as single node) for development and testing purposes. In production scenario in AWS and on-prem network, Cassandra will setup separately. Application also uses a Relational Database as Data Store. This will be installed separately in all cases.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 2x
Client Team = 2x

Customer recently had a security breach; luckily only the QA environment was affected. Customer is now looking for managed services. But the first month of the engagement Customer wants us to focus on making sure all the security best practices are in place, which were discovered during the well-architected assessment. We will attempt to containerize the infrastructure for managed services through containers, but if for some reason it’s too much work containerizing apps, we will use Opsworks to manage the infrastructure. In addition to building infrastructure with best practices, we will be responsible for doing OS patch management for the production environment.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 5x
Client Team = 2x
Layer 1 team = 3x
Layer 2 team = 2x

Client currently has a pretty simple infrastructure. But the AWS environment is lacking automation, all of the changes are currently done manually, and there are many gaps in security, for example, everything right now running in public subnet. Because infrastructure inefficiencies, Andrew ends up spending about 30-40% of his time on DevOps related tasks. The customer is looking for expert to help them set up the infrastructure with best practices, so it’s easier for Andrew to maintain. There are a couple of apps running in Beanstalk; it would be easier if we migrate them to ECS cluster and make it part of the current deployment pipeline. We will be providing on going DevOps consulting services for Client.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 3x
Client Team = 3x

Client would like to have a unified Deployment Platform for all their Microservices. Their current platform is Elastic BeanStalk with Single Container Docker Environment. Elastic Container Service (ECS) provides a better choice because of flexibility to run a combination of their services on a single ECS Cluster and efficiently make use of EC2 nodes in the cluster. Specialized believes that this will be more manageable with respect to deployments, capacity-planning and auto-scaling. The project is to containerize all Microservices that are used in the Application Stack and to design and implement a new Deployment Architecture on Elastic Container Service (ECS)

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 3x
Client Team = 3x

We will be providing advisory services to Client regarding their EKS infrastructure. Customer’s Application Stack currently runs on EC2 servers and there are about five services. Datastore is on RDS. Customer has containerized all the services in order to migrate to EKS. However, they are facing some technical difficulties getting the services running in Cluster. We will help Customer in finishing this project and get the workload running on EKS. Specifically, we will provide guidance with

1) Terraform code for creation and configuration of EKS Cluster

2) Set up Cluster Autoscaling

3) Attach Deployment steps to existing Jenkins pipeline

4) System Monitoring with DataDog. New Relic APM is currently used and it will be integrated in the EKS setup.

5) Log Aggregation with ELK Stack (or external service like Sumologic, logz.io, etc.).

6) Kubernetes dashboard with Oauth Proxy (without Kubeproxy)

7) Install additional features including route-53 configuration and nginx ingress controller

8) Help with setup of Network Architecture (VPC, Subnets, Peering)

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 2x
Client Team = 2x
Layer1 Team= 5x

1) Migrating the Application Suite to Kubernetes Platform

2) Using kubeadmin to install and Kubernetes cluster and kubectl to manage it

3) Develop easy-to-install package that utilizes kubeadmin to get Kubernetes cluster installed on end-user’s on-prem network (utilizing one or more machines) and deploy Application Suite on that cluster

4) The main Data Store is a Cassandra Database. There will be an option to deploy the Cassandra database within the Kubernetes cluster (as single node) for development and testing purposes. In production scenario in AWS and on-prem network, Cassandra will setup separately. Application also uses a Relational Database as Data Store. This will be installed separately in all cases.

TEAMS & RESOURCES INVOLVED:

Sales Team = 1x
Project Management Team = 1x
DevOps Team = 2x
Client Team = 2x