About the customer
In 1981, two prominent groups, SMIFS Limited & Co. and C. Mackertich, having a legacy of 100 years joined hands to synergies their Expertise and Experience; to emerge and establish themselves as a fine integrated wealth advisory and equity broking house, catering to FII’s, Banks, Corporate’s, HNI’s and Retail clientele.
SMIFS Limited was looking for hosting there LD, PMS & RAKSHAK applications on AWS. All these applications need to run the windows workload with MSSQL as the persistent storage. On premises configuration not properly scaled and enough performant during the traffic spike at morning and afternoon. SMIFS Limited wanted to shift their entire infrastructure where scale up/down won’t be mattering anymore and should be done automatically. Since Workmates have already registered itself as a promising Cloud Consulting Partner in Advance tier, so they helped SMIFS Limited out of this situation by hosting their Windows workload on AWS while managing infra & applications 24X7, so SMIFS Limited now concentrate only in the application development.
Workmates Core2Cloud Solution Approach
- Workmates prepared an AWS account to create all the infra in Mumbai Region
- The initial Infrastructure consisted of LD, PMS and RAKSHAK Servers and MSSQL Server running on EC2 on Windows. All Server Sizing was initially taken based on the current sizing and its utilization shared by the customer. Based on the utilization reports in CloudWatch Servers were scaled up or down.
- Workmates team created all the required infra in SMIFS Limited AWS a/c. To facilitate secure connectivity, we provisioned two separate network segments namely public and private and Network Access Control Lists (NACLs) were used to control traffic at the subnet level. And NAT gateway was used for in stances in private network to have access to internet.
- All the servers were placed in private subnet and ELB (Elastic Load Balancer) was on internet facing. With ALB one would get the SSL certificate and it would protect and manage the external threat of their internal IP’s from exposing to internet. ALB would be used as per the application team’s requirement.
- Users were linked their client applications to their respective client machines via the local IP of the VM instance via the VPN tunnel
- Servers could be accessed only over SSL-VPN. All the VPN users were provided with secured keys for accessing the servers
- The public facing network (public subnet) contained one NAT gateway for upgrades patches and occasional system updates to the hosted machine
- The Application and Database server were hosted on the non-internet network i.e., private subnet) with a network route configured to the NAT gateway and the VPN subnet
- To protect unwanted access to backups we had created S3 bucket which was KMS encrypted (AWS managed).
- The servers were configured with the latest update of Windows Server OS with one additional SSD volume
- We provisioned a scheduled task that took a backup of the primary data store on the MSSQL DB to S3
- Our approach towards data backups and AMI snapshots were ensure complete data availability. Two lambda functions had been created for these operations.
- Another two lambda functions had been created to notify the users in case Instances are failed to start/stop
- AWS Config was enabled, and all the AWS recommended config rules were created
- Periodic patching of the servers was done via AWS SSM Patch Manager
AWS Services used:
EC2, EBS, ALB, Route53, S3, CloudFormation, CloudWatch, IAM, Config, Systems Manager, NAT gateway, Lambda, SNS, KMS, SES
Application Stack used:
- MS SQL Database on EC2
- Windows Server run on EC2
- AWS Multi-Factor Authentication for privileged accounts, including options for hardware/Software based authenticators was enabled.
- Using IAM we restricted users and group to access specific AWS resources only as per the requirement.
- All the SSH port were bind with OpenVPN server, also default ports were changed to the custom port.
- DB was accessible only through the Application containers and through the VPN. All servers were hosted on the private subnet.
- All the Data on Rest was encrypted using AWS KMS. EBS volumes of EC2 and all S3 buckets were encrypted.
- Trusted Advisor Checks were carried out every week ensure all the security checks are used.
- For Configuration Management and Policy as a Code, AWS Config was used, which helped us detect any configurations drift within the AWS Account.
- Quarterly Patch Management and Patch Automations was carried out using AWS SSM. During patch all the security patches, OS critical patches were applied.
Results and Benefits
SMIFS Limited is now able to cope up the traffic spike during morning and afternoon with more customers login to their in-house solution. Also, on AWS, they can quickly scale their production stack as dynamically as their workloads scale.
CloudWorkmates finished the project on-time and under-budget delivering a scalable and highly available infrastructure with no single point of failure. SMIFS Limited was happy with the deliverables and the executed timeframe.