AlphaGrep: Migrating and Deploying a Highly Available Enterprise Grade Environment in AWS
Challenges
AlphaGrep is a global organization specializing in trading and investments. AlphaGrep partnered with Searce to migrate its existing enterprise environment to AWS with the highest grade of resilience, security and compliance.
AlphaGrep wanted to improve monitoring, minimise downtime, set up resilient, highly available application architectures, and use managed services for its use cases, giving it easier maintenance, business continuity, a cost-effective setup, and minimal operational overhead for its critical applications. The AlphaGrep team needed the following in the new architecture:
- Set up 50+ servers on AWS that had been hosted on large compute-optimized servers
- Landing zone for centralized access to their accounts
- Automatic Account provisioning
- Enhanced threat detection and remediation using guardrails
- Enhanced monitoring using CloudWatch and CloudTrail
- More than 100 AWS WorkSpaces for their employees
- Automated patching to minimize downtime and ensure compliance of EC2 instances and WorkSpaces
- Enhanced security of WorkSpaces by implementing MFA and AD group rules
- Network traffic protection using the AWS Network Firewall
- Secure access to a bundle of tools from WorkSpaces using S3 endpoints
- Deployment of servers into multi-AZ to increase the high availability and to improve business continuity of critical apps
Searce Solution
The Searce team gathered the requirements through deep-dive sessions with AlphaGrep's team to understand the underlying architecture of the environment and its features. After a series of discussions, Searce proposed and implemented a highly available, secure, resilient, and robust architecture. The high-level architecture and implementation are as follows:
- Modernization and Migration – Migration
- Setup of 50+ Servers on AWS
- Complete optimization of servers to viable compute-optimized instances on AWS, thereby reducing overprovisioning by 30%
- Using large, compute-optimized servers for hosting globally used trading and investment applications that require extreme computing power, thereby achieving 100% client satisfaction, minimal latency, and minimal management overhead
- Governance & Management – Modernization
- Implemented AWS OUs & Account Segregation
- Logical separation of environments and applications by using Separate Accounts
- Deployed AWS Control Tower for fully automated governance
- Implemented Service Control Policies and AWS guardrails as part of the Control Tower implementation
- Configured AWS Config rules with auto-remediation for common scenarios such as enforcing private S3 buckets and remediating SSH access opened to the world
- Introduced AWS SSO integrated with Active Directory and implemented least-privilege RBAC using users and groups
- Network Security and Perimeter Controls – Rationalization
- Created a Security account for all communication within AWS for complete security monitoring and compliance
- Implemented IDS and IPS for WorkSpaces using AWS Network Firewall
- Deployed stateless and Suricata rules on the Network Firewall so that all inbound and outbound traffic is inspected
- Implemented Suricata rules that allow access only to specific sites, such as nseindia and google.com, while other sites are blocked from the WorkSpaces
- Workload Security Controls
- Customized firewall rules: AWS NACLs and Security groups based on environment
- Encrypted all data at rest using AWS KMS and data in transit by enabling TLS communication in each tier
- Implemented AD group rules to prevent copying to the clipboard
- Implemented MFA with WorkSpaces using a FreeRADIUS server on EC2
- Scheduled the patching activity by using AWS SSM
- Implemented an S3 Endpoint for secure access to Bundle packages without traversing the Internet
- Resiliency Controls
- Deployment of servers into Multi-AZ to increase SLA to 99.95% and above
- Automation of patching and AWS Config remediation to minimize downtime
- The databases are deployed in RDS service using Multi-AZ configuration for replication
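
The domain allowlisting described in the Suricata bullet above could be expressed as the following stateful rule group for AWS Network Firewall. This is an added illustration, not the rule set Searce deployed for AlphaGrep: the sid values and messages are constructed, and `.second-site.example` is a placeholder for any other permitted site.

```suricata
# Constructed example. Assumes $HOME_NET is set to the WorkSpaces subnets.
# Works with strict rule ordering (rules evaluated top to bottom) and with
# default action order (pass is evaluated before drop).

# Allow HTTPS to google.com and its subdomains, matched on the TLS SNI.
# dotprefix + endswith stops "notgoogle.com" from matching the allowlist entry.
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".google.com"; nocase; endswith; flow:to_server, established; msg:"Allowlisted TLS: google.com"; sid:1000001; rev:1;)

# Allow plain HTTP to the same domain, matched on the Host header.
# http.host is already normalized to lowercase, so nocase is not used here.
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".google.com"; endswith; flow:to_server, established; msg:"Allowlisted HTTP: google.com"; sid:1000002; rev:1;)

# Placeholder entry for a second permitted site (hypothetical domain).
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".second-site.example"; nocase; endswith; flow:to_server, established; msg:"Allowlisted TLS: second site"; sid:1000003; rev:1;)

# Everything else: drop any TLS ClientHello or HTTP request that did not
# match a pass rule above.
drop tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; flow:to_server, established; msg:"TLS to non-allowlisted domain"; sid:1000010; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; flow:to_server, established; msg:"HTTP to non-allowlisted domain"; sid:1000011; rev:1;)
```

These rules cover only HTTP and TLS; traffic on other protocols still needs a default drop action or separate rules on the firewall policy.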
Business Impact
- Set up 50+ servers on AWS to bolster the research workloads of AlphaGrep
- Optimization of compute resources to meet target criteria and reduce overprovisioning by 30%
- Using c5.9xlarge compute-optimized instances for global investment workloads requiring extreme computational power and minimal latency
- Implemented a landing zone with Control Tower in conjunction with guardrails for additional security and compliance
- Implemented MFA for WorkSpaces using a FreeRADIUS server on EC2 machines
- Complete network traffic restriction using AWS Network Firewall with Suricata rules to restrict access to specific websites
- Secure bundle installation using S3 endpoints and patch management using SSM Patch Manager, which reduced manual patching errors and increased uptime
- Able to meet the 99.95% SLA requirements for the deployed systems
- Achieved the resiliency requirements for the applications
Industry: Finance and Cryptocurrency
Workload: AWS Networking Components, WAF, AWS RDS, EC2, VPN Gateway