SLIDE 1 Running multiple customer-facing application in Fargate!
Nils Rhode | Haufe.Group | 09.09.2019
Community Day 2019 Sponsors
SLIDE 2 Does it always have to be K8s?
v 1.0
Running multiple customer-facing application in Fargate!
Nils Rhode | Haufe.Group | AWS Community Day Hamburg 2019
SLIDE 3
- 1934 founded as family company
- 407 Mio € revenue 2019
- 2.000 employees worldwide
distributed over ~20 difgerent locations like Freiburg, Barcelona, Timisoara, St. Gallen
- All DAX 30 Companies rely on our expertise
- We are leading companies in terms of
transformation to digitization
Haufe.Group
SLIDE 4
Haufe Talent Managemen t
Team Recruiting Instant Feedback Marketplace My Onboarding
….
SLIDE 5
Administration Backend for Managers
- … with a few clicks, employees can
request feedback on their own behavior or provide feedback on a person, meeting or survey — at any time.
Haufe Instant Feedback
SLIDE 6
for employee and Manager
- … helps organizations to establish an
agile, self-organized and motivating
- culture. Give employees access to
new work opportunities and help them achieve their career goals, unlock their potential and expand their professional network.
Haufe Agile Hats
SLIDE 7
From self-hosted applications to cloud-native applications
SLIDE 8 2017
IF 1.0 developed as native app based on a backend, hosted at AzureDE*
2018
Backend reengineering (better multitenancy, Orchestration, new features)
2019
Hybride App approach with fmutter Move to AWS
Haufe Instant Feedback Haufe Agile Hats
2018
Start of development of Agile Hats as web application following a microservice approach
2019
Move to AWS
SLIDE 9 V 1.0 Backend Reengineerin g Move to AWS
Haufe Instant Feedback
V 2.0 (Kubernetes, Docker)
SLIDE 10 V 1.0 Backend Reengineerin g Move to AWS
Haufe Instant Feedback
cloud native
SLIDE 11 Start of Development Move to AWS
Haufe Agile Hats
SLIDE 12 Start of Development Move to AWS
Haufe Agile Hats
cloud native
SLIDE 13
AWS Architecture
based on EKS
SLIDE 14 Move to AWS - Overview
Amazon Pinpoint Amazon Aurora Amazon SQS Amazon API Gateway AWS Lambda
(Moible) data processing done via AWS Lambda instead of K8s containers
Amazon CloudWatch AWS CloudT rail AWS Systems Manager AWS T rusted Advisor Amazon CloudFront Amazon Route 53 AWS T ransit Gateway Amazon GuardDuty Amazon Cognito AWS Certifjcate Manager AWS WAF Amazon Pinpoint
SLIDE 15
AWS Architecture
based on Fargate
EKS to Fargate
SLIDE 16 AWS Architecture
based on Fargate
RBAC DeamonSets Pods ConfjgMaps Deployments S e c r e t s AutoScaler PV / PVC N a m e s p a c e s ReplicaSet Ingress S e r v i c e s Seamless integration into AWS services RDS IAM ParameterStore ELB / ALB / WAF K8s Updates
AWS Fargate Amazon API Gateway AWS Lambda Amazon Aurora NLB VPC Link
Containers T ask Service
Role-based access following least privileges S3
SLIDE 17
- K8s for hybrid-cluster over multiple cloud provider
Not the right fjt for our cloud-native applications/approaches
- Fargate serves better and easier integration in AWS
Services
- ne abstraction layer less and usage of triggers and seamless integration
(role-based access for Pods following least privileges in K8s is a mess)
- Fargate reduces a lot of overhead
like scaling, RBAC, namespaces, Updates & Security of K8s by using managed services
- It is cheaper and better scalable
AWS Architecture
Conclusion
SLIDE 18
Architectural Deep Dive
SLIDE 19
Architectural Overview
Deep dive
SLIDE 20 Architectural Overview
Separation on product level
VPC IN EU-CENTRAL 1 Availability Zone 1-3 Product IF Product AH AWS CLOUD Product *
SLIDE 21 Architectural Overview
Container Orchestration
VPC IN EU-CENTRAL 1 Availability Zone 1 AWS CLOUD Availability Zone 2 Availability Zone 3
WWW
Container T ask Service Container T ask Service Container T ask Service
SLIDE 22 Fargate Cluster
Availability Zone 1 Availability Zone 2 Availability Zone 3
SLIDE 23 Fargate Cluster
Availability Zone 1 Availability Zone 2 Availability Zone 3 Container Container Container
SLIDE 24 Fargate Cluster
Availability Zone 1 Availability Zone 2 Availability Zone 3 Container T ask Container T ask Container T ask
SLIDE 25 Fargate Cluster
Availability Zone 1 Availability Zone 2 Availability Zone 3 Container T ask Service Container T ask Service Container T ask Service
SLIDE 26 Network Load Balancer
Availability Zone 1 Availability Zone 2 Availability Zone 3
SLIDE 27 API Gateway with VPC Link
Availability Zone 1 Availability Zone 2 Availability Zone 3
SLIDE 28 API Gateway with VPC Link
Availability Zone 1 Availability Zone 2 Availability Zone 3
SLIDE 29
- Least privileges on each container and service
- No IAM users needed at all (deployment via EC2, Login via SSO)
- No jump host or “open” port 22 => Transit Gateway in private
Subnet
- Nothing is deployed in public subnet (except NAT Gateway)
- Everything is encrypted (RDS, S3, EFS, Backups, HTTPS-traffjc)
- Credentials to RDS shared via Parameter Store
- CloudTrail with S3 and Athena
- Security Hub with integration of GuardDuty, Inspector and some
more tools
Architectural Overview
Security
SLIDE 30
Quick Journey: environment deployment for multiple production applications
SLIDE 31 Architectural Overview
Setup of Infrastructure
- Everything is done by terraform
- Workspaces used to split between Dev, Int and Prod
environment and also with var-fjles
- Difgerent accounts per environment/workspace
- Gitlab Runner based on EC2 to deploy infrastructure
(deployment happens from inside the AWS account)
PRODUCT VPC
AWS Cloud RUNNER VPC
HAUFE
Amazon EC2
AWS Direct Connect
AWS DEV ACCOUNT AWS INT ACCOUNT AWS PROD ACCOUNT
SLIDE 32
Architectural Overview
Setup of Infrastructure - Baseline
SLIDE 33
Architectural Overview
Setup of Infrastructure - Instant Feedback
SLIDE 34
Architectural Overview
Setup of Infrastructure - Agile Hats
SLIDE 35 Architectural Overview
Setup of Infrastructure
Base infrastructure to serve
- VPC (Network)
- Security
- Backup
- SES (setup)
- Security
Application specifjc infrastructure to serve application services like
- API Gateways
- Fargate
- S3
- Elasticache
- Cloudfront
- ….
SLIDE 36
Architectural Overview
Setup of Infrastructure - CI/CD Push to feature/bug branch => terraform validate … => merge request to develop => terraform plan … => merged into develop => terraform apply to dev environment … => merge request to master => terraform validate => terraform plan => terraform apply to new AWS account (int) => backup from prod into new AWS account (int) => testing… … => merge to master => terraform apply to prod env
SLIDE 37 Architectural Overview
Setup of Infrastructure - CI/CD
- Gitlab (own branch) with validate => request =>
validate, plan => merge => deploy in dev infra
- Gitlab (dev) to master request => validate, plan,
deploy to INT => check/test => merge => deploy to master
SLIDE 38
Architectural Overview
Setup of Infrastructure - CI/CD
validate plan apply
SLIDE 39 Architectural Overview
CI/CD for our products
PRODUCT VPC
AWS Cloud RUNNER VPC
HAUFE ECR
Fargate
- 3. deploy 4. int-test 5. check
(6.)Rollback if required
SLIDE 40
Conclusion
SLIDE 41
- Make use of services and reduce maintenance efgort
(Backups, DR, Scalability, Monitoring/Logging)
- Reduce development overhead by making use of services
(e.g. Lambda instead of own docker)
- Handling and applying high security standards
- K8s has a difgerent purpose than cloud native – don’t
depend on both
Benefjts of going cloud native
SLIDE 42
The big difgerence for cloud native applications is really how they are built, delivered and operated.
If you are going cloud native:
Rethink your architecture and avoid a lift and shift.
