David Sumsky

The client required a production-ready, scalable Kubernetes infrastructure to host a mobile application API layer. It was running on an AWS EKS service provisioned with Terraform modules and delivered through the Terraform enterprise platform.

Based on load-testing performed with Artillery and performance metrics analysis, the infrastructure was tuned with cloud-native auto-scaling, horizontal pods scaling, and cluster over-provisioning to mitigate cluster auto-scaling latencies. Further recommendations were given on how to optimize the application itself.

Finally, we improved the CircleCI CI/CD pipeline (which was delivering Docker images for the application) by implementing Docker image vulnerability scanning and Dockerfile linting to improve the overall security of the infrastructure.

The client needed a solution that helps to quickly set up a multi-account AWS environment based on best practices and with recommended guardrails in place. It provided a baseline configuration to get started with a multi-account architecture, identity, and access management, governance, data security, network design, and logging. The solution overcomes the limitations of previous AWS solutions based on multi-tenant accounts.

The environment is a set of interconnected AWS accounts hosting apps and tools with following settings:
• AWS VPC with the network setup including VPC Peering connections, subnets, SGs and NACLs
• AWS CloudTrail and Config with visibility into users and resources activity
• AWS IAM with a set of roles and policies and identity federation
• AWS Organizations to manage accounts creation and their cost
• Integration with third-party tools like Evident.io, Okta, CloudHealth
• Centralized shipping logs to a central logging account
• Interface for app provisioning
• Tagging of resources

Framework Features:
• Scalable and delivers an environment in a few minutes
• Automated with Sceptre, AWS CloudFormation, Python/Boto 3, and Jenkins pipelines
• Follows the IaC paradigm
• Reproducible and extensible

To increase the stability of multi-account AWS environments, the client needed a testing framework that performs smoke-testing of the newly set up environment before it is handed over to end-users.

The framework is based on AWS Lambda and Step Functions services, which are orchestrating the execution of smoke tests. A smoke test is represented by a CloudFormation template, which is declaring execution of related "atomic" tests (e.g., internet access through an HTTP proxy, connectivity over VPC Peering connections, AWS CloudTrail/VPC Flow Logs events, security groups that are allow required connectivity, and more).

When a stack is created from the template, an AWS EC2 instance is launched, or an AWS Lambda function is invoked to initiate smoke testing. Test results are reported by CloudFormation signals and test dependencies and their status is driven by AWS Step Functions. Notifications are sent to SQS queues, processed, and forwarded to Slack channels.

Framework Features:
• Completely serverless
• Automated with AWS CloudFormation, Step Function, Lambda, and Python/Boto 3
• Plugged into multi-account AWS environment delivery pipelines

The client required a suitable configuration management system to streamline Linux and Windows-based application deployments in the AWS cloud.

When the evaluation phase was finished and SaltStack was chosen, the client needed to build a highly resilient SaltStack infrastructure that could run in every cloud environment. The infrastructure was managing thousands of salt minions/EC2 instances in the master and masterless modes.

The overall infrastructure provides
• Automation of highly-available SaltStack masters
• Standardized provisioning and configuration of salt minions on EC2 instances
• Custom state, execution, and pillar modules

The infrastructure is automated with AWS CloudFormation and Python/Boto 3 and leverages AWS services like EC2, ASG, S3, and DynamoDB.

The client required a tool for comprehensive AWS service limits and usage monitoring and reporting. Native AWS tools like Trusted Advisor provides a subset of AWS limits and only give weekly alerts.

The solution is based on a set of AWS Lambda functions written in Python to monitor AWS services limits with the "awslimitchecker" tool. This tool takes care of hard-coded limits, API-based limits and data from Trusted Advisor.

It provides:
• More granular alerting
• AWS SNS-based alerting
• Limits tracking with AWS DynamoDB data back end
• Automatic support cases opening to increase some limits

The client required a custom solution to build and distribute Linux golden images into a customer's cloud environments.

The solution defines automated build process of AMIs for CentOS and OEL which includes:
• Custom configuration of system and services
• Installation of predefined and custom packages
• Installation of security patches
• Security hardening based on CIS benchmarks
• Installation of ENI drivers
• HVM/PV AMIs generation
• AMIs distribution from the build environment to the rest of the environments

The whole process is automated with SaltStack and Jenkins pipelines where any code-change commit then triggers a dry-run build to validate the build process. Once a month, a full build is executed to build new AMIs and to distribute them.

The client needed us to design and implement a cloud-ready automated deployment of a Java-based middleware system running on Windows and Linux in AWS.

The final solution defines:
• Infrastructure as code based on AWS CloudFormation
• Highly-available and scalable infrastructure based on AWS AutoScaling groups and Elastic Load Balancers with deep health-checks
• Installation and configuration process which is abstracted with SaltStack and set of PowerShell scripts
• Patches and updates are distributed with AWS CodeDeploy
• Logging and monitoring facilities are integrated with Sumo Logic