Timothy Wong | September 30, 2020
Devops, Serverless
CallEvo was looking to both deploy and set up DevOps for its custom software. Their application was initially developed to run within a monolithic framework. Triumph Tech was brought in to help “decouple” their architecture and speed up application delivery.
Triumph chose AWS to provide the cost efficient resources to run CallEvo’s custom software and speed the delivery of application updates.
During the initial discovery phase, we discovered that the development team did not have a procedure to rapidly deploy changes to their application nor did they have an efficient way of running the application.
Project metrics were determined post-buildout with the execution of load tests and the speed of how application changes could be deployed. We needed to know if the environment could handle at least 100 requests per second in under 2000MS per request with a low error rate. Additionally, we needed to find the amount of time required to deploy code changes to the environment.
Locust was used to load the test by simulating common user behaviors that trigger read / write operations on the data layer. We simulated 1000 users and a request rate of 100 RPS. This was a success. We found that the application could respond in <500MS with a 0% error rate.
In order to test the ability to push code changes quickly to the application, we calculated the time required for CodePipline to execute all tasks to completion. The total time was <10 minutes and deemed a success. We compared this duration with the amount of time required to manually push changes to the environment; this was around 1 hour and 20 minutes until changes were live.
TCO was calculated based on the amount of time to manually push code to the environment and the resources required to do so.
Serverless functions are scalable and a cost-effective way of running production workloads.
Automated deployment solutions greatly reduce the amount of time required to deploy code to production.
Cloud environment is native cloud. The entire stack is running on Amazon Web Services in the US-West-2 region.
CodePipeline Health Metrics
If any step within the pipeline fails, notifications are sent out to the DevOps Slack channel. This is achieved via an integration between SNS topics and AWS Chatbot integration with Slack.
Lambda health is determined by success / failure of the Lambda function. The most important metric is error count and success rate (%).
Lambda health is further defined by using Xray application tracing in order to effectively trace and debug requests made to the lambda function. Application exceptions (errors) are viewed within Xray and help enhance the performance of the application.
We consult clients on best practices in terms of log / metric collection. For application related logs we prefer the use of an ELK stack, which takes advantage of AWS Elastic Search Service, Logstash running on EC2, and Kibana. This allows for complete security and granular control over log collection and visualization.
To automate the alerting of unhealthy targets of an application / network / or classic ELB, we consult our client on the use of CloudWatch alarms, SNS alarm trigger notification, and AWS Lambda. The Lambda function makes a describe-load-balancer or describe_target_groups API call to get the identity of the failed target as well as the cause of the failure and then triggers an email notification via SNS with the discovered unhealthy host details.
We recommend the use of Grafana running on EC2 and Prometheus for the monitoring of individual workloads running within a stack. EC2, RDS, Container, EKS, and ECS metrics are collected by Prometheus and data visualized via dashboards within Grafana.
Enabling the client to manage and maintain the DevOps pipeline after handover is of the utmost importance. Our goal is to always minimize the amount of maintenance that will be required with the level of automation. Our goal is for all members of the Development team to be able to simply push code, follow a development process, and know that their applications are being tested and rapidly deployed.
Training and handover are always included in scope. This process includes the development of documentation specific to the customer workload. It outlines the development lifecycle from source control and branching all the way through deployment.
We document how to version IAC modules / templates that were developed and push out updates to their infrastructure.
We provide architecture diagrams, which outline the branch strategy / git workflow.
Lastly, we schedule a video conference, and do a hands-on session with the client where we go over how to push application updates throughout the development, staging, and production environments. We go over the development workflow and branching strategy.
Deployments are tested and validated through a promotion strategy. The only branch which automatically deploys without approval is the development branch, which is deployed to the isolated development environment. The team will QA and validate application functionality and approve a promotion to the staging environment. A pull request is submitted to source control and merged into staging. Workloads are then deployed to the staging environment. After testing and validation of staging, a pull request is submitted from staging into master and merged. Master branch triggers a build and deployment to production via CodeBuild / CodePipeline.
All code assets are version controlled within GitHub.
Application Workload and Telemetry
CloudWatch application logging is integrated by default into all of our container and serverless workloads. We include this as an “in-scope” item for all DevOps projects. This provides a centralized system where error logs can be captured and aid in operational troubleshooting.
Xray is implemented for application request tracing to help the client debug and improve performance of their workload.
Access Requirements Defined
In order to discover access requirements, we take a look at the organizational units within the client’s business such as developers, systems engineers, security engineers, and stakeholders, which will be required to access DevOps infrastructure. We have previously defined best practices that we follow for each of these groups.
IAM groups are created for each of these Organizational Units and least privilege access is applied to each. Each group is only granted access to what they actually required.
Our developer policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "arn:aws:ec2:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"ec2:Describe*",
"iam:ListInstanceProfiles",
"mgh:CreateProgressUpdateStream",
"mgh:ImportMigrationTask",
"mgh:NotifyMigrationTaskState",
"mgh:PutResourceAttributes",
"mgh:AssociateDiscoveredResource",
"mgh:ListDiscoveredResources",
"mgh:AssociateCreatedArtifact",
"discovery:ListConfigurations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateSecurityGroup",
"ec2:ModifyInstanceAttribute",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:CreateImage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"ForAllValues:StringLike": {
"ec2.ResourceTag/appenv": [
"rmmigrate-dta"
]
}
},
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RunInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "*",
"Effect": "Allow"
}
]
}
No processes deployed to AWS infrastructure will make use of static AWS credentials. All instances which call other AWS functions use roles. The only case where static AWS credentials are used to call AWS services is when third party integrations can’t make use of assumed roles.
Log into AWS for each APN partner and user of the platform, make use of unique IAM users or federated login. No root access is permitted. We have a CloudWatch alarm setup which triggers an SNS notification via email anytime the root user logs in.
All security groups within the environment meets the following requirements:
Components which require encryption:
AWS CLI is used for all programmatic access.
The deployment process is fully automated. When we merge a change into the master branch from development within GitHub, CodePipeline is triggered. CodePipeline first runs CodeBuild and compiles application dependencies via pip and requirements.txt, then creates an artifact and CloudFormation template which triggers the deployment of the serverless function via CloudFormation. We use change sets and then automatically execute those change sets via CodePipeline.
Data is backed up every 24 hours, so the worst case scenario is that we lose a day.
This application uses Lambda, API Gateway, and RDS Aurora Postgres Serverless. We are using provisioned concurrency for Lambda and autoscaling on Aurora. We can respond rapidly in response to demand.
We deployed the workload into a development environment and load tested the application using methods previously described. Then we gathered metrics such as execution time and memory allocation to estimate costs. Our RDS Postgres Costs were determined based on the capacity units required by the application over a 24 hour period. Elasticsearch and ElastiCache costs were fixed and included in the TCO analysis for the AWS environment. We found our initial estimate was 95% accurate as it was only $100 away from the average costs since workload has been deployed to production.
Looking to implement an Automated Serverless Architecture? Contact one of our Serverless Specialists today.
Locust was used to load the test by simulating common user behaviors that trigger read / write operations on the data layer. We simulated 1000 users and a request rate of 100 RPS. This was a success. We found that the application could respond in <500MS with a 0% error rate.”