End of life data center migration
The course is part of these learning paths
This course is a "live" scenario discussion where the Cloud Academy team tackle a migration project. Our customer needs to migrate out of their current data center by a certain date. They also would like to modernize their business applications.
Our brief in the exercise is to deliver:
- A target architecture that addresses the challenges described by the customer
- A migration plan detailing how to move the service to AWS with minimal interruption
- A recommendation on how to approach DR to achieve RPO of 24 hours and RTO of 4 hours
- An application optimization plan with a proposed enhancement roadmap
As a scenario, this series of lectures is recorded "live" and so is less structured than other Cloud Academy courses. As a cloud professional you often have to think and design quickly, so we have recorded some of the content this way to best emulate the type of conditions you might experience in the working environment. Watching the team approach this brief can help you define your own approaches and style to problem-solving.
This course discusses AWS services so it is best suited to students with some prior knowledge of AWS services.
We recommend completing the Fundamentals of AWS learning path before beginning this course.
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
- [Narrator] Our brief is to deliver the following, a target architecture which addresses the challenges described by the customer, a migration plan detailing how to move the service to AWS with minimal interruption, a recommendation on how to approach DR to achieve RPO of 24 hours and RTO of four hours, an application optimization plan with a proposed enhancement roadmap. Expertise Please provides a website, www.expertiseplease.com, that customers use to manage their accounts and view their documents. The digital legal documents are sourced in two ways. The customer grants Expertise Please the right to scan and digitize their paper-based court documents. This is a highly automated process that only requires human intervention in scanning files. Digitized documents are stored in the Expertise Please service. Original documents are archived by a legal processing agency on behalf of the customer. External third party companies send contracts as PDFs directly to Expertise Please customers. PDF files are uploaded via sFTP and processed in batches during off-peak hours. Third party companies can also log in to view contracts and to check on the status of batch uploads. Most of the documents being stored within the application are sensitive so there are stringent requirements that must be adhered to including security. Documents can only be viewed by the end customer to whom they are addressed. Data must be encrypted in transit and at rest. The www.expertiseplease.com service manages subscribers' personal information and irregularly audited for security vulnerabilities and must adhere to industry standards, e.g. ISO27001, ISO27018. Durability, digital documents are retained for an unlimited period of time or until the customer deletes the document or closes the account. However, expertiseplease.com has observed that less than 2% of documents older than six months are viewed. Expertise Please has to provide highly durable storage of documents. They rely heavily on redundant storage within the data center and take backups stored in DR location. Availability, end consumers access the application at any time. Current target www.expertiseplease.com availability SLA is 99.5%. They target to increase to 99.9%. Third parties can deliver digital documents at any time. A 24-hour processing SLA exists. Performance, customer response time to render documents is less than two seconds. Current SLA is 99.5% of transactions to meet this target time. The current architecture is a three-tier web application comprising of Apache Web Server, JBoss Application Server, and Oracle Database. Connectivity, provided by a colocation provider, peak capacity 500 megabits per second. DNS, hosted on DNS servers within the same data center. CDN, no CDN is used today. Firewall, trusted firewall appliances. IDS, monitoring of traffic, manual implementation of firewall rules to block and measures traffic. Load balancing, front-end, providing SSL offload. Web service, Apache T.2 provides static content and routing to application clusters. Application clusters, JBoss 7.1, two clusters providing different functions, session replication via Multicast. sFTP server, receive documents from external third party companies and acts as a batch submission gateway to the application service. Database cluster, Oracle Database 11g with three nodes, active, standby, and DR target using Oracle Data Guard. Virtual cluster IP using Multicast technology. NAS storage, NetApp appliance with 150 terabytes of stored documents replicated within DC, off-site tape backup to DR DC. Storage usage increasing at five terabytes per month with 35 terabyte storage remaining. Hardware security module, SafeNet HSM manages and stores encryption master keys for a database, Oracle TDE, Transparent Data Encryption, and file-level encryption. Scanning devices and digitizers. Scanning devices are located in the legal support center. Each scanning device is configured with the IP address of both digitizers. Scanning devices communicate with digitizers over a private network to a DC using a custom TCP protocol. Digitizers communicate with the digitizer application module via HTTPS. Expertise Please application is a classic three-tier model, originally custom developed by an external third party, but now maintained in-house. It consists of static web content, Java modules, and a data access service to communicate to a database and underlying file storage. The Java modules run on two different application clusters, external-facing modules on cluster one and internal modules on cluster two, providing the following functions. Registration, registers new subscribers and setup unique subscriber encryption keys. Subscribers sign in using their email address. Password is encrypted and stored in a database. Login, subscribers or a third party company use a login. Payment, processing module for subscriptions, integrates with third party digital wallet providers via internet API. No credit card data is handled within this service. Doc Manager, manages and renders digital documents, encrypts and decrypts documents using file encryption keys. Presentation, delivers rendered content to subscriber devices. Core, central business processing logic for the application, for both subscribers and third party companies. Batch processing, conversion of third party company templates and delivery of documents to subscribers. Encryption, interface to HSM to provide access to data encryption keys for file encryption. Administration, backend portal for application administration and reporting. Digitizer, ingestion processing workflow module, execute similar functionality as batch processing module. Data access service, abstraction layer for database and document storage access. The server and network hardware has reached end of life and the storage capacity requires an urgent upgrade. The data center contract for production facility is due for renewal in nine months. CAPEX costs are driving concerns over the long term service viability based on the current business model. They're looking for a more cost efficient approach. Achieving the current availability SLA is challenging due to a number of operational pain points and maintenance exclusions for data center and connectivity provider. Expertiseplease.com needs to increase the availability SLA to 99.9% as their customers complain about service availability. The infrastructure is unable to meet peak demand, affecting the ability to meet performance SLA. Reliance on monolithic application server clusters impacts the ability to maintain and update the application at a quick pace. They're looking for improved agility to support more rapid application feature development and deployment. The volume of digital sources is increasing and third parties are trying to negotiate more real-time delivery of documents as part of service contracts. Batch processing is no longer an option. The passive IDS and legacy firewall solution are not effective at handling application-level attacks. They need to be more secure to be able to detect and mitigate external attacks in real time. For enhanced security, they need to restrict and log management access to the application and infrastructure for a Bastion host, accessible from the internal network only. So there's our brief. Now, why don't you have a think about how you would tackle this problem. Think about what components you might want to use and what kind of phasing you might put together to come up with a solution that can meet the requirements as they've been specified. Now, if you want any help with the solution, by all means, just reach out to us at firstname.lastname@example.org and we can help you get started or give you some mentoring if you feel quite stuck. And ideally, send us your initial design so that we can discuss it with you and provide you with feedback and any advice. Okay, if you're feeling ready, let's step through how the team tackles this scenario.
About the Author
Head of Content
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.