Well-Architected Framework (Next-Gen MSP Blog Series #2)

Well-Architected Framework

Next-Gen MSP Blog Series #2

Well-Architected Framework (the Framework) is a set of proven design principles and best practices developed by AWS. The Framework provides a strategic and systematic methodology for cloud architects and developers to build secure, high-performing, resilient, and efficient cloud infrastructure and applications.

The Framework is widely adopted by most leading Next-Gen Managed Services Providers (MSP) for several practical benefits to customers:

  • Help customers understand and prioritize their design requirements based on informed decisions
  • Build cloud applications with evolutional architecture to resolve business and IT challenges
  • Control security and operation risks with proven designs
  • Educate customers on best practices at the early stages of their cloud adoption journeys

Knowing the Framework – The Five Pillars

The Framework consists of more than 30 design principles and relevant best practices, organized into Five Pillars.  This structure improves the communications between the cloud architects, cloud developers and business owners.

These are the Five Pillars:

  1. Operational Excellence: Run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
  2. Security: Protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
  3. Reliability: Recover application and infrastructure from service failures, dynamically acquire computing resources to meet demands, and mitigate disruptions such as misconfigurations or transient network issues.
  4. Performance Efficiency: Use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
  5. Cost Optimization: Run systems to deliver business value at the lowest price point.

When designing the architecture of a cloud application, cloud architects will analyze the business and IT requirements, apply the design principles and best practices whenever appropriate.  However, in reality, there could be conflicts between different pillars. An experienced cloud architect would lead business owners to make trade-off decisions that align with business priorities.  For example, for production applications, business owners often weigh Security and Reliability over Cost Optimization.  On the other hand, for non-critical environments, such as development or pilot projects, Cost Optimization often takes priorities over Reliability and Performance Efficiency.  Nevertheless, our experience shows Operational Excellence and Security are more critical than other pillars, especially for mission-critical and revenue-generating applications.

Customer Example

Our customer ABC Company hosted their corporate website on an in-house developed Content Management System (CMS) on AWS.  They engaged us to re-architect their corporate website which was found unstable from time to time.

After reviewing the customer’s system, it was found that the system not only overloaded at peak hours, but also lacked security measures to protect the system from cyberattacks.   Successful Indicators of Compromise (IoC) were found in application logs which timestamps right before two system outages.

Based on customer’s requirement, we re-architected the CMS system with priorities the Security, Performance and Reliability over other 2 pillars.  We identified and implemented the key enhancement items as listed below.

Security Performance Efficiency Reliability Cost Optimization Operation Excellence
·     Deploy AWS WAF with OWASP’s Top 10 Policy

·     Establish VPN between customer’s office to AWS VPC

·     Restrict CMS administrative login page from authorized internal IP only

·     GuardDuty threat detection

·     Cloudfront CDN

·     Compute resources monitoring

·     RDS read replica

·     Auto-scaling

·     Mutil-AZ design

·     ALB for WordPress services

·     Auto-failover RDS redundancy

·     Centralized logging with high-durability storage

·     Starts with smallest EC2 & RDS instances by default

·     Automatic scale-out/scale-in for EC2 and RDS instances

·     Manual scale-up/scale down for RDS

·     Deployment automation with CloudFormation

·     Monitoring resources with CloudWatch

·     Automatic alert with SNS service

·     Routine tasks automation with Systems Manager

For the application architecture, we decoupled the system from a single-node design into 3 components, including the web service, the shared file system, and the database.  AWS managed services were deployed whenever feasible for performance ease of management.  The diagram below shows the final application architecture.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In our next blog post, we will share the basis of automation in cloud environment with practical use cases.


About the Author

Elton Tsang
Associate Director
HKBN ESCloud

Posted in Blog, ICG Blog.