Government Cloud Establishment

By James Bromberger

24th October 2019

In early 2018, a government department in Western Australia was looking to develop several cloud-based proof of concept (POC) projects in the public cloud space.

The first project was an architecture to manage the payments for services from several disparate source systems, voice, IVR, and customer relations officers to process via an online payments processor and store the results of the transaction within their existing database.

Akkodis were engaged to help set up the AWS environments and provide best practice technical guidance to the on-site development team and architecture team in creating a suitable AWS based architecture. Along with the best practice guidance, Akkodis developed an open source dashboard solution to monitor the AWS based services being consumed.

The Challenge

The Akkodis team was tasked to create an AWS based environment that is highly secure and PCI compliant against the DSS 3.2 standard, following AWS Best Practices and principles in a very short amount of time. Considerable architectural guidance and best practices already learned at other WA government agencies were presented and adopted by the client.

The Solution

Akkodis staff had already pioneered a multi-account best practice template with other government customers, so when AWS announced AWS Organisations in mid-2018, Akkodis were on hand to set up the organisational structure for the multi account environments, ensuring the customer fully realised the benefits of the structure and security best practices.

Architectural guidance to fully utilise the low cost serverless architecture, along with best practices in creating a completely resilient and secure environment were adopted by the customer.

As part of the solutions created, the architectural patterns included many managed components, such as the Simple Queue Service (SQS), Simple Storage Service (S3), AWS Lambda for serverless execution, EC2 and VPC for VM based service operation, CloudWatch, CloudFront for web Content Delivery, and Route53 for reliable and scalable DNS.

The SQS service provided an extremely fault tolerant, lose coupling of services, providing legacy on premise systems to establish outbound connections for data flow integration rather than incoming connections, meeting the customer’s security team preference.

The first of four AWS based projects went live September 2018 supported by a fully templated dashboard visualisation project created by Akkodis to monitor, visualise and alert on services and conditions that occurred. As expected, the provisioned AWS based services and architecture proved extremely resilient and reliable, especially during unexpected events with the on-premises infrastructure occurred.

For the cloud-based network (VPC), a three-Availability-Zone balanced network was created, complete with optimised private access for services such as AWS Simple Storage Service (S3). All internet access by either protocol was enforced as one way using managed outbound IPv4 NAT Gateways, or Egress-Only IPv6 gateways, mapped automatically via routing tables, and again managed via CloudFormation templates.

The dashboarding solution selected was Grafana, was hosted on the smallest AWS EC2 machine at that time (a t2.nano) within a subnet only accessible via a connection to an Application Load balancer. EC2 machine scheduling was accomplished using an instance scheduler template only turning the dashboard host on and off during required business hours to optimise service costs.

Outcome and Results

With this in place, the customer had confidence in the engineering, reliability and cost effectiveness of well-designed and managed cloud environments. The cost of operation of their payment processing environment came in at less than $10/month. However more importantly, the team were freed up to investigate latency on their payment services provider, having evidence and visualisation for time delays with various types of transactions, and helping their service provider improve their service.