Enabling Cloud-native Microservices Platform using AWS EKS
Kubernetes is an excellent platform for Microservices platform realization and re-platforming an enterprise-wide monolith app to a more agile ecosystem of microservices architecture.
AWS Elastic Kubernetes Service (EKS) is a feature-packed and fully-managed Kubernetes platform that takes care of version maintenance, patching, backup, or security for the cluster at all times. This leaves no burden for the subscriber to worry about ever-growing notifications of zero-day attacks and CVE to patch the fleet of EC2s.
Background
A prime crypto dealer has developed a highly intelligent trade exchange that gives traders the strategic advantage of Global access, Top-Notch security, super-intelligent order splitting /algorithmic trading strategies, and peace of mind via advanced trade risk minimization.
This platform was developed on a Kops-based Kubernetes setup where they have to spend a lot of time managing and monitoring the Kubernetes control plane, and devising plans of how to ensure super security while still maintaining agility. They wanted much better control on rollout and rollback of platform and applications features and 24×7 availability for diverse groups of traders, hedge funds, financial institutions, and other clients
Challenge
Here are some of the challenges that the crypto dealer wanted to have a solution for:
How to rapidly launch new services into production while still having the ability to control the availability of new versions to certain geographic locations or select user groups. Also, have the ability to quickly roll-back service to the old version without high impact to the user base.
Ensure implementation of uniform standards for endpoint security, authentication, and authorization. This is a challenge for a rapidly growing organization with multiple products and services maintained by multiple teams of varying sizes and technical strengths.
Reduce operational costs while achieving operational excellence.
Ensure compliance with security standards, secret management.
Solution
The following diagram describes the key decision points for future Elastic Kubernetes Service (EKS) based platform architecture for the client.
Key Features
Key features of this architecture are:
- EKS managed node groups are an easy mechanism to provision elastic and scalable compute resources for clusters. A node group defines optimal, minimal, and desired capacity for a particular type of computing resource so it can be scaled when needed. Multiple node groups were created to ensure proper compute resources are used for each type of workload. For example, GPU-assisted worker nodes were scaled when Machine learning workloads needed to be executed.
- Cluster Autoscaler provided easy rule-based scaling and cluster nodes would increase or decrease cluster size based on CPU utilization. This tremendously reduces operational costs.
- Existing AWS block and network storage types were used for EKS PODs that needed persisted volumes. The use of existing resources reduced operational costs
- stio does service discovery, security, and routing of all traffic to microservices platform running on EKS. Istio ingress controller automatically provisions required ALBs for routing the public HTTPS traffic to internal endpoints. Istio virtual services would create a wrapper proxy using highly scalable Envoy Proxy to route traffic to the most appropriate version of a microservice to provide:
- Blue/Green deployment in which a service endpoint is updated and traffic is sent to the new version once the update is complete and traffic is drained from the old version. If during testing/assessment of new version on live production traffic does not meet,a quick rollback is performed and every part of the system remains available during updates and rollbacks,
- Canary deployment where a small subset of traffic based on certain criteria, e.g all traffic from a specific region is sent to a new version of a service, and traffic to the new version is gradually increased as ProdOps confidence on new release increases. Ultimately all traffic is diverted to the new version of the service and resources related to the old version are reclaimed
- Circuit Breaking to protect premier service endpoints that consume expensive system resources from too much traffic. Once a threshold is reached, all traffic is sent to a backup or secondary service endpoint that offers lesser quality or slower performance but can handle the remaining traffic
- Istio does discovery and visualization of all services and provides Mutual-TLS based authentication to protect service endpoints from unauthorized usage.
- AWS offers access to additional managed services via Terraform infrastructure code (IaC) so the other managed services like Route 53, TLS Certificates, and management of application secrets (passwords, API access keys, etc) were all integrated with the infrastructure code of the solution to automatically provision a complete and working infrastructure with no manual admin/sysOps work
Why you should choose HPC for enabling microservices platform?
At High Plains Computing (HPC), we specialize in launching all sorts of applications in AWS. Our team of AWS DevOps is dedicated to AWS automation using Infrastructure as code, AWS security, and setting up dev environments on AWS. Our team has built/accumulated a vast repository of Terraform modules that are pre-tested and can provision infrastructure for any application or service within days/weeks rather than months.
Our AWS Certified Solution Architect professional and DevOps professional staff will ensure all AWS infrastructure code, as well as the application that is getting deployed, follow “AWS well Architected” program guidelines and best practices to achieve operational excellence, security, reliability of operation, cost efficiency, and sustainability.
High Plains Computing (HPC) professionals work with your team to deploy your amazing application on AWS infrastructure.
Committed to delivering the best
Thousands of AWS and CNCF-certified Kubernetes solution partners have unique expertise and focus areas. Our focus is on best practices in security, automation, and excellence in Cloud-based operations.
Please reach out to us if you have any questions.
