
Candid Partners - Architecting a Banking App with Serverless Technology - AWS reInvent 2018 SRV220

Candid Partners' presentation from a breakout session at AWS re:Invent 2018 on Architecting a Banking Application with Serverless Technology.

Published in: Technology

  1. Re-architecting a Consumer Banking Application for Better Scale and Reliability. Chris Lofton, SVP, Cloud Program, SunTrust Bank; Aaron Bawcom, Chief Architect, Candid Partners. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. The Challenge: Can a Bank Win a Race?
     • How fast can we go using AWS?
     • What changes do we need to make to go that fast consistently?
     • How do we make sure our security requirements are met?
     • How far can we push the technical limits?
     • How can we demonstrate success early in the cloud journey?
     • How much can we simplify the development process?
     • How do we decrease TAS and increase GSD?
     • What's the lowest cost we can operate at?
  3. Problem: Massive Scalability. Waves of user onboarding, spikes, and a minimum of 10,000 concurrent users per second.
  4. Solution: Lambda + API Gateway. Use Lambda for request processing and API Gateway to process API requests; allocate enough IP space to satisfy Lambda ENI attachment to the VPC; use Node.js as the language.
  5. The Application: millions of banking consumers, massive scalability, zero-downtime deployments, frequent deployments, 100% uptime, bank-level security, crazy fast performance.
  6. Problem: Ease of Use, for millions of bank consumers, development, legal and compliance.
  7. Solution: a JavaScript single-page application, for user experience and fast deployment.
  8. Problem: Bank-Level Security. Secure content, logging, configuration management, regulated data, data obfuscation, compliance.
  9. Solution: Cloud-Native Services + Splunk, mapped to each requirement:
     • Secure content: CloudFront, API Gateway, S3, WAF, Advanced Shield, Certificate Manager
     • Logging: CloudTrail, CloudWatch, Kinesis, VPC
     • Configuration management: CodeCommit
     • Regulated data: proprietary hashing
     • Data obfuscation: custom development
     • Compliance: Config, Lambda, GuardDuty
  10. Problem: Need Crazy Fast Performance. Sub-500 ms latency under heavy load.
  11. Solution: Lambda, CloudFront, ElastiCache. Node.js Lambda behind CloudFront, with ElastiCache. (Results chart not preserved.)
  12. Initial Deployment: the initial deploy took 20 hours!
  13. Problem: Frequent Deployments. Daily deployments, automated tests, automated promotion, zero downtime, continuous delivery, traceability.
  14. Solution: Pipeline as Code, Automated Promotion, mapped to each requirement:
     • Daily deployments: Go-CD
     • Automated tests: BlazeMeter, BrowserStack, NodeJS, CloudWatch
     • Automated promotion: Go-CD
     • Zero downtime: CloudFront, Lambda@Edge
     • Continuous delivery: Go-CD
     • Traceability: Go-CD, CloudTrail, CodeCommit
  15. Account vs Application Infrastructure Pipelines (diagram): account-level pipelines are split into an Account Global pipeline and an Account Regional pipeline per region (Region 1, Region 2).
  16. Account vs Application Infrastructure Pipelines (diagram, continued): application-level pipelines are layered on top, with App Sec and App Global at the global level and App Code and App Ops in each region.
  17. Canary Deploys - UI (diagram): a CloudFront distribution fronts us-east-1 and us-east-2; a cookie on the user request selects the primary or canary UI in each region; Go-CD drives the rollout.
  18. Canary Deploys - API (diagram): a canary version of the Lambda function is installed alongside the release (current) version; a routing configuration controls the split between them; Go-CD drives the rollout.
  19. Canary Deploys - API - 1%: the routing configuration is updated to a 99% / 1% split (release / canary); CloudWatch logs are processed to determine success.
  20. Canary Deploys - API - 100%: the routing configuration is updated to a 0% / 100% split; CloudWatch logs are processed to determine success.
  21. Canary Deploy - API - Finished: the canary alias becomes release; the routing configuration is updated to 100% release.
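The canary steps on the slides above (install canary version, 1% split, process CloudWatch logs, 100% split, alias swap) need a decision rule that reads the logs. The following is an added example, not code from the SunTrust / Candid Partners deck: it computes per-version error rates from Lambda log lines and returns the next step. The error threshold, the minimum sample size and the sample log lines are constructed assumptions.

```javascript
// Added example (not code from the SunTrust / Candid Partners deck): compute per-version
// error rates from Lambda CloudWatch log lines and decide the next canary step.
// START lines carry the executed version; error and timeout lines name the request.
// The threshold, minimum sample size and the sample log below are constructed assumptions.
function parseInvocations(lines) {
  const byRequest = new Map(); // requestId -> { version, failed }
  for (const line of lines) {
    const start = line.match(/^START RequestId: (\S+) Version: (\S+)/);
    if (start) { byRequest.set(start[1], { version: start[2], failed: false }); continue; }
    const err = line.match(/^\S+[\t ](\S+)[\t ](?:ERROR\b|Task timed out)/);
    if (err && byRequest.has(err[1])) byRequest.get(err[1]).failed = true;
  }
  return byRequest;
}

function errorRateByVersion(lines) {
  const stats = {};
  for (const { version, failed } of parseInvocations(lines).values()) {
    const s = stats[version] || (stats[version] = { invocations: 0, errors: 0 });
    s.invocations += 1;
    if (failed) s.errors += 1;
  }
  return stats;
}

// Mirror the deck's progression: 1% to the canary, then 100%, then the canary alias
// becomes release. Roll back on errors above the threshold; wait for enough samples first.
function nextCanaryStep(stats, canaryVersion, currentCanaryWeight,
                        { maxErrorRate = 0.01, minInvocations = 100 } = {}) {
  const c = stats[canaryVersion] || { invocations: 0, errors: 0 };
  if (c.invocations < minInvocations) return { action: 'wait', canaryWeight: currentCanaryWeight };
  if (c.errors / c.invocations > maxErrorRate) return { action: 'rollback', canaryWeight: 0 };
  if (currentCanaryWeight < 1) return { action: 'shift', canaryWeight: 1 }; // 99/1 -> 0/100
  return { action: 'promote', canaryWeight: 1 }; // canary alias becomes release
}

// Constructed sample: version 12 is the release, version 13 the canary.
const SAMPLE_LOG = [
  'START RequestId: r1 Version: 12',
  'END RequestId: r1',
  'START RequestId: r2 Version: 13',
  '2018-11-27T10:00:01.000Z\tr2\tERROR\tInvoke Error\t{"errorType":"TypeError"}',
  'END RequestId: r2',
  'START RequestId: r3 Version: 13',
  'END RequestId: r3',
  'START RequestId: r4 Version: 12',
  '2018-11-27T10:00:02.000Z r4 Task timed out after 3.00 seconds',
  'END RequestId: r4',
];
console.log(nextCanaryStep(errorRateByVersion(SAMPLE_LOG), '13', 0.01, { minInvocations: 2 }));
```

With the constructed log the canary has a 50% error rate, so the rule rolls back; with a clean canary it shifts 1% to 100% and then promotes.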
  22. Continuous Improvement (2 weeks): initial deploy; added Dev, QE and Staging environments; added 2-way canary deploys; experienced an outage in us-east-1 due to SSM.
  23. Problem: 100% Uptime. Availability, business recovery, dependent services, security, performance.
  24. Solution: Multi-Region Active/Active.
     • Availability + Performance: API Gateway, S3, JS, CloudFront, Route53
     • Business Recovery + Dependent Services: API Gateway, CloudFront, S3, Route53
     • Security
  25. Multi-Region Active/Active - CloudFront + Lambda@Edge logic for the UI (diagram): a user request for app.org.com (e.g. from Florida) reaches CloudFront; (1) an origin-request Lambda@Edge function (Node.js) performs a DNS CNAME lookup for ui.geo.app.org.com, which is answered through geographic/latency records with fail-over alias records pointing at app-ui-us-east-1.s3.amazonaws.com or app-ui-us-east-2.s3.amazonaws.com; (2) CloudFront then requests the object from the selected bucket (app-ui in us-east-1 in the example) over an Origin Access Identity-secured S3 request. The diagram also shows a regional API Gateway with an IAM-secured method request and VTL to zero out content.
  26. Continuous Improvement (5 weeks): initial deploy; added 2-way canary deploys; outage in us-east-1 due to SSM; deployed multi-region support; us-east-2 full region outage; 2-way canary deploys; 1-way canary deploys; Redis cluster outage; cost optimized. After 24 weeks of weekly releases:
     • Zero downtime due to deploys!
     • No service interruptions after adding multi-region!
  27. Multi-region architecture (diagram): ui.geo.app.org.com resolves to the per-region S3 UI bucket origins (us-east-1 and us-east-2), each accessed through an origin access identity; api.geo.app.org.com resolves to an API Gateway custom target domain name in each region, each fronting the service Lambda under its IAM role.
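The origin-request step in the multi-region slides above, written out as an added example (not the deck's code): a Lambda@Edge handler that resolves ui.geo.app.org.com and rewrites the CloudFront request to the regional S3 bucket it names. Hostnames are the deck's; the allowlist check, the separate pure routing step and the constructed event are assumptions added here.

```javascript
// Added example (not the deck's code): a CloudFront origin-request Lambda@Edge handler
// that routes the UI request to the regional S3 bucket chosen by a DNS CNAME lookup of
// the geo/latency record, as the Multi-Region Active/Active slides describe. Hostnames
// are the deck's; the allowlist check and the separate pure routing step are assumptions.
const GEO_RECORD = 'ui.geo.app.org.com';

// Only these origins may be selected, so an unexpected DNS answer cannot redirect
// CloudFront to a bucket outside the application's own.
const ALLOWED_ORIGINS = new Map([
  ['app-ui-us-east-1.s3.amazonaws.com', 'us-east-1'],
  ['app-ui-us-east-2.s3.amazonaws.com', 'us-east-2'],
]);

// Pure routing step: rewrite the request's origin from the CNAME answers.
function routeRequest(request, cnameAnswers) {
  const domainName = cnameAnswers.find((a) => ALLOWED_ORIGINS.has(a));
  if (!domainName) throw new Error(`${GEO_RECORD} resolved to no allowed origin`);
  request.origin = {
    s3: {
      domainName,
      region: ALLOWED_ORIGINS.get(domainName),
      authMethod: 'origin-access-identity', // bucket stays private; CloudFront's OAI signs
      path: '',
      customHeaders: {},
    },
  };
  request.headers.host = [{ key: 'Host', value: domainName }]; // must match the S3 origin
  return request;
}

// Lambda@Edge entry point (export it as the function handler when deploying).
async function handler(event) {
  const dns = await import('dns');
  const answers = await dns.promises.resolveCname(GEO_RECORD);
  return routeRequest(event.Records[0].cf.request, answers);
}

// Constructed origin-request event carrying only the fields the handler touches.
function makeEvent(uri) {
  return { Records: [{ cf: { request: {
    uri,
    method: 'GET',
    headers: { host: [{ key: 'Host', value: 'app.org.com' }] },
    origin: { s3: { domainName: 'app-ui-us-east-1.s3.amazonaws.com', region: 'us-east-1',
                    authMethod: 'origin-access-identity', path: '', customHeaders: {} } },
  } } }] };
}
```

Because routeRequest is separate from the DNS call, it can be exercised offline with a stubbed answer list; the handler itself runs at the edge where the lookup is live.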
  28. The Unexpected: long canary deployments, an AWS region outage, API security.
  29. Incorporating the Learnings
  30. Can a Bank Win a Race? Just as good as any unicorn.
     • How fast can we go using AWS? Rapid prototyping in hours using appropriately secured sandbox accounts.
     • What changes do we need to make to go that fast consistently? Change the release process to allow same-day deployments based on automated testing and security checks.
     • How do we make sure our security requirements are met? Make the pipeline a security control; implement compliance policies as code.
     • How far can we push the technical limits? Innovate: Infrastructure as Code compliance policies change the physics of the release process.
     • How can we demonstrate success early in the cloud journey? Re-architect a smaller application to serverless to demonstrate success.
     • How much can we simplify the development process? A lot! All application components are serverless, eliminating the need to manage, maintain and upgrade servers.
     • How do we decrease TAS and increase GSD? Embed empowered team members and require accountability.
     • What's the lowest cost we can operate at? Thousands of dollars per month.
  31. Thank you! Chris Lofton, Aaron Bawcom (Aaron.Bawcom@CandidPartners.com).
