How Spring Venture Group Uses AWS Service Catalog to Launch Amazon ECS Clusters
By Phil Christensen, Sr. Solutions Architect at Logicworks
When developers have the power to rapidly launch new Amazon Web Services (AWS) resources, organizations can reduce time-to-market for new products.
Long gone are the days when developers had to wait two to three months for IT to provision new servers. On AWS, developers can test and deploy in minutes or hours, resulting in more frequent product releases–and better products.
Spring Venture Group is a group of insurance brokerages that’s expecting double or triple digit growth in the next three years, in large part due to their innovative approach to providing data analytics and other software services to sellers and customers.
As a health insurance sales organization, Spring Venture Group needs to maintain HIPAA compliance, so the potential impact of even a single misconfigured AWS resource is high.
Spring Venture Group saw the power of providing developers with self-service access to AWS resources. However, they did not want developers to manually build each new AWS environment in the AWS Management Console. Manual approaches can result in “snowflake” environments, which create new organizational risks such as improperly configured security controls.
Architecting a Containerized HIPAA-Compliant AWS Environment
Spring Venture Group reached out to our team at Logicworks, an AWS Partner Network (APN) Premier Consulting Partner and Managed Service Provider with the AWS Healthcare Competency, to architect and manage their AWS deployment.
Spring Venture Group’s developers were comfortable building and deploying containers in their on-premises environment, but were eager to get greater agility and flexibility on AWS. They faced severe availability issues running containers on-premises.
One of the key parts of the architecting process was choosing the right container orchestration platform. We discussed Kubernetes, Docker Swarm, and the AWS orchestration platform, Amazon Elastic Container Service (Amazon ECS). Amazon ECS has deep integration with other AWS services like AWS CodeBuild, AWS CodeDeploy, and Amazon Elastic Container Registry (Amazon ECR), making it the most robust and integrated container orchestration platform for AWS.
Although Spring Venture Group’s environment was built prior to the release of Amazon Elastic Container Service for Kubernetes (Amazon EKS), many of the environment’s strengths are also part of the Amazon EKS service.
Spring Venture Group ultimately chose Amazon ECS over Kubernetes due to the overhead of managing their own Kubernetes master nodes and the simplicity of the Amazon ECS platform. On an ongoing basis, Spring Venture Group would be responsible for building and deploying container images, while Logicworks would be responsible for maintaining their AWS account and the Amazon ECS clusters themselves.
To maintain HIPAA standards, several key security features (intrusion detection, logging, bastion hosts, and centralized authentication) should be present in each Virtual Private Cloud (VPC). Rather than replicating standard features in each VPC, Logicworks created a central hub VPC that is peered to spoke VPCs. This provides Spring Venture Group with a separation of concerns, network isolation, and a basis for comparison of security groups.
Additionally, all Logicworks customers are subject to a background process that ensures AWS CloudTrail and AWS Config recording are properly enabled in all regions. This is a crucial step in any environment, allowing for easy detection of unusual or unexpected activity in other regions, and forensics that aid in resolution of complex security issues.
Using AWS CloudFormation and AWS Service Catalog
After Logicworks designed the architecture for Spring Venture Group, we built an AWS CloudFormation template that launched their hub-spoke VPC model and Amazon ECS clusters.
A key aspect of our approach is to selectively create nested stacks for larger recurring concepts. For example, our customized Auto Scaling Group template ensures that necessary support resources (Amazon CloudWatch Alarms, Amazon SNS topics, AWS Identity and Access Management roles, deletion policies) are included by default.
Figure 1 – A typical Spring Venture Group deployment leveraging hub-spoke VPC model.
We put this template and other templates into AWS Service Catalog so Spring Venture Group’s developers could launch them through a self-service interface. Access to AWS Service Catalog is controlled so that only certain developers can launch certain products. This provides additional governance controls on the environment.
Spring Venture Group’s developers know that when they launch an AWS environment from AWS Service Catalog, the key security and compliance features are already in place. They don’t have to do any manual configuration of instances or Amazon ECS clusters. The environment is ready for their application-specific Docker containers.
Figure 2 – A CI/CD pipeline using AWS DevOps tools and Amazon ECS.
Here’s the process that Spring Venture Group uses to launch new AWS environments and deploy code:
- A Spring Venture Group developer commits a change to their local Git repository and pushes to an AWS CodeCommit repository.
- The commit triggers a notification to AWS CodePipeline, which pulls down the source and triggers two jobs in parallel.
- The first job ensures our Amazon ECS Service Catalog product has been instantiated for the particular branch. It will launch a new copy of the cluster if it doesn’t exist yet for this branch, or update an existing one with the anticipated Docker image ID.
- The second job uses a buildspec.yml file defined in the repository to build the current commit into a new Docker container, and pushes the resulting image to Amazon ECR.
- Finally, the Amazon ECS cluster created in Step 3 continually looks for the anticipated Docker image ID and deploys it when ready. When we push an image in the earlier part of the pipeline, we push the Git commit as the tag name. The service that is spun up specifically refers to the Git commit that invoked the change.
Here’s a simplified architecture diagram showing the standard environment launched from AWS Service Catalog.
Figure 3 – Selected AWS Service Catalog products are used to deploy a standardized Amazon ECS environment.
Spring Venture Group used to face significant reliability and performance issues running containers on-premises. Now on AWS, they’re pushing hundreds of product updates a year, and they’ve been able to keep up with the growth of their business.
Running AWS Service Catalog and Amazon ECS has created a reliable, stable deployment pipeline, resulting in hundreds of hours saved for their engineering team each month. Leveraging Logicworks for 24×7 monitoring and support means Spring Venture Group’s developers can focus on delivering great products instead of doing manual configurations.
By using AWS Service Catalog to launch Amazon ECS clusters, Spring Venture Group can rapidly deliver HIPAA-compliant AWS environments that support Docker containers. This not only accelerates product updates, it also ensures AWS resources are configured in a consistent, secure manner.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Logicworks – APN Partner Spotlight
Logicworks is an APN Premier Consulting Partner. They provide expertise in complex infrastructure for industries with high security and compliance requirements, including finance, healthcare, and retail.
*Already worked with Logicworks? Rate this Partner
*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.