How RGC Genetics Center achieved infrastructure automation at scale using AWS Proton

This post was co-written with Rouel Lanche, Associate Director IT Architect, Regeneron

Introduction

Regeneron is a leading biotechnology company that invents, develops, and commercializes life-transforming medicines for people with serious diseases. Founded and led for 35 years by physician-scientists, Regeneron’s unique ability to repeatedly and consistently translate science into medicine has led to numerous FDA-approved treatments and product candidates in development, almost all of which were homegrown in Regeneron laboratories. The Regeneron Genetics Center (RCG™) is a uniquely integrated research initiative that seeks to improve patient care by using genomic approaches to speed drug discovery and development. RGC uses AWS to complement their rapid growth and transformation. To support the demands of the industry, it has never been more important for them to ensure that they can deliver their software at scale, while adhering to strict regulatory requirements.

As RGC’s cloud footprint quickly grew, they needed to find the right balance between increasing release velocity, while maintaining security standards and adhering to best practices. Their platform engineering team was spending a lot of their focus on stitching accounts together with AWS CloudFormation templates to serve the various development groups they supported. The back and forth required to maintain this practice took time away from building out practices to improve developer experience. In addition, tracking what infrastructure-as-code (IaC) resources were deployed across their accounts became a burden and further slowed down update cycles. Ultimately, this slowed down progress as the platform team had to focus on tasks that weren’t providing business value to their customers: developers. To solve their at-scale operational challenges, RGC wanted to build a shared service platform where their platform engineering team could provide a golden path for their developers behind a self-service interface. The goal was to enable their developers to focus on the application development without having to wait for the central platform team to provision resources on their behalf.

Solution overview

To solve the above challenges, RGC realized that they need an internal developer platform to enable their platform engineers to manage multiple environments across AWS accounts through a single-pane-of-glass. In addition. they wanted to provide self-service templates with parametrized inputs to configure those templates based on the developer’s needs. Lastly, they needed central insight into what version of the infrastructure as code templates were deployed to ensure that compliance was met.

“The creation of a standard enterprise application environment took several weeks to implement/deploy but with AWS Proton we scaffold out an environment with all the required services (pick and choose) in a day.” – Rouel Lanche, Associate Director IT Architect

Based on the requirements, the platform team at RGC chose to leverage AWS Proton, which provides a fully managed IaC orchestration experience. AWS Proton helped RGC’s platform team to amplify their impact to their developers because it met their needs without having to build this on their own. It provided their developers a fast path to get their applications deployed based on their needs, without having to wait for a ticket to progress through a backlog. AWS Proton gave their developers an easy way to deploy their code into the various deployment environments, across accounts with all of the tools, governance, and visibility needed to ensure consistent standards and best practices. RGC was able to simplify their multi-account deployments and their day-to-day operational challenges, with AWS Proton as the managed internal developer platform.

The following diagram describes RGC’s Multi-account deployment architecture using AWS Proton, where RGC used AWS Proton’s management account to vend infrastructure in their pre-prod and prod account using AWS Proton’s Account Environment Connection.

Figure 1: RGC’s multi-account deployment architecture using AWS Proton

Above diagram describes RGC’s Multi-account deployment architecture using AWS Proton, where RGC used AWS Proton’s management account to vend infrastructure in their pre-prod and prod account using AWS Proton’s Account Environment Connection.

In RGC, Platform engineers used AWS Proton to define shared infrastructure with reusable environment templates. Templates are infrastructure-as-code (IaC) file created with defined organizational best practices along with security and regulatory guardrails required to operate in a highly regulated industry. AWS Proton helped them to create and register these IaC templates down to the granular account level. With AWS Proton’s Environment Account Connections feature, the platform team was able to manage control and cross account access in a central account, which helped them to define standards for security and access control, code deployment, monitoring for the RGC applications across AWS accounts.

The following diagram outlines the process of the Platform team in RGC uses to create the shared-infrastructure stack to maintain an environment template defined for a particular application Team.

Figure 2: Platform engineering process flow

RGC’s application team relies on multiple AWS services to run their code and store their data. This ranges from Amazon API Gateway with AWS Lambda to Amazon Elastic Container Service (Amazon ECS) for container orchestration. They also use Amazon Simple Storage Service (Amazon S3) for their data lake and Amazon Athena to query them, and Amazon RDS for the persistent data layer. Developers used AWS Proton as a self-service interface to provision infrastructure and deploy their application based on their common patterns to use the technologies needed for their applications to run and scale. With AWS Proton, RGC’s application team can configure services and deploy apps independently to their needs based on the configurable inputs defined by the platform team in the template bundles along with a continuous integration and continuous delivery (CI/CD) pipeline needed for their applications for continuous delivery.

One of the other challenges that the application team was facing was around managing multiple database schemas for their apps and coordinating deployment efforts to apply changes in those schemas. To solve this, RGC used AWS Proton to define custom-resources to manage version-controlled database schemas and provision database for one or more application user(s) with appropriate database permissions, all behind a self-service interface. This deployment has been dictated by parameterized values defined inside the AWS Proton template definition. Besides defining fine-grain access control for the users, these templates are also responsible for encapsulating database credentials using AWS Secret Managers to manage database access. Additionally, the embedding of cfn-lint, cfn-nag and schema validation has ensured that compliance is being adhered at all times during deployments.

The collaboration between DevOps and Application developers has strengthened due to the use of AWS Proton. RGC collaborated and formalized enhancements to environment and service templates using AWS Proton’s schema definitions. This allowed both teams to securely use AWS Services and have confidence that their needs are being met.

This following diagram outlines the process of a development team member using the AWS CodeCommit repo and AWS CodePipeline to manage and deploy their service instances.

Figure 3: App dev process flow

Conclusion

In this post, we showed you how RGC solved their operational challenges as they started growing in the cloud using AWS Proton. This customer story highlights how RGC standardized their process to create application environments in a highly regulated industry using predefined templates with organizational best practices and guardrails at scale and with a simplified deployment efforts to multiple AWS accounts with fine-grain access control using multi-account CI/CD deployments. With this implementation, RGC’s IT Governance got a clear view of infrastructure security and access rules through the lens of the AWS Proton environment and service templates. To find out how you can use AWS Proton for modern applications, Explore AWS Proton features here.