AWS Public Sector Blog
Inside a self-service cloud research computing platform: How RONIN is built on AWS
RONIN is an Amazon Web Services (AWS) Partner solution that gives researchers a simple interface to create and control computing resources, set and monitor budgets, and forecast spend. RONIN is designed to advance research institutions’ missions by providing a research platform that covers the most common research use cases while remaining compatible with advanced AWS cloud computing services. Learn what powers RONIN underneath the user-friendly interface.
Standardizing resource creation
In its default and simplest configuration, RONIN is installed in a single AWS account owned by the RONIN administrator. RONIN provides a four-page build sheet on which the administrator specifies security parameters, such as the IP address ranges allowed to reach the RONIN portal and the default Amazon Simple Storage Service (Amazon S3) bucket policy. Because researchers manage AWS resources only through the RONIN web application, every resource is created according to the same security profile. Only the administrator, and those who have been granted access, can see the AWS Management Console.
Multiple account configurations are also possible, and make sense in scenarios such as when different departments manage their own finances or when one department has different security needs than another. In this case, the build sheet specifications and the RONIN administrator might be different for each configuration.
Streamlining secure access
RONIN users and permission groups are managed with Amazon Cognito, but most institutions ask to connect their own authentication service to enable single sign-on. Once users have access to RONIN, they must be assigned to a project before they can create resources. The project is an important abstraction: it lets a lab allocate a budget, a timeframe, and billing codes to a specific set of compute and storage resources. Each project has its own subnet with its own security groups, isolating projects from each other. RONIN uses tags to identify who creates and uses each resource, and cost allocation tags to track those resources against the account's bill.
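One way to make a project tag like the one described above enforceable at the IAM layer, rather than merely informational, is an attribute-based policy: members may launch instances only if they tag them with their project, may manage only instances that carry that tag, and may never change the tag afterwards. The following is an added example, not RONIN's code or its actual policy; the tag key "Project", the statement names, and the small lint that flags Allow statements lacking a tag condition are all assumptions for illustration.

```python
"""Project-scoped (tag-based) IAM policy plus a lint for unscoped grants.

Added example, not RONIN's implementation. Assumptions: the tag key is
"Project", the statement Sids are ours, and members launch and manage
EC2 instances and volumes only. Pattern: require the project tag at
launch (aws:RequestTag), require it on existing resources (aws:ResourceTag),
and deny changing it afterwards so a resource cannot move between projects.
"""
import copy
import json
import re

TAG_KEY = "Project"  # assumed tag key

# Actions that create or change instances/volumes and therefore must be tag-scoped.
MUTATING_EC2_ACTIONS = {
    "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:TerminateInstances",
    "ec2:CreateTags", "ec2:DeleteTags",
}
# Resources that carry tags here: "*" or an instance/volume ARN.
TAGGED_RESOURCE = re.compile(r"^(\*|arn:aws:ec2:[^:]*:[^:]*:(instance|volume)/.*)$")
INSTANCE_AND_VOLUME = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]


def project_scoped_policy(project: str) -> dict:
    """IAM policy confining a member to resources tagged Project=<project>."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*",
             "Resource": "*"},
            {   # Instances and volumes may only be created with this project's tag.
                "Sid": "LaunchTagged", "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": INSTANCE_AND_VOLUME,
                "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": project}},
            },
            {   # RunInstances also touches resources that carry no request tag.
                "Sid": "LaunchDependencies", "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                             "arn:aws:ec2:*:*:security-group/*",
                             "arn:aws:ec2:*:*:key-pair/*",
                             "arn:aws:ec2:*:*:network-interface/*"],
            },
            {   # Tags may be written only at launch, and only with this project's value.
                "Sid": "TagOnCreate", "Effect": "Allow", "Action": "ec2:CreateTags",
                "Resource": INSTANCE_AND_VOLUME,
                "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances",
                                               f"aws:RequestTag/{TAG_KEY}": project}},
            },
            {   # Existing instances may be managed only if they carry this project's tag.
                "Sid": "ManageOwnInstances", "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances",
                           "ec2:RebootInstances", "ec2:TerminateInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": project}},
            },
            {   # The project tag is frozen after creation: ec2:CreateAction is absent
                # on later tag edits, so the Null test is true for them.
                "Sid": "FreezeProjectTag", "Effect": "Deny",
                "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
                "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": [TAG_KEY]},
                              "Null": {"ec2:CreateAction": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy: dict) -> list:
    """Sids of Allow statements that grant mutating EC2 actions on instances or
    volumes without any condition on the project tag. Matches action names
    exactly; expand wildcards such as ec2:* before linting real policies."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not MUTATING_EC2_ACTIONS & set(_as_list(st.get("Action", []))):
            continue
        if not any(TAGGED_RESOURCE.match(r) for r in _as_list(st.get("Resource", []))):
            continue
        keys = {k for operator in st.get("Condition", {}).values() for k in operator}
        if not any(k.endswith(f"Tag/{TAG_KEY}") for k in keys):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def without_condition(policy: dict, sid: str) -> dict:
    """Copy of `policy` with one statement's Condition removed (a weak 'before' variant)."""
    weak = copy.deepcopy(policy)
    for st in weak["Statement"]:
        if st.get("Sid") == sid:
            st.pop("Condition", None)
    return weak


if __name__ == "__main__":
    policy = project_scoped_policy("genomics")
    print(json.dumps(policy, indent=2))
    print("unscoped:", unscoped_statements(policy))  # []
    print("unscoped:", unscoped_statements(without_condition(policy, "ManageOwnInstances")))  # ['ManageOwnInstances']
```

The Deny statement is what turns the tag from a cost-allocation label into an isolation boundary: without it, a member could re-tag an instance into another project's budget. The lint is deliberately narrow (exact action names, instance and volume ARNs) so that it does not false-positive on the dependency grant for images, subnets, and security groups, which have no request tag at launch.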
Machines created within RONIN can be configured to connect securely to on-premises license servers, so researchers can keep using existing licenses for MATLAB, SPSS, and a long list of commonly used commercial research packages. An AWS solutions architect can set this up with a VPN or AWS Direct Connect, a proxy server, and security groups that manage connectivity between machines. RONIN Secure Stream, an additional RONIN service, streamlines this task: it takes a list of license servers and ports and orchestrates the configuration.
Tightly secured machines can be difficult for researchers to access, and SSH port forwarding poses a steep learning curve. To make this easier, RONIN includes a desktop application called RONIN Link for Mac, Windows, and Ubuntu. It automatically forwards the ports that RStudio Server, Jupyter Notebooks, the Ganglia Monitoring System, and other applications would normally expose, carrying them over a single encrypted SSH connection on port 22, so those services do not need to be opened to the network. RONIN also supports remote desktops for Linux and Windows machines in the same way, using the NICE DCV remote visualization software available on Amazon Elastic Compute Cloud (Amazon EC2) instances.
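What RONIN Link automates is the manual procedure below: one `ssh -N` session that forwards each tool's port on the instance to a loopback port on the researcher's laptop, so the instance's security group needs to admit only TCP/22. This is an added example, not RONIN Link's code; the hostname, user, key file, and the assumed default ports (RStudio Server 8787, Jupyter 8888, Ganglia web front end 80) are placeholders.

```python
"""Local SSH port forwarding for web tools on a locked-down instance.

Added example, not RONIN Link's code. Assumes a Linux instance that accepts
only TCP/22 from the researcher's address, and the tools' default ports
(RStudio Server 8787, Jupyter 8888, Ganglia web front end 80); host, user and
key path are placeholders.
"""
import shlex
import socket

# Remote (instance-side) ports; assumed defaults for the tools named on the page.
SERVICES = {"rstudio": 8787, "jupyter": 8888, "ganglia": 80}


def free_local_port(preferred: int) -> int:
    """Return `preferred` if it can be bound on loopback, else an OS-chosen free port.
    Ports below 1024 (Ganglia's 80) normally cannot be bound by a non-root user,
    so they fall through to an ephemeral port."""
    for port in (preferred, 0):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            try:
                sock.bind(("127.0.0.1", port))
                return sock.getsockname()[1]
            except OSError:
                continue
    raise RuntimeError("no free local port")


def tunnel_argv(host: str, user: str, key_path: str,
                services: dict, local_ports: dict) -> list:
    """argv for one ssh session that carries every service over port 22."""
    argv = [
        "ssh", "-N",                          # forward only, no remote shell
        "-o", "ExitOnForwardFailure=yes",     # fail instead of silently running without a forward
        "-o", "StrictHostKeyChecking=yes",    # refuse unknown or changed host keys
        "-o", "ServerAliveInterval=30",       # keep idle tunnels from being dropped
        "-i", key_path,
    ]
    for name, remote_port in services.items():
        # Bind on loopback only: other machines on the researcher's LAN cannot use the tunnel.
        argv += ["-L", f"127.0.0.1:{local_ports[name]}:localhost:{remote_port}"]
    argv.append(f"{user}@{host}")
    return argv


def browse_urls(local_ports: dict) -> dict:
    """Where each tool appears on the researcher's laptop once the tunnel is up."""
    return {name: f"http://127.0.0.1:{port}/" for name, port in local_ports.items()}


if __name__ == "__main__":
    local = {name: free_local_port(port) for name, port in SERVICES.items()}
    # Placeholder host (TEST-NET address), user and key file.
    argv = tunnel_argv("ec2-198-51-100-7.compute-1.amazonaws.com", "ubuntu",
                       "ronin-project.pem", SERVICES, local)
    print(shlex.join(argv))  # run this in a terminal and leave it running
    for name, url in browse_urls(local).items():
        print(f"{name:8s} {url}")
```

Two details matter for the "tightly secured" goal: the `-L` specification binds to 127.0.0.1 explicitly (the default bind address can be widened by `GatewayPorts`, which would turn the laptop into an open relay into the instance), and `StrictHostKeyChecking=yes` means a first connection to an unknown host key fails rather than being silently accepted, so the instance's host key has to be distributed or pinned out of band.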
Supporting reproducible workflows
RONIN was designed to make it simple for researchers to create machines and auto-scaling clusters and either install their own software on them or use pre-built machine images or packages. Researchers normally need control over the entire software stack so that they can reproduce complex technical workflows. This control, together with the ability to save and package specific versions of software and data so that an analysis can be reproduced later, is an important advantage AWS brings to research over simple on-premises computing. As researchers learn and adopt concepts from modern IT such as containerization, data lakes, and serverless computing to modernize research codes for the cloud, the extensible design of RONIN can grow with them.
Enabling extensible architectures
Behind the scenes, the organization’s RONIN administrators have access to the AWS Management Console for the account and can use any AWS service to further monitor, tag, manage, and create resources for RONIN users, managed separately from what RONIN itself provisions. Administrators can use AWS Cost Explorer to break spend down by billing code and tag and obtain detailed, personalized cost reports at very fine granularity. They can also patch and control instances fleet-wide with AWS Systems Manager, which is enabled by default on all instances. To reach on-premises file storage they can use AWS Storage Gateway, and several AWS services are available for connecting to on-premises license servers. RONIN can also be used to create data lakes and expose them to specific users for secure analysis with scalable tools. Research IT personnel can think of RONIN as an extension of their data center and a secure bridge from on-premises resources to AWS assets.
Learn more about the design of RONIN to understand how this solution can make AWS an extension of your research IT environment and empower your researchers with the scalability and flexibility of the cloud. Contact us or attend our webinar.