AWS Startups Blog

Travizory Leverages GitOps and AI to Help Countries Unlock Safe Travel in Just 4 Weeks

Guest post by: Barry McLaughlin – Senior Software Architect, Travizory and Vladyslav Shkola – Startup Solutions Architect


As the world begins to reconsider international travel, the challenge many governments now face is how to reopen borders to revive their economies, while keeping local communities safe and minimizing health risks. Lengthy lines and unfamiliar screening processes at many airports make it clear that existing systems simply can’t cope with the ‘new normal’ of traveling. Anticipating the need to navigate this incredibly complex and high-stakes landscape, border security experts Travizory developed a world-leading secure SaaS border security and management platform using cutting-edge biometrics, AI and machine learning technologies that enables countries to safely welcome visitors within a matter of weeks.

How the Seychelles opened their border in 2 weeks

Our Visitor Management Platform offers an easy-to-deploy, highly available and secure system for governments around the world, including the idyllic islands of the Seychelles in the Indian Ocean.

In September 2020, Seychelles implemented a facial travel authorization system to streamline travel for visitors, requiring tourists to pre-submit information about their trip online, including hotel address, passport information, and vitally, proof of a negative PCR test before being granted permission to enter the Seychelles. Without this pre-authorization, airlines operating in Seychelles are instructed not to allow the passenger to board the flight.

The ability to risk assess and pre-approve passengers before arrival significantly reduces the burden on immigration officials and allows staff to focus only on the handful of cases that require additional attention. Easy access to rich, real-time data sets improves decision-making and planning as departments are able to quickly identify trends, e.g. increasing number of infected passengers, within the data.

Not only is this more efficient for staff behind-the-scenes, but it also helps to reduce delays from start to finish: at check-in, through to health and immigration checks on arrival. Crucially though, it also provides certainty to passengers that their holiday can go ahead without a hitch.

Finding a solution with AWS

The problem was clear: how could Travizory maintain the speed and agility of a startup while working with regulated government customers? Classic software providers for governments could spend years on development and months on deployment, but not Travizory. A number of technical challenges make this difficult to realize. By leveraging AWS’s vast ecosystem of services and on-demand infrastructure, Travizory is able to concentrate on what matters to their customers: providing safe and secure experiences to international travelers, ensuring fast deployment and high compliance and data protection standards, and delivering an always-on experience for travelers, especially during border checks.

Automating a deployment process with GitOps

At Travizory, one of the things that helps us to deploy fast is our GitOps approach. A term introduced by Weaveworks, it’s an operational model for Kubernetes (k8s) and other Cloud Native technologies which consists of a few main principles:

  • The entire system is described declaratively
  • Git is the source of truth for the desired state of the whole system: not only application code, but infrastructure as well
  • Any approved changes to the state in Git are automatically applied to the system
  • Infrastructure is defined as code (e.g., Terraform, CDK or CloudFormation)

Travizory’s GitOps approach

Let’s dive deeper into how these principles are implemented in Travizory.

  • Declaratively: All our services are defined declaratively with Helm Charts and are deployed on Amazon EKS. Helm uses a packaging format called charts; a chart is a collection of files that describe a related set of Kubernetes resources. A single chart might be used to deploy something simple, like a memcached pod, or something complex, like a full web app stack with HTTP servers, databases, caches, and so on. With EKS, the Kubernetes control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS endpoints associated with our cluster. The actual worker nodes run in our AWS account and connect to the control plane via the API server endpoint.
  • Git, source of truth: All the current code that defines our services and infrastructure is stored in Git. Developers push updates to individual components all the time. We have different Helm Charts stored in Git, per environment and per customer. This means that our infrastructure is always immediately reproducible based on the Git repository.
  • Any approved changes to the state in Git are automatically applied to the system: Once a commit is pushed, a build process with AWS CodeBuild starts and the system is updated. That helps to maintain Operational Excellence, including monitoring and observability: we always know what is currently deployed. When a new system has to be deployed, it is just a new branch for the new customer, which is deployed automatically. Currently we have a rolling update deployment with Helm and AWS CodeDeploy. First we deploy our code to the Test account, and once all the health checks have passed and the QA team has done its testing, we deploy the same code into the Production account. In the future we plan to have a Blue-Green Deployment, which is supported by the service.
  • Infrastructure defined as code: We use CloudFormation templates to automate the infrastructure deployment.

Why this approach

Our customers are governments for the most part, and we handle a lot of personal information regarding travelers. This means we need to be able to completely separate data for different customers, using different AWS accounts and separate Virtual Private Clouds (VPCs).

To support this, we need to be able to reproduce everything in our stack: the infrastructure (k8s, Elasticsearch, network config, etc.), the security and monitoring, and our applications. Therefore, we employ a GitOps approach, where everything is code and everything is reproducible. It also allows us to know what is deployed where and to roll back when things go wrong.

Compliance

In highly regulated industries, compliance is everything. This is where Travizory has benefitted from working with AWS under the so-called Shared Responsibility Model. AWS is responsible for protecting the whole infrastructure that runs all the services, and Travizory is responsible for keeping its own services and data compliant and secure. Leveraging managed services reduces the attack surface of our infrastructure and allows us to offload the undifferentiated heavy lifting.

Features such as encryption at rest and in transit, auto-expiration, and data retention policies help Travizory to keep highly sensitive customer data compliant and secure.
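In a GitOps pipeline, the encryption requirement can be enforced as a gate on the CloudFormation template before a change is applied. The following is an added example, not Travizory's code: it assumes JSON templates, and the logical IDs and the `EncryptParam` parameter are constructed. It covers the Aurora cluster and the Elasticsearch domain mentioned above.

```python
import json
# Constructed sample (not Travizory's): one compliant cluster, two with gaps.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "TravelerDb": {"Type": "AWS::RDS::DBCluster",
    "Properties": {"Engine": "aurora-postgresql", "StorageEncrypted": true}},
  "ReportingDb": {"Type": "AWS::RDS::DBCluster",
    "Properties": {"StorageEncrypted": {"Ref": "EncryptParam"}}},
  "SearchDomain": {"Type": "AWS::Elasticsearch::Domain",
    "Properties": {"EncryptionAtRestOptions": {"Enabled": true},
                   "DomainEndpointOptions": {"EnforceHTTPS": false}}}
}}
""")

# Resource type -> property paths that must be the literal boolean true.
REQUIRED_TRUE = {
    "AWS::RDS::DBCluster": [("StorageEncrypted",)],
    "AWS::Elasticsearch::Domain": [
        ("EncryptionAtRestOptions", "Enabled"),       # at rest
        ("NodeToNodeEncryptionOptions", "Enabled"),   # in transit, node to node
        ("DomainEndpointOptions", "EnforceHTTPS"),    # in transit, client to domain
    ],
}

def lookup(props, path):
    """Walk a nested property path; None if any step is missing."""
    node = props
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_template(template):
    """Return sorted (logical_id, property, problem) findings; empty means pass."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for path in REQUIRED_TRUE.get(res.get("Type"), []):
            value = lookup(res.get("Properties", {}), path)
            if value is True:
                continue
            # A Ref/Fn::If cannot be verified statically, so it fails closed.
            problem = ("missing" if value is None else
                       "unresolved intrinsic" if isinstance(value, dict) else "not true")
            findings.append((name, ".".join(path), problem))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_template(SAMPLE_TEMPLATE))
```

Run as a build step, a non-empty result would fail the build, so an unencrypted data store never reaches a customer account.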

General Architecture


High-level architecture of Travizory

Our architecture consists of two main parts: the main account and the customer accounts. The main account contains multiple CI/CD pipelines, general configurations, monitoring, and the development, testing and demo environments. Customer accounts are separate AWS accounts with the Staging and Prod environments of our services.

We are heavy users of Kubernetes, where all the services with business logic are located. In order to reduce costs, we evaluated Spot and Reserved instances and decided to go with Reserved due mainly to predictable demand per customer. By purchasing Reserved instances we were able to save up to 37% in comparison with standard on-demand instances.

Managed compute and database services

Amazon EKS helped Travizory to upgrade a major version of k8s in production with zero downtime, which would be much harder to achieve with a self-managed k8s cluster.

The user data and application data are stored in Amazon Aurora, which gives us speed and full-text search features, scales up and down according to demand, and handles almost any load, be it just a few new customers or a new country.

Managed ML services

Heavy use of managed services, powered by AWS’s ML offerings, helps Travizory to develop features faster and deploy them in weeks or even days, instead of the months or years this usually takes in environments with high compliance standards.

For instance, we use managed ML services such as Amazon Rekognition, AWS’s image recognition AI, to match user photos to passport photos, to get the likelihood percentage of a facial match, and to suggest whether a selfie is a good match as a passport photo. Amazon Textract allows us to process customer documents and extract information, such as the date and test result from COVID certificates. Amazon Comprehend and its NLP services allow the system to extract additional information from documents: entities such as places, people and locations, and personally identifiable information (PII), which are used to fill in a tourist profile and maintain our data quality.

Conclusion

In just 4 weeks, Travizory enabled local authorities to safely and securely reopen to international tourists. Since March 2021, numbers of tourists have shot back up to 50% of pre-COVID levels. Our flexible and agile approach allows us to reopen borders almost immediately, so that travelers can seamlessly visit destinations and tourist-dependent countries can support their healthy economies. Working with AWS, Travizory is paving the way for what post-COVID travel can and should look like: safe, seamless and fast.

Barry McLaughlin is Senior Software Architect with Travizory. He aims to be always learning and trying new things, with a dedication to continuously improving our software. Currently focused on cloud-based technologies, Kubernetes, CI/CD pipelines and anything that helps make the boat go faster.
Vladyslav Shkola is a Startup Solution Architect at Amazon Web Services (AWS), where he is helping startups to make sure that they can deploy the best, most scalable, and most secure architectures possible. Vladyslav has a Master's degree in Distributed Systems Engineering.