EnKash is an all-in-one commercial payments platform. A growing number of next-generation businesses have trusted EnKash for a frictionless payments experience. EnKash is one of the fastest-growing platforms in the B2B space, enabling businesses to digitize and simplify their commercial payments.
EnKash has created unique value by combining its platform with cards. Businesses now have the convenience, savings, control and visibility they need to improve productivity and operational efficiency.
EnKash leads innovation by enabling simple, technologically advanced solutions. With state-of-the-art technology, EnKash is committed to helping businesses with their cash flow management challenges.
THE CLIENT’S CHALLENGE
The client wanted to modernize its applications and automate the whole CI/CD process. They wanted a more modular infrastructure built on a microservices architecture, and they wanted to adopt Infrastructure as Code (IaC) so that infrastructure could be deployed as and when needed.
Since the client is a startup, its intention was clear: it needed a fully automated setup that would not just launch the infrastructure but also build and configure the application seamlessly. They were open to a microservices approach using either Docker or Kubernetes.
The main goal was that there should be no human interaction during deployment, auto-scaling and monitoring.
CI/CD process: for production deployment we configured a Docker registry to hold versioned Docker images. Jenkins jobs were configured to build a Docker image from the code repository, and the deployment was configured to automatically pull the required Docker images and deploy them to the Kubernetes cluster.
INSIGHT TO ACTION
The Techpartner team worked with the client and suggested a Docker-based approach, which reduces the cost of managing VMs in terms of their usage. We used Kubernetes for Docker orchestration in highly available mode with multiple masters, so the cluster stays available if any base node fails.
We also set up application and pod monitoring and logging, which gives the support team a single view of the current status of the running infrastructure.
With the automated CI/CD process, deployment became easy; we followed the blue/green deployment approach, which allowed seamless deployment without any downtime.
SECURITY BEST PRACTICES
- Enabled a password vault to safeguard passwords, and configured the application not to use any static access/secret keys.
- Application-to-AWS-service communication is only via role-based access.
- MFA is enabled for all users, including the root account.
- Using Security Hub and AWS Config audit reports, we made sure that IAM users and their activity are closely monitored.
- We used AWS managed services wherever possible to keep the infrastructure highly available.
- Set up detailed monitoring for the account and its resources, including billing, integrated with CloudWatch.
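As an added example (not code from EnKash or Techpartner), here is how the second and third practices above can be expressed in Terraform with the hashicorp/aws provider: an EC2 instance role so the application never holds static access/secret keys, and an IAM policy that denies API calls made without MFA. The role, profile, policy and bucket names, and the `engineers` group the policy is attached to, are assumptions chosen for illustration.

```terraform
# Added example, not the project's own code. Values marked "assumed" are placeholders.

# ---- Application-to-AWS access through an instance role (no static keys) ----
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app-instance-role" # assumed
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Least privilege: object read/write on the one bucket the application uses.
data "aws_iam_policy_document" "app_s3" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::app-assets-example/*"] # assumed bucket
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::app-assets-example"]
  }
}

resource "aws_iam_role_policy" "app_s3" {
  name   = "app-s3-access"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app_s3.json
}

# Reference this profile from the launch template; the SDK on the instance then
# fetches short-lived credentials from the instance metadata service.
resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile" # assumed
  role = aws_iam_role.app.name
}

# ---- Require MFA for every IAM user in the group ----------------------------
data "aws_iam_policy_document" "require_mfa" {
  # Users may still enrol and manage their own MFA device without MFA.
  statement {
    sid       = "AllowListMfaDevices"
    actions   = ["iam:ListVirtualMFADevices"]
    resources = ["*"]
  }
  statement {
    sid = "AllowOwnMfaSetup"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFADevices",
      "iam:ResyncMFADevice",
      "iam:GetUser",
    ]
    resources = [
      "arn:aws:iam::*:mfa/*",
      "arn:aws:iam::*:user/$${aws:username}", # $$ escapes Terraform interpolation
    ]
  }
  # Everything else is denied unless the session carries MFA. BoolIfExists also
  # denies requests where the context key is absent, e.g. long-lived access keys.
  statement {
    sid    = "DenyAllWithoutMfa"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "require_mfa" {
  name   = "require-mfa" # assumed
  policy = data.aws_iam_policy_document.require_mfa.json
}

resource "aws_iam_group_policy_attachment" "engineers_mfa" {
  group      = "engineers" # assumed existing group of human users
  policy_arn = aws_iam_policy.require_mfa.arn
}
```

The `AllowOwnMfaSetup` statement is what lets a newly created user enrol a device before the Deny statement applies to them; without it the policy locks fresh users out entirely. MFA on the root account cannot be managed from Terraform and is enabled once in the console, which is why the page lists it separately.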
The client benefited from the microservices architecture with a streamlined CI/CD process. By moving to a microservices architecture in a containerised environment, they were no longer tied to any proprietary platform. By using Jenkins and a private Docker registry, they were able to restrict the deployment process to authorized users only, with approval. This led to a more streamlined and controlled CI/CD process with minimal downtime and human error.
With auto-scaling enabled, all peak load was handled without any worry about the infrastructure. IaC made it possible to launch a copy of the infrastructure for the Dev, Staging, UAT and DR environments within a few minutes.
WAF for SECURITY and COMPLIANCE
Amazon Web Services' (AWS) Web Application Firewall (WAF) is a security service that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. After implementing AWS WAF, we have seen several improvements.
- Enhanced security: AWS WAF helps protect web applications from common web exploits such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). With AWS WAF, you can create custom rules to block known attack patterns or suspicious behavior.
- Improved availability: By blocking malicious traffic, AWS WAF can help improve the availability of your web application by reducing the impact of DDoS attacks or other types of web exploits.
- Reduced costs: By reducing the impact of web exploits, AWS WAF can help you save money on infrastructure costs and reduce the risk of reputational damage.
- Simplified management: AWS WAF is a managed service, which means that AWS takes care of the underlying infrastructure and maintenance tasks. This can help simplify management and reduce the burden on your IT team.
- Compliance: AWS WAF can help you comply with various regulatory requirements such as PCI DSS, HIPAA, and GDPR by providing controls to protect your web application from attacks and unauthorized access.
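As an added example (not the project's code), the following Terraform defines a WAF web ACL of the kind described above: two AWS managed rule groups covering the common exploit patterns and SQL injection, plus a custom per-IP rate limit, attached to an ALB. The ACL name, the rate threshold and the `aws_lb.app` resource it is attached to are assumptions.

```terraform
# Added example, not the project's own code.
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl" # assumed
  scope = "REGIONAL"    # REGIONAL for an ALB; CLOUDFRONT (created in us-east-1) for a distribution

  default_action {
    allow {}
  }

  # AWS managed core rule set: XSS, path traversal, bad user agents, oversized bodies.
  rule {
    name     = "common-rules"
    priority = 1
    override_action {
      none {} # keep each managed rule's own block action
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rules"
      sampled_requests_enabled   = true
    }
  }

  # AWS managed SQL injection rule group.
  rule {
    name     = "sqli-rules"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "sqli-rules"
      sampled_requests_enabled   = true
    }
  }

  # Custom rule: block any single source IP exceeding 2000 requests in the
  # 5-minute evaluation window (assumed threshold), blunting floods and brute force.
  rule {
    name     = "rate-limit-per-ip"
    priority = 3
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the application's load balancer (assumed resource name).
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Roll a new managed rule group out with `override_action { count {} }` first and review the sampled requests and CloudWatch metrics before switching to `none {}`, so that legitimate traffic caught by a false positive is logged rather than blocked while the rules are being tuned.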
- AWS WAF: Since this is a consumer-facing application, WAF is used for better security.
- AWS CloudFront: The frontend of the application is served via CloudFront for quicker responses to customers and to take advantage of CloudFront edge locations.
- AWS Application Load Balancer (ALB): The application is hosted on private Auto Scaling group instances, and an ALB is used to load balance and expose the application to the internet. ACM is used to issue the SSL/TLS certificates, and the applications serve only TLS-encrypted traffic to end customers.
- AWS EC2 Auto Scaling Groups (ASG): The application runs on Auto Scaling group EC2 instances, and the ASG handles auto-scaling. Whenever application usage crosses a threshold of 60% CPU, the ASG scales out horizontally to absorb the inflow of requests, keeping the user experience seamless. The ASG scales in whenever the load subsides, which helps keep costs under control.
- AWS CloudWatch: CloudWatch is used for monitoring and alerting. Resource usage of the infrastructure is monitored using CloudWatch dashboards. Whenever a critical threshold is breached (e.g. too many 5xx responses on the ALB), an alert is sent to the Operations and Engineering teams for investigation. Billing alerts have also been set.
- AWS Route53: Route53 is used for DNS. DNS zones are set up for internal as well as public-facing records.
- AWS S3: S3 stores the frontend application code and static assets (which are then served by CloudFront). S3 also stores backup data. Data to be retained long term is moved to Glacier periodically.
- AWS CodeBuild: Used to build and compile the application.
- AWS CodeDeploy: Used for deployment; it enables blue/green deployments.
- AWS Lifecycle Manager: Used to take image backups of the instances.
- AWS RDS (PostgreSQL): This is the backend database for the Python applications.
- AWS KMS: Used to encrypt the instances' disks.
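As an added example (not the project's code), this Terraform expresses three of the operational controls listed above: the ASG target-tracking policy at 60% CPU, a CloudWatch alarm on ALB 5xx responses, and the billing alarm. The alarm thresholds, the SNS topic names and the `aws_autoscaling_group.app` and `aws_lb.app` resources it references are assumptions.

```terraform
# Added example, not the project's own code. aws_autoscaling_group.app and
# aws_lb.app are assumed to be defined elsewhere in the configuration.

# Topic the Operations and Engineering teams subscribe to (email, chat, pager).
resource "aws_sns_topic" "ops_alerts" {
  name = "ops-alerts" # assumed
}

# Target tracking keeps average CPU across the group near 60%: it scales out
# above the target and scales back in as load subsides, with no step rules.
resource "aws_autoscaling_policy" "cpu_target" {
  name                   = "cpu-target-60"
  autoscaling_group_name = aws_autoscaling_group.app.name
  policy_type            = "TargetTrackingScaling"

  target_tracking_configuration {
    predefined_metric_specification {
      predefined_metric_type = "ASGAverageCPUUtilization"
    }
    target_value = 60
  }
}

# Alarm when the ALB itself returns too many 5xx; use HTTPCode_Target_5XX_Count
# for errors produced by the application instances. Thresholds are assumed.
resource "aws_cloudwatch_metric_alarm" "alb_5xx" {
  alarm_name          = "alb-5xx-errors"
  namespace           = "AWS/ApplicationELB"
  metric_name         = "HTTPCode_ELB_5XX_Count"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 3
  threshold           = 50
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching" # a quiet period is not an error
  dimensions = {
    LoadBalancer = aws_lb.app.arn_suffix
  }
  alarm_actions = [aws_sns_topic.ops_alerts.arn]
  ok_actions    = [aws_sns_topic.ops_alerts.arn]
}

# Billing metrics are published only in us-east-1, so the alarm and the topic
# it notifies must live there regardless of where the application runs.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_sns_topic" "billing_alerts" {
  provider = aws.us_east_1
  name     = "billing-alerts" # assumed
}

resource "aws_cloudwatch_metric_alarm" "monthly_spend" {
  provider            = aws.us_east_1
  alarm_name          = "estimated-charges-over-budget"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  statistic           = "Maximum"
  period              = 21600 # charges are refreshed a few times a day
  evaluation_periods  = 1
  threshold           = 1000 # USD, assumed monthly budget
  comparison_operator = "GreaterThanThreshold"
  dimensions = {
    Currency = "USD"
  }
  alarm_actions = [aws_sns_topic.billing_alerts.arn]
}
```

The `AWS/Billing` metric is only emitted after "Receive Billing Alerts" is turned on in the account's billing preferences, so the billing alarm stays in INSUFFICIENT_DATA until that switch is set. Subscriptions on the two topics (email, chat webhook, pager) are created separately and must be confirmed by the recipient before alerts are delivered.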