Aarogyasri Health Care Trust wanted to streamline service delivery across the application management life cycle, reduce provisioning timelines, ensure disaster recovery for applications and data, and accelerate the development of new features and capabilities for products aimed at a cutting-edge customer experience. Beyond operational IT measures, Aarogyasri wanted service assurance for its business across airline providers to remain undisrupted by the digital transformation.
There were more than 10 mission-critical applications that needed high resilience, and Aarogyasri sought efficient storage and infrastructure services to reduce operational overheads. To support several thousand passenger queries on any given day, the storage services had to scale with demand.
Earlier, Aarogyasri's applications were hosted in a data centre (DC) in Hyderabad, and the Disaster Recovery Centre was located on the same premises, which posed a high risk of unavailability.
- Dataevolve proposed moving the DC to AWS so that both the transformation of the DC and the enablement of DR at a different site location could be achieved.
- Leverage native AWS Cloud services so that Aarogyasri can take advantage of faster, intelligent storage and application modernization.
- Re-host applications from on-premises to a target AWS environment using suitable cloud storage services.
- Use Amazon S3 as the primary backup location for Aarogyasri, storing access logs, audit logs, object files and data backups.
- Use Amazon EBS volumes as the primary data storage for the EC2 instances provisioned to run applications.
- Use Amazon Glacier as a cost-effective storage location by transitioning old data from S3.
- Migrate the data from the on-premises Oracle database to Amazon RDS.
- Migrate the application database to Aurora PostgreSQL.
- Use Commvault to create backups and store them in S3.
- Use ScienceLogic to monitor storage.
- Migrate SVN to AWS CodeCommit.
- Migrate Aarogyasri applications from the IBM stack to open source (Java/Spring).
- Implement CI/CD for the Aarogyasri application.
- The cloud has enabled unprecedented (100%) scaling of storage.
- Eliminated license costs and rationalized storage operations, reducing the TCO of data operations by 80%.
- 100% of the estate is virtualized, giving 99.99% infrastructure availability.
- 100% continuity with 0% degradation.
- Moving to the cloud helps Aarogyasri, on any given day, seamlessly process almost 750,000 health claim requests, track the status of 1 million requests for hospitals, and help over 400,000,000 people utilize government-aided health schemes.
- The move to the cloud and the modernization of cloud operations have armed Aarogyasri with the agility and scale to synergize operations across 31 districts.
- Amazon S3 is used to store all logs and backups. AWS Key Management Service (KMS) is used to encrypt data in S3, and access to S3 buckets is restricted based on IAM roles and user policies.
- VPC endpoints are created so that applications hosted on EC2 instances can access the S3 bucket securely without traversing the internet.
- S3 Versioning is enabled in the Aarogyasri environment to provide an additional layer of protection for sensitive objects stored in the S3 buckets.
- Each S3 bucket associated with the applications hosted in the target environment is monitored using CloudWatch metrics.
- Tagging is used for the buckets that store logs, classifying them by date and by the prefix of the various services.
- A lifecycle policy is in place to change the object storage class to Intelligent-Tiering and to expire objects after a defined number of days.
- S3 Intelligent-Tiering is ideal for data with unknown or changing access patterns that need not be stored for a very long time.
- Glacier is used, via lifecycle policies, to archive the least frequently accessed files stored in S3 (logs, objects and so on) because of its cost effectiveness. Data stored in Glacier is not immediately available; retrieval takes time, and that delay is tolerable.
Amazon EBS volumes are used as the primary block-level data storage for the provisioned EC2 instances.
The following volume types are used in Aarogyasri:
- General Purpose SSD: used for applications that need fewer than 1,000 IOPS; balanced for economy and performance.
- Provisioned IOPS SSD: used for critical Aarogyasri applications that require high performance, with more than 1,000 IOPS.
- Amazon EBS volumes in the Aarogyasri AWS Cloud platform are encrypted with AWS KMS. EBS snapshots taken from an encrypted volume inherit the volume's encryption.
- EBS optimization is done based on metrics from CloudWatch and ScienceLogic; after discussion with the customer's technical counterpart, the EBS resize is agreed and carried out.
- Trusted Advisor findings on EBS and S3 are also leveraged and acted upon regularly; underutilized EBS volumes are listed there and acted upon.
- ScienceLogic metrics are monitored to check utilization. Upon receiving an alert, the operations team adjusts the size of the EBS volume after approval from the customer.
- RDS runs in Multi-AZ mode to ensure high availability.
- RDS is encrypted at rest with AWS KMS for security.
- The Aurora database has a read replica provisioned to reduce read contention.
- RDS is in a private subnet group with the public endpoint disabled.
- Automated snapshots are enabled and retained for the specified duration. These are used to restore the database after a failure.
The preferred backup window and preferred maintenance window are defined and aligned.
Automated backups are enabled on the Oracle production RDS DB instances, which enables point-in-time recovery.
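As an added illustration (not part of the case study or Dataevolve's tooling), the Python below checks a bucket and an RDS instance against the S3 and RDS controls described above: versioning, SSE-KMS default encryption, lifecycle transitions to Intelligent-Tiering and Glacier with expiry, a bucket policy that denies access from outside the VPC endpoint, and a Multi-AZ, KMS-encrypted, non-public RDS instance with automated backups. It runs offline on constructed inputs shaped like the corresponding boto3 responses; the bucket name, key ARN and endpoint id are placeholders.

```python
import json

# Storage classes the lifecycle policy is expected to transition log data to.
REQUIRED_TRANSITIONS = {"INTELLIGENT_TIERING", "GLACIER"}

def check_s3_bucket(versioning, encryption, lifecycle, policy_json):
    """Return the list of control gaps for one bucket (empty means compliant). Arguments are shaped
    like boto3's get_bucket_versioning/get_bucket_encryption/get_bucket_lifecycle_configuration/get_bucket_policy."""
    gaps = []
    if versioning.get("Status") != "Enabled":
        gaps.append("versioning not enabled")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algorithms:
        gaps.append("default encryption is not SSE-KMS")
    enabled = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    classes = {t["StorageClass"] for r in enabled for t in r.get("Transitions", [])}
    for missing in sorted(REQUIRED_TRANSITIONS - classes):
        gaps.append(f"no enabled lifecycle transition to {missing}")
    if not any("Expiration" in r for r in enabled):
        gaps.append("no expiration rule")
    # The "no internet path" control: a Deny statement conditioned on the VPC endpoint id.
    statements = json.loads(policy_json).get("Statement", [])
    if not any(s.get("Effect") == "Deny" and "aws:SourceVpce" in json.dumps(s.get("Condition", {}))
               for s in statements):
        gaps.append("policy does not restrict access to the VPC endpoint")
    return gaps

def check_rds_instance(db):
    """db is shaped like one entry of describe_db_instances()['DBInstances']."""
    checks = [(not db.get("MultiAZ"), "not Multi-AZ"),
              (not db.get("StorageEncrypted"), "storage not encrypted with KMS"),
              (db.get("PubliclyAccessible"), "public endpoint enabled"),
              (db.get("BackupRetentionPeriod", 0) < 1, "automated backups disabled")]
    return [message for failed, message in checks if failed]

# Constructed sample inputs (not taken from the case study); names, ARN and endpoint id are placeholders.
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}}]}}
SAMPLE_LIFECYCLE = {"Rules": [{"ID": "logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
    "Transitions": [{"Days": 30, "StorageClass": "INTELLIGENT_TIERING"}, {"Days": 90, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": 365}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})
SAMPLE_RDS = {"MultiAZ": False, "StorageEncrypted": True, "PubliclyAccessible": True, "BackupRetentionPeriod": 0}
```

Feeding real `boto3` responses into the two functions turns them into a quick drift check for the posture the case study describes.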
- Commvault is used for data backup and recovery, retention policy and compliance in the Aarogyasri environment for volumes and EC2. Commvault is used in Cloud Exponence to back up data across customer applications and databases on public clouds. Master servers, media agents and Commvault proxies are provided in high-availability mode.
- Both filesystem backups and VM backups are created and stored in a centralized account.
- Backups are tagged appropriately by Commvault.
- The backup is integrated with the ITSM workflow. The Commvault Web Console and CommCell Console are used for reporting, which covers capacity, performance and backup failures. Commvault backup failure alerts are sent to ServiceNow and raised as incidents to the operations team.
- Integrating backup with ServiceNow provides a deeply integrated solution for backup failure notifications, giving consistent, repeatable processes for backing up data.
- Snap backups have been configured for the STAR staging and production accounts through a media agent hosted in the customer account, using an individual VSA proxy server in each account, which results in faster backup and restore jobs.
- The Aarogyasri backup retention policy is set to 30 days for production accounts and 15 days for staging accounts.
- Backups are maintained in the same region in a centralized bucket in the shared services account.
- Backups run every 24 hours.
- Amazon RDS runs in Multi-AZ, so failure of one AZ is tolerated. If both AZs fail, RDS is re-provisioned from the latest snapshot of the RDS instances.
- Amazon EC2 instances are spun up in the DR site from the latest AMI images or from the backup snapshots created by Commvault.
- Amazon EBS volumes can be restored from the volume backups created by Commvault.
- Glacier is used, via lifecycle policies, to archive the least frequently accessed files stored in S3, such as CloudTrail logs, because of its cost effectiveness. Data stored in Glacier is not immediately available; retrieval takes time, which is tolerable to the customer. AWS generates a separate unique encryption key for each Amazon Glacier archive and encrypts it using AES-256.
- A lifecycle policy is in place to change the object storage class to Intelligent-Tiering for data with unknown or changing access patterns. This data is not stored for a long time, and accessing it does not incur any delay.
- AWS DMS prerequisites and limitations.
- AWS Fargate limitations.
- Transit Gateway implementation to reduce network complexity.
- AWS EFS limitations (overcome using the Distributed Replicated Block Device (DRBD) technique).
- Always perform a POC before choosing a service or solution for implementation.
- Machine image creation helps build EC2 instances faster.