Case Study

Know how we are thinking and executing

TREEBO Infrastructure Architecting

ABOUT TREEBO

Founded in 2015, TREEBO Hotels is India's third largest hotel chain and operates in the budget segment of the hospitality industry, which is estimated to be around $20B in size. TREEBO operates on a franchise model and emphasizes tight quality control.

The Challenge

TREEBO was facing scale issues during the holidays & long weekends as during this period demand for budget hotels was always at peak.

Moreover production deployment was manual process which caused downtime whenever there was a new release to be pushed to production. And they were keen on having a full fledged automated process to run the whole cycle of integration, deployment, testing etc. Since every engineering team works on their own branch they faced challenge to setup up their own environment identical to production to run test cases.

They also wanted to secure the infrastructure and should be protected from DDos attack which took there website down in past.

Insight Action

TECHPARTNER team provided cloud consulting service and did full stack assessment of the existing application and the deployment strategy. Restructured the application to have stateless configuration. Configured the Autoscaling to scale Up and Down as per load with proper load balancing features.

Manual deployment was replaced by CICD tools in combination with AWS-CLI for making API calls to take care of systems in/out of ELB during deployment.

Used AWS Provided Multi-AZ RDS service for database to reduce the overhead of managing DB System.

We designed the custom deployment Jobs for TREEBO Developers by using cloudformation template which they can setup up their own working Environment in minutes which would hold the production masked data for testing.

Security Measured

To secure the infrastructured TECHPARTNER took 3 Layer security approach.

Network Security

  • VPC is reconfigured to have multiple subnet to support 3-Tier architecture of WEB, APP & DB.
  • External Load balancer are kept in WEB subnet which is public subnet and everything else including application and databases are put into APP and DB subnet respectively which is the private subnet.
  • All outgoing traffic from private subnet is via NAT Gateway (Internet access is provided only during patch management)
  • VPC Flow log were enabled.
  • Security group are configured in such a way that there is not direct access from WEB to DB.
  • Explicit application instances are whitelisted in DB Security group.
  • VPN tied up with LDAP is the only way to connect the AWS Infrastructure.
  • Only 443 port is open to the world (Traffic to port 80 is redirected to 443).
  • NACL are configured to connect Whitelisted IP’s/Ports only.
  • Different Subnet and environment for Dev, QA and UAT.

Application Security

  • Customise AMI created for Treebo by following CIS guidelines and same is used across all the instance.
  • Access to any instance in AWS is only Via OpenVPN which is verified against user certificate & user credentials. Validity for user certificate is 1 year & every user has to change the credentials every 6 month.
  • Inactive users for more than 30 days are automatically disabled in the LDAP.
  • LDAP Group is created as per different set of roles in the organisation.
    • Dev Group: Has access to all dev environment
    • QA Group: Has access to all QA environment
    • ITOps: Access to All environment for managing Infrastructure.
    • ITAudit: Read Only access to infra during Audit.
  • Production access is restricted and all deployments are done via Jenkins and Ansible.
  • ELK is configured to view all application logs centrally to avoid dev access access to production system during troubleshooting.
  • Application is tested for VAPT regularly with proper approval from AWS.

WAF

For all Internet facing traffic it is mandatory that it go from WAF which can be configured using standard Treebo cloud formation template. This template will have the following area of security covered and will automatically deploy respective component in the selected VPC.

  • SQL injection and cross-site scripting protection: The solution automatically configures two native AWS WAF rules that protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
  • IP lists: This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block (blacklist) or allow (whitelist).
  • HTTP flood protection: This component configures a rate-based rule that automatically blocks web requests from a client once they exceed a configurable threshold.

Other than this TECHPARTNER also implement the Role based access to instance wherever there is need to use of any AWS Services like S3, APIGateway, Lambda etc. Root account is secured and all other sub account are created with restricted access and of course with MFA enabled. AWS Keys are rotated every 6 month with automated ansible script run from the bastion host.

The Benifits
  • AutoScaling Architecture: With this architecture TREEBO was able to serve the clients with improved response time which in turned helped to acquire more business.
  • Performance: As the application are configured in Auto Scaling performance of the website improved with good Response time.
  • Automation: Automation reduced the manual deployment time and no more downtime on production due to this.
  • Innovation: Team was able to concentrate more on development than the infrastructure issues.
AWS STACK

For success of project TECHPARTNER used below AWS Services

  • Amazon EC2 was used for compute with combination of on Demand and Reserved instance. Instance were configured to spin up automatically during Load.
  • Amazon S3 was used to store mainly for the Images which need to be accessible across the instance.
  • AWS NAT Gateway Service was used to provide the Internet to systems in Private subnet during patch management.
  • AWS CloudWatch was used to monitor to the Instance performance.
  • AWS CloudTrail was used to keep track the activity across the AWS Environment.
  • RDS was used in Mulit-AZ for Database so that no more maintenance of DB needed.
  • Auto Scaling was used to handle the peaky traffic.
  • AWS CodeCommit was used to keep track the code repository.
  • AWS CodeDeploy was used with webhook constantly checking CodeCommit changes and automatically execute test cycle & deploy the successful build in Dev/Staging Environment.
  • AWS Cloudformation was used to templatise the infrastructure footprint.
  • AWS Inspector was used to check application and OS security and apply fixes as recommended and ensure consistency.
  • AWS Config was used to track changes for AWS resources and also to alert with resources that are not compliant as per defined rules
  • AWS Identity and Access Management (IAM) was used to provide aws resources access as per company’s policy. Also wherever possible IAM roles were used to provide access to aws resources as per IAM’s best practices