Treebo infrastructure automation on AWS

ABOUT TREEBO
Founded in 2015, Treebo Hotels is India’s third-largest hotel chain and operates in the budget segment of the hospitality industry, which is estimated to be around $20 Bn. in size. Treebo operates on a franchise model and emphasizes tight quality control.


THE CHALLENGE
Treebo was facing scaling issues during holidays and long weekends, when demand for budget hotels is always at its peak.

Moreover, production deployment was a manual process, which caused downtime whenever a new release was pushed to production. They wanted a fully automated process to run the whole cycle of integration, deployment, testing, etc. Since every engineering team works on its own branch, they also faced the challenge of setting up their own environments, identical to production, to run their test cases.

They also wanted to secure the infrastructure and protect it from the kind of distributed denial-of-service (DDoS) attack that had taken their website down in the past.


INSIGHT ACTION
The Techpartner team provided cloud consulting services, did a full-stack assessment of the existing application and deployment strategy, and restructured the application to run with a stateless configuration. They also configured Auto Scaling to scale up and down with load, behind proper load balancing.

Manual deployment was replaced by CI/CD tools combined with the AWS CLI, which makes the API calls that take systems out of and back into the ELB during deployment. We use the AWS-provided Multi-AZ RDS service for the database to reduce the overhead of managing the DB system.

We designed custom deployment jobs for Treebo developers using a CloudFormation template from which they can set up their own working environment in minutes, populated with masked production data for testing.


SECURITY MEASURES

To secure the infrastructure, Techpartner took a three-layer security approach.


Network Security

○ The VPC was reconfigured with multiple subnets to support a 3-tier architecture of WEB, APP and DB

○ External load balancers are kept in the WEB subnet, which is public; everything else, including application servers and databases, is placed in the APP and DB subnets respectively, which are private

○ All outgoing traffic from the private subnets goes via a NAT gateway (Internet access is provided only during patch management)

○ VPC flow logs were enabled

○ Security groups are configured so that there is no direct access from WEB to DB

○ Only explicitly whitelisted application instances are allowed in the DB security group

○ A VPN tied to LDAP is the only way to connect to the AWS infrastructure

○ Only port 443 is open to the world (traffic to port 80 is redirected to 443)

○ NACLs are configured to allow only whitelisted IPs/ports

○ Separate subnets and environments for Dev, QA and UAT
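The tiering rules above can be checked mechanically. The following is an added example, not code from the Treebo project: it audits security-group data shaped like `aws ec2 describe-security-groups` output for the three rules stated here (DB ingress only from the APP group by group reference, never from WEB or a CIDR; only 443, plus 80 for the redirect, open to the world, and only on the WEB tier). The group ids and the sample rules are constructed.

```python
# Added example (not from the Treebo/Techpartner project): audit security-group
# rules against the tiering rules: DB trusts only the APP group (by group reference,
# not CIDR), WEB never reaches DB, and only WEB exposes 443/80 to the world.
import json

# Constructed sample shaped like `describe-security-groups`; group ids are made up and
# the second DB rule is a deliberate violation (CIDR plus the WEB group).
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-app", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
 {"GroupId": "sg-db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}
]}""")

TIERS = {"web": "sg-web", "app": "sg-app", "db": "sg-db"}  # assumed role -> group id
WORLD = {"0.0.0.0/0", "::/0"}
WORLD_OK_PORTS = {443, 80}  # 80 only so the load balancer can issue the redirect to 443

def audit(data, tiers):
    """Return a list of (group id, finding) tuples; an empty list means compliant."""
    findings = []
    for sg in data["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            ports = (perm.get("FromPort"), perm.get("ToPort"))  # (None, None) = all
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            if gid == tiers["db"]:
                extra = sources - {tiers["app"]}  # any group other than APP is a violation
                if cidrs:
                    findings.append((gid, f"DB ingress from CIDR {sorted(cidrs)} on {ports}"))
                if extra:
                    findings.append((gid, f"DB ingress from non-APP group {sorted(extra)} on {ports}"))
            if cidrs & WORLD and (gid != tiers["web"] or not set(ports) <= WORLD_OK_PORTS):
                findings.append((gid, f"world-reachable on {ports}; only WEB may expose 443/80"))
    return findings
```
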


Application Security

○ A customised AMI was created for Treebo following CIS guidelines, and the same image is used across all instances

○ Access to any instance in AWS is only via OpenVPN, which verifies the user certificate and the user's credentials. User certificates are valid for one year, and every user has to change their credentials every six months.

○ Users inactive for more than 30 days are automatically disabled in LDAP

○ LDAP groups are created for the different roles in the organisation:

i. Dev Group: Has access to all Dev environments

ii. QA Group: Has access to all QA environments

iii. IT Ops: Access to all environments for managing infrastructure

iv. IT Audit: Read-only access to infrastructure during audits.

○ Production access is restricted, and all deployments are done via Jenkins and Ansible.

○ ELK is configured so that all application logs can be viewed centrally, avoiding the need for Dev access to production systems during troubleshooting.

○ The application undergoes regular VAPT (vulnerability assessment and penetration testing), with proper approval from AWS.


WAF

All Internet-facing traffic must pass through the WAF, which can be configured using the standard Treebo CloudFormation template. This template covers the following areas of security and automatically deploys the respective components in the selected VPC.

○ SQL injection and cross-site scripting protection: The solution automatically configures two native AWS WAF rules that protect against common SQL injection and cross-site scripting (XSS) patterns in the URI, query string or body of a request

○ IP lists: This component creates two AWS WAF rules that let you manually insert IP addresses you want to block (blacklist) or allow (whitelist)

○ HTTP flood protection: This component configures a rate-based rule that automatically blocks web requests from a client once they exceed a configurable threshold.
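To illustrate what the rate-based rule counts, here is an added example (not the AWS WAF implementation and not part of the Treebo template): an offline model of the per-client-IP, sliding-window threshold, run over constructed access-log lines. AWS WAF evaluates the rule over a 5-minute window; the threshold in the sample is deliberately tiny so the constructed lines can trip it. Run against real logs, the same function shows which clients a candidate threshold would block before the rule's action is set to BLOCK.

```python
# Added example (not AWS WAF code): model of the HTTP-flood rate-based rule over
# constructed access-log lines. Requests are counted per client IP inside a sliding
# window (AWS WAF uses 5 minutes); an IP is "blocked" once it exceeds the limit.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample in the form "<ISO timestamp> <client ip> <method> <path>":
# one client bursts 15 requests in 30 s, one browses normally, the burster returns later.
SAMPLE_LOG = "\n".join(
    [f"2020-01-01T10:00:{s:02d}Z 203.0.113.9 GET /search?q=x" for s in range(0, 30, 2)]
    + [f"2020-01-01T10:00:{s:02d}Z 198.51.100.4 GET /hotels" for s in (1, 17, 33)]
    + ["2020-01-01T10:06:05Z 203.0.113.9 GET /hotels"]
)

LINE = re.compile(r"^(\S+) (\S+) (\S+ \S+)$")

def parse(log):
    """Yield (timestamp, client_ip, request) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m.group(2), m.group(3)

def rate_limit_offenders(log, limit, window_seconds=300):
    """Return {client_ip: timestamp of the first request that exceeded `limit`
    requests within any `window_seconds` sliding window}."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    blocked_at = {}
    for ts, ip, _ in sorted(parse(log)):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop hits older than the window
        if len(window) > limit and ip not in blocked_at:
            blocked_at[ip] = ts
    return blocked_at
```
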

Beyond this, Techpartner also implemented role-based access for instances wherever an AWS service such as S3, API Gateway or Lambda needs to be used. The root account is secured, and all other sub-accounts are created with restricted access and MFA enabled. AWS keys are rotated every six months by an automated Ansible script run from the bastion host.


THE BENEFITS

● Auto Scaling architecture: with this architecture, Treebo was able to serve clients with improved response times, which in turn helped acquire more business

● Performance: as the application runs under Auto Scaling, website performance improved with good response times

● Automation: automation reduced manual deployment time and, as a result, there was no more downtime on production

● Innovation: the team was able to concentrate more on development than on infrastructure issues.


AWS STACK

For the success of the project, Techpartner used the AWS services below:

● Amazon EC2 was used for compute, with a combination of on-demand and reserved instances configured to spin up automatically under load

● Amazon S3 was used mainly to store the images that need to be accessible across instances

● The AWS NAT Gateway service was used to provide Internet access to systems in private subnets during patch management

● AWS CloudWatch was used to monitor instance performance

● AWS CloudTrail was used to keep track of activity across the AWS environment

● RDS was used in Multi-AZ for the database so that no DB maintenance was needed any more

● Auto Scaling was used to handle the peaky traffic

● AWS CodeCommit was used to host the code repository

● AWS CodeDeploy was used with a webhook that constantly checks CodeCommit for changes, automatically runs the test cycle and deploys successful builds to the Dev/staging environment

● AWS CloudFormation was used to templatize the infrastructure footprint

● AWS Inspector was used to check application and OS security, apply fixes as recommended and ensure consistency

● AWS Config was used to track changes to AWS resources and to alert on resources that are not compliant with the defined rules

● AWS Identity and Access Management (IAM) was used to grant access to AWS resources according to company policy. Also, wherever possible, IAM roles were used to grant access to AWS resources, following IAM best practices


For more, visit www.techpartner.in or contact us at info@techpartner.in.