Telecom Company Maximizes Security With AWS Digital Transformation
This telecom provider wanted to seamlessly implement new services as part of its security product line but was challenged to manage traffic flow effectively and efficiently.
The company removed any direct connection to the web tier, replacing it with a transparent proxy that maintains authentication and authorization controls for maximum security.
Business Needs
This leading telecom company touts a corporate culture of continuous innovation, a value reflected in a division that develops security software solutions. It regularly introduces new features and services to its customers. The firm is transforming its leading applications—following Amazon Web Services (AWS) Well Architected Framework guidelines--to become cloud-native and improve its deployment architecture.
These new services are being implemented outside the firm’s legacy application server.
This presents a challenge when intercepting traffic between an end user’s browser or sensors and the application’s respective end points. In addition, the development team identified a few improvements they wanted to make including:
- Enhancing network routing for layer four and layer seven
- Avoiding cross availability zone (AZ) traffic
- Managing domain name systems (DNS) during patch management and product upgrades, and
- Reducing the attack surface while addressing customers who want to whitelist IPs for their sensors
The company also had several web servers directly connected to the internet to facilitate communication that it needed to more strongly protect.
Outcomes
- Achieves best practices with a reverse proxy/DMZ
- Grows security with a reduced direct attack surface
- Allows the team to focus on incident remediation
- Gains flexibility to add additional security functions in high-assurance environments
- Decouples UI assets to serve them from a CDN
Solution
Growing security with digital transformation
To address the organization’s evolving needs, the AWS experts at NTT DATA helped design a front-end proxy cluster to the customer’s application that intercepts all inbound traffic, intelligently re-routing it to the correct destination—whether it be a new service or within the legacy application. In the process, the firm’s existing web servers were removed from the network and the IP address pool stabilized.
Initially, the customer spoke to a control node on a web server to obtain information from the application. In re-architecting the communications flow, the teams decoupled the sensors from the control node, replacing them with communications to HAProxy. With the introduction of HAProxy as part of the decoupling solution, a user or sensor now requests information from the solution, and it is received by the HAProxy and routed to the appropriate backend—based on compute functions that keep track of the several backends in an Amazon DynamoDB table as a single source of truth.
In the process, a layer of control was added; the HAProxy now acts as a buffer between the web servers and direct access from the internet. This step greatly decreases the attack surface, growing system security.
Maximizing availability
For extreme uptime and reliability, the NTT DATA team kept the software developer’s solution region based. Using Terraform, the consulting team deployed 33 HAProxy clusters—an HAProxy cluster in each AWS AZ. This means that each proxy cluster only directs requests within its AZ. NTT DATA’s AWS consultants also used Amazon Route 53 failover with health checks for basic failover.
Steeped in DevOps best practices, this company treats its servers as replaceable components, frequently deploying new ones. The system then must update the communications process with a new IP address. To help facilitate this process, NTT DATA consultants use AWS Lambda to dynamically update the HAProxy configuration. The AWS Lambda function watches for Amazon Elastic Compute Cloud (Amazon EC2) state changes and then populates an Amazon DynamoDB table with the new data, becoming the master configuration file for all the HAProxy clusters.
The teams created a failsafe mechanism and a highly reliable system for the development team. If something were to fail, safety checks and routing flows are in place to ensure uptime for the sensor application and the end user’s sessions. In addition, the teams created a second AWS Lambda function that runs periodically to keep everything in order, operating primarily as a backup utility for changes that the main function might miss.
The team also created a transmission control protocol (TCP) load specific load-testing toolset as part of the pipeline. It serves to ensure that when the HAProxy is deployed in production, the organization can be sure the chosen instance will effectively handle the traffic.
Innovation is the lifeblood of this telecom provider and transforming digital platforms to continue to deliver cutting-edge solutions to its customers is an essential component. To do so, this telecom provider now has an agile and secure serverless solution that dynamically facilitates communication for customers and sensors to its legacy application and new cloud-native services alike.
About Telecom Company
Leading telecom provider achieves an agile and secure serverless solution that dynamically facilitates communication for customers to its legacy application and new cloud-native services.