Lifting and shifting workloads at scale to AWS

“Bukhatir’s environment was quite complex,” says Hamzeh Shaghlil, Technical Account Manager at Bespin Global MEA, “with a lot of legacy applications. If we have the time and budget, we usually identify the optimal migration strategy for each workload, which might entail rehosting, refactoring, revising, rebuilding, or retiring and replacing applications based on a structured approach. However, Bukhatir wanted us to migrate all of their applications to the cloud as quickly and seamlessly as possible, after which they would assess and optimize the environment.”

Choosing the Right Strategy
After evaluating Bukhatir’s environment using Bespin’s proven cloud readiness assessment, the team decided to leverage AWS’s lift and shift migration methodology, CloudEndure Migration (now called AWS Application Migration Service), due to the number and variety of applications.

Automatically converting any application running on a supported operating system, CloudEndure simplifies, expedites, and automates migrations from physical, virtual, and cloud-based infrastructure to AWS, enabling full functionality while eliminating compatibility issues. During the replication process, applications continue to run with minimal downtime and no performance impact while non-disruptive tests occur in the new environment. After a relatively short cutover window, migrated workloads can run natively on AWS.

Ensuring Connectivity
“While using CloudEndure to migrate workloads with sounds relatively simple and straightforward, it’s not,” says Shaghlil. “Bukhatir’s environment encompasses many branches spanning different locations and industries. Our challenge was to migrate all of the applications and ensure fast, stable connectivity between AWS and the branches.”

A further complication was that not all AWS regions support CloudEndure, so the Bespin team had to choose one that best covered the sphere of Bukhatir’s operations, especially considering that CloudEndure’s control plane is hosted in northern Virginia on the east coast of the USA. In the end, they migrated the environment to the Europe (Ireland) region which offered the best balance between availability and performance, with the option to replicate to other regions if required.

Facilitating secure connectivity via VPNs from remote branches and data centers, Bespin set up a shared services cloud incorporating multiple private and public subnets spanning availability zones for maximum availability and security. Simplifying access to Amazon EC2 instances and supporting many AWS services and third-party applications, AWS Active Directory (AD) was implemented to provide a cost-effective and highly-available primary directory in the AWS cloud for managing users, groups, and devices.

Maximizing Availability
One of the first things Bespin did was split Bukhatir’s infrastructure into two—production and user acceptance testing (UAT)—using Amazon Virtual Private Cloud (VPC) spanning multiple subnets separating Bukhatir’s private, internal applications and Microsoft SQL databases from publicly-accessible applications. VPC is an AWS service enabling users to define logically-isolated virtual networks for complete control over resource placement, connectivity, and security.

Once VPC was set up through the AWS service console, Bespin added Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (Amazon S3) resources, providing Bukhatir with a reliable platform matching the demands of the workload—including industry-leading data availability and performance. The Bespin team also implemented AWS Transit Gateway to connect VPCs, AWS accounts, and on-premises networks via a single, scalable central hub, simplifying the network and eliminating the need for complex peering relationships.

Enhancing Security
Ensuring data protection for Bukhatir’s business, customers, and employees, Bespin secured the environment with AWS Certificate Manager (ACM) and AWS Key Management Service (KMS). ACM eliminates the time-consuming and error-prone manual certificate acquisition process by simplifying the provisioning, deployment, and management of SSL/TLS certificates across applications and websites. KMS delivers a single control point for managing keys and defining consistent policies spanning integrated AWS services and in-house applications. In addition, KMS is integrated with AWS CloudTrail to provide an audit log of key usage.

With Bukhatir’s content delivery network (CDN) vulnerable to DDoS attacks, Bespin implemented AWS Web Application Firewall (WAF) to protect the environment, providing control over which traffic is allowed or blocked according to clearly-defined security rules. In addition, AWS WAF protects web applications and APIs against common web exploits and bots that may compromise security or consume excessive resources, impacting availability.

Bespin also implemented AWS Control Tower, Amazon GuardDuty, and AWS Security Hub for increased protection and visibility. Control Tower offers an easy way to set up and govern a secure, multi-account AWS environment using best practices. GuardDuty is a threat detection service continuously monitoring AWS accounts, workloads, and data stored in Amazon S3s for malicious activity and unauthorized behavior. At the same time, Security Hub is a powerful security tool for aggregating, organizing, and prioritizing security alerts across multiple AWS services.

Maximizing Observability
Aligned with the overall AWS strategy and offering simplified operational analysis and troubleshooting of both applications and infrastructure, Bespin replaced Bukhatir’s legacy monitoring tools with AWS CloudTrail, AWS CloudWatch, and Amazon Inspector. Monitoring and recording user activity and API usage, CloudTrail helps to meet compliance obligations and improve the organization’s security posture, while CloudWatch collects monitoring and operational data for on-premises environments and more than 70 AWS services.

The data and actionable insights collected allow Bukhatir’s IT team to monitor applications, detect anomalous behavior, respond to system-wide performance changes, and optimize resource utilization. In addition, an automated vulnerability management service, Amazon Inspector, continually scans Bukhatir’s AWS workloads for software vulnerabilities and unintended network exposure.

Optimizing Costs
“Bespin’s initial mandate was to ensure availability, connectivity, and reliability irrespective of cost,” explains Shaghlil. “Once that was accomplished, we looked for ways to optimize costs—especially for Amazon EC2—and reallocate the savings to other areas.”

Leveraging the powerful machine-learning insights of AWS Compute Optimizer, Bespin’s consultants identified optimal compute resources across Bukhatir’s EC2 instances, including those allocated to Amazon EC2 Auto Scaling groups. The team also disabled several unused services and optimized costs at the infrastructure level using AWS Saving Plans, a flexible pricing model offering savings of up to 72% on AWS compute in exchange for a specific usage commitment over either a one- or three-year term.