HDFC Life is one of the top insurers with a lot of sensitive customer information that must be kept secure at the highest level. To ensure that this sensitive data is protected at the highest level, Ajay and our team at OpsLyft decided to move forward with zero-trust architecture.
To make deployments a breeze and one less responsibility for developers, we moved forward with automation achieved through scalable CI/CD pipelines set up on Gitlab.
While scalability and maximum security were the major requirements of Ajay and his team at HDFC Life, we had to keep costs in check, too, because cloud infrastructure costs can shoot up exponentially. Constant infrastructure monitoring was set up using New Relic and OpsLyft’s cloud cost management tool to maintain cost efficiency.
While setting up the infrastructure, OpsLyft faced some fundamental challenges to ensure there was no scope for any security and efficiency lapse.
Ajay and his team wanted that according to CIS benchmarks, we should take an Amazon-managed base image and do manual hardening upon it. While configuring the same, our team realized that it was too complex, and a better approach would be to purchase hardened images from the Amazon marketplace.
Ajay wanted to use MongoDB, but to save costs, our team and Ajay’s team decided that we would be manually setting it up rather than using MongoDB Atlas. For the same, we set up MongoDB on the EC2 instance. The challenge with it was that the image of the EC2 instance was the hardened one that we purchased from the AWS marketplace and many permissions were restricted in it for security reasons. We manually allowed many policies in SELinux and rules in the IP table.
We had to set up MongoDB on a single EC2 instance for both the dev and staging environments. We resolved this by making SElinux and MongoDB compatible with each other. We made this possible by using an open-source project on GitHub and making custom changes.
We set up the CloudFlare tunnel on an EC2 instance and connected it to the CloudFlare zero-trust network.
We set up logging in the dev, staging and prod environment and the logs are being sent to CloudWatch. Additionally, logs are being exported to s3 as well for log retention for up to 1 year.
OpsLyft and HDFC Life decided on the following tech stack so that the infrastructure is cost-efficient and as well has zero-trust capabilities:
AWS was chosen as the trusted cloud provider because of the vast feature set and Terraform for Infrastructure as Code.
For security, CloudFlare was selected because of its zero-trust network and because as it has easy integration, provides WAF and CDN under a single control panel, has great performance and has many locations in India.
Backend microservices were deployed on AWS ECS Fargate. For Frontend applications, nextjs was used, which also runs on ECS. Static contents were stored in s3 buckets and cached by CDN, resulting in better performance overall.
MongoDB was selected as the database solution. To save cost on it, OpsLyft is self-managing MongoDB by setting up the MongoDB cluster on EC2 instances.
For version control, Gitlab Premium was used. CI/CD Pipelines were also written to deploy microservices to dev/staging and production environments.
New Relic has been integrated with AWS accounts for infrastructure monitoring and observability.
AWS Elasticache Redis cluster was used to manage user sessions.
AWS Control Tower was used to manage multiple AWS accounts and Organisational Units as it provides centralized visibility into all other AWS accounts.
Cypress was also integrated such that automated test cases ran every time a new temporary environment was spun up. Based on the results produced by Cypress, the CICD pipeline either failed or passed.
Ajay and his team got a production-ready cost-efficient zero-trust architecture in under 4 weeks.
Developers can just focus on developing applications without worrying about deployment.
Their infrastructure is running on CIS standard machines maximizing their security.
Integration of Cloudflare as a zero-trust network and its CDN has sped up the delivery time significantly.
Use of Cloudflare CDN has helped reduce data transfer costs.
With enhanced CI/CD pipelines developers can launch a new temporary environment to see their pull request changes live in action before merging, which increases developer speed a lot by removing the time developers have to wait in review before the changes can be merged and seen live.
Changes in GitLab CICD made possible a temporary environment that made feature testing really fast.