Building a cost-efficient and zero-trust cloud infrastructure for HDFC Life’s Retirement Fund

HDFC Life is one of the leading insurance providers in India, with more than 9,00,000 customers. They have a suite of 50-plus products and are adding more at a rapid pace. HDFC Life has been at the forefront of technology advancements with a fully digitized platform that enables customers to get an insurance policy online within hours.

Industry: Insurance

Type: For Profit

Location: India

Challenge
HDFC Life is launching a new retirement pension fund named Retire100. Unlike their previous products, they wanted to move away from on-prem systems and build it on cloud infrastructure from scratch, for cost-efficiency and easy scalability while ensuring maximum security. Ajay Poddar, CTO of Retire100, is an industry veteran with over 20 years of experience; he built the tech of shaadi.com from scratch and scaled it up to the enormous success that it is now. Ajay was looking for a reliable and experienced DevOps partner that could get their infrastructure up and running in a couple of weeks while ensuring that it met maximum security standards and was cost-efficient, with the ability to scale quickly. He partnered with OpsLyft because he believed in our abilities.

It's fantastic to work with team OpsLyft on building a cost-efficient & secure infrastructure—a stellar product and excellent customer support. The keenness towards understanding the business use cases of our vision and the commitment to deliver things rapidly is delightful to watch.
Ajay Poddar
CTO for Retirement Tech

Deciding on the building blocks

HDFC Life is one of the top insurers and holds a lot of sensitive customer information. To ensure that this data is protected at the highest level, Ajay and our team at OpsLyft decided to move forward with a zero-trust architecture.

To make deployments a breeze and one less responsibility for developers, we automated them through scalable CI/CD pipelines set up on GitLab.

While scalability and maximum security were the major requirements of Ajay and his team at HDFC Life, we had to keep costs in check, too, because cloud infrastructure costs can shoot up exponentially. Constant infrastructure monitoring was set up using New Relic and OpsLyft’s cloud cost management tool to maintain cost efficiency.

Navigating through the challenges

While setting up the infrastructure, OpsLyft had to work through some fundamental challenges to ensure there was no scope for any lapse in security or efficiency.

  • Ajay and his team wanted us to take an Amazon-managed base image and harden it manually according to CIS benchmarks. While configuring this, our team realized that it was too complex, and that a better approach would be to purchase hardened images from the AWS Marketplace.

  • Ajay wanted to use MongoDB, but to save costs, our team and Ajay’s team decided to set it up manually rather than use MongoDB Atlas, so we set up MongoDB on an EC2 instance. The challenge was that the EC2 instance ran the hardened image we had purchased from the AWS Marketplace, in which many permissions are restricted for security reasons. We manually allowed many policies in SELinux and rules in iptables.

  • We had to set up MongoDB on a single EC2 instance for both the dev and staging environments. We resolved this by making SELinux and MongoDB compatible with each other, using an open-source project on GitHub and making custom changes to it.

  • We set up the Cloudflare tunnel on an EC2 instance and connected it to the Cloudflare zero-trust network.

  • We set up logging in the dev, staging and prod environments, and the logs are sent to CloudWatch. Additionally, logs are exported to S3 for log retention of up to 1 year.
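
As an added illustration of the retention setup in the last item (not OpsLyft's or HDFC Life's actual configuration), the following Terraform keeps a CloudWatch log group short-lived and expires archived log objects in S3 after one year. The resource names, the bucket name and the 30-day CloudWatch window are assumptions; the page does not say how logs are exported from CloudWatch to S3, so that step is not shown.

```hcl
# Added example: every name and the 30-day window below are assumptions.

resource "aws_cloudwatch_log_group" "app" {
  name              = "/example/prod/app" # hypothetical log group name
  retention_in_days = 30                  # assumed search window in CloudWatch
}

resource "aws_s3_bucket" "log_archive" {
  bucket = "example-log-archive-placeholder" # placeholder bucket name
}

# Archived logs often contain sensitive data: block every form of public access.
resource "aws_s3_bucket_public_access_block" "log_archive" {
  bucket                  = aws_s3_bucket.log_archive.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt archived log objects at rest with S3-managed keys.
resource "aws_s3_bucket_server_side_encryption_configuration" "log_archive" {
  bucket = aws_s3_bucket.log_archive.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Enforce the 1-year retention: objects are deleted 365 days after creation.
resource "aws_s3_bucket_lifecycle_configuration" "log_archive" {
  bucket = aws_s3_bucket.log_archive.id

  rule {
    id     = "expire-after-one-year"
    status = "Enabled"

    filter {} # applies to every object in the bucket

    expiration {
      days = 365
    }
  }
}
```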

Tech Stack for Maximum Cost Efficiency and Security:

OpsLyft and HDFC Life decided on the following tech stack so that the infrastructure is cost-efficient and has zero-trust capabilities:

  • AWS was chosen as the trusted cloud provider because of its vast feature set, with Terraform for Infrastructure as Code.

  • For security, Cloudflare was selected because of its zero-trust network and because it integrates easily, provides WAF and CDN under a single control panel, has great performance and has many locations in India.

  • Backend microservices were deployed on AWS ECS Fargate. For frontend applications, Next.js was used, which also runs on ECS. Static content was stored in S3 buckets and cached by the CDN, resulting in better performance overall.

  • MongoDB was selected as the database solution. To save cost on it, OpsLyft is self-managing MongoDB by setting up the MongoDB cluster on EC2 instances.

  • For version control, GitLab Premium was used. CI/CD pipelines were also written to deploy microservices to the dev, staging and production environments.

  • New Relic has been integrated with AWS accounts for infrastructure monitoring and observability.

  • An AWS ElastiCache Redis cluster was used to manage user sessions.

  • AWS Control Tower was used to manage multiple AWS accounts and Organisational Units as it provides centralized visibility into all other AWS accounts.

  • Cypress was also integrated so that automated test cases ran every time a new temporary environment was spun up. Based on the results produced by Cypress, the CI/CD pipeline either failed or passed.

Business Goals Achieved:

  • Ajay and his team got a production-ready cost-efficient zero-trust architecture in under 4 weeks.

  • Developers can just focus on developing applications without worrying about deployment.

  • Their infrastructure is running on CIS-standard machines, maximizing their security.

  • Integration of Cloudflare as a zero-trust network and its CDN has sped up the delivery time significantly.

  • Use of Cloudflare CDN has helped reduce data transfer costs.

  • With enhanced CI/CD pipelines, developers can launch a new temporary environment to see their pull request changes live in action before merging. This increases developer speed a lot by removing the time developers have to wait in review before the changes can be merged and seen live.

  • Changes in GitLab CI/CD made temporary environments possible, which made feature testing really fast.
