For my CSUCI IT Bachelor's capstone I created the foundational technology layer for a small to medium modern business in Amazon Web Services. The project includes authentication, storage, compute, backups, and security, as well as high availability, ease of connectivity, and a modern website. In addition, the configuration for these services is implemented using CloudFormation for ease of repeatability and growth. This project is running live in AWS, and should be able to support a small business today with minimal additional configuration.
Video – Elevator Pitch
Infrastructure Hosted in AWS:
CloudFormation – Remote Desktop Gateway and Terminal Server:
Philosophy and Goals
The erosion of on-premise server infrastructure is happening. For the majority of new companies, or for companies approaching a hardware refresh cycle, the idea of the cloud is enticing – if a bit of a buzzword. My capstone's goal was to demystify what it would take to re-create a traditional small to medium business' infrastructure and run it in the AWS cloud.
The move to a cloud-first environment comes with a handful of benefits, as well as challenges, with the most common considerations being:
- Technology Suites
My capstone attempts to tackle the sections above in a reliable, repeatable, secure, cost-effective, and accessible way for small to medium businesses. In addition, it is designed so that if the company wished to grow its technological footprint, the path would be simple for both employee count and region expansion.
Included in the project is a demo company website, showing off the highly available feature set of CloudFront, as well as providing a domain name for resolution to the Microsoft Remote Desktop Services running in AWS's Virtual Private Cloud. This project should realistically be able to support a small business today with minimal additional setup.
- CloudFormation – Infrastructure as Code
- VPC – Virtual Private Cloud
- CloudFront – Content Delivery Network
- EC2 – Elastic Compute Cloud
- S3 – Simple Storage Service
- Route53 – DNS + Registrar
- Directory Services – AWS Managed Microsoft Active Directory
- AWS Linux – Custom Linux OS for EC2
- Microsoft Windows Server 2019
- Microsoft Remote Desktop Gateway (RDG)
- Microsoft Remote Desktop Service (RDS)
- Let’s Encrypt + Certify The Web
Availability is achieved natively through the various tools included in AWS. In the same way that an on-premise environment would require a second warm or hot server room, AWS allows a technology consultant such as myself to create two identical Virtual Private Clouds in two different Availability Zones in the same region. Alternatively, multiple regions and availability zones could be used to further improve geographic redundancy if a major outage were to occur.
AWS' own “Well-Architected Framework” (a best-practice guideline) describes what they call the “Reliability Pillar”; below is a quote from their resources:
The reliability pillar focuses on ensuring a workload performs its intended function correctly and consistently when it's expected to. A resilient workload quickly recovers from failures to meet business and customer demand. Key topics include distributed system design, recovery planning, and how to handle change.
Source: Amazon Web Services – Well-Architected
It is clear from the quote above that AWS was built from the ground up to support high availability. In my capstone, the clearest example of this is CloudFront. CloudFront is a Content Delivery Network that provides reliability, accessibility, and security to web servers and other services. In the case of my capstone, the website Joseph-Cherry.com (taken offline) is hosted with an S3 back-end and distributed with CloudFront. With this combination of highly available services I am able to quickly deploy my website around the world in a redundant and accessible way.
For the technologies that don't natively support high availability, AWS' VPC platform allows for load balancing between “traditional” on-premise tools. Take for example the Windows Server 2019 servers with Remote Desktop Services installed that are currently running for my capstone. Windows can natively create a “Terminal Server Farm”; however, its high availability is traditionally limited when it comes to multi-location rollouts. With AWS I created two distinct farms and utilize a Network Load Balancer to route users to the available server farm. This ensures uptime even if something catastrophic were to happen to one of the Availability Zones.
Availability is a foundation for any technology infrastructure, and AWS boasts five nines of uptime (only 5.256 minutes down per year), making it one of the best performers on the internet today. And if there is a problem on AWS' side, they offer a competitive Service Level Agreement.
Unlike traditional on-premise solutions that require the purchase, maintenance, and installation of servers and advanced networking equipment, AWS does not “tie up” funds in hardware. Rather, AWS provides its users with the flexibility to purchase as many or as few services as they require, with no minimum payment or contracts. AWS instead requires an active credit card, and for the purchaser to understand that services rendered are billed by the hour. This provides companies with an extremely low barrier to entry when it comes to running the software they require for their business.
The design created in my capstone not only allows for high availability, but is intended to grow dynamically with increased complexity, user count, and/or geographic expansion. The design was intended to support (out of the box) a small to medium business with average or below-average technology standards (think companies without dedicated developers, IT, DevOps, or machine learning tools). With that said, the foundation of the capstone was designed in such a way that a company could easily bring those more sophisticated and modern avenues into the AWS tenant without any problems.
In addition to the design considerations made for easy growth, I have created CloudFormation documents that can quickly and perfectly replicate the systems in place at this time in other Availability Zones or Regions, removing the need for extensive recreation.
Having a company's resources in the cloud may seem like a strange idea for a more traditional (read: old-school) company; however, today's modern businesses could not function without the cloud in one form or another. Take Microsoft Office 365 or Google's G Suite: they are the standard cloud-based business productivity applications and the most prevalent email hosts on the market today. The reality is that hosting the closest on-premise equivalent of Office 365 – Microsoft Exchange – is a recipe for disaster, with CVE-2021-26857 afflicting nearly all MS Exchange servers in the world today. While Amazon has its own tool for productivity, “WorkDocs”, the point remains that the cloud is designed with security first, and it would take extensive configuration changes to “open up” a VPC like a poorly secured on-premise setup.
Amazon takes security very seriously, dedicating one of the five pillars of their “Well-Architected Framework” to it.
The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, identifying and managing who can do what with privilege management, protecting systems, and establishing controls to detect security events.
Source: Amazon Web Services – Well-Architected
AWS' security is built around the core principles of the Zero Trust security model. These core elements are identity management, multi-factor authentication, network micro-segmentation, least-privilege access, asset/intrusion monitoring and management, log capture/analysis, and robust disaster recovery.
AWS' dedication to Zero Trust (least privilege and micro-segmentation) often makes configuration more difficult; however, the added configuration challenge comes with the benefit of strict ingress and egress rules. I have not personally run into a small to medium business with the level of security that AWS offers out of the box, even those who are required to conform to fairly strict compliance standards.
My project continues the Zero Trust model, mimicking AWS' strong posture, while keeping the infrastructure usable and accessible to those authorized to access it. Security groups, Access Control Lists, and Active Directory users, groups, and computers together define the Zero Trust model used throughout my capstone.
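As an added illustration (not the capstone's own template), the following CloudFormation fragment expresses the micro-segmentation described above for the Remote Desktop tier: the gateway accepts only HTTPS from the internet, and the session hosts accept RDP only from the gateway's security group. The VpcId parameter and the resource names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege security groups for an RD Gateway in front of RDS session hosts (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # the VPC created by the VPC stack (assumed parameter)
Resources:
  # Tier 1: the RD Gateway is the only internet-facing Windows host, and RDP-over-HTTPS
  # (TCP 443) is the only port it exposes. Nothing in this template opens TCP 3389 to
  # the internet; the weak setting to avoid would be CidrIp: 0.0.0.0/0 on port 3389.
  RdGatewaySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RD Gateway - HTTPS from the internet only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: RDP over HTTPS from remote users (client IP preserved by the NLB)
  # Tier 2: session hosts accept RDP only from members of the gateway's security group.
  # Referencing a group instead of a CIDR means the rule follows gateway instances as
  # they are replaced or scaled, and no private address range has to be hard-coded.
  SessionHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS session hosts - RDP from the RD Gateway only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          SourceSecurityGroupId: !Ref RdGatewaySecurityGroup
          Description: RDP from the RD Gateway
Outputs:
  SessionHostSecurityGroupId:
    Description: Attach to every session host launched from the Gold Image AMI
    Value: !Ref SessionHostSecurityGroup
```

The same pattern extends to the bastion and directory tiers: each hop gets a group whose ingress names the previous hop's group rather than a CIDR.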
The infrastructure currently running in AWS costs approximately $345 per month. That number will fluctuate with the amount of data transfer done, however, the base commitment consists of the resources listed above. The three most expensive services are Directory Service, VPC, and EC2 at roughly $90 per month each.
When you compare the price of AWS to a standard small business server room, it works out to be more expensive in the long run. For example, if your on-premise server room had $12,000 worth of servers and networking hardware, it could be amortized over 5 years to $200 per month. We can ignore the cost of maintenance, setup, and internet connection(s) as they would be required for both configurations. However, if we consider that the building itself needs to accommodate the server room, and that there is likely no high availability outside of that single location, the no-down-payment cost of AWS doesn't seem so steep. Adding to this calculation, we can also include the cost of compliance, as well as accessibility. AWS meets all standard regulatory body requirements such as PCI and HIPAA. Additionally, as AWS is cloud-first, it can be easily accessed from anywhere with internet. In stark contrast, the on-site location would need to go through certification processes for compliance, and often can't be as easily accessed.
In all, AWS can be expensive; however, it provides a secure, flexible, reliable, and accessible environment that can grow easily with your company. I wouldn't recommend removing your server room if it has good hardware in it, however, it might just be your next upgrade direction.
Infrastructure as Code with CloudFormation
Create a Virtual Private Cloud with:
- Multi Availability Zones
- Public and Private subnets
- Custom route tables
- Secure ingress security groups
- Internet gateways
- NAT gateways
Create an AWS Managed Microsoft Active Directory within the private subnets of the VPC above
- Utilize the custom domain name for your directory
- Set an “Admin” password
- Save it automatically to Secrets Manager
- Set DHCP rules within the VPC
- Create both an IAM Role and a SSM document for domain joining EC2 instances
Create 4 EC2 instances within the VPC that will connect to the AWS MS AD
- Utilize both the Public and Private Subnets
- Create a load balancer
- Custom ingress rules mapping from Route53’s custom domain name
- Create security groups for ingress
- Launch from Windows Server 2019 “Gold Image” AMIs with pre-installed “roles and features”
Create 2 Auto Scaling Groups for AWS Linux bastion hosts in the public subnet of the VPC to allow for future growth
Import or purchase custom domain (Joseph-Cherry.com)
- Setup Route53 DNS
Create a demo website Joseph-Cherry.com (taken offline)
- Upload code to S3
- Utilize CloudFront to act as a CDN with SSL to host the website around the world
Create “Gold Image” AMIs
- Include special roles and features from Windows for RDS
- Configure Let’s Encrypt + CertifyTheWeb for SSL to Remote Desktop Services
Launch the RDS CloudFormation stack
- Configure Windows instances to join domain
- Apply CALs (Client Access Licenses)
- Test that all roles and features work as intended
- Publish RDS to the internet
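The directory, secret and domain-join steps above, as an added example that is not the capstone's own template: the Admin password is generated inside Secrets Manager and reached only through a dynamic reference, and the SSM document hands instances the directory details without ever carrying that password. The parameter names and the corp.example.com placeholder domain are assumptions; running the document against an instance is a separate SSM step.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Managed Microsoft AD with a generated Admin secret and a domain-join document (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # two private subnets in different AZs (assumed)
  DirectoryName:
    Type: String
    Default: corp.example.com          # placeholder, not the capstone's domain
Resources:
  # The Admin password is generated by Secrets Manager, so it never sits in the template,
  # in version control, or in a stack parameter that DescribeStacks would echo back.
  AdAdminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/ad-admin"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "Admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  ManagedAd:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      Name: !Ref DirectoryName
      Edition: Standard
      # Dynamic reference: CloudFormation resolves the secret value at deploy time
      Password: !Sub "{{resolve:secretsmanager:${AdAdminSecret}:SecretString:password}}"
      VpcSettings:
        VpcId: !Ref VpcId
        SubnetIds: !Ref PrivateSubnetIds
  # Domain-join document: instances receive the directory id and its DNS IPs, never the
  # Admin password; the instance role needs SSM access plus permission to join the directory.
  DomainJoinDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: "1.2"
        description: Join an EC2 instance to the managed directory
        runtimeConfig:
          aws:domainJoin:
            properties:
              directoryId: !Ref ManagedAd
              directoryName: !Ref DirectoryName
              dnsIpAddresses: !GetAtt ManagedAd.DnsIpAddresses
```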
Video – Behind The Scenes
Covid-19 has been, and currently is, a challenge for the world. I consider myself fortunate that no loss of life was experienced during this time period. The transition from on-campus to remote schooling for CSUCI has been a blessing during a period of difficulty for many. I have found that being able to dynamically switch between work, school, and life without the requirement to drive anywhere really opened up my time. Subsequently, it allowed me to take on a larger workload, accelerating my school timeline.
My capstone is in direct response to the hardships that many of our clients went through during the rapid deployment of their remote workforce. It is not uncommon for small to medium businesses to lag behind in technological advances, and movement to the cloud is a common hurdle that many are faced with. As a Technology Consultant, it is my job to guide clients to the correct technology fit, while keeping in mind the aspects of their businesses.
My solution focuses on rapid growth, high availability, and security. In the future, if a sudden shift is required to take the workplace mobile, there will be no additional setup required to continue day-to-day operations from any location.
Lessons Learned from Implementation
- Projects – especially documentation – can take a lot of time when you're both learning and implementing
- Test your deliverables using standard (manual) processes before attempting to automate with CloudFormation or similar
- Have a clearly defined set of goals, but do not be afraid to deviate from the expected path if the outcome is the same
- Understand that the cloud is paid for by the hour, and do not over-provision your resources, which only adds monetary expense
Using a LAMP server to host a dynamic website would not benefit the project.
CloudFront + S3 host the static website without the compute overhead, lowering cost and raising availability.
AWS offers a built-in backup solution for EC2 instances called AWS Backup.
Creating a custom backup solution that utilizes S3 would be unwise when the provided system works perfectly and can handle image-level backups.
By utilizing a load balancer we can forgo the additional SQL server.
This saves time, money, and computational overhead.
Let's Encrypt + CertifyTheWeb automate the acquisition of certificates chained to a trusted root.
This removes the need to purchase an expensive certificate for hundreds of dollars for a single year.
AWS Managed Microsoft AD is cleaner and more accessible.
AWS Directory Connect integrates with on-premise AD; however, authentication to Azure AD requires a second cloud-hosted (in Azure) domain controller, defeating the purpose of organic cloud-to-cloud identity management. Hybrid sync would be the next step for growth.
Custom AMIs provide “Gold Images” that can be easily replicated with special software.
Automating deployment of RDG and Terminal Servers is doable through CloudFormation and large amounts of PowerShell; however, it does not solve the problem of using custom programs (like CertifyTheWeb). Additionally, it is currently not possible to auto-join a directory on a Windows machine through CloudFormation.
CloudFormation EC2 Auto Scaling Groups do not have the same parameters as “Instances”.
Thus they require additional scripting for on-the-fly re-provisioning. Additionally, Windows machines do not lend themselves fully to the capabilities of the technology.
Connect to the Project
Demo Company Website: joseph-cherry.com (taken offline)
More Capstone Information: joseph-cherry.com/capstone (taken offline)
View the Source Code: Bitbucket
- Provides access to:
  - CloudFormation YAML documents
  - AWS Hosted Website's Source Code
Download the Connection Documents: CSUCI Google Drive (project offline)
- Use your CSUCI email address
- Provides access to:
  - AWS Console (ReadOnly)
  - Remote Desktop Hosted in AWS (Domain User)