cloud migration

Arelion’s partial division from
Telia Company as the main aim to the cloud direction

Arelion faced the challenge of building quickly its own, independent IT infrastructure. Thanks to Amazon Web Services, Chaos Gears, and well-planned strategy the crucial applications were migrated according to the plan.

Client

time limited project

The Challenge

How did it start?

In January 2022, Telia Carrier unveiled its new brand Arelion. Despite the name change, the goal is the same - delivering the highest quality global connectivity services to the world's largest operators, content providers and enterprises. Arelion is the most connected network in the world, spanning Europe, North America and Asia, with over 70,000 km of fiber and 1,700 MPLS endpoints, connecting customers in 125 countries.

Due to the separation from Telia and the limited time allocated to building their own IT architecture, they decided to migrate the Arelion to the cloud. Amazon Web Services has become a natural partner in this migration.

First, migration crucial applications

Recognizing that it needed a more agile and scalable IT infrastructure, Arelion asked AWS Partner, Chaos Gears for support. Chaos Gears took care of all the migration processes. First, planning and migration of the first wave of apps. It has been identified as a critical part of the infrastructure that needs to be moved immediately which is devoted to services for internal users.

It was a complex process that required proper planning and continuous management. 

Due to the structural changes, the wave's first migration had to be done quickly. The applications from the first wave depend backward on the on-prem environment, which Chaos Gears had to take into account. These are all areas which had to be factored into the planning and overall migration process. 

The companies started negotiations in the summer of 2021, and the first wave implementation deadline was set at the end of January 2022. Implementation has already been completed.

No structured organization, no information security, no network

The task was not easy. The main challenge contained the following areas:

- No existing AWS Organization with a multi-account structure.

- No security layer, protecting neither the perimeter nor internal workloads.

- No networking layer established with the existing Data Center.

- No predefined and secured access to the AWS environment.

- No predefined and designed network layer for first containerized workloads.

new architecture's planning

The Solution

To create a security policy of access to the cloud

At first glance, the proposed infrastructure may seem complicated. Chaos Gears proposed it because of the possibility of separating individual resource workloads within the organization. This helps to create a clear and secure policy of access to the environment.

The solution we have created allows for the centralization of logging and environmental management, as well as its configuration in the future. This ensures inexpensive and uncomplicated development.

What was actually done? 

The customer was proposed to a Landing Zone concept, containing multiple, dedicated AWS accounts. The "core" and "non-core" sets of accounts have been designed, coded and implemented via Terraform.

The main goal was to centralize the networking and security features in the non-centralized-accounts structure. In order to achieve that, AWS Transit Gateway with centralized ingress/egress VPC has been implemented in the "Network Account". The former one is a routing layer, directing the traffic from/to the destined account. The latter one is a single entrance/exit to the AWS environment, allowing new future extensions with third-party security solutions.

To make secured AWS access possible, the AWS SSO has been integrated with the customer's AD solution, granting permissions to only defined user groups.

The first "wave" of the applications has been set up on the AWS EKS cluster (located in one of the member AWS accounts) and exposed to either internal or external entities via a combination of AWS Transit Getaway and AWS Load Balancers.

1st wave finished together

The Outcome

'You Build It, You Run It' concept works

The Company adopts a 'You Build It, You Run It' approach to app management. This often happens when migrating legacy applications from physical infrastructure to the cloud. The client wanted to become independent of the Cloud Center of Excellence team which in their opinion slows down the pace in the first stages of the migration.

The division was involved in determining responsibilities, assigning each team to a given area, and according to this principle, the environments were built.

What was achieved in a short time?  

Arelion got fully secured, centralized access to the AWS environment via SSO (Single Sign-On). It is where a company creates, or connects workforce identities in AWS once and manages access centrally across AWS organizations.

It was built, well-organized AWS multi-account structure with SCPs (Service Control Policies). Logging, networking and security layers were deployed in a centralized approach for more productive maintenance and control.

Now, it is securely exposed to the first wave of workloads (2 apps on EKS cluster) for either internal or external entities.  

Last but not least an important topic was security, and the integration of AWS WAF with AWS Shield and AWS CloudFront was recommended as the first layer of protection. Membership accounts have been equipped with additional WAF as a form of team independence, but with overall management provided by AWS Firewall Manager implemented in the Security Account, complementing individual resource workloads in the organization. This helps to create a clear and safe policy on access to the environment. It is thought that the effects will be felt by the company and its customers for many years to come.

In addition to this, high availability was implemented by setting up EKS (Elastic Kubernetes Service) cluster on multiple AZs (Availability Zones) and ALB (Application Load Balancer) as an ingress. AWS Firewall Manager was deliberately deployed in the Security account, allowing centralized policies control over groups of WAFs (Web Application Firewall).

Finally, AWS CloudTrail and AWS Config have been enabled for all accounts with a centralized approach.

Summary

Cloud computing is a complex process that requires proper planning and continuous, step-by-step management. The key steps to a successful migration are the first steps. It is important to take the planning phase seriously and try to anticipate how the architecture will be built in the future. The success of the next ones depends on that. In this case: design, communication between application components, security were especially important.

The first stage has been successfully completed. The next ones are being carefully planned and implemented.