About Client
AWS Environment Setup
Tonkin + Taylor is New Zealand’s leading environment and engineering consultancy with offices located globally. They shape interfaces between people and the environment which includes earth, water and air. They have won awards like Beaton Client Choice Award for Best Provider to Government and Community-2022 and IPWEA Award for Excellence in Water Projects for the Papakura Water Treatment Plan-2021.
- https://www.tonkintaylor.co.nz/
- Location: New Zealand
Project Background
Tonkin + Taylor were embarking on the journey for launching a full suite of digital products and chose AWS as their cloud environment. They wanted to create new applications and migrate to cloud services to improve scalability, availability, latency, and cost efficiency. They also aimed to accelerate digital transformation and build SaaS-based offerings. To achieve this, an AWS Environment Setup was required following best practices and compliance standards to serve as a foundation for future applications.
Scope & Requirement
In the first phase of the AWS Environment Setup, implementation was discussed as follows:
- Setting up AWS environment for multi-account, multi-environment setup.
- Ensuring all AWS accounts follow consistent policies and comply with legal and regulatory requirements.
- Setting up connectivity between AWS accounts and on-premise networks.
- Setting up AWS Security Hub to provide a comprehensive security view.
- On-premise to cloud migration to modernize infrastructure, reduce costs, improve scalability, enhance performance, and ensure business continuity through a secure and reliable cloud platform.
Implementation
Technology and Architecture
Read more on the key components which defined the Architecture for AWS Environment Setup for Tonkin + Taylor
Technology/ Services used
- We used AWS services and helped them to setup below
- Cloud: AWS
- Organization setup: Control Tower
- AWS SSO for authentication using existing AzureAD credentials
- Policies setup: Created AWS service control policies
- Templates created for using common AWS services
Security & Compliance
- Tagging Policies
- AWS config for compliance checks
- NIST compliance
- Guardrails
- Security Hub
Network Architecture
- Site to Site VPN Architecture using Transit Gateway
- Distributed AWS Network Firewall
- Monitoring with CloudWatch and VPC flow logs
Backup and Recovery
Cloud systems and components used followed AWS’s well-Architected framework and the resources were all Multi-zone availability with uptime of 99.99% or more.
Cost Optimization
Alerts and notifications are configured in the AWS cost
Code Management, Deployment
Cloudformation scripts for creating stacksets and scripts for generating AWS services was handed over to the client
Challenges of AWS Environment Setup
- It was a bit of a challenge to ensure the new environment meets all of the compliance criteria and still remain cost effective.
- As per best practices we need to have a set of Unique machines and each may need to have its own VPC but that may incur a cost to the client. So we discussed and agreed for a specific 75% to be achieved which would be deemed as acceptable.
- We have some non compliance being generated by standard AWS services
- We got feedback from AWS support stating that Control Tower managed artifacts may appear non-compliant in conformance packs, but these are expected and should not be modified or deleted. These are treated as exceptions.
Support
- 1 month extended support
- A template for CloudFormation stack to create more AWS resources using the available stacks
- Screen sharing sessions with demo of how the services and new workloads can be deployed
- Offer support during the initial transition phase post-migration
- Provide ongoing technical support, monitoring, and optimization services
Next Phase
We are now looking at the next phase of the project which involves:
- Launching new digital products with the help of AWS environments which have been set up
- Any ad-hoc change requests for managing the cloud environment
