Delivering a Multi-Tenant Platform to Host the Next Generation of Applications in the Cloud
A department within the UK Central Government currently has critical systems running from physical data centres. The department has previously stated a desire to retire these particular data centres due to multiple at-risk services on legacy tin.
The department this project was delivered for hosts in the region of 80+ services, used by 140,000+ users across the UK, all of which are considered of national importance. Other national systems are hosted by third parties under contracts the department regards as costly and of poor value.
Version 1 worked with the department to deliver a multi-tenant IaaS and PaaS platform to host the next generation of applications in the cloud and facilitate migration from legacy hosting environments.
Building the Platform
Establishing a Framework
Version 1 worked closely with the department to establish a framework for how a multi-tenant platform could operate in the cloud while meeting the needs of the user community and carrying a security ‘golden thread’ through the whole of the solution. The customer’s challenge was to deliver the platform, support the process of gaining authority to go live, and onboard the first wave of application services to the platform.
As an AWS Premier Consulting Partner, Version 1 adapted the reference Landing Zone architecture from AWS into a full multi-tenant platform. This solution provided the ability to enforce strong governance over platform and tenant accounts while providing high levels of autonomy to foster innovation.
The landing zone is built on a multi-account structure that follows AWS best practice. Separate accounts segment parts of the platform, provide distinct development and production environments, and maintain isolation boundaries between the platform and application teams. This creates a clear, representative route to live for the platform while a security control plane keeps people and technology separated from each other and keeps people away from data. Using Control Tower and its Guardrails, we turned the security controls mandated by the customer into code and built compliance in at a foundational level, so the platform is secure by default. This removed the need for an onerous governance regime and in turn freed up more time for innovation and service delivery.
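Control Tower implements its preventive guardrails as Service Control Policies (SCPs) attached to organisational units, which is what “turning security controls into code” looks like in practice. The policy below is an added example, not the platform’s own policy: it denies any principal in a tenant account from tampering with the audit trail (CloudTrail and AWS Config) and blocks activity outside an approved set of regions. The exempted role name `PlatformSecurityAdmin`, the two `eu-west` regions, and the list of global services excluded from the region restriction are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/PlatformSecurityAdmin"
        }
      }
    },
    {
      "Sid": "RestrictToApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "route53:*",
        "cloudfront:*",
        "budgets:*",
        "access-analyzer:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-2", "eu-west-1"]
        }
      }
    }
  ]
}
```

Because an SCP is evaluated before any IAM permission in the member account, even an account administrator cannot switch logging off or create resources in an unapproved region; only the named platform role, which lives outside the tenant accounts, retains that capability. Keeping the policy in version control alongside the Terraform that attaches it gives the compliance evidence the page describes without a manual review step.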
The platform supports a variety of tenant IaaS and PaaS workloads, including EC2 (using CIS-hardened Golden Images), container workloads running on EKS, and serverless workloads running on Lambda, as well as AWS PaaS services such as AWS RDS and Aurora, AWS WAF, and AWS MSK.
Utilising AWS Technologies
Version 1 deployed Splunk as a SIEM tool onto the platform, giving the customer insights into the environment that were not previously possible. The deployment was highly automated and designed so that separation of duties was always maintained.
We made extensive use of AWS CloudWatch for operational monitoring and alerting. It is used by the department’s first-line support team and by the platform and tenant teams as their principal monitoring tool. Monitoring is added automatically to services when they are deployed, as part of the platform’s automation tooling. On top of this platform, Version 1 developed a shared services zone providing a common set of cloud-native development tools for consumption by both the platform and application teams.
The shared tooling zone provided a suite of tools and services for tenants and the platform, including:
Infrastructure as Code
The platform is fully composed using Infrastructure as Code, with extensive use of Terraform, Ansible, and Python. The platform had to employ novel techniques to meet strict security requirements while still adopting modern methods of provisioning infrastructure and services. Deployments were highly automated through the build, test (including automated security tests), and deployment process for all platform changes. This supported the change and security controls required by the platform’s highly regulated environment.
Version 1 delivered the project in three phases:
- The Alpha phase allowed for the fast initial iteration of the platform that facilitated rapid feature delivery.
- The Beta phase allowed adoption by a small number of early-adopter application teams, fast-tracking their projects to help deliver value early.
- The Production phase allowed production data to be hosted, service transition to complete and the platform handed to the customer.
Version 1 worked closely, on a daily basis, with the customer’s internal architecture and DevOps resources, while also holding regular workshops with the department’s technical leadership. These ways of working and regular forums helped the customer, with Version 1 guidance, define the technology standards and choices for the platform, which then enabled Version 1 to design and build the platform to well-understood technical guidelines.
Version 1 followed the customer’s governance process and helped to define a more cloud-friendly approach to it, one that catered for the fast pace of change the cloud brings with it.
Application Tenant Onboarding
To help with the challenge of adopting a new platform and hosting environment, Version 1 also supported the onboarding of two application teams to the new environment. These teams were delivering workload migrations and greenfield projects. They required day-to-day support from the platform team, while Version 1 also advised them on architectural best practice and platform governance and gathered feature feedback that helped deliver improvements to the platform.
Version 1 ran regular drop-in sessions to facilitate cross-team collaboration and idea-sharing, and used them to capture any new requirements that could be added to the feature backlog. Regular project management team meetings ensured that platform dependencies were aligned for delivery with the tenant teams’ plans and that requirements were captured as they emerged. We used these alongside the various developer collaboration tools mentioned above. This allowed fast and efficient team collaboration and shortened the feedback loop on any open issues.
This support ran for several months while the platform builds were completed and the platform transitioned to a production state. It helped the tenant teams meet tight deadlines by allowing them to get going quickly, delivering value back to the customer by helping them meet their project timelines. It also provided good communication channels while projects were delivered with everyone working remotely.
The platform provides a forward-looking hosting environment that will allow applications to be hosted well into the future. It promotes the use of common services and technologies that facilitate cost savings and improved delivery velocity through DevOps automation best practice and Agile delivery mechanisms. With the platform able to operate with live data, tenants can exit existing data centre arrangements, either where facilities are closing or where poor-value contracts can be exited, saving taxpayer money, while greenfield projects gain a secure foundation on which to build their offering to the department.
With the saving of taxpayer money being a big driver in this project, Version 1 kept an eye on costs by:
- Enabling economies of scale, so that smaller application tenants can take advantage of the shared hosting capability. This will facilitate a lower TCO for the department across its application portfolio.
- Enabling the move away from the high CapEx the department currently carries for its systems.
- Using platform automation to shut down non-production platform services outside business hours.
- Right-sizing services in all environments to meet the current needs of the platform. All services can be scaled easily by a re-deployment using updated code run on a pipeline.
- Using AWS native services to set up reporting and alerting on platform usage and costs, and transferring that knowledge to the customer’s senior stakeholders, giving them a new-found visibility that they lacked in their legacy hosting environments.
To ensure a smooth transition to the UK Government department and its suppliers, Version 1 worked with the customer’s incumbent team members to ensure they were brought along with the build of the platform. This ensured knowledge sharing throughout the project lifecycle, not only with the customer but also with other suppliers.
About Version 1
For over 25 years, Version 1 has gained in-depth experience and demonstrated excellence in the public sector, delivering successful solutions to many public-sector clients. Version 1 is a leading UK partner with Microsoft, Oracle, and AWS across application, database, infrastructure, and cloud technology, which allows us to deliver the highest levels of service and value to our central and local government customers. Version 1’s public sector solutions are proven to reduce operating costs and support the Government’s digital and cloud-first agenda, whilst ensuring availability and reliability for key enterprise systems.