About the customer
Eurosport is the market leader in the sports retail industry in Malta holding exclusive local distributorship to a long list of world-renowned brands including Adidas, Reebok, Kappa, Robe di Kappa, Skechers, Head and others. Operating since 1992, Eurosport offers the most complete end to end sports products in the Maltese Islands and is synonymous with powerful brands in each product category. The Maltese group aims to be a one stop shop for all lovers of sport.
The Challenge
Eurosport’s website ran on a non-highly-available environment without any segregation between the e-commerce tier and the asynchronous background tasks tier required to keep the site up-to date. This resulted in a high level of reputational and revenue risk, resulting from frequent downtimes. These downtimes were even more frequent when coupled with larger than usual stock and price changes on the site, something which happened on a constant basis due to flash sales and an increase in traffic due to the Covid-19 pandemic.
The Solution
Eurosport and 56Bit, decided to solve these challenges by investing in a highly-available AWS platform to host the same underlying code. The solution’s main requirements were redundancy, scalability, security and predictable costs. One main change to the architecture included decoupling the synchronous e-commerce tier from the asynchronous background tasks tier, to ensure that any downtime in one tier does not affect the other. Coupled with an automatically scalable system over multiple AWS availability zones, and use of the latest hosting technologies ensured that the above requirements were met and exceeded.
Why AWS?
After evaluating various options, AWS was chosen as the public cloud provider of choice. The reason was not just based on costs, which were considerably less when compared like with like, but also the maturity, scalability potential and unparalleled feature set provided by the AWS service portfolio.
Why 56Bit?
56Bit provides peace of mind to technology-driven business through best-in-class cloud solutions. Eurosport, whose business and reputation would be severely impacted by any failures of the underlying technology required an experienced partner with profound knowledge on AWS technologies that could deliver a high-quality service on time and within budget. Eurosport teamed up with 56Bit to consult, design, build and maintain this platform, working hand-in-hand with the software development team.
Solution Details
The solution is based on the AWS Well-Architected Framework and includes the following components (see Figure 1 below).
CMS ENGINE
The e-commerce site is powered by NopCommerce, a popular open-source Content Management System (CMS) built using Microsoft’s .Net Framework.
CONTENT DELIVERY
The site makes use of AWS Cloudfront as a CDN, ensuring that all static and dynamic calls are routed as quickly as possible through the AWS backbone. The CDN also caches any static files like product images to serve content faster and at lower cost.
E-COMMERCE TIER
The NopCommerce powered website is hosted on Windows EC2 instances running IIS. These instances have the capability of autoscaling depending on traffic, make use of multiple AZs for high-availability and are load-balanced by an AWS Application Load Balancer.
BACKGROUND TASKS TIER
Another instance of the NopCommerce engine is run separately from the customer facing tier, and is used to run any background tasks such as stock synchronizations and price reductions. This tiered approach allowed us to reduce the blast radius of the different components of the system ensuring that any downtime in this tier does not affect the E-commerce tier.
It also allowed us to speed up the execution of the background tasks because previously these tasks were run on a batch basis at the end of the day to ensure there would be no affect on the public facing functions of the site. By decoupling this tier we were able to run these background tasks on a continuous basis, greatly improving the efficiency of the client’s operations.
FULLY MANAGED SQL SERVER
Amazon RDS was chosen to host a fully managed cluster of Microsoft SQL Servers on multiple availability zones.
SERVERLESS STORAGE
Amazon S3 is used as a static file storage system. Considering it was designed with 99.99% availability and 99.999999999% (that’s 11 x 9s!) durability, the decision was easy. Multiple buckets, some fronted by the Amazon Cloudfront CDN are used for static file hosting, logging and code archiving.
SERVERLESS SECURITY AND COMPLIANCE
- The system uses multiple AWS accounts, one for each of the Staging and Production environments. Another account acts as the master account with centralized billing, DNS, Single-Sign On, etc. Finally 2 accounts are used for security logging, with one account acting as a black hole (i.e. an immutable highly secure dump of security logs) and another acting as a single pane of glass for everything security related. Security logging is handled using AWS Config, AWS Cloudwatch and AWS Cloudtrail.
- The above accounts are provisioned using AWS Control Tower, which creates the AWS Organization, an SSO entry point, an AWS Account factory (using AWS Service Catalog), as well as a number of Guardrails to protect the accounts from unintended changes. All management users are assigned MFA-backed credentials onto the SSO endpoint which in turn provides role-based temporary access to the different accounts.
- All system components are deployed in private VPCs.
- Non-public S3 buckets are encrypted at rest with strong cryptographic keys (AES256) managed by AWS KMS. All data is also in transit with TLS-enabled network protocols. Even the backups and its transfer to a second physical location are encrypted. All secrets like database passwords are stored in a highly available and secure secrets vault powered by AWS Secrets Manager. PKI Certificates are provisioned using AWS Certificate Manager.
DEPLOYMENT AND ORCHESTRATION
- The infrastructure was fully built using CloudFormation, which is released using a CI/CD pipeline built on top of the AWS Code family of products (Codecommit, Codebuild, Codepipeline).
- This Infrastructure as Code passes through the full commit-build-test-deploy lifecycle, incorporating the development, staging and production environments. The NopCommerce code base also passed through a CI/CD pipeline, built using similar infrastructure. In this case AWS CodeDeploy is used to deploy the code to the appropriate servers.
- Environment separation is implemented by using completely independent VPCs in different AWS accounts. New releases can always be tested in a staging environment, where unit and integration tests along with load and stress tests can be conducted by the same testing suite. This mitigates the risk of unexpected functional changes and performance degradation. The master account serves as a CI/CD single pane of glass for the teams working on the project, whilst cross-account IAM roles enable the pipelines to test, build and deploy code in different AWS accounts.
Possible future improvements
IMPLEMENT A DISASTER RECOVERY (DR) SOLUTION THAT HANDLES REGION-WIDE FAILURES.
Whilst the system is already highly-available, since everything runs in multiple AZs, this can be improved further with a cross-region solution. It will not be very hard to move to another region, since everything is implemented using IaC (Cloudformation).
IMPLEMENT DATABASE CACHING
At the moment we do not envisage the need for database caching, but a database caching layer can easily be spun up using AWS Elasticache (Redis) to add a very fast caching layer between the EC2 compute and the RDS database. This will increase performance, reduce database hosting costs and decouple the architecture even further.
