Cases – Cloud Foundation
Bringing cloud native concepts through DevAx to accelerate cloud journey for Big Red Group
DNX Solutions delivered the AWS Developer Acceleration (DevAx) enablement program to Big Red Group (BRG). The program is aimed at increasing the customers’ developer skills for cloud adoption and building developer cloud native fluency across their organisation. A major focus of AWS DevAx is the developer patterns and practices of modernisation and distributed system design, to break down and rearchitect monolithic application architectures.
The DNX team delivered the AWS DevAx enablement as a structured program, working directly with BRG’s development teams for six weeks. A comprehensive curriculum taught through workshops and co-development sessions resulted in the upskilling of BRG’s internal development community.
What is the “Monoliths To Microservices” Program?
Migrating from a monolithic architecture to microservices requires willingness on the part of both the developers and the business as a whole, as well as a thorough understanding of how microservices design patterns can be used and which tools can be utilised to deploy them.
The AWS DevAx “Monoliths to Microservices” program aims to increase developers’ knowledge and experience in distributed system design patterns, or to assist developers in gaining more experience in developing on AWS in general. The program takes a theory and patterns-first approach, then introduces the AWS developer tools. It, therefore, targets experienced developers looking to increase their skills, which perfectly reflects the BRG team that undertook the program with DNX Solutions.
Over the 6 weeks that DNX delivered the program, BRG developers started with a Java Spring Boot monolith with a large RDBMS backend and methodically broke the monolith into a series of decoupled microservices. The DNX team rehosted the application in AWS, and then refactored the application architecture to utilise application release automation and bounded-context-based microservices, refactor and rearchitect the databases, implement an event-driven system, implement authentication and authorisation systems, and create AI-driven services.
Topics like microservices security best practices are covered as a cross-cutting topic across all modules.
- Module 1: Lift & Shift – Migrating The Monolith
- Module 2: Application Release Automation
- Module 3: Create a Microservice
- Module 4: Refactor Your Database
- Module 5: Microservices Decoupled Eventing & Messaging Architectures
- Module 6: Creating an Authenticated Single Page App
- Module 7: Creating Immersive AI Experiences
What is the value of the AWS DevAx program to BRG?
The DevAx enablement contributed to a mindset shift in the BRG Java developers, who received the knowledge and tools required to alter their way of working from monolithic applications to a microservices-based architecture. This gave them the chance to understand the new technology, the different opportunities it provides and why it is worth adopting. For a company that is dealing with multiple brands, all with unique infrastructures and functionalities, merging the data was a mammoth task that required an open-minded and educated developer team. As stated by the BRG Head of Engineering, this complexity is the reason “Devax Academy was extremely important in changing our team’s mindset, encouraging them to get involved with the project”. In addition, the deep understanding and insight into the patterns BRG’s teams need to break the monolith across different types of architectures at speed will allow developers to reuse those same patterns in the future.
Moving from monolith to microservices was a breakthrough for BRG. By moving away from long-running environments and drastically altering the development life cycle, teams can begin doing development with whatever the code repository is, allowing developers to spin up the environments. In addition, the cost of non-production is massively decreased by maintaining production and changing non-production as development is undertaken. In BRG’s case, the new confidence in breaking up and re-architecting monolithic applications that cannot be easily rehosted in the cloud has opened up many more doors, such as making it possible for them to build a secure Infrastructure as a Service (IaaS) that is simple to use and maintain. An additional benefit of microservices is the ability to implement Straight-Through Processing (STP). STP uses automation to increase the speed of financial transactions. It not only simplifies financial processes; its implementation at BRG has also saved them a huge amount in operational expenditure.
Upon completion of the program, the BRG team had gained a thorough foundation of knowledge and insight, meaning they are not only willing but also able to strive for continual improvement. These benefits are just some of those gained by BRG due to the move from monolith to microservice technology, all of which can be achieved by any business willing to commit to the change.
DNX Solutions values sharing knowledge and is proud to be able to deliver comprehensive programs through the AWS DevAx enablement. For businesses that want to take control of their assets without having to rely on external resources, completing enablement through DevAx is a straightforward and valuable way to increase in-house skills. To see how your business can benefit from this program, contact DNX today.
Big Red Group’s challenge to create a new infrastructure for multiple unique brands
Big Red Group (BRG) is the leading experience partner in Australia and New Zealand.
BRG is the parent company of major experience brands, such as RedBalloon, Adrenaline, Lime&Tonic, and Experience OZ. Each of them has its own unique value proposition to attract and engage diverse audiences, with exclusive distribution channels and B2C and B2B offerings, and together they unlock access to more than 10,000 experiences across Australia and New Zealand.
The Challenge
After acquiring new brands and inheriting their technology and infrastructure, BRG had to maintain multiple infrastructure sets resulting in the challenge of creating and maintaining new functionalities for each brand. In addition, they had the challenge of providing meaningful reports for the business due to their different data models.
BRG were seeking a cloud consultant partner that could assist them in building a secure infrastructure as a service that was simple to use and maintain from day one. They also sought to increasingly leverage microservices to ensure continuous, agile delivery and flexible deployment of complex, service-oriented applications.
DNX Solutions determined BRG’s business and technical capabilities, such as the interdependencies, storage constraints, release process, and level of security. With the required information at hand and BRG’s required technology, DNX developed a roadmap to meet BRG’s Technical and Business objectives, using AWS best practices “The 7R’s” (retire, retain, relocate, rehost, repurchase, replatform, and refactor).
The Solution
BRG’s project was implemented in two phases, in which an AWS Foundation, an Application Platform (Containers), and Application Blueprints (static front end and containers with full CI/CD pipeline) were delivered.
DNX Well-Architected Foundation entails
- AWS Landing Zones
- 100% infra-as-code
- CI/CD for infrastructure
- CDK in TypeScript
- Knowledge transfer
- Cost Report and optimization
- AWS ClientVPN Auditing Strategy
AWS Application Platform
- AWS ECS
- CloudFront + S3 (Static Application)
- Application CI/CD Strategy
- Monitoring strategy
- Auto-scaling strategy
- Logging strategy and retention
- Secrets management
- Application BluePrints
The Outcome
The DNX team designed and implemented safe infrastructure as code using the AWS Cloud Development Kit (CDK) in TypeScript, deployed through AWS CloudFormation, for BRG’s entire foundation as per BRG’s prerequisites.
TypeScript was chosen by BRG’s team to provide them with an easier way to write and maintain not just the application codebase but also the infrastructure. TypeScript is a superset of JavaScript which primarily provides optional static typing, classes, and interfaces. One of the big benefits is that it enables IDEs to provide a richer environment for spotting common errors as you type the code, which BRG’s team was already very familiar with.
It offers all the features of JavaScript, plus an additional layer on top of these – the TypeScript type system. This can help companies to build more robust code, reduce runtime type errors, take advantage of modern features before they are available in JavaScript, and work better with development teams.
DNX also deployed Application Blueprints (static front end and containers with full CI/CD pipeline) so BRG’s team could deploy, migrate, manage and monitor their own applications in the AWS cloud in the future.
As with all of our projects, DNX delivered extensive documentation and knowledge-transfer sessions covering how DNX Foundations works, how to deploy applications, how to run CI/CD pipelines, and more.
Moreover, DNX delivered the AWS DevAx Academy training program Monoliths to Microservices for Java developers for six weeks.
Conclusion
No matter your needs or requirements, DNX is able to deliver the right solution for your business.
CreditorWatch Democratises Credit Data
CreditorWatch was founded in 2010 by a small business owner who wanted to create an open source, affordable way for SMBs to access and share credit risk information. Today, CreditorWatch’s subscription-based online platform enables its 55,000+ customers—from sole traders to listed enterprises—to perform credit checks and determine the risk to their businesses. It also offers additional integrated products and services that help customers make responsible, informed credit decisions.
CreditorWatch helps businesses understand who they are trading with and any creditor issues associated with that particular business. They analyse data from 30 different sources, including both private and government sources. Some of their most powerful behaviour data is crowdsourced from their very own customers providing insights into businesses. Ultimately, CreditorWatch customers get access to Australia’s most insightful business credit rating.
The Challenge of Australia’s Largest Commercial Credit Bureau
An expansion phase saw major corporations, including Australia’s Big Four banks, looking to leverage CreditorWatch’s rich dataset and granular analytics capabilities. As a result, CreditorWatch decided to increase its agility and efficiency. With the need to provide a continuously secure and compliant environment, with reduced costs and increased time to market, CreditorWatch engaged with DNX Solutions. DNX was tasked with creating and executing a roadmap for the improvements, targeting cloud-native concepts, and bringing more efficiency to the IT and Operations teams.
Through workshops during the discovery phase, DNX determined CreditorWatch’s business and technical capabilities, such as the interdependencies, storage constraints, release process, and level of security. With the required information at hand, DNX developed a roadmap to meet CreditorWatch’s Technical and Business objectives, using AWS best practices “The 7R’s” (retire, retain, relocate, rehost, repurchase, replatform, and refactor).
A Safe Environment to Meet ISO Standards
To continue delivering a safe platform to their customers and meeting the requirements of ISO and other compliance standards, DNX constructed a new secure AWS environment utilising its DNX.one Foundation.
Rather than undergoing a lengthy and expensive process each time a safe environment needs to be recreated, DNX.one helps customers build secure and scalable container platforms with high availability at low cost. This unique marketplace solution, designed for AWS with well-architected principles, combines years of cloud experience in a platform focused on simplicity, infrastructure-as-code and open source technologies. In addition, DNX.one provides a consistent approach to implementing designs that will scale with CreditorWatch’s application needs over time.
Once CreditorWatch’s environment was secured with the best AWS and industry practices, it was time to move to the modernisation phase.
Instant Cost Reduction of 120K per Year With Data Modernisation
Due to the amount of data received on a daily basis, CreditorWatch’s database increases considerably in size and cost.
The DNX data team worked on the data engineering, optimising CreditorWatch’s Aurora database and its tools to full capability.
Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases.
Amazon Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones.
Aurora data is stored in the cluster volume, which is a single, virtual volume that uses solid state drives (SSDs). A cluster volume consists of copies of the data across three Availability Zones in a single AWS Region. Because the data is automatically replicated across Availability Zones, customers’ data is highly durable with less possibility of data loss. This replication also ensures that databases are more available during a failover.
The Aurora cluster volume contains all user data, schema objects, and internal metadata, such as the system tables and the binary log. Its volumes automatically grow as the amount of data in the customer’s database increases.
With extensive data knowledge and years of experience with AWS solutions and tools, DNX provided a unique solution to configure Aurora Database leveraging its full capabilities, which resulted in an instant cost reduction of over 90K per year related to instant threshold of data availability.
The DNX team also created an automated archiving process utilising AWS Airflow, which analyses CreditorWatch’s database tables, identifying data which is unused for a period of time. Unused data is then archived with a different type of file storage at a cheaper rate than S3. This process resulted in an additional cost reduction of 30K per year.

The Unique Value DNX brought to the CreditorWatch Project
DNX Solutions utilised its knowledge on DevOps, Cloud, data, and Software Engineering to provide CreditorWatch with a secure environment that continually meets ISO and other compliance standards. The diversity of experience integrated within the DNX team allowed for instant identification of areas for improvement in CreditorWatch’s systems. In addition, DNX assisted CreditorWatch in bringing about a cultural change by transferring its DevOps mindset approach. Not only was the goal of agility and efficiency reached by the close of the project, but significant storage cost reductions were made enabling CreditorWatch to compete to a higher standard and continue to expand.
Effective leadership depends on using data to make important decisions; it takes a broad view with accurate information to take meaningful action. This is how a modern data strategy is built to deliver insights to the people and applications that need them, securely and at any scale. DNX Brasil helps your company apply data analytics to its most business-critical use cases with complete solutions that require data expertise. Discover the value of data
Payble Accelerates Path to CDR Compliance with DNX Solutions
About Payble
Based in Australia, Payble helps businesses increase their revenue by offering their customers flexible payment options as required. The Payble platform uses open banking to identify consumers who would benefit from flexible payment options and engages them with installment plans or payment extensions.
Navigating the Journey to CDR Compliance
When Australian lawmakers signed the Consumer Data Right (CDR) initiative into law in 2020, financial services firms across the country became eligible for open banking—the practice of giving consumers access to and control over their banking data. However, to receive customer open banking data, banks and other institutions needed to become accredited as a Data Recipient (ADR) by the Australian Competition and Consumer Commission (ACCC), by implementing stringent privacy safeguards and rules to ensure secure protection and management of data. This path to CDR accreditation is complex and time-consuming.
It’s a challenge Payble knows all too well. The Australian fintech uses open banking technology to help customers prevent missed or late payments before they happen. CDR data is a critical component of Payble’s solution. “CDR is incredibly complex, and because it’s new in Australia, there’s no easy method to copy and implement,” says Elliott Donazzan, CEO of Payble. “In addition to specific requirements, there are nuances that don’t apply to the general regulations we’re accustomed to. Plus, a lot of work is required to build the right technology to support everything. CDR is not our core business, so we needed the right partners to help achieve accreditation.”
Collaborating with AWS Partners to Solve the CDR Challenge
Payble has been running on the Amazon Web Services (AWS) Cloud since the company’s inception, using a range of AWS services to support its application environment. Through its relationship with AWS, Payble was introduced to a group of AWS Partners that specialize in accelerating the financial technology industry’s CDR accreditation and technology solutions. This network of partners includes DNX Solutions, an AWS Advanced Consulting Partner; AssuranceLab, a modern assurance firm that provides accreditations for CDR and global standards; Astero, a cybersecurity company specializing in open banking and CDR; and Adatree, a proprietary, AWS-built CDR Platform for Data Recipients. “We had conversations with Adatree and began sharing engineering strategies,” says Helder Klemp, CEO of DNX. “After discussing with AWS about some of the other partners that we could work with, we decided to jointly develop a solution to help businesses become accredited.”
Developing CDR in a Box Solution
The partners created CDR in a Box, an AWS-based, compliant CDR platform. The modular platform is based on the AWS Well-Architected Framework and features core AWS security components including AWS Security Hub, Amazon GuardDuty, AWS Identity and Access Management (IAM), and AWS Key Management Service (KMS).
CDR in a Box includes the ADR Accelerator, a business solution jointly developed by Adatree and Astero. The template-based solution is designed to help enterprises accelerate their Accredited Data Recipient (ADR) application, a key part of CDR compliance. An accredited data recipient is a business that has been accredited by the ACCC to receive data from a data holder.
Adatree’s platform is built on AWS and runs on a range of AWS services.
Astero used its cybersecurity expertise to support CDR in a Box with security solutions including technical security documentation and controls assessment services required for accreditation. “CDR in a Box ensures customers follow a security and risk-first approach to compliance,” says Sandeep Kumar, CEO of Astero. “This starts by helping customers define the boundary and data flows of their CDR data environment, performing threat assessments, and implementing appropriate security controls.”
AssuranceLab contributed to CDR in a Box by using its accreditation expertise and skillset to build the required technical security documentation for CDR audits. “As a group, we brought four expert offerings together into one seamless solution for Payble,” says Paul Wenham, CEO of AssuranceLab. “By understanding each other’s approach, and working effectively together, it removed the guesswork and business disruption for Payble to focus on what they do best.”
Payble used the ADR Accelerator to provide the business readiness documentation for the company’s ADR application audit. DNX also supported Payble throughout the auditing process, offering automated compliance capabilities. The overall combined partner offering includes guidance and support specifically tailored to Payble’s business.
Building Audit-Ready CDR Environment in 4 Weeks
Because the AWS partners worked together to build a well-architected AWS solution for ADR applicants, Payble gained an audit-ready environment and a completed audit, in four weeks. AssuranceLab carried out the audit, in parallel to the implementation activities before the audit took place.
Payble also took advantage of ADR Accelerator to provide business readiness documentation for the company’s ADR application six months faster than the normal timeframe for accreditation. “The sentiment in the industry in Australia is that the CDR is too hard to get into because of cost and time commitments, but startups need it in order to provide something compelling to market,” Kumar says. “We’re trying to make CDR access simpler while still meeting all the compliance requirements.”
“As a startup, we need to move quickly and access the benefits of CDR compliance as fast as possible,” says Donazzan. “By working with AWS partners to complete the ADR application process faster than we could have by ourselves, we can focus on our core business instead of the accreditation process.” In addition to accreditation, Payble benefits from having a strong security and compliance foundation for its business, built by DNX based on AWS Well-Architected principles.
Eliminating the Need to Hire Specialized Staff
Payble reduced the need to hire specialized internal audit staff due to the AWS partners’ combined controls assessment, technology, documentation, and security services. “We only have one point person to work on compliance issues, and the AWS partner solution helped us avoid hiring more people to work on the accreditation process,” says Donazzan.
The solution has streamlined the engagement between Payble and compliance auditors. “Becoming CDR compliant is important, but startups don’t necessarily have the resources to hire a fulltime security compliance person or expensive engineers,” says Kumar. “By using our solution’s automation, Payble did not have to begin with a blank sheet and try to understand CDR rules and create security policies. They could move quickly on the entire process.”
Cuts Accreditation Costs by 50%
Rather than investing time and money into hiring a specialized compliance professional, learning everything required for CDR, and preparing all the documentation, Payble streamlined the entire process via the CDR in a Box solution on AWS. “We were considering a compliance solution that would’ve cost twice as much as the AWS partner option,” says Donazzan. Overall, Payble spent less than $90,000 on infrastructure, documentation, and audit costs. “In the financial services industry, complete compliance solutions can cost many, many times more than that,” says Kumar.
As of November 2021, Payble received accreditation as an unrestricted Data Recipient. Weeks later, it reached Active Status through Adatree’s platform. This required passing technical conformance tests to ensure compliance with the rigorous technical standards. This is the only business in Australia to reach this status through an intermediary.
The four AWS partners are continuing to work alongside Payble. “Audits can be complex and painful, but as a team, we worked together to simplify the process,” says Kumar. “Our relationship with Payble will continue into the future.”
Benefits
- Builds audit-ready CDR environment in 4 weeks
- Provides ADR application documentation 6 months faster than industry average
- Eliminates the need to hire specialized staff
- Reduces accreditation costs by 50 percent
AWS services used
Scalamed: Building a HIPAA compliance environment while migrating from Heroku to AWS

About Scalamed
Scalamed is an Aussie startup that allows patients to receive prescriptions directly from their clinician to their mobile phones.
Taking a patient-centred approach, Scalamed believes the company must empower patients with the right information at their fingertips to make health personalised for them.
Combining the experience of patients, care-givers, doctors, pharmacists, and geeks in a single solution, Scalamed aims to provide a friendly, personal, intuitive, secure, and caring healthcare solution.
For Dr Tal Rapske, Scalamed Founder, the journey to helping patients manage their health simply, conveniently, and on-the-go starts with medication management. As Rapske explained it, ScalaMed is in effect a ‘digital prescription inbox’, secured by blockchain technology, which patients can access from their smartphone and share with their treating doctors and pharmacists.
“We identified a gap where a next-generation technology could improve the experience of medication management and increase adherence. By allowing patients to securely store their prescriptions digitally, doing away with paper, we can reduce medication errors, allergy mix-ups, and unnecessary hospitalisations, while giving patients their prescription history and information, and improving the convenience and ease of managing and purchasing one’s prescriptions,” Rapske explained.
The Business Challenge
While uncovering the market’s needs, Scalamed identified that the main concerns and questions about the solution were around security, ease of use, administration burden, and how difficult the system is to use. In response to the security topic, Scalamed decided to prepare the application to be compliant with HIPAA standards for sensitive patient data protection.
Another challenge was that Scalamed was scaling up the business globally and was looking to improve resource usage and grow more dynamically, while remaining light on infrastructure operations and gaining more control in the long run. However, with Heroku as its current cloud platform, Scalamed was not able to achieve this due to some Heroku platform limits.
So, Scalamed needed to find a partner that could solve both challenges: building a HIPAA compliant environment and preparing the business for future growth. DNX Solutions was engaged to support these challenges using AWS as a cloud solutions provider.
The 5-step Solution
Step 1: Identifying issues, risks, and opportunities
DNX started by assessing the current state of the application infrastructure, delivering a Well-Architected Framework Review in which DNX identified risks and opportunities against the operational excellence, security, reliability, performance efficiency, and cost optimisation pillars. HIPAA best practices were also considered while assessing the workloads.

About 39 items were classified as high risk. Security and reliability were the main focuses for the business, followed by solving performance efficiency. Some of those items were identity and permissions management, network resources, networking configuration, security events, designing the workload service architecture to adapt and perform better, and data protection.
With a clear understanding of both business and technical needs in-hand, DNX and Scalamed determined that an Application Transformation would be the best path to solve those challenges.
A Transformation journey was defined as a deliverable scope, with security as a main topic to be covered in order to achieve the desired outcome.
Step 2: Enhancing security through DNX.One Well-Architected Foundation
The project started by deploying DNX.One Well-Architected Foundation (aka DNX.One) – an automated platform built with simplicity in-mind, Infrastructure as Code (IaC), open source technologies, and designed for AWS with well-architected principles. It enables the application to thrive while the business can remain focused on customer solutions.
DNX.One is a ready-to-go solution that aims to solve the most common business needs regarding cloud infrastructure as it fits different application architectures (including containers), has flexibility and automation for distinct platforms, and enhances security and management to keep business under control.
Some high-level security best practices that were leveraged while building Scalamed’s infrastructure were:
- Networking using security best practices for VPC
- Multiple Availability Zones
- Security groups and network Access Control List as an optional layer of security for VPC
- IAM policies to control access
- AWS tools to monitor VPC components and VPC connections such as CloudWatch
- A secure dedicated and isolated subnet for the database which is not accessible to the public internet
- A Centralised CloudTrail to monitor events history
- GuardDuty to provide continuous monitoring of AWS accounts
- AWS Key Management Service (KMS) to create and manage cryptographic keys and control their use across AWS services
While building a HIPAA compliant environment for Scalamed, DNX made substantial changes to DNX.One, which is the default for any new customer, such as account-level separation to isolate distinct environments, granular access control for each workload, and list-grants-permission.
Having a separate audit-only account was another crucial topic to be covered, enabling the HIPAA audit team to access everything with integrity.

Figure 1 – IAM: single sign-on

Figure 2 – Networking

Figure 3 – Account management and separation
Step 3: Application Transformation Strategy
With minimum infrastructure operations in mind, DNX started the application transformation strategy. A migration from Heroku to AWS using an Elastic Container Service (ECS) cluster on EC2 instances was proposed, as it enhances performance and resource usage. It is important to note that DNX used spot instances for the ECS cluster, focusing on availability while reducing AWS costs.
Upon deployment of DNX.One, we migrated the Scalamed deployment to Docker containers on ECS, bringing both the existing automated tests and the database migration scripts into its CI/CD pipeline.

An internal Application Load Balancer was used to control internal access through Network Access Control List (NACLs) and/or Security Groups.
As a security best practice, environment variables were used to pass secret or sensitive data securely to containers. SSM Parameter Store was used to store secret keys and variables (values in plaintext), enabling only authorised services to access them and change them when convenient.
AWS Key Management Service (AWS KMS) customer master keys (CMKs) were used to encrypt the data at rest.
To enhance security in this phase, the environments were separated into accounts (non-prod and prod), allowing better access control for the Scalamed team to the environments through roles and policies. VPNs were also implemented in each environment (non-prod and prod), so that access to resources such as databases was only carried out through VPN, providing authenticity, confidentiality, and integrity of data in transit.
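A check for the secrets-handling pattern described in this step, as an added example (not DNX's or Scalamed's code): it audits an ECS task definition for secret-looking values placed in the plaintext `environment` list instead of `secrets` entries that reference SSM Parameter Store. The task definition, account ID, parameter names and name heuristic are constructed assumptions, and requiring a full ARN in `valueFrom` is this example's policy, stricter than ECS itself.

```python
import json
import re

# Constructed sample input (not from the case study): one container with a
# secret pasted into the plaintext environment list and one bad reference.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "example-api",
  "executionRoleArn": "arn:aws:iam::111122223333:role/example-ecs-execution",
  "containerDefinitions": [
    {
      "name": "api",
      "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "constructed-not-a-real-secret"}
      ],
      "secrets": [
        {"name": "JWT_SIGNING_KEY",
         "valueFrom": "arn:aws:ssm:ap-southeast-2:111122223333:parameter/example/prod/jwt_signing_key"},
        {"name": "API_TOKEN", "valueFrom": "token-value-pasted-by-mistake"}
      ]
    }
  ]
}
""")

# Heuristic (an assumption of this example): variable names that usually
# carry credentials and should never appear in the plaintext list.
SENSITIVE_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I
)

# Policy of this example: valueFrom must be a full ARN of an SSM parameter
# or a Secrets Manager secret, so the reference is unambiguous in review.
REFERENCE_ARN = re.compile(
    r"^arn:aws[a-z-]*:"
    r"(ssm:[a-z0-9-]+:\d{12}:parameter/.+"
    r"|secretsmanager:[a-z0-9-]+:\d{12}:secret:.+)$"
)


def audit_task_definition(task_def):
    """Return a list of (container, finding_code, variable_name) tuples.

    Only variable names are reported, never values, so the audit output
    itself can be logged without leaking anything.
    """
    findings = []
    containers = task_def.get("containerDefinitions", [])

    # ECS resolves `secrets` with the task execution role; without one the
    # references cannot be fetched at container start.
    uses_secrets = any(c.get("secrets") for c in containers)
    if uses_secrets and not task_def.get("executionRoleArn"):
        findings.append(("<task>", "MISSING_EXECUTION_ROLE", None))

    for container in containers:
        cname = container.get("name", "<unnamed>")
        # Plaintext list: values are visible to anyone who can describe
        # the task definition.
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append((cname, "PLAINTEXT_SECRET", env.get("name")))
        # Reference list: each entry must point at a parameter or secret,
        # not contain the value itself.
        for sec in container.get("secrets", []):
            if not REFERENCE_ARN.match(sec.get("valueFrom", "")):
                findings.append((cname, "BAD_SECRET_REFERENCE", sec.get("name")))
    return findings


if __name__ == "__main__":
    for container, code, name in audit_task_definition(SAMPLE_TASK_DEF):
        print(f"{container}: {code} {name or ''}".rstrip())
```

The task definition cannot show whether a referenced parameter is encrypted or which principals may read it; those are checked separately on the parameter and the execution role's policy.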

Step 4: Build secure CI/CD pipelines
We used AWS EC2 spot instances to run complex CI/CD pipelines, optimising steps such as database migration and automated tests by running them as parallel steps via GitLab. Hundreds of pipelines are triggered daily at minimal operational cost. Moreover, this reduced the number of production incidents, increased their current test capacity, and enhanced security by running the pipeline in a private instance, avoiding public or shared instances.
DNX uses its own runners to execute the pipelines. In summary, instances are created in AWS to execute the pipelines without the need to configure secrets within the CI/CD SaaS platforms. The instances created for this purpose already have the specific policies and roles to execute the pipelines with only the necessary permissions, without the need to expose the execution of pipelines inside third-party runners.

AWS stack:
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (AWS KMS)
- Network ACLs + Security Groups
- AWS Systems Manager
- AWS CloudTrail
- AWS Organisations Service Control Policy
- AWS Secrets Manager
- Amazon CloudWatch
- AWS CloudWatch Events
- Amazon GuardDuty
- AWS Certificate Manager (ACM)
- AWS Single Sign-On
- AWS Consolidated Billing
Step 5: Knowledge Transfer
DNX works closely with companies to spread the AWS Well-Architected Framework pillars, bring teams together, and focus on delivery. As part of the DNX Transformation Journey, a showcase was delivered at the end of the project in order to upskill the Scalamed team regarding what was delivered.
Conclusion
From conception to conclusion, the migration project from Heroku to AWS was completed in approximately one month. Scalamed now has an environment that is HIPAA compliant as well as Well-Architected. In order to address the first challenge, the critical issues identified in the previous assessment were fixed (under the security and reliability pillars) while delivering a resilient, secure, and reliable foundation.
The new Docker+AWS environment implementation allowed Scalamed to improve performance and efficacy as compared to their previous Heroku environment. Their production quality and their ability to release more products frequently have increased. Furthermore, developer and QA productivity has improved significantly.
Building a HIPAA compliant environment, improving the security of application components, automating security components and CI/CD, and applying AWS cloud-based products have enhanced the environment to hold the customer data. It enables the Scalamed team to focus on delivering Dr Tal Rapske’s passion: to reorient healthcare towards the patient and empower patients with their data seamlessly, while addressing the quadruple aim of health – improved health outcomes, reduced cost, improved patient experience, and reduced paperwork for providers.
At DNX Brasil, we work to bring a better cloud and application experience to digital-native companies. We work with a focus on AWS, Well-Architected Solutions, Containers, ECS, Kubernetes, Continuous Integration/Continuous Delivery and Service Mesh. We are always looking for professionals experienced in cloud computing for our team, focusing on cloud-native concepts. Check out our open-source projects at https://github.com/DNXLabs and follow us on Twitter, LinkedIn or YouTube.
Verifier: Building a compliant CDR data environment and supporting Verifier on their Accredited Data Recipient journey

Introduction to CDR Australia
Consumer Data Right (CDR) is well underway across Australia. Under the CDR framework, Data Holders (Australian banks and credit unions) will enable consented sharing of consumers’ data through standardised open Application Programming Interfaces (APIs) with Accredited Data Recipients (ADRs). By streamlining and securing the transfer of personal data, the CDR framework will completely transform the way that consumers interact with financial services in numerous sectors. With a variety of customer-centric use cases already proven in the United Kingdom and across Europe, Australian consumers now stand to benefit immensely from this next stage in the democratisation of data.
About Verifier
Verifier is the leading-edge multi-source, multi-access method solution to consumer data sharing, using the secure courier method of accessing data. This way respects the information security and privacy needs of both consumers and income data providers, while at the same time delivering ease of online processing for lenders.
Verifier has been a pioneer in consent-driven data sharing even before the rollout of CDR, providing frictionless proof of income across the Australian market using the existing data access rights within Australia’s Privacy Act (Privacy Principle 12), and has been working towards ADR status for some time. With privacy-by-design at its heart, the Regtech leader has advocated for a non-screen-scraping approach to accessing consumer data since 2014 and has actively supported the ACCC since CDR inception, becoming one of the 10 ADRs to test the framework with the four big banks. Verifier’s CEO Lisa Schutz also serves on the Consumer Data Right Advisory Committees that support standards setting in the banking and energy sectors.
The Business Challenge
To receive consumer data directly from other financial institutions through the CDR regime, an organisation must become an Accredited Data Recipient (ADR). ADRs must meet rigorous, ongoing regulatory requirements (in areas such as consent management, infrastructure, and compliance reporting) to achieve and maintain their accreditation.
When planning their participation in CDR, Verifier recognised a need for a highly automated solution that would allow the company to scale up their offerings, and constantly adapt to the evolving standards of CDR. Rather than burden their own software engineers, who were instead building Verifier’s own use cases, they turned to a community of experienced partners to help them prepare their business for becoming an ADR.
In October 2019, Verifier selected Adatree and its single API Data Recipient platform to be the CDR ‘rails’ to help them access CDR data. DNX was engaged to act as a key support for their DevOps team in tailoring a compliant CDR data environment, which is a key requirement for accreditation.
The DNX Solution
Gaining accreditation in Australia is a complex challenge, so working with experienced partners is a worthy consideration to accelerate the CDR journey. To build and deliver a compliant CDR environment, DNX (in addition to its work with Adatree) worked closely with Trend Micro Cloud One Conformity that provides tools for mapping and automating regulatory controls, and RSM as an auditor responsible for assessing compliance of what DNX delivered.
DNX.One Foundation
We started by assessing the existing Verifier infrastructure against the five pillars of the AWS Well-Architected Framework. This enables DNX to understand the customer’s environment and identify gaps against best practices, then provide a remediation plan and roadmap to resolve issues based on Security, Operational Excellence, Performance Efficiency, Cost Optimisation, and Reliability.

The following illustrates an example of the IAM topology that was implemented for Verifier. As AWS IAM policies are version controlled and securely managed, accomplishing high standard compliance with CDR was possible. Access to AWS accounts is role-based, where users assume one or multiple roles across accounts and environments.

Delivering networking using security best practices for VPC, plus the extra ‘DNX layer’ of security, is another advantage of DNX.One. Multiple Availability Zones, security groups and network ACLs, IAM policies to control access, and tools to monitor VPC components and VPC connections are defaults for DNX.One and were automatically deployed to Verifier’s infrastructure. A dedicated and isolated subnet for the database and file system was considered in order to enhance the security around the networking infrastructure; therefore, policies, permissions, and flow access rules control access to sensitive data.

Another DNX.One best practice implemented for the Verifier environment was account management and separation. This practice isolates production workloads from development, test, and shared services workloads, and also provides a strong logical boundary between workloads that process data of different sensitivity levels, as defined by CDR requirements. The granular access control defines who can have access to each workload, as well as what they can do with that access. In addition, it allows Verifier to set guardrails as its workloads grow.

CDR Deployment + Cloud Conformity Remediation
Once we had prepared the foundation, we started deploying the CDR environment and running the Trend Micro Cloud One Conformity tool to enable automated security and compliance checks of the infrastructure. This enabled the DNX team to identify which items were not yet covered by DNX.One, focusing on building or fixing them to meet the technical security requirements requested.
It is worth noting that every new requirement was implemented or remediated on our DNX.One Foundation. The DNX.One Foundation has been improved and developed through ‘tried and tested’ applications, and this evolution is enabling companies to accelerate their journey to building an infrastructure compliant with the CDR.
The following are the core security aspects that the DNX CDR infrastructure environment has (but is not limited to):
- Networking (private networking, stateless and stateful firewalls, networking logs)
- Encryption (at rest and transit with dedicated customer keys and rotation policy)
- IAM (least privilege, SSO)
- Compute protection; and
- Incident response: anomaly detection, continuous compliance mechanisms, and alerting.
Conclusion
DNX achieved great outcomes working with Verifier, building a Well-Architected and Cloud Conformity AWS environment compliant with the CDR. This has effectively accelerated the audit process for Verifier by certifying that it is automatically compliant with many CDR requirements due to the DNX.One foundation already in-place, and at the same time has implemented security, reliability, operational excellence, performance efficiency, and cost optimisation using Infrastructure as Code (IaC). Cost optimisation was further enhanced with new benefits being prepared for the future. Verifier is now primed to participate in the CDR environment sooner, more dynamically, and in a more compliant manner.
Brighte Capital restructures its AWS organisations, improves security, and achieves a 50-60% cost reduction.

About Brighte
Brighte Capital is a rapidly growing Australian FinTech founded in 2015, making solar, battery, and home improvements affordable for Aussies all over the country.
Its mission is to make every home sustainable, offering Aussie families affordable access to sustainable energy solutions through an easy payment platform.
The company offers financing and zero-interest payment solutions for the installation of solar panels, batteries, air conditioning, and lighting equipment.
The process is simple and fast, all managed via Brighte’s website or smartphone app. Once your application is approved, you get access to highly vetted vendors offering interest-free products. Brighte recently received the Finder Green Awards 2021 in the category of Green Lender of the Year, an incredible achievement that recognises and solidifies its position in the Australian market.
As a company operating in both the Energy Industry and Financial Services Industry, Brighte must comply with numerous standards, rules, and regulations highlighting operations, security, and data protection as key topics. Australian Privacy Principles, Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and National Consumer Credit Protection Act 2009 are just some examples.
But as a customer-centric company, Brighte goes beyond mere compliance requirements. Transparency and making life easier are two of its most important values, so Brighte is alert to other factors which can bring damage to their clients, well beyond compulsory minimum standards.
The Business Challenge: consolidate and improve the core digital platform architecture while prioritising security
Brighte’s business model is impressive and there has been considerable investment in a robust digital platform to support the different areas of the company. There is substantial technology in-place behind the scenes, with the business headed by a dedicated team of professionals with diverse backgrounds and skills, all contributing to a strong work culture.
As a relatively young company, Brighte has experienced exponential growth. Even with best practices in-place, it was difficult to continually manage or upgrade the various IT solutions the business was using.
Most of Brighte’s applications were developed in-house and based on a range of different programming languages and technologies. While its infrastructure was hosted on AWS, different services were being used to support each application, causing issues around ease of management and knowledge retention and sharing. On top of that, the increased vulnerability and manual interactions needed to be fixed in order to retain and improve security.
Brighte needed to revamp its landscape and reevaluate the current architecture of its core digital platform. The business reached out to DNX, seeking a solution that would improve its cloud strategy, apply DevOps best practices, reduce infrastructure operational overheads, and achieve overall cost optimisation. However, because of its financial conditions, these challenges needed to go hand-in-hand with security. Therefore, DNX understood that the challenge was to provide those improvements while prioritising security.
The DNX Solution: infrastructure, pipelines, AWS Stack, deliverables, project, UI, frontend + backend
Prior to project kick-off, DNX began a discovery phase to maximise the information collected about the challenges faced by Brighte’s team. A Well-Architected Review Framework was delivered to identify risks and opportunities against operational excellence, security, reliability, performance efficiency, and cost optimisation pillars. This enabled DNX to ensure and maintain focus on the most important priorities, such as security and operational excellence, while the team went through the DevOps Transformation guidelines to draft a plan for the required changes, working towards continuous innovation during the course of the project.

Comparing best practices enables the team to identify new opportunities and highlight concerns that may not be apparent at the beginning.
From an infrastructure perspective, DNX recognised that Brighte needed to improve control over its AWS resources using IaC (Infrastructure as Code) and restructure its AWS organisation and accounts strategy.
To achieve this, DNX suggested its DNX.One Well-Architected Foundation (aka DNX.One) to provide the following benefits:
- New structure of AWS organisation following the best practices in the market.
- Ability to manage all infrastructure resources across all of their AWS accounts based on Terraform and CI/CD pipelines.
- Designed for AWS with Well-Architected principles
It is important to mention that DNX.One is a ready-to-go solution that aims to solve the most common business needs regarding cloud infrastructure, fitting different application architectures (including containers), has flexibility and automation for distinct platforms, and enhances management to keep business under control.
An extra layer of high-level security best practices as default for architecture guarantees continuous security at any stage. It ensures that regardless of the challenges that customers need to achieve, they will do it in a secure way.

From the applications point of view, DNX identified Brighte was using different types of AWS services to deploy their applications, including ElasticBeanstalk, ECS with Fargate, and EC2 instances.
Having these different types of application deployments is expensive, as the company needs to utilise multiple operational processes to manage the environment, but is also less secure because no single consistent security module is provided, effectively introducing risk.
With its Application Modernisation strategy, DNX suggested containerisation of the client’s main applications and deployment via ECS with spot instances. This change would substantially reduce Brighte’s costs, create a pattern for new applications that may be necessitated by future business growth, and improve security while having a single security pathway to improve the AWS responsibility under the Shared Responsibility Model, making security simpler by using ECS.
The CI/CD pipeline strategy was also evaluated, and Brighte’s team demonstrated a willingness to adopt solutions that would reduce the complexity of managing new deployments and provide faster response times to deploy new applications in their landscape.
Key Project Phases:
Cloud Foundation (aka AWS Foundation)
With our automated solutions based on Terraform (IaC), DNX restructured Brighte’s AWS resources such as AWS organisation, accounts, network, domains, VPN, and all the security controls for account access via SSO using Azure AD as their Identity Provider.
Building a strong and secure foundation for Brighte’s applications was a critical first step prior to modernisation. With a multi-AZ strategy with ECS nodes running on spot instances deployed in their environments, Brighte was able to run a cluster of Docker containers across availability zones and EC2 instances, while optimising costs and simplifying the security operating model.

Security:
Although security is considered and addressed at many stages by now, and several cloud technologies have been put in-place to protect data, systems, and assets in a manner to improve security through best-practice guidance, there are some AWS services that still need to be highlighted.
Amazon CloudWatch
The logs from all systems, applications, and AWS services have been centralised in the highly scalable Amazon CloudWatch service. It allows easy visualisation and filtering based on specific fields, or archiving them securely for future analysis. CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time, and you can query and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualise log data in dashboards.
AWS CloudTrail
All AWS events are reported to a centralised CloudTrail and exported to an S3 bucket in an Audit account.
AWS Organisations
The setup of new accounts has been automated by service control policies (SCPs), which apply permission guardrails at the organisation level.
Amazon GuardDuty
DNX implemented a centralised GuardDuty to detect unexpected behaviour in API calls. Amazon GuardDuty alerts when unexpected and potentially unauthorised or malicious activity occurs within the AWS accounts.
DNX has helped Brighte to strengthen its workload security along with a number of other relevant AWS resources, such as Amazon CloudFront, ECR image scanners, AWS IAM identity provider, VPC endpoints, AWS WAF, and AWS Systems Manager Parameter Store.
Cost savings:
There were three main cost optimisation drivers used for this project. The combined use of these three strategies brought savings in the order of 60%, compared with the same workloads on the previous environment, while allowing Brighte to use several new resources delivering more value with less cost to its clients.
- Using ECS clusters with EC2 Spot Instances: Spot instances are unused AWS capacity that is available for a fraction of the normal On-Demand prices on a bidding model. Spot instances can be reclaimed by AWS when there is no available capacity, so DNX uses an auto-scaling model with several instance types that ensure availability while saving around 75% compared with On-Demand. For instance, an On-Demand t3.xlarge instance costs $0.2112 per hour while the same Spot instance costs $0.0634.
- Savings plans for Databases: As the databases are stable and their use can be predicted over a long duration, AWS allows us to reserve a DB instance for one, two, or three years, with monthly or upfront payments, charging a discounted hourly rate saving from 30% to 60%, according to the chosen plan.
- Automatic scheduler for turning resources on and off according to a usage calendar: For Development and Testing environments, which are not meant to be used on a 24/7 basis, Brighte can easily schedule when these environments are available for the teams and when they should be turned off (scaling them to zero), saving around 50% compared to a full-time available environment. The scheduler mechanism allows the resources to be used at any desired time, bypassing the default calendar, in an easy-to-use way.
Application Modernisation:
Brighte had a good set of applications based on different technologies deployed across multiple AWS services. During this phase, the DNX team focused on the refactoring of the main applications to deploy the content via Docker containers and subsequently make use of ECS with spot instances.
They had previously adopted some of the 12-factor principles, but needed to improve their control over sensitive data and credentials. DNX proposed the use of AWS Systems Manager Parameter Store and adapted all the applications to follow this pattern.
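A check for this pattern, added here as an example (it is not DNX's or Brighte's code): it scans an ECS task definition and reports credentials placed in plaintext `environment` entries instead of `secrets` entries that reference Parameter Store. The task definition, account ID, Region, parameter names and the name heuristic are all constructed for illustration.

```python
import re

# Names that usually carry credentials. This heuristic is an assumption of the
# example; tune it to the naming used in your own services.
SENSITIVE_NAME = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.IGNORECASE
)

# A `secrets[].valueFrom` entry should reference Parameter Store or Secrets
# Manager. ECS also accepts a bare parameter name in the task's own Region;
# this example requires a full ARN so the reference is unambiguous in review.
STORE_ARN = re.compile(
    r"^arn:aws[a-z-]*:"
    r"(ssm:[a-z0-9-]+:\d{12}:parameter/.+"
    r"|secretsmanager:[a-z0-9-]+:\d{12}:secret:.+)$"
)


def audit_task_definition(task_def):
    """Return sorted (container, variable, issue) tuples for one task definition."""
    findings = []
    uses_secrets = False
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "<unnamed>")
        # Plaintext `environment` values are visible to anyone who can read the
        # task definition (console, DescribeTaskDefinition, IaC state).
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append(
                    (cname, env["name"], "sensitive-name-in-plaintext-environment")
                )
        for secret in container.get("secrets", []):
            uses_secrets = True
            if not STORE_ARN.match(secret.get("valueFrom", "")):
                findings.append(
                    (cname, secret.get("name", ""), "valueFrom-is-not-a-store-arn")
                )
    # ECS resolves `secrets` with the task execution role, so one must be set.
    if uses_secrets and not task_def.get("executionRoleArn"):
        findings.append(("<task>", "executionRoleArn", "missing-execution-role"))
    return sorted(findings)


# Constructed sample: account ID, Region, names and values are placeholders.
SAMPLE_TASK_DEF = {
    "family": "example-api",
    "containerDefinitions": [
        {
            "name": "api",
            "environment": [
                {"name": "APP_ENV", "value": "uat"},
                {"name": "DB_PASSWORD", "value": "constructed-placeholder"},
            ],
            "secrets": [
                {
                    "name": "JWT_SECRET",
                    "valueFrom": "arn:aws:ssm:ap-southeast-2:111122223333:"
                                 "parameter/example/uat/jwt_secret",
                },
            ],
        },
        {
            "name": "worker",
            "secrets": [
                {"name": "QUEUE_TOKEN", "valueFrom": "constructed-inline-value"},
            ],
        },
    ],
}

if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASK_DEF):
        print(finding)
```

Run against task definitions rendered in the pipeline, a non-empty result can fail the build before a plaintext credential reaches ECS.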
A few serverless applications and UI static pages were deployed as part of this phase, even without demanding a strong code refactoring. We adapted the remaining apps to the 12-factor app methodology and made use of our CI/CD pipeline strategy.
Each environment in AWS was made identical, varying only in EC2 instance types in each environment (dev, uat, production). The same immutable application image was deployed and tested across these environments. By adopting this approach, Brighte has improved its operational resilience, greatly reducing production incidents to zero through its self-healing platform.
Logs:
Due to the high volume of logs, Brighte was using the ELK stack (ElasticSearch, Logstash, and Kibana) in legacy accounts to aggregate all of its application logs and avoid losing data during the process. The solution was working fine, but since it’s not a fully managed solution, the operational overhead was a point of impact.
DNX suggested the replacement of Logstash with Kinesis Firehose and CloudWatch Subscription Logs to send the data directly to ElasticSearch cluster. This way, Brighte was able to avoid the need of having dedicated resources to manage the solution and take advantage of the automatic transfer of logs between the applications, CloudWatch and ElasticSearch.

CI/CD pipeline:
Brighte was using Bitbucket as a provider for its application pipelines. DNX adjusted the pipeline strategy, reducing the complexity of deployments across different environments, and included tools to automate the replacement of data used for automated tests using AWS Systems Manager Parameter Store. In addition, the Bitbucket pipelines have been integrated with AWS using OpenID Connect (OIDC). As a result, there is no need to create AWS IAM users or manage AWS keys to access AWS resources. This strategy improved security and removed any kind of sensitive data from Brighte’s codebase.
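With OIDC, the IAM role's trust policy becomes the control that decides which pipeline may assume the role. The following added example (not code from DNX or Brighte) audits such a trust policy for an audience that is not pinned and a subject that is left unrestricted. The provider host, audience and subject values are placeholders, not the real values issued by any CI provider.

```python
WEB_IDENTITY_ACTION = "sts:assumerolewithwebidentity"
# Operators that actually constrain a claim. "...IfExists" variants are not
# accepted because they also match tokens that omit the claim.
CONSTRAINING_OPERATORS = {"StringEquals", "StringLike"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _claim_conditions(statement, claim):
    """Return [(operator, values)] for condition keys ending in ':<claim>'."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        base = operator.split(":")[-1]  # "ForAnyValue:StringLike" -> "StringLike"
        for key, value in keys.items():
            if key.lower().endswith(":" + claim):
                found.append((base, [str(v) for v in _as_list(value)]))
    return found


def _is_constrained(conditions, allow_partial_wildcard):
    """True if one condition limits the claim to specific values.

    Wildcards are only special under StringLike; the check is conservative and
    treats '*' and '?' the same way under either operator.
    """
    for operator, values in conditions:
        if operator not in CONSTRAINING_OPERATORS or not values:
            continue
        if allow_partial_wildcard:
            ok = all(v.strip("*?") for v in values)  # reject values that are only wildcards
        else:
            ok = all("*" not in v and "?" not in v for v in values)
        if ok:
            return True
    return False


def audit_oidc_trust(policy):
    """Return (statement_index, issue) tuples for web-identity Allow statements."""
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or WEB_IDENTITY_ACTION not in actions:
            continue
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not all(":oidc-provider/" in p for p in _as_list(federated)):
            findings.append((index, "principal-not-an-oidc-provider"))
        # Audience must be an exact value, otherwise tokens minted for other
        # relying parties of the same provider are accepted.
        if not _is_constrained(_claim_conditions(st, "aud"), allow_partial_wildcard=False):
            findings.append((index, "aud-not-pinned"))
        # Subject must name the repository/pipeline, at least as a prefix.
        if not _is_constrained(_claim_conditions(st, "sub"), allow_partial_wildcard=True):
            findings.append((index, "sub-not-restricted"))
    return findings


# Constructed samples. The provider host and claim values are placeholders.
PROVIDER = "oidc.example.invalid/pipelines"
_PRINCIPAL = {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"}

LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": _PRINCIPAL,
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "example-audience"},
            "StringLike": {f"{PROVIDER}:sub": "*"},  # any pipeline of the provider
        },
    }],
}

TIGHT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": _PRINCIPAL,
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER}:aud": "example-audience"},
            "StringLike": {f"{PROVIDER}:sub": "{example-repository-id}:*"},
        },
    }],
}

if __name__ == "__main__":
    print("loose:", audit_oidc_trust(LOOSE_TRUST))
    print("tight:", audit_oidc_trust(TIGHT_TRUST))
```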


Databases:
The databases were already deployed in RDS prior to this project, but DNX increased security by encrypting all of the database workloads and improved redundancy by activating a Multi-AZ strategy during the database migration phase. Also, the databases were created in dedicated and isolated subnets which allow only incoming traffic from private subnets. Therefore, the network ACLs restrict inbound traffic to specific private subnet CIDR ranges and the RDS security groups allow only inbound traffic from ECS instances.
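The two layers described above can be verified continuously. This added example (not DNX's tooling) checks data shaped like the EC2 `DescribeSecurityGroups` and `DescribeNetworkAcls` responses and reports any database security-group source that is not an ECS security group and any inbound NACL allow rule that reaches beyond the private subnet ranges. All IDs and CIDR ranges are constructed.

```python
import ipaddress


def audit_db_isolation(db_sg, db_nacl, ecs_sg_ids, private_cidrs):
    """Return (resource_id, issue, detail) tuples for rules that break the design:
    - the database security group admits only the ECS security groups;
    - the database subnet NACL admits inbound traffic only from private subnets.
    """
    findings = []
    sg_id = db_sg["GroupId"]
    for perm in db_sg.get("IpPermissions", []):
        # Any CIDR source bypasses the "only from ECS instances" rule, even a
        # private one, because it admits every host in that range.
        for rng in perm.get("IpRanges", []):
            findings.append((sg_id, "cidr-source", rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):
            findings.append((sg_id, "cidr-source", rng["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in ecs_sg_ids:
                findings.append((sg_id, "unexpected-source-group", pair["GroupId"]))

    allowed = [ipaddress.ip_network(c) for c in private_cidrs]
    acl_id = db_nacl["NetworkAclId"]
    for entry in sorted(db_nacl.get("Entries", []), key=lambda e: e["RuleNumber"]):
        if entry["Egress"] or entry["RuleAction"] != "allow":
            continue
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not inside:
            findings.append(
                (acl_id, "inbound-allow-outside-private-subnets",
                 f"rule {entry['RuleNumber']}: {cidr}")
            )
    return findings


# Constructed sample data in the shape of the EC2 API responses.
ECS_SG_IDS = {"sg-0ecs0000000000001"}
PRIVATE_CIDRS = ["10.20.16.0/20", "10.20.32.0/20"]

DB_SG = {
    "GroupId": "sg-0db00000000000001",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "UserIdGroupPairs": [
            {"GroupId": "sg-0ecs0000000000001"},   # expected: ECS instances
            {"GroupId": "sg-0bastion000000001"},   # drift: another group added
        ],
        "IpRanges": [{"CidrIp": "10.20.0.0/16"}],  # drift: whole VPC range
        "Ipv6Ranges": [],
    }],
}

DB_NACL = {
    "NetworkAclId": "acl-0db0000000000001",
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow",
         "Protocol": "6", "CidrBlock": "10.20.16.0/20"},
        {"RuleNumber": 110, "Egress": False, "RuleAction": "allow",
         "Protocol": "6", "CidrBlock": "10.20.0.0/16"},  # wider than private subnets
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny",
         "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow",
         "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for finding in audit_db_isolation(DB_SG, DB_NACL, ECS_SG_IDS, PRIVATE_CIDRS):
        print(finding)
```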

Conclusion
From conception to its conclusion, the project was completed in approximately five months, with the restructure of AWS accounts, infrastructure resources, and a total of 15 applications migrated to the new AWS environments.
The applications perform consistently thanks to the auto-scaling of the clusters, without any risk of downtime due to the redundancy and self-healing strategies delivered by DNX products. The infrastructure and application deployment operational overhead has reduced significantly and this is reflected directly in Brighte’s ability to release products more frequently.
With the new pattern adopted across all applications and the use of ECS clusters with spot instances, Brighte has achieved a cost reduction of 50-60% – an outstanding result for such a large set of applications and infrastructure resources used by its digital platform.
Finally, having a very secure foundation helped Brighte to reduce operational costs through security and best practices: as complexity went down, Brighte saved money on operations, and it is now able to run faster and safer.
Plezzel: Migrating an on-premise application to AWS cloud

About Plezzel
Plezzel is a company that provides unique consumer journeys within the Real Estate sector. The Platform as a Service (PaaS) solution provides marketing automation software. Plezzel’s solution provides the time-saving and marketing tools that agents need to get more listings, grow their rent roll, and build better relationships with their prospects.
The Business Challenge
With the speed of innovation occurring in the Real Estate industry and the pace of change in Digital Marketing, the Plezzel management team decided to upgrade their platform infrastructure to cater for planned growth and uptake.
Running Plezzel’s platform on on-premise technologies, all on the same server, was challenging for the Plezzel team. This required lots of computing power and third-party supplier labour to manage the platform. The main challenge was the complexity of their environment. DNX took up the challenge to build the best solution possible for Plezzel, designing and sharing a simple and efficient architecture on AWS with their team.
The Solution
There’s nothing better than starting your cloud journey with a fresh, Well-Architected account and getting your DNX.One Foundation in place, leveraging all 5 pillars of the AWS Well-Architected framework: operational excellence, security, reliability, performance efficiency, and cost optimisation.
Moving to the cloud with the DNX.One Foundation established was a decisive step to improve Plezzel operations and made way for a series of DevOps automations, using Infrastructure as Code (IaC) – one of many DNX deliverables.
Then, the DNX team started to modernise Plezzel API workloads and prepare them for their new platform in the cloud. The application platform includes ECS for container orchestration using spot instances that are up to 70% cheaper than on-demand instances. It also has zero-downtime deployments in test and production environments using CodeDeploy and its own custom CI/CD pipeline for the application.
Once API workloads were relieved from the on-premise server, we enabled the team to migrate the on-premise hosting platform to AWS. Initially, it’s a complex ‘lift and shift’ task, designing the new equivalent services on AWS and converting any local application or service to cloud managed services.
As moving to a cloud-hosted solution was a priority for Plezzel, moving the on-premise hosting platform to AWS was critical.
As soon as the DNX team got the on-premise hosted server up and running in the cloud, we started to convert a few services to AWS resources, such as moving the database to an AWS managed database service with multiple availability zones for a Disaster Recovery Strategy. The email service was converted to SES, significantly reducing storage costs and the load on the server, along with moving DNS services. These actions were necessary to relieve the load and operations contained in the server that was sharing hardware and network resources with other services.
Conclusion
We achieved both high availability and disaster recovery in their new AWS cloud, plus a range of features. The Plezzel team can focus on improving their product in a new cloud-native way with modern architectures, now that the main challenges have been solved by the DNX and Plezzel teams. The new environments have AWS managing a few services like email, storage, DNS, deployments, and database, so the Plezzel team can dedicate more time to what they do best – building solutions to connect their users with clients and innovating their features in a production-mirrored environment, eliminating variances from testing to release steps.
Airboard: Improving time-to-market on AWS, a DNX Startup Case

About Airboard
Airboard is a digital queueing application that removes physical queues to improve the passenger experience at airports and on commercial flights. It currently uses machine learning and its unique patent-pending technology to benefit airports and airlines around the world.
The Business Challenge
As a startup, Airboard had done their homework on the industry, created a great product using agile concepts, and achieved an excellent MVP (Minimum Viable Product). Airboard was seeking a development team for expedient development (in a two-week timeframe) of a Well-Architected global framework to achieve performance excellence concurrently with high security, reliability, availability, and efficiency for its airline industry customers. A key priority for the digital queuing application is to achieve low latency across multiple, global locations with a highly scalable framework. This requires leveraging the capability of the AWS cloud, anticipating the potential for an exponential increase in the number of simultaneous users as sector adoption grows. Time savings are a significant benefit of the Airboard system, so the accuracy of timing in multiple simultaneous locations remains essential to its success. To achieve these conditions within their desired parameters, Airboard chose to team up with the highly skilled and experienced AWS architects and engineers of DNX to design and build a solution for their first release.
In the initial development phase, the Airboard team were using AWS Lightsail for front-end and back-end PHP applications running on a single EC2 instance, which enabled rapid prototyping in its initial product development phase. However, given the increased sector demand during COVID and as part of a post-COVID recovery solution for the aviation industry, the Airboard team were looking for a way to enable automated deployments that can support global adoption with enough elasticity to allow for spikes in usage during global travel seasons.
Furthermore, an ambitious customer deadline was imminent for the Airboard team, which was under pressure to prepare the application for its first release. DNX was engaged not just to design and apply a solution for these challenges; the Airboard team also asked DNX to assist in providing comprehensive documentation and further enhancing its DevOps best practices on AWS. As a certified DevOps competency AWS partner, DNX pushed hard on knowledge transfer sessions and detailed documentation about our solutions.
At first, going for an event-driven architecture using serverless computing was tempting but required lots of refactoring in the current product at that time, so DNX elaborated a container-based solution on AWS. With critical compliance requirements and strict security concerns, especially in US airports, the due date was close and DNX could modernise the Airboard application while building its AWS foundations.
The Solution
Because of the critical deadline, DNX allocated more Cloud Engineers to this project: while one team built Airboard’s AWS Foundations from the ground up, another started to modernise the application, which was written in PHP with separate front end and back end, both using the Laravel framework on a classic LAMP stack (Linux, Apache, MySQL, and PHP). The Continuous Delivery strategy with CI/CD pipelines, essential to fulfilling the customer requirements, also started to be designed while the DNX Cloud Architect ran the application discovery phase.
Our well-known DNX.One Well-Architected Foundation was applied. Leveraging our considerable developer experience and using Terraform to manage our IaC, we could also meet the high compliance standards of Airboard’s clients, as AWS IAM policies are version controlled and securely managed. In our IAM topology, access to AWS accounts is role-based: users assume one or multiple roles across accounts and environments.

Additionally, each role's policy has its version tracked in Git, and any modification or addition to a role is approved through Pull Requests. This is a benefit of using IaC: any change in a policy is tracked and can be compared using git diff.
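A textual git diff does not show whether a reworded or reordered statement actually widens access, so the pull-request review described above can be backed by a semantic comparison of the two policy versions. The following is an added example, not DNX's code: the function names and both sample policies are constructed assumptions, and the check ignores Condition, NotAction and NotResource.

```python
import json
import re

# Constructed sample: the policy on the main branch and the version in a PR.
OLD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-artifacts",
                "arn:aws:s3:::example-artifacts/*"]},
  {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}""")
NEW_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-artifacts",
                "arn:aws:s3:::example-artifacts/*"]},
  {"Effect": "Allow", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-artifacts/*"},
  {"Effect": "Allow", "Action": "s3:getobject",
   "Resource": "arn:aws:s3:::example-artifacts/releases/app.zip"},
  {"Effect": "Allow", "Action": "ssm:GetParameter",
   "Resource": "arn:aws:ssm:*:*:parameter/app/*"}]}""")


def _as_list(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _pattern(glob, ignore_case=False):
    """Compile an IAM wildcard string; '?' must not absorb a literal '*'."""
    body = re.escape(glob).replace(r"\*", ".*").replace(r"\?", "[^*]")
    return re.compile(body, (re.IGNORECASE if ignore_case else 0) | re.DOTALL)


def pairs(policy, effect):
    """Return the set of (action, resource) pairs carrying the given Effect."""
    out = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue  # NotAction statements are out of scope for this sketch
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                out.add((action, resource))
    return out


def covered(pair, existing):
    """True if some existing pair already spans this action and resource."""
    action, resource = pair
    return any(
        _pattern(a, True).fullmatch(action) and _pattern(r).fullmatch(resource)
        for a, r in existing
    )


def review_policy_change(old, new):
    """List (severity, kind, action, resource) for every widening change."""
    findings = []
    old_allow = pairs(old, "Allow")
    for pair in sorted(pairs(new, "Allow") - old_allow):
        if covered(pair, old_allow):
            continue  # narrower than something the old version allowed
        severity = "HIGH" if "*" in pair[0] or pair[1] == "*" else "REVIEW"
        findings.append((severity, "allow-added", *pair))
    new_deny = pairs(new, "Deny")
    for pair in sorted(pairs(old, "Deny") - new_deny):
        if not covered(pair, new_deny):
            findings.append(("HIGH", "deny-removed", *pair))
    return findings


if __name__ == "__main__":
    for finding in review_policy_change(OLD_POLICY, NEW_POLICY):
        print(*finding)
```

In a pipeline, the two inputs would be the base and head versions of the policy file in the pull request, and a non-empty result would require an explicit reviewer sign-off.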

Application Modernisation
To achieve a cloud-native solution, the PHP application was enhanced with the modernisation process where our engineers review the code and apply 12-factor principles, preparing it for container orchestration on ECS and making sure that performance would not be compromised.
As a result, we could build the application containers for ECS orchestration, by moving configurations stored in the application to the environments using CI/CD pipelines and ensuring that no state was kept by the application processes. We also automated existing database migrations and deployments that were previously manual processes, providing the team confidence to release new features that can be easily tested in a production-like environment before every deployment.
Continuous Integration and Continuous Delivery
Airboard is a growing business with the foresight to build its foundations on a framework that can scale easily. When DNX were engaged, the team was ready to transition to enhanced pipeline architecture, to support new features and future releases. Prior to engaging us, the Airboard team would connect to the EC2 Instance manually to release new features, as the application was already living in Bitbucket with a pipeline solution. At DNX, we utilised the client’s existing CI/CD tool to provide the best pipeline architecture, focusing on the best approach for the client’s needs. Along with regular feedback, architecture reviews, and Knowledge Transfer sessions, the DNX team designed and delivered a long-term solution to secure Airboard’s scalability in the cloud.
AWS Pipeline

Application pipeline

Some of the AWS Services provisioned:
Customer Benefits
Now Airboard has a future-proofed, scalable solution on AWS with elasticity, global high-availability, CI/CD, and ongoing automation supporting their application. All infrastructure built in this project uses spot instances that can save up to 70% in costs, while maintaining a great Developer Experience. Applying the multi-region strategy created during the AWS Foundation and CI/CD pipelines phase, Airboard can now scale its solution and development team seamlessly around the globe without a significant increase in the current TCO (Total Cost of Ownership), improving passenger experience, supporting the growth of the business, and keeping passengers around the world safe.
At DNX Brasil, we work to bring a better cloud and application experience to digital-native companies. We focus on AWS, Well-Architected Solutions, Containers, ECS, Kubernetes, Continuous Integration/Continuous Delivery and Service Mesh. We are always looking for professionals experienced in cloud computing to join our team, with a focus on cloud-native concepts. Check out our open-source projects at https://github.com/DNXLabs and follow us on Twitter, LinkedIn or YouTube.
Agyle Time: Protecting customer data while reducing TCO and computing costs

About Agyle Time
Agyle Time simplifies Workforce Management, ensuring cost optimisation of your resources and allowing you to better schedule to actual workload, manage costs, and improve customer satisfaction. Agyle Time uses a modern development approach with cloud technologies to engage teams and their customers with a secure and go-anywhere platform that takes just minutes to set up.
The Business Challenge
Agyle Time’s SaaS platform and its connectors are dynamic and fit different customers’ needs. However, tenant isolation along with their individual data was crucial and a mandatory requirement for large customers. In addition, due to the increase of demo requests and new tenants coming on board, building automation that delivers security was vital to keep innovating and delivering the best to Agyle Time’s users while protecting sensitive data.
Security Services on Cloud is critical for customer success in the cloud space. Data protection has become more important than ever before and every company will need high-level encryption capabilities for sensitive data, as the customers expect compliance and need governance, risk management and reporting.
DNX was engaged to elaborate and implement their new cloud operations, taking into consideration the AWS Well-Architected pillars:
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimisation
The Solution
Multiple perspectives should be considered while architecting automation for an SaaS arrangement like Agyle Time’s. Aspects like cross-tenant prevention, data protection, and tenant isolation are essential.
For a SaaS environment, these benefits extend beyond deployment configurations, including data encryption and security controls. This allows Agyle Time to ensure tenant isolation by encrypting their data during transit between services and in storage via their database and Amazon S3. Using Terraform also allowed Agyle Time to quickly automate their key management infrastructure, allowing employees to set up accounts for the system instantly with no third-party involvement or risk of misconfiguration.
Using Buildkite for CI/CD self-hosted pipelines, DNX has implemented automation on the CI/CD tool improving the security layer in the deployment process. For better pipeline control we decided to use self-hosted runners in our project with a custom hardware configuration which offers us better control on the builds.
It is feasible to check that secure code is deployed using CI/CD by imposing certain regulations during build time and deployment time. We’ve been able to enforce these checks with little effort because we’re utilizing Buildkite. To implement this security check, DNX used a number of plugins together with Buildkite.
The first step to an automated security architecture is to understand the kind of threats you need to protect against. Threat modelling is a technique for identifying and classifying threats that could impact your operations. It’s important to remember that any threat you document in this process is only one possible scenario out of many, but documenting it helps you better prepare yourself for how to handle it. It’s also not essential that you identify every threat, as long as you understand the general types of threats that are possible in your environment.
Going one step further, DNX has implemented a security plugin that takes care of the authentication process in Buildkite. This plugin adds some new functionalities to ensure that only authorized and authenticated users can access the CI/CD pipeline data.
The results were an automated data pipeline that brought the benefits of IaC to Agyle Time’s managed service. Each tenant’s data is isolated from the rest of Agyle Time, making it possible to enforce their multi-tenant architecture and hosting strategy using Terraform. The pipeline also allows each tenant to manage their own key infrastructure, removing any single point of failure in the account creation process.






Images regarding Buildkite demo
DNX.One Foundation
We started assessing the existing Agyle Time infrastructure against the five pillars of AWS Well-Architected Framework. It enables DNX Solutions to understand customers’ environments and identify best practices gaps, then provides a remediation plan and roadmap to resolve issues based on Security, Operational Excellence, Performance Efficiency, Cost Optimisation, and Reliability.
With a thorough awareness of and recognition of infrastructure issues, DNX delivered the DNX.One Well-Architected Foundation (aka DNX.One) – an automated platform built with simplicity in mind, Infrastructure as Code (IaC), open-source technologies, and designed for AWS with well-architected principles. It means that the platform is already built based on reference architectures and continuous assurance testing to regulatory audits and analytics, removing many regulatory and compliance hurdles involved throughout an organisation’s entire lifecycle.
The following illustrates an example of the IAM topology implemented for Agyle Time. As AWS IAM policies are controlled and securely managed, accomplishing high standard compliance was possible. The access to AWS accounts is role-based, where users assume multiple roles across accounts and environments.

Networking delivered using security best practices for VPC, plus the extra ‘DNX layer’ of protection, is another advantage of DNX.One. Multiple Availability Zones, security groups and network ACLs, IAM policies to control access, and tools to monitor VPC components and VPC connections are the default for DNX.One and were automatically deployed to the infrastructure. In addition, a dedicated and isolated subnet for the database and file system was considered, to enhance the security around the networking infrastructure. Access to sensitive data is therefore governed by policies, permissions, and controlled access flows.

Another DNX.One best practice implemented for the customer was account management and separation. This practice isolates production workloads from development, test, and shared services workloads and also provides a robust logical boundary between workloads that process data of different sensitivity levels. The granular access control determines who can access each workload and what they can do with that access. In addition, it allows the customer to set guardrails as its workloads grow.

Some of the AWS Services provisioned:
Business Outcome
One of the most important topics around CI/CD pipelines is security. With public runners provided by the pipeline tool, we cannot control or know whether our builds are running in an isolated environment or sharing resources with several other customers. By bringing the runners in-house, we have a stable and secure environment that enables the customer to run all application builds and deployments in isolated workspaces. Everything is wrapped around the DNX.One foundation, bringing more control and confidence to the customer. Now, Agyle Time’s team can deploy releases for current and new customers automatically in a secure, elastic, and highly available way on AWS and their customers can take advantage of the workforce management platform with no data concerns.
Law of the Jungle: Applying modern DevOps concepts in AWS

About Law of the Jungle
Law of the Jungle (LOTJ) is a cloud-based solution for risk-proofing marketing and making compliance agile and effortless. Their solution encourages effective compliance by improving productivity and reducing time to market. LOTJ brings agile methodologies to marketing teams and guides them through compliance using artificial intelligence on AWS.
The vision behind LOTJ is to allow its clients to turn marketing compliance into a competitive advantage.
The Business Challenge
Law of the Jungle was already running workloads in AWS, however they experienced challenges with configuration management and complex deployments. So, LOTJ looked to reduce time to market by reducing the environment complexity. Another challenge which was brought to the table was how to improve and make the best use of knowledge and information management.
DNX Solutions was engaged by LOTJ to provide support and implement solutions for these challenges. Together, we decided to push immutability concepts on a new AWS platform that uses an Infrastructure as Code (IaC) process, improving knowledge and information management. Building a demonstration environment for potential LOTJ customers will enable the sales team to expand their reach.
The Solution
Before starting the project, DNX’s team evaluated the organisation’s requirements and utilised DNX’s DevOps approach. This approach guides the team through the DevOps journey while building a perfect foundation, standardising and automating processes, and uses technologies to deliver applications quickly and reliably.
Our solution for this scenario was to modernise the current Java microservices leveraging Docker containers and orchestrate them using AWS Elastic Container Service clusters.
With a focus on reducing configuration management, we modernised the application by applying the 12-factor concepts, and we improved the continuous deployment process by using environment variables in SSM Parameter Store. The ECS Service uses task definitions, a powerful tool to achieve immutability and run multiple containers across the cluster instances sharing the same file system, with EFS mount targets in the different availability zones.

AWS Foundation
As with most projects at DNX, we start with deploying our AWS platform as this is the first layer of modernisation. DNX built the AWS Well-Architected Foundation by applying effective infrastructure code patterns, bringing instant value to our clients as it covers the essential aspects for an organisation which has DevOps culture in its DNA.
AWS Well-Architected Framework Pillars

You can see more details about our AWS Platform solution at this link.
Once we have prepared the foundation, we start the modernisation phase in which the DNX team prepares the microservices for the new cloud environment. We eliminated the need for configuration management by applying immutable concepts in the build stage of the Bitbucket pipelines that deploy the application to production in AWS. There is no need to access production or staging servers once they are up and running. If an exceptional need arises, the connection is secured by SSM Session Manager.
DNX uses spot instances for the ECS cluster, generating an estimated 70% cost reduction on average. Our solution implements a well-architected account topology in AWS. Law of the Jungle can have testing and development environments identical to production with reduced or similar computing power. Adding a management account facilitates security and audit aspects, keeping production and non-production environments secure and available, even during an audit process or security tests.

Continuous Delivery:
The container built during the building stage will be deployed across both AWS accounts and environments. This ensures the same application that is tested is deployed to production, providing consistency during bug fixes and new releases.

Steps:
- Application build
- Application Docker Build and Push to ECR
- Application ECS Blue-Green Deployment using AWS CodeDeploy
- Automatic deploy to QA / Staging
- Automatic deployment to production with manual approval
During the whole project, DNX runs knowledge transfer sessions for Law of the Jungle with our AWS Certified professionals. DNX believes this builds a healthy relationship with customers and partners.
Some of the AWS Services provisioned:
- AWS ECS
- AWS Elastic File System (EFS)
- Systems Manager
- CloudTrail
- Aurora Cluster
- CloudWatch
- CodeDeploy
- AWS Config
Customer Benefits
DNX Solutions looked to provide a stress-free environment and a safe place for experimentation with faster time to market for new features. DNX provided the conditions and tools in AWS to apply modern and efficient DevOps practices for LOTJ. As a result, LOTJ was able to deploy more features to its users. We also provided a new demo environment where potential customers can trial the solution in a secure and isolated approach on AWS.
To help LOTJ with its knowledge management challenge, the AWS foundation phase and the knowledge transfer sessions with the DNX team captured all knowledge in the code, reducing the time needed to onboard new team members.
UORDERIT: AWS Platform, CICD and Application Migration

DNX is all about helping our customers to leverage effective scalability, security and zero downtime deployments.
About Uorderit
UORDERIT is an Australian B2B platform for customers to source, rate and review Technology Companies.
The platform enables customers to browse and choose from a comprehensive list of Australian and Global Technology firms.
The platform is based on two primary users:
- Businesses: those looking for a specialist digital and IT professional that suits their needs. From app and software development to blockchain, SEO, and cybersecurity, UORDERIT has certified and verified professionals for projects of all sizes.
- Providers: the part of the platform where professionals can register their skill sets and interests. The platform matches this information to the right project.
The Business Challenge
UORDERIT was struggling to achieve a reliable, secure, and future-proof cloud platform that supports the MVP launch, keeps cloud costs under control, and simultaneously moves new features to production quickly. By adopting Serverless in AWS, UORDERIT intended to launch new features to the market effectively and achieve Continuous Integration across on-shore and off-shore teams.
With the suggested development pipeline, UORDERIT expected to release code to production twice a month, at the end of each sprint.

The Solution
Before starting the project, DNX’s team evaluated the organisation’s requirements and examined its processes through DNX’s DevOps approach, which guides the team through the DevOps journey while building a perfect foundation, standardising and automating processes, and using technologies to deliver applications quickly and reliably.
As lift-and-shift was not the right approach for this scenario, we first moved the current application to AWS using Terraform, the infrastructure-as-code tool, with DNX open-source modules, to provide a solid, secure, and cost-efficient AWS platform on which UORDERIT could deploy their workloads. After the AWS foundation phase, a continuous integration and continuous delivery (CI/CD) platform was introduced to deploy AWS infrastructure and application changes. Lastly, the UORDERIT applications and databases were migrated to the new platform using containers, CI/CD and ECS with blue/green deployment concepts, relying on DNX best practices.
Application Transformation Phase
DNX was engaged as a trusted advisor to design, implement and deploy UORDERIT’s cloud platform and application stacks.
By using DNX One — our all-in-one AWS platform based on open source Terraform modules — UORDERIT could promptly start planning the deployment phase into the AWS platform. The following features were implemented:
- AWS Design and Documentation
- Infrastructure-as-code using Terraform and DNX open source modules
- CI/CD Pipelines for Terraform Projects
- Application Container Strategy
- Application Blue/Green Deployment
- AWS ECS Cluster Configuration
- AWS RDS Setup and Configuration
The diagram below illustrates the high-level design used for UORDERIT:

After this first approach, DNX built from the ground up the path to serverless, leveraging AWS Amplify and API Gateway with Lambdas, so that UORDERIT benefits from faster time to market and rapid continuous integration between teams.
With the serverless approach, UORDERIT could reduce infrastructure operations and use their time to think about the business and bring new features to the market.
Serverless Approach

AWS services utilised:
- Lambda Functions
- CloudFormation
- API Gateway
- Cognito
- AWS Amplify
Conclusion
The project for UORDERIT was delivered in less than one (1) month, and the velocity was due to automation and CI/CD pipelines — both core DNX principles.
With the project completed, UORDERIT can now deploy workloads in an automated way with on-shore and off-shore teams, promoting continuous integration for both while keeping full control. The full automation of the cloud platform enables UORDERIT to approve and release code twice a month, as originally intended. With the serverless approach, the bill is under control: UORDERIT pays per usage, Lambda functions avoid over-provisioning, and the infrastructure grows with the company.
As security was a key concern, DNX built a secure AWS foundation to host the current database and to enable the application to scale and grow. With CI/CD pipelines added, the team could focus on delivering features instead of infrastructure. UORDERIT is set on the path to success and can turn its MVP into a product without any rebuild.
“As a Start-Up company, there are many challenges that can potentially derail your project. These usually revolve around the governance of the project, or the lack thereof. Most of our web-development was outsourced overseas, therefore it was vital for us to partner with DNX Solutions, to future proof our development pipeline. DNX Solutions architected our environments in a way where it would scale and more importantly be secure. This solution means we can work with a developer anywhere in the world and be assured that we remain in control of our development.”
Jon Altringer, Founder & Managing Director