Afreximbank’s infrastructure runs on the AWS Cloud and leverages multiple AWS services. Amazon Elastic Compute Cloud (EC2) houses the various VMs designated for Afreximbank’s different operations and applications, providing secure and resizable compute capacity in the cloud.
Each EC2 instance is attached to an Amazon Elastic Block Store (EBS) volume, a high-performance block storage service designed for use with Amazon EC2 for both throughput-intensive and transaction-intensive workloads at any scale. This pairing of EC2 instances and EBS volumes resides within an Amazon Virtual Private Cloud (VPC), which provisions a logically isolated section of the AWS Cloud in which the resources are launched into a virtual network that Afreximbank defines. Two top-level subnets were created, a public and a private subnet, which in turn contain further subnets for the various applications and groups of VMs.
Afreximbank also uses various other AWS services, such as AWS CloudTrail, which enables governance, compliance, operational auditing and risk auditing, together with Amazon CloudWatch for monitoring and observability. Amazon Relational Database Service (Amazon RDS) is used to set up, operate and scale a relational database in the cloud, providing cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. Alongside RDS, Amazon Simple Storage Service (Amazon S3), an object storage service offering industry-leading scalability, data availability, security and performance, holds the static content of the application.
An Elastic Load Balancer distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses and Lambda functions, handling the varying load of application traffic across multiple Availability Zones. Amazon Elastic Container Service (Amazon ECS), a fully managed container orchestration service, runs the most sensitive and mission-critical applications because of its security, reliability and scalability. Amazon ElastiCache was also implemented, allowing Afreximbank to seamlessly set up, run and scale popular open-source-compatible in-memory data stores in the AWS Cloud. AWS Elastic Beanstalk forms part of the infrastructure architecture for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go and Docker on familiar servers such as Apache, Nginx, Passenger and IIS. AWS CloudFormation is used to model and provision AWS and third-party application resources in the AWS Cloud environment. AWS Lambda runs application or backend service code without provisioning or managing servers, as a cost-optimisation strategy in which only the consumed compute time is paid for.
Apart from the functional services above, AWS Identity and Access Management (IAM) is used for security purposes; it enables Afreximbank to manage access to AWS services and resources securely. Using IAM, they can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources. AWS Virtual Private Network (AWS VPN) establishes a secure, private, encrypted tunnel from Afreximbank’s network or devices to the AWS global network.
Afreximbank’s banking application infrastructure is hosted in the Ireland Region of AWS. The infrastructure is designed following the best practices recommended by AWS. The complete infrastructure consists of three main environments: Production, Development and Staging. Development environment resources are kept in a separate virtual network, while Production and Staging share the same virtual network. Secure connections are established through a next-generation firewall from the Bank’s premises to the AWS network. To make the environment highly available and able to withstand a failure in an AWS data centre, the infrastructure is spread across multiple Availability Zones. AWS Elastic Load Balancing routes requests to all the servers in a balanced manner.
For managing the AWS account, we have used the AWS IAM service. AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources users and applications can access.
To safeguard the web applications, we have used the AWS WAF service. AWS WAF is a web application firewall that monitors the HTTP and HTTPS requests forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution or an Application Load Balancer. AWS WAF also controls access to content: based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, API Gateway, CloudFront or the Application Load Balancer responds to a request either with the requested content or with an HTTP 403 (Forbidden) status code.
To authenticate user access to the application, we have used the Amazon Cognito service. Amazon Cognito provides authentication, authorization and user management for web and mobile apps; users can sign in directly with a username and password. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for app users. Identity pools enable you to grant users access to other AWS services.
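As an added illustration, not Afreximbank’s or AWS’s own template, the two kinds of condition described above expressed as an AWS WAF web ACL in CloudFormation (the service the architecture already uses for provisioning): a block list of source IP addresses and a match on the query string, with matching requests blocked (AWS WAF answers them with HTTP 403) and everything else forwarded to the load balancer. The load balancer ARN and the 203.0.113.0/24 range are placeholders.

```yaml
Resources:
  BlockedSourceIps:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: banking-app-blocked-ips
      Scope: REGIONAL            # REGIONAL for ALB / API Gateway; CLOUDFRONT for CloudFront
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.0/24         # constructed example range (RFC 5737 TEST-NET-3)
  BankingAppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: banking-app-web-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}                # requests that match no rule are forwarded unchanged
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: BankingAppWebAcl}
      Rules:
        - Name: block-listed-source-ips
          Priority: 0            # evaluated first
          Action:
            Block: {}            # AWS WAF responds with HTTP 403 Forbidden
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedSourceIps.Arn
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: BlockedSourceIps}
        - Name: block-script-tag-in-query-string
          Priority: 1
          Action:
            Block: {}
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                QueryString: {}
              PositionalConstraint: CONTAINS
              SearchString: "<script"
              TextTransformations:   # normalise first so percent-encoding or case changes do not bypass the match
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: LOWERCASE
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ScriptTagInQueryString}
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER   # placeholder ALB ARN
      WebACLArn: !GetAtt BankingAppWebAcl.Arn
```

Blocked requests appear in the rule’s CloudWatch metric and in the sampled requests, so the effect of each condition can be reviewed before the list or pattern is widened.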
For monitoring the provisioned resources and auditing users, we have used the Amazon CloudWatch and AWS CloudTrail services. Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. AWS CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor and retain account activity related to actions across your AWS infrastructure.
For managing SSL certificates, we have used the AWS Certificate Manager (ACM) service. ACM handles the complexity of creating and managing public SSL/TLS certificates for AWS-based websites and applications. We can use public certificates provided by ACM (ACM certificates) or certificates that we import into ACM. ACM certificates can secure multiple domain names and multiple names within a domain. ACM can also create wildcard SSL certificates that protect an unlimited number of subdomains.
For the Afreximbank infrastructure, we have configured Active Directory (AD) services for user and DNS management across the Development, Staging and Production environments. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features such as Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to your domain and use AWS enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.
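As an added example, not taken from Afreximbank’s deployment, the CloudTrail-to-CloudWatch link described above in CloudFormation: a metric filter over the log group that the trail delivers to, counting console sign-ins that succeeded without MFA, and a CloudWatch alarm that notifies an SNS topic when one occurs. The log group name and topic ARN are placeholders, and the trail is assumed to already be configured to send events to that log group.

```yaml
Parameters:
  CloudTrailLogGroup:
    Type: String
    Default: PLACEHOLDER-cloudtrail-log-group          # placeholder: log group the trail delivers to
  AlertTopicArn:
    Type: String
    Default: arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER-security-alerts   # placeholder SNS topic
Resources:
  ConsoleLoginWithoutMfaFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroup
      # CloudTrail events are JSON; this matches successful console sign-ins whose
      # MFAUsed field is anything other than "Yes"
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.responseElements.ConsoleLogin = "Success") }'
      MetricTransformations:
        - MetricNamespace: SecurityAudit
          MetricName: ConsoleLoginWithoutMfa
          MetricValue: "1"                             # one count per matching event
  ConsoleLoginWithoutMfaAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: console-login-without-mfa
      AlarmDescription: A console sign-in succeeded without MFA; review the CloudTrail event.
      Namespace: SecurityAudit
      MetricName: ConsoleLoginWithoutMfa
      Statistic: Sum
      Period: 300                                      # evaluate over five-minute windows
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching                   # no matching events means no alarm
      AlarmActions:
        - !Ref AlertTopicArn
```

The same filter-plus-alarm pattern extends to other CloudTrail events worth auditing, such as IAM policy changes or root account activity, by changing the FilterPattern.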