Client Profile

Customer Name: Goodbody

Sector: Financial services

Goodbody is a leading, global financial services firm serving and growing client relationships for over 150 years. Goodbody offer wealth management, asset management, private capital and investment banking services.
The trusted partnership between Goodbody and Version 1 has spanned more than a decade. This has included engagements on Cloud infrastructure projects as well as providing ongoing Managed Services and support for many Goodbody systems and services.

Customer situation/challenge

Goodbody had dual drivers for the project:

1. Several key on-premises hardware systems running in their existing 3rd party datacentre were approaching the end of their planned operational life

2. Goodbody were looking to respond to the European Union (EU) Digital Operational Resilience Act (DORA) legislation introduced in January 2023 and to be enforced in January 2025

Goodbody maintain both core IT services and an in-house developed suite of web-based applications which are used both internally and provided for external customer access.

Goodbody’s existing environment was primarily hosted on-premises with the majority of both application and IT services running from 3rd party datacentre hosting facilities. They maintained small presences in both AWS and Azure with all network traffic leaving these cloud environments being routed back to their datacentres for onward routing.

One significant element of this, however, was that the databases supporting both development and production web services were already hosted in AWS RDS, with data securely traversing a VPN over AWS Direct Connect to be consumed by the on-premises hosted web applications.

The following strategic guidance was provided by Goodbody for their future hosting model:

  • A desire to rearchitect their existing hosting environments and associated networking to adopt a hybrid cloud-first approach, leveraging both Microsoft Azure and AWS
  • Architectural alignment to Microsoft and AWS best practice for secured landing zones, taking into consideration a consistent architectural and account design across all environments
  • Applications coupled with the AWS RDS databases would be migrated to AWS
  • All other services would be migrated to Azure
  • A reduced on-premises footprint would be maintained in their datacentres for specific resilience purposes and to maintain secured access to the secure third-party network hub
  • The design would facilitate agility enabling the movement of workloads between cloud providers in the event of external factors requiring it

Due to the existing workloads on AWS, the migration approach had to take account of any changes to networking to ensure they did not impact the existing production workloads.

Considering the DORA legislation, Goodbody were looking to provide a high level of resiliency, redundancy, and contingency planning within their new architecture. They were looking for both in-region and cross-region capability within AWS and Azure individually, and for a design which could potentially offer cross-cloud capabilities in the future, as well as connectivity back to their on-premises environments. They also wished to maintain cost control over these resources.

Solution proposed and delivered by Version 1

In Quarter 3, 2023 Version 1 were engaged to provide the following:

  • Detailed account and network design for AWS
  • Detailed subscription and network design for Azure
  • Detailed network design for connectivity between AWS, Azure and On-Premises Datacentres
  • Implementation plan for cloud and networking updates
  • Migration plan for migrating existing systems from on-premises to AWS or Azure as identified by Goodbody

To achieve this, we embarked on a detailed Discovery and Assessment phase to identify existing cloud connectivity and infrastructure, and systems and services that would need to be migrated. Our team were able to leverage their existing knowledge of the customer environment and systems to accelerate discovery and focus workshops with Goodbody Technology Leadership on future requirements and meeting the customer interpretation of DORA implementation.

During the discovery phase Goodbody indicated that they wished to pursue a design which leveraged their preferred gateway security appliances across all environments rather than to use cloud provider solutions. We were able to incorporate this requirement into their designs using vendor approved design patterns.

Goodbody also indicated that they wished to centralise their Infrastructure as Code (IaC) and deployment pipelines for all environments in their existing Azure DevOps (ADO) environment. We were able to accommodate this and provide a management and deployment solution covering both AWS and Azure in ADO.

To meet their expectations for resiliency and redundancy, Goodbody were looking for solutions that met or exceeded their existing local datacentre deployment, which provided a 5-minute Recovery Point Objective (RPO) and 1-hour Recovery Time Objective (RTO) server and database disaster recovery solution. They also needed a solution that provided the option to relocate resources to a 2nd geographical region if required.

Due to hardware warranty expirations and the associated risk with running aging physical hardware, Goodbody were looking for the complete implementation and migration project to be completed by the end of Quarter 1, 2024.

In response we were able to rapidly scale up teams to ensure that implementation teams were working alongside design architects during the design phase to reduce transition time and increase familiarity with the existing environments and updated designs prior to implementation starting.
With the multi-cloud nature of the project, two implementation teams were stood up with dedicated skills for AWS and Azure.

These were augmented with dedicated networking resources from our existing Managed Services team who provided in-depth experience of the customer’s existing network systems and topology. Version 1 provided a delivery manager to provide a centralised point of contact and co-ordination to keep the individual teams on-track and streamline communications with the customer.

Azure

To start the delivery process with Azure, we designed and deployed an Azure Landing Zone for the client to host Azure subscriptions, aligned with Cloud Adoption Framework best practices. This multi-subscription deployment provided a hub and spoke network topology, resource management capability including a new management group, and Role Based Access Control (RBAC) mechanisms to ensure the deployment was secure and scalable.
With the Azure Landing Zone in place, our team set about migrating workloads from the on-premises data centres. This included:

  • Rehosting specific Windows Server 2019 and 2016 servers
  • Rehosting SQL Server databases
  • Replatforming services to latest operating systems
  • Refactoring a traditional file server to a modern solution leveraging Azure File Sync

Migrations were completed by our Cloud Migration Factory team using tried and tested methods that ensured minimal downtime or business disruption. Migrations were organised into waves according to risk profile and scheduled in agreement with the customer.

To meet the customer resiliency and redundancy requirements, multiple Azure regions were included in the solution to provide a primary and secondary regional hosting model, with Availability Zones being leveraged in region for further resilience. Azure Site Recovery was configured to automate failover and recovery between regions, whilst immutable Azure Backup was adopted for backup of services. Microsoft Defender for Cloud was enabled on all subscriptions and workloads to ensure monitoring of security posture and alerting for security related incidents within the environment.

AWS

To expedite the deployment phase, the Version 1 team leveraged aspects of their Multi-Region AWS Landing Zone Service Offering to expand the functionality of their existing single region landing zone implementation. The existing AWS Landing Zone was updated to incorporate additional Organizational Units (OUs) for better delegation of management and application of Service Control Policies (SCPs) by grouping accounts of a similar function together and new accounts were added to meet the customer requirements.

A second network, based on AWS Transit Gateway, was built in parallel to the existing network to avoid impacting the production database workloads prior to an agreed changeover period. The customer’s preferred network security appliances were deployed in line with the vendor best practice reference designs.

The customer’s resiliency and redundancy requirements were met through a combination of solutions including deploying systems across multiple in-region availability zones, AWS Elastic Disaster Recovery (DRS), immutable AWS Backup and the provisioning of a secondary region to which several key data sources were replicated. The secondary region was deployed to the same design and specifications as the primary region, allowing for a rapid mirror deployment, through the same IaC pipelines, in the event of a complete region loss.

Migration of existing development and production systems followed a phased approach, using a mixture of refactoring some services to newly provisioned services in AWS, re-platforming systems where an OS upgrade was already planned or viable, and redeploying applications to newly built systems.

Results and benefits

The Cloud migration project delivered the following benefits for Goodbody:

  • Removed risk associated with legacy hardware that was out of support
  • The newly adopted Cloud operating model resulted in a significant reduction in TCO, particularly for Capital Expenditure
  • Increased stability and lower operating overhead as a result of leveraging Cloud native platform services
  • Increased flexibility with access to scale and reach of Cloud platforms

“The process of creating our new resilient hybrid cloud platform was a truly collaborative experience, with Version 1 bringing the insights, real world experience, breadth and depth of expertise, and delivery capability that we’ve come to expect over the past 10 years. The platform they have helped build significantly enhances our operational resilience and provides a sustainable scalable platform that will help us grow and deliver the best possible outcome for our clients.”

Stuart Halford, Chief Information Officer, Goodbody
