How CIPFA migrated to AWS to deliver their strategic IT vision

Executive Summary

The Chartered Institute of Public Finance and Accountancy (CIPFA) is a UK-based international accountancy membership and the only standard-setting body dedicated to public financial management.

CIPFA provides its members and clients with many services including a suite of online training and qualifications services. CIPFA had a complex legacy IT estate, with their applications running on physical infrastructure hosted inside an MPLS network that impeded collaboration with third parties. The historical and continued growth of the legacy infrastructure had impacts on developing modern, flexible applications.

CIPFA saw the Public Cloud as the enabler for a strategic step-change in their IT services and a way to address all of these challenges, by migrating all of CIPFA's services out of its traditional data centers and onto the AWS Cloud.

CirrusHQ was chosen to migrate all legacy systems and re-factor them for AWS, as well as to ensure that the base infrastructure landscape was in line with current AWS best practice. CirrusHQ delivered CIPFA a single location for all the workloads in each phase and an AWS best-practice blueprint to rapidly move forward and maximise the benefits of AWS Cloud. CirrusHQ also ensured CIPFA has the robust, governed, secure building blocks needed to protect the CIPFA brand and to build out its workloads.

By addressing those challenges, CIPFA now has a robust, resilient environment that allows them to adopt modern practices and support their ambitious roadmap for future Digital Transformation. The successful end result has met CIPFA’s strategic future IT vision, to save time from managing physical hardware and gain more operational efficiency.

About CIPFA

The Chartered Institute of Public Finance and Accountancy (CIPFA) is the only professional accountancy body in the world exclusively dedicated to public finance services. Founded in Manchester in 1885 as the Corporate Treasurers and Accountants Institute, CIPFA has helped shape public financial management in the UK, and increasingly globally.

CIPFA’s suite of training and qualifications is sought after and highly respected around the world. They deliver on training contracts to transnational organisations such as the agencies of the United Nations and the World Bank and have operated in Colombia, Kosovo, Morocco, Pakistan, Turkmenistan, Gabon, Mali, Thailand, and Senegal.

From multiple locations across the UK, they employ over 200 people, train almost 600 apprentices, and manage the work of over 14,000 members across public services, national audit agencies, major accountancy firms, and ancillary bodies where public money needs to be effectively and efficiently managed.

The Challenge

CIPFA had a complex legacy IT estate, with their applications running on physical infrastructure hosted inside an MPLS network that impeded collaboration with third parties. The historical and continued growth of the legacy infrastructure had impacts on developing modern, flexible applications. Additional factors included the natural build-up of technical debt, and the need to baseline environments between Dev, UAT, and Production. A singular architectural view across the infrastructure was complex and single points of failure could occur.

The challenge was to overhaul this landscape to allow modern architecture and deployment practices, as well as architectural patterns to be created. It was integral to allow third parties to integrate securely with CIPFA, plus important to clarify and define hosting environments (Dev, UAT, Prod). CIPFA needed to mitigate single points of failure, and clearly define existing operating procedures for when an alert/incident occurs.

CIPFA also needed to migrate away from their hosting MPLS network and remove the interdependencies with their network infrastructure. Previous events in which aspects of the hosting failed had impacted brand reputation, which provided a driver for moving to a more resilient cloud-based architecture.

CIPFA wanted to address all of these challenges and saw the Public Cloud as the enabler for a strategic step-change in their IT services.

Why CirrusHQ were chosen

With such a complex set of challenges and legacy issues the customer required a mature, experienced and accredited partner who could meet their aspirations to use hyperscale Public Cloud services as an enabler to drive the needed strategic change in the delivery of their IT services.

Having successfully partnered with CIPFA on their Serverless API Proxy, CirrusHQ were selected as the best mix of experience, value, commercial flexibility and competency to take on the critical and complex project. As a 100% dedicated AWS Advanced Consulting partner with 14 years' experience in designing, implementing and migrating customers to AWS, CirrusHQ provided the highest level of accredited skills, resources and project management to ensure this critical customer project was delivered on time and within budget.

CIPFA chose a mature and highly experienced AWS partner in CirrusHQ to migrate all of its services out of its traditional data centres and onto the AWS Cloud to enable the strategic future IT vision, to save time from managing physical hardware and gain more operational efficiency.

CirrusHQ Migration Planning to de-risk the Project

This was a complex and large-scale migration from a disparate and failing legacy IT estate. The directive to “Move some applications to the cloud” is simple, but carrying it out involves a bewildering number of choices. This meant that using a mature migration framework was key to the project's success.

CirrusHQ underpinned the project with the mature AWS 6 R's migration strategies, which are built on the Gartner 5 Rs migration strategy. The experience of CirrusHQ and a mature migration framework meant each phase of the project was delivered in a structured way, removing risk from the end-to-end migration.

CirrusHQ prepared and deployed a ‘landing zone’ architecture within AWS to provide the key building blocks on which the workloads could be successfully deployed and supported.

With the landing zone created, a detailed discovery was used to investigate all of the requirements for each workload. Assessments were carried out on the legacy IT estate, capturing server builds, partitions, applications and environments. From the discovery detail, CirrusHQ produced and proposed a mature migration plan to pursue.

Landing Zone Architecture

To move to AWS and ensure key aspects of AWS governance, security, and support are in place for ‘day 1 on cloud’, CirrusHQ proposed adopting a ‘landing zone’ architecture. AWS provides the AWS Landing Zone service, which gives an out-of-the-box setup for a base AWS landscape. CirrusHQ utilised those concepts and implemented a reference architecture for a base AWS landscape configured for CIPFA’s requirements.

The concepts of the base landscape include:

  • Core accounts for logging, security, shared services, and networking
  • The ability to securely access accounts with a given role
  • Splitting out workloads, and then having separate accounts for controlled (production) and development / UAT environments
  • Ensuring that all traffic has a single ingress and egress point for the entire landscape

Once in place, AWS services were centrally set up, including the use of AWS Organizations for AWS account consolidation, Service Control Policies, billing, and organisational units.

During the migration, a transit gateway was set up to ensure the secure, dedicated connection between AWS and on-prem for the migration activities.

A centralised logging account was created, which provides a scalable but secure point for privileged roles to debug and analyse log data across all accounts. This means that there is a single point for analysis, leading to faster response times. The benefit to CIPFA is a significant step-change from their historical challenges and, most importantly, a base on which to build out workloads and services with a core logging solution. In addition, AWS Kibana has been implemented to gain deep insights and filtering on the log data.

AWS Single Sign-On was used to give an easy and centrally managed solution for accessing AWS accounts and applications. This central source allows privileges and user permissions to be managed in one place rather than per AWS account, which means that the solution scales out accordingly.

AWS CloudFormation was used throughout to deploy all aspects of the end-to-end infrastructure. This is vital in ensuring that day one usage of AWS is built into code and repeatable, and that the environments are modeled and provisioned as designed.

These backbone services were coupled with AWS CloudTrail, AWS Config, and Amazon CloudWatch, which are implemented on each account by default to ensure base metrics and governance have been added to all AWS accounts.
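
One way to keep that per-account baseline from being switched off, using the Service Control Policies mentioned above: a CloudFormation template, deployed from the AWS Organizations management account, that denies tampering with CloudTrail and AWS Config in workload accounts. This is an added example, not CirrusHQ's or CIPFA's own template; the OU parameter, the role name and the policy name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - SCP guardrail for the CloudTrail/Config account baseline.

Parameters:
  WorkloadOuId:
    Type: String
    Description: Organisational unit that holds the workload accounts (assumption).
  BaselineRoleName:
    Type: String
    Default: LandingZoneBaselineRole  # hypothetical role that deploys the baseline
    Description: Only role allowed to change the logging baseline.

Resources:
  ProtectLoggingBaseline:
    Type: AWS::Organizations::Policy
    Properties:
      Name: protect-logging-baseline  # hypothetical policy name
      Description: Deny tampering with CloudTrail and AWS Config in member accounts.
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref WorkloadOuId
      Content:
        Version: "2012-10-17"
        Statement:
          # Nobody but the baseline role may stop, delete or re-scope a trail.
          - Sid: DenyCloudTrailTampering
            Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - cloudtrail:UpdateTrail
              - cloudtrail:PutEventSelectors
            Resource: "*"
            Condition:
              ArnNotLike:
                aws:PrincipalArn: !Sub "arn:aws:iam::*:role/${BaselineRoleName}"
          # Same exception for the AWS Config recorder and its delivery channel.
          - Sid: DenyConfigTampering
            Effect: Deny
            Action:
              - config:StopConfigurationRecorder
              - config:DeleteConfigurationRecorder
              - config:DeleteDeliveryChannel
            Resource: "*"
            Condition:
              ArnNotLike:
                aws:PrincipalArn: !Sub "arn:aws:iam::*:role/${BaselineRoleName}"
```

SCPs do not apply to the management account itself, so the baseline there has to be protected by IAM controls instead.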

The base setup delivers the infrastructure into a known, repeatable, highly secure, scalable, adaptable AWS landscape for CIPFA’s future plans. The ability to have this level of governance on day 1 on AWS cloud is an immense boost for CIPFA and something CirrusHQ believes is mandatory in driving success when migrating to and using AWS.

Networking and Shared Services Architecture

To ensure scalability and adaptability whilst also maintaining the rigor and control of their network on AWS, an AWS networking account was created. The diagram below illustrates the critical components, a central location for all VPCs, the access points, and the flow through the Account to the other workloads.

Central to the solution, there is a single ingress and egress point through the account, which ensures best practice and the ability to manage network traffic. In addition, any access and integration points can be managed securely through this point.

Other key shared services included the CIPFA SMTP relay through AWS SES, Microsoft domain controller, DNS resolution through AWS Route53, and backup policies per workload using AWS Backup.

All these AWS services ensure AWS best practices are implemented for all workloads on AWS. They take the existing landscape and transform the base into a coded (via AWS CloudFormation), repeatable, and secure setup. These services, and the data within them, are centrally managed, governed, and supported, meaning greater adaptability and faster response times if and when incidents occur.

Core Workloads

Each phase migrated individual workloads, or sets of workloads, to AWS. For each workload, a minimum of UAT and Production environments were configured, each within its own AWS account.

In addition, each migration was reviewed against the 6 R’s (re-host, re-purchase, re-factor, re-platform, retire, retain). In all cases, there was a decision to re-host and/or re-factor each build. The effort was collated during the discovery phase, and CloudEndure (from AWS) was utilised to help prove the outcomes of each discovery phase before the migration took place.

CloudEndure was key to the migration process. Though not fully used in some phases, it was always used to interrogate the workload. Using CloudEndure in this way meant that, once in place, the tool would analyse the server, ensure compatibility with Amazon EC2 instances, migrate data, keep data in sync until ready for cutover, and highlight suggested instance sizes.

In a couple of places, re-factoring was required to ensure they were ‘cloud ready’ before migration. This meant recreating the VMs with smaller storage to ensure they were compatible with AWS EBS 2Tb root volume limits.

Once migrated a typical architecture was structured as below:

An AMI was taken once the migration was successfully completed, and deployments taken from that AMI. For each workload, deployments are fulfilled using AWS CloudFormation and updated via AWS CodePipeline from a GitHub repository.

This means that CIPFA has full CI/CD deployment methodologies for their development teams for each workload on AWS. As a result, control, security, and access can be managed, and the process is known to all, which matters especially as they transition to utilising Cloud as standard.

This also means that critical updates can still be deployed via CIPFA change processes, but the overhead and automation means that deployments, rollbacks and governance can now be orchestrated with greater controls.

For all workloads, backup policies were key, ensuring that critical data (governed by data classification) was backed up appropriately. A backup plan and backup vault were created in each AWS account in which a backup is created. These backups can be restored to the associated resource when required. In addition, backup monitoring from AWS backup manager was also put in place. The frequency of backups was agreed on a per-workload basis.

Finally, Amazon Route53 was configured and DNS was switched once testing and go-live was agreed upon and the cut-over activities approved.

Optimising the environment after migration

CirrusHQ planned the Optimise step well ahead of the migration and as part of the Migration Planning. Once the migration was completed to AWS, and using live data over a pre-agreed period, CirrusHQ began work optimising and right-sizing the migrated workloads and applications by reviewing their usage patterns, improving efficiency, reviewing against AWS Well Architected best practice and improving performance. This step also took into consideration how the platform performed with live data over a pre-agreed period.

Results and Benefits

The migration process was challenging and complex yet fulfilled the vision set out by CIPFA. The goals of migrating such a volume of legacy systems, re-factoring them for AWS, and ensuring that the base infrastructure landscape was in line with current AWS best practice were all fulfilled. The successful end result has meant that CIPFA has a single location for all the workloads in each phase. In addition, CIPFA now has an AWS best-practice blueprint to rapidly move forward with and maximise the benefits of AWS Cloud, along with the robust, governed, secure building blocks needed to protect the CIPFA brand and to build out its workloads.

CIPFA Enterprise Architect:

By addressing those challenges, we now have a robust, resilient environment that is decoupled from our corporate network infrastructure, that allows us to adopt modern practices, that eliminates single points of failure, and that will really support our roadmap for Digital Transformation going forwards.

Customer Knowledge Transfer and Support

For the large-scale migration to be a success for CIPFA, staff needed training and support. CirrusHQ worked with CIPFA at each stage of the project, as well as supporting the infrastructure going forwards.

During the project, CirrusHQ walked through each key deliverable with CIPFA teams. These sessions were recorded to create a knowledge source for the team.

At the end of the migration, large dedicated knowledge transfer sessions were set up. These sessions took CIPFA through each major component and gave a foundation of all components used across all accounts and services. The sessions were interactive, recorded, and ensured a base level of knowledge and understanding.

Finally, CirrusHQ is supporting the teams and the infrastructure, setting up monitors and alerts and ensuring that operations are in safe hands for these critical workloads, and ensuring that their key migration to AWS becomes an enabler for them going forward.

About CirrusHQ

As an AWS Advanced Consultancy with 50+ staff certifications, we are 100% exclusively AWS cloud, which enables us to have broad and deep expertise on the platform. Customer service is also critical to us, and our NPS score of +78 validates that we care about our customers and provide excellent service.