Achieved a high level of application security on AWS
Transitioned smoothly to the cloud
Overcame the limitations of AWS’s ELB
Maintaining the previous level of security
Making an incident-free transition to AWS
Avoiding on-premises system limitations
Golf Digest Online (GDO) recently moved its on-premises infrastructure to Amazon Web Services (AWS). It chose F5 products to maintain a highly secure application environment while ensuring a total, disruption-free transition into the cloud in only two months.
GDO is a specialty online retailer for golfers, providing golfing equipment, accessories, course reservation services, golf publications, and more. It boasts astonishing conversion rates of 10 percent for reservations and 30 percent for golf accessory sales. GDO’s business model is built on numerous systems serving its online shop, media sites, golf course reservation site, administrative interfaces for golf courses, and various internal systems—almost all of them running with on-premises infrastructure.
GDO’s most recent infrastructure system, G10, was built in 2011 with the hope that it would be used for 10 years. It ran on over 300 virtual machines (VMs) hosted by virtualization boards installed in nearly 100 physical servers.
GDO chose F5 BIG-IP Local Traffic Manager (LTM) for load balancing: LTM analyzed URL parameters and automatically directed user requests to the appropriate destinations according to a set of F5 iRules. In 2014, GDO further deployed BIG-IP Application Security Manager (ASM) to act as a web application firewall (WAF) and tighten protection of its applications. GDO made this choice at the recommendation of its security operations center (SOC) vendor, F5 partner Mitsui Bussan Secure Direction, Inc. (MBSD). This combination gave GDO a solid security foundation for detecting and blocking even sophisticated attacks—such as SQL injection—targeting its web applications.
But GDO’s hopes of using G10 for 10 years were dashed in 2016 when the manufacturer of its virtualization boards announced that it was terminating support in late 2017. GDO decided with its vendors to completely transition its infrastructure into the cloud with a move to AWS.
“Our alternatives were an on-premises, cloud-hybrid configuration or to go full cloud,” recalls Ryo Shirao, manager of GDO’s Infrastructure Management Office. He says that GDO settled on the full-cloud option because it is better suited to addressing several business challenges: reducing fixed assets, freeing GDO from storage capacity limitations, enabling the infrastructure to keep up with the pace of business developments, and making visible the costs and profitability of specific projects.
Of course, making such a transition brought issues of its own. The first was how to achieve the same high degree of application security on AWS that GDO had with its on-premises infrastructure. “We were concerned that AWS’s standard security wouldn’t be enough,” says Kazuhiro Tamazaki of GDO’s Infrastructure Management Office. Another problem was that AWS’s Elastic Load Balancing (ELB) would not have allowed GDO to direct traffic as precisely as its existing iRules did.
Making a smooth switchover was also a concern. GDO wanted to pull off the move to AWS without disruption and without having to make major changes to the configuration of its on-premises environment: “We wanted to avoid repeating the traumatic experience we had when launching G10,” says Shirao. “Building it entailed a major overhaul of all our systems that precipitated a three-day, full system shutdown at its launch.”
GDO chose the virtual editions of several F5 products to ensure an incident-free transition. Panasonic Information Systems (PIS) completed the planning for GDO’s deployment to AWS, and Tokyo Electron Device (TED) provided technical support. “PIS knows both our systems and AWS through and through, so we’re quite satisfied that they gave us optimal advice. TED put their impeccable technical capabilities to work in verifying that our existing iRules would work as they should on AWS before we started the transition,” says Shirao.
The newly built, AWS-hosted infrastructure is accessed from outside the company via the Internet and from inside, via a VPN. Adding BIG-IP DNS during the transition enabled GDO to put resources to more efficient use by reconfiguring BIG-IP ASM from active/standby to active/active redundancy mode. Once BIG-IP ASM makes security threats visible and eliminates them, user queries are passed on to BIG-IP LTM and routed to the appropriate servers. These procedures are all completed by BIG-IP virtual editions. As a result, GDO’s system completely bypasses AWS’s ELB.
“Deploying BIG-IP ASM on AWS to screen all incoming traffic gave us the same high level of security on AWS that we had with the on-premises system,” says Shirao. The ability to continue using MBSD’s BIG-IP ASM-based SOC services was also a relief, since it meant that Shirao and his team could continue running GDO’s system with the confidence that it is as secure as ever.
GDO was able to use its existing iRules without modification, making for a smooth transition of its on-premises systems into the cloud. “Combining SNI and iRules allowed us to transition several hundred services with a single BIG-IP instance,” says Tamazaki. This let GDO work around the limit AWS places on the number of IP addresses per EC2 instance: instead of one IP address per service, a single listener distinguishes services by the TLS Server Name Indication (SNI) in each connection.
Moving to AWS freed GDO from the need to own and maintain its own servers and associated equipment. That meant GDO no longer had to carry depreciation on that infrastructure and could book almost all system costs as running expenses. GDO also gained the agility that comes with being able to rapidly add VMs and later take them offline as access volumes fluctuate. “We can put together new VMs three to five times more quickly than before,” says Shirao. “And we believe we’ll be able to leverage advantages like these when we have to fire up new servers as well.”