Innovating at the Speed of the Market

Automation, best practices and self-service capabilities

NTT DATA helped Flexport implement automation that delivers infrastructure built with cloud and security best practices. Self-service capabilities reduce the complexity of multiple AWS account architectures.

Flexport needed a baseline to establish a secure foundation for workloads. It used NTT DATA’s Build Cloud Foundations solution to create a secure, scalable and extendable cloud structure with AWS services, including AWS Control Tower. With a sound foundation, these services work together to form a security baseline that enables greater agility and flexibility.

Using AWS Control Tower

AWS Control Tower makes it easy to set up, govern and secure multiple accounts using built-in AWS services. New accounts can be provisioned quickly through the AWS Control Tower dashboard, which provides built-in guardrails to protect AWS accounts. The first step to deploying the new Flexport solution was enabling and enhancing AWS Control Tower’s Account Factory with a customization pipeline that deploys:

• Centralized log gathering that includes AWS CloudTrail, VPC Flow Logs and AWS Config to support traceability and strengthen compliance
• AWS Security Hub and Amazon GuardDuty to give security teams full visibility across AWS Organizations
• Notifications to the security team for corrective action when the system detects guardrail changes
• Amazon CloudWatch customized metrics and alerts to enhance security and compliance for AWS Organizations

Self-Service Networking at Scale

To avoid networking challenges that can crop up when creating new accounts, NTT DATA helped Flexport achieve networking at scale. Self-service patterns create a unified, secure, scalable and extendable cloud foundation.

"Our goal is to empower engineering to focus on building Flexport’s platform for global logistics rather than worrying about the complexity of underlying multi-account AWS infrastructure. We do this by abstracting away the foundational infrastructure, giving the team an AWS-as-a-Service offering managed and maintained by our Cloud Infrastructure teams,” says Taylor Merry, Flexport Director of Security Operations. “Thanks to new layers of automation, this offering has improved our overall productivity while standardizing security efforts, which means we can spend more time on the company’s growth initiatives.”

Within the AWS Service Catalog self-service solution, engineers can access a portfolio of pre-approved network products. This ability streamlines the coordination between teams for network product requests while providing standardized network solutions. The self-service pattern includes VPC deployment, IP address space management, AWS Transit Gateway and network connectivity.

1. VPC deployment: AWS Service Catalog provides a convenient user interface to the VPC solution portfolio. It shares the solution with the whole AWS organization and configures role-based access. The VPC solution portfolio includes multiple on-demand products so users can create new VPCs for different use cases, such as number of tiers, CIDR block sizes and availability zones. AWS CloudFormation deploys VPC as infrastructure as code.
2. IP address management (IPAM): Unique CIDR blocks are used to avoid overlaps between different network segments. The system requests available CIDR blocks from IPAM for the VPCs using AWS CloudFormation Custom Resources. Amazon SNS message service creates a custom resource that sends messages to the SNS topics to request or release CIDR blocks. Netbox IPAM is used as the single source of truth. It deploys with help from Lambda, AWS Fargate containers and a PostgreSQL database deployed in AWS RDS.
3. AWS Transit Gateway: Flexport connects VPCs and on-premises networks to a single AWS Transit Gateway that acts as a hub. It controls how traffic is routed among all the connected networks, which act like spokes. New VPCs connected to the AWS Transit Gateway are automatically available to every other network connected via that gateway. This hub-and-spoke model simplifies management and reduces operational costs because each network only has to connect to the AWS Transit Gateway, not to every other network.
4. Network connectivity: The AWS Serverless Transit Network Orchestrator (STNO) automates the AWS Transit Gateway. In turn, this automates the process of setting up and managing transit networks in distributed AWS environments. As part of the STNO solution, the AWS Transit Gateway is set up such that Flexport can configure different styles of communication between VPCs and network segmentation. The result is a scalable network solution that scales across regions and accounts.

Secure account best practices

Every AWS account is provisioned to provide built-in security best practices with:

• AWS Control Tower guardrails. A policy control mechanism prevents account actions that can cause issues. It also detects and provides alerts to actions that trigger certain rules or thresholds.
• AWS Security Hub. This provides security alerts and enables CIS AWS Foundations standards.
• Account hardening with AWS CloudTrail, identity and access management (IAM) groups, VPC management, Amazon GuardDuty and more. AWS CloudTrail trails are integrated with Amazon CloudWatch logs to audit accounts and track resources.

The entire Flexport solution is based on AWS and industry best practices. The result is a foundational architecture built with security best practices. “Security by design is a key element to everything we build,” says Merry. “As a rapidly growing company, we have the opportunity to establish security standards as we build from the ground up. The AWS-as-a-Service offering embodies that principle.”

Solution benefits

Flexport has established automation that delivers self-service capabilities to its engineers. It removes the underlying complexity so they can focus on building the company’s platform for global logistics. With a network that scales to fully deliver on the cloud’s promise of greater agility, Flexport has business flexibility. It can quickly pivot to meet changing market demands and customer needs, ensuring its continued momentum.