Cloud Modernization Maturity Level
Cloud Modernization Maturity Evaluation Process
The network layer is the foundation of a cloud infrastructure. It establishes the set of connections, rules and routing specifications that define an application's boundary.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
AWS EC2 instances detected in EC2-Classic (non-VPC) networking;
Unused AWS NAT resources;
Overlapping VPC CIDR;
SSH port is open worldwide;
No AWS Network Firewall configured.
MATURITY LEVEL 2
AWS NAT resources with no EIP associated;
NACL rules are not configured;
VPC Flow Logs are not enabled;
No Network Load Balancer;
No security groups configured.
MATURITY LEVEL 3
Ensure routing tables for VPC peering are "least access";
No overlapping VPC CIDR;
Unused AWS Internet Gateway;
AWS resources are allowing access via HTTP;
ELB is using an unencrypted protocol.
MATURITY LEVEL 4
All SSH ports are closed to the internet and reachable only over a private connection;
AWS Network Firewall is configured;
VPC Flow Logs are enabled and encrypted at rest using KMS;
AWS NAT Gateway is configured;
Route tables for VPC peering are authorized to communicate.
MATURITY LEVEL 5
Web Application Firewall (WAF) is enabled;
Amazon GuardDuty is enabled;
NACL rules are configured;
IP address blocklisting is configured in the AWS infrastructure;
Security groups restrict inbound access from anywhere.
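The network-layer rules above are detection rules, and the level-1 ones ("SSH port is open worldwide", "Overlapping VPC CIDR", "No AWS Network Firewall configured") are the ones an assessor checks first. The script below is an added example, not code from the original page or from any assessment tool: it evaluates those rules plus the level-2 rules for flow logs and security groups over constructed input. The dictionaries mimic the shape of boto3's `ec2.describe_security_groups()` and `ec2.describe_vpcs()` responses but are hard-coded so the script runs offline; the group and VPC ids are made up, and the mapping to a maturity level is a simplified reading of the page's ladder (a level-1 finding pins the layer at level 1, a level-2 finding at level 2, otherwise level 4).

```python
"""Network-layer maturity checks over constructed AWS-style data (added example)."""
import ipaddress
from itertools import combinations

# "Anywhere" in the AWS console sense: the IPv4 and IPv6 catch-all ranges.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(rule, port):
    """True when an inbound rule admits TCP traffic on `port` (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ssh_open_worldwide(security_groups, port=22):
    """Ids of security groups with SSH reachable from anywhere (level-1 finding)."""
    offenders = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if _rule_covers_port(rule, port) and sources & ANYWHERE:
                offenders.append(sg["GroupId"])
                break                      # one open rule is enough to flag the group
    return offenders


def overlapping_vpc_cidrs(vpcs):
    """Sorted pairs of VPC ids whose CIDR blocks overlap (level-1 finding)."""
    nets = []
    for vpc in vpcs:
        for assoc in vpc.get("CidrBlockAssociationSet", []):
            nets.append((vpc["VpcId"], ipaddress.ip_network(assoc["CidrBlock"])))
    pairs = {
        tuple(sorted((a_id, b_id)))
        for (a_id, a_net), (b_id, b_net) in combinations(nets, 2)
        if a_id != b_id and a_net.overlaps(b_net)
    }
    return sorted(pairs)


def network_maturity_level(security_groups, vpcs, flow_logs_enabled, network_firewall):
    """Map findings onto the page's ladder (simplified: only a subset of rules is checked)."""
    findings = []
    if ssh_open_worldwide(security_groups):
        findings.append("SSH port is open worldwide")
    if overlapping_vpc_cidrs(vpcs):
        findings.append("Overlapping VPC CIDR")
    if not network_firewall:
        findings.append("No AWS Network Firewall configured")
    if findings:
        return 1, findings
    if not security_groups:
        return 2, ["No security groups configured"]
    if not flow_logs_enabled:
        return 2, ["VPC Flow Logs are not enabled"]
    return 4, []


# Constructed sample data (made-up ids, not real account data).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [          # SSH only from private space
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [          # all traffic from any IPv6 source
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_VPCS = [
    {"VpcId": "vpc-1", "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
    {"VpcId": "vpc-2", "CidrBlockAssociationSet": [{"CidrBlock": "10.0.128.0/17"}]},
    {"VpcId": "vpc-3", "CidrBlockAssociationSet": [{"CidrBlock": "172.16.0.0/16"}]},
]

if __name__ == "__main__":
    level, found = network_maturity_level(SAMPLE_SECURITY_GROUPS, SAMPLE_VPCS,
                                          flow_logs_enabled=True, network_firewall=True)
    print(f"Network layer maturity level {level}: {found}")
```

Note that the SSH check treats an `IpProtocol` of `-1` (all traffic) as covering port 22, which is how a group that allows everything from `::/0` gets flagged even though no rule names the port explicitly.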
The application layer usually relates to the use of application components such as EC2, ECS, EKS, Lambda, and others. Evaluating this layer means understanding how well it implements application best practices.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
Autoscaling disabled for EC2 instances;
Elastic Load Balancer disabled for EC2 instances;
Missing snapshots for EBS volumes;
Unencrypted EBS volumes;
Public subnet open ports to EC2 instances.
MATURITY LEVEL 2
Public Lambda function without exception;
EBS snapshots with public access;
Public AMI;
EC2 Instance Status Checks Failed;
Lambda environment variables without CMK encryption enabled.
MATURITY LEVEL 3
Underutilized (<10%) AWS ECS cluster;
Underutilized (< 30% capacity on avg for last week) EC2 instances;
EC2 instance status checks failed;
Out-of-date AMIs;
EC2 scheduled maintenance events are pending.
MATURITY LEVEL 4
EC2 instances are rightsized;
EBS is encrypted by default;
EC2 Lifecycle Manager is enabled for EC2 backup;
There are EBS volumes not attached to EC2 instances;
CloudWatch alarms are configured.
MATURITY LEVEL 5
EC2 Instances are utilizing termination protection;
Elastic Load Balancers are utilizing multiple availability zones;
No disassociated Elastic IPs;
AMIs are private;
All resources are tagged.
The data tier, also known as the database layer, is where information about users and transactions is stored. It contains any data that has to be retained for a long time.
This data is delivered back to the application layer for logic processing, and then to the web layer for rendering to the user.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
No use of RDS;
Unencrypted RDS instances;
RDS with public subnets with open ports;
Public RDS snapshot;
Disabled point-in-time recovery for RDS instances.
MATURITY LEVEL 2
Multi-AZ disabled for RDS instances;
Review RDS instance size;
RDS instance idle;
AWS RDS Engine is not updated;
Underutilized AWS RDS provisioned IOPS.
MATURITY LEVEL 3
Disabled automated backup;
Reserved instance plan is available;
No CloudWatch monitoring to check disk, CPU, and RAM memory;
Missing Tags for RDS resources;
RDS instances are running on default ports.
MATURITY LEVEL 4
AWS RDS engine is updated automatically;
RDS is not publicly accessible;
AWS RDS instances are rightsized;
Automated backup is enabled;
No AWS RDS instance idle.
MATURITY LEVEL 5
RDS environment running Amazon Aurora;
RDS instances are encrypted by default;
CloudWatch is implemented to check disk, RAM memory, and CPU;
No RDS instances in public subnets with open ports;
Enabled point-in-time recovery for RDS instances.
The front-end layer is the interface layer that allows users, both internal and external customers, to engage with the application. Any application has input and output interactions.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
No use of CloudFront distributions;
No use of SSL/TLS certificates;
No use of Route 53;
No use of S3;
No use of EFS.
MATURITY LEVEL 2
No S3 bucket encrypted with SSE-S3;
No versioning enabled;
AWS S3 buckets have public read/write access;
Public AMI identified;
Autoscaling is disabled for instances running microservices.
MATURITY LEVEL 3
Review EC2 instance size;
No lifecycle policy enabled;
Underutilized (<10%) AWS ECS clusters;
No CloudWatch monitoring of CPU and RAM memory for microservices;
EFS is not Multi-AZ.
MATURITY LEVEL 4
S3 buckets with encryption SSE-S3 by default;
AWS ELB enabled;
Autoscaling enabled;
ECS/EC2/EBS are tagged;
EFS with Multi-AZ.
MATURITY LEVEL 5
CloudFront distributions in use;
Route 53 is enabled;
AMIs are up to date;
SSL/TLS certificates in use;
WAF enabled.
The cache layer is a software component that saves the outcome of a time-consuming request, generally in memory, so that similar requests can be handled much faster in the future.
It keeps data in memory rather than loading it from a database, the network, or the disk, and in this way saves I/O cost.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
No use of CloudFront;
No use of ElastiCache;
No use of EBS with provisioned IOPS;
Unencrypted S3 buckets;
S3 buckets with public read/write access.
MATURITY LEVEL 2
No automated backup on RDS;
Multi-AZ disabled for ElastiCache instances;
Security group with exposed ports to the world;
AMI out of date;
Disabled bucket versioning.
MATURITY LEVEL 3
Missing tags for ElastiCache resources;
Review ElastiCache rightsizing;
Overlapping VPC CIDR;
EBS volumes not encrypted;
No AWS ELB enabled.
MATURITY LEVEL 4
CloudFront enabled;
S3 encryption SSE-S3 enabled by default;
Backup versioning is enabled;
Multi-AZ ElastiCache instances are enabled;
No security groups with open ports.
MATURITY LEVEL 5
AWS WAF is enabled;
AWS ElastiCache is rightsized;
RDS instances are Multi-AZ;
EBS encrypted by default;
Private AMI.
Cost management in the cloud is a broad notion. Take some time to examine why you need the cloud, who is responsible, and where to begin before diving into specific techniques to minimize your cloud bill. While application performance, speed to market, and other considerations may take precedence in a development organization, resource efficiency is what allows development and IT teams to meet their objectives.
Layer modernization opportunities example
Layer maturity rules
MATURITY LEVEL 1
No budget configured;
No Savings Plans in use for Compute Resources;
No Reserved Instances in use for RDS instances;
More than 50% of the resources with over-provisioned capacity;
No cost allocation tags.
MATURITY LEVEL 2
Low traffic AWS EC2 instances;
Unused EBS;
Review S3 bucket storage classes;
Metrics to check resources with less than 30% utilization on CPU and RAM memory;
No alerts when spend exceeds the forecast threshold (over 80%).
MATURITY LEVEL 3
Unused AWS Elastic IP resources;
Review EC2 instance size;
Infrequently accessed S3 buckets;
Infrequently accessed EFS resources;
Underutilized (<10%) AWS ECS cluster.
MATURITY LEVEL 4
Review migration of gp2 volumes to gp3;
RDS instances are rightsized;
RDS instance idle;
AWS EBS provisioned IOPS are utilized;
Redshift cluster nodes are utilized.
MATURITY LEVEL 5
Alerts to check billing forecast;
EBS volumes are sized as gp3;
No missing EBS;
AWS NAT resources are in use;
Idle resources are disabled.
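Several layers share one utilization rule: the application layer flags EC2 instances under 30% average capacity for the last week and ECS clusters under 10%, and the cost layer asks for metrics that find resources under 30% CPU and RAM utilization. The script below is an added example, not code from the original page or from any assessment tool, showing how that weekly-average rule is evaluated and how to handle the edge case the rule does not spell out: a resource with only a few hours of data (newly launched or stopped most of the week) is reported as inconclusive rather than as underutilized. The datapoint lists mimic the `Datapoints` entries of boto3's `cloudwatch.get_metric_statistics()` (a `Timestamp` and an `Average` per period) but are constructed here so the script runs offline; the resource ids, the fixed "now" and the 24-datapoint minimum are assumptions.

```python
"""Weekly-average utilization check over constructed CloudWatch-style data (added example)."""
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)
EC2_THRESHOLD = 30.0   # page rule: < 30% average capacity over the last week
ECS_THRESHOLD = 10.0   # page rule: < 10% for ECS clusters
MIN_POINTS = 24        # assumption: fewer hourly datapoints than this is inconclusive


def weekly_average(datapoints, now, min_points=MIN_POINTS):
    """Average of the `Average` field over datapoints in the last week.

    Returns None when fewer than `min_points` datapoints fall in the window,
    so a resource that was stopped most of the week is not mistaken for an
    underutilized one.
    """
    window = [d["Average"] for d in datapoints if now - WEEK <= d["Timestamp"] <= now]
    if len(window) < min_points:
        return None
    return sum(window) / len(window)


def underutilized(resources, now, threshold):
    """(id, weekly average) for resources whose weekly average is below threshold."""
    flagged = []
    for rid, points in resources.items():
        avg = weekly_average(points, now)
        if avg is not None and avg < threshold:
            flagged.append((rid, round(avg, 1)))
    return flagged


def hourly_series(now, hours, value_at):
    """Constructed hourly datapoints ending at `now`; value_at(h) gives the Average h hours ago."""
    return [{"Timestamp": now - timedelta(hours=h), "Average": value_at(h)} for h in range(hours)]


# Fixed "now" so the constructed series and the results are reproducible.
NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)

# Constructed sample resources (made-up ids, not real account data).
SAMPLE_EC2 = {
    "i-idle":  hourly_series(NOW, 168, lambda h: 4.0),                     # full week at 4% CPU
    "i-busy":  hourly_series(NOW, 168, lambda h: 65.0),                    # full week at 65% CPU
    "i-spiky": hourly_series(NOW, 168, lambda h: 50.0 if h < 84 else 5.0), # busy half week, idle half
    "i-new":   hourly_series(NOW, 6, lambda h: 2.0),                       # 6 hours of data only
}
SAMPLE_ECS = {
    "ecs-main":  hourly_series(NOW, 168, lambda h: 7.5),
    "ecs-batch": hourly_series(NOW, 168, lambda h: 40.0),
}

if __name__ == "__main__":
    print("EC2 under 30%:", underutilized(SAMPLE_EC2, NOW, EC2_THRESHOLD))
    print("ECS under 10%:", underutilized(SAMPLE_ECS, NOW, ECS_THRESHOLD))
    print("i-new weekly average:", weekly_average(SAMPLE_EC2["i-new"], NOW))
```

The `i-spiky` instance is the instructive case: it ran at 50% for half the week, yet its weekly average of 27.5% still falls under the 30% rule, which is why the rule is phrased as an average over the week rather than a peak. In a real assessment the same functions would be fed the output of the CloudWatch API for each instance or cluster.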