How to run a bank on Apache CloudStack
- 1. How to run a bank! on
- 2. Me: Gérard de Vos MCE @ Schuberg Philis 2008-current. Previously @ Shell, Ziggo, POIS, TNO, … Now: “full stack”, *-lead. Then: infrastructure, hardware, HPC, Linux, provisioning, web & such @gr4rd ! ! ! “Schuberg Philis is an innovative business technology company. We focus on the mission critical applications that our customers and society rely on 24/7.” Customers include:
- 3. What we had • 2009: new internet savings bank! • Way-of-working 2009: ! • Dedicated DC space, ! • Dedicated servers, ! • Dedicated network, ! • Dedicated team! • Growth: 0€, 0 customers -> 4B€, 120k customers! • “Classic” application stack
- 5. Trigger 1. Contract to expire in <1 year 2. Evaluated current environment: • Dev environment(s). Not enough, clashes. • Data refreshes. Too hard <> not done often enough. • Different environments are different. • And the usual suspects: lack of flexibility, underutilization of resources, huggable snowflake servers. 3. Time moved on: • Agile development is reaching the enterprise. • Agile infrastructure is not just for startups & unicorns anymore. • "The Lean Startup" is for everybody.
- 6. Way-we-work now • Dedicated team (we kept something the same!) • Shared infra • MCC: Apache CloudStack • Shared services • Chef, chef cookbooks • Github enterprise • SBP is more Lean & Agile & Devopsy • Contribute • Software is eating the world • Focus on the value chain. Reduce waste
- 8. source: Adrian Cockcroft http://www.slideshare.net/adriancockcroft/qcon-new-york-speed-and-scale
- 9. Public site http://www.leaseplanbank.nl Secure site https://sparen.leaseplanbank.nl LeasePlan Infrastructure Services (LPIS) Dublin - Ireland email2sms email WebLogic lpbpapp1/2 active/standby lpbpws101/102 active/active lpbpws1/2 active /standby lpbpapp101/102 active/active lpbpsan1/2 FCDB High available SAN (FCAL) via synchronous mirroring Site to Site VPN Site to Site VPN Managed by LPIS Apache Hippo container Tomcat Back Office Front End Services x equens get x KYC put x and other file exchange Oracle Reporting Content publication CMS and Public Web Content http File system FC Rep FC UBS https Direct Banking email2sms Alphen a/d Rijn http FC Gateway (active/active) FCUBS (active/standby) Once a month postcode file is retrieved ssmtp SFTP Manual reporting Logius/DigiPort interface tbd SFTP Hippo http http BKR FC DB Site to Site VPN Back office and Customer Care Center Services Active standby Standby active Operations jms LeasePlan Infrastructure Services (LPIS) Dublin - Ireland Direct Banking Bank Admin GUI 1. Direct Banking: - Bank Admin GUI - Super Admin GUI 2. Core Banking - UBS Admin 3. CMS incl preview to content staging web site 4. OBIEE reporting FTP-S WebLogic lpbpmx1/2 active/active Apache (s)smtp ssmtp Almere mail Home Office users Marketing ICT Finance Control lpbprep2/1 active/standby Apache Scoring and Business rule System (SBS) Verification of new customers Verificatie Informatie Customer CRM screening Postcode Table Rensageg file transfer FLEXCUBE Core Banking and Gateway Oracle database lpbpd1/2 active/standby Central Storage Array Network (SAN) for SFTP, application, database and some management servers Secure site Sorry site KYC file Equens files OBIEE App Server VPN VPN VPN FLEXCUBE Direct Banking MySQL Hippo CMS Data upload / KYC download http:7002 sftp http(s) http(s) smtp http mysql scp SQL*Net V2 SQL*Net V2 SQL*Net V2 FCAL FCAL FCAL / VIS Other files equens put KYC get smtp smtp NMUT/betOPD/batch VerwINF FTP-S (get + put) equens Payment Services For CMS + staging and OBIEE http Public site HTTPS Upload list of customers lpbprep1/2 active/standby Savings calculator XML smtp Antivirus + antispam email customers LPB office Email 2 sms Multi homed internet acces Direct Banking Bank Admin GUI Direct Banking VPN x BankAdmin interface for CCC x BankAdmin + SuperAdmin interface for LPB BackOffice Customers DMZ for mail, public and secure web sites Customer Contact Center VPN VPN
- 11. We came up with this • Private storage for datastores • Private hypervisors for transaction processing systems • Kept existing internet facing network connections kit • Shared cloud for • Dev/dev2/../test(UAT) environments with anonymised data • Admin env. monitoring, deployment, etc.
- 13. Shopping list • Shared MCC zone: • Network: I don’t care, • Hypervisors: I don’t care • CloudStack Primary secondary storage: I don’t care
- 14. Shopping list • Private customer zone: • Two pods - 2 datacentres • Network: Arista 10GbE Top-of-rack, • Hypervisors: HP DL380G8 8core, 192GB • CloudStack Primary secondary storage: NetApp • NFS storage for datavolumes: NetApp metroclustre • Runs the production and preproduction environments
- 15. The challenges • New tech • CloudStack SDN • git • Chef • Many others • New thinking • WayWeWork (highly in flux) • Shared infra • Shared svcs • Design-for-failure vs Enterprisey apps
- 18. The nice things • Infra-as-code. We now think things go slow when it takes 10 minutes to go from nothing to functioning server. • Re-re-re-rebuilds. Process maturity, Cookbook maturity, DR/BCP maturity confidence. • Infra is almost a non-topic in discussions with the customer around new applications services. • SBP cloud HW performance. CPU/mem IOPS/ mbps EndOfDay 2hr - 45m • MCC matured a lot. • WayWeWork is maturing.
- 19. 20/20 hindsight • Pushed/pulled the shared services team more. They are providing a service, not tech. • Sales/mgt/engineers overestimated what IAAS brings. • Sales/mgt/engineers underestimated what IAAS brings. • Put more of the stack into shared cloud. • DBMS redundancy higher in the stack. (e.g. ASM vs metroclustre)
- 20. What do we need help with? • How do we run in multitenant environments and have everything secure? • How do we explain this to auditors so they agree?
- 22. Thank you!