Innovating at the Speed of the Market
With its freight forwarding cloud solutions in high demand, Flexport sought to maximize its team resources.
Flexport worked with NTT DATA to implement automation that delivers best practice-based infrastructure with built-in security standards and self-service capabilities, allowing its engineering team to focus on building.
Flexport is a rapidly growing organization that is reshaping how global trade gets done. Through its advanced technology, logistics infrastructure and supply chain expertise, Flexport provides modern freight forwarding services. Demand for Flexport’s cloud software and data analytics services has risen so quickly that the company has doubled in size over the past three years to keep pace.
Flexport began its AWS journey with a single account; yet, undergoing multiple years of explosive growth meant the company needed to scale out its AWS infrastructure. With team members’ time already in high demand, Flexport turned to the NTT DATA team to help. Flexport’s Cloud Infrastructure team led the charge, working closely with Flexport Engineering teams and NTT DATA’s AWS consultants.
- Speeds time to market by removing barriers to innovation
- Frees operations from maintenance overhead
- Improves productivity with automation
- Standardizes security for reduced risk and greater repeatability
- Builds in compliance to CIS AWS Foundations standards
- Ensures policy control mechanisms
NTT DATA helped Flexport implement automation that delivers infrastructure built with cloud and security best practices, and self-service capabilities that abstract away the complexity of multi-account AWS account architectures.
To establish a secure foundation for workloads, a baseline is necessary, which was achieved for Flexport with NTT DATA’s Build Cloud Foundations solution. It creates a secure, scalable and extendable cloud structure with AWS services including AWS Control Tower. These services work together to form a security baseline that enables greater agility and flexibility through a sound foundation.
Using AWS Control Tower
AWS Control Tower makes it easy to set up, govern and secure multiple accounts using built-in AWS services. New accounts can be quickly provisioned using the AWS Control Tower dashboard and it provides built-in guardrails to protect AWS accounts. The first step to deploying the new solution was to enable and enhance AWS Control Tower’s Account Factory with a customization pipeline. The customization deploys:
- Centralized log gathering that includes AWS CloudTrail, VPC Flow Logs and AWS Config to support traceability and strengthen compliance
- AWS Security Hub and Amazon GuardDuty to give security teams full visibility across AWS Organizations
- Notifications to the security team for corrective action when guardrail changes are detected
- Amazon CloudWatch custom metrics and alerts to enhance security and compliance for AWS Organizations
Self-Service Networking at Scale
To avoid networking challenges that can crop up when creating new accounts, NTT DATA helped Flexport achieve networking at scale with self-service patterns that create a unified, secure, scalable and extendable cloud foundation.
"Our goal is to empower engineering to focus on building Flexport’s platform for global logistics rather than worrying about the complexity of underlying multi-account AWS infrastructure. We do this by abstracting away the foundational infrastructure, giving the team an AWS-as-a-Service offering managed and maintained by our Cloud Infrastructure teams,” said Taylor Merry, Flexport Director of Security Operations. “Thanks to new layers of automation, this offering has improved our overall productivity while standardizing security efforts, which means we can spend more time on the company’s growth initiatives.”
Within the AWS Service Catalog self-serve solution, engineers can access a portfolio of pre-approved network products, streamlining the coordination between teams for network product requests while providing standardized network solutions. The self-service pattern includes VPC deployment, IP address space management, AWS Transit Gateway, and network connectivity.
- VPC deployment: AWS Service Catalog provides a convenient user interface to the VPC solution portfolio; it shares the solution with the whole AWS Organization and configures role-based access. The VPC solution portfolio includes multiple products that teams can spin up on demand, allowing users to create new VPCs for different use cases, (e.g. number of tiers, CIDR block sizes, availability zones, etc.) AWS CloudFormation deploys VPC as infrastructure as code (IaC).
- IP address management (IPAM): To avoid overlaps between different network segments, unique CIDR blocks are used; the system requests available CIDR blocks from IPAM for the VPCs using AWS CloudFormation Custom Resources. Amazon SNS message service creates a custom resource that sends messages to the SNS topics to request or release CIDR blocks. Netbox IPAM is used as the single source of truth and is deployed with the help of Lambda, AWS Fargate containers, and a PostgreSQL DB deployed in AWS RDS.
- AWS Transit Gateway: Flexport connects VPCs and on-premises networks to a single AWS Transit Gateway that acts as a hub to control how traffic is routed among all the connected networks which act like spokes. New VPCs connected to AWS Transit Gateway are automatically available to every other network connected via AWS Transit Gateway. This hub and spoke model simplifies management and reduces operational costs because each network only has to connect to AWS Transit Gateway and not to every other network.
- Network connectivity: AWS Transit Gateway is automated with AWS’s Serverless Transit Network Orchestrator (STNO) which automates the process of setting up and managing transit networks in distributed AWS environments. As part of the STNO solution, AWS Transit Gateway is set up such that Flexport can configure different styles of communication between VPCs and network segmentation, resulting in a scalable network solution that scales cross region and cross account.
Secure account best practices
Every AWS account is provisioned to ensure security best practices are built in with:
- AWS Control Tower guardrails, a policy control mechanism that prevents account actions that can cause issues, and/or detects and provides alerts to actions that trigger certain rules or thresholds.
- AWS Security Hub for security alerting and the enablement of CIS AWS Foundations standards.
- Account hardening with AWS CloudTrail, IAM groups, VPC management, Amazon GuardDuty, and more. AWS CloudTrail trails are integrated with Amazon CloudWatch logs for account auditing and resource monitoring.
The entire Flexport solution is based on AWS and industry best practices that result in a foundational architecture built with security best practices. “Security by design is a key element to everything we build,” said Merry. “As a rapidly growing company, we have the opportunity to establish security standards as we build from the ground up. The AWS-as-a-Service offering embodies that principle.”
Flexport has established automation that delivers self-service capabilities to its engineers, abstracting away underlying complexity so they can focus on building Flexport’s platform for global logistics. With a network that scales to fully deliver on the cloud’s promise of greater agility, Flexport has the business flexibility it needs to quickly pivot to changing market demands and customer needs, ensuring its continued momentum.
Flexport meets business growth head-on with a secure, self-serve AWS solution that empowers teams to innovate at the speed of the market.