Modernizing a legacy internal reporting portal with secure, VPN-restricted access and faster performance.
Pine Cove’s staff reporting system faced reliability, security, and access control issues under a legacy monolithic setup. The goal was to containerize the portal, improve resilience across Availability Zones, and enforce VPN-only access to sensitive endpoints like /designer, while delivering faster load times for frequently accessed reports.
Challenges
Legacy monolithic deployment: Rigid releases with limited flexibility for scaling and failover.
Access control complexity: Sensitive paths like /designer needed fine-grained VPN- and internal-IP-based restrictions.
Limited resilience across AZs: The previous architecture did not fully leverage multi-AZ capabilities.
Limited observability and scaling: Troubleshooting and scaling were constrained without ECS orchestration and integrated logging.
The Solution
Containerized the report portal on Amazon ECS (Fargate) behind an Application Load Balancer (ALB) in a dedicated Reporting VPC.
Deployed Amazon Aurora MySQL in private subnets with multi-AZ failover, enabling secure connectivity from ECS tasks.
Enforced VPN-only access and route protections using AWS Lambda request routing and rewrite logic, which returns HTTP 403 for any non-VPN request to /designer.
Served static assets through Amazon S3 and Amazon CloudFront to reduce origin load and improve response times.
Implemented least-privilege access using AWS IAM roles for ECS tasks and Lambda functions.
Added monitoring and audit support using Amazon CloudWatch (ECS logs, Lambda metrics), plus ALB access logs and VPC flow logs.
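The VPN-only rule for /designer described above, written out as an added example rather than KnackForge's or Pine Cove's own code. It models the decision as a Lambda function invoked as an ALB target: the source address is taken from the last entry of X-Forwarded-For (the one the load balancer itself appends, since earlier entries are client-supplied), the path is normalized before matching so that /designer/../designer is treated the same as /designer, and anything restricted that did not arrive from a VPN range gets a 403. The VPN CIDRs, the restricted prefix list and the 200 pass-through body are constructed assumptions; the page does not state them.

```python
import ipaddress
import posixpath
from typing import Any, Dict, Optional

# Constructed sample values (assumptions, not taken from the case study).
VPN_CIDRS = [ipaddress.ip_network(c) for c in ("10.8.0.0/16", "192.168.100.0/24")]
RESTRICTED_PREFIXES = ("/designer",)


def client_ip_from_event(event: Dict[str, Any]) -> Optional[str]:
    """Return the address the ALB saw for this request.

    The ALB appends the connecting client's IP as the LAST entry of
    X-Forwarded-For; anything before it was supplied by the client and
    must not be trusted for an access decision.
    """
    headers = event.get("headers") or {}
    xff = headers.get("x-forwarded-for", "")
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    return parts[-1] if parts else None


def is_vpn_client(ip_str: Optional[str]) -> bool:
    """True only if the address parses and falls inside a VPN range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except (ValueError, TypeError):
        return False  # missing or malformed address: treat as not on VPN
    return any(ip in net for net in VPN_CIDRS)


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes so prefix matching is reliable."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_restricted_path(path: str) -> bool:
    norm = normalize_path(path)
    return any(norm == p or norm.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def forbidden_response() -> Dict[str, Any]:
    """ALB Lambda-target response shape for a 403 (assumed format)."""
    return {
        "statusCode": 403,
        "statusDescription": "403 Forbidden",
        "isBase64Encoded": False,
        "headers": {"Content-Type": "text/plain"},
        "body": "Forbidden",
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Deny restricted paths unless the request came from a VPN range.

    Non-restricted paths, and restricted paths reached over VPN, fall
    through to a placeholder 200 here; a real deployment would route or
    rewrite the request on to the portal at this point.
    """
    path = event.get("path", "/")
    if is_restricted_path(path):
        if not is_vpn_client(client_ip_from_event(event)):
            return forbidden_response()
    return {
        "statusCode": 200,
        "statusDescription": "200 OK",
        "isBase64Encoded": False,
        "headers": {"Content-Type": "text/plain"},
        "body": "allowed",  # constructed placeholder body
    }


if __name__ == "__main__":
    # Constructed sample events in the ALB Lambda-target shape.
    print(handler({"path": "/designer", "headers": {"x-forwarded-for": "203.0.113.5"}})["statusCode"])   # 403
    print(handler({"path": "/designer", "headers": {"x-forwarded-for": "10.8.3.4"}})["statusCode"])      # 200
```

Header-based checks like this belong behind the ALB, where the last X-Forwarded-For entry is trustworthy; the same decision can also be expressed as an ALB listener rule with a source-IP condition, which needs no code and is easier to audit alongside the ALB access logs mentioned above.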
The Impact
With KnackForge Cloud Services in place, the customer experienced:
Faster portal performance: Load times improved from roughly 4 to 6 seconds to roughly 1.5 to 2 seconds.
Faster deployments: Deployment time reduced from 3 to 5 hours (manual) to under 15 minutes using ECS CI/CD pipelines.
Improved availability during updates: Downtime during updates reduced from ~1 to 2 hours per month to near-zero using rolling ECS deployments.
Stronger access enforcement: Unauthorized access attempts dropped to 0, with all non-VPN traffic correctly blocked for restricted routes.
Lower operational overhead and cost: Ops labor reduced by ~40%, compute costs reduced by ~25% versus fixed provisioning, and a 12-month model showed a ~20 to 25% overall reduction in infrastructure and operations cost.
Technologies Used
Amazon ECS (Fargate)
Application Load Balancer (ALB)
Amazon Aurora MySQL
Amazon VPC and VPN Gateway
AWS Lambda
Amazon S3
Amazon CloudFront
AWS IAM
Amazon CloudWatch
AWS Global Accelerator and AWS WAF (existing setup)