Maestro Orchestrator: Product? SaaS? Framework!



In 2012, EPAM Cloud Orchestrator was created as a cloud solution for the EPAM Systems community. It appeared when the issue of redesigning the growing infrastructure of more than 500 projects became critical. After a thorough analysis of the existing solutions, EPAM experts had to admit that none of them fit the company needs.

However, that was not a problem but a challenge. If no perfect solution existed, EPAM created its own from scratch.

In six years, EPAM Cloud Orchestrator evolved into a true hybrid cloud with over 8000 virtual machines in hundreds of projects. In addition to its basic function - hosting virtual resources - it supports a number of related components helping the users to be in full control of their virtual infrastructures, such as audit, monitoring, billing, reporting.

Meanwhile, a time has come to go out of the box of an enterprise solution and meet the market.
This is how the new generation of EPAM Cloud Orchestrator - Maestro was born.

Maestro is neither a product nor SaaS, it is a framework that allows us to deliver the Cloud Orchestrator both in a form of SaaS and as an application, deployed directly for a particular customer. All the features and customizations are available for both forms of deployments.
Maestro backend in written in Java and consists of the server-less part based on AWS Lambda and a server-full part based on AWS EC2. We follow AWS security best practices and use AWS Cognito services for authentication.

Maestro is a hybrid cloud orchestrator that provides unified access to AWS, Azure and Google clouds, as well as Openstack for private datacenters. Terraform is the tool that allows us to provide this kind of variety of cloud providers. 

All Maestro components are designed as standalone units which can be used separately, also for purposes outside the EPAM Cloud. Authentication is done via the Active Directory. The user can access AWS services directly using their domain credentials. In this case, the user is authenticated via the SAML protocol and allowed access within the pre-configured IAM role. This type of authentication requires no interaction with Maestro whatsoever. Access to Maestro is based on the user's domain credentials, as well, however, in this case the OAuth 2.0 protocol is used. Maestro includes a mechanism allowing authentication for any enterprise with an Active Directory.

We ensured that Maestro deployment is cost effective. As AWS services that we use work on pay-as-you-go basis, so does our application. We calculated that our POC installation costed 5$ per day + 1$ for each 100 active users. This number, of course, did not include the infrastructure that users created. It only included the services that Maestro application consumes.

Another aspect we use to ensure security is an approval framework, which we can wrap around any action an end user performs. In case an approval is not required, the system just executes the command. But different enterprises have different restriction policies regarding infrastructure management, so it is sometimes necessary to secure a potentially dangerous feature under an approval. In such case an action is performed only if it was manually approved by a responsible person. Approval works via convenient email messages with approve and reject buttons. From the back-end point of view this mechanism is implemented using AWS StepFunctions according to the reference architecture.




Popular posts from this blog

Maestro Analytics: Essentials at the Fingertips

Image
Infrastructure analytics is one of the cornerstones for effective cloud management. Each cloud provider offers its own set of features and services for such purpose. We can say that AWS QuickSight, Google Data Studio, and Microsoft BI are among the top of the native analytics and BI offerings. They are deeply integrated into their native infrastructures, provide the detailed review of the infrastructure state, events and cost, and allow to take a deep dive into details, being powered by strong internal mechanisms and AI/ML engines. However, in many cases they provide a huge volume of data which needs a BI expert to cope with, as well as may have limited customization possibilities in terms of the covered data scope. Also, if you use more than one cloud, or have private datacenters, the fact that each of these tools is limited to its vendor, may be a reason for you to find a third-party analytics tool. Here is where you may consider solutions such as CloudHealth, AppOptics, or IBM C
Read more

Maestro: Greeting the Green Dragon

Image
The year is coming to the end, and it's high time for our traditional lookback on Maestro evolution, changes, and important events. The year of 2023 has been dynamic and full of updates, both technical and strategic.  We kept to our previous commitments , meanwhile adjusting to the new trends in Cloud and technologies in general.  We met our user's expectation and need for  cross-cloud FinOps, automated infrastructure analytics, security assessment and the "Fix it" button , aimed to simplify issues remediation. We also took into account the rising demand for  Open Stack-based resources, Cloud Native approaches,  AI/ML integrations .  As a result, we came up with our standard "six release per year" cycle, highlighted with the following milestones: Maestro Insights With the ML technologies growth, the amount of services offering infrastructure recommendations and analytics, grow. This is true for the public cloud providers' native services, as well as thir
Read more