Maestro Orchestrator: Product? SaaS? Framework!
However, that was not a problem but a challenge. If no perfect solution existed, EPAM created its own from scratch.
In six years, EPAM Cloud Orchestrator evolved into a true hybrid cloud with over 8000 virtual machines in hundreds of projects. In addition to its basic function - hosting virtual resources - it supports a number of related components helping the users to be in full control of their virtual infrastructures, such as audit, monitoring, billing, reporting.
Meanwhile, a time has come to go out of the box of an enterprise solution and meet the market.
This is how the new generation of EPAM Cloud Orchestrator - Maestro was born.
Maestro is neither a product nor SaaS, it is a framework that allows us to deliver the Cloud Orchestrator both in a form of SaaS and as an application, deployed directly for a particular customer. All the features and customizations are available for both forms of deployments.
Maestro backend in written in Java and consists of the server-less part based on AWS Lambda and a server-full part based on AWS EC2. We follow AWS security best practices and use AWS Cognito services for authentication.
Maestro is a hybrid cloud orchestrator that provides unified access to AWS, Azure and Google clouds, as well as Openstack for private datacenters. Terraform is the tool that allows us to provide this kind of variety of cloud providers.
Maestro is a hybrid cloud orchestrator that provides unified access to AWS, Azure and Google clouds, as well as Openstack for private datacenters. Terraform is the tool that allows us to provide this kind of variety of cloud providers.
All Maestro components are designed as standalone units which can be used separately, also for purposes outside the EPAM Cloud. Authentication is done via the Active Directory. The user can access AWS services directly using their domain credentials. In this case, the user is authenticated via the SAML protocol and allowed access within the pre-configured IAM role. This type of authentication requires no interaction with Maestro whatsoever. Access to Maestro is based on the user's domain credentials, as well, however, in this case the OAuth 2.0 protocol is used. Maestro includes a mechanism allowing authentication for any enterprise with an Active Directory.
We ensured that Maestro deployment is cost effective. As AWS services that we use work on pay-as-you-go basis, so does our application. We calculated that our POC installation costed 5$ per day + 1$ for each 100 active users. This number, of course, did not include the infrastructure that users created. It only included the services that Maestro application consumes.
Another aspect we use to ensure security is an approval framework, which we can wrap around any action an end user performs. In case an approval is not required, the system just executes the command. But different enterprises have different restriction policies regarding infrastructure management, so it is sometimes necessary to secure a potentially dangerous feature under an approval. In such case an action is performed only if it was manually approved by a responsible person. Approval works via convenient email messages with approve and reject buttons. From the back-end point of view this mechanism is implemented using AWS StepFunctions according to the reference architecture.
We ensured that Maestro deployment is cost effective. As AWS services that we use work on pay-as-you-go basis, so does our application. We calculated that our POC installation costed 5$ per day + 1$ for each 100 active users. This number, of course, did not include the infrastructure that users created. It only included the services that Maestro application consumes.
Another aspect we use to ensure security is an approval framework, which we can wrap around any action an end user performs. In case an approval is not required, the system just executes the command. But different enterprises have different restriction policies regarding infrastructure management, so it is sometimes necessary to secure a potentially dangerous feature under an approval. In such case an action is performed only if it was manually approved by a responsible person. Approval works via convenient email messages with approve and reject buttons. From the back-end point of view this mechanism is implemented using AWS StepFunctions according to the reference architecture.