How the cloud can help provide personal health assistance

Reliability, compliance and security are critical

As a digital health platform stemming from Germany, Vivy is subject to strict compliance and governance regulations.

Vivy's healthcare app comes under strict legal requirements and is making data safety-critical. Any failures in this area could lead to severe consequences. Reliability, high availability and security are necessary to meet legal regulations and gain users' trust. Medical data is vulnerable, so keeping it safe was a pillar of our job. All information stored should be encrypted and access to it strictly regulated.

The solution

Our team helped Vivy navigate those issues while working on modernizing their environment following DevOps best practices – including migration of their entire codebase and infrastructure to a globally scalable infrastructure as code model.

We created a multi-account AWS Organization with a secure and highly available network infrastructure to separate workloads based on different security and high availability needs founded on client requirements.

Using multiple AWS accounts helps isolate and manage business applications and data, which is critical for scalability, reliability and security. AWS Single Sign-On makes navigation around them a pleasure while still allowing fine-grained permission setup.

On the other hand, the foundation of high available cloud solutions is a well-designed network that at the same time allows interconnectivity between VPCs located on different accounts while keeping them fully isolated if needed. We achieved this by using separate Transit Gateways for production and non-production environments. Vivy is planning to release the app to new markets. We used separate AWS Accounts and Transit Gateways route tables for each region to achieve logical isolation between region environments.

These were fundamentals for the next steps, including migrating the microservices from AWS ECS to the AWS Managed EKS clusters backed up by encrypted S3 Buckets, DynamoDB and RDS databases for data storage and protection.

Many AWS services increase the security of the created infrastructure. Starting from Service Control Policies restricting the available services and AWS regions, VPC Flow Logs captures the IP traffic ending up on Organizations level CloudTrail logs. All the records are stored on encrypted S3 buckets on separate AWS accounts. Furthermore, Fluent Bit DaemonSet on EKS clusters sends the cluster logs to CloudWatch Logs while deployed microservices are integrated with Amazon CloudWatch Container Insights.

We created it using Terraform in the role of infrastructure as code tool.