In this session, learn how SunTrust Banks re-architected and released a critical customer-facing application for better reliability and scale. Learn how a serverless architecture enabled the successful architecture, development, test and deployment of an AWS Lambda based solution to over 1 million customers. SunTrust and Candid Partners will discuss the complete architecture plus details of the CI/CD methodology to create a multi-region, active/active configuration.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Re-architecting a Consumer Banking
Application for Better Scale and Reliability
Chris Lofton
SVP, Cloud Program
SunTrust Bank
23094
Aaron Bawcom
Chief Architect
Candid Partners

3. 5
The Challenge
• How fast can we go
using AWS?
• What changes do we
need to make to go
that fast consistently?
• How do we make sure
our security
requirements are met?
• How far can we push
the technical limits?
Can a bank win a race?
• How can we
demonstrate success
early in cloud journey?
• How much can we
simplify the
development process?
• How do we decrease
TAS and increase GSD?
• What’s the lowest cost
we can operate?

4. 6
The application requirements
Millions of banking
consumersMassive scalability
Zero
downtime
deployments
Frequent
deployments
100% uptime
Bank level
security
Crazy fast
performance

5. 7
Problem
Massive Scalability
Waves of user
onboarding
Minimum of 10,000
concurrent users per second
Spikes

6. 8
Solution
AWS Lambda +
Amazon API Gateway
Use AWS Lambda for request
processing
Use API Gateway to process API requests
Allocate enough IP space to satisfy
Lambda Elastic Network Interface
(ENI) attachment to VPC
Use NodeJS for language

7. 9
Ease of use
Problem
Millions of bank
consumers
Development
Legal compliance

8. 10
JavaScript
Solution
Single Page
Application
User experience
Deployment
Fast

9. 11
Problem
Bank Level Security
Secure content
Logging
Configuration management
Regulated data
Data obfuscation
Compliance

10. 12
Solution
Cloud Native Services
+ Splunk
Secure content
Logging
Configuration
management
Regulated data
Data Obfuscation
Compliance
Amazon CloudFront, API Gateway,
Amazon S3, AWS WAF, AWS Shield
Advanced, AWS Certificate Manager
AWS CloudTrail, Amazon
CloudWatch, Amazon Kinesis,
VPC
AWS CodeCommit
Proprietary hashing
Custom Development
Config, Lambda, GuardDuty

11. 13
Sub 500ms latency
Problem
Need crazy fast
performance Heavy load

12. 14
CloudFront
Solution
Lambda, CloudFront,
Amazon ElastiCache
NodeJS
Lambda
Amazon ElastiCache
Results

13. 15
Initial deployment
Initial
Deploy
20 Hours!

14. 16
Daily deployments
Problem
Frequent
deployments
Automated tests
Automated promotion
Zero downtime
Continuous delivery
Traceability

15. 17
Solution
Pipeline as code,
automated promotion
Daily deployments
Automated tests
Automated promotion
Zero downtime requirement
Continuous delivery
Traceability
Go-CD
NodeJS, BlazeMeter, BrowserStack,
CloudWatch
Go-CD
CloudFront, Lambda@Edge
Go-CD
Go-CD, CloudTrail,
AWS CodeCommit

16. 18
Account vs application infrastructure
pipelines
Global
Region 1
Region 2
Account
Account
global
Account
regional
Account
regional

17. 19
Account vs application infrastructure
pipelines
Global
Region 1
Region 2
Account Application
App
sec
App code
App code
App
global
App ops
App ops
Account
global
Account
regional
Account
regional

18. 20
Canary
deploys - UI Us-east-1
Us-east-2
CloudFront distribution
CookieCookie
AWS Cloud
InternetUser
request
Primary Canary
Primary Canary
Go-CD

19. 21
Canary deploys - API
Canary version of the
Lambda function is
installed Routing
config.
AWS Cloud
New (Canary)
version
Release (Current)
version
Go-CD

20. 22
Canary Deploys – API – 1%
Routing
Config.
AWS Cloud
New (Canary)
version
Release (Current)
version
1%
CloudWatch
logging
Process logs
to determine
success
99%
Routing configuration
is updated
99% / 1% split
Go-CD

21. 23
Canary deploys – API – 100%
Routing
config.
AWS Cloud
New (Canary)
version
Release (Current)
version
CloudWatch
logging
Process logs
to determine
success
100%
Routing configuration
is updated
0% / 100% split
Go-CD

22. 24
Canary deploy – API - finished
Routing
config.
AWS Cloud
New (Canary )
version
Release (Current)
version
CloudWatch
logging
Process logs
to determine
success
100%
Canary Alias
becomes release
Routing configuration
is updated
100% Release
Go-CD

23. 25
Continuous improvement
Initial deploy
Added Dev, QE, Staging environments
Added 2 way Canary deploys
Experienced outage in us-east-1
due to SSM
2 Weeks

24. 26
Problem
100% Uptime
requirement
Availability
Business Recovery
Dependent Services
Security
Performance

25. 27
Solution
Multi-Region
Active/Active
Availability + performance
Business recovery +
dependent services
Security
API Gateway, Amazon S3
JS, CloudFront,
Amazon Route53
API Gateway, CloudFront,
Amazon S3, Route53

26. 28
Multi-Region Active/Active
CloudFront Lambda@Edge logic - UI
app.org.com
Request
from
Florida
ui.geo.app.org.com
app-ui-us-east-1.s3.amazonaws.com
Geographic latency records
Fail over Alias records
app.org.com
Origin
request
Lambda@Edge
NodeJS DNS CNAME
Lookup for
ui.geo.app.org.com
API
Gateway
(regional)
IAM secured
method request
+ VTL to zero
out content
CF Amazon S3 Request
Bucket: app-ui
Region: us-east-1
Origin Access Identity secured Amazon
S3 request
1
2
app-ui-us-east-2.s3.amazonaws.com

27. 29
Continuous improvement
Initial deploy
Added 2 way
Canary deploys
Experienced
outage in us-east-
1 due to SSM
Deployed Multi
Region Support
us-east-2 full
region outage
2 way
canary
deploys
1 way
canary
deploys
Redis cluster
outage
Cost optimized
24 weeks of
weekly releases
• Zero downtime results
due to deploys!
• No service
interruptions after
adding multi region!
5 Weeks
2 Weeks

28. ui.geo.app.org.com
app.ui.us.east-1-
s3.amazonaws.com
app.ui.us.east-2-
s3.amazonaws.com
api.geo.app.com
API Gateway Custom Target Domain
name
API Gateway Custom Target Domain
name
Amazon S3
Origin access
identity
Service
Lambda
Service
Lambda
API
us-east-1 us-east-2
api.geo.app.org.com
api.geo.app.org.com
AWS Cloud
Role
Amazon
S3
Role

29. 31
The unexpected
Long canary deployments
AWS region outage
API Security

30. Candid Partners Proprietary & Confidential 32
Incorporating the learnings

31. 33
Can a bank win a race? Just as good as any Unicorn
How fast can we go using AWS? Rapid prototyping in hours using
appropriately secured sandbox accounts
What changes do we need to make
to go that fast consistently?
Change the release process to allow for
same-day deployments based off of
automated testing and security checks
How do we make sure our security
requirements are met?
Make the pipeline a security control.
Implement compliance Policies as Code.
How far can we push the technical
limits?
Innovate Infrastructure as Code
compliance policies change the physics of
the release process
How can we demonstrate success
early in cloud journey?
Re-architect a smaller application to
Serverless to demonstrate success
How much can we simplify the
development process?
A lot! All application components are
serverless eliminating the need to manage,
maintain, and upgrade servers
How do we decrease TAS and
increase GSD?
Embed empowered team members and
require accountability
What’s the lowest cost we can
operate?
Thousands of dollars per month. No 2X for
business continuity.

32. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Chris Lofton
Chris.Lofton@SunTrust.com
Aaron Bawcom
Aaron.Bawcom@CandidPartners.com

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.