About Moneyou
• Full subsidiary of ABN AMRO
• Online savings since 2008
• Currently 0.5 million customers in NL and DE
• Combined savings & payments proposition
• Small organization (<200 FTE)
• Focus on UX and customer centricity
Moneyou's journey to become a fintech
Moneyou until 2016
• Label for ABN AMRO products
• IT was outsourced to partners: hosting & development, core banking & channels
Moneyou in 2016
• Started to build a new payment proposition
• Need for short time to market & cost efficiency
• Need to insource software development in a modern way
• Ambition to do DevOps
AWS Organisations: Multi account setup
• Development account per team
• Production account per system
• Demonstrably in control of production data
• Reduce blast radius
• Cost allocation per account
• Scalable
Infrastructure as code
• Everything is code
• Features use the serverless.com framework
• Platform uses CloudFormation StackSets, the serverless.com framework and a custom build process
Continuous compliance
• SCPs to whitelist services
• For every service, compliant configurations are defined
• AWS Config keeps track of all resources and notifies on non-compliant configurations
• Notifications are sent to the account owner and the platform team (incl. CISO)
• All production systems run at our most critical CIA (confidentiality, integrity, availability) rating
• Stay away from EC2 or VPC
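An allow-list SCP of the kind the slide describes, plus a small evaluator so the policy can be unit-tested before it is attached to an OU. This is an added example, not Moneyou's policy and not AWS code; the service list and the protected AWS Config actions are assumptions. Two practitioner caveats: SCPs never grant permissions (identity policies are still needed) and they do not apply to the management account.

```python
"""Allow-list SCP and a minimal SCP evaluator (added example, not Moneyou's policy)."""
import fnmatch

# Constructed allow-list SCP. Only the listed services are usable in member accounts;
# ec2:* is deliberately absent (implicit deny, matching "stay away from EC2 or VPC"),
# and actions that would blind AWS Config are denied explicitly so no Allow can
# re-enable them lower in the organisation.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerlessPlatform",
            "Effect": "Allow",
            "Action": [
                "lambda:*", "apigateway:*", "dynamodb:*", "s3:*", "sqs:*", "sns:*",
                "logs:*", "cloudwatch:*", "iam:*", "cloudformation:*", "config:*", "kms:*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyConfigTampering",
            "Effect": "Deny",
            "Action": [
                "config:DeleteConfigRule",
                "config:DeleteConfigurationRecorder",
                "config:StopConfigurationRecorder",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _matches(patterns, action):
    """IAM action names are case-insensitive and may contain '*' and '?' wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_allows(levels, action):
    """Decide whether `action` survives the SCP chain.

    Each entry in `levels` is the merged statement set attached at one level
    (root, OU, account). Per level: a matching explicit Deny wins; otherwise some
    Allow must match, else the action is implicitly denied. The action has to pass
    every level. Action and NotAction are handled; Resource and Condition are not
    modelled here.
    """
    for policy in levels:
        allowed = False
        for st in policy["Statement"]:
            if "Action" in st:
                hit = _matches(st["Action"], action)
            else:
                hit = not _matches(st["NotAction"], action)
            if not hit:
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
        if not allowed:
            return False
    return True


def check_policy(levels, must_allow, must_deny):
    """Return the actions whose outcome disagrees with expectation (empty list = ok)."""
    bad = [a for a in must_allow if not scp_allows(levels, a)]
    bad += [a for a in must_deny if scp_allows(levels, a)]
    return bad
```

`check_policy` is the piece to run in CI against the whole chain an account sits under, with a list of actions that must keep working (deployments, logging) and a list that must never work (EC2, leaving the organisation, disabling Config); a non-empty result fails the pipeline before the policy reaches AWS Organizations.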
On-premise connectivity
• Lambdas are best run outside of a VPC
• Lambdas in a VPC suffer additional cold-start time (caveat: the Lambda VPC networking change AWS rolled out from late 2019 has since removed most of that penalty; the operational arguments below still apply)
• Additional complexity managing VPCs
• Connectivity to on-prem is done through a VPC and Direct Connect/VPN
• Solution: API Gateway with IAM authorization as a proxy to on-prem services
• VPCs centrally managed
• Lambdas/features run outside a VPC
• Highly scalable, highly available
On-premise connectivity: Lambda outside VPC - Caveats
• The NLB in front of the on-prem services uses the IP addresses of the on-premise servers as targets (reached over Direct Connect/VPN); those IP targets are static, so on-prem address changes must be carried through to the target group
• The API Gateway proxy requires the back-end TLS certificate to be signed by a CA that API Gateway trusts
• AWS SigV4 request signing requires access to the underlying HTTP client: the caller must be able to compute and add the signature headers before the request is sent
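The last caveat in practice: a feature Lambda calling the IAM-protected API Gateway proxy has to attach SigV4 headers itself, which is why the HTTP client must expose its headers. The block below is an added example that covers the proxy pattern from the two slides above; it is not Moneyou's code and not the AWS SDK, but a standard-library implementation of the documented Signature Version 4 steps. The host, path and environment-based credentials are assumptions; API Gateway is signed as service `execute-api`.

```python
"""SigV4-sign a request to an IAM-protected API Gateway stage (added example, not
Moneyou's code). Standard library only, so it works inside a Lambda without an SDK."""
import datetime
import hashlib
import hmac
import os
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request; returns (text, signed_headers).

    `path` must already be normalised and URI-encoded (it is used verbatim);
    query keys/values are encoded with the unreserved set SigV4 specifies;
    header names are lowercased and values have internal whitespace collapsed.
    """
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    text = "\n".join([method.upper(), path or "/", canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return text, signed_headers


def sign(access_key, secret_key, region, service, method, host, path, query, headers,
         payload, amz_date, session_token=None):
    """Return the headers to send: the caller's headers plus host, x-amz-date,
    x-amz-security-token (temporary credentials only) and authorization."""
    date = amz_date[:8]
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        hdrs["x-amz-security-token"] = session_token  # must be signed, not just sent
    creq, signed_headers = canonical_request(method, path, query, hdrs, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    # Derive the signing key: the long-term secret is only ever used here, the
    # request is signed with a key bound to date, region and service.
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def sign_for_api_gateway(host, path, region, method="GET", query=None, payload=b"",
                         headers=None, amz_date=None):
    """Sign with the Lambda execution role credentials from the environment
    (assumed: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
    Role credentials are temporary, so the session token is always included."""
    amz_date = amz_date or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return sign(os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
                region, "execute-api", method, host, path, query or {}, headers or {},
                payload, amz_date, os.environ.get("AWS_SESSION_TOKEN"))
```

The returned dict is what the HTTP client has to send verbatim; any client that rewrites header values, reorders query parameters or rewrites the path after signing will produce a 403 from API Gateway, which is exactly the "access to the underlying HTTP client" requirement on the slide.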
Strong consistency
• Event driven architectures benefit from eventual consistency (for scalability) and retry mechanisms (for reliability)
• What if... strong consistency does matter?
• Solution: use DynamoDB as a lock server
• Conditional (atomic) updates
• Consistent reads
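The lock-server idea above in code: a conditional `PutItem` gives mutual exclusion (the write only succeeds if no unexpired lock exists), a per-holder token makes release safe after a takeover, and a strongly consistent `GetItem` shows the latest acknowledged state. This is an added example, not Moneyou's code; the table name, attribute names and TTL are assumptions, and `FakeDynamo` is a constructed in-memory stand-in that understands only the two conditions used, so the block runs offline (in production pass `boto3.client("dynamodb")` instead).

```python
"""DynamoDB as a lock server: conditional writes + consistent reads (added example)."""
import time
import uuid

LOCK_TABLE = "locks"  # assumed: partition key lock_id (S), TTL enabled on expires_at (N)


class LockUnavailable(Exception):
    """Another holder owns the lock and it has not expired yet."""


def acquire(client, lock_id, ttl_seconds=30, now=None):
    """Take the lock atomically; returns a token that only this holder knows.

    expires_at is checked in the condition rather than left to DynamoDB TTL,
    because TTL deletes expired items lazily, some time after they expire.
    """
    now = int(time.time() if now is None else now)
    token = uuid.uuid4().hex
    try:
        client.put_item(
            TableName=LOCK_TABLE,
            Item={"lock_id": {"S": lock_id}, "holder": {"S": token},
                  "expires_at": {"N": str(now + ttl_seconds)}},
            ConditionExpression="attribute_not_exists(lock_id) OR expires_at < :now",
            ExpressionAttributeValues={":now": {"N": str(now)}},
        )
    except client.exceptions.ConditionalCheckFailedException:
        raise LockUnavailable(lock_id) from None
    return token


def release(client, lock_id, token):
    """Delete the lock only if we still hold it; False means it was taken over."""
    try:
        client.delete_item(
            TableName=LOCK_TABLE,
            Key={"lock_id": {"S": lock_id}},
            ConditionExpression="#h = :token",
            ExpressionAttributeNames={"#h": "holder"},
            ExpressionAttributeValues={":token": {"S": token}},
        )
    except client.exceptions.ConditionalCheckFailedException:
        return False
    return True


def current_holder(client, lock_id):
    """Strongly consistent read: reflects every write acknowledged before it."""
    resp = client.get_item(TableName=LOCK_TABLE, Key={"lock_id": {"S": lock_id}},
                           ConsistentRead=True)
    item = resp.get("Item")
    return item["holder"]["S"] if item else None


class FakeDynamo:
    """Constructed test double; only the two condition expressions above are honoured."""

    class exceptions:
        class ConditionalCheckFailedException(Exception):
            pass

    def __init__(self):
        self.items = {}

    def put_item(self, TableName, Item, ExpressionAttributeValues, **kwargs):
        key = Item["lock_id"]["S"]
        existing = self.items.get(key)
        if existing and int(existing["expires_at"]["N"]) >= int(ExpressionAttributeValues[":now"]["N"]):
            raise self.exceptions.ConditionalCheckFailedException()
        self.items[key] = Item

    def delete_item(self, TableName, Key, ExpressionAttributeValues, **kwargs):
        existing = self.items.get(Key["lock_id"]["S"])
        if not existing or existing["holder"]["S"] != ExpressionAttributeValues[":token"]["S"]:
            raise self.exceptions.ConditionalCheckFailedException()
        del self.items[Key["lock_id"]["S"]]

    def get_item(self, TableName, Key, ConsistentRead=False):
        item = self.items.get(Key["lock_id"]["S"])
        return {"Item": item} if item else {}
```

Keep the TTL short relative to the work done under the lock, and treat `release` returning False as a signal that the work may have run concurrently with a later holder; if that matters, store the token with the protected record and check it there too.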
General tips
• Know your (AWS service) limits!
• DynamoDB On-Demand capacity and PITR (point-in-time recovery)
• Serverless performance must-read: theburningmonk.com
• Outsource availability and scalability to AWS