Company specializing in medical devices that produces and distributes endoscopes and surgical tools.

Azure Kubernetes service, Terraform, Azure DevOps pipeline, Ingress controller, Cert-manager, network policy, ArgoCD, Helm Chart, Velero

The client must store vast amounts of data in various formats from multiple sources in a unified data platform, accessible to machine learning engineers and data scientists within the organization for the development of machine learning applications and data analysis. The data platform is constructed on Azure cloud and handles pictures, videos from operational recordings, and sensor stream data from various operational devices. These data will be annotated, pre-processed using various data tools, and then used for model training. This is crucial for creating new machine-learning services such as cancer detection and patient anonymization

The client’s big data platform encompasses various Azure services, in-house developed applications, and data applications. The platform’s central components are Azure storage accounts for big data storage, Azure Machine Learning Workspace for model training, and various web applications for data management and monitoring. Prior to Datics DevOps engineers joining the project, the entire data platform infrastructure was built manually. Most of the applications were hosted on Azure via the Azure Web Application Service, and each application’s deployment and setup were completed manually, leading to a time-consuming process with a higher risk of inaccuracies and longer bug-fixing times. Additionally, the security of deployed applications was not given adequate consideration, and data backup was also a weakness.

In light of the aforementioned challenges, we, as DevOps engineers from Datics, took on the following major tasks:
• Designed the entire infrastructure using Azure best practices and implemented Infrastructure as Code (IaC) using Terraform and Azure DevOps pipeline. This automated approach creates a single source of truth for the data platform and greatly reduces deployment efforts across environments.
• To centralize application management, we opted to use Azure Kubernetes Service (AKS). All applications were efficiently containerized and automated, with Docker images securely stored in Azure Container Registry.
• Implemented GitOps with ArgoCD and Helm Chart to continuously monitor and automatically compare live application states to desired states specified in the Git repository, ensuring error-free deployment.
• Created backup strategies for the AKS cluster using Velero and storage accounts.
• Implemented network security. On the AKS side, we set up SSL/TLS for applications with an ingress controller and cert-manager, and enabled a WAF on the ingress controller for filtering and monitoring HTTP traffic. We also used network policies to isolate internal and external traffic in the Kubernetes cluster, and network security groups to define security rules for subnets or VMs. To secure storage accounts, we set up network firewalls and restricted access to only specific private subnets where AKS or Azure Machine Learning Workspace is allocated.

With the help of Datics DevOps engineers, the data platform infrastructure is now streamlined and can be easily recreated with just a pipeline trigger. The same pipeline configuration can be used for provisioning in dev, stage, and prod environments, freeing up valuable time for the team. Applications are centrally deployed and monitored with ArgoCD, and developers have access to the ArgoCD UI for troubleshooting. The platform now meets important security requirements outlined in the pen test report, and data backup strategies are in place with azure monitoring services.