drie is a platform that teams use to run software using Amazon Web Services (AWS). We make it really easy to build and run software in your own AWS account whilst meeting security best practices.
drie brings together GitHub and AWS to provide a pipeline for deploying and running software in secure development environments.
When you deploy the drie platform into your AWS account, you spin up a set of resources for creating new environments. These are managed through drie's CloudFormation template and through EC2 instances that drie creates in your account.
To get started with deploying applications, the drie signup process involves installing a GitHub integration onto your GitHub account. This lets you choose which of your repos will build and deploy on drie in your AWS account.
Any commit on any branch in your selected repos generates a new build in your AWS account. When you commit to your repo, GitHub generates an event which is posted to the drie platform. You can see the status of this build in the branches panel of your GitHub repo: a tick for a successful build, a cross for failure and an orange dot for a build in progress. Clicking on the icon takes you to the drie dashboard for that build.
When you make the commit, your GitHub account posts an event to your AWS account triggering the build server in your account to pull down the new code and build a deploy artefact. The artefact is encrypted and stored on an Elastic File System volume in your AWS account.
When a branch of your application is first deployed to drie it is run in On Demand mode. This means that it is spun up only when it needs to handle a request. All On Demand applications are run from the same server, with drie's proxy server starting up applications and routing traffic to them on demand. This mode works well for early development and prototyping as it reduces the server capacity required to run an application but still gives you your app, running in your AWS account with the benefits of a unique URL and SSL certificates.
When you add instances to a branch of your application in the drie dashboard, the drie platform creates a dedicated environment for your branch, including an auto-scaling group, separate EC2 instances, SSL certificates, load balancer, and URL. Your application is then deployed onto these instances using Elastic Beanstalk, which provides a zero-downtime deployment mechanism.
We recommend deploying branches that correspond to production or staging environments onto dedicated instances to give you the isolation and performance that you expect from production services.
You can scale these instances up or down using the drie dashboard, where you can also see the most recent application and build logs.
drie follows AWS Security Best Practices in the design and management of our platform. This involves building environments in a secure and repeatable way, taking care to identify vulnerabilities and threats, and mitigating those with technical and non-technical controls.
Our broad approach is to codify this best practice in the templates and software that we use to build customer environments - we find that automation and careful design mean that every time an environment is built it can have good security by default.
Some of the particular measures we take to secure environments include:
- For each application, we define a security-group-based firewall. This firewall allows traffic to access your application on specific ports only and segregates you from other customers on the drie platform. We provision EC2 instances to run your application on: each instance of your application is run on its own virtual machine, giving effective resource allocation and kernel-level isolation from other applications.
- Each application gets its own Elastic Load Balancer (ELB) to route web traffic.
- All web apps get HTTPS termination on the ELB by default. drie manages the re-encryption of connections back to each of your instances using unique certificates generated when the app is created.
- All internet-facing certificates are created and managed using AWS's certificate management service so you never have to worry about who has access to the certificate, how to revoke it or when it might expire again.
- drie creates a per-customer key management setup using the AWS Key Management Service (KMS). You can use this to encrypt any configuration data that you use to run your application as well as the artefacts that drie builds and deploys from your source code repository.
- drie manages the creation, setup and ongoing changes in each environment with an IAM (Identity and Access Management) role defined specifically for each of your apps.
Each application that you deploy gets its own copy of this environment - its own load balancer, security group, certificates and KMS contexts. This allows for complete segregation of concerns between applications and clear auditability of interactions with that application.