May 25, 2022 | 10 minute read
“Our goal is to build an infrastructure that allows us to deploy services faster and scale on-demand while complying with all government regulations in terms of data residency, security, and privacy. With Oracle Cloud Infrastructure and Oracle Kubernetes, we have made a huge step forward toward achieving that goal.”
The authors want to thank Mohammed Binsabbar, senior expert and DevOps engineer of the integrated solutions unit at Takamol, for his contributions.
Employment is one of the highest priorities for governments throughout the world and serves as the basis for prosperous and successful nations. In many high-income countries, the pandemic has caused seismic shifts in labor markets. From a record number of workers not returning to their jobs after lockdowns to others changing sectors, reassessing their career paths, starting businesses, or freelancing, all of these factors have created labor shortages as workers navigate the labor market seeking better opportunities.
The labor market of Saudi Arabia is experiencing one of the most rapid transformations in the world. Unlike most high-income countries, labor force participation increased during the pandemic. At the same time, foreign workers, who make up over 70% of the workforce in the private sector, are leaving employment in large numbers, driving a sharp and rapid contraction in total employment. Almost 1 million jobs have disappeared since the start of the pandemic.
In Saudi Arabia, evidence of a post-pandemic worker reallocation is emerging, creating even greater demand for services provided by organizations like Takamol Holding. These services target and serve individuals and prominent labor segments, of both the public and private sectors, by creating comprehensive solutions for socioeconomic development and government services for unleashing talent. Takamol aims to empower, achieve, and create a positive, sustainable change in the Saudi Arabian labor market and strives to sustain a lasting impact that will benefit society. For a healthy economy, Takamol offers a full spectrum of programs to enable the society to work, sustain, and develop in the labor market.
Goals for Takamol’s cloud migration
Takamol has previous experience of utilizing the cloud to manage and deliver workloads, through engagement with another local provider. When Takamol announced two new portfolios to be launched, they understood that they needed to quickly find a managed orchestration platform that utilized Kubernetes, while avoiding vendor lock-in.
Managing hundreds of servers through UI and relying on their own tool to enhance the services slowed Takamol's operations down and increased the burden for their teams. The more tools they manage, the more overhead they carry. Takamol operates in a fast-paced environment, where more products need to be launched into market as quickly as possible. Takamol needed a cloud provider that could handle their product volume and could also meet their need for speed.
The ability to use a containerized approach with OKE for developing our applications was one of the triggers to invest in Oracle. We got OKE running in less than five minutes.
Takamol’s goal for cloud migration was to create a secure and dynamically scalable infrastructure that allowed them to quickly launch a higher volume of products while minimizing operational tasks. Takamol also wanted to convert all data into a Postgres-compatible structure that is easy to set up, affordable, and will help drive efficiency and impact. To fully meet their needs, the structure needed to be sufficiently flexible to support Terraform-based e-government applications and services, so Takamol turned to Oracle Cloud Infrastructure (OCI). "We rely on automation and managed services to remove overhead from our teams and become more efficient. We wanted to reduce overhead, support multiple portfolios, and scale dynamically. With OCI and Kubernetes, we can do all that. We are relieved that there’s finally a world-class provider of cloud services in Saudi Arabia," concludes Binsabbar.
The suite of Oracle products used
Oracle Cloud Infrastructure includes all the services needed to migrate, build, and run IT in the cloud, from existing enterprise workloads to new cloud native applications and data platforms.
Oracle Container Engine for Kubernetes (OKE): OKE is an Oracle-managed container orchestration service that can reduce the time and cost to build modern cloud native applications. OKE is also Cloud Native Computing Foundation (CNCF) certified. Unlike many other cloud infrastructure vendors, OCI provides OKE as a managed service. The Kubernetes management nodes are provided for free, and the worker nodes are instantiated from customer-selected, high-performance, lower-cost Compute shapes.
Oracle Cloud Infrastructure Registry (OCIR): OCIR, also known as Container Registry, is an Oracle-managed registry that enables you to simplify your development to production workflow. Container Registry makes it easy for you as a developer to store, share, and manage container images, such as Docker images.
Network load balancer: OCI Load Balancing service enables you to distribute web requests across an array of servers and automatically route traffic across availability domains resulting in high availability and fault tolerance for applications or data sources.
OCI Object Storage: OCI Object Storage enables you to securely store any type of data in its native format. OCI Object Storage is ideal for building modern applications that require scale and flexibility, as it can be used to consolidate multiple data sources for analytics, backup, or archive purposes.
OCI Block Storage: Reliable, high-performance block storage designed to work with a range of virtual machines and bare metal instances. With built-in redundancy, block volumes are persistent and durable beyond the lifespan of a virtual machine and can scale to 1 PB per compute instance.
Oracle Database: Oracle Database is the first database designed for enterprise grid computing, the most flexible and cost-effective way to manage information and applications. Enterprise grid computing creates large pools of industry-standard, modular storage and servers. Each new system can be rapidly provisioned from the pool of components with this architecture. Peak workloads aren’t necessary because capacity can be easily added or reallocated from the resource pools as needed. Takamol utilized Oracle Database for data migration purposes.
Oracle MySQL Database service: Oracle MySQL Database service is a fully managed database service that lets developers quickly develop and deploy secure, cloud native applications using the MySQL open source database. Takamol utilized Oracle MySQL Database service for data migration purposes.
Oracle Database Vault: Oracle Database Vault implements data security controls within Oracle Database to restrict access to application data by privileged users. It reduces the risk of insider and external threats and addresses compliance requirements, including separation of duties.
Network security groups: Network Security Groups (NSGs) act as a virtual firewall for Compute instances and other kinds of resources. An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN, for example, all the Compute instances that act as web servers in the web tier of a multi-tier application in the VCN.
Security lists: Security lists act as virtual firewalls for Compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. So, all the VNICs in a given subnet are subject to the same set of security lists.
Oracle Cloud Guard: Oracle Cloud Guard, including the new Threat Detector, detects misconfigured resources, insecure activity across tenants, and malicious threat activities and provides security administrators with the visibility to triage and resolve cloud security issues.
Migration path and Oracle solution
OCI provided numerous managed services and features, such as OKE, managed backup, three fault domains in every availability domain, shared volumes, File Storage service, and S3-compatible storage. These features combined have helped reduce Takamol's operational overhead dramatically.
All of Takamol’s products follow microservice architecture. The main challenge that they faced was operating those individual microservices. OCI was the first provider in Saudi Arabia to provide managed Kubernetes, which allowed them to quickly scale their infrastructure to meet the demand of Takamol's customers during peak times.
Takamol also faced a challenge in managing the infrastructure. OCI solved this issue by providing a solid API and HashiCorp Terraform support, which allowed Takamol to build the whole infrastructure as code and provision data centers from machine-readable definition files. Takamol is now better equipped to understand their infrastructure components and their uses and can easily manage actions made to the components using GitOps. Utilizing the Cloud Advisory feature, Takamol can better understand their consumption and how much they’re spending, and can even project how much they will spend in the future.
OCI follows the zero-trust design principle by default, which is evident in the default deny rules in its networking. This feature gives Takamol better control of traffic within the network, including between internal services (east-west) and from external to internal services (north-south). The combination of network traffic logging and the Logging dashboard gives Takamol better visibility of the traffic flowing around their networks, a capability that Takamol identified as a vendor differentiator.
Takamol also uses OCI's managed storage services, including using Object Storage and elastic Block Storage for tasks, such as long-term storage and persistent data storage for OKE.
Takamol focused on creating replicated environments, so they can develop and test in an environment that matches the production environment. They also created isolated environments and made better use of network security groups and security lists to control network traffic. In addition, Takamol focused on controlling outgoing and incoming traffic and on isolating backend and internal components from the internet through a private subnet.
Figure 1. Takamol reference architecture
Because Takamol uses OKE with ArgoCD, an open source continuous delivery tool designed for Kubernetes and part of the CNCF ecosystem, integration was smooth and quick, with ArgoCD doing most of the automation. Takamol is following a GitOps approach for their deployments and Terraform for OCI automation. Instead of a VPN, they’re using Teleport by Gravitational to connect securely and privately to OCI services, including VMs and OKE.
After the announcement of OCI launching the availability of the first cloud region in Jeddah, Saudi Arabia, Takamol DevOps engineers immediately took advantage of the 30 days of $300 credits to get familiar with OCI services. They focused on trying OKE and deployed random personal projects to test the service. This opportunity gave Takamol a market and provided additional justification to launch new products on OCI. In parallel, Takamol started testing the OCI API with Terraform and building their own OCI modules, which are open source and available on GitHub.
Results achieved with OCI
Takamol developed four core applications in OCI, improving the availability of the services, reducing operations, and ensuring fast disaster recovery. They extended the OCI Terraform provider to realize modules that reflected their application deployment patterns. In doing so, Takamol simplified and accelerated their time to deploy IT infrastructure through the infrastructure-as-code (IaC) model. The IaC model also facilitates the sharing of coding files among team members to edit, review, and version them in real time, which helped streamline the deployment of Takamol's e-services on OCI.
The organization deploys e-services on OCI substantially faster than before. The preparation time for launching a government e-service has been cut from one day to less than an hour because provisioning virtual machines isn’t necessary. OCI's autoscaling feature ensures sufficient capacity to support all concurrent users of a service.
Takamol was able to save many hours of server maintenance as the easy-to-use user interface of OCI gives the company's engineering team a bird's-eye view of security threats. This ability made it simple to implement and enforce segregation between networks and granted clarity and visibility of security lists without installing a firewall. "We have substantially reduced manual work and increased efficiencies. That enables us to focus on innovative solutions and on deployment flows that helped us grow our customer pipeline," says Binsabbar.
The company's development team uses four clusters of OKE to automate building, deploying, and managing cloud native applications. The development team uses containerized application modules built with open source to boost efficiency and bring services to market faster.
Takamol has also utilized OCI's pay-per-use subscription model to reduce IT infrastructure costs. They use Oracle Cloud Advisor to scan the organization's tenancy and receive recommendations for optimizing cloud resources, reducing cloud costs, and addressing potential security vulnerabilities.
With OCI, Takamol also meets the requirements of the Saudi Arabian government in terms of data residency, security, notification of breaches, and data privacy. Using the Oracle Cloud region data center in the Kingdom of Saudi Arabia, Takamol fully complies with the government mandate of hosting all data within a country of the Gulf Cooperation Council (GCC) region and meets the requirements of the National Cybersecurity Authority (NCA).
OCI's Cloud Adoption Framework helped facilitate Takamol's transition to the cloud by offering a valuable collection of free-of-charge cloud resources, suggested practices, tutorials, and tools. "The documentation is excellent, it's easily accessible, and the courses are free for one year. Oracle also assigned a solution architect that checks up on us every two weeks. That is extremely useful and ensures a successful journey with Oracle. Additionally, Oracle Support was very responsive and helpful with our requests," Mohammed Binsabbar concludes.