Amazon Web Services

Millions of Devices Online

Various AWS services help us solve the most complex tasks. For example, we have created an IoT + SSO platform for Smart Home that simultaneously monitors up to ≈ 10 million devices.

The platform has two functions:

  1. User account management: it provides functionality for creating and managing user accounts with single sign-on (SSO), and also provides access to accounts over OAuth2 to such services as Amazon Alexa, Google Assistant, and others.
  2. Remote control of smart devices. Its main purpose is to deliver control messages from users and responses from devices back to users.

The platform was fully implemented based on AWS in no time. We got a reliable, scalable, and high-performing solution.

Google Cloud Platform

Multi-Cloud Application

Whether it’s infrastructure, software, applications, services, products, or even an operating system, everything is making its way to the cloud. Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) are the three most popular types of cloud service offerings. All of these cloud computing models can be implemented with any cloud service provider. Today, the majority of top cloud service providers offer various benefits, and you can choose whichever suits you best.

We used Google Cloud Platform (GCP) to build an application that functions as a hub for company business processes. The goal was not to create an application for all kinds of business process automation from scratch, but to seamlessly integrate the solutions we were already using and provide an experience tailored to our own internal requirements. No existing product on the market provided such capabilities, so we decided to build our own.

One of the challenges was to build a multi-cloud application, because at some point we as a company transitioned to Microsoft 365.

The key components of the application are:

  1. Backend implemented in Java. It provides a RESTful API as a single point of interaction with the outside world. It runs on App Engine and scales based on the current load. Currently it runs as a monolithic backend, but from the very start we designed it in a way that allows us to break it into microservices in the future.
  2. Single Sign-On works via a Firebase application, which in turn uses Azure Active Directory as the identity provider. For our employees it provides a seamless authentication experience between our application and the other Microsoft 365 services we are using.
  3. Asynchronous message queues: application components use Pub/Sub to communicate with each other in a non-blocking way.
  4. Cloud Scheduler: a number of tasks are scheduled to run periodically and perform day-to-day activities such as delivering reports, notifying users about upcoming events, etc.
  5. Integration with Microsoft 365 (Azure AD, Microsoft Teams, Approvals, OneDrive, Graph API). This provides a seamless experience for all employees who use Microsoft 365 tools in their daily activities. It also means better control over data flows, authentication and authorization.
  6. Cloud Storage is used solely for data that is internal to the application. This data is not publicly available. We’ve put a lot of effort into protecting it from unauthorized access, since this data may contain confidential information and/or data that is essential for us as a company. To provide access to authorized personnel, the application generates pre-signed URLs with a limited lifetime.

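
How a limited-lifetime link is enforced, as an added example that is not the application's code. Cloud Storage has its own signed-URL format; this simplified HMAC stand-in (the key, host name and function names are assumptions) shows the property that matters: the expiry is covered by the signature, so it cannot be extended by editing the link.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service keeps its signing key in a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(method: str, path: str, expires: int) -> bytes:
    # Method, object path and expiry are all part of the signed message.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest().encode()


def sign_url(base: str, path: str, ttl_s: int, now: Optional[int] = None) -> str:
    """Return a GET link for `path` that stops verifying after ttl_s seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_s
    sig = _mac("GET", path, expires).decode()
    return f"{base}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, method: str = "GET", now: Optional[int] = None) -> bool:
    """Server-side check: reject missing, expired or altered parameters."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0].encode()
    except (KeyError, ValueError):
        return False  # unsigned or malformed link
    if now >= expires:
        return False  # lifetime is over
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(sig, _mac(method, parts.path, expires))


if __name__ == "__main__":
    link = sign_url("https://files.example.internal", "/reports/q1.pdf", 300)
    print(link, verify_url(link))
```
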
Microsoft Azure

Flexible Security Solution

The application was built to encrypt files stored in the OneDrive and SharePoint of Azure Cloud users as soon as they appear. This feature protects sensitive files and makes OneDrive and SharePoint even more secure.

The application consists of two Logic Apps. The first one receives a token and updates its value every 50 minutes in Table Storage. The token is required for the second Logic App to get access to users’ OneDrive and SharePoint. This app does encryption using a Function App that runs a Docker container with a Python function for encryption.

Services used for creating this application:

  1. Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. The API can provide any info, starting with Azure Users info and finishing with a list of items in users’ drives.
  2. App registration is a service that creates a trusted identity to be able to access Microsoft Graph API (in our case) or any other sources in Azure. It’s highly configurable and includes such options as API permissions, authentication, token configuration, etc.
  3. Logic App is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. With this platform, you can quickly develop highly scalable integration solutions for your enterprise and B2B scenarios. In our case, Logic Apps serve as the heart of the application and are responsible for receiving tokens for Microsoft Graph API, storing them in Table Storage, and encrypting files by calling a Function App.
  4. Table Storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. Because Table Storage is schemaless, it's easy to adapt your data as the needs of your application evolve. Access to Table Storage data is fast and cost-effective for many types of applications, and is typically lower in cost than traditional SQL for similar volumes of data. We use it to store tokens and deltalinks, which contain info about files that appear in SharePoint and OneDrive.
  5. Function App is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running. The Function App service allows us to run Docker containers as well, so that’s how we use it for encryption.
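
How stored deltalinks can drive the "encrypt as soon as they appear" step, as an added example that is not the application's code. It walks constructed Microsoft Graph delta pages and returns the files to encrypt plus the next deltaLink; the `.enc` suffix for already-encrypted files, the sample pages and the function names are assumptions.

```python
from typing import Callable, Dict, List, Tuple

ENC_SUFFIX = ".enc"  # assumption: how this sketch marks encrypted files

# Constructed sample of two delta pages, keyed by the URL that returns them.
SAMPLE_PAGES: Dict[str, Dict] = {
    "delta?token=old": {
        "value": [
            {"id": "1", "name": "Docs", "folder": {}},
            {"id": "2", "name": "plan.docx", "file": {}},
            {"id": "3", "name": "old.xlsx", "file": {}},
        ],
        "@odata.nextLink": "delta?page=2",
    },
    "delta?page=2": {
        "value": [
            {"id": "3", "deleted": {}},
            {"id": "4", "name": "notes.txt.enc", "file": {}},
            {"id": "2", "name": "plan-v2.docx", "file": {}},
        ],
        "@odata.deltaLink": "delta?token=new",
    },
}


def collect_new_files(fetch_page: Callable[[str], Dict],
                      start_url: str) -> Tuple[List[Dict], str]:
    """Follow one delta round; return (files to encrypt, deltaLink to store)."""
    todo: Dict[str, Dict] = {}
    url, seen = start_url, set()
    while True:
        if url in seen:
            raise RuntimeError("delta paging loop")
        seen.add(url)
        page = fetch_page(url)
        for item in page.get("value", []):
            # Skip deletions, folders, and files this app already encrypted:
            # a rewritten file shows up as a change in the next delta round.
            if ("deleted" in item or "file" not in item
                    or item.get("name", "").endswith(ENC_SUFFIX)):
                todo.pop(item["id"], None)
                continue
            todo[item["id"]] = item  # an item may repeat; last state wins
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
        elif "@odata.deltaLink" in page:
            return list(todo.values()), page["@odata.deltaLink"]
        else:
            raise ValueError("page has neither nextLink nor deltaLink")
```

Persisting the returned deltaLink only after the whole batch has been encrypted means a failed run is retried from the previous link instead of silently skipping files.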