Hi all,
I would like to start a discussion about a reference architecture of cloud services to host a production implementation of Open edX.
May it be a starting point of an OEP?
Using Tutor, it is clear that this cannot be achieved with a local installation. Instead, we need to use Kubernetes to deploy in a cluster in the cloud.
First of all, we want the infrastructure to be:
- resilient:
– if a pod stops responding, a new pod should be recreated in the same or another node
– if a node is down, the lost pods should be recreated in other nodes, and a new node should be created
– The nodes should be able to be located in multiple availability zones (AZ). If an AZ is lost, all the lost resources should be recreated in another. - scalable:
– if a pod is consuming over a threshold of resources (cpu, memory, network), a new pod should be created and load should be balanced between them
– if there is no more room in the existing nodes for new pods, a new node should be launched
– scalability should work up (grow) and down (shrink when demand slows down) - secure
– implement security measures to protect the application and data safe from potential attacks
In particular for Open edX, we also want it to:
- allow multiple instances of Open edX in the same infrastructure
- optimize resources as much as possible in order to reduce operational costs.
We have been working on this reference architecture diagram. It was prepared for AWS, but the concepts can be extended to any cloud provider.
Contributions are welcome! If anyone wants to collaborate with this diagram, let me know and I can let you access. It was created in Lucidchart.
References:
- All resources are contained within a dedicated VPC, across three availability zones. There are three types of subnets: one public for Internet access and bastion host and two privates: one for applications and another for databases.
- Route53 is used to point all external domains to internal addresses.
- CloudFront serves static assets for higher performance.
- The ingress is protected with a web application firewall
- Only the bastion host is exposed directly to Internet. Administration access to any other services can only be done from this host. To access the bastion host we use Systems Manager’s Session Manager.
- The core services (LMS, CMS and forum) are implemented in a Kubernetes cluster in EKS, one namespace per instance. The nodes span all the AZs in an ASG and the ingress is controlled by a load balancer. The images are stored in ECR. All secrets are retrieved at deployment time from AWS Secrets Manager
- The Redis services is implemented in AWS ElastiCache for Redis. We use a Redis DB for each namespace.
- AWS OpenSearch (formerly ElasticSearch) is the search engine.
- The relational database is implemented using RDS Aurora for MySQL. The cluster can have replicas in each AZ. We use one database for each namespace in the same RDS cluster.
- MongoDB is implemented using the AWS MongoDB quickstart template in three AZs. We use one database for each namespace in the same cluster.
- Emails are sent by the LMS using AWS SES
- Static assets are stored in an S3 bucket. We have one bucket per namespace.