About the Client
The Client is a global medical device company and leader in new product development and medical education in orthopedics. With a corporate mission of helping surgeons treat their patients better, the Client has pioneered the field of arthroscopy and developed more than 8,500 innovative products and surgical procedures to advance minimally invasive orthopedics worldwide.
The Client is privately held with 1750 employees worldwide.
Privacy and Control Challenges
As with any company in the medical field, privacy is a top priority. As one employee put it:
"We plan on deploying applications that we simply don’t want to ever expose publicly."
This extreme need for privacy rules out the use of many popular multi-tenant platforms, as well as SaaS products that expose datastores to the public Internet, as many do.
With most PaaS and SaaS providers ruled out, the Client turned to low-level infrastructure on AWS, but this presented a host of new challenges. Correctly configuring access control was cumbersome, so developers ended up with too much direct access to AWS accounts. This led to sprawl, with disparate architectures being created in several different accounts.
Convox’s Solutions via Convox Console and AWS Best Practices
Convox’s privacy story is second to none. In minutes the Client was able to install a Convox Rack into one of their own AWS accounts. The Rack gave them the high-level PaaS experience they were looking for without the privacy risks associated with a multi-tenant platform. Since the Rack runs in their account, it is impossible for Convox employees or other Convox users to access their apps accidentally or maliciously. All datastores managed by Convox are provisioned inside the Rack VPC, and none of their interfaces are exposed to the public Internet.
Using Convox also brought a great deal of consistency and control. All Convox Racks and apps are set up programmatically in the same way. The architecture is informed by years of hard-won DevOps experience on the Convox team and contributions by the open-source community. A one-command updating system ensures that the architecture across all deployments stays consistent over time. Since any DevOps task can be done through Convox, developers no longer needed access to the AWS account, further reducing privacy and operational risks, and Convox-level access can be controlled through the Convox Console.
A team of about 11 web developers is using Convox, with plans to expand to more teams within the company.
The Client is currently running 3 Racks comprising 13 EC2 instances, which host about 50 apps in total, and usage is growing consistently.
"With the addition of Console, we now have a fully private AWS-based PaaS installable with a single command. We have come to rely on the Convox team to create/curate the AWS best practices for container deployment & management, and could not be more pleased."
- Client Engineering Team
Leveraging Open Source
The Client was able to get started immediately and for free (except nominal AWS expenses) to evaluate the platform and see how it worked for them. They found the platform intuitive and easy to use, but wanted to add even more privacy features.
Since Convox Rack is open source, a Client engineer was able to directly submit patches for his desired changes. With help from Convox engineers and members of the open-source community, the Client was able to contribute a powerful private networking feature, placing all AWS servers behind NAT gateways and isolating them from the public Internet. Since this was contributed back to the open-source project, all Convox users can now take advantage of it.
The Economics of Convox
After initial success, the Client agreed to enter a paid support engagement with Convox. This deal includes white glove setup and configuration, a Convox engineer on-call 24/7 with a guaranteed response SLA, and prioritization of feature requests, among other benefits.
The Client also chose to continue on their privacy mission by commissioning a private, Enterprise version of Convox Console. Console offers team management, multiple-rack management and integrations with 3rd-party services like GitHub and Slack. The standard Console is a SaaS product, but Convox was able to quickly deliver a private, self-hosted version customized to integrate with GitHub Enterprise Edition.
The Client was able to get an ideal, private, customized platform in a few months, paying Convox a fraction of what it would have cost to hire just one ops engineer. If they’d built their own team and platform, it would have taken at least a year and cost a minimum of hundreds of thousands of dollars in engineer salaries. It would have been difficult to assemble a team with Convox’s depth of experience, and there wouldn’t have been a huge open-source community to help, so their custom-built platform would likely have run into pitfalls that Convox already knows to avoid.