Jersey Mike's: Securely Scaling Cloud Capabilities to Meet Demand
In This Case Study
About Jersey Mike's
Starting as a small sub sandwich shop in the seaside town of Point Pleasant, NJ in 1956, Jersey Mike's Franchise Systems Inc. now oversees approximately 1,800 sub sandwich franchises and catering locations across the U.S. Jersey Mike's offers a wide range of sub sandwiches, prepared in front of the customer, with high quality vegetables, spices, oils, meats, cheeses and fresh-baked breads for a taste that will completely satisfy even the most discerning sandwich enthusiast and foodie.
Several years ago, Jersey Mike's started a partnership with WWT to create a new digital experience for customers and franchise owners.
For Jersey Mike's, giving back to the community is just as important as providing a high-quality sub sandwich. In that spirit, Jersey Mike's ran an advertising campaign during the COVID pandemic offering 50 percent off all sandwiches and free delivery. The demand on their legacy mobile application in response was unprecedented. The number of inbound orders processed by the mobile app went from 800 per day to 80,000+ within four hours of the deal announcement.
Simply put, Jersey Mike's mobile app could not handle the influx. While technology in the cloud space evolves at incredible speeds, with new services and capabilities unveiled monthly that can increase efficiency, performance and stability while lowering costs, Jersey Mike's had not updated its cloud infrastructure in some time.
Paired with the increase in mobile demand, Jersey Mike's realized it needed to improve the cloud infrastructure supporting its mobile app with a focus on optimized security, scalability and high availability.
To accomplish this, Jersey Mike's turned to the multicloud experts WWT.
WWT's Application Services team worked closely with Jersey Mike's team to build a new mobile app and an eCommerce platform that offers customers more ordering options. Amazon Web Services (AWS) was chosen as the public cloud platform for its extensive service offerings and infrastructure flexibility. Our team used modern software development practices and a DevOps-centric approach to architect and automate the infrastructure and application deployments.
As part of WWT's Cloud Foundation service offering, our combined team of cloud architects, engineers and consultants used AWS best practices ad prior experience to design and deploy a custom cloud landing zone -- the underlying core configuration of any cloud adoption environment -- to address Jersey Mike's unique cloud security, networking and operational challenges. Cloud landing zones offer a pre-configured environment, provisioned through code, to host an organization's workloads in private, hybrid or public clouds.
For the eCommerce platform, we used container technology and the ubiquitous Kubernetes (K8s). We built the environment in AWS using a mix of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) for software development and production deployment. We built the K8s environment on top of EC2 and used Amazon RDS for database services.
– Scott Scherer, CIO
AWS Control Tower
Jersey Mike's new cloud foundation in AWS started with a deployment centered around AWS Control Tower. Control Tower's key cloud services include AWS Organizations, AWS Single-Sign On, CloudTrail, Config, SNS and the ability to have a repeatable, secure account deployment process via Account Factory.
Using the Account Factory feature in Control Tower allowed us to employ a repeatable and automated account provisioning strategy. Account Factory automates the provisioning of AWS Config Logs and CloudTrail Logs and enables a secure framework of centralized logging for long-term archive and central analysis.
Infrastructure as Code (IaC)
With the deployment of Control Tower and the creation of the core AWS accounts completed, our software developers started creating bespoke code to provision the infrastructure within the accounts based on Jersey Mike's requirements. We used CloudFormation because it was native and fully supported by AWS.
Below are some examples of CloudFormation templates we used to set up the AWS account:
- We deployed CloudFormation StackSets to create an Identify and Access Management (IAM) password policy in alignment with Security Hub best practices.
- A CloudFormation Stack was deployed within each account to perform the following:
- To enable CIS AWS Foundations Benchmark Log Metric Filters to address CIS checks 3.1 – 3.14.
- To deploy the bulk of the infrastructure components, including a VPC that enabled VPC Flow Logs to send out to a central S3 bucket, subnets, route tables, an internet gateway, NAT gateways and an S3 endpoint.
- To attach the VPC (created in the previous template) to an AWS Transit Gateway in the Shared Services account and update any relevant route tables.
VPC Flow Logs feature
After we deployed the new AWS foundation, we took additional steps to secure the environment. Each AWS Account in which a VPC was created had the VPC Flow Logs feature enabled. VPC Flow Logs captures information about IP traffic leaving and entering the network interfaces within a VPC.
For Jersey Mike's, these flow logs are aggregated into a centralized S3 bucket in the Shared Services account. This approach allows for ease of use when monitoring for potential threats or performing root cause analysis. It also allows for easy integration with third-party network and threat analysis tools.
AWS Security Hub and GuardDuty
Our cloud experts enabled AWS Security Hub to provide compliance, security monitoring and guidance by following the Center for Internet Security (CIS) AWS foundation benchmark. CIS is focused on IAM, logging, monitoring and networking and adds another tool to maintain a strong security posture in a multi-account environment. The Security Account designated the Security Hub Management Account to allow all findings to be analyzed from a central location.
We then implemented Amazon GuardDuty as a threat detection service to continuously monitor for malicious activity in each AWS Account. GuardDuty analyzes events across many surfaces and sends all findings to the central management account where it stores the findings for long-term archive and analysis.
With the custom cloud landing zone in place for building and deploying workloads, Jersey Mike's and WWT's cloud teams next tackled the application environment and operational challenges. This work included:
- Optimizing the container environment for the new mobile application
- Securing remote access
- Developing high availability (HA) and disaster recovery (DR) strategies
- Developing log analysis and visualization
- Developing Day-2 operational tasks and repeatable processes
AWS EKS and Fargate
The teams analyzed performance data, application metrics and usage patterns for the existing environment to determine the appropriate sizing for the new cloud environment. However, maintaining a business-critical application requires more than just core counts and memory. The team considered other factors -- often overlooked but equally essential -- including staff availability, skillsets and experience.
With all those data points in hand, Jersey Mike's decided that a managed service like AWS Elastic Kubernetes Service (EKS) running on Fargate -- AWS' serverless compute engine -- met or exceeded their requirements. This approach would allow Jersey Mike's to deploy a robust mobile application that could scale with demand while eliminating the need to provision and manage the servers that host containers. AWS Fargate allocates the appropriate amount of compute to ensure Jersey Mike's only pays for the resources required to run the mobile app.
We we easily able to integrate EKS and Fargate into existing Jersey Mike's application pipelines thanks to the availability of extensive APIs (which is typical for most AWS services).
Our solution deployed both AWS Cloud9 and Amazon WorkSpaces to support secure remote access into the environment.
AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run and debug your code using a standard browser from any internet-connected machine. Ideally, Cloud9 environments will be created within the Shared Services account. Features of Cloud9 include:
- A code editor, debugger and terminal
- The ability to quickly share your development environment with your team, enabling you to pair program and track each other's inputs in real time
- Direct terminal access to AWS
Amazon WorkSpaces lets an organization deploy virtual Windows or Linux cloud-based desktops. For Jersey Mike's, we deployed WorkSpaces to provide an alternative remote connection method to Cloud9 should an administrator be more comfortable with a virtual desktop as opposed to a Cloud9 IDE.
Cloud security defends valuable corporate assets that have moved outside the traditional enterprise perimeter and onto the public internet. At WWT, we help customers enable business growth by designing and deploying reliable, scalable and secure environments across public, private and hybrid clouds.
The starting point for any application deployment in AWS is a secure, reliable and automated foundation. Security in AWS requires a multi-tier approach that starts at the foundation and is applied at every tier of an application.
By executing on WWT's Cloud Foundation services offering through AWS, Jersey Mike's was significantly enhanced its security posture with better data protection and compliance. It also has can more consistently apply security policies across its cloud environment, all while simplifying management and operations.
Reliability, performance efficiency and cost optimization
Using AWS EKS and Fargate provides a stable and scalable infrastructure for Jersey Mike's mobile application. The company is now able to meet heavy user demand, optimize its cloud spend and reduce operational burdens on its cloud team.
In addition, the team followed cloud ops best practices and designed the architecture across multiple Availability Zones to ensure uptime in case of underlying infrastructure issues.
WWT believes that education and knowledge-sharing with the customer are central to any successful project. This is particularly true in the cloud space. In each cloud engagement, one of our key goals is to teach the customers how to manage and maintain their cloud environment once our tasks are complete.
Throughout the duration of the project, Jersey Mike's and WWT met daily to discuss progress, challenges and successes. In addition to daily infrastructure meetings, more in-depth training sessions were conducted to make sure Jersey Mike's felt comfortable taking control of the environment post-deployment. For example, training included a walkthrough on creating VPC infrastructure with CloudFormation.
At the end of the project, WWT presented Jersey Mike's with all operational documents and runbooks that detailed their new custom cloud setup along with guides for supporting the environment on a daily basis going forward.