Jersey Mike's: Securely Scaling to Meet Demand
About Jersey Mike's
Starting as a small sub sandwich shop in the seaside town of Point Pleasant, NJ in 1956, Jersey Mike's Franchise Systems Inc. now oversees approximately 1800 sub sandwich franchises and catering locations across the United States. Jersey Mike's offers their customers a wide range of sub sandwiches, prepared in front of the customer, with high-quality vegetables, spices, oils, meats, cheeses and fresh-baked breads for a taste that will completely satisfy even the most discerning sandwich enthusiast and foodie.
A few years ago, Jersey Mike's started a partnership with WWT to create a new digital experience for customers and franchise owners. Working with WWT Application Teams, new mobile applications and an eCommerce platform were built to provide more ordering options for customers. The platform chosen for this next-generation technology was Amazon Web Services (AWS), for its extensive service offerings and infrastructure flexibility. Modern development practices were used along with a DevOps-centric approach to infrastructure and application deployments.
For the eCommerce platform, container technology was chosen, along with the ubiquitous Kubernetes (K8s). An environment was built in AWS utilizing a mix of IaaS and PaaS for both development efforts and production deployment. The K8s environment was built on top of EC2, and Amazon RDS was used for database services.
At Jersey Mike's, giving back to the community is just as important as providing a high-quality sub sandwich and, in that spirit, Jersey Mike's ran an advertising campaign during the COVID pandemic offering 50 percent off all sandwiches and free delivery. The demand on the mobile application was unprecedented! The number of orders processed by the mobile application went from 800 a day to 80,000+ within 4 hours of the deal announcement.
Technology in the cloud space evolves at incredible speeds; new services and capabilities are unveiled monthly that can increase efficiency, performance and stability while still lowering costs. New technology availability, coupled with the rapidly increasing demand for mobile ordering and delivery, provided the impetus for improving the infrastructure supporting the mobile application with a focus on optimized security, scalability and high availability.
To accomplish this, Jersey Mike's Cloud Team utilized their strong partnership with WWT to work together with our Cloud Architects and Engineers to design and deploy a Landing Zone as part of our Cloud Foundations Service Offering. Based on AWS Best Practices and experience working with other enterprise customers, the Cloud Foundations Service Offering is designed to provide organizations with a customized Landing Zone to address their unique cloud security, networking and operational challenges.
A secure foundation in AWS started with a new deployment centered around AWS Control Tower. Control Tower offered many key services that included AWS Organizations, AWS Single Sign-On, CloudTrail, Config, SNS and the ability to have a repeatable, secure account deployment process with Account Factory.
Utilizing the Account Factory feature in Control Tower allowed for a repeatable and automated account provisioning strategy. Account Factory automates the provisioning of AWS Config Logs and CloudTrail Logs and enables a secure framework of centralized logging for long-term archive and central analysis.
With the deployment of Control Tower and the creation of the core AWS accounts completed, the team started the tasks of creating customized code to provision the infrastructure within the accounts, based on unique customer requirements. CloudFormation was chosen because it was native and fully supported by AWS.
Some examples of CloudFormation templates used to set up an AWS account:
- A CloudFormation Stack Set was deployed to create an IAM password policy in alignment with Security Hub best practices checks.
- A CloudFormation Stack was deployed within each account to perform the following:
  - Enable CIS AWS Foundations Benchmark Log Metric Filters to address CIS checks 3.1 – 3.14.
  - Deploy the bulk of the infrastructure components, including a VPC, Subnets, Route Tables, an Internet Gateway, NAT Gateways and an S3 endpoint, and enable VPC Flow Logs that are sent to a central S3 bucket.
  - Attach the VPC created in the previous template to an AWS Transit Gateway in the Shared Services account and update any relevant route tables.
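To make the CIS log metric filter item concrete, here is an added example (not code from WWT or Jersey Mike's) that expresses two of those checks, 3.1 (unauthorized API calls) and 3.3 (root account usage) as numbered in CIS AWS Foundations Benchmark v1.2.0, as Python predicates and runs them over constructed CloudTrail events. The function names and the sample events are assumptions made for illustration.

```python
import fnmatch
import json

# CloudWatch Logs filter patterns from CIS AWS Foundations Benchmark v1.2.0,
# kept for reference; the predicates below mirror their logic.
CIS_3_1_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
CIS_3_3_PATTERN = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                   '&& $.eventType != "AwsServiceEvent" }')


def is_unauthorized_call(event):
    """CIS 3.1: an API call that was rejected for lack of permission."""
    code = event.get("errorCode", "")
    return (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
            or fnmatch.fnmatchcase(code, "AccessDenied*"))


def is_root_usage(event):
    """CIS 3.3: activity by the root user, excluding AWS service events."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


CHECKS = {"CIS-3.1": is_unauthorized_call, "CIS-3.3": is_root_usage}


def count_matches(raw_lines):
    """Return {check_id: match_count}, the value each metric filter would emit."""
    counts = {check_id: 0 for check_id in CHECKS}
    for line in raw_lines:
        event = json.loads(line)
        for check_id, predicate in CHECKS.items():
            if predicate(event):
                counts[check_id] += 1
    return counts


# Constructed CloudTrail records, reduced to the fields the filters read.
SAMPLE_EVENTS = [
    '{"eventName":"RunInstances","errorCode":"Client.UnauthorizedOperation","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser"}}',
    '{"eventName":"GetObject","errorCode":"AccessDenied","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole"}}',
    '{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root"}}',
    '{"eventName":"Decrypt","eventType":"AwsServiceEvent","userIdentity":{"type":"Root","invokedBy":"kms.amazonaws.com"}}',
    '{"eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser"}}',
]

if __name__ == "__main__":
    print(count_matches(SAMPLE_EVENTS))
```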
After the new AWS Foundation was deployed, additional steps were taken to continue to secure the environment. Each AWS Account in which a VPC was created has VPC Flow Logs enabled. VPC Flow Logs capture information about the IP traffic leaving and entering the network interfaces within a VPC. For Jersey Mike's, these flow logs are aggregated into a centralized S3 bucket in the Shared Services account. Centralizing the logs simplifies monitoring for potential threats and root cause analysis, and allows for easy integration with third-party network and threat analysis tools.
AWS Security Hub was enabled in order to provide compliance and security monitoring and guidance by following the Center for Internet Security (CIS) AWS Foundations Benchmark. The CIS benchmark is focused on IAM, Logging, Monitoring and Networking and adds another tool to maintain a strong security posture in a multi-account environment. The Security Account was designated the Security Hub Management Account to allow all findings to be analyzed from a central location.
Amazon GuardDuty was implemented as a threat detection service that continuously monitors for malicious activity in each AWS Account. GuardDuty analyzes events across many services, sends all findings to the central management account and stores the findings for long-term archive and analysis.
With the customized Landing Zone in place, providing for a solid Cloud Foundation to build and deploy workloads into, the Jersey Mike's Cloud Team and WWT Cloud Architects next tackled the application environment and operational challenges:
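As an added illustration of the central analysis this enables (example code, not from WWT or Jersey Mike's), the following parses default-format (version 2) VPC Flow Log records from several accounts and reports sources whose rejected flows touched many distinct destination ports. The account IDs, interface IDs, addresses, threshold and function names are constructed for the example.

```python
from collections import namedtuple

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)


def parse_record(line):
    """Parse one record; return None for the S3 header line, NODATA/SKIPDATA
    records (address fields are '-') and malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    record = FlowRecord(*parts)
    return record if record.log_status == "OK" else None


def rejected_sources(lines, threshold=3):
    """Return {(account_id, srcaddr): distinct_port_count} for sources whose
    REJECTed flows reached at least `threshold` distinct destination ports."""
    ports = {}
    for line in lines:
        record = parse_record(line)
        if record is None or record.action != "REJECT":
            continue
        key = (record.account_id, record.srcaddr)
        ports.setdefault(key, set()).add(record.dstport)
    return {key: len(seen) for key, seen in ports.items() if len(seen) >= threshold}


# Constructed sample, as it might look after merging objects from two accounts.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 111111111111 eni-0aaa 203.0.113.7 10.0.1.5 40001 22 6 1 40 1600000000 1600000060 REJECT OK
2 111111111111 eni-0aaa 203.0.113.7 10.0.1.5 40002 3389 6 1 40 1600000000 1600000060 REJECT OK
2 111111111111 eni-0aaa 203.0.113.7 10.0.1.5 40003 5432 6 1 40 1600000000 1600000060 REJECT OK
2 111111111111 eni-0aaa 198.51.100.9 10.0.1.5 50000 443 6 10 5200 1600000000 1600000060 ACCEPT OK
2 222222222222 eni-0bbb 198.51.100.9 10.1.1.8 50001 22 6 1 40 1600000000 1600000060 REJECT OK
2 222222222222 eni-0bbb - - - - - - - 1600000000 1600000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for (account, src), count in rejected_sources(SAMPLE_LOG).items():
        print(f"account {account}: {src} rejected on {count} distinct ports")
```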
- Optimize container environment for mobile application.
- Secure Remote Access.
- HA and DR strategies.
- Log Analysis and Visualization.
- Day 2 Operational tasks and repeatable processes.
The team analyzed performance data, application metrics and usage patterns for the existing environment to determine the appropriate sizing for the new environment. However, maintaining a business-critical application is more than just core counts and memory. The team looked at other factors, including staff availability, skillsets and experience, which are sometimes overlooked but equally essential.
With all those data points in hand, the Jersey Mike's cloud team decided that using a managed service like AWS EKS on Fargate met or exceeded their requirements. Using EKS and Fargate allowed Jersey Mike's to deploy a robust mobile application that scales with demand while also eliminating the need to provision and manage servers which host containers. Fargate allocates the appropriate amount of compute to ensure Jersey Mike's only pays for the resources required to run the mobile application.
With the availability of extensive APIs typical of most AWS services, EKS and Fargate were easily integrated into existing application pipelines.
To support secure remote access into the environment, both AWS Cloud9 and Amazon WorkSpaces were deployed.
AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run and debug your code using a standard browser from any internet-connected machine. Ideally, Cloud9 environments will be created within the Shared Services account.
- Includes a code editor, debugger and terminal.
- You can also quickly share your development environment with your team, enabling you to pair program and track each other's inputs in real time.
- Provides direct terminal access to AWS.
Amazon WorkSpaces enables an organization to deploy virtual Windows or Linux cloud-based desktops. For Jersey Mike's, WorkSpaces was deployed to provide an alternative remote connection method to Cloud9 should an administrator be more comfortable with a virtual desktop as opposed to a Cloud9 IDE.
"WWT's dedication to our success allowed Jersey Mike's to accelerate our capabilities to serve our customers online during the COVID-19 pandemic." - Scott Scherer, CIO
At WWT we help customers enable business growth by designing and deploying reliable, scalable and secure AWS environments. The starting point for any application deployment in AWS is a secure, reliable and automated Foundation. Security in AWS is a multi-tier approach that starts at the foundation, is applied at every tier of an application and is continuously monitored and alerted on. The AWS security posture of Jersey Mike's was increased by executing on WWT's Cloud Foundation Offering.
The use of EKS and Fargate provides a stable and scalable infrastructure for Jersey Mike's mobile application. They are able to meet heavy user demand, optimize their cloud spend and reduce the operational burden on their cloud team.
In addition, the team followed best practices and designed the architecture across multiple Availability Zones to ensure uptime in case of underlying infrastructure issues.
At WWT, we believe that informing customers and knowledge sharing is required for any successful project, particularly in the cloud space. One of our goals is to teach our customers so they can easily maintain the environment once our tasks are complete.
Throughout the duration of the project, the Jersey Mike's and WWT teams met daily to discuss progress, challenges and successes. In addition to the daily infrastructure meetings, more in-depth training sessions were conducted, such as a walkthrough on creating VPC infrastructure with CloudFormation, to ease the eventual support transition from WWT to the Jersey Mike's Cloud Team. At the end of the project, WWT presented Jersey Mike's with operational documents and runbooks detailing the custom setup and guides for daily support of the environment.