I’m a decent developer, but Trellis is really my first foray into any sort of infrastructure. I don’t have any kind of background in web server config, so the following comes from a place of ignorance; please understand that while reading.
I have a client with offices located around the globe, and they’re requesting an “intranet” (internal, employee-facing-only) site which is available and fast for all of their worldwide users. They currently host a site on their internal VMware environment at one of their US locations, but have found that tasks like watching training videos over their site-to-site VPNs to their global locations are prohibitively slow.
So… how do you do something like that? I’m comfortable suggesting a solution hosted at AWS or Digital Ocean and somehow locking down access only to their locations’ IPs (suggestions welcome there, too), but the geographic load-balancing and mirroring of the application server is frankly beyond my current experience.
Have any of you set something like this up? Can you give me an idea of how complex this kind of setup is, and how much maintenance it might require? I want to set realistic expectations.
If anything I’ve asked is unclear please let me know and I’ll clarify. Thanks for any insight you can provide!
That would be quite the task to undertake. If the biggest issue they have is streaming video on an intranet, I might suggest simply trying to have assets like videos served via S3 rather than an intranet. It could still quite possibly work the same; S3 has a lot of options for restricting access to objects. It could work in a relatively similar fashion with some setup.
S3 combined with CloudFront should get assets served pretty quickly with a view to worldwide distribution, without requiring actual servers in each location they’re being served.
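As an added illustration of the “restricting access to objects” idea above (not from the original thread), here is an S3 bucket policy that grants read access only from the offices’ public address ranges, which also covers the original poster’s wish to lock the site down to their locations’ IPs. The bucket name and the two CIDRs are constructed placeholders (documentation ranges), to be replaced with the real office egress addresses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadFromOfficeNetworksOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-intranet-media/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        }
      }
    }
  ]
}
```

Note that once CloudFront sits in front of the bucket, S3 sees CloudFront’s addresses rather than the viewer’s, so the office-IP restriction has to move to the distribution (for example an AWS WAF IP set) and the bucket should instead grant reads only to that distribution.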
If you have never set up load balancing yourself, and you don’t consider yourself a sysadmin, I’m going to strongly suggest you do not attempt to do this without help, let alone for a company intranet which they will depend on.
Another side of this is the fact that you will need to get into setting up sticky sessions (session affinity) because of the fact that they will most likely all be using unique logins, and you will most likely be needing authentication.
That being said, they are using what seems to be a self-hosted solution, running on VMware, and also using VPN tunneling; any one of those three situations could cause considerable latency problems on its own, not to mention putting them all together. Too many things can go wrong there if the person who put it together didn’t know exactly what they were doing.
You can probably get them a considerable boost by just moving them to a robust, single-server cloud setup (AWS or Google Cloud), picking the most centrally located region, and, as @kalenjohnson suggested, offloading their video hosting. Then you can most likely cut the VPN out completely by using enterprise-grade authentication; I suggest something like Auth0, I use them and they also have a solid WP plugin. This gets you Active Directory SSO, plus any other SSO authentication you can think of, for a good price.
Also another idea to kick around, if they are all Windows based and use Office 365 or internal Windows Server Active Directory, is looking into Azure AD on the Microsoft cloud.
Feel free to hit me up if you feel like you might need more help on this. We deal with this sort of stuff a lot, the other girl I work with is legit when it comes to AD setups.