

# Appendix: Application onboarding questionnaire


Use this questionnaire to describe your deployment elements and structure so AMS can determine what infrastructure components are needed. The onboarding requirements for Line-of-Business (LoB) applications differ significantly from those for product applications, so this questionnaire is designed to address both.

**Topics**
+ [Deployment summary](deployment-summary.md)
+ [Infrastructure deployment components](apx-aog-infra-components.md)
+ [Application hosting platform](app-host-platform.md)
+ [Application deployment model](app-deploy-model.md)
+ [Application dependencies](app-depends.md)
+ [SSL certificates for product applications](ssl-certs-for-prod-apps.md)

# Deployment summary


Provide a description of the deployment. For example:
+ This account is for a Line-of-Business (LoB) application deployment (as opposed to a product application deployment).
+ The deployment involves an auto-scaled ARP (authenticated reverse proxy) within the account’s public/DMZ subnet. 
+ Web and application servers will be deployed within the account's private subnet. 
+ An Amazon RDS (Amazon Relational Database Service) instance will also be deployed within the account’s private subnet. 
+ The servers (ARP, web, application, database, load balancer, and so on) are separated into distinct security groups. 
+ The account requires an HA (high availability) design spread across Availability Zones (AZs), that is, *Multi-AZ*.

# Infrastructure deployment components


What are all the different components that will need configuring to support your application?
+ Region: What AWS Region or Regions are needed?
+ High Availability (HA): What Availability Zones will be used?
+ Virtual Private Cloud (VPC): What is the CIDR block for the VPC?
+ What server instances are needed?
  + Authenticated Reverse Proxy (ARP): OS, AMI, instance type, subnet ID, security group, ingress port?
  + Application Deployment Tool server: OS, AMI, instance type, subnet ID, security group, ingress port (Chef, Puppet) or egress port (Ansible, SaltStack)?
  + Amazon RDS with MySQL: DB version, Usage Type, instance class, subnet ID, security group, DB instance ID, storage size, Multi-AZ, Auth type, encryption?
  + Storage: Is your app stateless? Do you require S3 buckets? Do you require persistent storage? Do you require data at rest encryption on your EBS volumes? Do you require DB encryption?
  + External (to the Managed Services VPC) server endpoints: SMTP? LDAP? 
  + Network requirements: Network filtering (based on security groups?)? Web traffic inspection (inbound? outbound?)?
+ Tagging: What tags should be used to group resources into logical collections? For example, all resources for an application stack. Select tags for your use case; for example, `backup=true` to enable backups. Additionally, you must use the tag `name=value` in order for any EC2 instances you create to display a name in the console.
+ Security groups: 
  + What security groups are needed?
  + Security group ingress rules?
  + Security group egress rules?
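
Once the placement and security group questions above are answered, the properties in the deployment summary (ARP in the public/DMZ subnet, other tiers private, distinct security groups, Multi-AZ) can be checked mechanically. The following is an added example, not AMS tooling; the answer format and every tier name, subnet name, security group ID, and CIDR in it are constructed assumptions.

```python
import ipaddress

# Constructed sample answers; all names, IDs and CIDRs are hypothetical.
ANSWERS = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {
        "dmz-a": {"cidr": "10.0.0.0/24", "az": "us-east-1a", "public": True},
        "dmz-b": {"cidr": "10.0.1.0/24", "az": "us-east-1b", "public": True},
        "priv-a": {"cidr": "10.0.10.0/24", "az": "us-east-1a", "public": False},
        "priv-b": {"cidr": "10.0.11.0/24", "az": "us-east-1b", "public": False},
    },
    "tiers": {
        "arp": {"subnets": ["dmz-a", "dmz-b"], "sg": "sg-arp",
                "ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
        "web": {"subnets": ["priv-a", "priv-b"], "sg": "sg-web",
                "ingress": [{"port": 443, "source": "sg-arp"}]},
        "db": {"subnets": ["priv-a", "priv-b"], "sg": "sg-db",
               "ingress": [{"port": 3306, "source": "sg-web"}]},
    },
}

def review(answers):
    """Return a list of findings; an empty list means the answers are consistent."""
    findings = []
    vpc = ipaddress.ip_network(answers["vpc_cidr"])
    subnets = answers["subnets"]
    for name, s in subnets.items():
        if not ipaddress.ip_network(s["cidr"]).subnet_of(vpc):
            findings.append(f"subnet {name} is outside the VPC CIDR")
    seen = {}  # security group -> first tier that claimed it
    for tier, t in answers["tiers"].items():
        if t["sg"] in seen:
            findings.append(f"{tier} shares {t['sg']} with {seen[t['sg']]}")
        seen[t["sg"]] = tier
        if len({subnets[s]["az"] for s in t["subnets"]}) < 2:
            findings.append(f"{tier} is not Multi-AZ")
        # Only the ARP tier belongs in the public/DMZ subnet.
        if tier != "arp" and any(subnets[s]["public"] for s in t["subnets"]):
            findings.append(f"{tier} is placed in a public subnet")
        for rule in t["ingress"]:
            if tier != "arp" and rule["source"] in ("0.0.0.0/0", "::/0"):
                findings.append(f"{tier} port {rule['port']} is open to the internet")
    return findings
```
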

# Application hosting platform


For your application hosting platform, consider the following possible requirements:
+ Databases encrypted?
+ Encryption keys managed by whom? 
+ All data in-transit and at-rest encrypted?
+ All user access to the system via HTTPS? 
+ All system-to-system interactions approved by your security operations team?

# Application deployment model


Consider how you plan to deploy your applications. See [What is my operating model?](op-model-aog.md)
+ Automated or manual? No deployment automation means no Auto Scaling. If you request access, log in, and manually update your application, and your update fails, AMS expects you to roll back your update or alert us through a service request so we can assist you.
+ If automated, what is the framework? Scripts? Agent-based (Puppet/Chef)? Agentless (Salt/Ansible)? CodeDeploy? Agent-based and agentless deployment tooling requires a separate instance to be created and deployed as the master server for the tooling. AMS expects you to be aware of all of the elements necessary for successful application deployment tooling; however, we are happy to help with related infrastructure questions.
+ Do your Line-of-Business applications (those applications that you use to create and manage your applications) require patching?

# Application dependencies


Do you need instances for Line-of-Business (LoB) applications? For product applications? 

What do your product applications need to function properly?
+ Network level dependencies: For example, Direct Connect
+ Package dependencies: For example, `pip`
+ Applications that this application depends on: For example, MySQL
+ Firewall dependencies?

What do your LoB applications need to function properly?
+ Network level dependencies: For example, Direct Connect
+ Package dependencies: For example, Firefox Saucy
+ Applications that this application depends on: For example, MySQL
+ Firewall dependencies?

# SSL certificates for product applications


What SSL certificates will your servers need so your applications (LoB and product) can reach everything they need to run and be accessible?
+ Auto Scaling Group?
+ Database (Amazon RDS)?
+ Load Balancer?
+ Deployment tool server?
+ Web application firewall (AWS WAF)?
+ Other instances?

As an example, for each of the instances listed above you might need the following certificates:

WAF (cert 1) -> ELB-Ext (cert 2) -> ARP (cert 3) -> ELB-Int (cert 4) -> Website (cert 5) -> ELB-Int (cert 6) -> Web service (cert 7).