HR in the always-on economy

For almost 100 years, Liantis has offered support to anyone who owns an enterprise and employs people. Headquartered in Bruges, Belgium, Liantis provides the HR systems that self-employed entrepreneurs and employers use for everything from recruitment to retirement. Three companies—and their IT management systems—merged to form Liantis in 2018, which supports payroll, benefits, insurance, and many more for its clients. More than 100 software developers and other teams update apps frequently in response to ever-changing government regulations, pension guidance, and tax laws.

“As Liantis has gone through a digital transformation, more and more of our portfolio features digital products delivered through our flagship portal, My Liantis,” notes Kurt Roggen, Liantis Infrastructure and Security Architect.

A few years ago, the company upgraded its IT platforms on-premises to meet the growing customer demand. The move helped the company stay flexible even during the COVID-19 pandemic, when so many Liantis customers needed help all at once. However, the company’s on-premises datacenter began to meet its capacity limits during peak usage, such as end-of-month payroll time and during annual accounting submissions.

“Infrastructure shouldn’t be a bottleneck,” Roggen observes. “Liantis has a cloud-first strategy.” That means during the creation of the business case, we compare the benefits of on-premises, infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). “We apply these cloud models to unburden our IT teams, meaning they don't need to worry about all the infrastructure. We want to go for the PaaS or SaaS solution rather than traditional virtual machines and IaaS.”

Roggen calls Liantis IT a “software factory” where the development teams are focused on delivering great digital experiences and value to customers. But the developers were building new products and apps faster than the on-premises infrastructure could support them. It was time for a new approach.

“We wanted to spend less time keeping base infrastructure, including virtual machines and containers, in the air,” Roggen recalls, “and more time delivering and adding value for our customers.”

The flagship My Liantis portal provides access to the Liantis portfolio.

Loosening the infrastructure bottleneck

With hundreds of Java services at stake, Liantis began a careful evaluation process. Every solution had to meet the company’s high standards for security, manageability, cost, and performance. IT teams use the popular Java Spring Framework with the Spring Boot technology to simplify the development of microservices-based applications, so Liantis looked at several Azure options, including Azure Kubernetes Service (AKS) and Azure Red Hat OpenShift.

“We tend to always start from the right in our evaluation process—meaning the right side of the as-a-service spectrum where we have SaaS,” Roggen explains. “The more we can delegate to someone who makes infrastructure and platform services its core business, the better. That's how we look at things.”

Around this time, Microsoft announced a partnership with VMware to create Azure Spring Apps, a platform that makes it simpler to deploy and operate Spring Cloud applications. The platform abstracts away the complexity of managing infrastructure and Spring Cloud middleware.

After thoroughly evaluating security, manageability, cost, performance, and other key criteria across the various services, Liantis chose Azure Spring Apps.

“Azure Spring Apps was a strategic fit for Liantis because we can really focus on building the application, whereas Microsoft provides and secures the application platform. That’s why Azure Spring Apps is a great fit,” Roggen concludes.

Liantis was an early adopter of Azure Spring Apps and provided input to the Microsoft product team during the service’s preview period. According to Roggen, the transition was very straightforward. The Java developers can focus on building their business logic while Azure takes care of dynamic scaling, security patches, compliance standards, and high availability.

A secure application architecture

For the past few years, Liantis has approached application development using event-driven and microservices-based architectures. “Our huge, monolithic HR payroll engine is being sliced into many, many microservices. And this is where Azure Spring Apps also fits in,” Roggen explains. Azure Spring Apps is at the center of an architectural approach that Liantis can stamp out consistently for all its workloads.

Most of the Liantis applications consist of multiple Spring Boot services plus an Angular front end. They require both synchronous and asynchronous connectivity to services and legacy systems on-premises, and the architecture is representative of other Liantis apps.

Liantis exposes its web apps through the flagship My Liantis portal. Customers have secure access through an easy, single sign-on experience provided by Spring integration with the ForgeRock identity provider and Azure Active Directory. “It was key that we were able to integrate with ForgeRock for our business applications and customer-facing applications,” Roggen reports. “In the end, it was a straightforward integration with Azure Spring Apps.”

Customer requests are sent through Azure Application Gateway, a web traffic load balancer and web application firewall, which routes requests to the back-end Spring Boot services running in Azure Spring Apps.

For access to services and systems on-premises, Liantis takes advantage of the virtual network (VNet) injection feature in Azure Spring Apps. Apps and the service runtime on the Liantis network are isolated from the internet, but VNet injection enables them to interact with systems on-premises and with Azure services in other virtual networks.

“VNet integration was one of our crucial security decisions—to only expose services through another mechanism,” Roggen explains. “In our case, it’s Azure Application Gateway, which exposes the services sitting behind it.”

A hub-spoke virtual network topology also helps add security through workload segmentation. The hub virtual network acts as the central point of connectivity for the spoke virtual networks, where the apps run. Low-latency virtual network peering connects the spokes to the hub. For added security, Liantis also enabled private endpoints for Azure services, which use a private IP address for the network interface.

Structured data associated with the apps is stored in Azure SQL Database, the highly scalable service that has become a Liantis standard. Because it’s only exposed through private endpoints, Roggen says it matches the VNet integration strategy and enables the applications to talk to the back-end databases securely without the public exposure typically associated with PaaS.

Azure Key Vault safeguards keys, passwords, and other secrets used for authentication, allowing secrets to be injected directly into applications through Spring. “Compared to our previous platform, management of secrets and keys is so much easier with Azure Key Vault,” Roggen reports.

External and internal communications are secured using TLS/SSL. “We were very happy to see that Azure Spring Apps—in a very simple, straightforward way—allows us to secure communications end to end, from the applications over the gateway servers, using Key Vault to insert certificates,” he adds.

Automation and end-to-end monitoring are also essential for the company. “It was crucial for Liantis to have hybrid monitoring across on-premises and cloud-based Spring Boot microservices,” Roggen explains. The Liantis team combines Dynatrace observability tools with Azure Monitor and Log Analytics for complete application health metrics. During testing, Liantis developers lean heavily on the log streaming feature, which sends real-time application console logs for troubleshooting. “Now we have a very simple onboarding process for new applications with Azure, Azure Spring Apps, and Dynatrace monitoring.”

Liantis can clone this architecture blueprint for most of its workloads. Spring Boot services run in Azure Spring Apps. Azure SQL Database supports the data layer. Private endpoints help secure service dependencies, while CI/CD and monitoring tools automate end to end. 

End-to-end integration where everything is automated

As Java and Angular fans, the Liantis developers continue to work with their chosen developer tools, such as IntelliJ IDEA. Azure Spring Apps supports popular integrated development environments (IDEs) and frameworks, plus tools for continuous integration and continuous deployment (CI/CD).

At the beginning of the project, Liantis was using Maven as a build tool, Bitbucket for version control, and Jenkins to run the CI/CD jobs. As part of its DevSecOps journey, the company looked for a DevOps platform. An investment in HashiCorp Terraform and GitHub paved the way for infrastructure as code (IaC).

“In our search for a DevOps platform, we took a different approach. We believe that there’s enormous value in the existing integrations of a platform like GitHub,” Roggen explains.

The move to IaC is helping the team speed apps into production. “Whether it’s the development, test, acceptance, or production environment, everything has to be deployed and managed through Terraform and IaC to stay consistent and avoid configuration drift,” he notes.

The team is also starting to provision the infrastructure for new deployments through GitHub Enterprise and GitHub Actions. Azure Spring Apps provides an action workflow for GitHub Actions to automate app deployments.

“We are in a transition phase,” Roggen points out. “GitHub Actions is key to engineering and development for automation. We get end-to-end visibility into our apps, systems, and end user experiences so we can detect challenges as they arise."

The first of many to follow

According to Roggen, Azure Spring Apps is helping Liantis deliver on its vision, and the migration of these applications is just the beginning. “It’s the first of many to follow,” he predicts. “For Liantis, this project has become a kind of development pattern that we reuse for many new developments, or use when we’re refactoring an existing app. It's become our standard.”

In moving to Azure Spring Apps, the company assesses the total cost of ownership by considering the expense of infrastructure maintenance on top of the cost of onboarding developers to a new platform. That’s harder to assess, but Liantis engineers are shifting to a cloud mindset as they become accustomed to allowing Azure to handle the infrastructure.

Roggen reports, “Now they have more time to focus on other interesting tasks that sometimes fall into the background when it gets busy, such as researching security and other innovative technology topics.”

For a company looking to scale with ease, the strategy fits.