A Qatar-based ICT, OT, and Telecom solutions provider — serving Telecom, Banking and Finance, Armed Forces, Oil and Gas, Healthcare, Aerospace, Education, Hospitality, and Utilities clients — partnered with stc Bahrain to modernize its production ERPNext platform. As an ISO 9001 and ISO 45001 certified provider serving regulated clients under Qatar's National Information Assurance (NIA) framework, the customer needed to operate its own internal platforms with the same data sovereignty, security, and availability standards it advises its clients to adopt.
This transformation moved ERPNext from a self-managed single-server deployment in Doha to a managed, multi-AZ, globally distributed AWS architecture hosted in the AWS Middle East (Bahrain) Region — consolidating fragmented operations, accelerating release cadence, and satisfying Qatar NIA data residency requirements.
The Challenge
Before the engagement, the customer faced significant delivery, compliance, and performance risks:
• 2–3 Day Deployment Cycles: Manual SSH-based releases for every custom DocType, server script, or Frappe app update — with no automated test gate to validate custom modules before production.
• Single-Server Architecture: No Multi-AZ redundancy meant any hardware failure could halt procurement, asset tracking, payroll, and financial reporting across every industry vertical at once.
• Fragmented Operational Data: Disconnected spreadsheets and legacy tools caused duplicated data entry and stretched cross-vertical financial consolidation to 5–7 business days.
• Compliance Exposure: No KMS-managed encryption at rest, no immutable audit trail, and limited evidence for ISO 27001 and Qatar NIA — material risk for a provider serving Armed Forces, Banking, and Oil and Gas clients.
• Poor Global Performance: Page-load times of 3–5 seconds against the Doha-only deployment eroded productivity for the customer's distributed workforce in Qatar, South Asia, and international project sites.
Our Solution
stc Bahrain designed and delivered a multi-account AWS DevOps architecture in the AWS Middle East (Bahrain) Region:
1. Multi-Account Landing Zone with Data Sovereignty
• AWS Organizations structure with dedicated production, staging, shared-services, and security/logging accounts.
• All workloads hosted in the AWS Middle East (Bahrain) Region to satisfy Qatar NIA data residency requirements.
• Service Control Policies, AWS Config aggregator, and organization-wide CloudTrail with S3 Object Lock (WORM).
2. AWS-Native CI/CD with Immutable Deployments
• AWS CodeCommit → CodePipeline → CodeBuild orchestrating Frappe bench test execution against ephemeral MariaDB sidecars.
• Multi-container Docker image build and packaging into Elastic Beanstalk application bundles.
• Elastic Beanstalk's immutable deployment policy provisions new instances and only routes traffic after the ALB confirms healthy targets via the Frappe /api/method/ping endpoint, with automatic rollback on failure.
3. Multi-Container Application Runtime
• ERPNext deployed on AWS Elastic Beanstalk with Gunicorn web workers, the Frappe Scheduler, and Redis cache as separate, independently scalable containers.
• Multi-AZ Auto Scaling driven by CPU, memory, request count, and Frappe-worker queue depth.
• Application Load Balancer with AWS WAF protection in front of private application subnets.
4. Resilient Data and Encryption
• Amazon RDS for MariaDB in Multi-AZ mode with synchronous replication, automatic failover, and Point-in-Time Recovery.
• Amazon EFS with KMS encryption and TLS-encrypted mounts for shared ERPNext filestore.
• AWS KMS customer-managed keys across RDS, EFS, EBS, S3, and AWS Backup; AWS Secrets Manager for runtime injection of database and SMTP credentials.
5. Global Edge and Distributed Tracing
• Amazon CloudFront edge caching, TLS termination, and AWS Shield Standard DDoS protection in front of the ALB.
• Amazon Route 53 health-checked records supporting failover routing.
• AWS X-Ray distributed tracing across the full request path — from CloudFront edge through the ALB, into Gunicorn workers, and down to MariaDB queries — eliminating the need for bespoke instrumentation.
6. DevOps Enablement
• Structured 12-week enablement program covering Terraform, Elastic Beanstalk operations, CI/CD, observability, ERPNext bench administration, and AWS Well-Architected practices, ensuring the customer can independently operate and extend the platform.
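The data residency control in item 1 can be checked after the fact from the organization-wide CloudTrail. The following is an added example, not code from stc Bahrain or the customer: it flags events recorded outside the Bahrain Region (region code me-south-1), and the allowlist of global services and all sample records are assumptions constructed for illustration.

```python
import json

HOME_REGION = "me-south-1"    # AWS Middle East (Bahrain), the region the page names
GLOBAL_REGION = "us-east-1"   # where AWS global services record their events
# Assumption: global services this estate uses; extend to match your own.
GLOBAL_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com",
                  "cloudfront.amazonaws.com", "route53.amazonaws.com", "shield.amazonaws.com"}

def residency_findings(log_text):
    """Return one finding per CloudTrail event recorded outside the home region."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        region, source = rec.get("awsRegion"), rec.get("eventSource", "")
        if region == HOME_REGION:
            continue
        if region == GLOBAL_REGION and source in GLOBAL_SOURCES:
            continue
        findings.append({
            "account": rec.get("recipientAccountId"),
            "region": region,  # None (field missing) is reported, not skipped
            "call": f"{source.split('.')[0]}:{rec.get('eventName')}",
            # Anything not explicitly read-only may create or copy data there.
            "severity": "low" if rec.get("readOnly") is True else "high",
        })
    return findings

# Constructed sample in CloudTrail log-file shape; account IDs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"awsRegion": "me-south-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False, "recipientAccountId": "111111111111"},
    {"awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "readOnly": False, "recipientAccountId": "111111111111"},
    {"awsRegion": "eu-west-1", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "readOnly": False, "recipientAccountId": "222222222222"},
    {"awsRegion": "us-east-1", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "recipientAccountId": "222222222222"},
    {"awsRegion": "ap-south-1", "eventSource": "rds.amazonaws.com",
     "eventName": "CopyDBSnapshot", "readOnly": False, "recipientAccountId": "111111111111"},
]})

if __name__ == "__main__":
    for finding in residency_findings(SAMPLE_LOG):
        print(finding)
```

High-severity findings are the ones to reconcile against the Service Control Policies, since a write in another region means the preventive control did not cover that call.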
Key Benefits
• Deployment Lead Time Reduced from 2–3 Days to Under 15 Minutes
Through automated CodePipeline delivery with built-in immutable-deployment safety and automatic rollback.
• Sub-200 ms Global Page Loads (Down from 3–5 Seconds)
Via CloudFront edge caching for the distributed workforce in Qatar, South Asia, and international project sites.
• 99.9% Availability Target Achieved
Through Multi-AZ RDS MariaDB with automatic failover and ALB health-aware routing.
• ~50% Reduction in ERP Infrastructure Cost
Through managed AWS services and elimination of on-call hardware administration, while preserving ERPNext's open-source licensing economics.
• Validated 4-Hour RTO / 15-Minute RPO
Multi-AZ resilience with cross-AZ snapshot replication and EFS data protection.
• Qatar NIA and ISO 27001 Alignment
Data residency in AWS Middle East (Bahrain), KMS encryption at rest, immutable audit trails, and documented control mapping for regulator and client review.
AWS Services Used
Governance & Management
• AWS Organizations, AWS Config, AWS CloudTrail, Service Control Policies (SCPs)
CI/CD
• AWS CodeCommit, AWS CodePipeline, AWS CodeBuild
Compute & Application
• AWS Elastic Beanstalk (Multi-Container Docker), Amazon EC2, Application Load Balancer
Data & Storage
• Amazon RDS for MariaDB (Multi-AZ), Amazon EFS, Amazon S3 (Object Lock), AWS Backup
Edge & Networking
• Amazon CloudFront, AWS Shield Standard, AWS WAF, Amazon Route 53, Amazon VPC, AWS PrivateLink
Security & Identity
• AWS KMS, AWS Certificate Manager, IAM Identity Center, AWS Secrets Manager
Observability & Audit
• Amazon CloudWatch, AWS X-Ray, VPC Flow Logs
Conclusion
This engagement demonstrates how stc Bahrain, as an AWS Premier Tier Services Partner, helps regulated ICT providers consolidate fragmented operations onto a single, compliant, and globally performant ERP platform. The solution delivers data sovereignty, resilience, and release velocity simultaneously — strengthening the customer's competitive position across its most regulated industry verticals.
Contact our AWS DevOps specialists today at [email protected] to learn how we can transform your ERP platform through AWS-native automation, security, and global content delivery.

