Based on current AWS best practices and the 2025 infrastructure landscape, here's the recommended architecture for a nonprofit that wants to embrace complete virtualization:
Core Infrastructure Components
1. Amazon WorkSpaces Family (Primary Virtual Desktops)
Amazon WorkSpaces provides persistent virtual desktops, so there is no hardware to procure and deploy and no complex software to install. Users can access their virtual desktops from multiple devices or from a web browser.
Recommended Configuration:
WorkSpaces Personal: For full-time staff requiring persistent, personalized environments
WorkSpaces Pools: For volunteers and temporary workers using standardized, non-persistent desktops
Instance Types: Standard bundles for general office work, Performance bundles for design/development staff
2. Containerized Application Infrastructure
Modern organizations in 2025 are transitioning from traditional virtual machines toward Kubernetes-native architectures to achieve greater efficiency, lower costs, and simpler infrastructure management.
Service Selection Strategy:
Amazon EKS (Elastic Kubernetes Service): For complex, multi-service applications requiring full Kubernetes features
Amazon ECS (Elastic Container Service): For simpler containerized applications with less orchestration complexity
AWS Fargate: For serverless container execution without managing underlying infrastructure
Database and Data Management Strategy
Multi-Database Approach:
Amazon RDS: For traditional relational data (donor management, financial records)
Amazon DocumentDB: MongoDB-compatible service for flexible document storage
ArangoDB on ECS/EKS: For complex relationship mapping (donor networks, program impact tracking)
ArangoDB Implementation: ArangoDB can be deployed on AWS using Docker containers in either ECS or EKS environments, providing a multi-model database supporting graphs, documents, and key-value pairs.
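# Example ArangoDB deployment on EKS
apiVersion: apps/v1
kind: Deployment
metadata:
  name: arangodb
spec:
  # Note: each replica of this image starts as an independent single server;
  # three replicas do not form an ArangoDB cluster or share data.
  replicas: 3
  selector:
    matchLabels:
      app: arangodb
  template:
    metadata:
      labels:
        app: arangodb
    spec:
      containers:
        - name: arangodb
          # Pin a specific version tag or image digest in production instead of :latest
          image: arangodb/arangodb:latest
          ports:
            - containerPort: 8529
          env:
            # Root password is read from a Kubernetes Secret, not stored in the manifest
            - name: ARANGO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: arangodb-secret
                  key: password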
Security Architecture
Zero Trust Implementation: Organizations should implement Zero Trust security models with Software Defined Perimeters to provide least-privilege access to network resources. This is especially important for nonprofits handling sensitive donor and beneficiary data.
Key Security Components:
AWS IAM Identity Center: Centralized identity management with multi-factor authentication
AWS Systems Manager Session Manager: Secure shell access without exposing ports
Amazon GuardDuty: Automated threat detection across all services
AWS Security Hub: Centralized security compliance monitoring
AWS Config: Continuous compliance monitoring and remediation
Network Security Design:
Internet Gateway
↓
Application Load Balancer (Public Subnets)
↓
WorkSpaces & EKS Worker Nodes (Private Subnets)
↓
RDS & ArangoDB (Private Database Subnets)
↓
VPC Endpoints (S3, Secrets Manager, etc.)
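As an added example (not part of the original architecture text), the least-privilege network access described above can be enforced inside the EKS cluster with Kubernetes NetworkPolicy objects. The namespace `nonprofit-apps` and the client labels `donor-api` and `database-backup` are assumptions, and the policies only take effect with a CNI that enforces NetworkPolicy.

```yaml
# 1) Default deny: no pod in the namespace accepts ingress unless a policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: nonprofit-apps          # assumed namespace
spec:
  podSelector: {}                    # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
---
# 2) ArangoDB accepts connections only from named clients on 8529,
#    and may itself only talk to cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: arangodb-allow-clients
  namespace: nonprofit-apps          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: arangodb                  # label used by the ArangoDB Deployment
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: donor-api         # assumed label of the application pods
        - podSelector:
            matchLabels:
              app: database-backup   # assumed label on the backup job pods
      ports:
        - protocol: TCP
          port: 8529
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:                         # DNS only; everything else is dropped
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```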
Infrastructure as Code Implementation
Recommended Stack:
AWS CDK (Cloud Development Kit) for type-safe infrastructure definitions
Terraform for multi-cloud compatibility and state management
Helm Charts for Kubernetes application deployment
AWS CodePipeline for automated deployment workflows
Sample CDK Structure:
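import { Stack, StackProps } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Cluster, KubernetesVersion } from 'aws-cdk-lib/aws-eks';
// CfnWorkspaceDirectory is kept as named in this sample; confirm that your
// aws-cdk-lib version exports it before relying on it.
import { CfnWorkspaceDirectory } from 'aws-cdk-lib/aws-workspaces';
import { Construct } from 'constructs';

// Stack props extended with the directory to register (interface name is illustrative)
export interface NonprofitInfrastructureStackProps extends StackProps {
  directoryId: string;
}

export class NonprofitInfrastructureStack extends Stack {
  constructor(scope: Construct, id: string, props: NonprofitInfrastructureStackProps) {
    super(scope, id, props);

    // VPC with public/private subnets across 3 AZs
    const vpc = new Vpc(this, 'NonprofitVPC', {
      maxAzs: 3,
      natGateways: 2
    });

    // EKS Cluster for applications
    const cluster = new Cluster(this, 'NonprofitEKS', {
      vpc,
      version: KubernetesVersion.V1_30,
      defaultCapacity: 3
    });

    // WorkSpaces Directory, placed in the private subnets only
    const directory = new CfnWorkspaceDirectory(this, 'WorkspacesDir', {
      directoryId: props.directoryId,
      subnetIds: vpc.privateSubnets.map(subnet => subnet.subnetId)
    });
  }
}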
Monitoring and Observability
Comprehensive Monitoring Stack: OpenTelemetry is becoming a key solution for monitoring diverse cloud environments, offering unified, agnostic logging mechanisms that help organizations monitor effectively while managing costs.
Implementation Components:
Amazon CloudWatch: AWS-native monitoring and logging
AWS X-Ray: Distributed tracing for microservices
Prometheus + Grafana: Open-source monitoring stack on EKS
OpenTelemetry Collector: Unified telemetry data collection
Cost Optimization Strategies
Right-Sizing and Automation: Organizations are managing cloud costs through automation of manual processes (65%), containerization (62%), and Infrastructure as Code (59%).
Cost Control Measures:
AWS Compute Optimizer: Automated right-sizing recommendations
Scheduled scaling: Auto-shutdown of non-production environments
Spot instances: Use for non-critical batch workloads
Reserved Instance planning: For predictable WorkSpaces usage
Disaster Recovery and Business Continuity
Multi-Region Strategy:
Primary Region: us-east-1 (Virginia) for lowest latency to East Coast
Secondary Region: us-west-2 (Oregon) for disaster recovery
RTO Target: 4 hours for critical systems
RPO Target: 1 hour for data loss tolerance
Backup Strategy:
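# Example backup configuration
apiVersion: batch/v1
kind: CronJob
metadata:
  name: database-backup
spec:
  # Daily at 2 AM; on its own, a daily dump does not meet the 1-hour RPO above
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          # Job pods must use OnFailure or Never; the default (Always) is rejected
          restartPolicy: OnFailure
          containers:
            - name: backup
              image: backup-tool:latest
              env:
                # Same Secret the ArangoDB Deployment uses for the root password
                - name: ARANGO_ROOT_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: arangodb-secret
                      key: password
              command:
                - /bin/bash
                - -c
                - |
                  # Stop on the first error so a failed dump is never uploaded
                  set -euo pipefail
                  # Backup ArangoDB
                  arangodump --server.endpoint tcp://arangodb:8529 \
                    --server.password "$ARANGO_ROOT_PASSWORD" \
                    --output-directory /backup/$(date +%Y%m%d)
                  # Upload to S3
                  aws s3 sync /backup s3://nonprofit-backups/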
Implementation Roadmap
Phase 1 (Weeks 1-2): Foundation
Set up AWS Organizations structure
Configure IAM Identity Center
Deploy VPC and basic networking
Establish monitoring baseline
Phase 2 (Weeks 3-4): Core Services
Deploy EKS cluster
Set up WorkSpaces directories
Configure basic security services
Implement backup systems
Phase 3 (Weeks 5-6): Applications
Deploy containerized applications
Configure databases (RDS, ArangoDB)
Set up CI/CD pipelines
User acceptance testing
Phase 4 (Weeks 7-8): Production & Optimization
Production cutover
Performance tuning
Cost optimization
Staff training completion
Ongoing Maintenance
Daily Tasks (Automated):
Security scan reports
Backup verification
Cost monitoring alerts
Performance metrics review
Weekly Tasks:
Security patch assessment
Capacity planning review
User access audit
Incident post-mortems
Monthly Tasks:
Disaster recovery testing
Cost optimization review
Security compliance audit
Infrastructure updates planning