The brief
A patient-facing application was running on RHEL7. It was past its useful life and close to losing vendor support. The customer needed it on RHEL9, with stronger logging, a tighter security perimeter and automation good enough that the next migration would not take as long. The application integrated with Norsk Helsenett (NHN, the regulated clinical network with strict peering and compliance controls) for clinical data exchange, adding a live compliance dependency to the migration.
The hard constraint was zero downtime. Patients depend on the service.
What I did
I led the migration from start to finish.
- Audit first. Mapped the existing test and production environments and noted where the documentation disagreed with the actual systems.
- Automation next. Wrote Ansible roles to provision the new RHEL9 estate, both application servers and PostgreSQL, next to the existing infrastructure rather than on top of it.
- Cutover last. Traffic switched only after the parallel environment was clearly equivalent.
A few supporting pieces were rebuilt as part of the same move.
- Filebeat reconfigured to forward into a fresh Logstash layer for centralised log analysis.
- F5 WAF rules standardised and put under version control.
- SIEM integration with Mnemonic for security event correlation.
- Jumphost access path replaced with a controlled, audited one.
Why it mattered
Healthcare infrastructure has a different cost curve from most things. Downtime here is not measured in lost revenue; it is measured in patients waiting. Getting this migration right also means the next one will be cheaper, faster and less stressful for everyone involved.