OpsMate by Triont · triont.com.au
OpsMate performed an AI-driven contextual discovery of a single AWS account responsible for network ingress — routing external traffic from global IoT devices and partners to backend processing systems. This is not a checkbox compliance scan. OpsMate explores your infrastructure the way a senior engineer would, following relationships between resources and identifying patterns that automated scanners miss.
In a single read-only pass, OpsMate discovered:
- 88 of 152 target groups (58%) have no healthy targets. These target groups serve IoT device hub endpoints across global locations including Ireland, New Zealand, Portugal, Australia, UAE, and West Africa.
- All unhealthy target groups trace back to just 3 backend EC2 instances with consistently failing health checks. If any of these instances fails, connectivity to field devices across multiple international sites would be lost simultaneously with no automated failover.
This isn't a theoretical risk. The infrastructure currently serving global IoT traffic has a 58% unhealthy rate across its target groups, concentrated on a small number of backend instances. A single instance failure could cascade into loss of telemetry from dozens of field devices across multiple countries — potentially affecting operations, SLAs, and regulatory reporting.
OpsMate mapped the complete ingress topology from internet-facing load balancers through to backend targets, including listener configurations, port mappings, and health status.
| Name | Type | Scheme | AZs | Listeners |
|---|---|---|---|---|
| Port Forwarder NLB | NLB | Internet-facing | 1 AZ | 32 |
| FTP Gateway NLB | NLB | Internet-facing | 3 AZs | 24 |
| Service NLB (public) | NLB | Internet-facing | 3 AZs | 3 |
| Application ALB | ALB | Internet-facing | 3 AZs | 2 |
| Device NLB — AZ-A | NLB | Internet-facing | 1 AZ | 28 |
| Device NLB — AZ-B | NLB | Internet-facing | 1 AZ | 28 |
| Internal Service NLB | NLB | Internal | 3 AZs | 3 |
| Internal Application ALB | ALB | Internal | 3 AZs | 3 |
| VPN Endpoint NLB | NLB | Internal | 2 AZs | 1 |
| Backend Service NLB | NLB | Internal | 1 AZ | 1 |
OpsMate didn't just count unhealthy targets — it traced the pattern. The 88 unhealthy target groups aren't 88 independent problems. They cluster into three root causes:
1. 24 target groups across global locations all route to one instance with failed health checks. They cover Ireland, NZ, Portugal, Australia, UAE, and West Africa.
2. Two EC2 instances serve device-specific target groups across two availability zones. Both are showing failed health checks. The pattern suggests a systemic issue rather than isolated service failures.
3. Several target groups appear unused or orphaned, including one with no registered targets at all. These add operational noise and make it harder to identify genuine issues.

13 EC2 instances were identified across the account. Instance types range from t3.nano to m5.xlarge. One instance has been running since August 2023 without replacement, a potential patching and lifecycle management concern. The AMIs are a mix of Amazon Linux 2, Amazon Linux 2023, and Ubuntu.
Prioritised and actionable — every recommendation includes effort estimates and deferral risk.
- The single instance serving 24 global hub target groups has consistently failing health checks. Determine if this is a misconfiguration or genuine service degradation.
- Two instances serving ~46 device target groups are both unhealthy. Review whether these need replacement, scaling, or architectural redesign for proper failover.
- Remove or decommission unused target groups to reduce operational noise. At least one has no registered targets at all.
- Two internet-facing NLBs are deployed in a single availability zone, creating an AZ-level single point of failure.
- One instance has been running since August 2023. Review AMI currency, patch levels, and whether replacement with a current AMI is warranted.
This is a sample report for demonstration purposes. Data points and metrics are generalised from multiple real OpsMate assessments across different production AWS environments. Account identifiers, instance IDs, and specific infrastructure details have been anonymised.