by: VMware Software Engineer III Abhishek Anand
Due to the sensitive nature of certain products and technologies, companies are required to comply with the U.S. export control laws, which mandate that the classification of their offerings be assessed for potential military or strategic use. The export control classification number (ECCN) is a system used to categorize products and technologies based on their level of sensitivity. The ECCN helps determine whether the item can be exported and under what conditions. To determine the appropriate ECCN for a product, VMware requires all released products complete a product classification questionnaire (PCQ), which is based on Part 742, Supplement 6 of the export administration regulations (EAR).
How product classification process works
To facilitate the entire product classification process, an application is required. The product team release manager (RM) fills out the PCQ form for a new product to be classified, reviewed, approved, and launched.
The legal (trade compliance) team reviews the form and requests more details if necessary. When satisfied with the feedback and information provided, the PCQ request is approved by the legal (compliance) team and ECCN number is provided.
Additionally, the legal team submits applications to obtain foreign regulatory approvals, if required
VMware had an existing software-as-a-service (SaaS) application to manage the entire PCQ process, but there were challenges, such as poor user experience, slow performance, no collaborative experience for contributors, poor integration with other VMware applications and it was managed by a third-party vendor. Therefore, the plan is to bring the process in-house and improve the workflows.
There is an intricate workflow that needed to be streamlined and incorporated into the application. See Figure 1.
Figure 1. The PCQ workflow.
The release manager (RM) for the product logs into the application and has the option to either create a new PCQ or copy an existing, approved PCQ. The process for creating a new PCQ involves several steps:
- The RMs provide the product name, version, and the general availability (GA) date and starts the questionnaire. They are presented with approximately 50 questions that need to be filled out.
- If the RM is unsure of the answers to certain questions, she/he can assign them to the product team members who can submit the answers for review.
- If the RM is not satisfied with the answers provided, she/he can send it back for further clarification and revision.
- Once all questions are answered, the RM submits the questionnaire for trade team review.
- The trade team carefully reviews each answer and, if they feel that some questions have not been answered satisfactorily, they send it back to the RM for review.
- The RM can review those questions and resubmit the PCQ.
- The Trade Administrator then assigns the classification number and other details and approves the PCQ.
- The system then generates the product classification assessment document and foreign regulatory approval documents.
Alternatively, the RM can choose an existing, approved PCQ to start the process. She/he provides a new version and GA date and all the answers from the copied PCQ are automatically added. If none of the answers have changed, the RM can submit the PCQ, and it will be automatically approved. If there are changes, it goes through the regular process.
We engaged in a thorough and collaborative process, including multiple brainstorming sessions with business stakeholders, release managers, architects, and the user experience (UX) team, to come up with an architecture (see Figure 2) and develop a solution that effectively addresses all identified pain points, improves user experience, ensures scalability, and provides resilience.
Figure 2: System architecture of the PCQ application.
The solution was developed using the following components:
- VMware Workspace ONE®: manages access control and provide users with single sign-on (SSO) functionality for the application.
- VMware Tanzu® Kubernetes Grid™: an enterprise-ready Kubernetes runtime for consistent deployment across data centers, public clouds, and edge locations.
- AVI Kubernetes Ingress: for routing traffic and providing secure sockets layer (SSL) termination, path-based routing, and load balancing.
- Spring Boot® conventions: a widely used framework for building microservice-based applications; the entire business logic was coded using Java version 17, Spring Boot 2.7.x, VMware Spring Cloud® 2021.x and Spring Cloud® Gateway for Kubernetes.
- Angular with VMware Clarity: a popular choice for building single-page applications, offering rich user experiences, fast responsiveness, and code maintainability, paired with Clarity’s accessible and reusable UI components.
- VMware Application Catalog™: (previously VMware Tanzu® Application Catalog™) provided the base images for building the Docker files for Spring Boot and Angular containers.
- VMware Aria Operations™ for Applications: used for monitoring container logs and providing a dashboard for viewing events with filtering options and alert setup.
- VMware Aria Operations™ for Applications (previously VMware Tanzu® Observability™ by Wavefront): for in-depth monitoring of applications running on Tanzu Kubernetes Grid.
- MySQL: a relational database for storing the requests and workflow states.
- Dell S3: used for storing documents generated from Jasper templates with server-side encryption.
- Vault by HashiCorp: a reliable secrets engine for storing credentials.
The application is deployed across two availability zones, each with a minimum of three pods per service, to ensure high availability and resilience. We implemented an active-passive disaster recovery strategy, using the second availability zone as a warm standby.
The new application addresses the previous issues along with automating various components of the PCQ process, providing users with:
- An enhanced user experience that streamlines the submission of requests, access to helpful resources and progress tracking in a central location.
- Increased visibility into request status and identification of the responsible parties for approval at each step, resulting in a clear understanding of the request progression through the system.
- Detailed reports of PCQs, which can be used for further analysis and decision making.
The successful completion of this project is the result of a seamless collaboration between VMware IT, Trade Compliance business, and Legal business teams.
In the next phase of this journey, VMware IT plans to integrate this application with BOSS-D, an internal platform designed to be the single source of truth for all VMware products. This platform provides a one-stop shop for RMs to manage all aspects of their product and service lifecycle. Additionally, we intend to provide self-service capabilities for administrators to modify existing questionnaires or add new questions.
The topic continues to evolve, so contact your account team to schedule a briefing with a VMware IT expert to hear the latest. For more about how VMware IT addresses queries related to modern apps, check out more blogs on the topic. For other questions, contact firstname.lastname@example.org.
We look forward to hearing from you.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report and follow us on SoundCloud, Twitter and YouTube. All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware.