HYBRID ARCHITECTURES
Jean-Pierre Le Goaller, Solutions Architect
Tel Aviv
Our journey today:
- What is hybrid infrastructure? Why?
- Connectivity: AWS Direct Connect, VPN, Amazon VPC
- Security and Compliance
- Operational Processes: Operations Integration
- Common workloads in hybrid infrastructure: Backup & Archive, DR, Dev & Test, Resource Intensive Applications, Application Migration
Why the Cloud? Why Hybrid?
"In the new world, it is not the big fish which eats the small fish, it's the fast fish which eats the slow fish." Klaus Schwab, Founder and Executive Chairman, World Economic Forum
SPEED & AGILITY: Infrastructure in minutes, not weeks.
FOCUS ON YOUR BUSINESS: No time & resources spent on undifferentiated IT. Prepare full migration to AWS.
COST REDUCTION: 40+ price reductions since 2006. Replace capital expenditure with variable expense.
5-year TCO per app: $3.01M on-premise vs $0.90M on AWS (70% lower). Source: IDC whitepaper, sponsored by Amazon, "The Business Value of Amazon Web Services Accelerates Over Time", July 2012.
FRIENDS DON'T LET FRIENDS BUILD DATA CENTERS ANYMORE
These are NOT the only two choices: #1 Build or keep a private cloud; #2 Rip everything out and move to AWS.
[Diagram] Hybrid Architectures: On-Premises Resources (Corporate Data Centers) <-> Integration <-> Cloud Resources
Hybrid Architectures. Gartner: "Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome." http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
Hybrid Workloads: Storage & Archiving; Disaster recovery; Dev & Test, Load testing, application migration; Burst capacity; Resource-intensive apps; Remote monitoring; etc.
Operations Checklist: Connectivity and Networking; Security and Compliance; Operations Integration; Billing and Account Governance.
[Diagram] Your data center connected to an AWS region over the Internet; on the AWS side a web layer, an application layer (Auto Scaling) and a database layer.
[Diagram] AWS Virtual Private Network (IPsec VPN): corporate data center (users, servers, data center router) -> IPsec VPN over the Internet -> Virtual Gateway -> VPC subnets (with security groups) across Availability Zones.
[Diagram] Your data center connected to an AWS region over a private connection; on the AWS side a web layer, an application layer (Auto Scaling) and a database layer.
[Diagram] AWS Direct Connect: corporate data center (users, servers, data center router) -> customer router -> AWS Direct Connect routers at an AWS Direct Connect Location -> Virtual Gateway -> VPC subnets (with security groups) across Availability Zones.
[Diagram] Connect to multiple VPCs: from your data center through an AWS Direct Connect Location into one AWS region with separate VPCs for a public-facing web app, a public app with back-end integration, a private app with back-end integration, and core/shared services.
[Diagram] Connect to multiple AWS regions (US-West-1, EU-West-1, AP-Southeast-1): US, EU and AP customer data centers joined by a customer MPLS backbone, each attached to an AWS Direct Connect PoP (Virginia or NYC; Ireland or London; Singapore).
AWS Assurance Programs: aws.amazon.com/compliance
Security Design topics: Logical Access Control; Account Structure; Network Configuration; Data Encryption; Asset Configuration; Logging and Monitoring; Patching; Security testing; Pre-audit procedures. Related services: Amazon VPC, AWS Directory Service, IAM, AWS CloudTrail, Encryption Keys, Amazon EMR.
Security Design - Logical Access Control: IAM users, groups and roles; AWS Management Console MFA; IAM key management; LDAP/Active Directory; Identity Federation.
[Diagram] Access Management with Active Directory and LDAP: on-premises domain controllers (AD.Domain) replicate over AWS Direct Connect (customer router -> AWS Direct Connect routers at an AWS Direct Connect Location -> Virtual Gateway) to domain controllers in VPC subnets (with security groups) across Availability Zones.
[Diagram] Access Management with AWS Directory Service: AD Connectors in VPC subnets (with security groups) across Availability Zones reach the on-premises domain controller (AD.Domain) over AWS Direct Connect (customer router -> AWS Direct Connect routers -> Virtual Gateway).
Access Management: Identity Federation
Security Design - Account Structure: dedicated security accounts for CloudTrail and logs; IAM master account; IAM user account; resource accounts with IAM roles; auditor.
AWS Account Governance:
- Root account (global AWS admin / IAM master): user management account
- Billing account (financial controllers): consolidated billing, billing alerts
- Security / audit account (SOC/auditors): consolidated CloudTrail logs
- Non-prod accounts #1 and #2 (developers): dev/test/sandbox
- Production accounts #1 and #2 (DevOps): production
Security Design - Network Configuration: VPC; VPN; encrypted Direct Connect; subnet NACLs; routing tables; security groups; bastion hosts.
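The slide lists security groups and bastion hosts together: in that pattern the bastion is the only host that accepts SSH from outside, and every other group admits SSH only from the bastion's security group. The following audit script is an added example (not code from the deck) that checks an inventory of security groups against that pattern. It works on the dict shape EC2's DescribeSecurityGroups API returns (what boto3 hands back as `SecurityGroups`); all groups, ids and CIDRs below are constructed placeholders.

```python
"""Audit VPC security groups for administrative ports reachable from anywhere.

Added example, not the deck's own code. It walks security groups in the
dict shape EC2's DescribeSecurityGroups API returns and flags inbound rules
that expose SSH (22) or RDP (3389) to 0.0.0.0/0 or ::/0, or that allow SSH
from any source other than the bastion host's security group. The inventory
below is constructed; group ids and CIDRs are placeholders.
"""
from typing import Dict, List

ADMIN_PORTS = (22, 3389)
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed inventory. In practice: ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-bastion0", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # placeholder corporate egress range
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web00001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion0"}]}]},
    {"GroupId": "sg-app00001", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db000001", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",  # "all traffic": every protocol and port
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]


def _covers_port(perm: Dict, port: int) -> bool:
    """True if an inbound permission entry includes the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all-traffic rules carry no port range
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidr_sources(perm: Dict) -> List[str]:
    """IPv4 and IPv6 CIDR sources of a permission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if "CidrIp" in r]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if "CidrIpv6" in r]
    return v4 + v6


def _sg_sources(perm: Dict) -> List[str]:
    """Security-group sources of a permission entry."""
    return [p["GroupId"] for p in perm.get("UserIdGroupPairs", []) if "GroupId" in p]


def audit_security_groups(groups: List[Dict], bastion_group_id: str) -> List[Dict]:
    """Return findings for admin ports open to the world or SSH not via the bastion."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = _cidr_sources(perm)
            world = any(c in ANY_CIDRS for c in cidrs)
            for port in ADMIN_PORTS:
                if world and _covers_port(perm, port):
                    findings.append({"group": group["GroupName"], "port": port,
                                     "rule": "admin_port_open_to_world"})
            # Bastion pattern: outside the bastion group itself, port 22 may
            # only be sourced from the bastion group.
            if group["GroupId"] != bastion_group_id and not world and _covers_port(perm, 22):
                others = cidrs + [s for s in _sg_sources(perm) if s != bastion_group_id]
                if others:
                    findings.append({"group": group["GroupName"], "port": 22,
                                     "rule": "ssh_source_not_bastion", "sources": others})
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, "sg-bastion0"):
        print(finding)
```

On the constructed inventory the web tier passes (443 to the world is expected for a web layer, and its SSH rule is sourced from the bastion group), the app tier is flagged for accepting SSH from a broad private range instead of the bastion group, and the database tier is flagged three times: an RDP rule open to IPv4 and an all-traffic rule open to IPv6 that implicitly covers both admin ports. Subnet NACLs, also on the slide, are a second layer on top of this and are not checked here.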
Security Design - Data Encryption: data at rest with AWS Key Management Service and AWS CloudHSM; data in flight; data and application tiering; dev/test policy.
Security Design - Asset Configuration: CMDB covering on-premises assets and Amazon EC2; AWS Config; AWS Service Catalog.
Security Design - Logging and Monitoring: AWS CloudTrail; log aggregation; log analysis; CloudWatch Logs and alerts; 3rd-party monitoring solution.
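The deck's account structure consolidates CloudTrail logs into a dedicated security/audit account and relies on IAM users, roles and console MFA for access. The following detector is an added example, not code from the deck, of the log analysis step that would run over those aggregated records: it parses a CloudTrail log body and raises findings for root account activity, console sign-ins without MFA, and changes that switch the trail off. It uses three real CloudTrail fields (`userIdentity.type`, `eventName`, `additionalEventData.MFAUsed`); the records in `SAMPLE_CLOUDTRAIL` are constructed for the example.

```python
"""Flag high-risk events in consolidated CloudTrail logs.

Added example, not from the deck. A minimal detector of the kind that runs
in a dedicated security/audit account over aggregated CloudTrail records.
Field names follow the CloudTrail JSON schema; the sample records are
constructed for this example (account id, user names and times are
placeholders).
"""
import json
from typing import Dict, Iterable, List

# Constructed sample log in CloudTrail's JSON shape ({"Records": [...]}).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-06-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"type": "Root"}},
    {"eventTime": "2015-06-01T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2015-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
]})

# CloudTrail control-plane actions that reduce audit visibility.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _actor(record: Dict) -> str:
    """Best-effort name of who performed the action."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_records(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched rule; a record can match several rules."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        base = {"time": rec.get("eventTime"), "event": name, "actor": _actor(rec)}

        # Rule 1: any use of the root account. Day-to-day work belongs to
        # IAM users and roles, so root activity is always worth a look.
        if ident.get("type") == "Root":
            findings.append(dict(base, rule="root_account_activity"))

        # Rule 2: console sign-in where MFA was not used.
        if name == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if mfa != "Yes":
                findings.append(dict(base, rule="console_login_without_mfa"))

        # Rule 3: someone switching the audit trail off or reconfiguring it.
        if name in TRAIL_TAMPER_EVENTS:
            findings.append(dict(base, rule="trail_tampering"))
    return findings


def analyze_cloudtrail_json(text: str) -> List[Dict]:
    """Parse one CloudTrail log file body and analyze its records."""
    return analyze_records(json.loads(text).get("Records", []))


def count_by_rule(findings: List[Dict]) -> Dict[str, int]:
    """Per-rule totals, suitable for a CloudWatch metric or SIEM dashboard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_cloudtrail_json(SAMPLE_CLOUDTRAIL)
    for f in found:
        print(f"{f['time']} {f['rule']:26} {f['event']:14} by {f['actor']}")
    print(count_by_rule(found))
```

In a hybrid setup the same findings can be forwarded to the on-premises SIEM aggregator shown in the operations monitoring diagram, or turned into CloudWatch alarms; the per-rule counts are the natural metric to alert on. Note that the sample deliberately contains a routine assumed-role S3 read that matches nothing, so the detector's output is only the three events a responder would want to see.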
Security Design - Patching: AMI, OS and applications.
Security Design - Security testing: penetration testing; denial of service.
Organization Operations Best Practices covers cloud deployment categories such as: billing and account governance; asset management; application HA/resilience; application backup and DR; monitoring and incident management; configuration and change management; release and deployment management.
[Diagram] AWS Operations Monitoring: corporate data center (users, update servers, SIEM aggregator, data center router) connected through a Virtual Gateway to VPC subnets (with security groups) across Availability Zones; AWS CloudTrail and Amazon CloudWatch on the AWS side.
AWS Operations Monitoring
[Diagram] Backup & Archiving: on-premises backup system and servers attach to AWS Storage Gateway over iSCSI; Storage Gateway (on-premises and in VPC subnets with security groups across Availability Zones) stores to Amazon S3 and Amazon Glacier; connectivity via customer router -> AWS Direct Connect routers at an AWS Direct Connect Location -> Virtual Gateway.
Oracle Secure Backup Module: Oracle RMAN backups to Amazon S3.
RESTORE TIMES REDUCED FROM 15 TO 2½ HOURS
Amazon Storage Gateway Virtual Tape Library: on-premises snapshots to AWS.
SCENARIO #1 COLD DR
SCENARIO #2 WARM DR
[Diagram] On-premise Data Centres A and B connect to an AWS region over the Internet (client-to-site and site-to-site VPN) and AWS Direct Connect; within one Availability Zone, VPC subnets A to G host Active Directory, a bastion host, SmartSentinel, a proxy server, remote desktops, applications, databases and file servers, alongside S3 buckets with objects.
Continuous Integration and Deployment: source control, issue tracking, continuous integration; deployment targets: AWS OpsWorks, Elastic Beanstalk, EC2.
Continuous Integration and Deployment: source control (AWS CodeCommit *), continuous integration (AWS CodePipeline *), deployment service (AWS CodeDeploy); deployment targets: EC2, on-premises servers.
[Diagram] Hybrid Continuous Integration and Deployment: AWS CodeDeploy agents on on-premises servers and on instances in VPC subnets (with security groups) across Availability Zones; artifacts in an S3 bucket; AWS CloudFormation; connectivity via customer router -> AWS Direct Connect routers at an AWS Direct Connect Location -> Virtual Gateway.
Testing on AWS. Unit & regression: scale up and run unit and regression plans in parallel in a fraction of the time. A/B: run A/B scenario testing with replica stacks. Load & performance: use the spot market for generating load and test how applications perform. Security: create sandboxes for aggressive security testing.
Load Testing in the Cloud
[Diagram] Cloudbursting: end users -> load balancers -> app servers and batch jobs; master DB and slave DB replicate between the private side and the cloud over a Direct Connection (low-latency private network).
Enterprise Applications
[Diagram] SAP HANA hybrid deployment: the corporate data center runs BW ABAP 7.31 / NW JAVA 7.40, BW BI-JAVA and Web Dispatcher systems (DEV, QA, UAT/DR, PRD), connected through a customer gateway (B), a VPN connection (C) and a virtual private gateway (A) to an Amazon VPC subnet in one Availability Zone hosting SAP HANA (2 x 244 GB nodes and 5 x 0.5 TB nodes); Internet; SAP OSS.
[Diagram] SharePoint reference implementation across two Availability Zones in one AWS region, each with a public subnet (NAT, RDGW) and private subnets for the web tier (IIS & SharePoint web front end), application tier (Central Admin & SharePoint services), database tier (primary SQL Server DB in AZ1, mirror DB and witness in AZ2) and Active Directory (primary DC/DNS in AZ1, backup DC/DNS in AZ2); users reach it through a VPN gateway and ELB; remote admin.
[Diagram] Amazon WorkDocs, enterprise storage and sharing service: users on the corporate network (with an AD domain controller) reach the AWS region over the Internet; AWS Directory Service AD Connector links to the on-premises AD.
[Diagram] Amazon WorkSpaces, Virtual Desktop Infrastructure: users on the corporate network (with an AD domain controller) reach Amazon WorkSpaces in the AWS region over the Internet; AWS Directory Service AD Connector links to the on-premises AD.
Amazon WorkSpaces, Virtual Desktop Infrastructure: secure; persistent; AD & MFA; backed up; centrally managed; fully customizable; no infrastructure; mobile-enabled.
Data Warehouse Internet of Things Big Data
How many big ticket technology ideas can your budget tolerate?
Big Data, Data Warehousing and IoT. Cloud big data portfolio (collect / store / analyze): Amazon Kinesis, Amazon S3, Amazon EMR, AWS Storage Gateway, Amazon Glacier, Amazon Redshift, Amazon EC2, Amazon RDS, Amazon SWF, AWS Import/Export.
[Diagram] Cloud Data Warehouse: corporate data center -> Amazon S3 -> Amazon EMR -> Amazon Redshift.
[Diagram] (Big) Data Warehouse Architecture: web servers (join via Facebook, add a skill page, invite friends) write user action trace events as raw data to Amazon S3; EMR Hive scripts process the content: log files are parsed with regular expressions to extract the needed fields, cookies are processed into searchable data such as Session, UserId and API security token, and surplus information such as internal Varnish logging is filtered out; raw events and aggregated data land in Amazon S3 and Amazon Redshift, from which data analysts get data through Excel and Tableau; internal web.
Cloud Readiness Assessment: create application inventory and interface dependencies; capture associated inventory of on-premises hardware; identify special operating systems (proprietary, ancient); determine timeframe.
Application portfolio assessment: collecting application portfolio inventory; defining segmentation and prioritization criteria; determining application migration options; creating application migration roadmap.
Segmentation and prioritization criteria: business criticality; technology complexity; sizing; HA/DR/BCP.
[Chart] What workloads to migrate first? App 1 to App 12 plotted by complexity against business impact.
[Chart] A possible prioritization: the same App 1 to App 12 on the complexity vs business impact grid.
Application Migration Methodology: Plan (strategy, analysis), Build (design, transition), Run (operations, improvement); app migration assessment; re-hosting (lift & shift); re-platforming (lift & reshape); app portfolio optimization.
Actual application migration patterns: discover/assess/prioritize applications -> determine migration path -> one of: retain / not moving; retire / decommission; purchase COTS/SaaS & licensing; provision & setup (manual install, manual config, migration tools, automated, manual deploy); modify underlying infrastructure; redesign application/infrastructure architecture (app code development, full ALM/SDLC, integration) -> test -> transition -> production.
The Migration Continuum: rehost, replatform, refactor, compared on effort, benefits and operational burden.
Migration Tools
VM Import/Export: bidirectional gold image replication between VM images in the legacy DC and EC2 AMIs in the AWS cloud.
AWS add-ons/plug-ins: AWS Management Portal for vCenter; Systems Manager for Microsoft System Center Virtual Machine Manager (SCVMM); Management Pack for Microsoft System Center Operations Manager (SCOM).
Application Migration - AWS Partners (discover, plan, migrate, integrate, validate, operate, optimize):
- Discovery tools: Risc Networks, ScienceLogic, ServiceNow, CopperEgg, AppDynamics
- TCO tools: Cloudamize, Apptio, CTP PaaSLane
- Migration tools: Racemi, CloudVelox, Rivermeadow, C3DNA, AppZero, Veeam, HotLink
- CI/CD orchestration: Jenkins, Puppet Labs, Ansible, Chef
- Cloud test tools: SOASTA, BlazeMeter
- Service management: ServiceNow, ServiceMesh, ScienceLogic
- Cloud management service: Cognizant Cloud360, BMC Cloud Lifecycle Management, InfoSys Cloud Ecosystem Hub, Cloudnexa vnoc
- App performance management: New Relic, AppDynamics, CA APM, Compuware APMaaS
- Cost optimization: Cloudability, Newvem
AWS Cloud Adoption Framework perspectives: Business, Platform, Maturity, Operations, People, Security, Process. Describes the perspectives in planning, creating, managing, and supporting a modern IT service. Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments. http://bit.ly/awscaf
Hess Corporation migration. Operating environment: 500+ servers; 750+ TB storage with PIOPS; thousands of users on two continents; mix of Windows 2003-2008R2. Software landscape: web & client applications; vendor & custom applications; SQL Server 2005-2012; Oracle 10 and 11g. Infrastructure & services: Citrix for application distribution; NetScaler for Citrix load balancing; F5 for application security; BizTalk; AD; SharePoint; user & departmental file shares.
Datacenter migrations: Dow Jones & Company. 1. Evaluate infrastructure costs & architecture; 2. Make business case; 3. Enable decision to move to the cloud. Results: from over 40 data centers down to 6; planning to migrate 3,000 apps; saving $100M over 3 years.
The beginning of a new journey? Recap: what is hybrid infrastructure and why; connectivity (AWS Direct Connect, VPN, Amazon VPC); security and compliance; operational processes (operations integration); common hybrid workloads (backup & archive, DR, dev & test, resource intensive applications, application migration).
SPEED OF ITERATION BEATS QUALITY OF ITERATION. GET STARTED EARLY WITH A POC/PILOT. BE NIMBLE.
[Diagram] First hybrid architecture: on-premises resources (corporate data centers).
[Diagram] Iterate: on-premises resources (corporate data centers).
[Diagram] Keep iterating: on-premises resources (corporate data centers) plus cloud resources.
Keep Iterating
HYBRID ARCHITECTURES. Jean-Pierre Le Goaller, Solutions Architect, jplg@amazon.lu