A Pragmatic Approach to Workload Migrations - London Summit Enterprise Track Replay

Transcript of "A Pragmatic Approach to Workload Migrations", Carlos Conde - Technology Evangelist

Many enterprises worry that these are the only two choices:

#1 Build a "private" cloud
#2 Rip everything out and move to AWS

Cloud isn't an "all or nothing" choice.

[Diagram: corporate data centers, with on-premises resources integrated with cloud resources]

SPEED & AGILITY: infrastructure in minutes, not weeks.

COST REDUCTION: 50 price reductions since 2006. Replace capital expenditure with variable expense.

AWS Assurance Programs: aws.amazon.com/compliance

FOCUS ON YOUR BUSINESS: no time and resources spent on undifferentiated IT.

Prepare  full  migration  to  AWS.

HYBRID WORKLOADS

o Dev & test environments
o Burst capacity
o Highly secure apps
o App migration
o Storage & archiving
o Disaster recovery
o Production app enrichment
o Load testing
o Remote monitoring
o etc.

On-premises IT mapped to cloud services:

Datacenter -> Regions, AZs
Network -> VPC, Direct Connect
Hypervisors -> AMIs, EC2 instances
Access control -> IAM, Directory Services
Data storage & applications
Development & operations

Datacenter: Regions, AZs

Network: VPC, Direct Connect

Oracle Secure Backup Module: Oracle RMAN -> Amazon S3

RESTORE TIMES REDUCED FROM 15 TO 2½ HOURS

Amazon Storage Gateway: virtual tape library, on-premises snapshots to AWS

AWS Virtual Private Network (IPsec VPN)

o IPsec hardware VPN connection. Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
o Encryption and integrity validation of the traffic in the tunnel
o Private RFC 1918 addressing on both sides
o Uses Border Gateway Protocol (BGP) for routing and fail-over
o The VPN service provides managed redundant endpoints (two tunnels per VPN connection)

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

[Diagram: corporate data center (users, servers, data center router) connected over the Internet by IPsec VPN to a virtual gateway, with VPC subnets in two Availability Zones, each protected by a security group]

DEV & TEST ENVIRONMENTS

[Diagram: an AWS region hosting a web layer, application layer and database layer with Auto Scaling, reached from the Internet and from your data center over a private connection]

[Diagram: an AWS region hosting a public-facing web app, a public app with back-end integration and a private app with back-end integration, all reaching core/shared services in your data center over a private connection]

AWS Direct Connect

o Requires Layer 2 single-mode fiber, 1000BASE-LX or 10GBASE-LR
o Requires 802.1Q VLANs across the connection (tagging of IP traffic)
o Routing uses BGP, active/active or active/passive multipath
o Each DX connection is mapped to a single AWS Region
o Various partners for every Region: http://aws.amazon.com/directconnect/

Note: Direct Connect is a private circuit, not an encrypted one. Where confidentiality on the wire matters, run an IPsec VPN over the Direct Connect link or encrypt at the application layer.

[Diagram: corporate data center (users, servers, data center router) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and the virtual gateway, with VPC subnets in two Availability Zones, each protected by a security group]

With AWS regions just another spoke on your global network, it's easy to bring the cloud to you as you expand around the world.

[Diagram: US, EU and AP customer data centers joined by the customer MPLS backbone, with AWS Direct Connect PoPs (Virginia or NYC, Ireland or London, Singapore) attaching the US-West-1, EU-West-1 and AP-Southeast-1 regions as spokes]

Access control: IAM, Directory Services

Active Directory and LDAP

o Reduced back-reach traffic
o Reduced latency for authentication
o Additional resiliency
o Enablement of both:
  Ø Multi-master read/write domain controllers
  Ø Read-only domain controllers (RODCs)
² Requires IPsec VPN or Direct Connect connectivity

Note: an RODC holds no writable copy of the directory and, by default, caches only the credentials its password replication policy allows, which limits the damage if a cloud-side controller is compromised.

http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

[Diagram: an AD.Domain domain controller in the corporate data center replicating (Active Directory replication) over Direct Connect and the virtual gateway to domain controllers in VPC subnets across two Availability Zones, each behind security groups]

AWS Directory Service

o Deploys in two modes:
  Ø AD Connector (Directory Service Connect), a proxy to your existing on-premises Active Directory
  Ø Simple AD, built on a Samba 4 Active Directory-compatible server
o Simplifies IAM federation:
  Ø Avoids the complexity and cost of hosting SAML-based federation infrastructure
  Ø AD Connector acts as a proxy: no directory data is stored on AWS infrastructure
  Ø Supports existing RADIUS-based MFA
² AD Connector requires IPsec VPN or Direct Connect connectivity to the on-premises directory

http://aws.amazon.com/directoryservice/

[Diagram: the on-premises AD.Domain domain controller reached from AD Connector instances in VPC subnets across two Availability Zones, behind security groups, via the virtual gateway and customer router]

Integrate identity management with AWS

• Secure access to AWS resources using your IdM
• Provide SSO to the AWS Management Console or APIs
• Build your own SSO federation using the AWS STS service, or
• Federate with on-premises directories like Active Directory, TFIM, OAM or another SAML 2.0 compliant IdP

AWS Federation / Account Governance

[Diagram: one AWS account per function, with users federating into each]

o Billing account: consolidated billing and billing alerts, used by financial users and controllers
o User management account: where users are managed, operated by the global AWS admin
o Security / Audit account: used by the SOC and auditors, with read-only access to all accounts
o Production account #1, non-prod account #1 and non-prod account #2 (dev/test/sandbox): used by app owners and DevOps teams for software development
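The governance slide's "read-only access for all accounts" is normally implemented as a role in every workload account that only the security/audit account can assume. The following is an added example (my own code, not from the talk or from AWS) that generates such a role's trust and permissions policies and then lints a pair of policies for the mistakes that quietly undo the intent: a wildcard principal, a missing MFA condition, or a write action hiding in a "read-only" policy. The account ID, role actions and the read-only verb list are assumptions for illustration; the verb list in particular is a heuristic, not an AWS definition.

```python
import json

# Heuristic: an action whose verb starts with one of these is treated as
# read-only.  This is my own list, not an AWS-defined one.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup", "View")


def audit_role_policies(trusted_account: str) -> tuple:
    """Return (trust_policy, permissions_policy) for a read-only audit role.

    The trust policy lets principals in `trusted_account` (the security/audit
    account) assume the role only when they authenticated with MFA, via the
    aws:MultiFactorAuthPresent condition key.
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
                       "ec2:Describe*", "iam:Get*", "iam:List*", "s3:ListAllMyBuckets"],
            "Resource": "*",
        }],
    }
    return trust, permissions


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_role(trust: dict, permissions: dict) -> list:
    """Findings for a role that is meant to be read-only and MFA-gated."""
    findings = []
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else _as_list(principal))
        if "*" in aws_principals:
            findings.append("trust policy allows any AWS principal ('*')")
        # Only a plain Bool condition counts; BoolIfExists passes when the key is absent.
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("trust policy does not require MFA (aws:MultiFactorAuthPresent)")
    for st in _as_list(permissions.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append("permissions policy uses NotAction; review the allowed set by hand")
        for action in _as_list(st.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"permissions policy grants non-read-only action {action}")
    return findings


if __name__ == "__main__":
    trust, perms = audit_role_policies("111111111111")  # fake account ID
    print(json.dumps(trust, indent=2))
    print("findings:", lint_role(trust, perms) or "none")
```

Apply the lint to every account's audit role, not only the template: drift usually appears when someone adds "just one" write action to get a report working.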

Hypervisors: AMIs, EC2 instances

Management integration: AWS Management Portal for vCenter, AWS Management Pack for SCOM, AWS Systems Manager for SCVMM

AWS Management Portal for vCenter: vCenter image migration

1. The vSphere client authorizes the import to the environment.
2. The management portal verifies that the user has permission to migrate VMs to the environment and returns a token.
3. The vSphere client sends an import request to the connector along with the token.
4. The connector verifies the token.
5. The connector verifies that the user has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to the vSphere client with the import task ID.
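The security-relevant point of the seven steps is that two parties must agree before a VM leaves the data center: the portal vouches for the user's right to import into the target environment (step 2), and the connector separately checks the token (step 4) and the user's right to export that VM (step 5). The talk does not say how the token is built, so the following is an added example (my own code, not the AWS portal or connector) that models the hand-off with an HMAC-signed, short-lived token bound to the user and target environment. The shared key, the token format and the connector's export ACL are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed: a key shared by portal and connector, provisioned out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 300

# Assumed: the connector's own view of who may export which VM (step 5).
EXPORT_ACL = {
    "alice": {"vm-web-01", "vm-db-01"},
    "bob": {"vm-web-01"},
}


def issue_token(user: str, environment: str, now=None) -> str:
    """Step 2: the portal, having checked that `user` may migrate into
    `environment`, returns a token bound to that user, environment and expiry."""
    now = time.time() if now is None else now
    claims = {"user": user, "env": environment, "exp": now + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + mac).decode()


def verify_token(token: str, now=None):
    """Step 4: the connector checks the MAC and expiry; returns claims or None."""
    now = time.time() if now is None else now
    try:
        body, mac = base64.urlsafe_b64decode(token.encode()).rsplit(b".", 1)
    except ValueError:  # bad base64 or no separator
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) < now:
        return None
    return claims


def forge_token(body: bytes, mac: bytes = b"0" * 64) -> str:
    """Builds a token with an arbitrary MAC, to show that verification rejects it."""
    return base64.urlsafe_b64encode(body + b"." + mac).decode()


def connector_import(token: str, vm_name: str, environment: str, now=None) -> dict:
    """Steps 3 to 7: the connector either starts the migration and returns a
    task ID, or refuses with a reason.  Both the token and the local export
    ACL must pass; neither party alone can authorize the export."""
    claims = verify_token(token, now)
    if claims is None:
        return {"ok": False, "reason": "invalid or expired token"}
    if claims["env"] != environment:
        return {"ok": False, "reason": "token was issued for a different environment"}
    if vm_name not in EXPORT_ACL.get(claims["user"], set()):
        return {"ok": False, "reason": f"{claims['user']} may not export {vm_name}"}
    task_id = hashlib.sha256(
        f"{claims['user']}:{vm_name}:{claims['exp']}".encode()).hexdigest()[:12]
    return {"ok": True, "task_id": task_id}


if __name__ == "__main__":
    token = issue_token("alice", "prod-vpc")
    print(connector_import(token, "vm-web-01", "prod-vpc"))
    print(connector_import(token, "vm-db-01", "dev-vpc"))
```

Binding the environment into the token matters: without it, a token obtained for a sandbox environment would be just as good for production.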

Bidirectional gold image replication

[Diagram: EC2 AMIs in the AWS cloud kept in sync with VM images in the legacy data center, in both directions]

Development & Operations

Integrating AWS into your operations

• Amazon CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
• Amazon SNS allows integration with your alerting systems
• Your current tools still work: install them on the EC2 instance
• Your tools already have AWS API integration
• Established processes don't get thrown away

Operations Tools and Monitoring

o Security monitoring integration points with CloudTrail and a SIEM aggregator
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
o Platform and app health to the SIEM aggregator via an agent on the EC2 guest
o Access to patching and updates for AMIs from the on-premises update server

Note: the CloudTrail S3 bucket is the SIEM's source of truth, so keep it write-protected from the workload accounts and enable CloudTrail log file validation, which lets you detect log files that were altered or deleted after delivery.
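The slide names the integration point (CloudTrail into a SIEM aggregator) but not what the SIEM should look for. The following is an added example (my own code, not from the talk or from AWS) of detection logic run over a few constructed CloudTrail records: root usage, console logins without MFA, changes to the trail itself, and security groups opened to the world. Field names follow the CloudTrail event schema; the records, rule set and severities are my own. CloudTrail delivers gzip-compressed files with a top-level "Records" array; the scanner takes one record per line, which is what a forwarder typically emits after unwrapping.

```python
import json

# Constructed sample records, one JSON object per line.  Field names follow
# the CloudTrail schema; users, IPs and IDs are invented.
SAMPLE_LOG = """
{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"}}
{"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
"""

TRAIL_TAMPER_EVENTS = ("StopLogging", "DeleteTrail", "UpdateTrail")


def detect(record: dict) -> list:
    """Return (severity, message) alerts raised by one CloudTrail record."""
    alerts = []
    name = record.get("eventName")
    ident = record.get("userIdentity", {})
    who = ident.get("userName", ident.get("type", "?"))
    src = record.get("sourceIPAddress", "?")

    # Rule 1: any use of the root account is worth a look.
    if ident.get("type") == "Root":
        alerts.append(("high", f"root credentials used for {name} from {src}"))

    # Rule 2: successful console login without MFA.
    if name == "ConsoleLogin":
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        if success and mfa != "Yes":
            alerts.append(("high", f"console login without MFA by {who} from {src}"))

    # Rule 3: someone changing or stopping the audit trail the SIEM depends on.
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        alerts.append(("critical", f"audit logging changed: {name} by {who}"))

    # Rule 4: a security group rule that admits the whole Internet.
    if name == "AuthorizeSecurityGroupIngress":
        params = record.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    alerts.append(("medium", f"{params.get('groupId')} opened port "
                                             f"{perm.get('fromPort')} to 0.0.0.0/0 by {who}"))
    return alerts


def scan(lines) -> list:
    """Parse newline-delimited JSON records and collect all alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(detect(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {message}")
```

Rule 3 is the one to wire to a paging alert: every other detection depends on the trail still being delivered.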

[Diagram: on-premises update servers and the SIEM aggregator connected through the customer router and Direct Connect to VPC subnets in two Availability Zones behind security groups; CloudTrail writes to the CloudTrail S3 bucket, and CloudTrail and CloudWatch feed the SIEM aggregator]

Continuous Integration and Deployment

o Automates application deployments to both on-premises and AWS EC2 instances with AWS CodeDeploy
o Reuse existing scripts and tools
  Ø Bash, PowerShell, Chef, Puppet, anything...
o Integrate with your developer tool chain
  Ø GitHub, Jenkins, CloudBees, TravisCI, Eclipse...

[Diagram: AWS CodeDeploy and AWS CloudFormation deploying from an S3 bucket to CodeDeploy agents on servers in the data center and on instances in VPC subnets across two Availability Zones, behind security groups]

Data storage & applications; Operations & automation

Storage Expansion

o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway-side encryption for security

[Diagram: servers and a storage appliance in the corporate data center mounting AWS Storage Gateway volumes over iSCSI, with the gateways backed by Amazon S3; VPC subnets in two Availability Zones behind security groups, reached through the customer router and Direct Connect]

Backup & Archiving

o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options such as:
  o De-duplication
  o Compression
  o WAN acceleration

[Diagram: the on-premises backup system and servers write over iSCSI to AWS Storage Gateway virtual tape libraries (VTL), which store to Amazon S3 and archive to Amazon Glacier; VPC subnets in two Availability Zones behind security groups]

SAP HANA: production ready with up to 244 GiB of RAM per node + clustering
http://aws.amazon.com/blogs/aws/sap-hana-production-ready-on-aws/

SAP HANA hybrid deployment

[Diagram: corporate data center linked by VPN (A = virtual private gateway, B = customer gateway, C = VPN connection) to an Amazon VPC subnet in one Availability Zone running BW ABAP 7.31 / NW JAVA 7.40; DEV and QA landscapes (BW, BI-JAVA) on 2 x 244 GB nodes each; UAT/DR and PRD landscapes (BW, BI-JAVA, Web Dispatcher) on SAP HANA clusters of 5 x 0.5 TB nodes each; SAP OSS reached via the Internet]

Extend local application capabilities: Amazon WorkSpaces, WorkDocs, WorkMail, Amazon Redshift, Amazon ML, Amazon CloudSearch, AWS CloudHSM, Amazon SES, Amazon SWF

BACKUPS + APPS + IAM => DISASTER RECOVERY

SCENARIO #1: COLD DR
SCENARIO #2: WARM DR
SCENARIO #3: INTERNAL APP

[Diagram: a region with one Availability Zone and VPC subnets A to G hosting a bastion host, proxy server, Active Directory, applications, databases, file servers and SmartSentinel, plus S3 buckets with objects; on-premises data centre A attached by site-to-site VPN and data centre B by AWS Direct Connect; remote desktops reach in by client-to-site VPN over the Internet]

SCALABILITY, MAINTAINABILITY, RELIABILITY, DURABILITY, CONFIGURABILITY...

RESILIENCE: the ability to cope with change

IF SOMETHING IS HARD, REPETITION MAKES IT EASIER

SIMULATION ENVIRONMENT FOR CRISIS SITUATIONS

GOOD WEATHER DOESN'T MAKE GOOD SAILORS

CLOUDFORMATION TEMPLATE

SIMULATE FAILURES
• Terminate resources
• Change security groups
• Change IAM roles
• Disable an IAM user
• Change the /etc/hosts file
• Amazon RDS fail-over test

VALIDATE YOUR ASSUMPTIONS. PROVE YOUR ARCHITECTURE. KNOW YOUR PROCEDURES.

LEARN FROM YOUR FAILURES

On-premises IT mapped to cloud services (summary):

Datacenter -> Regions, AZs
Network -> VPC, Direct Connect
Hypervisors -> AMIs, EC2 instances
Access control -> IAM, Directory Services
Data storage & applications
Operations & automation

HYBRID WORKLOADS (recap): dev & test environments, burst capacity, highly secure apps, app migration, storage & archiving, disaster recovery, production app enrichment, load testing, remote monitoring, etc.

ON-PREMISES: experiment infrequently; failure is expensive ($ millions); less innovation.

AWS CLOUD: experiment often; fail quickly at a low cost (nearly $0); more innovation.

AWS Cloud Adoption Framework

Describes the perspectives in planning, creating, managing, and supporting a modern IT service.

Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments.

http://bit.ly/AWSCAF

Perspectives: Business, Platform, Maturity, People, Process, Operations, Security