Running Hybrid Cloud Patterns on AWS

Transcript of Running Hybrid Cloud Patterns on AWS (34 pages)

Page 1: Running Hybrid Cloud Patterns on AWS

Running Hybrid - AWS
Version 1.0
Shiva N ([email protected]), AWS Solution Architect

Page 2: Running Hybrid Cloud Patterns on AWS

Our hybrid journey today (agenda)

Start
o What/Why?
o Connectivity: VPC VPN, AWS Direct Connect
o Authentication: Enterprise integration, Federation
o Operations: Resource Tracking, Service Catalog
o Common workloads: Backup & archive, Storage expansion, Split Tier, Cloud bursting
Integrated

Page 3: Running Hybrid Cloud Patterns on AWS

Agenda slide repeated (see page 2).

Page 4: Running Hybrid Cloud Patterns on AWS

What is Hybrid

http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp

“Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”

Page 5: Running Hybrid Cloud Patterns on AWS

Why Hybrid? (Cloud is the new normal)

• Existing infrastructure investments
• Middle ground between CapEx and OpEx models
• Regulatory and compliance requirements
• Spreading the risk / avoiding vendor lock-in
• Legacy hardware/software requirements
• Access to unique capabilities
• Commercial/licensing/support limitations

Page 6: Running Hybrid Cloud Patterns on AWS

Challenges and Best Practices

• Challenges
  • Expensive
  • Comparable services
  • Transport delays
  • Customer is limited to the least common denominator
  • Degraded agility
  • Complex maintenance and operation

• Some best practices
  • Defined operating model
  • Automation… automation… automation
  • Appropriate tools – no one tool fits all
  • Use each environment’s native services and features as much as possible
  • Use cloud-native or made-for-the-cloud products/solutions/services

Page 7: Running Hybrid Cloud Patterns on AWS

Agenda slide repeated (see page 2); next section: Connectivity.

Page 8: Running Hybrid Cloud Patterns on AWS

AWS Virtual Private Network (IPSec VPN)

o IPSec hardware VPN connection from a supported customer VPN appliance to the virtual private gateway of the VPC
o Encryption and authentication of traffic in transit (IKE with a pre-shared key); the tunnel crosses the public Internet, so only the tunnel endpoints are exposed, not the payload
o Private RFC 1918 addressing on both sides; the data center and VPC ranges must not overlap
o Uses Border Gateway Protocol (BGP) for routing and fail-over (static routing is also supported; BGP gives automatic failover between the tunnels)
o VPN service provides managed redundant end-points: two tunnels per VPN connection, both to be terminated on the customer gateway

Diagram: corporate data center (users, servers, data center router) reaches the virtual gateway of the VPC over an IPSec VPN across the Internet; the VPC has subnets in two Availability Zones, each with its own security group.

Page 9: Running Hybrid Cloud Patterns on AWS

AWS Direct Connect

o Requires Layer 2 single-mode fiber: 1000BASE-LX (1 Gbps) or 10GBASE-LR (10 Gbps)
o Requires 802.1Q VLAN tagging of IP traffic across the connection (one VLAN per virtual interface)
o Routing uses BGP; with more than one connection, active/active (BGP multipath) or active/passive
o Each Direct Connect connection is mapped to a single AWS Region
o The circuit is private but not encrypted by the service; for encryption layer an IPSec VPN on top (the Direct Connect + VPN pattern on page 11)

Diagram: corporate data center (users, servers, data center router) connects through the customer router at the AWS Direct Connect location to the AWS Direct Connect routers, then to the virtual gateway of the VPC, which fronts subnets in two Availability Zones, each with its own security group.

Page 10: Running Hybrid Cloud Patterns on AWS

AWS Direct Connect (diagram slide)

Page 11: Running Hybrid Cloud Patterns on AWS

AWS Direct Connect + AWS VPN

o Dedicated network path with assured bandwidth
o More secure than an Internet-based IPSec VPN: the IPSec tunnel runs over the Direct Connect path and avoids the Internet traverse
o Reduced IPSec network transfer costs (Direct Connect data transfer out is priced below Internet data transfer out)
o Additional network security: Direct Connect provides path isolation, the IPSec VPN on top provides encryption and authentication of the traffic

Diagram: corporate data center (users, servers, data center router, customer router) at the AWS Direct Connect location; the IPSec VPN runs across the AWS Direct Connect routers to the virtual gateway, which fronts VPC subnets in two Availability Zones, each with its own security group.

Page 12: Running Hybrid Cloud Patterns on AWS

Hybrid infrastructure example

Diagram: an AWS region hosting a web layer, application layer and database layer under Auto Scaling, reached by users from the Internet; a private connection links the AWS region to your data center.

Page 13: Running Hybrid Cloud Patterns on AWS

Agenda slide repeated (see page 2); next section: Authentication.

Page 14: Running Hybrid Cloud Patterns on AWS

Active Directory and LDAP

o Reduced back-reach traffic to the data center
o Reduced latency for authentication
o Additional resiliency
o Enablement of both multi-master read/write Domain Controllers and Read-only Domain Controllers (RODCs) in the VPC
o Requires IPSec VPN or Direct Connect connectivity

Active Directory Replication

Diagram: domain controllers for AD.Domain in the corporate data center replicate through the virtual gateway to domain controllers in VPC subnets in two Availability Zones, each behind its own security group.

Security group for AD replication (allow only from the on-premises domain controller subnets, never from 0.0.0.0/0):

Type   Port numbers
TCP    53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP    53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535

Port roles: 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 137-139 NetBIOS, 389/636 LDAP/LDAPS, 445 SMB, 464 Kerberos password change, 3268/3269 Global Catalog (plain/TLS), 5722 DFS Replication, 49152-65535 RPC dynamic port range, 67 DHCP, 123 NTP, 2535 MADCAP, 5355 LLMNR. The dynamic range is unavoidably wide, so the source CIDR of that rule is what keeps the exposure small.

Page 15: Running Hybrid Cloud Patterns on AWS

AWS Directory Service

o Deploys in two modes
  Directory Service Connect (AD Connector): a proxy to the existing on-premises Active Directory
  Simple AD: built on a Samba 4 Active Directory-compatible server
o Simplifies IAM federation
  Avoids the complexity and cost of hosting SAML-based federation infrastructure
  AD Connector acts as a proxy: no directory data is stored on AWS infrastructure
  Supports existing RADIUS-based MFA
  Requires IPSec VPN or Direct Connect connectivity to the on-premises domain controllers

Diagram: AWS Directory Service Connect in VPC subnets across two Availability Zones (each with its own security group) forwards requests through the virtual gateway to the AD.Domain domain controller in the corporate data center.

Page 16: Running Hybrid Cloud Patterns on AWS

Enterprise Federation: integrate identity management with AWS

• Secure access to AWS resources using your IdM
• Provide SSO to the AWS Management Console or APIs
• Build your own SSO federation using the AWS STS service, or
• Federate with on-premise directories like Active Directory, TFIM (IBM Tivoli Federated Identity Manager), OAM (Oracle Access Manager) or another SAML 2.0 compliant IdP

Page 17: Running Hybrid Cloud Patterns on AWS

AWS federation/account governance

Diagram: one account per function, with federated user groups mapped to the accounts they need.

Function           Account                     Who                                 Notes
Financial          Billing account             Financial users, controllers        Consolidated Billing, billing alerts
Security/audit     Security / Audit account    SOC/Auditors                        Read-only access for all accounts
User management    User management account     Global AWS admin
Production         Production account #1       App owners
Dev/test/sandbox   Non-prod account #1, #2     Software development, DevOps teams
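The governance model above hinges on every workload account trusting only the user management and security/audit accounts, and on that trust carrying an MFA condition (or an ExternalId for a non-human caller). The Python below is an added example, not from the deck: it audits IAM role trust policies (the AssumeRolePolicyDocument that iam:GetRole returns) against that rule. The account IDs 111111111111 and 222222222222, the role names and the three sample policies are invented; on the permissions side the read-only audit role would carry the AWS managed ReadOnlyAccess or SecurityAudit policy.

```python
"""Cross-account trust audit for a multi-account hybrid estate (added example).

Assumed account IDs: 111111111111 = user management account (where federated
users land), 222222222222 = security/audit account. Service principals
(e.g. ec2.amazonaws.com) are ignored; this only checks AWS-account trusts.
"""
import json

USER_MGMT_ACCOUNT = "111111111111"        # assumed
SECURITY_AUDIT_ACCOUNT = "222222222222"   # assumed
TRUSTED_ACCOUNTS = {USER_MGMT_ACCOUNT, SECURITY_AUDIT_ACCOUNT}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    """arn:aws:iam::123456789012:root -> '123456789012'."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_trust_policy(role_name, doc):
    """Findings for one role's trust policy (AssumeRolePolicyDocument)."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        cond = stmt.get("Condition", {})
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        ext_id = "sts:ExternalId" in cond.get("StringEquals", {})
        for p in aws:
            if p == "*":
                findings.append(f"{role_name}: wildcard principal can assume the role")
                continue
            acct = _account_of(p)
            if acct not in TRUSTED_ACCOUNTS:
                findings.append(f"{role_name}: trusts untrusted account {acct}")
            # ':root' delegates to every principal in that account, so it needs a
            # condition that proves the caller is a human with MFA or a known system.
            if p.endswith(":root") and not (mfa or ext_id):
                findings.append(f"{role_name}: account-wide trust of {acct} "
                                "without MFA or ExternalId condition")
    return findings


def audit_roles(roles):
    """{role name: findings} for every role that is not clean."""
    report = {}
    for name, doc in roles.items():
        findings = audit_trust_policy(name, doc)
        if findings:
            report[name] = findings
    return report


# Constructed trust policies in the decoded shape iam:GetRole returns.
SAMPLE_ROLES = {
    "SecurityAuditReadOnly": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "DevOpsDeploy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},     # no MFA condition
    "LegacyIntegration": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["*", "arn:aws:iam::333333333333:role/etl"]}}]},
}

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

Run this from the security/audit account against every role returned by `iam:ListRoles` in each workload account; the first two findings it raises (a `"*"` principal and an unconditioned `:root` trust) are the two ways a cross-account model silently degrades into "anyone in account X".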

Page 18: Running Hybrid Cloud Patterns on AWS

Resource Tracking and Cost Allocation: tag and describe your infrastructure

• Describe every AWS object through an API call
• Resources in AWS can have custom tags
• Custom tags can be used to control permissions, and
• Allocate costs, enabling charge-back of service usage
• Dynamically generate a full inventory
• Visualize your AWS infrastructure in real time

Example tag set:
Name: APAWSIN001
Purpose: Production
Application: SharePoint Farm 03
Business Unit: Marketing
Cost Centre: 2384234
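The tag set above only pays off if it is enforced. The Python below is an added example, not from the deck: it checks a DescribeInstances-shaped inventory against a required-tag policy and returns the non-compliant resources, and shows the IAM condition that makes a custom tag control permissions. The value rules (naming pattern, allowed Purpose values, 7-digit cost centre), the three sample instances and the Purpose-based ABAC policy are assumptions.

```python
"""Tag compliance over a resource inventory (added example, not from the deck).

The required tag keys come from the slide's example; the value rules, the
naming pattern and the sample instances are assumptions. Real input would be
ec2:DescribeInstances or the Resource Groups Tagging API.
"""
import json
import re

# Key -> regex the value must match (rules assumed; adjust to your standard).
TAG_POLICY = {
    "Name": re.compile(r"^[A-Z]{2}AWS[A-Z]{2}\d{3}$"),      # e.g. APAWSIN001
    "Purpose": re.compile(r"^(Production|NonProd|Sandbox)$"),
    "Application": re.compile(r"\S"),
    "Business Unit": re.compile(r"\S"),
    "Cost Centre": re.compile(r"^\d{7}$"),                  # e.g. 2384234
}

# Constructed inventory in the shape of ec2:DescribeInstances "Instances" entries.
SAMPLE_INVENTORY = [
    {"InstanceId": "i-0a1", "Tags": [
        {"Key": "Name", "Value": "APAWSIN001"}, {"Key": "Purpose", "Value": "Production"},
        {"Key": "Application", "Value": "SharePoint Farm 03"},
        {"Key": "Business Unit", "Value": "Marketing"}, {"Key": "Cost Centre", "Value": "2384234"}]},
    {"InstanceId": "i-0b2", "Tags": [
        {"Key": "Name", "Value": "APAWSIN002"}, {"Key": "Purpose", "Value": "prod"},   # bad value
        {"Key": "Cost Centre", "Value": "CC-99"}]},                                      # bad format
    {"InstanceId": "i-0c3", "Tags": []},                                                 # untagged
]


def tags_of(resource):
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def check_resource(resource):
    """Problems as 'missing:<key>' or 'invalid:<key>=<value>', in policy order."""
    tags = tags_of(resource)
    problems = []
    for key, rule in TAG_POLICY.items():
        if key not in tags:
            problems.append(f"missing:{key}")
        elif not rule.search(tags[key]):
            problems.append(f"invalid:{key}={tags[key]}")
    return problems


def non_compliant(inventory):
    """{resource id: [problems]} for every resource that fails the policy."""
    report = {}
    for res in inventory:
        problems = check_resource(res)
        if problems:
            report[res["InstanceId"]] = problems
    return report


def abac_policy():
    """IAM policy using the Purpose tag to control permissions (assumed design,
    but the condition keys are real): a principal may only stop or terminate
    instances whose Purpose tag equals the principal's own Purpose tag.
    Because it is a Deny with StringNotEquals, an instance with no Purpose tag
    is also denied, so untagged resources fail closed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {
                "ec2:ResourceTag/Purpose": "${aws:PrincipalTag/Purpose}"}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(non_compliant(SAMPLE_INVENTORY), indent=2))
    print(json.dumps(abac_policy(), indent=2))
```

The compliance report is the input for both charge-back (a resource with no Cost Centre has nobody paying for it) and for the ABAC policy, which is only as good as the tags it compares; tag-writing permissions (`ec2:CreateTags`) therefore need the same care as the resources themselves.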

Page 19: Running Hybrid Cloud Patterns on AWS

Operations Monitoring

o Security monitoring integration points with CloudTrail and a SIEM aggregator
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
o Platform and application health to the SIEM aggregator via an agent on the EC2 guest
o CloudWatch Logs provide scalable, low-cost log aggregation
o Access to patching and updates for AMIs from the on-premise update server over the hybrid connectivity

CloudTrail only records what it is enabled for: turn it on in every account and region of the governance model, and keep the log bucket out of reach of the accounts it audits.

Diagram: CloudTrail and CloudWatch in the AWS region feed the SIEM aggregator in the corporate data center; update servers in the data center reach EC2 instances in VPC subnets across two Availability Zones (each with its own security group) through the data center router, the connectivity link and the virtual gateway.
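For the CloudTrail-to-SIEM integration point above, the value is in what the aggregator does with the records. The Python below is an added example, not from the deck: four detection rules run over CloudTrail records in the JSON layout CloudTrail delivers to S3, two of them specific to a hybrid estate (a security group opened to 0.0.0.0/0, a VPN or Direct Connect link removed) and two generic (console login without MFA, CloudTrail tampering). The six sample records, the user names, the account ID 111111111111 and the list of hybrid-link event names are constructed.

```python
"""Detection rules over CloudTrail records ahead of the SIEM (added example).

Record layout follows the CloudTrail JSON format; all records, names and the
account ID 111111111111 are constructed for the example.
"""
import json

# API calls that change the hybrid link itself (assumed list; narrow further by
# eventSource in production, since DeleteConnection exists in other services).
HYBRID_LINK_EVENTS = {
    "DeleteVpnConnection", "DeleteCustomerGateway", "DetachVpnGateway",
    "DeleteVpnConnectionRoute", "DeleteVirtualInterface", "DeleteConnection",
}

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "eventTime": "2015-06-01T08:00:00Z",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.10.0.5", "eventTime": "2015-06-01T08:05:00Z",
     "requestParameters": {"groupId": "sg-0aa1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 389, "toPort": 389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.10.0.5", "eventTime": "2015-06-01T08:06:00Z",
     "requestParameters": {"groupId": "sg-0aa1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 88, "toPort": 88,
          "ipRanges": {"items": [{"cidrIp": "10.10.0.0/24"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "sourceIPAddress": "203.0.113.9", "eventTime": "2015-06-01T08:10:00Z",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"}},
    {"eventName": "DeleteVpnConnection", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "sourceIPAddress": "203.0.113.9", "eventTime": "2015-06-01T08:11:00Z",
     "requestParameters": {"vpnConnectionId": "vpn-0c1"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "eventTime": "2015-06-01T08:12:00Z"},
]})


def _open_cidrs(req):
    """'proto/from-to' for every 0.0.0.0/0 or ::/0 range in an ingress call."""
    found = []
    for perm in (req.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") in ("0.0.0.0/0", "::/0"):
                found.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return found


def evaluate(record):
    """(rule, detail) for a record that matches a rule, else None."""
    name = record.get("eventName")
    src = record.get("eventSource")
    ident = record.get("userIdentity", {})
    who = ident.get("userName", "?")
    if name == "ConsoleLogin":
        # SAML-federated sessions show MFAUsed=No because MFA happened at the IdP,
        # so only IAM users and root are judged here.
        ok = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if ok and not mfa and ident.get("type") in ("IAMUser", "Root"):
            return ("console_login_without_mfa", who)
    elif name == "AuthorizeSecurityGroupIngress":
        opened = _open_cidrs(record.get("requestParameters", {}))
        if opened:
            return ("security_group_open_to_world", f"{who} opened {','.join(opened)}")
    elif src == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        return ("cloudtrail_tampering", f"{who} {name}")
    elif name in HYBRID_LINK_EVENTS:
        return ("hybrid_link_change", f"{who} {name}")
    return None


def detect(cloudtrail_json):
    """Alerts as (rule, detail, eventTime, sourceIPAddress) tuples, SIEM-ready."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        hit = evaluate(rec)
        if hit:
            alerts.append(hit + (rec.get("eventTime"), rec.get("sourceIPAddress")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_CLOUDTRAIL):
        print(*alert)
```

The benign ingress rule from 10.10.0.0/24 and the DescribeInstances call produce nothing, which is the point: the SIEM should receive the four alerts with the caller, time and source address already extracted rather than the raw record stream.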

Page 20: Running Hybrid Cloud Patterns on AWS

Operations on AWS: integrating AWS into your operations

• AWS CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work: install them on an EC2 instance
• Your tools already have AWS API integration
• Established processes don’t get thrown away

Page 21: Running Hybrid Cloud Patterns on AWS

Integrating AWS Into Your Service Catalog

• Every object in AWS can be described through an API
• Objects can be grouped together and described as templates
• Templates can be deployed to form stacks
• Templates are standardized, re-usable infrastructure as code
• Simple or complex reusable architectures
• Created and managed by AWS CloudFormation

Diagram: a CloudFormation template is deployed as a CloudFormation stack that builds a test environment containing an application server.

Page 22: Running Hybrid Cloud Patterns on AWS

Integrating AWS Into Your Service Catalog

Templates as catalog items
• Example: marketing micro site for a 3 month project
• Integrate the service catalog with AWS CloudFormation via API
• Deploy solutions within minutes, not days or weeks
• Archive and delete when no longer required

Diagram: minutes later, the template has produced a web server, application server, directory server and database server; weeks later, the same set is archived and deleted.

Page 23: Running Hybrid Cloud Patterns on AWS

vCreates portfolio

Adds constraints and grant access

1

4

5

AdministratorPortfolio

Users

Browse Products

6Launch ProductsAWS CloudFormation template

Creates product3Authors template2

ProductX ProductY

ProductZ

7Deploys stacks

NotificationsNotifications

88

AWS Service CatalogComing

Page 24: Running Hybrid Cloud Patterns on AWS

AWS Migration tools

Management Portal for vCenter

Page 25: Running Hybrid Cloud Patterns on AWS

Agenda slide repeated (see page 2); next section: Common workloads.

Page 26: Running Hybrid Cloud Patterns on AWS

What workloads to migrate?

Diagram: applications (App 1 to App 12) plotted on a grid of Technical Fit (horizontal) against Business Impact (vertical), giving four quadrants: QUICK WINS, REFACTOR, HOLD OFF and DON’T MIGRATE.

Application Assessment Framework + Application Migration Framework = Application Migration Factory

Page 27: Running Hybrid Cloud Patterns on AWS

Backup and archiving

o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like
  o De-duplication
  o Compression
  o WAN acceleration

Diagram: application, virtual, file and database servers in the corporate data center back up to the backup system, which writes over iSCSI to the AWS Storage Gateway and on to Amazon Simple Storage Service and Amazon Glacier.

AWS Marketplace partners shown: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP, Secure Cloud-Integrated Backup.

Page 28: Running Hybrid Cloud Patterns on AWS

Storage expansion

o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premise access
o Gateway-side encryption for security (data leaves the gateway encrypted in transit and is stored encrypted at rest in Amazon S3)

Diagram: application, virtual, file and database servers in the corporate data center use a storage appliance / AWS Storage Gateway over iSCSI, backed by Amazon Simple Storage Service.

AWS Marketplace partners shown: Cloud ONTAP, Secure Cloud-Integrated Backup, Panzura Global NAS, Avere Edge Filer.

Page 29: Running Hybrid Cloud Patterns on AWS

Hybrid architecture: Split-tier

Diagram: end users reach load balancers; app servers run both on the private side (on-premises/hosted) and in AWS; the master DB replicates to a slave DB across AWS Direct Connect (low latency private network).

Page 30: Running Hybrid Cloud Patterns on AWS

Hybrid architecture: Cloudbursting

Diagram: end users reach load balancers in front of app servers on the private side; batch jobs and additional app servers burst into AWS, with the master DB replicating to a slave DB across AWS Direct Connect (low latency private network).

Page 31: Running Hybrid Cloud Patterns on AWS

Example hybrid workloads

Page 32: Running Hybrid Cloud Patterns on AWS

Kellogg’s: SAP HANA hybrid deployment

Diagram: the corporate data center (with SAP OSS reachable over the Internet) connects by VPN to an Amazon Virtual Private Cloud (VPC).
Legend: A = Virtual Private Gateway, B = Customer Gateway, C = VPN Connection.

Inside one Availability Zone / VPC subnet, four landscapes running BW ABAP 7.31 / NW JAVA 7.40 and BW BI-JAVA on SAP HANA:
  DEV: SAP HANA on 2 x 244 GB nodes
  QA: SAP HANA on 2 x 244 GB nodes
  UAT / DR: Web Dispatcher, SAP HANA on 5 x 0.5 TB nodes
  PRD: Web Dispatcher, SAP HANA on 5 x 0.5 TB nodes

Page 33: Running Hybrid Cloud Patterns on AWS

Auth0: running in multiple cloud providers

Page 34: Running Hybrid Cloud Patterns on AWS

Methods to achieve a seamless hybrid experience

Sub-optimal methods / Optimal methods …