AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
Running Hybrid Cloud Patterns on AWS
Uploaded by shiva-narayanaswamy
Transcript of Running Hybrid Cloud Patterns on AWS
v
Our hybrid journey today
Start -> What/Why? -> Connectivity (VPC VPN, AWS Direct Connect) -> Authentication (Enterprise integration, Federation) -> Operations (Resource Tracking, Service Catalog) -> Common workloads (Backup & archive, Storage expansion, Split Tier, Cloud bursting) -> Integrated
v
What is Hybrid
http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
“Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”
v
Why Hybrid? (Cloud is the new normal)
• Existing infrastructure investments
• Middle ground between CapEx and OpEx models
• Regulatory and compliance requirements
• Spreading the risk / avoiding vendor lock-in
• Legacy hardware/software requirements
• Access to unique capabilities
• Commercial/licensing/support limitations
v
Challenges and Best Practices
• Challenges
  • Expensive
  • Comparable services
  • Transport delays
  • Customer is limited to the least common denominator
  • Degraded agility
  • Complex maintenance and operation
• Some best practices
  • Defined operating model
  • Automation… automation… automation
  • Appropriate tools – no one tool fits all
  • Use each environment’s native services and features as much as possible
  • Use cloud-native or made-for-the-cloud products/solutions/services
v
AWS Virtual Private Network (IPSec VPN)
o IPSec hardware VPN connection to supported VPN appliances
o Encryption and integrity validation of traffic in transit
o Private RFC 1918 addressing
o Uses Border Gateway Protocol (BGP) for routing and fail-over
o VPN service provides managed redundant end-points
[Diagram: corporate data center (users, data center router, servers) reaches the VPC over an Internet IPSec VPN that terminates on a Virtual Private Gateway; behind it sit VPC subnets in two Availability Zones, each with its own security group]
v
AWS Direct Connect
o Requires Layer 2 single-mode fiber: 1000BASE-LX or 10GBASE-LR
o Requires 802.1Q VLAN tagging of IP traffic across the connection
o Routing uses BGP, active/active or active/passive, with multipath
o Each Direct Connect connection is mapped to a single AWS Region
[Diagram: corporate data center (users, data center router, servers) -> customer router at the AWS Direct Connect location -> AWS Direct Connect routers -> Virtual Private Gateway -> VPC subnets in two Availability Zones, each with its own security group]
v
AWS Direct Connect
v
AWS Direct Connect + AWS VPN
o Dedicated network path with assured bandwidth
o More secure than Internet-based IPSec VPN – avoids traversing the Internet
o Reduced IPSec network transfer costs
o Additional network security: Direct Connect on its own is a private but unencrypted path; terminating the IPSec VPN over it adds encryption in transit on top of the private circuit
[Diagram: corporate data center (users, data center router, customer router, servers) -> AWS Direct Connect location and routers, with the IPSec VPN carried over the Direct Connect path -> Virtual Private Gateway -> VPC subnets in two Availability Zones, each with its own security group]
v
Hybrid infrastructure example
[Diagram: the web layer, with Auto Scaling, runs in an AWS region and is reached from the Internet; the application and database layers stay in your data center, joined to the VPC by a private connection]
v
Active Directory and LDAP
o Reduced back-reach traffic
o Reduced latency for authentication
o Additional resiliency
o Enablement of both multi-master read/write domain controllers and read-only domain controllers (RODCs)
o Requires IPSec VPN or Direct Connect connectivity
[Diagram: Active Directory replication between the domain controllers in the corporate data center (AD.Domain, users, servers) and a domain controller in each of two VPC subnets/Availability Zones, each with its own security group, across the Virtual Private Gateway]
Ports the security group must allow for replication:
Type | Port number
TCP  | 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP  | 53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
Scope these rules to the domain controller addresses on each side rather than to the whole on-premises range; the 49152-65535 dynamic RPC range in particular should never be reachable from anything but the peer domain controllers.
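The port table above, turned into an EC2 security-group rule set. This is an added example and not code from the deck: it builds the IpPermissions structure that ec2 AuthorizeSecurityGroupIngress accepts, scoped to the on-premises domain controllers only, then checks the resulting rules the way EC2 evaluates them and flags a dynamic RPC range that has been opened wider than single hosts. The domain controller addresses 10.10.1.10 and 10.10.1.11 are constructed for the example.

```python
import ipaddress

# Port table from the slide: TCP and UDP ports AD replication needs between domain controllers.
AD_PORTS = {
    "tcp": [53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, (49152, 65535)],
    "udp": [53, 67, 123, 138, 389, 445, 464, 2535, 5355, (49152, 65535)],
}

# Constructed on-premises domain controller addresses (assumption for this example).
ONPREM_DCS = ["10.10.1.10/32", "10.10.1.11/32"]


def ad_ingress_permissions(source_cidrs, ports=AD_PORTS):
    """Build the IpPermissions list that ec2 AuthorizeSecurityGroupIngress takes.

    One entry per protocol/port range, each restricted to the given source CIDRs
    (the peer domain controllers), never the whole RFC 1918 space.
    """
    perms = []
    for proto, entries in ports.items():
        for entry in entries:
            lo, hi = entry if isinstance(entry, tuple) else (entry, entry)
            perms.append({
                "IpProtocol": proto,
                "FromPort": lo,
                "ToPort": hi,
                "IpRanges": [{"CidrIp": c, "Description": "AD replication"} for c in source_cidrs],
            })
    return perms


def is_allowed(perms, proto, port, src_ip):
    """Evaluate a rule set the way a security group does: any matching allow rule permits."""
    ip = ipaddress.ip_address(src_ip)
    for p in perms:
        if p["IpProtocol"] != proto or not (p["FromPort"] <= port <= p["ToPort"]):
            continue
        for r in p["IpRanges"]:
            if ip in ipaddress.ip_network(r["CidrIp"]):
                return True
    return False


def audit_overly_broad(perms):
    """Flag dynamic RPC range rules whose source is anything wider than a single host."""
    findings = []
    for p in perms:
        if p["FromPort"] == 49152 and p["ToPort"] == 65535:
            for r in p["IpRanges"]:
                net = ipaddress.ip_network(r["CidrIp"])
                if net.prefixlen < net.max_prefixlen:
                    findings.append(f"{p['IpProtocol']} 49152-65535 open to {r['CidrIp']}")
    return findings


if __name__ == "__main__":
    rules = ad_ingress_permissions(ONPREM_DCS)
    print(len(rules), "rules;", "LDAP from DC:", is_allowed(rules, "tcp", 389, "10.10.1.10"))
    print("findings for a /8 source:", audit_overly_broad(ad_ingress_permissions(["10.0.0.0/8"])))
```

The `perms` list can be handed straight to boto3's `authorize_security_group_ingress(GroupId=..., IpPermissions=perms)`; the same structure comes back from `describe_security_groups`, so `audit_overly_broad` also works as a check over existing groups.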
v
AWS Directory Service
o Deploys in two modes
  Directory Service Connect (AD Connector): a proxy to your existing on-premises Active Directory
  Simple AD: built on a Samba 4 Active Directory-compatible server
o Simplifies IAM federation
  Avoids the complexity and cost of hosting SAML-based federation infrastructure
  AD Connector acts as a proxy – no directory data is stored on AWS infrastructure
  Supports existing RADIUS-based MFA
  Requires IPSec VPN or Direct Connect connectivity
[Diagram: AWS Directory Service Connect in a VPC subnet proxies authentication across the Virtual Private Gateway to the domain controller in the corporate data center (AD.Domain, users, servers); a second VPC subnet in another Availability Zone, each with its own security group]
v
Enterprise Federation
Integrate identity management with AWS
• Secure access to AWS resources using your IDM
• Provide SSO to the AWS Management Console or APIs
• Build your own SSO federation using the AWS STS service, or
• Federate with on-premise directories like Active Directory, TFIM, OAM or another SAML 2.0 compliant IdP
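The "build your own SSO federation using STS" option, as an added example that is not code from the deck. A federation broker authenticates the user against the corporate directory (left out here), then calls sts:GetFederationToken with a scoped-down session policy, exchanges the temporary credentials for a sign-in token at the AWS federation endpoint, and finally redirects the browser to a console login URL. The two federation endpoint actions (getSigninToken and login) and their parameters are the documented ones; the STS client is passed in so that a stub can stand in for boto3 offline, and the bucket name, issuer URL and stub credentials are constructed for the example.

```python
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# Session policy handed to sts:GetFederationToken. The federated user gets the
# intersection of this policy and the broker's own IAM permissions, so keep it
# narrow: here read-only access to a hypothetical bucket (constructed name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-marketing-site",
                     "arn:aws:s3:::example-marketing-site/*"],
    }],
}


def get_federation_token(sts_client, user_name, duration=3600):
    """Call sts:GetFederationToken through a boto3-style client; returns the Credentials dict.

    GetFederationToken must be called with an IAM user's long-term keys (the broker's),
    not with role credentials. Name is limited to 32 characters by the API.
    """
    resp = sts_client.get_federation_token(
        Name=user_name[:32], Policy=json.dumps(SCOPED_POLICY), DurationSeconds=duration)
    return resp["Credentials"]


def signin_token_request(credentials, session_duration=3600):
    """URL for the getSigninToken step; the temporary credentials travel in the Session parameter."""
    session = json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    })
    query = urllib.parse.urlencode({
        "Action": "getSigninToken", "SessionDuration": str(session_duration), "Session": session})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Final redirect target: the console, carrying the sign-in token and the IdP's issuer URL."""
    query = urllib.parse.urlencode({
        "Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token})
    return f"{FEDERATION_ENDPOINT}?{query}"


def http_get_json(url):
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def build_console_url(sts_client, user_name, issuer, fetch_json=http_get_json):
    """Full broker flow: temporary credentials -> sign-in token -> console login URL."""
    creds = get_federation_token(sts_client, user_name)
    token = fetch_json(signin_token_request(creds))["SigninToken"]
    return console_login_url(token, issuer)


def query_params(url):
    """Decode a federation URL's query string (one list per key, as parse_qs returns)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)


class StubSts:
    """Offline stand-in for boto3.client('sts') returning constructed credentials."""
    def get_federation_token(self, **kwargs):
        json.loads(kwargs["Policy"])  # the real API rejects a malformed policy document
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "stub-secret", "SessionToken": "stub-token"}}


def stub_fetch_json(url):
    """Offline stand-in for the federation endpoint; only answers getSigninToken."""
    assert query_params(url)["Action"] == ["getSigninToken"]
    return {"SigninToken": "stub-signin-token"}


if __name__ == "__main__":
    print(build_console_url(StubSts(), "alice", "https://idp.example.com", fetch_json=stub_fetch_json))
```

In production the broker runs with `boto3.client("sts")` and the default `http_get_json`; everything the browser receives is the final login URL, so the broker's own keys and the temporary credentials never leave the server.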
v
AWS federation/account governance
[Diagram of the account layout: a billing account (financial users and controllers: consolidated billing, billing alerts), a user management account (global AWS admin), a security/audit account (SOC/auditors: read-only access for all accounts), production account #1 (app owners, DevOps teams), and non-prod accounts #1 and #2 (software development, dev/test/sandbox)]
v
Resource Tracking and Cost Allocation
Tag and describe your infrastructure
• Describe every AWS object through an API call
• Resources in AWS can have custom tags
• Custom tags can be used to control permissions, and
• Allocate costs, enabling charge-back of service usage
• Dynamically generate a full inventory
• Visualize your AWS infrastructure in real time
Example tag set:
Name: APAWSIN001
Purpose: Production
Application: SharePoint Farm 03
Business Unit: Marketing
Cost Centre: 2384234
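The three uses of tags on this slide (inventory, cost allocation, permission control) worked through on a sample DescribeInstances response. This is an added example, not code from the deck: the response is constructed inline in the shape ec2 DescribeInstances returns, the hourly rates are illustrative rather than real prices, and the tag-scoped IAM policy uses the `ec2:ResourceTag/<key>` condition key that EC2 supports.

```python
REQUIRED_TAGS = ("Name", "Purpose", "Application", "Business Unit", "Cost Centre")

# Constructed sample in the shape ec2 DescribeInstances returns (Reservations -> Instances -> Tags).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1", "InstanceType": "m4.large", "Tags": [
        {"Key": "Name", "Value": "APAWSIN001"}, {"Key": "Purpose", "Value": "Production"},
        {"Key": "Application", "Value": "SharePoint Farm 03"},
        {"Key": "Business Unit", "Value": "Marketing"}, {"Key": "Cost Centre", "Value": "2384234"}]},
    {"InstanceId": "i-0a2", "InstanceType": "m4.large", "Tags": [
        {"Key": "Name", "Value": "APAWSIN002"}, {"Key": "Cost Centre", "Value": "2384234"}]},
    {"InstanceId": "i-0a3", "InstanceType": "t2.micro"},  # launched with no tags at all
]}]}

HOURLY_RATES = {"m4.large": 0.10, "t2.micro": 0.0116}  # illustrative figures, not real prices


def tags_as_dict(resource):
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def inventory(describe_output):
    """One row per instance with every required tag (None where the tag is absent)."""
    rows = []
    for res in describe_output["Reservations"]:
        for inst in res["Instances"]:
            tags = tags_as_dict(inst)
            rows.append({"InstanceId": inst["InstanceId"], "InstanceType": inst["InstanceType"],
                         **{k: tags.get(k) for k in REQUIRED_TAGS}})
    return rows


def missing_tags(describe_output):
    """Map instance id -> required tags it lacks; compliant instances do not appear."""
    out = {}
    for row in inventory(describe_output):
        missing = [k for k in REQUIRED_TAGS if row[k] is None]
        if missing:
            out[row["InstanceId"]] = missing
    return out


def cost_by_centre(describe_output, hourly_rates):
    """Charge-back: hourly spend per Cost Centre; untagged spend is reported as UNALLOCATED."""
    totals = {}
    for row in inventory(describe_output):
        centre = row["Cost Centre"] or "UNALLOCATED"
        totals[centre] = round(totals.get(centre, 0.0) + hourly_rates[row["InstanceType"]], 4)
    return totals


def tag_scoped_policy(business_unit):
    """IAM policy letting a team stop/start only instances tagged with its own Business Unit."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StopInstances", "ec2:StartInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Business Unit": business_unit}},
    }]}


def permitted(policy, action, resource):
    """Minimal evaluator for the StringEquals / ec2:ResourceTag condition used above."""
    tags = tags_as_dict(resource)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(key.split("/", 1)[1]) == value for key, value in cond.items()):
            return True
    return False


if __name__ == "__main__":
    print("missing:", missing_tags(SAMPLE_DESCRIBE))
    print("charge-back:", cost_by_centre(SAMPLE_DESCRIBE, HOURLY_RATES))
```

Note that the untagged t2.micro is both invisible to charge-back and outside the tag-scoped policy: a resource without a Business Unit tag can be stopped by nobody holding only that policy, which is the right failure direction, but it also means tag enforcement at launch time is what makes the permission model usable.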
v
Operations Monitoring
o Security monitoring integration points with CloudTrail and the SIEM aggregator
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
o Platform and app health to the SIEM aggregator via an agent on the EC2 guest
o CloudWatch Logs provide scalable, low-cost log aggregation
o Access to patching and updates for AMIs from the on-premise update server
[Diagram: CloudTrail and CloudWatch in the VPC (subnets in two Availability Zones, each with its own security group) feed the SIEM aggregator in the corporate data center across the Virtual Private Gateway connectivity; the data center's update servers reach the instances over the same path]
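What "security monitoring integration with CloudTrail and a SIEM aggregator" looks like at the detection end, as an added example that is not code from the deck. Three rules run over CloudTrail records and the hits are rendered as CEF lines, the syslog format most SIEM aggregators ingest. The records are constructed for the example in the documented CloudTrail record layout (userIdentity, eventSource, eventName, requestParameters, additionalEventData); the account id, user names, group id and IP addresses are made up.

```python
import json

# Constructed CloudTrail records in the documented record layout; not real events.
SAMPLE_RECORDS = [
    {"eventTime": "2016-06-20T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
    {"eventTime": "2016-06-20T09:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-20T09:21:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.10.5.4",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Monitoring/i-0abc"}},
    {"eventTime": "2016-06-20T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
]


def rule_console_login_without_mfa(rec):
    """Successful console sign-in where CloudTrail recorded MFAUsed != Yes."""
    if rec["eventName"] != "ConsoleLogin":
        return None
    success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
    if success and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return ("ConsoleLoginWithoutMFA", 7, "successful console sign-in without MFA")


def rule_world_open_ingress(rec):
    """Security group rule added with a 0.0.0.0/0 or ::/0 source."""
    if rec["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters", {})
    for p in params.get("ipPermissions", {}).get("items", []):
        ranges = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        ranges += [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in ranges or "::/0" in ranges:
            bad = "0.0.0.0/0" if "0.0.0.0/0" in ranges else "::/0"
            return ("SecurityGroupOpenToWorld", 8,
                    f"{params.get('groupId')} {p.get('ipProtocol')} "
                    f"{p.get('fromPort')}-{p.get('toPort')} from {bad}")


def rule_trail_tampering(rec):
    """Anything that turns the audit trail off or changes it."""
    if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in (
            "StopLogging", "DeleteTrail", "UpdateTrail"):
        name = rec.get("requestParameters", {}).get("name")
        return ("CloudTrailTampering", 9, f"{rec['eventName']} on {name}")


RULES = [rule_console_login_without_mfa, rule_world_open_ingress, rule_trail_tampering]


def detect(records):
    """Run every rule over every record; one alert dict per hit."""
    alerts = []
    for rec in records:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                name, severity, detail = hit
                alerts.append({"rule": name, "severity": severity, "time": rec["eventTime"],
                               "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
                               "src": rec.get("sourceIPAddress"), "event": rec["eventName"],
                               "detail": detail})
    return alerts


def to_cef(alert):
    """Render an alert as a CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    ext = " ".join([f"rt={alert['time']}", f"suser={alert['principal']}", f"src={alert['src']}",
                    f"act={alert['event']}", f"msg={alert['detail']}"])
    return f"CEF:0|AWS|CloudTrail|1|{alert['rule']}|{alert['rule']}|{alert['severity']}|{ext}"


def parse_cloudtrail_file(text):
    """CloudTrail delivers JSON files shaped {"Records": [...]}; return the record list."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(to_cef(alert))
```

The DescribeInstances record from the monitoring role produces nothing, which is the point of rule-based filtering before shipping to the SIEM: CloudTrail volume is dominated by read-only calls, and the aggregator should receive the three lines that matter rather than everything.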
v
Operations On AWS
Integrating AWS into your operations
• AWS CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work – install them on an EC2 instance
• Your tools already have AWS API integration
• Established processes don’t get thrown away
v
Integrating AWS Into Your Service Catalog
• Every object in AWS can be described through an API
• Objects can be grouped together and described as templates
• Templates can be deployed to form stacks
• Templates are standardized, re-usable infrastructure as code
• Simple or complex reusable architectures
• Created and managed by AWS CloudFormation
[Diagram: a CloudFormation template is deployed as a CloudFormation stack containing an application server, forming a test environment]
v
Integrating AWS Into Your Service Catalog
Templates as catalog items
• Example: marketing micro site for a 3 month project
• Integrate the service catalog with AWS CloudFormation via API
• Deploy solutions within minutes, not days or weeks
• Archive and delete when no longer required
[Diagram: a web server, application server, directory server and database server stood up "minutes later"; the same stack archived and deleted "weeks later"]
v
AWS Service Catalog (coming)
[Diagram of the Service Catalog workflow: 1 the administrator creates a portfolio; 2 authors an AWS CloudFormation template; 3 creates products (Product X, Product Y, Product Z); 4 adds constraints and 5 grants access; 6 users browse and launch products; 7 Service Catalog deploys the stacks; 8 notifications go to both administrator and users]
v
AWS Migration tools
Management Portal for vCenter
v
What workloads to migrate?
[Diagram: App 1 through App 12 plotted on a matrix of technical fit against business impact, with the quadrants Quick Wins, Refactor, Hold Off and Don’t Migrate]
Application Assessment Framework + Application Migration Framework = Application Migration Factory
v
Backup and archiving
o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like
  o De-duplication
  o Compression
  o WAN acceleration
[Diagram: application, virtual, file and database servers in the corporate data center back up through the backup system to AWS Storage Gateway over iSCSI, landing in Amazon Simple Storage Service and archiving to Amazon Glacier; AWS Marketplace partners shown are Symantec NetBackup, Veeam Backup & Replication and Cloud ONTAP Secure Cloud-Integrated Backup]
v
Storage expansion
o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premise access
o Gateway-side encryption for security
[Diagram: application, virtual, file and database servers in the corporate data center mount volumes from a storage appliance / AWS Storage Gateway over iSCSI, backed by Amazon Simple Storage Service; AWS Marketplace partners shown are Cloud ONTAP Secure Cloud-Integrated Backup, Panzura Global NAS and Avere Edge Filer]
v
Hybrid architecture: Split-tier
[Diagram: end users, load balancers, app servers and a master DB replicating to a slave DB, with the tiers split between the private (on-premises/hosted) side and AWS, joined by AWS Direct Connect as a low latency private network]
v
Hybrid architecture: Cloudbursting
[Diagram: the same private-side load balancers, app servers and master DB replicating to a slave DB, with additional app servers and batch jobs bursting into AWS over AWS Direct Connect as a low latency private network]
Example hybrid workloads
v
Kellogg’s – SAP HANA hybrid deployment
[Diagram: inside an Amazon Virtual Private Cloud (VPC) subnet in one Availability Zone, DEV and QA each run BW ABAP 7.31 / NW JAVA 7.40 and BW BI-JAVA on 2 x 244 GB nodes, while UAT/DR and PRD each run BW BI-JAVA, Web Dispatcher and SAP HANA on 5 x 0.5 TB nodes; the corporate data center connects through a VPN connection (C) between the customer gateway (B) and the Virtual Private Gateway (A); SAP OSS is reached over the Internet]
v
Auth0 – Running in multiple cloud providers
v
Methods to achieve a seamless hybrid experience
Sub Optimal methods Optimal Methods …