As AWS continues to expand, enterprise customers are increasingly looking to our partner ecosystem to assist in migrating their workloads to the cloud. This session describes the challenges, lessons learned and best practices for large scale application migrations. We will use real examples from our consulting partners and AWS Professional Services to illustrate how to move workloads to the cloud while modernizing the associated applications to take advantage of AWS’ unique benefits. We will also dive into how to use an array of AWS services and features to improve a customer’s security posture as they are migrating and once they are up and running in the cloud.

1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Cloud Migration, Application Modernization,
and Security for Partners
Tom Laszewski, Sr. Manager, GSI Solutions Architecture
Matt Yanchyshyn, Sr. Manager, ISV Solutions Architecture

2. AWS Migration Methodology

3. People,
process,
technology
Migration
experience
Knowledge &
training
Not primary
business activity
Fear
Attempting too
much at once
Migration challenges

4. Discover Design Transform Transition Operate Optimize
Plan RunBuild
• Detailed
migration plan
• Estimate effort
• Security & risk
assessment
• Network
topology
• Migrate
• Deploy
• Validate
• Assessment &
profiling
• Prioritization
• Data
requirements &
classification
• Business logic
& infrastructure
dependencies
• Pilot testing
• Transition to
support
• Release
management
• Cutover &
decommission
• Staff training
• Monitoring
• Incident
management
• Provisioning
• Monitoring-
driven
optimization
• Continuous
integration and
continuous
deployment
App migration
assessment
Re-hosting
(lift and shift)
App portfolio optimization
Re-platforming
(lift and reshape)
Migration methodology

5. Planning your migration
Migrating to the cloud can take one of many paths
Discover,
Assess (Enterprise
Architecture and
Applications)
Lift and Shift
(Minimal
Change)
Migration and
UAT Testing Operate
Refactor
for AWS
Application
Lift and shift
Move the App
Infrastructure
Plan Migration
and Sequencing
Determine
Migration Path
Decommission
Do Not Move
Create Cloud
Strategy
Design, Build AWS
Environment
Move the
Application
Determine
Migration
Process
Manually Move
App and Data
Third-Party Tools
AWS VM Import
Refactor
for AWS
Rebuild Application
Architecture
Vendor
S/PaaS
(if available)
Third-Party Migration Tool
Manually Move App and Data
Determine
Migration Process
Replatform
(typically legacy
applications)
Recode App
Components
Rearchitect
Application
Recode
Application
Architect AWS Environment
and Deploy App, Migrate Data
Signoff
Tuning Cutover
Org/Ops
Impact
Analysis
Identify
Ops Changes
Change
Management
Plan

6. End-state Architecture

7. Architecting your AWS environment
Design and architecture of the cloud environment is important to realize
cloud benefits such as agility and cost savings
Networking
• Convergence of
on-premises and
cloud
• Cloud-oriented
protocols
• IP scheme and
addressing
• VPC and account
configuration
Security
• SSO
• Access policies
• Least privilege
• Audits
• Compliance
• Intrusion detection
& prevention
• Logging
Governance
• Billing & cost
management
• Service
catalogs
• Configuration
management
• Architecture
Standards
• SLA/SLO
• Procurement
Data management
• RPO/RTO
• Retention policies
• Replication
• Storage
optimization
• ILM
• Data quality
Monitoring
• Notifications &
alerting
• Application level
awareness
• Thresholds
• Service desk
integration

8. On-premises infrastructure mapped to AWS
Technology On-premises AWS
Network VPN, MPLS Amazon VPC, AWS Direct Connect
Storage DAS, SAN, NAS, SSD
Amazon Elastic Block Store, Amazon S3, Amazon EC2
instance storage, distributed & clustered FS on Amazon EC2
Compute Hardware, virtualization Amazon EC2, Amazon ECS, AWS Lambda
Content delivery Third-party CDN Amazon CloudFront
Databases
MS SQL Server, MySQL, Oracle, DB2,
PostgreSQL, MongoDB,. …
Amazon RDS, Amazon DynamoDB, Amazon Amazon
ElastiCache, DB software on Amazon EC2
Load balancing Hardware and software load balancers Elastic Load Balancing, software load balancers
Scaling & cluster
management
Hardware and software clustering
tools
Auto Scaling, software clustering solutions
DNS BIND, Windows Server, third party Amazon Route 53, third-party DNS software on EC2

9. Technology On-premises AWS
Analytics & data warehouse
Hadoop, Vertica, Cassandra, specialized
hardware and software
Amazon EMR, Amazon Redshift, software on Amazon EC2
Messaging and workflow RabbitMQ, ActiveMQ, Kafka, … Amazon SQS, Amazon SNS, Amazon SWF, software on EC2
Caching Redis, Memcached, … Amazon ElastiCache, Memcached, SAP Hana
Archiving Tape library, off-site data storage Amazon S3, Amazon Glacier
Email Email software Amazon SES
Identity, authoritzation, &
authentication
AD/ADFS, LDAP, SAML, third party…
AWS Identity and Access Management/AWS STS, Amazon
Cognito, AWS Directory Service, AD & LDAP on Amazon EC2
Deployment & configuration
management
Chef, Puppet, Salt, Ansible, PowerShell
DSC
AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk,
AWS CodeDeploy, Amazon ECS
Management and
monitoring
CA, BMC, Rightscale
Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS
Trusted Advisor
On-premises infrastructure mapped to AWS

10. Security Comes First!

11. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge
locations
AWS is responsible for the security of the cloud

12. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge
Locations
Client-side data
encryption
Server-side data
encryption
Network traffic
protection
Platform, applications, identity & access management
Operating system, network, & firewall configuration
Customer applications & contentCustomers
Customers configure their security in the cloud

13. AWS security offerings
Auditability
• Compliance
reports
Visibility
• Amazon CloudWatch
• AWS CloudTrail
• AWS Config
• “Describe” APIs
Control
• IAM
• AWS CloudHSM
• AWS CloudFormation
• AWS KMS

14. Defense-in-depth
AWS compliance
program
Third-party
attestations
Physical
Security groups
VPC configuration
Network
Web application
firewalls
Bastion hosts
Encryption
in-transit
Hardened AMIs
OS and app
patch mgmt.
IAM roles for EC2
IAM credentials
Systemsecurity
Logical access
controls
User authentication
Encryption
at-rest
Datasecurity

15. Encryption: data at rest
EBS
Volume encryption
EBS encryption OS tools
AWS
marketplace/partner
Object encryption
S3 server side
encryption (sse)
S3 SSE w/ customer
provided keys Client-side encryption
Database encryption
Amazon Redshift
encryption
RDS
PostgreSQL
KMS
RDS
MYSQL
KMS
RDS
ORACLE
TDE/HSM
RDS MSSQL
TDE

16. Built-in firewall: security groups and NACLs
• VPC security groups (mandatory)
– Instance level, stateful
– Supports ALLOW rules only
– Default deny inbound, allow outbound
– Use as “whitelist” – least privilege
• VPC NACLs (optional)
– Subnet level, stateless
– Supports ALLOW and DENY
– Default allow all
– Use as “blacklist”/“guardrails”(port 135,21,23…)
• Separation of duties
• Changes audited via AWS CloudTrail
• Additional cost for SGs/NACLs: $0
Physical Interfaces
Customer 1
Hypervisor
Customer 2 Customer n…
…
Virtual Interfaces
Firewall
Customer 1
Security
Groups
Customer 2
Security
Groups
Customer n
Security
Groups
Security Groups

17. AWS partner solutions extend & enhance security
• Some examples:
– Cisco CSR (VPN)
– Sophos UTM (firewall, …)
– Alert Logic Web Security Manager (WAF)
– Alert Logic Threat Manager (NIDS)
– Trend Micro Deep Security (IDPS)
– Trend Micro SecureCloud (encryption)
– Dome9 SecOps (security group audit & management)
– …

18. Migration Approach & Best Practices

19. Identifying applications to move
Standalone applications are easy to move
Application with loosely coupled SOA-based
integrations are good candidates
Tightly integrated application needs more planning
‘Low hanging fruit’
• Dev/Test applications, self-contained web applications (LAMP stack), social media product
marketing campaigns, training envrionments, pre-sales demo portal, software downloads, trial
applications
Watch out for
• 32 bit, non-Linux/Windows, multi-cast (Oracle RAC), client/server applications, engineered
systems (Exadata, Netezza), massive file servers, vertically challenged software/applications

20. Getting a bread box estimate: minimum information
Compute : Number of servers/VMs including RAM,
CPU, OS, and boot drive size (Amazon EC2)
Storage mapping to transactional, backup, archival,
and log/file system/applications (Amazon EBS, Amazon Glacier, and Amazon S3)
Data transfer out for networking
Internet or dedicated networking including security
requirements (AWS Direct Connect and VPN)
Region where processing is happening

21. Getting a bread box estimate: nice to have
HA requirements for each workload (ELB, Route53)
Scalability requirements for each workload (ELB,
Route53, Auto Scaling, CloudFront)
DR requirements for each workload
Storage IOPS requirements for each workload
Compute requirements for management/monitoring
Backup requirements for each workload that can
not be supported by EBS snapshots

22. Getting a bread box estimate: really nice
Workload stratification file servers, security, RDBMS,
ERP, big data, security, management/monitoring etc.
HIPPA and PCI requirements for each workload
HPC requirements for each workload
Extremely high CPU, memory requirements
Top third-party vendors for packaged apps
IDS/IPS, WAF, management, monitoring, logging, etc.

23. Invest in proof of concept early
Proof of concept will answer tons of questions and get your
feet wet with AWS quickly
Will help identify gaps and touch points
Give you a good estimation of the migration costs
Give you a good estimation of the AWS runtime costs

24. Migrating data into AWS cloud
• File transfer to Amazon S3 or EC2 using S/FTP, SCP, UDP, Attunity
• NFS mount accessible from on premise and AWS
• Configure on-premises backup application (like NetBackup, CA,
CommVault, Riverbed) to use Amazon S3
• AWS Storage Gateway for asynchronous backup to Amazon S3
• AWS Import/Export service: Ship your disk to AWS
• Database backup tools like Oracle Secure Backup
• Database replication tools like GoldenGate, Dbvisit
• AWS Direct Connect 100 Mbps to 10 Gbps

25. Migrating data into AWS
Data size*
* relative to Internet bandwidth and latency
Datavelocityrequired
UDP transfer software
(e.g., Aspera, Tsunami, …)
Attunity CloudBeam
AWS Storage Gateway,
Riverbed, NFS
AWS Import / ExportTransfer to S3
over Internet
One-time upload with
constant delta updates
Days
Hours
TBsGBs

26. Security Best Practices

27. Enforce consistent security on your hosts
Launch
instance
EC2
AMI catalog Running instance
Your instance
Hardening
Audit and logging
Vulnerability management
Malware and HIPS
Whitelisting and integrity
User administration
Operating system
Configure
instance
Configure and harden EC2 instances based on security and compliance needs
Host-based protection software
Restrict access where possible
Connect to existing services

28. Separate static assets
and move servers away from the edge
Inbound HTTP
CloudFront
Amazon S3
WAFDynamic
App
App
AppPeering

29. Identity and Access Management
Create appropriate principles, authorization, and privileges for AWS resources
Multi-factor authentication
AWS Identify and
Access Management
Policies
User
Groups
Roles
Principle of least privilege
User User Hardware Virtual
IAM AWS administrative users
Root account
Note: Always associate the account owner ID with
an MFA device and store it in a secured place!

30. AWS IAM hierarchy of privileges
AWS account owner
(root)
AWS IAM
User
Temporary
security
creds
Permissions Example
Unrestricted access to all
enabled services and
resources.
Action: *
Effect: Allow
Resource: *
(implicit)
Access restricted by
group and user policies
Action:
[‘s3:*’,’sts:Get*’]
Effect: Allow
Resource: *
Access restricted by
generating identity and
further by policies used
to generate token
Action: [ ‘s3:Get*’ ]
Effect: Allow
Resource:
‘arn:aws:s3:::mybucket/*’
Enforce principle of least privilege with Identity and Access Management (IAM)
users, groups, and policies and temporary credentials

31. Principle of least privilege with IAM
• Login to an account with a less privileged user
– Read-only
– EC2 launch-only
• Change role for privileged action
– Administer IAM
– Terminate instance
– Delete snapshots
Protection against accidents or mistakes
(e.g., similar to DisableApiTermination=true)

32. Consolidate your IAM users
• Put all IAM users and groups in
one account
• All other accounts use AWS IAM
roles
Best practices:
• Tie into consolidated billing hierarchy
• Users in IAM account are only
authorized to assume roles in other
accounts
• No AWS-billable resources in this
account

33. Governance through IAM policies
...
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:network-interface/*"
],
"Condition": {
"ArnNotEquals": {
"ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region::image/ami-12345678",
"arn:aws:ec2:region:account:subnet/subnet-12345678",
"arn:aws:ec2:region:account:security-group/sg-12345678"
]
"Condition": {
"StringEquals": {
"ec2:ResourceTag/BillingCode": “4000"
},
"StringEquals": {
"ec2:ResourceTag/Environnent": “Prod”
...
Deny RunInstances without
appropriate subnet
Require RunInstances to
have specific AMI, subnet,
security group, …
Require RunInstances to
have specific tags

34. Implementing “smart” AWS policies
• The 5 Ws of auditability:
– Who?
– What?
– Where?
– When?
– Why?
• What we really want is an “if and only if” statement:
– You can deploy this change in production “if and only if” it
actually worked in test
Controlled by AWS IAM
Not controlled by IAM

35. Federate with AWS Directory Service & IAM
Directory Users
Directory Groups
IAM_Admins
Read_Only
EC2_Admin
Group ‘n’
…
AWS Directory Services
Mgmt Acct
IAM_Admin
IAM Role Mapping
Read_Only
EC2_Admin
Role ‘n’

36. Case Study:
Condé Nast Data Center Migration

37. Condé Nast data center migration drivers
• Existing data center needed >$1 million in upgrades
• Financial pressure to close facility by July 2014
• Increase resource efficiency, both people and technology

38. Condé Nast data center migration scope
• 47 application groups
• 350+ servers
• 400+ TB storage

39. Application migration methodology
• Condé Nast provided a detailed inventory of their Delaware DC assets
• Utilization metrics were critical for Reserved Instance analysis and to
explore elasticity
• Application assessment determined migration order
• Migration scheduled in waves
• Change window: Migrations occurred over weekends
• Coordinating the change window with various teams was key
• Applications run in hybrid mode during the migration
• Once a server was migrated successfully it was decommissioned

40. Application migration: virtual machines
• Condé Nast was highly virtualized (VMware)
• Veeam: stage VMs to Amazon S3
– Supports change block tracking which minimizes downtime during migration
• AWS VM Import/Export: migrate staged VMs to Amazon EC2
– Eliminates VM data migration as a part of the change window
• Large databases: created directly on AWS and then data
synchronized

41. AWS VPC and networking
Key criteria to support waves of migration:
• AWS Direct Connect: 10 GB DX to AWS
• IP addressing: Avoid overlapping IPs
• Service names

42. AWS Identity and Access Management (IAM)
Key criteria:
• IAM policies
• Identify groups and permissions
• Application tagging

43. Phased migration
• Live migration from premises was too slow
– Large change windows meant that production systems were
frozen for a long time
• Solutions:
– Use a tool (Veeam) to backup and ongoing synchronization of
VMs to Amazon S3
– Use a staging farm to run VM Import/Export

44. VM Import/Export considerations
• Root partitions cannot span multiple disks
– Solution: Eliminate this on premises before migration
• Volumes > 1 TB not supported
– Solution: Spread data across volumes
• VM Import/Export requires stream-optimized VMDK
– Solution: conversion process was scripted
• Nonvirtualized servers were virtualized on premises
before migration
• Unsupported operating systems were upgraded to
supported OS before migrating

45. Lessons learned at Condé Nast
• Know your limitations
• Evaluate and understand your infrastructure environment
• Sign-up for enterprise support early and involve a TAM early on
• Get your operations staff trained on AWS
• Challenge yourself and make sound architecture decisions;
changing in future can be difficult
• Document every decision made, especially the anti-patterns
• Work directly with application owners; nothing beats hands-on
experience

46. SAN FRANCISCO