Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013

Which is better: a single VPC with multiple subnets or multiple accounts with many VPCs? Should you simplify management with a single VPC or use multiple VPCs to lessen the blast radius of network changes? In this session, we hear from customers who've implemented each approach and discuss how they addressed management, security, and connectivity for their Amazon EC2 environments.

Transcript of "Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013"

Slide 1. Selecting the Best VPC Network Architecture
Eric Schultze, AWS
Roshan Vilat & Phil Schulz, Vodafone Australia
Clay Parker, Trimble Navigation
November 15, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Slide 2. Why we’re here
• Choosing a VPC architecture
• Benefits and Challenges
• Lessons Learned

Slide 3. Before we get started…

Slide 4. Selecting the Best VPC Network Architecture: Vodafone Australia Case Study
Roshan Vilat & Phil Schulz, Vodafone Australia
November 15, 2013

Slide 5. Vodafone Australia
• Presentation:
– Cloud Transformation Roadmap
– Multi VPC Solution

Slide 6. Vodafone Group
– One of the world’s leading telecommunications groups
– Vodafone operates in more than 30 countries across five continents
– 404 million customers globally
– One of the top 10 brands in the world

Slide 7. 1. Public Facing Website in the Cloud
– Migration from traditional data center to the Cloud
– Saved one year in time to market
– Saved at least $1,000,000

Slide 8. 2. Re-architecting for the Cloud
– AWS opened a data centre in Australia
– Migration from the US to AU
– Re-architecture into a cloud-oriented architecture: Auto Scaling; Elastic IPs; Amazon RDS database; AWS CloudFormation; highly available file storage; self-healing environments
– Agile delivery with cross-functional teams; behavior-driven development; automated testing; continuous integration; daytime deployments

Slide 9. 3. Business Critical Applications
– Greenfield enabler for multiple digital services
– Supporting customer sensitive data
– Direct connection into backend services
– Suite of security tools
– Live business intelligence
– New support model

Slide 10. Project Partners
– Core Team
– InfoSec
– Networks
– Service Management
– Operational Support Services
– Vodafone Group
– My Account App Team

Slide 11. To Multi-VPC or not to Multi-VPC?

Slide 12. Project Key Requirements
1. Secure – protect customer sensitive data
2. Networked – low latency, stable connectivity
3. Automated
4. Supportable
5. Resilient, scalable, and available

Slide 13. VPC Design Evolution
• 100s of VPCs
• Single VPC
• Multi-VPC

Slides 14 and 15. 100s of VPCs (diagram)

Slide 16. 100s of VPCs
Pros
• Strong isolation
Cons
• Sheer number of VPCs
• Management nightmare
• Networking nightmare
• Equivalent of creating a datacenter per application?

Slide 17. Single VPC (diagram)

Slides 18 and 19. Single VPC
Pros
• Simplifies AWS Direct Connect
Cons
• Low isolation – security, billing implications
• No role separation – IAM limitation
• AWS account and VPC limits
• Difficult to contain blast radius!

Slides 20 and 21. Multi VPC (diagram)

Slide 22. Design Benefits
• Multi-account for role separation, cost control and resource limits
• Balance of isolation and management complexity
• AWS Direct Connect provides stable inter-VPC and Vodafone-VPC communication
• AWS Direct Connect provides central network control point
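The multi-account, multi-VPC design on slide 22 only works if every VPC receives a CIDR that overlaps neither the other VPCs nor the on-premises ranges reachable over Direct Connect: overlapping prefixes cannot be routed through the central hub, and the single-VPC camp (slide 35 below) lists internal IP address space as exactly the thing a single VPC makes easy. The planner below is an added example, not code from the talk, from Vodafone or from AWS. It assumes the corporate WAN keeps 10.0.0.0/10 and that 10.64.0.0/12 has been delegated to AWS; the account and VPC names are constructed. It carves the delegated block into per-VPC /20s and per-tier, per-AZ /24s, rejects any plan that collides with reserved ranges, and lists the prefixes each VPC must route to its virtual private gateway so that on-prem and every peer VPC remain reachable through the Direct Connect hub (the 2013-era pattern; there was no transit gateway).

```python
"""Non-overlapping address plan for a multi-account, multi-VPC design.

Added example; not Vodafone's or AWS's code. Supernet, on-prem ranges,
account and VPC names are all assumptions made for illustration.
"""
import ipaddress

# Constructed inputs: prefixes owned by the corporate WAN that must never be
# reused in AWS, and the block the network team delegated to AWS.
ON_PREM_ROUTES = ["10.0.0.0/10"]
AWS_SUPERNET = "10.64.0.0/12"

# (account, vpc_name) in allocation order: one account per workload gives the
# role separation and per-account limits the Vodafone design relies on.
VPC_REQUESTS = [
    ("shared-services", "shared-svcs"),
    ("myaccount-prod", "myaccount-prod"),
    ("myaccount-nonprod", "myaccount-test"),
]


def _net(value):
    """Accept either a CIDR string or an already-parsed IPv4Network."""
    return value if isinstance(value, ipaddress.IPv4Network) else ipaddress.ip_network(value)


def plan_address_space(supernet, requests, reserved, vpc_prefix=20, subnet_prefix=24,
                       azs=("a", "b"), tiers=("public", "private")):
    """Return {vpc_name: {"account", "cidr", "subnets"}}; raise ValueError on conflict."""
    supernet = _net(supernet)
    reserved = [_net(r) for r in reserved]
    for r in reserved:
        if supernet.overlaps(r):
            raise ValueError(f"AWS supernet {supernet} overlaps reserved range {r}")
    vpc_blocks = supernet.subnets(new_prefix=vpc_prefix)
    plan = {}
    for account, name in requests:
        if name in plan:
            raise ValueError(f"duplicate VPC name {name}")
        try:
            vpc_cidr = next(vpc_blocks)
        except StopIteration:
            raise ValueError(f"supernet {supernet} exhausted at VPC {name}") from None
        subnet_blocks = vpc_cidr.subnets(new_prefix=subnet_prefix)
        # One subnet per tier per AZ; the remaining /24s stay free for growth.
        subnets = {f"{tier}-{az}": next(subnet_blocks) for tier in tiers for az in azs}
        plan[name] = {"account": account, "cidr": vpc_cidr, "subnets": subnets}
    return plan


def find_overlaps(plan, reserved):
    """Pairwise overlap check of every VPC CIDR against the others and against the
    reserved on-prem ranges; returns [] when the plan is routable."""
    reserved = [_net(r) for r in reserved]
    names = list(plan)
    conflicts = []
    for i, a in enumerate(names):
        cidr_a = _net(plan[a]["cidr"])
        for b in names[i + 1:]:
            if cidr_a.overlaps(_net(plan[b]["cidr"])):
                conflicts.append((a, b))
        for r in reserved:
            if cidr_a.overlaps(r):
                conflicts.append((a, str(r)))
    return conflicts


def vgw_routes(plan, vpc_name, reserved):
    """Prefixes this VPC's route tables must send to its virtual private gateway so
    that on-prem and every peer VPC are reachable via the central Direct Connect hub."""
    peers = [_net(plan[n]["cidr"]) for n in plan if n != vpc_name]
    routes = {_net(r) for r in reserved} | set(peers)
    return [str(r) for r in sorted(routes)]


if __name__ == "__main__":
    plan = plan_address_space(AWS_SUPERNET, VPC_REQUESTS, ON_PREM_ROUTES)
    for name, vpc in plan.items():
        print(f"{vpc['account']:18} {name:15} {vpc['cidr']}")
        for label, cidr in vpc["subnets"].items():
            print(f"{'':18} {label:15} {cidr}")
    print("conflicts:", find_overlaps(plan, ON_PREM_ROUTES))
    print("myaccount-prod -> VGW:", vgw_routes(plan, "myaccount-prod", ON_PREM_ROUTES))
```

Run it whenever a new account or VPC is requested and commit the resulting plan next to the Direct Connect and VPN configuration; `find_overlaps` is the check to wire into review, since an overlapping VPC is easy to create in a separate account and only shows up later as unroutable traffic.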
Slide 23. Lessons Learned
• Ensure team has domain experts
• Capture all stakeholder requirements
• Differences between traditional and cloud-based methodologies
• Use multiple constructs to achieve desired isolation – accounts, VPCs, security groups, etc.
• AWS account and VPC limits
• IAM access control capabilities

Slide 24. Project Outcome
• First cloud-based environment for business critical apps
• Built in 4 months
• MyAccount (Online Self-Service) in production
• Shared security and operational services in production
• Next 4 applications in build stage

Slide 25. Selecting the Best Virtual Private Cloud Architecture In AWS
Clay Parker, Trimble Navigation
November 15, 2013

Slide 26. Trimble Navigation
• A world leader in transforming how work is done across multiple industries and professions
• Our customers gain significant economic breakthroughs while improving quality, safety and regulatory compliance and reducing environmental impact
• Our technological capabilities span positioning and sensing, global connectivity, 3D design, modeling & measurement, machine and process automation, and powerful data analytics
• 2012 revenue US $2 billion; 6,500 employees
• Founded in 1978, headquartered in Sunnyvale, California, with offices in 35 countries, partners in 125 countries and customers in 150, from some of the world’s largest corporations to some of the smallest family firms

Slide 27. Trimble Hosting Services
• We are a Trimble Division
• We exist to help Trimble businesses with external end-user-facing application hosting and 24x7x365 support
• 74 staff in seven locations in five countries
• Production infrastructure in seven data centers
• Development infrastructure in six Trimble offices
• Facilitate hosting in Amazon Web Services (AWS)
• Our ISMS is ISO27001 certified for hosting in THS infrastructure and in AWS
• Staff have specific expertise in:
– Server virtualization
– Storage management
– Network engineering
– Database management
– Program & project management
– Cloud hosting
– Operations
– Information security
– Finance
(Map: THS locations including Node4 Northampton and Equinix Slough in the United Kingdom, Ireland, AT&T Ashburn, Equinix Dallas, SunGard, Scottsdale, CT, Milpitas NOC, 21Vianet Beijing, Xi’an, Chennai NOC, and the Global Admin Network.)

Slide 28. Current use of Amazon Web Services
• Shared Production Account
– Multi-tenant environments in several regions to support multiple customers
– Single production account with one VPC per region
– No tenant write access to the AWS Management Console
– VPN connectivity to private cloud production data centers
– All AWS resources tagged for customer identification
– All AWS resources under change management control

Slide 29. Current use of Amazon Web Services
• Shared Development Account
– Multi-tenant environments in several regions to support multiple customers
– Single development account with one VPC per region
– Controlled tenant access to the AWS Management Console
– VPN connectivity to private cloud development data centers
– All AWS resources tagged for customer identification

Slide 30. Current use of Amazon Web Services
• Customer Development Accounts
– One per customer
– VPN connectivity to our development data centers only
– Unlimited access to the AWS Management Console (except Amazon VPC)
– Linked to our master account for consolidated billing

Slide 31. Current use of Amazon Web Services
• Billing Only Accounts
– One for each customer
– Linked to our master account for consolidated billing

Slide 32. Private / Public / Hybrid Clouds
• Private
– Trimble Private Cloud (TPC)
– THS owns & manages infrastructure
• Public
– Amazon Web Services (AWS)
– AWS owns & manages infrastructure
• Hybrid
– Uses infrastructure in both TPC & AWS
– Take advantage of the best of both worlds
(Diagram: hybrid deployment of www.myconnectedassets.com. A Route 53 hosted zone fronts client and mobile users arriving over an ISP or wireless carrier. In AWS Region 1 an Elastic Load Balancer feeds Amazon Linux EC2 web/app instances, each in a security group, spread across Availability Zones A and B inside a VPC subnet, with Amazon CloudWatch alarms for monitoring. A VPN connection links the VPC to the Trimble data center core network, where shared VMware & SAN infrastructure hosts redundant physical and/or virtual web & application servers, a redundant physical database cluster on SAN, BGP routers, core switches, other Trimble hosted applications and a pipe to the DR data center; common services provide monitoring, LAN/SAN management, VMware management and other Trimble management.)

Slide 33. Trimble Integrated Cloud
(Diagram: the Trimble corporate WAN and the THS common services network / admin backbone connect the THS data centers PHX1 (AZ), SJC3 (CA), IAD2 (VA), LHR1 and LHR2 (UK), MAA1 (India), XIY1 and PEK1 (China) to AWS US-East (N. Virginia, IADA) and AWS US-West (Oregon, PDXA) through AWS virtual private gateways. Each AWS region holds Dev and Prod VPCs containing a THS CSN subnet alongside per-customer subnets (Cust A Subnet, Cust B Subnet); Trimble users reach both regions over the WAN.)

Slide 34. Criteria for using fewer VPCs
• Shared Production & Development Accounts
– Single VPC per region
– Modeled after our physical data center environment
– Less confusion for all concerned
– Able to use a single VPN for connectivity
– Less complexity for ITOps support

Slide 35. Advantages of using fewer VPCs
• Reduces complexity of managing internal IP address space
• Single place to manage:
– Subnets
– Security groups
– Routes and VPN configuration

Slide 36. Challenges of using fewer VPCs
• Perceived customer data bleeding
• Complexity of managing access to individual resources
• Complexity of individual tenant billing from a shared account
• Risk of users deleting resources that are not theirs
Slide 37. Questions
• Contact information
– Email parkclay@gmail.com
– Twitter @parkclay

Slide 38. Please give us your feedback on this presentation (CPN208). As a thank you, we will select prize winners daily for completed surveys!