
Application Migrations


Landing Zone for Application migrations


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Wednesday July 6th, 2016. Landing Zone for application migrations. Koen vd Biggelaar, Sr Mgr AWS Solutions Architecture, Global Accounts
  2. Application Migration: Create Landing Zone, Migrate Apps, Operate & Optimize
  3. AWS Cloud Adoption Framework perspectives: People, Process, Security, Maturity, Platform, Operations, Business
  4. AWS Cloud Adoption Framework perspectives (continued): People, Process, Security, Maturity, Operations, Business, Platform
  5. Our Journey Today: Current State, Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  6. Current State, Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  7. Current State: Typical Enterprise Situation. Lines of Business send an Infrastructure Request to Central IT (Governance & Service Management, Provisioning). Characteristics:
      • Lead times ~days/weeks/months
      • Service Catalogue of components
      • Often process-heavy Service Management
  8. Current State: Opportunity to achieve agility and control. Central IT provides Templates, Policy & Practices, Landscape Management and Monitor & Respond to the Lines of Business through Automation. Opportunities:
      • Lead times in minutes
      • Service Catalogue of landscapes
      • Automated Service Management
  9. Current State: Guiding Principles: Security, Automation, Consumers
  10. Start: Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  11. Account Structure
      • Don't overdo on Day One
      • Use separate accounts for: Security and Compliance; Isolation (production / non-prod, logging); Cost Allocation; Resource Management and Ownership
  12. Account Structure: Payer account
  13. Account Structure: Opportunity to create linked Accounts with the Create Linked Account (CLA) API
      • The payer account can programmatically access and manage the new accounts using cross account access and administrative privileges automatically configured during account creation.
      • Currently available on a whitelisting basis: connect with your AWS Account Manager or SA. A public API will be rolled out in future; you need to use these new APIs then.
  14. Account Structure example. Central Accounts: Payer, Billing Reports, Service Catalog, Logging, Audit, Central Services. Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical. Option: per AWS Region.
  15. Start: Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  16. Analyze your CloudTrail Logs: you make API calls (AWS Management Console, AWS CLI, SDK) to AWS Services; they are logged by AWS CloudTrail and delivered to your central Amazon S3 logging bucket for Analysis & Action.
  17. Changing Resources: AWS Config tracks resource changes
  18. Changing Resources: AWS Config tracks resource changes: Record, Normalize, Store (History), Deliver (Stream, Snapshot, e.g. 2014-11-05), exposed through the AWS Config APIs
  19. Start: Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  20. Network Key Considerations: Non-overlapping IP range, VPC Design, Subnet Design, Access Control Lists & Security Groups, Logging and Monitoring, Direct Connect
  21. Network: Direct Connect for connecting the on-prem and AWS environment: Customer Gateway, VPN backup, Direct Connect Location (Virtual Interface #1, Virtual Interface #2), Secondary Direct Connect Location, Partner Network
  22. Network: Central Services in a central VPC, serving the Production Generic, Production Business Critical and Non-production VPCs. Central common/core services:
      • Authentication/directory
      • Monitoring
      • Logging
      • Remote administration
      • Scanning
      • Internet Proxy
  23. Start: Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  24. Identity and Access Management: Control access and segregate duties everywhere (AWS account owner)
      • You get to control who can do what in your AWS environment, when and from where
      • Fine-grained control of your AWS cloud with multi-factor authentication
      • Integrate with your existing LDAP / Active Directory using federation and single sign-on
      • You can use AWS managed policies or customer generated policies using the policy generator, and test with the policy simulator
  25. Identities and Access Control: Sample Access Policy

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:StartInstances",
              "ec2:StopInstances",
              "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
              "StringEquals": {
                "ec2:ResourceTag/Environment": "Dev"
              }
            }
          }
        ]
      }
      ```
      • Effect: allow or deny access to the resource
      • Action: service calls allowed to be performed
      • Resource: object or objects that the statement covers (EC2 instance ARNs carry a region and account, so the wildcard form above is used rather than empty fields)
      • Condition: conditions to satisfy; EC2 resources must be tagged with "Dev". The `ec2:ResourceTag` condition key needs a tag key name; `Environment` is assumed here, since the slide shows only the tag value.
  26. Identities and Access Control: Example user types with corresponding access policies
      • Administrators: Administrator, Landscape Mgt Administrator, Service Catalog Administrator
      • Managers: IAM Master (create policies), IAM Manager (assign policies), Audit (read-only access)
      • Design: Architect (create landscapes), Storage Design and Build, Network Design and Build
      • DevOps: API Access
      • Application Owners: App Owner (landscape owner)
      • Support and Operations: Support (account policy), Empty Role (no policy)
  27. Identity and Access Management: Federation with on-prem directory. Corporate Data Center Identity Store (AD Group) provides Identity and Authentication; the group is mapped to a specific IAM Role with an Access Policy, giving Access to AWS through the browser interface.
  28. Start: Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  29. Cloud Consumers: AWS Service Catalog. AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner. Administrator: Control, Standardization, Governance. Users: Agility, Self-service, Time to market.
  30. Administrator Interaction: CloudFormation to create products. Product = Template: a CloudFormation JSON formatted file (parameter definition, resource creation, configuration actions) that becomes a Running Stack of configured AWS services. Comprehensive service support, service event aware, customisable framework, stack creation, stack updates, error detection and rollback.
  31. Administrator Interaction: Managing products
      1. Landscape Architect authors the template
      2. Administrator creates the product (ProductX, versions)
      3. Administrator creates a portfolio and assigns the product to it (Portfolio A, Portfolio B)
      4. Administrator adds constraints, grants access and adds tags (users and roles, constraints, tags) in Service Catalog
  32. Agility and Control: Opportunities to strengthen the handshake between Administrator and Products: user generated products to foster innovation; back-end micro-services acting on the stacks
  33. Cloud Consumer Interaction Overview: Cloud Consumers browse products in a portfolio; select version, provision product, configure parameters; deploy; scheduled functions run; notifications and outputs go to the Cloud Consumer and the Administrator
  34. Cloud Consumer Interaction: Browse Products, Launch Product, Available Products, Launched Products
  35. Cloud Consumer Interaction: Configuring Options: EC2 Instance type, Schedule on/off, Schedule details
  36. End User Interaction: Launched Product, Launched Product details
  37. End User Interaction: Launched Product
  38. End User Interaction: Cost Overview (Prod, Test, Dev; IT Security)
  39. AWS Service Catalog, announcing today
      • End User APIs are Generally Available with SDK and CLI support
      • CloudTrail support for End User actions in UI and API
      • Product version default limit raised to 50 per product
  40. Our Journey Today, what did we cover? Account Structure, Security, Network, Identities & Access, Cloud Consumers, Migrate, Operate & Optimize
  41. Application Migration Approach: Create Landing Zone, Migrate, Operate & Optimize
  42. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you
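Slide 16 leaves "Analysis & Action" on the central CloudTrail bucket unspecified, and slide 24 names the controls worth checking there (account owner use, multi-factor authentication, who did what from where). The script below is an added example, not part of the deck or of any AWS tooling: it parses a constructed CloudTrail log file in the S3 delivery format and flags root API calls, resource-changing calls without MFA, and denied calls, plus call volume per linked account. Account ids, ARNs and IP addresses in the sample are made up; the record fields are CloudTrail's own.

```python
import json
from collections import Counter

# Constructed sample in CloudTrail's S3 delivery format ({"Records": [...]}), not real log data;
# account ids, ARNs and IPs are made up, the field names are CloudTrail's own.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-07-06T09:12:01Z", "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-07-06T09:15:44Z", "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.9",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"}},
    {"eventTime": "2016-07-06T09:20:10Z", "eventName": "StartInstances", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "111111111111", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]})

# API name prefixes that change resources; read-only Describe*/List*/Get* calls are left alone.
MUTATING_PREFIXES = ("Create", "Delete", "Terminate", "Stop", "Start", "Reboot", "Put",
                     "Update", "Modify", "Attach", "Detach", "Authorize", "Revoke")

def load_records(raw_log):
    """Parse one CloudTrail log file as written to the central S3 logging bucket."""
    return json.loads(raw_log)["Records"]

def mfa_used(record):
    """True only when the session carried the MFA-authenticated flag."""
    session = record.get("userIdentity", {}).get("sessionContext", {})
    return session.get("attributes", {}).get("mfaAuthenticated") == "true"

def find_findings(records):
    """Return (finding_type, detail) tuples for records an operator should review."""
    findings = []
    for r in records:
        identity = r.get("userIdentity", {})
        detail = f"{r['recipientAccountId']} {r['eventName']} by {identity.get('arn', 'unknown')} from {r['sourceIPAddress']}"
        if identity.get("type") == "Root":              # root (account owner) use is always worth a look
            findings.append(("ROOT_API_CALL", detail))
        if r["eventName"].startswith(MUTATING_PREFIXES) and not mfa_used(r):
            findings.append(("MUTATION_WITHOUT_MFA", detail))
        if "errorCode" in r:                            # denied calls show policy gaps or probing
            findings.append((f"FAILED:{r['errorCode']}", detail))
    return findings

def calls_per_account(records):
    """Call volume per linked account, for the central logging account's overview."""
    return Counter(r["recipientAccountId"] for r in records)
```

Run against real files, the same functions apply to each gzip-decompressed object under the central bucket's CloudTrail prefix; the root call in the sample yields two findings because it is also a mutating call without MFA.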