AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Zone (ARC314)

With customers migrating workloads to AWS, we are starting to see a need for the creation of a prescribed landing zone, which uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we will describe an AWS landing zone and will cover solutions for account structure, user configuration, provisioning, networking and operation automation. This solution is based on AWS native capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and AWS Lambda. We will provide an overview of AWS Service Catalog and how it can be used to provide self-service infrastructure to application users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large-scale application migrations. Additionally, Philips will explain their cloud journey and how they have applied their guiding principles when building their landing zone.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ARC314: Create an AWS Landing Zone for Application Migrations.
     Speakers: Koen vd Biggelaar, Sr Mgr AWS Solutions Architecture; Henk van Rossum, Director, Platform Manager Hosting and Storage; Scott Macy, Sr Product Manager, Service Catalog; John Steiner, Sr Mgr AWS Solutions Architecture.
  2. What is a Landing Zone and do I need one?
     - A configured, secure, enterprise multi-account AWS environment based on best practices
     - A starting point for your application migration journey
     - An environment that allows for iteration & extension over time
  3. What to Expect from the Session. At the end of this session, we hope you:
     - have an understanding of what an initial AWS Landing Zone is and why you would need one
     - can build an initial AWS Landing Zone, or update your current one
     - can use the initial Landing Zone to accelerate your application migration journey
  4. Our Journey Today (agenda graphic). Sections: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next? Domains covered: Direct Connect, End User Interaction, Automation, Service Catalog, Central Services, Logging, Config, Access, Identities, Federation. Lifecycle: Migrate, Iterate, Operate & Optimize.
  5. Current State: Typical Enterprise Situation. Diagram: Lines of Business raise an Infrastructure Request to Central IT, which provisions under Governance & Service Management. Characteristics:
     - Lead times ~days to weeks
     - Service catalogue of components
     - Often process-heavy service management
  6. Current State: Opportunity to achieve agility and control. Diagram: Lines of Business consume through Automation; Central IT provides Landing Zone Templates, Policy & Best Practices, Landscape Management, and Monitor & Respond. Opportunities:
     - Lead times in minutes
     - Service catalogue of landscapes
     - Automated service management
  7. Current State: Guiding Principles. Security, Automation, Cloud IT Consumers.
  8. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  9. Account Structure
     - Don't overdo it on Day One
     - Use separate accounts for: Security and Compliance; Isolation (production / non-prod, logging); Cost Allocation; Resource Management and Ownership
  10. Account Structure (diagram). Central Accounts: Payer (Billing Reports), Service Catalog, Logging, Audit, Central Services. Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical. Option: per AWS Region.
  11. AWS Organizations
      - New management capability for centrally managing multiple AWS accounts: simplified billing; programmatic creation of new AWS accounts; logically group AWS accounts for management convenience; apply organization control policies (OCP)
      - A Consolidated Billing (CB) family is automatically migrated to an organization
      - All organization management activity is logged in AWS CloudTrail
      - An AWS account can be a member of only one organization
      - V1 OCP: control which AWS service APIs are accessible in AWS account(s)
      - Console, SDK, and CLI support for all management tasks
      - Available in limited public preview (link not preserved in the source)
  12. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  13. Network: Key Considerations. Non-overlapping IP range; VPC design; Subnet design; Access Control Lists & Security Groups; Logging and Monitoring; AWS Direct Connect.
  14. Network: Direct Connect for connecting the on-prem and AWS environments (diagram). Customer Gateway with VPN backup; Direct Connect Location with Virtual Interface #1 and Virtual Interface #2; Secondary Direct Connect Location; Partner Network.
  15. Network: Central services in a central VPC. VPCs shown: Production Generic, Production Business-critical, Central Services, Non-production. Central common/core services:
      - Authentication/directory
      - Monitoring
      - Logging
      - Bastion host
      - Remote administration
      - Scanning
      - Internet proxy
  16. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  17. Our Landing Zone needs to be safe and secure. Insight is the first step:
      - Who is accessing our Amazon accounts and what are they doing?
      - How will we know if anyone breaks our security policy?
      - What does the traffic on our infrastructure look like, and are all of our resources isolated?
      - How can we easily analyze our logs?
  18. AWS CloudTrail records who is accessing APIs (diagram). AWS accounts make API calls; CloudTrail is continuously recording API calls on a growing set of AWS services around the world (Amazon EBS appears in the diagram); the records flow to a central logging account, where they are used to store/archive, troubleshoot, and monitor & alarm.
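The slide leaves "who is accessing our accounts and what are they doing?" as a question. The script below is an added example (not part of the deck and not an AWS solution) that answers it from a CloudTrail log file: it summarises API activity per principal and flags the three things a central logging account would typically alarm on, namely use of root credentials, a console login without MFA, and calls that switch the trail off. The records are constructed; the field names (`userIdentity`, `eventName`, `eventSource`, `additionalEventData.MFAUsed`) are the ones CloudTrail writes.

```python
"""Review CloudTrail records: who did what, and which records break policy."""
import json
from collections import defaultdict

# Constructed CloudTrail log content (the real service delivers gzipped JSON
# files with a top-level "Records" list to the logging account's S3 bucket).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2016-11-30T10:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventID": "e2", "eventTime": "2016-11-30T10:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventTime": "2016-11-30T10:07:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/bob"}},
    {"eventID": "e4", "eventTime": "2016-11-30T10:09:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

# API calls that weaken the audit trail itself; the central logging account
# should alarm on these regardless of who made the call.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def actor_name(identity):
    """Human-readable principal: root, an IAM user, or an assumed-role ARN."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user/" + identity.get("userName", "?")
    return identity.get("arn", kind or "unknown")


def who_did_what(trail_json):
    """Map each principal to the sorted list of API actions it called."""
    activity = defaultdict(set)
    for rec in json.loads(trail_json)["Records"]:
        activity[actor_name(rec["userIdentity"])].add(rec["eventName"])
    return {actor: sorted(calls) for actor, calls in activity.items()}


def review_records(trail_json):
    """Return (eventID, finding) pairs for records that break the policy
    questions on the slide: root usage, console login without MFA, and
    tampering with CloudTrail itself."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec["userIdentity"]
        if ident.get("type") == "Root":
            findings.append((rec["eventID"], "root-credentials-used"))
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((rec["eventID"], "console-login-without-mfa"))
        if (rec["eventSource"] == "cloudtrail.amazonaws.com"
                and rec["eventName"] in TRAIL_TAMPERING):
            findings.append((rec["eventID"], "cloudtrail-tampering"))
    return findings


if __name__ == "__main__":
    for actor, calls in who_did_what(SAMPLE_TRAIL).items():
        print(actor, calls)
    for event_id, finding in review_records(SAMPLE_TRAIL):
        print(event_id, finding)
```

In a real deployment the same two functions would run inside the Lambda function that the centralized logging solution triggers on each delivered log file, with the findings sent to an SNS topic or indexed alongside the raw records.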
  19. AWS Config informs you of policy violations. Pre-configured rules:
      Compliance Guideline | Non-compliance Action
      All storage volumes should be encrypted | Automatically encrypt storage volumes
      Instances must not have unrestricted Internet access on Port 22 | Remove Port 22 access from any Internet host
      Instances must be tagged with environment type | Notify developer (email, page, SNS)
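The three guidelines in the table are the kind of checks a custom AWS Config rule evaluates. The following is an added example (not from the deck and not the AWS Config rules repository) of the evaluation logic for all three, in the shape of a Config rule Lambda handler that receives the configuration item in `event["invokingEvent"]`. The configuration items are constructed; the field names assumed (`encrypted` on a volume, `ipPermissions` with `ipRanges` or `ipv4Ranges` on a security group, the top-level `tags` map) follow what AWS Config records for those resource types, and `Environment` is the assumed tag key for "environment type".

```python
"""Evaluate the slide's three guidelines against AWS Config configuration items."""
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ENV_TAG = "Environment"  # assumed tag key carrying the environment type


def _cidrs(permission):
    """IPv4 CIDRs of one security group rule. Config has recorded these both as
    an 'ipRanges' list of strings and as an 'ipv4Ranges' list of dicts."""
    cidrs = list(permission.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    return [c for c in cidrs if c]


def _covers_port(permission, port):
    """True if the rule's protocol/port range includes the given TCP port."""
    proto = permission.get("ipProtocol")
    if proto == "-1":  # all traffic
        return True
    if proto != "tcp":
        return False
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    rtype = item["resourceType"]
    cfg = item.get("configuration", {})
    if rtype == "AWS::EC2::Volume":
        if cfg.get("encrypted") is True:
            return "COMPLIANT", "volume is encrypted"
        return "NON_COMPLIANT", "volume is not encrypted"
    if rtype == "AWS::EC2::SecurityGroup":
        for perm in cfg.get("ipPermissions", []):
            if _covers_port(perm, SSH_PORT) and ANY_IPV4 in _cidrs(perm):
                return "NON_COMPLIANT", "port 22 open to 0.0.0.0/0"
        return "COMPLIANT", "no unrestricted port 22 ingress"
    if rtype == "AWS::EC2::Instance":
        if item.get("tags", {}).get(ENV_TAG):
            return "COMPLIANT", "environment tag present"
        return "NON_COMPLIANT", "missing %s tag" % ENV_TAG
    return "NOT_APPLICABLE", "resource type not covered by this rule"


def lambda_handler(event, context):
    """Custom Config rule entry point. Config passes the configuration item as a
    JSON string in event['invokingEvent']; a deployed handler would hand the
    returned evaluation to config.put_evaluations (boto3). This offline
    version returns it so the logic can be tested without AWS access."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def _item(rtype, rid, configuration, tags=None):
    """Build a constructed configuration item with the fields the rule reads."""
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": "2016-11-30T10:00:00.000Z",
            "configuration": configuration, "tags": tags or {}}


# Constructed configuration items: one violating and one compliant per guideline.
SAMPLE_ITEMS = [
    _item("AWS::EC2::Volume", "vol-0a", {"encrypted": False}),
    _item("AWS::EC2::Volume", "vol-0b", {"encrypted": True}),
    _item("AWS::EC2::SecurityGroup", "sg-0c", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}),
    _item("AWS::EC2::SecurityGroup", "sg-0d", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]}),
    _item("AWS::EC2::Instance", "i-0e", {}, {"Name": "web"}),
    _item("AWS::EC2::Instance", "i-0f", {}, {"Name": "web", "Environment": "prod"}),
]


def evaluate_all(items):
    """Compliance type per resource id, for a quick batch run."""
    return {i["resourceId"]: evaluate(i)[0] for i in items}


if __name__ == "__main__":
    for rid, result in evaluate_all(SAMPLE_ITEMS).items():
        print(rid, result)
```

The "non-compliance action" column of the slide (re-encrypting, stripping the rule, notifying) is a separate remediation step that would subscribe to the evaluation results; keeping evaluation and remediation apart makes the rule safe to run in report-only mode first.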
  20. VPC flow logs give you network insights
      - Agentless: AWS collects the logs on your behalf
      - Enable per network interface, per subnet, or per VPC
      - Logged to AWS CloudWatch Logs
      - Create CloudWatch metrics from log data
      - Alarm on those metrics
      Record fields: AWS account, Source IP, Destination IP, Source port, Destination port, Interface, Protocol, Packets, Bytes, Start/end time, Accept or reject.
  21. Create alarms when metrics are breached (Amazon CloudWatch).
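Slides 20 and 21 describe the chain "flow log record, metric, alarm" without showing the record. The script below is an added example (not from the deck) that parses flow log lines in the default field order the slide lists, derives a rejected-flows-per-source metric from them, and raises an alarm when the count reaches a threshold, the same shape as a CloudWatch metric filter and alarm on the log group. It also answers the slide 17 question "are all of our resources isolated?" with a check for accepted flows from outside the assumed internal prefix. The log lines and the `10.` internal prefix are constructed for the example.

```python
"""Parse VPC flow logs, derive a metric, and alarm on a threshold."""
from collections import Counter

# Default flow log field order (version 2 records).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed flow log lines for one interface: three rejected SSH attempts
# and one rejected RDP attempt from the same external address, one accepted
# internal SSH session (both directions), and one NODATA record.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0abc 203.0.113.5 10.0.1.20 41522 22 6 3 180 1480500000 1480500060 REJECT OK
2 111111111111 eni-0abc 203.0.113.5 10.0.1.20 41523 22 6 3 180 1480500010 1480500070 REJECT OK
2 111111111111 eni-0abc 203.0.113.5 10.0.1.20 41524 22 6 3 180 1480500020 1480500080 REJECT OK
2 111111111111 eni-0abc 203.0.113.5 10.0.1.20 41525 3389 6 2 120 1480500030 1480500090 REJECT OK
2 111111111111 eni-0abc 10.0.2.9 10.0.1.20 50112 22 6 20 4120 1480500040 1480500100 ACCEPT OK
2 111111111111 eni-0abc 10.0.1.20 10.0.2.9 22 50112 6 18 9800 1480500040 1480500100 ACCEPT OK
2 111111111111 eni-0abc - - - - - - - 1480500050 1480500110 - NODATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """One dict per usable record. NODATA/SKIPDATA records carry no addresses
    and are dropped; malformed lines are skipped rather than crashing the run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Metric: rejected flows per (source address, destination port)."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def alarms(records, threshold=3):
    """(source, port) pairs whose rejected-flow count reached the threshold
    within the parsed window; this is what the CloudWatch alarm would fire on."""
    return sorted(key for key, n in rejects_by_source(records).items()
                  if n >= threshold)


def accepted_from_outside(records, internal_prefix="10."):
    """Accepted flows whose source is outside the internal range but whose
    destination is inside it: evidence that a resource is reachable from
    outside when the design said it should be isolated."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT"
            and not r["srcaddr"].startswith(internal_prefix)
            and r["dstaddr"].startswith(internal_prefix)]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(recs), "records")
    print(rejects_by_source(recs))
    print("alarms:", alarms(recs))
    print("accepted from outside:", accepted_from_outside(recs))
```

Rejected flows are the signal the deck's alarm slide is after, but the isolation check is the one that catches a security group that was opened too widely: a REJECT means the control worked, an unexpected ACCEPT means it did not.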
  22. Log everything centrally for analysis. The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents. Components in the diagram: Amazon EC2, VPC flow logs, VPC subnet, AWS CloudTrail, Amazon S3, Amazon CloudWatch, AWS Lambda, Amazon Elasticsearch Service; stages: Log, Transform, Search. You can do this by simply using:
      - Amazon Elasticsearch Service
      - CloudTrail logs
      - VPC flow logs
      - EC2 server logs
      Link (truncated in the source): logging/centralized-logging
  23. Choose how to start your compute: private images, or import your current ones. Three options to create or import your own 'gold' images:
      1. Import existing VMs to AWS
      2. Procure a partner AMI from AWS Marketplace
      3. Create and save your own custom images
      On option 3, choose how to build your standard host security environment on the operating system: hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, user administration. Flow in the diagram: EC2 AMI catalogue, launch instance, configure instance, running instance (your instance). Configure your environment as you like; you get to apply your existing security policy. CIS AMI (link not preserved in the source).
  24. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  25. Identity and Access Management: control access and segregate duties everywhere. You get to control who can do what in your AWS environment, when, and from where.
      - Fine-grained control of your AWS cloud with multi-factor authentication
      - Integrate with your existing corporate directory and provide SSO to your customers; support for SAML 2.0 (like your existing Active Directory) and OpenID-compatible Identity Providers (IdPs)
      - You can use AWS managed policies, policies for typical job functions, or customer-generated policies built with the policy generator, and test them with the policy simulator
      (Diagram: AWS account owner.)
  26. Identities and Access Control: example user types with corresponding access policies.
      - Access Managers: IAM Master (create policies), IAM Manager (assign policies), Audit (read-only)
      - Design: Architect (create landscapes), Storage (design and build), Network (design and build)
      - Application Owners: DevOps (API access), App Owner (landscape owner)
      - Other: Billing, Support User
      - Managed policies for job functions: Network Admin, Administrator, Service Catalog Administrators, Database Admin
  27. Identity and Access Management: federation with the on-prem directory (diagram). The Corporate Data Center identity store (AD group) handles identity and authentication; the AD group is mapped to a specific IAM role with an access policy; the user reaches AWS through a browser interface.
  28. Identity and Access Management: Federation: cross-account manager solution. Uses AWS CloudFormation templates to create and manage roles for a master account and sub-accounts: account onboarding and role onboarding. See session SEC304 for a deep dive and demo.
  29. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  30. Henk van Rossum, Director, Platform and Program Manager Hosting and Storage. November 2016. Creating a Landing Zone in AWS: An Enterprise way of working.
  31. Moving from Legacy to Future-proof. 100+ sites; 3500+ servers; extremely high fixed costs; old end-of-term infrastructure; no incentives to decommission & modernize; governance. Workload split chart (segments: 1st tier Datacenter, Decommission Infra, Local compute (Darkroom operated); values shown: 42%, 30%, 25%, 3%).
  32. From Legacy to Cloud First.
      Legacy:
      - "Break-Fix"
      - SLA based managed services
      - Unplanned business interruptions
      - Complex supply chain, new demand
      - Wide variety of versions
      - Not scalable
      - Pay for capacity reserved
      - Reporting "after the fact"
      Cloud First:
      - Design for "Always On"
      - SLA based managed services
      - Self provisioning, consumer driven
      - Standard market-available services
      - Scalable resources
      - Pay only for what you use
      - "Real time" usage & performance
      (Photo caption: Does not represent a Philips location.)
  33. Creating a Landing Zone (diagram). Stack layers at each stage: network, application, data, runtime, middleware, OS, virtual machine, server, storage. Stages: On Premise DC (Legacy DC partner, AMS partner); Technology Refresh (Mang. Partner, AWS, AMS partner); Cloud End State (AWS, AMS partner). Goal: close the on-premise DC, leverage Cloud.
  34. Creating a Landing Zone: Account Architecture (diagram). Enterprise contract; Payer Account (root account) with core global services; Functional Accounts: Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, Backup Accounts; Linked accounts holding resources per Market (Market 1 … Market X) and BU (BU X); Partner Accounts (Partner 1, Partner 2, Other).
  35. Creating a Landing Zone: Internet-centric networking (diagram). Sites connect over the provider private network (MPLS) and the Internet; Internet edge via ISP; SaaS Cloud; Cloud Gateway 1, Cloud Gateway 2 … Cloud Gateway N; Partner Tier 1 DC site; Direct Connect over MPLS.
  36. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  37. Organizations: access to standardization. Organizational structure: CIO; VP of Analytics (BI Dev Team); VP of Application Development (Web Dev Team); VP of Infrastructure (Resource Team: Security, Networking, Storage…). Needs, in two groups: control and visibility, standardization, access control, ease of administration, automation; standardization, self-service, agility, quick implementation.
  38. Agility and Control: what do customers tell us about asset management deployment? Customers want to:
      - Define the resources and landscapes where software and applications are deployed
      - "Approve once and deploy many"
      - Enable self-service, deploy with confidence
      - Automate deployments
  39. Agility and Control: AWS Service Catalog. AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner. For the administrator: control, standardization, governance. For users: agility, self-service, time to market.
  40. Administrator Interaction: CloudFormation to create products. Product = Template. CloudFormation template: JSON formatted file; parameter definition; resource creation; configuration actions. Running stack: configured AWS services. Framework: comprehensive service support; service event-aware; customizable; stack creation; stack updates; error detection and rollback.
  41. Administrator Interaction: AWS Service Catalog managing products (diagram). 1. The Landscape Architect authors the template. 2. The Administrator creates the product (ProductX, with versions). 3. Creates a portfolio (Portfolio A, Portfolio B) and assigns the product. 4. Adds constraints, grants access (users and roles) and adds tags.
  42. Cloud Consumer Interaction: AWS Service Catalog (diagram). 1. Cloud consumers browse products in the portfolio. 2. Select version, provision product, configure parameters. 3. Deploy. 4. Notifications and outputs (to the cloud consumer and the administrator).
  43. Service Catalog APIs: 11 User API methods (launched July 2016); 37 Admin API methods (launched November 2016). Embed, Orchestrate, Automate.
  44. Agility and Control: opportunities to strengthen the handshake. Administrator products; user-generated products to foster innovation; back-end microservices acting on the stacks.
  45. What is the EC2 instance scheduler? A single CloudFormation scheduler stack deploys all solution components: a CloudWatch rule triggers the Scheduler Lambda function (running under a scheduler role); it reads a scheduler configuration table and an instance state table, acts on tagged EC2 instances in one or more AWS accounts (IAM cross-account roles control access to those accounts), and writes CloudWatch Logs and CloudWatch Metrics. Link (truncated in the source): tructure-management/ec2-scheduler/
  46. Agility and Control: Service Catalog end-user view (screenshot).
  47. Agility and Control: Service Catalog, end user populating parameters (screenshot).
  48. Agility and Control: Service Catalog, stack deployed with schedule (screenshot).
  49. Service Catalog E2E Architecture (diagram). The Service Catalog Administrator publishes Portfolio A (specs, stop/start, backup); operators browse, provision and populate parameters; Service Catalog deploys the stacks and attaches the automation parameters as tags, returning notifications and outputs; Lambda functions (hibernation scheduling, backup scheduling, snapshots) inject dynamic parameters and deploy complex resources; an Operational Administrator manages the automation functions; operators view/manage through the AWS Console.
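Slides 45 and 49 both rely on one mechanism: Service Catalog attaches automation parameters as tags, and a scheduled Lambda function reads those tags to decide whether each instance should be running. The script below is an added example of that decision logic (not the AWS EC2 scheduler solution's code and not from the deck). The tag name `Schedule`, its syntax `<first-day>-<last-day>;<HH:MM>-<HH:MM>` in UTC, and the instances are assumptions constructed for the example; the design point it shows is that a missing or malformed tag yields "leave alone", so a typo in a tag can never stop an instance.

```python
"""Tag-driven start/stop decisions for an EC2 scheduler Lambda."""
from datetime import datetime, time

SCHEDULE_TAG = "Schedule"  # assumed tag key attached by the Service Catalog product
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def parse_schedule(value):
    """Parse 'mon-fri;08:00-18:00' into (set of weekday indexes, start, end).
    Returns None for any malformed value instead of raising."""
    try:
        days_part, hours_part = value.lower().split(";")
        first, last = days_part.split("-")
        d0, d1 = DAYS.index(first), DAYS.index(last)
        start_s, end_s = hours_part.split("-")
        start, end = time.fromisoformat(start_s), time.fromisoformat(end_s)
    except (ValueError, AttributeError):
        return None
    if d0 <= d1:
        days = set(range(d0, d1 + 1))
    else:  # wrap around the week, e.g. fri-mon
        days = set(range(d0, 7)) | set(range(0, d1 + 1))
    return days, start, end


def desired_state(tag_value, now):
    """'running' inside the window, 'stopped' outside it, None when the tag is
    absent or malformed (the scheduler then leaves the instance untouched)."""
    parsed = parse_schedule(tag_value) if tag_value else None
    if parsed is None:
        return None
    days, start, end = parsed
    in_window = now.weekday() in days and start <= now.time() < end
    return "running" if in_window else "stopped"


def plan_actions(instances, now):
    """Compare each instance's recorded state (the solution's instance state
    table) with its desired state and return the (id, action) pairs to apply."""
    actions = []
    for inst in instances:
        want = desired_state(inst["tags"].get(SCHEDULE_TAG), now)
        if want == "running" and inst["state"] == "stopped":
            actions.append((inst["id"], "start"))
        elif want == "stopped" and inst["state"] == "running":
            actions.append((inst["id"], "stop"))
    return actions


# Constructed instance records: two scheduled dev boxes, an untagged
# production instance, and one with a malformed tag.
SAMPLE_INSTANCES = [
    {"id": "i-dev1", "state": "stopped", "tags": {"Schedule": "mon-fri;08:00-18:00"}},
    {"id": "i-dev2", "state": "running", "tags": {"Schedule": "mon-fri;08:00-18:00"}},
    {"id": "i-prod", "state": "running", "tags": {"Name": "erp-db"}},
    {"id": "i-bad", "state": "running", "tags": {"Schedule": "weekdays"}},
]


if __name__ == "__main__":
    # 2016-11-30 is a Wednesday; 2016-12-03 is a Saturday.
    print(plan_actions(SAMPLE_INSTANCES, datetime(2016, 11, 30, 10, 0)))
    print(plan_actions(SAMPLE_INSTANCES, datetime(2016, 12, 3, 10, 0)))
```

In the deployed solution this planner runs on every CloudWatch rule invocation, and each `(id, action)` pair becomes a start or stop call made through the cross-account role for the instance's account; emitting the plan first also gives a natural CloudWatch metric (actions per run) to alarm on when the count is unexpectedly large.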
  50. Agenda: Start, Accounts, Network, Security, Identity & Access, Cloud Users, What's Next?
  51. Application Migration: Create Landing Zone, Migrate apps, Operate & optimize.
  52. Managing to the Portfolio Value
      Portfolio Tier | Requirements | Operations Model | Approx. % Portfolio* | IT Spend Against Portfolio
      Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
      Table Stakes | Business-critical, but low rate of change; needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
      Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Traditional Operations | 60% | 30% - 40%
      *estimated numbers. Provided Under NDA.
  53. The Migration Journey (diagram with Brown Field, Green Field and Future State tracks).
      - Brown Field: project initiated; portfolios are prioritized; identify and categorize bulk candidates; analysts identify high-value candidates; pipeline team prepares candidates; patterns are created; applications are migrated based on patterns; Core Landing Zone created; existing Operations team manages
      - Green Field: Greenfield Landing Zone created; innovation teams re-architect the application; cloud-native components are patterned; new operating levers are created; application is implemented on cloud
      - Future State: Future Landing Zone; library of patterns; future operating model
  54. Executing Multi-Modal Migrations: program timeline across Sprint 1 to Sprint 7 with Brown and Green tracks. Workstreams: Migration Business Case; Discovery Prep; Discovery; Pipeline Generation; Migration Patterns Creation; Deploy Landing Zone; Extend, Integrate and Manage Landing Zone; Greenfield Migrations; Innovation; Re-Factor; Re-Host; Complex App (single sprint).
  55. Running Multi-Modal Migrations: increasing levels of effort with increasing levels of return (maturity on both axes). Mass migration: minimized staffing change, Capex to Opex, cost out, facilities closure, consistent operations, traditional operations, operational transition. Re-platform / Refactor: cloud-capable applications, Capex to Opex, nascent services, Cloud COE, managed services, hybrid operations. Re-architect: cloud-aware applications, serverless compute, continuous integration, disruptive technology, maximum efficiency, advanced architecture, development and operations.
  56. Multi-Modal Operations: shift in accountability.
      - Many adoptions are tightly coupled with agile delivery adoption.
      - Not all workloads require a DevOps investment.
      - Achieving business goals doesn't always require automation.
      - Using traditional support models in the wrong places can dilute value.
      Responsibility split, from Traditional Operations to Distributed Responsibility:
      - Traditional (mass migration): Data Center-Cloud Connectivity; Server/Storage Provisioning; Patching/Anti-virus; Monitoring; Server Maintenance/Incident Response; Audit/Risk; Event Management; Web Server; DB Mgmt; Application Software; Development and Deployment
      - Automated Efficiency (re-platform/refactor): Data Center-Cloud Connectivity; Patching/Anti-virus; Monitoring; Audit/Risk; Standards/Policy; Stack Templates; Server Maintenance/Incident Response; Stack Provisioning and Decom; Event Mgmt; Web Server; DB Mgmt; Application Software; Development and Deployment
      - DevOps (re-architect): Data Center-Cloud Connectivity; Patching/Anti-virus; Monitoring Lvl 1; Monitoring Lvl 2; Server Maintenance/Incident Response; Stack Templates and Provisioning; Audit/Risk; Event Management; Web Server; DB Mgmt; Application Software; Development and Deployment
  57. Applications migrated to your Landing Zone (diagram): Direct Connect, Service Catalog, CloudTrail, S3, IAM, Config, Lambda.
  58. Available Resources for Landing Zone (1/2). Links are truncated in the source.
      Domain | Link | What
      Account Mgt | management/limit-monitor/ | Limit Monitor: receive notifications when you approach AWS service limits
      Networking | nux-bastion/ & d-gateway | Bastion Host
      Networking | /accelerator-pci/ | PCI Landing Zone, including configuration of VPCs, Security Groups, Access Policies & Bastion Host
      Networking | pn-monitor/ | VPN Monitoring
      Networking | ansit-vpc/ | Transit VPC
      Security | alized-logging | Centralized Logging
      Security | (link not preserved) | Config Rules Repository
  59. Available Resources for Landing Zone (2/2). Links are truncated in the source.
      Domain | Link | What
      Security | profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed | CIS Security AMI
      Security | foundations-benchmark/ | CIS AWS Foundations Benchmark
      Cross Account Management | management/cross-account-manager | Manage roles in accounts centrally
      Identity and Access Mgt | directory-ds/welcome.html | Active Directory Quick Start
      Identity and Access Mgt | min-guide/manage_apps_services.html | Managing Console Access for AWS Directory Service
      Identity and Access Mgt | adfs/welcome.html | Web Application Proxy with ADFS Quick Start
      Automation | management/ec2-scheduler/ | EC2 Scheduler
  60. Related Sessions
      - ENT203: Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models
      - SAC319: Architecting Security and Governance Across a Multi-Account Strategy
      - SAC320: Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
      - SAC323: Centrally Manage Multiple AWS Accounts with AWS Organizations
      - SEC304: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service
  61. Remember to complete your evaluations!
  62. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you.