AWS re:Invent 2016: Workshop: AWS Professional Services Effective Architecting Workshop (ARC320)

The AWS Professional Services team will be facilitating an architecture workshop exercise for certified AWS Architects. Class size will be limited to 48. This workshop will be a highly interactive architecture design exercise where the class will be randomly divided into teams and given a business case for which they will need to design an effective AWS solution. Past participants have found the interaction with people from other organizations and the creative brainstorming that occurs across 6 different teams greatly enhances the learning experience. Flipcharts will be provided and students are encouraged to bring their laptops to document their designs. Each team will be expected to present their solution to the class.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. November 29, 2016. ARC320: Effective Architecting Workshop. AWS Professional Services, Mark Statham.
  2. Meet our Team: Reuben Frost, Mark Statham, Rodney Lester, CK Tan, Cam Maxwell, Nicolas Malaval.
  3. What to Expect from the Session
     • Practical architecture, design and planning session
     • Test your skills as an AWS architect, to migrate and transform
     • Deliver business outcomes, under time constraints
     • Learn new approaches from your peers
     • Meet new people and have fun!
  4. Session Timeline (bit.ly/aws-arc320)
     • 10 mins: the scenario and key considerations
     • 75 mins: get architecting!
     • 50 mins: architecture presentations and discussion
     • 10 mins: our approach
  5. The Scenario: "ACMEdigi"
     • Provider of offline scanned mail in digital format: "ACMEbox"
     • Originally started as an experiment and now increasing in popularity
     • Business is under cost pressures: underestimated TCO
     • Major changes required within 18 months for the service to continue
     • CEO wants to explore how AWS can help and requests:
        – Target architecture, considering cost, availability and scalability
        – Migration plan detailing how to move the service to AWS
        – Application optimization roadmap
        – DR options available and considerations
  6. Diagram: current state (labels recovered from the figure; traffic types shown are DNS, HTTPS, HTTP, SFTP, NFS, DB and TCP)
     • Co-location data center: firewall, IDS, load balancer with a virtual IP, two web servers, app clusters #1 and #2, DB cluster members #1 and #2, HSM, NAS storage (NFS), DNS servers, SFTP server
     • DR data center: firewall, load balancer, two web servers, app clusters #1 and #2, DB cluster member #3, HSM, NAS storage; kept in sync from the primary site by database replication and log shipping
     • Mail ingestion center: scanning devices and digitizers, all traffic to the co-location site over HTTPS
     • External third party users: HTTPS and SFTP
  7. Recommended approach
     • Determine priority based on the compelling events:
        – Contract expiry
        – Resource and performance constraints
        – Cost optimization
     • Application transformation:
        – Look for quick wins
        – Leverage services where possible
        – Rearchitect self-contained application modules
     • Ask questions: your AWS consultant can help you
  8. Meeting the deadline
     • Read the case study (if you haven't already)
     • Quickly determine what skills you have on your team
     • Divide and conquer some tasks; form the following sub-teams:
        – Migration Architecture
        – Migration Planning
        – Future State Architecture
        – Project Management
     • Listen to new ideas and approaches
     • Get something on paper quickly and iterate, iterate, iterate
     • Focus on action over planning
     • Save a few minutes to compose your "final solution"
     • Have fun and make new friends!
  9. Architecture Concepts
     • Design for failure and nothing fails
     • Loose coupling sets you free
     • Implement elasticity
     • Build security in every layer
     • Think parallel
     • Don't fear constraints
     • Leverage different storage options
  10. LET'S GO!
  11. Timer slide (TIME REMAINING: HOURS, MINUTES) repeating the "Meeting the deadline" checklist, ending with TIME'S UP!
  12. Let's see how you did: Team Presentations
  13. Our approach
  14. VPC Architecture
     • Single region. Production: minimum two Availability Zones for high availability. DR: instantiated via AWS CloudFormation.
     • Subnet structure:
        – Public: the only subnets routed to the Internet. Contains Internet-facing resources (ELB, WAF, proxy…).
        – Application and Data: contains the application (Apache, JBoss) and database, AWS CloudHSM components, and the VPC endpoint to S3. Internal routing only.
        – Ingestion: the only subnets routed to the internal (on-premises) network. Contains bastion hosts and digitizers.
     • Diagram: Production VPC with an Internet Gateway and a Virtual Private Gateway; Availability Zone 1 and Availability Zone 2 each contain a Public, Application, Ingestion and Data subnet; three route tables (public, internal, ingestion).
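The tier rule on this slide (public subnets are the only ones routed to the Internet, ingestion subnets the only ones routed to the internal network, application and data subnets internal only) is exactly the kind of property that drifts once route tables are edited by hand. The following Python is an added example, not part of the workshop material: it audits a subnet-to-route-table mapping against that rule and also checks that every tier spans both Availability Zones. Subnet names, resource IDs, the VPC and on-premises CIDRs and the sample tables are constructed for the example.

```python
"""Audit VPC routing against the four-tier rule on the "VPC Architecture" slide.

Rule (the only policy this script encodes):
  public    - the only subnets routed to the Internet (Internet Gateway)
  app, data - internal routing only; S3 reached through a VPC gateway endpoint
  ingestion - the only subnets routed to the internal network (Virtual Private Gateway)

Everything below (IDs, CIDRs, subnet names) is constructed for this example.
"""
from __future__ import annotations

VPC_CIDR = "10.0.0.0/16"          # assumed VPC CIDR
ON_PREM_CIDR = "10.100.0.0/16"    # assumed on-premises ingestion network

# Route target kinds each tier may use besides the implicit VPC-local route.
# The kind is the resource ID prefix: igw-*, vgw-*, vpce-*, nat-*, i-* (instance), ...
TIER_POLICY: dict[str, set[str]] = {
    "public": {"igw"},
    "app": {"vpce"},
    "data": {"vpce"},
    "ingestion": {"vgw"},
}

# Subnets are named "<tier>-<az>" (naming assumed here); value = attached route table.
GOOD_SUBNETS = {
    "public-az1": "rtb-public", "public-az2": "rtb-public",
    "app-az1": "rtb-internal", "app-az2": "rtb-internal",
    "data-az1": "rtb-internal", "data-az2": "rtb-internal",
    "ingestion-az1": "rtb-ingestion", "ingestion-az2": "rtb-ingestion",
}
# Route table -> [(destination, target)]; "pl-s3" stands for the S3 endpoint prefix list.
GOOD_ROUTE_TABLES = {
    "rtb-public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0a1b2c")],
    "rtb-internal": [(VPC_CIDR, "local"), ("pl-s3", "vpce-0d3e4f")],
    "rtb-ingestion": [(VPC_CIDR, "local"), (ON_PREM_CIDR, "vgw-056789")],
}


def tier_of(subnet: str) -> str:
    return subnet.rsplit("-", 1)[0]


def az_of(subnet: str) -> str:
    return subnet.rsplit("-", 1)[1]


def audit_routing(subnets: dict[str, str],
                  route_tables: dict[str, list[tuple[str, str]]]) -> list[str]:
    """One finding per route the subnet's tier is not allowed to have; [] means compliant."""
    findings = []
    for subnet, rtb in sorted(subnets.items()):
        tier = tier_of(subnet)
        allowed = TIER_POLICY[tier]
        for dest, target in route_tables[rtb]:
            if target == "local":
                continue
            kind = target.split("-", 1)[0]
            if kind not in allowed:
                findings.append(f"{subnet} ({rtb}): {dest} -> {target} not permitted in {tier} tier")
            elif dest == "0.0.0.0/0" and tier != "public":
                findings.append(f"{subnet} ({rtb}): default route outside the public tier")
    return findings


def missing_az_coverage(subnets: dict[str, str], azs: tuple[str, ...]) -> list[str]:
    """Tiers not present in every listed AZ (slide: minimum two AZs for high availability)."""
    present: dict[str, set[str]] = {}
    for subnet in subnets:
        present.setdefault(tier_of(subnet), set()).add(az_of(subnet))
    return sorted(t for t, seen in present.items() if not set(azs) <= seen)


def demo() -> dict[str, object]:
    """Run both checks on the intended design and on two drifted copies: an application
    subnet attached to the public route table, and a data tier missing from AZ 2."""
    drifted = {**GOOD_SUBNETS, "app-az1": "rtb-public"}
    single_az = {s: r for s, r in GOOD_SUBNETS.items() if s != "data-az2"}
    return {
        "good_findings": audit_routing(GOOD_SUBNETS, GOOD_ROUTE_TABLES),
        "drift_findings": audit_routing(drifted, GOOD_ROUTE_TABLES),
        "good_az_gaps": missing_az_coverage(GOOD_SUBNETS, ("az1", "az2")),
        "single_az_gaps": missing_az_coverage(single_az, ("az1", "az2")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

The same two functions can be fed from a real account by listing route tables and their subnet associations, which is the check to run after every change to the VPC rather than only at design time; egress for the application tier then stays with the proxy instances in the public subnets instead of a default route.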
  15. Timeline: Step 1
     • Network, Step 1 (T0): VPC architecture implemented; connected with the ingestion network using VPN
     • Network, Step 2: VPN replaced by AWS Direct Connect for a more consistent network experience; two Direct Connect locations for resiliency
     • App, Step 1 (T0 + 7 months):
        – "Lift and shift" with some re-platforming quick wins (Amazon RDS, Amazon Route 53…)
        – Data Access Service module redeveloped to replace NFS with Amazon S3
        – Web static content served by Amazon CloudFront/S3
        – IDS replaced by a WAF solution available in AWS Marketplace
  16. Diagram: Step 1 target architecture (labels recovered from the figure)
     • Edge: Route 53 hosted zone (DNS), CloudFront distribution serving static content from an S3 bucket, Application Load Balancer (HTTPS) in front of Web Application Firewall instances, which forward HTTP to the web server instances and app cluster 1 & 2 instances
     • Data: Oracle DB instance with a standby instance, CloudHSM 1 and CloudHSM 2, EFS file system for uploads and SFTP configuration, Amazon S3 with lifecycle configuration for the digital documents
     • Access: external third party over SFTP to an SFTP server; scanning devices and digitizers over TCP; administrators through a bastion host; egress proxy instances for outbound Internet access
     • Legend: EC2 instance with EC2 Auto Recovery; Auto Scaling group with scaling policies; modules redeveloped in Step 1 are highlighted among Registration, Login, Payment, Doc Manager, Presentation, Core, Batch Processing, Encryption, Administration, Digitizer and Data Access Service
  17. Migration highlights (on-premises to Step 1)
     • Servers: AWS Server Migration Service (SMS) if the source is VMware; otherwise a third-party solution (Racemi, CloudEndure…)
     • Databases: migration to RDS Oracle EE with AWS Database Migration Service (DMS)
     • Digital documents: initial upload using the Snowball appliance twice; delta sync with a third-party solution (ExpeDat, Attunity, Aspera…)
     • Encryption keys: SafeNet key replication to CloudHSM
     • DR consideration: AWS service features meet customer requirements and risk profile, e.g. Multi-AZ design vs. a physical DC
     • DR recovery: infrastructure automation to recover within the defined RTO; RDS point-in-time recovery and EC2 snapshots to meet the RPO
  18. Timeline: Step 2 (Network steps and App Step 1 as on slide 15)
     • App, Step 2 (T0 + 12 months):
        – Auto Scaling for automated resiliency and scalability; caching for session handling
        – Encryption module redeveloped to use AWS KMS instead of CloudHSM for data and file encryption
        – Micro-services developed for registration and login
        – Use of serverless services (Amazon API Gateway, AWS Lambda, Amazon DynamoDB…)
        – Oracle database migrated to Amazon Aurora
  19. Diagram: Step 2 target architecture (labels recovered from the figure; changes from Step 1)
     • Application Load Balancer with path-based routing; web server and app cluster 1 & 2 instances now in Auto Scaling groups with scaling policies (fixed-capacity Auto Scaling groups shown separately in the legend); ElastiCache Redis Multi-AZ for session handling
     • Registration service with a Users table and Login service with a Sessions table, implemented as Lambda functions
     • Aurora DB instance with a standby instance replaces the Oracle DB instance
     • KMS used by the encryption module for data and file encryption; CloudHSM 1 and 2 still present
     • Digitizers upload directly to Amazon S3 (with lifecycle configuration) using an S3 pre-signed upload URL
     • Unchanged: Route 53 hosted zone, CloudFront distribution and S3 bucket for static content, Web Application Firewall instances, bastion host for administrators, egress proxy instances, external third party, scanning devices over TCP
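The S3 pre-signed upload URL on this diagram is what lets a digitizer write into the document bucket without holding AWS credentials: the URL carries a SigV4 signature over the method, bucket/key, signing date and expiry, so it is a bearer token valid for one operation for a short window. The following Python is an added, self-contained illustration, not code from the workshop or from AWS SDKs: it produces such a URL with plain hashlib/hmac and then performs the receiver-side check that S3 does (recompute the signature from the URL's own parameters, enforce the validity window) to show which tampering is rejected. Access key, secret, bucket, key, region and clock values are constructed dummies.

```python
"""SigV4 query-string presigning for an S3 PUT, and the receiver-side check.

Added illustration of the "S3 pre-signed upload URL" on the Step 2 diagram.
Plain Python, no boto3. Credentials, bucket, key, region and clock values are
constructed dummies for this example; the secret is not a real key.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # dummy
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"       # dummy
REGION = "eu-west-1"                                      # assumed
BUCKET = "acmedigi-digital-documents"                     # assumed
KEY = "inbox/digitizer-07/doc-0001.pdf"                   # assumed
NOW = datetime(2016, 11, 29, 10, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the long-term secret."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict[str, str]) -> str:
    def enc(s: str) -> str:
        return quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(method: str, host: str, enc_path: str, params: dict[str, str],
               secret: str, amz_date: str, region: str) -> str:
    """Signature over method, URI-encoded path, query, host header and (unsigned) payload."""
    date = amz_date[:8]
    canonical_request = "\n".join([
        method, enc_path, _canonical_query(params),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_put(bucket: str, key: str, access_key: str, secret: str, region: str,
                now: datetime, expires: int = 300) -> str:
    """URL that authorises a PUT of exactly `key` into `bucket` for `expires` seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    enc_path = quote("/" + key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("PUT", host, enc_path, params, secret, amz_date, region)
    return f"https://{host}{enc_path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def check_presigned(url: str, method: str, secret: str, now: datetime) -> bool:
    """Receiver side: accept only if the signature recomputed from the URL's own
    parameters matches for this method and the request falls inside the window."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        _, date, region, service, scope = params["X-Amz-Credential"].split("/")
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if params.get("X-Amz-Algorithm") != ALGORITHM or service != "s3" or scope != "aws4_request":
        return False
    if amz_date[:8] != date:
        return False
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if not signed_at <= now <= signed_at + timedelta(seconds=expires):
        return False
    expected = _signature(method, parts.netloc, parts.path, params, secret, amz_date, region)
    return hmac.compare_digest(expected, presented)


def demo() -> dict[str, object]:
    """Issue one URL and show which uses and which tampering the check accepts or rejects."""
    url = presign_put(BUCKET, KEY, ACCESS_KEY, SECRET, REGION, NOW)
    return {
        "url": url,
        "valid_now": check_presigned(url, "PUT", SECRET, NOW),
        "valid_at_expiry": check_presigned(url, "PUT", SECRET, NOW + timedelta(seconds=300)),
        "expired": check_presigned(url, "PUT", SECRET, NOW + timedelta(seconds=301)),
        "wrong_method": check_presigned(url, "DELETE", SECRET, NOW),
        "wrong_secret": check_presigned(url, "PUT", "not-the-secret", NOW),
        "other_key": check_presigned(url.replace("doc-0001", "doc-0002"), "PUT", SECRET, NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from what the check binds: the URL should be issued per document with a key prefix scoped to the requesting digitizer and an expiry of minutes, not hours, and the IAM principal whose key signs it needs only s3:PutObject on that prefix, because the signature can never grant more than that principal holds.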
  20. Timeline: Step 3 (Network steps and App Steps 1 and 2 as on slides 15 and 18)
     • App, Step 3 (T0 + 17 months):
        – Amazon API Gateway and AWS WAF implemented
        – Micro-services developed for payment and doc manager
        – Administration, presentation and core modules migrated to an AWS Elastic Beanstalk web environment
        – Batch processing module redeveloped for more real-time delivery using Lambda and an Elastic Beanstalk worker environment
  21. Diagram: Step 3 target architecture (labels recovered from the figure; changes from Step 2)
     • API Gateway fronted by AWS WAF and the CloudFront distribution; services are marked as public or private (API authentication required)
     • New services: Payment service with a Subscription table, Doc Manager service with a Document table, Doc Processing service in an Elastic Beanstalk worker environment, Administration service and Presentation & Core service in Elastic Beanstalk web environments
     • Elastic Beanstalk containers carry a host-based IPS solution
     • Retained from Step 2: Registration service (Users table) and Login service (Sessions table) on Lambda, Aurora DB instance with standby, ElastiCache Redis Multi-AZ, Amazon S3 with lifecycle configuration for digital documents, KMS, S3 pre-signed upload URL for the digitizers, bastion host for administrators, egress proxy instances, Route 53 hosted zone, external third party, scanning devices over TCP
  22. Thank you!
  23. Remember to complete your evaluations!
