AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds


One of the first steps towards realising the benefits of a robust Hybrid IT strategy is integrating existing on-premises workloads with cloud resources. Learn how to use the AWS platform to build your first Hybrid IT solutions, based on real-life enterprise customer use cases: how to build your own Virtual Private Cloud, the security controls available to you, and the network connectivity options for creating fast and reliable connectivity as the foundation of your Hybrid IT vision with AWS.

Published in: Technology, Business


  1. Hybrid IT with AWS: Best of Both Worlds
     Mark Statham, Solution Architect, AWS
  2. Today we'll cover
     • What is Hybrid IT?
     • AWS Service Building Blocks: Compute, Storage, Database, Network
     • Common Hybrid Workloads: Backup & Archive, Storage Expansion
     • Enterprise Integration: Control, Federation, Tracking, Catalog, Operations
     • Demos: VPC/VPN/EC2/Redshift
     • Next Steps
  3. What is Hybrid IT?
  4. Hybrid IT: A Definition
     "Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome."
     Source: http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
  5. Hybrid IT: A Definition (diagram labels: Services, Build, Solutions, Deliver, Business Outcomes)
  6. AWS Service Building Blocks
  7. Services: AWS Platform (diagram: AWS Global Infrastructure; Compute, Storage, Database, Networking; Application Services; Deployment & Administration)
  8. Services: AWS Global Infrastructure
     • 10 Regions, 25+ Availability Zones, 51 Edge Locations, continuous expansion
     • Regions on the map include Oregon, Northern California, GovCloud, São Paulo, Ireland, Tokyo, Singapore, Sydney and Beijing
     • APAC Edge Locations: Chennai and Mumbai (India), Hong Kong (2), Tokyo and Osaka (Japan), Singapore (2), Sydney, Manila, Seoul, Taipei
     • Asia Pacific (Singapore) Region: 2 Availability Zones, launched 2010
     • Asia Pacific (Sydney) Region: 2 Availability Zones, launched 2012
     • Asia Pacific (Japan) Region: 3 Availability Zones, launched 2011
     • Asia Pacific (China) Region: Availability Zones TBA, launch TBD
  9. Our "Hybrid" Focus (diagram: your data centers running on-premises apps alongside cloud apps, joined by private connections, workload migrations, access control integration, and working with your existing management tools)
  10. Tools to Support Hybrid IT Architectures (diagram: your data centers with on-premises apps, a corporate directory and a private network; your cloud apps in a VPC and your data in our storage; linked by VM Import/Export of virtual images, the VPC network, and IAM policies)
  11. Services: Compute: Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing
  12. Services: Compute: EC2
     Amazon Elastic Compute Cloud (EC2)
     • Wide selection of instance types (general purpose, compute optimized, storage and IO optimized, GPU enabled, memory optimized) with a range of CPU, memory and local storage options
     • Run Microsoft Windows or Linux
     • Full stateful firewall per instance via Security Groups
     • You have full control of, and access to, the operating system
     • VM Import your virtual server images
  13. Services: Compute: ELB
     Amazon Elastic Load Balancing (ELB)
     • Load balancing as a service
     • Automatically distributes incoming application traffic across multiple Amazon EC2 instances
     • Enables greater fault tolerance in your applications
     • Built-in application health detection: traffic is served only to healthy instances
     • Seamlessly provides the load balancing capacity needed to distribute application traffic
     • Available as either an Internet-facing or an internal VPC endpoint
  14. Services: Storage: Simple Storage Service (S3), Elastic Block Store (EBS)
  15. Services: Storage: S3
     Amazon Simple Storage Service (S3)
     • Unlimited storage of objects of any type
     • 99.999999999% durability, replicated across multiple facilities
     • Cost-effective storage: US$0.03 per GB-month
     • Granular access control and permissions over objects
     • Encryption at rest using AES-256 server-side encryption (it is requested per object, so where it is mandatory enforce it with a bucket policy or the bucket's default-encryption setting)
     • Encryption in transit using HTTPS
     • High-performance throughput, with parallelised upload and download
     • Import or export data via a physical device handling service
     • Data remains in the geographic region you choose
  16. Services: Storage: EBS
     Amazon Elastic Block Store (EBS)
     • High-performance block storage, up to 4,000 IOPS per volume
     • Volume sizes from 1 GB to 1 TB of usable storage
     • No mirroring required: volumes are replicated within the Availability Zone
     • Mount as drives to instances, multiple drives per instance
     • Format and encrypt as required, or use as raw storage
     • Private to your Amazon EC2 instances
     • Volumes can be snapshotted for point-in-time restore; snapshots are durably stored on Amazon S3 in multiple facilities
  17. Services: Database: Relational Database Service (RDS), Redshift
  18. Services: Database: RDS
     Amazon Relational Database Service (RDS)
     • Database as a service with a 99.95% uptime SLA*
     • No need to install or manage database instances
     • Scalable and fault-tolerant configurations
     • Automated backups, point-in-time recovery
     • Automated failover to a standby in the event of a failure
     • Easily create read replicas of your data; replicate across Availability Zones or Regions*
     * Varies by database engine
  19. Services: Database: Redshift
     Amazon Redshift
     • Fully managed, petabyte-scale data warehouse service
     • One-tenth the cost of traditional data warehouse systems
     • Scalable, resizable, fault-tolerant, clustered
     • Integrates with industry-leading tools
     • Automatic incremental snapshot backup and replication
     • Available in minutes, in a range of sizes
  20. Services: Networking: Virtual Private Cloud (VPC), Direct Connect
  21-24. Services: Networking: VPC
     Extend your data center with Amazon VPC
     • Create a logically isolated section of the AWS Cloud using your own network address space (diagram: 10.100.0.0/16)
     • Complete control over your virtual networking environment, including creation of subnets, IP addressing, routing tables and network gateways
     • Create private or public subnets in multiple Availability Zones (diagram: 10.100.0.0/23 in Availability Zone A, 10.100.2.0/23 in Availability Zone B)
     • You choose where to deploy EC2 instances (diagram: an application server in each Availability Zone)
     • You manage network security at the subnet level using network ACLs (stateless: return traffic must be allowed explicitly)
     • You manage EC2 instance Security Groups, a stateful network firewall per instance
  25-26. Services: Networking: Direct Connect
     Integrate your network with Amazon VPC
     • Connect via standard IPsec Internet VPN tunnels, or
     • a private link to an AWS Direct Connect peering location, or a combination of both
     • Connection port speeds from 50 Mbps to 10 Gbps; you choose the connection speed you want
     • Connect multiple VPCs using industry-standard VLANs (802.1Q) and layer 3 routing (BGP)
     • Integrate your network with your private VPC resources
     • Deploy your own network equipment into the Direct Connect peering location, e.g. WAN optimization devices
     (diagram: the customer corporate network reaches the customer VPC both over an Internet VPN connection from a customer IPsec router/firewall and over private Direct Connect from a customer Direct Connect router)
  27. Your First Virtual Private Cloud
     VPC configuration
     • VPC CIDR network: 10.100.0.0/16
     • VPC subnet 1: 10.100.0.0/23
     • VPC subnet 2: 10.100.2.0/23
     • VPN type: dynamic (BGP)
     • Security Group: HTTP, HTTPS, SSH, ICMP
     Data center configuration
     • Corporate network: 10.96.0.0/16
     • DC network: 10.96.24.0/21
     • VPN gateway IP: 54.254.241.240
     Note: scope the SSH and ICMP rules in that Security Group to the corporate network (10.96.0.0/16) rather than 0.0.0.0/0; only HTTP and HTTPS need to be reachable more widely.
     (diagram: VPN tunnels from the customer VPN gateway into the VPC; a directory server, database server and application server in Availability Zone A, an application server in Availability Zone B, and a client in the data center)
  28. Services: Networking: Other VPC Features
     VPC released 2009
     • Mature virtual networking service
     • Highly scalable, up to 64K hosts per VPC
     • Features focused on enterprise integration
     Other VPC features
     • Multiple VPCs per account
     • Multiple network interfaces per EC2 instance
     • Multiple IPs per interface
     • Move network interfaces between EC2 instances
     • Egress filtering with Security Groups and network ACLs
     • Virtual network peering between VPCs
     • Direct Connect cross-region routing
     • Support for Dedicated Instances (single-tenant EC2)
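The address plan on the "Your First Virtual Private Cloud" slide only works if the VPC range and the ranges the data center advertises over the BGP VPN do not collide. The following check is an added example and is not part of the original deck or any AWS tool: it takes the slide's CIDRs, verifies that each subnet sits inside the VPC, that the subnets do not overlap each other, and that the VPC does not overlap the on-premises networks. The five addresses AWS reserves per subnet are a documented constant; the subnet and network names are just labels.

```python
"""Address-plan check for the 'first VPC' on the slides.

Added example, not from the original deck. Before the VPN is built, confirm
that every subnet lies inside the VPC CIDR, that no two subnets overlap, and
that nothing in the VPC overlaps the address space the on-premises side will
advertise over BGP. AWS does not reject an overlap with your own network; the
routes simply clash and traffic for the overlapping range goes the wrong way.
"""
import ipaddress

# Values from the 'Your First Virtual Private Cloud' slide.
VPC_CIDR = "10.100.0.0/16"
VPC_SUBNETS = {"subnet 1 (AZ A)": "10.100.0.0/23", "subnet 2 (AZ B)": "10.100.2.0/23"}
ON_PREM = {"corporate network": "10.96.0.0/16", "DC network": "10.96.24.0/21"}

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, reserved for future use, broadcast


def usable_hosts(cidr):
    """Addresses an EC2 instance can actually take in a subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr, subnets, on_prem):
    """Return a list of problems; an empty list means the plan is clean."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []
    # 1. every subnet must be carved out of the VPC range
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
    # 2. subnets must not overlap one another
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # 3. the VPC must not overlap anything reachable over the VPN
    for name, cidr in on_prem.items():
        remote = ipaddress.ip_network(cidr, strict=True)
        if remote.overlaps(vpc):
            problems.append(f"VPC {vpc} overlaps on-premises {name} {remote}")
    return problems


if __name__ == "__main__":
    for name, cidr in VPC_SUBNETS.items():
        print(f"{name}: {cidr}, {usable_hosts(cidr)} usable addresses")
    print(check_plan(VPC_CIDR, VPC_SUBNETS, ON_PREM) or "plan is clean")
    # A corporate supernet that swallows the VPC range is the classic mistake:
    print(check_plan(VPC_CIDR, VPC_SUBNETS, {"corporate network": "10.96.0.0/12"}))
```

Run it once per VPC before the customer gateway is configured; the third check is the one that matters most in a hybrid design, because a corporate supernet such as 10.96.0.0/12 silently contains 10.100.0.0/16.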
  29. Common Hybrid Workloads
  31. Backup and Archive
     On-premises backup server with Amazon S3
     • Eliminate tape, hardware and off-site storage
     • Reduce capital expense for backup infrastructure
     • Never worry about backup durability
     • Never run out of backup capacity
     • Backup gateway integrated with Amazon S3
     • Data stored off-site, with high durability, in multiple locations
     • Take advantage of advanced storage optimization options: de-duplication, compression, WAN acceleration
     (diagram: application server, virtual server, file server and database server backed up through a backup system to Amazon S3)
  32. Backup and Archive
     Solutions supporting backup and archive to S3
     • Veeam Backup & Replication
     • Symantec NetBackup
     • Oracle RMAN and Secure Backup Module
     • CommVault Simpana
     • AWS Storage Gateway VTL
     • Riverbed Whitewater
  33. Storage Expansion
     On-premises storage appliance with Amazon S3
     • Reduce capital expense for storage infrastructure
     • Never worry about storage durability
     • Never run out of storage capacity
     • Storage appliance integrated with Amazon S3
     • Data durably stored off-site in multiple locations
     • Virtual volumes presented to the local network as iSCSI volumes, NFS or CIFS
     • Local disk cache for fast on-premises access
     • Take advantage of advanced storage optimization options: block-based de-duplication, compression, WAN acceleration
     • Security through gateway-side encryption: data is encrypted by the appliance before it leaves your network
  34. Storage Expansion
     Solutions supporting storage expansion to S3
     • TwinStrata CloudArray
     • Riverbed Whitewater
     • Panzura Global NAS
     • Aspera On Demand
     • AWS Storage Gateway Cached Volumes
  35. Storage Expansion: third-party solutions
     • A popular hybrid storage appliance for storing backup data on AWS
     • De-dupes, encrypts, optimizes; you manage the encryption keys
     • Connects to Amazon S3
     • Physical or virtual appliance
     • A 30:1 storage reduction over 3 years is typical
  36. Storage Expansion: third-party solutions
     • Amazon S3: $0.03 per GB-month
     • After Whitewater, with a 30:1 storage reduction over 3 years: $0.001 per GB-month, i.e. about $1 per TB-month
  38. Enterprise Integration
  39. How do I integrate AWS? Access Control, Identity Federation, Resource Tracking, Service Catalog, Operations
  40. Every Customer Gets the Same AWS Security Foundations
     Independent validation by experts
     • Every AWS Region is in scope
     • SOC 1 (SSAE 16 & ISAE 3402) Type II
     • SOC 2 Type II and public SOC 3 report
     • ISO 27001 certification
     • Certified PCI DSS Level 1 Service Provider
     • FedRAMP certification, HIPAA capable
     (diagram: AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations)
  41. Security is a Shared Responsibility Between AWS and our Customers
     • AWS is responsible for the security OF the Cloud: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
     • Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption, server-side data encryption and network traffic protection
  42. Your Own Auditor Can Still Audit Your AWS Environment
     AWS Foundation Services: a culture of security and continual improvement; ongoing audits and assurance; protection of large-scale service endpoints
     Customers build on that with your own compliant solutions, your own ISO certifications, and your own external audits and assurance:
     • Achieve PCI, HIPAA and MPAA compliance
     • Certify against ISO 27001 with a reduced scope
     • Have key controls audited, or publish your own independent attestations
  43-48. Securing Your AWS Resources
     AWS Identity and Access Management (IAM)
     • AWS IAM enables you to securely control access to AWS services and resources
     • Fine-grained control of user permissions, resources and actions: you choose who can do what in your AWS environment, and from where
     • Users and groups: create users or groups, assign permissions to groups, and restrict where actions are allowed from
     • Data: which accounts have access, who can access which files, and with what access rights
     • Infrastructure: who can create subnets, who can modify security groups, and who can launch EC2 instances, into which subnet (diagram: an application server in a VPC subnet)
     • Applications: grant rights to applications to access AWS resources through IAM roles, with built-in key rotation and no credentials stored in code
     • Multi-factor authentication: easily add MFA using smartphone apps or hardware tokens; secure access to the console and require MFA for API actions
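The slides list the questions IAM answers (who, what, which resource, from where, with MFA or not) but not how a policy document expresses them or how IAM combines Allow and Deny statements. The block below is an added example, not AWS code and not part of the deck: a deliberately small evaluator that applies IAM's documented decision order (a matching explicit Deny wins, then a matching Allow, otherwise implicit deny) to policies written in the real JSON shape. It also shows the later slide's point that tags can control permissions, via an ec2:ResourceTag condition. The account id, region, corporate IP range (a TEST-NET range) and instance ARN are assumptions; the subnet ids come from the inventory slide. One simplification to keep in mind: a real ec2:RunInstances call is authorised against several resource ARNs (instance, image, subnet, security group, ...), whereas here a single subnet ARN stands in for them.

```python
"""Simplified IAM policy evaluator showing 'who can do what, from where'.

Added example, not AWS code and not the deck's: it applies the documented
evaluation order (any matching explicit Deny wins, then any matching Allow,
otherwise implicit deny) to one request, using a subset of condition
operators. Account id, region, IP range and instance id are assumed.
"""
import fnmatch
import ipaddress

ACCOUNT = "111122223333"        # assumed account id
REGION = "ap-southeast-1"       # assumed region
CORP_EGRESS = "203.0.113.0/24"  # assumed corporate internet egress range (TEST-NET-3)
APP_SUBNET = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-e1fd0289"   # subnet ids from the deck
DB_SUBNET = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-f9a51991"
DB_INSTANCE = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-9f50e1c9"


def as_list(value):
    return value if isinstance(value, list) else [value]


def matches(patterns, value):
    """Action and Resource matching: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))


def condition_holds(operator, key, expected, context):
    """One condition key. As in IAM, a key absent from the request context fails."""
    actual = context.get(key)
    if actual is None:
        return False
    expected = as_list(expected)
    if operator in ("IpAddress", "NotIpAddress"):
        inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
        return inside if operator == "IpAddress" else not inside
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "StringEquals":
        return actual in expected
    raise ValueError(f"unsupported condition operator {operator}")


def statement_applies(stmt, action, resource, context):
    if not matches(stmt["Action"], action) or not matches(stmt["Resource"], resource):
        return False
    return all(condition_holds(op, key, exp, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny always wins
                decision = "Allow"
    return decision


# What the application team may do (an IAM group policy).
APP_TEAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": APP_SUBNET},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:AuthorizeSecurityGroupIngress", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
# Guardrails applied to everyone: only from the corporate network, and never
# terminate anything tagged Purpose=Production.
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_EGRESS}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Purpose": "Production"}}},
]}
POLICIES = [APP_TEAM_POLICY, GUARDRAIL_POLICY]


def decide(action, resource, source_ip, mfa=False, resource_tags=None):
    """Build the request context the way IAM would and evaluate it."""
    context = {"aws:SourceIp": source_ip,
               "aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    for key, value in (resource_tags or {}).items():
        context[f"ec2:ResourceTag/{key}"] = value
    return evaluate(POLICIES, action, resource, context)


if __name__ == "__main__":
    print(decide("ec2:RunInstances", APP_SUBNET, "203.0.113.10"))   # Allow
    print(decide("ec2:RunInstances", DB_SUBNET, "203.0.113.10"))    # ImplicitDeny: wrong subnet
    print(decide("ec2:RunInstances", APP_SUBNET, "198.51.100.7"))   # Deny: outside corporate range
    print(decide("ec2:AuthorizeSecurityGroupIngress", "*", "203.0.113.10", mfa=True))  # Allow
```

Two behaviours worth noticing. The source-IP guardrail is a Deny, so it overrides every Allow regardless of which policy granted it. And the tag-based Deny does not fire on an instance that carries no Purpose tag at all, because a missing condition key evaluates false; a tag-based control is only as strong as the tagging it depends on, which is why the tracking slides that follow matter for security as much as for cost.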
  49. Enterprise Federation
     Integrate identity management with AWS
     • Secure access to AWS resources using your own identity management system
     • Provide SSO to the AWS Management Console or APIs
     • Build your own SSO federation using the AWS STS service, or
     • Federate with on-premises directories such as Active Directory, TFIM, OAM or another SAML 2.0 compliant IdP
  50. Resource Tracking and Cost Allocation
     Tag and describe your infrastructure
     • Describe every AWS object through an API call

     Instance     Name                   VPC ID        Subnet ID        Instance type  Security Groups
     i-5ef40608   SharePoint App Server  vpc-ebfd0283  subnet-e1fd0289  c3.xlarge      Admin, App
     i-59f4060f   SharePoint App Server  vpc-ebfd0283  subnet-e1fd0289  c3.xlarge      Admin, App
     i-f6be9aa0   Web Server             vpc-ebfd0283  subnet-e1fd0289  m3.large       Admin, Web
     i-ec50e1ba   Web Server             vpc-ebfd0283  subnet-e1fd0289  m3.large       Admin, Web
     i-9f50e1c9   Database Server        vpc-ebfd0283  subnet-f9a51991  r3.2xlarge     Admin, Database
     i-77ab8f21   Database Server        vpc-ebfd0283  subnet-f9a51991  r3.2xlarge     Admin, Database
     i-d9912f8f   Directory Server       vpc-ebfd0283  subnet-f9a51991  c3.medium      Admin, Directory
     i-407b3316   Directory Server       vpc-ebfd0283  subnet-f9a51991  c3.medium      Admin, Directory
  51-55. Resource Tracking and Cost Allocation
     Tag and describe your infrastructure
     • Describe every AWS object through an API call
     • Resources in AWS can have custom tags, for example: Name: APAWSIN001; Purpose: Production; Application: SharePoint Farm 03; Business Unit: Marketing; Cost Centre: 2384234
     • Custom tags can be used to control permissions, and
     • to allocate costs, enabling charge-back of service usage
     • Dynamically generate a full inventory (diagram attributes: Status, Location, Group, Product, Attributes, SLA, Life Cycle)
     • Visualize your AWS infrastructure in real time
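The inventory and charge-back the slides describe are a few lines of code once the describe call's output is in hand. The block below is an added example, not from the deck and not an AWS tool: it works over constructed records in the shape of the Instances entries that DescribeInstances returns (trimmed to the fields used), builds the inventory, reports any instance missing a required tag, and charges each instance's run cost to its Cost Centre tag. The instance and subnet ids follow the inventory slide; the tag values beyond the slide's example, the untagged instance and the hourly rates are made up (the rates are not AWS prices).

```python
"""Inventory and charge-back from tags, over constructed describe-instances records.

Added example, not from the deck. The records, most tag values and the hourly
rates are constructed for illustration; the rates are not AWS prices. An
instance missing a required tag is reported rather than silently dropped,
because an untagged resource is one that nobody owns and nobody pays for.
"""
from collections import defaultdict
from decimal import Decimal

REQUIRED_TAGS = ("Name", "Purpose", "Application", "Business Unit", "Cost Centre")

# Same shape as the Instances entries in a DescribeInstances response, trimmed.
INSTANCES = [
    {"InstanceId": "i-5ef40608", "InstanceType": "c3.xlarge", "SubnetId": "subnet-e1fd0289",
     "Tags": [{"Key": "Name", "Value": "APAWSIN001"}, {"Key": "Purpose", "Value": "Production"},
              {"Key": "Application", "Value": "SharePoint Farm 03"},
              {"Key": "Business Unit", "Value": "Marketing"}, {"Key": "Cost Centre", "Value": "2384234"}]},
    {"InstanceId": "i-f6be9aa0", "InstanceType": "m3.large", "SubnetId": "subnet-e1fd0289",
     "Tags": [{"Key": "Name", "Value": "APAWSIN003"}, {"Key": "Purpose", "Value": "Production"},
              {"Key": "Application", "Value": "SharePoint Farm 03"},
              {"Key": "Business Unit", "Value": "Marketing"}, {"Key": "Cost Centre", "Value": "2384234"}]},
    {"InstanceId": "i-9f50e1c9", "InstanceType": "r3.2xlarge", "SubnetId": "subnet-f9a51991",
     "Tags": [{"Key": "Name", "Value": "APAWSIN005"}, {"Key": "Purpose", "Value": "Production"},
              {"Key": "Application", "Value": "SharePoint Farm 03"},
              {"Key": "Business Unit", "Value": "Finance"}, {"Key": "Cost Centre", "Value": "1177001"}]},
    # Constructed: launched by hand with only a Name, the case charge-back must surface.
    {"InstanceId": "i-d9912f8f", "InstanceType": "c3.medium", "SubnetId": "subnet-f9a51991",
     "Tags": [{"Key": "Name", "Value": "test-box"}]},
]

# Assumed hourly rates for the example only; not AWS pricing.
HOURLY_RATE = {"c3.xlarge": Decimal("0.21"), "m3.large": Decimal("0.14"),
               "r3.2xlarge": Decimal("0.70"), "c3.medium": Decimal("0.10")}


def tags_of(instance):
    """Flatten the Tags list of {Key, Value} pairs into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def inventory(instances, required=REQUIRED_TAGS):
    """Return (rows, untagged): one row per instance, plus ids missing any required tag."""
    rows, untagged = [], {}
    for inst in instances:
        tags = tags_of(inst)
        missing = [key for key in required if key not in tags]
        if missing:
            untagged[inst["InstanceId"]] = missing
        rows.append({"InstanceId": inst["InstanceId"], "InstanceType": inst["InstanceType"],
                     "SubnetId": inst["SubnetId"], **{key: tags.get(key, "") for key in required}})
    return rows, untagged


def allocate_cost(instances, hours, rates=HOURLY_RATE, key="Cost Centre"):
    """Charge each instance's run cost to its cost centre; untagged spend stays visible."""
    totals = defaultdict(Decimal)
    for inst in instances:
        centre = tags_of(inst).get(key, "UNALLOCATED")
        totals[centre] += rates[inst["InstanceType"]] * hours
    return dict(totals)


if __name__ == "__main__":
    rows, untagged = inventory(INSTANCES)
    for row in rows:
        print(row["InstanceId"], row["InstanceType"], row["Cost Centre"] or "-")
    print("missing tags:", untagged)
    print("30-day charge-back:", allocate_cost(INSTANCES, 720))
```

The UNALLOCATED bucket is deliberate: rolling untagged spend into a default cost centre hides exactly the instances that a tagging or permission policy should have caught.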
  56-60. Operations On AWS
     Integrating AWS into your operations
     • Amazon CloudWatch provides real-time insight into your AWS services: integrate your own metrics, create and act on alarms
     • Amazon SNS allows integration with your alerting systems
     • Your current tools still work: install them on EC2 instances
     • Your tools already have AWS API integration
  61-66. Integrating AWS Into Your Service Catalog
     Reusable architectures
     • Every object in AWS can be described through an API
     • Objects can be grouped together and described as templates (diagram: a test environment captured as a CloudFormation template)
     • Templates can be deployed to form stacks
     • Templates are standardized and reusable: infrastructure as code
     • Simple or complex reusable architectures
     • Created and managed by AWS CloudFormation
  67-71. Integrating AWS Into Your Service Catalog
     Templates as catalog items
     • Example: marketing micro site for a 3-month project (diagram: web server, application server, directory server and database server, delivered weeks later the traditional way)
     • Integrate your service catalog with AWS CloudFormation via the API
     • Deploy solutions within minutes, not days or weeks
     • Archive and delete when no longer required
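A catalog item is only as safe as the template behind it, so the catalog should generate or validate templates mechanically rather than accept whatever a project hands in. The block below is an added example and not the deck's own template or any AWS tooling: it builds a CloudFormation template for the marketing micro site (the VPC and subnet CIDRs follow the "first VPC" slide; the tier layout, ports, instance types, tag set and corporate CIDR are assumptions) and then lints it with the three checks a catalog would apply before publishing: only HTTP and HTTPS may be reachable from 0.0.0.0/0, every instance carries the charge-back tags, and every instance is placed in a subnet the template itself defines.

```python
"""Generate the micro-site stack as a CloudFormation template and lint it
before it becomes a catalog item.

Added example, not the deck's own template. Resource names, ports, instance
types and the tag set are assumptions; the CIDRs follow the 'first VPC' slide.
"""
import json

PUBLIC_OK_PORTS = {80, 443}           # the only ports allowed from 0.0.0.0/0
REQUIRED_TAGS = ("Name", "Purpose", "Application", "Cost Centre")


def tag_set(name, project, cost_centre):
    return [{"Key": "Name", "Value": name}, {"Key": "Purpose", "Value": "Production"},
            {"Key": "Application", "Value": project}, {"Key": "Cost Centre", "Value": cost_centre}]


def ingress(proto, port, **source):
    """One SecurityGroupIngress entry; source is CidrIp=... or SourceSecurityGroupId=..."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, **source}


def build_template(project, cost_centre, corp_cidr):
    """Return the template as a dict; json.dumps() of it is the deployable document."""
    def az(index):  # nth Availability Zone of whichever region the stack is created in
        return {"Fn::Select": [str(index), {"Fn::GetAZs": ""}]}

    def subnet(cidr, index):
        return {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "VPC"}, "CidrBlock": cidr, "AvailabilityZone": az(index)}}

    def security_group(description, rules):
        return {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": description, "VpcId": {"Ref": "VPC"}, "SecurityGroupIngress": rules}}

    def instance(name, itype, subnet_name, groups):
        return {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Ref": "ImageId"}, "InstanceType": itype, "SubnetId": {"Ref": subnet_name},
            "SecurityGroupIds": [{"Ref": g} for g in groups], "Tags": tag_set(name, project, cost_centre)}}

    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"{project} micro site",
        "Parameters": {"ImageId": {"Type": "AWS::EC2::Image::Id"}},
        "Resources": {
            "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.100.0.0/16"}},
            "SubnetA": subnet("10.100.0.0/23", 0),
            "SubnetB": subnet("10.100.2.0/23", 1),
            "WebSg": security_group("web tier", [
                ingress("tcp", 80, CidrIp="0.0.0.0/0"),
                ingress("tcp", 443, CidrIp="0.0.0.0/0"),
                ingress("tcp", 22, CidrIp=corp_cidr)]),            # SSH only from the corporate network
            "DbSg": security_group("database tier", [
                ingress("tcp", 1433, SourceSecurityGroupId={"Ref": "WebSg"}),  # only the web tier
                ingress("tcp", 22, CidrIp=corp_cidr)]),
            "WebServer": instance(f"{project}-web", "m3.large", "SubnetA", ["WebSg"]),
            "DatabaseServer": instance(f"{project}-db", "r3.2xlarge", "SubnetB", ["DbSg"]),
        },
    }


def lint(template):
    """Return a list of findings; empty means the template passes the catalog checks."""
    findings = []
    resources = template["Resources"]
    subnets = {name for name, res in resources.items() if res["Type"] == "AWS::EC2::Subnet"}
    for name, res in resources.items():
        props = res["Properties"]
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") != "0.0.0.0/0":
                    continue
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append(f"{name}: {rule['IpProtocol']} {lo}-{hi} open to 0.0.0.0/0")
        elif res["Type"] == "AWS::EC2::Instance":
            present = {tag["Key"] for tag in props.get("Tags", [])}
            findings.extend(f"{name}: missing tag {key}" for key in REQUIRED_TAGS if key not in present)
            if props.get("SubnetId", {}).get("Ref") not in subnets:
                findings.append(f"{name}: SubnetId does not reference a subnet in this template")
    return findings


if __name__ == "__main__":
    template = build_template("Marketing micro site", "2384234", "203.0.113.0/24")  # corp CIDR assumed
    print(lint(template) or "template passes")
    print(json.dumps(template, indent=2)[:300], "...")
```

Because the template is generated from three inputs, the catalog can offer "marketing micro site" as a single item, stamp the cost centre into every resource's tags for the charge-back described earlier, and refuse to publish any hand-edited variant that the lint rejects.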
  72. Your Next Steps
  73-76. Try It!
     • A proof of concept will answer tons of questions
     • Your first VPC: let's add Amazon Redshift (diagram: a corporate data centre with a client; the VPC with a directory server, database server and application server in Availability Zone A, an Alfresco server in Availability Zone B, and Amazon Redshift)
     • Think cloud first for all new deployments
  77. Thank You
