
Expanding your Data Center with a hybrid infrastructure


Angelo Carvalho
Solutions Architect



  1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Expanding your Data Center with a hybrid infrastructure. Angelo Carvalho, Solutions Architect
  2. Agenda
     • Hybrid architectures and distributed workloads, split tiers
     • Layers
       – Data center
       – Network
       – Hypervisors
       – Operating systems
       – Management services (AWS OpsWorks, AWS CodeDeploy)
       – Applications
       – Data
     • Example hybrid architectures
  3. Split tiers
  4. I—Split tiers, AWS front end (diagram labels: AWS region, Web Layer, Private Connection, Your Data Center, Internet, App Layer, Database Layer)
  5. II—Split tiers, on-premises DMZ (diagram labels: AWS region, Private Connection, Internet, Web Layer, App Layer, DB Layer, Your Data Center, Web Layer)
  6. III—Split tiers, one arm (diagram labels: AWS region, Private Connection, Internet, App Layer, Web Layer, DB Layer, Web Layer, Your Data Center, App Layer)
  7. Layers
  8. Layers, legacy DC vs. AWS (diagram, read top to bottom)
     • Data: store, replicate, archive
     • Applications: burst, scale, 86
     • Management Services: management services
     • Operating Systems: operating systems
     • Hypervisors: Amazon EC2
     • Network: VPC, Direct Connect
     • Data Center: corporate data centers (legacy) / Availability Zones, Regions (AWS)
  9. Data center layer
  10. 101—Data center expansion, dynamic bursting (diagram: AWS Cloud, Legacy DC)
  11. 101—Data center HA, disaster recovery (diagram: AWS Cloud, Legacy DC)
  12. 101—Data center compliance/security (diagram: AWS Cloud, Legacy DC)
  13. 301—Data center layer
      • An AWS region is more than a data center
      • Availability Zone is a different construct
      • Distance determines expansion vs. a new data center
        – Maximum distance for data center expansion
        – Minimum requirements for an independent data center
        – How to measure latency for data center interconnects
      • Security and operations mismatch in design
  14. Network layer
  15. 101—Network layer interconnect
      • Routing selection priority—Static, Direct Connect, VPN
      • Overlapping routes only via propagated routes
      • Use BGP with VPN configuration for faster failover
      • If Direct Connect fails, VPN backup for Private VI
      • If Direct Connect fails, Internet backup for Public VI
      (diagram labels: Customer Router, Customer Internal Network, Direct Connect Router, EC2 Instances, Internet, Customer Gateway, VPN connection, Amazon S3, Public Traffic, Private Traffic, AWS Region)
  16. 201—Private and public interconnects (diagram: Customer Router and Direct Connect Router carry VLAN X, VLAN Y, VLAN Z … VLAN N to virtual private cloud 1, virtual private cloud 2 … virtual private cloud N and to the Region's public endpoints; each interface can be associated with a different AWS account (Hosted Virtual Interfaces))
  17. 201—Redundancy in AWS Direct Connect connections
      • Active/Active links via BGP multi-pathing
      • Active/Passive also an option
      • AWS ensures different router if same facility
      • Can use different facilities and carriers
      • Customer can affect return path selection
        – AS-PATH prepend, but not on public
        – More specific route
      (diagram labels: Customer Routers, Customer Internal Network, Direct Connect Routers, Direct Connect Location(s), AWS Region, Amazon S3, EC2 Instances, Public Traffic, Private Traffic; announcements shown: 10.10.0.0/16 with AS path 65500, 10.10.0.0/16 with AS path 65500 65500, 10.10.9.0/24 with AS path 65500 65500)
  18. Multiple VPCs over AWS Direct Connect (Customer Switch + Router; one Private Virtual Interface per VPC)
      • VPC 1, 10.1.0.0/16, VGW 1. Private Virtual Interface 1: VLAN tag 101, BGP ASN 7224, BGP announce 10.1.0.0/16, interface IP 169.254.251.5/30. Customer interface 0/1.101: VLAN tag 101, BGP ASN 65001, BGP announce 10.0.0.0/8, interface IP 169.254.251.6/30
      • VPC 2, 10.2.0.0/16, VGW 2. Private Virtual Interface 2: VLAN tag 102, BGP ASN 7224, BGP announce 10.2.0.0/16, interface IP 169.254.251.9/30. Customer interface 0/1.102: VLAN tag 102, BGP ASN 65002, BGP announce 10.0.0.0/8, interface IP 169.254.251.10/30
      • VPC 3, 10.3.0.0/16, VGW 3. Private Virtual Interface 3: VLAN tag 103, BGP ASN 7224, BGP announce 10.3.0.0/16, interface IP 169.254.251.13/30. Customer interface 0/1.103: VLAN tag 103, BGP ASN 65003, BGP announce 10.0.0.0/8, interface IP 169.254.251.14/30
      • Route table (Customer Internal Network): destination 10.1.0.0/16, target PVI 1; 10.2.0.0/16, PVI 2; 10.3.0.0/16, PVI 3
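An added consistency check over the per-VIF values on this slide (example code added here, not from the deck): it verifies that each link's two interface IPs share one /30, that VLAN tags are not reused, that the customer and AWS-side ASNs differ, and that the VPC prefixes learned over different VIFs do not overlap. It assumes only the values shown on the slide.

```python
from ipaddress import ip_interface, ip_network

# Constructed from the values on the slide: one private virtual interface
# (PVI) per VPC, each on its own VLAN tag with its own /30 link subnet.
VIFS = [
    {"pvi": 1, "vlan": 101, "aws_asn": 7224, "aws_ip": "169.254.251.5/30",
     "vpc_cidr": "10.1.0.0/16", "customer_asn": 65001,
     "customer_ip": "169.254.251.6/30", "customer_announce": "10.0.0.0/8"},
    {"pvi": 2, "vlan": 102, "aws_asn": 7224, "aws_ip": "169.254.251.9/30",
     "vpc_cidr": "10.2.0.0/16", "customer_asn": 65002,
     "customer_ip": "169.254.251.10/30", "customer_announce": "10.0.0.0/8"},
    {"pvi": 3, "vlan": 103, "aws_asn": 7224, "aws_ip": "169.254.251.13/30",
     "vpc_cidr": "10.3.0.0/16", "customer_asn": 65003,
     "customer_ip": "169.254.251.14/30", "customer_announce": "10.0.0.0/8"},
]

def validate_vifs(vifs):
    """Return a list of problems; an empty list means the set is consistent."""
    problems, seen_vlans, seen_cidrs = [], set(), []
    for v in vifs:
        aws, cust = ip_interface(v["aws_ip"]), ip_interface(v["customer_ip"])
        # Both ends of a point-to-point VIF must sit in the same /30.
        if aws.network.prefixlen != 30 or aws.network != cust.network:
            problems.append(f"PVI {v['pvi']}: {aws} and {cust} are not one /30")
        # eBGP: the customer ASN must differ from the AWS-side ASN.
        if v["customer_asn"] == v["aws_asn"]:
            problems.append(f"PVI {v['pvi']}: customer ASN equals AWS ASN")
        # Each VIF needs its own 802.1Q tag on the shared physical connection.
        if v["vlan"] in seen_vlans:
            problems.append(f"PVI {v['pvi']}: VLAN tag {v['vlan']} reused")
        seen_vlans.add(v["vlan"])
        # VPC prefixes learned over different VIFs must not overlap, or the
        # customer router cannot map one prefix to one PVI (cf. slide 15).
        vpc = ip_network(v["vpc_cidr"])
        for other in seen_cidrs:
            if vpc.overlaps(other):
                problems.append(f"PVI {v['pvi']}: {vpc} overlaps {other}")
        seen_cidrs.append(vpc)
    return problems

def customer_route_table(vifs):
    """Customer-side static routes from the slide: each VPC CIDR -> its PVI."""
    return {v["vpc_cidr"]: f"PVI {v['pvi']}" for v in vifs}
```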
  19. 301—Direct Connect interregion (diagram: Direct Connect at Equinix, San Jose; us-west-1, us-west-2, us-east-1; AWS Private Network; VPN to VGW; Public Traffic, Private Traffic)
      In the US, with a public VIF, use the AWS network to:
      • Access public resources in remote US regions
      • VPN to a remote US region and emulate a private VIF
      • Public VIF + VPN is a common AWS GovCloud (US) scenario
  20. 301—Direct Connect interregion (diagram: Direct Connect at Equinix, San Jose and at Equinix, Ashburn; us-west-1, us-west-2, us-east-1; Customer internal network; Office; Public Traffic, Private Traffic)
      Company establishes Direct Connect to us-west-1 and us-east-1. Which path should be taken to an S3 resource in us-west-2?
      • Customer is responsible for their internal routing behaviors
      • AWS provides OOB information on region address blocks
      • Use BGP Local Pref, for example, for outbound routing
      • Use specific routes for inbound routing, avoid asymmetry
      • Use BFD for faster routing recovery on link failure
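To make the return-path choice on slide 17 (AS-PATH prepend versus a more specific route) and the outbound choice on slide 20 (BGP Local Pref) concrete, here is an added example, not from the deck, that applies the longest-prefix, LOCAL_PREF and AS_PATH-length comparison to a constructed routing table. The link names, the 203.0.113.0/24 stand-in for an AWS public block and the use of 7224 as the AWS-side ASN are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    prefix: str            # announced CIDR
    via: str               # link / virtual interface the route was learned on
    as_path: list          # AS numbers as received, leftmost first
    local_pref: int = 100  # BGP LOCAL_PREF, set by the receiving AS's own policy

def best_path(rib, dst):
    """Pick the route a router uses for dst, in the order the slides rely on:
    longest prefix match, then highest LOCAL_PREF (outbound policy you set),
    then shortest AS_PATH (what prepending influences). None if no match."""
    addr = ip_address(dst)
    candidates = [r for r in rib if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen,
                                           r.local_pref, -len(r.as_path)))

# Constructed return-path view (AWS side) modelled on slide 17: the customer
# (AS 65500) announces 10.10.0.0/16 on both links, prepends on link B, and
# announces the more specific 10.10.9.0/24 on link B only.
RETURN_RIB = [
    Route("10.10.0.0/16", "dx-link-A", [65500]),
    Route("10.10.0.0/16", "dx-link-B", [65500, 65500]),
    Route("10.10.9.0/24", "dx-link-B", [65500, 65500]),
]

# Constructed outbound view from the customer router in slide 20: the same
# (placeholder) AWS public block is learned at both Direct Connect locations
# with equal AS paths, and the customer raises LOCAL_PREF on the San Jose link.
AWS_PUBLIC_BLOCK = "203.0.113.0/24"  # documentation prefix, not a real AWS range
OUTBOUND_RIB = [
    Route(AWS_PUBLIC_BLOCK, "dx-san-jose", [7224], local_pref=200),
    Route(AWS_PUBLIC_BLOCK, "dx-ashburn", [7224]),
]

if __name__ == "__main__":
    for rib, dst in ((RETURN_RIB, "10.10.9.7"), (RETURN_RIB, "10.10.1.1"),
                     (OUTBOUND_RIB, "203.0.113.10")):
        print(dst, "->", best_path(rib, dst).via)
```

The /24 wins for 10.10.9.7 even though that link is prepended, which is why the slide pairs prepending with a specific route when it wants to steer inbound traffic without asymmetry.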
  21. 301—Global multi-region Direct Connect (diagram: US customer data center, EU customer data center and AP customer data center on a Customer IPVPN MPLS backbone; Direct Connect PoP Virginia or NYC to the us-east-1 region; Direct Connect PoP Ireland or London to the eu-west-1 region; Direct Connect PoP Singapore to the ap-southeast-1 region; Public Traffic, Private Traffic)
  22. Hypervisor layer
  23. 101—Bidirectional gold image replication (diagram: AWS Cloud EC2 AMIs and Legacy DC VM Images)
  24. vCenter image migration (components: Your Data Center, vSphere Client, AWS Management Portal for vCenter, EC2, AWS Connector, VM Import, vCenter Server, Federation Proxy)
      1. The vSphere client authorizes import to the environment.
      2. The management portal verifies that the user has permission to migrate VMs to the environment and returns a token.
      3. The vSphere client sends an import request to the connector along with the token.
      4. The connector verifies the token.
      5. The connector verifies that the user has permission to export the VM.
      6. The connector starts the migration.
      7. The connector sends a response to the vSphere client with the import task ID.
  25. 301—Hybrid considerations
      Importing VMs
      • HVM only with 64-bit (Linux PVHVM drivers are supported within imported instances)
      • BYOL for RHEL
      • The expanded image cannot exceed 1 TiB
      • Make sure your VM only uses a single disk
      • Virtual Hard Disk (VHD) images must be dynamic
      • Single ENI
      • VM Import does not install the single root I/O virtualization (SR-IOV)
      • Known limitations for exporting a VM from Amazon EC2
      Exporting VMs
      • Amazon Elastic Block Store (Amazon EBS) data volumes
      • Make sure your instance only uses a single disk
      • Single ENI
      • You cannot export an instance that you did not import
  26. Management services layer
  27. 101—AWS Directory Service
      • Deploys in two modes
        – Directory Service Connect
        – Simple AD—built on Samba 4 Active Directory compatible server
      • Simplifies AWS IAM federation
        – Avoids complexity and cost of hosting SAML-based federation infrastructure
        – Acts as a proxy—no data is stored on AWS infrastructure
        – Supports existing RADIUS-based MFA
      • Requires IPsec VPN or Direct Connect connectivity
      (diagram: AWS Directory Service Connect; Corporate data center with Users, AD.Domain Servers and Domain controller; Virtual Gateway; two VPC subnets in separate Availability Zones, each with a Security group)
  28. Bring your own Active Directory
      • Domain controllers launched in internal VPC
      • Internal VPC instances join domain upon launch
      • Instances use Dynamic DNS to register both A and PTR records
      • Domain controller replicates with corporate AD servers
      • VPC DNS forwarding to corporate DNS
      (diagram: AWS region with Public Facing Web App, Internal Corporate App and Domain Controller + DNS; VPN Connection to the Corporate Data Center with corp.example.com AD Controller and example.com DNS; flows: AD Replication, Domain Join + DNS Queries, DNS Forward Requests; new instance: friendly-vpc-123.corp.example.com)
  29. 101—Identity federation
      Customer (Identity Provider): User, Application, Active Directory, Federation Proxy. AWS Cloud (Relying Party): AWS Resources such as an Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2.
      Flow: 1 Request Session; 3 Get Federation Token Request; 5 Get Federation Token Response (Access Key, Secret Key, Session Token); 6 Receive Session; 7 Call AWS APIs
      Federation Proxy
      • Uses a set of IAM user credentials to make a GetFederationTokenRequest()
      • IAM user permissions need to be the union of all federated user permissions
      • Proxy needs to securely store these privileged credentials
  30. Resource tracking and cost allocation: tag and describe your infrastructure
      • Describe every AWS object through an API call
      • Resources in AWS can have custom tags
      • Custom tags can be used to control permissions and allocate costs, enabling charge-back of services usage
      • Dynamically generate a full inventory
      • Visualize your AWS infrastructure in real time
      Example tags: Name: APAWSIN001; Purpose: Production; Application: SharePoint Farm 03; Business Unit: Marketing; Cost Centre: 2384234
  31. 101—Operations and security integration
      • Security monitoring integration points with AWS CloudTrail and SIEM Aggregator
      • Logging with CloudTrail and SNMP MIBs to SIEM Aggregator
      • Platform and app health to SIEM Aggregator via agent on EC2 guest
      • Amazon CloudWatch Logs provide scalable low cost log aggregation
      • Access to patching and updates for AMI by on-premises update server
      (diagram: two VPC subnets in separate Availability Zones, each with a Security group; Virtual Gateway; Corporate data center with Users, Data center router, Update Servers and SIEM Aggregator; Connectivity; CloudTrail; CloudWatch)
  32. Operations on AWS: integrating AWS into your operations
      • Amazon CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
      • Amazon SNS allows integration with your alerting systems
      • Your current tools still work—install on EC2 instance
      • Your tools already have AWS API integration
      • Established processes don't get thrown away
  33. Automation with AWS OpsWorks
  34. 101—AWS OpsWorks
  35. 101—Integration points with AWS
      • Amazon RDS
      • Elastic Load Balancing
      • Amazon CloudWatch
      • AWS CloudFormation
      • AWS CloudTrail
      • AWS IAM
      • HAProxy
      • Ruby, Node.js, Java, PHP, Static Web
      • Ganglia
      • Memcached
      • MySQL
  36. 201—It works on AWS and on legacy infrastructure
  37. 201—On-premises availability
      • Launched on December 8, 2014
      • 2 cents an hour—includes 14 one-minute host-level metrics on CloudWatch
  38. Some customer challenges
      • Automating deployments
      • Eliminating manual operations
      • Minimizing deployment downtime
      • Scaling deployments as infrastructure grows
  39. 201—Scale out/move: prepare for large events that exceed your own data center capacity in terms of infrastructure or bandwidth. (diagram: On premises, AWS, DB read, DB write)
  40. 201—Move test and dev to AWS: ease the load in your existing data center by moving environments to AWS OpsWorks. Provide in minutes as many controlled and secure stacks for test and development to your QA teams or developers. (diagram: prod, test, staging, dev1, dev2)
  41. 301—What you didn't know
      • You can override any part of a cookbook and you win
      • Proxy support—you are one step closer to legacy infrastructure
      • Docker integration
      • Vagrant support
      • Use Packer
      • Besides on-premises, you can start using OpsWorks with your current EC2 instances through EC2 import. It enables features like script execution on EC2 and gives you 14 1-minute CloudWatch metrics.
      • Ansible?
      • Faster boot time with GP2
      • Instance profiles
  42. 101—AWS CodeDeploy
      • Automated application deployments to EC2, and soon to any Internet-connected computer
      • Consistent and reliable releases, without downtime
      • Works on AWS
      • Works on legacy
  43. 301—What you didn't know
      • Based on Apollo, used by Amazon for on-premises and cloud deployments for over a decade
      • Apollo performed 50 million deployments in a 12 month period
      • Does AZ striping when deploying across multiple AZs to maximize redundancy
      • Starts deployments with instances in a stale or broken state to maximize fleet health
  44. Data layer
  45. 101—Data redundancy
      • Backup gateways integrated with Amazon S3
      • Leverage Amazon S3 archival to Amazon Glacier
      • Take advantage of current investments and solutions for options like
        – De-duplication
        – Compression
        – WAN acceleration
      (diagram: Corporate data center with Application server, Virtual server, File server, Database server, Backup system and VTL; AWS Storage Gateway over iSCSI; Amazon S3; Amazon Glacier)
  46. 101—Data expansion
      • Virtual volumes presented to local network: iSCSI, NFS and CIFS volumes
      • Local disk cache to provide fast on-premises access
      • Gateway side encryption for security
      (diagram: Corporate data center with Application server, Virtual server, File server, Database server and Storage appliance; AWS Storage Gateway over iSCSI to Amazon S3; AWS Marketplace Partners: Cloud ONTAP, Secure Cloud-Integrated Backup, Panzura Global NAS)
  47. Hybrid architecture examples
  48. Kellogg's—SAP HANA hybrid deployment
  49. Q & A
  50. Thank you!
