In this webinar, learn how you evaluate, design, build, and manage distributed applications over hybrid infrastructures using Amazon Web Services. This webinar follows the evolution of a simple legacy data center expansion with basic connectivity into managing complex hybrid applications. Along the way, we investigate best practice designs in use by AWS customers. Topics covered include: interconnectivity, availability, security, hybrid networks with Amazon VPC and AWS Direct Connect as well as how AWS makes it easy to automate provisioning. Learning Objectives: • Learn how to evaluate, design, build, and manage distributed applications over hybrid infrastructures using AWS. • Understand hybrid architecture topology and points of integration with AWS. • See example architectures and hear best practices from successful hybrid implementations Who Should Attend: • Network managers, Infrastructure architects, Application owners

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Yinal Ozkan, Tech Leader, Financial Services
6/17/2015
Deep Dive
Hybrid Architectures

2. Why we are here
In this webinar, you learn how to evaluate, design, build, and
manage distributed applications over hybrid infrastructures using
Amazon Web Services.
This session follows the evolution of a simple legacy data center
expansion with basic connectivity into managing complex hybrid
applications.
Along the way, we investigate best practice designs in use by
AWS customers. Topics covered include: interconnectivity,
availability, security, hybrid networks with Amazon VPC and
AWS Direct Connect as well as automated provisioning with
AWS CloudFormation, and configuration management with AWS
OpsWorks.

3. Agenda
Hybrid architectures and distributed workloads, split tiers
Layers
• Data center
• Network
• Hypervisors
• Operating systems
• Management services
• AWS OpsWorks
• AWS CodeDeploy
• Applications
• Data
Example hybrid architectures

4. Hybrid architecture perception
"...The brand to watch is Tesla Motors, which jumped from 47 points
last year, to fifth position and 88 points this year. Tesla had a strong,
very public year, with soaring stock prices, magazine awards, sterling
crash-test performance, and even claiming the spot as the top-rated
car by Consumer Reports. Innovation, performance, and sleek styling
is clearly gaining attention and making a positive impression. By
accumulating points in several categories, Tesla was able to raise its
overall score. This highlights the value of being good at multiple things,
rather than relying on a single facet..."
Consumer Reports 2014 Car-Brand Perception Survey
http://www.consumerreports.org/cro/2014/02/2014-car-brand-perception-survey/index.htm

5. Split tiers

6. I – Split tiers, AWS front end
AWS region
Web
Layer
Private
Connection
Your Data Center
Internet
App
Layer
Database
Layer

7. II – Split tiers, on-premises DMZ
AWS region
Private
Connection
Internet
Web
Layer
App
Layer
DB
Layer
Your Data Center
Web
Layer

8. III – Split tiers, one arm
AWS region
Private
Connection
Internet
App
Layer
Web
Layer
DB
Layer
Web
Layer
Your Data Center
App
Layer

9. Layers

10. Data
Applications
Management Services
Operating Systems
Hypervisors
Network
Data Center
LEGACY
DC
AWS
Corporate Data
Centers
Layers
Store, Replicate, Archive
Burst, Scale, 86
Management Services
Operating Systems
EC2
VPC, Direct Connect
Availability Zones, Regions

11. Data Center Layer

12. 101 – Data center expansion, dynamic bursting
AWS Cloud
Legacy DC

13. 101 – Data center HA, disaster recovery
AWS Cloud
Legacy DC

14. 101 – Data center compliance / security
AWS Cloud
Legacy DC

15. 301 – Data center layer
An AWS region is more than a data center
Availability Zone is a different construct
Distance determines expansion vs a new data center
• Maximum distance for data center expansion
• Minimum requirements for an independent data center
• How to measure latency for data center interconnects
Security & operations mismatch in design

16. Network layer

17. 101 – Network layer interconnect
Customer Router
Customer Internal
Network
Direct Connect
Router
• Routing selection priority – Static, Direct Connect, VPN
• Overlapping routes only via propagated routes
• Use BGP with VPN configuration for faster failover
• If Direct Connect fails, VPN backup for Private VI
• If Direct Connect fails, Internet backup for Public VI
EC2
Instances
Internet
Customer
Gateway
VPN
connection
Amazon S3
Public Traffic
Private Traffic
AWS Region

18. Customer Routers
Customer Internal
Network
Direct Connect
Routers
• Active / Active links via BGP multi-pathing
• Active / Passive also an option
• AWS ensures different router if same facility
• Can use different facilities and carriers
• Customer can affect return path selection
• AS-PATH prepend, but not on public
• More-specific route
Direct Connect Location(s)
AWS Region
Amazon S3
EC2
Instances
10.10.0.0/16 65500
10.10.0.0/16 65500 6550010.10.9.0/24 65500 65500
201 – Redundancy in AWS Direct Connect connections
Public Traffic
Private Traffic

19. Direct Connect
Equinix, Sxxan Jose
us-west-1
us-west-2
us-east-1
AWS Private Network
VPN to VGW
In the US, with a public VIF, use AWS’s network to:
• Access public resources in remote US regions
• VPN to a remote US region and emulate a private VIF
• Public VIF + VPN is a common AWS GovCloud (US) scenario
Public Traffic
Private Traffic
301 – Direct Connect interregion

20. Direct Connect
Equinix, San Jose
us-west-1
us-west-2
us-east-1
Company establishes Direct Connect to us-west-1 and us-east-1.
Which path should be taken to an S3 resource in us-west-2?
Direct Connect
Equinix, Ashburn
Customer internal
network
Office
• Customer is responsible for their internal routing behaviors
• AWS provides OOB information on region address blocks
• Use BGP Local Pref, for example, for outbound routing
• Use specific routes for inbound routing, avoid asymmetry
• Use BFD for faster routing recovery on link failure
Public Traffic
Private Traffic
301 – Direct Connect interregion

21. Hypervisor layer

22. 101- Bidirectional gold image replication
AWS CloudLegacy DC
EC2 AMIs
VM Images

23. vCenter image migration
1. The vSphere client authorizes import
to the environment.
2. The management portal verifies that
the user has permission to migrate
VMs to the environment and returns
a token.
3. The vSphere client sends an import
request to the connector along with
the token.
4. The connector verifies the token.
5. The connector verifies that the user
has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to
the vSphere client with the import
task ID.
Your Data Center
vSphere Client
AWS Management
Portal for vCenter
EC2
AWS Connector
VM Import
vCenter
Server
Federation
Proxy
1
2
3
4
5 6
7

24. 301 – Hybrid considerations
Importing VMs
HVM Only with 64-bit (Linux PVHVM drivers are supported within imported instances)
BYOL for RHEL
The expanded image cannot exceed 1 TiB
Make sure your VM only uses a single disk
Virtual Hard Disk (VHD) images must be dynamic
Single ENI
VM Import does not install the single root I/O virtualization (SR-IOV)
Known limitations for exporting a VM from Amazon EC2
Exporting VMs
Amazon Elastic Block Store (Amazon EBS) data volumes
Make sure your instance only uses a single disk
Single ENI
You cannot export an instance that you did not import

25. Management services layers

26. o Deploys in two modes
 Directory Service connect
 Simple AD - built on Samba 4
Active Directory compatible server
o Simplifies IAM Federation
 Avoids complexity and cost of
hosting SAML-based federation
infrastructure
 Acts as a proxy - no data is stored
on AWS infrastructure
 Supports existing RADIUS-based
MFA
 Requires IPSec VPN or Direct
Connect connectivity
AWS Directory Service
Connect
Corporate
data center
Users
AD.Domain
Servers
Domain
controller
VPC subnet
Availability Zone
Security group
Virtual
Gateway
VPC subnet
Availability Zone
Security group
101 – AWS Directory Service

27. AWS
region
• Domain controllers launched in
internal VPC
• Internal VPC instances join
domain upon launch
• Instances use Dynamic DNS to
register both A and PTR records
• Domain controller replicates
with corporate AD servers
• VPC DNS forwarding to
corporate DNS
Bring your own Active Directory
Public Facing
Web App
Internal
Corporate
App
VPN
Connection
Corporate Data center
corp.example.com
AD Controller
Domain
Controller
+ DNS
example.com
DNS
AD
Replication
Domain Join +
DNS Queries
DNS
Forward
Requests
New Instance:
friendly-vpc-123.corp.example.com

28. 101 – Identity federation
Customer (Identity Provider) AWS Cloud (Relying Party)
AWS Resources
User
Application
Active
Directory
Federation Proxy
4
Get Federation
Token Request
3
2
Amazon S3
Bucket
with Objects
Amazon
DynamoDB
Amazon
EC2
Request
Session 1
Receive
Session6
5
Get Federation Token
Response
• Access Key
• Secret Key
• Session Token
APP
Federation
Proxy
• Uses a set of IAM user credentials to
make a GetFederationTokenRequest()
• IAM user permissions need to be the
union of all federated user permissions
• Proxy needs to securely store these
privileged credentials
Call AWS APIs7

29. Resource tracking and cost allocation
Tag and describe your infrastructure
• Describe every AWS object through an API call
• Resources in AWS can have custom tags
• Custom tags can be used to control permissions, and
• Allocate Costs, enabling charge back of services usage
• Dynamically generate a full inventory
• Visualize your AWS infrastructure in real-time
Name: APAWSIN001
Purpose: Production
Application: SharePoint Farm
03
Business Unit: Marketing
Cost Centre: 2384234

30. o Security monitoring integration
points with with CloudTrail and
SIEM Aggregator
o Logging with CloudTrail and
SNMP MIBs to SIEM
Aggregator
o Platform and app health to
SIEM Aggregator via agent on
EC2 guest
o Cloudwatch Logs provide
scalable low cost log
aggregation
o Access to patching and
updates for AMI by on-
premises update server
VPC subnet
Availability Zone
Security group
VPC subnet
Availability Zone
Security group
Virtual
Gateway
Corporate
data center
Users
Data center router
Update
Servers
Connectivity
CloudTrail
CloudWatch
SIEM
Aggregator
101 – Operations and security integration

31. Operations on AWS
Integrating AWS into your operations
• AWS CloudWatch provides real-time insight into your AWS
services, integrate your own metrics, create and act on alarms
• Amazon SNS allows integration with your alerting systems
• Your current tools still work – install on EC2 instance
• Your tools already have AWS API integration
• Established processes don’t get thrown away

32. Automation with AWS
OpsWorks

33. 101 – AWS OpsWorks

34. 101 – Integration points with AWS
Amazon RDS
Elastic Load Balancing
Amazon CloudWatch
AWS CloudFormation
AWS CloudTrail
AWS IAM
HAProxy
Ruby, Node.js, Java, PHP,
Static Web
Ganglia
Memcached
MySQL

35. 201 –
It works on AWS and on
legacy infrastructure

36. 201 – On-premises availability
Launched on December 8th 2014
2 cents an hour – includes 14 one-minute
Host-level metrics on CloudWatch

37. Some Customer Challenges
Automating deployments
Eliminating manual operations
Minimizing deployment downtime
Scaling deployments as infrastructure grows

38. 201 – Scale out / move
Prepare for large events
that exceed your own data
center capacity in terms of
infrastructure or bandwidth.
On premises
AWS
DB read
DB write

39. Ease the load in your
existing data center by
moving environments to
AWS OpsWorks.
Provide in minutes as many
controlled and secure
stacks for test and
development to your QA
teams or developers.
201 – Move test and dev to AWS
prod teststaging
dev1 dev2

40. 301 – What you didn’t know
• You can override any part of a cookbook and you win
• Proxy Support – you are one step closer to legacy infrastructure
• Docker integration
• Vagrant support
• Use Packer
• Besides on-premises, you can start using OpsWorks with your current
EC2 instances through EC2 import. It enables features like script
execution on EC2 and gives you 14 1-min CloudWatch metrics
• Ansible?
• Faster boot time with GP2
• Instance profiles

41. Automation with AWS
CodeDeploy

42. 101 – AWS CodeDeploy
• Automated application deployments to EC2,
and soon to any Internet-connected computer
• Consistent and reliable releases, without downtime
• Works on AWS
• Works on legacy

43. Benefits
Automates
deployments
Minimize
downtime
Centralized
control
East to Adopt

44. Automated Deployments
Deploy any application and
reuse existing setup code
Consistently deploy applications across
development, testing, and production
environments
Integrates with Auto Scaling
Scales with your infrastructure; deploy
to one EC2 instance or thousands

45. Minimize Downtime
Performs rolling updates across
EC2 instances
Track application deployment health
Deployments can be stopped and
rolled back

46. Centralized Control
Launch, control, and monitor deployments
from the AWS Management Console, CLI,
SDKs, and APIs
Organize your staging or production
environments into Deployment Groups
Track and view deployment history
Inspect change history and success rates

47. Easy to Adopt
Deploy any application and reuse
existing setup code
Integrate with your existing software
delivery toolchain
Use pre-built integrations from AWS
partners

48. 101 – How does CodeDeploy work?
Agent Agent
Agent Agent
Agent
Agent
Deployment Group
Deployment
Amazon S3
GitHub
Application
Bundle

49. 101 – How does CodeDeploy work?
Rolling updates
v2
v1
Auto Scaling support
v2
v2
v2
Customized install
files:
- source: /web_files/
destination: /var/www/html/
hooks:
BeforeInstall:
- location: setup/install_dep.sh
ApplicationStart:
- location: setup/start_server.sh
- location: setup/start_logger.sh
ApplicationStop:
- location: setup/stop_server.sh
- location: setup/flush_logs.sh

50. 201 – How does CodeDeploy work?
• Pulls tail of logs on deployment failures to centralize
error information
• Configurable rolling update speed
• Reuse configuration management cookbooks or other
existing setup tools

51. 201 – CodeDeploy facts
Fully managed service
Centralized visibility and control
Easy to integrate with any type of app
Reuse existing scripts and tools
Bash, PowerShell, Chef, Puppet, anything…
Integrate with developer toolchain
GitHub, Jenkins, CloudBees, TravisCI, Eclipse…

52. 301 – What you didn’t know
• Based on Apollo, used by Amazon for on-premises and
cloud deployments for over a decade
• Apollo performed 50 million deployments in a 12 month
period
• Does AZ striping when deploying across multiple AZs to
maximize redundancy
• Starts deployments with instances in a stale or broken
state to maximize fleet health

53. Data layer

54. o Backup gateways integrated with
Amazon S3
o Leverage Amazon S3 archival to
Amazon Glacier
o Take advantage of current
investments and solutions for
options like
o De-duplication
o Compression
o WAN acceleration
Corporate
data center
Amazon Simple
Storage Service
Amazon Glacier
Application
server
Virtual
server
File
server
Database
server
Backup
system
AWS Storage
Gateway
iSCSI
101 – Data redundancy

55. o Virtual volumes presented to local
network iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-
premises access
o Gateway side encryption for security
Corporate
data center
Amazon Simple
Storage Service
Application
server
Virtual
server
File
server
Database
server
Storage
appliance
AWS Storage
Gateway
iSCSI
Cloud ONTAP Secure Cloud-
Integrated Backup
Panzura Global NAS
AWS Marketplace Partners
101 – Data expansion

56. Hybrid architecture examples

57. Kellogs – SAP HANA hybrid deployment
Corporate Data Center
Amazon Virtual Private Cloud (VPC)
Availability Zone
VPC Subnet
BW ABAP 7.31 / NW JAVA 7.40
BW BI-JAVA
DEV QA
2 X 244 GB nodes 2 X 244 GB nodes
BW BI-JAVA
Internet
SAP OSS
BA
C
A = Virtual Private Gateway
B = Customer Gateway
C = VPN Connection
UAT / DR PRD
BW BI-JAVA BW BI-JAVA
Web Disp
Web Disp
HANA
5 X 0.5 TB nodes 5 X 0.5 TB nodes
SAP
HANA
SAP
HANA
SAP
HANA
SAP
HANA

58. Auth0 – Running in multiple cloud providers

59. Architecture of a financial services grid computing

60. Q & A

61. Thank you!
yinal@amazon.com