Hybrid IT Approach and Technologies with the AWS Cloud

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Craig Roach, Solutions Architect, Amazon Web Services
Hugh Evans, System Architect, Australian Medical Council
Hybrid IT Approach and
Technologies with the AWS Cloud

Session agenda
• Why make the hybrid journey to AWS?
• Implementing Hybrid Operations
• Common Hybrid Application Patterns
• Use Case: Australian Medical Council

Why make the hybrid IT journey ?
Agility

Agility
Cost
savings

Agility
Cost
savings
Elasticity

Agility
Cost
savings
Elasticity
Service
depth &
breadth

TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Solutions
Architects
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
AWS
MARKETPLACE
Backup
Big Data
& HPC
Business
Apps
Databases
Development
Industry
Solutions
Security
MANAGEMENT
TOOLS
Queuing
Notifications
Search
Orchestration
Email
ENTERPRISE
APPS
Virtual
Desktops
Storage
Gateway
Sharing &
Collaboration
Email &
Calendaring
Directories
HYBRID CLOUD
MANAGEMENT
Backups
Deployment
Direct
Connect
Identity
Federation
Integrated
Management
SECURITY &
MANAGEMENT
Virtual Private
Networks
Identity &
Access
Encryption
Keys
Configuration Monitoring Dedicated
INFRASTRUCTURE
SERVICES
Regions
Availability
Zones
Compute
Storage
(object,
block)
Databases
SQL, NoSQL,
Caching
CDNNetworking
PLATFORM
SERVICES
APP
Mobile
& Web
Front-end
Functions
Identity
Data Store
Real-time
DEVELOPMENT
Containers
Source
Code
Build
Tools
Deployment
DevOps
MOBILE
Sync
Identity
Push
Notifications
Mobile
Analytics
Mobile
Backend
ANALYTICS
Data
Warehousing
Hadoop
Streaming
Data
Pipelines
Machine
Learning

* As of 1 June 2016
2009
48
280
722
82
2011 2013 2015
AWS has been continually expanding its’ services to support virtually any cloud workload
and now has more than 70 services that range from compute, storage, networking,
database, analytics, application services, deployment, management and mobile. AWS
has launched a total of 368 new features and/or services year to date* - for a total of
2,263new features and/or services since inception in 2006.
AWS Pace of Innovation

Agility
Cost
savings
Elasticity
Service
depth &
breadth
Security

Access a deep set of cloud security tools
Encryption
AWS KMS AWS CloudHSM Server-side
encryption
Networking
Amazon VPC AWS WAF
Compliance
AWS ConfigAWS CloudTrailAWS Service
Catalog
Identity
AWS IAM Active
Directory
integration
SAML-based
federation

Agility
Cost
savings
Elasticity
Service
depth &
breadth
Security
Compliance

Broad accreditations and certifications

• Secure, flexible networking between
cloud and on-premises
• Secure, federated access
management
• Management tools for hybrid
environments
• Integrated monitoring tools
HYBRID OPS - REQUIREMENTS

Secure, flexible networking
OPS | NETWORKING
Amazon Virtual Private Cloud
• Create a software-defined network as a
seamless extension of your on-premises
network including private and public
subnets (RFC1918), routing, firewall
policies and NAT
• Connect VPCs together using peering
• Implement network isolation at any level,
e.g. App environment, tier, business unit,
team, application / project and data
classification

Secure, flexible connectivity
OPS | NETWORKING
AWS Direct Connect (DX)
• Extend your data center network to the
AWS cloud using a leased-line/circuit
• Secure, consistent performance on a
private network - avoid internet traversal
• Lower data transfer costs (vs VPN)
• 1 Mbps to multiple 10 Gbps
• Simpler management of multi-VPC
environments
Option:
IPSEC VPNs can be used for POCs and
small deployments.

DX and VPN Implementation Standards
OPS | NETWORKING
• Dedicated port DXs (1 & 10 Gbps) use 802.1q VLANs to slice
the layer-1 single-mode fibre into multiple virtual interfaces,
each attached to a different VPC.
• DX uses BGP to dynamically advertise VPC subnet routes to
your on-premises network, and to advertise your on-premises
subnets to the VPC.
• VPNs use IPSEC tunnel mode with AES-256 (also 128), IKE
pre-shared keys, Diffie-Hellman perfect forward secrecy, and
dead peer detection. VPN must be initiated from customer.
• VPNs can use BGP dynamic routes, or static routes.
• DXs and VPNs can optionally use Bidirectional Forwarding
Detection (BFD) for fast failover to alternative routes.
• VPNs can use Internet alone, or DX with Internet failover.

Your Data Center
IPSEC VPN
Tunnels(x2)
AWS Direct Connect
Peering Location
Carrier Circuit e.g MPLS
AWS
Fibre cross connect
Terminated on an AWS
virtual private gateway
(Internet)
Network Extension
OPS | NETWORKING

(Optional) Bring your favorite security tools
Unified Threat
Management & WAF
VPN / Routing,
Application Delivery,
Key Management
AVAILABLE NOW

• Secure, flexible networking
between cloud and on-premises
management
environments
Amazon Virtual Private
Cloud (Amazon VPC)
AWS Direct Connect

Federated Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Directory Service – AD Connector
• Easily federate your corporate Active
Directory environment to AWS and enable
single sign-on
• Connects to your on-premises Domain
Controllers (Kerberos & LDAP)
• No need for SAML infrastructure
• Proxy only – does not store credentials
• Supports RADIUS-based MFA
• Always deployed as multi-AZ
Customers can also use ADFS or partner
solutions

AWS Identity & Access Management
AWS Identity and Access Management
• Securely control access to AWS services
and resources
• Combine IAM and AD Connector to
develop role based security policies for
AWS resources using your existing AD
identities
• Fine grained control of permissions
• IAM actions and console logins are
auditable using AWS CloudTrail

AWS Management
Console
Your Identity Provider
e.g., Active Directory
IAM
(Federated users)
Policies AWS Services &
Resources
AD Connector – (Proxy only)
AWS Directory Service
Forward Authentication
Access per IAM
policies
Authentication
Authorization
Allow / deny

AWS Identity Federation Partners

between cloud and on-premise
management
environments
Cloud (Amazon VPC)
AWS Direct Connect
AWS Identity & Access
Management (IAM)

management
environments
Cloud (Amazon VPC)
AWS Direct Connect
AWS Identity & Access
Management (IAM)

Step 1 –
Use a “cloud broker”
OPS | MANAGEMENT

Start by experimenting with
different tools
(and try open source)

ANSIBLE
Configuration management
HASHICORP PACKER
Build machine and container
images (cross platform)
HASHICORP TERRAFORM
Create and deploy application
templates (cross platform)
AWS CLOUDFORMATION
Application templates
(AWS only)
Common
Examples
OPS | MANAGEMENT

HASHICORP PACKER
Build cross platform machine
and container images
VMWare
(vmx or ISO)
AWS
(Amazon Machine Image)
OpenStack, etc…
Parallel Build
Source
config
OPS | MANAGEMENT

resource "aws_elb" "frontend" {
name = "frontend-load-balancer"
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
instances = ["${aws_instance.app.*.id}"]
}
resource "aws_instance" "app" {
count = 5
ami = "ami-043a5034"
instance_type = "m1.small"
}
HASHICORP TERRAFORM
Application Templates
Ex: Create 5 servers and put them behind a load balancer
OPS | MANAGEMENT

Stack Template
References
Post-
processing
Executes
API / CLI
App Stack
E.g. 3 Tier
Prod Web
Configures
Deploys
(App)
Configures
Deploys
(Infra)
AnsiblePacker
Terraform
Build automation for hybrid environments
OPS | MANAGEMENT

Importing existing VM images
AWS Management Portal for
VMWARE vCenter
AWS VM Import
Point and click
migration for VMware
Migrate VMWare, Hyper-V
and Citrix Xen images
OPS | MANAGEMENT

management
environments
VPC & Direct Connect IAM, Directory Service
Packer, Terraform, Ansible and VM Import

Amazon
CloudWatch
APPLICATION
PERFORMANCE
OPERATIONAL
ANALYTICS
AWS platform &
service metrics
Splunk App for AWS
API Integration
AppDynamics
OPS | MONITORING

COST/Performance/
Reliability
MANAGEMENT
• Track cloud best practices with reports,
dashboards, and email alerts
• Recommendations via historical usage
analytics
• Assure you are using Best Practices in the
AWS cloud
OPS | MONITORING
AWS Trusted
Advisor

management
environments
VPC & Direct Connect IAM, Directory Service

between cloud and on-premise
management
environments
VPC & DirectConnect IAM, Directory Service

Cloud adoption patterns &
common use cases
Hybrid Apps

Starting out
Dev & Test
Production
Disaster
Recovery

Dev & Test on AWS
Performant Lower costAutomated Available
Automate
environment
builds and release
processes
(CI/CD)
Deploy and test
code at full scale
and in replica
environments
Pay as you go –
but turn it off
when idle
On demand
resources in 12
regions globally –
no need to wait
for hardware

On-Demand Development Environments
Amazon Workspaces
• Secure and isolated virtual desktop
environments
• Windows 7 desktop experience
• Fully customizable image and apps
• Active Directory integration & MFA
• Pay as you go
Amazon Workspaces
On-demand
virtual desktops
Dev Environments
Great for Government contractors or
isolated development environments

Gaining confidence
Dev & Test
Production
Disaster
Recovery

Disaster Recovery on AWS
Performant No secondary
site expense
Highly
Secure
Geo DR
AWS data
centers are
compliant to
15+
international
security
standards
Provision DR
environments
to production
scale
Turn it on when
you need it
and run DR
tests frequently
without financial
penalties
Back up your
systems to 11
AWS regions
globally
Eliminate
Tape
Use more
durable disk
based storage
for backup,
archive and
compliance
workloads

Maturing
Dev & Test
Production
(Legacy)
Disaster
Recovery
Production
(Digital Apps)

Production on AWS
Highly
Secure
AWS data centers
are compliant to
15+ international
security standards
Digital
Ready
Extensive set of
services for big
data, predictive
analytics, IoT, and
mobile apps
Global
Footprint
13 regions, 35
availability zones,
56 edge locations
Open &
Flexible
Language and
operating system
agnostic

Digital Applications
You code. AWS builds and deploys
Amazon Elastic Beanstalk (PaaS)
Mobile and Web
Supports: Supports Java, .NET, PHP,
Node.js, Python, Ruby, Go, and Docker
Mobile only
AWS Mobile Hub
A complete mobile platform
Features: User sign-in and data storage
(Cognito), cloud logic (Lambda), Push
notifications (SNS), analytics, content delivery
& app testing (Device Farm)

Split tier deployment
DirectConnect
DirectConnect
Web tier
Web tier
App & DB tier
App & DB tier with push notifications and search
Amazon SNS
Amazon ElasticSearch

Case Study:
Australian Medical Council
Hugh Evans, System Architect

Australian Medical Council’s
Hybrid IT solution
What we’ve developed over the last 18 months

About the AMC
• Accreditation of Australian
Medical Schools and Specialist
Colleges
• The verification and assessment
of overseas trained doctors
wishing to practice medicine in
Australia
• Offices in Canberra and
Melbourne – examinations around
the world

1. Internal DevOps culture
Started with the basics –
• Version control (git)
• Automated configuration management
• Monitoring
• Continuous integration
• Chat Ops

2. Consolidation of external services
Replacing multiple providers –
• Domain registration and DNS (Route 53)
• Static websites (S3/CloudFront)
• Email delivery (SES)
• HTTP/S health checks (Cloud Watch)
• AMC website (↪)

3. Starting to use the goodies
Integrating on-premise production systems –
• Object storage (S3)
• Queuing (SQS)
• Push notifications (SNS)
• Video encoding (Elastic Transcoder)
• Content distribution (CloudFront)
• Monitoring (CloudWatch and PagerDuty)

4. Production VPC – “Cloud DC”
Developed a VPC for running critical production workloads –
• Infrastructure and application resources provisioned with CloudFormation
• AMIs provisioned with Ansible
• Palo Alto Networks VM-Series firewalls
• Everything deployed in HA, including databases (RDS)
• VPN connection for deployment/administration

5. Redundant path routing
A fault-tolerant WAN design –
• 2 x Direct Connect connections
• Fail-over routing
• New WAN fibre build with diverse paths
• Confidence to create inter-site dependencies
• With thanks to AWS, TPG and Correct Comms

Summary
• With careful planning we’ve avoided any downtime on our AWS services
• A veritable Swiss army knife of tools now at our disposal
• Furthered our journey into DevOps and embraced infrastructure as code
• AWS Training & Certification is a very good thing™
• Top-level executive support from stage 2 onwards
• Inhibiters to future project delivery greatly decreased

AWS Import / Export Snowball
• Helped us archive a large
amount of data prior to our
Direct Connect connections
• Simple to use and extremely
cost effective
• Impressive physical product
design

Secure video delivery
• Processing large amounts of
examination video recordings
• HLS playlists with AES-128
encryption
• Portal for AMC examiners to
review appealed Clinical
Examination outcomes

Cloud is an ALL or NOTHING proposition

Resources…
Hybrid Cloud Architectures:
http://aws.amazon.com/enterprise/hybrid/
Cloud Adoption Framework – assists organisations to plan
an efficient and effective journey to the cloud
https://aws.amazon.com/professional-services/CAF/

AWS Training & Certification
Intro Videos & Labs
Free videos and labs to
help you learn to work with
30+ AWS services –
in minutes!
Training Classes
In-person and online
courses to build
technical skills –
taught by accredited
AWS instructors
Online Labs
Practice working with
AWS services in live
environment –
Learn how related
services work together
AWS Certification
Validate technical skills
and expertise - identify
qualified IT talent or show
you are AWS cloud ready
Learn more: aws.amazon.com/training

Hybrid IT Approach and Technologies with the AWS Cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Hybrid IT Approach and Technologies with the AWS Cloud

Similar to Hybrid IT Approach and Technologies with the AWS Cloud (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Hybrid IT Approach and Technologies with the AWS Cloud