Page 1: Application Migrations

Landing Zone for application migrations

Koen vd Biggelaar, Sr Mgr AWS Solutions Architecture - Global Accounts

Wednesday July 6th, 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 2: Application Migrations

Application Migration: Create Landing Zone > Migrate Apps > Operate & Optimize

Page 3: Application Migrations

AWS Cloud Adoption Framework perspectives: Business, Platform, Maturity, People, Process, Operations, Security


Page 5: Application Migrations

Our Journey Today: Current State > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize


Page 7: Application Migrations

Current State: Typical Enterprise Situation

Lines of Business raise an Infrastructure Request to Central IT, which owns Governance & Service Management and Provisioning.

Characteristics:
• Lead times ~days/weeks/months
• Service Catalogue of components
• Often process-heavy Service Management

Page 8: Application Migrations

Current State: Opportunity to achieve agility and control

Central IT provides Lines of Business with Templates, Policy & Practices, Automation, Landscape Management and Monitor & Respond.

Opportunities:
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management

Page 9: Application Migrations

Current State: Guiding Principles

Security, Automation, Consumers

Page 10: Application Migrations

Journey map: Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize (next: Account Structure)

Page 11: Application Migrations

Account Structure

• Don’t overdo on Day One
• Use separate accounts for:
  • Security and Compliance Isolation (production, non-prod, logging)
  • Cost Allocation
  • Resource Management and Ownership

Page 12: Application Migrations

Account Structure

Payer

Page 13: Application Migrations

Account Structure: Opportunity to create linked accounts

Create Linked Account (CLA) API

• The payer account can programmatically access and manage the new accounts using cross-account access and administrative privileges that are configured automatically during account creation.

• Currently available on a whitelisting basis: connect with your AWS Account Manager or SA. A public API will be rolled out in future; you will need to use those new APIs then.

Page 14: Application Migrations

Account Structure

Payer

Central Accounts: Billing Reports, Service Catalog, Logging, Audit, Central Services

Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical

Option: Per AWS Region

Page 15: Application Migrations

Journey map: Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize (next: Security)

Page 16: Application Migrations

Analyze your CloudTrail Logs

You make API calls (AWS Management Console, AWS CLI, SDK) to AWS Services; the calls are logged by AWS CloudTrail and delivered to your central Amazon S3 logging bucket for Analysis & Action.
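The "Analysis & Action" step is where the central logging bucket pays off. The script below is an added example, not part of the original deck: it parses the standard CloudTrail delivery format ({"Records": [...]}) and flags the events a landing-zone team usually wants alerted on first (root activity, console logins without MFA, IAM calls that change privileges). The three records are constructed for the example; in production you would read and gunzip the objects from the central S3 bucket and feed the decoded JSON text to scan().

```python
"""Flag high-risk activity in a CloudTrail delivery object.

Added example (not from the deck). Assumes the standard CloudTrail JSON
layout; the records below are constructed, not captured from an account.
"""
import json

# Constructed sample: a root console login without MFA, an IAM privilege
# change, and a routine read-only call that should not be flagged.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2016-07-06T09:12:44Z",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2016-07-06T09:15:02Z",
        "eventName": "AttachUserPolicy",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {
        "eventTime": "2016-07-06T09:20:00Z",
        "eventName": "DescribeInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Audit/session"},
        "sourceIPAddress": "10.0.0.5",
    },
]})

# IAM calls that change who can do what. Illustrative list, extend as needed.
IAM_PRIVILEGE_CHANGES = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreateAccessKey", "CreateUser", "UpdateAssumeRolePolicy",
}


def classify(record):
    """Return the list of finding labels that apply to one CloudTrail record."""
    findings = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root-activity")
    if record.get("eventName") == "ConsoleLogin":
        # CloudTrail reports MFA use for console logins in additionalEventData.
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("console-login-without-mfa")
    if (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in IAM_PRIVILEGE_CHANGES):
        findings.append("iam-privilege-change")
    return findings


def scan(log_text):
    """Parse one delivery object; return (time, actor ARN, event, findings) per flagged record."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        findings = classify(rec)
        if findings:
            alerts.append((rec["eventTime"], rec["userIdentity"].get("arn"),
                           rec["eventName"], findings))
    return alerts


if __name__ == "__main__":
    for when, actor, event, findings in scan(SAMPLE_LOG):
        print(f"{when} {actor} {event}: {', '.join(findings)}")
```

The "Action" half is deliberately left open: the same alerts list can feed an SNS notification, a ticket, or an automated response, which is what the central logging account exists to enable.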

Page 17: Application Migrations

Changing Resources

Config tracks resource changes

Page 18: Application Migrations

Changing Resources: Config tracks resource changes

AWS Config: Record > Normalize > Store > Deliver, as a Stream and as Snapshots (ex. 2014-11-05); the change History is available through the AWS Config APIs.
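What AWS Config records is a configuration item per resource version, and what a landing zone does with it is evaluate each new version and diff it against the previous one. The block below is an added example, not from the deck: it takes two constructed configuration items for a security group (the shape AWS Config records for AWS::EC2::SecurityGroup, with both the legacy ipRanges and the newer ipv4Ranges fields), reports which fields changed, and returns a Config-rule style verdict when an administrative port has been opened to 0.0.0.0/0. In a real custom rule the same evaluate() would run inside a Lambda function on the configurationItem carried in the rule's invoking event; that wiring is left out here so the logic runs offline.

```python
"""Diff two AWS Config configuration items and evaluate the new one.

Added example (not from the deck). The two items are constructed to look
like AWS::EC2::SecurityGroup configuration items; nothing here talks to AWS.
"""
import json

BEFORE = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2016-07-06T08:00:00.000Z",
    "configuration": {
        "groupName": "bastion",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": ["10.0.0.0/8"], "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
        ],
    },
}
# The later version: someone opened SSH to the world.
AFTER = json.loads(json.dumps(BEFORE))  # deep copy
AFTER["configurationItemCaptureTime"] = "2016-07-06T09:30:00.000Z"
AFTER["configuration"]["ipPermissions"][0]["ipRanges"] = ["0.0.0.0/0"]
AFTER["configuration"]["ipPermissions"][0]["ipv4Ranges"] = [{"cidrIp": "0.0.0.0/0"}]

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def _cidrs(perm):
    """Collect CIDRs from both the legacy 'ipRanges' and newer 'ipv4Ranges' fields."""
    cidrs = set(perm.get("ipRanges", []))
    cidrs.update(r["cidrIp"] for r in perm.get("ipv4Ranges", []))
    return cidrs


def _covers_port(perm, port):
    if perm.get("ipProtocol") == "-1":  # "-1" means all traffic
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate(item):
    """Config-rule style verdict: NON_COMPLIANT if an admin port is open to 0.0.0.0/0."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    for perm in item["configuration"].get("ipPermissions", []):
        if "0.0.0.0/0" in _cidrs(perm) and any(_covers_port(perm, p) for p in ADMIN_PORTS):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def diff_configuration(before, after):
    """Return {dotted.path: (old, new)} for every leaf that differs between two items."""
    changes = {}

    def walk(x, y, path):
        if isinstance(x, dict) and isinstance(y, dict):
            for k in sorted(set(x) | set(y)):
                walk(x.get(k), y.get(k), f"{path}.{k}")
        elif isinstance(x, list) and isinstance(y, list) and len(x) == len(y):
            for i, (xi, yi) in enumerate(zip(x, y)):
                walk(xi, yi, f"{path}[{i}]")
        elif x != y:
            changes[path] = (x, y)

    walk(before["configuration"], after["configuration"], "configuration")
    return changes


if __name__ == "__main__":
    for path, (old, new) in diff_configuration(BEFORE, AFTER).items():
        print(f"{path}: {old!r} -> {new!r}")
    print("verdict:", evaluate(AFTER))
```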

Page 19: Application Migrations

Journey map: Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize (next: Network)

Page 20: Application Migrations

Network: Key Considerations
• Non-overlapping IP range
• VPC Design
• Subnet Design
• Access Control Lists & Security Groups
• Logging and Monitoring
• Direct Connect
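"Non-overlapping IP range" is the item on this list that is cheapest to get right up front and most expensive to fix after Direct Connect is live. The script below is an added example, not from the deck: it checks a set of proposed VPC CIDRs against the on-prem ranges (and against each other) with the standard library's ipaddress module, and carves one subnet per tier and Availability Zone out of a VPC block. The address ranges, account names and AZ names are constructed for the example.

```python
"""VPC address planning for a landing zone.

Added example (not from the deck). All ranges below are constructed; the
"non-prod" VPC is deliberately placed inside the on-prem 10.0.0.0/12 to
show the check firing.
"""
import ipaddress

ON_PREM = ["10.0.0.0/12", "192.168.0.0/16"]  # existing corporate ranges (constructed)

PROPOSED_VPCS = {
    "central-services": "10.16.0.0/16",
    "prod-generic": "10.17.0.0/16",
    "prod-critical": "10.18.0.0/16",
    "non-prod": "10.0.8.0/21",  # overlaps ON_PREM: must be re-planned
}


def find_overlaps(vpcs, on_prem):
    """Return (vpc_name, conflicting_range_or_vpc) for every overlap found."""
    existing = [ipaddress.ip_network(c) for c in on_prem]
    conflicts = []
    names = list(vpcs)
    for i, name in enumerate(names):
        net = ipaddress.ip_network(vpcs[name])
        for ext in existing:
            if net.overlaps(ext):
                conflicts.append((name, str(ext)))
        # VPCs must not overlap each other either, or peering/transit routing breaks.
        for other in names[i + 1:]:
            if net.overlaps(ipaddress.ip_network(vpcs[other])):
                conflicts.append((name, other))
    return conflicts


def carve_subnets(vpc_cidr, azs, tiers, new_prefix):
    """Split a VPC block into one subnet per (tier, AZ), tier-major order.

    Raises ValueError if the requested prefix length cannot provide enough
    subnets, which is the usual planning mistake (too small a VPC block).
    """
    net = ipaddress.ip_network(vpc_cidr)
    wanted = len(azs) * len(tiers)
    blocks = list(net.subnets(new_prefix=new_prefix))
    if len(blocks) < wanted:
        raise ValueError(f"/{new_prefix} yields {len(blocks)} subnets in {vpc_cidr}, need {wanted}")
    plan = {}
    it = iter(blocks)
    for tier in tiers:
        for az in azs:
            plan[(tier, az)] = str(next(it))
    return plan


if __name__ == "__main__":
    for name, clash in find_overlaps(PROPOSED_VPCS, ON_PREM):
        print(f"CONFLICT: {name} overlaps {clash}")
    plan = carve_subnets("10.17.0.0/16", ["eu-west-1a", "eu-west-1b"],
                         ["public", "private", "data"], new_prefix=20)
    for (tier, az), cidr in plan.items():
        print(f"{tier:8} {az}  {cidr}")
```

Leaving unused /20 blocks in each VPC is intentional: it is the headroom that lets you add a tier or a third AZ later without renumbering.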

Page 21: Application Migrations

Network: Direct Connect for connecting on-prem and AWS environment

Diagram labels: Customer Gateway, Partner Network, Direct Connect Location (Virtual Interface #1, Virtual Interface #2), Secondary Direct Connect Location, VPN backup.

Page 22: Application Migrations

Network: Central Services in a central VPC

Central common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet Proxy

Consuming environments: Production Generic, Production Business Critical, Non-production

Page 23: Application Migrations

Journey map: Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize (next: Identities & Access)

Page 24: Application Migrations

Identity and Access Management: Control access and segregate duties everywhere

• You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• You can use AWS managed policies or customer-generated policies using the policy generator, and test them with the policy simulator

AWS account owner

Page 25: Application Migrations

Identities and Access Control: Sample Access Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:RebootInstances"
    ],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
    }
  }]
}
```

Effect: allow or deny access to the resource
Action: service calls allowed to be performed
Resource: object or objects that the statement covers. The slide's `arn:aws:ec2:::instance/*` leaves the region and account segments empty; `*` is used for both here so the ARN is well-formed.
Condition: conditions to satisfy: EC2 resources must be tagged with "Dev". The `ec2:ResourceTag` condition key must name the tag key (`ec2:ResourceTag/<key>`); the slide shows only the value, so the key `Environment` is assumed here.
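To see how the three elements and the tag condition interact, the block below is an added example, not AWS's policy engine and not from the deck: a deliberately minimal evaluator that implements only what this one policy needs (Effect, wildcard Action and Resource matching, StringEquals on ec2:ResourceTag/<key>, explicit Deny overriding Allow, and the implicit deny when nothing matches). The tag key Environment and the instance ARNs are assumed; real evaluation also considers resource policies, permission boundaries and SCPs, none of which are modelled here.

```python
"""Minimal evaluator for the tag-conditioned EC2 policy on this slide.

Added example (not AWS's engine). Only the policy features that policy uses
are implemented; the tag key "Environment" is assumed, the slide gives the
value "Dev" only.
"""
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}},
    }],
}


def _matches(patterns, value, case_sensitive=True):
    """Wildcard match of one value against a string or list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:  # action names are case-insensitive in IAM
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is supported; every listed key must be present and equal.

    A missing key (for example an untagged instance) makes the condition false,
    which is why the implicit deny below catches untagged resources.
    """
    for op, pairs in condition.items():
        if op != "StringEquals":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny'. Explicit Deny wins; no matching Allow is an implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts: the target instance's tags are exposed to the
# policy as ec2:ResourceTag/<key> condition keys.
DEV_INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc"
PROD_INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0def"

if __name__ == "__main__":
    print(evaluate(POLICY, "ec2:StopInstances", DEV_INSTANCE, {"ec2:ResourceTag/Environment": "Dev"}))
    print(evaluate(POLICY, "ec2:StopInstances", PROD_INSTANCE, {"ec2:ResourceTag/Environment": "Prod"}))
    print(evaluate(POLICY, "ec2:StopInstances", DEV_INSTANCE, {}))  # untagged: implicit deny
```

The last case is the one worth remembering when using tags for segregation: a resource that nobody tagged falls through to the implicit deny, so tag enforcement at creation time (or a Config rule for missing tags) is part of making this policy usable.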

Page 26: Application Migrations

Identities and Access Control: Example user types with their typical access policy

Access Managers:
• IAM Master: Create policies
• IAM Manager: Assign policies
• Audit: Read-only

Design:
• Architect: Create landscapes
• Storage: Design and build
• Network: Design and build

Application Owners:
• DevOps: API access
• App Owner: Landscape owner

Support and Operations:
• Support: Account policy
• Empty Role: No policy

Administrators:
• Administrator: Landscape management
• Administrator: Service Catalog

Page 27: Application Migrations

Identity and Access Management: Federation with on-prem directory

Corporate Data Center: Identity Store with AD Groups (Identity and Authentication) > Mapping to a specific IAM Role with Access Policy > Access to AWS through the browser interface
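The mapping step in this diagram is where the user types on the previous slide meet the directory: each AD group maps to exactly one IAM role, and the identity provider emits that mapping in the SAML Role attribute (https://aws.amazon.com/SAML/Attributes/Role) as "role_arn,provider_arn" pairs. The block below is an added example, not from the deck and not any vendor's federation code: it builds those attribute values from a user's group list, and generates the trust policy the target roles need so that only the corporate SAML provider can assume them. Account ID, provider name, group names and role names are constructed.

```python
"""AD group -> IAM role mapping for SAML federation.

Added example (not from the deck). Account ID, provider name, groups and
role names are constructed; the attribute value format
"role_arn,provider_arn" and the sts:AssumeRoleWithSAML trust policy are
the real AWS formats.
"""
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpAD"

# AD group -> IAM role name. Groups not listed here grant nothing, so a user
# who is in no mapped group cannot sign in to AWS at all.
GROUP_TO_ROLE = {
    "AWS-Audit-ReadOnly": "Audit",
    "AWS-DevOps": "DevOps",
    "AWS-IAM-Manager": "IAMManager",
}


def role_attribute_values(ad_groups):
    """Return the SAML Role attribute values for a user's AD groups.

    One value per mapped group; if several are present the AWS sign-in page
    lets the user pick which role to assume.
    """
    values = []
    for group in ad_groups:
        role = GROUP_TO_ROLE.get(group)
        if role:
            values.append(f"arn:aws:iam::{ACCOUNT}:role/{role},{PROVIDER_ARN}")
    return values


def trust_policy(provider_arn):
    """Trust policy for a federated role: only this SAML provider may assume it,
    and only with assertions whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


if __name__ == "__main__":
    # Constructed user: in the default group plus two AWS groups.
    for value in role_attribute_values(["Domain Users", "AWS-Audit-ReadOnly", "AWS-DevOps"]):
        print(value)
    print(trust_policy(PROVIDER_ARN))
```

Keeping the mapping table in one place (here, in the IdP attribute rule) is what makes "segregate duties everywhere" auditable: adding someone to AWS-IAM-Manager is a directory change that shows up in the directory's own audit trail, and the role's trust policy ensures the directory is the only way in.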

Page 28: Application Migrations

Journey map: Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize (next: Cloud Consumers)

Page 29: Application Migrations

Cloud Consumers: AWS Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.

Administrator: Control, Standardization, Governance
Users: Agility, Self-service, Time to market

Page 30: Application Migrations

Administrator Interaction: CloudFormation to create products

Product = Template: a JSON-formatted file with parameter definitions, resource creation and configuration actions.

CloudFormation Running Stack: configured AWS services.

Framework: comprehensive service support, service event aware, customisable; stack creation, stack updates, error detection and rollback.

Page 31: Application Migrations

Administrator Interaction: Managing products

Landscape Architect / Administrator steps:
1. Authors template
2. Creates product (Product X, with Versions)
3. Creates portfolio and assigns product to portfolio (Portfolio A, Portfolio B)
4. Adds constraints, grants access and adds tags (Users and Roles, Constraints, Tags)

Page 32: Application Migrations

Agility and Control: Opportunities to strengthen the handshake
• Administrator products
• User-generated products to foster innovation
• Back-end micro-services acting on the stacks

Page 33: Application Migrations

Cloud Consumer Interaction: Overview
1. Cloud Consumers browse products in a Portfolio
2. Select version, provision product, configure parameters
3. Deploy
4. Scheduled functions (Administrator)
5. Notifications and outputs

Page 34: Application Migrations

Cloud Consumer Interaction: Browse Products

Launch Product; Available Products; Launched Products

Page 35: Application Migrations

Cloud Consumer Interaction: Configuring Options

EC2 Instance type; Schedule on/off; Schedule details

Page 36: Application Migrations

End User Interaction: Launched Product

Launched Product details

Page 37: Application Migrations

End User Interaction: Launched Product (continued)

Page 38: Application Migrations

End User Interaction: Cost Overview

Cost broken down by environment: Prod, Test, Dev, IT Security

Page 39: Application Migrations

AWS Service Catalog: Announcing today

• End User APIs are Generally Available w/SDK and CLI support

• CloudTrail support for End User actions in UI and API

• Product version default limit raised to 50 per product

Page 40: Application Migrations

Our Journey Today: What did we cover?

Start > Account Structure > Security > Network > Identities & Access > Cloud Consumers > Migrate > Operate & Optimize

Page 41: Application Migrations

Application Migration Approach: Create Landing Zone > Migrate > Operate & Optimize

Page 42: Application Migrations

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Thank you