
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Zone (ARC314)

Apr 16, 2017

Page 1: AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Zone (ARC314)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

ARC314
Create an AWS Landing Zone for Application Migrations

Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Henk van Rossum - Director, Platform Manager Hosting and Storage
Scott Macy - Sr Product Manager, Service Catalog
John Steiner - Sr Mgr AWS Solutions Architecture

Page 2

What is a Landing Zone and do I need one?

- A configured, secure, enterprise multi-account AWS environment based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration & extension over time

Page 3

What to Expect from the Session

At the end of this session, we hope you

- have an understanding of what an initial AWS Landing Zone is and why you would need one
- can build an initial AWS Landing Zone, or update your current one
- can use the initial Landing Zone to accelerate your application migration journey

Page 4

Our Journey Today (agenda diagram)

Sections: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Labels on the diagram: Domains, Direct Connect, Central Services, Logging, Config, Access, Identities, Federation, End User Interaction, Automation, Service Catalog, Migrate, Iterate, Operate & Optimize

Page 5

Current State: Typical Enterprise Situation

Diagram labels: Lines of Business, Infrastructure Request, Central IT (Governance & Service Management), Provisioning

Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management

Page 6

Current State: Opportunity to achieve agility and control

Diagram labels: Lines of Business, Central IT, Landing Zone Templates, Policy & Best Practices, Automation, Landscape Management, Monitor & Respond

Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management

Page 7

Current State: Guiding Principles

Security, Automation, Cloud IT, Consumers

Page 8

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 9

Account Structure

• Don't overdo on Day One
• Use separate accounts for:
  - Security and Compliance
  - Isolation (production, non-prod, logging)
  - Cost Allocation
  - Resource Management and Ownership

Page 10

Account Structure (diagram)

• Payer: Billing, Reports
• Central Accounts: Service Catalog, Logging, Audit, Central Services
• Services Accounts: Dev & Test, Production Generic, Production Critical
• Workload labels: Mobility, IoT, Serverless, Internal business apps, Digital Platforms
• Option: Per AWS Region

Page 11

AWS Organizations

• New management capability for centrally managing multiple AWS accounts
  - Simplified billing
  - Programmatic creation of new AWS accounts
  - Logically group AWS accounts for management convenience
  - Apply organization control policies (OCP)
• A Consolidated Billing (CB) family is automatically migrated to an organization
• All organization management activity is logged in AWS CloudTrail
• An AWS account can be a member of only one organization
• V1 OCP: control which AWS service APIs are accessible in AWS account(s)
• Console, SDK, and CLI support for all management tasks

Available in limited public preview: http://aws.amazon.com/organizations/preview

Page 12

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 13

Network: Key Considerations

• Non-overlapping IP range
• VPC Design
• Access Control Lists & Security Groups
• Logging and Monitoring
• AWS Direct Connect
• Subnet Design

Page 14

Network: Direct Connect for connecting on-prem and AWS environment

Diagram labels: Customer Gateway, VPN backup, Partner Network, Direct Connect Location (Virtual Interface #1), Secondary Direct Connect Location (Virtual Interface #2)

Page 15

Network: Central services in a central VPC

Central common/core services
• Authentication/directory
• Monitoring
• Logging
• Bastion host
• Remote administration
• Scanning
• Internet proxy

Diagram labels: Central Services, Production Generic, Production Business-critical, Non-production

Page 16

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 17

Our Landing Zone needs to be safe and secure: Insight is the first step

• Who is accessing our Amazon accounts and what are they doing?
• How will we know if anyone breaks our security policy?
• What does the traffic on our infrastructure look like, and are all of our resources isolated?
• How can we easily analyze our logs?

Page 18

AWS CloudTrail records who is accessing APIs

Diagram: AWS accounts make API calls on a growing set of AWS services around the world; CloudTrail is continuously recording the API calls. The logs go to a central logging account (labels: Store/archive, Troubleshoot, Monitor & alarm; Amazon EBS icon).

Page 19

AWS Config informs you of policy violations

Compliance Guideline -> Non-compliance Action
• All storage volumes should be encrypted -> Automatically encrypt storage volumes
• Instances must not have unrestricted Internet access on Port 22 -> Remove Port 22 access from any Internet host
• Instances must be tagged with environment type -> Notify developer (email, page, SNS)

Pre-configured rules: https://github.com/awslabs/aws-config-rules
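An added example (not from the deck or from the aws-config-rules repository) showing how the three guidelines on this slide evaluate as custom-rule logic over configuration items. The item shape is a simplified, constructed stand-in for what AWS Config hands a rule (the key names are an assumption), and "unrestricted" is read as any /0 source range, IPv4 or IPv6.

```python
"""Custom-rule style evaluation of the three slide guidelines (added example).
Configuration items are CONSTRUCTED and simplified; key names are an assumption."""
import ipaddress

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def opens_ssh_to_internet(perm):
    """True if one ingress permission reaches TCP/22 from a whole address space."""
    if perm.get("ipProtocol") not in ("tcp", "-1"):           # "-1" = all protocols
        return False
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)  # absent = all ports
    if not lo <= 22 <= hi:
        return False
    cidrs = perm.get("ipRanges", []) + perm.get("ipv6Ranges", [])
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def volumes_encrypted(item):
    """Guideline 1: all storage volumes should be encrypted."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "not a volume"
    if item["configuration"].get("encrypted") is True:
        return COMPLIANT, "volume is encrypted"
    return NON_COMPLIANT, "volume is not encrypted"


def no_public_ssh(item):
    """Guideline 2: no unrestricted Internet access on port 22."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "not a security group"
    for perm in item["configuration"].get("ipPermissions", []):
        if opens_ssh_to_internet(perm):
            return NON_COMPLIANT, "inbound TCP/22 open to 0.0.0.0/0 or ::/0"
    return COMPLIANT, "no unrestricted SSH ingress"


def environment_tagged(item):
    """Guideline 3: instances must be tagged with an environment type."""
    if item["resourceType"] != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "not an instance"
    env = item.get("tags", {}).get("Environment", "").strip()
    if env:
        return COMPLIANT, f"Environment={env}"
    return NON_COMPLIANT, "missing Environment tag"


RULES = {"volumes-encrypted": volumes_encrypted, "no-public-ssh": no_public_ssh,
         "environment-tagged": environment_tagged}


def evaluate(items):
    """Return {resourceId: {rule: (result, annotation)}} for the rules that apply.
    The NON_COMPLIANT entries are what a rule would publish back to AWS Config
    and what the slide's remediation actions would be keyed off."""
    report = {}
    for item in items:
        for name, rule in RULES.items():
            result, note = rule(item)
            if result != NOT_APPLICABLE:
                report.setdefault(item["resourceId"], {})[name] = (result, note)
    return report


# Constructed sample inventory: two volumes, three security groups, two instances.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-plain", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-kms", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-open-ssh", "configuration": {
        "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-all-v6", "configuration": {
        "ipPermissions": [{"ipProtocol": "-1", "ipv6Ranges": ["::/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-corp", "configuration": {
        "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
                          {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-tagged", "configuration": {}, "tags": {"Environment": "prod"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-untagged", "configuration": {}, "tags": {"Name": "legacy-app"}},
]

if __name__ == "__main__":
    for rid, results in evaluate(SAMPLE_ITEMS).items():
        for rule, (result, note) in results.items():
            print(f"{rid:12} {rule:20} {result:14} {note}")
```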

Page 20

VPC flow logs give you network insights

• Agentless: AWS collects the logs on your behalf
• Enable per network interface, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Fields in a flow log record: AWS account, Interface, Source IP, Destination IP, Source port, Destination port, Protocol, Packets, Bytes, Start/end time, Accept or reject
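An added example (not from the deck) that parses the default version-2 flow log record layout, whose fields are listed above, and derives the two things the slide says to build from it: a per-interface REJECT count to publish as a CloudWatch metric and alarm on, and a check that flags ACCEPTed SSH from outside the RFC1918 ranges. The records are constructed, and treating every non-RFC1918 source as "Internet" is an assumption that fits a VPC using private addressing.

```python
import ipaddress
from collections import Counter

# Default (version 2) flow log record layout, in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6
# Assumption: the VPCs use RFC1918 space, so any other source is "Internet".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_record(line):
    """Split one record into a dict; traffic fields become ints only when log_status is OK."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] == "OK":          # NODATA/SKIPDATA records carry '-' placeholders
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL)


def reject_counts(records):
    """Rejected flows per interface: the number you would publish as a CloudWatch metric."""
    return Counter(r["interface_id"] for r in records
                   if r["log_status"] == "OK" and r["action"] == "REJECT")


def breached(counter, threshold):
    """Interfaces whose REJECT count reached the alarm threshold."""
    return sorted(eni for eni, n in counter.items() if n >= threshold)


def accepted_ssh_from_internet(records):
    """ACCEPTed TCP/22 flows whose source is outside the internal ranges: the
    flow-log view of the Config guideline 'no unrestricted Internet access on port 22'."""
    return [(r["interface_id"], r["srcaddr"], r["dstaddr"]) for r in records
            if r["log_status"] == "OK" and r["action"] == "ACCEPT"
            and r["protocol"] == TCP and r["dstport"] == 22
            and not is_internal(r["srcaddr"])]


# Constructed sample records (documentation account id and addresses).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.11 49152 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.25 51000 22 6 3 180 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40001 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40002 23 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-09f8e7d6 10.0.3.4 10.0.1.25 55000 22 6 10 900 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-09f8e7d6 - - - - - - - 1418530010 1418530070 - NODATA
"""


def analyse(text, threshold=3):
    """Parse a log excerpt and return the metric, the alarm state and the SSH findings."""
    records = [parse_flow_record(line) for line in text.splitlines() if line.strip()]
    rejects = reject_counts(records)
    return {"rejects": rejects, "alarm": breached(rejects, threshold),
            "public_ssh": accepted_ssh_from_internet(records)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```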

Page 21

Create alarms when metrics are breached (Amazon CloudWatch)

Page 22

Log everything centrally for analysis

The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.

Diagram: Amazon EC2 (in a VPC subnet), VPC flow logs and AWS CloudTrail feed Amazon S3 and Amazon CloudWatch; AWS Lambda transforms the logs and loads them into Amazon Elasticsearch Service (Log -> Transform -> Search).

You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs

https://aws.amazon.com/answers/logging/centralized-logging

Page 23

Choose how to start your compute: private images or import your current ones

Diagram: EC2 AMI catalogue -> Launch instance -> Running instance -> Configure instance -> Your instance. Layers of the host security environment: Hardening and configuration, Audit and logging, Vulnerability management, Malware and IPS, Whitelisting and integrity, User administration, Operating system.

Configure your environment as you like; you get to apply your existing security policy.

Three options to create or import your own 'gold' images:
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images

On 3: choose how to build your standard host security environment.

CIS AMI: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed

Page 24

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 25

Identity and Access Management: Control access and segregate duties everywhere

You get to control who can do what in your AWS environment, when and from where.

Fine-grained control of your AWS cloud with multi-factor authentication.

Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).

You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator, and test them with the policy simulator.

Diagram label: AWS account owner
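An added example (not from the deck) of a check a practitioner would run before publishing a policy: it lints an IAM policy document for the "who, when and from where" controls this slide names, requiring aws:MultiFactorAuthPresent and an aws:SourceIp restriction on every Allow statement that grants non-read actions, and shows the weak statement beside its hardened form. The policy and the corporate address range are constructed, and treating Describe*/Get*/List* as read-only is a simplification.

```python
import copy
import ipaddress

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """'ec2:Describe*' is read-only; 'ec2:*', '*' and 's3:PutObject' are not (simplification)."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def requires_mfa(statement):
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def source_ips(statement):
    return as_list(statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))


def lint_policy(policy, corporate_cidrs):
    """Findings for Allow statements that grant mutating actions without MFA, without
    a source-IP restriction, or from ranges outside the corporate ones.
    Simplification: NotAction/NotResource and Deny statements are not analysed."""
    corporate = [ipaddress.ip_network(c) for c in corporate_cidrs]
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        sid = st.get("Sid", f"Statement[{i}]")
        mutating = [a for a in as_list(st.get("Action", [])) if not is_read_only(a)]
        if st.get("Effect") != "Allow" or not mutating:
            continue                      # Deny and read-only statements are out of scope
        if not requires_mfa(st):
            findings.append(f"{sid}: grants {mutating} without aws:MultiFactorAuthPresent")
        ips = source_ips(st)
        if not ips:
            findings.append(f"{sid}: grants {mutating} from any source address")
        for cidr in ips:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == c.version and net.subnet_of(c) for c in corporate):
                findings.append(f"{sid}: aws:SourceIp {cidr} is outside the corporate ranges")
    return findings


def harden(statement, corporate_cidrs):
    """Copy of a statement with the MFA and corporate source-IP conditions enforced."""
    hardened = copy.deepcopy(statement)
    cond = hardened.setdefault("Condition", {})
    cond.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    cond.setdefault("IpAddress", {})["aws:SourceIp"] = list(corporate_cidrs)
    return hardened


def hardened_policy(policy, corporate_cidrs):
    """Apply harden() only to the statements the lint flags; others are left untouched."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [harden(s, corporate_cidrs) if lint_policy({"Statement": s}, corporate_cidrs) else s
                          for s in as_list(policy["Statement"])]
    return fixed


# Constructed inputs: a corporate egress range and a policy with one weak statement.
CORPORATE_CIDRS = ["198.51.100.0/24"]
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyAnywhere", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"]},
        {"Sid": "AdminFromOffice", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
        {"Sid": "LegacyDeploy", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-deploy-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    ],
}

if __name__ == "__main__":
    print(*lint_policy(WEAK_POLICY, CORPORATE_CIDRS), sep="\n")
    print("after hardening:", lint_policy(hardened_policy(WEAK_POLICY, CORPORATE_CIDRS), CORPORATE_CIDRS))
```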

Page 26

Identities and Access Control: Example user types with corresponding access policies

Access Managers
• IAM Master: create policies
• IAM Manager: assign policies
• Audit: read-only

Design
• Architect: create landscapes
• Storage: design and build
• Network: design and build

Application Owners
• DevOps: API access
• App Owner: landscape owner

Administrators
• Network Admin
• Administrator
• Service Catalog
• Database Admin

Other
• Billing
• Support User

Managed policies for job functions:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html

Page 27

Identity and Access Management: Federation with on-prem directory

Diagram: a user in the Corporate Data Center authenticates against the Identity Store (AD Group: identity and authentication); the AD group is mapped to a specific IAM role with an access policy, which gives access to AWS through the browser interface.

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html

Page 28

Identity and Access Management Federation: Cross-account manager solution

Using AWS CloudFormation templates to create and manage roles for a master account and sub accounts
- Account onboarding
- Role onboarding

https://aws.amazon.com/answers/account-management/cross-account-manager

SEC304 session with deep-dive and demo

Page 29

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 30

Creating a Landing Zone in AWS: An Enterprise way of working

Henk van Rossum
Director - Platform and Program Manager Hosting and Storage
November 2016

Page 31

Moving from Legacy to Future proof

• 100+ Sites
• 3500+ Servers
• Extremely high fixed costs
• Old end-of-term infrastructure
• No incentives to decomm & modernize
• Governance

Workload Split (chart): 1st tier Datacenter, Decommission Infra (30%), Local compute (Darkroom operated); other segment values shown: 42%, 3%, 25%

Page 32

From Legacy to Cloud First

Legacy
• "Break-Fix"
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain for new demand
• Wide variety of versions
• Not scalable
• Pay for capacity reserved
• Reporting "after the fact"

Cloud First
• Design for "Always On"
• SLA based managed services
• Self provisioning, consumer driven
• Standard market available services
• Scalable resources
• Pay only for what you use
• "Real time" usage & performance

Does not represent a Philips location

Page 33

Creating a Landing Zone

Diagram: the same stack (network, application, data, runtime, middleware, OS, virtual machine, server, storage) is shown three times, for Legacy DC, Technology Refresh and End State. Responsibility labels along the stacks: Provider, partner, AMS partner, Mang. Partner, AWS.

On Premise DC -> Technology Refresh -> Cloud

Close On Premise DC, leverage Cloud

Page 34

Creating a Landing Zone: Account Architecture

Diagram (under an Enterprise Contract):
• Payer Account: Root account, Core Global services
• Functional / shared accounts: Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, Backup Accounts
• Linked accounts (Resources), one set each for Market 1, Market X, BU X and Other
• Partner Accounts: Partner 1, Partner 2 (with their own Resources and Backup Accounts)

Page 35

Creating a Landing Zone: Internet Centric Networking

Diagram labels: The Internet, Sites, Private Network (Provider), Internet Edge, SaaS Cloud, ISP, Cloud Gateway 1 .. Cloud Gateway N, Partner Tier1 DC site, MPLS, Direct Connect

Page 36 (image only)

Page 37

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 38

Organizations: Access to standardization

Organizational Structure Needs
• Control and visibility
• Standardization
• Access control
• Ease of administration

• Automation
• Standardization
• Self-service
• Agility
• Quick implementation

Org chart: CIO; VP of Analytics (BI Dev Team); VP of Application Development (Web Dev Team); VP of Infrastructure (Resource Team: Security, Networking, Storage...)

Page 39

Agility and Control: What do customers tell us about asset management deployment?

Customers want to:
• Define the resources and landscapes where software and applications are deployed
• 'Approve once and deploy many'
• Enable self-service, deploy with confidence
• Automate deployments

Page 40

Agility and Control: AWS Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner.

Administrator: Control, Standardization, Governance
Users: Agility, Self-service, Time to market

Page 41

Administrator Interaction: CloudFormation to create products

Product = Template -> CloudFormation -> Running stack
• Template: JSON formatted file; parameter definition; resource creation; configuration actions
• CloudFormation: comprehensive service support; service event-aware; customizable framework
• Running stack: configured AWS services; stack creation; stack updates; error detection and rollback

Page 42

Administrator Interaction: AWS Service Catalog: Managing products

1. Administrator creates a portfolio and assigns the product portfolio
2. Creates product (Product X, with versions)
3. Landscape Architect authors the template
4. Adds constraints, grants access and adds tags (Portfolio A, Portfolio B: users and roles, constraints, tags)

Page 43

Cloud Consumer Interaction: AWS Service Catalog

1. Cloud consumers browse products in the portfolio
2. Select version, provision product, configure parameters
3. Deploy
4. Notifications and outputs (to the cloud consumer and to the administrator)

Page 44

Service Catalog APIs

• 11 User API methods, launched July 2016
• 37 Admin API methods, launched November 2016

Embed, Orchestrate, Automate

Page 45

Agility and Control: Opportunities to strengthen the handshake

• User-generated products to foster innovation
• Back-end microservices acting on the stacks
• Administrator products

Page 46

What is the EC2 instance scheduler?

A single CloudFormation template (the scheduler stack) deploys all solution components.

Diagram: a CloudWatch rule triggers the Scheduler Lambda function, which reads the Scheduler configuration table and the Instance state table, uses IAM cross-account roles to control access to one or more AWS accounts, acts on tagged EC2 instances (EC2 instance information), and writes to CloudWatch Logs and CloudWatch Metrics.

https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/

Page 47

Agility and Control: Service Catalog, End-User View

Page 48

Agility and Control: Service Catalog, End user populating parameters

Page 49

Agility and Control: Service Catalog, Stack deployed with schedule

https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/

Page 50

Service Catalog: E2E Architecture

Diagram (steps 1-6): the Service Catalog Administrator defines Portfolio A (Specs: Stop/Start, Backup); Operators (launch/update/terminate) browse, populate parameters and provision; AWS Service Catalog deploys stacks and attaches automation parameters as tags; notifications and outputs are returned; Lambda Functions (backup scheduling, hibernation scheduling, snapshots) inject dynamic parameters and deploy complex resources; the Operational Administrator manages the automation functions, and operators view/manage in the AWS Console.

Page 51

Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?

Page 52

Application Migration

Create Landing Zone -> Migrate apps -> Operate & optimize

Page 53

Managing to the Portfolio Value

Portfolio Tier | Requirements | Operations Model | Approx. % Portfolio* | IT Spend Against Portfolio
Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
Table Stakes | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Traditional Operations | 60% | 30% - 40%

*estimated numbers

Provided Under NDA

Page 54

The Migration Journey

Diagram labels, by column:
• Brown Field: Identify and categorize bulk candidates; Analysts identify high-value candidates; Pipeline team prepares candidates; Patterns are created; Applications are migrated based on patterns; Core Landing Zone created; Existing Operations team manages
• Green Field: Portfolios are prioritized; Project initiated; Innovation teams re-architect the application; Cloud-native components are patterned; Application is implemented on cloud; Greenfield Landing Zone created; New operating levers are created
• Future State: Future Landing Zone; Library of patterns; Future operating model

Page 55

Executing Multi-Modal Migrations

Timeline (Sprint 1 to Sprint 7) with three swimlanes:
• Program: Migration Business Case; Deploy Landing Zone; Extend, Integrate and Manage Landing Zone
• Brown: Discovery Prep; Discovery; Pipeline Generation; Migration Patterns Creation; Re-Host; Complex App (single sprint)
• Green: Discovery; Greenfield Migrations; Innovation; Re-Factor

Page 56

Running Multi-Modal Migrations: Increasing Levels of Effort with Increasing Levels of Return

Maturity axis: Mass migration -> Re-platform / Refactor -> Re-architect

• Mass Migration (Traditional Operations): Minimized staffing change; Capex to Opex; Cost out; Facilities closure; Consistent operations
• Re-platform / Refactor (Hybrid Operations, Operational Transition): Cloud capable applications; Capex to Opex; Nascent services; Cloud COE; Managed services; Cloud aware applications
• Re-architect (Development and Operations): Serverless compute; Continuous integration; Disruptive technology; Maximum efficiency; Advanced architecture

Page 57

Multi-Modal Operations: Shift in Accountability

• Many adoptions are tightly coupled with agile delivery adoption.
• Not all workloads require a DevOps investment.
• Achieving business goals doesn't always require automation.
• Using traditional support models in the wrong places can dilute value.

Mass migration (Traditional; Traditional Operations)
• Data Center-Cloud Connectivity
• Server/Storage Provisioning
• Patching/Anti-virus
• Monitoring
• Server Maintenance/Incident Response
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment

Re-platform/Refactor (Automated Efficiency)
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring
• Audit/Risk
• Standards/Policy
• Stack Templates
• Server Maintenance/Incident Response
• Stack Provisioning and Decom
• Event Mgmt
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment

Re-architect (DevOps; Distributed Responsibility)
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring Lvl 1
• Monitoring Lvl 2
• Server Maintenance/Incident Response
• Stack Templates and Provisioning
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment

Page 58

Applications migrated to your Landing Zone

Diagram labels: Direct Connect, Service Catalog, CloudTrail, S3, IAM, Config, Lambda

Page 59

Available Resources for Landing Zone (1/2)

Domain | Link | What
Account Mgt | https://aws.amazon.com/answers/account-management/limit-monitor/ | Limit Monitor: receive notifications when you approach AWS service limits
Networking | http://docs.aws.amazon.com/quickstart/latest/linux-bastion/ & http://docs.aws.amazon.com/quickstart/latest/rd-gateway | Bastion Host
Networking | https://aws.amazon.com/quickstart/architecture/accelerator-pci/ | PCI Landing Zone, including configuration of VPCs, Security Groups, Access Policies & Bastion Host
Networking | https://aws.amazon.com/answers/networking/vpn-monitor/ | VPN Monitoring
Networking | https://aws.amazon.com/answers/networking/transit-vpc/ | Transit VPC
Security | https://aws.amazon.com/answers/logging/centralized-logging | Centralized Logging
Security | https://github.com/awslabs/aws-config-rules | Config Rules Repository

Page 60

Available Resources for Landing Zone (2/2)

Domain | Link | What
Security | https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed | CIS Security AMI
Security | https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/ | CIS AWS Foundations Benchmark
Cross Account Management | https://aws.amazon.com/answers/account-management/cross-account-manager | Manage roles in accounts centrally
Identity and Access Mgt | http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html | Active Directory Quick Start
Identity and Access Mgt | http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html | Managing Console Access for AWS Directory Service
Identity and Access Mgt | http://docs.aws.amazon.com/quickstart/latest/wap-adfs/welcome.html | Web Application Proxy with ADFS Quick Start
Automation | https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/ | EC2 Scheduler

Page 61

Related Sessions

ENT203 - Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models
SAC319 - Architecting Security and Governance Across a Multi-Account Strategy
SAC320 - Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
SAC323 - Centrally Manage Multiple AWS Accounts with AWS Organizations
SEC304 - Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service

Page 62

Remember to complete your evaluations!

Page 63

Thank you