Page 1
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ARC314
Create an AWS Landing Zone for Application Migrations
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Henk van Rossum - Director – Platform Manager Hosting and Storage
Scott Macy - Sr Product Manager, Service Catalog
John Steiner - Sr Mgr AWS Solutions Architecture
Page 2
What is a Landing Zone and do I need one?
- A configured, secure, enterprise multi-account AWS environment based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration & extension over time
Page 3
What to Expect from the Session
At the end of this session, we hope you
- have an understanding of what an initial AWS Landing Zone is and why you would need one
- can build an initial AWS Landing Zone, or update your current one
- can use the initial Landing Zone to accelerate your application migration journey
Page 4
Our Journey Today
Agenda (diagram): Start > Accounts > Network > Security > Identity & Access > Cloud Users > What's Next?
Topics along the way: Domains, Direct Connect, End User Interaction, Automation, Service Catalog, Central Services, Logging, Config, Access, Identities, Federation; then Migrate, Iterate, Operate & Optimize.
Page 5
Current State: Typical Enterprise Situation
Diagram: Lines of Business raise an Infrastructure Request; Central IT handles Governance & Service Management and Provisioning.
Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
Page 6
Current State: Opportunity to achieve agility and control
Diagram: Central IT provides Landing Zone Templates, Policy & Best Practices and Landscape Management; Automation links Central IT to the Lines of Business; Monitor & Respond closes the loop.
Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
Page 7
Current State: Guiding Principles
Security, Automation, Cloud IT Consumers
Page 8
Agenda: Start | Accounts | Network | Security | Identity & Access | Cloud Users | What's Next?
Page 9
Account Structure
• Don’t overdo it on Day One
• Use separate accounts for:
  - Security and compliance isolation (production, non-prod, logging)
  - Cost allocation
  - Resource management and ownership
Page 10
Account Structure
Diagram: Payer account (Billing, Reports). Central Services accounts: Service Catalog, Logging, Audit, Central Services. Production accounts: Production Generic, Production Critical. Dev & Test accounts: Mobility, IoT, Serverless, Internal business apps, Digital Platforms. Option: one set per AWS Region.
Page 11
AWS Organizations
• New management capability for centrally managing multiple AWS accounts
- Simplified billing
- Programmatic creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organization control policies (OCP)
• A Consolidated Billing (CB) family automatically migrated to an organization
• All organization management activity is logged in AWS CloudTrail
• An AWS account can be a member of only one organization
• V1 OCP – Control which AWS service APIs are accessible in AWS account(s)
• Console, SDK, and CLI support for all management tasks
Available in limited public preview: http://aws.amazon.com/organizations/preview
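The control described above ("which AWS service APIs are accessible in an account") is an allow-list with deny precedence. The following is an added example, not AWS code and not the preview's own policy engine: it assumes the policy document uses the IAM JSON grammar (Version / Statement / Effect / Action / Resource) and applies the usual evaluation rule, so an account owner can check which of a workload's planned API calls a proposed policy would refuse before it is attached. The sample policy is constructed.

```python
"""Illustrative allow-list policy evaluator for a member account.

Added example (not AWS code). It assumes the policy uses the IAM JSON grammar
(Version / Statement / Effect / Action / Resource) and the standard evaluation
rule: nothing is allowed unless an Allow statement matches, and an explicit
Deny always wins over any Allow.
"""
import fnmatch
import json
from typing import Iterable, List

# Constructed sample policy: the account may use EC2, S3 and CloudTrail
# APIs only, and may never disable or delete a trail.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "cloudtrail:*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
})


def _as_list(value) -> list:
    """IAM allows either a single string or a list in Action/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], action: str) -> bool:
    """Action patterns are case-insensitive and use '*' as a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_action_allowed(policy_json: str, action: str) -> bool:
    """Return True only if an Allow matches and no Deny matches."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny wins, whatever else matched
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def blocked_actions(policy_json: str, actions: Iterable[str]) -> List[str]:
    """List the actions a workload plans to use that the policy would refuse,
    so the account owner can review them before the policy is attached."""
    return [a for a in actions if not is_action_allowed(policy_json, a)]


if __name__ == "__main__":
    planned = ["ec2:RunInstances", "s3:PutObject", "iam:CreateUser",
               "cloudtrail:StopLogging"]
    for action in planned:
        verdict = "allowed" if is_action_allowed(SAMPLE_POLICY, action) else "BLOCKED"
        print(f"{action:28s} {verdict}")
```

Running the script against a workload's planned action list is a cheap pre-check: anything reported as BLOCKED either needs a policy change or is exactly the guardrail the landing zone intends (here, nobody in the member account can stop the trail, even an account administrator).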
Page 12
Page 13
Network: Key Considerations
• Non-overlapping IP range
• VPC design
• Subnet design
• Access Control Lists & Security Groups
• Logging and monitoring
• AWS Direct Connect
Page 14
Network: Direct Connect for connecting on-prem and AWS environment
Diagram: Customer Gateway with VPN backup; primary Direct Connect Location carrying Virtual Interface #1 and Virtual Interface #2; Secondary Direct Connect Location; Partner Network.
Page 15
Network: Central services in a central VPC
Central common/core services
• Authentication/directory
• Monitoring
• Logging
• Bastion host
• Remote administration
• Scanning
• Internet proxy
Diagram: the Central Services VPC is shared by the Production Generic, Production Business-critical and Non-production environments.
Page 16
Page 17
Our Landing Zone needs to be safe and secure: Insight is the first step
• Who is accessing our Amazon accounts and what are they doing?
• How will we know if anyone breaks our security policy?
• What does the traffic on our infrastructure look like and are all of our resources isolated?
• How can we easily analyze our logs?
Page 18
AWS CloudTrail records who is accessing APIs
Diagram: AWS accounts make API calls on a growing set of AWS services around the world (e.g. Amazon EBS); CloudTrail is continuously recording those API calls; the records flow to a central logging account for store/archive, troubleshooting, and monitor & alarm.
Page 19
AWS Config informs you of policy violations
Compliance guideline | Non-compliance action
All storage volumes should be encrypted | Automatically encrypt storage volumes
Instances must not have unrestricted Internet access on port 22 | Remove port 22 access from any Internet host
Instances must be tagged with environment type | Notify developer (email, page, SNS)
Pre-configured rules: https://github.com/awslabs/aws-config-rules
Page 20
VPC flow logs give you network insights
• Agentless – AWS collects the logs on your behalf
• Enable per network interface, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
Page 21
Create alarms when metrics are breached (Amazon CloudWatch)
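The two slides above describe a chain: flow log records, metrics derived from them, and an alarm when a metric crosses a threshold. The following added example (not AWS code) walks that chain in plain Python so the record format and the derived metrics are concrete: it parses version-2 flow log lines, computes "external sources that successfully reached TCP/22" and "rejected flows per source", and raises the alarm when the reject count breaches a threshold. The internal address ranges, the sample lines and the threshold are constructed for the example; the record layout is the documented 14-field format.

```python
"""Parse VPC flow log records, derive two metrics, and alarm on a threshold.

Added example, not AWS code. The record layout is the version-2 flow log
format (14 space-separated fields); the sample lines, the internal address
ranges and the threshold are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# The landing zone's own (non-overlapping) address space; constructed here.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample: one accepted SSH session from outside, one outside host
# being rejected on three ports, one internal SSH session, one NODATA row.
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 45678 22 6 5 300 1480500000 1480500060 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.7 10.0.0.5 51000 22 6 3 180 1480500000 1480500060 REJECT OK
2 123456789010 eni-abc123de 198.51.100.7 10.0.0.5 51001 3389 6 3 180 1480500000 1480500060 REJECT OK
2 123456789010 eni-abc123de 198.51.100.7 10.0.0.5 51002 445 6 3 180 1480500000 1480500060 REJECT OK
2 123456789010 eni-abc123de 10.0.1.9 10.0.0.5 40000 22 6 10 900 1480500000 1480500060 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1480500000 1480500060 - NODATA
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse(text: str) -> List[FlowRecord]:
    """Keep only records with log-status OK; NODATA/SKIPDATA rows carry '-' fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"], int(row["srcport"]),
                                  int(row["dstport"]), int(row["protocol"]), row["action"]))
    return records


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL)


def accepted_ssh_from_outside(records: List[FlowRecord]) -> List[str]:
    """Metric 1: external sources that successfully reached TCP/22."""
    return sorted({r.srcaddr for r in records
                   if r.protocol == 6 and r.dstport == 22
                   and r.action == "ACCEPT" and not is_internal(r.srcaddr)})


def reject_counts(records: List[FlowRecord]) -> Counter:
    """Metric 2: rejected flows per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def alarm(records: List[FlowRecord], threshold: int) -> List[str]:
    """Sources whose reject count reaches the threshold, as a CloudWatch alarm would."""
    return sorted(src for src, n in reject_counts(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("accepted SSH from outside:", accepted_ssh_from_outside(recs))
    print("alarm (>=3 rejects):", alarm(recs, threshold=3))
```

The accepted-SSH metric answers the slide's "are all of our resources isolated?" question directly: any non-empty result means a path from the Internet to port 22 exists and was used, which is the same condition the AWS Config guideline on the previous slide is meant to prevent. Note that `is_internal` deliberately uses the landing zone's own ranges rather than a library notion of "private" address, so documentation and test ranges are treated as external.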
Page 22
Log everything centrally for analysis
The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.
Pipeline (Log > Transform > Search): Amazon EC2 logs, VPC subnet flow logs and AWS CloudTrail are collected via Amazon S3 and Amazon CloudWatch, transformed by AWS Lambda, and indexed in Amazon Elasticsearch Service.
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
https://aws.amazon.com/answers/logging/centralized-logging
Page 23
Choose how to start your compute: Private images or import your current ones
Diagram: EC2 AMI catalogue > Launch instance > Running instance > Configure instance > Your instance. Layers you control on the instance: hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, user administration, operating system.
Configure your environment as you like: you get to apply your existing security policy.
Three options to create or import your own ‘gold’ images
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
On 3: choose how to build your standard host security environment.
CIS AMI: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
Page 24
Page 25
Identity and Access Management: Control access and segregate duties everywhere
You get to control who can do what in your AWS environment, when, and from where.
Fine-grained control of your AWS cloud with multi-factor authentication.
Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).
You can use AWS managed policies, policies for typical job functions, or customer-generated policies using the policy generator, and test them with the policy simulator.
Diagram: the AWS account owner sits at the root of the access hierarchy.
Page 26
Identities and Access Control: Example user types with corresponding access policies
Access Managers: IAM Master (create policies), IAM Manager (assign policies), Audit (read-only)
Design: Architect (create landscapes), Storage (design and build), Network (design and build), DevOps (API access)
Application Owners: App Owner (landscape owner), Database Admin
Administrators: Network Admin, Service Catalog Administrator
Other: Billing, Support User
Managed policies for job functions:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
Page 27
Identity and Access Management: Federation with on-prem directory
Flow: the user's browser interface authenticates against the Identity Store in the Corporate Data Center (identity and authentication); the user's AD Group is mapped to a specific IAM role with an access policy; the result is access to AWS.
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html
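The "AD Group maps to a specific IAM role" step above is carried in the SAML assertion as a role attribute. The following is an added example, not AWS or Directory Service code: it builds the role claims from a user's directory groups the way an IdP claim rule would, parses the resulting assertion, and validates the role/provider pairs against the set of accounts that belong to the landing zone. The attribute names (https://aws.amazon.com/SAML/Attributes/Role and .../RoleSessionName) and the "role-arn,provider-arn" value format are the ones AWS SAML federation uses; the group names, account ids, provider name and the unsigned assertion skeleton are constructed for the example.

```python
"""Map directory groups to IAM roles and validate the SAML role attribute.

Added example, not AWS or Directory Service code. The attribute names and the
"role-arn,provider-arn" value format are the ones AWS SAML federation uses;
group names, account ids, provider name and the assertion skeleton are
constructed (a real assertion is signed by the IdP, which is not modelled here).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed mapping: AD group -> (IAM role ARN, SAML provider ARN).
GROUP_TO_ROLE: Dict[str, Tuple[str, str]] = {
    "AWS-111122223333-Audit": (
        "arn:aws:iam::111122223333:role/Audit",
        "arn:aws:iam::111122223333:saml-provider/CorpAD"),
    "AWS-444455556666-NetworkAdmin": (
        "arn:aws:iam::444455556666:role/NetworkAdmin",
        "arn:aws:iam::444455556666:saml-provider/CorpAD"),
}


def role_claims(groups: List[str]) -> List[str]:
    """What the IdP claim rule emits: one 'role,provider' value per mapped group.
    Groups with no mapping (e.g. 'Domain Users') grant nothing in AWS."""
    claims = []
    for group in groups:
        if group in GROUP_TO_ROLE:
            role, provider = GROUP_TO_ROLE[group]
            claims.append(f"{role},{provider}")
    return claims


def build_assertion(user: str, groups: List[str]) -> str:
    """Constructed, unsigned assertion skeleton carrying the two AWS attributes."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>"
                     for c in role_claims(groups))
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{SESSION_ATTR}">'
        f"<saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>"
        f'<saml:Attribute Name="{ROLE_ATTR}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def parse_assertion(xml_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (role session name, [(role ARN, provider ARN), ...])."""
    root = ET.fromstring(xml_text)
    session_name, pairs = "", []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if attr.get("Name") == SESSION_ATTR and vals:
            session_name = vals[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in vals:
                role, provider = value.split(",", 1)
                pairs.append((role.strip(), provider.strip()))
    return session_name, pairs


def account_of(arn: str) -> str:
    return arn.split(":")[4]          # arn:partition:service:region:account:resource


def validate_roles(pairs: List[Tuple[str, str]], allowed_accounts: Set[str]) -> List[str]:
    """Reject a pair whose role and provider live in different accounts, or in an
    account outside the landing zone; return the role ARNs the user may assume."""
    roles = []
    for role, provider in pairs:
        acct = account_of(role)
        if acct != account_of(provider):
            raise ValueError(f"role/provider account mismatch: {role} vs {provider}")
        if acct not in allowed_accounts:
            raise ValueError(f"account {acct} is not part of the landing zone")
        roles.append(role)
    return roles


if __name__ == "__main__":
    xml = build_assertion("alice", ["Domain Users", "AWS-111122223333-Audit"])
    name, pairs = parse_assertion(xml)
    print(name, validate_roles(pairs, {"111122223333", "444455556666"}))
```

Keeping the account id inside the group name (as the constructed names do) makes the mapping reviewable from the directory side alone: an auditor can read which AWS account and role a group grants without opening the IdP configuration. The validation step is what the landing zone team would run when a new account is onboarded, to be sure no claim rule still points at an account that has left the organization.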
Page 28
Identity and Access Management: Federation – Cross-account manager solution
Using AWS CloudFormation templates to create and manage roles for a master account and sub accounts
- Account onboarding
- Role onboarding
https://aws.amazon.com/answers/account-management/cross-account-manager
See the SEC304 session for a deep dive and demo.
Page 29
Page 30
Creating a Landing Zone in AWS: An Enterprise way of working
Henk van Rossum, Director - Platform and Program Manager Hosting and Storage
November 2016
Page 31
Moving from Legacy to Future proof
Starting point: 100+ sites, 3500+ servers, extremely high fixed costs, old end-of-term infrastructure, no incentives to decommission & modernize, governance.
Workload split (chart): 1st tier Datacenter, Decommission Infra (30%), Local compute (Darkroom operated); the remaining shares shown are 42%, 25% and 3%.
Page 32
From Legacy to Cloud First
Legacy:
• “Break-Fix”
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain for new demand
• Wide variety of versions
• Not scalable
• Pay for capacity reserved
• Reporting “after the fact”
Cloud First:
• Design for “Always On”
• SLA based managed services
• Self provisioning, consumer driven
• Standard market available services
• Scalable resources
• Pay only for what you use
• “Real time” usage & performance
Does not represent a Philips location
Page 33
Creating a Landing Zone
Diagram: the same stack (network, application, data, runtime, middleware, OS, virtual machine, server, storage) shown in three stages, with responsibility shifting from the legacy DC provider, through a technology refresh run with a managed-services partner and an AWS AMS partner, to the end state on AWS with an AMS partner.
On Premise DC > Technology Refresh > Cloud
Close On Premise DC, leverage Cloud
Page 34
Creating a Landing Zone – Account Architecture
Diagram, under an ENTERPRISE CONTRACT:
• Payer Account: root account, core and global services
• Functional Accounts: Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, Backup Accounts
• Linked accounts – Resources, per Market 1 … Market X and BU X
• Partner Accounts: Partner 1, Partner 2, Other
Page 35
Creating a Landing Zone - Internet Centric Networking
Diagram: Sites connect over the Private Network (provider MPLS) and through the Internet Edge (ISP) to The Internet; Cloud Gateways 1, 2 … N front the cloud environments; SaaS Cloud is reached via the Internet; the Partner Tier1 DC site connects over MPLS and AWS Direct Connect.
Page 37
Page 38
Organizations: Access to standardization
Organizational Structure Needs
Administrator needs:
• Control and visibility
• Standardization
• Access control
• Ease of administration
• Automation
User needs:
• Standardization
• Self-service
• Agility
• Quick implementation
Org chart: CIO > VP of Analytics (BI Dev Team), VP of Application Development (Web Dev Team), VP of Infrastructure (Resource Team: Security, Networking, Storage…)
Page 39
Agility and Control: What do customers tell us about asset management deployment?
Customers want to:
• Define the resources and landscapes where software and applications are deployed
• ‘Approve once and deploy many’
• Enable self-service, deploy with confidence
• Automate deployments
Page 40
Agility and Control: AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrator: control, standardization, governance
Users: agility, self-service, time to market
Page 41
Administrator Interaction: CloudFormation to create products
Product = CloudFormation Template > Running stack
Template (JSON formatted file): parameter definition, resource creation, configuration actions
Running stack: configured AWS services
Framework: comprehensive service support, service event-aware, customizable; stack creation, stack updates, error detection and rollback
Page 42
Administrator Interaction: AWS Service Catalog: Managing products
1. Landscape Architect authors the template
2. Administrator creates the product (ProductX, with versions)
3. Administrator creates a portfolio and assigns the product to it (Portfolio A, Portfolio B)
4. Administrator adds constraints, grants access and adds tags (users and roles, constraints, tags)
Page 43
Cloud Consumer Interaction: AWS Service Catalog
1. Cloud consumers browse products in a portfolio
2. Select version, provision product, configure parameters
3. Deploy
4. Notifications and outputs go to the cloud consumer and to the administrator
Page 44
Service Catalog APIs
11 User API methods – launched July 2016
37 Admin API methods – launched November 2016
Embed, orchestrate, automate
Page 45
Agility and Control: Opportunities to strengthen the handshake
• Administrator products
• User-generated products to foster innovation
• Back-end microservices acting on the stacks
Page 46
What is the EC2 instance scheduler?
A single CloudFormation template deploys all solution components (the scheduler stack). Diagram: a CloudWatch rule triggers the Scheduler Lambda function, which runs under the Scheduler role; IAM cross-account roles control access to the AWS accounts; the function reads the scheduler configuration table and the instance state table, acts on tagged EC2 instances in one or more AWS accounts using EC2 instance information, and writes to CloudWatch Logs and CloudWatch Metrics.
https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
Page 47
Agility and Control: Service Catalog – End-User View (screenshot)
Page 48
Agility and Control: Service Catalog – End user populating parameters (screenshot)
Page 49
Agility and Control: Service Catalog – Stack deployed with schedule (screenshot)
https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
Page 50
Service Catalog: E2E Architecture
Diagram: the Service Catalog Administrator publishes Portfolio A with product specs (stop/start, backup); operators browse and provision products (launch/update/terminate) and populate parameters; AWS Service Catalog deploys the stacks and attaches the automation parameters as tags; notifications and outputs return to the operators. Lambda functions inject dynamic parameters and deploy complex resources, driving backup scheduling (snapshots) and hibernation scheduling; an Operational Administrator manages the automation functions, and operators view/manage through the AWS Console.
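Slide 41 states that a product is a CloudFormation template with parameter definitions, and this slide states that the launched stack carries the automation parameters as tags so that back-end functions (the scheduler, backups) can act on it. The following added example, which is not AWS, Service Catalog or EC2 Scheduler code, makes that contract checkable: it lints a constructed product template (every Ref must resolve; every EC2 instance must carry the required automation tags) and computes the tags an instance would actually carry for the parameters an operator populates, applying defaults and AllowedValues the way CloudFormation does. The template, the "Schedule" tag key and its value format are placeholders for this example; the real scheduler's tag is documented at the link above and is not reproduced here.

```python
"""Lint a Service Catalog product template and compute the tags its instances
would carry once launched with the operator's parameters.

Added example, not AWS, Service Catalog or EC2 Scheduler code. The template is
a constructed, simplified CloudFormation JSON document; the 'Schedule' tag key
and its value format are placeholders, not the real scheduler's tag.
"""
import copy
from typing import Dict, List

PRODUCT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t2.micro",
                         "AllowedValues": ["t2.micro", "t2.small"]},
        "Environment": {"Type": "String", "AllowedValues": ["dev", "test", "prod"]},
        "Schedule": {"Type": "String", "Default": "0800;1800;utc;weekdays"},
    },
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": {"Ref": "InstanceType"},
                "ImageId": "ami-PLACEHOLDER",            # constructed placeholder
                "Tags": [
                    {"Key": "Environment", "Value": {"Ref": "Environment"}},
                    {"Key": "Schedule", "Value": {"Ref": "Schedule"}},
                ],
            },
        },
    },
}

REQUIRED_TAGS = ("Environment", "Schedule")   # the automation parameters, as tags


def _refs(node) -> List[str]:
    """Collect every {"Ref": name} in the template, depth first."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return [node["Ref"]]
        return [r for v in node.values() for r in _refs(v)]
    if isinstance(node, list):
        return [r for v in node for r in _refs(v)]
    return []


def lint(template: dict) -> List[str]:
    """Problems an administrator should fix before publishing the product."""
    problems = []
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    for ref in _refs(template.get("Resources", {})):
        if ref not in known and not ref.startswith("AWS::"):   # AWS:: pseudo parameters
            problems.append(f"unresolved Ref: {ref}")
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        keys = {t["Key"] for t in res.get("Properties", {}).get("Tags", [])}
        for tag in REQUIRED_TAGS:
            if tag not in keys:
                problems.append(f"{name}: missing required tag {tag}")
    return problems


def bind_parameters(template: dict, supplied: Dict[str, str]) -> Dict[str, str]:
    """Apply defaults, require everything else, and enforce AllowedValues."""
    values = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in supplied:
            values[name] = supplied[name]
        elif "Default" in spec:
            values[name] = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no value and no default")
        allowed = spec.get("AllowedValues")
        if allowed and values[name] not in allowed:
            raise ValueError(f"parameter {name}={values[name]} not in {allowed}")
    return values


def _resolve(node, values: Dict[str, str]):
    """Substitute Refs to parameters; Refs to resources stay symbolic."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return values.get(node["Ref"], f"<{node['Ref']}>")
        return {k: _resolve(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(v, values) for v in node]
    return node


def launched_tags(template: dict, supplied: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Tags each EC2 instance in the stack would carry after provisioning."""
    values = bind_parameters(template, supplied)
    resolved = _resolve(copy.deepcopy(template["Resources"]), values)
    return {name: {t["Key"]: t["Value"] for t in res["Properties"].get("Tags", [])}
            for name, res in resolved.items() if res["Type"] == "AWS::EC2::Instance"}


if __name__ == "__main__":
    print("lint:", lint(PRODUCT_TEMPLATE) or "clean")
    print("tags:", launched_tags(PRODUCT_TEMPLATE, {"Environment": "prod"}))
```

Running `lint` as part of the administrator's "creates product" step catches the failure mode this slide's architecture is most exposed to: a stack that launches fine but carries no schedule or backup tag, so the back-end functions silently never act on it.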
Page 51
Page 52
Application Migration
Create Landing Zone > Migrate apps > Operate & optimize
Page 53
Managing to the Portfolio Value
Portfolio Tier | Requirements | Operations Model | Approx. % Portfolio* | IT Spend Against Portfolio
Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
Table Stakes | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Traditional Operations | 60% | 30% - 40%
*estimated numbers
Provided Under NDA
Page 54
The Migration Journey
Start: portfolios are prioritized; project initiated.
Brown Field: identify and categorize bulk candidates; analysts identify high-value candidates; pipeline team prepares candidates; patterns are created; Core Landing Zone created; applications are migrated based on patterns; existing Operations team manages.
Green Field: Greenfield Landing Zone created; innovation teams re-architect the application; cloud-native components are patterned; application is implemented on cloud; new operating levers are created.
Future State: future Landing Zone, library of patterns, future operating model.
Page 55
Executing Multi-Modal Migrations
Program timeline across Sprint 1 … Sprint 7:
• Program: Migration Business Case; Deploy Landing Zone, then Extend, Integrate and Manage Landing Zone
• Brown: Discovery Prep, Discovery, Pipeline Generation, Migration Patterns Creation, Re-Host
• Green: Discovery, Greenfield Migrations, Innovation, Re-Factor, Complex App (single sprint)
Page 56
Increasing Levels of Effort with Increasing Levels of Return
Running Multi-Modal Migrations: Mass migration > Re-platform / Refactor > Re-architect (increasing maturity)
• Mass migration – Traditional Operations: minimized staffing change, Capex to Opex, cost out, facilities closure, consistent operations
• Re-platform / Refactor – Hybrid Operations: operational transition, cloud-capable applications, Capex to Opex, nascent services, Cloud COE, managed services
• Re-architect – Development and Operations: cloud-aware applications, serverless compute, continuous integration, disruptive technology, maximum efficiency, advanced architecture
Page 57
Multi-Modal Operations: Shift in Accountability
• Many adoptions are tightly coupled with agile delivery adoption.
• Not all workloads require a DevOps investment.
• Achieving business goals doesn’t always require automation.
• Using traditional support models in the wrong places can dilute value.
Responsibility stack per migration mode (legend: Traditional Operations vs Distributed Responsibility):
Mass migration – Traditional: Data Center-Cloud Connectivity; Server/Storage Provisioning; Patching/Anti-virus; Monitoring; Server Maintenance/Incident Response; Audit/Risk; Event Management; Web Server; DB Mgmt; Application Software; Development and Deployment
Re-platform/Refactor – Automated Efficiency: Data Center-Cloud Connectivity; Patching/Anti-virus; Monitoring; Audit/Risk; Standards/Policy; Stack Templates; Server Maintenance/Incident Response; Stack Provisioning and Decom; Event Mgmt; Web Server; DB Mgmt; Application Software; Development and Deployment
Re-architect – DevOps: Data Center-Cloud Connectivity; Patching/Anti-virus; Monitoring Lvl 1; Monitoring Lvl 2; Server Maintenance/Incident Response; Stack Templates and Provisioning; Audit/Risk; Event Management; Web Server; DB Mgmt; Application Software; Development and Deployment
Page 58
Applications migrated to your Landing Zone
Diagram: Direct Connect, Service Catalog, CloudTrail, S3, IAM, Config and Lambda surround the migrated applications.
Page 59
Available Resources for Landing Zone (1/2)
Domain | Link | What
Account Mgt | https://aws.amazon.com/answers/account-management/limit-monitor/ | Limit Monitor – receive notifications when you approach AWS service limits
Networking | http://docs.aws.amazon.com/quickstart/latest/linux-bastion/ & http://docs.aws.amazon.com/quickstart/latest/rd-gateway | Bastion Host
Networking | https://aws.amazon.com/quickstart/architecture/accelerator-pci/ | PCI Landing Zone, including configuration of VPCs, Security Groups, Access Policies & Bastion Host
Networking | https://aws.amazon.com/answers/networking/vpn-monitor/ | VPN Monitoring
Networking | https://aws.amazon.com/answers/networking/transit-vpc/ | Transit VPC
Security | https://aws.amazon.com/answers/logging/centralized-logging | Centralized Logging
Security | https://github.com/awslabs/aws-config-rules | Config Rules Repository
Page 60
Available Resources for Landing Zone (2/2)
Domain | Link | What
Security | https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed | CIS Security AMI
Security | https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/ | CIS AWS Foundations Benchmark
Cross Account Management | https://aws.amazon.com/answers/account-management/cross-account-manager | Manage roles in accounts centrally
Identity and Access Mgt | http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html | Active Directory Quick Start
Identity and Access Mgt | http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html | Managing Console Access for AWS Directory Service
Identity and Access Mgt | http://docs.aws.amazon.com/quickstart/latest/wap-adfs/welcome.html | Web Application Proxy with ADFS Quick Start
Automation | https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/ | EC2 Scheduler
Page 61
Related Sessions
ENT203 – Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models
SAC319 – Architecting Security and Governance Across a Multi-Account Strategy
SAC320 – Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
SAC323 – Centrally Manage Multiple AWS Accounts with AWS Organizations
SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service
Page 62
Remember to complete your evaluations!
Page 63
Thank you