Cloud Migration, Application Modernization and Security for Partners

Jul 16, 2015

Transcript
Page 1: Cloud Migration, Application Modernization and Security for Partners

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Cloud Migration, Application Modernization,

and Security for Partners

Tom Laszewski, Sr. Manager, GSI Solutions Architecture

Matt Yanchyshyn, Sr. Manager, ISV Solutions Architecture

Page 2: Cloud Migration, Application Modernization and Security for Partners

AWS Migration Methodology

Page 3: Cloud Migration, Application Modernization and Security for Partners

Migration challenges

• People, process, technology
• Migration experience
• Knowledge & training
• Not primary business activity
• Fear
• Attempting too much at once

Page 4: Cloud Migration, Application Modernization and Security for Partners

Migration methodology

Phases: Plan (Discover, Design), Build (Transform, Transition), Run (Operate, Optimize)

Discover
• Assessment & profiling
• Prioritization
• Data requirements & classification
• Business logic & infrastructure dependencies

Design
• Detailed migration plan
• Estimate effort
• Security & risk assessment
• Network topology

Transform
• Migrate
• Deploy
• Validate
• Pilot testing

Transition
• Transition to support
• Release management
• Cutover & decommission
• Staff training

Operate
• Monitoring
• Incident management
• Provisioning

Optimize
• Monitoring-driven optimization
• Continuous integration and continuous deployment

Tracks across the phases: app migration assessment, re-hosting (lift and shift), re-platforming (lift and reshape), app portfolio optimization

Page 5: Cloud Migration, Application Modernization and Security for Partners

Planning your migration

Migrating to the cloud can take one of many paths (the slide's flowchart, with Application and Infrastructure swimlanes, as an outline):

• Create Cloud Strategy
• Discover, Assess (Enterprise Architecture and Applications)
• Plan Migration and Sequencing
• Determine Migration Path for each application: Lift and Shift (Minimal Change), Refactor for AWS, Decommission, or Do Not Move

Lift and shift path
• Infrastructure: Design, Build AWS Environment
• Application: Move the App; Determine Migration Process: Manually Move App and Data, Third-Party Tools, or AWS VM Import
• Migration and UAT Testing
• Operate

Refactor for AWS path
• Rebuild Application Architecture: Vendor S/PaaS (if available), Replatform (typically legacy applications), Recode App Components, Rearchitect Application, Recode Application
• Determine Migration Process: Third-Party Migration Tool or Manually Move App and Data
• Architect AWS Environment and Deploy App, Migrate Data
• Signoff, Tuning, Cutover

Alongside both paths: Org/Ops Impact Analysis, Identify Ops Changes, Change Management Plan

Page 6: Cloud Migration, Application Modernization and Security for Partners

End-state Architecture

Page 7: Cloud Migration, Application Modernization and Security for Partners

Architecting your AWS environment

Design and architecture of the cloud environment is important to realize cloud benefits such as agility and cost savings

Networking
• Convergence of on-premises and cloud
• Cloud-oriented protocols
• IP scheme and addressing
• VPC and account configuration

Security
• SSO
• Access policies
• Least privilege
• Audits
• Compliance
• Intrusion detection & prevention
• Logging

Governance
• Billing & cost management
• Service catalogs
• Configuration management
• Architecture standards
• SLA/SLO
• Procurement

Data management
• RPO/RTO
• Retention policies
• Replication
• Storage optimization
• ILM
• Data quality

Monitoring
• Notifications & alerting
• Application level awareness
• Thresholds
• Service desk integration

Page 8: Cloud Migration, Application Modernization and Security for Partners

On-premises infrastructure mapped to AWS

Technology | On-premises | AWS
Network | VPN, MPLS | Amazon VPC, AWS Direct Connect
Storage | DAS, SAN, NAS, SSD | Amazon Elastic Block Store, Amazon S3, Amazon EC2 instance storage, distributed & clustered FS on Amazon EC2
Compute | Hardware, virtualization | Amazon EC2, Amazon ECS, AWS Lambda
Content delivery | Third-party CDN | Amazon CloudFront
Databases | MS SQL Server, MySQL, Oracle, DB2, PostgreSQL, MongoDB, … | Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, DB software on Amazon EC2
Load balancing | Hardware and software load balancers | Elastic Load Balancing, software load balancers
Scaling & cluster management | Hardware and software clustering tools | Auto Scaling, software clustering solutions
DNS | BIND, Windows Server, third party | Amazon Route 53, third-party DNS software on EC2

Page 9: Cloud Migration, Application Modernization and Security for Partners

Technology | On-premises | AWS
Analytics & data warehouse | Hadoop, Vertica, Cassandra, specialized hardware and software | Amazon EMR, Amazon Redshift, software on Amazon EC2
Messaging and workflow | RabbitMQ, ActiveMQ, Kafka, … | Amazon SQS, Amazon SNS, Amazon SWF, software on EC2
Caching | Redis, Memcached, … | Amazon ElastiCache, Memcached, SAP Hana
Archiving | Tape library, off-site data storage | Amazon S3, Amazon Glacier
Email | Email software | Amazon SES
Identity, authorization, & authentication | AD/ADFS, LDAP, SAML, third party… | AWS Identity and Access Management/AWS STS, Amazon Cognito, AWS Directory Service, AD & LDAP on Amazon EC2
Deployment & configuration management | Chef, Puppet, Salt, Ansible, PowerShell DSC | AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodeDeploy, Amazon ECS
Management and monitoring | CA, BMC, Rightscale | Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS Trusted Advisor

On-premises infrastructure mapped to AWS

Page 10: Cloud Migration, Application Modernization and Security for Partners

Security Comes First!

Page 11: Cloud Migration, Application Modernization and Security for Partners

AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge locations

AWS is responsible for the security of the cloud

Page 12: Cloud Migration, Application Modernization and Security for Partners

AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge locations

Customer-managed layers above the AWS foundation:
• Customer applications & content
• Platform, applications, identity & access management
• Operating system, network, & firewall configuration
• Client-side data encryption; server-side data encryption; network traffic protection

Customers configure their security in the cloud

Page 13: Cloud Migration, Application Modernization and Security for Partners

AWS security offerings

Auditability

• Compliance reports

Visibility

• Amazon CloudWatch

• AWS CloudTrail

• AWS Config

• “Describe” APIs

Control

• IAM

• AWS CloudHSM

• AWS CloudFormation

• AWS KMS

Page 14: Cloud Migration, Application Modernization and Security for Partners

Defense-in-depth

Physical: AWS compliance program, third-party attestations
Network: security groups, VPC configuration, web application firewalls, bastion hosts, encryption in-transit
System security: hardened AMIs, OS and app patch mgmt., IAM roles for EC2, IAM credentials
Data security: logical access controls, user authentication, encryption at-rest

Page 15: Cloud Migration, Application Modernization and Security for Partners

Encryption: data at rest

Volume encryption (EBS): EBS encryption, OS tools, AWS Marketplace/partner solutions
Object encryption (S3): S3 server-side encryption (SSE), S3 SSE with customer-provided keys, client-side encryption
Database encryption: Amazon Redshift encryption; RDS PostgreSQL (KMS); RDS MySQL (KMS); RDS Oracle (TDE/HSM); RDS MSSQL (TDE)

Page 16: Cloud Migration, Application Modernization and Security for Partners

Built-in firewall: security groups and NACLs

• VPC security groups (mandatory)
– Instance level, stateful
– Supports ALLOW rules only
– Default deny inbound, allow outbound
– Use as “whitelist” – least privilege
• VPC NACLs (optional)
– Subnet level, stateless
– Supports ALLOW and DENY
– Default allow all
– Use as “blacklist”/“guardrails” (e.g., ports 135, 21, 23, …)

• Separation of duties

• Changes audited via AWS CloudTrail

• Additional cost for SGs/NACLs: $0

Diagram: physical interfaces on the host, the hypervisor, then per-customer virtual interfaces (Customer 1, Customer 2, … Customer n), each passing through the firewall where that customer's security groups are applied
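To make the stateful-versus-stateless distinction on this slide concrete, here is an added example that is not part of the deck: a toy packet filter in Python that applies the slide's rules (security groups: allow-only, default deny inbound, stateful; NACLs: ordered allow/deny, stateless) to an inbound HTTPS request and its reply. The client address, rule numbers and ports are constructed; the guardrail ports 23, 135 and 21 are the ones the slide names.

```python
# Added example, not from the slides: a toy packet filter that models the two
# slide bullets (stateful allow-only security groups vs. stateless ordered
# NACLs) and evaluates an inbound HTTPS request plus its reply under each.
from collections import namedtuple
from ipaddress import ip_address, ip_network
CLIENT = "203.0.113.7"   # constructed sample client address (TEST-NET-3)
Rule = namedtuple("Rule", "action proto port_from port_to cidr")  # dst port range

def matches(rule, proto, remote_ip, dst_port):
    return (rule.proto == proto and rule.port_from <= dst_port <= rule.port_to
            and ip_address(remote_ip) in ip_network(rule.cidr))

class SecurityGroup:
    """Instance level, stateful, ALLOW rules only, default deny inbound."""
    def __init__(self, inbound=(), outbound=()):
        if any(r.action != "allow" for r in (*inbound, *outbound)):
            raise ValueError("security groups support ALLOW rules only")
        self.inbound, self.outbound, self.tracked = tuple(inbound), tuple(outbound), set()

    def evaluate(self, direction, proto, remote_ip, remote_port, local_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self.tracked:        # reply to an allowed flow: no rule needed
            return "allow"
        rules, dst = ((self.inbound, local_port) if direction == "in"
                      else (self.outbound, remote_port))
        if any(matches(r, proto, remote_ip, dst) for r in rules):
            self.tracked.add(flow)
            return "allow"
        return "deny"                   # no matching ALLOW rule: implicit deny

class NetworkAcl:
    """Subnet level, stateless: numbered rules, first match wins, then the default."""
    def __init__(self, inbound, outbound, default="allow"):
        # (number, Rule) pairs; the slide's default NACL allows all, a custom one denies all
        self.inbound, self.outbound, self.default = sorted(inbound), sorted(outbound), default

    def evaluate(self, direction, proto, remote_ip, remote_port, local_port):
        rules, dst = ((self.inbound, local_port) if direction == "in"
                      else (self.outbound, remote_port))
        for _, r in rules:              # every packet is judged on its own
            if matches(r, proto, remote_ip, dst):
                return r.action
        return self.default

def https_roundtrip(filt):
    return (filt.evaluate("in", "tcp", CLIENT, 51515, 443),    # request to :443
            filt.evaluate("out", "tcp", CLIENT, 51515, 443))   # reply to client port

def sg_demo():
    # No outbound rule at all, yet the reply passes: the SG is stateful.
    return https_roundtrip(SecurityGroup([Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]))

def nacl_guardrail_demo():
    # The slide's "blacklist" use: DENY 23/135/21 ahead of the default allow.
    acl = NetworkAcl([(100 + 10 * i, Rule("deny", "tcp", p, p, "0.0.0.0/0"))
                      for i, p in enumerate((23, 135, 21))], [])
    return acl.evaluate("in", "tcp", CLIENT, 40000, 23), https_roundtrip(acl)

def custom_nacl_demo(allow_ephemeral):
    # Stateless pitfall: a deny-by-default NACL needs an outbound rule for the reply too.
    out = [(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))]
    if allow_ephemeral:
        out.append((110, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0")))
    acl = NetworkAcl([(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))], out, "deny")
    return https_roundtrip(acl)
```

The custom_nacl_demo case goes one step past the slide: once a NACL denies by default, the ephemeral-port outbound rule is what keeps the reply of an allowed request from being dropped.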

Page 17: Cloud Migration, Application Modernization and Security for Partners

AWS partner solutions extend & enhance security

• Some examples:
– Cisco CSR (VPN)

– Sophos UTM (firewall, …)

– Alert Logic Web Security Manager (WAF)

– Alert Logic Threat Manager (NIDS)

– Trend Micro Deep Security (IDPS)

– Trend Micro SecureCloud (encryption)

– Dome9 SecOps (security group audit & management)

– …

Page 18: Cloud Migration, Application Modernization and Security for Partners

Migration Approach & Best Practices

Page 19: Cloud Migration, Application Modernization and Security for Partners

Identifying applications to move

Standalone applications are easy to move
Applications with loosely coupled SOA-based integrations are good candidates
Tightly integrated applications need more planning

‘Low hanging fruit’
• Dev/Test applications, self-contained web applications (LAMP stack), social media product marketing campaigns, training environments, pre-sales demo portal, software downloads, trial applications

Watch out for
• 32 bit, non-Linux/Windows, multi-cast (Oracle RAC), client/server applications, engineered systems (Exadata, Netezza), massive file servers, vertically challenged software/applications

Page 20: Cloud Migration, Application Modernization and Security for Partners

Getting a bread box estimate: minimum information

Compute: number of servers/VMs including RAM, CPU, OS, and boot drive size (Amazon EC2)
Storage mapping to transactional, backup, archival, and log/file system/applications (Amazon EBS, Amazon Glacier, and Amazon S3)
Data transfer out for networking
Internet or dedicated networking including security requirements (AWS Direct Connect and VPN)
Region where processing is happening

Page 21: Cloud Migration, Application Modernization and Security for Partners

Getting a bread box estimate: nice to have

HA requirements for each workload (ELB, Route53)
Scalability requirements for each workload (ELB, Route53, Auto Scaling, CloudFront)
DR requirements for each workload
Storage IOPS requirements for each workload
Compute requirements for management/monitoring
Backup requirements for each workload that cannot be supported by EBS snapshots

Page 22: Cloud Migration, Application Modernization and Security for Partners

Getting a bread box estimate: really nice

Workload stratification: file servers, security, RDBMS, ERP, big data, security, management/monitoring etc.
HIPAA and PCI requirements for each workload
HPC requirements for each workload
Extremely high CPU, memory requirements
Top third-party vendors for packaged apps
IDS/IPS, WAF, management, monitoring, logging, etc.

Page 23: Cloud Migration, Application Modernization and Security for Partners

Invest in proof of concept early

Proof of concept will answer tons of questions and get your feet wet with AWS quickly
Will help identify gaps and touch points
Give you a good estimation of the migration costs
Give you a good estimation of the AWS runtime costs

Page 24: Cloud Migration, Application Modernization and Security for Partners

Migrating data into AWS cloud

• File transfer to Amazon S3 or EC2 using S/FTP, SCP, UDP, Attunity

• NFS mount accessible from on premise and AWS

• Configure on-premises backup application (like NetBackup, CA, CommVault, Riverbed) to use Amazon S3

• AWS Storage Gateway for asynchronous backup to Amazon S3

• AWS Import/Export service: Ship your disk to AWS

• Database backup tools like Oracle Secure Backup

• Database replication tools like GoldenGate, Dbvisit

• AWS Direct Connect 100 Mbps to 10 Gbps

Page 25: Cloud Migration, Application Modernization and Security for Partners

Migrating data into AWS

Chart: data size* (GBs to TBs) against data velocity required (hours to days); options plotted: transfer to S3 over Internet, UDP transfer software (e.g., Aspera, Tsunami, …), Attunity CloudBeam, AWS Storage Gateway / Riverbed / NFS (one-time upload with constant delta updates), AWS Import/Export

* relative to Internet bandwidth and latency

Page 26: Cloud Migration, Application Modernization and Security for Partners

Security Best Practices

Page 27: Cloud Migration, Application Modernization and Security for Partners

Enforce consistent security on your hosts

Diagram: launch an instance from the EC2 AMI catalog, then configure the running instance; operating-system controls applied to your instance: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration

Configure and harden EC2 instances based on security and compliance needs

Host-based protection software

Restrict access where possible

Connect to existing services

Page 28: Cloud Migration, Application Modernization and Security for Partners

Separate static assets and move servers away from the edge

Diagram: inbound HTTP arrives at CloudFront, which serves static content from Amazon S3 and forwards dynamic requests through a WAF to the app servers (labels: Inbound HTTP, CloudFront, Amazon S3, WAF, Dynamic, App, Peering)

Page 29: Cloud Migration, Application Modernization and Security for Partners

Identity and Access Management

Create appropriate principals, authorization, and privileges for AWS resources

Diagram: AWS Identity and Access Management: policies, users, groups, roles; principle of least privilege; multi-factor authentication (hardware or virtual MFA device) for the root account and for IAM AWS administrative users

Note: Always associate the account owner ID with an MFA device and store it in a secured place!

Page 30: Cloud Migration, Application Modernization and Security for Partners

AWS IAM hierarchy of privileges

AWS account owner (root)
Permissions: unrestricted access to all enabled services and resources.
Example: Action: "*", Effect: "Allow", Resource: "*" (implicit)

AWS IAM user
Permissions: access restricted by group and user policies
Example: Action: ["s3:*", "sts:Get*"], Effect: "Allow", Resource: "*"

Temporary security credentials
Permissions: access restricted by the generating identity and further by the policies used to generate the token
Example: Action: ["s3:Get*"], Effect: "Allow", Resource: "arn:aws:s3:::mybucket/*"

Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials

Page 31: Cloud Migration, Application Modernization and Security for Partners

Principle of least privilege with IAM

• Login to an account with a less privileged user
– Read-only
– EC2 launch-only
• Change role for privileged action
– Administer IAM
– Terminate instance
– Delete snapshots

Protection against accidents or mistakes (e.g., similar to DisableApiTermination=true)

Page 32: Cloud Migration, Application Modernization and Security for Partners

Consolidate your IAM users

• Put all IAM users and groups in one account
• All other accounts use AWS IAM roles

Best practices:
• Tie into consolidated billing hierarchy
• Users in IAM account are only authorized to assume roles in other accounts
• No AWS-billable resources in this account

Page 33: Cloud Migration, Application Modernization and Security for Partners

Governance through IAM policies...

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region:account:network-interface/*"],
          "Condition": {
            "ArnNotEquals": {
              "ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/ami-12345678",
            "arn:aws:ec2:region:account:subnet/subnet-12345678",
            "arn:aws:ec2:region:account:security-group/sg-12345678"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/BillingCode": "4000",
              "ec2:ResourceTag/Environment": "Prod"
            }
          }
        }
      ]
    }

(The slide's fragment was missing the comma after the Allow statement's Resource array and repeated the StringEquals key, which JSON parsers would collapse to the last value; both tag conditions now sit in one StringEquals block.)

What each statement enforces:
• Deny RunInstances without the appropriate subnet
• Require RunInstances to have the specific AMI, subnet, security group, …
• Require RunInstances to have specific tags
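An added example, not from the deck: a small Python evaluator that runs the governance policy above, plus the s3:Get* temporary-credential policy from the privilege-hierarchy slide, over sample RunInstances and S3 requests. The region, account id and the third statement (covering the network interface and instance that the slide's trailing “...” leaves out) are placeholders I added; the evaluator implements IAM's explicit-deny-wins order and only the two condition operators the policy uses.

```python
# Added example, not from the slides: a minimal IAM policy evaluator run over the
# governance policy slide's JSON and the s3:Get* wildcard from the privilege-
# hierarchy slide. Region, account and the third statement are my placeholders.
from fnmatch import fnmatchcase
REGION, ACCOUNT = "us-east-1", "123456789012"                      # placeholders
EC2 = f"arn:aws:ec2:{REGION}:{ACCOUNT}"
SUBNET = f"{EC2}:subnet/subnet-12345678"
GOVERNANCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": [f"{EC2}:network-interface/*"],
     "Condition": {"ArnNotEquals": {"ec2:Subnet": SUBNET}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [f"arn:aws:ec2:{REGION}::image/ami-12345678", SUBNET,
                  f"{EC2}:security-group/sg-12345678"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/BillingCode": "4000",
                                    "ec2:ResourceTag/Environment": "Prod"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",         # placeholder for "..."
     "Resource": [f"{EC2}:network-interface/*", f"{EC2}:instance/*"]},
]}
_as_list = lambda v: v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Only the two operators the slide uses. A missing key fails StringEquals;
    # a missing ec2:Subnet is treated as "not the approved subnet" (fail closed).
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have not in _as_list(want):
                return False
            if (op == "ArnNotEquals" and have is not None
                    and any(fnmatchcase(have, w) for w in _as_list(want))):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """IAM decision order for one resource: explicit Deny > Allow > implicit deny."""
    decision = "Deny"                      # implicit deny until an Allow matches
    for st in policy["Statement"]:
        if (any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"              # an explicit deny always wins
            decision = "Allow"
    return decision

def authorize(policy, action, resources, ctx):
    # An API call that touches several resources proceeds only if all are allowed.
    return "Allow" if all(evaluate(policy, action, r, ctx) == "Allow"
                          for r in resources) else "Deny"

def run_instances(subnet_id="subnet-12345678", tags=None):
    # RunInstances with the slide's AMI and SG; tags default to the compliant pair.
    subnet = f"{EC2}:subnet/{subnet_id}"
    tags = {"BillingCode": "4000", "Environment": "Prod"} if tags is None else tags
    ctx = {"ec2:Subnet": subnet, **{f"ec2:ResourceTag/{k}": v for k, v in tags.items()}}
    resources = [f"arn:aws:ec2:{REGION}::image/ami-12345678", subnet,
                 f"{EC2}:security-group/sg-12345678", f"{EC2}:network-interface/*"]
    return authorize(GOVERNANCE_POLICY, "ec2:RunInstances", resources, ctx)

TEMP_CREDS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::mybucket/*"}]}

def s3_check(action, key_arn):                # the slide's temporary-credential policy
    return authorize(TEMP_CREDS_POLICY, action, [key_arn], {})
```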

Page 34: Cloud Migration, Application Modernization and Security for Partners

Implementing “smart” AWS policies

• The 5 Ws of auditability:
– Who? (controlled by AWS IAM)
– What? (controlled by AWS IAM)
– Where? (controlled by AWS IAM)
– When? (controlled by AWS IAM)
– Why? (not controlled by IAM)
• What we really want is an “if and only if” statement:
– You can deploy this change in production “if and only if” it actually worked in test

Page 35: Cloud Migration, Application Modernization and Security for Partners

Federate with AWS Directory Service & IAM

Diagram: directory users belong to directory groups (IAM_Admins, Read_Only, EC2_Admin, Group ‘n’) in AWS Directory Service; an IAM role mapping in the management account maps each group to a role (IAM_Admin, Read_Only, EC2_Admin, Role ‘n’)

Page 36: Cloud Migration, Application Modernization and Security for Partners

Case Study:

Condé Nast Data Center Migration

Page 37: Cloud Migration, Application Modernization and Security for Partners

Condé Nast data center migration drivers

• Existing data center needed >$1 million in upgrades

• Financial pressure to close facility by July 2014

• Increase resource efficiency, both people and technology

Page 38: Cloud Migration, Application Modernization and Security for Partners

Condé Nast data center migration scope

• 47 application groups

• 350+ servers

• 400+ TB storage

Page 39: Cloud Migration, Application Modernization and Security for Partners

Application migration methodology

• Condé Nast provided a detailed inventory of their Delaware DC assets

• Utilization metrics were critical for Reserved Instance analysis and to explore elasticity

• Application assessment determined migration order

• Migration scheduled in waves

• Change window: Migrations occurred over weekends

• Coordinating the change window with various teams was key

• Applications run in hybrid mode during the migration

• Once a server was migrated successfully it was decommissioned

Page 40: Cloud Migration, Application Modernization and Security for Partners

Application migration: virtual machines

• Condé Nast was highly virtualized (VMware)

• Veeam: stage VMs to Amazon S3
– Supports change block tracking, which minimizes downtime during migration
• AWS VM Import/Export: migrate staged VMs to Amazon EC2
– Eliminates VM data migration as a part of the change window
• Large databases: created directly on AWS and then data synchronized

Page 41: Cloud Migration, Application Modernization and Security for Partners

AWS VPC and networking

Key criteria to support waves of migration:

• AWS Direct Connect: 10 GB DX to AWS

• IP addressing: Avoid overlapping IPs

• Service names

Page 42: Cloud Migration, Application Modernization and Security for Partners

AWS Identity and Access Management (IAM)

Key criteria:

• IAM policies

• Identify groups and permissions

• Application tagging

Page 43: Cloud Migration, Application Modernization and Security for Partners

Phased migration

• Live migration from premises was too slow
– Large change windows meant that production systems were frozen for a long time
• Solutions:
– Use a tool (Veeam) to back up VMs to Amazon S3 and keep them synchronized on an ongoing basis
– Use a staging farm to run VM Import/Export

Page 44: Cloud Migration, Application Modernization and Security for Partners

VM Import/Export considerations

• Root partitions cannot span multiple disks
– Solution: eliminate this on premises before migration
• Volumes > 1 TB not supported
– Solution: spread data across volumes
• VM Import/Export requires stream-optimized VMDK
– Solution: conversion process was scripted

• Nonvirtualized servers were virtualized on premises before migration

• Unsupported operating systems were upgraded to supported OS before migrating

Page 45: Cloud Migration, Application Modernization and Security for Partners

Lessons learned at Condé Nast

• Know your limitations

• Evaluate and understand your infrastructure environment

• Sign-up for enterprise support early and involve a TAM early on

• Get your operations staff trained on AWS

• Challenge yourself and make sound architecture decisions; changing in future can be difficult
• Document every decision made, especially the anti-patterns
• Work directly with application owners; nothing beats hands-on experience

Page 46: Cloud Migration, Application Modernization and Security for Partners

SAN FRANCISCO