Hybrid Architectures in AWS: A view on FinServ
Felix Candelario, Global Solutions Architect – Financial Services
Time: 13:00 – 13:40
Jan 13, 2017
Hybrid Overview
Consumption of cloud services and on-premises infrastructure into an aggregated pool of resources.
[Diagram: on-premises data center and AWS side by side. Layers: Data, Applications, Management Services, Operating Systems, Hypervisors, Network, Data Center. On-premises DC: Infrastructure Services, Platform, Solutions. AWS: Amazon EC2; VPC, Direct Connect; Availability Zones, Regions. Corporate data centers: Store, Replicate, Archive; Burst, Scale, x86.]
Hybrid Comes in Many Forms
[Diagram: hybrid forms (VPC VPN, AWS Direct Connect, Backup & archive, Storage expansion, Integrated Stacks, Authentication Federation, Operations Tools and Monitoring, CI/CD, Managed AWS Services) arranged along a path from "Start" through the integrated patterns: Integrated Infrastructure, Integrated Services, Integrated Platform, Integrated Solution.]
Split Tiers
Split Tiers – AWS Front End
[Diagram: the AWS region hosts the Web Layer, reachable from the Internet; a private connection links it to your data center, which hosts the App Layer and Database Layer.]
Split Tiers – On-premises DMZ
[Diagram: the AWS region hosts Web, App and DB layers; your data center hosts a Web Layer facing the Internet; a private connection links the two.]
Split Tiers – One Arm
[Diagram: the AWS region hosts App, Web and DB layers (with a second Web Layer); your data center hosts an App Layer; Internet access and a private connection link the two.]
AWS Virtual Private Network (IPSec VPN)
• IPSec hardware VPN connection
  – Supported VPN appliances:
• Encryption and validation
• Private RFC 1918 addressing
• Uses Border Gateway Protocol (BGP) for routing and fail-over
• The VPN service provides managed, redundant end-points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
[Diagram: on-premises users and servers behind a data center router, connected over the Internet by an IPSec VPN to a Virtual Gateway in front of VPC subnets in two Availability Zones, each with a Security Group.]
AWS Direct Connect
• Requires Layer 2 single-mode fiber: 1000BASE-LX or 10GBASE-LR
• Requires 802.1Q VLANs across the connection
  – Tagging of IP traffic
• Routing uses BGP, A/A (active/active) or A/P (active/passive) multipath
• Each DX connection is mapped to a single AWS Region
http://aws.amazon.com/directconnect/
[Diagram: on-premises users and servers behind a data center router; customer router at the AWS Direct Connect Location peers with the AWS Direct Connect routers, which reach a Virtual Gateway in front of VPC subnets in two Availability Zones, each with a Security Group.]
AWS Direct Connect + AWS VPN
• Dedicated network path with assured bandwidth
• More secure than Internet-based IPSec VPN: avoids traversing the Internet
• Reduced IPSec network transfer costs
• Additional network security: Direct Connect by itself does not encrypt traffic, so running the IPSec VPN over the dedicated path adds encryption to it
http://aws.amazon.com/directconnect/
[Diagram: same Direct Connect layout as above, with an IPSec VPN tunnel between the data center router and the Virtual Gateway carried over the Direct Connect path.]
Active Directory and LDAP
• Reduced back-reach traffic
• Reduced latency for authentication
• Additional resiliency
• Enables both:
  – Multi-master read/write domain controllers
  – Read-only domain controllers (RODCs)
• Requires IPSec VPN or Direct Connect connectivity
[Diagram: on-premises AD.Domain with a domain controller, users and servers behind a data center router; Active Directory replication over Direct Connect to domain controllers in VPC subnets in two Availability Zones, each with Security Groups.]
AWS Directory Service
• Three types of directories:
  – Microsoft AD
  – AD Connector
  – Simple AD, built on a Samba 4 Active Directory-compatible server
• Simplifies IAM federation
• Avoids the complexity and cost of hosting SAML-based federation infrastructure
• AD Connector acts as a proxy: no directory data is stored on AWS infrastructure
• Supports existing RADIUS-based MFA
• Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
[Diagram: on-premises AD.Domain with a domain controller, users and servers behind a data center router; over Direct Connect and a Virtual Gateway, AD Connectors in VPC subnets in two Availability Zones, each with Security Groups.]
Identity Federation
[Diagram: Customer (Identity Provider) on the left with User, Application, Active Directory and Federation Proxy; AWS Cloud (Relying Party) on the right with AWS resources: an Amazon S3 bucket with objects, Amazon DynamoDB and Amazon EC2.]
Flow shown in the diagram:
1. Request session
2. and 3. Unlabelled steps between the application, Active Directory and the federation proxy
4. Get Federation Token request
5. Get Federation Token response: Access Key, Secret Key, Session Token
6. Receive session
7. Call AWS APIs
Federation Proxy
• Uses a set of IAM user credentials to make a GetFederationToken request
• The IAM user's permissions need to be the union of all federated users' permissions
• The proxy needs to store these privileged credentials securely
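The federation-proxy constraints above (a session policy that scopes the proxy's broad IAM user down to one federated user, and the proxy user holding the union of every federated user's permissions) as an added example that is not code from the deck. The proxy IAM user's action set, the bucket and table names, and the account id are constructed stand-ins.

```python
"""Federation-proxy helpers for the GetFederationToken flow."""
import json

# Constructed: actions granted to the proxy's long-lived IAM user. Per the
# deck this must be the union of everything any federated user may do.
PROXY_USER_ALLOWED_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "dynamodb:GetItem", "dynamodb:Query",
}


def scoped_session_policy(bucket: str, table_arn: str) -> dict:
    """Session policy passed with GetFederationToken.

    The resulting credentials are limited to the intersection of this policy
    and the proxy IAM user's own policy, so it narrows the proxy's broad
    rights down to what this one federated user needs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
            {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
             "Resource": [table_arn]},
        ],
    }


def missing_from_proxy(policy: dict, proxy_actions=PROXY_USER_ALLOWED_ACTIONS) -> set:
    """Actions a federated user's policy allows that the proxy user lacks.

    Anything returned here would be denied at call time no matter what the
    session policy says: the 'union of all permissions' requirement.
    """
    wanted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            wanted.update(stmt["Action"])
    return wanted - set(proxy_actions)


def federation_token_params(user_name: str, policy: dict, duration: int = 3600) -> dict:
    """Keyword arguments for boto3's sts.get_federation_token(**params)."""
    return {
        "Name": user_name,            # 2-32 chars; becomes the federated-user ARN
        "Policy": json.dumps(policy),
        "DurationSeconds": duration,  # STS accepts 900 to 129600 seconds here
    }
```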
Operational Tools and Monitoring
• Security monitoring integration points with CloudTrail and a SIEM aggregator
• Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
• Platform and application health to the SIEM aggregator via an agent on the EC2 guest
• Access to patching and updates for AMIs from the on-premises update server
[Diagram: on-premises users, Update Servers and the SIEM Aggregator behind a data center router, connected over Direct Connect and a Virtual Gateway to VPC subnets in two Availability Zones, each with a Security Group; CloudTrail and CloudWatch on the AWS side, with CloudTrail writing to an S3 bucket.]
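The CloudTrail-to-SIEM integration point above, as an added example that is not from the deck: a filter that picks out of a CloudTrail delivery the events a hybrid-connectivity team would want forwarded. The CloudTrail records, the federation proxy's address range and the list of network-change event names are constructed.

```python
"""Select CloudTrail events worth forwarding to the on-premises SIEM."""
import json
from ipaddress import ip_address, ip_network

# Constructed: the on-premises range the federation proxy calls STS from.
# A GetFederationToken call from anywhere else means the proxy's privileged
# IAM user credentials are being used outside the proxy.
PROXY_SOURCE_NETWORKS = [ip_network("10.1.2.0/24")]

# Constructed: API calls that alter the hybrid network path itself.
NETWORK_CHANGE_EVENTS = {
    "CreateVpnConnection", "DeleteVpnConnection", "DetachVpnGateway",
    "DeleteVirtualInterface",
}

# Constructed sample delivery in CloudTrail's {"Records": [...]} layout.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "10.1.2.15", "eventTime": "2017-01-13T13:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "fed-proxy"}},
    {"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "eventTime": "2017-01-13T13:07:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "fed-proxy"}},
    {"eventName": "DeleteVpnConnection", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "10.1.2.15", "eventTime": "2017-01-13T13:08:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "netops"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "10.1.2.15", "eventTime": "2017-01-13T13:09:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "netops"}},
]})


def _from_proxy_network(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:  # AWS-internal callers carry a service name, not an IP
        return False
    return any(ip in net for net in PROXY_SOURCE_NETWORKS)


def siem_alerts(cloudtrail_json: str) -> list:
    """Return (reason, eventName, userName, sourceIPAddress) tuples to forward."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        name = rec["eventName"]
        user = rec.get("userIdentity", {}).get("userName", "?")
        src = rec.get("sourceIPAddress", "")
        if name == "GetFederationToken" and not _from_proxy_network(src):
            alerts.append(("federation call outside proxy network", name, user, src))
        elif name in NETWORK_CHANGE_EVENTS:
            alerts.append(("hybrid network path changed", name, user, src))
    return alerts
```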
Continuous Integration and Deployment
• Automates application deployments to both on-premises servers and AWS EC2 instances using CodeDeploy
• Reuse existing scripts and tools
  – Bash, PowerShell, Chef, Puppet, anything…
• Integrate with the developer tool chain
  – GitHub, Jenkins, CloudBees, TravisCI, Eclipse…
[Diagram: AWS CodeDeploy, AWS CloudFormation and an S3 bucket on the AWS side; CodeDeploy agents on instances in VPC subnets in two Availability Zones (each with a Security Group) and on on-premises servers reached over Direct Connect and a Virtual Gateway.]
Managed AWS Services
• AWS managed services:
  – Compute: Amazon ECR/ECS, AWS Lambda, AWS Elastic Beanstalk
  – Storage: Amazon EFS
  – Databases: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache
  – Analytics: Amazon EMR, Amazon Elasticsearch Service, Amazon Kinesis, Amazon Redshift
  – Security: AWS Directory Service, AWS KMS
• Managed services advantages
  – Flexibility and agility, scalability
  – Security
  – Automated maintenance and upgrades
[Diagram: on-premises users and servers running Apache Kafka behind a data center router, connected over Direct Connect and a Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group), an S3 bucket, Amazon Redshift and Amazon EMR.]
Backup and Archive
• Backup gateways integrated with Amazon S3
  – Leverage Amazon S3 archival to Amazon Glacier
• Take advantage of current investments and solutions for options
  – De-duplication
  – Compression
  – WAN acceleration
[Diagram: on-premises users, servers and a backup system behind a data center router, attached over iSCSI to AWS Storage Gateway; over Direct Connect and a Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group), Amazon S3 and Amazon Glacier, with AWS Storage Gateway also on the AWS side.]
Case Study: Re-architecting Compliance
“For our market surveillance systems, we are looking at about 40% [savings with AWS], but the real benefits are the business benefits: We can do things that we physically weren’t able to do before, and that is priceless.”
- Steve Randich, CIO
What FINRA needed
• Infrastructure for its market surveillance platform
• Support of analysis and storage of approximately 30 billion market events every day
Why they chose AWS
• Fulfillment of FINRA’s security requirements
• Ability to create a flexible platform using dynamic clusters (Hadoop, Hive, and HBase), Amazon EMR, and Amazon S3
Benefits realized
• Increased agility, speed, and cost savings
• Estimated savings of $10-20m annually by using AWS
Case Study: High Performance Computing (HPC)
“Using AWS helps us reduce a 10-day process to 10 minutes. That’s transformative: it broadens our ability to discover.”
- Peter Phillips, Managing Director
What Aon needed
• Perform actuarial calculations with greater computing power
• Information delivery within shorter time frames and at less cost
Why they chose AWS
• Ability to spin up large numbers of Graphical Processing Units (or GPUs) quickly and inexpensively
• Quick delivery of an entire environment and functionality
Benefits realized
• By processing on AWS, recalculating policies takes minutes rather than hours or days
• Ability to deliver client solutions more quickly, with richer risk assessments
Case Study: Big Data Analytics
What Nasdaq needed
• Replacement of on-premises legacy warehouse
• Reduction of cost and increase in data capacity
Why they chose AWS (specifically Amazon Redshift)
• Fulfillment of security and regulatory requirements
• Cost efficiencies without sacrificing functionality
Benefits realized
• System that moves an average of 5.5 billion rows into Amazon Redshift every day (with 14 billion on a peak day in Oct of 2014)
• Ability to increase accessibility of historic data to a growing number of internal groups
“The Nasdaq Group has been a user of Amazon Redshift since it was released and we are extremely happy with it…. Currently, our system is moving an average of 5.5 billion rows into Amazon Redshift every day.”
- Nate Simmons, Principal Architect
Case Study: Re-architecting ISE’s DR Solution
What ISE needed
• The SEC determined ISE’s disaster recovery was not geographically diverse. They needed to build a robust and resilient DR solution with a 2 hour RTO
Why they chose AWS
• Global reach to enable geographic diversity
• Performance of products and services
• Easy automation
Benefits realized
• Abstracted away physical infrastructure
• Ability to add capacity as required
• Mobility associated with global reach