©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Hybrid Infrastructure Integration
Paul Nau, Sr. Consultant
Objectives
• Examine Integrated Infrastructure
• Review Integrated Services
• Discuss Integrated Platform
• Showcase Integrated Solutions
• Takeaways
Our journey today
[Diagram: roadmap of stops covered in this deck: Start, VPC VPN, AWS Direct Connect, Authentication, Federation, Operations Tools and Monitoring, Storage expansion, Backup & archive, Integrated Stacks.]
What is Hybrid Integration?
• Integrated Infrastructure
• Integrated Services
• Integrated Platform
• Integrated Solution (CI/CD, Managed AWS Services)
"Consumption of Cloud Services and On-Premises Infrastructure into an aggregated pool of resources."
Benefits:
• Cost Efficiencies
• Scalability
• Flexibility
• Security
Defining Hybrid Integration
[Diagram: On-Premises Infrastructure and Cloud Services, each layered as Infrastructure, Services, Platform and Solutions.]
Integrated Infrastructure
AWS Virtual Private Network (IPSec VPN)
o IPSec hardware VPN connection. Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
o Encryption and validation
o Private RFC 1918 addressing
o Uses Border Gateway Protocol (BGP) for routing and fail-over
o VPN service provides managed redundant end-points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
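The "private RFC 1918 addressing" bullet hides the check that most often breaks a new VPN: a VPC block that overlaps the corporate address space, which BGP cannot route cleanly. The following is an added example (not from the slides or from AWS) that validates a planned VPC CIDR against constructed on-premises ranges; the function and range names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges; the slide calls for private addressing on both sides of the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True when the whole block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(str(cidr), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_vpc_cidr(vpc_cidr, on_prem_cidrs):
    """Return the problems that would break routing over the VPN (empty list = clean plan).

    Two checks: every block must be private, and the VPC block must not overlap any
    corporate block, because BGP would then advertise conflicting routes to the VGW.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if not is_rfc1918(vpc):
        problems.append(f"VPC {vpc} is outside RFC 1918 private space")
    for cidr in on_prem_cidrs:
        corp = ipaddress.ip_network(cidr, strict=False)
        if not is_rfc1918(corp):
            problems.append(f"on-premises {corp} is outside RFC 1918 private space")
        if vpc.overlaps(corp):
            problems.append(f"VPC {vpc} overlaps on-premises {corp}; routes are ambiguous")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC that collides with an existing corporate 10.0/16.
    for line in plan_vpc_cidr("10.0.0.0/16", ["10.0.0.0/16", "192.168.1.0/24"]):
        print(line)
```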
[Diagram: corporate data center (users, data center router, servers) reaching a Virtual Gateway over an IPSec VPN across the Internet; the VPC has subnets in two Availability Zones, each with its own Security Group.]
AWS Direct Connect
o Requires Layer 2 single-mode fiber: 1000BASE-LX or 10GBASE-LR
o Requires 802.1Q VLANs across the connection
  Ø Tagging of IP traffic
o Routing uses BGP, active/active or active/passive multipath
o Each DX is mapped to a single AWS Region
http://aws.amazon.com/directconnect/
[Diagram: corporate data center (users, data center router, servers) connected through the customer router at an AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; VPC subnets in two Availability Zones, each with a Security Group.]
AWS Direct Connect + AWS VPN
o Dedicated network path with assured bandwidth
o More secure than Internet-based IPSec VPN: avoids traversing the Internet
o Reduced IPSec network transfer costs
o Additional network security
http://aws.amazon.com/directconnect/
[Diagram: as above, with the IPSec VPN carried over the Direct Connect path to the Virtual Gateway.]
Integrated Services
Active Directory and LDAP
o Reduced back-reach traffic
o Reduced latency for authentication
o Additional resiliency
o Enablement of both:
  Ø Multi-master read/write Domain Controllers
  Ø Read-only Domain Controllers (RODCs)
² Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/
[Diagram: on-premises AD.Domain domain controllers replicating through the Virtual Gateway to domain controllers in VPC subnets across two Availability Zones, each with Security Groups.]
Security Group ports for Active Directory replication:
Type  Port Number
TCP   54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP   53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
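The port table above is exactly what the domain-controller Security Group should admit, and only from the corporate and VPC ranges. The following is an added example (not from the slides or from AWS) that builds the matching ingress rules in the IpPermissions shape EC2 uses and audits an existing rule set for drift; the slide's TCP "54" is taken as TCP 53, the DNS port, and the function names are this example's own.

```python
import ipaddress

# Port table from the slide; the slide's TCP "54" is taken as TCP 53 (DNS), a transcription error.
AD_PORTS = {
    "tcp": [53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, (49152, 65535)],
    "udp": [53, 67, 123, 138, 389, 445, 464, 2535, 5355, (49152, 65535)],
}


def _ranges(spec):
    """Normalise a mix of single ports and (low, high) tuples to (low, high) pairs."""
    return [(p, p) if isinstance(p, int) else tuple(p) for p in spec]


def ad_ingress_rules(source_cidr):
    """Build IpPermissions entries (the payload shape of authorize-security-group-ingress)
    that admit only the AD ports above, and only from source_cidr."""
    rules = []
    for proto, spec in AD_PORTS.items():
        for low, high in _ranges(spec):
            rules.append({"IpProtocol": proto, "FromPort": low, "ToPort": high,
                          "IpRanges": [{"CidrIp": source_cidr}]})
    return rules


def audit_ingress(rules, trusted_cidrs):
    """Flag ingress rules on a domain-controller security group that admit traffic from
    outside the trusted on-premises/VPC ranges or on ports AD does not need."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    allowed = {proto: _ranges(spec) for proto, spec in AD_PORTS.items()}
    findings = []
    for rule in rules:
        proto, low, high = rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")
        for src in rule.get("IpRanges", []):
            net = ipaddress.ip_network(src["CidrIp"])
            if not any(net.subnet_of(t) for t in trusted):
                findings.append(f"{proto} {low}-{high} reachable from untrusted {net}")
        if proto == "-1":  # EC2 encodes "all protocols" as -1, with no port bounds
            findings.append("rule admits all protocols and ports")
        elif not any(a <= low and high <= b for a, b in allowed.get(proto, [])):
            findings.append(f"{proto} {low}-{high} is not an AD port")
    return findings
```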
AWS Directory Service
o Deploys in two modes:
  Ø Directory Service Connect (AD Connector)
  Ø Simple AD: built on Samba 4, an Active Directory-compatible server
o Simplifies IAM federation
  Ø Avoids the complexity and cost of hosting SAML-based federation infrastructure
  Ø Acts as a proxy; no data is stored on AWS infrastructure
  Ø Supports existing RADIUS-based MFA
² Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
[Diagram: on-premises AD.Domain domain controller reached through the Virtual Gateway by AD Connector instances in VPC subnets across two Availability Zones.]
AWS Federation/Account Governance
[Diagram: example multi-account layout. User groups (financial users and controllers, SOC/auditors, global AWS admins, software development, app owners, DevOps teams) are mapped to a Billing account with Consolidated Billing and Billing Alerts, a Security / Audit account, a User management account, a Production account #1, and Non-prod accounts #1 and #2 for dev/test/sandbox, with read-only access across all accounts.]
Operations Tools and Monitoring
o Security monitoring integration points with CloudTrail and a SIEM aggregator
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
o Platform and app health to the SIEM aggregator via an agent on the EC2 guest
o Access to patching and updates for AMIs from the on-premises update server
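The CloudTrail-to-SIEM integration point above is, in practice, a normaliser that reads the JSON log files CloudTrail writes to its S3 bucket and emits events the aggregator can correlate. The following is an added example (not from the slides or from AWS) that does that over a constructed two-record log file, scoring a console login without MFA and a denied security-group change before rendering CEF lines; the HIGH_RISK set and the field names in the CEF extension are this example's own choices.

```python
import json

# Constructed CloudTrail log-file fragment (not a real capture); the top-level
# {"Records": [...]} shape is what CloudTrail writes to its S3 bucket.
RECORDS = [
    {"eventTime": "2015-04-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-04-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "sourceIPAddress": "10.1.2.3", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
]
SAMPLE = json.dumps({"Records": RECORDS})

# Hypothetical local choice of API calls that change security posture or tamper with logging.
HIGH_RISK = {"AuthorizeSecurityGroupIngress", "CreateUser", "PutUserPolicy",
             "StopLogging", "DeleteTrail"}


def normalize(record):
    """Flatten one CloudTrail record into the fields a SIEM correlates on and score it."""
    ident = record.get("userIdentity", {})
    ev = {"time": record["eventTime"], "source": record["eventSource"],
          "name": record["eventName"], "region": record["awsRegion"],
          "src_ip": record.get("sourceIPAddress", ""),
          "user": ident.get("userName") or ident.get("type", "unknown"),
          "error": record.get("errorCode", ""), "severity": 3}
    if ev["name"] == "ConsoleLogin" and \
            record.get("additionalEventData", {}).get("MFAUsed") == "No":
        ev["severity"] = 7  # console sign-in without MFA
    if ev["name"] in HIGH_RISK:
        ev["severity"] = max(ev["severity"], 6)
    if ev["error"]:
        ev["severity"] = max(ev["severity"], 5)  # denied calls hint at probing or misconfig
    return ev


def to_cef(ev):
    """Render a normalized event as one CEF line for a syslog-fed SIEM aggregator."""
    ext = (f"rt={ev['time']} src={ev['src_ip']} suser={ev['user']} "
           f"cs1Label=region cs1={ev['region']} cs2Label=error cs2={ev['error']}")
    return f"CEF:0|AWS|CloudTrail|1.0|{ev['name']}|{ev['source']}|{ev['severity']}|{ext}"


def process_log_file(text):
    """Parse one CloudTrail log file and return the CEF lines to ship to the SIEM."""
    return [to_cef(normalize(r)) for r in json.loads(text)["Records"]]
```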
[Diagram: corporate data center (users, data center router, update servers, SIEM aggregator) connected through the Virtual Gateway to VPC subnets in two Availability Zones; CloudTrail and CloudWatch feed the SIEM aggregator, with CloudTrail logs landing in an S3 bucket.]
Integrated Platform
Application Deployment Management
Deployment and Management options, ordered from convenience to control:
• AWS Elastic Beanstalk: automated resource management, web apps made easy
• AWS OpsWorks: DevOps framework for application lifecycle management and automation
• AWS CloudFormation: templates to deploy & update infrastructure as code
• DIY / On Demand: DIY, on-demand resources (EC2, S3, custom AMIs, etc.)
Continuous Integration and Deployment
o Automates application deployments to both on-premises and AWS EC2 instances using CodeDeploy
o Reuse existing scripts and tools
  Ø Bash, PowerShell, Chef, Puppet, anything…
o Integrate with the developer tool chain
  Ø GitHub, Jenkins, CloudBees, TravisCI, Eclipse…
[Diagram: AWS CodeDeploy taking revisions from an S3 bucket and AWS CloudFormation, with CodeDeploy agents on on-premises servers and on EC2 instances in VPC subnets across two Availability Zones.]
Managed AWS Services
o Managed services advantages:
  Ø Flexibility and agility
  Ø Scalability
  Ø Security
  Ø Automated maintenance & upgrade
[Diagram: on-premises servers, MySQL and Apache Kafka alongside their counterparts in the VPC (MySQL, S3 bucket, Amazon Redshift, Amazon EMR), connected through the Virtual Gateway.]
Integrated Solutions
Storage expansion
o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway-side encryption for security
[Diagram: on-premises servers and a storage appliance using iSCSI to AWS Storage Gateway instances, backed by Amazon S3 through the Virtual Gateway. AWS Marketplace partners shown: Cloud ONTAP Secure Cloud-Integrated Backup, Panzura Global NAS, TwinStrata CloudArray.]
Backup and archiving
o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options:
  o De-duplication
  o Compression
  o WAN acceleration
[Diagram: on-premises backup system and servers writing over iSCSI to AWS Storage Gateway virtual tape libraries (VTL), stored in Amazon S3 and archived to Amazon Glacier. AWS Marketplace partners shown: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP Secure Cloud-Integrated Backup.]
Integration Adoption Roadmap - Example
• Discovery Workshop
• Cloud Business Case
• Define Security Requirements
• Define Network Environment
• Organizational Structure
• Operational Integration
• Security Operations Playbook
• Cloud Environment Optimization
• Application Portfolio Analysis
• Cost and Billing Analysis
• Skills and Competencies
• Define Cloud Environments
• Define EA Policies and Practices
• Continuous Integration & Delivery
Platform Perspective: helps architects and technology teams understand the relationship of the abstractions used to model cloud computing elements that are common across an enterprise. Platform Perspective components describe the fundamental organization of a hybrid IT system spanning multiple environments, as embodied in its components, their relationships to each other, and their design and evolution. The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF
AWS Marketplace software
• Launch software on AWS with 1-click
• Pay by the hour, monthly, or annually
• Single invoice for AWS usage & software
• Quick deployment without friction
• Cost reduction by using BYOL functionality in Marketplace
• Used extensively by large enterprises
Takeaways
• Connectivity is key to a successful hybrid integration between the cloud and the corporate data center
• Authentication and authorization are the cornerstone of enterprise integration
• Hybrid infrastructure enables a variety of hybrid workload implementations
• Application migration is just one piece of large-scale cloud adoption
– The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF
SAN FRANCISCO