Berlin
Jumpstart Your Hybrid Cloud Environment
Philipp Behre
Objectives
• Define hybrid infrastructure integration
• Showcase examples of hybrid implementation patterns
• Discuss common hybrid infrastructure workloads
Agenda – A path to the cloud
• What is hybrid infrastructure?
• Common workloads in hybrid infrastructure
• Start → Integrated: Enterprise integration
• Connectivity: AWS Direct Connect, VPN, Amazon VPC
• Authentication: Federation
• Operations monitoring
• Backup & archive
• Storage expansion
Expand your data center to the cloud
What do we mean by a “hybrid integration”?
Corporate data center (on-premises resources, enterprise management tools) and cloud services (cloud infrastructure), integrated along three axes:
o Workload migration and integration
o Access/authentication control integration
o Connectivity between the data center and the cloud infrastructure
Identifying What Needs To Be Done
We examine each of these perspectives with you to identify the goals, implications, and specifically what needs to be addressed
Section: Connectivity (AWS Direct Connect, VPN, Amazon VPC)
AWS Virtual Private Network (IPsec VPN)
o IPsec hardware VPN connection; supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
o Encryption and validation
o Private RFC 1918 addressing
o Uses Border Gateway Protocol (BGP) for routing and fail-over
o The VPN service provides managed redundant end-points
Topology: corporate data center (users, servers, data center router) → Internet → IPsec VPN → Virtual Gateway → VPC subnets in Availability Zones, each protected by a security group
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
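The "private RFC 1918 addressing" bullet hides the check that breaks most first VPN setups: the VPC CIDR must not overlap any prefix the data center router advertises over BGP, or the tunnel comes up and traffic is silently misrouted. The following is an added example (not from the slides) that validates a proposed VPC block against a constructed list of on-premises prefixes; the prefixes, the /16-to-/28 VPC size limit and the function names are the example's own assumptions.

```python
import ipaddress

# Constructed example (not from the slides): prefixes the data center router
# advertises to the virtual gateway over BGP, and the RFC 1918 blocks.
ONPREM_PREFIXES = ["10.0.0.0/16", "10.10.0.0/16", "192.168.1.0/24"]
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def overlapping_prefixes(vpc_cidr, onprem_prefixes):
    """On-premises prefixes that collide with the proposed VPC block.

    A collision means the BGP route for that prefix and the VPC's local
    route compete for the same addresses, so traffic is silently misrouted.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [p for p in onprem_prefixes
            if ipaddress.ip_network(p).version == vpc.version
            and vpc.overlaps(ipaddress.ip_network(p))]


def check_vpc_cidr(vpc_cidr, onprem_prefixes=ONPREM_PREFIXES):
    """Return (ok, problems) for a VPC CIDR that will be joined to the data center."""
    problems = []
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if not is_rfc1918(vpc_cidr):
        problems.append(f"{vpc_cidr} is not an RFC 1918 private range")
    if net.version == 4 and not 16 <= net.prefixlen <= 28:
        problems.append(f"{vpc_cidr} is outside the /16 to /28 size a VPC allows")
    for p in overlapping_prefixes(vpc_cidr, onprem_prefixes):
        problems.append(f"{vpc_cidr} overlaps on-premises prefix {p}")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("10.20.0.0/16", "10.10.5.0/24", "172.16.0.0/12"):
        ok, problems = check_vpc_cidr(candidate)
        print(candidate, "OK" if ok else "; ".join(problems))
```

Run this against the full on-premises route table, not just the subnets you think the cloud workloads will talk to: the virtual gateway propagates every prefix it learns into the VPC route tables.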
AWS Direct Connect
o Requires a Layer 2 single-mode fiber connection, 1000BASE-LX or 10GBASE-LR
o Requires 802.1Q VLANs across the connection (VLAN tagging of IP traffic)
o Routing uses BGP, active/active (A/A) or active/passive (A/P) multipath
o Each DX connection is mapped to a single AWS Region
Topology: corporate data center (users, servers, data center router) → customer router → AWS Direct Connect location → AWS Direct Connect routers → Virtual Gateway → VPC subnets in Availability Zones, each protected by a security group
http://aws.amazon.com/directconnect/
AWS Direct Connect + AWS VPN
o Dedicated network path with assured bandwidth
o Reduced IPsec network transfer costs
o Additional network security: more secure than an Internet-based IPsec VPN, because the traffic never traverses the Internet
Note that Direct Connect by itself does not encrypt traffic on the link; the IPsec tunnel running over the Direct Connect path is what adds confidentiality and integrity to the private path.
Topology: corporate data center (users, servers, data center router, customer router) → AWS Direct Connect location → AWS Direct Connect routers, with the IPsec VPN carried over that path to the Virtual Gateway → VPC subnets in Availability Zones, each protected by a security group
http://aws.amazon.com/directconnect/
Section: Authentication (Federation)
Active Directory and LDAP
o Reduced back-reach traffic
o Reduced latency for authentication
o Additional resiliency
o Enablement of both multi-master read/write domain controllers and read-only domain controllers (RODCs)
o Requires IPsec VPN or Direct Connect connectivity
Topology: corporate data center (users, servers, domain controller for AD.Domain) ↔ Virtual Gateway ↔ domain controllers in VPC subnets across Availability Zones, each with its own security group; Active Directory replication runs between the on-premises and VPC domain controllers
Replication traffic to allow between the domain controllers:
Type   Port numbers
TCP    53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP    53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
Because the list includes the dynamic RPC range 49152-65535, scope these rules to the domain controllers' addresses or security groups rather than to whole subnets.
http://aws.amazon.com/microsoft/whitepapers/ad-referencearchitecture/
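The port table above is long enough that typing it into security group rules by hand invites mistakes, and the dynamic RPC range makes a too-wide source CIDR expensive. This added example (not from the slides or the referenced whitepaper) turns the table into the IpPermissions structure that boto3's authorize_security_group_ingress accepts, merges adjacent ports into single rules, and refuses a 0.0.0.0/0 source. The on-premises DC subnet and the function names are the example's own assumptions.

```python
import ipaddress

# Replication ports from the slide's table (TCP 53 is DNS). The dynamic RPC
# range 49152-65535 is what makes these rules wide.
AD_PORTS = {
    "tcp": "53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535",
    "udp": "53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535",
}


def parse_ports(spec):
    """'53, 3268, 49152-65535' -> [(53, 53), (3268, 3268), (49152, 65535)]"""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {token}")
        ranges.append((lo, hi))
    return sorted(ranges)


def merge_ranges(ranges):
    """Collapse adjacent or overlapping ranges so each becomes one rule."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def source_problem(cidr):
    """Reason the source is unacceptable for replication rules, or None."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return str(exc)
    if net.prefixlen == 0:
        return "replication ports must never be open to 0.0.0.0/0"
    return None


def ad_ingress_permissions(source_cidr, ports=AD_PORTS,
                           description="AD replication from on-premises DCs"):
    """IpPermissions in the shape boto3's authorize_security_group_ingress takes."""
    problem = source_problem(source_cidr)
    if problem:
        raise ValueError(problem)
    perms = []
    for proto, spec in ports.items():
        for lo, hi in merge_ranges(parse_ports(spec)):
            perms.append({
                "IpProtocol": proto, "FromPort": lo, "ToPort": hi,
                "IpRanges": [{"CidrIp": source_cidr, "Description": description}],
            })
    return perms


if __name__ == "__main__":
    import json
    perms = ad_ingress_permissions("10.0.10.0/24")  # constructed on-premises DC subnet
    print(json.dumps(perms, indent=1))
    # In a real account, with boto3 and the VPC domain controllers' group id in sg_id:
    #   boto3.client("ec2").authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
```

The same list, mirrored, is what the on-premises firewall needs to allow from the VPC domain controllers' subnet, since replication is initiated from both sides.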
AWS Directory Service
o Deploys in two modes:
   - Directory Service Connect (AD Connector): connects to the existing Active Directory compatible server in the corporate data center
   - Simple AD: built on Samba 4
o Simplifies IAM federation: avoids the complexity and cost of hosting SAML-based federation infrastructure
o Acts as a proxy: no directory data is stored on AWS infrastructure
o Supports existing RADIUS-based MFA
o Requires IPsec VPN or Direct Connect connectivity
Topology: corporate data center (users, servers, domain controller for AD.Domain) ↔ Virtual Gateway ↔ AWS Directory Service Connect in VPC subnets across Availability Zones, each with its own security group
http://aws.amazon.com/directoryservice/
AWS federation/account governance
A multi-account layout, with the teams that use each account:
o Billing account (Financial): financial users and controllers; consolidated billing and billing alerts
o User management account: global AWS admin
o Security / Audit account (Security/audit): SOC/auditors; read-only access for all accounts
o Non-prod accounts #1 and #2 (Dev/test/sandbox): software development, app owners, DevOps teams
o Production account #1 (Production): app owners, DevOps teams
Operations Monitoring
o Security monitoring integration points with CloudTrail and the SIEM aggregator.
o SNMP MIBs to the SIEM aggregator.
o Platform and application health to the SIEM aggregator via an agent on the EC2 guest.
o Logging with CloudTrail and Amazon CloudWatch.
o Access to patching and updates for AMIs by the on-premises update server.
Topology: corporate data center (users, update servers, SIEM aggregator, data center router) ↔ connectivity ↔ Virtual Gateway ↔ VPC subnets in Availability Zones, each with its own security group; AWS CloudTrail and Amazon CloudWatch feed the SIEM aggregator
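"Integration points with CloudTrail and the SIEM aggregator" in practice means a small normalizer that reads the JSON files CloudTrail delivers, applies a few detection rules, and emits lines in the format the SIEM ingests. The following is an added example (not from the slides): it runs four rules over four constructed CloudTrail records (a console login without MFA, a security group opened to the world, the root user stopping the trail, and a benign read-only call) and renders each record as a CEF line. The records, rule names and field mapping are the example's own assumptions.

```python
import json

# Constructed CloudTrail records (not from the slides or any real account).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2015-07-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-07-01T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
     "sourceIPAddress": "10.0.5.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DevOps/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-07-01T09:20:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": {"name": "corp-trail"}},
    {"eventTime": "2015-07-01T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-central-1", "sourceIPAddress": "10.0.5.99",
     "userIdentity": {"type": "IAMUser", "userName": "carol", "accountId": "111111111111"}},
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(text):
    """CloudTrail delivers gzipped JSON files to S3 with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(event):
    """Return the names of the detection rules this single record trips."""
    alerts = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    if ident.get("type") == "Root":
        alerts.append("root_api_use")
    # Federated (SAML) sessions satisfy MFA at the corporate IdP, so only IAM
    # users and root are held to the MFAUsed flag here.
    if (name == "ConsoleLogin" and ident.get("type") in ("IAMUser", "Root")
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        alerts.append("console_login_without_mfa")
    if name == "AuthorizeSecurityGroupIngress":
        items = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0"
               for perm in items for r in perm.get("ipRanges", {}).get("items", [])):
            alerts.append("sg_open_to_world")
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append("cloudtrail_tampering")
    return alerts


def _hdr(v):   # CEF header fields escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _ext(v):   # CEF extension values escape backslash and equals, no newlines
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ").replace("\r", " ")


def to_cef(event, alerts):
    """One CEF line per record; severity scales with the number of rules tripped."""
    name = event.get("eventName", "")
    severity = min(10, 3 * len(alerts))
    ext = {"rt": event.get("eventTime", ""), "suser": actor(event),
           "src": event.get("sourceIPAddress", ""),
           "cs1Label": "awsRegion", "cs1": event.get("awsRegion", ""),
           "cs2Label": "eventSource", "cs2": event.get("eventSource", ""),
           "cs3Label": "alerts", "cs3": ",".join(alerts)}
    header = "|".join(["CEF:0", "AWS", "CloudTrail", "1", _hdr(name), _hdr(name), str(severity)])
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in ext.items())


def process(text):
    """Return [(alerts, cef_line), ...] for every record in a CloudTrail log file."""
    out = []
    for ev in load_records(text):
        alerts = detect(ev)
        out.append((alerts, to_cef(ev, alerts)))
    return out


if __name__ == "__main__":
    for alerts, line in process(SAMPLE_LOG_FILE):
        print(line)
```

The trail-tampering rule is the one to wire to a paging alert: once StopLogging succeeds, none of the other rules receive input.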
Section: Backup & archive, Storage expansion
Backup and archiving
o Backup gateways integrated with Amazon S3: the on-premises backup system writes over iSCSI to AWS Storage Gateway, which stores to Amazon Simple Storage Service (S3)
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like de-duplication, compression and WAN acceleration
On-premises sources: application server, virtual server, file server, database server
AWS Marketplace partners: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP, Secure CloudIntegrated Backup
Storage expansion
o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway-side encryption for security
On-premises consumers: application server, virtual server, file server, database server, connected over iSCSI to the storage appliance / AWS Storage Gateway, which is backed by Amazon Simple Storage Service
AWS Marketplace partners: TwinStrata CloudArray, Panzura Global NAS, Cloud ONTAP, Secure CloudIntegrated Backup
Section: One more excursion
An integrated approach to gain transparency
o Create/Update and Validate: the IT admin maintains a template; a template change notifies the monitoring side.
o Publish: the template is published to AWS Service Catalog, the catalog of resources and changes.
o Select & provision: project teams select from the catalog and provision a resource stack.
o Monitor change: AWS Config monitors AWS and application resources and notifies on change.
o Capture audit logs: AWS CloudTrail captures all API interaction and secures the audit data in durable storage (Amazon S3).
o Monitor and alert: Amazon CloudWatch monitors, and an alert initiates an alarm.
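Where CloudTrail records the API call that made a change, AWS Config evaluates the recorded state of each resource, which also catches groups that were already wrong before monitoring started and drift that never went through the catalog. The following is an added example (not from the slides) of the evaluation logic for a custom Config rule on security groups: ingress is compliant only if it comes from the corporate prefixes that arrive over the VPN or Direct Connect path, or from an approved public port. The corporate prefixes, the approved port set, the sample configuration items and the function names are the example's own assumptions.

```python
import ipaddress
import json

# Constructed assumptions (not from the slides): the corporate prefixes that
# arrive over the VPN / Direct Connect path, and the only port that may be
# opened to the Internet at all.
CORP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
PUBLIC_OK_PORTS = {443}


def _cidrs(perm):
    """Config has recorded ipRanges both as plain strings and as {cidrIp: ...} objects."""
    return [r["cidrIp"] if isinstance(r, dict) else r for r in perm.get("ipRanges", [])]


def evaluate(item, corp_prefixes=CORP_PREFIXES, public_ok_ports=PUBLIC_OK_PORTS):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr)
            if net.version == 4 and any(net.subnet_of(p) for p in corp_prefixes):
                continue                      # came in over the hybrid link
            if lo is not None and lo == hi and lo in public_ok_ports:
                continue                      # approved public service port
            ports = "all" if lo is None else f"{lo}-{hi}"
            findings.append(f"{perm.get('ipProtocol')} {ports} from {cidr}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]   # Config caps annotations at 256 chars
    return "COMPLIANT", "ingress limited to corporate prefixes and approved public ports"


def build_evaluation(item, ordering_timestamp):
    """The Evaluations entry that put_evaluations expects."""
    compliance, annotation = evaluate(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": ordering_timestamp}


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule; invokingEvent is a JSON string."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item, item["configurationItemCaptureTime"])
    import boto3   # present in the Lambda runtime; imported here so the module runs offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items for a stand-alone run.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-dc01",
     "configurationItemCaptureTime": "2015-07-01T10:00:00.000Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 389, "toPort": 389, "ipRanges": ["10.0.10.0/24"]},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-rdp",
     "configurationItemCaptureTime": "2015-07-01T10:00:00.000Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "-1", "ipRanges": ["172.31.0.0/16"]}]}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc",
     "configurationItemCaptureTime": "2015-07-01T10:00:00.000Z"},
]

if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        print(it["resourceId"], evaluate(it))
```

A NON_COMPLIANT evaluation is what the CloudWatch alarm in the flow above should key on; the annotation carries the offending rule so the SOC can act without opening the console.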
Takeaway – (some) services for hybrid IT
• Integrated Networking: Amazon Virtual Private Cloud, AWS Direct Connect
• Integrated Identity: AWS Directory Service, Identity Federation
• Integrated Management: vCenter & System Center plugins (on premise), AWS Config, AWS CloudTrail
• Deployment: AWS OpsWorks, AWS CodeDeploy
• Backups: AWS Storage Gateway
Takeaways
• Connectivity is key to a successful hybrid integration between the cloud and the corporate data center
• Authentication and authorization are the cornerstone of enterprise integration
• Hybrid infrastructure enables a variety of hybrid workload implementations