©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved
Hybrid Infrastructure Integration
Paul Nau
Objectives
•  Examine Integrated Infrastructure
•  Review Integrated Services
•  Discuss Integrated Platform
•  Showcase Integrated Solutions
•  Takeaways
Our journey today (roadmap diagram, read in presentation order):
•  Start – What is Hybrid Integration?
•  Integrated Infrastructure – VPC, VPN, AWS Direct Connect
•  Integrated Services – Authentication, Federation, Operations Tools and Monitoring
•  Integrated Platform – Integrated Stacks, CI/CD, Managed AWS Services
•  Integrated Solution – Storage expansion, Backup & archive
Defining Hybrid Integration
“Consumption of Cloud Services and On-Premises Infrastructure into an aggregated pool of resources.”
Benefits:
•  Cost Efficiencies
•  Scalability
•  Flexibility
•  Security
[Diagram: On-Premises layers – Infrastructure, Services, Platform, Solutions; Cloud layers – Infrastructure, Services]
Integrated Infrastructure
AWS Virtual Private Network (IPSec VPN)
o  IPSec hardware VPN connection (supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9)
o  Encryption and Validation
o  Private RFC 1918 Addressing
o  Uses Border Gateway Protocol (BGP) for routing and fail-over
o  VPN Service provides managed redundant end-points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
[Diagram: Corporate data center (Users, Data center router, Servers) – IPSec VPN across the Internet – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group]
AWS Direct Connect
o  Requires Layer 2 single mode fiber, 1000BASE-LX or 10GBASE-LR
o  Requires 802.1Q VLANs across the connection
Ø  Tagging of IP traffic
o  Routing uses BGP A/A or A/P multipath
o  Each DX is mapped to a single AWS Region
http://aws.amazon.com/directconnect/
[Diagram: Corporate data center (Users, Data center router, Servers) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group]
AWS Direct Connect + AWS VPN
o  Dedicated network path with assured bandwidth
o  More secure than Internet-based IPSec VPN – avoids Internet traversal
o  Reduced IPSec network transfer costs
o  Additional Network Security
http://aws.amazon.com/directconnect/
[Diagram: Corporate data center (Users, Data center router, Servers) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – IPSec VPN – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group]
Integrated Services
Active Directory and LDAP
o  Reduced back-reach Traffic
o  Reduced Latency for Authentication
o  Additional Resiliency
o  Enablement of both:
Ø  Multi-Master Read/Write Domain Controllers
Ø  Read-only Domain Controllers (RODCs)
²  Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/
Port table (Active Directory / LDAP traffic):
Type   Port Number
TCP    54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP    53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
[Diagram: Corporate data center (Users, Data center router, Servers) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with Security Groups; AD.Domain, three Domain controllers, Active Directory Replication]
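The port table is the whole point of the security groups on this slide: the domain controllers in the VPC must admit exactly those ports, and only from the on-premises address space reached over the VPN or Direct Connect path. The Python below is an added illustration, not code from the deck: it turns the slide's port list into EC2-style ingress entries for a constructed on-premises range (10.10.0.0/16, an assumption) and audits any rule set for the two changes that quietly undo the design, a source of 0.0.0.0/0 or a non-RFC 1918 source, and ports outside the listed set.

```python
import ipaddress

# Port lists copied from the slide's table (the TCP entry "54" is reproduced as printed).
AD_PORTS = {
    "tcp": "54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535",
    "udp": "53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535",
}

# Private RFC 1918 ranges: the only acceptable sources for directory traffic over the VPN/DX path.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ports(spec):
    """Turn '88, 389, 49152-65535' into a list of (from_port, to_port) tuples."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def ad_ingress_rules(source_cidr):
    """Ingress entries (EC2 API field names) admitting only source_cidr to the slide's ports."""
    rules = []
    for proto, spec in AD_PORTS.items():
        for lo, hi in parse_ports(spec):
            rules.append({"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "CidrIp": source_cidr})
    return rules


def _within_allowed(proto, lo, hi):
    """True when the port span lies inside one of the slide's entries for that protocol."""
    return any(a_lo <= lo and hi <= a_hi
               for a_lo, a_hi in parse_ports(AD_PORTS.get(proto, "")))


def audit_rules(rules):
    """Findings for rules that widen exposure beyond 'listed ports, from private on-premises space'."""
    findings = []
    for r in rules:
        key = (r["IpProtocol"], r["FromPort"], r["ToPort"])
        net = ipaddress.ip_network(r["CidrIp"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"{key}: open to the whole Internet ({r['CidrIp']})")
        elif net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{key}: source {r['CidrIp']} is not a private RFC 1918 range")
        if not _within_allowed(*key):
            findings.append(f"{key}: port/protocol is not in the slide's directory port list")
    return findings


if __name__ == "__main__":
    rules = ad_ingress_rules("10.10.0.0/16")   # constructed on-premises range
    print(len(rules), "ingress rules, findings:", audit_rules(rules))
    # A later "temporary" RDP rule open to the world is exactly what the audit should catch.
    rules.append({"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"})
    for finding in audit_rules(rules):
        print("FINDING", finding)
```

The audit treats a span inside the 49152-65535 RPC range as allowed, so narrowing the ephemeral range to a smaller window is not reported; anything outside the slide's list is.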
AWS Directory Service
o  Deploys in two modes
Ø  Directory Service Connect
Ø  Simple AD - built on Samba 4 Active Directory compatible server
o  Simplifies IAM Federation
Ø  Avoids complexity and cost of hosting SAML-based federation infrastructure
Ø  Acts as a proxy - no data is stored on AWS infrastructure
Ø  Supports existing RADIUS-based MFA
²  Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
[Diagram: Corporate data center (Users, Data center router, Servers, AD.Domain with a Domain controller) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with Security Groups; three AD Connector instances]
AWS Federation/Account Governance
[Diagram: multi-account structure. Accounts: Billing account; User management account; Security / Audit account; Production account #1; Non-prod account #1; Non-prod account #2. Groups: Global AWS admin; Financial users, controllers; SOC/Auditors; Software development; App owners; DevOps teams. Labels: Financial; Security/audit; Production; Dev/test/sandbox. Annotations: Consolidated Billing, Billing Alerts; Read-only access for all accounts]
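The "Read-only access for all accounts" given to the Security / Audit account is normally a cross-account role that every workload account creates and that only the audit account may assume. The Python below is an added example, not from the deck: it emits the two policy documents for that role (a trust policy that requires an MFA-authenticated session, and a permission policy limited to read actions) and checks both before they are handed out. The account IDs are constructed placeholders.

```python
import json
import re

# Constructed placeholder account IDs; substitute real ones.
SECURITY_AUDIT_ACCOUNT = "111111111111"   # the "Security / Audit account" on the slide
WORKLOAD_ACCOUNTS = {"production-1": "222222222222",
                     "nonprod-1": "333333333333",
                     "nonprod-2": "444444444444"}

# Naming heuristic for read-only API actions; see the note below on its limits.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z]*$")


def audit_role_policies(audit_account):
    """Trust policy and permission policy for the role each workload account creates for the audit account."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{audit_account}:root"},
        "Action": "sts:AssumeRole",
        # Only sessions that authenticated with MFA may assume the role.
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                   "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                   "s3:GetBucketPolicy", "s3:ListAllMyBuckets"],
        "Resource": "*"}]}
    return trust, permissions


def non_read_only_actions(policy):
    """Actions in Allow statements that are not Get/List/Describe (wildcards are judged by their prefix)."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if not READ_ONLY_ACTION.match(action.replace("*", "")):
                offending.append(action)
    return offending


def mfa_required(trust):
    """True when every sts:AssumeRole statement in the trust policy demands MFA."""
    assume = [s for s in trust["Statement"] if s.get("Action") == "sts:AssumeRole"]
    return bool(assume) and all(
        (s.get("Condition") or {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        for s in assume)


def render_policies(audit_account=SECURITY_AUDIT_ACCOUNT):
    """Per-account (trust, permissions) JSON documents, validated before they are emitted."""
    trust, permissions = audit_role_policies(audit_account)
    if non_read_only_actions(permissions) or not mfa_required(trust):
        raise ValueError("audit role policies fail the read-only / MFA checks")
    return {name: (json.dumps(trust), json.dumps(permissions)) for name in WORKLOAD_ACCOUNTS}


if __name__ == "__main__":
    for account, (trust_doc, perm_doc) in render_policies().items():
        print(account, "trust:", trust_doc)
        print(account, "permissions:", perm_doc)
```

The Get/List/Describe check is a naming convention, not a guarantee of harmlessness: `s3:GetObject` passes it yet reads customer data, so the action list still needs a human review; the regex only stops an accidental `Put`, `Delete` or bare `*` from reaching every account.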
Operations Tools and Monitoring
o  Security Monitoring integration points with CloudTrail and SIEM Aggregator.
o  Logging with CloudTrail and SNMP MIBs to SIEM Aggregator.
o  Platform and App Health to SIEM Aggregator via agent on EC2 guest.
o  Access to Patching and Updates for AMI by on-premises Update Server.
[Diagram: Corporate data center (Users, Data center router, Update Servers, SIEM Aggregator) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group; CloudTrail, CloudWatch, CloudTrail S3 Bucket]
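The CloudTrail-to-SIEM integration point on this slide is where most hybrid detections live: the on-premises aggregator pulls the CloudTrail S3 delivery and runs correlation rules over it. The Python below is an added example, not code from the deck or from AWS: it reads a constructed CloudTrail delivery (the record fields follow CloudTrail's format, every value is made up), applies three detections a SIEM team would typically start with (console login failures with a per-source threshold, authorization failures, and changes that stop the trail itself) and renders the alerts as key=value lines for syslog ingestion.

```python
import json
from collections import Counter

# Constructed sample CloudTrail delivery (record shape follows CloudTrail's format; every value is made up).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:02:19Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:02:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.20.30.40", "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:06:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.20.30.40", "responseElements": None},
    {"eventVersion": "1.05", "eventTime": "2015-07-08T14:07:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "10.20.30.41", "responseElements": None},
]})

LOGIN_FAILURE_THRESHOLD = 3          # failures from one source IP before escalating
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def normalize(rec, rule):
    """Flatten one CloudTrail record into the few fields a SIEM correlation rule needs."""
    ident = rec.get("userIdentity") or {}
    return {"ts": rec.get("eventTime"), "rule": rule,
            "user": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "src_ip": rec.get("sourceIPAddress"), "event": rec.get("eventName")}


def triage(raw_json):
    """Run three detections over a CloudTrail delivery and return normalized alerts in record order."""
    alerts, failures_by_ip = [], Counter()
    for rec in json.loads(raw_json).get("Records", []):
        resp = rec.get("responseElements") or {}     # null in the delivery for many read-only calls
        if rec.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            alerts.append(normalize(rec, "auth_failure"))
            failures_by_ip[rec.get("sourceIPAddress")] += 1
            if failures_by_ip[rec.get("sourceIPAddress")] == LOGIN_FAILURE_THRESHOLD:
                alerts.append(normalize(rec, "bruteforce_suspect"))
        if rec.get("errorCode") in DENIED_CODES:
            alerts.append(normalize(rec, "access_denied"))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TRAIL_TAMPERING:
            alerts.append(normalize(rec, "trail_tampering"))
    return alerts


def to_kv_lines(alerts):
    """Render alerts as key=value lines, the form most SIEM aggregators accept over syslog."""
    return [" ".join(f"{k}={v}" for k, v in a.items()) for a in alerts]


if __name__ == "__main__":
    for line in to_kv_lines(triage(SAMPLE_CLOUDTRAIL)):
        print(line)
```

Real deliveries arrive as gzip-compressed objects, one file per few minutes, so the threshold counter has to persist across files; here it is scoped to a single delivery for clarity.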
Integrated Platform
Application Deployment Management
[Diagram: four options on a Convenience ↔ Control axis]
•  AWS Elastic Beanstalk – Automated resource management – web apps made easy
•  AWS OpsWorks – DevOps framework for application lifecycle management and automation
•  AWS CloudFormation – Templates to deploy & update infrastructure as code
•  DIY / On Demand – DIY, on demand resources: EC2, S3, custom AMI’s, etc.
Deployment and Management
Continuous Integration and Deployment
o  Automates application deployments for both On-Premise and AWS EC2 instances with use of CodeDeploy
o  Reuse existing scripts and tools
Ø  Bash, PowerShell, Chef, Puppet, anything…
o  Integrate with developer tool chain
Ø  GitHub, Jenkins, CloudBees, TravisCI, Eclipse…
[Diagram: Corporate data center (Users, Data center router, Servers) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group; AWS CodeDeploy, AWS CloudFormation, S3 bucket, Agent (six instances)]
Managed AWS Services
o  Managed Services Advantages
Ø  Flexibility and Agility
Ø  Scalability
Ø  Security
Ø  Automated Maintenance & Upgrade
[Diagram: Corporate data center (Users, Data center router, Servers) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group; S3 bucket, MySQL (two), Apache, Kafka, Amazon Redshift and Amazon EMR (one of each per Availability Zone)]
Integrated Solutions
Storage expansion
o  Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o  Local disk cache to provide fast on-premises access
o  Gateway side encryption for security
[Diagram: Corporate data center (Users, Data center router, Servers, Storage Appliance, AWS Storage Gateway over iSCSI) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group; AWS Storage Gateway, Amazon S3]
AWS Marketplace Partners: Cloud ONTAP Secure Cloud-Integrated Backup; Panzura Global NAS; TwinStrata CloudArray
Backup and archiving
o  Backup gateways integrated with Amazon S3
o  Leverage Amazon S3 archival to Amazon Glacier
o  Take advantage of current investments and solutions for options
o  De-duplication
o  Compression
o  WAN Acceleration
[Diagram: Corporate data center (Users, Data center router, Servers, Backup System, VTL via AWS Storage Gateway over iSCSI) – Customer router – AWS Direct Connect Location (AWS Direct Connect routers) – Virtual Gateway – two VPC Subnets, each in its own Availability Zone with a Security Group; VTL, AWS Storage Gateway, Amazon S3, Amazon Glacier]
AWS Marketplace Partners: Symantec Net Backup; Veeam Backup & Replication; Cloud ONTAP Secure Cloud-Integrated Backup
Integration Adoption Roadmap - Example
[Diagram: roadmap stages]
•  Discovery Workshop
•  Cloud Business Case
•  Define Security Requirements
•  Define Network Environment
•  Organizational Structure
•  Operational Integration
•  Security Operations Playbook
•  Cloud Environment Optimization
•  Application Portfolio Analysis
•  Cost and Billing Analysis
•  Skills and Competencies
•  Define Cloud Environments
•  Define EA Policies and Practices
•  Continuous Integration & Delivery
Platform Perspective
Helps architects and technology teams understand the relationship of abstractions used to model cloud computing elements that are common across an enterprise.
Platform Perspective components describe the fundamental organization of a hybrid IT system spanning multiple environments, that is embodied in its components, their relationships to each other and their design and evolution.
The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF
AWS Marketplace software
•  Launch software on AWS with 1-click
•  Pay-by-the-hour, monthly, or annual
•  Single invoice for AWS usage & software
•  Quick deployment without friction
•  Cost reduction by using BYOL functionality in Marketplace
•  Used extensively by large enterprises
Takeaways
•  Connectivity is key to a successful hybrid integration between cloud and corporate data center
•  Authentication and Authorization are the cornerstone of Enterprise Integration
•  Hybrid infrastructure enables a variety of hybrid workload implementations
•  Application migration is just a piece of large-scale Cloud Adoption
–  The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF
NEW YORK
