Hybrid Infrastructure Integration is an approach to connect on-premises IT resources with AWS and bridge processes, services, and technologies used in common enterprise customer environments. This session addresses connectivity patterns, security controls, account governance, and operations monitoring approaches successfully implemented in enterprise engagements. Infrastructure architects and IT professionals can get an overview of various integration types, approaches, methodologies, and common service patterns, helping them to better understand and overcome typical challenges in hybrid enterprise environments.
6. AWS Virtual Private Network (IPSec VPN)
- IPSec hardware VPN connection. Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
- Encryption and validation
- Private RFC 1918 addressing
- Uses Border Gateway Protocol (BGP) for routing and fail-over
- VPN service provides managed redundant end-points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
[Diagram: corporate data center (users, data center router, servers) connected across the Internet by an IPSec VPN to a Virtual Gateway, which fronts VPC subnets in two Availability Zones, each with its own Security Group]
7. AWS Direct Connect
- Requires Layer 2 single mode fiber, 1000BASE-LX or 10GBASE-LR
- Requires 802.1Q VLANs across the connection
  - Tagging of IP traffic
- Routing uses BGP A/A or A/P multipath
- Each DX is mapped to a single AWS Region
http://aws.amazon.com/directconnect/
[Diagram: corporate data center (users, data center router, servers) linked through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway, which fronts VPC subnets in two Availability Zones, each with its own Security Group]
8. AWS Direct Connect + AWS VPN
- Dedicated network path with assured bandwidth
- More secure than Internet-based IPSec VPN: avoids traversing the Internet
- Reduced IPSec network transfer costs
- Additional network security
http://aws.amazon.com/directconnect/
[Diagram: corporate data center (users, data center router, servers) linked through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers, with an IPSec VPN running over that path to a Virtual Gateway fronting VPC subnets in two Availability Zones, each with its own Security Group]
10. Active Directory and LDAP
- Reduced back-reach traffic
- Reduced latency for authentication
- Additional resiliency
- Enablement of both:
  - Multi-master read/write Domain Controllers
  - Read-only Domain Controllers (RODCs)
  - Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

Ports to open between on-premises and VPC domain controllers:

Type | Port Number
-----|------------------------------------------------------------------------------
TCP  | 54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
UDP  | 53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535

[Diagram: AD.Domain with a domain controller in the corporate data center and domain controllers in VPC subnets in two Availability Zones (each with Security Groups), connected over the customer router, AWS Direct Connect location and routers, and the Virtual Gateway; Active Directory replication runs between the on-premises and VPC domain controllers]
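The port table above is what the Security Groups around the VPC domain controllers have to allow, and only from the data-center ranges that arrive over the VPN or Direct Connect path. The following is an example added here, not code from the deck: it turns that table into EC2-style ingress rules scoped to on-premises RFC 1918 CIDRs and audits an existing rule set against the table. The source CIDRs are constructed sample values.

```python
import ipaddress

# Port table exactly as printed on the slide above. TCP 54 as printed should be
# checked against the AD reference architecture whitepaper (DNS normally uses 53).
AD_PORTS = {
    "tcp": [54, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, (49152, 65535)],
    "udp": [53, 67, 123, 138, 389, 445, 464, 2535, 5355, (49152, 65535)],
}
# Slide 6 requires private RFC 1918 addressing on the VPN; reject anything else.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _range(port):
    return port if isinstance(port, tuple) else (port, port)


def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def build_dc_ingress_rules(source_cidrs):
    """One ingress rule per (protocol, port range), scoped to the on-premises
    CIDRs only. Output uses the IpPermissions shape the EC2 API accepts."""
    for cidr in source_cidrs:
        if not is_rfc1918(cidr):
            raise ValueError(f"{cidr} is not a private RFC 1918 range")
    ranges = [{"CidrIp": c, "Description": "on-prem AD source"} for c in source_cidrs]
    rules = []
    for proto, ports in AD_PORTS.items():
        for lo, hi in map(_range, ports):
            rules.append({"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": ranges})
    return rules


def audit_rules(rules):
    """Findings a reviewer would raise: any-source CIDRs, or ports not in the table."""
    allowed = {(p, _range(port)) for p, ports in AD_PORTS.items() for port in ports}
    findings = []
    for r in rules:
        label = f"{r['IpProtocol']}/{r['FromPort']}-{r['ToPort']}"
        if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r["IpRanges"]):
            findings.append(f"{label} open to any source")
        if (r["IpProtocol"], (r["FromPort"], r["ToPort"])) not in allowed:
            findings.append(f"{label} not in the AD port table")
    return findings
```

The ephemeral range 49152-65535 is deliberately kept as a single rule so that the rule count stays readable; it is the RPC dynamic port range and cannot be narrowed without reconfiguring the domain controllers.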
11. AWS Directory Service
- Deploys in two modes
  - Directory Service Connect
  - Simple AD - built on Samba 4 Active Directory compatible server
- Simplifies IAM federation
  - Avoids complexity and cost of hosting SAML-based federation infrastructure
  - Acts as a proxy - no data is stored on AWS infrastructure
  - Supports existing RADIUS-based MFA
  - Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
[Diagram: AD.Domain with a domain controller in the corporate data center, reached from AD Connectors in VPC subnets in two Availability Zones (each with Security Groups) over the customer router, AWS Direct Connect location and routers, and the Virtual Gateway]
12. AWS Federation/Account Governance
[Diagram: multi-account structure]
- Accounts: Billing account; User management account; Security / Audit account; Production account #1; Non-prod account #1; Non-prod account #2
- User groups: Financial users, controllers; SOC/Auditors; Global AWS admin; Software development; App owners; DevOps teams
- Account purposes: Financial; Security/audit; Production; Dev/test/sandbox
- Annotations: Consolidated Billing, Billing Alerts; Read-only access for all accounts
13. Operations Tools and Monitoring
- Security monitoring integration points with CloudTrail and SIEM Aggregator
- Logging with CloudTrail and SNMP MIBs to SIEM Aggregator
- Platform and app health to SIEM Aggregator via agent on EC2 guest
- Access to patching and updates for AMI by on-premises Update Server
[Diagram: corporate data center (users, data center router, Update Servers, SIEM Aggregator) connected through the customer router, AWS Direct Connect location and routers, and the Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group); CloudTrail, CloudWatch and the CloudTrail S3 Bucket feed the SIEM Aggregator]
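The CloudTrail S3 bucket in the diagram holds gzip JSON objects whose body is a "Records" list; the SIEM Aggregator has to flatten those records and apply the first checks a hybrid SOC wants. The following is an example added here, not the deck's code: it normalizes CloudTrail records and flags console sign-ins without MFA and calls whose source address is outside the corporate data center. The records, the account id and the on-premises CIDR are constructed samples; the field names are the standard CloudTrail record fields.

```python
import ipaddress
import json

ON_PREM_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed data-center range

# Constructed sample of one CloudTrail log file body, in the "Records" shape the S3 objects use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "10.20.4.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-10-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-10-01T12:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.20.4.7", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111111111111:assumed-role/Admin/alice"}},
]})


def from_on_prem(ip):
    """True when the caller's address is inside the data-center ranges; AWS service
    names in sourceIPAddress (and missing values) are never treated as on-prem."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in ON_PREM_CIDRS)
    except ValueError:
        return False


def normalize(record):
    """Flatten one CloudTrail record into the key/value form a SIEM indexes."""
    ident = record.get("userIdentity", {})
    return {"ts": record["eventTime"], "source": record["eventSource"],
            "action": record["eventName"], "region": record.get("awsRegion"),
            "src_ip": record.get("sourceIPAddress"), "actor": ident.get("arn"),
            "actor_type": ident.get("type"), "error": record.get("errorCode"),
            "mfa": record.get("additionalEventData", {}).get("MFAUsed")}


def analyze(log_body):
    """Return (normalized events, alerts) for one log file; each alert is
    (rule, actor ARN, source IP) so the SIEM can correlate it with the raw event."""
    events = [normalize(r) for r in json.loads(log_body)["Records"]]
    alerts = []
    for e in events:
        if e["action"] == "ConsoleLogin" and e["mfa"] != "Yes":
            alerts.append(("console_login_without_mfa", e["actor"], e["src_ip"]))
        if not from_on_prem(e["src_ip"]):
            alerts.append(("source_outside_data_center", e["actor"], e["src_ip"]))
    return events, alerts
```

Calls made on a user's behalf by an AWS service carry the service name in sourceIPAddress and an invokedBy field; the example treats them as off-premises, so a production rule would whitelist the services the environment actually uses.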
16. Deployment and Management
Options from convenience to control:
- AWS Elastic Beanstalk: automated resource management, web apps made easy
- AWS OpsWorks: DevOps framework for application lifecycle management and automation
- AWS CloudFormation: templates to deploy & update infrastructure as code
- DIY / On Demand: DIY, on demand resources: EC2, S3, custom AMIs, etc.
17. Continuous Integration and Deployment
- Automates application deployments for both on-premises and AWS EC2 instances with use of CodeDeploy
- Reuse existing scripts and tools
  - Bash, PowerShell, Chef, Puppet, anything…
- Integrate with developer tool chain
  - GitHub, Jenkins, CloudBees, TravisCI, Eclipse…
[Diagram: corporate data center (users, data center router, servers running a CodeDeploy agent) connected through the customer router, AWS Direct Connect location and routers, and the Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group) whose instances also run the agent; AWS CodeDeploy, AWS CloudFormation and an S3 bucket drive the deployments]
18. Managed AWS Services
- Managed services advantages
  - Flexibility and agility
  - Scalability
  - Security
  - Automated maintenance & upgrade
[Diagram: corporate data center (users, data center router, servers running MySQL and Apache Kafka) connected through the customer router, AWS Direct Connect location and routers, and the Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group) using MySQL, Amazon Redshift, Amazon EMR and an S3 bucket]
20. Storage expansion
- Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
- Local disk cache to provide fast on-premises access
- Gateway-side encryption for security
[Diagram: corporate data center (users, data center router, servers, iSCSI storage appliance) with an AWS Storage Gateway presenting iSCSI volumes, connected through the customer router, AWS Direct Connect location and routers, and the Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group) and to Amazon S3]
AWS Marketplace partners: Cloud ONTAP Secure Cloud-Integrated Backup, Panzura Global NAS, TwinStrata CloudArray
21. Backup and archiving
- Backup gateways integrated with Amazon S3
- Leverage Amazon S3 archival to Amazon Glacier
- Take advantage of current investments and solutions; options include:
  - De-duplication
  - Compression
  - WAN acceleration
[Diagram: corporate data center (users, data center router, servers, backup system) with an AWS Storage Gateway exposing a VTL over iSCSI, connected through the customer router, AWS Direct Connect location and routers, and the Virtual Gateway to VPC subnets in two Availability Zones (each with a Security Group), Amazon S3 and Amazon Glacier]
AWS Marketplace partners: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP Secure Cloud-Integrated Backup
22. Integration Adoption Roadmap - Example
- Discovery Workshop
- Cloud Business Case
- Define Security Requirements
- Define Network Environment
- Organizational Structure
- Operational Integration
- Security Operations Playbook
- Cloud Environment Optimization
- Application Portfolio Analysis
- Cost and Billing Analysis
- Skills and Competencies
- Define Cloud Environments
- Define EA Policies and Practices
- Continuous Integration & Delivery
23. Platform Perspective
Helps architects and technology teams understand the relationship of abstractions used to model cloud computing elements that are common across an enterprise.
Platform Perspective components describe the fundamental organization of a hybrid IT system spanning multiple environments, that is embodied in its components, their relationships to each other and their design and evolution.
The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF
24. AWS Marketplace software
- Launch software on AWS with 1-click
- Pay by the hour, monthly, or annually
- Single invoice for AWS usage & software
- Quick deployment without friction
- Cost reduction by using BYOL functionality in Marketplace
- Used extensively by large enterprises
25. Takeaways
- Connectivity is key to a successful hybrid integration between cloud and corporate data center
- Authentication and authorization are the cornerstone of enterprise integration
- Hybrid infrastructure enables a variety of hybrid workload implementations
- Application migration is just a piece of large-scale Cloud Adoption
  - The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF