© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wednesday July 6th, 2016
Landing Zone for application migrations
Koen vd Biggelaar, Sr Mgr AWS Solutions Architecture - Global Accounts
Application Migration
Create Landing Zone -> Migrate Apps -> Operate & Optimize

AWS Cloud Adoption Framework
Perspectives: Business, Platform, Maturity, People, Process, Operations, Security
Our Journey Today
Current State -> Account Structure -> Security -> Network -> Identities & Access -> Cloud Consumers -> Migrate -> Operate & Optimize
Current State: Typical Enterprise Situation
Diagram: Lines of Business raise an Infrastructure Request to Central IT, which owns Governance & Service Management, Provisioning, Monitor & Respond, Templates, Policy & Practices and Landscape Management.
Characteristics:
• Lead times of ~days/weeks/months
• Service Catalogue of components
• Often process-heavy Service Management
Current State: Opportunity to achieve agility and control
Diagram: Lines of Business (the Consumers) are served by Central IT through Automation, with Security built into the automation rather than bolted on afterwards.
Opportunities:
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management
Current State: Guiding Principles
Account Structure
• Don't overdo it on Day One
• Use separate accounts for:
  - Security and Compliance Isolation (production, non-prod, logging)
  - Cost Allocation
  - Resource Management and Ownership
Account Structure: Payer account with linked accounts
Opportunity to create linked Accounts: Create Linked Account (CLA) API
• The payer account can programmatically access and manage the new accounts through cross-account access and administrative privileges that are configured automatically during account creation.
• Currently available on a whitelisting basis: connect with your AWS Account Manager or SA. A public API will be rolled out in future; you will need to move to those new APIs then.
The CLA mechanism was pre-release at the time of this talk; the generally available equivalent is the AWS Organizations CreateAccount API, which likewise provisions an administrative cross-account role in each new member account.
Account Structure: Example layout
• Payer account: Billing, Reports
• Central Accounts: Service Catalog, Logging, Audit, Central Services
• Services Accounts: Dev & Test, Production Generic, Production Critical (option: one set per AWS Region), hosting workloads such as Mobility, IoT, Serverless, Internal business apps and Digital Platforms
Security: Analyze your CloudTrail Logs
You make API calls (from the AWS Management Console, the AWS CLI or an SDK) to AWS Services; AWS CloudTrail logs them and delivers the log files to your central Amazon S3 logging bucket, where Analysis & Action takes place.
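The analysis step is where the central logging account earns its keep. The following is an added example, not code from the deck or from AWS: it parses a CloudTrail delivery file in the gzip-compressed JSON shape CloudTrail writes to S3 and runs three first-pass checks that most landing-zone teams want (root credential use, console logins without MFA, and anyone tampering with the trail itself). The records are constructed samples; the account ID, user names and IP addresses are placeholders.

```python
"""Added example, not from the deck: first-pass analysis of CloudTrail records as delivered
to the central S3 logging bucket. The records below are constructed samples in the CloudTrail
JSON record shape; the account ID, principals and IP addresses are placeholders."""
import gzip
import io
import json
from typing import Callable, Dict, List

Event = Dict


def root_activity(ev: Event) -> bool:
    """Root credentials should sit idle once IAM roles and federation are in place."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def console_login_without_mfa(ev: Event) -> bool:
    """Successful console sign-in where CloudTrail did not record an MFA step."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def cloudtrail_tampering(ev: Event) -> bool:
    """Anyone turning the audit trail off or changing where it goes needs an immediate look."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


CHECKS: Dict[str, Callable[[Event], bool]] = {
    "root-activity": root_activity,
    "console-login-no-mfa": console_login_without_mfa,
    "cloudtrail-tampering": cloudtrail_tampering,
}


def parse_delivery(blob: bytes) -> List[Event]:
    """CloudTrail delivers gzip-compressed JSON with a top-level 'Records' list."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        return json.load(gz)["Records"]


def analyze(records: List[Event]) -> List[Dict]:
    """Run every check over every record and return one finding per hit."""
    findings = []
    for ev in records:
        for name, check in CHECKS.items():
            if check(ev):
                findings.append({
                    "check": name,
                    "time": ev.get("eventTime"),
                    "account": ev.get("recipientAccountId"),
                    "principal": ev.get("userIdentity", {}).get("arn"),
                    "source_ip": ev.get("sourceIPAddress"),
                    "event": ev.get("eventName"),
                })
    return findings


# Constructed sample delivery (placeholders: account 123456789012, users alice/bob, TEST-NET IPs).
SAMPLE_RECORDS = [
    {"eventTime": "2016-07-06T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "123456789012",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-07-06T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "recipientAccountId": "123456789012",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-07-06T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.11",
     "recipientAccountId": "123456789012",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "central-trail"}},
    {"eventTime": "2016-07-06T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "sourceIPAddress": "203.0.113.12",
     "recipientAccountId": "123456789012",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/bob"}},
]
SAMPLE_DELIVERY = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    for finding in analyze(parse_delivery(SAMPLE_DELIVERY)):
        print(finding)
```

In a real deployment the bucket should live in the logging account with a bucket policy that only lets CloudTrail write and only lets the audit role read, so that the principal whose StopLogging call you are investigating cannot also delete the evidence.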
Security: AWS Config tracks resource changes
Pipeline: Changing Resources -> Record -> Normalize -> Store -> Deliver (as a Stream of change notifications or as a point-in-time Snapshot, e.g. 2014-11-05) -> History, queried through the AWS Config APIs
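What you do with the stream or the history is compare consecutive configuration items and act on the difference. The following is an added example, not from the deck or AWS: it diffs two captures of one security group in the Config configuration-item shape and flags any ingress rule that newly opens the group to the world. Both items are constructed samples; the group ID, account and region are placeholders.

```python
"""Added example, not from the deck: compare two consecutive AWS Config configuration items
for one security group (as found in a Config snapshot or history stream) and report which
ingress rules changed, flagging any newly world-open rule. The two items are constructed
samples in the configuration-item shape; the group ID, account and region are placeholders."""
import ipaddress
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)


def ingress_rules(item: Dict) -> Set[Rule]:
    """Flatten an AWS::EC2::SecurityGroup item's ipPermissions into hashable rules.
    Config has emitted CIDRs both as plain strings (ipRanges) and as objects (ipv4Ranges)."""
    rules: Set[Rule] = set()
    for perm in item["configuration"].get("ipPermissions", []):
        proto = str(perm.get("ipProtocol", "-1"))
        frm, to = perm.get("fromPort", 0), perm.get("toPort", 65535)
        cidrs = list(perm.get("ipRanges", [])) + [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        for cidr in cidrs:
            rules.add((proto, frm, to, cidr))
    return rules


def is_world_open(rule: Rule) -> bool:
    """True for 0.0.0.0/0 (any /0 prefix)."""
    return ipaddress.ip_network(rule[3], strict=False).prefixlen == 0


def diff_items(before: Dict, after: Dict) -> Dict[str, List[Rule]]:
    """Rules added and removed between two captures of the same resource."""
    if before["resourceId"] != after["resourceId"]:
        raise ValueError("configuration items describe different resources")
    old, new = ingress_rules(before), ingress_rules(after)
    added = sorted(new - old)
    return {"added": added,
            "removed": sorted(old - new),
            "world_open_added": [r for r in added if is_world_open(r)]}


def _item(capture_time: str, permissions: List[Dict]) -> Dict:
    """Constructed configuration item; only the fields this example reads are filled in."""
    return {"configurationItemVersion": "1.2", "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0", "awsAccountId": "123456789012",
            "awsRegion": "eu-west-1", "configurationItemCaptureTime": capture_time,
            "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": permissions}}


BEFORE = _item("2016-07-06T07:00:00.000Z", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
])
AFTER = _item("2016-07-06T09:30:00.000Z", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}]},
])

if __name__ == "__main__":
    result = diff_items(BEFORE, AFTER)
    for key, rules in result.items():
        print(key, rules)
```

The same shape of comparison works for any resource type Config records; security groups are simply the one where a single changed line turns an internal-only landscape into an internet-facing one.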
Network: Key Considerations
• Non-overlapping IP ranges
• VPC Design
• Subnet Design
• Network Access Control Lists & Security Groups
• Logging and Monitoring
• Direct Connect
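Non-overlapping ranges and subnet design are worth doing in code before anyone creates a VPC, because a collision with an on-premises range is painful to fix once Direct Connect and peering are in place. The following is an added example, not from the deck or AWS: it hands each landing-zone account a VPC CIDR from a pool, skipping anything that overlaps the on-premises ranges, and carves each VPC into per-tier, per-AZ subnets. Every range, account name and AZ here is a constructed placeholder.

```python
"""Added example, not from the deck: plan non-overlapping VPC CIDRs for the landing-zone
accounts and carve each VPC into per-AZ subnets, rejecting anything that collides with the
on-premises ranges reachable over Direct Connect. Every range, account name and AZ is a
constructed placeholder."""
import ipaddress
from typing import Dict, Iterable, List, Sequence


def overlaps_any(existing: Iterable[str], candidate: str) -> bool:
    """True if candidate overlaps any range already in use (on-prem or already allocated)."""
    cand = ipaddress.ip_network(candidate)
    return any(cand.overlaps(ipaddress.ip_network(n)) for n in existing)


def allocate_vpcs(pool: str, on_prem: Sequence[str], accounts: Sequence[str],
                  vpc_prefix: int = 20) -> Dict[str, str]:
    """Hand each account the next free /vpc_prefix from the pool, skipping on-prem collisions.
    Raises if the pool runs out: better to find that out in planning than during peering."""
    taken: List[str] = list(on_prem)
    plan: Dict[str, str] = {}
    candidates = ipaddress.ip_network(pool).subnets(new_prefix=vpc_prefix)
    for account in accounts:
        for cand in candidates:
            if not overlaps_any(taken, str(cand)):
                plan[account] = str(cand)
                taken.append(str(cand))
                break
        else:
            raise ValueError(f"pool {pool} exhausted before {account}")
    return plan


def carve_subnets(vpc_cidr: str, azs: Sequence[str],
                  tiers: Sequence[str] = ("public", "private"),
                  subnet_prefix: int = 24) -> Dict[str, str]:
    """One subnet per (tier, AZ) so each tier can survive the loss of an AZ."""
    subnets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=subnet_prefix)
    return {f"{tier}-{az}": str(next(subnets)) for tier in tiers for az in azs}


# Constructed planning inputs; 10.100.32.0/20 is a deliberate collision inside the pool.
ON_PREM = ["10.0.0.0/12", "10.100.32.0/20", "192.168.0.0/16"]
ACCOUNTS = ["central-services", "non-production", "production-generic", "production-critical"]
POOL = "10.100.0.0/16"
AZS = ["eu-west-1a", "eu-west-1b"]

if __name__ == "__main__":
    for account, cidr in allocate_vpcs(POOL, ON_PREM, ACCOUNTS).items():
        print(account, cidr, carve_subnets(cidr, AZS))
```

Keep the resulting plan under version control next to the CloudFormation templates; it is the one document every later peering, Direct Connect virtual interface and security-group rule will be checked against.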
Network: Direct Connect for connecting the on-prem and AWS environments
Diagram: a Customer Gateway reaches AWS through a Partner Network to a Direct Connect Location and a Secondary Direct Connect Location (Virtual Interface #1 and Virtual Interface #2), with a VPN as backup. Two locations plus the VPN path mean a single circuit or location failure does not cut the landing zone off from the data center.
Network: Central Services in a central VPC
Central common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet Proxy
Connected environments: Production Generic, Production Business Critical, Non-production
Identity and Access Management: Control access and segregate duties everywhere
• You control who can do what in your AWS environment, when, and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• Use AWS managed policies or customer-generated policies built with the policy generator, and test them with the policy simulator
Diagram label: AWS account owner
Identities and Access Control: Sample Access Policy

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:RebootInstances"
    ],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
    }
  }]
}

Effect: Allow or Deny access to the resource
Action: the service calls the statement permits
Resource: the object or objects the statement covers; here any EC2 instance, with wildcards in the region and account fields that the slide's "arn:aws:ec2:::instance/*" form left empty
Condition: the instance must carry the tag Environment=Dev. The condition key has the form ec2:ResourceTag/<tag-key>; the slide showed it without a tag key, and "Environment" is assumed here.
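The policy simulator is the right tool against a real account, but the evaluation rules are simple enough to run offline while designing. The following is an added example, not from the deck or AWS: a small evaluator for the subset of IAM policy language the sample above uses (Allow and Deny, * and ? wildcards in Action and Resource, StringEquals on ec2:ResourceTag/<key>) plus IAM's rule that a matching explicit Deny beats any Allow. It goes one step beyond the slide by adding a second, Deny statement to show that precedence. It is not the IAM engine; the account ID, instance IDs and the Environment tag key are assumptions.

```python
"""Added example, not from the deck: an offline evaluator for the subset of IAM policy
language used by the sample policy (Allow/Deny, * and ? wildcards, StringEquals on
ec2:ResourceTag/<key>), including explicit-Deny precedence. Not the IAM engine; account ID,
instance IDs and the Environment tag key are assumptions."""
import fnmatch
import json
from typing import Any, Dict, List, Mapping

# The slide's policy, with the tag key filled in and the ARN wildcards added.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}
  }]
}
""")

# Added to show precedence: this Deny blocks reboots even where the Allow above matches.
POLICY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": POLICY["Statement"] + [
        {"Effect": "Deny", "Action": "ec2:RebootInstances", "Resource": "*"}
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns: Any, value: str) -> bool:
    """IAM Action/Resource matching: * matches any run of characters, ? a single one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Mapping[str, Mapping[str, Any]],
                     resource_tags: Mapping[str, str]) -> bool:
    """Only StringEquals on ec2:ResourceTag/<key> is supported; anything else fails loudly
    rather than silently granting access."""
    prefix = "ec2:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not supported by this evaluator")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not supported")
            if resource_tags.get(key[len(prefix):]) not in _as_list(expected):
                return False
    return True


def is_allowed(policy: Dict, action: str, resource_arn: str,
               resource_tags: Mapping[str, str]) -> bool:
    """Default deny; a matching Allow grants; a matching Deny wins regardless of order."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action):
            continue
        if not _glob_match(stmt["Resource"], resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Assumed instance ARNs in an assumed account.
DEV_INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0aaaaaaaaaaaaaaa1"
PROD_INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0bbbbbbbbbbbbbbb2"

if __name__ == "__main__":
    print(is_allowed(POLICY, "ec2:StopInstances", DEV_INSTANCE, {"Environment": "Dev"}))
    print(is_allowed(POLICY, "ec2:StopInstances", PROD_INSTANCE, {"Environment": "Prod"}))
    print(is_allowed(POLICY_WITH_DENY, "ec2:RebootInstances", DEV_INSTANCE, {"Environment": "Dev"}))
```

The untagged-instance case is the one to notice: with no Environment tag the condition fails and the request is implicitly denied, so a tag-conditioned Allow only works if the provisioning path (the Service Catalog product) guarantees the tag is set.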
Identities and Access Control: Example user types with corresponding access policies

Role (typical access policy)
Access Managers:
  IAM Master: create policies
  IAM Manager: assign policies
  Audit: read-only
Administrators:
  Administrator: landscape management
  Administrator: Service Catalog
Design and build roles:
  Architect: create landscapes
  Storage: design and build
  Network: design and build
  DevOps: API access
Application Owners:
  App Owner: landscape owner
Support and Operations:
  Support: account policy
  Empty Role: no policy

The split between IAM Master (writes policies) and IAM Manager (attaches them) is the segregation-of-duties control: neither identity can both author a policy and grant it to itself.
Identity and Access Management: Federation with on-prem directory
Flow: the user signs in through a browser interface against the Identity Store in the Corporate Data Center (Identity and Authentication); their AD Group is mapped to a specific IAM Role with an Access Policy, and that role is what gives them Access to AWS.
Cloud Consumers: AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner.
• Administrators get Control: standardization, governance
• Users get Agility: self-service, time to market

Product = Template (AWS CloudFormation)
• JSON formatted file: parameter definition, resource creation, configuration actions
• Running Stack: configured AWS services
• Comprehensive service support, service event aware, customisable
• Framework: stack creation, stack updates, error detection and rollback
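What a product template looks like in practice: the following is an added example, not a template from the deck or from AWS. It provisions one EC2 instance and shows the three things the slide lists (parameter definition, resource creation, outputs) with the controls an administrator would want baked in: AllowedValues so the consumer can only pick approved instance sizes, an AllowedPattern on the admin CIDR, and an Environment tag that the IAM policy above can key on. Every default value, parameter name and resource name is an assumption.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example product template (not the deck's): one EC2 instance in an approved subnet, limited to approved sizes, tagged so IAM conditions can match it",
  "Parameters": {
    "InstanceType": {
      "Type": "String",
      "Default": "t2.micro",
      "AllowedValues": ["t2.micro", "t2.small", "t2.medium"],
      "Description": "Only the sizes approved for this product; this is the choice the consumer sees under Configuring Options"
    },
    "Environment": {
      "Type": "String",
      "Default": "Dev",
      "AllowedValues": ["Dev", "Test"],
      "Description": "Tag value that downstream IAM conditions (ec2:ResourceTag/Environment) match on"
    },
    "AmiId": {
      "Type": "AWS::EC2::Image::Id",
      "Description": "Hardened base image approved by Central IT"
    },
    "VpcId": {
      "Type": "AWS::EC2::VPC::Id"
    },
    "SubnetId": {
      "Type": "AWS::EC2::Subnet::Id",
      "Description": "Private subnet from the landing-zone subnet plan"
    },
    "AdminCidr": {
      "Type": "String",
      "Default": "10.0.0.0/8",
      "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$",
      "Description": "Where SSH may come from; the pattern rejects free text, the default keeps it on the corporate range"
    }
  },
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SSH from the corporate network only",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}
        ],
        "Tags": [{"Key": "Environment", "Value": {"Ref": "Environment"}}]
      }
    },
    "Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Ref": "AmiId"},
        "InstanceType": {"Ref": "InstanceType"},
        "SubnetId": {"Ref": "SubnetId"},
        "SecurityGroupIds": [{"Ref": "InstanceSecurityGroup"}],
        "Tags": [
          {"Key": "Environment", "Value": {"Ref": "Environment"}},
          {"Key": "Product", "Value": {"Ref": "AWS::StackName"}}
        ]
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "Surfaced to the consumer as a launched-product output",
      "Value": {"Ref": "Instance"}
    },
    "PrivateIp": {
      "Value": {"Fn::GetAtt": ["Instance", "PrivateIp"]}
    }
  }
}
```

The template says what gets built; who may launch it and with which permissions is set on the portfolio as a launch constraint (an IAM role Service Catalog assumes to run the stack), which is how a consumer with no ec2:RunInstances permission of their own can still provision the product.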
Administrator Interaction: CloudFormation to create products
1. The Landscape Architect authors the template
2. Creates the product
3. Creates a portfolio and assigns the product to it
4. Adds constraints, grants access and adds tags

Administrator Interaction: Managing products
Product X has Versions; it can be placed in Portfolio A and Portfolio B, and each portfolio carries its own Users and Roles, Constraints and Tags.
Agility and Control: Opportunities to strengthen the handshake
• User-generated products to foster innovation
• Back-end micro-services acting on the stacks
• Scheduled functions

Cloud Consumer Interaction: Overview
Flow: the Administrator publishes Products into a Portfolio -> Cloud Consumers browse products -> select a version, provision the product and configure its parameters -> deploy -> notifications and outputs come back to the consumer (and to the scheduled functions and back-end micro-services acting on the stacks).
Cloud Consumer Interaction (console screenshots)
• Browse Products: Available Products, Launch Product, Launched Products
• Configuring Options: EC2 Instance type, Schedule on/off, Schedule details
• Launched Product: Launched Product details
• Cost Overview: costs broken down by environment (Prod, Test, Dev) and IT Security
AWS Service Catalog: Announcing today
• End User APIs are Generally Available, with SDK and CLI support
• CloudTrail support for End User actions in the UI and the API
• Product version default limit raised to 50 per product
Our Journey Today: What did we cover?
Current State -> Account Structure -> Security -> Network -> Identities & Access -> Cloud Consumers -> Migrate -> Operate & Optimize
Application Migration Approach
Create Landing Zone -> Migrate -> Operate & Optimize
Thank you