AWS Summit Berlin 2015

  • Jumpstart Your Hybrid Cloud Environment

    Philipp Behre

  • Objectives

    o Define hybrid infrastructure integration
    o Showcase examples of hybrid implementation patterns
    o Discuss common hybrid infrastructure workloads

  • A path to the cloud (agenda)

    o Start: what is hybrid infrastructure?
    o Connectivity: Amazon VPC VPN, AWS Direct Connect, integrated (Direct Connect + VPN)
    o Authentication: enterprise integration, federation
    o Operations monitoring
    o Common workloads in hybrid infrastructure: backup & archive, storage expansion

  • Corporate data center: expand your data center to the cloud

  • What do we mean by a hybrid integration?

    On-premises resources (the data center) and cloud services (cloud infrastructure), integrated along four dimensions:

    o Workload migration and integration
    o Enterprise management tools
    o Access/authentication control integration
    o Connectivity

  • Identifying what needs to be done

    We examine each of these perspectives with you to identify the goals, the implications, and specifically what needs to be addressed.


  • AWS Virtual Private Network (IPsec VPN)

    o IPsec hardware VPN connection between the data center router and a virtual private gateway attached to the VPC
      Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
    o IPsec provides encryption and integrity/authentication of the traffic while it crosses the Internet
    o Private RFC 1918 addressing on both sides
    o Uses Border Gateway Protocol (BGP) for routing and fail-over
    o The VPN service provides managed, redundant endpoints (two tunnels per VPN connection); configure both tunnels on the customer gateway, otherwise fail-over does not happen
    http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

    [Diagram: corporate data center (users, servers, data center router) connected over the Internet by an IPsec VPN to a virtual private gateway in front of two VPC subnets, each in its own Availability Zone with its own security group]

  • AWS Direct Connect

    o Requires Layer 2 single-mode fiber: 1000BASE-LX (1 Gbps) or 10GBASE-LR (10 Gbps)
    o Requires 802.1Q VLAN tagging of the IP traffic across the connection
    o Routing uses BGP, active/active or active/passive multipath
    o Each Direct Connect connection is mapped to a single AWS Region
    http://aws.amazon.com/directconnect/

    [Diagram: corporate data center (users, servers, data center router) to the customer router at the AWS Direct Connect location, to the AWS Direct Connect routers, to a virtual private gateway in front of two VPC subnets, each in its own Availability Zone with its own security group]

  • AWS Direct Connect + AWS VPN

    o Dedicated network path with assured bandwidth
    o Traffic never traverses the public Internet, so the path is more predictable and less exposed than an Internet-based IPsec VPN
    o Direct Connect on its own is a private circuit, not an encrypted channel; running the IPsec VPN over the Direct Connect path adds encryption and authentication on top of the private path
    o Reduced data transfer costs compared with IPsec traffic over the Internet
    http://aws.amazon.com/directconnect/

    [Diagram: same topology as the Direct Connect slide (corporate data center, customer router at the Direct Connect location, AWS Direct Connect routers, virtual private gateway, two VPC subnets in separate Availability Zones with their own security groups), with an IPsec VPN tunnel running over the Direct Connect path]


  • Active Directory and LDAP

    Active Directory replication between on-premises domain controllers and domain controllers running in the VPC:

    o Reduced back-reach traffic
    o Reduced latency for authentication
    o Additional resiliency
    o Enablement of both:
      - Multi-master read/write domain controllers
      - Read-only domain controllers (RODCs)
    o Requires IPsec VPN or Direct Connect connectivity
    http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

    [Diagram: corporate data center (users, servers, two domain controllers in AD.Domain) replicating over the virtual private gateway with a domain controller in each of two VPC subnets, each in its own Availability Zone with its own security group]

    Ports the VPC security group must allow for replication (source: the on-premises domain controllers only, not the whole corporate range):

    Type  Port number
    TCP   53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 49152-65535
    UDP   53, 67, 123, 138, 389, 445, 464, 2535, 5355, 49152-65535
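The port table above is only half of the security group: the other half is the source. An added example, not from the Summit deck, that turns the table into the ingress rules an in-VPC domain controller's security group needs, limited to the on-premises domain controller addresses, and checks a rule set for the two ways this usually goes wrong (a source of 0.0.0.0/0, or a source wider than the peers that actually replicate). The addresses 10.0.0.10/32 and 10.0.0.11/32 are constructed placeholders; the rule shape is the IpPermissions structure that EC2's authorize-security-group-ingress accepts.

```python
"""Security group ingress rules for Active Directory replication (added example).

The port numbers are the ones from the AD reference-architecture slide; the
on-premises domain controller addresses below are made up for the example.
"""
from ipaddress import ip_network

# TCP 53 is DNS; 49152-65535 is the RPC dynamic port range replication uses.
AD_TCP_PORTS = [53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722,
                (49152, 65535)]
AD_UDP_PORTS = [53, 67, 123, 138, 389, 445, 464, 2535, 5355, (49152, 65535)]

ON_PREM_DCS = ["10.0.0.10/32", "10.0.0.11/32"]   # constructed: on-premises DCs


def _span(port):
    """A single port or a (low, high) tuple as a (low, high) pair."""
    return port if isinstance(port, tuple) else (port, port)


def ad_ingress_rules(sources):
    """Build one IpPermissions entry per protocol/port, each limited to `sources`.

    `sources` is the list of CIDRs that are allowed to talk to the domain
    controller; for replication that is the on-premises DCs, nothing wider.
    """
    rules = []
    for proto, ports in (("tcp", AD_TCP_PORTS), ("udp", AD_UDP_PORTS)):
        for port in ports:
            lo, hi = _span(port)
            rules.append({
                "IpProtocol": proto,
                "FromPort": lo,
                "ToPort": hi,
                "IpRanges": [{"CidrIp": c, "Description": "on-prem DC"} for c in sources],
            })
    return rules


def check_least_privilege(rules, allowed_cidrs):
    """Return findings for rules that reach beyond the expected peers.

    Flags all-traffic rules (protocol -1), any 0.0.0.0/0 source, and any
    source that is not contained in one of `allowed_cidrs`.
    """
    allowed = [ip_network(c) for c in allowed_cidrs]
    findings = []
    for r in rules:
        label = f"{r['IpProtocol']}/{r.get('FromPort')}-{r.get('ToPort')}"
        if r["IpProtocol"] == "-1":
            findings.append(f"{label} allows all traffic")
        for rng in r.get("IpRanges", []):
            net = ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"{label} open to the world")
            elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{label} from unexpected {net}")
    return findings


if __name__ == "__main__":
    good = ad_ingress_rules(ON_PREM_DCS)
    print(f"{len(good)} rules, findings: {check_least_privilege(good, ON_PREM_DCS)}")
    sloppy = ad_ingress_rules(["10.0.0.0/8"])   # whole corporate range instead of the DCs
    for f in check_least_privilege(sloppy, ON_PREM_DCS)[:3]:
        print("finding:", f)
```

The check is worth running against what is actually deployed, not just what was planned: the RPC dynamic range is wide enough that a rule opened to the corporate /8 "temporarily" for troubleshooting effectively exposes every high port on the domain controller to every on-premises host.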

  • AWS Directory Service

    o Deploys in two modes:
      - AD Connector (directory service connect): proxies authentication requests to the existing on-premises Active Directory
      - Simple AD: a standalone directory built on a Samba 4 Active Directory compatible server
    o AD Connector simplifies IAM federation:
      - Avoids the complexity and cost of hosting SAML-based federation infrastructure
      - Acts as a proxy: no directory data is stored on AWS infrastructure
      - Supports existing RADIUS-based MFA
    o Requires IPsec VPN or Direct Connect connectivity to the on-premises domain controllers
    http://aws.amazon.com/directoryservice/

    [Diagram: corporate data center (users, servers, domain controller in AD.Domain) connected over the virtual private gateway to AWS Directory Service (AD Connector) in two VPC subnets, each in its own Availability Zone with its own security group]

  • AWS federation/account governance

    [Diagram: a multi-account structure and the user groups that federate into each account]

    o Billing account: financial users and controllers; consolidated billing and billing alerts
    o User management account: global AWS admins
    o Security/audit account: SOC and auditors; read-only access into all accounts
    o Production account #1: app owners
    o Non-prod accounts #1 and #2 (dev/test/sandbox): DevOps teams
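The "read-only access for all accounts" arrow in that picture is implemented as a role in every member account whose trust policy names only the security/audit account. An added example, not from the deck, that generates that trust policy (MFA required on the assuming principal) and lints a trust policy for the mistakes that quietly widen the audience: a wildcard principal, a principal from an account outside the expected set, or AssumeRole allowed without the MFA condition. The account IDs are constructed placeholders; the permissions policy attached to the role (e.g. the AWS managed ReadOnlyAccess policy) is a separate document and not shown.

```python
"""Cross-account read-only audit role: trust policy generator and linter (added example).

Account IDs are constructed placeholders, not real accounts.
"""
import json

SECURITY_ACCOUNT = "111111111111"                                    # constructed
MEMBER_ACCOUNTS = {"billing": "222222222222", "prod-1": "333333333333"}  # constructed


def audit_role_trust_policy(trusting_account_ids, require_mfa=True):
    """Trust policy for the audit role in a member account.

    Only the root principal of each listed account may assume the role, and
    only with MFA present on the calling session.
    """
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusting_account_ids]},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def trust_policies_for_members():
    """One trust policy per member account, all trusting the security account."""
    return {name: audit_role_trust_policy([SECURITY_ACCOUNT]) for name in MEMBER_ACCOUNTS}


def lint_trust_policy(policy, expected_account_ids):
    """Findings for Allow statements that widen who can assume the role.

    Only the "AWS" principal key is inspected; service principals are ignored.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            if p == "*":
                findings.append("wildcard principal")
                continue
            # ARN form arn:aws:iam::<account>:root or a bare account ID
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct not in expected_account_ids:
                findings.append(f"unexpected principal account {acct}")
        cond = stmt.get("Condition", {})
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
        if mfa != "true":
            findings.append("AssumeRole without MFA condition")
    return findings


if __name__ == "__main__":
    for name, policy in trust_policies_for_members().items():
        print(name, json.dumps(policy, indent=2))
        print("findings:", lint_trust_policy(policy, {SECURITY_ACCOUNT}))
```

Run the linter over the trust policy of every role named *Audit* or *ReadOnly* across the accounts, not only the ones you created: a role trusting a whole account's root principal delegates the decision of who may assume it to that account's IAM administrators, so the set of trusted accounts is the control.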

  • Operations monitoring

    o Security monitoring integration points: AWS CloudTrail feeding the SIEM aggregator
    o Logging: CloudTrail records and SNMP MIBs forwarded to the SIEM aggregator
    o Platform and application health sent to the SIEM aggregator via an agent on the EC2 guest, alongside Amazon CloudWatch
    o Patching and updates for instances launched from the AMI pulled from the on-premises update server over the private connection

    [Diagram: corporate data center (users, data center router, update servers, SIEM aggregator) connected over the virtual private gateway to two VPC subnets, each in its own Availability Zone with its own security group; AWS CloudTrail and Amazon CloudWatch feed the SIEM aggregator]
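What the SIEM aggregator does with the CloudTrail feed is the part the slide leaves implicit. An added example, not from the deck, of the triage a SIEM rule set applies to a batch of CloudTrail records: it flags calls that switch off or weaken the audit trail, security groups opened to the world, console logins without MFA, and API calls whose source address is outside the corporate egress range (in a hybrid setup most human activity should arrive through the corporate network). The records and the corporate CIDR 203.0.113.0/24 are constructed samples trimmed to the fields the rules use, not real CloudTrail output.

```python
"""CloudTrail triage rules for a SIEM aggregator (added example).

Sample records and the corporate egress range are constructed for the example.
"""
import json
from ipaddress import ip_address, ip_network

CORPORATE_EGRESS = [ip_network("203.0.113.0/24")]   # constructed corporate NAT range

# Event names that disable or erode the audit trail itself.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail",
                   "PutEventSelectors", "DeleteFlowLogs"}

SAMPLE_RECORDS = [   # constructed
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DevOps/carol"},
     "requestParameters": {"ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_ranges(rec):
    """Protocol/port ranges in an AuthorizeSecurityGroupIngress call with a /0 source."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for p in perms:
        for r in p.get("ipRanges", {}).get("items", []):
            if r.get("cidrIp", "").endswith("/0"):
                found.append(f"{p.get('ipProtocol')}/{p.get('fromPort')}-{p.get('toPort')}")
    return found


def _from_corporate(source):
    """True for corporate addresses and for service-originated calls, whose
    sourceIPAddress is a DNS name such as ec2.amazonaws.com rather than an IP."""
    try:
        addr = ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in CORPORATE_EGRESS)


def triage(records):
    """Return one alert dict per matched rule, in record order."""
    alerts = []
    for rec in records:
        name, src, actor = rec.get("eventName"), rec.get("sourceIPAddress", ""), _actor(rec)
        base = {"actor": actor, "event": name, "source": src}
        if name in AUDIT_TAMPERING:
            alerts.append({"severity": "high", "rule": "audit-tampering", **base})
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append({"severity": "medium", "rule": "console-login-no-mfa", **base})
        for rng in _world_open_ranges(rec):
            alerts.append({"severity": "high", "rule": "sg-open-to-world", "detail": rng, **base})
        if not _from_corporate(src):
            alerts.append({"severity": "medium", "rule": "non-corporate-source", **base})
    return alerts


def to_siem_line(alert):
    """One JSON line per alert, keys sorted so the aggregator sees a stable schema."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(to_siem_line(alert))
```

To feed real data, read the gzipped JSON objects CloudTrail delivers to its S3 bucket (each carries a "Records" list) and pass that list to triage; the audit-tampering rule is the one to page on, because every other alert depends on the trail still being written.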


  • Backup and archiving

    o Backup gateways integrated with Amazon S3
    o Leverage Amazon S3 archival to Amazon Glacier
    o Take advantage of current investments and solutions for options like:
      - De-duplication
      - Compression
      - WAN acceleration

    [Diagram: corporate data center (application, virtual, file and database servers) backed up by the backup system through AWS Storage Gateway over iSCSI to Amazon Simple Storage Service (S3) and on to Amazon Glacier; AWS Marketplace partner products shown: Symantec NetBackup, Veeam Backup & Replication, Cloud ONTAP Secure Cloud-Integrated Backup]

  • Storage expansion

    o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
    o Local disk cache to provide fast on-premises access
    o Gateway-side encryption for security

    [Diagram: corporate data center (application, virtual, file and database servers) attached over iSCSI to a storage appliance / AWS Storage Gateway backed by Amazon Simple Storage Service; AWS Marketplace partner products shown: Cloud ONTAP Secure Cloud-Integrated Backup, Panzura Global NAS, TwinStrata CloudArray]

  • One more excursion

  • An integrated approach to gain transparency

    [Diagram: change-management loop around AWS Service Catalog, AWS CloudTrail, Amazon S3 and Amazon CloudWatch]

    o The IT admin creates or updates a template, validates it, provisions it as a resource stack and publishes it to AWS Service Catalog
    o Project teams select and provision resource stacks from the catalog
    o AWS CloudTrail captures all API interaction and secures the audit data in durable storage (Amazon S3)
    o Amazon CloudWatch alarms monitor AWS and application metrics and initiate the change monitor
    o The change monitor watches the audit logs and the alarms and notifies on change and on alert