Content: Not VMworld 2017 - RainFocus ... o Integration with AWS Lambda o Amazon API Gateway o AWS WAF


  • Paul Bockelman, AWS Principal Solutions Architect (WWPS)

    Haider Witwit, AWS Senior Solutions Architect (WWPS)

    LHC3376BUS

    #VMworld #LHC3376BUS

    AWS Native Services Integration with VMware Cloud on AWS

    Technical Deep Dive

    VMworld 2017 Content: Not for publication or distribution

  • What to expect from the session

    #LHC3376BUS CONFIDENTIAL

    • Technical recap – VMware Cloud on AWS

    • {Sample} Integration use case

    • Services introduction & solution designs

    • Solution summary


  • VMware Cloud on AWS Technical Recap

  • VMware Cloud on AWS: Overview

    [Architecture figure: customer data center (vCenter Server, vRealize Suite, PowerCLI) alongside VMware Cloud on AWS running on AWS Global Infrastructure, managed through vCenter Server. Labels: "Single pane of glass and API across on-premises and cloud"; "Access to all AWS services" (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, Amazon Redshift); "AWS CloudFormation, AWS CLI, AWS SDK".]

  • VMware Cloud on AWS: AWS view

    VMware operated, supported, and maintained … fully configured VMware software stack running on state-of-the-art infrastructure, provisioned on demand in minutes.

    Latest software

    • VCSA, ESXi, NSX, VSAN, H5 client

    Dynamic capacity

    • DRS/HA compute cluster (Intel x86)

    • VSAN storage cluster (SSD)

    • NSX network virtualization (10 Gbps+)

    Flexible topology

    • Standalone cloud cluster

    • Hybrid connectivity to on-premises

    • Cloud-to-cloud connectivity

    [Overview figure: a VMware Cloud on AWS SDDC of ESXi hosts on single-tenant (dedicated) bare-metal Amazon EC2 hardware, with vCenter Server, Gateway and NSX Manager.]

  • VMware Cloud on AWS: AWS integration

    [Figure: VMware Cloud on AWS inside AWS Global Infrastructure, with access to all native AWS services: Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, AWS IoT.]

  • VMware Cloud on AWS: Base Topology

    [Topology figure: the customer data center connects to an AWS Region. The AWS customer VPC spans AZ A, AZ B and AZ C and contains an IGW, a DMZ-Out (public) subnet, a VPC S3 endpoint and AWS Region services (Amazon CloudWatch, AWS CloudTrail, Amazon S3); it attaches to the VMware Cloud VPC through the VMware Cloud ENI. The VMware Cloud VPC holds an ESXi resource pool on Amazon EC2 with DMZ-In (private), App (private) and DMZ-Out (public) segments behind two Compute Gateways and a Management Gateway, its own IGW, and the VMs DB1, DB2, RWP, APP1 and APP2.]

  • {Sample} Integration Use Case

  • Integration Use Case: Overview

    VMware Cloud on AWS customer ACME Distribution is hosting two (2) web-based, internet-facing applications in its VMware Cloud on AWS SDDC account and is launching a third web application in its AWS account.

    ACME is seeking to meet the following requirements from an integration with native AWS Services:

    • Horizontally scale SDDC ‘Application 2’ and consolidate public application access across accounts (require SSL)

    • Globally distributed (from a single origin) application(s) with effective mitigation of DDoS and L3/L4/L7 attacks

    • Increased security visibility and (near) real-time access control

    [Figure: the VMware Cloud VPC with an ESXi resource pool on Amazon EC2, DMZ-In (private), App (private) and DMZ-Out (public) segments, an IGW, a Compute Gateway and a Management Gateway, and the VMs DB1, DB2, RWP, APP1 and APP2.]

  • Services introduction & solution designs

  • Req #1 – Scale and Consolidate Public Access

    The following native AWS Services will be used to horizontally scale Application 2...

    • AWS Storage Gateway (File Interface)

    - A virtual appliance that uses industry-standard storage protocols to connect to AWS cloud storage services

    - Files are stored as objects in your S3 buckets, accessed through a Network File System (NFS) mount point

    - Once in S3, objects can be managed as native S3 objects, and bucket policies such as versioning, lifecycle management, and cross-region replication apply directly to objects stored in your bucket

    • Amazon Elastic Compute Cloud (Amazon EC2)

    - Deployed as a cluster of reverse web proxy instances that forward traffic to VMware Cloud on AWS virtual machines (for Applications 1 & 2)

    - The reverse web proxy cluster is deployed as an Auto Scaling Group and registered as an Application Load Balancer Target Group

  • Req #1 – Scale and Consolidate Public Access

    The following native AWS Services will be used to horizontally scale Application 2...

    • Amazon Relational Database Service (Amazon RDS)

    - Using the Amazon Aurora MySQL engine, Amazon RDS is a managed relational database service built on a fully distributed and self-healing storage system

    - Provides enterprise-level capabilities including database monitoring, database cloning, cross-region copying and replication

    - Amazon Aurora's storage is fault-tolerant and self-healing (each 10GB chunk of your database volume is replicated six ways, across three Availability Zones)

    - On entire instance failure, Amazon Aurora will automatically fail over to one of up to 15 read replicas

  • Req #1 – Scale and Consolidate Public Access

    The following native AWS Services will be used to consolidate public access for all applications…

    • Elastic Load Balancing (ELB) – Application Load Balancer mode

    - Routing decisions are made at the application layer (HTTP/HTTPS)

    - Supports host-based routing that can route requests to one or more ports on each EC2 instance

    - Native integration with other AWS services such as Auto Scaling groups, AWS WAF Web ACLs, and Amazon CloudWatch

    - Native IPv6 support (users can connect to the ALB using IPv4 or IPv6)

    • AWS Certificate Manager (ACM)

    - Provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway

    - Supports importing SSL/TLS certificates issued by third-party Certificate Authorities (CAs) and deploying them with your supported AWS resources

    - AWS Certificate Manager can easily handle certificate renewals
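    The pieces of Req #1 described on the EC2, ELB and ACM slides (a reverse web proxy Auto Scaling Group registered as an ALB target group, host-based routing on an HTTPS listener, an ACM certificate, and an AWS WAF web ACL attached to the ALB) fit in a single CloudFormation template. The template below is an added example written for this page; it is not from the deck, from VMware or from AWS. It assumes the hostnames app1.acme.example and app2.acme.example, a pre-built reverse web proxy AMI that answers /healthz over HTTPS, a certificate already issued or imported in ACM in the same region, an existing regional web ACL (the current WAFv2 API rather than the 2017-era WAF Classic the slides refer to), and the instance sizes and counts shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:            { Type: AWS::EC2::VPC::Id }
  PublicSubnetIds:  { Type: List<AWS::EC2::Subnet::Id> }   # DMZ-Out (public) subnets, one per AZ
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }   # DMZ-In (private) subnets for the proxies
  ProxyAmiId:       { Type: AWS::EC2::Image::Id }          # assumed pre-built reverse web proxy AMI
  CertificateArn:   { Type: String }                       # ACM certificate covering the app hostnames
  WebAclArn:        { Type: String }                       # assumed existing regional WAFv2 web ACL
Resources:
  # Only 80/443 reach the ALB from the internet; 80 exists solely to redirect.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
  # Proxies accept traffic only from the ALB, never directly from the IGW.
  ProxySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Reverse web proxy cluster
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref AlbSecurityGroup }
  PublicAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4              # switch to dualstack once the public subnets carry IPv6 CIDRs
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [!Ref AlbSecurityGroup]
  # The ALB re-encrypts to the proxies; health is checked on the proxy itself.
  SddcProxyTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTPS
      Port: 443
      HealthCheckPath: /healthz        # assumed health endpoint on the proxy
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PublicAlb
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: { Protocol: HTTPS, Port: "443", StatusCode: HTTP_301 }
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PublicAlb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only
      Certificates: [{ CertificateArn: !Ref CertificateArn }]
      DefaultActions:                  # an unknown Host header is not forwarded anywhere
        - Type: fixed-response
          FixedResponseConfig: { StatusCode: "404", ContentType: text/plain, MessageBody: unknown host }
  # Host-based routing: both SDDC apps share one ALB and one certificate.
  SddcAppsRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10
      Conditions:
        - Field: host-header
          HostHeaderConfig: { Values: [app1.acme.example, app2.acme.example] }
      Actions:
        - { Type: forward, TargetGroupArn: !Ref SddcProxyTargetGroup }
  ProxyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ProxyAmiId
        InstanceType: t3.small
        SecurityGroupIds: [!Ref ProxySecurityGroup]
  # The ASG registers each proxy with the target group and replaces any that fail the ALB health check.
  ProxyAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "2"
      MaxSize: "6"
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      LaunchTemplate: { LaunchTemplateId: !Ref ProxyLaunchTemplate, Version: !GetAtt ProxyLaunchTemplate.LatestVersionNumber }
      TargetGroupARNs: [!Ref SddcProxyTargetGroup]
      HealthCheckType: ELB
      HealthCheckGracePeriod: 120
  AlbWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref PublicAlb
      WebACLArn: !Ref WebAclArn
```

    Deploy it with `aws cloudformation deploy --template-file alb.yaml --stack-name acme-public-access --parameter-overrides VpcId=... PublicSubnetIds=... PrivateSubnetIds=... ProxyAmiId=... CertificateArn=... WebAclArn=...` (the values are yours). The points a reviewer checks: the proxy security group admits only the ALB, so the proxies are never reachable straight from the IGW; port 80 does nothing but redirect, which is how "require SSL" is enforced; the HTTPS listener pins a TLS 1.2+ policy and returns a fixed 404 for any Host header it does not know, so the ALB never forwards arbitrary hostnames toward the SDDC. What the template cannot do is open the VMware Cloud side: a Compute Gateway firewall rule must still admit the private proxy subnets to the APP1/APP2 VMs, and that is configured in the SDDC, not in this AWS account.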

  • Req #1 – Scale and Consolidate Public Access

    The following native AWS Services will be used to consolidate public access for all applications…

    • Amazon Route 53

    - A highly available and scalable global Domain Name System (DNS) service

    - Designed to propagate DNS updates to the