Bahubali Shetti and Dan Illson

MMC2820BE

#VMworld #MMC2820BE

Live Demo: 3 Best Practices for Deploying, Managing and Securing AWS EC2 Apps with VMware Cloud Services

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#MMC2820BE CONFIDENTIAL

Agenda

• VMware Cloud Strategy: VMware Cloud Services positioning and overview

• Managing and operating an application in AWS EC2 with VMware Cloud Services

• Access and use of VMware Cloud Services

• Q&A

VMware Cloud: Run, Manage, Connect, Secure Any App on Any Cloud to Any Device

(Slide diagram, reduced to its labels)

• Cloud Native Apps: Time to market, Innovation, Scale, Differentiation

• Existing Apps: Reduce Costs, Security, Reliability, Control

• Containers and Virtual Machines

• Cloud Management (VMware Cloud Services): Visibility, Operations, Automation, Security, Governance

• Consistent Infrastructure: VM infrastructure and Container infrastructure, across VMware Cloud Infrastructure, VMware Cloud on AWS, and Public Cloud IaaS

• Consistent Operations: Management and operations across clouds

Integration of multiple clouds has introduced new cloud silos, leading to operations complexity and increased risk exposure:

• Application sprawl

• Inefficient cost management across multiple clouds

• Compliance gaps due to different architectures

• Inconsistent security architectures and policies that aren't aligned to different solutions

• Lack of expertise on specific platforms and exposure to human error

• Lack of visibility into and across multiple clouds

VMware Cloud Solutions: initial set of services to Manage, Secure, Monitor and Automate Public and Private Cloud Infrastructure, and Applications

(Slide diagram: VMware Cloud Services spanning on-premises data centers and the apps running in them)

• Governance: Discovery, Cost Insight, Network Insight

• Security: NSX Cloud, AppDefense

• App Visibility: Wavefront

VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Apps

• Discovery: Visibility into apps and the resources they consume. Analyze usage and utilization across clouds.

• Cost Insight: Accounting and cost optimization for multiple clouds. Track and analyze your costs and trends.

• NSX Cloud: Secure networks with micro-segmentation. Create private networks within or across clouds.

• Network Insight: Operational visibility, control, and compliance across clouds. Optimize performance, health, and availability.

• Wavefront: Metrics-driven monitoring and real-time analytics.

• AppDefense: Governance for running workloads.

• Reduce Management Complexity and Speed Time-to-Market

• Improve Operational Efficiency and Lower OpEx

• Optimize Visibility and Decision-Making About Cloud Costs and Spend

• Protect Sensitive Data and Reduce Risk to the Business

• Innovate in the clouds you choose

• Allow operations to focus on applications, rather than infrastructure


Typical New Age Cloud Deployment: Using AWS and on-prem Resources

(Slide diagram: DEV, APPS and DB tiers spread across two AWS regions and vSphere)

• New age company

• Launching a new product

• Preparing for an influx of large product requests

• Distributed deployment across AWS and vSphere: app deployed in AWS us-west and us-east, with the DB in vSphere in SF

• Typical 3 tier app

• Using AWS to develop and deploy the production application that takes product requests

Demo Overview

Users                          Functionality Covered
Developers/DevOps              Review operations surrounding the app (Wavefront)
Infra/Cloud Admin              Identify deployment risks and issues in AWS (Network Insight)
Infra/Cloud Admin              Correct deployment and prevent future issues in AWS (NSX Cloud)
CIO/Finance/Infra-Cloud Admin  Optimize deployment across all clouds (Cost Insight)

Application being managed for demo: Typical three tier app

(Slide diagram, inside an AWS VPC: NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2)

• Web Tier: Standard NGINX servers acting as a pair of redundant load balancers to the App servers

• App Tier: Django based app designed to serve up the web pages and process requests

• DBLB Tier: DB load balancer (HAProxy)

• DB Tier: Standard MySQL Master-Slave pair

Wavefront Demo

Wavefront: Unified Visibility for Cloud Applications (App Visibility)

Real-time metrics monitoring at scale
Gathers high-velocity telemetry from cloud applications into a real-time metrics store to query advanced analytics, render visualizations for anomaly detection, analyze trends, and get intelligent alerts.

"First Pane of Glass" Visibility
Overlay on top of log data, APM, traditional up/down checks, and other data silos to provide end-to-end visibility on every level of the application stack – from compute, network, and storage up through containers, application code, user behavior, and business metrics.

Shared model of application/system for both developers and ops
Enable DevOps culture and AIOps through common tooling, instant shared context through shareable active links, self-serve instrumentation, and formalizing application domain knowledge into custom queries/dashboards/alerts.

Network Insight Demo

Network Insight: Comprehensive network visibility and analytics to simplify network and security planning, troubleshooting and operations (Governance)

Plan and manage security across clouds
Analyze traffic flow patterns across AWS and private clouds to understand application dependencies and to accelerate your cloud micro-segmentation strategy.

Quickly troubleshoot issues with 360-degree cloud visibility
Get comprehensive visibility into AWS and SDDC hybrid cloud infrastructure, including physical network devices, AWS VPCs, and security groups; resolve connectivity issues by examining the flow of data between virtual and physical network layers.

Maximize the returns on your investment in VMware NSX
Manage and troubleshoot NSX at scale to ensure health and availability of the deployment, leveraging standard networking knowledge.

NSX Cloud Demo

NSX Cloud: Consistent networking and security for applications running in public clouds (Security)

Single Pane of Glass Management and Common API
Enables cloud IT to simplify and scale operations, improve standardization and compliance, and lower OpEx for applications running in public clouds.

Scalable Micro-Segmentation Security for Applications
Micro-segmentation security allows for easy control over East-West traffic between application instances: define and deploy policy once.

Control and Agility via Overlay Networking
Overlay networking gives you precise control over the networking topologies, traffic flows, IP addressing, and protocols.

Cost Insight Demo

Cost Insight: Analyze and compare cloud spend, find savings opportunities and communicate the cost of services to the business (Governance)

Avoid blind spots with comprehensive cost visibility
Get the comprehensive visibility necessary to understand total costs, whether public or private, as well as the ability to drill deeper to understand key cost drivers.

Ensure systematic cost control
Proactively monitor cost trends and compare them against planned budgets to avoid cost overruns.

Lower costs by identifying cloud waste
Identify powered-off or idle virtual machines and unused cloud storage resources, and optimize license costs to minimize wastage.

Discovery: Automated inventory detection system that brings together inventory information from public and private clouds (Governance)

Holistic view of cloud resources
Discovery understands the intricacies of different public and private clouds and automates the tedious process of building those cloud integration points so that you can quickly gather inventory data from multiple sources.

See your cloud the way you want
Discovery offers you the flexibility to organize your cloud resources into custom groups such as projects, teams, applications or cloud environments to mirror your business requirements.

Continuous and automated inventory detection
Once users configure cloud accounts and inventory collectors, they can automatically detect any changes to inventory and continuously monitor the state of cloud workloads over time.

AppDefense: Data center endpoint threat detection and response (Security; no demo)

Reliable threat detection for data center endpoints
AppDefense understands what an application should look like – the application's "intended state" – and detects changes from this intended state that indicate a potential threat.

Automated threat response
When a threat is detected, AppDefense leverages NSX and the vSphere hypervisor to automate a number of different responses depending on the nature of the threat.

Increased isolation from the attack surface
Because AppDefense is installed in the hypervisor, it is isolated from the attack surface. Even if malware or a bad actor gains access to an endpoint, they will not be able to compromise AppDefense itself.

Summary – What was demonstrated in VMware Cloud Services? Pinpoint issues, resolve them, and improve security deployments in a multi-cloud environment

(Slide diagram: the developer's dev deployment in an AWS VPC: NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2)

• Analysis of an application issue by the Developer (Wavefront): monitoring and analysis of MySQL metrics in correlation with app network metrics

• Resolving an application issue and finding security violations in AWS VPCs by the Cloud Admin (Network Insight): pinpointing the issue and its resolution, with additional analysis of security policies across multiple applications in multiple AWS VPCs and across vCenter locations; understanding security issues/violations by the developer

• Locking down an application in AWS with an appropriate security policy by the Cloud Admin (NSX Cloud): develop and apply a policy for all tiers of the application against the development deployment

• Reviewing and understanding developer spend on AWS by the VP of Cloud Engineering (Cost Insight/Discovery): analyze resources used and the cost of development

Summary – Security Policy Deployed using NSX Cloud: NSX Cloud secures the dev environment

(Slide diagram: the developer's dev deployment in an AWS VPC: NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2)

APPLICATION SECURITY POLICY A:

• Only allow SSH traffic from within the subnet (i.e. the jumpbox)

• Only allow port 80/443 into the Web Tier

• Only allow the App Tier to accept traffic from the Web Tier

• Only allow the DB Tier to accept port 3306 traffic from the App Tier

• Allow the DB Tier to talk to the DB Tier

What can be done next? Use NSX Cloud to apply policy in ALL deployments during the development lifecycle

(Slide diagram: Application Security Policy A applied to both the developer's dev deployment and the production deployment, each an AWS VPC with NGINX (WEB) x2, DJANGO (APP) x3, DBLB (HAPROXY), MYSQL x2)

• The Cloud Administrator used NSX Cloud to secure the dev environment

• Security Policy A developed: firewall rules across all tiers

• The Developer deploys the production application

• The Cloud Administrator applies Security Policy A to the production environment

Operational Best Practice 1: Understand Application Entry Point(s)

• Will the application be accessed via a private network (VPN/Direct Connect) or the internet?

• If accessed via the internet, will an instance be directly accessed, or will a load balancer be used?

• What IP address space / DNS zone will be used for instance management? Will this be reachable from corporate network(s)?

All of these points feed into building the security policy and deciding how to enforce it via NSX Cloud, Amazon Security Groups, or a combination of the two.

Operational Best Practice 2: Perform Security Analysis

• Use Network Insight to determine the required flows between application components

• Group components with like requirements into NSX Cloud network security groups

• Build an NSX Cloud firewall section per application (or set of applications) with like policy requirements

• Instantiate firewall rules as identified through Network Insight

• Enable AppDefense collection of intended and runtime state behavior

All of these points feed into building the security policy and deciding how to enforce it via NSX Cloud, Amazon Security Groups, or a combination of the two.
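The block below is an added illustration, not code from the session or from VMware, and covers both Security Policy A and the flow review in Operational Best Practice 2: Policy A expressed as a default-deny list of tier-to-tier rules, a checker that flags observed flows the policy would not permit, and a translation of the same rules into per-tier security-group ingress entries. Assumptions: the HAProxy DB load balancer is grouped with the DB tier, "SSH from within subnet" is modelled as a jumpbox tier, the per-tier group ids and the sample flows are constructed.

```python
from typing import Iterable, List, NamedTuple, Union

ANY = "any"             # any TCP port (used where the slide names no port)
INTERNET = "0.0.0.0/0"  # assumed source for public ingress into the web tier


class Rule(NamedTuple):
    src: str               # source tier, or "internet"
    dst: str               # destination tier
    port: Union[int, str]  # TCP port, or ANY


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


# Security Policy A from the slide, default deny. Assumptions: the HAProxy
# DB load balancer is grouped with the DB tier, and "SSH from within subnet"
# is modelled as a dedicated jumpbox tier.
POLICY_A = [
    Rule("jumpbox", "web", 22), Rule("jumpbox", "app", 22), Rule("jumpbox", "db", 22),
    Rule("internet", "web", 80), Rule("internet", "web", 443),
    Rule("web", "app", ANY),      # app tier accepts traffic only from the web tier
    Rule("app", "db", 3306),      # DB tier accepts 3306 only from the app tier
    Rule("db", "db", ANY),        # DB tier may talk to the DB tier (replication)
]


def is_allowed(flow: Flow, policy: Iterable[Rule] = POLICY_A) -> bool:
    """Default deny: a flow passes only if a rule matches source, destination and port."""
    return any(r.src == flow.src and r.dst == flow.dst and r.port in (ANY, flow.port)
               for r in policy)


def find_violations(flows: Iterable[Flow], policy: Iterable[Rule] = POLICY_A) -> List[Flow]:
    """Return the observed flows that the policy would not permit."""
    policy = list(policy)
    return [f for f in flows if not is_allowed(f, policy)]


def security_group_ingress(policy: Iterable[Rule] = POLICY_A) -> dict:
    """Translate tier rules into per-tier ingress entries (from_port, to_port, source).
    Non-internet sources are referenced by a hypothetical per-tier group id (sg-<tier>)."""
    ingress = {}
    for r in policy:
        source = INTERNET if r.src == "internet" else f"sg-{r.src}"
        lo, hi = (0, 65535) if r.port == ANY else (r.port, r.port)
        ingress.setdefault(r.dst, []).append({"from_port": lo, "to_port": hi, "source": source})
    return ingress


# Constructed sample flows, in the spirit of a Network Insight review of the dev VPC.
OBSERVED = [
    Flow("internet", "web", 443),
    Flow("web", "app", 8000),
    Flow("app", "db", 3306),
    Flow("db", "db", 3306),
    Flow("internet", "app", 8000),  # app tier reachable from the internet
    Flow("web", "db", 3306),        # web tier bypasses the app tier
    Flow("internet", "db", 22),     # SSH open to the internet
]

if __name__ == "__main__":
    for f in find_violations(OBSERVED):
        print(f"violation: {f.src} -> {f.dst}:{f.port}")
    for tier, entries in security_group_ingress().items():
        print(tier, entries)
```

Running the block lists the three constructed flows that Policy A does not cover, which is the kind of gap the Network Insight step is meant to surface before the firewall section is built.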

Operational Best Practice 2: How to prepare and build images (AMIs) for EC2 instance creation

For existing applications:

• Install the Wavefront Proxy and metrics agents (Telegraf) on all instances that need monitoring and analysis

• Install NSX Cloud Agents on all instances in ALL VPCs that need security management

• Install Cost Insight and Network Insight vCenter Proxy VMs in all vCenter locations tied to AWS resources

• Build application "models" in Network Insight to manage applications across all AWS VPCs

For new applications:

• Embed metrics agents (Telegraf) and the NSX Cloud Agent in all images used by development

• Install Cost Insight and Network Insight vCenter Proxy VMs in all vCenter locations tied to AWS resources

Security posture based on Operational Practice 2:

• Build appropriate security policies (firewall rule sets) in NSX Cloud to consistently deploy across ALL applications

• Ensure developers use predefined "approved" security groups for AWS

Deploy and manage applications and security policies with VMware Cloud Services

• Enable developers to monitor and analyze applications using Wavefront: monitoring and analysis of application and compute metrics

• Continuously monitor and analyze application security and network configuration in AWS/vSphere with Network Insight: understanding violations, app vulnerabilities and their resolution, and continuous analysis of security policies across multiple applications in multiple AWS VPCs and Regions and across vCenter locations

• Develop, deploy and manage consistent security policies using NSX Cloud: develop and apply a policy for all tiers of the application against the development deployment across all AWS VPCs and Regions

• Continuously review and understand developer spend on AWS with Discovery and Cost Insight: analyze resources used and the cost of development, both predictively and historically, and find efficiencies and waste


Getting Started with VMware Cloud Services is also Easy

• Visit cloud.vmware.com

• Request access and get approved

• Log onto console.cloud.vmware.com and start using

"Stay Informed" @ cloud.vmware.com

Sign up for the interest list, learn more and stay updated about when VMware Cloud services are coming to your region

Sessions, Booth and Theatre Presentations for VMware Cloud Services

All 3 Days

• Solutions Exchange: Talk to our experts and learn more about VMware Cloud Services

• Hands On Labs: Self-service experience, try out VMware Cloud Services yourself

Tuesday

• MMC1532BE Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads

• MMC3164BE How Data Science is Transforming Operations: Introduction to Wavefront by VMware

Wednesday

• MMC2888GE How We've Accelerated Innovation While Keeping Our Cloud Spending in Check

• MMC3074BE Three Ways to Use New VMware Cross-Cloud Services to Efficiently Run Workloads Across AWS, Azure, and vSphere: VMware and Customer Technical Session

Thursday

• MMC2820BE Live Demo: 3 Best Practices for Deploying, Managing and Securing AWS EC2 Apps with VMware Cloud Services

• MMC3066BE How Do You Use Network Insights' SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native?