Transcript
Page 1: Content: Not VMworld 2017 - RainFocus...o Integration with AWS Lambda o Amazon API Gateway o AWS WAF o AWS Shield VMworld 2017 Content: Not for publication or distribution #LHC3376BUS

Paul Bockelman, AWS Principal Solutions Architect (WWPS)

Haider Witwit, AWS Senior Solutions Architect (WWPS)

LHC3376BUS

#VMworld #LHC3376BUS

AWS Native Services Integration with VMware Cloud on AWS

Technical Deep Dive

VMworld 2017 Content: Not for publication or distribution

Page 2

What to expect from the session

#LHC3376BUS CONFIDENTIAL

• Technical recap – VMware Cloud on AWS

• {Sample} Integration use case

• Services introduction & solution designs

• Solution summary


Page 3


VMware Cloud on AWS: Technical Recap


Page 4


VMware Cloud on AWS: Overview

[Diagram: VMware Cloud on AWS overview. The Customer data center and VMware Cloud on AWS (running on AWS Global Infrastructure) are managed through vCenter Server (with vRealize Suite and PowerCLI): a single pane of glass and API across on-premises and cloud. VMware Cloud on AWS has access to all AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, Amazon Redshift) via AWS CloudFormation, AWS CLI and AWS SDK.]

Page 5


VMware Cloud on AWS: AWS view

VMware operated, supported, and maintained

… Fully configured VMware software stack running on state-of-the-art infrastructure, provisioned on-demand in minutes

Latest software

• VCSA, ESXi, NSX, VSAN, H5 client

Dynamic capacity

• DRS/HA compute cluster (Intel x86)

• VSAN storage cluster (SSD)

• NSX network virtualization (10 Gbps+)

Flexible topology

• Standalone cloud cluster

• Hybrid connectivity to on-premises

• Cloud-to-cloud connectivity

[Diagram: Overview of VMware Cloud on AWS: a cluster of ESXi hosts (ESXi … ESXi) on single-tenant (dedicated) bare-metal Amazon EC2 hardware, together with vCenter Server, Gateway and NSX Manager.]

Page 6


VMware Cloud on AWS: AWS integration

[Diagram: VMware Cloud on AWS inside the AWS Global Infrastructure, with access to all native AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, AWS IoT).]

Page 7

VMware Cloud on AWS: Base Topology

[Diagram: Base Topology. The AWS Customer VPC (AZ A, AZ B, AZ C; DMZ-Out (Public); IGW) connects over the VMware Cloud ENI to the VMware Cloud VPC, and to the Customer Data Center and AWS Region Services (VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail, Amazon S3). VMware Cloud VPC: ESXi hosts on Amazon EC2; Resource Pool with DMZ-In (Private), App (Private) and DMZ-Out (Public) segments; Compute Gateways, Management Gateway, IGW; VMs DB1, DB2, RWP, APP2, APP1 (each with its own OS).]

Page 8


{Sample} Integration Use Case


Page 9


Integration Use Case: Overview

VMware Cloud on AWS customer ACME Distribution is hosting two (2) web-based, internet-facing applications in its VMware Cloud on AWS SDDC account and is launching a third web application in its AWS account.

ACME is seeking to meet the following requirements through an integration with native AWS Services:

• Horizontally scale SDDC ‘Application 2’ and consolidate public application access across accounts (SSL required)

• Globally distributed application(s) (from a single origin) with effective mitigation of DDoS and L3/L4/L7 attacks

• Increased security visibility and (near) real-time access control

[Diagram: ACME's VMware Cloud VPC: ESXi hosts on Amazon EC2; Resource Pool with DMZ-In (Private), App (Private) and DMZ-Out (Public) segments; Compute Gateway, Management Gateway, IGW; VMs DB1, DB2, RWP, APP2, APP1 (each with its own OS).]

Page 10


Services introduction & solution designs


Page 11


Req #1 – Scale and Consolidate Public Access

The following native AWS Services will be used to horizontally scale Application 2...

• AWS Storage Gateway (File Interface)

- A virtual appliance that uses industry-standard storage protocols to connect to AWS cloud storage services

- Files are stored as objects in your S3 buckets, accessed through a Network File System (NFS) mount point

- Once in S3, objects can be managed as native S3 objects, and bucket policies such as versioning, lifecycle management, and cross-region replication apply directly to objects stored in your bucket

• Amazon Elastic Compute Cloud (Amazon EC2)

- Deployed as a cluster of reverse web proxy instances for traffic forwarding to VMware Cloud on AWS virtual machines (for Applications 1 & 2)

- The reverse web proxy cluster is deployed as an Auto Scaling Group and registered as an Application Load Balancer Target Group

Page 12


Req #1 – Scale and Consolidate Public Access

The following native AWS Services will be used to horizontally scale Application 2...

• Amazon Relational Database Service (Amazon RDS)

- Using the Amazon Aurora MySQL engine, Amazon RDS is a managed relational database service built on a fully distributed and self-healing storage system

- Provides enterprise-level capabilities including database monitoring, database cloning, cross-region copying and replication

- Amazon Aurora's storage is fault-tolerant and self-healing (each 10GB chunk of your database volume is replicated six ways, across three Availability Zones)

- On entire instance failure, Amazon Aurora will automatically fail over to one of up to 15 read replicas


Page 13


Req #1 – Scale and Consolidate Public Access

The following native AWS Services will be used to consolidate public access for all applications…

• Elastic Load Balancing (ELB) – Application Load Balancer mode

- Routing decisions are made at the application layer (HTTP/HTTPS)

- Supports host-based routing that can route requests to one or more ports on each EC2 instance

- Native integration with other AWS services such as Auto Scaling groups, AWS WAF Web ACLs, and Amazon CloudWatch

- Native IPv6 support (users can connect to the ALB using IPv4 or IPv6)

• AWS Certificate Manager (ACM)

- Provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway

- Supports importing SSL/TLS certificates issued by third-party Certificate Authorities (CAs) and deploying them with your supported AWS resources

- AWS Certificate Manager can easily handle certificate renewals


Page 14


Req #1 – Scale and Consolidate Public Access

The following native AWS Services will be used to consolidate public access for all applications…

• Amazon Route 53

- A highly available and scalable global Domain Name System (DNS) service

- Designed to propagate DNS updates to the world-wide network of authoritative DNS servers within 60 seconds (under normal conditions)

- Fully compliant with IPv6


Page 15

Req #1 – Scale and Consolidate Public Access (base)

[Diagram: Req #1 starting point, the Base Topology: AWS Customer VPC (AZ A, AZ B, AZ C; DMZ-Out (Public); IGW), VMware Cloud ENI, Customer Data Center, AWS Region Services (VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail, Amazon S3); VMware Cloud VPC with ESXi hosts on Amazon EC2, a Resource Pool with DMZ-In (Private), App (Private) and DMZ-Out (Public) segments, Compute Gateways, Management Gateway, IGW and VMs DB1, DB2, RWP, APP2, APP1.]

Page 16

Req #1 – Scale and Consolidate Public Access

[Diagram: Req #1 solution. AWS Customer VPC (AZ A, AZ B, AZ C): a Reverse Web Proxy & Application Load-Balancer tier with ELB, App3 ASG, additional APP2 instances, ACM, IGW, RDS Aurora (shared), Amazon EFS and an NFS S3-backed Cluster File System; Route53; SSL Encrypted Traffic from the Customer Data Center; VMware Cloud ENI; AWS Region Services (VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail, Amazon S3). VMware Cloud VPC: ESXi hosts on Amazon EC2; Resource Pool with DMZ-Out (Public), DMZ-In (Private) and App (Private) segments; Compute Gateways, Management Gateway, IGW; RWP (SDDC) and VMs DB1, APP2, APP1, RWP.]

Page 17

Req #1 - Demo


Page 18

Req #2 – Globally distributed with DDoS Mitigation

The following native AWS Service will be used to protect the environment…

• Amazon CloudFront

- A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs with low latency and high transfer speeds

- 79 edge locations and 11 regional edge cache locations across 22 countries and 48 cities (as of 03-Aug-2017)

- Can deliver secure APIs or applications via SSL/TLS, with advanced SSL features

- Native IPv6 support

- Deeply integrated with AWS services including:

o Amazon S3

o Amazon EC2

o Elastic Load Balancing (ELB)

o Integration with AWS Lambda

o Amazon API Gateway

o AWS WAF

o AWS Shield


Page 19


Req #2 – Globally distributed with DDoS Mitigation

The following native AWS Service will be used to protect the environment…

• AWS WAF

- A web application firewall that helps detect and block malicious web requests, such as SQL injection and cross-site scripting attempts, targeted at your web applications

- Able to be integrated with ALB and/or a CloudFront distribution

- Provides real-time metrics and captures raw requests that include details about IP addresses, geo locations, URIs, User-Agent and Referrers


Page 20


Req #2 – Globally distributed with DDoS Mitigation

The following native AWS Service will be used to protect the environment…

• AWS Shield/Shield Advanced

- A managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS

- Provides always-on detection and automatic inline mitigations that minimize application downtime and latency

- For web applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced

- AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your protected resources


Page 21

Req #2 – Globally distributed with DDoS Mitigation

[Diagram: Req #2 solution. Added to the Req #1 topology: CloudFront with WAF & ACM-enabled Edge Location(s), AWS Shield, Route53 and SSL Encrypted Traffic in front of the ELB / Reverse Web Proxy & Application Load-Balancer tier (App3 ASG, RWP (SDDC), APP2 instances, ACM, IGW) in the AWS Customer VPC (AZ A, AZ B, AZ C), with RDS Aurora (shared), Amazon EFS, NFS S3-backed Cluster File System, VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail and Amazon S3 among the AWS Region Services. The Customer Data Center and the VMware Cloud VPC (ESXi hosts on Amazon EC2; Resource Pool with DMZ-Out (Public), DMZ-In (Private) and App (Private) segments; Compute Gateways, Management Gateway, IGW; VMs DB1, APP2, APP1, RWP) connect over the VMware Cloud ENI.]

Page 22


Req #2 - Demo


Page 23


Req #3 – Increased Security Visibility

The following native AWS Service will be used to create network insight…

• Amazon Virtual Private Cloud (Amazon VPC) – Flow Logs

- Enables the capture of information about the IP traffic going to and from network interfaces within a VPC (minus the payload)

- A flow log can be created for a VPC, a subnet, or a network interface

- Flow log data is stored using Amazon CloudWatch Logs

2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK


Page 24


Req #3 – Increased Security Visibility

The following native AWS Service will be used to monitor resources…

• Amazon CloudWatch

- Collect and track metrics, collect and monitor log files (including custom logs), set alarms, and automatically react to changes in your AWS resources

- Metrics such as CPU utilization, latency, and request counts are provided automatically

- Using CloudWatch Logs, you can monitor your logs, in near real-time, for specific phrases, values or patterns (metrics)


Page 25


Req #3 – Increased Security Visibility

The following native AWS Service will be used to durably store logs…

• Amazon Simple Storage Service (Amazon S3)

- An object storage built to store and retrieve any amount of data from anywhere

- Designed to deliver 99.999999999% durability

- Data is stored as objects within resources called “buckets”

- A bucket can contain an unlimited number of objects, each up to 5 terabytes in size

- Buckets are accessible over IPv6 through “dual-stack” endpoints


Page 26


Req #3 – Increased Security Visibility

The following native AWS Service will be used to ingest data streams…

• Amazon Kinesis Firehose

- Ingests streaming data such as application logs, website clickstreams, IoT telemetry data, and more, in near real-time, into databases, data lakes and data warehouses

- Will be used to stream VPC Flow Logs, Application Load Balancer, and CloudFront application logs from CloudWatch into the Amazon Elasticsearch Service

- Process and analyze data as it arrives and respond in real-time for downstream processing (supports hundreds of thousands of data sources simultaneously)

[Diagram: Streaming Data Source(s) → Amazon Kinesis Firehose → Amazon ES, Amazon S3 and Amazon Redshift, analyzed with Amazon QuickSight and Amazon Athena.]

Page 27


Req #3 – Increased Security Visibility

The following native AWS Service will be used to index log data…

• Amazon Elasticsearch Service (Amazon ES)

- An open-source search and analytics engine for big data use cases such as log and click stream analysis

- Ingest structured and unstructured data from a variety of sources

- Amazon Elasticsearch Service manages the capacity, scaling, patching, and administration of Elasticsearch clusters

- Direct access to the Elasticsearch API

- Includes built-in support for Kibana (an open-source analytics and visualization platform) and AWS services including: Amazon Kinesis Firehose, AWS Lambda, and Amazon CloudWatch


Page 28


Req #3 – Increased Security Visibility

The following native AWS Service will be used to analyze and visualize…

• Amazon Athena

- Interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL (uses Presto with ANSI SQL support)

- Uses Amazon S3 as its underlying data store (highly durable)

- Quickly tap into data in Amazon S3 without the need to set up complex processes to extract, transform, and load the data (ETL)

• Amazon QuickSight

- A business analytics service that makes it easy to build visualizations and perform ad-hoc analysis

- Uses SPICE – The Super-fast, Parallel, In-memory, Calculation Engine

- Upload (CSV or XLS) and/or ingest data from AWS data sources such as Amazon Redshift, Amazon RDS, Amazon Aurora, Amazon Athena, Amazon S3, and Amazon EMR (Presto and Apache Spark)

- Connect to databases like SQL Server, MySQL, and PostgreSQL (in the cloud or on-premises)


Page 29

Req #3 – Increased Security Visibility

[Diagram: Req #3 solution. Added to the Req #2 topology, among the AWS Region Services: VPC Flow logs, Amazon Kinesis Firehose, Amazon CloudWatch, Amazon ES, Amazon QuickSight and Amazon Athena (alongside AWS CloudTrail, Amazon S3, VPC S3 Endpoint, AWS Shield, Route53, CloudFront and the WAF & ACM-enabled Edge Location(s)). Unchanged: the AWS Customer VPC (AZ A, AZ B, AZ C; ELB; App3 ASG; RWP (SDDC); Amazon EFS; RDS Aurora (shared); NFS S3-backed Cluster File System; Reverse Web Proxy & Application Load-Balancer; APP2 instances; ACM; IGW), the Customer Data Center, the VMware Cloud ENI, SSL Encrypted Traffic, and the VMware Cloud VPC (ESXi hosts on Amazon EC2; Resource Pool with DMZ-Out (Public), DMZ-In (Private) and App (Private) segments; Compute Gateways, Management Gateway, IGW; VMs DB1, APP2, APP1, RWP).]

Page 30


Req #3 - Demo


Page 31


But wait…


Page 32


{BONUS}: Automation and ‘Touchless Management’

The following native AWS Service can be used to automate…

• AWS Lambda

- A serverless compute service that executes code in response to triggers such as changes in data, shifts in system state, or actions by users

- Automatically parses access logs to identify suspicious behavior and add the corresponding source IP addresses to an AWS WAF block list

- Automatically checks third-party IP reputation lists hourly for malicious IP addresses to add to an AWS WAF block list

• AWS CodeDeploy

- A service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises

- Rapidly release and automate software deployments, eliminating the need for error-prone manual operations

- Centralize control to launch and track the status of application deployments through the AWS Management Console or the AWS CLI
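An added example, not the session's own code: a Python parser for the version-2 VPC Flow Log record format shown on the Req #3 Flow Logs slide, with the kind of defender's heuristic the AWS Lambda automation above describes (one source whose connections are REJECTed on many distinct destination ports), producing the /32 entries an AWS WAF IP set expects. The threshold, the record names and the sample lines other than the slide's own record are assumptions constructed for the example.

```python
"""Parse VPC Flow Log (version 2) records and flag sources that are rejected
on many distinct destination ports, emitting /32 entries shaped for an AWS
WAF IP set.  Added example; the heuristic and threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Field order of a default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "num_bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "num_bytes", "start", "end"}


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    num_bytes: int
    start: int
    end: int
    action: str
    log_status: str


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one space-separated record. Returns None for NODATA/SKIPDATA
    records, whose address, port and action fields are '-' placeholders."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    if parts[-1] != "OK":
        return None
    values = {name: (int(v) if name in INT_FIELDS else v)
              for name, v in zip(FIELDS, parts)}
    return FlowRecord(**values)


def suspicious_sources(lines: Iterable[str],
                       min_rejected_ports: int = 5) -> Dict[str, Set[int]]:
    """Map source address -> distinct destination ports on which the VPC
    rejected its traffic, keeping sources at or above the threshold.
    One rejected port is usually noise; many distinct ones from a single
    source is the probing pattern worth alerting on (threshold assumed)."""
    rejected: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        rejected[rec.srcaddr].add(rec.dstport)
    return {src: ports for src, ports in rejected.items()
            if len(ports) >= min_rejected_ports}


def waf_ip_set_entries(sources: Iterable[str]) -> List[str]:
    """AWS WAF IP sets hold CIDR strings; a single IPv4 host is written /32."""
    return sorted(f"{ip}/32" for ip in sources)


# Constructed sample: the slide's own record followed by made-up lines that
# use documentation address ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 44321 22 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 44322 23 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 44323 25 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 44324 80 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 44325 443 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 51000 443 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1438530010 1438530070 - NODATA
"""


def analyse_sample() -> List[str]:
    """Run the pipeline over SAMPLE_LOG: the block list a Lambda would push."""
    return waf_ip_set_entries(suspicious_sources(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    print(analyse_sample())  # ['203.0.113.9/32']
```

In the automation the slide describes, the returned list would be applied to the WAF IP set and the single-port source left alone, which is why the threshold rather than any REJECT decides membership.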


Page 33

{BONUS}: Automation and ‘Touchless Management’

[Diagram: the Req #3 topology with AWS Lambda added at the WAF & ACM-enabled Edge Location(s) and CloudFront. AWS Customer VPC (AZ A, AZ B, AZ C): ELB, App3 ASG, RWP (SDDC), Amazon EFS, RDS Aurora (shared), NFS S3-backed Cluster File System, Reverse Web Proxy & Application Load-Balancer, APP2 instances, ACM, IGW. AWS Region Services: VPC S3 Endpoint, AWS Shield, Amazon ES, Route53, CloudFront, AWS CloudTrail, VPC Flow logs, Amazon Kinesis Firehose, Amazon CloudWatch, Amazon QuickSight, Amazon Athena, Amazon S3. Customer Data Center, VMware Cloud ENI and SSL Encrypted Traffic; VMware Cloud VPC with ESXi hosts on Amazon EC2, Resource Pool segments DMZ-Out (Public), DMZ-In (Private), App (Private), Compute Gateways, Management Gateway, IGW and VMs DB1, APP2, APP1, RWP.]

Page 34

{BONUS}: Automation and ‘Touchless Management’

[Diagram: the same topology as on the previous slide (WAF & ACM-enabled Edge Location(s), CloudFront, AWS Shield, Route53, AWS Lambda; AWS Customer VPC with ELB, App3 ASG, Amazon EFS, RDS Aurora (shared), NFS S3-backed Cluster File System, Reverse Web Proxy & Application Load-Balancer, APP2 instances, ACM, IGW; AWS Region Services with VPC S3 Endpoint, Amazon ES, AWS CloudTrail, VPC Flow logs, Amazon Kinesis Firehose, Amazon CloudWatch, Amazon QuickSight, Amazon Athena, Amazon S3; Customer Data Center; VMware Cloud ENI; SSL Encrypted Traffic; VMware Cloud VPC with ESXi hosts on Amazon EC2, DMZ-Out (Public), DMZ-In (Private) and App (Private) segments, Compute Gateways, Management Gateway, IGW, VMs DB1, APP2, APP1), with a callout on the reverse web proxies, RWP (SDDC) and the RWP VM:]

Remember the Reverse Web Proxies? Manage them using AWS CodeDeploy

Page 35


{BONUS}: Automation and ‘Touchless Management’

• Edit configuration file(s)

• Push updated file(s) to a code repository

• Commit change(s)

• AWS CodeDeploy detects the update

• AWS CodeDeploy does a rolling deployment of updates

Page 36


Solution Summary


Page 37


Solution Summary

Requirement #1

• AWS Storage Gateway

• Amazon EC2

• Amazon RDS

• AWS Certificate Manager

• Elastic Load Balancing

• Amazon Route 53

Requirement #2

• Amazon CloudFront

• AWS WAF

• AWS Shield/Shield Advanced

Requirement #3

• VPC Flow Logs

• Amazon CloudWatch

• Simple Storage Service (S3)

• Amazon Kinesis Firehose

• Amazon Elasticsearch Service (ES)

• Amazon Athena

• Amazon QuickSight

• AWS Lambda

• AWS CodeDeploy

Page 38


AWS Booth Demos

• Demo 1: Securing Workloads in VMware Cloud on AWS

Understand the added value of using native AWS security features with workloads running in VMware Cloud on AWS

• Demo 2: VM Workload Analytics

Learn how to use native AWS services integration to manage and analyze VM workloads running in a VMware Cloud on AWS SDDC cluster

• Demo 3: Dev/Test Workloads with VMware Cloud on AWS

Demonstrate the use of an Oracle RAC (two-node cluster) test environment running in VMware Cloud on AWS

• Demo 4: Microsoft Applications on VMware Cloud on AWS

Demonstrate a Microsoft SharePoint deployment using native AWS web front-end services and backed by Microsoft SQL Server (Always-On Availability Groups) in VMware Cloud on AWS

