Building a hybrid cloud for the financial sector with AWS :: Felix Candelario :: AWS Finance Seminar

Page 1

Hybrid Architectures in AWS: A view on FinServ

Felix Candelario, Global Solutions Architect – Financial Services

Time: 13:00 – 13:40

Page 2

Hybrid Overview

Consumption of cloud services and on-premises infrastructure as a single aggregated pool of resources.

[Diagram: on-premises infrastructure and cloud services, each stacked as Infrastructure, Platform, Services and Solutions layers]

Page 3

Layers

On-Premises DC: corporate data centers provide every layer listed below.

Layer                 AWS
Data                  Store, Replicate, Archive
Applications          Burst, Scale, x86
Management Services   Management Services
Operating Systems     Operating Systems
Hypervisors           Amazon EC2
Network               VPC, Direct Connect
Data Center           Availability Zones, Regions

Page 4

Hybrid Comes in Many Forms

Start, then progressively deeper integration:
• Integrated Patterns: Split Tiers
• Integrated Infrastructure: VPC VPN, AWS Direct Connect
• Integrated Services: Authentication Federation, Operations Tools and Monitoring
• Integrated Platform: CI/CD, Managed AWS Services
• Integrated Solution: Backup & archive, Storage expansion
• Integrated Stacks

Page 5

Integrated Patterns

Page 6

Split Tiers – AWS Front End

[Diagram: the Web layer runs in an AWS region and faces the Internet; the App layer and Database layer stay in your data center and are reached over the private connection]

Page 7

Split Tiers – On-premises DMZ

[Diagram: the Internet-facing Web layer (DMZ) stays in your data center; Web, App and DB layers in the AWS region are reached over the private connection]

Page 8

Split Tiers – One Arm

[Diagram: App, Web and DB layers in the AWS region; Web and App layers in your data center; the Internet and the private connection link the two]

Page 9

Integrated Infrastructure

Page 10

AWS Virtual Private Network (IPSec VPN)

• IPSec hardware VPN connection (the slide lists supported VPN appliances)
• Encryption and validation of traffic
• Private RFC 1918 addressing on both sides
• Uses Border Gateway Protocol (BGP) for routing and fail-over
• The VPN service provides managed, redundant end-points (two tunnel endpoints per VPN connection)

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
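Both the IPSec VPN above and Direct Connect exchange routes over BGP, so the VPC CIDRs and the prefixes advertised by the data center router must be private and must not overlap; an overlap blackholes one side and a default route learned over the private connection drags all VPC traffic through the data center. The check below is an added example written for this page, not code from the deck or from AWS; the VPC range and advertised prefixes are a constructed sample plan.

```python
"""Address-plan checks for a hybrid VPC <-> on-premises connection (VPN or Direct Connect)."""
import ipaddress
from typing import Iterable, List

RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the prefix lies entirely inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def check_hybrid_address_plan(vpc_cidrs: Iterable[str], onprem_prefixes: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is clean."""
    vpcs = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    onprem = [ipaddress.ip_network(p, strict=False) for p in onprem_prefixes]
    findings: List[str] = []

    # Every range on either side of the tunnel must be RFC 1918 space.
    for net in vpcs + onprem:
        if not is_rfc1918(str(net)):
            findings.append(f"{net}: not RFC 1918 private address space")

    # A default route learned over the private connection would pull every
    # non-local packet from the VPC into the data center.
    for p in onprem:
        if p.prefixlen == 0:
            findings.append(f"{p}: default route advertised over the private connection")

    # Overlap between a VPC and an advertised prefix: one of the two becomes unreachable.
    for v in vpcs:
        for p in onprem:
            if v.overlaps(p):
                findings.append(f"VPC {v} overlaps on-premises prefix {p}")

    # Two VPCs reusing the same range cannot both be reached from the data center.
    for i, a in enumerate(vpcs):
        for b in vpcs[i + 1:]:
            if a.overlaps(b):
                findings.append(f"VPC {a} overlaps VPC {b}")
    return findings


# Constructed sample plan: one VPC and three prefixes the data center router advertises.
SAMPLE_VPCS = ["10.0.0.0/16"]
SAMPLE_ONPREM = ["10.1.0.0/16", "10.0.128.0/17", "203.0.113.0/24"]

if __name__ == "__main__":
    for line in check_hybrid_address_plan(SAMPLE_VPCS, SAMPLE_ONPREM):
        print("FINDING:", line)
```

Run it before the BGP session is brought up: the sample plan yields two findings (the public 203.0.113.0/24 prefix and the 10.0.128.0/17 overlap with the VPC), and the same function covers the Direct Connect case since the prefixes come from the same router.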

[Diagram: on-premises users, servers and the data center router reach a Virtual Gateway over the Internet through the IPSec VPN; behind it, VPC subnets in two Availability Zones, each with a Security Group]

Page 11

AWS Direct Connect

• Requires Layer 2 single-mode fiber: 1000BASE-LX (1 Gbps) or 10GBASE-LR (10 Gbps)
• Requires 802.1Q VLAN tagging of IP traffic across the connection (one VLAN per virtual interface)
• Routing uses BGP, active/active or active/passive, with multipath
• Each Direct Connect connection is mapped to a single AWS Region

http://aws.amazon.com/directconnect/

[Diagram: the customer router at the AWS Direct Connect location peers with the AWS Direct Connect routers; on-premises users, servers and the data center router sit behind it; a Virtual Gateway fronts VPC subnets in two Availability Zones, each with a Security Group]

Page 12

AWS Direct Connect + AWS VPN

• Dedicated network path with assured bandwidth
• More secure than an Internet-based IPSec VPN: traffic never traverses the Internet
• Reduced network transfer costs compared with IPSec over the Internet
• Additional network security: Direct Connect does not itself encrypt traffic, so running the IPSec VPN over the Direct Connect path adds encryption on top of the private circuit

http://aws.amazon.com/directconnect/

[Diagram: the same Direct Connect topology as the previous slide, with the IPSec VPN running over the Direct Connect path to the Virtual Gateway]

Page 13

Integrated Services

Page 14

Active Directory and LDAP

• Reduced back-haul traffic to on-premises directories
• Reduced latency for authentication
• Additional resiliency
• Enables both:
  – Multi-master read/write domain controllers
  – Read-only domain controllers (RODCs)
• Requires IPSec VPN or Direct Connect connectivity

[Diagram: Direct Connect topology as before; AD.Domain spans an on-premises domain controller and domain controllers in the VPC subnets, kept in sync by Active Directory replication across the private connection]

Page 15

AWS Directory Service

• Three types of directories:
  – Microsoft AD
  – AD Connector
  – Simple AD, built on a Samba 4 Active Directory compatible server
• Simplifies IAM federation
• Avoids the complexity and cost of hosting SAML-based federation infrastructure
• AD Connector acts as a proxy: no directory data is stored on AWS infrastructure
• Supports existing RADIUS-based MFA
• Requires IPSec VPN or Direct Connect connectivity

http://aws.amazon.com/directoryservice/

[Diagram: Direct Connect topology as before; AD Connectors in the VPC subnets proxy requests over the private connection to the on-premises domain controller for AD.Domain]

Page 16

Identity Federation

Customer (Identity Provider): User, Application, Active Directory, Federation Proxy
AWS Cloud (Relying Party): AWS resources such as an Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2

Flow shown in the diagram:
1. The user requests a session from the application.
2, 3. The application and the federation proxy authenticate the user against Active Directory (arrow labels not preserved in the extraction).
4. The federation proxy sends a GetFederationToken request to AWS.
5. GetFederationToken response: access key, secret key, session token.
6. The user receives the session.
7. The application calls AWS APIs with the temporary credentials.

Federation Proxy

• Uses a set of IAM user credentials to call GetFederationToken
• The IAM user's permissions need to be the union of all federated users' permissions; the permissions of each returned token are the intersection of that IAM user's policy and the policy passed in the GetFederationToken request, so the proxy should pass a policy scoped to the user it just authenticated
• The proxy needs to securely store these privileged, long-term credentials
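The union-of-permissions requirement is what makes the proxy's IAM user dangerous, and the Policy parameter of GetFederationToken is the control: the token can only do what both the IAM user policy and the per-request session policy allow. The model below is an added example written for this page, not AWS code and not the deck's; it implements a deliberately minimal IAM policy evaluator (Effect, Action, Resource with `*`/`?` wildcards, no Condition keys), and the bucket name, user names and policies are constructed.

```python
"""Scoping a GetFederationToken call to one federated user.

The federation proxy's IAM user carries the union of every user's permissions,
so each GetFederationToken request should pass a per-user session policy: the
returned credentials can do only what BOTH the IAM user policy and the session
policy allow.  The evaluator is a minimal model written for this example.
"""
import re
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' is a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Evaluate one policy document: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        matches = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])) and \
                  any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def token_allows(proxy_user_policy: Policy, session_policy: Policy, action: str, resource: str) -> bool:
    """Effective permission of credentials from GetFederationToken(Policy=session_policy):
    the intersection of the calling IAM user's policy and the session policy."""
    return is_allowed(proxy_user_policy, action, resource) and is_allowed(session_policy, action, resource)


# Constructed example: the proxy's IAM user may read, write and list one shared bucket
# (hypothetical bucket name) on behalf of every federated user.
PROXY_USER_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}


def session_policy_for(username: str) -> Policy:
    """Session policy the proxy passes for the user it just authenticated against AD:
    objects under that user's own prefix only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::example-reports/{username}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"}]}


if __name__ == "__main__":
    alice = session_policy_for("alice")
    own = "arn:aws:s3:::example-reports/alice/q1.pdf"
    other = "arn:aws:s3:::example-reports/bob/q1.pdf"
    print("alice reads own object:  ", token_allows(PROXY_USER_POLICY, alice, "s3:GetObject", own))
    print("alice reads bob's object:", token_allows(PROXY_USER_POLICY, alice, "s3:GetObject", other))
    # A session policy can only narrow the IAM user's permissions, never widen them.
    wide = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("wide session policy deletes:", token_allows(PROXY_USER_POLICY, wide, "s3:DeleteObject", own))
```

Two properties are worth confirming against the real service: a session policy never grants more than the IAM user holds (the `wide` case above is still denied), and a GetFederationToken call without any Policy returns a federated session with no permissions apart from those granted by resource-based policies that name it, so forgetting the parameter fails closed rather than handing out the union.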

Page 17

Operational Tools and Monitoring

• Security monitoring integration points with CloudTrail and the SIEM aggregator
• Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
• Platform and application health to the SIEM aggregator via an agent on the EC2 guest
• Patching and updates for AMIs and instances pulled from the on-premises update server over the private connection
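CloudTrail is only useful to the SIEM if something looks at the records for the hybrid-specific signals: federation tokens minted from anywhere but the proxy, teardown of the VPN or Direct Connect path, security groups opened to the Internet, console logins without MFA. The rules below are an added example written for this page, not the deck's or AWS's code. The records are constructed and the field names follow the CloudTrail record format, but every event, user name, security group ID, VPN ID and address in them is invented; the proxy source address is an assumption for the example.

```python
"""Detection rules applied to CloudTrail records before they are forwarded to the SIEM."""
import json
from typing import Dict, List

# Constructed sample: one CloudTrail log file with five records (nothing here is real).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2016-03-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "10.10.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
     "requestParameters": {"name": "alice"}},
    {"eventID": "e2", "eventTime": "2016-03-01T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
     "requestParameters": {"name": "alice"}},
    {"eventID": "e3", "eventTime": "2016-03-01T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "10.10.1.30",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e4", "eventTime": "2016-03-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpnConnection", "sourceIPAddress": "10.10.1.30",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "requestParameters": {"vpnConnectionId": "vpn-0123abcd"}},
    {"eventID": "e5", "eventTime": "2016-03-01T09:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Assumption for this example: the federation proxy calls STS only from this on-premises address.
PROXY_SOURCE_IPS = {"10.10.1.20"}

# API calls that tear down the private connection the earlier slides rely on.
CONNECTIVITY_EVENTS = {
    ("ec2.amazonaws.com", "DeleteVpnConnection"), ("ec2.amazonaws.com", "DeleteCustomerGateway"),
    ("ec2.amazonaws.com", "DetachVpnGateway"), ("ec2.amazonaws.com", "DeleteVpnGateway"),
    ("directconnect.amazonaws.com", "DeleteVirtualInterface"),
    ("directconnect.amazonaws.com", "DeleteConnection"),
}


def parse_cloudtrail(text: str) -> List[Dict]:
    """A CloudTrail log file is a JSON object with a single 'Records' array."""
    return json.loads(text)["Records"]


def detect(records: List[Dict], proxy_ips=PROXY_SOURCE_IPS) -> List[Dict]:
    findings: List[Dict] = []

    def flag(rec: Dict, rule: str, severity: str) -> None:
        findings.append({"rule": rule, "severity": severity, "eventID": rec["eventID"],
                         "eventName": rec["eventName"],
                         "user": rec.get("userIdentity", {}).get("userName", "?"),
                         "sourceIP": rec.get("sourceIPAddress", "?")})

    for rec in records:
        name, source = rec["eventName"], rec["eventSource"]
        # 1. A federation token minted from anywhere but the proxy means its long-term keys leaked.
        if name == "GetFederationToken" and rec.get("sourceIPAddress") not in proxy_ips:
            flag(rec, "GetFederationToken from outside the federation proxy", "high")
        # 2. VPN / Direct Connect teardown, which also cuts the SIEM and update-server paths.
        if (source, name) in CONNECTIVITY_EVENTS:
            flag(rec, "Private connectivity change", "medium")
        # 3. A security group opened to the whole Internet (string search covers any rule shape).
        if name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in json.dumps(rec.get("requestParameters", {})):
            flag(rec, "Security group ingress from 0.0.0.0/0", "high")
        # 4. Successful console login without MFA.
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Success" \
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            flag(rec, "Console login without MFA", "medium")
    return findings


def to_siem_line(finding: Dict) -> str:
    """Flatten one finding into a key="value" line for the SIEM collector."""
    return " ".join(f'{k}="{v}"' for k, v in finding.items())


if __name__ == "__main__":
    for f in detect(parse_cloudtrail(SAMPLE_LOG)):
        print(to_siem_line(f))
```

On the sample file the first GetFederationToken (from the proxy's address) passes and the other four records each raise one finding. In production the records come from the CloudTrail S3 bucket shown in the diagram; keep that bucket's policy and the SIEM forwarder's credentials outside the reach of the accounts being monitored, or rule 2 becomes the attacker's first move.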

[Diagram: Direct Connect topology as before; on-premises Update Servers and SIEM Aggregator; in AWS, CloudTrail writing to a CloudTrail S3 bucket, plus CloudWatch, reachable from the SIEM aggregator over the private connection]

Page 18

Integrated Platform

Page 19

Continuous Integration and Deployment

• Automates application deployments to both on-premises servers and AWS EC2 instances with AWS CodeDeploy
• Reuse existing scripts and tools: Bash, PowerShell, Chef, Puppet, anything…
• Integrates with the developer tool chain: GitHub, Jenkins, CloudBees, TravisCI, Eclipse…

[Diagram: Direct Connect topology as before; AWS CodeDeploy and AWS CloudFormation take application revisions from an S3 bucket and deploy through CodeDeploy agents installed on both the on-premises servers and the EC2 instances in the VPC subnets]

Page 20

Managed AWS Services

• AWS managed services:
  – Compute: Amazon ECR/ECS, AWS Lambda, AWS Elastic Beanstalk
  – Storage: Amazon EFS
  – Databases: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache
  – Analytics: Amazon EMR, Amazon Elasticsearch Service, Amazon Kinesis, Amazon Redshift
  – Security: AWS Directory Service, AWS KMS
• Managed services advantages:
  – Flexibility and agility, scalability
  – Security
  – Automated maintenance and upgrades

[Diagram: Direct Connect topology as before; on-premises servers running MySQL and Apache Kafka feed data through an S3 bucket into Amazon Redshift and Amazon EMR in the VPC subnets]

Page 21

Integrated Solution

Page 22

Backup and Archive

• Backup gateways integrated with Amazon S3
  – Leverage Amazon S3 archival to Amazon Glacier
• Take advantage of current investments and solutions for:
  – De-duplication
  – Compression
  – WAN acceleration

[Diagram: Direct Connect topology as before; the on-premises backup system and servers write over iSCSI to AWS Storage Gateway virtual tape libraries (VTL), which store tapes in Amazon S3 and archive them to Amazon Glacier]

Page 23

Hybrid Examples

Page 24

“For our market surveillance systems, we are looking at about 40% [savings with AWS], but the real benefits are the business benefits: We can do things that we physically weren’t able to do before, and that is priceless.”

- Steve Randich, CIO

What FINRA needed
• Infrastructure for its market surveillance platform
• Support for analysis and storage of approximately 30 billion market events every day

Why they chose AWS
• Fulfillment of FINRA's security requirements
• Ability to create a flexible platform using dynamic clusters (Hadoop, Hive, and HBase), Amazon EMR, and Amazon S3

Benefits realized
• Increased agility, speed, and cost savings
• Estimated savings of $10-20m annually by using AWS

Case Study: Re-architecting Compliance

Page 25

“Using AWS helps us reduce a 10-day process to 10 minutes. That’s transformative: it broadens our ability to discover.”

- Peter Phillips, Managing Director

What Aon needed
• Perform actuarial calculations with greater computing power
• Information delivery within shorter time frames and at less cost

Why they chose AWS
• Ability to spin up large numbers of graphics processing units (GPUs) quickly and inexpensively
• Quick delivery of an entire environment and its functionality

Benefits realized
• By processing on AWS, recalculating policies takes minutes rather than hours or days
• Ability to deliver client solutions more quickly, with richer risk assessments

Case Study: High Performance Computing (HPC)

Page 26

What Nasdaq needed
• Replacement of an on-premises legacy warehouse
• Reduction of cost and increase in data capacity

Why they chose AWS (specifically Amazon Redshift)
• Fulfillment of security and regulatory requirements
• Cost efficiencies without sacrificing functionality

Benefits realized
• A system that moves an average of 5.5 billion rows into Amazon Redshift every day (with 14 billion on a peak day in October 2014)
• Ability to increase accessibility of historic data to a growing number of internal groups

“The Nasdaq Group has been a user of Amazon Redshift since it was released and we are extremely happy with it…. Currently, our system is moving an average of 5.5 billion rows into Amazon Redshift every day.”

- Nate Simmons, Principal Architect

Case Study: Big Data Analytics

Page 27

What ISE needed
• The SEC determined that ISE's disaster recovery was not geographically diverse; ISE needed to build a robust and resilient DR solution with a 2-hour RTO

Why they chose AWS
• Global reach to enable geographic diversity
• Performance of products and services
• Easy automation

Benefits realized
• Abstracted away physical infrastructure
• Ability to add capacity as required
• Mobility associated with global reach

Case Study: Re-architecting ISE’s DR Solution

Page 28

Thank you