
Page 1: Deep Dive: Hybrid Architectures

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Deep Dive: Hybrid Architectures

Yinal Ozkan, Global Tech Leader, Financial Services

Page 2: Deep Dive: Hybrid Architectures

Why we are here

• In this webinar, you learn how to evaluate, design, build, and manage distributed applications over hybrid infrastructures using Amazon Web Services.

• This session follows the evolution of a simple legacy data center expansion with basic connectivity into managing complex hybrid applications.

• Along the way, we investigate best practice designs in use by AWS customers. Topics covered include: interconnectivity, availability, security, hybrid networks with Amazon VPC and AWS Direct Connect as well as automated provisioning with AWS CloudFormation, and configuration management with AWS OpsWorks.

Page 3: Deep Dive: Hybrid Architectures

Agenda

• Hybrid architectures and distributed workloads, split tiers
• Layers
  – Data center
  – Network
  – Hypervisors
  – Operating systems
  – Management services
    • AWS OpsWorks
    • AWS CodeDeploy
  – Applications
  – Data
• Example hybrid architectures

Page 4: Deep Dive: Hybrid Architectures

Hybrid architecture perception

"...The brand to watch is Tesla Motors, which jumped from 47 points last year, to fifth position and 88 points this year. Tesla had a strong, very public year, with soaring stock prices, magazine awards, sterling crash-test performance, and even claiming the spot as the top-rated car by Consumer Reports. Innovation, performance, and sleek styling is clearly gaining attention and making a positive impression. By accumulating points in several categories, Tesla was able to raise its overall score. This highlights the value of being good at multiple things, rather than relying on a single facet..."

Consumer Reports 2014 Car-Brand Perception Survey, http://www.consumerreports.org/cro/2014/02/2014-car-brand-perception-survey/index.htm

Page 5: Deep Dive: Hybrid Architectures

Split tiers

Page 6: Deep Dive: Hybrid Architectures

I—Split tiers, AWS front end

[Diagram labels: AWS region; Web Layer; Private Connection; Your Data Center; Internet; App Layer; Database Layer]

Page 7: Deep Dive: Hybrid Architectures

II—Split tiers, on-premises DMZ

[Diagram labels: AWS region; Private Connection; Internet; Web Layer; App Layer; DB Layer; Your Data Center; Web Layer]

Page 8: Deep Dive: Hybrid Architectures

III—Split tiers, one arm

[Diagram labels: AWS region; Private Connection; Internet; App Layer; Web Layer; DB Layer; Web Layer; Your Data Center; App Layer]

Page 9: Deep Dive: Hybrid Architectures

Layers

Page 10: Deep Dive: Hybrid Architectures

Layers

[Diagram: layer stack, top to bottom: Data; Applications; Management Services; Operating Systems; Hypervisors; Network; Data Center. Columns: Legacy DC; AWS; Corporate Data Centers. AWS column, top to bottom: Store, Replicate, Archive; Burst, Scale, 86; Management Services; Operating Systems; Amazon EC2; VPC, Direct Connect; Availability Zones, Regions]

Page 11: Deep Dive: Hybrid Architectures

Data center layer

Page 12: Deep Dive: Hybrid Architectures

101—Data center expansion, dynamic bursting

[Diagram labels: AWS Cloud; Legacy DC]

Page 13: Deep Dive: Hybrid Architectures

101—Data center HA, disaster recovery

[Diagram labels: AWS Cloud; Legacy DC]

Page 14: Deep Dive: Hybrid Architectures

101—Data center compliance/security

[Diagram labels: AWS Cloud; Legacy DC]

Page 15: Deep Dive: Hybrid Architectures

301—Data center layer

• An AWS region is more than a data center
• Availability Zone is a different construct
• Distance determines expansion vs. a new data center
  – Maximum distance for data center expansion
  – Minimum requirements for an independent data center
  – How to measure latency for data center interconnects
• Security and operations mismatch in design

Page 16: Deep Dive: Hybrid Architectures

Network layer

Page 17: Deep Dive: Hybrid Architectures

101—Network layer interconnect

• Routing selection priority—Static, Direct Connect, VPN
• Overlapping routes only via propagated routes
• Use BGP with VPN configuration for faster failover
• If Direct Connect fails, VPN backup for Private VI
• If Direct Connect fails, Internet backup for Public VI

[Diagram labels: Customer Router; Customer Internal Network; Direct Connect Router; EC2 Instances; Internet; Customer Gateway; VPN connection; Amazon S3; Public Traffic; Private Traffic; AWS Region]

Page 18: Deep Dive: Hybrid Architectures

201—Private and public interconnects

Each interface can be associated with a different AWS account. (Hosted Virtual Interfaces)

[Diagram labels: VLAN X; VLAN Y; VLAN Z; VLAN N; virtual private cloud 1; virtual private cloud 2; virtual private cloud N; public endpoints; Region; Direct Connect Location; Direct Connect Router; Customer Router]

Page 19: Deep Dive: Hybrid Architectures

201—Redundancy in AWS Direct Connect connections

• Active/Active links via BGP multi-pathing
• Active/Passive also an option
• AWS ensures different router if same facility
• Can use different facilities and carriers
• Customer can affect return path selection
  – AS-PATH prepend, but not on public
  – More specific route

[Diagram labels: Customer Routers; Customer Internal Network; Direct Connect Routers; Direct Connect Location(s); AWS Region; Amazon S3; EC2 Instances; Public Traffic; Private Traffic. Advertised prefixes and AS-PATHs shown: 10.10.0.0/16 65500; 10.10.0.0/16 65500 65500; 10.10.9.0/24 65500 65500]

Page 20: Deep Dive: Hybrid Architectures

301—Direct Connect interregion

In the US, with a public VIF, use the AWS network to:

• Access public resources in remote US regions
• VPN to a remote US region and emulate a private VIF
• Public VIF + VPN is a common AWS GovCloud (US) scenario

[Diagram labels: Direct Connect, Equinix, San Jose; us-west-1; us-west-2; us-east-1; AWS Private Network; VPN to VGW; Public Traffic; Private Traffic]

Page 21: Deep Dive: Hybrid Architectures

301—Direct Connect interregion

Company establishes Direct Connect to us-west-1 and us-east-1. Which path should be taken to an S3 resource in us-west-2?

• Customer is responsible for their internal routing behaviors
• AWS provides OOB information on region address blocks
• Use BGP Local Pref, for example, for outbound routing
• Use specific routes for inbound routing, avoid asymmetry
• Use BFD for faster routing recovery on link failure

[Diagram labels: Direct Connect, Equinix, San Jose; Direct Connect, Equinix, Ashburn; us-west-1; us-west-2; us-east-1; Customer internal network; Office; Public Traffic; Private Traffic]
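The network-layer slides above state two selection rules without showing them in action: the VPC route table's priority (longest prefix match, then Static over Direct Connect over VPN for the same prefix) and the on-premises return-path steering by AS-PATH prepend or a more specific route, as in the 10.10.0.0/16 / 10.10.9.0/24 annotation. The following is an added example, not code from the deck; the route table, advertisements and link names are constructed, and the path selection is a deliberately reduced model of BGP (only prefix length and AS-PATH length, no other tie-breakers).

```python
from ipaddress import ip_address, ip_network

# Added example, not code from the deck. Models two selection rules the slides
# state: a VPC route table picks the longest prefix match, then for equal
# prefixes prefers Static over Direct Connect over VPN propagated routes; the
# on-premises return path can be steered by AS-PATH prepending (a longer path
# loses) or by advertising a more specific route (which wins regardless of
# path length). Real BGP applies more tie-breakers; this is a reduced model.

SOURCE_PRIORITY = {"static": 0, "direct_connect": 1, "vpn": 2}

def select_vpc_route(routes, destination):
    """routes: (cidr, source, target). Longest prefix first, then SOURCE_PRIORITY."""
    dst = ip_address(destination)
    matches = [r for r in routes if dst in ip_network(r[0])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r[0]).prefixlen,
                                       SOURCE_PRIORITY[r[1]]))

def select_return_path(adverts, destination):
    """adverts: (cidr, as_path, link). Longest prefix first, then shortest AS-PATH."""
    dst = ip_address(destination)
    matches = [a for a in adverts if dst in ip_network(a[0])]
    if not matches:
        return None
    return min(matches, key=lambda a: (-ip_network(a[0]).prefixlen, len(a[1])))

# Constructed VPC route table: 10.10.0.0/16 learned over both Direct Connect and
# the VPN backup, a more specific /24 that only the VPN propagates, and a static
# route that shares its prefix with a propagated one.
VPC_ROUTES = [
    ("10.10.0.0/16", "vpn", "vgw (VPN)"),
    ("10.10.0.0/16", "direct_connect", "vgw (Direct Connect)"),
    ("10.10.9.0/24", "vpn", "vgw (VPN)"),
    ("10.20.0.0/16", "static", "vgw (static)"),
    ("10.20.0.0/16", "direct_connect", "vgw (Direct Connect)"),
]

# Constructed advertisements mirroring the slide annotation: link A announces
# 10.10.0.0/16 with AS-PATH 65500, link B the same prefix prepended (65500 65500)
# plus a more specific 10.10.9.0/24.
ADVERTS = [
    ("10.10.0.0/16", [65500], "link A"),
    ("10.10.0.0/16", [65500, 65500], "link B"),
    ("10.10.9.0/24", [65500, 65500], "link B"),
]

if __name__ == "__main__":
    for ip in ("10.10.4.1", "10.10.9.7", "10.20.1.1"):
        print(ip, "->", select_vpc_route(VPC_ROUTES, ip)[2])
    for ip in ("10.10.4.1", "10.10.9.7"):
        print(ip, "returns via", select_return_path(ADVERTS, ip)[2])
```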

Page 22: Deep Dive: Hybrid Architectures

Hypervisor layer

Page 23: Deep Dive: Hybrid Architectures

101—Bidirectional gold image replication

[Diagram labels: AWS Cloud; Legacy DC; EC2 AMIs; VM Images]

Page 24: Deep Dive: Hybrid Architectures

vCenter image migration

1. The vSphere client authorizes import to the environment.
2. The management portal verifies that the user has permission to migrate VMs to the environment and returns a token.
3. The vSphere client sends an import request to the connector along with the token.
4. The connector verifies the token.
5. The connector verifies that the user has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to the vSphere client with the import task ID.

[Diagram labels: Your Data Center; vSphere Client; AWS Management Portal for vCenter; EC2; AWS Connector; VM Import; vCenter Server; Federation Proxy; steps 1 to 7]

Page 25: Deep Dive: Hybrid Architectures

Management services layers

Page 26: Deep Dive: Hybrid Architectures

101—AWS Directory Service

o Deploys in two modes
  – Directory Service Connect
  – Simple AD—built on Samba 4, Active Directory compatible server
o Simplifies AWS IAM federation
  – Avoids complexity and cost of hosting SAML-based federation infrastructure
o Acts as a proxy—no data is stored on AWS infrastructure
o Supports existing RADIUS-based MFA
o Requires IPSec VPN or Direct Connect connectivity

[Diagram labels: AWS Directory Service Connect; Corporate data center; Users; AD.Domain; Servers; Domain controller; VPC subnet; Availability Zone; Security group; Virtual Gateway]

Page 27: Deep Dive: Hybrid Architectures

Bring your own Active Directory

• Domain controllers launched in internal VPC
• Internal VPC instances join domain upon launch
• Instances use Dynamic DNS to register both A and PTR records
• Domain controller replicates with corporate AD servers
• VPC DNS forwarding to corporate DNS

[Diagram labels: AWS region; Public Facing Web App; Internal Corporate App; VPN Connection; Corporate Data Center; corp.example.com AD Controller; Domain Controller + DNS; example.com DNS; AD Replication; Domain Join + DNS Queries; DNS Forward Requests; New Instance: friendly-vpc-123.corp.example.com]

Page 28: Deep Dive: Hybrid Architectures

101—Identity federation

[Diagram: Customer (Identity Provider) on the left, AWS Cloud (Relying Party) on the right. Labels: User; Application (APP); Active Directory; Federation Proxy; AWS Resources; Amazon S3 Bucket with Objects; Amazon DynamoDB; Amazon EC2. Steps: 1 Request Session; 2; 3; 4 Get Federation Token Request; 5 Get Federation Token Response (Access Key, Secret Key, Session Token); 6 Receive Session; 7 Call AWS APIs]

Federation Proxy

• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials

Page 29: Deep Dive: Hybrid Architectures

Resource tracking and cost allocation

Tag and describe your infrastructure

• Describe every AWS object through an API call
• Resources in AWS can have custom tags
• Custom tags can be used to control permissions and allocate costs, enabling charge-back of services usage
• Dynamically generate a full inventory
• Visualize your AWS infrastructure in real time

Name: APAWSIN001
Purpose: Production
Application: SharePoint Farm 03
Business Unit: Marketing
Cost Centre: 2384234
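An inventory check built on the tag set shown on the slide, as an added example that is not code from the deck: it takes resources in the shape the EC2 Describe* calls return (a Tags list of Key/Value pairs), reports which lack the required keys, and rolls spend up by Cost Centre for charge-back. The instance ids, costs and the partially tagged resources are constructed.

```python
# Added example, not code from the deck. Given resources in the shape the EC2
# Describe* calls return (a Tags list of Key/Value pairs), report which lack
# the tag keys shown on the slide and roll spend up by Cost Centre. Untagged
# spend is kept visible rather than dropped, since invisible cost is what a
# charge-back scheme is meant to prevent. Inventory and costs are constructed.

REQUIRED_TAGS = ("Name", "Purpose", "Application", "Business Unit", "Cost Centre")

INVENTORY = [  # constructed sample; instance ids and costs are made up
    {"id": "i-0aaa", "monthly_cost": 120.0, "Tags": [
        {"Key": "Name", "Value": "APAWSIN001"},
        {"Key": "Purpose", "Value": "Production"},
        {"Key": "Application", "Value": "SharePoint Farm 03"},
        {"Key": "Business Unit", "Value": "Marketing"},
        {"Key": "Cost Centre", "Value": "2384234"}]},
    {"id": "i-0bbb", "monthly_cost": 40.0, "Tags": [
        {"Key": "Name", "Value": "APAWSIN002"},
        {"Key": "Cost Centre", "Value": "2384234"}]},
    {"id": "i-0ccc", "monthly_cost": 75.0, "Tags": []},
]

def tags_of(resource):
    """Flatten the Describe-style Tags list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}

def missing_tags(resource, required=REQUIRED_TAGS):
    """Required keys that are absent or empty on this resource, in slide order."""
    tags = tags_of(resource)
    return [key for key in required if not tags.get(key)]

def non_compliant(inventory, required=REQUIRED_TAGS):
    """Map of resource id -> missing keys, for everything that fails the check."""
    report = {}
    for resource in inventory:
        missing = missing_tags(resource, required)
        if missing:
            report[resource["id"]] = missing
    return report

def cost_by_cost_centre(inventory):
    """Charge-back roll-up; spend with no Cost Centre tag stays visible as UNALLOCATED."""
    totals = {}
    for resource in inventory:
        centre = tags_of(resource).get("Cost Centre") or "UNALLOCATED"
        totals[centre] = totals.get(centre, 0.0) + resource["monthly_cost"]
    return totals

if __name__ == "__main__":
    print(non_compliant(INVENTORY))
    print(cost_by_cost_centre(INVENTORY))
```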

Page 30: Deep Dive: Hybrid Architectures

101—Operations and security integration

o Security monitoring integration points with AWS CloudTrail and SIEM Aggregator
o Logging with CloudTrail and SNMP MIBs to SIEM Aggregator
o Platform and app health to SIEM Aggregator via agent on EC2 guest
o Amazon CloudWatch Logs provide scalable low cost log aggregation
o Access to patching and updates for AMI by on-premises update server

[Diagram labels: VPC subnet; Availability Zone; Security group; Virtual Gateway; Corporate data center; Users; Data center router; Update Servers; Connectivity; CloudTrail; CloudWatch; SIEM Aggregator]

Page 31: Deep Dive: Hybrid Architectures

Operations on AWS

Integrating AWS into your operations

• Amazon CloudWatch provides real-time insight into your AWS services, integrate your own metrics, create and act on alarms
• Amazon SNS allows integration with your alerting systems
• Your current tools still work—install on EC2 instance
• Your tools already have AWS API integration
• Established processes don’t get thrown away

Page 32: Deep Dive: Hybrid Architectures

Automation with AWS OpsWorks

Page 33: Deep Dive: Hybrid Architectures

101—AWS OpsWorks

Page 34: Deep Dive: Hybrid Architectures

101—Integration points with AWS

• Amazon RDS

• Elastic Load Balancing

• Amazon CloudWatch

• AWS CloudFormation

• AWS CloudTrail

• AWS IAM

• HAProxy

• Ruby, Node.js, Java, PHP, Static Web

• Ganglia

• Memcached

• MySQL

Page 35: Deep Dive: Hybrid Architectures

201—It works on AWS and on legacy infrastructure

Page 36: Deep Dive: Hybrid Architectures

201—On-premises availability

• Launched on December 8, 2014
• 2 cents an hour—includes 14 one-minute host-level metrics on CloudWatch

Page 37: Deep Dive: Hybrid Architectures

Some customer challenges

• Automating deployments

• Eliminating manual operations

• Minimizing deployment downtime

• Scaling deployments as infrastructure grows

Page 38: Deep Dive: Hybrid Architectures

201—Scale out/move

Prepare for large events that exceed your own data center capacity in terms of infrastructure or bandwidth.

[Diagram labels: On premises; AWS; DB read; DB write]

Page 39: Deep Dive: Hybrid Architectures

201—Move test and dev to AWS

Ease the load in your existing data center by moving environments to AWS OpsWorks. Provide in minutes as many controlled and secure stacks for test and development to your QA teams or developers.

[Diagram labels: prod; test; staging; dev1; dev2]

Page 40: Deep Dive: Hybrid Architectures

301—What you didn’t know

• You can override any part of a cookbook and you win
• Proxy support—you are one step closer to legacy infrastructure
• Docker integration
• Vagrant support
• Use Packer
• Besides on-premises, you can start using OpsWorks with your current EC2 instances through EC2 import. It enables features like script execution on EC2 and gives you 14 1-minute CloudWatch metrics.
• Ansible?
• Faster boot time with GP2
• Instance profiles

Page 41: Deep Dive: Hybrid Architectures

101—AWS CodeDeploy

• Automated application deployments to EC2, and soon to any Internet-connected computer
• Consistent and reliable releases, without downtime
• Works on AWS
• Works on legacy

Page 42: Deep Dive: Hybrid Architectures

301—What you didn’t know

• Based on Apollo, used by Amazon for on-premises and cloud deployments for over a decade
• Apollo performed 50 million deployments in a 12 month period
• Does AZ striping when deploying across multiple AZs to maximize redundancy
• Starts deployments with instances in a stale or broken state to maximize fleet health

Page 43: Deep Dive: Hybrid Architectures

Data layer

Page 44: Deep Dive: Hybrid Architectures

101—Data redundancy

o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like
  – De-duplication
  – Compression
  – WAN acceleration

[Diagram labels: Corporate data center; Amazon S3; Amazon Glacier; Application server; Virtual server; File server; Database server; Backup system; AWS Storage Gateway; iSCSI]

Page 45: Deep Dive: Hybrid Architectures

101—Data expansion

o Virtual volumes presented to local network iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway side encryption for security

[Diagram labels: Corporate data center; Amazon S3; Application server; Virtual server; File server; Database server; Storage appliance; AWS Storage Gateway; iSCSI. AWS Marketplace Partners: Cloud ONTAP Secure Cloud-Integrated Backup; Panzura Global NAS]

Page 46: Deep Dive: Hybrid Architectures

Hybrid architecture examples

Page 47: Deep Dive: Hybrid Architectures

Kellogg’s—SAP HANA hybrid deployment

[Diagram labels: Corporate Data Center; Amazon Virtual Private Cloud (VPC); Availability Zone; VPC Subnet; BW ABAP 7.31/NW JAVA 7.40; BW BI-JAVA; DEV and QA: 2 X 244 GB nodes each; UAT/DR and PRD: BW BI-JAVA, Web Disp, SAP HANA, 5 X 0.5 TB nodes each; Internet; SAP OSS. A = Virtual Private Gateway; B = Customer Gateway; C = VPN Connection]

Page 48: Deep Dive: Hybrid Architectures

Auth0—Running in multiple cloud providers

Page 49: Deep Dive: Hybrid Architectures

Architecture of a financial services grid computing

Page 50: Deep Dive: Hybrid Architectures

Q & A

Page 51: Deep Dive: Hybrid Architectures

NEW YORK
