Migrating a portfolio of legacy applications to AWS cloud infrastructure requires careful planning, as each phase must balance risk tolerance against migration speed. This session presents a set of proven best practices, tools and techniques that speed up delivery and increase the success rate of a migration. We also cover the complete lifecycle of an application portfolio migration, with a special focus on how to organise and conduct the assessment and how to identify the elements that can benefit from cloud architecture.
20. AWS Virtual Private Network (IPSec VPN)
- IPSec hardware VPN connection. Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9
- Encryption and validation
- Private RFC 1918 addressing
- Uses Border Gateway Protocol (BGP) for routing and fail-over
- The VPN service provides managed, redundant end-points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
[Diagram: corporate data center (users, data center router, servers) connected over the Internet by an IPSec VPN to a Virtual Gateway in front of two VPC subnets, each in its own Availability Zone with a Security Group]
29. AWS region
[Diagram: an AWS region hosting a public-facing web app, a public app with back-end integration, a private app with back-end integration and core/shared services, linked to your data center through an AWS Direct Connect location]
30. AWS Direct Connect
- Requires Layer 2 single-mode fiber, 1000BASE-LX or 10GBASE-LR
- Requires 802.1Q VLANs across the connection
  - Tagging of IP traffic
- Routing uses BGP, active/active or active/passive multipath
- Each DX connection is mapped to a single AWS Region
- Various partners are available for every Region
http://aws.amazon.com/directconnect/
[Diagram: corporate data center (users, data center router, servers) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway in front of two VPC subnets, each in its own Availability Zone with a Security Group]
31. With AWS regions just another spoke on your global network, it's easy to bring the cloud to you as you expand around the world.
[Diagram: customer MPLS backbone linking a US customer data center, an EU customer data center and an AP customer data center, with AWS Direct Connect PoPs into US-West-1 (Virginia or NYC), EU-West-1 (Ireland or London) and AP-Southeast-1 (Singapore)]
32. On-premises IT mapped to Cloud Services
    Datacenter     -> Regions, AZs
    Network        -> VPC, Direct Connect
    Access Control -> IAM, Directory Services
33. Active Directory and LDAP
- Reduced back-reach traffic
- Reduced latency for authentication
- Additional resiliency
- Enablement of both:
  - Multi-master read/write Domain Controllers
  - Read-only Domain Controllers (RODCs)
  Note: requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/
[Diagram: corporate data center (users, data center router, servers, AD domain controller) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups each host a domain controller of the same AD domain, with Active Directory replication across the link]
34. AWS Directory Service
- Deploys in two modes
  - Directory Service Connect
  - Simple AD, built on a Samba 4 Active Directory-compatible server
- Simplifies IAM federation
  - Avoids the complexity and cost of hosting SAML-based federation infrastructure
  - Acts as a proxy: no data is stored on AWS infrastructure
  - Supports existing RADIUS-based MFA
  Note: requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
[Diagram: data center (users, data center router, servers, AD domain controller) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups host AD Connector instances that proxy to the on-premises AD domain]
35. Integrate identity management with AWS
- Secure access to AWS resources using your IDM
- Provide SSO to the AWS Management Console or APIs
- Build your own SSO federation using the AWS STS service, or
- Federate with on-premises directories such as Active Directory, TFIM, OAM or another SAML 2.0-compliant IdP
36. AWS Federation/Account Governance
[Diagram: multi-account structure. Billing account (financial users and controllers) with consolidated billing and billing alerts; non-prod accounts #1 and #2 (dev/test/sandbox) used by software development; production account #1 used by app owners and DevOps teams; a user management account operated by the global AWS admin; a security/audit account for SOC/auditors with read-only access to all accounts]
37. On-premises IT mapped to Cloud Services
    Datacenter     -> Regions, AZs
    Network        -> VPC, Direct Connect
    Hypervisors    -> AMIs, EC2 instances
    Access Control -> IAM, Directory Services
40. vCenter Image Migration
1. The vSphere client authorizes the import to the environment.
2. The management portal verifies that the user has permission to migrate VMs to the environment and returns a token.
3. The vSphere client sends an import request to the connector along with the token.
4. The connector verifies the token.
5. The connector verifies that the user has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to the vSphere client with the import task ID.
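The seven-step flow above separates two authorization decisions: the portal decides whether the user may import into the environment (and issues a token saying so), and the connector independently decides whether the user may export the specific VM. The following is an added, hypothetical model of that split, written for this page and not the code of the AWS Management Portal for vCenter; the shared key, user names, environment names and VM names are constructed, and the token format (HMAC-signed JSON claims with an expiry) is an assumption chosen to show what "verifies the token" has to cover.

```python
import base64, hashlib, hmac, json, time
from typing import Dict, Optional, Set

# Key shared by the portal and the connector. Constructed for this example;
# a real deployment would load it from a key store, never from source code.
PORTAL_CONNECTOR_KEY = b"example-shared-secret-not-for-production"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Step 2: the portal checks the user's right to migrate into the environment,
# then issues a short-lived token bound to that user and environment.
def issue_token(user: str, env: str, permitted: Dict[str, Set[str]],
                ttl_s: int = 300, now: Optional[int] = None) -> Optional[str]:
    if env not in permitted.get(user, set()):
        return None                      # no permission, no token
    exp = int(time.time() if now is None else now) + ttl_s
    body = json.dumps({"sub": user, "env": env, "exp": exp}, sort_keys=True).encode()
    sig = hmac.new(PORTAL_CONNECTOR_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

# Step 4: the connector trusts the claims only after checking signature and expiry.
def verify_token(token: str, now: Optional[int] = None) -> Optional[Dict]:
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(PORTAL_CONNECTOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= int(time.time() if now is None else now):
        return None
    return claims

# Steps 4 to 7: handle an import request; returns a task id or the refusal reason.
def handle_import(token: str, vm: str, env: str, vm_exporters: Dict[str, Set[str]],
                  now: Optional[int] = None) -> Dict:
    claims = verify_token(token, now)
    if claims is None:
        return {"error": "invalid or expired token"}
    if claims["env"] != env:
        return {"error": "token not issued for this environment"}
    # Step 5: the connector enforces its own export permission on the VM.
    if claims["sub"] not in vm_exporters.get(vm, set()):
        return {"error": "user may not export this VM"}
    # Steps 6 and 7: start the migration and hand back a task id.
    seed = f"{claims['sub']}:{vm}:{env}:{claims['exp']}".encode()
    return {"task_id": hashlib.sha256(seed).hexdigest()[:12]}
```

The connector never accepts the portal's token as proof of VM-level rights; a valid token only proves the environment-level decision was made, which is why step 5 is a separate check.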
42. On-premises IT mapped to Cloud Services
    Datacenter               -> Regions, AZs
    Network                  -> VPC, Direct Connect
    Hypervisors              -> AMIs, EC2 instances
    Access Control           -> IAM, Directory Services
    Development & Operations
43. Integrating AWS into your operations
- AWS CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create alarms and act on them
- AWS SNS allows integration with your alerting systems
- Your current tools still work: install them on an EC2 instance
- Your tools already have AWS API integration
- Established processes don't get thrown away
44. Operations Tools and Monitoring
- Security monitoring integration points with CloudTrail and the SIEM aggregator
- Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
- Platform and application health to the SIEM aggregator via an agent on the EC2 guest
- Access to patching and updates for AMIs from the on-premises update server
[Diagram: data center (users, data center router, update servers, SIEM aggregator) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups, with CloudTrail and CloudWatch feeding the SIEM and CloudTrail logs landing in an S3 bucket]
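The CloudTrail integration point above means the SIEM receives the JSON log files CloudTrail writes to the S3 bucket. The following is an added example, not code from this deck, of the kind of detection logic a SIEM rule would run over those records: the three records are constructed (the field names follow the CloudTrail record format, the values are made up), and the corporate egress prefix is an assumed value.

```python
import json
from typing import Dict, List

# Constructed sample CloudTrail log body; values are invented for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-06-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-06-01T09:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "corp-trail"}},
]})

# Source prefixes the SIEM treats as expected console logins (assumed value).
CORPORATE_EGRESS = ("203.0.113.",)
# API calls that switch off or alter the audit trail itself.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def classify(rec: Dict) -> List[str]:
    """Return the alert tags one CloudTrail record triggers (empty list = benign)."""
    tags: List[str] = []
    if rec.get("userIdentity", {}).get("type") == "Root":
        tags.append("root-account-used")
    if rec.get("eventName") == "ConsoleLogin":
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            tags.append("console-login-without-mfa")
        if not rec.get("sourceIPAddress", "").startswith(CORPORATE_EGRESS):
            tags.append("console-login-from-unexpected-ip")
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in AUDIT_TAMPERING):
        tags.append("cloudtrail-tampering")
    return tags

def scan_trail(raw_json: str) -> List[Dict]:
    """Parse one CloudTrail log file body and return a finding per alerting record."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        tags = classify(rec)
        if tags:
            ident = rec.get("userIdentity", {})
            findings.append({"time": rec["eventTime"], "event": rec["eventName"],
                             "actor": ident.get("userName", ident.get("type")),
                             "tags": tags})
    return findings

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_TRAIL):
        print(finding)
```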
45. Continuous Integration and Deployment
- Automates application deployments for both on-premises and AWS EC2 instances using CodeDeploy
- Reuse existing scripts and tools
  - Bash, PowerShell, Chef, Puppet, anything...
- Integrate with the developer tool chain
  - GitHub, Jenkins, CloudBees, TravisCI, Eclipse...
[Diagram: data center (users, data center router, servers running the CodeDeploy agent) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups host EC2 instances running the agent, deployed by AWS CodeDeploy and AWS CloudFormation from an S3 bucket]
46. On-premises IT mapped to Cloud Services
    Datacenter               -> Regions, AZs
    Network                  -> VPC, Direct Connect
    Hypervisors              -> AMIs, EC2 instances
    Access Control           -> IAM, Directory Services
    Data storage & Applications
    Operations & Automation
47. Storage Expansion
- Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
- Local disk cache to provide fast on-premises access
- Gateway-side encryption for security
[Diagram: corporate data center (users, data center router, servers and an iSCSI storage appliance attached to an AWS Storage Gateway) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups each run an AWS Storage Gateway backed by Amazon S3]
48. Backup & Archiving
- Backup gateways integrated with Amazon S3
- Leverage Amazon S3 archival to Amazon Glacier
- Take advantage of current investments and solutions for options such as:
  - De-duplication
  - Compression
  - WAN acceleration
[Diagram: data center (users, data center router, servers and a backup system writing to an iSCSI VTL on an AWS Storage Gateway) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers and a Virtual Gateway; two VPC subnets in separate Availability Zones with Security Groups each run an AWS Storage Gateway VTL backed by Amazon S3 and archived to Amazon Glacier]
51. SAP HANA production-ready with up to 244 GiB of RAM + clustering
http://aws.amazon.com/blogs/aws/sap-hana-production-ready-on-aws/
52. SAP HANA Hybrid deployment
[Diagram: corporate data center connected over the Internet to an Amazon VPC (one Availability Zone, one VPC subnet) through A = Virtual Private Gateway, B = Customer Gateway, C = VPN Connection; SAP OSS reachable from the Internet. Landscape: BW ABAP 7.31 / NW JAVA 7.40 with BW BI-JAVA; DEV and QA on 2 x 244 GB nodes each; UAT/DR and PRD each with BW BI-JAVA, Web Dispatcher and SAP HANA on 5 x 0.5 TB nodes]
53. Extend Local Applications Capabilities:
- Amazon WorkSpaces, WorkDocs, WorkMail
- Amazon Redshift
- Amazon ML
- Amazon CloudSearch
- Amazon CloudHSM
- Amazon SES
- Amazon SWF
- ...
69. Reference hybrid architecture
[Diagram: one Region and Availability Zone with VPC Subnets A to G hosting SmartSentinel, a Bastion Host, Active Directory, Databases, Applications, File Servers and a Proxy Server, plus S3 buckets with objects; on-premises Data Centre A reaches the VPC over a site-to-site VPN and Data Centre B over AWS Direct Connect, while Remote Desktops connect over the Internet via a client-to-site VPN]
85. AWS Cloud Adoption Framework
Describes the perspectives in planning, creating, managing, and supporting a modern IT service.
Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments.
http://bit.ly/AWSCAF
Perspectives: People, Process, Security, Maturity, Operations, Business, Platform