Migrating a portfolio of legacy applications to AWS cloud infrastructure requires careful planning as each phase needs balancing between risk tolerance and the speed of migration. This session will present a set of successful best practices, tools and techniques that help migration speed of delivery and increase success rate. We will also cover the complete lifecycle of an application portfolio migration including a special focus on how to organise and conduct the assessment and identify elements that can benefit from cloud architecture.

1. A Pragmatic Approach to
Workload Migrations
Carlos Conde – Technology Evangelist

2. Many
enterprises
worry
that
these
are
the
only
two
choices:
Build a
“Private” Cloud
Rip everything out
and move to AWS
#1 #2

3. Cloud
isn’t
an
“All
or
Nothing”
choice
Corporate
Data Centers
On-­Premises
Resources
Cloud
Resources
Integration

4. SPEED & AGILITY
Infrastructure in minutes, not weeks.

5. COST REDUCTION
50 price reductions since 2006.
Replace capital expenditure with variable expense.

7. AWS Assurance Programs
aws.amazon.com / compliance

8. FOCUS ON YOUR BUSINESS
No time & resources spent on undifferentiated IT.
Prepare full migration to AWS.

9. HYBRID WORKLOADS
Dev & Test environments • Burst capacity •
Highly secure apps • App migration • Storage &
Archiving • Disaster recovery • Production app
enrichment • Load testing • Remote monitoring •
etc.

10. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Hypervisors AMIs, EC2 instances
Access Control IAM, Directory Services
Data storage & Applications
Development & Operations

11. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services

12. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect

13. Oracle Secure
Backup Module
Oracle RMan Ú Amazon S3

14. RESTORE TIMES REDUCED FROM 15 TO 2½ HOURS

15. Amazon
Storage Gateway
Virtual tape library
On-­premises snapshots to AWS

20. AWS Virtual Private Network (IPSec VPN)
o IPSec hardware VPN connection
Supported VPN appliances:
https://aws.amazon.com/vpc/faqs/#C9
o Encryption and Validation
o Private RFC 1918 Addressing
o Uses Border Gateway Protocol (BGP)
for routing and fail-­over
o VPN Service provides managed
redundant end-­points
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide
/VPC_VPN.html
Virtual
Gateway
Corporate
data
center
Users
Data
center
router
Servers
Internet
IPSec
VPN
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group

21. DEV & TEST ENVIRONMENTS

28. AWS region
Web
layerPrivate
connection
Your data center
Internet
Application
layer
Database
layer
Auto Scaling

29. AWS region
Public-­facing
web app
Public app
w/back-­end
integration
Your Data
Center
Private app
w/back-­end
integration
Core/shared
services
AWS Direct Connect
Location

30. AWS Direct Connect
o Requires Layer 2 single mode fiber
1000BASE-­LX or 10GBASE-­LR
o Requires 802.1Q VLANs across
connection.
Ø Tagging of IP traffic
o Routing uses BGP A/A or A/P
multipath.
o Each DX is mapped to a single AWS
Region
o Various Partners for every Region
http://aws.amazon.com/directconnect/
Virtual
Gateway
Corporate
data
center
Users
Data
center
router
Servers
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group
Customer
router
AWS
Direct
Connect
Location
AWS
Direct
Connect
routers

31. With AWS regions just another spoke on your global network,
it’s easy to bring the cloud to you as you expand around the world.
US customer
data center
EU-­West-­1 region
EU customer
data center
Customer MPLS
backbone
AWS Direct
Connect PoP
Ireland or London
US-­West-­1 region
AWS Direct
Connect PoP
Virginia or NYC
AP-­Southeast-­1
region
AWS Direct
Connect PoP
Singapore
AP customer
data center

32. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Access Control IAM, Directory Services

33. AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
Active Directory and LDAP
o Reduced back-­reach Traffic
o Reduced Latency for Authentication
o Additional Resiliency
o Enablement of both:
Ø Multi-­Master Read/Write Domain
Controllers
Ø Read-­only Domain Controllers (RODCs)
² Requires IPSec VPN or Direct Connect
connectivity
http://aws.amazon.com/microsoft/whitepapers/ad-­reference-­
architecture/
Virtual
Gateway
Corporate
data
center
Users
Data
center
router
Servers
VPC
Subnet
Availability
Zone
Security
Groups
VPC
Subnet
Availability
Zone
Security
Groups
AD.Domain
Domain
controller
Domain
controller
Domain
controller
Active
Directory
Replication
Customer
router

34. AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
AWS Directory Service
o Deploys in two modes
Ø Directory Service Connect
Ø Simple AD -­ built on Samba 4 Active
Directory compatible server
o Simplifies IAM Federation
Ø Avoids complexity and cost of hosting
SAML-­based federation infrastructure
Ø Acts as a proxy -­ no data is stored on
AWS infrastructure
Ø Supports existing RADIUS-­based MFA
² Requires IPSec VPN or Direct Connect
connectivity
http://aws.amazon.com/directoryservice/
Virtual
Gateway
data
center
Users
Data
center
router
Servers
VPC
Subnet
Availability
Zone
Security
Groups
VPC
Subnet
Availability
Zone
Security
Groups
AD.Domain
Domain
controller
AD
Connector
AD
Connector
AD
Connector
Customer
router

35. Integrate identity management with AWS
• Secure access to AWS resources using your IDM
• Provide SSO to AWS Management Console or API’s
• Build your own SSO federation using AWS STS service, or
• Federate with on-­premise directories like Active Directory,
TFIM, OAM or another SAML 2.0 compliant IdP

36. AWS Federation/Account Governance
Financial
users,
controllers SOC/AuditorsGlobal
AWS
admin
Billing
account
Software
development
Non-­‐prod
account
#1
Production
account
#1
User
management
account
Security
/
Audit
account
Non-­‐prod
account.
#2
App
owners
DevOps teams
Security/auditProductionDev/test/sandboxFinancial
Consolidated
Billing,
Billing
Alerts
Read-­‐only
access
for
all
accounts

37. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Hypervisors AMIs, EC2 instances
Access Control IAM, Directory Services

38. Management
Portal for vCenter
Management Pack
for SCOM
Systems Manager
for SCVMM

39. AWS Management Portal for vCenter

40. vCenter Image Migration
1. The vSphere client authorizes
import to the environment.
2. The management portal verifies
that the user has permission to
migrate VMs to the environment
and returns a token.
3. The vSphere client sends an
import request to the connector
along with the token.
4. The connector verifies the token.
5. The connector verifies that the user
has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to
the vSphere client with the import
task ID.

41. Bidirectional Gold Image Replication
AWS Cloud
Legacy DC
EC2 AMIs
VM Images

42. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Hypervisors AMIs, EC2 instances
Access Control IAM, Directory Services
Development & Operations

43. Integrating AWS into your operations
•
AWS CloudWatch provides real-­time insight into your AWS
services, integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work – install on EC2 instance
• Your tools already have AWS API integration
• Established processes don’t get thrown away

44. AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
Operations Tools and Monitoring
o Security Monitoring integration
points with with CloudTrail and
SIEM Aggregator.
o Logging with CloudTrail and SNMP
MIBs to SIEM Aggregator.
o Platform and App Health to SIEM
Aggregator via agent on EC2 guest.
o Access to Patching and Updates for
AMI by on premises Update Server.
Virtual
Gateway
data
center
Users
Data
center
router
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group
Update
Servers
SIEM
Aggregator
CloudTrail
CloudWatch
CloudTrail
S3
Bucket
Customer
router

45. Customer
router
AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
Continuous Integration and Deployment
o Automates application deployments
for both On-­Premise and AWS EC2
instances with use of CodeDeploy
o Reuse existing scripts and tools
Ø Bash, PowerShell, Chef,
Puppet, anything…
o Integrate with developer tool chain
Ø GitHub, Jenkins, CloudBees,
TravisCI, Eclipse…
Virtual
Gateway
data
center
Users
Data
center
router
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group
AWS
CodeDeployServers
AWS
CloudFormation
S3 bucket
AgentAgentAgent
AgentAgentAgent

46. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Hypervisors AMIs, EC2 instances
Access Control IAM, Directory Services
Data storage & Applications
Operations & Automation

47. Customer
router
AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
Storage
Expansion
o Virtual volumes presented to
local network iSCSI, NFS
and CIFS volumes
o Local disk cache to provide
fast on-­premises access
o Gateway side encryption for
security
Virtual
Gateway
Corporate
data
center
Users
Data
center
router
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group
Amazon
S3
AWS
Storage
Gateway
iSCSI
Storage
Appliance
AWS
Storage
Gateway
iSCSI
Servers
AWS
Storage
Gateway

48. Customer
router
AWS
Direct
Connect
Location
AWS
Direct
Connect
routers
Backup &
Archiving
o Backup gateways
integrated with Amazon S3
o Leverage Amazon
S3 archival to
Amazon Glacier
o Take advantage of current
investments and solutions
for options
o De-­duplication
o Compression
o WAN Acceleration
Virtual
Gateway
data
center
Users
Data
center
router
VPC
Subnet
Availability
Zone
Security
Group
VPC
Subnet
Availability
Zone
Security
Group
Amazon
S3
Amazon
Glacier
VTL
AWS
Storage
Gateway
iSCSI
Backup
System
VTL
AWS
Storage
Gateway
iSCSI
Servers
VTL
AWS
Storage
Gateway

51. SAP HANA Production ready with up to 244 GiB of
RAM + clustering
http://aws.amazon.com/blogs/aws/sap-­hana-­production-­ready-­on-­aws/

52. – SAP HANA Hybrid deployment
Corporate Data Center
Amazon Virtual Private Cloud (VPC)
Availability Zone
VPC Subnet
BW ABAP 7.31 / NW JAVA 7.40
BW BI-­JAVA
DEV QA
2 X 244 GB nodes 2 X 244 GB nodes
BW BI-­JAVA
Internet
SAP OSS
BA
C
A = Virtual Private Gateway
B = Customer Gateway
C = VPN Connection
UAT / DR PRD
BW BI-­JAVA BW BI-­JAVA
Web Disp
Web Disp
HANA
5 X 0.5 TB nodes 5 X 0.5 TB nodes
SAP
HANA
SAP
HANA
SAP
HANA
SAP
HANA

53. Extend Local Applications Capabilities:
Amazon WorkSpaces, WorkDocs, Workmail
Amazon Redshift
Amazon ML
Amazon CloudSearch
Amazon CloudHSM
Amazon SES
Amazon SWF
…

54. BACKUPS + APPS + IAM
è DISASTER RECOVERY

55. SCENARIO #1
COLD DR

59. SCENARIO #2
WARM DR

62. SCENARIO #3
INTERNAL APP

69. VPC Subnet B
Region
Availability Zone
Client-to-site VPN Site-to-site VPN
S3 Buckets
with Objects
Bastion Host
Internet
On-premise
Data Centre A
Remote
Desktops
AWS Direct Connect
On-premise
Data Centre B
VPC Subnet D VPC Subnet F
Databases
VPC Subnet E
Applications
VPC Subnet A
SmartSentinel
VPC Subnet G
File
Servers
VPC Subnet C
Active
Directory
Proxy Server

70. SCALABILITY
MAINTAINABILITY
RELIABILITY
DURABILITY
CONFIGURABILITY
…

71. RESILIENCE
Ability to cope with change

75. IF SOMETHING IS HARD
REPETITION MAKES IT EASIER

76. SIMULATION ENVIRONMENT
FOR CRISIS SITUATIONS

77. GOOD WEATHER DOESN’T MAKE GOOD SAILORS

78. CLOUDFORMATION
TEMPLATE

79. SIMULATE FAILURES

80. • TERMINATE RESOURCES
• CHANGE SECURITY GROUPS
• CHANGE IAM ROLES
• DISABLE IAM USER
• CHANGE /ETC/HOSTS FILE
• AMAZON RDS FAIL-­OVER TEST

81. VALIDATE YOUR ASSUMPTIONS
PROVE YOUR ARCHITECTURE
KNOW YOUR PROCEDURES
LEARN FROM YOUR FAILURES

82. On-­
premises
IT
Datacenter Regions, AZs
Cloud
Services
Network VPC, Direct Connect
Hypervisors AMIs, EC2 instances
Access Control IAM, Directory Services
Data storage & Applications
Operations & Automation

83. HYBRID WORKLOADS
Dev & Test environments • Burst capacity •
Highly secure apps • App migration • Storage &
Archiving • Disaster recovery • Production app
enrichment • Load testing • Remote monitoring •
etc.

84. ON-­PREMISES
Experiment Infrequently
Failure is expensive
Less Innovation
Experiment Often
Fail quickly at a low cost
More Innovation
$ Millions Nearly $0

85. AWS Cloud Adoption
Framework
Describes the perspectives in planning,
creating, managing, and supporting a modern
IT service.
Offers practical guidance and comprehensive
guidelines for establishing, developing and
running AWS cloud-­enabled environments.
http://bit.ly/AWSCAF
People
Perspective
Process
Perspective
Security
Perspective
Maturity
Perspective
Operations
Perspective
Business
Perspective
Platform
Perspective