Many enterprises on their hybrid journey into the cloud require consistent and highly secure connectivity between their existing data center and their AWS footprint. In this session, we walk through the different architecture options for establishing this connectivity using AWS Direct Connect and VPN. As we walk through these options, we try to answer some of the most common questions that typically arise from enterprises tackling design and implementation. You'll learn how to make connectivity decisions that suit your workloads, and how to best prepare against business impact in the event of failure.
3. The journey to AWS is a well-trodden path
1. Development & test
2. New applications: digital, analytics, big data, mobile
3. DC migration: mission-critical apps
4. All in, all together
Hybrid
4. Integrating AWS with existing On-Premises Infrastructure
• Integrated networking
• Integrated access control and VDI
• Integrated storage, backups and DR
• Integrated management
Diagram components: subnets 10.0.100.0 and 10.0.200.0; Microsoft Active Directory; custom LDAP; App 1; AWS Storage Gateway; Amazon WorkSpaces; Amazon S3 (11 9's durability); AWS Directory Service
18. Managed NAT Gateways
• 1 managed NAT per AZ
• No downtime in case of failure – AWS managed availability
Note: NAT Gateways exist within a public subnet (or rather their ENIs do)
25. Simplify with AWS Direct Connect
Customer data center → AWS Direct Connect location → AWS region (Prod, QA and Dev VPCs; public-facing web app)
• Private fiber connection: one or multiple 50–500 Mbps, 1 Gbps or 10 Gbps pipes
• AWS Direct Connect Private Virtual Interface (PVI) connects to the VGW on the VPC
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect
31. AWS Direct Connect Requirements
• 1 Gbps: 1000BASE-LX (1310 nm) over single-mode fiber (SMF)
• 10 Gbps: 10GBASE-LR (1310 nm) over single-mode fiber (SMF)
• Single Connector (SC)
• 802.1Q VLAN tags
• Auto-negotiation is off
• Full duplex. Speed is 1 Gbps; cannot downgrade to 100 Mbps
• Private:
  • AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP session and will advertise the VPC CIDR block over BGP
• Public:
  • A public or private ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 65000 range
  • Public IPs (/30) allocated by you for the BGP session
36. Using AWS Direct Connect
Corporate data center connected to the VPC over AWS Direct Connect, with a redundant VPN connection as backup.
# Order the physical connection, then attach a private virtual interface to the VGW
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s \
    --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
37. Remote Connectivity Best Practices
Corporate data center connected to two Availability Zones. Each VPN connection consists of 2 IPsec tunnels. Use Border Gateway Protocol (BGP) for failure recovery.
38. Remote Connectivity Best Practices
A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
39. Remote Connectivity Best Practices
Redundant AWS Direct Connect connections with VPN backup.
42. I love AWS, what about …?
Hybrid management? Migration? Reliability? Scalability? Availability? Performance? Support? Skills to adopt quickly? Security? Compliance and audit?
43. Architected for Enterprise Security Requirements
• Certifications and accreditations for workloads that matter
• AWS CloudTrail: AWS API call logging for governance & compliance
  • Stores data in S3, or archive to Glacier
  • Log and review user activity
44. AWS CloudTrail
You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you.
Diagram services: Redshift, AWS CloudFormation, AWS Elastic Beanstalk
45. Using CloudWatch and AWS CloudTrail for Real-time Alert
You are making API calls... on a growing set of AWS services around the world... CloudTrail is continuously recording API calls and delivering them to an Amazon S3 bucket, where you store/archive, troubleshoot, monitor and alarm.
Diagram services: Amazon Elastic Block Store (Amazon EBS), Amazon S3 bucket
47. AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
51. World Class Storage Systems: Amazon EBS
• Increases performance and capacity of General Purpose (SSD) and Provisioned IOPS (SSD) volumes + encryption using AWS KMS
AWS EBS volume type                 Capacity              IOPS                           Throughput
Amazon EBS General Purpose (SSD)    16 TB (up from 1 TB)  10000 IOPS (up from 3000 IOPS) 160 MB/s *
Amazon EBS Provisioned IOPS (SSD)   16 TB (up from 1 TB)  20000 IOPS (up from 4000 IOPS) 320 MB/s *
52. You can store your encryption keys in AWS CloudHSM
Tamper-resistant, customer-controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premises HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs and AWS SDKs
• Integration with marketplace disk-encryption and SSL
53. AWS IAM (Identity and Access Management)
• Various authentication tokens are issued to each user:
  • Access key and secret key for authentication when using the SDKs
  • Security certificate (X.509)
  • Login password for the AWS Management Console
  • Multi-Factor Authentication (MFA) device, providing an additional level of security for the management console
Diagram groups: AWS Developers, O&M
54. AWS IAM (Identity and Access Management), continued
• Authorizes every request from the API and the Management Console
  • Administrator group: all operations granted
  • Developer group: all S3 operations granted
  • O&M group: S3 read-only access granted
55. AWS Directory Service
• New directory in AWS: Simple AD (based on Samba 4)
• Connect existing directory to AWS: AD Connector (custom federation proxy), connecting over DX to the on-premises directory
56. Broad Set of Compute Instance Types …
X1 Memory Optimized Instances (x1.32xlarge: vCPU = 128, 2 TB RAM)
• Intel® Xeon E7-8880 v3 (Haswell) processors, a custom processor designed specifically for EC2
• Support Enhanced Networking (SR-IOV)
• I/O performance: very high (20 Gigabit Ethernet) via ENA
P2 GPU Instances (p2.16xlarge: vCPU = 16, 732 GB RAM)
• Intel® Xeon® E5-2686 v4 (Broadwell) processors
• 16 x NVIDIA K80 GPUs, 2496 cores, 12 GB memory, GPU P2P
• Support Enhanced Networking (SR-IOV)
• I/O performance: very high (20 Gigabit Ethernet) via ENA
63. Amazon Database Migration Service (DMS)
Customer premises (application users) → AWS DX → AWS (AWS DMS)
• Start a replication instance
• Connect to source and target databases
• Select tables, schemas, or databases
• Let AWS DMS create tables, load data, and keep them in sync
• Switch applications over to the target at your convenience
65. Amazon EC2 Systems Manager (Manage Hybrid Environment)
• Deploy, configure, and administer: Run Command, Maintenance Window, State Manager, Automation
• Track and update: Inventory, Patch Manager
• Shared capabilities: Parameter Store
66. Support for many language stacks and tools
• Android, iOS, Java, Node.js, .NET, PHP, Python, Ruby
• Specialized cloud tools integrated in your development environment: Eclipse, Visual Studio, CLI, PowerShell
• AWS provides a rich set of APIs for every programming platform and language
68. AWS is ready to serve you!
• AWS Instructor-Led Training Courses
• 24x7 AWS Business and Enterprise Support
• AWS Professional Services:
  • Cloud Adoption Framework
  • Architecture Jumpstart
  • Application Portfolio Assessment
  • Security Operations Playbook
  • Resident Architect
1 VPC to 1 VGW to 1 PVI.
VLAN tags are configured on the physical port connection of the customer-side switch – all tags, sub-interfaces.
VLANs can extend on into the customer network; on the AWS side, the VLAN ends at the virtual interface.
Traffic is NOT routed between VPCs on the AWS end – it must come down into your network and be routed back out according to your policies.
The diagram shows link-local IPs for the interfaces, but you can assign your own internal private IPs if you want.
BGP ASNs also don't have to be unique on your end – you are only connecting to the 1 BGP neighbor.
Design options for bringing many VPCs, possibly in many regions, back into your on-premises facilities.
You might have questions about security in the cloud, but our biggest and most conservative customers have found that we're able to meet their security requirements, and often we can provide a better security profile than what they can deliver internally. The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best practices including HIPAA and ISO 27001.
Recently we announced AWS CloudTrail, a service that records API calls made on your account and delivers log files to your Amazon S3 bucket. CloudTrail provides increased visibility into AWS user activity that occurs within an AWS account and allows you to track changes that were made to AWS resources. This allows enterprises to run comprehensive security analysis and better manage their governance and compliance efforts.
Exciting new service – OK, exciting if you're a security professional like me, perhaps not exciting as my kids view the world. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand who did what, from where, and when.
Log files can be processed using a separate service from AWS, such as Elastic MapReduce or Kinesis, or an external partner like Splunk.
CloudTrail records API calls in your account and delivers a log file to your S3 bucket.
Typically delivers an event within 15 minutes of the API call.
Log files are delivered approximately every 5 minutes.
Multiple partners offer integrated solutions to analyze log files.
Partners: Loggly, Splunk, AlertLogic, Datapipe, 2ndWatch, FogHorn, Stackdriver, Sumo Logic, Boundary, Cognizant, Cloud Assured, Smarttronix
Example of automating an action on Flow Log data
You should know the exact traffic patterns and protocols running on your private subnets. If anyone is repeatedly trying to log in from non-approved source IPs, ALARM.
• ENABLE Flow Logs on all private subnets to track all REJECTs
• DEFINE a metric filter that matches SSH REJECTs in the Flow Log
• CREATE an alarm that triggers if you reach more than 10 rejected SSH attempts in an hour
• IF the ALARM is triggered, send a message to SNS that in turn triggers a Lambda function which (with the help of some meaningful data in the alarm description field, such as the Flow Log group name) will:
  • Search the log data for the source IPs of the SSH REJECTs
  • Associate those source IPs with ENIs
  • Quarantine those ENIs
  • Or send an email / page if the source IP is outside your network
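The search-and-classify step of that Lambda function, as an added Python example that is not from the original deck: it parses constructed version-2 VPC Flow Log records, counts TCP/22 REJECTs per source inside a one-hour window using the slide's "more than 10" threshold, maps each offending source to the ENIs it hit, and flags whether the source is outside the corporate ranges. INTERNAL_NETWORKS, the sample records and the ENI ids are assumptions; in the deck's pipeline the counting is done by the CloudWatch metric filter and alarm, here it is done in code so the example runs offline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space and the slide's "more than 10 rejected
# SSH attempts in an hour" threshold.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
THRESHOLD, WINDOW_SECONDS = 10, 3600

def make_record(src, dst, dstport, start, action, eni="eni-0a1b2c3d"):
    """Constructed version-2 Flow Log record (not captured traffic). Fields:
    version account interface-id src dst srcport dstport protocol packets
    bytes start end action log-status."""
    return (f"2 123456789012 {eni} {src} {dst} 51000 {dstport} 6 1 44 "
            f"{start} {start + 60} {action} OK")

SAMPLE_FLOW_LOGS = (
    # 12 SSH REJECTs from one external address inside 20 minutes: should alarm
    [make_record("203.0.113.7", "10.0.100.12", 22, 1500000000 + 100 * i, "REJECT")
     for i in range(12)]
    # 3 SSH REJECTs from an internal host: below the threshold
    + [make_record("10.0.200.5", "10.0.100.12", 22, 1500000000 + 300 * i, "REJECT",
                   eni="eni-0f9e8d7c") for i in range(3)]
    # an accepted SSH session and a rejected HTTPS probe must not count
    + [make_record("203.0.113.7", "10.0.100.12", 22, 1500000100, "ACCEPT"),
       make_record("198.51.100.9", "10.0.100.12", 443, 1500000100, "REJECT")]
)

def ssh_reject_offenders(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: {"count", "enis", "external"}} for each source with more
    than `threshold` TCP/22 REJECTs whose start times fit inside `window` s."""
    hits = defaultdict(list)  # src -> [(start, interface-id), ...]
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[12] != "REJECT" or f[7] != "6" or f[6] != "22":
            continue
        hits[f[3]].append((int(f[10]), f[2]))
    offenders = {}
    for src, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        # threshold+1 events inside `window` is "more than threshold per hour"
        if any(times[i + threshold] - times[i] <= window
               for i in range(len(times) - threshold)):
            offenders[src] = {
                "count": len(times),
                "enis": sorted({eni for _, eni in events}),  # ENIs to quarantine
                "external": not any(ip_address(src) in n for n in INTERNAL_NETWORKS),
            }
    return offenders
```

An `external` source maps to the email/page branch of the procedure, an internal one to quarantining the listed ENIs.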
Whiteboard opportunity:
Q: How can Security Groups provide more protection than traditional network firewalls?
A: They filter traffic between hosts, whereas network firewalls only filter traffic between subnets.
Nvidia GPUs (cg1.4xlarge)
Intel Nehalem (cc1.4xlarge)
2 TB of SSD, 120,000 IOPS (hi1.4xlarge)
Intel Sandy Bridge E5-2670 (cc2.8xlarge)
Sandy Bridge, NUMA, 240 GB RAM (cr1.4xlarge)
48 TB of ephemeral storage (hs1.8xlarge)
2.6 GHz Sandy Bridge CPU w/ Turbo enabled
1 NVIDIA GK104 GPU (Kepler)
8 vCPUs, 15 GiB of RAM
60 GB SSD storage
Ideally suited for remote desktop and 3D
Supports DirectX, OpenGL, CUDA, OpenCL
Wide range of platform partners including Citrix, Otoy, NICE Software
Key benefits:
Using AWS CloudHSM means you can now run high-assurance encryption within your AWS VPC without the need for on-premises integration.
CloudHSM gives customers a high level of assurance that their sensitive encryption keys are protected within their AWS VPC, in a manner that protects them from unauthorised disclosure.
2 choices
Why would you choose Simple AD?
• Brand new domain
• Based on Samba 4
• Highly available; AWS manages patching, backups, monitoring and recovery
• Works for most simple needs
Why would you choose AD Connector?
• You have AD and want to connect it to AWS
• It is a custom federation proxy
• No information is replicated
• Integrates with AWS
Active-active was the holy grail; now it's available to everybody.
Low RTO, low RPO.
Lowered the cost barriers to entry for building highly available applications.
And of course, all of this functionality is available through a web console, so whether you want to drive the cloud by the click of a mouse or the call of an API, the power is at your disposal.
Let's explore how DMS can enable near-zero-downtime migration. The customer starts by launching a DMS instance in their AWS account. Then the customer provides database connection information to connect out to their on-premises database, and in to their AWS database. Next the customer selects which tables, schemas or databases they want to migrate, and DMS loads the data and keeps it in sync on an ongoing basis. Finally, at a time of the customer's choosing, they simply change the application to point to the new AWS database instead of their old on-premises database.