7. Hybrid IT: A Definition
http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
“Hybrid IT is the result of combining internal and
external services, usually from a combination of
internal and public clouds, in support of a business
outcome.”
16. VPN
Tunnels
Customer VPN
Gateway
Directory
Server
Database
Server
Application
Server
Client
VPC Configuration
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
• Security Group: HTTP, HTTPS, SSH, ICMP
Data Center Configuration
• Corporate Network: 10.96.0.0/16
• DC Network: 10.96.24.0/21
• VPN Gateway IP: 54.254.241.240
Your First Virtual Private Cloud
Application
Server
Availability Zone BAvailability Zone A
17. VPN
Tunnels
Customer VPN
Gateway
Directory
Server
Database
Server
Application
Server
Client
Other VPC Features
• Multiple VPCs per account
• Multiple network interfaces per EC2 instance
• Multiple IPs per interface
• Move network interfaces between EC2 instances
• Egress filtering with security groups and network ACLs
• Virtual network peering between VPCs
• Direct Connect cross region routing
• Support for dedicated instance, single tenant EC2
Services: Networking
Application
Server
Availability Zone BAvailability Zone A
VPC Released 2009
• Mature virtual networking service
• Highly scalable, up to 64K hosts per VPC
• Features focused on enterprise integration
18. Integrate your network with Amazon VPC
• Connect via standard IPSEC Internet VPN tunnels, or
• Private link to AWS Direct Connect peering location,
or a combination of both
• Connection port speeds from 50M to 10G, you choose the
connection speed you want
• Connect multiple VPCs using industry standard VLANs and
layer 3 routing protocols
• Integrate your network to your private VPC resources
• Deploy your own network equipment into Direct Connect
peering location, e.g. WAN Optimization Devices
Compute Storage
AWS Global Infrastructure
Database
App Services
Deployment & Administration
Networking
Customer VPC
Internet VPN
Connection
Customer IPSEC
Router/Firewall
Customer Direct
Connect Router
Private Direct
Connect
Customer Corporate
Network
Services: Networking: Direct Connect
23. Application
Server
Virtual
Server
File
Server
Database
Server
Backup
System
On-premise backup server with S3
• Eliminate tape, hardware, off-site storage
• Reduce capital expense for backup infrastructure
• Never worry about backup durability
• Never run out of backup capacity
• Backup gateway integrated to Amazon S3
• Data stored off-site, with high durability, in multiple locations
• Take advantage of advanced storage optimization options,
De-duplication, compression, WAN acceleration
Backup and Archive
Amazon S3
25. On-premise storage appliance with S3
• Reduce capital expense for storage infrastructure
• Never worry about storage durability
• Never run out of storage capacity
• Storage appliance integrated to Amazon S3
• Data durably stored off-site in multiple locations
• Virtual volumes presented to local network as
iSCSI volumes, NFS, CIFS
• Local disk cache to provide fast on-premise access
• Take advantage of advanced storage optimization options,
Block based de-duplication, compression, WAN acceleration
• Security through gateway side encryption
Application
Server
Virtual
Server
File
Server
Database
Server
S3 Integrated
Appliance
Storage Expansion
Amazon S3
30. Securing Your AWS Resources
AWS Identity and Access Management
• AWS IAM enables you to securely control access to AWS
services and resources
• Fine grained control of user permissions, resources and actions.
You get to choose who can do what in your AWS environment
and from where
• You can easily add multi factor authentication using smartphone
apps or hardware tokens
• Create users or groups
• Assign permissions to groups
• Where actions are allowed from
Application
Server
• Who can create subnets
• Who can modify security groups
• Who can launch EC2 instances,
into which subnet
• Grant rights to applications
• To access AWS resources
• With built-in key rotation
• No storing of credentials in code
• Secure access to console
• Require MFA on API action
31. New directory in AWS
Directory Integration
AWS Directory Service
Connect existing directory to AWS
Simple AD AD Connector
Based on Samba 4
Custom federation proxy
On-premises
Microsoft AD
34. Coordinate automated deployment
Scale from 1 instance to thousands
Deploy without downtime
Centralize deployment control and monitoring
Staging
CodeDeployv1, v2, v3
Production
Dev
Just like Amazon
Application
revisions
Deployment groups
35. Set up your target environments (Hybrid or Not)
Agent Agent Agent
Staging
Agent Agent
Agent Agent
Agent
Agent
Production
Deployment group (on-premises)Deployment group (AWS)
Group instances by:
• Auto Scaling group
• Amazon EC2 tag
• On-premises tag
36. Operations On AWS into existing Tools
Management
Portal for vCenter
Management Pack
for SCOM
Systems Manager
for SCVMM
37. Operations On AWS
Integrating AWS into your operations
• AWS CloudWatch provides real-time insight into your AWS
services, integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work – install on EC2 instance
• Your tools already have AWS API integration