This document discusses hybrid IT with AWS and provides an overview of key concepts:
- Hybrid IT is defined as combining internal and external services from internal and public clouds to support business outcomes.
- AWS provides global infrastructure across regions and availability zones as well as services for compute, storage, databases, networking, and more to support hybrid architectures.
- Common hybrid workloads discussed include backup and archive to AWS S3 for reduced costs, and storage expansion using S3 integrated appliances.
2. Today we’ll cover
• What is Hybrid IT?
• AWS Service Building Blocks: Compute, Storage, Database, Network
• Common Hybrid Workloads: Backup & Archive, Storage Expansion
• Enterprise Integration: Access Control, Federation, Catalog, Operations, Tracking
• DEMOS: VPC/VPN/EC2/Redshift
• Next Steps
4. Hybrid IT: A Definition
http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
“Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”
5. Hybrid IT: A Definition
[Diagram labels: Services, Build, Solutions, Deliver, Business Outcomes]
8. Services: AWS Global Infrastructure
10 Regions, 25+ Availability Zones, 51 Edge Locations, Continuous Expansion
Regions shown: Oregon, Northern California, GovCloud, Ireland, Tokyo, Singapore, Sydney, Beijing, São Paulo
APAC AWS Edge Locations: Chennai, India; Mumbai, India; Hong Kong, China (2); Tokyo, Japan; Osaka, Japan; Singapore (2); Sydney, Australia; Manila, Philippines; Seoul, Korea; Taipei, Taiwan
• Asia Pacific (Singapore) Region: 2 Availability Zones, launched 2010
• Asia Pacific (Sydney) Region: 2 Availability Zones, launched 2012
• Asia Pacific (Japan) Region: 3 Availability Zones, launched 2011
• Asia Pacific (China) Region: Availability Zones TBA, launch date TBD
9. Our “Hybrid” Focus
[Diagram: On-Premise Apps in Your Data Centers connected to Cloud Apps]
• Private Connections
• Workload Migrations
• Access Control Integration
• Work with Existing Management Tools
10. Tools to Support Hybrid IT Architectures
[Diagram: Your Data Centers (On-Premise Apps, Virtual Images, Private Network, Corporate Directory, Your Data) alongside AWS (Your Cloud Apps, VM Import/Export, VPC Network, VPC, IAM Policies, Our Storage)]
12. Services: Compute: EC2
[Service map: Compute | Storage | Database | Networking | App Services | Deployment & Administration | AWS Global Infrastructure]
Amazon Elastic Compute Cloud (EC2)
• Wide selection of instance types, with a range of CPU, memory & local storage options: General purpose, Compute optimized, Storage and IO optimized, GPU enabled, Memory optimized
• Run Microsoft Windows or Linux
• Full stateful firewall per instance via Security Groups
• You have full control of and access to the operating system
• VM Import your virtual server images
13. Services: Compute: ELB
Amazon Elastic Load Balancing (ELB)
• Load Balancing as a service
• Automatically distributes incoming application traffic across multiple Amazon EC2 instances
• Enables you to achieve greater levels of fault tolerance in your applications
• Built-in application health detection: traffic is served only to operational instances
• Seamlessly provides the amount of load balancing capacity needed to distribute application traffic
• Available as either an Internet-facing or an internal VPC endpoint
15. Services: Storage: S3
Amazon Simple Storage Service (S3)
• Unlimited storage of objects of any type
• 99.999999999% durability, replicated across multiple facilities
• Cost effective storage, US$0.03/GB-month
• Granular access control and permissions over objects
• Encryption at rest using AES 256-bit server-side encryption
• Encryption in transit using the HTTPS protocol
• High performance throughput supporting parallelized upload or download
• Import or export data via a physical device handling service
• Data remains in the geographic location chosen
16. Services: Storage: EBS
Amazon Elastic Block Storage (EBS)
• High performance block storage device, up to 4000 IOPS per volume
• Volume sizes from 1GB to 1TB of usable storage
• No mirroring required, replicated within the Availability Zone
• Mount as drives to instances, multiple drives per instance
• Format and encrypt as required, or use as raw storage
• Private to your Amazon EC2 instances
• Volumes can be snapshotted for point-in-time restore, durably stored on Amazon S3 in multiple facilities
18. Services: Database: RDS
Amazon Relational Database Service (RDS)
• Database as a Service with 99.95% uptime SLA*
• No need to install or manage database instances
• Scalable and fault-tolerant configurations
• Automated backups, point-in-time recovery
• Automated failover to a slave in the event of a failure
• Easily create read replicas of your data; seamlessly replicate data across Availability Zones or regions*
* Varies based on database engine
19. Services: Database: Redshift
Amazon Redshift
• Fully managed, petabyte-scale data warehouse service
• One-tenth the cost of traditional data warehouse systems
• Scalable, resizable, fault-tolerant and clustered
• Seamlessly integrates with industry-leading tools
• Automatic incremental snapshot backup and replication
• Available in minutes, in a range of sizes
21-24. Services: Networking: VPC
Extend your data center with Amazon VPC
[Diagram: VPC 10.100.0.0/16 with subnets 10.100.0.0/23 and 10.100.2.0/23 spread across Availability Zone A and Availability Zone B, each hosting an Application Server]
• Create a logically isolated section of the AWS Cloud using your own network address space
• Complete control over your virtual networking environment, including creation of subnets, IP addressing, routing tables and network gateways
• Create private or public subnets in multiple Availability Zones
• You choose where to deploy EC2 instances
• You manage network security at the subnet level using NACLs
• You manage EC2 Instance Security Groups, providing a stateful network firewall per instance
25-26. Services: Networking: Direct Connect
Integrate your network with Amazon VPC
[Diagram: the Customer Corporate Network reaches the Customer VPC two ways: an Internet VPN Connection via the Customer IPSEC Router/Firewall, and Private Direct Connect via the Customer Direct Connect Router]
• Connect via standard IPSEC Internet VPN tunnels, or
• Private link to an AWS Direct Connect peering location, or a combination of both
• Connection port speeds from 50M to 10G; you choose the connection speed you want
• Connect multiple VPCs using industry standard VLANs and layer 3 routing protocols
• Integrate your network with your private VPC resources
• Deploy your own network equipment into the Direct Connect peering location, e.g. WAN Optimization Devices
27. Your First Virtual Private Cloud
[Diagram: Client, Directory Server, Database Server and Application Server in the data center, connected through the Customer VPN Gateway and VPN Tunnels to Application Servers in Availability Zone A and Availability Zone B]
VPC Configuration
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
• Security Group: HTTP, HTTPS, SSH, ICMP
Data Center Configuration
• Corporate Network: 10.96.0.0/16
• DC Network: 10.96.24.0/21
• VPN Gateway IP: 54.254.241.240
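An added example (not from the deck) that checks the addressing plan above before the VPN is brought up: that the subnets sit inside the VPC CIDR, that nothing overlaps the corporate or DC ranges that will be exchanged over BGP, and that the SSH rule in the security group is scoped to the corporate network. The network values are the slide's; the function names and the per-rule source ranges are assumptions.

```python
# Added example, not from the original deck: sanity-check the hybrid
# addressing plan on the "Your First Virtual Private Cloud" slide before
# bringing the BGP VPN up. The network values are the slide's; the helper
# names and the security-group source ranges are constructed for the example.
import ipaddress
from typing import List, Tuple

VPC_CIDR = "10.100.0.0/16"
VPC_SUBNETS = ["10.100.0.0/23", "10.100.2.0/23"]
CORPORATE_NETWORK = "10.96.0.0/16"
DC_NETWORK = "10.96.24.0/21"

# (protocol, port, source CIDR). The slide allows HTTP, HTTPS, SSH and ICMP;
# which sources each rule trusts is our assumption.
SECURITY_GROUP: List[Tuple[str, int, str]] = [
    ("tcp", 80, "0.0.0.0/0"),
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 22, CORPORATE_NETWORK),
    ("icmp", -1, CORPORATE_NETWORK),
]


def check_address_plan(vpc_cidr: str, subnets: List[str], onprem: List[str]) -> List[str]:
    """Return the problems found with the plan; an empty list means it is clean.

    Checks: every VPC subnet lies inside the VPC CIDR, no two VPC subnets
    overlap, and the VPC CIDR does not overlap any on-premise range that
    will be exchanged over the VPN (overlap breaks routing silently).
    """
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnets]
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC CIDR {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VPC subnets {a} and {b} overlap")
    for o in onprem:
        site = ipaddress.ip_network(o)
        if vpc.overlaps(site):
            problems.append(f"VPC {vpc} overlaps on-premise range {site}")
    return problems


def exposed_admin_rules(rules: List[Tuple[str, int, str]], trusted: str) -> List[str]:
    """Flag SSH rules whose source is wider than the trusted corporate range.

    The slide's security group admits SSH; over a hybrid link that should
    come only from the corporate network, not from the Internet.
    """
    trusted_net = ipaddress.ip_network(trusted)
    findings: List[str] = []
    for proto, port, src in rules:
        src_net = ipaddress.ip_network(src)
        if proto == "tcp" and port == 22 and not src_net.subnet_of(trusted_net):
            findings.append(f"SSH open to {src_net}; restrict to {trusted_net}")
    return findings


if __name__ == "__main__":
    for p in check_address_plan(VPC_CIDR, VPC_SUBNETS, [CORPORATE_NETWORK, DC_NETWORK]):
        print("PLAN:", p)
    for f in exposed_admin_rules(SECURITY_GROUP, CORPORATE_NETWORK):
        print("SG:", f)
    print("done")
```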
29. Services: Networking
[Diagram: the same first VPC, with VPN Tunnels from the Customer VPN Gateway to Application Servers in Availability Zone A and Availability Zone B]
VPC Released 2009
• Mature virtual networking service
• Highly scalable, up to 64K hosts per VPC
• Features focused on enterprise integration
Other VPC Features
• Multiple VPCs per account
• Multiple network interfaces per EC2 instance
• Multiple IPs per interface
• Move network interfaces between EC2 instances
• Egress filtering with security groups and network ACLs
• Virtual network peering between VPCs
• Direct Connect cross-region routing
• Support for dedicated instances, single-tenant EC2
32. Backup and Archive
[Diagram: Application Server, Virtual Server, File Server and Database Server backed up through a Backup System to Amazon S3]
On-premise backup server with S3
• Eliminate tape, hardware, off-site storage
• Reduce capital expense for backup infrastructure
• Never worry about backup durability
• Never run out of backup capacity
• Backup gateway integrated with Amazon S3
• Data stored off-site, with high durability, in multiple locations
• Take advantage of advanced storage optimization options: de-duplication, compression, WAN acceleration
33. Backup and Archive
Solutions supporting backup and archive to S3
• Veeam Backup & Replication
• Symantec NetBackup
• Oracle RMAN and Secure Backup Module
• CommVault Simpana
• AWS Storage Gateway VTL
• Riverbed Whitewater
34. Storage Expansion
[Diagram: Application Server, Virtual Server, File Server and Database Server using an S3 Integrated Appliance backed by Amazon S3]
On-premise storage appliance with S3
• Reduce capital expense for storage infrastructure
• Never worry about storage durability
• Never run out of storage capacity
• Storage appliance integrated with Amazon S3
• Data durably stored off-site in multiple locations
• Virtual volumes presented to the local network as iSCSI volumes, NFS, CIFS
• Local disk cache to provide fast on-premise access
• Take advantage of advanced storage optimization options: block-based de-duplication, compression, WAN acceleration
• Security through gateway-side encryption
35. Storage Expansion
Solutions supporting storage expansion to S3
• TwinStrata CloudArray
• Riverbed Whitewater
• Panzura Global NAS
• Aspera On-Demand
• AWS Storage Gateway Cached Volumes
36. Storage Expansion (available in third party solutions)
• A popular hybrid storage appliance for storing backup data on AWS
• De-dupes, encrypts, optimizes – you manage the encryption keys
• Connects to Amazon S3
• Physical or virtual appliance
• 30:1 storage reduction over 3 years is pretty typical
37. Storage Expansion (available in third party solutions)
Amazon S3: $0.03 per GB / month
30:1 storage reduction over 3 years
After Whitewater: $0.001 per GB / month
That’s $1/Terabyte/month
40. How do I integrate AWS?
• Access Control
• Identity Federation
• Resource Tracking
• Service Catalog
• Operations
41. Every Customer Gets the Same AWS Security Foundations
Independent validation by experts
• Every AWS Region is in scope
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Certification, HIPAA capable
[Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) on top of AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
42. Security is a Shared Responsibility Between AWS and our Customers
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
43. Your Own Auditor Can Still Audit your AWS Environment
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
[Diagram: Customers layer labelled “Your own compliant solutions”, “Your own ISO certifications”, “Your own external audits and assurance”, above AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
44-49. Securing Your AWS Resources
AWS Identity and Access Management
• AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions. You get to choose who can do what in your AWS environment and from where
• Create users or groups
• Assign permissions to groups
• Where actions are allowed from
• Which accounts have access
• Who can access which files
• With what access rights
• Who can create subnets
• Who can modify security groups
• Who can launch EC2 instances, into which subnet
Your Application
• Grant rights to applications to access AWS resources
• With built-in key rotation
• No storing of credentials in code
• Secure access to the console
• Require MFA on API actions
• You can easily add multi-factor authentication using smartphone apps or hardware tokens
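The controls listed above, modelled as an added example (not code from the deck, and not AWS's real IAM engine): a deliberately simplified policy evaluator that applies default deny, explicit-deny-wins, and MFA, subnet and resource-tag conditions to a constructed policy and request contexts. REGION and ACCOUNT in the ARNs are placeholders; the subnet and instance ids are the ones from the resource-tracking table later in the deck.

```python
# Added example, not from the original deck and not AWS's own evaluator: a
# deliberately simplified model of how an IAM policy answers "who can do
# what, on which resource, and under what conditions". It keeps the rules
# the slides rely on: default deny, an explicit Deny beats any Allow, and
# Condition keys for MFA, subnet and resource tags. The policy and request
# contexts are constructed; REGION and ACCOUNT in the ARNs are placeholders.
import fnmatch
from typing import Any, Dict, List, Union

POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Launch instances only into the application subnet, and only
            # when the caller authenticated with MFA ("Require MFA on API action").
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:REGION:ACCOUNT:subnet/subnet-e1fd0289",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # Stop or terminate only instances tagged Business Unit = Marketing
            # ("Custom tags can be used to control permissions").
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:REGION:ACCOUNT:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Business Unit": "Marketing"}},
        },
        {   # Nobody holding this policy may call any security-group action.
            "Effect": "Deny",
            "Action": "ec2:*SecurityGroup*",
            "Resource": "*",
        },
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """Evaluate StringEquals and Bool; a missing key or unknown operator fails closed."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if str(actual) not in [str(w) for w in _as_list(wanted)]:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            else:
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, Any]) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"      # an explicit Deny wins regardless of Allows
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Real IAM evaluates RunInstances against several resources at once (image, subnet, security groups and more); this model checks one resource per call to keep the decision logic visible.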
50. Enterprise Federation
Integrate identity management with AWS
• Secure access to AWS resources using your IDM
• Provide SSO to the AWS Management Console or APIs
• Build your own SSO federation using the AWS STS service, or
• Federate with on-premise directories like Active Directory, TFIM, OAM or another SAML 2.0 compliant IdP
51-56. Resource Tracking and Cost Allocation
Tag and Describe your infrastructure
• Describe every AWS object through an API call
Instance   | Name                  | VPC ID       | Subnet ID       | Instance type | Security Groups
i-5ef40608 | SharePoint App Server | vpc-ebfd0283 | subnet-e1fd0289 | c3.xlarge     | Admin, App
i-59f4060f | SharePoint App Server | vpc-ebfd0283 | subnet-e1fd0289 | c3.xlarge     | Admin, App
i-f6be9aa0 | Web Server            | vpc-ebfd0283 | subnet-e1fd0289 | m3.large      | Admin, Web
i-ec50e1ba | Web Server            | vpc-ebfd0283 | subnet-e1fd0289 | m3.large      | Admin, Web
i-9f50e1c9 | Database Server       | vpc-ebfd0283 | subnet-f9a51991 | r3.2xlarge    | Admin, Database
i-77ab8f21 | Database Server       | vpc-ebfd0283 | subnet-f9a51991 | r3.2xlarge    | Admin, Database
i-d9912f8f | Directory Server      | vpc-ebfd0283 | subnet-f9a51991 | c3.medium     | Admin, Directory
i-407b3316 | Directory Server      | vpc-ebfd0283 | subnet-f9a51991 | c3.medium     | Admin, Directory
• Resources in AWS can have custom tags, for example:
  Name: APAWSIN001
  Purpose: Production
  Application: SharePoint Farm 03
  Business Unit: Marketing
  Cost Centre: 2384234
• Custom tags can be used to control permissions, and
• Allocate costs, enabling charge back of services usage
• Dynamically generate a full inventory
  [Inventory view labels: Status, Location, Group, Product, Attributes, SLA, Life Cycle]
• Visualize your AWS infrastructure in real-time
57-61. Operations On AWS
Integrating AWS into your operations
• AWS CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work – install them on an EC2 instance
• Your tools already have AWS API integration
62-67. Integrating AWS Into Your Service Catalog
Reusable architectures
[Diagram: a Test Environment described as a CloudFormation Template and deployed as a CloudFormation Stack of Application Servers]
• Every object in AWS can be described through an API
• Objects can be grouped together and described as templates
• Templates can be deployed to form stacks
• Templates are standardized, re-usable Infrastructure as Code
• Simple or complex reusable architectures
• Created and managed by AWS CloudFormation
68-72. Integrating AWS Into Your Service Catalog
Templates as catalog items
• Example: Marketing micro site for a 3 month project
• Integrate your service catalog with AWS CloudFormation via API
• Deploy solutions within minutes, not days or weeks
• Archive and delete when no longer required
[Diagram: stacks of Web Server, Application Server, Directory Server and Database Server, labelled “Weeks Later” and “Minutes Later”]
75. Try It!
Proof of concept will answer tons of questions
Amazon Redshift
76. Your First VPC – Let’s Add Amazon Redshift
[Diagram: Corporate Data Centre (Client, Directory Server, Database Server, Application Server) connected to Availability Zone A and Availability Zone B, which host an Alfresco Server and Amazon Redshift]
78. Try It!
Proof of concept will answer tons of questions
Amazon Redshift
Think cloud first for all new deployments