
AWS Enterprise Summit Netherlands - Creating a Landing Zone

3,606 views

Published on

Creating a Landing Zone for Application Migrations

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Wednesday Sept 21st, 2016 Landing Zone for Application Migrations Koen vd Biggelaar - sr mgr AWS Solutions Architecture Henk van Rossum - Director – Platform Manager Hosting and Storage
  2. Application Migration Create Landing Zone Migrate Apps Operate & Optimize
  3. People Perspective Process Perspective Security Perspective Maturity Perspective Platform Perspective Operations Perspective Business Perspective AWS Cloud Adoption Framework
  4. People Perspective Process Perspective Security Perspective Maturity Perspective Operations Perspective Business Perspective Platform Perspective AWS Cloud Adoption Framework
  5. Current State Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today Migrate Operate & Optimize
  6. Current State Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  7. Infrastructure Request Current State Typical Enterprise Situation Governance & Service Management Central IT Lines of Business Provisioning Characteristics • Lead times ~days to weeks • Service Catalogue of components • Often process-heavy Service Management
  8. Monitor & Respond Landing Zone Templates Policy & Best Practices Landscape Management Current State Opportunity to achieve agility and control Automation Lines of Business Central IT Opportunities • Lead times in minutes • Service Catalogue of landscapes • Automated Service Management
  9. Security Automation Cloud IT Consumers Current State Guiding Principles
  10. Start Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  11. Account Structure • Don’t overdo on Day One • Use separate accounts for Security and Compliance Isolation (production, non-prod, logging) Cost Allocation Resource Management and Ownership
  12. Account Structure Payer Billing Reports Service Catalog Logging Audit Central Services Dev & Test Mobility IoT Serverless Internal business apps Digital Platforms Option: Per AWS Region Production Generic Production Critical Central Accounts Services Accounts
  13. Start Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  14. Analyze your CloudTrail Logs AWS CloudTrail AWS Management Console AWS CLI SDK Your Central Amazon S3 logging bucket Analysis & Action AWS Services You make API calls … …to AWS Services, logged by CloudTrail, delivered to your S3 bucket
  15. Changing Resources Config tracks resource changes
  16. Changing Resources: Normalize, Record, Deliver, Stream, Snapshot (ex. 2014-11-05), AWS Config APIs, Store, History. Config tracks resource changes
  17. Start Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  18. Network Key Considerations Non-overlapping IP range VPC Design Access Control Lists & Security Groups Logging and Monitoring Direct Connect Subnet Design
  19. Network Direct Connect for connecting on-prem and AWS environment Customer Gateway VPN backup Direct Connect Location Virtual Interface #1 Virtual Interface #2 Secondary Direct Connect Location Partner Network
  20. Network Central Services in a central VPC Central common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning • Internet Proxy Production Generic Production Business Critical Central Services Non-production
  21. Start Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  22. You get to control who can do what in your AWS environment, when and from where Fine-grained control of your AWS cloud with multi-factor authentication Integrate with your existing LDAP / Active Directory using federation and single sign-on You can use AWS managed policies or customer generated policies using the policy generator and test with the policy simulator AWS account owner Identity and Access Management Control access and segregate duties everywhere
  23. Identities and Access Control Sample Access Policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:StartInstances",
             "ec2:StopInstances",
             "ec2:RebootInstances"
           ],
           "Resource": "arn:aws:ec2:::instance/*",
           "Condition": {
             "StringEquals": { "ec2:ResourceTag/Environment": "Dev" }
           }
         }
       ]
     }
     Effect: Allow or Deny access to resource. Action: service calls allowed to be performed. Resource: object or objects that the statement covers. Condition: conditions to satisfy, here EC2 resources must be tagged with Environment = "Dev".
  24. Identities and Access Control Example user types with corresponding access policies IAM Master Create policies IAM Manager Assign Policies Audit Read-Only Access Managers Architect Create landscapes Storage Design and Build Network Design and Build Design DevOps API Access App Owner Landscape owner Application Owners Support Account policy Empty Role No policy Support and Operations Typical Access Policy Administrator Landscape Mgt Administrator Service Catalog Administrators
  25. Corporate Data Center Browser interface Identity Store Identity and Access Management Federation with on-prem directory AD Group Identity and Authentication Mapping to specific IAM Role with Access Policy Access to AWS
  26. Start Account Structure Security Network Identities & Access Cloud Consumers Migrate Operate & Optimize
  27. Cloud Consumers AWS Service Catalog AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner. Administrator Users Control Standardization Governance Agility Self-service Time to market
  28. Product = Template CloudFormation Running Stack JSON formatted file Parameter definition Resource creation Configuration actions Configured AWS services Comprehensive service support Service event aware Customisable Framework Stack creation Stack updates Error detection and rollback Administrator Interaction CloudFormation to create products
  29. Administrator Interaction Managing products: (1) Authors template, (2) Creates product, (3) Creates portfolio and assigns product to portfolio, (4) Adds constraints, grants access and adds tags. Landscape Architect Administrator ProductX Versions Portfolio A Portfolio B • Users and Roles • Constraints • Tags Service Catalog
  30. Agility and Control Opportunities to strengthen the handshake User generated products to foster innovation Back-end micro-services acting on the stacks Administrator Products
  31. Cloud Consumer Interaction Overview (steps 1–5) Cloud Consumers Browse Products Portfolio Select version, Provision Product, configure parameters Deploy Notifications and outputs Scheduled functions Administrator
  32. Cloud Consumer Interaction Browse Products Launch Product Available Products Launched Products
  33. Cloud Consumer Interaction Configuring Options EC2 Instance type Schedule on/off Schedule details
  34. End User Interaction Launched Product Launched Product details
  35. End User Interaction Cost Overview Test IT Security Prod Dev Prod Test Dev
  36. Start Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today What did we cover? Migrate Operate & Optimize
  37. Application Migration Approach Create Landing Zone Migrate Operate & Optimize
  38. Creating a landing zone in AWS An Enterprise way of working Henk van Rossum September 21, 2016 Platform and Program Manager Hosting and Storage
  39. 100+ Sites with IT Infrastructure 3500+ Servers Physical & Virtual Extremely high Fixed costs Old End-of-term Infrastructure No incentives to Decomm & Modernize Governance Current Situation 42% Workloads 3% Workloads 25% Workloads 1st tier Datacenter 30% Workloads Decommission Infra Local compute (Darkroom operated) Moving from Legacy to Future proof Future Situation 21 September 2016
  40. • “Break-Fix” • SLA based managed services • Unplanned business interruptions • Complex supply chain new demand • Wide variety of versions • Not Scalable • Pay for capacity reserved • Reporting “after the fact” • Design for “Always On” • SLA based managed services • Self Provisioning, consumer driven • Standard market available services • Scalable Resources • Pay only for what you use • “real time” usage & performance From Legacy to Cloud First Does not represent a Philips location
  41. Creating a landing zone network application data runtime middleware OS virtual machine server storage network application data runtime middleware OS virtual machine server storage Legacy DC partner AMS partner Mang. Partner AWS AMS partner AWS AMS partner network application data runtime middleware OS virtual machine server storage End State Provider provider Provider On Premise DC Technology Refresh Cloud Close on premise DC, leverage Cloud
  42. Creating a landing zone – Account Architecture ENTERPRISE CONTRACT Market 1 Market X BU X Payer Account Root account Core Global services Functional Accounts Shared Central Logging Account Backup Account Backup Account Shared Central Audit Account Shared Central Intellectual Property Account Linked accounts – Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Partner Accounts Other Other Other Shared Users Federation Account Partner 1 Partner 2 Resources Backup Account Backup Account
  43. Creating a landing zone - Internet Centric Networking The Internet Sites Private Network – Provider Internet Edge SaaS Cloud ISP ISP Cloud Gateway 1 Cloud Gateway 2 Cloud Gateway N Partner Tier1 DC site MPLS Direct Connect MPLS
  44. Direct Connect Service Catalog CloudTrail S3 IAM Config Lambda Applications migrated to your landing zone
  45. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you
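The "Analysis & Action" step of slide 14 (CloudTrail records landing in the central S3 logging bucket), as an added example that is not code from the presentation: a few detection rules (root account use, console login without MFA, tampering with the trail itself) run over one constructed CloudTrail file. The field names follow CloudTrail's JSON record format; the events, user names, account ID and IP addresses are constructed sample data.

```python
"""Detection rules over CloudTrail records in the central S3 logging bucket.
Added illustration, not the presentation's code; the record layout follows
CloudTrail's documented JSON and the events are constructed sample data."""
import json

# Constructed sample of one delivered CloudTrail file (the gzip step is omitted).
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventID": "evt-1", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventID": "evt-3", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "evt-4", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Audit/alice"}},
]})

# Each rule is (name, predicate over one record); keeping them data-driven
# means a new rule is one more tuple, not a change to the scan loop.
RULES = [
    ("root-account-activity",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("console-login-without-mfa",
     lambda r: r.get("eventName") == "ConsoleLogin"
     and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("cloudtrail-tampering",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
]


def analyze_trail_file(contents):
    """Return (rule, eventID, actor, sourceIPAddress) for every matching record."""
    findings = []
    for rec in json.loads(contents)["Records"]:
        who = rec.get("userIdentity", {})
        actor = who.get("userName") or who.get("arn") or who.get("type", "unknown")
        for name, matches in RULES:
            if matches(rec):
                findings.append((name, rec["eventID"], actor, rec.get("sourceIPAddress")))
    return findings
```

In a landing zone this would run from the logging account against every file the central bucket receives, so that member accounts cannot suppress the findings by editing their own copies.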
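The tag-conditioned policy on slide 23, worked through in an added example that is not code from the presentation: a small evaluator that applies the Allow statement's Action list, Resource pattern and StringEquals condition to constructed requests, with an implicit deny for anything no statement matches. The instance ARNs and tag values used in the checks are constructed; the evaluator covers only the policy features the slide uses, not full IAM semantics.

```python
"""Minimal evaluator for the tag-conditioned policy shown on slide 23.
Added illustration, not the presentation's code. It implements only the
subset of IAM semantics the slide uses: Allow statements, an Action list,
a Resource pattern and a StringEquals condition on a resource tag. A request
that no Allow statement matches is implicitly denied, as in IAM."""
import fnmatch

# The policy from slide 23, with straight quotes so it is valid JSON/Python.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:::instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """StringEquals: every listed context key must equal one of its allowed values."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context):
    """True only if some Allow statement matches action, resource and condition.

    `context` carries request-context keys; the resource's tags arrive as
    'ec2:ResourceTag/<Name>', which is how the slide's condition reads them.
    ARN fields are matched literally with * wildcards, so a Resource pattern
    must cover every field (region, account) the service puts in the ARN.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False  # implicit deny
```

Note that the slide's Resource pattern leaves the region and account fields empty, so in this evaluator it only matches ARNs written the same way; check a policy's Resource pattern against the ARN shape the service actually produces (for EC2 instances that includes region and account ID) before relying on it.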
