© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alex Coqueiro
Public Sector Solutions Architect
April 2016
Getting started with the hybrid cloud
Today we’ll cover
• What is Hybrid IT?
• Integrated Network: Direct Connect, Tunnels
• Common Hybrid Workloads: Backup & Archive, Storage Expansion
• Enterprise Integration: Control, Federation, Dev Operations
• Next Steps
Cloud is an ALL or NOTHING proposition
The Good News is it isn’t an ‘All or Nothing’ Choice
Hybrid IT: Corporate Data Centers (On-Premises Resources) + Integration + Cloud Resources
Hybrid IT: A Definition
http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp
“Hybrid IT is the result of combining internal and
external services, usually from a combination of
internal and public clouds, in support of a business
outcome.”
Extending Your DC to your Cloud Provider
Your Data Center (Your LAN Segments) connected to an AWS VPC through integrated networking
Example address ranges shown: 10.0.100.0, 10.0.200.0
Integrating AWS with existing On-Prem Infrastructure
• Integrated access control: Microsoft Active Directory, Custom LDAP
• Common Hybrid Workloads: App 1, AWS Storage Gateway
• Enterprise Integration: Single pane of glass
Services: Networking
Trend: Integrated Network: Virtual Private Cloud (VPC), Direct Connect
Your First Virtual Private Cloud
Diagram: Your Data Center (Customer VPN Gateway, Directory Server, Database Server, Application Server, Client) connected over VPN Tunnels or Direct Connect to Project A, deployed in a Virtual Private Cloud (VPC)
VPC Configuration
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
• Security Group: HTTP, HTTPS, SSH, ICMP
Data Center Configuration
• Corporate Network: 10.96.0.0/16
• DC Network: 10.96.24.0/21
• VPN Gateway IP: 54.254.241.240
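A pre-flight check for the address plan above, added here as an example (not from the slides): the VPC subnets must sit inside the VPC CIDR, and the VPC CIDR must not overlap the corporate ranges that will be advertised over the BGP VPN, or traffic between the two sides cannot be routed. The collapse step shows which on-premises prefixes actually need announcing; the DC network is nested in the corporate network, so one route covers both.

```python
import ipaddress

# Address plan taken from the slide's VPC and data-center configuration.
VPC_CIDR = "10.100.0.0/16"
VPC_SUBNETS = ["10.100.0.0/23", "10.100.2.0/23"]
ONPREM_NETWORKS = ["10.96.0.0/16",    # corporate network
                   "10.96.24.0/21"]   # DC network, nested in the corporate range


def check_address_plan(vpc_cidr, vpc_subnets, onprem_networks):
    """Return a list of problems; an empty list means the VPC can be routed
    to the data centre over the VPN without address conflicts."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    onprem = [ipaddress.ip_network(n) for n in onprem_networks]
    problems = []
    # Every VPC subnet must be carved out of the VPC CIDR.
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} lies outside the VPC CIDR {vpc}")
    # Subnets inside the VPC must not overlap each other.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VPC subnets {a} and {b} overlap")
    # The VPC CIDR must not collide with anything reachable on premises.
    for n in onprem:
        if vpc.overlaps(n):
            problems.append(f"VPC CIDR {vpc} overlaps on-premises network {n}")
    return problems


def onprem_routes_to_advertise(onprem_networks):
    """Prefixes the customer gateway needs to announce over BGP, with
    ranges that are already covered by a larger prefix collapsed away."""
    nets = [ipaddress.ip_network(n) for n in onprem_networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("problems:", check_address_plan(VPC_CIDR, VPC_SUBNETS, ONPREM_NETWORKS))
    print("advertise:", onprem_routes_to_advertise(ONPREM_NETWORKS))
```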
Other VPC Features
Diagram: Application Servers in Availability Zone A and Availability Zone B, with VPN Tunnels to the Customer VPN Gateway, Directory Server, Database Server, Application Server and Client on premises
• Multiple VPCs per account
• Multiple network interfaces per EC2 instance
• Multiple IPs per interface
• Move network interfaces between EC2 instances
• Egress filtering with security groups and network ACLs
• Virtual network peering between VPCs
• Direct Connect cross region routing
• Support for dedicated instance, single tenant EC2
Services: Networking
VPC Released 2009
• Mature virtual networking service
• Highly scalable, up to 64K hosts per VPC
• Features focused on enterprise integration
Integrate your network with Amazon VPC
• Connect via standard IPSEC Internet VPN tunnels, or
• Private link to AWS Direct Connect peering location, or a combination of both
• Connection port speeds from 50M to 10G, you choose the connection speed you want
• Connect multiple VPCs using industry standard VLANs and layer 3 routing protocols
• Integrate your network to your private VPC resources
• Deploy your own network equipment into Direct Connect peering location, e.g. WAN Optimization Devices
Services: Networking: Direct Connect
Diagram: AWS Global Infrastructure (Compute, Storage, Database, App Services, Deployment & Administration, Networking) hosting the Customer VPC; the Customer Corporate Network reaches it either over an Internet VPN Connection through the Customer IPSEC Router/Firewall, or over Private Direct Connect through the Customer Direct Connect Router
Common Hybrid Workloads
Services: Storage: AWS Storage Gateway, AWS S3 (Simple Storage Service)
Backup and Archive
Diagram: Application Server, Virtual Server, File Server and Database Server backed up by an on-premises Backup System to Amazon S3
On-premise backup server with S3
• Eliminate tape, hardware, off-site storage
• Reduce capital expense for backup infrastructure
• Never worry about backup durability
• Never run out of backup capacity
• Backup gateway integrated to Amazon S3
• Data stored off-site, with high durability, in multiple locations
• Take advantage of advanced storage optimization options: de-duplication, compression, WAN acceleration
Backup and Archive
Solutions supporting backup and archive to S3
• Veeam Backup & Replication
• Symantec Net Backup
• Oracle RMAN and Secure Backup Module
• CommVault Simpana
• AWS Storage Gateway VTL
• Riverbed Whitewater
Storage Expansion
Diagram: Application Server, Virtual Server, File Server and Database Server using an S3 Integrated Appliance backed by Amazon S3
On-premise storage appliance with S3
• Reduce capital expense for storage infrastructure
• Never worry about storage durability
• Never run out of storage capacity
• Storage appliance integrated to Amazon S3
• Data durably stored off-site in multiple locations
• Virtual volumes presented to local network as iSCSI volumes, NFS, CIFS
• Local disk cache to provide fast on-premise access
• Take advantage of advanced storage optimization options: block based de-duplication, compression, WAN acceleration
• Security through gateway side encryption
Storage Expansion
Solutions supporting storage expansion to S3
• TwinStrata CloudArray
• Riverbed Whitewater
• Panzura Global NAS
• Aspera on-demand
• AWS Storage Gateway Cached Volumes
How do I integrate AWS?
• Access Control: AWS Identity and Access Management
• Identity Federation: AWS Directory Services
• Development Operations
Services: Security
Securing Your AWS Resources
AWS Identity and Access Management
• AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions. You get to choose who can do what in your AWS environment and from where
• You can easily add multi factor authentication using smartphone apps or hardware tokens
• Create users or groups
• Assign permissions to groups
• Where actions are allowed from
• Who can create subnets
• Who can modify security groups
• Who can launch EC2 instances, into which subnet
• Grant rights to applications
  • To access AWS resources
  • With built-in key rotation
  • No storing of credentials in code
• Secure access to console
• Require MFA on API action
Directory Integration: AWS Directory Service
• New directory in AWS: Simple AD (based on Samba 4)
• Connect existing directory to AWS: AD Connector to on-premises Microsoft AD, or a custom federation proxy
Switch role
Management account roles: CAA-AdministratorAccessRole, CAA-NetworkAccessRole, CAA-CloudEngineerRole, CAA-ReadOnlyAccessRole
Application account roles: AdministratorAccessRole, NetworkAccessRole, CloudEngineerRole, ReadOnlyAccessRole
Users sign in to the management account (mycompany.awsapps.com/console) and switch role into the application account
Permission policy on the management-account NetworkAccessRole:
    "Action": ["sts:AssumeRole"],
    "Resource": "arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-*"
    "Resource": "arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*"
Trusted entities: assume role policy document on the application-account role:
    "Principal": { "AWS": "arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole" },
    "Action": "sts:AssumeRole"
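The switch-role chain above only works when both policies agree: the management-account role must be allowed to call sts:AssumeRole on the target ARN, and the target role's trust policy must name that caller. The following evaluator is an added example, not AWS's own logic; the policies are constructed to mirror the slide, and the twelve-digit account ids are placeholders for the bracketed ids on the slide.

```python
import fnmatch

# Constructed policies modelled on the slide's CAA-NetworkAccessRole chain; the
# account ids are placeholders for [management-account-id], [account1-id], [account2-id].
MGMT, APP1, APP2 = "111111111111", "222222222222", "333333333333"

# Permission policy attached to CAA-NetworkAccessRole in the management account.
mgmt_permission_policy = {"Statement": [{
    "Effect": "Allow",
    "Action": ["sts:AssumeRole"],
    "Resource": [f"arn:aws:iam::{APP1}:role/IAM-1-NetworkAccessRole-*",
                 f"arn:aws:iam::{APP2}:role/IAM-1-NetworkAccessRole-*"]}]}

# Trust policy (assume role policy document) on the application-account role.
app_trust_policy = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{MGMT}:role/CAA-NetworkAccessRole"},
    "Action": "sts:AssumeRole"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def permission_allows(policy, action, resource_arn):
    """Caller side: an Allow statement must match both action and resource
    (the '*' wildcard expanded as in IAM), and no Deny statement may match."""
    allowed = denied = False
    for st in policy["Statement"]:
        hit_action = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
        hit_res = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource", [])))
        if hit_action and hit_res:
            if st["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


def trust_allows(trust_policy, caller_arn):
    """Target side: the role's trust policy must name the caller (or '*') for sts:AssumeRole."""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if (st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"])
                and (caller_arn in principals or "*" in principals)):
            return True
    return False


def can_assume(caller_arn, target_arn, permission_policy, trust_policy):
    """Cross-account switch-role succeeds only when both policies agree."""
    return (permission_allows(permission_policy, "sts:AssumeRole", target_arn)
            and trust_allows(trust_policy, caller_arn))
```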
Services: Application: AWS CodeDeploy
• Coordinate automated deployment
• Scale from 1 instance to thousands
• Deploy without downtime
• Centralize deployment control and monitoring
Just like Amazon: CodeDeploy promotes application revisions (v1, v2, v3) through Dev, Staging and Production deployment groups
Set up your target environments (Hybrid or Not)
Diagram: Staging and Production deployment groups, each made up of agents in an on-premises deployment group and an AWS deployment group
Group instances by:
• Auto Scaling group
• Amazon EC2 tag
• On-premises tag
Operations On AWS into existing Tools
• Management Portal for vCenter
• Management Pack for SCOM
• Systems Manager for SCVMM
Operations On AWS
Integrating AWS into your operations
• AWS CloudWatch provides real-time insight into your AWS services, integrate your own metrics, create and act on alarms
• AWS SNS allows integration with your alerting systems
• Your current tools still work – install on EC2 instance
• Your tools already have AWS API integration
Try It!
Proof of concept will answer tons of questions
Think cloud first for all new deployments
Thank you