aws enterprise summit netherlands - creating a landing zone

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wednesday Sept 21st, 2016
Landing Zone for Application Migrations
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Henk van Rossum - Director – Platform Manager Hosting and Storage



Application Migration: Create Landing Zone → Migrate Apps → Operate & Optimize


AWS Cloud Adoption Framework perspectives: People, Process, Security, Maturity, Platform, Operations, Business


Our Journey Today: Current State → Account Structure → Security → Network → Identities & Access → Cloud Consumers → Migrate → Operate & Optimize


Current State: Typical Enterprise Situation
(diagram) Lines of Business → Infrastructure Request → Central IT: Governance & Service Management, Provisioning, Monitor & Respond
Characteristics:
• Lead times ~days to weeks
• Service Catalogue of components
• Often process-heavy Service Management

Current State: Opportunity to achieve agility and control
(diagram) Cloud IT Consumers / Lines of Business → Landing Zone (Templates, Policy & Best Practices, Landscape Management, Automation, Security Automation) ← Central IT
Opportunities:
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management

Current State: Guiding Principles


Account Structure
• Don’t overdo on Day One
• Use separate accounts for: Security and Compliance Isolation (production, non-prod, logging); Cost Allocation; Resource Management and Ownership

Account Structure (diagram)
• Payer account: Billing Reports
• Central Accounts: Service Catalog, Logging, Audit, Central Services
• Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical
• Option: Per AWS Region

Security

Analyze your CloudTrail Logs (diagram)
You make API calls from the AWS Management Console, the AWS CLI or an SDK to AWS Services; the calls are logged by AWS CloudTrail and delivered to your central Amazon S3 logging bucket for Analysis & Action.
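As an added example (not part of the deck), the "Analysis & Action" step over the central S3 logging bucket: this Python reads a CloudTrail delivery object (gzipped JSON with a Records list, constructed inline here) and flags console logins made without MFA and calls from outside an assumed corporate IP range, tying the log to the "who, when and from where" control the deck describes.

```python
import gzip
import ipaddress
import json

# Constructed sample in the shape CloudTrail delivers to the central S3
# logging bucket: one gzipped JSON object holding a "Records" list.
SAMPLE = {"Records": [
    {"eventTime": "2016-09-21T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-09-21T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-09-21T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}},
]}

# Assumed corporate egress range that console and API access should come from.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def load_trail_file(blob: bytes) -> list:
    """Decompress one CloudTrail delivery object and return its records."""
    return json.loads(gzip.decompress(blob))["Records"]


def analyze(records: list) -> list:
    """Return (eventTime, user, finding) tuples for events that need action."""
    findings = []
    for rec in records:
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        # "Fine-grained control with MFA": a console sign-in that did not use MFA.
        if rec.get("eventName") == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((rec["eventTime"], user, "console login without MFA"))
        # "From where": any call whose source is outside the corporate ranges.
        ip = rec.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # AWS service principals log a DNS name here, not an IP
            continue
        if not any(addr in net for net in CORPORATE_RANGES):
            findings.append((rec["eventTime"], user,
                             f"{rec['eventName']} from non-corporate IP {ip}"))
    return findings


def demo() -> list:
    """Round-trip the constructed sample through gzip, as S3 would hold it."""
    blob = gzip.compress(json.dumps(SAMPLE).encode())
    return analyze(load_trail_file(blob))
```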

Config tracks resource changes (diagram)
Changing Resources → AWS Config: Record → Normalize → Store → Deliver (Stream, Snapshot (ex. 2014-11-05), History, APIs)


Network: Key Considerations
• Non-overlapping IP range
• VPC Design
• Subnet Design
• Access Control Lists & Security Groups
• Logging and Monitoring
• Direct Connect

Network: Direct Connect for connecting on-prem and AWS environment (diagram)
Customer Gateway, Partner Network, Direct Connect Location (Virtual Interface #1, Virtual Interface #2), Secondary Direct Connect Location, VPN backup

Network: Central Services in a central VPC
Central common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet Proxy
(diagram) Central Services VPC connected to Production Generic, Production Business Critical and Non-production


Identity and Access Management: Control access and segregate duties everywhere
• You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• You can use AWS managed policies or customer-generated policies using the policy generator, and test them with the policy simulator
(diagram) AWS account owner

Identities and Access Control: Sample Access Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:RebootInstances"
    ],
    "Resource": "arn:aws:ec2:::instance/*",
    "Condition": {
      "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
    }
  }]
}
```

• Effect: Allow or Deny access to the resource
• Action: service calls allowed to be performed
• Resource: object or objects that the statement covers
• Condition: conditions to satisfy; the EC2 resources must be tagged with Environment = “Dev”
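As an added example (not from the deck), a small default-deny evaluator in Python for the sample policy above: it implements Action and Resource wildcard matching and the StringEquals condition on the ec2:ResourceTag/Environment key, so you can see which requests the statement allows before taking it to the policy simulator. The request ARN and tag contexts are constructed and follow the slide's Resource pattern.

```python
import fnmatch
import json

# The slide's sample policy, embedded here so the block runs offline.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "Resource": "arn:aws:ec2:::instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}
  }]
}""")


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM wildcard match ('*', '?') via fnmatch; ARNs and actions contain no '['."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Only the StringEquals operator, which is all this policy uses.
    A condition key missing from the request context makes the test fail."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in _as_list(wanted):
            return False
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Default deny: a matching explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: the Environment tag on the instance acted on.
DEV = {"ec2:ResourceTag/Environment": "Dev"}
PROD = {"ec2:ResourceTag/Environment": "Prod"}
INSTANCE = "arn:aws:ec2:::instance/i-0a1b2c3d"  # follows the slide's Resource pattern
```

A real EC2 instance ARN also carries a region and account ID (arn:aws:ec2:region:account-id:instance/id), so the Resource pattern must match the ARN form your requests actually present.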

Identities and Access Control: Example user types with corresponding access policies
Access Managers:
• IAM Master: Create policies
• IAM Manager: Assign Policies
• Audit: Read-Only
Design:
• Architect: Create landscapes
• Storage: Design and Build
• Network: Design and Build
Application Owners:
• DevOps: API Access
• App Owner: Landscape owner
Support and Operations:
• Support: Account policy
• Empty Role: No policy
Administrators:
• Administrator: Landscape Mgt
• Administrator: Service Catalog

Identity and Access Management: Federation with on-prem directory (diagram)
Corporate Data Center: Identity Store (AD Group) → Identity and Authentication → Mapping to specific IAM Role with Access Policy → Access to AWS through the browser interface


Cloud Consumers: AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
• Administrator: Control, Standardization, Governance
• Users: Agility, Self-service, Time to market

Product = Template
• CloudFormation: JSON formatted file with parameter definition, resource creation and configuration actions
• Running Stack: configured AWS services
• Framework: comprehensive service support, service event aware, customisable, stack creation, stack updates, error detection and rollback

Administrator Interaction: CloudFormation to create products
1. Authors template
2. Creates product
3. Creates portfolio and assigns product to portfolio
4. Adds constraints, grants access and adds tags
Administrator Interaction: Managing products (diagram)
Service Catalog: Product X with Versions, placed in Portfolio A and Portfolio B; per portfolio: Users and Roles, Constraints, Tags (actors: Administrator, Landscape Architect)

Agility and Control: Opportunities to strengthen the handshake
• User generated products to foster innovation
• Back-end micro-services acting on the stacks
Cloud Consumer Interaction: Overview (diagram)
The Administrator publishes Products into a Portfolio; Cloud Consumers then:
1. Browse Products
2. Select version, Provision Product, configure parameters
3. Deploy
4. Scheduled functions
5. Notifications and outputs

Cloud Consumer Interaction: Browse Products (screenshot): Available Products, Launch Product, Launched Products
Cloud Consumer Interaction: Configuring Options (screenshot): EC2 Instance type, Schedule on/off, Schedule details
End User Interaction: Launched Product (screenshot): Launched Product details
End User Interaction: Cost Overview (screenshot): cost per environment, Prod, Test, Dev, IT Security

Our Journey Today: What did we cover? Account Structure → Security → Network → Identities & Access → Cloud Consumers → Migrate → Operate & Optimize
Application Migration Approach: Create Landing Zone → Migrate → Operate & Optimize

Creating a landing zone in AWS: An Enterprise way of working
Henk van Rossum, Platform and Program Manager Hosting and Storage
September 21, 2016

Current Situation
• 100+ Sites with IT Infrastructure
• 3500+ Servers, Physical & Virtual
• Extremely high Fixed costs
• Old End-of-term Infrastructure
• No incentives to Decomm & Modernize
• Governance

Moving from Legacy to Futureproof: Future Situation (chart)
Workload split: 42% Workloads, 25% Workloads, 3% Workloads, 30% Workloads to Decommission Infra; labels: 1st tier Datacenter, Local compute (Darkroom operated)


From Legacy to Cloud First
Legacy:
• “Break-Fix”
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain, new demand
• Wide variety of versions
• Not Scalable
• Pay for capacity reserved
• Reporting “after the fact”
Cloud First:
• Design for “Always On”
• SLA based managed services
• Self Provisioning, consumer driven
• Standard market available services
• Scalable Resources
• Pay only for what you use
• “Real time” usage & performance
(Photo does not represent a Philips location)


Creating a landing zone (diagram): the stack (network, application, data, runtime, middleware, OS, virtual machine, server, storage) shown across three phases:
• Legacy (On Premise DC): layers operated by DC partner, AMS partner and Management Partner
• Technology Refresh: AWS plus AMS partner
• End State (Cloud): provider operated
Close on premise DC, leverage Cloud


Creating a landing zone – Account Architecture (diagram)
• Enterprise Contract covering Market 1 … Market X and BU X
• Payer Account (Root account, Core): Global services
• Functional Accounts: Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, with Backup Accounts
• Linked accounts – Resources: one per market / business unit
• Partner Accounts: Partner 1, Partner 2, Other


Creating a landing zone - Internet Centric Networking (diagram)
Sites connect over the Private Network (Provider, MPLS) and the Internet (ISPs) through an Internet Edge to SaaS Cloud and Cloud Gateway 1, Cloud Gateway 2 … Cloud Gateway N; the Partner Tier 1 DC site links via MPLS and Direct Connect.


(closing diagram) MPLS, Direct Connect, Service Catalog, CloudTrail, S3, IAM, Config, Lambda: Applications migrated to your landing zone

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Thank you