aws enterprise summit netherlands - creating a landing zone
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wednesday Sept 21st, 2016
Landing Zone for Application Migrations
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Henk van Rossum - Director – Platform Manager Hosting and Storage
AWS Cloud Adoption Framework
Perspectives: People, Process, Security, Maturity, Platform, Operations, Business
Our Journey Today
Current State → Account Structure → Security → Network → Identities & Access → Cloud Consumers → Migrate → Operate & Optimize
Current State: Typical Enterprise Situation
(diagram) Lines of Business → Infrastructure Request → Central IT: Governance & Service Management, Provisioning, Monitor & Respond
Characteristics:
• Lead times ~days to weeks
• Service Catalogue of components
• Often process-heavy Service Management
Current State: Opportunity to achieve agility and control
(diagram) Lines of Business ↔ Landing Zone (Templates, Policy & Best Practices, Landscape Management, Automation) ↔ Central IT
Opportunities:
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management
Account Structure
• Don’t overdo on Day One
• Use separate accounts for Security and Compliance Isolation (production / non-prod, logging), Cost Allocation, and Resource Management and Ownership
Account Structure (diagram)
Payer: Billing Reports
Central Accounts: Service Catalog, Logging, Audit, Central Services
Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical
Option: Per AWS Region
Analyze your CloudTrail Logs
(diagram) You make API calls from the AWS Management Console, AWS CLI or SDK to AWS services; AWS CloudTrail logs them and delivers the logs to your central Amazon S3 logging bucket, where you run analysis and take action.
AWS Config tracks resource changes
(diagram) Changing resources → Record → Normalize → Store → Deliver: Stream, Snapshot (ex. 2014-11-05), History; accessible through APIs
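The CloudTrail slide stops at "Analysis & Action". The script below is an added example (not AWS code and not from the talk) of the analysis step: it reads one log object in the shape CloudTrail delivers to the S3 bucket (a gzipped JSON document with a "Records" list), counts calls per service and API, and flags the records a landing-zone security team normally reviews first: root-account activity, denied or failed calls, and IAM changes. The records are constructed and abbreviated, and the flagging rules, the function names and the account id are the example's own.

```python
"""Analyze one delivered CloudTrail log object (gzipped JSON with a Records list).
Added example: constructed records, illustrative flagging rules, not AWS code."""
import gzip
import io
import json
from collections import Counter

SAMPLE_LOG = {  # constructed, abbreviated CloudTrail records (account id is a placeholder)
    "Records": [
        {"eventTime": "2016-09-21T09:00:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "StopInstances", "awsRegion": "eu-west-1",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"}},
        {"eventTime": "2016-09-21T09:05:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "TerminateInstances", "awsRegion": "eu-west-1",
         "sourceIPAddress": "203.0.113.10", "errorCode": "Client.UnauthorizedOperation",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"}},
        {"eventTime": "2016-09-21T09:10:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "awsRegion": "us-east-1",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    ]
}


def to_gz_bytes(log):
    """Pack a log document the way CloudTrail ships it to S3 (gzip-compressed JSON)."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def load_records(gz_bytes):
    """Decompress one delivered log object and return its Records list."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as f:
        return json.load(f)["Records"]


def summarize(records):
    """Call volume per service:API, a cheap baseline for spotting unusual activity."""
    return Counter(f"{r['eventSource']}:{r['eventName']}" for r in records)


def flag(records):
    """Return (reason, record) pairs for events that usually deserve a review."""
    findings = []
    for r in records:
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-account-activity", r))
        if r.get("errorCode"):  # a denied call shows up with errorCode set
            findings.append(("denied-or-failed-call", r))
        if (r["eventSource"] == "iam.amazonaws.com"
                and r["eventName"].startswith(("Create", "Put", "Attach", "Delete"))):
            findings.append(("iam-change", r))
    return findings


def analyze(gz_bytes):
    """Full pipeline for one object: decompress, summarize, flag."""
    records = load_records(gz_bytes)
    return summarize(records), flag(records)


if __name__ == "__main__":
    summary, findings = analyze(to_gz_bytes(SAMPLE_LOG))
    for key, n in summary.items():
        print(f"{n:3} {key}")
    for reason, rec in findings:
        print(f"{reason:24} {rec['eventTime']} {rec['userIdentity']['arn']} {rec['eventName']}")
```

In a real landing zone the same functions would run over every object an S3 event notification points at, which is also where the "Lambda" box on the closing slide fits.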
Network: Key Considerations
• Non-overlapping IP range
• VPC Design
• Access Control Lists & Security Groups
• Logging and Monitoring
• Direct Connect
• Subnet Design
Network: Direct Connect for connecting on-prem and AWS environment
(diagram) Customer Gateway (with VPN backup) → Partner Network → Direct Connect Location (Virtual Interface #1, Virtual Interface #2) and Secondary Direct Connect Location
Network: Central Services in a central VPC
Central common/core services: • Authentication/directory • Monitoring • Logging • Remote administration • Scanning • Internet Proxy
(diagram) Central Services VPC alongside Production Generic, Production Business Critical and Non-production
Identity and Access Management: Control access and segregate duties everywhere
• You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• You can use AWS managed policies or customer generated policies using the policy generator and test with the policy simulator
(diagram label: AWS account owner)
Identities and Access Control: Sample Access Policy

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:RebootInstances"
        ],
        "Resource": "arn:aws:ec2:::instance/*",
        "Condition": {
          "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
        }
      }]
    }

Effect: Allow or Deny access to the resource
Action: service calls allowed to be performed
Resource: object or objects that the statement covers
Condition: conditions to satisfy; here the EC2 resources must be tagged with Environment = "Dev"
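To show how the four parts of that statement combine at decision time, here is a toy evaluator, added for this write-up and not AWS code or the IAM policy simulator the slide mentions. It models only what the sample uses: implicit deny, an Allow statement, a wildcard Resource match and a StringEquals condition on an ec2:ResourceTag/<Key> key. Two assumptions: the Resource ARN is widened to arn:aws:ec2:*:*:instance/* so region and account are wildcarded, and the instance inventory (INSTANCES), the account id and the function names are constructed for the example.

```python
"""Toy IAM statement evaluator for the sample policy. Added example, not AWS code.
Models: implicit deny, explicit Deny wins, Resource wildcards, StringEquals on tags."""
import fnmatch

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",  # assumption: region/account wildcarded
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}},
    }],
}

INSTANCES = {  # constructed inventory: instance ARN -> tags (account id is a placeholder)
    "arn:aws:ec2:eu-west-1:111122223333:instance/i-0aaa": {"Environment": "Dev"},
    "arn:aws:ec2:eu-west-1:111122223333:instance/i-0bbb": {"Environment": "Prod"},
    "arn:aws:ec2:eu-west-1:111122223333:instance/i-0ccc": {},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive; ARNs are treated as case-sensitive."""
    pats = _as_list(patterns)
    if not case_sensitive:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every listed key must be present in the
    request context and equal one of the expected values. An untagged
    instance therefore fails the condition, which is the point of the policy."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """IAM evaluation order in miniature: a matching explicit Deny wins,
    otherwise any matching Allow grants, otherwise the implicit Deny applies."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, case_sensitive=True):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_context(tags):
    """EC2 exposes the target's tags to the condition as ec2:ResourceTag/<Key>."""
    return {f"ec2:ResourceTag/{k}": v for k, v in tags.items()}


def decide(action, instance_arn):
    """Decision for one action against one instance from the constructed inventory."""
    return evaluate(SAMPLE_POLICY, action, instance_arn,
                    request_context(INSTANCES[instance_arn]))


if __name__ == "__main__":
    for arn, tags in INSTANCES.items():
        for action in ("ec2:StopInstances", "ec2:TerminateInstances"):
            print(f"{action:24} {arn.rsplit('/', 1)[1]:8} {tags or '(no tags)'} -> {decide(action, arn)}")
```

Running it shows Stop being allowed only on the Dev-tagged instance and Terminate denied everywhere, because no statement lists it; this is the behaviour to confirm with the real policy simulator before a policy like this reaches a production account.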
Identities and Access Control: Example user types with corresponding access policies
(table: user type, typical access policy)
Access Managers: IAM Master (Create policies), IAM Manager (Assign policies), Audit (Read-only)
Design: Architect (Create landscapes), Storage (Design and Build), Network (Design and Build), DevOps (API access)
Application Owners: App Owner (Landscape owner)
Support and Operations: Support (Account policy), Empty Role (No policy)
Administrators: Administrator (Landscape Mgt), Administrator (Service Catalog)
Identity and Access Management: Federation with on-prem directory
(diagram) Identity Store in the Corporate Data Center (AD Group) → Identity and Authentication → Mapping to specific IAM Role with Access Policy → Access to AWS (browser interface)
Cloud Consumers: AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrator: Control, Standardization, Governance
Users: Agility, Self-service, Time to market
Product = Template (CloudFormation): JSON formatted file; parameter definition; resource creation; configuration actions
Running Stack: configured AWS services; comprehensive service support; service event aware; customisable
Framework: stack creation; stack updates; error detection and rollback
Administrator Interaction: CloudFormation to create products
1. Landscape Architect authors the template
2. Administrator creates the product
3. Administrator creates a portfolio and assigns the product to it
4. Administrator adds constraints, grants access and adds tags
Administrator Interaction: Managing products
(diagram) Product X has versions and is assigned to Portfolio A and Portfolio B; each portfolio in Service Catalog carries its own • Users and Roles • Constraints • Tags
Agility and Control: Opportunities to strengthen the handshake
• User generated products to foster innovation
• Back-end micro-services acting on the stacks
• Scheduled functions
Cloud Consumer Interaction: Overview
(diagram) Administrator publishes Products into a Portfolio; Cloud Consumers: 1. Browse Products, 2. Select version, 3. Provision Product and configure parameters, 4. Deploy, 5. Notifications and outputs (to the consumer and to the administrator)
Our Journey Today: What did we cover?
Account Structure → Security → Network → Identities & Access → Cloud Consumers → Migrate → Operate & Optimize
Creating a landing zone in AWS: An Enterprise way of working
Henk van Rossum, Platform and Program Manager Hosting and Storage
September 21, 2016
Current Situation
• 100+ Sites with IT Infrastructure
• 3500+ Servers, Physical & Virtual
• Extremely high Fixed costs
• Old End-of-term Infrastructure
• No incentives to Decomm & Modernize
• Governance
Moving from Legacy to Future-proof: Future Situation
(chart) Workload split: 42% Workloads, 25% Workloads, 3% Workloads, 30% Workloads Decommission Infra; categories shown: 1st tier Datacenter, Local compute (Darkroom operated)
From Legacy to Cloud First
Legacy:
• “Break-Fix”
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain, new demand
• Wide variety of versions
• Not Scalable
• Pay for capacity reserved
• Reporting “after the fact”
Cloud First:
• Design for “Always On”
• SLA based managed services
• Self Provisioning, consumer driven
• Standard market available services
• Scalable Resources
• Pay only for what you use
• “Real time” usage & performance
(Image does not represent a Philips location)
Creating a landing zone
(diagram) The same layer stack (network, application, data, runtime, middleware, OS, virtual machine, server, storage) in three stages, with the party responsible for each layer:
• Legacy (On Premise DC): DC partner, AMS partner, Mang. Partner
• Technology Refresh: AWS, AMS partner, provider
• End State (Cloud): AWS, AMS partner, provider
Close on premise DC, leverage Cloud
Creating a landing zone – Account Architecture
(diagram) Enterprise Contract → Payer Account (Root account; Core / Global services)
Functional Accounts: Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, Backup Accounts
Linked accounts – Resources: resource accounts per Market 1 … Market X, BU X, Other
Partner Accounts: Partner 1, Partner 2 (Resources), Backup Accounts
Creating a landing zone – Internet Centric Networking
(diagram) Sites; Private Network – Provider (MPLS); ISPs; The Internet; Internet Edge; SaaS Cloud; Cloud Gateway 1, Cloud Gateway 2 … Cloud Gateway N; Partner Tier 1 DC site with Direct Connect
Applications migrated to your landing zone
(diagram) MPLS, Direct Connect, Service Catalog, CloudTrail, S3, IAM, Config, Lambda