AWS re:Invent 2016: Automated DevOps and Continuous Delivery (DEV211)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jeremy Oakey, Director CloudCenter Technical Marketing, Cisco Systems
December 2016
DEV211
Automated DevOps and Continuous Delivery
What to Expect from the Session
• Challenges that necessitate automation
• Benefits of a model-based approach to application automation
• Automating image management
• Other features and services needed in an application-centric future
Deploying an Enterprise Application Without Automation
[Slide graphic: timeline of the manual deployment steps; each bar is split into task time and wait time]
• Request: 1-2 days
• Infrastructure Verification: 3-5 days
• Hardware Setup: 2-4 weeks
• Build VMs – New or Clone: 3-5 days
• DNS Entries: 1-2 days
• Install, Setup, Configure Workload: 4-7 days
• Database Refresh: 2-3 days
• Latest Code Deployment: 2-5 days
• Load Balancer Entries: 2-5 days
• Web Server Configuration: 1-2 days
• Firewall Changes: 2-4 days
• External Interface & Integration: 1-2 days
• PPM Tasks: 3-7 days
• Workload Monitoring Setup: 2-3 days
• Security – VM access control: 1 day
• Testing: 5-6 days
VM Automation Only – A Partial Solution
[Slide graphic: the same step timeline; the steps still showing a manual time are]
• Request: 1-2 days
• DNS Entries: 1-2 days
• Install, Setup, Configure Workload: 4-7 days
• Database Refresh: 2-3 days
• Latest Code Deployment: 2-5 days
• Load Balancer Entries: 2-5 days
• Web Server Configuration: 1-2 days
• Firewall Changes: 2-4 days
• External Interface & Integration: 1-1 days
• PPM Tasks: 3-7 days
• Workload Monitoring Setup: 2-3 days
• Security – VM access control: 1 day
• Testing: 5-6 days
Network Automation Only – A Partial Solution
[Slide graphic: the same step timeline; DNS Entries, Firewall Changes and Security – VM access control are shown without a time; the steps still showing a manual time are]
• Request: 1-2 days
• Install, Setup, Configure Workload: 4-7 days
• Database Refresh: 2-3 days
• Latest Code Deployment: 2-5 days
• Load Balancer Entries: 2-5 days
• Web Server Configuration: 1-2 days
• External Interface & Integration: 1-1 days
• PPM Tasks: 3-7 days
• Workload Monitoring Setup: 2-3 days
• Testing: 5-6 days
Application Orchestration and Infrastructure Automation – Still No Guaranteed Outcome
[Slide graphic: the same step timeline; all infrastructure, network, database, monitoring and security steps are shown without a time; the steps still showing a manual time are]
• Request: 1-2 days
• Latest Code Deployment: 2-5 days
• External Interface & Integration: 1-1 days
• Testing: 5-6 days
Why Migrate from On-premises Environments?
• Capacity limitations such as resources, power or performance
• Pay for what you use
• Self-managed
• App runs best close to the “edge”
• It’s ready for you!
Migrate Back? Hybrid Deployments?
• A multi-use database in an on-premises environment is used
• Interaction with other applications that are not externally reachable
• Compliance requirements
• “Free” resources
Application Profile (Represented as Cube)
[Slide graphic: a cube whose faces show the image tiers (nginx_..., apache_..., mysql_...), the resource sizing (2 CPU, 4 GB memory, 20 GB storage) and the deployable artifacts (containers, recipes, scripts, JAR, WAR, binaries)]
Application Profile (Represented as Cube)
[Slide graphic: the layers captured by the profile]
• Build environment
• Infrastructure: compute, network, storage
• Cloud services: load balancing, storage
• Images, services, containers: app and web servers, cluster and caching, middleware, database
• OS and VM images or containers
• Packages and files, scripts, data
Build Automation is Generally Mature
[Pipeline diagram: Source Repository (GitHub) → Artifact Repository (Artifactory) → Build Automation (Jenkins)]
Deployment Automation is Not…
[Pipeline diagram: Source Repository (GitHub) → Artifact Repository (Artifactory) → Build Automation (Jenkins) → ?? → on-premises environments]
Hardwired automation doesn’t scale…
[Diagram: App V.1 and App V.2 each deployed separately to AWS US East, AWS US West and on-premises environments]
Hardwired Automation?
resource "aws_elb" "web" {
  name            = "terraform-example-elb"
  subnets         = ["${aws_subnet.default.id}"]
  security_groups = ["${aws_security_group.elb.id}"]
  instances       = ["${aws_instance.web.id}"]

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}

resource "aws_key_pair" "auth" {
  key_name   = "${var.key_name}"
  public_key = "${file(var.public_key_path)}"
}

resource "aws_instance" "web" {
  connection {
    user = "ubuntu"
  }

  instance_type = "m1.small"
  # Hardwired: the AMI comes from a hand-maintained region-to-image map,
  # which is the part that does not scale across regions or image updates.
  ami                    = "${lookup(var.aws_amis, var.aws_region)}"
  key_name               = "${aws_key_pair.auth.id}"
  vpc_security_group_ids = ["${aws_security_group.default.id}"]
  ..
}
Deployment Automation is Not… Hard-Coded
Example – Jenkins Plugin for AWS
[Pipeline diagram: Source Repository (GitHub) → Artifact Repository (Artifactory) → Build Automation (Jenkins) → Cisco CloudCenter → on-premises environments]
What is Cisco CloudCenter?
The demos use it, so what should you know about it?
• Cloud management and brokerage platform
• Uses an Application Profile: model once, deploy anywhere
• Provides guardrails to automation
  - Governance for any environment
  - Policy and financial controls
  - Multi-tenant and multi-account
• Benchmarking of applications
[Architecture diagram: enterprise-class platform with UI, CLI and API front ends over Manager, Orchestrator and Profile components; labelled extendable, multi-tenant, secure, scalable]
What are Options for Managing Images?
Images still need to be maintained, and now at scale
Options
• Transform “Gold” images to AWS
• Rebuild images dynamically
• Consume OS vendor-provided images
Challenges
• Multiple virtualization formats
• Storage costs (not thin)
• Region-specific requirements
• Pace of patches increasing
• New deployments with old images = exploitable until patched
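An added example (not from the deck or from Cisco CloudCenter) of the "consume OS vendor-provided images" option in Terraform, written in current HCL: the hard-coded lookup(var.aws_amis, var.aws_region) map from the earlier slide is replaced with a data source that resolves the newest patched image in whatever region is configured, so a new deployment never starts from a stale image. The Canonical owner ID and the image name pattern are assumptions to verify against the vendor's documentation.

```hcl
# Added example, not code from the slides. Replaces the hand-maintained
# region-to-AMI map with a per-region lookup of the newest vendor image.

variable "aws_region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.aws_region
}

# Assumption: Canonical publishes Ubuntu AMIs from AWS account 099720109477.
# Pinning owners prevents a look-alike image from another account matching.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]

  # Pin the release series, let most_recent pick the latest patch build.
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

resource "aws_instance" "web" {
  # Resolved at plan time for the configured region: no per-region table,
  # and no region-specific AMI requirement to track by hand.
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.small"

  tags = {
    # Record which base image was used so deployments running an old
    # image can be found and rebuilt once a newer patched image exists.
    BaseImage = data.aws_ami.ubuntu.name
  }
}
```

Each newer vendor image changes the resolved AMI ID, which makes terraform plan replace the instance on the next apply; that is the intended rebuild behaviour for immutable images, but it should be scheduled rather than discovered by surprise.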
Demo – Automate Image Management
Networking – Simplify the Complex thru APIs
• A consistent implementation between on-premises environments and AWS needs a management strategy
• Multiple Availability Zones are required for the uptime guarantee
• Different best practices from the firewalling we grew up with
[Diagram: one region with two Availability Zones, each containing a pool of web servers]
Demo – Network Segmentation
Demo – Automatically Scaling Across Availability Zones
Demo – Adopting AWS Services Like RDS and Elastic Load Balancing
What About Your Crypto Keys?
AWS CloudHSM provides:
• Hardware – the H in HSM (dedicated appliance)
• Storage of cryptographic keys
• Use AWS for sensitive data without AWS having direct access to the encryption keys
• AWS operations personnel do not have access to your cryptographic domain
[Diagram: AWS CloudHSM inside a virtual private cloud; AWS manages the appliance, you control the keys and the crypto operations]
Demo – Using CloudHSM
Demo – Application Benchmarking
Thank you!
Remember to complete your evaluations!