aws re:invent 2016: hybrid architecture design: connecting your on-premises workloads to the cloud...

Post on 16-Apr-2017


TRANSCRIPT

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Matt Lehwess – Principal Solutions Architect

James Fogerson – Sr. Solution Architect, Robert Half

November 29, 2016

Hybrid Architecture Design: Connecting Your On-Premises Workloads to the Cloud

Should I migrate everything to AWS?

No, this is more than a binary choice.

[Diagram: On-Premises | Cloud]

Should I migrate everything to AWS?

We just need to figure out the connectivity…

[Diagram: On-Premises ? Cloud]

Hybrid networking: or, more commonly referred to as… networking.

[Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a Public Subnet and a Private Subnet; Instance A 10.1.1.11/24, Instance B 10.1.2.11/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; Managed NAT Gateway; AWS Lambda inside VPC]

AWS networking: let's get distracted by new things:

• Virtual Private Endpoints for S3: gives you the ability to connect privately to S3
• AWS Lambda inside a VPC: access Lambda without having to go through a VGW
• NAT Gateway: use a NAT gateway within a VPC for managed NAT to the Internet

Connecting to AWS: IGWs, VGWs, VPNs, and AWS Direct Connect

[Diagram: On-Premises]

VPN connectivity: provisioning VPN connections

1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and attach it to your Virtual Private Cloud (VPC)
3. Define your customer gateway (CGW)
4. Create your VPN connection between the VGW and CGW
5. Download your template configuration
6. Configure your CGW, watch your tunnels come up and enjoy encrypted connectivity!

[Diagram: Amazon Web Services / Virtual Private Cloud connected across The Internet to on-premises Internet Access over IPsec Tunnel 1 (Primary) and IPsec Tunnel 2 (Secondary)]

! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-52cd203b
! Your Virtual Private Gateway ID : vgw-9c987bf5
! Your Customer Gateway ID : cgw-c39d7eaa
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1

Sample VPN configuration
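Step 5 hands you a template like the one above, and step 6 pushes it to a device that terminates your encrypted path to AWS. Before that push it is worth confirming that the template really belongs to the VPN connection, VGW and CGW you created and that it describes both tunnels. The following is an added example, not code from the deck or from AWS: it parses the comment header of the downloaded template and compares it with the identifiers you expect. The sample text is a constructed copy of the slide's header (its identifiers are the slide's own example values); the per-tunnel sections of a real template are omitted here.

```python
"""Validate the header of a downloaded AWS VPN customer-gateway template.

Added example, not from the original deck. Checks that the template names
the VPN connection, VGW and CGW you created and that it covers two tunnels.
"""
import re

# Constructed from the header shown on the slide; tunnel bodies omitted.
SAMPLE_TEMPLATE = """\
! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-52cd203b
! Your Virtual Private Gateway ID : vgw-9c987bf5
! Your Customer Gateway ID : cgw-c39d7eaa
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! (tunnel 1 configuration omitted in this constructed sample)
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! (tunnel 2 configuration omitted in this constructed sample)
"""

# The three identifiers announced in the template header.
_ID_PATTERNS = {
    "vpn_connection_id": re.compile(r"Your VPN Connection ID\s*:\s*(vpn-[0-9a-f]+)"),
    "vgw_id": re.compile(r"Your Virtual Private Gateway ID\s*:\s*(vgw-[0-9a-f]+)"),
    "cgw_id": re.compile(r"Your Customer Gateway ID\s*:\s*(cgw-[0-9a-f]+)"),
}
# One header line per tunnel, e.g. "! IPSec Tunnel #1".
_TUNNEL_HEADER = re.compile(r"^!\s*IPSec Tunnel #(\d+)\s*$", re.MULTILINE)


def parse_template_header(text):
    """Return the identifiers and tunnel numbers found in a template.

    Missing identifiers are reported as None rather than raising, so the
    caller can list every problem at once.
    """
    found = {}
    for name, pattern in _ID_PATTERNS.items():
        match = pattern.search(text)
        found[name] = match.group(1) if match else None
    found["tunnels"] = sorted({int(n) for n in _TUNNEL_HEADER.findall(text)})
    return found


def check_template(text, expected_vpn, expected_vgw, expected_cgw):
    """Compare a template with the resources created in steps 2 to 4.

    Returns a list of human-readable problems; an empty list means the
    template is the one you expect and describes both tunnels.
    """
    header = parse_template_header(text)
    problems = []
    for name, expected in (("vpn_connection_id", expected_vpn),
                           ("vgw_id", expected_vgw),
                           ("cgw_id", expected_cgw)):
        actual = header[name]
        if actual is None:
            problems.append(f"{name} not found in template header")
        elif actual != expected:
            problems.append(f"{name} mismatch: template says {actual}, expected {expected}")
    if header["tunnels"] != [1, 2]:
        problems.append(f"expected tunnels [1, 2], template describes {header['tunnels']}")
    return problems


if __name__ == "__main__":
    # Identifiers taken from the slide's sample configuration: no problems.
    print(check_template(SAMPLE_TEMPLATE, "vpn-52cd203b", "vgw-9c987bf5", "cgw-c39d7eaa"))
    # A template issued for a different CGW is caught before it reaches a router.
    print(check_template(SAMPLE_TEMPLATE, "vpn-52cd203b", "vgw-9c987bf5", "cgw-00000000"))
```

The check is deliberately read-only: it never touches the gateway, it only decides whether the file you are about to apply is the one you meant to download.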

AWS Direct Connect – Provisioning

[Diagram: on-premises → Service Provider Network → Colocation Facility (e.g. Equinix SV1) with a Customer or Partner Cage, connected over VLAN A and VLAN B (carrying a Private VIF and a Public VIF) to the AWS Direct Connect POP; + More]

1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and attach it to your Virtual Private Cloud (VPC)
3. Order an AWS Direct Connect from the console or through a Direct Connect Partner
4. Have your cross connect provisioned from the AWS router to your device or your partner's device (or use a partner's NNI)
5. Build connectivity through the partner back to on-premises, if not already available
6. Provision your virtual interfaces (private or public) and start using your AWS Direct Connect.

Common hybrid use cases: what kind of hybrid architectures can we build?

Customer-facing applications: external apps on AWS

• Scalability and Elasticity: Auto Scaling infrastructure to required capacity and match spending to actual utilization
• High Availability: application deployments that span across multiple facilities with adequate load balancing
• Global Reach: highly available global services on edge locations across the world
• Maintainability: fully managed service portfolio for most common application components

[Diagram: DNS → CDN → Load Balancer → Front App → Load Balancer → Back end → Database; Storage]

The famous three-tiered web application

Reference: https://aws.amazon.com/architecture/

Building multi-site deployments with AWS

Pilot light architecture

• Allows the scaling of redundant sites during a failure scenario

[Diagram: DNS Resolution directing users between two sites, one marked X as failed]

Defining communications

#  | Source Application | Destination Application | Port | Bandwidth | Latency
#1 | Web Tier           | Application Tier        | 443  | 10 Mbps   | 10 ms
#2 | Application Tier   | Database Tier 1         | 1433 | 50 Mbps   | 2 ms
#3 | Database Tier 1    | Database Tier 2         | 1521 | 50 Mbps   | 50 ms

The communications matrix allows for the description of interconnectivity between applications. By defining communications you can determine where applications may be placed based on the network properties of any points of interconnection.

Placing your application where it makes sense

On-premises based front end

• Allows for an on-premises front end, such as application-based interfaces.

Customer case study: Nuts.com

Nuts.com required the front end for their web application to reside inside their distribution centers, in the form of an application running on portable Motorola Symbol TC70 hardened barcode scanners. With users communicating with the AWS-built application continuously, low-latency, seamless connectivity was a hard requirement of the project.

[Diagram: AT&T NetBond connecting the distribution centers to AWS]

“Our value is in being able to deliver quality food items quickly... AT&T NetBond® helps us streamline back-end operations by simplifying how we connect to AWS cloud services, so we focus on impressing our customers.”

Ben Shakal
Chief Tech Nut,

Customer case study: Brooks Brothers

SAP HANA hybrid deployment: SAP Customer Contact Center application landscape

[Diagram: Corporate Data Center (SAP ERP, Users, Call Center Supporting Systems, Stores (POS)) and a SaaS Provider (Data Cleansing) connected over AWS Direct Connect to a VPC Subnet in an Availability Zone running SAP HANA on r3.8xlarge instances, SAP CAR (AS ABAP) and SAP SLT]

SAP HANA Quick Start: https://aws.amazon.com/quickstart/architecture/sap-hana/

Customer case study: Kellogg’s

[Diagram: Kellogg’s Data Center (SAP ERP, Users) connected over an Encrypted VPN Connection to AWS: Production SAP HANA DB, Backup and Recovery to Amazon S3, managed with AWS CloudFormation, IAM and Amazon CloudWatch]

Public reference: https://aws.amazon.com/solutions/case-studies/kellogg-company/

Placing your application where it makes sense: split-tier architecture

• Allows for a custom “web” layer on-premises, such as application-based interfaces.
• Allows for a custom “App” layer on-premises, such as application processing.
• Allows for a custom “DB” layer on-premises, for example for regional or compliance reasons.

[Diagram: DNS Resolution directing users to tiers split between on-premises and AWS]
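The communications matrix from the "Defining communications" slide is what turns the split-tier options above (web, app or DB layer on-premises, the rest in AWS) from a preference into a yes/no question: does the point of interconnection between the two sites meet every row's bandwidth and latency requirement? The following is an added example, not code from the deck: it takes the three matrix rows exactly as the slide gives them, a constructed set of link properties for an Internet VPN and for a dedicated connection, and reports which rows a proposed placement would violate, then enumerates every placement that violates none. The link figures (100 Mbps / 30 ms for the VPN path, 1000 Mbps / 5 ms for the dedicated path) are assumptions for illustration, not measurements.

```python
"""Check tier placements against the communications matrix.

Added example, not from the original deck. MATRIX is the slide's table;
LINKS and LINKS_DX are constructed interconnection properties.
"""
from collections import namedtuple
from itertools import product

Row = namedtuple("Row", "ref src dst port bandwidth_mbps latency_ms")

# The communications matrix as shown on the slide.
MATRIX = [
    Row("#1", "Web Tier", "Application Tier", 443, 10, 10),
    Row("#2", "Application Tier", "Database Tier 1", 1433, 50, 2),
    Row("#3", "Database Tier 1", "Database Tier 2", 1521, 50, 50),
]

# Constructed link properties keyed by the unordered pair of sites:
# (available bandwidth in Mbps, round-trip latency in ms). Assumed values.
LINKS = {
    frozenset({"on-prem"}): (10000, 0.5),        # inside the data centre
    frozenset({"aws"}): (10000, 0.5),            # inside one VPC
    frozenset({"on-prem", "aws"}): (100, 30),    # assumed VPN over the Internet
}
# Same sites, assuming a dedicated connection instead (also constructed).
LINKS_DX = {**LINKS, frozenset({"on-prem", "aws"}): (1000, 5)}

# Two split-tier placements discussed in the deck.
WEB_ON_PREM = {"Web Tier": "on-prem", "Application Tier": "aws",
               "Database Tier 1": "aws", "Database Tier 2": "aws"}
DB_ON_PREM = {"Web Tier": "aws", "Application Tier": "aws",
              "Database Tier 1": "on-prem", "Database Tier 2": "on-prem"}


def link_for(site_a, site_b, links=LINKS):
    """Bandwidth and latency available between two sites (same site allowed)."""
    return links[frozenset({site_a, site_b})]


def violations(placement, matrix=MATRIX, links=LINKS):
    """Return (row ref, reason) for every matrix row a placement cannot satisfy.

    placement maps each tier to a site. A row fails when the link between
    the two tiers' sites offers less bandwidth or more latency than the row
    requires, or when a tier has no placement / the sites have no link.
    """
    failed = []
    for row in matrix:
        try:
            bw, lat = link_for(placement[row.src], placement[row.dst], links)
        except KeyError as missing:
            failed.append((row.ref, f"no placement or link for {missing}"))
            continue
        if bw < row.bandwidth_mbps:
            failed.append((row.ref, f"bandwidth {bw} Mbps < {row.bandwidth_mbps} Mbps"))
        if lat > row.latency_ms:
            failed.append((row.ref, f"latency {lat} ms > {row.latency_ms} ms"))
    return failed


def feasible_placements(sites=("on-prem", "aws"), matrix=MATRIX, links=LINKS):
    """Enumerate every assignment of tiers to sites that violates no row."""
    tiers = sorted({t for row in matrix for t in (row.src, row.dst)})
    feasible = []
    for choice in product(sites, repeat=len(tiers)):
        placement = dict(zip(tiers, choice))
        if not violations(placement, matrix, links):
            feasible.append(placement)
    return feasible


if __name__ == "__main__":
    # Web tier on-premises over the VPN path breaks row #1's 10 ms budget...
    print(violations(WEB_ON_PREM))
    # ...but passes over the assumed dedicated connection.
    print(violations(WEB_ON_PREM, links=LINKS_DX))
    # Row #2's 2 ms budget keeps app and DB tiers on the same site either way.
    print(violations(DB_ON_PREM, links=LINKS_DX))
    for p in feasible_placements(links=LINKS_DX):
        print(p)
```

Under the constructed figures the matrix forces the application tier and Database Tier 1 onto the same site regardless of link type, while the web front end can move on-premises only when the interconnection stays under the 10 ms row; replace LINKS with measured values for your own points of interconnection before drawing conclusions.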

Other hybrid use cases: what else can we build?

Development and test

[Diagram: Corporate Network with App A, App B and App C; Container, DevOps, Template, VDI]

• Innovation & agility: automated builds and deployment of code
• Consistent regression testing: numerous disposable environments that can be (re)built within a click, allowing regression tests in identical setups
• Cost-effective: environments can be disposed or stopped when unused
• Scalability: conduct performance and stress tests with potentially thousands of simulation nodes

Backup and archive: backup to cloud storage

[Diagram: on-premises Application Server, Virtual Server, File Server and Database Server feeding a Backup System that writes to Amazon S3 and Amazon Glacier]

• Eliminate tape, hardware, off-site storage
• Reduce capital expense for backup infrastructure
• Never worry about backup durability
• Never run out of backup capacity
• Data stored off-site, with high durability, in multiple locations

Backup systems shown: Veeam Backup & Replication, Symantec NetBackup, Oracle RMAN and Secure Backup Module, CommVault Simpana, AltaVault (SteelStore)

Hybrid connectivity: complexity solved through partner solutions

Customer case study: Robert Half – hybrid cloud requirements

Robert Half IT envisioned a hybrid cloud architecture where business units and developers use separate cloud resources with secure connectivity to their datacenter.

Robert Half has staffing and consulting operations at over 400 locations worldwide. As an early adopter of AWS cloud services, the company needed to address agility, flexibility, and secure isolation with separate Virtual Private Clouds (VPCs).

Customer case study: Robert Half – hybrid cloud challenges

The network bottleneck: more than 4 weeks to provision secure connectivity between cloud provider VPN gateways (such as the VGW) and the datacenter edge router, due to:

• IT maintenance windows
• Manual intervention by CCIE network experts
• Complex CLI configurations

Other challenges when building hybrid cloud connectivity:

• Business disruption risk during configuration of connectivity
• Granular account mapping – on-premises to AWS
• No automated self-service workflow mechanism for deploying hybrid cloud sandboxes

[Diagram: Perimeter Device at the datacenter edge terminating each VPC connection]

• Long wait time (weeks) to provision cloud network
• Requires a change for each VPC connection
• VPCs are manually created with no central management

Customer case study: Robert Half – hybrid cloud solutions

[Diagram: Aviatrix CloudN gateway (AGW) connecting VPC 1 and further VPCs to the on-premises network; IAM, S3 Endpoint, Security Groups, Account Aliases]

1. Users can provision cloud networks in minutes
2. Integration with ServiceNow for self-service
3. All cloud network connections terminate in the Aviatrix gateway
4. No edge router changes are required for VPC connectivity
5. VPCs are automatically created and managed by Aviatrix software
6. Networks are automatically connected to the on-premises network with encryption.

Customer case study: Robert Half – results and benefits

“Aviatrix makes AWS a lot more consumable for us. We wanted a completely isolated environment for each business application. Aviatrix solution is a perfect fit with our technology strategy related to application isolation in the cloud.”

James Fogerson
Sr. Solution Architect, Robert Half

Final thoughts

• Hybrid infrastructure is key. AWS allows for full network integration and hybrid cloud architectures across on-premises and AWS.
• Reduce the heavy lifting: using cloud services can allow you to focus on your business and alleviate pain points in new deployments.
• Adoption is not tech- but business-driven. Increased agility provides the necessary reduced time-to-market.
• On-premises infrastructure is not throwaway. After you move to the cloud, it’s not a cloud or no-cloud decision. You can and probably will use both.

Questions

Thank you!

Remember to complete your evaluations!
