Hybrid cloud in the financial sector using AWS...
Hybrid Architectures in AWS: A view on FinServ
Felix Candelario, Global Solutions Architect – Financial Services
Time: 13:00 – 13:40
Hybrid Overview
Consumption of Cloud Services and On-Premises Infrastructure into an aggregated pool of resources.
(Diagram: the same layers – Data, Applications, Management Services, Operating Systems, Hypervisors, Network, Data Center – drawn across On-Premises Infrastructure and Cloud Services, grouped as Infrastructure, Platform, Services and Solutions. On-Premises DC side: Corporate Data Centers; Store, Replicate, Archive. AWS side: Burst, Scale, x86; Management Services; Operating Systems; Amazon EC2; VPC, Direct Connect; Availability Zones, Regions.)
Hybrid Comes in Many Forms
• Integrated Patterns – Split Tiers
• Integrated Infrastructure – VPC VPN, AWS Direct Connect
• Integrated Services – Authentication Federation, Operations Tools and Monitoring
• Integrated Platform – CI/CD, Managed AWS Services
• Integrated Solution – Backup & archive, Storage expansion
(Diagram: the five forms drawn as a stack of Integrated Stacks, starting from Integrated Patterns.)
Integrated Patterns
Split Tiers – AWS Front End
(Diagram: Web Layer in the AWS region, facing the Internet; App Layer and Database Layer in Your Data Center, reached over a Private Connection.)
Split Tiers – On-premises DMZ
(Diagram: Web Layer in Your Data Center facing the Internet, with Web, App and DB Layers in the AWS region behind a Private Connection.)
Split Tiers – One Arm
(Diagram labels: AWS region, Private Connection, Internet, App Layer, Web Layer, DB Layer, Web Layer, Your Data Center, App Layer.)
Integrated Infrastructure
AWS Virtual Private Network (IPSec VPN)
• IPSec hardware VPN connection
• Encryption and Validation
• Private RFC 1918 Addressing
• Uses Border Gateway Protocol (BGP) for routing and fail-over
• VPN Service provides managed redundant end-points
Supported VPN appliances:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
(Diagram: on-premises users, servers and the data center router connect over the Internet through an IPSec VPN to a Virtual Gateway, which fronts VPC subnets in two Availability Zones, each with a Security Group.)
AWS Direct Connect
• Requires Layer 2 single mode fiber 1000BASE-LX or 10GBASE-LR
• Requires 802.1Q VLANs across connection.
– Tagging of IP traffic
• Routing uses BGP A/A or A/P multipath.
• Each DX is mapped to a single AWS Region
http://aws.amazon.com/directconnect/
(Diagram: on-premises users, servers and the data center router reach a customer router at the AWS Direct Connect Location, which peers with AWS Direct Connect routers; traffic enters the Virtual Gateway and VPC subnets in two Availability Zones, each with a Security Group.)
AWS Direct Connect + AWS VPN
• Dedicated network path with assured bandwidth
• More secure than Internet-based IPSec VPN – avoids internet traverse
• Reduced IPSec network transfer costs
• Additional Network Security
http://aws.amazon.com/directconnect/
(Diagram: as for Direct Connect – customer router, AWS Direct Connect Location and routers, Virtual Gateway, VPC subnets in two Availability Zones with Security Groups – with an IPSec VPN additionally shown between the on-premises side and the Virtual Gateway.)
Integrated Services
Active Directory and LDAP
• Reduced back-reach Traffic
• Reduced Latency for Authentication
• Additional Resiliency
• Enablement of both:
– Multi-Master Read/Write Domain Controllers
– Read-only Domain Controllers (RODCs)
• Requires IPSec VPN or Direct Connect connectivity
(Diagram: AD.Domain with a domain controller on premises and a domain controller in each VPC subnet/Availability Zone, joined by Active Directory Replication over Direct Connect through the Virtual Gateway.)
AWS Directory Service
• Three types of directories
– Microsoft AD
– AD Connector
– Simple AD - built on Samba 4 Active Directory compatible server
• Simplifies IAM Federation
• Avoids complexity and cost of hosting SAML-based federation infrastructure
• Acts as a proxy - no data is stored on AWS infrastructure
• Supports existing RADIUS-based MFA
• Requires IPSec VPN or Direct Connect connectivity
http://aws.amazon.com/directoryservice/
(Diagram: the on-premises AD.Domain domain controller is reached by AD Connector instances in each VPC subnet/Availability Zone over Direct Connect through the Virtual Gateway.)
Identity Federation
(Diagram: Customer (Identity Provider) on the left with User Application, Active Directory and Federation Proxy; AWS Cloud (Relying Party) on the right with AWS Resources: Amazon S3 Bucket with Objects, Amazon DynamoDB, Amazon EC2. Numbered flow: 1 Request Session; 2 and 3 unlabeled; 4 GetFederationToken Request; 5 GetFederationToken Response carrying Access Key, Secret Key and Session Token; 6 Receive Session; 7 Call AWS APIs.)
Federation Proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials
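The proxy flow above, written out as an added Python example (not AWS sample code or the presenter's): the bucket name, the user-to-prefix map and the offline FakeSTS stand-in are constructed assumptions; with boto3 the same call is made on `boto3.client("sts")`.

```python
# Added illustration of the federation-proxy pattern on this slide; it is not
# AWS sample code. The proxy's single IAM user must hold the union of every
# federated user's permissions, and each GetFederationToken call carries a
# per-user scope-down policy so the session receives only the intersection.
import json

BUCKET = "example-finserv-bucket"                                   # placeholder
USER_PREFIXES = {"alice": "reports/alice/", "bob": "reports/bob/"}  # constructed


def scope_down_policy(username):
    """IAM policy that confines this user's session to its own S3 prefix."""
    prefix = USER_PREFIXES[username]   # unknown user -> KeyError, fail closed
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*",
        }],
    }


def issue_session(sts, username, duration=3600):
    """Steps 4-6 of the slide: GetFederationToken -> temporary credentials.

    `sts` is any object exposing a boto3-style get_federation_token(**kwargs);
    it is injected so the proxy logic can be exercised without network access.
    """
    resp = sts.get_federation_token(
        Name=username,   # shows up in CloudTrail as the federated user name
        Policy=json.dumps(scope_down_policy(username)),
        DurationSeconds=duration,
    )
    c = resp["Credentials"]
    # Only the temporary triple leaves the proxy; the long-lived IAM user keys
    # that signed this call stay inside the proxy's secure credential store.
    return {k: c[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}


class FakeSTS:
    """Offline stand-in for boto3's STS client; records each request made."""
    def __init__(self):
        self.calls = []
    def get_federation_token(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret-example",
                                "SessionToken": "token-example"}}
```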
Operational Tools and Monitoring
• Security Monitoring integration points with CloudTrail and SIEM Aggregator.
• Logging with CloudTrail and SNMP MIBs to SIEM Aggregator.
• Platform and App Health to SIEM Aggregator via agent on EC2 guest.
• Access to Patching and Updates for AMI by on-premises Update Server.
(Diagram: on-premises Update Servers and SIEM Aggregator connect over Direct Connect through the Virtual Gateway to VPC subnets in two Availability Zones with Security Groups; CloudTrail and CloudWatch feed a CloudTrail S3 Bucket.)
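As an added example (not from the deck) of the CloudTrail-to-SIEM integration point above, this Python flattens a constructed CloudTrail file into one-line events and rates them; the high-risk event names and the expected federation-proxy identity are assumptions.

```python
# Added example, not from the slides: flatten CloudTrail records into one-line
# events for a SIEM aggregator and tag the ones a FinServ SOC would alert on.
# The trail file below is constructed for the example, not real account data.
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-06-01T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
    {"eventTime": "2015-06-01T09:06:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"}},
    {"eventTime": "2015-06-01T09:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "FederatedUser", "userName": "alice"}},
]})

# Assumed rule inputs: control-plane changes worth an alert, and the only
# identity expected to mint federated sessions (the proxy on the earlier slide).
HIGH_RISK = {"AuthorizeSecurityGroupIngress", "StopLogging", "DeleteTrail", "CreateUser"}
FEDERATION_PROXIES = {"federation-proxy"}

def severity(rec):
    """Console login without MFA, a high-risk control-plane change, or a
    GetFederationToken from anything but the proxy is rated high."""
    name = rec["eventName"]
    no_mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "No"
    caller = rec.get("userIdentity", {}).get("userName")
    rogue_fed = name == "GetFederationToken" and caller not in FEDERATION_PROXIES
    if (name == "ConsoleLogin" and no_mfa) or name in HIGH_RISK or rogue_fed:
        return "high"
    return "info"

def to_siem_events(trail_json):
    """Flatten CloudTrail's nested JSON into flat events ready for shipping."""
    events = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        events.append({"ts": rec["eventTime"],
                       "service": rec["eventSource"].split(".")[0],
                       "action": rec["eventName"],
                       "actor": f'{ident.get("type", "?")}:{ident.get("userName", "?")}',
                       "src_ip": rec.get("sourceIPAddress", ""),
                       "severity": severity(rec)})
    return events
```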
Integrated Platform
Continuous Integration and Deployment
• Automates application deployments for both On-Premise and AWS EC2 instances with use of CodeDeploy
• Reuse existing scripts and tools – Bash, PowerShell, Chef, Puppet, anything…
• Integrate with developer tool chain – GitHub, Jenkins, CloudBees, TravisCI, Eclipse…
(Diagram: AWS CodeDeploy and AWS CloudFormation, with an S3 bucket, deploy through agents to servers on premises and to instances in each VPC subnet/Availability Zone, over Direct Connect through the Virtual Gateway.)
Managed AWS Services
• AWS Managed Services:
– Compute: Amazon ECR/ECS, AWS Lambda, AWS Elastic Beanstalk
– Storage: Amazon EFS
– Databases: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache
– Analytics: Amazon EMR, Amazon Elasticsearch Service, Amazon Kinesis, Amazon Redshift
– Security: AWS Directory Service, AWS KMS
• Managed Services Advantages
– Flexibility and Agility, Scalability
– Security
– Automated Maintenance & Upgrade
(Diagram: on-premises servers, MySQL and Apache Kafka connect over Direct Connect through the Virtual Gateway to VPC subnets in two Availability Zones with Security Groups, backed by an S3 bucket, Amazon Redshift and Amazon EMR.)
Integrated Solution
Backup and Archive
• Backup gateways integrated with Amazon S3
– Leverage Amazon S3 archival to Amazon Glacier
• Take advantage of current investments and solutions for options
– De-duplication
– Compression
– WAN Acceleration
(Diagram: the on-premises Backup System and servers write over iSCSI to AWS Storage Gateway VTLs, both on premises and in each VPC subnet/Availability Zone, which store to Amazon S3 and Amazon Glacier; connectivity is over Direct Connect through the Virtual Gateway.)
Hybrid Examples
Case Study: Re-architecting Compliance
“For our market surveillance systems, we are looking at about 40% [savings with AWS], but the real benefits are the business benefits: We can do things that we physically weren’t able to do before, and that is priceless.”
- Steve Randich, CIO
What FINRA needed
• Infrastructure for its market surveillance platform
• Support of analysis and storage of approximately 30 billion market events every day
Why they chose AWS
• Fulfillment of FINRA’s security requirements
• Ability to create a flexible platform using dynamic clusters (Hadoop, Hive, and HBase), Amazon EMR, and Amazon S3
Benefits realized
• Increased agility, speed, and cost savings
• Estimated savings of $10-20m annually by using AWS
Case Study: High Performance Computing (HPC)
“Using AWS helps us reduce a 10-day process to 10 minutes. That’s transformative: it broadens our ability to discover.”
- Peter Phillips, Managing Director
What Aon needed
• Perform actuarial calculations with greater computing power
• Information delivery within shorter time frames and less cost
Why they chose AWS
• Ability to spin up large numbers of Graphical Processing Units (or GPUs) quickly and inexpensively
• Quick delivery of an entire environment and functionality
Benefits realized
• By processing on AWS, recalculating policies takes minutes rather than hours or days
• Ability to deliver client solutions more quickly, with richer risk assessments
Case Study: Big Data Analytics
What Nasdaq needed
• Replacement of on-premises legacy warehouse
• Reduction of cost and increase in data capacity
Why they chose AWS (specifically Amazon Redshift)
• Fulfillment of security and regulatory requirements
• Cost efficiencies without sacrificing functionalities
Benefits realized
• System that moves an average of 5.5 billion rows into Amazon Redshift every day (with 14 billion on a peak day in Oct of 2014)
• Ability to increase accessibility of historic data to a growing number of internal groups
“The Nasdaq Group has been a user of Amazon Redshift since it was released and we are extremely happy with it…. Currently, our system is moving an average of 5.5 billion rows into Amazon Redshift every day.”
- Nate Simmons, Principal Architect
Case Study: Re-architecting ISE’s DR Solution
What ISE needed
• SEC determined ISE’s disaster recovery was not geographically diverse. They needed to build a robust and resilient DR solution with a 2 hour RTO
Why they chose AWS
• Global reach to enable geographic diversity
• Performance of products and services
• Easy automation
Benefits realized
• Abstracted away physical infrastructure
• Ability to add capacity as required
• Mobility associated with global reach
Thank you