AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises Workloads to the Cloud...
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Matt Lehwess – Principal Solutions Architect
James Fogerson – Sr. Solution Architect, Robert Half
November 29, 2016
Hybrid Architecture Design: Connecting Your On-Premises Workloads to the Cloud
Should I migrate everything to AWS?
No, this is more than a binary choice.
(Diagram: On-Premises and Cloud side by side)
Should I migrate everything to AWS?
We just need to figure out the connectivity…
(Diagram: On-Premises ? Cloud)
Hybrid networking: or, more commonly referred to as… networking.
AWS networking
(Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a Public Subnet and a Private Subnet; Instance A 10.1.1.11/24, Instance B 10.1.2.11/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; Managed NAT Gateway; AWS Lambda inside VPC)
Let's get distracted by new things:
• Virtual Private Endpoints for S3: gives you the ability to connect privately to S3
• AWS Lambda inside a VPC: access Lambda without having to go through a VGW
• NAT Gateway: use a NAT Gateway within a VPC for managed NAT to the Internet
Connecting to AWS: IGWs, VGWs, VPNs, and AWS Direct Connect
(Diagram: On-Premises connected to AWS)
VPN connectivity: provisioning VPN connections
1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and attach it to your Virtual Private Cloud (VPC)
3. Define your customer gateway (CGW)
4. Create your VPN connection between the VGW and CGW
5. Download your template configuration
6. Configure your CGW and watch your tunnels come up and enjoy encrypted connectivity!
(Diagram: on-premises Internet Access; IPsec Tunnel 1 - Primary and IPsec Tunnel 2 - Secondary crossing The Internet to the Amazon Web Services Virtual Private Cloud)
Sample VPN configuration:
! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-52cd203b
! Your Virtual Private Gateway ID : vgw-9c987bf5
! Your Customer Gateway ID : cgw-c39d7eaa
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
AWS Direct Connect – Provisioning
(Diagram: on-premises Service Provider Network reaching a Colocation Facility – e.g. Equinix SV1 – where a Customer or Partner Cage cross-connects to the AWS Direct Connect POP; a Private VIF and a Public VIF on VLAN A and VLAN B, + More)
1. Build your AWS infrastructure
2. Create your Virtual Private Gateway (VGW) and attach it to your Virtual Private Cloud (VPC)
3. Order an AWS Direct Connect from the console or through a Direct Connect Partner
4. Have your cross connect provisioned from the AWS router to your device or your partner's device (or use a partner's NNI)
5. Build connectivity back to on-premises, if it is not already available through the partner
6. Provision your Virtual Interfaces (private or public) and start using your AWS Direct Connect.
Common hybrid use cases: what kind of hybrid architectures can we build?
Customer-facing applications
(Diagram: External apps on AWS)
Scalability and Elasticity: Auto Scaling infrastructure to the required capacity and matching spending to actual utilization
High Availability: application deployments that span multiple facilities with adequate load balancing
Global Reach: highly available global services on edge locations across the world
Maintainability: fully managed service portfolio for the most common application components
(Diagram: DNS, CDN, Load Balancer, Front App, Load Balancer, Back end, Database, Storage)
The famous three-tiered web application
Reference: https://aws.amazon.com/architecture/
Building multi-site deployments with AWS
Pilot light architecture
• Allows the scaling of redundant sites during a failure scenario
(Diagram: DNS Resolution for each site, with one site marked X as failed)
Defining communications
The communications matrix
#  | Source Application | Destination Application | Port | Bandwidth | Latency
#1 | Web Tier           | Application Tier        | 443  | 10Mbps    | 10ms
#2 | Application Tier   | Database Tier 1         | 1433 | 50Mbps    | 2ms
#3 | Database Tier 1    | Database Tier 2         | 1521 | 50Mbps    | 50ms
Allows for the description of interconnectivity between applications. By defining communications you can determine where applications may be placed based on the network properties of any points of interconnection.
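To show the placement reasoning the matrix enables (and the split-tier and on-premises front end options that follow), here is an added Python example that is not part of the deck: it transcribes the three matrix rows as data, takes a proposed tier placement and the properties of one point of interconnection, and reports which flows cross the boundary, which violate a flow's latency budget or the link's bandwidth, and the minimum set of ports that must be allowed across the link. The link figures (100 Mbps / 30 ms for a VPN over the Internet, 1 Gbps / 5 ms for Direct Connect) are constructed assumptions, not AWS figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    row: int
    src: str
    dst: str
    port: int
    bandwidth_mbps: int
    max_latency_ms: int   # latency the flow tolerates between src and dst


# The deck's communications matrix, rows #1-#3, transcribed as data.
MATRIX = [
    Flow(1, "Web Tier", "Application Tier", 443, 10, 10),
    Flow(2, "Application Tier", "Database Tier 1", 1433, 50, 2),
    Flow(3, "Database Tier 1", "Database Tier 2", 1521, 50, 50),
]

# Constructed properties of two points of interconnection (assumptions for
# illustration only; measure your own links before placing workloads).
LINKS = {
    "vpn-over-internet": {"bandwidth_mbps": 100, "latency_ms": 30},
    "direct-connect": {"bandwidth_mbps": 1000, "latency_ms": 5},
}


def evaluate(placement, link_name, matrix=MATRIX):
    """Check a placement (tier name -> "on-prem" or "aws") against one link.

    Returns the flows that cross the interconnect, any latency or aggregate
    bandwidth violations, and the least-privilege allow list needed across
    the boundary as (source side, destination side, port) tuples.
    """
    link = LINKS[link_name]
    crossing = [f for f in matrix if placement[f.src] != placement[f.dst]]
    violations = []
    total_bw = sum(f.bandwidth_mbps for f in crossing)
    if total_bw > link["bandwidth_mbps"]:
        violations.append(f"aggregate {total_bw} Mbps exceeds link {link['bandwidth_mbps']} Mbps")
    for f in crossing:
        if link["latency_ms"] > f.max_latency_ms:
            violations.append(f"#{f.row} {f.src} -> {f.dst} tolerates {f.max_latency_ms} ms, "
                              f"link adds {link['latency_ms']} ms")
    # Only the matrix's ports, in the matrix's direction, need to cross the link;
    # everything else stays denied on the firewall / security group at the edge.
    rules = sorted({(placement[f.src], placement[f.dst], f.port) for f in crossing})
    return {"ok": not violations, "crossing": crossing, "violations": violations, "rules": rules}


if __name__ == "__main__":
    db_on_prem = {"Web Tier": "aws", "Application Tier": "aws",
                  "Database Tier 1": "aws", "Database Tier 2": "on-prem"}
    for name in LINKS:
        print(name, evaluate(db_on_prem, name))
```

Running it shows why the deck pairs the 2 ms application-to-database flow with co-location: moving only the application tier on-premises fails even over the low-latency link, while keeping Database Tier 2 on-premises needs nothing more than port 1521 across the VPN.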
Placing your application where it makes sense
On-premises based front end
• Allows for an on-premises front end, such as application-based interfaces.
Customer case study: Nuts.com
Nuts.com required the front end for their web application to reside inside their distribution centers, in the form of an application running on portable Motorola Symbol TC70 hardened barcode scanners.
With users constantly communicating with the AWS-built application, low-latency, seamless connectivity was a hard requirement of the project.
(Diagram: on-premises front end connected to AWS over AT&T NetBond)
“Our value is in being able to deliver quality food items
quickly...
AT&T NetBond® helps us streamline back-end operations
by simplifying how we connect to AWS cloud services, so
we focus on impressing our customers.”
Ben Shakal
Chief Tech Nut,
Customer case study: Brooks Brothers
(Diagram: SAP Customer Contact Center application landscape. Corporate Data Center with SAP ERP, Users, Call Center, Supporting Systems and Stores (POS), plus a SaaS Provider (Data Cleansing), connected over AWS Direct Connect to a VPC Subnet in an Availability Zone hosting SAP HANA and SAP CAR (AS ABAP) on r3.8xlarge instances, with SAP SLT)
SAP HANA hybrid deployment
SAP HANA Quick Start: https://aws.amazon.com/quickstart/architecture/sap-hana/
Customer case study: Kellogg’s
(Diagram: Kellogg’s Data Center with SAP ERP and Users, connected over an Encrypted VPN Connection to AWS, where the Production SAP HANA DB runs alongside AWS CloudFormation, IAM, Amazon CloudWatch and Amazon S3 for Backup and Recovery)
Public reference: https://aws.amazon.com/solutions/case-studies/kellogg-company/
Placing your application where it makes sense
Split-tier architecture
• Allows for a custom “web” layer on-premises, such as application-based interfaces.
• Allows for a custom “App” layer on-premises, such as application processing.
• Allows for a custom “DB” layer on-premises, for example for regional or compliance reasons.
(Diagram: DNS Resolution in front of each split-tier layout)
Other hybrid use cases: what else can we build?
Development and test
(Diagram: Corporate Network with App A, App B and App C; Container, DevOps, Template, VDI)
Innovation & agility: automated builds and deployment of code; consistent regression testing; numerous disposable environments that can be (re)built within a click, allowing regression tests in identical setups
Cost-effective: environments can be disposed of or stopped when unused
Scalability: conduct performance and stress tests with potentially thousands of simulation nodes
Backup and archive
(Diagram: Application Server, Virtual Server, File Server and Database Server; Backup System; Amazon S3; Amazon Glacier)
Backup to cloud storage
• Eliminate tape, hardware, off-site storage
• Reduce capital expense for backup infrastructure
• Never worry about backup durability
• Never run out of backup capacity
• Data stored off-site, with high durability, in multiple locations
(Diagram: the same topology with partner backup products: Veeam Backup & Replication, Symantec NetBackup, Oracle RMAN and Secure Backup Module, CommVault Simpana, AltaVault (SteelStore))
Hybrid connectivity: complexity solved through partner solutions
Hybrid cloud requirements
Customer case study: Robert Half
Robert Half IT envisioned a hybrid cloud architecture where business units and developers use separate cloud resources with secure connectivity to their datacenter.
Robert Half has staffing and consulting operations at over 400 locations worldwide. As an early adopter of AWS cloud services, the company needed to address agility, flexibility, and secure isolation with separate Virtual Private Clouds (VPCs).
Hybrid cloud challenges
Customer case study: Robert Half
The network bottleneck: more than 4 weeks to provision secure connectivity between cloud provider VPN gateways (such as the VGW) and the datacenter edge router, due to:
• IT maintenance windows
• Manual intervention by CCIE network experts
• Complex CLI configurations
Other challenges when building hybrid cloud connectivity:
• Business disruption risk during configuration of connectivity
• Granular account mapping – on-premises to AWS
• No automated self-service workflow mechanism for deploying hybrid cloud sandboxes
(Diagram: Perimeter Device at the datacenter edge. Long wait time (weeks) to provision the cloud network; requires a change for each VPC connection; VPCs are manually created with no central management)
Hybrid cloud solutions
Customer case study: Robert Half
(Diagram: Aviatrix CloudN; AGW; VPC 1; IAM, S3 Endpoint, Security Groups, Account Aliases)
1. Users can provision cloud networks in minutes
2. Integration with ServiceNow for self-service
3. All cloud network connections terminate in the Aviatrix gateway
4. No edge router changes are required for VPC connectivity
5. VPCs are automatically created and managed by Aviatrix software
6. Networks are automatically connected to the on-premises network with encryption.
“Aviatrix makes AWS a lot more consumable
for us. We wanted a completely isolated
environment for each business application.
Aviatrix solution is a perfect fit with our
technology strategy related to application
isolation in the cloud.”
James Fogerson
Sr. Solution Architect, Robert Half
Customer case study: Robert Half
Results and benefits
Final thoughts
• Hybrid infrastructure is key. AWS allows for full network integration and hybrid cloud architectures across on-premises and AWS.
• Reduce the heavy lifting: using cloud services can allow you to focus on your business and alleviate pain points in new deployments.
• Adoption is not tech-driven but business-driven. Increased agility provides the necessary reduced time-to-market.
• On-premises infrastructure is not throwaway. After you move to the cloud, it’s not a cloud or no-cloud decision. You can and probably will use both.
Questions
Thank you!
Remember to complete your evaluations!