©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Expanding your Data Center with a hybrid infrastructure
Angelo Carvalho, Solutions Architect
Agenda
• Hybrid architectures and distributed workloads, split tiers
• Layers
  – Data center
  – Network
  – Hypervisors
  – Operating systems
  – Management services
    • AWS OpsWorks
    • AWS CodeDeploy
  – Applications
  – Data
• Example hybrid architectures
Split tiers
I—Split tiers, AWS front end
Diagram labels: AWS region (Web layer), private connection, your data center (App layer, Database layer), Internet.
II—Split tiers, on-premises DMZ
Diagram labels: AWS region (Web layer, App layer, DB layer), private connection, Internet, your data center (Web layer, the on-premises DMZ).
III—Split tiers, one arm
Diagram labels: AWS region (Web layer, App layer, DB layer), private connection, Internet, your data center (Web layer, App layer).
Layers
Diagram: the layer stack, with the legacy DC (corporate data centers) on one side and AWS on the other. The AWS counterpart of each layer:
– Data Center: Availability Zones, Regions
– Network: VPC, Direct Connect
– Hypervisors: Amazon EC2
– Operating Systems
– Management Services
– Applications: Burst, Scale, 86
– Data: Store, Replicate, Archive
Data center layer
101—Data center expansion, dynamic bursting
Diagram labels: AWS Cloud, Legacy DC.
101—Data center HA, disaster recovery
Diagram labels: AWS Cloud, Legacy DC.
101—Data center compliance/security
Diagram labels: AWS Cloud, Legacy DC.
301—Data center layer
• An AWS region is more than a data center
• An Availability Zone is a different construct
• Distance determines expansion vs. a new data center
  – Maximum distance for data center expansion
  – Minimum requirements for an independent data center
  – How to measure latency for data center interconnects
• Security and operations mismatch in design
Network layer
101—Network layer interconnect
• Routing selection priority—static, Direct Connect, VPN
• Overlapping routes only via propagated routes
• Use BGP with the VPN configuration for faster failover
• If Direct Connect fails, VPN backup for the private VI
• If Direct Connect fails, Internet backup for the public VI
Diagram: customer internal network and customer router; Direct Connect router; VPN connection over the Internet through the customer gateway; EC2 instances and Amazon S3 in the AWS region; public traffic and private traffic drawn separately.
201—Private and public interconnects
Each interface can be associated with a different AWS account (hosted virtual interfaces).
Diagram: customer router to the Direct Connect router at the Direct Connect location; VLANs X, Y, Z … N carried into virtual private cloud 1, 2 … N and to the region's public endpoints.
201—Redundancy in AWS Direct Connect connections
• Active/Active links via BGP multi-pathing
• Active/Passive also an option
• AWS ensures a different router if in the same facility
• Can use different facilities and carriers
• Customer can affect return path selection
  – AS-PATH prepend, but not on public
  – More specific route
Diagram: customer routers and customer internal network connected to Direct Connect routers at one or more Direct Connect locations; EC2 instances and Amazon S3 in the AWS region; public and private traffic. Route labels: 10.10.0.0/16 with AS path 65500; 10.10.0.0/16 with AS path 65500 65500 (prepended); 10.10.9.0/24 with AS path 65500 65500 (more specific).
Multiple VPCs over AWS Direct Connect
Diagram reconstructed as a table: one private virtual interface (PVI), VLAN tag and BGP session per VPC, between the customer switch + router (VLANs 101, 102, 103) and each VPC's virtual private gateway (VGW).

PVI | VLAN tag | VPC (CIDR)          | VGW   | AWS BGP ASN | AWS announces | AWS interface IP  | Customer interface | Customer BGP ASN | Customer announces | Customer interface IP
1   | 101      | VPC 1 (10.1.0.0/16) | VGW 1 | 7224        | 10.1.0.0/16   | 169.254.251.5/30  | 0/1.101            | 65001            | 10.0.0.0/8         | 169.254.251.6/30
2   | 102      | VPC 2 (10.2.0.0/16) | VGW 2 | 7224        | 10.2.0.0/16   | 169.254.251.9/30  | 0/1.102            | 65002            | 10.0.0.0/8         | 169.254.251.10/30
3   | 103      | VPC 3 (10.3.0.0/16) | VGW 3 | 7224        | 10.3.0.0/16   | 169.254.251.13/30 | 0/1.103            | 65003            | 10.0.0.0/8         | 169.254.251.14/30

Route table (customer internal network)
Destination   Target
10.1.0.0/16   PVI 1
10.2.0.0/16   PVI 2
10.3.0.0/16   PVI 3
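The slide's plan can be checked mechanically before the VLAN sub-interfaces and BGP sessions are configured; the following is an added example (not AWS's or the presenter's code) that encodes the table above and flags the mistakes that most often cause blackholed or asymmetric traffic: reused VLAN tags, overlapping VPC CIDRs, peer addresses that do not share a /30, and ASN mix-ups. The VIFS data is copied from the table; everything else is the example's own.

```python
from ipaddress import ip_interface, ip_network

# Constructed from the slide's table (not AWS's or the presenter's code): one
# private virtual interface (PVI), 802.1Q tag and eBGP session per VPC, AWS
# side ASN 7224, customer side a private ASN, a link-local /30 per session.
VIFS = [
    {"pvi": 1, "vlan": 101, "vpc_cidr": "10.1.0.0/16", "aws_asn": 7224,
     "aws_ip": "169.254.251.5/30", "cust_if": "0/1.101", "cust_asn": 65001,
     "cust_announce": "10.0.0.0/8", "cust_ip": "169.254.251.6/30"},
    {"pvi": 2, "vlan": 102, "vpc_cidr": "10.2.0.0/16", "aws_asn": 7224,
     "aws_ip": "169.254.251.9/30", "cust_if": "0/1.102", "cust_asn": 65002,
     "cust_announce": "10.0.0.0/8", "cust_ip": "169.254.251.10/30"},
    {"pvi": 3, "vlan": 103, "vpc_cidr": "10.3.0.0/16", "aws_asn": 7224,
     "aws_ip": "169.254.251.13/30", "cust_if": "0/1.103", "cust_asn": 65003,
     "cust_announce": "10.0.0.0/8", "cust_ip": "169.254.251.14/30"},
]

PRIVATE_ASN = range(64512, 65535)  # 16-bit private ASNs (RFC 6996)


def check_plan(vifs):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    vlans = [v["vlan"] for v in vifs]
    if len(set(vlans)) != len(vlans):
        problems.append("duplicate VLAN tag: every VIF on the connection needs its own tag")
    cidrs = [(v["pvi"], ip_network(v["vpc_cidr"])) for v in vifs]
    for i, (p1, c1) in enumerate(cidrs):
        for p2, c2 in cidrs[i + 1:]:
            if c1.overlaps(c2):
                problems.append(f"PVI {p1}/PVI {p2}: VPC CIDRs {c1} and {c2} overlap")
    for v in vifs:
        tag = f"PVI {v['pvi']}"
        aws, cust = ip_interface(v["aws_ip"]), ip_interface(v["cust_ip"])
        # Both BGP peers must sit in the same point-to-point /30.
        if aws.network.prefixlen != 30 or aws.network != cust.network:
            problems.append(f"{tag}: peer addresses must share one /30")
        elif aws.ip == cust.ip:
            problems.append(f"{tag}: AWS and customer peer IPs are identical")
        if not aws.network.is_link_local:
            problems.append(f"{tag}: peer /30 is outside 169.254.0.0/16")
        if v["cust_asn"] not in PRIVATE_ASN:
            problems.append(f"{tag}: customer ASN {v['cust_asn']} is not a private ASN")
        if v["aws_asn"] == v["cust_asn"]:
            problems.append(f"{tag}: both ends use ASN {v['aws_asn']}; the session would be iBGP")
    return problems


def route_table(vifs):
    """The slide's customer-side route table: each VPC CIDR is reached via its own PVI."""
    return {v["vpc_cidr"]: f"PVI {v['pvi']}" for v in vifs}
```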
301—Direct Connect interregion
In the US, with a public VIF, use the AWS network to:
• Access public resources in remote US regions
• VPN to a remote US region and emulate a private VIF
• Public VIF + VPN is a common AWS GovCloud (US) scenario
Diagram: Direct Connect at Equinix, San Jose, into the AWS private network reaching us-west-1, us-west-2 and us-east-1; VPN to a VGW; public and private traffic.
301—Direct Connect interregion
Company establishes Direct Connect to us-west-1 and us-east-1. Which path should be taken to an S3 resource in us-west-2?
• Customer is responsible for their internal routing behaviors
• AWS provides OOB information on region address blocks
• Use BGP Local Pref, for example, for outbound routing
• Use specific routes for inbound routing, avoid asymmetry
• Use BFD for faster routing recovery on link failure
Diagram: Direct Connect at Equinix, San Jose and at Equinix, Ashburn; us-west-1, us-west-2 and us-east-1; customer internal network and office; public and private traffic.
301—Global multi-region Direct Connect
Diagram: US, EU and AP customer data centers on a customer IPVPN MPLS backbone, each reaching a Direct Connect PoP (Virginia or NYC for the us-east-1 region; Ireland or London for eu-west-1; Singapore for ap-southeast-1); public and private traffic.
Hypervisor layer
101—Bidirectional gold image replication
Diagram: EC2 AMIs in the AWS Cloud replicated to and from VM images in the legacy DC.
vCenter image migration
1. The vSphere client authorizes import to the environment.
2. The management portal verifies that the user has permission to migrate VMs to the environment and returns a token.
3. The vSphere client sends an import request to the connector along with the token.
4. The connector verifies the token.
5. The connector verifies that the user has permission to export the VM.
6. The connector starts the migration.
7. The connector sends a response to the vSphere client with the import task ID.
Diagram: in your data center, the vSphere client, vCenter Server, the AWS Connector and a federation proxy; on the AWS side, the AWS Management Portal for vCenter, VM Import and EC2. The arrows are numbered 1–7 as in the steps above.
301—Hybrid considerations
Importing VMs
• HVM only, 64-bit (Linux PVHVM drivers are supported within imported instances)
• BYOL for RHEL
• The expanded image cannot exceed 1 TiB
• Make sure your VM only uses a single disk
• Virtual Hard Disk (VHD) images must be dynamic
• Single ENI
• VM Import does not install single root I/O virtualization (SR-IOV)
• Known limitations for exporting a VM from Amazon EC2
Exporting VMs
• Amazon Elastic Block Store (Amazon EBS) data volumes
• Make sure your instance only uses a single disk
• Single ENI
• You cannot export an instance that you did not import
Management services layers
101—AWS Directory Service
o Deploys in two modes
  § Directory Service Connect
  § Simple AD—built on Samba 4, an Active Directory compatible server
o Simplifies AWS IAM federation
  § Avoids the complexity and cost of hosting SAML-based federation infrastructure
  § Acts as a proxy—no data is stored on AWS infrastructure
  § Supports existing RADIUS-based MFA
o Requires IPsec VPN or Direct Connect connectivity
Diagram: AWS Directory Service Connect in two VPC subnets (one per Availability Zone, each with a security group) behind a virtual gateway, connected to the corporate data center with its users, AD domain, servers and domain controller.
Bring your own Active Directory
• Domain controllers launched in the internal VPC
• Internal VPC instances join the domain upon launch
• Instances use Dynamic DNS to register both A and PTR records
• Domain controller replicates with corporate AD servers
• VPC DNS forwarding to corporate DNS
Diagram: in the AWS region, a public-facing web app, an internal corporate app and a domain controller + DNS; a new instance registers as friendly-vpc-123.corp.example.com (domain join + DNS queries). Over the VPN connection to the corporate data center: AD replication with the corp.example.com AD controller, and DNS forward requests to the example.com DNS.
101—Identity federation
Customer (identity provider) on one side, AWS Cloud (relying party) on the other.
Diagram: a user application authenticates against Active Directory through a federation proxy and then calls AWS resources (Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Numbered arrows:
1. Request session
2, 3. (unlabelled steps between the application, Active Directory and the federation proxy)
4. GetFederationToken request
5. GetFederationToken response: access key, secret key, session token
6. Receive session
7. Call AWS APIs
Federation proxy
• Uses a set of IAM user credentials to make a GetFederationToken request
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials
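Because the proxy's IAM user carries the union of every federated user's permissions, the control that keeps one user from inheriting everyone's access is the Policy passed on each GetFederationToken call: the session's effective permissions are the intersection of the IAM user's policy and that scope-down policy. The following added example (not AWS's or the presenter's code) shows steps 4 to 6 with that narrowing applied; the STS client is injected so it runs offline, and the bucket name and per-user prefix layout are assumptions.

```python
import json

# Added illustration of the federation-proxy flow on this slide; not AWS's or
# the presenter's code. The proxy holds ONE privileged IAM user's long-term
# keys and, after Active Directory has authenticated a user, calls
# GetFederationToken for that user. The returned session can do only what
# BOTH the IAM user's policy and the Policy passed here allow, so each session
# is narrowed to that user's share. The sts client is injected; with boto3 it
# would be boto3.client("sts", ...) built from the proxy's stored credentials.
# The bucket name and the users/<name>/ prefix layout are assumptions.

BUCKET = "example-corp-shared"  # assumed bucket name


def session_policy(ad_user, bucket=BUCKET):
    """Scope-down policy for one user: list and read/write only users/<name>/."""
    prefix = f"users/{ad_user}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def issue_session(sts, ad_user, ad_authenticated, duration=3600):
    """Steps 4-6 of the diagram: call GetFederationToken with the scoped policy
    and hand back only the temporary access key, secret key and session token."""
    if not ad_authenticated:
        raise PermissionError("Active Directory authentication failed; no token issued")
    resp = sts.get_federation_token(
        Name=ad_user[:32],  # federated user name is limited to 32 characters
        Policy=json.dumps(session_policy(ad_user)),
        DurationSeconds=duration,  # short-lived; the proxy's own keys never leave it
    )
    creds = resp["Credentials"]
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}
```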
Resource tracking and cost allocation
Tag and describe your infrastructure
• Describe every AWS object through an API call
• Resources in AWS can have custom tags
• Custom tags can be used to control permissions and allocate costs, enabling charge-back of service usage
• Dynamically generate a full inventory
• Visualize your AWS infrastructure in real time
Example tag set: Name: APAWSIN001; Purpose: Production; Application: SharePoint Farm 03; Business Unit: Marketing; Cost Centre: 2384234
101—Operations and security integration
o Security monitoring integration points with AWS CloudTrail and a SIEM aggregator
o Logging with CloudTrail and SNMP MIBs to the SIEM aggregator
o Platform and app health to the SIEM aggregator via an agent on the EC2 guest
o Amazon CloudWatch Logs provides scalable, low-cost log aggregation
o Access to patching and updates for AMIs from the on-premises update server
Diagram: two VPC subnets (one per Availability Zone, each with a security group) behind a virtual gateway; connectivity to the corporate data center with its users, data center router, update servers and SIEM aggregator; CloudTrail and CloudWatch feeding the SIEM aggregator.
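What the SIEM integration point buys you is a place to run rules over CloudTrail, and the federation proxy from the earlier slide is the obvious first rule: its long-term IAM keys should only ever be used from the corporate data center. The following added example (not AWS's or the presenter's code) flattens CloudTrail records into SIEM-style events and alerts when the proxy's user calls GetFederationToken from outside corporate address space. The records, the corporate address range and the proxy's user name are constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records (not real log data) in the shape CloudTrail
# delivers: a JSON document with a "Records" list. Two calls come from the
# corporate address space; the last GetFederationToken call does not, which is
# the case to alert on.
CLOUDTRAIL_JSON = """{"Records": [
 {"eventTime": "2015-06-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetFederationToken", "sourceIPAddress": "10.20.30.40",
  "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
  "requestParameters": {"name": "alice"}},
 {"eventTime": "2015-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "10.20.30.41",
  "userIdentity": {"type": "IAMUser", "userName": "ops-monitor"}},
 {"eventTime": "2015-06-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
  "requestParameters": {"name": "alice"}}
]}"""

CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate DC address space
PROXY_USER = "federation-proxy"              # assumed IAM user name of the proxy


def load_records(text=CLOUDTRAIL_JSON):
    return json.loads(text)["Records"]


def normalize(record):
    """Flatten one CloudTrail record into the flat event a SIEM would index."""
    ident = record.get("userIdentity", {})
    return {
        "ts": record["eventTime"],
        "service": record["eventSource"].split(".")[0],
        "action": record["eventName"],
        "actor": ident.get("userName") or ident.get("arn", "unknown"),
        "actor_type": ident.get("type", "unknown"),
        "src_ip": record.get("sourceIPAddress", ""),
    }


def detect_proxy_misuse(records):
    """Flag GetFederationToken calls by the proxy's IAM user that did not come
    from corporate address space: the proxy's stored keys may have leaked."""
    alerts = []
    for ev in map(normalize, records):
        if ev["action"] != "GetFederationToken" or ev["actor"] != PROXY_USER:
            continue
        try:
            src = ip_address(ev["src_ip"])
        except ValueError:  # CloudTrail may record a service name instead of an IP
            alerts.append({**ev, "rule": "proxy-call-without-source-ip"})
            continue
        if not any(src in net for net in CORPORATE_NETS):
            alerts.append({**ev, "rule": "proxy-credentials-used-off-premises"})
    return alerts
```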
Operations on AWS
Integrating AWS into your operations
• Amazon CloudWatch provides real-time insight into your AWS services; integrate your own metrics, create and act on alarms
• Amazon SNS allows integration with your alerting systems
• Your current tools still work—install them on an EC2 instance
• Your tools already have AWS API integration
• Established processes don't get thrown away
Automation with AWS OpsWorks
101—AWS OpsWorks
101—Integration points with AWS
• Amazon RDS
• Elastic Load Balancing
• Amazon CloudWatch
• AWS CloudFormation
• AWS CloudTrail
• AWS IAM
• HAProxy
• Ruby, Node.js, Java, PHP, static web
• Ganglia
• Memcached
• MySQL
201—It works on AWS and on legacy infrastructure
201—On-premises availability
• Launched on December 8, 2014
• 2 cents an hour—includes 14 one-minute host-level metrics on CloudWatch
Some customer challenges
• Automating deployments
• Eliminating manual operations
• Minimizing deployment downtime
• Scaling deployments as infrastructure grows
201—Scale out/move
Prepare for large events that exceed your own data center capacity in terms of infrastructure or bandwidth.
Diagram labels: on premises, AWS, DB read, DB write.
201—Move test and dev to AWS
Ease the load in your existing data center by moving environments to AWS OpsWorks. Provide in minutes as many controlled and secure stacks for test and development to your QA teams or developers.
Diagram labels: prod, test, staging, dev1, dev2.
301—What you didn't know
• You can override any part of a cookbook and you win
• Proxy support—you are one step closer to legacy infrastructure
• Docker integration
• Vagrant support
• Use Packer
• Besides on-premises, you can start using OpsWorks with your current EC2 instances through EC2 import. It enables features like script execution on EC2 and gives you 14 1-minute CloudWatch metrics.
• Ansible?
• Faster boot time with GP2
• Instance profiles
101—AWS CodeDeploy
• Automated application deployments to EC2, and soon to any Internet-connected computer
• Consistent and reliable releases, without downtime
• Works on AWS
• Works on legacy
301—What you didn’t know
• Based on Apollo, used by Amazon for on-premises and cloud deployments for over a decade
• Apollo performed 50 million deployments in a 12 month period
• Does AZ striping when deploying across multiple AZs to maximize redundancy
• Starts deployments with instances in a stale or broken state to maximize fleet health
Data layer
101—Data redundancy
o Backup gateways integrated with Amazon S3
o Leverage Amazon S3 archival to Amazon Glacier
o Take advantage of current investments and solutions for options like
  o De-duplication
  o Compression
  o WAN acceleration
Diagram: in the corporate data center, application, virtual, file and database servers back up to the backup system, which writes over iSCSI to a VTL on the AWS Storage Gateway; the gateway stores to Amazon S3 and archives to Amazon Glacier.
101—Data expansion
o Virtual volumes presented to the local network as iSCSI, NFS and CIFS volumes
o Local disk cache to provide fast on-premises access
o Gateway-side encryption for security
Diagram: in the corporate data center, application, virtual, file and database servers use a storage appliance over iSCSI: the AWS Storage Gateway or AWS Marketplace partner appliances (Cloud ONTAP, secure cloud-integrated backup, Panzura Global NAS), backed by Amazon S3.
Hybrid architecture examples
Kellogg’s—SAP HANA hybrid deployment
Q & A
Thank you!