
Upload: shaun-hummel

Post on 14-Apr-2017






Amazon AWS Cloud Deployment

The Amazon cloud deployment strategy comprises multiple activities, each with a timeline, that are required for cloud migration. The deployment plan should include proper change management and minimize service disruption to the enterprise network. The application is deployed to the cloud before any changes are made to the enterprise network, so that the cloud application can be tested properly before employees are cut over. The company then upgrades equipment and changes the switch and router configurations. Finally the enterprise network is connected to the cloud and all employees are cut over to the cloud application. Four primary groups comprise any cloud deployment plan.

Cloud Provider Design Review

Cloud Validation Testing

Application Migration

Data Migration

Cloud Provider Design Review

The design review is a key aspect of any cloud migration. It includes design reviews with the cloud provider, application vendors and network appliance vendors, and is an opportunity to confirm every aspect of the design with all vendors and identify any deficiencies or errors. The vendors that are part of the cloud design often provide best practice recommendations and suggestions for optimization. Multiple platforms, features and protocols are deployed with any cloud design, including the following.

Internet and VPN Connectivity

BGP Routing

Quality of Service

Firewall Rules

The cloud provider has significant experience with cloud networking, integration and deployment strategies. The company can set up proof of concept validation testing of the proposed cloud designs, and company engineers can gain experience with cloud tools and work with cloud support engineers. The cloud provider should provide training that serves as an orientation to cloud architecture, service management, VM migration and support processes. Courses that teach effective cloud troubleshooting are helpful as well, along with SLA management for private clouds.

Cloud Validation Testing

Customer deployment planning starts with cloud validation testing for any applications migrating to the cloud. It is an opportunity to test the network management tools of the cloud provider. In addition performance, availability and security testing can be done to verify design requirements. Having internet connectivity to the cloud is required for proper testing from the enterprise. It validates all features as well as connectivity between the enterprise and any cloud servers.


The internet connectivity allows performance to be verified across the ISP network. The deployment of all virtual servers and appliances is tested for switching, routing and WAN optimization as well. The following describes the recommended order of activities to accomplish cloud validation testing.

Cloud Validation Testing Recommendations

1. Conduct training on vendor virtualization migration tools and service management applications.

2. Test the cloud provider migration tools.

3. Create a proof of concept plan for the cloud provider assigned testing environment.

Develop and run a test plan for all relevant features. The testing includes networking, servers, application features and storage.

The test plan should include the following activities:

Migrate enterprise servers to cloud machine images

Select a subnet model and assign IP addressing

Enable DNS services

Configure ACLs and security groups

Deploy any virtual appliances

Connect the internet link from enterprise network to cloud data center for testing.
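As an added example (not part of the original document), the following Python script audits security group ingress rules the way the "Configure ACLs and security groups" step of the test plan should be verified: it flags any rule that opens a port to 0.0.0.0/0 or ::/0 other than an approved public web port, and rates a rule critical when it exposes a remote administration or database port or every protocol. The group data has the shape that boto3's describe_security_groups() returns, but it is constructed sample data, and the approved-port set is an assumption for the example.

```python
"""Audit EC2 security group ingress rules for world-reachable ports.

Added example, not from the original document. The input mirrors the shape of the
"SecurityGroups" list that boto3's describe_security_groups() returns, but the
groups below are constructed sample data, not a real account.
"""
import ipaddress

# Ports acceptable from the internet on a public-facing tier (assumption for this example).
PUBLIC_OK_PORTS = {80, 443}
# Ports that should never be open to the world: remote administration and databases.
SENSITIVE_PORTS = {22, 3389, 1433, 1521, 3306, 5432}

# Constructed sample: a web-tier group and a badly configured database-tier group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},                            # SSH only from the office range
    ]},
    {"GroupId": "sg-0bbb222", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},                            # SQL Server open to the world
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},   # only from the web tier: fine
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},                            # all traffic, but private range
    ]},
]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """(low, high) for a permission; protocol -1 means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups, public_ok_ports=PUBLIC_OK_PORTS):
    """Return one finding per ingress rule that exposes something other than an
    approved web port to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if not world:
                continue            # source is a limited CIDR or another group, not the world
            low, high = port_range(perm)
            if perm["IpProtocol"] == "tcp" and low == high and low in public_ok_ports:
                continue            # a single approved web port is acceptable on a public tier
            exposed_sensitive = any(low <= p <= high for p in SENSITIVE_PORTS)
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg["GroupName"],
                "Protocol": perm["IpProtocol"],
                "PortRange": f"{low}-{high}",
                "Sources": world,
                "Severity": "critical" if exposed_sensitive or perm["IpProtocol"] == "-1" else "high",
            })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['Severity']:8} {f['GroupId']} ({f['GroupName']}) "
              f"{f['Protocol']} {f['PortRange']} from {', '.join(f['Sources'])}")
```

Against the sample data only the db-tier rule for TCP 1433 is reported; the SSH rule is scoped to a documentation prefix, the MySQL rule references the web-tier group, and the all-protocol rule is limited to a private range. To run it against a real account, replace SAMPLE_GROUPS with the "SecurityGroups" list from describe_security_groups(); the audit itself is unchanged.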

Performance load testing and multi-user testing:

1. WAN testing to include the enterprise data center, branch offices, customers, partners and any currently deployed cloud data centers.

2. All failover redundancy design features.

3. Multiple transaction performance testing from the company, from any device, including security testing.

Conduct a design review with engineers, network operations, managers, network architects, application developers, systems administrators and vendors. Make the required modifications to the cloud design and run the testing again to verify. After testing is approved, proceed to application and data migration.

Application Migration

The next step in the cloud deployment is migrating applications to the cloud provider. Providers offer migration tools that simplify the process. The cloud provider has import tools that convert enterprise server virtual machines (VMware, Hyper-V etc.) to cloud provider compatible machine images. Migrating a physical server requires converting it to an enterprise virtual machine (VM) first. Some cloud providers offer services that manage the migration of enterprise servers to the cloud data center.


The cloud provider often quantifies processing as a workload. The workload processing requirements vary among applications, transactions and servers. For instance a request to a database server could take two hours and large amounts of temporary processing and storage, while a request to a web server could take a few seconds and no significant processing or storage at all. The workload requirements become a factor when deciding which applications are migrated and when assigning instance types.

Enterprise Server Migration Options

Physical Server -> Enterprise Virtual Machine -> Cloud Machine Image

Enterprise Virtual Machine -> Cloud Machine Image

Cloud Machine Image -> Cloud Machine Image

The Amazon EC2 VM Import tool (VM Import/Export) converts an enterprise server VM to a cloud machine image. The conversion maintains application configuration settings. VMware vCenter is the enterprise management application for the virtualized platform; it works with the Amazon EC2 VM Import Connector to import and convert virtual machines (VMs). An EC2 availability zone and instance type are assigned to the imported server instance. As soon as your applications and workloads have been imported, you can create an AMI from the instance, enabling you to run multiple instances from the same image, and you can create backups with the Amazon EBS snapshot service. Note that the imported image contains everything that was on the source VM, including local accounts, stored credentials and management agents, so review and harden the instance before you create an AMI from it or share that AMI.

Amazon AWS Cloud Architecture

The cloud provider virtualization platform has some similarities to the enterprise virtualization platform, with architectural differences that come from a multi-tenant service provider design. Amazon AWS, for instance, provides public and virtual private cloud (VPC) services with multiple connectivity options for a variety of design requirements. Amazon AWS provides migration tools that convert the customer's servers to Amazon Machine Images (AMIs). An AMI is not a hypervisor; it is the image that the EC2 service launches on Amazon's own hypervisor. An AMI is created for every server associated with an application, and the virtual appliances for the VPC are converted to AMIs as well. Each AMI is launched with an instance type, a predefined hardware profile comprising CPU cores, memory and disk space; some instance types also specify network throughput and storage IOPS. The tenant manages capacity and redundancy by placing web servers behind Elastic Load Balancing and in Auto Scaling groups, so the number of instances scales up or down with workload and peak traffic. Edge caching is available as well to minimize latency.

1. Enterprise Virtual Machine Image -> Convert to Amazon Machine Image

VMware vSphere


Microsoft Hyper-V

Citrix Xen VHD


2. Amazon Machine Image (AMI) -> EC2 Server Instance Type

3. Multiple Server Instances = Cloud Application

4. Deploy Cloud Application Services

Elastic Load Balancing –> EC2 Server Instances

Software Load Balancing -> EC2 Server Instances

Dynamic Auto Scaling -> Number of Server Instances

DNS Redirect, Content Edge Caching and ElastiCache

Amazon EC2 Processing

An Amazon Machine Image (AMI) is the template from which virtual machine servers are launched. It comprises the bundled application, operating system and configuration build. For instance an AMI for a web server would include the application, operating system, configuration files, launch permissions that control which AWS accounts may start instances from the AMI, and a block device mapping of storage volumes to the instance. An EBS-backed AMI can be encrypted, but AMIs are not encrypted unless you enable it. The following defines some standard Amazon cloud services.

Amazon EC2 – elastic server instances and data storage that are available on demand with scalable network capacity. The tenant virtual machine is converted to an AMI to launch an EC2 instance.

Instance Type – selected when an AMI is launched, with varying CPU, memory, storage and networking capacity. Amazon offers instance type families that work well for various application groups based on design requirements.

Availability Zones – each region has multiple availability zones, which are separate data centers. Availability zones enable database replication to separate data centers for high availability and disaster recovery, which improves redundancy, load balancing and scalability for tenant cloud applications.

Elastic Block Storage (EBS) – a block level storage volume attached to a single instance. It is best suited to database transactions with frequent updates. There are selectable volume types based on performance and capacity requirements.

Auto Scaling Groups – The Amazon EC2 Auto Scaling service scales server groups up and down. The customer defines performance triggers, such as CPU utilization, for an Auto Scaling group of web servers. The service could add web server instances to the group when CPU utilization reaches 90%, for instance; metrics such as latency can be used as triggers as well. The customer specifies the number of instances to add or remove, along with the minimum and maximum size of the group and a cooldown period that stops the group from reacting to the same breach repeatedly.

Elastic Load Balancing (ELB) – The purpose of Elastic Load Balancing is to distribute traffic across the instances registered with it, typically the members of an Auto Scaling group. The ELB can load balance traffic across multiple availability zones as well. ELB runs health checks against each instance and stops sending traffic to instances that fail them; it does not measure CPU load, so an overloaded instance that still answers health checks keeps receiving traffic until Auto Scaling adds capacity.
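Added example, not from the original document and not the Auto Scaling service's own code: a simplified simulation of the trigger logic described above, with one CPU datapoint per 60 second period, showing how the breach duration, the minimum and maximum group size and the cooldown period shape the result. The CPU series and the policy values are constructed for illustration.

```python
"""Simulate how an Auto Scaling group reacts to a CPU metric: breach-duration
evaluation, step adjustment, min/max bounds and cooldown.

Added example, not from the original document and not the Auto Scaling service's
own code: a simplified model with one datapoint per 60 s period. The CPU series
and the policy settings are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class ScalingPolicy:
    min_size: int = 2
    max_size: int = 6
    period_seconds: int = 60
    cooldown_seconds: int = 300         # ignore further triggers this long after an action
    scale_out_threshold: float = 90.0   # CPU % that counts as a breach
    scale_out_periods: int = 3          # consecutive breaching datapoints before acting
    scale_out_adjustment: int = 2       # instances added per action
    scale_in_threshold: float = 30.0
    scale_in_periods: int = 3
    scale_in_adjustment: int = 1        # instances removed per action


@dataclass
class ScalingEvent:
    period: int
    before: int
    after: int


def simulate(cpu_series, policy, desired):
    """Walk the metric one period at a time. Returns (final_capacity, events)."""
    capacity = max(policy.min_size, min(policy.max_size, desired))
    high = low = 0
    last_action = None
    events = []
    for t, cpu in enumerate(cpu_series):
        # Count consecutive breaches; a single datapoint never triggers an action.
        high = high + 1 if cpu >= policy.scale_out_threshold else 0
        low = low + 1 if cpu <= policy.scale_in_threshold else 0
        in_cooldown = (last_action is not None and
                       (t - last_action) * policy.period_seconds < policy.cooldown_seconds)
        if in_cooldown:
            continue
        if high >= policy.scale_out_periods and capacity < policy.max_size:
            new = min(policy.max_size, capacity + policy.scale_out_adjustment)
        elif low >= policy.scale_in_periods and capacity > policy.min_size:
            new = max(policy.min_size, capacity - policy.scale_in_adjustment)
        else:
            continue
        events.append(ScalingEvent(t, capacity, new))
        capacity, last_action = new, t
    return capacity, events


# Constructed per-minute CPU utilization: a traffic spike followed by a quiet period.
SAMPLE_CPU = [40, 55, 92, 95, 97, 96, 93, 94, 91, 88, 60, 45, 25, 20, 18, 15, 12, 10, 10, 10]


if __name__ == "__main__":
    for label, policy in (("with cooldown", ScalingPolicy()),
                          ("no cooldown", ScalingPolicy(cooldown_seconds=0))):
        final, events = simulate(SAMPLE_CPU, policy, desired=2)
        print(label, "-> final capacity", final)
        for e in events:
            print(f"  period {e.period:2}: {e.before} -> {e.after}")
```

With the 300 second cooldown the group grows from 2 to 4 at period 4 and shrinks back in two steps once the metric has been low long enough; with no cooldown the same spike pushes the group to its maximum of 6 one period later, and the quiet period then removes an instance every minute. The cooldown is what prevents a single sustained breach from being charged for repeatedly.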


Data Storage Encryption

Support for disk encryption depends on the storage service and on key management. The primary storage services are S3 and Elastic Block Storage. A variety of Amazon and third party services are available with different key management options, and both client side and server side encryption methods are available. With client side encryption the enterprise encrypts the data and manages the keys before the data leaves the enterprise, so the provider never sees plaintext or keys. With server side encryption the service encrypts the data as it is written to disk; Amazon S3 server side encryption (SSE) is an example. There are three options available to the tenant for key management.

1. Company manages encryption method, key storage and key management.

2. Company manage encryption method and key management. Amazon manages key store.

3. Amazon AWS manages encryption method, key storage and key management.

Passphrase – a single secret used both to encrypt and to decrypt; it should be turned into a key with a key derivation function rather than used directly.

Asymmetric (public/private) keys – different keys encrypt and decrypt; used for key exchange, email and messaging.

Symmetric keys – the same key encrypts and decrypts; used for bulk encryption of data storage.

Digital Certificate – binds a public key to an identity so the key can be verified; used with TLS to protect data in transit.
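Added example, not from the original document: a bucket policy that enforces key management options 2 or 3 above at the service boundary, by denying any PutObject that does not request server-side encryption and denying any access over plain HTTP, together with a small evaluator that checks constructed request contexts against the policy offline. The bucket name and the request contexts are constructed; the condition keys are the ones S3 documents for this purpose.

```python
"""Require server-side encryption on S3 uploads with a bucket policy, and check
candidate PutObject requests against that policy offline.

Added example, not from the original document. The bucket name and the request
contexts are constructed for illustration; the policy pattern (deny PutObject
without the x-amz-server-side-encryption header, deny non-TLS access) is the one
AWS documents for S3.
"""
import fnmatch
import json

BUCKET = "example-migration-data"   # assumed bucket name


def sse_bucket_policy(bucket):
    """Every PutObject must request SSE-S3 (AES256) or SSE-KMS (aws:kms), and no
    request may use plain HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             # header present but asking for something other than SSE-S3 or SSE-KMS
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
            {"Sid": "DenyUploadsWithoutSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             # header missing entirely
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM condition operators used above against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            allowed = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and actual in allowed
            elif operator == "StringNotEquals":
                # a missing key is handled by the separate Null statement in the policy
                ok = actual is not None and actual not in allowed
            elif operator == "Null":
                ok = (actual is None) == (allowed[0].lower() == "true")
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == allowed[0].lower()
            else:
                raise ValueError(f"operator {operator} not supported by this evaluator")
            if not ok:
                return False        # every key in a Condition block must match
    return True


def explicit_deny(policy, ctx):
    """Return the Sid of the first Deny statement that matches the request, or None.
    Allow statements are ignored here: a bucket policy Deny overrides any Allow elsewhere."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


# Constructed request contexts: what S3 knows about each PutObject call.
RESOURCE = f"arn:aws:s3:::{BUCKET}/hr/payroll.csv"
REQUESTS = {
    "kms_over_tls": {"action": "s3:PutObject", "resource": RESOURCE,
                     "aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"},
    "no_sse_header": {"action": "s3:PutObject", "resource": RESOURCE,
                      "aws:SecureTransport": "true"},
    "wrong_sse_value": {"action": "s3:PutObject", "resource": RESOURCE,
                        "aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "rot13"},
    "kms_over_http": {"action": "s3:PutObject", "resource": RESOURCE,
                      "aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms"},
}


def check_all(policy=None):
    """Map each constructed request to the Sid that denies it (None if the policy permits it)."""
    policy = policy or sse_bucket_policy(BUCKET)
    return {name: explicit_deny(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(sse_bucket_policy(BUCKET), indent=2))
    for name, sid in check_all().items():
        print(f"{name:16} -> {sid or 'not denied by bucket policy'}")
```

The policy is the part you would attach to the bucket; the evaluator exists so the effect of each statement can be checked before deployment. It covers only the operators the policy uses, so extending the policy means extending _condition_holds as well. Option 1 (client side encryption with company-managed keys) is not something a bucket policy can verify, because S3 only sees opaque ciphertext in that case.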

Elastic Block Storage (EBS) Encryption

EBS volume encryption is available for any EBS volume attached to a supported EC2 instance type; it is not limited to database servers. It is a key security feature, particularly for applications with direct exposure to the internet. Data is encrypted at rest on the volume, in transit between the instance and the volume, and in snapshots taken from the volume. There are no SSL certificates to manage. The encryption keys are managed through AWS Key Management Service (KMS), using either the AWS managed key or a customer managed key. The following are client side encryption solutions available for the Amazon EBS storage service; note that TrueCrypt is no longer maintained.

Microsoft Windows - EFS for files and TrueCrypt for storage volumes

Linux - EncFS, Loop-AES, dm-crypt (LUKS), TrueCrypt

OpenSolaris - ZFS

AMI copy and EBS snapshot copy services let you replicate applications and workloads across regions on a global scale. Instance types can be changed as application and workload requirements change. CloudWatch is available to monitor all applications and workloads after importing them.

Data Migration

The applications being migrated to the cloud often comprise multiple servers, and the existing application data must be migrated to the cloud along with the servers. Most of the data migrated to the cloud is stored on file servers and database servers. The applications discussed so far have been primarily client/server applications with web servers, application servers and database servers. The data created by a client/server application is stored by the database server as database tables on a storage volume. File servers hold employee data files for retrieval, created by a variety of Windows and Linux applications. The files and all database tables must be migrated from the enterprise to the cloud unless it is a new application.


Amazon Simple Storage Service (S3)

Amazon S3 is an internet storage service accessed over HTTPS through the S3 API endpoints; from inside a VPC it is reached through an internet gateway or a VPC endpoint for S3. Typical uses for S3 are data backups and file storage. The architecture defines objects of up to 5 TB in size. Objects are stored in buckets, and a bucket belongs to a region; S3 replicates objects across multiple availability zones in that region for durability. S3 has various options for security, and the tenant should configure them based on security requirements. Access control methods include bucket policies, ACLs and presigned URLs, which carry the authorization in the query string. The Identity and Access Management (IAM) feature allows administrators to manage and assign permissions to users, groups and roles.

File Object – up to a maximum of 5 TB data file size.

Buckets – one or multiple objects are stored in a single bucket with no capacity limit. The object key assigned by the developer is used to retrieve files. Data encryption is available and access rights are assigned to the data.

Region – a bucket is assigned to a region, and each region has multiple availability zones. There are multiple regions around the world. It is key to select the best region for your bucket to minimize latency and to satisfy security compliance and data residency requirements. Regions are selected based on where customers are located and where the data may legally be stored; S3 traffic should use HTTPS and server side encryption regardless of region.
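Added example, not from the original document: a standard-library implementation of the query-string authorization mentioned above, which S3 calls a presigned URL. The generator signs a GET request with Signature Version 4, and the verifier shows what S3 checks on receipt: the expiry window first, then the signature over the exact host, path and query parameters. The credentials, bucket, object key and fixed timestamp are constructed; the EXAMPLE access key is the placeholder AWS uses in its documentation, not a real credential.

```python
"""Create and verify an Amazon S3 presigned GET URL (query-string authentication)
using Signature Version 4 with only the standard library.

Added example, not from the original document. The access key, secret key, bucket,
object key and fixed timestamp are constructed for illustration; the signing
procedure is the SigV4 query-parameter scheme S3 uses.
"""
import datetime
import hashlib
import hmac
import urllib.parse

MAX_EXPIRES = 7 * 24 * 3600         # S3 rejects presigned URLs valid for longer than 7 days
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region, service="s3"):
    """Derive the per-day, per-region, per-service key; the long-term secret never signs a request directly."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _quote(s):
    return urllib.parse.quote(s, safe="-_.~")


def _string_to_sign(host, uri, params, amz_date, scope):
    """Canonical request for a GET with only the Host header signed and an unsigned payload."""
    canonical_qs = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join([ALGORITHM, amz_date, scope, digest]), canonical_qs


def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Return a URL that lets anyone holding it GET the object until `expires` seconds after `now`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    uri = "/" + urllib.parse.quote(key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sts, canonical_qs = _string_to_sign(host, uri, params, amz_date, scope)
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{canonical_qs}&X-Amz-Signature={signature}"


def verify_presigned(url, secret_key, now):
    """What S3 does on receipt: check the expiry window, then rebuild the signature
    from the URL as presented. Returns (valid, reason)."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        _, date_stamp, region, _, _ = params["X-Amz-Credential"].split("/")
        signed_at = datetime.datetime.strptime(
            params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed query string"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "expiry out of range"
    if now < signed_at or now > signed_at + datetime.timedelta(seconds=expires):
        return False, "expired"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    sts, _ = _string_to_sign(parts.netloc, parts.path, params, params["X-Amz-Date"], scope)
    expected = hmac.new(_signing_key(secret_key, date_stamp, region),
                        sts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"      # any change to host, path, or parameters lands here
    return True, "ok"


# Constructed inputs: AWS's documentation placeholder credentials and a fixed clock.
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_NOW = datetime.datetime(2017, 4, 14, 12, 0, 0, tzinfo=datetime.timezone.utc)


def demo():
    """Sign one URL, then present it to the verifier under several conditions."""
    url = presign_get("example-migration-data", "hr/payroll.csv",
                      SAMPLE_ACCESS_KEY, SAMPLE_SECRET, "us-east-1", 3600, SAMPLE_NOW)
    try:
        presign_get("example-migration-data", "x", SAMPLE_ACCESS_KEY, SAMPLE_SECRET,
                    "us-east-1", MAX_EXPIRES + 1, SAMPLE_NOW)
        rejects_long_expiry = False
    except ValueError:
        rejects_long_expiry = True
    return {
        "url": url,
        "rejects_long_expiry": rejects_long_expiry,
        "fresh": verify_presigned(url, SAMPLE_SECRET, SAMPLE_NOW + datetime.timedelta(minutes=30)),
        "expired": verify_presigned(url, SAMPLE_SECRET, SAMPLE_NOW + datetime.timedelta(hours=2)),
        "other_object": verify_presigned(url.replace("payroll", "salaries"), SAMPLE_SECRET, SAMPLE_NOW),
        "stretched_expiry": verify_presigned(url.replace("X-Amz-Expires=3600", "X-Amz-Expires=9999999"),
                                             SAMPLE_SECRET, SAMPLE_NOW),
        "wrong_secret": verify_presigned(url, "not-the-secret", SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The security point is visible in the verifier: the URL itself is the credential. Anyone who obtains it can fetch the object until X-Amz-Expires elapses, and no bucket-side change short of rotating the signing credentials revokes it early, so presigned URLs should be short-lived and handed out over HTTPS only. Changing the object key, stretching the expiry or guessing the secret all fail, because every query parameter is part of the signed canonical request.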

Amazon EC2 Elastic Block Storage

Commercial relational database platforms include Oracle Database Server and Microsoft SQL Server. They are supported by multiple cloud providers, including on Amazon EC2. The Amazon Elastic Block Storage (EBS) service is the most suitable storage for commercial databases and has additional options for managing them. It is a persistent, network-attached block storage service that behaves like a hard drive. EBS typically has much lower latency than the S3 storage service. An EBS volume is attached to a server instance, whose operating system reads and writes it as a local disk while the data is stored on Amazon's storage arrays and available at all times. Current EBS volumes can be as large as 16 TiB; the 1 TB limit quoted in older material applied to earlier volumes. An EBS volume is created in an availability zone and attached to a database server instance in that same zone. Multiple volumes can be attached to a single server instance. The following are typical storage assignments for enterprise servers migrated to the Amazon AWS cloud.

File Servers -> Amazon Simple Storage Service (S3)

Oracle and SQL Server Database Servers -> Amazon EC2 + EBS Storage

MySQL, Oracle, SQL Server Database -> Amazon RDS + EC2 + EBS

Optimized Throughput

EBS provisioned IOPS volumes let you create a single volume with a guaranteed IOPS level for increased performance and scalability where required, which improves disk processing for I/O intensive database transactions. The EBS volume is formatted and the enterprise data is migrated to the volume so it is available for an application. The customer can also select an EBS optimized instance, which gives the instance dedicated bandwidth to EBS. The figures quoted when this document was written were 4,000 IOPS per volume, and 16,000 IOPS with 2 Gbps of throughput for an EBS optimized instance striping four such volumes; these limits have been raised several times since, so check the current EBS documentation. Striping volumes (RAID 0 at the operating system level) multiplies IOPS but also means that losing any one volume loses the whole array, so the set must be snapshotted consistently.


Amazon Relational Database Service (RDS)

Amazon RDS is a managed database service from Amazon that supports MySQL, SQL Server and Oracle database servers. Amazon manages the tenant database, so the features the tenant can customize are limited as a result. At the time of writing the maximum volume size was 3 TB (it has since been raised); Multi-AZ deployments and read replicas are supported for availability and scalability. Amazon RDS for Oracle and SQL Server supports Transparent Data Encryption (TDE). There is a backup service with the snapshot copy feature, and security permissions are assigned to the tenant. RDS creates a database instance, which can host multiple databases, with assigned processing and volume disk size. Tenants can also run Oracle or SQL Server on their own EC2 instances, which denotes that the database is tenant managed and customized; the Amazon RDS managed service itself runs on EC2 instances as well. There are additional features the tenant can deploy that make it suitable for some employee applications.

EBS Volume Snapshot

The snapshot service available with Amazon EBS storage makes a point-in-time backup of an EBS volume for data recovery or for creating new volumes. Snapshots are incremental and are stored in S3. A snapshot captures only data that has been written to the volume, so data still cached in memory by the application or operating system must be flushed first for a consistent backup.

Service Catalog

AWS Service Catalog lets administrators publish a collection of approved products, such as enterprise servers that have been converted to Amazon Machine Images (AMIs) and the virtual appliances deployed for VPC connectivity, that users can launch as server instances on the EC2 service. Additional software, including anti-virus software, can be packaged into catalog products as well. You can launch multiple instances of a web server AMI to create a web server cluster, and you can define multiple virtual data centers with push button launch into multiple availability zones.

Available at: Cloud Design Fundamentals

Copyright © 2017 CiscoNet Solutions All Rights Reserved