AWS Innovate: Best of Both Worlds: Leveraging Hybrid IT with AWS - Dhruv Singhal
TRANSCRIPT
Best of Both Worlds: Leveraging Hybrid IT with AWS
• Dhruv Singhal, Head of Solutions Architect, AISPL
Our Journey Today
• Start: What is hybrid infrastructure?
• Connectivity: Amazon VPC, VPN, AWS Direct Connect
• Enterprise integration: Authentication, Federation
• Operations: Integrated monitoring
• Common workloads in hybrid infrastructure: Dev & Test, Backup, archive & DR, Storage expansion
What do we mean by a “hybrid infrastructure”?
Diagram: on-premises resources (data center) and cloud infrastructure (cloud services), joined by:
• Connectivity
• Workload migration and integration
• Enterprise management tools
• Access/authentication control integration
Connectivity: VPC
Extend your data center with Amazon VPC
• Provision a logically isolated section of the AWS Cloud using your own network address space (choose a range that does not overlap your on-premises networks: overlapping address space cannot be routed across a VPN or Direct Connect link)
• Complete control over your virtual networking environment, including creation of subnets, IP addressing, routing tables and network gateways
• Create private or public subnets in multiple Availability Zones
• You choose where to deploy EC2 instances
• You manage network security at the subnet level using network ACLs (stateless rules)
• You manage EC2 instance security groups, providing a stateful network firewall per instance
Diagram: VPC in an AWS region (address labels as extracted: 10.0.0.0/16 and 10.0.1.0/16) with a Web layer facing the Internet, an Application layer and a Database layer, scaled with Auto Scaling, connected to your data center.
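The first decision on the VPC slide, choosing your own address space, is where hybrid designs most often go wrong, because a VPC range that overlaps the corporate network cannot be routed over the VPN or Direct Connect link that the next slides describe. The following is an added example, not code from the deck: it carves the slide's 10.0.0.0/16 into one subnet per tier per Availability Zone and checks the result against on-premises ranges. The corporate ranges, the tier names and the Availability Zone names are assumptions for illustration; the second address label as extracted from the slide, 10.0.1.0/16, is used to show how a range with host bits set is caught.

```python
"""Plan VPC subnets and check them against on-premises address space.

Added example, not code from the deck. The VPC range is the 10.0.0.0/16
shown on the slide; the corporate ranges, tier names and Availability
Zone names are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List

VPC_CIDR = "10.0.0.0/16"                              # from the slide
CORPORATE_RANGES = ["10.1.0.0/16", "192.168.0.0/16"]   # assumed on-prem space
TIERS = ["web", "app", "db"]                          # the slide's three layers
AZS = ["ap-south-1a", "ap-south-1b"]                  # assumed AZ names


def overlapping_ranges(vpc_cidr: str, remote_cidrs: List[str]) -> List[str]:
    """Return the remote ranges that overlap the VPC CIDR.

    Overlapping space cannot be routed over a VPN or Direct Connect link,
    so any hit must be fixed before the VPC is created. strict=False accepts
    a range written with host bits set (10.0.1.0/16 is really 10.0.0.0/16)
    instead of raising, so such a range is still reported as an overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in remote_cidrs
            if vpc.overlaps(ipaddress.ip_network(c, strict=False))]


def plan_subnets(vpc_cidr: str, tiers: List[str], azs: List[str],
                 prefix: int = 24) -> Dict[str, str]:
    """Carve one /prefix subnet per (tier, AZ) pair out of the VPC CIDR.

    Tiers are laid out in order, each spread across every AZ, e.g.
    {"web/ap-south-1a": "10.0.0.0/24", "web/ap-south-1b": "10.0.1.0/24", ...}.
    Raises ValueError if the VPC cannot hold that many subnets.
    """
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan: Dict[str, str] = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[f"{tier}/{az}"] = str(next(candidates))
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} /{prefix} subnets"
                ) from None
    return plan


def validate_plan(plan: Dict[str, str], corporate_ranges: List[str]) -> List[str]:
    """Return a list of problems: a subnet that overlaps corporate space,
    or two planned subnets that overlap each other. Empty list means OK."""
    nets = {name: ipaddress.ip_network(c) for name, c in plan.items()}
    corp = [ipaddress.ip_network(c, strict=False) for c in corporate_ranges]
    problems: List[str] = []
    for name, net in nets.items():
        problems += [f"{name} {net} overlaps corporate {c}" for c in corp if net.overlaps(c)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # 10.0.1.0/16 (the slide's second label) added to show the host-bits case being caught
    print("overlaps:", overlapping_ranges(VPC_CIDR, CORPORATE_RANGES + ["10.0.1.0/16"]))
    layout = plan_subnets(VPC_CIDR, TIERS, AZS)
    for name, cidr in layout.items():
        print(f"{name:16} {cidr}")
    print("problems:", validate_plan(layout, CORPORATE_RANGES) or "none")
```

Run the overlap check against every range the corporate router will advertise over the link, not only the ranges you plan to reach; a single overlapping prefix makes the whole VPC unreachable from that part of the network.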
Connectivity: Internet
Connectivity: VPN
Diagram: corporate data center (users, servers, data center router) connected over the Internet by an IPsec VPN to a Virtual Gateway in the VPC; VPC subnets in two Availability Zones, each with a security group.
Connectivity: Direct Connect
Diagram: corporate data center (users, servers, data center router) connected through a customer router at the AWS Direct Connect location to the AWS Direct Connect routers, and from there to a Virtual Gateway in the VPC (AWS region); VPC subnets in two Availability Zones, each with a security group.
Connect to Multiple VPCs
Diagram: from one AWS Direct Connect location, your data center reaches several VPCs: a public-facing web app, a public app with back-end integration, a private app with back-end integration, and core/shared services.
Enterprise Integration
AWS Directory Service
• 3 directory types to choose from:
  • AD Connector
  • Simple AD - built on Samba 4, an Active Directory-compatible server
  • Directory Service for Microsoft AD (a managed Microsoft Active Directory)
Diagram: corporate data center (users, AD domain servers) connected over a Virtual Gateway to an AWS Directory Service domain controller in a VPC subnet (two Availability Zones, each with a security group) in the AWS region.
• Domain controllers launched in an internal VPC
• Internal VPC instances join the domain upon launch
• Domain controller replicates with corporate AD servers
• VPC DNS forwarding to corporate DNS
Bring your own Active Directory
Diagram: a public-facing web app and an internal corporate app in the VPC, with a VPN connection to the corporate data center. The corp.example.com AD controller (domain controller + DNS) replicates with the data center's example.com AD and DNS; a new instance (friendly-vpc-123.corp.example.com) performs its domain join and DNS queries against the in-VPC controller, which forwards requests to corporate DNS.
Identity federation
Diagram: Customer (identity provider) on the left, AWS Cloud (relying party) on the right. Components: user, application, Active Directory, federation proxy; AWS resources (Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Numbered flow as labelled on the slide:
1. Request session
2. (label not recovered from the slide)
3. (label not recovered from the slide)
4. GetFederationToken request
5. GetFederationToken response: access key, secret key, session token
6. Receive session
7. Call AWS APIs
Federation proxy
• Uses a set of IAM user credentials to make the GetFederationToken call
• IAM user permissions need to be the union of all federated user permissions; each call must also pass a session policy scoped to that user, because the session's effective permissions are the intersection of the IAM user's policy and the passed policy
• Proxy needs to securely store these privileged credentials
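The "union of all federated user permissions" point is easy to misread as "every federated user gets everything". What actually happens is that the proxy's IAM user policy caps what any session can do, and the session policy passed on each GetFederationToken call narrows it to that user. The following is an added example, not code from the deck: a deliberately simplified model of IAM evaluation (Effect, Action and Resource with wildcards, explicit Deny wins, implicit deny otherwise; Condition, NotAction, principals and resource-based policies are left out) used to show the intersection. The bucket and table names are assumptions for illustration.

```python
"""Why the federation proxy's IAM user needs the union of all permissions,
and how a per-user session policy scopes each GetFederationToken session.

Added example, not code from the deck. Simplified model of IAM evaluation:
Effect/Action/Resource with '*' wildcards, explicit Deny wins, everything
else implicitly denied; Condition, NotAction, principals and resource-based
policies are left out. Bucket and table names are assumed for illustration.
"""
import fnmatch
from typing import Dict, List, Union

Policy = Dict[str, List[dict]]   # {"Statement": [{"Effect", "Action", "Resource"}, ...]}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM '*' (any run of characters) and '?' (one character) behave like
    # fnmatch's; the ARNs and action names used here contain no '[' ranges.
    return fnmatch.fnmatchcase(value, pattern)


def allowed(policy: Policy, action: str, resource: str) -> bool:
    """Single-policy decision: an explicit Deny on a matching statement wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def session_allowed(identity_policy: Policy, session_policy: Policy,
                    action: str, resource: str) -> bool:
    """Federated-session decision: the request must be allowed by BOTH the
    proxy's IAM user policy and the session policy passed on the call, i.e.
    the intersection. The session policy can only narrow, never widen."""
    return (allowed(identity_policy, action, resource)
            and allowed(session_policy, action, resource))


# Constructed identity policy of the proxy's IAM user: the union of what any
# federated user may do (Alice's and Bob's buckets, one DynamoDB table), plus
# a Deny that no session policy can override.
PROXY_USER_POLICY: Policy = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::alice-bucket/*", "arn:aws:s3:::bob-bucket/*"]},
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:*:*:table/orders"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::*/archive/*"},
]}


def session_policy_for(user: str) -> Policy:
    """Session policy the proxy would pass for this user: only that user's
    bucket. The ssm:* statement shows that a session policy cannot grant
    anything the identity policy lacks."""
    return {"Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{user}-bucket/*"},
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    ]}


if __name__ == "__main__":
    alice = session_policy_for("alice")
    checks = [
        ("s3:GetObject", "arn:aws:s3:::alice-bucket/report.csv"),    # own bucket: allowed
        ("s3:GetObject", "arn:aws:s3:::bob-bucket/report.csv"),      # other user's bucket: session policy blocks
        ("s3:DeleteObject", "arn:aws:s3:::alice-bucket/report.csv"), # identity policy lacks it: blocked
        ("s3:PutObject", "arn:aws:s3:::alice-bucket/archive/x"),     # explicit Deny wins
        ("ssm:StartSession", "*"),                                    # session policy cannot widen
    ]
    for action, resource in checks:
        verdict = session_allowed(PROXY_USER_POLICY, alice, action, resource)
        print(f"{action:18} {resource:45} -> {verdict}")
```

In a real proxy the per-user policy is what goes into the Policy parameter of the STS GetFederationToken call (with boto3, json.dumps(session_policy_for(user)) passed as Policy= alongside Name=user). The consequence for the proxy's own credentials follows directly: because its IAM user carries the union, those long-lived keys are the most valuable secret in the design, which is why the slide insists they be stored securely.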
Operations and security integration
• Security monitoring integration points with CloudTrail and the SIEM aggregator
• Platform and app health to the SIEM aggregator via an agent on the EC2 guest
• CloudWatch Logs provide scalable, low-cost log aggregation
• Access to patching and updates for AMIs from the on-premises update server
Diagram: VPC subnets in two Availability Zones (each with a security group) and a Virtual Gateway, connected to the corporate data center (users, data center router, update servers); CloudTrail, CloudWatch Logs, VPC Flow Logs and AWS Config feed the SIEM aggregator.
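The slide names CloudTrail as the security monitoring integration point with the SIEM but does not show what a detection on that feed looks like. The following is an added example, not code from the deck: two SIEM-style rules run over CloudTrail records, one tied to the federation design earlier in the deck (a GetFederationToken call from any address other than the proxy, which should be the only caller) and one for a security group opened to the whole Internet. The records are constructed to follow CloudTrail's JSON shape with only a subset of its fields; the proxy address 203.0.113.10, the user names and the security group ID are assumptions.

```python
"""Two SIEM-style detections over CloudTrail records.

Added example, not code from the deck. The records are constructed to follow
CloudTrail's JSON shape (a subset of its fields); the proxy address
203.0.113.10, the user names and the security group ID are assumed.
Rule 1: GetFederationToken called from anywhere other than the federation proxy.
Rule 2: a security group ingress rule opened to 0.0.0.0/0 or ::/0.
"""
import json
from typing import Any, Dict, List

FEDERATION_PROXY_IPS = {"203.0.113.10"}   # assumed: where the proxy runs
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail log file, in the {"Records": [...]} layout CloudTrail delivers to S3.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
     "requestParameters": {"name": "alice"}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "federation-proxy"},
     "requestParameters": {"name": "alice"}},
    {"eventTime": "2016-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-03-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.1.0.0/16"}]}}]}}},
]})


def _base(record: Dict[str, Any], rule: str) -> Dict[str, Any]:
    """Fields every alert carries, taken from the record."""
    return {"rule": rule, "time": record.get("eventTime"),
            "user": record.get("userIdentity", {}).get("userName"),
            "sourceIPAddress": record.get("sourceIPAddress")}


def detect(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run both rules over a list of CloudTrail records and return alerts."""
    alerts: List[Dict[str, Any]] = []
    for r in records:
        # Rule 1: only the proxy's known addresses may call GetFederationToken.
        if (r.get("eventSource") == "sts.amazonaws.com"
                and r.get("eventName") == "GetFederationToken"
                and r.get("sourceIPAddress") not in FEDERATION_PROXY_IPS):
            alert = _base(r, "federation-token-from-unexpected-source")
            alert["federated_user"] = r.get("requestParameters", {}).get("name")
            alerts.append(alert)
        # Rule 2: walk the EC2 ipPermissions structure for world-open ranges.
        if r.get("eventName") == "AuthorizeSecurityGroupIngress":
            params = r.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                ranges = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])]
                ranges += [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
                for cidr in ranges:
                    if cidr in WORLD:
                        alert = _base(r, "security-group-open-to-world")
                        alert.update(group=params.get("groupId"), protocol=perm.get("ipProtocol"),
                                     from_port=perm.get("fromPort"), to_port=perm.get("toPort"),
                                     cidr=cidr)
                        alerts.append(alert)
    return alerts


def scan_trail(trail_json: str) -> List[Dict[str, Any]]:
    """Parse one CloudTrail log file and return its alerts."""
    return detect(json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for alert in scan_trail(SAMPLE_TRAIL):
        print(json.dumps(alert))
```

Both rules are cheap to run at the point where CloudTrail files are picked up for the SIEM (or from a CloudWatch Logs subscription); the first is specific to this deck's federation design and is the kind of rule that only exists because the architecture was documented well enough to say who the sole legitimate caller is.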
Operations on AWS
Integrating AWS into your operations
• Amazon CloudWatch provides insight into your AWS services; integrate your own metrics, create and act on alarms
• Amazon SNS allows integration with your alerting systems
• Your current tools still work – install them on an EC2 instance
• Many of your tools already have AWS API integration
• Established processes don’t get thrown away
Common Workloads in Hybrid Infrastructure
In Summary
• Connectivity is key to a successful hybrid integration between the cloud and the corporate data center.
• Authentication and authorization are the cornerstones of enterprise integration.
• Test it – create a VPC, establish a VPN, leverage the free tier.
• Hybrid infrastructure enables a variety of hybrid workload implementations.
Online Labs & Training
Gain confidence and hands-on experience with AWS. Watch free instructional videos and explore self-paced labs.
Instructor-Led Classes
Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors.
AWS Certification
Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification.
More info at http://aws.amazon.com/training
Thank You for Attending AWS Innovate
We hope you found it interesting!
Please provide your feedback for the session and complete the feedback form.
Let us know your thoughts on today’s event and how we can improve the event experience for you in the future.