selecting the best vpc network architecture (cpn208) | aws re:invent 2013
TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Selecting the Best VPC Network Architecture
Eric Schultze, AWS
Roshan Vilat & Phil Schulz, Vodafone Australia
Clay Parker, Trimble Navigation
November 15, 2013
Why we’re here
• Choosing a VPC architecture
• Benefits and Challenges
• Lessons Learned
Before we get started…
Selecting the Best VPC Network Architecture
Vodafone Australia Case Study
Roshan Vilat & Phil Schulz, Vodafone Australia
November 15, 2013
Vodafone Australia
• Presentation:
– Cloud Transformation Roadmap
– Multi VPC Solution
Vodafone Group
– One of the world’s leading telecommunications groups
– Vodafone operates in more than 30 countries across five continents
– 404 million customers globally
– One of the top 10 brands in the world
1. Public Facing Website in the Cloud
– Migration from traditional data center to the Cloud
– Saved one year in time to market
– Saved at least $1,000,000
– AWS Opened a Data Centre in Australia
– Migration from the US to AU
– Re-Architecture into Cloud Orientated Architecture: Auto Scaling; Elastic IPs; Amazon RDS database; AWS CloudFormation; Highly Available File Storage; Self Healing Environments
– Agile Delivery with Cross Functional Teams; Behavior Driven Development; Automated Testing; Continuous Integration; Daytime Deployments
2. Re-architecting for the Cloud
– Greenfield Enabler for Multiple Digital Services
– Supporting Customer Sensitive Data
– Direct Connection into Backend Services
– Suite of Security Tools
– Live Business Intelligence
– New Support Model
3. Business Critical Applications
Project Partners
– Core Team
– InfoSec
– Networks
– Service Management
– Operational Support Services
– Vodafone Group
– My Account App Team
To Multi-VPC or not to Multi-VPC?
Project Key Requirements
1. Secure – protect customer sensitive data
2. Networked – low latency, stable connectivity
3. Automated
4. Supportable
5. Resilient, Scalable, and Available.
VPC Design Evolution
• 100s of VPCs
• Single VPC
• Multi-VPC
100s of VPCs
Pros
• Strong Isolation
Cons
• Sheer number of VPCs
• Management nightmare
• Networking nightmare
• Equivalent of creating a datacenter per application?
Single VPC
Pros
• Simplifies AWS Direct Connect
Cons
• Low isolation – security, billing implications
• No role separation – IAM limitation
• AWS account and VPC limits
• Difficult to contain blast radius!
Multi VPC
Design Benefits
• Multi-account for role separation, cost control and resource limits
• Balance of isolation and management complexity
• AWS Direct Connect provides stable inter-VPC and Vodafone-VPC communication
• AWS Direct Connect provides central network control point
Lessons Learned
• Ensure team has domain experts
• Capture all stakeholder requirements
• Differences between traditional and cloud-based methodologies
• Use multiple constructs to achieve desired isolation – Accounts, VPCs, security groups, etc.
• AWS account and VPC limits
• IAM access control capabilities
Project Outcome
• First cloud-based environment for business critical apps
• Built in 4 months
• MyAccount (Online Self-Service) in production
• Shared security and operational services in production
• Next 4 applications in build stage
Selecting the Best Virtual Private Cloud
Architecture In AWS
Clay Parker, Trimble Navigation
November 15, 2013
Trimble Navigation
• A world leader in transforming how work is done across multiple industries and professions
• Our customers gain significant economic breakthroughs at the same time improving quality, safety, regulatory compliance and reducing environmental impact
• Our technological capabilities span positioning and sensing, global connectivity, 3D design, modeling & measurement, machine and process automation, and powerful data analytics
• 2012 Revenue US $2Billion; 6,500 employees
• Founded in 1978, headquartered in Sunnyvale, California with Offices in 35 countries, partners in 125 countries and customers in 150 – from some of the world’s largest corporations to some of the smallest family firms
Trimble Hosting Services
• We are a Trimble Division
• We exist to help Trimble businesses with external end-user-facing application hosting and 24x7x365 support
• 74 staff in seven locations in five countries
• Production infrastructure in seven data centers
• Development infrastructure in six Trimble offices
• Facilitate hosting in Amazon Web Services (AWS)
• Our ISMS is ISO27001 certified for hosting in THS infrastructure and in AWS
• Staff have specific expertise in:
- Server virtualization
- Cloud hosting
- Storage management
- Operations
- Network engineering
- Information security
- Database management
- Finance
- Program & project management
[Slide map: Global Admin Network, showing THS sites and NOCs in the United Kingdom (Node4 Northampton, Equinix Slough), Ireland, the US (AT&T Ashburn, SunGard, Scottsdale, Milpitas NOC, Equinix Dallas), India (Chennai NOC) and China (21Vianet Beijing, CT Xi’an)]
Current use of Amazon Web Services
• Shared Production Account – Multi-tenant environments in several regions to support multiple customers
– Single production account with one VPC per region
– No tenant write access to the AWS Management Console
– VPN connectivity to private cloud production data centers
– All AWS resources tagged for customer identification
– All AWS resources under change management control
Current use of Amazon Web Services
• Shared Development Account – Multi-tenant environments in several regions to support multiple customers
– Single development account with one VPC per region
– Controlled tenant access to the AWS Management Console
– VPN connectivity to private cloud development data centers
– All AWS resources tagged for customer identification
Current use of Amazon Web Services
• Customer Development Accounts – One per customer
– VPN connectivity to our development data centers only
– Unlimited access to the AWS Management Console (except Amazon VPC)
– Linked to our master account for consolidated billing
Current use of Amazon Web Services
• Billing Only Accounts – One for each customer
– Linked to our master account for consolidated billing
Private / Public / Hybrid Clouds
• Private
– Trimble Private Cloud (TPC)
– THS owns & manages infrastructure
• Public
– Amazon Web Services (AWS)
– AWS owns & manages infrastructure
• Hybrid
– Uses infrastructure in both TPC & AWS
– Take advantage of the best of both worlds
[Slide diagram: Trimble Hosted Applications in a THS data center. Dual ISP links terminate on BGP routers and core switches; a common core network carries shared VMware & SAN infrastructure, a redundant physical database cluster, and redundant physical and/or virtual web & application servers. Common services (monitoring, LAN/SAN management, VMware management) sit on a separate Trimble management network; wireless carrier links and a pipe to the DR data center are shown.]
[Slide diagram: AWS deployment for www.myconnectedassets.com in one AWS Region. Web App Servers on Amazon Linux EC2 instances run in Availability Zones A and B, each inside a security group and a VPC subnet, behind an Elastic Load Balancer with a Route 53 hosted zone; Amazon CloudWatch alarms monitor the instances, and a VPN connection links the VPC to Trimble. Users and mobile clients reach the site over the Internet.]
[Slide diagram: Trimble Integrated Cloud. The THS Common Services Network / Admin Backbone and the Trimble Corporate WAN connect THS sites (SJC3 CA, IAD2 VA, PHX1 AZ, LHR1 UK, LHR2 UK, MAA1 India, PEK1 China, XIY1 China) through AWS Virtual Private Gateways to AWS US-East N. Virginia (IADA) and AWS US-West Oregon (PDXA). Each region holds a THS CSN plus Cust A and Cust B subnets, with separate VPNs to THS Prod, THS Dev and Cust Dev.]
Criteria for using fewer VPCs
• Shared Production & Development Accounts – Single VPC per region
– Modeled after our physical data center environment
– Less confusion for all concerned
– Able to use a single VPN for connectivity
– Less complexity for ITOps support
Advantages of using fewer VPCs
• Reduces complexity of managing internal IP address space
• Single place to manage:
– Subnets
– Security groups
– Routes and VPN configuration
Challenges of using fewer VPCs
• Perceived customer data bleeding
• Complexity of managing access to individual resources
• Complexity of individual tenant billing from a shared account
• Risk of users deleting resources that are not theirs
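The last two challenges, controlling access to individual resources and stopping users from deleting resources that are not theirs in a shared account, are what the customer tag on every resource is for. The IAM policy below is an added example, not part of the talk or of THS's configuration: it assumes a tag key named `Customer` on resources and an identical `Customer` tag on each IAM principal, and denies destructive EC2 actions whenever the two do not match, while also denying changes to the tag itself so a tenant cannot relabel a resource into their own scope.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveActionsOnOtherTenantsResources",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Customer": "${aws:PrincipalTag/Customer}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheCustomerTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "Customer"
        }
      }
    }
  ]
}
```

Because `StringNotEquals` evaluates to true when the resource carries no `Customer` tag at all, an untagged resource is also protected, which matches the "all AWS resources tagged" rule above; the policy only restricts, so tenants still need a separate Allow policy for the actions they are meant to perform.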
Please give us your feedback on this presentation
As a thank you, we will select prize winners daily for completed surveys!
CPN208