©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Hybrid Infrastructure Integration Koen vd Biggelaar – AWS Principal Solutions Architect

Miha Kralj – AWS Principal Solutions Architect

Amarpal S. Attwal - JustEat.com Technical Lead

Our journey today

VPC VPN Backup  &  archive

Storage  expansion

AWS  Direct  Connect

AuthenKcaKon FederaKon OperaKons  Tools  and    Monitoring

Start

What  is  Hybrid  

IntegraKon? Integrated

Infrastructure Integrated Services

Integrated PlaTorm

Integrated SoluKon

CI/CD Managed  AWS  Services

MigraKon Roadmap

“Consumption of Cloud Services and On-Premises IT into a combined pool of resources.”

Defining Hybrid Integration

On-premises

IT Services

Platform

Solutions

Cloud Services

Infrastructure

Benefits: •  Cost Efficiencies

•  Scalability

•  Flexibility

•  Security

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Integrated Infrastructure

AWS Virtual Private Network (IPSec VPN)

o  IPSec hardware VPN connection Supported VPN appliances: https://aws.amazon.com/vpc/faqs/#C9

o  Encryption and Validation

o  Private RFC 1918 Addressing

o  Uses Border Gateway Protocol (BGP) for routing and fail-over

o  VPN Service provides managed redundant end-points

http://docs.aws.amazon.com/AmazonVPC/latest/

UserGuide/VPC_VPN.html

Virtual  Gateway

Corporate   data  center

Users

Data  center  router

Servers

Internet

IPSec  VPN

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

AWS Direct Connect

o  Requires Layer 2 single mode fiber 1000BASE-LX or 10GBASE-LR

o  Requires 802.1Q VLANs across connection.

Ø  Tagging of IP traffic

o  Routing uses BGP A/A or A/P

multipath.

o  Each DX is mapped to a single AWS

Region

o  Various Partners for every Region http://aws.amazon.com/directconnect/

Virtual  Gateway

Corporate   data  center

Users

Data  center  router

Servers

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

AWS Direct Connect + AWS VPN

o  Dedicated network path with assured bandwidth

o  More secure than Internet-based IPSec

VPN – avoids internet traverse

o  Reduced IPSec network transfer costs

o  Additional Network Security

http://aws.amazon.com/directconnect/

Virtual  Gateway

Corporate   data  center

Users

Data  center  router

Servers

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

IPSec  VPN

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Integrated Services

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Active Directory and LDAP

o  Reduced back-reach Traffic

o  Reduced Latency for Authentication

o  Additional Resiliency

o  Enablement of both: Ø  Multi-Master Read/Write Domain

Controllers Ø  Read-only Domain Controllers (RODCs)

²  Requires IPSec VPN or Direct Connect connectivity

http://aws.amazon.com/microsoft/whitepapers/ad-reference-architecture/

Virtual  

Gateway

Corporate   data  center

Users

Data  center  router

Servers

VPC  Subnet

Availability  Zone

Security  Groups

VPC  Subnet

Availability  Zone

Security  Groups

Type Port  Number

TCP 54,  88,  135,  137,  139,  389,  445,  464,  636,  3268,  3269,  5722,  49152-­‐65535

UDP 53,67,123,  138,  389,  445,  464,  2535,  5355,  49152-­‐65535

AD.Domain

Domain  controller

Domain  controller

Domain  controller

AcKve  Directory   ReplicaKon

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

AWS Directory Service

o  Deploys in two modes Ø  Directory Service Connect

Ø  Simple AD - built on Samba 4 Active

Directory compatible server

o  Simplifies IAM Federation

Ø  Avoids complexity and cost of hosting

SAML-based federation infrastructure

Ø  Acts as a proxy - no data is stored on

AWS infrastructure

Ø  Supports existing RADIUS-based MFA

²  Requires IPSec VPN or Direct Connect connectivity

http://aws.amazon.com/directoryservice/

Virtual  Gateway

data  center

Users

Data  center  router

Servers

VPC  Subnet

Availability  Zone

Security  Groups

VPC  Subnet

Availability  Zone

Security  Groups

AD.Domain

Domain  controller

AD  Connector

AD  Connector

AD  Connector

Customer   router

AWS Federation/Account Governance

Financial  users,  controllers SOC/Auditors Global  AWS  admin

Billing  account

Socware  development

Non-­‐prod  account  #1

ProducKon  account  #1

User  management account

Security  /  Audit account

Non-­‐prod  account.  #2

App  owners DevOps  teams

Security/audit ProducKon Dev/test/sandbox Financial

Consolidated  Billing,  Billing  Alerts

Read-­‐only  access  for  all  accounts

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Operations Tools and Monitoring

o  Security Monitoring integration points with with CloudTrail and

SIEM Aggregator.

o  Logging with CloudTrail and SNMP

MIBs to SIEM Aggregator.

o  Platform and App Health to SIEM

Aggregator via agent on EC2 guest.

o  Access to Patching and Updates for

AMI by on premises Update Server.

Virtual  Gateway

data  center

Users

Data  center  router

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

Update Servers

SIEM Aggregator

CloudTrail

CloudWatch

CloudTrail  S3  Bucket

Customer   router

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Integrated Platform

Application Deployment Management

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Java App Stack Inventory of AMIs

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Java AMI Amazon EC2

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Apache

Tomcat

Struts

Your Code

Log4J

Spring

Hibernate

JEE

Linux

Golden AMI + Fetch binaries on boot

Apache

Tomcat

Hibernate

JEE

Linux

Java AMI

Amazon EC2

Struts

Spring

Log4J

Your Code Fetch on boot

Fetch on boot From S3

Apache

Tomcat

Hibernate

JEE

Linux

Apache

Tomcat

Hibernate

JEE

Linux

Apache

Tomcat

Hibernate

JEE

Linux

JeOS AMI and Library of recipes (install scripts)

JeOS AMI Amazon EC2

JEE

Linux

CHEF

Struts

Spring

Log4J

Apache Tomcat

Your Code Fetch on boot

CHEF recipes

JEE Linux

CHEF

JEE Linux

CHEF

JEE Linux

CHEF

JEE Linux

CHEF

AWS  Elas)c  Beanstalk  

Automated  resource  management  –  web  apps  made  easy  

AWS  OpsWorks  

DevOps  framework  for  applica;on  lifecycle  management  and  

automa;on  

DIY  /    On  Demand  DIY,  on  demand  

resources:  EC2,  S3,  custom  AMI’s,  etc.  

Convenience Control

AWS  CloudForma)on  

Templates  to  deploy  &  update  infrastructure  as  

code  

Deployment and Management

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Continuous Integration and Deployment

o  Automates application deployments for both On-Premise and AWS EC2

instances with use of CodeDeploy

o  Reuse existing scripts and tools

Ø  Bash, PowerShell, Chef,

Puppet, anything…

o  Integrate with developer tool chain

Ø  GitHub, Jenkins, CloudBees,

TravisCI, Eclipse…

Virtual  

Gateway

data  center

Users

Data  center  router

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

AWS  CodeDeploy Servers

AWS  CloudFormaKon

S3 bucket

Agent Agent Agent

Agent Agent Agent

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Managed AWS Services

o Managed Services Advantages

Ø  Flexibility and Agility

Ø Scalability

Ø Security

Ø Automated Maintenance & Upgrade

Virtual  Gateway

data  center

Users

Data  center  router VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

Servers

S3 bucket

MySQL MySQL

Apache Kaga

Amazon  Redshic Amazon  EMR

Amazon  Redshic Amazon  EMR

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Integrated Solutions

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Storage expansion

o  Virtual volumes presented to local network iSCSI, NFS and CIFS volumes

o  Local disk cache to provide fast on-premises access

o  Gateway side encryption for security

Virtual  Gateway

Corporate   data  center

Users

Data  center  router

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

Amazon  S3

AWS  Storage   Gateway

iSCSI

Storage  Appliance

AWS  Storage   Gateway

iSCSI

Servers

AWS  Storage   Gateway

Cloud  ONTAP  Secure  Cloud-­‐Integrated  Backup  

Panzura  Global  NAS

TwinStrata  CloudArray

AWS Marketplace Partners

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers

Backup and archiving

o  Backup gateways integrated with Amazon S3 o  Leverage Amazon S3 archival

to Amazon Glacier o  Take advantage of current

investments and solutions for options o  De-duplication o  Compression o  WAN Acceleration

Virtual  Gateway

data  center

Users

Data  center  router

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

Amazon  S3

Amazon  Glacier VTL

AWS  Storage   Gateway

iSCSI

Backup  System

VTL

AWS  Storage   Gateway

iSCSI

Servers

VTL

AWS  Storage   Gateway

Symantec  Net  Backup

Veeam  Backup  &  ReplicaKon

Cloud  ONTAP  Secure  Cloud-­‐Integrated  Backup  

AWS Marketplace Partners

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

The Integrated Journey Roadmap

Sample Migration Roadmap

Program Planning

Cloud Business

Case

Define Security

Requirements

Define Network

Environment

Organizational Structure

Operational Integration

Security Operations Playbook

Cloud Environment Optimization

Application Portfolio

Assessment

Cost and Billing

Analysis

Training & Readiness

Define Cloud Environments

Define EA Policies and

Practices

Continuous Integration &

Delivery

Data Migration

Application Migration Factory

Cloud Readiness

Assessment

Cloud Adoption Framework

The AWS CAF organizes and describes the perspectives in planning, creating, managing, and supporting a modern IT service. Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments. It provides a structure where business and IT can work together towards common strategy and vision, supported by modern IT automation and process optimization. http://bit.ly/AWSCAF

People Perspective

Process Perspective

Security Perspective

Maturity Perspective

Operations Perspective

Business Perspective

Platform Perspective

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Hybrid Infrastructure Integration Amarpal Singh Attwal (MCM:DS) Technical Lead, ICT Engineering

JUST EAT plc (incorporated in the UK) is proud to be the world’s leading online takeaway ordering service. We allow hungry local consumers to order in real-time from their local independent takeaway restaurants via a single online portal.

•  Tech team is ~150 people, 3 sites. •  Windows+.NET platform, cloud native in AWS. •  Very predictable load, ~1200 orders/min peak in UK •  Recruiting!

JUST EAT

Our Journey and Challenges

Hybrid  plaTorm

TradiKonal  plaTorm  and  infrastructure

Change  our  approach

Architect  and  build

Decommission  legacy

Enterprise  plaTorm  v2.0

On  premise

•  Physical  servers •  Hypervisors •  ConnecKvity   •  SANs •  Backup  and  Tape •  Etc…

•  Flexible •  AutomaKon •  Time  to  deploy •  Centralise •  OpKmise  costs •  Fail  fast!

•  ConnecKvity •  Security •  Not  lic  and  shic •  Decoupling •  Data  is  core •  Disposable  

Infrastructure

•  Throw  it  away!

Connectivity and traffic flow

Customer   router

AWS  Direct  Connect LocaKon

AWS  Direct  Connect  routers Virtual  Gateway

Corporate   data  center

Users

Data  center  router

Server

VPC  Subnet

Availability  Zone

Security  Group

VPC  Subnet

Availability  Zone

Security  Group

IPSec  VPN

Example – Active Directory

AWS  CloudFormaKon

Unajend  DCPromo

Build  vanilla  server *Add  in  security  group  for  DC  Ports

Domain  Prep

Manual  –  run  unajend  file

DC  Dies

Domain  Cleanup

Repeat

Example – Critical Application

Start

S3 bucket AWS  CloudFormaKon

S3 bucket AWS  CloudFormaKon

Script  Library

Design  –  How  to  build

Push  data  –  ref  CF

Build  and  store  build  config

Use  build  config  to  rebuild  in  failure

Outcomes

•  Core data stored securely and reliably

•  Centralised connectivity

•  Disposable infrastructure

•  Built-in flexibility (Elasticity)

•  Consistent and automated builds

•  Library of reusable scripts

•  Cross charging of services to business units

•  Continuous BC & DR

•  Less time maintaining – More time INNOVATING

JustEat - Lessons learnt

•  Planning is everything

•  Be prepared for a steep learning curve

•  Give yourself plenty of time

•  Simplicity is key

AWS Marketplace software

•  Launch software on AWS with 1-click

•  Pay-by-the-hour, monthly, or annual

•  Single invoice for AWS usage & software

Takeaways

•  Connectivity is a key to a successful hybrid integration between cloud and

corporate data center

•  Authentication and Authorization is the corner stone of Enterprise Integration

•  Hybrid infrastructure enables a variety of hybrid workload implementations

•  Application migration is just a piece of large-scale Cloud Adoption

–  The Cloud Adoption Framework whitepaper: http://bit.ly/AWSCAF

LONDON