©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Cloud Migration, Application Modernization,
and Security for Partners
Tom Laszewski, Sr. Manager, GSI Solutions Architecture
Matt Yanchyshyn, Sr. Manager, ISV Solutions Architecture
AWS Migration Methodology
Migration challenges
• People, process, technology
• Migration experience
• Knowledge & training
• Not primary business activity
• Fear
• Attempting too much at once
Phases: Plan (Discover, Design); Build (Transform, Transition); Run (Operate, Optimize)

Discover
• Assessment & profiling
• Prioritization
• Data requirements & classification
• Business logic & infrastructure dependencies

Design
• Detailed migration plan
• Estimate effort
• Security & risk assessment
• Network topology

Transform
• Migrate
• Deploy
• Validate
• Pilot testing

Transition
• Transition to support
• Release management
• Cutover & decommission
• Staff training

Operate
• Monitoring
• Incident management
• Provisioning

Optimize
• Monitoring-driven optimization
• Continuous integration and continuous deployment

App migration assessment: re-hosting (lift and shift)
App portfolio optimization: re-platforming (lift and reshape)
Migration methodology
Planning your migration
Migrating to the cloud can take one of many paths:

1. Discover and assess (enterprise architecture and applications)
2. Create cloud strategy
3. Plan migration and sequencing
4. Determine the migration path for each application:
   • Lift and shift (minimal change): design and build the AWS environment; move the application and infrastructure; determine the migration process (manually move app and data, third-party tools, AWS VM Import)
   • Refactor for AWS: rebuild the application architecture, or use a vendor SaaS/PaaS offering (if available); determine the migration process (third-party migration tool, manually move app and data)
   • Replatform (typically legacy applications): recode app components, rearchitect the application, or recode the application; architect the AWS environment, deploy the app, migrate data
   • Decommission
   • Do not move
5. Migration and UAT testing; signoff, tuning, cutover
6. Operate

In parallel: org/ops impact analysis, identify ops changes, change management plan, end-state architecture
Architecting your AWS environment
Design and architecture of the cloud environment is important to realize cloud benefits such as agility and cost savings.

Networking
• Convergence of on-premises and cloud
• Cloud-oriented protocols
• IP scheme and addressing
• VPC and account configuration

Security
• SSO
• Access policies
• Least privilege
• Audits
• Compliance
• Intrusion detection & prevention
• Logging

Governance
• Billing & cost management
• Service catalogs
• Configuration management
• Architecture standards
• SLA/SLO
• Procurement

Data management
• RPO/RTO
• Retention policies
• Replication
• Storage optimization
• ILM
• Data quality

Monitoring
• Notifications & alerting
• Application-level awareness
• Thresholds
• Service desk integration
On-premises infrastructure mapped to AWS

Technology | On-premises | AWS
Network | VPN, MPLS | Amazon VPC, AWS Direct Connect
Storage | DAS, SAN, NAS, SSD | Amazon Elastic Block Store, Amazon S3, Amazon EC2 instance storage, distributed & clustered file systems on Amazon EC2
Compute | Hardware, virtualization | Amazon EC2, Amazon ECS, AWS Lambda
Content delivery | Third-party CDN | Amazon CloudFront
Databases | MS SQL Server, MySQL, Oracle, DB2, PostgreSQL, MongoDB, ... | Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, DB software on Amazon EC2
Load balancing | Hardware and software load balancers | Elastic Load Balancing, software load balancers
Scaling & cluster management | Hardware and software clustering tools | Auto Scaling, software clustering solutions
DNS | BIND, Windows Server, third party | Amazon Route 53, third-party DNS software on EC2
Analytics & data warehouse | Hadoop, Vertica, Cassandra, specialized hardware and software | Amazon EMR, Amazon Redshift, software on Amazon EC2
Messaging and workflow | RabbitMQ, ActiveMQ, Kafka, ... | Amazon SQS, Amazon SNS, Amazon SWF, software on EC2
Caching | Redis, Memcached, ... | Amazon ElastiCache, Memcached, SAP HANA
Archiving | Tape library, off-site data storage | Amazon S3, Amazon Glacier
Email | Email software | Amazon SES
Identity, authorization, & authentication | AD/ADFS, LDAP, SAML, third party, ... | AWS Identity and Access Management/AWS STS, Amazon Cognito, AWS Directory Service, AD & LDAP on Amazon EC2
Deployment & configuration management | Chef, Puppet, Salt, Ansible, PowerShell DSC | AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodeDeploy, Amazon ECS
Management and monitoring | CA, BMC, RightScale | Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS Trusted Advisor
Security Comes First!
AWS is responsible for the security of the cloud:
• AWS foundation services: compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations

Customers configure their security in the cloud:
• Customer applications & content
• Platform, applications, identity & access management
• Operating system, network, & firewall configuration
• Client-side data encryption; server-side data encryption; network traffic protection
AWS security offerings
• Auditability: compliance reports
• Visibility: Amazon CloudWatch, AWS CloudTrail, AWS Config, "Describe" APIs
• Control: IAM, AWS CloudHSM, AWS CloudFormation, AWS KMS
Defense-in-depth
• Physical: AWS compliance program, third-party attestations
• Network: security groups, VPC configuration, web application firewalls, bastion hosts, encryption in transit
• System security: hardened AMIs, OS and app patch management, IAM roles for EC2, IAM credentials
• Data security: logical access controls, user authentication, encryption at rest
Encryption: data at rest
• EBS volume encryption: EBS encryption, OS tools, AWS Marketplace/partner products
• Object encryption: S3 server-side encryption (SSE), S3 SSE with customer-provided keys, client-side encryption
• Database encryption: Amazon Redshift encryption; RDS PostgreSQL and RDS MySQL (KMS); RDS Oracle (TDE/HSM); RDS SQL Server (TDE)
Built-in firewall: security groups and NACLs
• VPC security groups (mandatory): instance level, stateful
– Support ALLOW rules only; anything not explicitly allowed is dropped
– A new group denies all inbound and allows all outbound
– Stateful: replies to allowed traffic are permitted automatically, no outbound rule needed
– Use as a "whitelist": least privilege
• VPC NACLs (optional): subnet level, stateless
– Support ALLOW and DENY rules, evaluated in rule-number order; the first match wins
– The default NACL allows all traffic; a newly created custom NACL denies all until rules are added
– Stateless: return traffic (client ephemeral ports, typically 1024-65535) needs its own rule or replies are dropped
– Use as a "blacklist"/guardrails (e.g., deny ports 135, 21, 23, ...)
• Separation of duties
• Changes audited via AWS CloudTrail
• Additional cost for SGs/NACLs: $0
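The stateful/stateless distinction above is where real outages come from, so here is a runnable model of the two evaluation rules. This is an added illustration written for this page, not AWS code or an SDK call; the addresses (203.0.113.10 as a client, 10.0.1.20 as an instance), ports and rule sets are constructed for the demonstration.

```python
"""Simplified model of how a VPC security group (stateful, ALLOW-only) and a
network ACL (stateless, numbered ALLOW/DENY) evaluate traffic.

Added example, not AWS code: it reproduces the evaluation rules the slide
lists so the difference between the two filters can be exercised.
Addresses, ports and rules are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int   # destination port; both filters match on this


@dataclass
class SecurityGroup:
    """Instance-level filter: ALLOW rules only, implicit deny, stateful."""
    inbound: list                       # (proto, port_lo, port_hi, source_cidr)
    flows: set = field(default_factory=set)

    def inbound_allowed(self, pkt: Packet) -> bool:
        for proto, lo, hi, cidr in self.inbound:
            if (pkt.proto == proto and lo <= pkt.dport <= hi
                    and ip_address(pkt.src) in ip_network(cidr)):
                # Connection tracking: remember the flow so its reply passes.
                self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
                return True
        return False                    # no ALLOW matched -> dropped

    def reply_allowed(self, reply: Packet, original_dport: int) -> bool:
        """Replies are matched against tracked state, not against rules."""
        return (reply.proto, reply.dst, reply.src, original_dport) in self.flows


@dataclass
class NetworkAcl:
    """Subnet-level filter: rules evaluated lowest number first, first match
    wins, implicit deny (the '*' rule) when nothing matches."""
    rules: list   # (rule_no, "allow"|"deny", proto, port_lo, port_hi, cidr)

    def evaluate(self, pkt: Packet, remote_ip: str) -> bool:
        for _, action, proto, lo, hi, cidr in sorted(self.rules):
            if (proto in ("all", pkt.proto) and lo <= pkt.dport <= hi
                    and ip_address(remote_ip) in ip_network(cidr)):
                return action == "allow"
        return False


def tcp_exchange(sg, nacl_in, nacl_out, client, server, port, ephemeral):
    """Push one request and its reply through NACL (subnet edge) and SG
    (instance). Returns each hop's verdict so a failure is attributable."""
    request = Packet("tcp", client, server, port)
    reply = Packet("tcp", server, client, ephemeral)  # the NACL judges this on its own
    verdict = {
        "nacl_in": nacl_in.evaluate(request, remote_ip=client),
        "sg_in": sg.inbound_allowed(request),
    }
    verdict["sg_out"] = sg.reply_allowed(reply, port)
    verdict["nacl_out"] = nacl_out.evaluate(reply, remote_ip=client)
    verdict["ok"] = all(verdict.values())
    return verdict


def web_sg():
    """Constructed SG: HTTPS open to the world, plus telnet left open by mistake."""
    return SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0"),
                                  ("tcp", 23, 23, "0.0.0.0/0")])


# Constructed NACLs. Inbound: a guardrail denying telnet ahead of the allow.
NACL_IN = NetworkAcl([(10, "deny", "tcp", 23, 23, "0.0.0.0/0"),
                      (100, "allow", "tcp", 443, 443, "0.0.0.0/0")])
# Outbound without an ephemeral-port rule: replies to clients are dropped.
NACL_OUT_BROKEN = NetworkAcl([(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])
NACL_OUT_FIXED = NetworkAcl([(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                             (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])

if __name__ == "__main__":
    for label, out in (("broken", NACL_OUT_BROKEN), ("fixed", NACL_OUT_FIXED)):
        print(label, tcp_exchange(web_sg(), NACL_IN, out, "203.0.113.10", "10.0.1.20", 443, 50123))
    print("telnet", tcp_exchange(web_sg(), NACL_IN, NACL_OUT_FIXED, "203.0.113.10", "10.0.1.20", 23, 50124))
```

Two things fall out of running it: with the "broken" outbound NACL the handshake passes every hop except `nacl_out`, which is exactly the symptom of a forgotten ephemeral-port rule, and the telnet attempt is stopped at `nacl_in` even though the security group would have let it through, which is the guardrail role the slide assigns to NACLs. The model keeps the real ordering (NACL before SG on the way in, SG before NACL on the way out); ARN-level details such as prefix lists and ICMP are left out.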
Diagram (Security Groups): security groups are enforced in the hypervisor's firewall layer, between the physical interfaces and each instance's virtual interfaces; traffic for Customer 1, Customer 2, ..., Customer n is filtered by that customer's own security groups.
AWS partner solutions extend & enhance security
• Some examples:
– Cisco CSR (VPN)
– Sophos UTM (firewall, ...)
– Alert Logic Web Security Manager (WAF)
– Alert Logic Threat Manager (NIDS)
– Trend Micro Deep Security (IDPS)
– Trend Micro SecureCloud (encryption)
– Dome9 SecOps (security group audit & management)
– ...
Migration Approach & Best Practices
Identifying applications to move
• Standalone applications are easy to move
• Applications with loosely coupled, SOA-based integrations are good candidates
• Tightly integrated applications need more planning

"Low-hanging fruit": dev/test applications, self-contained web applications (LAMP stack), social media product marketing campaigns, training environments, pre-sales demo portals, software downloads, trial applications

Watch out for: 32-bit, non-Linux/Windows, multicast (Oracle RAC), client/server applications, engineered systems (Exadata, Netezza), massive file servers, vertically challenged software/applications
Getting a bread box estimate: minimum information
• Compute: number of servers/VMs including RAM, CPU, OS, and boot drive size (Amazon EC2)
• Storage mapped to transactional, backup, archival, and log/file system/application use (Amazon EBS, Amazon Glacier, and Amazon S3)
• Data transfer out for networking
• Internet or dedicated networking, including security requirements (AWS Direct Connect and VPN)
• Region where processing is happening

Getting a bread box estimate: nice to have
• HA requirements for each workload (ELB, Route 53)
• Scalability requirements for each workload (ELB, Route 53, Auto Scaling, CloudFront)
• DR requirements for each workload
• Storage IOPS requirements for each workload
• Compute requirements for management/monitoring
• Backup requirements for each workload that cannot be met by EBS snapshots

Getting a bread box estimate: really nice to have
• Workload stratification: file servers, security, RDBMS, ERP, big data, management/monitoring, etc.
• HIPAA and PCI requirements for each workload
• HPC requirements for each workload
• Extremely high CPU or memory requirements
• Top third-party vendors for packaged apps
• IDS/IPS, WAF, management, monitoring, logging, etc.
Invest in proof of concept early
• A proof of concept answers many questions and gets your feet wet with AWS quickly
• Helps identify gaps and touch points
• Gives you a good estimate of the migration costs
• Gives you a good estimate of the AWS runtime costs
Migrating data into the AWS cloud
• File transfer to Amazon S3 or EC2 using SFTP/FTP, SCP, UDP-based transfer tools, Attunity
• NFS mount accessible from on premises and AWS
• Configure an on-premises backup application (e.g., NetBackup, CA, CommVault, Riverbed) to use Amazon S3
• AWS Storage Gateway for asynchronous backup to Amazon S3
• AWS Import/Export service: ship your disks to AWS
• Database backup tools like Oracle Secure Backup
• Database replication tools like GoldenGate, Dbvisit
• AWS Direct Connect, 100 Mbps to 10 Gbps

Chart (Migrating data into AWS): transfer method plotted by data size (GBs to TBs, relative to Internet bandwidth and latency) against the data velocity required (days to hours). Options shown: transfer to S3 over the Internet; UDP transfer software (e.g., Aspera, Tsunami, ...); Attunity CloudBeam; AWS Storage Gateway, Riverbed, NFS; AWS Import/Export; one-time upload with constant delta updates.
Security Best Practices
Enforce consistent security on your hosts
• Launch the instance from the EC2 AMI catalog, then configure the running instance
• Configure and harden EC2 instances based on security and compliance needs: operating system hardening, audit and logging, vulnerability management, malware protection and HIPS, whitelisting and integrity monitoring, user administration
• Host-based protection software
• Restrict access where possible
• Connect to existing services

Separate static assets and move servers away from the edge
• Inbound HTTP is terminated at CloudFront; static assets are served from Amazon S3
• Dynamic requests pass through a WAF before reaching the application servers (shown connected via peering)
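"Configure and harden" only sticks if the configured state is checked afterwards, so here is an added example of the kind of baseline check an AMI build or an instance bootstrap can run: an sshd_config audit against a small baseline, plus a file-integrity check against a golden manifest (the "whitelisting and integrity" item above). This is illustration code written for this page, not AWS code or any vendor's product; the baseline values, the sample sshd_config contents and the manifest are constructed here, and sshd `Match` blocks are ignored as a simplification.

```python
"""Added example of a host baseline check run after hardening.
Not AWS code or a vendor product: baseline, sample sshd_config texts and
the golden manifest are constructed here; sshd Match blocks are ignored.
"""
import hashlib
import re

# Assumed baseline: sshd directive (lower-case) -> acceptable values.
SSHD_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
}
# Directives whose absence falls back to an insecure compiled-in default,
# so a missing directive is itself a finding.
SSHD_REQUIRED = {"permitrootlogin", "passwordauthentication"}


def parse_sshd_config(text):
    """Return {directive: value}. sshd honours the first occurrence of a
    directive, so later duplicates are ignored; comments are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key Value" or "Key=Value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text):
    """Compare an sshd_config against the baseline.
    Returns [(directive, found_value, acceptable_values)] per deviation."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, acceptable in SSHD_BASELINE.items():
        found = settings.get(directive)
        if found is None:
            if directive in SSHD_REQUIRED:
                findings.append((directive, "<unset>", sorted(acceptable)))
        elif found.lower() not in acceptable:
            findings.append((directive, found, sorted(acceptable)))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest, current_files):
    """Integrity check. manifest: {path: sha256 hex of approved content};
    current_files: {path: bytes read from the host}. Returns the paths whose
    content no longer matches or that are missing."""
    return [path for path, expected in manifest.items()
            if current_files.get(path) is None
            or sha256_hex(current_files[path]) != expected]


# Constructed samples.
SSHD_WEAK = """\
# constructed sample: distribution defaults left in place
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""
SSHD_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""
GOLDEN = {"/etc/ssh/sshd_config": SSHD_HARDENED.encode()}
MANIFEST = {path: sha256_hex(content) for path, content in GOLDEN.items()}

if __name__ == "__main__":
    for finding in audit_sshd(SSHD_WEAK):
        print("sshd deviation:", finding)
    drifted = verify_manifest(MANIFEST, {"/etc/ssh/sshd_config": SSHD_WEAK.encode()})
    print("drifted files:", drifted)
```

The audit treats a commented-out `PasswordAuthentication` as a finding rather than as "not configured", because the compiled-in default is `yes`; a baseline that only looks for bad values misses that case. In practice the manifest would be generated from the hardened golden image and the check run on every launched instance, with findings shipped to the central logging the slide calls for.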
Identity and Access Management
Create appropriate principals, authorization, and privileges for AWS resources.
• AWS Identity and Access Management: policies, users, groups, roles
• Multi-factor authentication: hardware or virtual MFA devices for users
• Principle of least privilege
• Use IAM for AWS administrative users instead of the root account
Note: Always associate the account owner ID (root) with an MFA device and store it in a secured place!
AWS IAM hierarchy of privileges

AWS account owner (root)
• Permissions: unrestricted access to all enabled services and resources
• Example: Action: "*", Effect: Allow, Resource: "*" (implicit)

AWS IAM user
• Permissions: access restricted by group and user policies
• Example: Action: ["s3:*", "sts:Get*"], Effect: Allow, Resource: "*"

Temporary security credentials
• Permissions: access restricted by the generating identity and further by the policies used to generate the token
• Example: Action: ["s3:Get*"], Effect: Allow, Resource: "arn:aws:s3:::mybucket/*"

Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, policies, and temporary credentials.
Principle of least privilege with IAM
• Log in to an account as a less-privileged user: read-only, EC2 launch-only
• Switch to a role for privileged actions: administer IAM, terminate instances, delete snapshots
• Protection against accidents or mistakes (similar in spirit to DisableApiTermination=true)
Consolidate your IAM users
• Put all IAM users and groups in one account
• All other accounts use AWS IAM roles
Best practices:
• Tie into the consolidated billing hierarchy
• Users in the IAM account are only authorized to assume roles in other accounts
• No AWS-billable resources in this account
Governance through IAM policies...

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:region:account:network-interface/*"],
      "Condition": {
        "ArnNotEquals": {"ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-12345678",
        "arn:aws:ec2:region:account:subnet/subnet-12345678",
        "arn:aws:ec2:region:account:security-group/sg-12345678"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/BillingCode": "4000",
          "ec2:ResourceTag/Environment": "Prod"
        }
      }
    }
  ]
}
```

• Deny RunInstances without the appropriate subnet: the Deny on the network interface fires whenever ec2:Subnet is anything other than the approved subnet, and an explicit Deny overrides any Allow
• Require RunInstances to use a specific AMI, subnet, security group, ...
• Require RunInstances to reference resources with specific tags: ec2:ResourceTag matches tags already present on the referenced AMI, subnet and security group; tags requested for the new instance itself are matched with aws:RequestTag instead
• The two tag conditions must sit in one StringEquals block; JSON objects cannot repeat a key. A real RunInstances call also references instance, volume and (when applicable) network-interface ARNs, each of which needs its own Allow, so the slide's policy is abbreviated
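The "hierarchy of privileges" slide and the governance policy above both rest on the same evaluation rules: an explicit Deny beats any Allow, anything not allowed is implicitly denied, and temporary credentials cannot exceed the identity that issued them. The following is an added example written for this page, not AWS code, that models just enough of that logic to run the slides' own policies: wildcard matching in Action and Resource, StringEquals and ArnNotEquals conditions (ArnNotEquals is simplified to an exact comparison, without ARN wildcards), and session-policy intersection. The ARNs are the slides' placeholders; the request contexts and the `subnet-other` ARN are constructed samples.

```python
"""Minimal IAM policy evaluator, added to illustrate the credential hierarchy
and governance slides. Not AWS code; models only: explicit Deny beats Allow,
everything else is an implicit deny, '*' wildcards in Action/Resource,
StringEquals / ArnNotEquals conditions (exact comparison, a simplification),
and session policies that can only narrow the generating identity's rights.
ARNs are the slides' placeholders; request contexts are constructed samples.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator and every key must hold (AND semantics)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "ArnNotEquals":
                if actual is not None and actual in expected:   # missing key counts as "not equal"
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_matches(statement, action, resource, context):
    actions = [a.lower() for a in _as_list(statement["Action"])]   # action names are case-insensitive
    if not any(fnmatchcase(action.lower(), pattern) for pattern in actions):
        return False
    if not any(fnmatchcase(resource, pattern) for pattern in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Decision for one action on one resource ARN: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for statement in _as_list(policy["Statement"]):
        if _statement_matches(statement, action, resource, context or {}):
            if statement["Effect"] == "Deny":
                return "Deny"                 # an explicit Deny ends the evaluation
            decision = "Allow"
    return decision


def authorized(policy, action, resources, context=None):
    """An API call succeeds only if every resource ARN it references is allowed."""
    return all(evaluate(policy, action, r, context) == "Allow" for r in _as_list(resources))


def temp_creds_authorized(identity_policy, session_policy, action, resources, context=None):
    """Temporary credentials: the effective permission is the intersection of the
    generating identity's policy and the policy passed when the token was issued."""
    return (authorized(identity_policy, action, resources, context)
            and authorized(session_policy, action, resources, context))


# 'AWS IAM hierarchy of privileges', rebuilt as policy documents.
ROOT = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_USER = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "sts:Get*"], "Resource": "*"}]}
SESSION = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*"],
                          "Resource": "arn:aws:s3:::mybucket/*"}]}

# 'Governance through IAM policies', same statements as the slide.
SUBNET = "arn:aws:ec2:region:account:subnet/subnet-12345678"
IMAGE = "arn:aws:ec2:region::image/ami-12345678"
SG = "arn:aws:ec2:region:account:security-group/sg-12345678"
ENI = "arn:aws:ec2:region:account:network-interface/*"
GOVERNANCE = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": ENI,
     "Condition": {"ArnNotEquals": {"ec2:Subnet": SUBNET}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [IMAGE, SUBNET, SG],
     "Condition": {"StringEquals": {"ec2:ResourceTag/BillingCode": "4000",
                                    "ec2:ResourceTag/Environment": "Prod"}}},
]}
# Constructed request context: tags on the referenced resources plus the target subnet.
PROD_LAUNCH = {"ec2:Subnet": SUBNET, "ec2:ResourceTag/BillingCode": "4000",
               "ec2:ResourceTag/Environment": "Prod"}

if __name__ == "__main__":
    print(temp_creds_authorized(IAM_USER, SESSION, "s3:GetObject", "arn:aws:s3:::mybucket/report.csv"))
    print(authorized(GOVERNANCE, "ec2:RunInstances", [IMAGE, SUBNET, SG], PROD_LAUNCH))
    print(evaluate(GOVERNANCE, "ec2:RunInstances", ENI,
                   {"ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-other"}))
```

Running it shows the three properties the slides assert: the session policy lets the temporary credentials read `mybucket` but not write it, and passing a permissive session policy to a restricted identity gains nothing; a launch that references a network interface in any subnet other than the approved one is stopped by the Deny regardless of what else the user may do; and changing one tag value on a referenced resource turns the Allow into an implicit deny. The real service additionally consults resource policies, permission boundaries and SCPs, which this model omits.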
Implementing "smart" AWS policies
• The 5 Ws of auditability: who, what, where, when (controlled by AWS IAM); why (not controlled by IAM)
• What we really want is an "if and only if" statement: you can deploy this change in production if and only if it actually worked in test
Federate with AWS Directory Service & IAM
Diagram: directory users belong to directory groups (IAM_Admins, Read_Only, EC2_Admin, group 'n', ...). AWS Directory Service in the management account maps each directory group to an IAM role (IAM_Admin, Read_Only, EC2_Admin, role 'n') through IAM role mapping.
Case Study:
Condé Nast Data Center Migration
Condé Nast data center migration drivers
• Existing data center needed >$1 million in upgrades
• Financial pressure to close facility by July 2014
• Increase resource efficiency, both people and technology
Condé Nast data center migration scope
• 47 application groups
• 350+ servers
• 400+ TB storage
Application migration methodology
• Condé Nast provided a detailed inventory of their Delaware DC assets
• Utilization metrics were critical for Reserved Instance analysis and to explore elasticity
• Application assessment determined migration order
• Migration scheduled in waves
• Change window: migrations occurred over weekends
• Coordinating the change window with the various teams was key
• Applications ran in hybrid mode during the migration
• Once a server was migrated successfully, the original was decommissioned
Application migration: virtual machines
• Condé Nast was highly virtualized (VMware)
• Veeam: stage VMs to Amazon S3; supports changed block tracking, which minimizes downtime during migration
• AWS VM Import/Export: migrate staged VMs to Amazon EC2; eliminates VM data migration as part of the change window
• Large databases: created directly on AWS and then data synchronized
AWS VPC and networking
Key criteria to support waves of migration:
• AWS Direct Connect: 10 Gbps connection to AWS
• IP addressing: avoid overlapping IPs
• Service names
AWS Identity and Access Management (IAM)
Key criteria:
• IAM policies
• Identify groups and permissions
• Application tagging
Phased migration
• Live migration from premises was too slow: large change windows meant that production systems were frozen for a long time
• Solutions:
– Use a tool (Veeam) for backup and ongoing synchronization of VMs to Amazon S3
– Use a staging farm to run VM Import/Export
VM Import/Export considerations
• Root partitions cannot span multiple disks. Solution: eliminate this on premises before migration
• Volumes > 1 TB not supported. Solution: spread data across volumes
• VM Import/Export requires stream-optimized VMDK. Solution: the conversion process was scripted
• Nonvirtualized servers were virtualized on premises before migration
• Unsupported operating systems were upgraded to a supported OS before migrating
Lessons learned at Condé Nast
• Know your limitations
• Evaluate and understand your infrastructure environment
• Sign up for Enterprise Support early and involve a TAM early on
• Get your operations staff trained on AWS
• Challenge yourself and make sound architecture decisions; changing them in future can be difficult
• Document every decision made, especially the anti-patterns
• Work directly with application owners; nothing beats hands-on experience
SAN FRANCISCO