© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid IT Approach and Technologies with the AWS Cloud
June 20, 2016
Dario Rivera – Solutions Architect – Amazon Web Services
Dan Thomas – Chief Engineer – DC Health Benefit Exchange Authority
Session agenda
• Introduction
• Hybrid and AWS
• Implementing Hybrid Ops
• Common Hybrid Apps
• Use Case: DC Health Benefit Exchange Authority
Hybrid Ops / Hybrid Apps
Cloud is an ALL or NOTHING proposition
Why are customers choosing AWS to implement hybrid?
Scale
Service Breadth
Service Depth
Security
Broad accreditations and certifications
[Chart: AWS new features and services launched per year (as of 1 June 2016): 2009: 48; 2011: 82; 2013: 280; 2015: 722]
AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range across compute, storage, networking, database, analytics, application services, deployment, management and mobile. AWS has launched a total of 368 new features and/or services year to date (as of 1 June 2016), for a total of 2,263 new features and/or services since inception in 2006.
AWS Pace of Innovation
TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem
AWS MARKETPLACE: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security
MANAGEMENT TOOLS: Queuing, Notifications, Search, Orchestration
ENTERPRISE APPS: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories
HYBRID CLOUD MANAGEMENT: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management
SECURITY & MANAGEMENT: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated
INFRASTRUCTURE SERVICES: Regions, Availability Zones, Compute, Storage (object, block), Databases (SQL, NoSQL, Caching), CDN, Networking
PLATFORM SERVICES
  APP: Mobile & Web Front-end, Functions, Identity, Data Store, Real-time
  DEVELOPMENT: Containers, Source Code, Build Tools, Deployment, DevOps
  MOBILE: Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend
  ANALYTICS: Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning
Hybrid Ops: Getting started
HYBRID OPS - REQUIREMENTS
• Secure, flexible networking between cloud and on-premises
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools
Secure, flexible connectivity
OPS | NETWORKING
AWS Direct Connect
• Extend your data center network to the AWS cloud using a leased-line/circuit
• Secure, consistent performance on a private network - avoid internet traversal
• Lower data transfer costs (vs VPN)
• 1 Mbps to multiple 10 Gbps
• Simpler management of multi-VPC environments
• IPsec VPNs can also be used for small deployments, POCs, and extra redundancy
Secure, flexible networking
OPS | NETWORKING
Amazon Virtual Private Cloud
• Create a software-defined network topology for your cloud including private and public subnets (RFC1918), routing, firewall policies and NAT
• Connect VPCs together using peering, or directly to your data center and offices
• Implement network isolation at any level, e.g. app environment, tier, business unit, team, application / project and data classification
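The two properties a hybrid VPC design has to get right before the Direct Connect or VPN link goes live are private (RFC1918) addressing that does not overlap the data center, and private subnets that never route straight to an internet gateway. The following is an added example, not code from the deck or from AWS: a small plan checker over a constructed VPC plan (the subnet, route table, igw-/nat-/vgw- IDs and CIDRs are all made up) that reports those two classes of mistake plus subnet overlap and out-of-VPC subnets.

```python
"""Check a hybrid VPC address/routing plan before deploying it.

Added example (not from the AWS deck): the plan and all IDs below are
constructed; the 'igw-', 'nat-' and 'vgw-' prefixes mimic AWS ID styles.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed on-premises ranges reachable over Direct Connect / VPN.
# The second one deliberately overlaps the VPC below.
ONPREM_CIDRS = ["10.0.0.0/16", "10.10.0.0/20"]

# Constructed VPC plan: one public tier, two private tiers, one route table deliberately wrong.
VPC_PLAN = {
    "vpc_cidr": "10.10.0.0/16",
    "subnets": [
        {"id": "subnet-web-a", "cidr": "10.10.0.0/24",  "tier": "public",  "route_table": "rtb-public"},
        {"id": "subnet-app-a", "cidr": "10.10.10.0/24", "tier": "private", "route_table": "rtb-private"},
        {"id": "subnet-db-a",  "cidr": "10.10.20.0/24", "tier": "private", "route_table": "rtb-db"},
    ],
    "route_tables": {
        "rtb-public":  [{"dest": "0.0.0.0/0", "target": "igw-example"}],
        "rtb-private": [{"dest": "0.0.0.0/0", "target": "nat-example"},
                        {"dest": "10.0.0.0/16", "target": "vgw-example"}],
        # Mistake: a database subnet whose default route goes straight to the internet gateway.
        "rtb-db":      [{"dest": "0.0.0.0/0", "target": "igw-example"}],
    },
}


def is_rfc1918(cidr):
    """True if the whole CIDR sits inside one of the RFC1918 private blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(plan, onprem_cidrs):
    """Return a list of human-readable findings; an empty list means the plan passes."""
    findings = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])

    if not is_rfc1918(plan["vpc_cidr"]):
        findings.append(f"VPC {vpc} is not RFC1918 private address space")

    # Overlap with the data center makes routes ambiguous on both ends of the link.
    for cidr in onprem_cidrs:
        onprem = ipaddress.ip_network(cidr)
        if vpc.overlaps(onprem):
            findings.append(f"VPC {vpc} overlaps on-premises range {onprem}")

    seen = []
    for sub in plan["subnets"]:
        net = ipaddress.ip_network(sub["cidr"])
        if not net.subnet_of(vpc):
            findings.append(f"{sub['id']} ({net}) lies outside VPC {vpc}")
        for other_id, other in seen:
            if net.overlaps(other):
                findings.append(f"{sub['id']} ({net}) overlaps {other_id} ({other})")
        seen.append((sub["id"], net))

        routes = plan["route_tables"].get(sub["route_table"])
        if routes is None:
            findings.append(f"{sub['id']} references unknown route table {sub['route_table']}")
            continue
        # A private subnet must not have a default route to an internet gateway.
        if sub["tier"] == "private":
            for route in routes:
                if route["dest"] == "0.0.0.0/0" and route["target"].startswith("igw-"):
                    findings.append(f"{sub['id']} is private but {sub['route_table']} "
                                    f"sends 0.0.0.0/0 to {route['target']}")
    return findings


if __name__ == "__main__":
    for line in check_plan(VPC_PLAN, ONPREM_CIDRS) or ["plan passes"]:
        print(line)
```

Run against the constructed plan it reports the on-premises overlap and the database subnet's internet-gateway default route; the same checks apply to an exported route table from a real account once it is loaded into the same dictionary shape.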
[Diagram: network extension. Your data center reaches AWS either over IPsec VPN tunnels (x2) across the Internet, or over circuit(s), e.g. Metro Ethernet, to an AWS Direct Connect peering location with a fibre cross connect into AWS; either path is terminated on an AWS- or customer-managed gateway.]
Network Extension
OPS | NETWORKING
(Optional) Bring your favorite security tools
Unified Threat Management & WAF
VPN / Routing, Application Delivery,
Key Management
AVAILABLE NOW
HYBRID OPS - REQUIREMENTS (recap)
• Secure, flexible networking between cloud and on-premises: Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools
Federated Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Directory Service – AD Connector
• Easily federate your corporate Active Directory environment to AWS and enable single sign-on – no need for SAML infrastructure
• Proxy only – does not store credentials
• Supports RADIUS-based MFA
• Connects to Domain Controllers in your VPC or on-premises Domain Controllers
Customers can also use ADFS or partner solutions
AWS Identity & Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Identity and Access Management
• Securely control access to AWS services and resources
• Combine IAM and AD Connector to develop role based security policies for AWS resources using your existing AD identities
• Fine grained control of permissions with auditing via AWS CloudTrail
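The auditing half of this slide is where a federated setup usually falls short: CloudTrail records every call, but the caller shows up as an assumed role, so the AD user behind it has to be recovered from the role session name before the trail is useful. The following is an added example, not code from the deck or from AWS: it parses constructed, abridged CloudTrail-style records (the account ID, role name and user names are placeholders), attributes each call to the federated session that made it, and flags repeated AccessDenied results and any root-account activity.

```python
"""Audit CloudTrail records for federated (AD Connector / IAM role) sessions.

Added example (not from the AWS deck). The records below are constructed,
abridged CloudTrail-style events; the account ID, role and user names are
placeholders.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {"eventTime": "2016-06-20T14:01:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AD-ReadOnly/alice@corp.example"}},
    {"eventTime": "2016-06-20T14:02:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AD-ReadOnly/alice@corp.example"}},
    {"eventTime": "2016-06-20T14:05:44Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AD-ReadOnly/bob@corp.example"}},
    {"eventTime": "2016-06-20T14:05:51Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AD-ReadOnly/bob@corp.example"}},
    {"eventTime": "2016-06-20T14:06:03Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2016-06-20T14:30:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}},
]


def principal_key(identity):
    """Collapse a CloudTrail userIdentity block into a stable 'who' string."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        # ARN form: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        # For AD-federated logins the session name carries the directory user.
        _, role, session = identity["arn"].rsplit("/", 2)
        return f"federated:{role}/{session}"
    if kind == "IAMUser":
        return f"iam-user:{identity.get('userName', '?')}"
    if kind == "Root":
        return "root"
    return f"{kind}:{identity.get('arn', '?')}"


def summarize(events):
    """Per principal: number of calls, number of AccessDenied results, services touched."""
    summary = defaultdict(lambda: {"calls": 0, "denied": 0, "services": set()})
    for ev in events:
        entry = summary[principal_key(ev["userIdentity"])]
        entry["calls"] += 1
        entry["services"].add(ev["eventSource"])
        if ev.get("errorCode") == "AccessDenied":
            entry["denied"] += 1
    return dict(summary)


def review(events, min_denied=2):
    """Principals worth a second look: repeated denials, and any root-account usage."""
    summary = summarize(events)
    return {
        "repeated_denials": sorted(k for k, v in summary.items() if v["denied"] >= min_denied),
        "root_calls": summary.get("root", {}).get("calls", 0),
    }


if __name__ == "__main__":
    for who, stats in summarize(SAMPLE_EVENTS).items():
        print(f"{who}: {stats['calls']} calls, {stats['denied']} denied, {sorted(stats['services'])}")
    print(review(SAMPLE_EVENTS))
```

Against the sample, bob's session is reported for two denied calls and the root console login is counted; on real data the same two signals (a federated user probing beyond the role's policy, and any root use at all) are the first things to page on.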
OPS | SECURE ACCESS MANAGEMENT
[Diagram: federated console access. The user authenticates to the AWS Management Console; authentication is forwarded through AD Connector (proxy only, part of AWS Directory Service) to your identity provider, e.g. Active Directory. IAM then authorizes the federated user (allow / deny) per IAM policies, granting access to AWS services and resources.]
Ready in 15 minutes!
AWS Identity Federation Partners
OPS | SECURE ACCESS MANAGEMENT
HYBRID OPS - REQUIREMENTS (recap)
• Secure, flexible networking between cloud and on-premises: Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect
• Secure, federated access management: AWS Identity & Access Management (IAM), AWS Directory Service
• Management tools for hybrid environments
• Integrated monitoring tools
Step 1 – Use a “cloud broker”
OPS | MANAGEMENT
Start by experimenting with different tools (and try open source)
• ANSIBLE: Configuration management
• HASHICORP PACKER: Build machine and container images (cross platform)
• HASHICORP TERRAFORM: Create and deploy application templates (cross platform)
• AWS CLOUDFORMATION: Application templates (AWS only)
Common Examples
OPS | MANAGEMENT
HASHICORP PACKER: Build cross-platform machine and container images
[Diagram: one source config drives a parallel build of images for VMware (vmx or ISO), AWS (Amazon Machine Image), OpenStack, etc.]
OPS | MANAGEMENT
HASHICORP TERRAFORM: Application Templates
Ex: Create 5 servers and put them behind a load balancer

    resource "aws_elb" "frontend" {
      name = "frontend-load-balancer"
      listener {
        instance_port     = 8000
        instance_protocol = "http"
        lb_port           = 80
        lb_protocol       = "http"
      }
      instances = ["${aws_instance.app.*.id}"]
    }

    resource "aws_instance" "app" {
      count         = 5
      ami           = "ami-043a5034"
      instance_type = "m1.small"
    }
OPS | MANAGEMENT
[Diagram: a stack template references Packer-built images (post-processing) and is executed by Terraform against the API / CLI. Terraform configures and deploys the infrastructure; Ansible and Packer configure and deploy the application. Result: an app stack, e.g. a 3-tier production web stack.]
Build automation for hybrid environments
OPS | MANAGEMENT
Importing existing VM images
• AWS Management Portal for VMware vCenter: point-and-click migration for VMware
• AWS VM Import: migrate VMware, Hyper-V and Citrix Xen images
OPS | MANAGEMENT
AWS Import / Export Snowball
• 80 TB Amazon-owned appliance designed to help move petabytes of data per week
• 256-bit data encryption (KMS)
• Tamper-resistant, durable and rugged enclosure
• 10 GB network – takes ~13 hours to load a 50 TB Snowball
Use Snowball to move data centers, large data sets, or individual VMs
OPS | MANAGEMENT
AWS Application Discovery Service: Overview
• Agents deployed on source hosts; Windows & Linux support
• Capture system inventory, performance, and dependencies
• Capture and store secured data to AWS
• API access to discovered assets; output to CSV or XML
• Can be imported into a third-party migration or visualization tool
[Diagram: discovery agents in the on-premises data center send encrypted data over the Internet to the AWS Application Discovery Service discovery DB.]
Coming Soon!
HYBRID OPS - REQUIREMENTS (recap)
• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments: Packer, Terraform, Ansible and VM Import
• Integrated monitoring tools
OPS | MONITORING
[Diagram: Amazon CloudWatch supplies AWS platform & service metrics; via API integration they feed the Splunk App for AWS (operational analytics) and AppDynamics (application performance).]
OPS | MONITORING
AWS Trusted Advisor: Cost / Performance / Reliability Management
• Track cloud best practices with reports, dashboards, and email alerts
• Recommendations via historical usage analytics
• Assure you are using best practices in the AWS cloud
HYBRID OPS - REQUIREMENTS (recap)
• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments
• Integrated monitoring tools
Use Case: DC Health Link
Dan Thomas – Chief Engineer, DC Health Benefit Exchange Authority; CEO, IdeaCrew, Inc.
DC Health Link
Health Benefit Exchange Authority (HBX) for District of Columbia
Serves DC residents, small businesses, members of Congress and their staff
Health, dental, vision benefits
Only marketplace with sole distribution channel for enrollment
As of March 2016, over 215K people have come through DC Health Link
First Generation HBX
Some successes…
• Kentucky, California, New York
…and some setbacks
• Oregon, Hawaii
• HealthCare.gov
DC Health Link went live 10/1/2013, and was one of only four HBXs that opened on time & operated all day (Bloomberg News)
Technology Drives DC Health Link Customer Experience
If the system is deficient or degraded:
• Cannot accurately determine financial assistance eligibility
• Cannot help consumers pick the best coverage to meet their needs and budget
• Someone who needs coverage may go uninsured or may be unable to access needed care
• Uninsured are vulnerable to potentially catastrophic financial burden
DC Health Link Behind the Scenes: Open Enrollments #1 & #2
Large infrastructure (250-plus VMs) in DC data centers
System Integrator struggled to deliver. After go-live, each successive release further degraded system
Consumer experience adversely impacted, throughout OE 1 & 2, both in terms of functionality and system performance
DC Health Link internal teams made heroic efforts to operate, developing side-along systems, semi-automated, and manual processes to help ensure enrollment data integrity and manage exchange among trading partners
Heroic effort isn’t a sustainable business model
Apparent by end of Open Enrollment #2 that IT strategy needed to change
Enroll Application Program
Devised plan in early 2015 to replace COTS system with new “Enroll Application”
• Re-architect Web site using open source technology
• Adopt Agile delivery model
• Move mission-critical functionality to cloud in hybrid configuration
With only seven months’ development time, the new Enroll Application system went live October 12, 2015
Today, Enroll Application is the only built-to-purpose, open source HBX solution
[Architecture diagram: AWS Enabled Hybrid Infrastructure Approach.
Actors: Individuals & Families, Employers, Employees, Brokers, Insurers, Third-Party Premium Billing Provider.
Amazon AWS Primary Region: DC Health Link Web Site / Portal behind Elastic Load Balancing; DCHBX Enroll App (Enrollment & Plan Comparison) in an Auto Scaling group built from baked AMIs; MongoDB; RabbitMQ (message bus); Identity Management.
Amazon AWS Secondary Region (reached over VPC Peering): Disaster Recovery (pilot light) with MongoDB and application servers fed by real-time data replication and backups.
Amazon Cloud Services: Amazon CloudWatch (alarms), Amazon SNS, Amazon S3 (documents, logs, backups, etc.; document upload/retrieval), Amazon ElastiCache (Redis; low-latency transaction caching), Amazon SES (confirmations, invitations, notices, etc.; email notifications).
DC Data Center (VPN connection): Financial Eligibility Determination, Identity Verification, Enterprise Services, Enterprise Logging, EDI Engine (EDI files), MS SQL Server, MySQL.
Third-Party Premium Billing Provider Data Center.]
DC Data Center
• Home page, HBX help, FAQs
• Identity and Access Management
• Financial assistance eligibility determination
• Electronic Data Integration (EDI)
AWS Cloud
• Individual and employee registration, benefit shopping, life events
• Employer registration, benefit package definition, staff roster management
• Broker registration, benefit package quoting, client management
• Online payment, premium billing
Immediate Benefits of Built-to-Purpose System in Cloud Environment
Improved customer experience
• Page count for customers to enroll/renew reduced by two-thirds
• Concurrent user capacity increased from 50 to 1,200-plus
• Average page load time (1.45 seconds)
• Average time on site reduced (6.5 minutes)
• Call center volume reduced 75% compared to first open enrollment
IT Efficiency & Productivity
• Provision IT resources in minutes, not days/weeks
• Auto-scaling for periodic peak loads
• Zero Downtime Deployment
• Fewer staff required to manage and support cloud infrastructure
Financial Sustainability
• Open source investment offset by eliminating millions $$ in COTS change orders and maintenance costs
• Dramatically lower infrastructure costs
Meaningful Results
• 23% year-over-year increase in new individual and family customers
• 74% of eligible residents enrolled for 2016 coverage compared to national average of 46% (Kaiser Family Foundation)
• Third-lowest uninsured state
• $2.9M per annum immediate COTS license fee savings generated by Enroll Application
Considerations
When is Hybrid Cloud/Data Center Infrastructure a Good Solution?
• Low-risk proofs-of-concept
• Development that parallels production systems
• Ability to distribute existing system components
• System provisioning needs are unclear or system demands are highly volatile
Success Factors
• Entrepreneurial leadership/agency culture
• Program leader with a vision, passion for mission and Agile temperament
• Opportunity to demonstrate superiority of vision
• Ability to assemble technical team with key development and integration skills
• Third-party partner who can help bridge gaps and accelerate (we use A&T Systems)
Resources
• Building a More Efficient Marketplace: Lessons from DC Health Link’s Experience with Open Source Code: http://nashp.org/building-a-more-efficient-marketplace-lessons-from-dc-health-links-experience-with-open-source-code/
• Enroll Application code repository: https://github.com/dchbx/enroll
• HBX Canonical vocabulary: https://github.com/dchbx/cv
• IdeaCrew site: http://www.ideacrew.com
Thank you!