
Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016


Page 1: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Hybrid IT Approach and Technologies with the AWS Cloud

June 20, 2016

Dario Rivera – Solutions Architect – Amazon Web Services
Dan Thomas – Chief Engineer – DC Health Benefit Exchange Authority

Page 2: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Session agenda

• Introduction
• Hybrid and AWS
• Implementing Hybrid Ops
• Common Hybrid Apps
• Use Case: DC Health Benefit Exchange Authority

Page 3: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Hybrid Ops / Hybrid Apps

Page 4: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Cloud is an ALL or NOTHING proposition

Page 5: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Why are customers choosing AWS to implement hybrid?

Page 6: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Scale

Service Breadth

Service Depth

Security

Page 7: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Broad accreditations and certifications

Page 8: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Pace of Innovation

[Chart: new features and services launched per year – 2009: 48, 2011: 82, 2013: 280, 2015: 722 (* as of 1 June 2016)]

AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range across compute, storage, networking, database, analytics, application services, deployment, management and mobile. AWS has launched a total of 368 new features and/or services year to date* – for a total of 2,263 new features and/or services since inception in 2006.

Page 9: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

[AWS platform overview, by layer]

TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem

AWS MARKETPLACE: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security

MANAGEMENT TOOLS: Queuing, Notifications, Search, Orchestration, Email

ENTERPRISE APPS: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories

HYBRID CLOUD MANAGEMENT: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management

SECURITY & MANAGEMENT: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated

INFRASTRUCTURE SERVICES: Regions, Availability Zones, Compute, Storage (object, block), Databases (SQL, NoSQL, Caching), CDN, Networking

PLATFORM SERVICES
• APP: Mobile & Web Front-end, Functions, Identity, Data Store, Real-time
• DEVELOPMENT: Containers, Source Code, Build Tools, Deployment, DevOps
• MOBILE: Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend
• ANALYTICS: Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning

Page 10: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Hybrid Ops: Getting started

Page 11: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

HYBRID OPS - REQUIREMENTS

• Secure, flexible networking between cloud and on-premises
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools


Page 13: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Secure, flexible connectivity

OPS | NETWORKING

AWS Direct Connect

• Extend your data center network to the AWS cloud using a leased line/circuit
• Secure, consistent performance on a private network – avoid internet traversal
• Lower data transfer costs (vs VPN)
• 1 Mbps to multiple 10 Gbps
• Simpler management of multi-VPC environments
• IPSEC VPNs can also be used for small deployments, POCs, and extra redundancy

Page 14: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Secure, flexible networking

OPS | NETWORKING

Amazon Virtual Private Cloud

• Create a software-defined network topology for your cloud including private and public subnets (RFC1918), routing, firewall policies and NAT
• Connect VPCs together using peering, or directly to your data center and offices
• Implement network isolation at any level, e.g. app environment, tier, business unit, team, application/project and data classification
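A check a hybrid network design review would run before peering, Direct Connect or VPN routing is configured, added here as an example (not code from the presentation): it verifies that each VPC uses RFC 1918 space, that no VPC overlaps the data-center ranges it must route to, that VPCs meant to be peered do not overlap each other, and that every subnet sits inside its VPC. All address ranges below are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (hypothetical ranges): data-center prefixes reachable over
# Direct Connect / VPN, plus two VPCs with their subnets.
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.10.0/24"]
VPC_PLAN = {
    "prod-vpc": {
        "cidr": "10.1.0.0/16",
        "subnets": {"public-a": "10.1.0.0/24", "app-a": "10.1.10.0/24", "db-a": "10.1.20.0/24"},
    },
    "dev-vpc": {
        # Collides with the data-center range: traffic between the two cannot be routed
        "cidr": "10.0.128.0/17",
        "subnets": {"public-a": "10.0.128.0/24", "app-a": "10.0.129.0/24"},
    },
}


def check_plan(on_prem, plan):
    """Return a list of findings (strings) for a hybrid address plan; empty means clean."""
    findings = []
    on_prem_nets = [ipaddress.ip_network(c) for c in on_prem]
    vpc_nets = {}  # name -> network, for pairwise VPC peering checks
    for name, vpc in plan.items():
        net = ipaddress.ip_network(vpc["cidr"])
        # Private (RFC 1918) space keeps VPC routes from shadowing public prefixes
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{name}: {net} is not RFC 1918 private space")
        # A VPC that overlaps a data-center prefix cannot be routed over DX/VPN
        for dc in on_prem_nets:
            if net.overlaps(dc):
                findings.append(f"{name}: {net} overlaps on-premises range {dc}")
        # VPC peering is refused between VPCs with overlapping CIDRs
        for other, other_net in vpc_nets.items():
            if net.overlaps(other_net):
                findings.append(f"{name}: {net} overlaps {other} ({other_net}); peering impossible")
        vpc_nets[name] = net
        # Subnets must sit inside their VPC and not collide with sibling subnets
        seen = []
        for sname, scidr in vpc["subnets"].items():
            snet = ipaddress.ip_network(scidr)
            if not snet.subnet_of(net):
                findings.append(f"{name}/{sname}: {snet} is outside VPC CIDR {net}")
            for pname, pnet in seen:
                if snet.overlaps(pnet):
                    findings.append(f"{name}/{sname}: {snet} overlaps subnet {pname} ({pnet})")
            seen.append((sname, snet))
    return findings


if __name__ == "__main__":
    for line in check_plan(ON_PREM_RANGES, VPC_PLAN):
        print(line)
```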

Page 15: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Network Extension

OPS | NETWORKING

[Diagram: Your Data Center connects to AWS two ways – (1) IPSEC VPN tunnels (x2) over the Internet, terminated on an AWS or customer managed gateway; (2) AWS Direct Connect: circuit(s), e.g. Metro Ethernet, to the Direct Connect peering location, then a fibre cross connect into AWS]

Page 16: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

(Optional) Bring your favorite security tools

Unified Threat Management & WAF

VPN / Routing, Application Delivery,

Key Management

AVAILABLE NOW

Page 17: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

HYBRID OPS - REQUIREMENTS

• Secure, flexible networking between cloud and on-premises: Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools


Page 19: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Federated Access Management

OPS | SECURE ACCESS MANAGEMENT

AWS Directory Service – AD Connector

• Easily federate your corporate Active Directory environment to AWS and enable single sign-on – no need for SAML infrastructure
• Proxy only – does not store credentials
• Supports RADIUS-based MFA
• Connects to Domain Controllers in your VPC or on-premises Domain Controllers

Customers can also use ADFS or partner solutions

Page 20: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Identity & Access Management

OPS | SECURE ACCESS MANAGEMENT

AWS Identity and Access Management

• Securely control access to AWS services and resources

• Combine IAM and AD Connector to develop role based security policies for AWS resources using your existing AD identities

• Fine grained control of permissions with auditing via AWS CloudTrail
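The auditing side of the IAM + AD Connector model, as an added example rather than code from the presentation: a small CloudTrail review that reads ConsoleLogin events and flags successful logins by local IAM users (which bypass the federated AD identities), logins made without MFA, and bursts of failed logins from one source address. The records are constructed; the account id, role and user names and addresses are placeholders, and whether a RADIUS MFA challenge through AD Connector is reflected in additionalEventData.MFAUsed is not stated on the page, so confirm that check against your own trail.

```python
import json
from collections import Counter

# Constructed CloudTrail log-file body (placeholders for account id, ARNs and IPs).
SAMPLE_TRAIL_JSON = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventTime": "2016-06-20T14:03:01Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ad-admins/jdoe"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-06-20T14:10:44Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/legacy-admin"},
     "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    # Three failed sign-in attempts from the same address
    {"eventName": "ConsoleLogin", "eventTime": f"2016-06-20T14:2{i}:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "HIDDEN_DUE_TO_SECURITY_REASONS"},
     "sourceIPAddress": "203.0.113.50",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}}
    for i in range(3)
] + [
    # A non-login API call, ignored by the audit
    {"eventName": "DescribeInstances", "eventTime": "2016-06-20T14:30:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ad-readonly/asmith"},
     "sourceIPAddress": "198.51.100.7"},
]})


def parse_trail(text):
    """Return the list of event records from a CloudTrail log-file body."""
    return json.loads(text)["Records"]


def audit_console_logins(records, fail_threshold=3):
    """Return findings for ConsoleLogin events; other event types are skipped."""
    findings = []
    failures = Counter()  # failed logins per source address
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "<unknown>")
        when = rec.get("eventTime", "<no time>")
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            failures[rec.get("sourceIPAddress", "<unknown>")] += 1
            continue
        # Federated access arrives as an assumed role, not a long-lived IAM user
        if ident.get("type") == "IAMUser":
            findings.append(f"{when} local IAM user console login (not federated): {who}")
        # MFAUsed other than "Yes" means no IAM MFA was presented at sign-in
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(f"{when} console login without MFA: {who}")
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed console logins from {ip}")
    return findings


if __name__ == "__main__":
    for line in audit_console_logins(parse_trail(SAMPLE_TRAIL_JSON)):
        print(line)
```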

Page 21: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | SECURE ACCESS MANAGEMENT

[Diagram: federated console access flow – Your Identity Provider (e.g., Active Directory) performs authentication; AD Connector (AWS Directory Service, proxy only) forwards the authentication to IAM (federated users); IAM policies handle authorization (allow/deny) for AWS Services & Resources reached through the AWS Management Console; access per IAM policies]

Page 22: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016


Ready in 15 minutes!

Page 23: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Identity Federation Partners

OPS | SECURE ACCESS MANAGEMENT

Page 24: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

HYBRID OPS - REQUIREMENTS

• Secure, flexible networking between cloud and on-premises: Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect
• Secure, federated access management: AWS Identity & Access Management (IAM), AWS Directory Service
• Management tools for hybrid environments
• Integrated monitoring tools


Page 26: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Step 1 – Use a “cloud broker”

OPS | MANAGEMENT

Page 27: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Start by experimenting with different tools

(and try open source)

Page 28: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | MANAGEMENT

Common Examples

ANSIBLE – Configuration management

HASHICORP PACKER – Build machine and container images (cross platform)

HASHICORP TERRAFORM – Create and deploy application templates (cross platform)

AWS CLOUDFORMATION – Application templates (AWS only)

Page 29: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | MANAGEMENT

HASHICORP PACKER – Build cross platform machine and container images

[Diagram: one source config drives a parallel build that produces VMware (vmx or ISO), AWS (Amazon Machine Image), OpenStack, etc. images]

Page 30: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | MANAGEMENT

HASHICORP TERRAFORM – Application Templates

Ex: Create 5 servers and put them behind a load balancer

    # Classic load balancer listening on port 80 and forwarding to port 8000 on the instances
    resource "aws_elb" "frontend" {
      name = "frontend-load-balancer"

      listener {
        instance_port     = 8000
        instance_protocol = "http"
        lb_port           = 80
        lb_protocol       = "http"
      }

      # Attach every instance created by the aws_instance.app resource below (count = 5)
      instances = ["${aws_instance.app.*.id}"]
    }

    # Five identical application servers built from the same AMI
    resource "aws_instance" "app" {
      count         = 5
      ami           = "ami-043a5034"
      instance_type = "m1.small"
    }

Page 31: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Build automation for hybrid environments

OPS | MANAGEMENT

[Diagram: a Stack Template references Ansible and Packer (configure/deploy the app) and Terraform (executes the template via API/CLI; configures/deploys the infra); post-processing yields the App Stack, e.g. 3 Tier Prod Web]

Page 32: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Importing existing VM images

OPS | MANAGEMENT

AWS Management Portal for VMware vCenter – point and click migration for VMware

AWS VM Import – migrate VMware, Hyper-V and Citrix Xen images

Page 33: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Import/Export Snowball

OPS | MANAGEMENT

• 80 TB Amazon-owned appliance designed to help move petabytes of data per week
• 256-bit data encryption (KMS)
• Tamper resistant, durable and rugged enclosure
• 10 GB network – takes ~13 hours to load a 50 TB Snowball

Use Snowball to move data centers, large data sets, or individual VMs

Page 34: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Application Discovery Service – Overview

• Agents deployed on source hosts; Windows & Linux support
• Capture system inventory, performance, and dependencies
• Capture and store secured data to AWS
• API access to discovered assets; output to CSV or XML
• Can be imported into a third-party migration or visualization tool

[Diagram: Discovery Agents in the on-premises data center send encrypted data over the Internet to the AWS Application Discovery Service Discovery DB]

Coming Soon!

Page 35: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

HYBRID OPS - REQUIREMENTS

• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments: Packer, Terraform, Ansible and VM Import
• Integrated monitoring tools


Page 37: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | MONITORING

[Diagram: Amazon CloudWatch supplies AWS platform & service metrics; through API integration they feed operational analytics (Splunk App for AWS) and application performance monitoring (AppDynamics)]

Page 38: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

OPS | MONITORING

AWS Trusted Advisor – Cost / Performance / Reliability Management

• Track cloud best practices with reports, dashboards, and email alerts
• Recommendations via historical usage analytics
• Assure you are using Best Practices in the AWS cloud

Page 39: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

HYBRID OPS - REQUIREMENTS

• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments
• Integrated monitoring tools


Page 41: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Use Case: DC Health Link

Dan Thomas – Chief Engineer, DC Health Benefit Exchange Authority; CEO, IdeaCrew, Inc.

Page 42: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

DC Health Link

Health Benefit Exchange Authority (HBX) for District of Columbia

Serves DC residents, small businesses, members of Congress and staff

Health, dental, vision benefits

Only marketplace with sole distribution channel for enrollment

As of March 2016, over 215K people have come through DC Health Link

Page 43: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

First Generation HBX

Some successes…
• Kentucky, California, New York

…and some setbacks
• Oregon, Hawaii
• HealthCare.gov

DC Health Link went live 10/1/2013, and was one of only four HBXs that opened on time & operated all day (Bloomberg News)

Page 44: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Technology Drives DC Health Link Customer Experience

If system is deficient or degraded:
• Cannot accurately determine financial assistance eligibility
• Cannot help consumers pick best coverage to meet their needs and budget
• Someone who needs coverage may go uninsured or may be unable to access needed care
• Uninsured are vulnerable to potentially catastrophic financial burden

Page 45: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

DC Health Link Behind the Scenes – Open Enrollments #1 & #2

Large infrastructure (250-plus VMs) in DC data centers

System Integrator struggled to deliver. After go-live, each successive release further degraded system

Consumer experience adversely impacted, throughout OE 1 & 2, both in terms of functionality and system performance

DC Health Link internal teams made heroic efforts to operate, developing side-along systems, semi-automated, and manual processes to help ensure enrollment data integrity and manage exchange among trading partners

Page 46: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Heroic effort isn’t a sustainable business model

Apparent by end of Open Enrollment #2 that IT strategy needed to change

Page 47: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Enroll Application Program

Devised plan in early 2015 to replace COTS system with new “Enroll Application”

• Re-architect Web site using open source technology
• Adopt Agile delivery model
• Move mission-critical functionality to cloud in hybrid configuration

With only seven months’ development time, new Enroll Application system went live October 12, 2015

Today, Enroll Application is the only built-to-purpose, open source HBX solution

Page 48: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

[Architecture diagram: DC Health Link hybrid deployment – labels as shown]

Actors: Individuals & Families, Employers, Employees, Brokers, Insurers

Amazon AWS Primary Region: Elastic Load Balancing, Auto Scaling group, DC Health Link Web Site / Portal, DCHBX Enroll App (Enrollment & Plan Comparison), Identity Management, MongoDB, RabbitMQ (Message Bus)

Amazon AWS Secondary Region: Disaster Recovery (Pilot Light), MongoDB, Real-Time Data Replication (VPC Peering to the primary region)

DC Data Center (VPN Connection): Enterprise Services, Financial Eligibility Determination, Identity Verification, EDI Files to Insurers

Third-Party Premium Billing Provider Data Center

Other components shown: Application Servers, Baked AMIs, Enterprise Logging, MS SQL Server, MySQL, EDI Engine, Auto Scaling group

Amazon Cloud Services: Amazon CloudWatch (Alarms), Amazon SNS (Email Notifications), Amazon S3 (Documents, Logs, Backups, etc.; Document Upload/Retrieval, Backups), Amazon ElastiCache (Redis) (Low-Latency Transaction Caching), Amazon SES (Confirmations, Invitations, Notices, etc.; Emails)

Page 49: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

AWS Enabled Hybrid Infrastructure Approach

DC Data Center
• Home page, HBX help, FAQs
• Identity and Access Management
• Financial assistance eligibility determination
• Electronic Data Integration (EDI)

AWS Cloud
• Individual and employee registration, benefit shopping, life events
• Employer registration, benefit package definition, staff roster management
• Broker registration, benefit package quoting, client management
• Online payment, premium billing

Page 50: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Immediate Benefits of Built-to-Purpose System in Cloud Environment

Improved customer experience
• Page count for customers to enroll/renew reduced by two-thirds
• Concurrent user capacity increased from 50 to 1,200-plus
• Average page load time (1.45 seconds)
• Average time on site reduced (6.5 minutes)
• Call center volume reduced 75% compared to first open enrollment

IT Efficiency & Productivity
• Provision IT resources in minutes, not days/weeks
• Auto-scaling for periodic peak loads
• Zero Downtime Deployment
• Fewer staff required to manage and support cloud infrastructure

Financial Sustainability
• Open source investment offset by eliminating millions $$ in COTS change orders and maintenance costs
• Dramatically lower infrastructure costs

Page 51: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Meaningful Results

• 23% year-over-year increase in new individual and family customers
• 74% of eligible residents enrolled for 2016 coverage compared to national average of 46% (Kaiser Family Foundation)
• Third-lowest uninsured state
• $2.9M per annum immediate COTS license fee savings generated by Enroll Application

Page 52: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Considerations

When is Hybrid Cloud/Data Center Infrastructure a Good Solution?
• Low risk proofs-of-concept
• Development that parallels production systems
• Ability to distribute existing system components
• System provisioning needs are unclear or highly volatile system demands

Success Factors
• Entrepreneurial leadership/agency culture
• Program leader with a vision, passion for mission and Agile temperament
• Opportunity to demonstrate superiority of vision
• Ability to assemble technical team with key development and integration skills
• Third-party partner who can help bridge gaps and accelerate (we use A&T Systems)

Page 53: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Resources

• Building a More Efficient Marketplace: Lessons from DC Health Link’s Experience with Open Source Code: http://nashp.org/building-a-more-efficient-marketplace-lessons-from-dc-health-links-experience-with-open-source-code/
• Enroll Application code repository: https://github.com/dchbx/enroll
• HBX Canonical vocabulary: https://github.com/dchbx/cv
• IdeaCrew site: http://www.ideacrew.com

Page 54: Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Thank you!