AWS Enterprise Summit Netherlands - Creating a Landing Zone
•
7 likes•5,859 views
This document discusses creating a landing zone in AWS for migrating applications from an on-premise data center environment. It covers setting up account structure with separate accounts for production, non-production and centralized services. It also discusses establishing network connectivity with VPC design, identity and access management using IAM, and using AWS Service Catalog for self-service provisioning by cloud consumers. The overall goal is to discuss best practices for creating a secure and governed landing zone in AWS to migrate and operate applications.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to AWS Enterprise Summit Netherlands - Creating a Landing Zone
Similar to AWS Enterprise Summit Netherlands - Creating a Landing Zone (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
AWS Enterprise Summit Netherlands - Creating a Landing Zone
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Wednesday Sept 21st , 2016 Landing Zone for Application Migrations Koen vd Biggelaar - sr mgr AWS Solutions Architecture Henk van Rossum - Director – Platform Manager Hosting and Storage
- 2. Application Migration Create Landing Zone Migrate Apps Operate & Optimize H
- 5. Current State Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today Migrate Operate & Optimize
- 7. Infrastructure Request Current State Typical Enterprise Situation Governance & Service Management Central IT Lines of Business Provisioning Characteristics • Lead times ~days to weeks • Service Catalogue of components • Often process-heavy Service Management
- 8. Monitor & Respond Landing Zone Templates Policy & Best Practices Landscape Management Current State Opportunity to achieve agility and control Automation Lines of Business Central IT Opportunities • Lead times in minutes • Service Catalogue of landscapes • Automated Service Management
- 9. Security Automation Cloud IT Consumers Current State Guiding Principles
- 11. Account Structure • Don’t overdo on Day One • Use separate accounts for Security and Compliance Isolation (production non-prod, logging) Cost Allocation Resource Management and Ownership
- 12. Account Structure Payer Billing Reports Service Catalog Logging Audit Central Services Dev & Test Mobility IoT Serverless Internal business apps Digital Platforms Option: Per AWS Region Production Generic Production Critical Central Accounts Services Accounts
- 14. Analyze your CloudTrail Logs AWS CloudTrail AWS Management Console AWS CLI SDK Your Central Amazon S3 logging bucket Analysis & Action AWS Services You make API calls … …to AWS Services, logged by CloudTrail delivered to your S3 bucket
- 15. Changing Resources Config tracks resource changes
- 16. NormalizeRecordChanging Resources Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Config tracks resource changes
- 18. Network Key Considerations Non-overlapping IP range VPC Design Access Control Lists & Security Groups Logging and Monitoring Direct Connect Subnet Design
- 19. Network Direct Connect for connecting on-prem and AWS environment Customer Gateway VPN backup Direct Connect Location Virtual Interface #1 Virtual Interface #2 Secondary Direct Connect Location ` ` Partner Network
- 20. Network Central Services in a central VPC Central common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning • Internet Proxy Production Generic Production Business Critical Central Services Non-production
- 22. You get to control who can do what in your AWS environment when and from where Fine-grained control of your AWS cloud with multi- factor authentication Integrate with your existing LDAP / Active directory using federation and single sign-on You can use AWS managed policies or customer generated policies using the policy generator and test with the policy simulator AWS account owner Identity and Access Management Control access and segregate duties everywhere
- 23. Identities and Access Control Sample Access Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances" ], "Resource": “arn:aws:ec2:::instance/*”, "Condition": { "StringEquals": { "ec2:ResourceTag/Environment" : "Dev" } } } ] } Allow or Deny access to resource Service calls allowed to be performed Resource object or objects that the statement covers Conditions to satisfy: EC2 resources must be tagged with “Dev”
- 24. Identities and Access Control Example user types with corresponding access policies IAM Master Create policies IAM Manager Assign Policies Audit Read-Only Access Managers Architect Create landscapes Storage Design and Build Network Design and Build Design DevOps API Access App Owner Landscape owner Application Owners Support Account policy Empty Role No policy Support and Operations Typical Access Policy Administrator Landscape Mgt Administrator Service Catalog Administrators
- 25. Corporate Data Center Browser interface Identity Store Identity and Access Management Federation with on-prem directory AD Group Identity and Authentication Mapping to specific IAM Role with Access Policy Access to AWS
- 27. Cloud Consumers AWS Service Catalog AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner. Administrator Users Control Standardization Governance Agility Self-service Time to market
- 28. Product = Template CloudFormation Running Stack JSON formatted file Parameter definition Resource creation Configuration actions Configured AWS services Comprehensive service support Service event aware Customisable Framework Stack creation Stack updates Error detection and rollback Administrator Interaction CloudFormation to create products
- 29. Creates portfolio and assigns product portfolio 1 Administrator Adds constraints, grant access and add tags 4 2 Creates product Authors template Administrator Interaction Managing products ProductX Versions Portfolio BPortfolio A • Users and Roles • Constraints • Tags Service Catalog 3 Landscape Architect
- 30. Agility and Control Opportunities to strengthen the handshake User generated products to foster innovation Back-end micro-services acting on the stacks Administrator Products
- 31. Browse Products 5 4 3 2 1 Portfolio Cloud Consumers Select version, Provision Product, configure parameters Deploy Notifications and outputs Notifications and outputs 4 Scheduled functions Administrator Cloud Consumer Interaction Overview
- 32. Cloud Consumer Interaction Browse Products Launch Product Available Products Launched Products
- 33. Cloud Consumer Interaction Configuring Options EC2 Instance type Schedule on/off Schedule details
- 34. End User Interaction Launched Product Launched Product details
- 35. End User Interaction Cost Overview Test IT SecurityProd Dev Prod Test Dev
- 36. Start Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today What did we cover? Migrate Operate & Optimize
- 37. Application Migration Approach Create Landing Zone Migrate Operate & Optimize H
- 40. • “Break-Fix” • SLA based managed services • Unplanned business interruptions • Complex supply chain new demand • Wide variety of versions • Not Scalable • Pay for capacity reserved • Reporting “after the fact” • Design for “Always On” • SLA based managed services • Self Provisioning, consumer driven • Standard market available services • Scalable Resources • Pay only for what you use • “real time” usage & performance From Legacy to Cloud First Does not represent a Philips location 21 September 2016
- 42. Creating a landing zone – Account Architecture ENTERPRISE CONTRACT Market 1 Market X BU X Payer Account Root accountCore Global services Functional Accounts Shared Central Logging Account Backup Account Backup Account Shared Central Audit Account Shared Central Intellectual Property Account Linked accounts – Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Resources Partner Accounts Other Other Other Shared Users Federation Account Partner 1 Partner 2 Resources Backup Account Backup Account 21 September 2016
- 43. Creating a landing zone - Internet Centric Networking The Internet Sites Private Network – Provider Internet Edge SaaS Cloud ISP ISP Cloud Gatewa y 1 Cloud Gatewa y 2 Cloud Gatewa y N Partner Tier1 DC siteMPL S Direct Connect 21 September 2016 MPL S
- 45. Direct Connect Service Catalog CloudTrail S3 IAM Config Lambda Applications migrated to your landing zone
- 46. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you