Infrastructure Provisioning & Automation For Large Enterprises
Presented By
Anirudh Baskaran, Tensult CEO and Founder
Dilip Kola, Tensult Co-Founder & CTO
• About Tensult
• Design Considerations
• Solutions
• Centralized Management
• Security
• Networking
• Automation
About
• Tensult is an AWS Advanced Consulting Partner
• Started by passionate ex-AWS employees
• In-depth cloud knowledge and expertise
• Automation First approach
Design Considerations
• Security and Compliance
• Centralized Policy Management
• Automation Approach
• Centralized Billing
Centralized Policy Management
AWS Organisations
A configured multi-account environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines and centrally managed services.
Service Control Policies (SCPs)
SCPs are attached to Organisational Units (OUs) and set the maximum permissions that any IAM user, group or role in the member accounts under that OU can have. An SCP never grants access on its own: it only caps what the IAM policies inside the account can grant, and an explicit Deny in an SCP overrides any Allow in the account, including for account administrators. SCPs do not apply to the organisation's management account, so that account should hold no workloads.
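As an added example (not code from the Tensult deck or from AWS), the following Python models how an SCP and an IAM policy combine into an effective permission: every SCP on the account's OU path must allow the action, the IAM policy must also allow it, and an explicit Deny anywhere wins. The account IDs, the 'Workloads' OU guardrail SCP and the operations-role policy are constructed for the example; the model assumes one SCP per level of the OU path and does not evaluate Condition blocks.

```python
"""Effective permission = SCP ceiling AND IAM grant, with Deny winning.

Added example; it is not code from the Tensult deck or from AWS. It models
the evaluation rule that matters when SCPs and IAM policies are written
hand-in-hand: in a member account a request succeeds only if every SCP on
the account's OU path allows it AND the identity's IAM policy allows it,
and an explicit Deny in either place wins. The policies, account IDs and
the 'Workloads' OU guardrail are constructed for the example; Condition
blocks are not evaluated.
"""
import fnmatch

MANAGEMENT_ACCOUNT = "111111111111"   # hypothetical; SCPs never apply to it


def _matches(patterns, value, fold_case):
    """IAM wildcard match ('*' and '?'); actions are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny ends evaluation
        verdict = "Allow"
    return verdict


def is_allowed(account_id, scp_chain, iam_policy, action, resource):
    """Decide a request; scp_chain holds one SCP per level (root, OU, ...)."""
    if account_id != MANAGEMENT_ACCOUNT:
        # SCPs only cap: each level must Allow and no level may Deny.
        if any(evaluate(scp, action, resource) != "Allow" for scp in scp_chain):
            return False
    # Inside the ceiling, the identity still needs an explicit IAM Allow.
    return evaluate(iam_policy, action, resource) == "Allow"


# Root level: AWS's default FullAWSAccess SCP
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail on a 'Workloads' OU: keep full access, but nobody in
# the member accounts, admins included, may switch off the audit trail.
WORKLOADS_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder"]},
]}

# Constructed IAM policy for an operations role inside a member account
OPS_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
]}

# An account administrator: still capped by the OU guardrail
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

CHAIN = [FULL_AWS_ACCESS, WORKLOADS_GUARDRAIL]
MEMBER = "222222222222"   # hypothetical member account under the Workloads OU
```

The same action can come out differently in the two account types: `is_allowed(MEMBER, CHAIN, ADMIN, "cloudtrail:DeleteTrail", "*")` is False because the OU guardrail denies it, while the identical call with `MANAGEMENT_ACCOUNT` is True because SCPs are not evaluated there at all.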
Security and Compliance
Networking
The building block of networking in the Landing Zone concept is the 'Transit VPC'. The Transit VPC acts as an intermediary for routing between two different places, in this case different VPCs, so that traffic between spoke VPCs passes through one hub instead of a mesh of VPC peerings.
Transit VPC
- Advanced filtering and protection is enabled using a next-generation FortiGate firewall in the Transit VPC, so traffic passing through the hub is inspected at a single choke point.
- Set up in active-active mode with failover for VPN connectivity, to ensure business continuity.
Access Mgmt & Compliance
• IAM Policies
For delegating access to different types of users based on their roles, IAM policies are written hand-in-hand with SCPs: the SCP sets the ceiling for the account and the IAM policy grants each role the subset it needs inside that ceiling.
• SAML based Single Sign-On (SSO)
For seamless access, ADFS is integrated with AWS using SAML 2.0 federation, so users continue using their existing Active Directory credentials and receive temporary AWS credentials instead of long-lived IAM user keys.
• AWS Config
Configuration history and inventory of resources
Automated monitoring of policy violations: Config rules evaluate each recorded resource against the policy and flag the non-compliant ones
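As an added example (not code from the Tensult deck), the following Python is the evaluation logic of a custom AWS Config rule of the kind used for automated monitoring of policy violations: Config hands the Lambda a configurationItem for a security group, the function answers COMPLIANT or NON_COMPLIANT, and the handler reports that back with PutEvaluations. The configuration item is constructed, and the ipPermissions layout (ipRanges / ipv4Ranges / ipv6Ranges) is assumed to match what Config records for AWS::EC2::SecurityGroup.

```python
"""Custom AWS Config rule: admin ports must never be open to the world.

Added example, not code from the Tensult deck. It is the evaluation logic of
a custom Config rule Lambda: Config hands the function a configurationItem
for a security group, the function answers COMPLIANT or NON_COMPLIANT, and
the handler reports that back with PutEvaluations. The configuration item
below is constructed, and the ipPermissions layout (ipRanges / ipv4Ranges /
ipv6Ranges) is assumed to match what Config records for
AWS::EC2::SecurityGroup.
"""
import json

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    if str(perm.get("ipProtocol", "-1")) == "-1":   # all traffic, all ports
        return 0, 65535
    return int(perm.get("fromPort", 0)), int(perm.get("toPort", 65535))


def _cidrs(perm):
    cidrs = list(perm.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c]


def open_admin_ports(configuration):
    """Admin ports reachable from 0.0.0.0/0 or ::/0, sorted."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        lo, hi = _port_range(perm)
        hit = {p for p in ADMIN_PORTS if lo <= p <= hi}
        if hit and WORLD.intersection(_cidrs(perm)):
            exposed |= hit
    return sorted(exposed)


def evaluate_compliance(item):
    """Evaluate one configurationItem as delivered to the rule."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule covers security groups only"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    ports = open_admin_ports(item.get("configuration") or {})
    if ports:
        return "NON_COMPLIANT", f"ports {ports} open to the world"
    return "COMPLIANT", "no admin port open to the world"


def lambda_handler(event, context):
    """Entry point for the Config rule; reports the verdict to Config."""
    import boto3   # imported here so the evaluation runs without AWS
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed item: SSH open to everyone, HTTPS open to everyone, RDP internal
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-06-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": ["10.0.0.0/8"]},
    ]},
}
```

A rule of `ipProtocol: -1` (all traffic) is treated as covering every port, which is why the protocol is checked before the port range; a check that only looks at fromPort/toPort misses the most common mistake.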
AUTOMATION
AWS Systems Manager
• AWS Systems Manager (SSM) provides an easier way to automate instance actions with minimal setup.
• Both the data plane (instance level, using SSM Run Command) and the control plane (AWS API level, using SSM Automation) can be automated.
• SSM Automation provides rich features like branching, waits and error handling, and integrates with SSM Run Command, CloudFormation, Lambda, Step Functions, most of the AWS APIs and many more.
• SSM Run Command provides powerful ways to execute commands based on OS type and other instance-level information.
• SSM keeps logs and a history of all executions, so it is easy to debug and audit, and most importantly it avoids logging into the instance directly: routine operations need no SSH or RDP access and no distributed keys.
Automation Workflow
[Diagram: a CloudWatch Event invokes a Lambda Function, which triggers the SSM Automation Document]
Automation Workflow
AWS Systems Manager (SSM)
• Capabilities of SSM are leveraged to automate management tasks such as automated VM creation, patch management, application installation, AD joining etc.
AWS Lambda
• Lambda is used for triggering SSM Automation documents in response to specified events.
Amazon CloudWatch
• CloudWatch Events rules are used for triggering the Lambda functions.
The most challenging part was the automation itself: multiple scripts had to be written to achieve the desired output without ever logging into the instances.
Automated AD join
SSM Automation Workflow (runs against the target instance)
1. Install dependencies
2. Fetch the AD join credentials from Parameter Store (they should be stored as a SecureString parameter, encrypted with KMS, and the instance role should be allowed to read only that parameter path; the join account itself should be a dedicated low-privilege account that can do nothing but join computers to the domain)
3. Fetch the Hostname tag using the instance ID
4. Change the hostname
5. Execute the domain joining script
Application Installation
SSM Automation Workflow (runs against the target instance)
1. Check the OS version
2. The document to run is selected based on OS type
3. The application binary is downloaded from an S3 bucket
4. The binary is installed and verified (checking the download against a known checksum before installing it guards against a tampered or partial object)
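As an added example (not the deck's code), the following Python is a Lambda of the kind the automation workflow above wires between CloudWatch Events and SSM, combined with the OS-based document selection of the application installation workflow: it receives an 'EC2 Instance State-change Notification' (the event shape CloudWatch Events delivers), asks SSM which platform the agent on that instance reports, and starts the matching Automation document. The document names AppInstall-Windows / AppInstall-Linux and the Automation role ARN are hypothetical; the SSM client is passed in so the logic can be exercised offline with the FakeSSM stand-in at the bottom.

```python
"""CloudWatch Event -> Lambda -> SSM Automation, choosing the runbook per OS.

Added example, not the deck's code. The Lambda receives an
'EC2 Instance State-change Notification' (the event shape CloudWatch Events
delivers), asks SSM which platform the agent on that instance reports, and
starts the matching Automation document. The document names
AppInstall-Windows / AppInstall-Linux and the Automation role ARN are
hypothetical. The SSM client is passed in so the logic can be exercised
offline with the FakeSSM stand-in at the bottom.
"""
import os

DOCUMENTS = {"Windows": "AppInstall-Windows", "Linux": "AppInstall-Linux"}
AUTOMATION_ROLE = os.environ.get(
    "AUTOMATION_ROLE_ARN", "arn:aws:iam::111111111111:role/SSMAutomationRole")


def instance_from_event(event):
    """Instance id from a state-change event, or None if it is not ours."""
    if event.get("source") != "aws.ec2":
        return None
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return None
    detail = event.get("detail", {})
    if detail.get("state") != "running":    # only act once the OS is up
        return None
    return detail.get("instance-id")


def platform_of(ssm, instance_id):
    """PlatformType the SSM agent registered for the instance, or None."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    infos = resp.get("InstanceInformationList", [])
    return infos[0].get("PlatformType") if infos else None


def start_install(ssm, instance_id):
    """Start the OS-specific runbook; None if no agent or unsupported OS."""
    doc = DOCUMENTS.get(platform_of(ssm, instance_id))
    if doc is None:
        return None
    resp = ssm.start_automation_execution(
        DocumentName=doc,
        Parameters={"InstanceId": [instance_id],
                    "AutomationAssumeRole": [AUTOMATION_ROLE]})
    return resp["AutomationExecutionId"]


def lambda_handler(event, context):
    import boto3   # imported here so the rest runs without AWS
    instance_id = instance_from_event(event)
    if instance_id is None:
        return {"execution": None}
    return {"execution": start_install(boto3.client("ssm"), instance_id)}


class FakeSSM:
    """Offline stand-in for the two boto3 SSM calls used above."""
    def __init__(self, platforms):
        self.platforms = platforms      # instance id -> PlatformType
        self.started = []

    def describe_instance_information(self, Filters):
        ids = Filters[0]["Values"]
        return {"InstanceInformationList": [
            {"InstanceId": i, "PlatformType": self.platforms[i]}
            for i in ids if i in self.platforms]}

    def start_automation_execution(self, DocumentName, Parameters):
        self.started.append((DocumentName, Parameters))
        return {"AutomationExecutionId": f"exec-{len(self.started)}"}


SAMPLE_EVENT = {   # constructed, in the CloudWatch Events format
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0abc12345def67890", "state": "running"},
}
```

The 'running' state does not guarantee the SSM agent has registered yet, so an instance with no inventory entry returns None rather than starting a runbook that would fail; in practice the Lambda is retried or the event is re-queued for such cases.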
Virus Definitions updates
SSM Automation Workflow (runs against the target instances)
1. Start the stopped instances
2. Wait for them to reach the running state
3. Execute an SSM Run Command to update the virus definitions
4. Stop the instances
• This workflow updates the virus definitions on stopped instances periodically, so that an instance brought back into service later does not start with stale signatures.
• It is triggered using cron-based CloudWatch Events rules.
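As an added example (not the deck's code), the following Python writes the four steps above with boto3 so that the failure path is explicit; the deck runs the same steps as an SSM Automation document. Once the instances have been started, the finally block stops them again whatever happens, so a failed definition update cannot leave a fleet of nominally stopped machines running. The Run Command document 'Update-AVDefinitions' and the selecting tag are hypothetical, and the clients are injected so the flow can run offline against the fakes at the bottom.

```python
"""Start -> wait -> Run Command -> stop, with the stop guaranteed.

Added example, not the deck's code: the deck runs these four steps as an
SSM Automation document, here they are written with boto3 so the failure
path is explicit. Once the instances have been started, the finally block
stops them again whatever happens, so a failed definition update cannot
leave a fleet of nominally stopped machines running. The Run Command
document 'Update-AVDefinitions' and the selecting tag are hypothetical, and
the clients are injected so the flow can run offline against the fakes at
the bottom.
"""
import time


def stopped_instances(ec2, tag_key, tag_value):
    """Ids of tagged instances that are currently stopped."""
    resp = ec2.describe_instances(Filters=[
        {"Name": f"tag:{tag_key}", "Values": [tag_value]},
        {"Name": "instance-state-name", "Values": ["stopped"]},
    ])
    return [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]


def wait_for_command(ssm, command_id, instance_ids, poll=5, timeout=900):
    """Poll each invocation to a terminal state; return {id: status} of failures."""
    pending, failed = set(instance_ids), {}
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        for iid in list(pending):
            status = ssm.get_command_invocation(
                CommandId=command_id, InstanceId=iid)["Status"]
            if status in ("Pending", "InProgress", "Delayed"):
                continue
            pending.discard(iid)
            if status != "Success":
                failed[iid] = status
        if pending:
            time.sleep(poll)
    for iid in pending:
        failed[iid] = "TimedOut"
    return failed


def update_definitions(ec2, ssm, tag_key="AVUpdate", tag_value="scheduled",
                       document="Update-AVDefinitions"):
    """Run the document on the stopped fleet and return the failed instances."""
    ids = stopped_instances(ec2, tag_key, tag_value)
    if not ids:
        return {}
    ec2.start_instances(InstanceIds=ids)                            # step 1
    try:
        ec2.get_waiter("instance_status_ok").wait(InstanceIds=ids)  # step 2
        cmd = ssm.send_command(InstanceIds=ids, DocumentName=document,
                               TimeoutSeconds=600)                  # step 3
        return wait_for_command(ssm, cmd["Command"]["CommandId"], ids)
    finally:
        ec2.stop_instances(InstanceIds=ids)                         # step 4, always


class FakeEC2:
    """Offline stand-in; ignores the tag filter and keeps a call log."""
    def __init__(self, states):
        self.state, self.calls = dict(states), []

    def describe_instances(self, Filters):
        wanted = [f for f in Filters if f["Name"] == "instance-state-name"][0]["Values"]
        return {"Reservations": [{"Instances": [
            {"InstanceId": i} for i, s in self.state.items() if s in wanted]}]}

    def start_instances(self, InstanceIds):
        self.calls.append(("start", list(InstanceIds)))
        self.state.update({i: "running" for i in InstanceIds})

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", list(InstanceIds)))
        self.state.update({i: "stopped" for i in InstanceIds})

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()


class FakeSSM:
    """Offline stand-in; results maps instance id -> final invocation Status."""
    def __init__(self, results):
        self.results = results

    def send_command(self, InstanceIds, DocumentName, TimeoutSeconds):
        if any(i not in self.results for i in InstanceIds):
            raise RuntimeError("InvalidInstanceId: agent not registered")
        return {"Command": {"CommandId": "cmd-1"}}

    def get_command_invocation(self, CommandId, InstanceId):
        return {"Status": self.results[InstanceId]}
```

The waiter is instance_status_ok rather than instance_running because the SSM agent only registers once the OS has booted; SendCommand against an instance whose agent is not yet online fails with InvalidInstanceId, which is exactly the path the finally block covers. SendCommand also accepts at most 50 instance ids per call, so a larger fleet has to be chunked.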
Self-Service Infrastructure Provisioning
AWS Service Catalog
Standardised Deployments
• Create standardised landscapes for the organisation with controls that restrict what a product deployment may use, including instance types, AMIs, security group port openings etc.
Easy to Deploy
• Based on the access a user has, the available products appear in the listing and can be provisioned by the user on their own.
Fine-grain Access Control
• Administrators create portfolios of products and grant access to the portfolios using IAM.
Version Control
• Products can be added to any number of portfolios; updating a product version will update the product across all the portfolios where the product is
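As an added example (not the deck's code), the following Python is the kind of guardrail check a Service Catalog administrator runs over a CloudFormation template, already parsed from YAML or JSON into a dict, before approving it as a product: it reports instance types outside an allow-list, AMIs not taken from the approved-AMI parameter, and security group ingress from the world on admin ports. The allow-list, the parameter name ApprovedAmiId and the sample template are constructed for the example.

```python
"""Guardrail check over a CloudFormation template before it becomes a product.

Added example, not the deck's code. Service Catalog gives administrators
control over what a product may deploy; this is the kind of check an
administrator runs over a template (already parsed from YAML or JSON into a
dict) before approving it: instance types outside an allow-list, AMIs not
taken from the approved-AMI parameter, and security group ingress from the
world on admin ports. The allow-list, the parameter name ApprovedAmiId and
the sample template are constructed for the example.
"""

ALLOWED_INSTANCE_TYPES = {"t3.micro", "t3.small", "m5.large"}
APPROVED_AMI_PARAMETER = "ApprovedAmiId"
ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


def _candidates(value, parameters):
    """Values a property may take: the literal, or a Ref'd parameter's choices."""
    if isinstance(value, dict) and "Ref" in value:
        param = parameters.get(value["Ref"], {})
        return param.get("AllowedValues") or [param.get("Default")]
    return [value]


def _ingress_rules(resources):
    """(resource name, rule) for inline and standalone ingress rules."""
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def find_violations(template):
    """Human-readable list of guardrail violations; empty means approved."""
    params = template.get("Parameters", {})
    resources = template.get("Resources", {})
    problems = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        # A Ref'd InstanceType parameter is judged by its whole AllowedValues list
        for itype in _candidates(props.get("InstanceType"), params):
            if itype not in ALLOWED_INSTANCE_TYPES:
                problems.append(f"{name}: instance type {itype!r} not allowed")
        image = props.get("ImageId")
        if not (isinstance(image, dict) and image.get("Ref") == APPROVED_AMI_PARAMETER):
            problems.append(f"{name}: ImageId must be Ref {APPROVED_AMI_PARAMETER}")
    for name, rule in _ingress_rules(resources):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if str(rule.get("IpProtocol")) == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if cidr in WORLD and any(lo <= p <= hi for p in ADMIN_PORTS):
            problems.append(f"{name}: {cidr} may reach ports {lo}-{hi}")
    return problems


# Constructed template in the shape CloudFormation JSON/YAML parses to
SAMPLE_TEMPLATE = {
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t3.micro",
                         "AllowedValues": ["t3.micro", "m5.24xlarge"]},
        "ApprovedAmiId": {
            "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
            "Default": "/golden/amazon-linux/latest"},
    },
    "Resources": {
        "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": {"Ref": "InstanceType"},
            "ImageId": {"Ref": "ApprovedAmiId"}}},
        "DbServer": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": "t3.small",
            "ImageId": "ami-0123456789abcdef0"}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "RdpFromCorp": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "WebSG"}, "IpProtocol": "tcp",
            "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"}},
    },
}
```

Routing the AMI through an SSM parameter of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> is what lets the pre-approved image be rotated centrally without touching every product; the check therefore rejects any hard-coded ami- id rather than maintaining a list of approved ones.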
AWS CloudFormation
Easy to Design: Infrastructure as code, supports both JSON and YAML.
Modularization: Split the infrastructure into modules, e.g. nested stacks.
Wait Conditions: Breakpoints can be added to the template with wait conditions, e.g. wait for an EC2 instance or a service on it to start before dependent resources are created.
Automated Rollback: If a resource fails to create or update, the stack rolls back to the previous working state automatically.
Service Catalog Architecture
Source : https://tinyurl.com/y4e7d487
Service Catalog Stacks
Single and Two Tier Stack:
Can be deployed with a few mouse clicks using Service Catalog products built on pre-approved AMIs.
Multiple OS Support:
CloudFormation stack with support for 6 operating systems: Amazon Linux, CentOS, Ubuntu, Red Hat, Windows Server 2012 and Windows Server 2016.
Multiple DB Support:
The CloudFormation stack supports 2 RDS engines: MySQL and MSSQL (SQL Server).
ANY QUESTIONS ?
Thank You
Sample our Work: https://medium.com/tensult, https://github.com/tensult
Follow Us: https://linkedin.com/company/tensult, https://twitter.com/tensultdotcom, https://www.facebook.com/tensult
