2017SpringITPF-Enterprise Infrastructure in the …...Deploy using Infrastructure-as-Code (IaC)...

EnterpriseInfrastructureintheAmazonWebServices

(AWS)CloudDavidZych,ErikColeman,PhilWinans

gotAWS?

• http://aws.illinois.edu• Let’sgo!

But…• ITserviceshavedependencies• ActiveDirectory• private resourcesoncampusnetwork• private resourcesinotherAWSaccounts

• packetsneedroads(routes)

Wherewe’regoing…

ØVPCNetworkingConcepts

• FantasticEnterpriseVPCsandHowtoBuildThem

• UsingActiveDirectoryintheCloud

• ThereAndBackAgain:aPacket’sJourneyfromUIUCtoAWS

VPCBasics

• VirtualPrivateCloud(VPC):alogicallyisolatedvirtualnetworkintheAWScloudwhichisdedicatedtoyourAWSaccount

• anAWSaccountmayhavemultipleVPCs

• eachVPCmaycontainmultipleSubnets

Location,Location,Location

• aVPCbelongstoasingleRegion(us-east-2:Ohio)• aSubnetbelongstoasingleAvailabilityZone(us-east-2a)

Public-facingSubnets

• bi-directionalcommunicationwithanyhostonthepublicInternet• ifpermittedbySecurityGroups

• privateIPv4addressesinternally

• 1:1NetworkAddressTranslation(NAT)mapseachprivateIPtoanElasticIPortransientpublicIP

NetworkAddressTranslation(Example)

DNS: example.com IN A 52.15.99.99

Campus-facingSubnets

• bi-directionaltocampus,withoutNAT• usingTechnologyServicesVPNconnection

• outbound-onlytoInternet(optional)


• VPCNetworkingConcepts

ØFantasticEnterpriseVPCsandHowtoBuildThem



EnterpriseVPC(vsIndependentVPC)

• Enterprisenetworkingfeatures• Campus-facingsubnets• VPCPeeringtootherEnterpriseVPCs

• includingCoreServicesVPCs

• Restrictions• PrivateIPv4spacecentrallyallocatedbyTechnologyServices• us-east-2(Ohio)only

RecursiveDNSResolution

• AmazonProvidedDNS:default,preferred

• CannotresolveUniversity-restrictedDNSzones• ad.uillinois.edu• reverse-mappingzonesforRFC1918privateIPv4space

• oncampus• inAWSEnterpriseVPCs(ifmanagedinIPAM)

RecursiveDNSResolution(Options)

BuildingYourEnterpriseVPC

1. Planyourrequirements• Whichfeatures?• Whatsubnets?(types,sizes,AvailabilityZones)• HowmuchprivateIPv4space?

2. RequestallocationfromTechnologyServices3. DeployusingInfrastructure-as-Code(IaC)• Download,customize,run!• Terraform

SeeKnowledgebasefordetails.

EyeTest




ØUsingActiveDirectoryintheCloud


ActiveDirectoryHybridArchitecture

HAB

PPSB

DCL

Node9

“Urbana”ADSite “Chicago”ADSite

RRB30s

“Radius”ADSite

RRBDCL

“AWS”ADSite

EC2 EC2

Zone Zone

US-East-2(Ohio)RegionCoreServicesVPC

360s900s

ADExtendedtoAWS

VPCPeerConnection

EnterpriseServicesVPC

Public-facingsubnet10.x.y.0/27

EC2

Campus-facingsubnet10.x.y.64/27

Campus-facingsubnet10.x.y.128/27

AvailabilityZone

LDAP(389)LDAPS(636)Keberos (88)

EC2

EC2

AvailabilityZone

CoreServicesVPC

Campus-facingsubnet10.224.n.64/27

AvailabilityZone

Campus-facingsubnet10.224.n.96/27

AWSDC1

AWSDC2

ELB

ldap-ad-aws.ldap.illinois.edu:389krb-ad-aws.kerberos.illinois.edu:88

SupportforDomain-Join

• Previouslyunsupported• Announcingfullsupporttoday!June8th,2017• ADSiteBoundariesforAWSIPspace• PreferredforAWScampus-facingsubnets• Reducedfunctionalityforprivate-facingandpublic-facingsubnets

SupportforDomain-JoinforEnterpriseVPCs

Privatesubnet

Campus-facingsubnet

Public-facingsubnet

PasswordSynchronization 15 mindelay ü 15 mindelay

AD SiteFailover û ü ûGlobalCatalogLookup û ü ûDynamic DNS ü ü ü*

*DDNSregistersprivateIPonly.Bestpracticeistoalwaysusecampus-publishedDNS(IPAM)forapplicationuse.Never publicizetheAD-registeredIPorDNShostname.

What’snext?

• EvaluateneedforLDAPoverSSL(port636)• ExploringAmazonIAMIntegration• EvaluateAWS-hostedADoptions• AWSDirectoryServicesforMicrosoftAD• SimpleAD• ADConnector

• Whatelsedoyouneed?





ØThereAndBackAgain:aPacket’sJourneyfromUIUCtoAWS

AWSUSRegions

ToAWSFromCampus

DifferentWaysNetworksConnecttoAWS

UofI toInternet2tous-east-2

UofI toWiscNet tous-east-2

Resources

• http://aws.illinois.edu• Knowledgebase:searchfor“AWS”• [email protected]

• DavidZych<[email protected]>• ErikColeman<[email protected]>• PhilWinans <[email protected]>

2017SpringITPF-Enterprise Infrastructure in the …...Deploy using Infrastructure-as-Code (IaC)...

Documents

Transcript of 2017SpringITPF-Enterprise Infrastructure in the …...Deploy using Infrastructure-as-Code (IaC)...