(SEC204) AWS GovCloud (US): Not Just for Govies
Transcript of (SEC204) AWS GovCloud (US): Not Just for Govies
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CJ Moses, GM, AWS Government Cloud Solutions
Keith Brooks, AWS GovCloud Senior Business Development Manager
October 2015
SEC204
AWS GovCloud (US): Not Just for Govies
What to expect from this session
1. Background on the AWS GovCloud (US) region
2. Overview of AWS GovCloud (US) features
3. Description of AWS GovCloud (US) users and suitable
workloads
4. Customer use case examples
Background and history
AWS GovCloud (US) features
Requirements for access to AWS GovCloud (US)
Can handle export
controlled data
US person (account holder)
US entity on US soil
AWS GovCloud (US) features
Managed by US
persons on US soil
Separate AWS
IAM and
authentication
Located in Pacific
NW (Oregon)
Data, network, and
machine isolation
AWS GovCloud (US) features
“Community Cloud”
Multiple regulatory and compliance features
Who’s using AWS GovCloud (US)
and why?
AWS GovCloud (US) adoption (chart, 2011 to 2014)
273% average YoY growth since launch (Q4 2011 to Q4 2014)
Users span various types of enterprises
US Government
Federal, state, and local
Consulting firms and
systems integrators
Technology firms
and software
vendors
Resellers
Educational
institutions
Research
organizations
Commercial
industry
Nonprofit
organizations
Managed service
providers
…but all share common characteristics
Sensitive data and applications
Strict regulatory and compliance requirements
Restricted, community cloud preference
AWS cloud platform
AWS GovCloud (US) is fit for hosting sensitive data
Agriculture, Copyright, Critical infrastructure, Export control (ITAR), Financial, Immigration, Intelligence, Law enforcement, Legal, Nuclear, Patent, Privacy (PII), Proprietary (IP), Statistical (census), Tax, Transportation
All levels of Controlled Unclassified Information (CUI)
Example workloads on AWS GovCloud (US)
Web applications and websites
Backup and recovery
Archiving
Disaster recovery
Development and test
Big data
High performance computing
Business applications
Enterprise IT
Mobile
Customer highlight: Planet Labs
Imaging the Earth Daily
Troy Toman
Director of Engineering
Planet Labs
[email protected] I @troytoman
Planet Labs Proprietary & Confidential
Size: 10 x 10 x 30cm
Mass: 4kg
Radome – April 2014
Awarua, NZ
101 satellites launched on 9 rockets
Orange River, South Africa, August 4, 2015
Forest Management
Oregon, USA
Source: Landsat 8
Date: March 23, 2014
Forest Management
Oregon, USA
Source: Planet Labs
Date: May 2, 2014
150 satellites
475 km altitude
sun synchronous orbit
30 ground stations
10 sites
370,000 images per day
<24 hours
online catalog
API for data pipeline and platform access
1000s of servers
11 TB processed daily
Spacecraft Manufacturing and Operations Data Pipeline and Production Apps
Infrastructure
Challenges
11 TB/day…every day…forever
Regulatory compliance
Agile aerospace
Dynamic use cases
Multiple products/output formats
Complex/compute intensive pipeline
Procurement
Physical security
Inventory
DC operations
Server provisioning
Private cloud ops
Network management
Hardware maintenance
What could have been…
https://creativecommons.org/licenses/by-nc/2.0/
What AWS GovCloud (US) enables
[Architecture diagram spanning the us-gov-west and us-west regions. Labels: Python (boto), AWS CLI, Amazon RDS, Amazon S3, AWS import/export, SAML, Ansible, CI, Git/GitHub, Analytics, Logging, Messaging, Ticketing, VPN gateway, Amazon Route 53, Instances, Spot instances. Groupings: Common Ops/Dev Tools, Data Pipeline, Production APIs, Spacecraft Manufacturing/Operations.]
ansible-jenkins
├── environments
│ ├── preprod.ini
│ ├── prod-current.ini
│ ├── prod-new.ini
│ ├── space.ini
│ └── test.ini
├── jenkins.yml
├── planet_roles
│ ├── apache_saml
│ ├── aptly
│ ├── aptserver
│ ├── awscli
│ ├── base
│ ├── datadog_agent
│ ├── elasticsearch
│ ├── fpm
│ ├── graphite
│ ├── jenkins
│ ├──
A Transparent Planet…
…to act on change
Commercial access to space
Space-capable consumer technology
Compliant cloud services
Universal access
Customer Highlight: CSC
Jon Check, CSGov
AWS GovCloud (US) Migration
CSC’s separation drives rapid migration of business applications to AWS GovCloud (US)
What to Expect from This Part of the Session
• Demonstrate a use case of successful, rapid migration of a large business’
application portfolio to AWS GovCloud (US).
• Provide a successful cloud migration process.
• Share reasons why we chose AWS GovCloud (US).
• Demonstrate how CSGov executed the process and migration.
• Provide success stories and lessons learned.
Our Challenge
May 19, 2015, CSC announced that its Board of Directors unanimously approved a plan to separate the company into two publicly traded, pure play leaders: one to serve commercial and government clients, and one to serve public sector clients in the US.
CSGov
Business Application Portfolios
200+ apps must
migrate by
October 1, 2015
Program Specific
Applications Types:
Collaboration
Finance
HR
Payroll
Security
Other
70,000 Employees
14,000 employees
Approximately:
250 servers (phys.
and virt.)
3 TB memory
1,300 processors
Infrastructure Types:
Physical
Virtual
Private cloud
SaaS
Data Centers
14+ data centers
SaaS providers
Data Centers
2 data centers
1 Gov CSP
SaaS providers
How Do We Attack This Problem?
We need a strong systems integrator with proven applications migration processes to discover, plan, and execute our application separation between the two separate companies.
APPLICATION DISCOVERY
OPERATIONS ONBOARDING
APPLICATION AFFINITY GROUPING
MIGRATION EXECUTION
CLOUD ADOPTION ASSESSMENT
TARGET ASSESSMENT & ARCHITECTURE
APPLICATION TREATMENTS
MIGRATION VALIDATION
OPERATIONS PLANNING
CONTINUOUS IMPROVEMENT
Migration
Process
APPLICATION DISCOVERY
Migration – Shape: CLOUD ADOPTION ASSESSMENT
CSGov Only: 49%
CSC/CSGov Shared: 40%
CSC Only: 11%
Suitability Scorecard: Tells you the ideal level at which you should be looking for a cloud-based alternative: SaaS, PaaS, IaaS.
Cloud Adoption Roadmap: Identifies treatments and prioritization based on customer requirements and target environment.
Our Targets: Physical CSGov Data Center, CSGov
Private Cloud, AWS GovCloud (US), SaaS Providers
App Inventory
App Data Flow
Diagram
Why AWS GovCloud (US)?
Requirement / AWS GovCloud (US)
• Provide rapid, self-service infrastructure provisioning enabling an aggressive migration schedule.
• Government contracts require strict security standards and CSGov aspires to provide highest security levels for our customers and our business.
• HR data will contain personally identifiable information, best protected via DoD Impact Level 4 added security controls.
• CSGov must retain ITAR compliance, and so should our cloud service provider.
• Ideally the CSP has an established relationship with CSGov.
Migration – Transform: APPLICATION AFFINITY GROUPING, APPLICATION TREATMENTS
Not Migrate: 24%
Physical (NPS Data Center): 51%
Gov Cloud: 15%
SaaS: 10%
Treatment
• Do not migrate: Application exists at a location/data center that will remain. No need to migrate at this time.
• Physical move: Ship physical architecture with applications installed to consolidated data center.
• Migrate to AWS GovCloud (US): Initiate an application migration to AWS GovCloud (US), via cloning, cloning and import/export, rebuilding, or rebuilding with import/export.
• Migrate to CSGov instance of SaaS: CSGov is sharing a SaaS implementation with CSC. Need to work with the SaaS providers to create a CSGov dedicated instance and initiate a data migration and purge.
Migration – Transform (Cont’d): MIGRATION EXECUTION, MIGRATION VALIDATION
Physical CSGov Data Center/Private Cloud
1. Data center preparation (space, power, network, staffing)
2. Application outage planning
3. Onsite installation
4. Configuration
5. Base testing
AWS GovCloud (US)
1. Partnership with Racemi
2. Move group planning
3. Discover, capture, clone, configure
4. AWS import/export
5. Some straight rebuild
SaaS Providers
1. Partnership with SaaS providers
2. Professional services
3. SaaS statement of work
4. Configuration migration/establishment
5. Base testing
• Release planning
• Reuse existing regression testing
• Manual test script execution
• User acceptance testing
• Go/no-go decision
• Go-live support period
Team used Agile methodologies to deliver the migration
execution (scrum planning, kanban execution)
Our AWS Architecture
Migration – Manage: OPERATIONS ONBOARDING, CONTINUOUS IMPROVEMENT
Integrated Technology Center (ITC) integration:
1. CSC Answers (HR Help Desk)
2. CSC Technical Help Desk
3. Network Operations & Security Center (NOSC)
Application O&M teams
1. Parallel O&M for a period of time to support rollback
2. Outage management
3. Triage
4. Scrumban teams
5. DevOps
Physical to cloud/virtual
Keep moving to the cloud!
Stateless architectures
High availability
Cloud service rich
Hybrid – VM/container/SaaS architectures
Offering enhancements
WHERE WE NEED TO BE…
WHERE WE STARTED…
WHERE WE ARE…
Lift & Shift
Optimize
Success Stories
• Hybrid environment (compute, network, storage) on physical premises,
dedicated private cloud, government community cloud, SaaS provider, all
seamless to the end user….and it works!
• Agile methodology, delivered value early, identified issues, and mitigated them
rapidly.
• CSC used its own processes and methods to take on this aggressive
application migration effort—and they worked. Lessons will improve these
migration offerings, passing on value to our customers.
• DR recovery point time reduced from days to minutes with some of these
applications. Architected for resiliency to failures.
• Use of AWS rapidly increased the time to value for our
cloud-based IaaS (compute, network and storage). Able to
execute plan in hours/days versus the weeks/months it would
have taken using alternative IaaS with same requirements.
Lessons Learned
• No magic bullet for an enterprise migration.
• Plan for bandwidth. The biggest bottleneck in an automated migration/cloning to
cloud is bandwidth. Plan ahead, expect delays for bandwidth restrictions/issues.
• Do not disregard the importance of planning, especially the target environment
planning. Much harder to move migrated resources due to poor VPC/target
network planning.
• Automation cannot migrate everything. Expect some traditional migration
methods to be required.
• No Re-IP’ing is a great goal, but not entirely possible in a large-scale migration.
• Most importantly…utilize your partner expertise, heed their advice (AWS,
Racemi, SaaS Partners, etc.).
Thank You!
Important things to remember
AWS GovCloud (US) is a physically and logically isolated region
Separate AZs, console, IAM and authentication stack, and endpoints
AWS GovCloud (US) is not just for the US Government
Users span government, commercial entities, education and nonprofits
Remember the AWS Shared Responsibility Model
AWS IAM users can be non–US persons if adhering to shared responsibility
(e.g., development teams outside of the US w/o access to ITAR data)
Learn more about AWS GovCloud (US)
AWS GovCloud (US) webpage: https://aws.amazon.com/govcloud-us/
AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
Keith Brooks, AWS GovCloud Business Development
CJ Moses, GM, AWS Government Cloud Solutions
Remember to complete
your evaluations!
Thank you!