Transcript of: Simplify & Standardise Your Migration to AWS with a … · 2017-11-02 · Fine-grained control of...
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Mahmoud ElZayet - Solutions Builder
Tuesday 31st October 2017
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
LONDON
Planning a Migration? Key Questions to consider
• How do we configure our AWS environment?
• What are best practices for Security and Compliance?
• How do we build a Cloud Operating Model?
• How do we develop a business case?
• What types of migration will we use?
• What is our application portfolio?
• What are our key drivers?
• Which partners are we going to use?
What is an AWS Landing Zone?
• A baseline secure multi-account AWS environment configured based on best practices
• A starting point for your application migration journey
• An environment that allows for iteration & extension over time
What to Expect from the Session
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Cloud Adoption Framework: Understand, Build, Engage, Operate
Application Migration: Create Landing Zone → Migrate Apps → Operate & Optimise
Landing Zone Journey
Start → Accounts → Network → Security → Identity & Access → Operational Automation → What's Next? → Migrate → Iterate → Operate & Optimise
Topics along the journey: Central Services, Domains, Direct Connect, Logging, Config, Access, Identities, Federation, Automation, Service Catalog, Imaging, Infrastructure Request, End User Interaction
Current State: Typical Enterprise Situation
(Diagram: Governance & Service Management, Central IT, Lines of Business, Provisioning)
Characteristics:
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
Agility versus Control: How to choose?
Business & Business IT: "We want agility, so we can innovate in our business"
Central IT: "I need control, so I can protect our business"
Current State: Opportunity to achieve Agility and Control
(Diagram: Lines of Business and Cloud IT Consumers consume Landscapes & Automation; Central IT provides the Landing Zone: Templates, Policy & Best Practices, Guiding Principles, Landscape Management, Automation, Security, Monitor & Respond)
Opportunities:
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
Account Structure
• Don't overdo on Day One
• Use separate accounts for: Security and Compliance Isolation (production, non-prod, logging); Cost Allocation; Resource Management and Ownership
Account Structure (diagram)
Central Accounts: Billing, Security and Audit, Shared Services
Application Accounts: Dev & Test, Mobile, IoT, Business Apps, Digital Platforms, Analytics, Production Generic, Production Critical (option: per AWS Region)
Initial Account Structure: Different Perspectives
• Billing Account Structure: Consolidated Billing for the Security & Audit Account, Shared Services Account and Application Account(s)
• Security & Audit Account Structure: Logs flow in from the Billing Account, Shared Services Account and Application Account(s)
• Shared Services Account Structure: VPC Peering with the Application Account(s), alongside the Billing Account and Security & Audit Account
• Application Account Structure: Peering to the Shared Services Account, Logs to the Security & Audit Account, Billing to the Billing Account
Manage Multiple Accounts: CloudFormation StackSets
(Diagram: a Stack Set in the Payer / Administrator Account applies one Template to each Region, creating a Stack in every Target Account: A, B, C, D, E …)
Manage Multiple Accounts: AWS Organizations
(Diagram: Root → OUs → Accounts A, B, C; a Stack Set looks up the accounts in an OU and deploys to them)
Individual VPC Patterns
• Hybrid 2-tier (public and private)
• Internal-only
• Internet-only
• Hybrid 3-tier (Presentation/Application/Data)
AWS Quick Start: Scalable VPC; PCI DSS

Multiple VPN/DX VIFs: Connect Applications running in multiple VPCs to your DC
• Leverage existing AWS Direct Connect to route traffic between VPCs
• Offers customers the ability to incorporate transitive routing
• Need to create more than 100 connections per VPC
AWS Answers: How do I connect multiple VPCs in a single AWS Region?

Multi-VPC Partially Meshed: VPC Peering
• Can create multiple VPCs within the same or different region/account
• Do not require full connectivity between all of their VPCs
• Central shared services VPC
• Multiple VPCs that need access to shared resources but not to each other
• Require fewer than 100 peering connections per VPC
AWS Answers: How do I share a single VPN connection with multiple VPCs?

Transit VPC
• Uses customer-managed EC2 VPN instances in a dedicated transit VPC with an IGW
• Implements a transit VPC
• Want more advanced connection types, such as inter-region connectivity, or multi-VPC connectivity to on-premises resources
AWS Answers: How do I build a global transit network on AWS?
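The partially meshed pattern above hinges on two properties of VPC peering: peered CIDRs must not overlap, and peering is not transitive, so a spoke that is peered only with the shared-services hub gets no path to the other spokes unless you add one. The following added example (not from the deck or any AWS Quick Start) plans hub-and-spoke peering for a small landing zone; the VPC names and CIDRs are constructed and the pcx-* ids are placeholders for the connection ids AWS assigns.

```python
"""Hub-and-spoke VPC peering plan for a shared-services landing zone.

Added example, not from the deck: VPC names and CIDRs are constructed, and
pcx-* ids are placeholders for the peering connection ids AWS assigns.
"""
import ipaddress
from itertools import combinations

# Per-VPC peering count the deck uses as the cut-over point to the DX VIF / Transit VPC patterns.
MAX_PEERINGS_PER_VPC = 100


def find_overlaps(vpcs):
    """Return (name, name) pairs whose CIDRs overlap.

    Peering cannot be established between VPCs with overlapping address
    space, so this is the first check when laying out the address plan.
    """
    return [
        (a, b)
        for (a, cidr_a), (b, cidr_b) in combinations(vpcs.items(), 2)
        if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))
    ]


def full_mesh_count(n):
    """Peering connections a full mesh of n VPCs needs (grows quadratically)."""
    return n * (n - 1) // 2


def hub_spoke_plan(vpcs, hub):
    """Peer every spoke with the hub only.

    Because peering is not transitive, the route tables built here give each
    spoke exactly one cross-VPC route (to the hub) and the hub one route per
    spoke; spokes have no route to each other.
    """
    overlaps = find_overlaps(vpcs)
    if overlaps:
        raise ValueError(f"overlapping CIDRs, cannot peer: {overlaps}")
    spokes = [name for name in vpcs if name != hub]
    if len(spokes) > MAX_PEERINGS_PER_VPC:
        raise ValueError("hub would exceed the per-VPC peering limit; use the DX VIF or Transit VPC pattern")
    peerings = []
    routes = {name: {} for name in vpcs}      # vpc -> {destination CIDR: target}
    for spoke in spokes:
        pcx = f"pcx-{hub}-{spoke}"            # placeholder peering connection id
        peerings.append((hub, spoke, pcx))
        routes[hub][vpcs[spoke]] = pcx
        routes[spoke][vpcs[hub]] = pcx
    return {"peerings": peerings, "routes": routes}


# Constructed landing-zone address plan.
EXAMPLE_VPCS = {
    "shared-services": "10.0.0.0/16",
    "app-dev": "10.1.0.0/16",
    "app-prod": "10.2.0.0/16",
}

if __name__ == "__main__":
    plan = hub_spoke_plan(EXAMPLE_VPCS, "shared-services")
    print(f"full mesh: {full_mesh_count(len(EXAMPLE_VPCS))} peerings, hub-and-spoke: {len(plan['peerings'])}")
    for vpc, table in plan["routes"].items():
        print(vpc, table)
```

`full_mesh_count` makes the deck's 100-connection threshold concrete: twenty fully meshed VPCs already need 190 peerings, which is why the shared-services hub pattern, or Direct Connect / Transit VPC beyond the limit, is preferred.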
Set Per-Account Security Baseline: Configuration of the security baseline
• Access Control: AWS Identity and Access Management (IAM); IAM password and other policies
• Auditing and Governance: AWS Config centrally stores configuration changes; AWS CloudTrail centrally stores audit logs in an Amazon S3 bucket (security logs) in the Security Log Account
• Security Notifications: AWS CloudWatch Alerts alert and send security notifications
(Diagram: the Security Log Account receives logs from the Billing Account, Shared Services and the Application Accounts; supporting services: AWS Organizations, Amazon VPC, AWS Directory Service, AWS Service Catalog)
AWS Quick Start: quickstart-compliance-common (GitHub)
AWS Labs GitHub: aws-config-rules
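The central log bucket in the Security Log account is only as trustworthy as its bucket policy: the CloudTrail service must be able to write, each source account's trail must land under its own prefix, and nothing else should be able to write or read. The following added example (not from the deck or the compliance Quick Start) generates such a policy and audits it for the common weaknesses; the bucket name, prefix and account ids are constructed.

```python
"""Bucket policy for the central CloudTrail log bucket in the Security Log account.

Added example, not from the deck: bucket name, prefix and account ids are
constructed. The two Allow statements have the shape CloudTrail needs
(GetBucketAcl on the bucket, PutObject with the bucket-owner-full-control
ACL) and are scoped to each source account's own key prefix.
"""
import json
import re

LOG_BUCKET = "example-org-cloudtrail-logs"                           # constructed
LOG_PREFIX = "AWSLogs"                                                # CloudTrail's default key prefix
SOURCE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]    # constructed ids

# A CloudTrail write grant should look like arn:aws:s3:::<bucket>/<prefix>/<12-digit account>/*
WRITE_ARN = re.compile(r"^arn:aws:s3:::[^/]+/[^/]+/\d{12}/\*$")


def cloudtrail_bucket_policy(bucket, account_ids, prefix=LOG_PREFIX):
    """Policy that lets CloudTrail (and nothing else) deliver logs, TLS only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/{acct}/*" for acct in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy):
    """Findings that weaken a central log bucket: open Allow, unscoped write, no TLS-only Deny."""
    findings = []
    tls_deny = False
    for st in policy["Statement"]:
        sid = st.get("Sid", "?")
        principal = st.get("Principal")
        if st["Effect"] == "Allow" and principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: Allow granted to any principal")
        if st["Effect"] == "Allow" and "s3:PutObject" in as_list(st.get("Action", [])):
            for arn in as_list(st["Resource"]):
                if not WRITE_ARN.match(arn):
                    findings.append(f"{sid}: write not scoped to <bucket>/<prefix>/<account>/*: {arn}")
        if st["Effect"] == "Deny" and st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_deny = True
    if not tls_deny:
        findings.append("no Deny for requests without TLS (aws:SecureTransport)")
    return findings


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(LOG_BUCKET, SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_bucket_policy(policy))
```

Scoping the write grant to each account's prefix means a trail in one application account cannot overwrite another account's log objects, and the bucket-owner-full-control condition keeps the Security Log account in control of objects CloudTrail delivers.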
Build Compliance into your AWS accounts
• Implement the CIS Foundations Benchmark
• Use the UK-OFFICIAL compliance Quick Start
• Deploy the AWS Labs CIS Foundation Benchmark Checklist templates
AWS Labs GitHub: aws-security-benchmark
AWS Security Blog: Announcing Industry Best Practices for Securing AWS Resources
AWS Quick Start: UK-OFFICIAL
Log everything centrally for analysis: Centralised logging makes it easy for security teams to consolidate AWS logs and analyse them to detect incidents
(Diagram: Log → Transform → Search. Sources: VPC subnet / Amazon EC2, Flow Logs, AWS CloudTrail; stored in Amazon S3 and Amazon CloudWatch; transformed by AWS Lambda; searched in Amazon Elasticsearch Service)
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
• AWS Config logs
AWS Answers: How can I implement a centralized logging solution on AWS? What are the native AWS security-logging capabilities?
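Once CloudTrail from every account lands in one place, the detections from the CIS Foundations Benchmark referenced above (root account activity, console logins without MFA, changes that disable the trail) become a few lines of logic over the consolidated records. The following added example (not from the deck or any AWS solution) runs those three checks over a constructed CloudTrail log file; the records are made up but use CloudTrail's real field names.

```python
"""CIS-style detections over CloudTrail records.

Added example, not from the deck: the records are constructed, not real
log data, but follow CloudTrail's JSON shape (a top-level "Records" array).
"""
import json

# Constructed sample log, as CloudTrail delivers it to S3 (gzip removed).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-10-31T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-10-31T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-10-31T09:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/bob"}},
    {"eventTime": "2017-10-31T09:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"}},
]})

# API calls that switch off or weaken the audit trail itself.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect(records):
    """Return (rule, accountId, eventName) tuples for every matching record."""
    alerts = []
    for r in records:
        ident = r.get("userIdentity", {})
        acct = ident.get("accountId", "?")
        name = r.get("eventName")
        if ident.get("type") == "Root":
            alerts.append(("root-activity", acct, name))
        if (name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa", acct, name))
        if name in TRAIL_TAMPER:
            alerts.append(("cloudtrail-tampering", acct, name))
    return alerts


def detect_from_json(text):
    """Parse one CloudTrail delivery file and run the detections over it."""
    return detect(json.loads(text)["Records"])


if __name__ == "__main__":
    for alert in detect_from_json(SAMPLE_LOG):
        print(*alert)
```

In the centralised pipeline from the diagram this function is what the Lambda "Transform" step would run before indexing, so each alert carries the source account id and can be routed to the CloudWatch security notifications from the baseline slide.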
Choose how to start your compute: Private images or import your current ones
(Diagram: AMI catalogue → Launch instance (EC2) → Running instance → Configure instance → Your instance; layers: Operating system, User administration, Whitelisting and integrity, Malware and IPS, Vulnerability management, Audit and logging, Hardening and configuration)
Configure your environment as you like. Options to create or import your own 'gold' images:
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
4. Bootstrapping a base AMI
AWS Marketplace: CIS Hardened AMIs
AWS DevOps Blog: How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer
Identity and Access Management: Control access and segregate duties everywhere
• You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID-compatible Identity Providers (IdPs).
• You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator, and test them with the policy simulator
(Diagram: AWS account owner; Corporate Data Center; Browser interface; Identity Store)
Identity and Access Management: Identity Federation
(Diagram: AD Group → Identity and authentication → Mapping to specific IAM role with access policy → Access to AWS)
Select an Identity Federation Option
• Cross-Account Roles with IAM
• Cross-Account Roles with AWS Directory Service
• SAML Federation
• Custom Identity Broker
Example: Cross-Account Roles with AWS Directory Service
AWS Answers: How do I manage multiple AWS accounts for security purposes?
(Diagram: users in AWS Directory Service in the Shared-services account "switch role" into the Sub-accounts (Billing, Security, Application))
• Users and groups are managed in one account (Shared-services) using AWS Directory Service
• IAM roles in every account are used for fine-grained authorization
• Can be integrated with on-premises user directory for authentication
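In the cross-account pattern just described, the security of each sub-account rests on the trust policy of the role that Shared-services users switch into: it must name the Shared-services account as the only trusted principal and, for the MFA requirement the deck calls out, carry an `aws:MultiFactorAuthPresent` condition. The following added example (not from the deck or the AWS Answers solution) builds such a trust policy, checks a policy for the two weaknesses that matter most, and models the directory-group-to-role mapping; account ids, role and group names are constructed.

```python
"""Cross-account role trust policy for the 'switch role' pattern, plus a check.

Added example, not from the deck: account ids, role and group names are
constructed. Users authenticate in the Shared-services account and assume a
role in each sub-account; the trust policy below is what the sub-account
role carries, and GROUP_TO_ROLE stands in for the AD-group-to-role mapping.
"""
import json

SHARED_SERVICES_ACCOUNT = "111111111111"   # constructed
SECURITY_ACCOUNT = "222222222222"          # constructed

# Constructed mapping ("Mapping to specific IAM role with access policy").
GROUP_TO_ROLE = {
    "aws-security-auditors": f"arn:aws:iam::{SECURITY_ACCOUNT}:role/SecurityAudit",
    "aws-security-admins": f"arn:aws:iam::{SECURITY_ACCOUNT}:role/SecurityAdmin",
}


def cross_account_trust_policy(trusted_account, require_mfa=True):
    """Trust policy letting principals in trusted_account assume this role, MFA-gated by default."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Flag AssumeRole grants to any principal and grants without an MFA condition."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append("role assumable by any AWS principal")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("AssumeRole allowed without aws:MultiFactorAuthPresent")
    return findings


def roles_for_groups(groups):
    """Roles a federated user may switch into, given their directory group membership."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


if __name__ == "__main__":
    policy = cross_account_trust_policy(SHARED_SERVICES_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
    print("roles for auditors:", roles_for_groups(["aws-security-auditors", "domain-users"]))
```

Trusting the account root (`arn:aws:iam::<account>:root`) delegates the choice of which users or groups may switch to the trusted account's own IAM policies, which is exactly where the deck puts user and group management; the permissions policy attached to the role in each sub-account then does the fine-grained authorization.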
Agility and Control: AWS Service Catalog and Marketplace
(Diagram: Organizations want to Standardise, Control, Govern; Developers want Agility, Self-Service, Time to Market)
…allows organizations to create and manage catalogs of IT services and software on AWS
Key Features:
• Tag Enforcement
• Portfolio-level IAM access
• Denial of end-user access to underlying services
• Constrain CloudFormation parameters
• Share portfolios
• Version & re-use products
• API, CLI, Console
• AWS Marketplace to AWS Service Catalog copy
AWS Ops Automator
• Automation Framework
• Central Administration
• Multi-Account/Multi-Region
• Pre-built Actions
• Custom Actions (auto-retry, logging, concurrency, etc.)
AWS Answers: https://aws.amazon.com/answers/infrastructure-management/ops-automator/

EC2 instance scheduler
(Diagram: a CloudWatch rule triggers the Scheduler Lambda function, which runs under the Scheduler role and reads the Scheduler configuration table and the Instance state table; IAM cross-account roles control access to the AWS accounts; the scheduler acts on tagged EC2 instances for one or more AWS accounts and writes EC2 instance information to CloudWatch Logs and CloudWatch Metrics; the CloudFormation scheduler stack, a single template, deploys all solution components)
AWS Answers: How do I automatically start and stop my Amazon EC2 instances?
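The scheduler diagram above reduces to one decision loop: read the schedule named by each instance's tag from the configuration table, compare the schedule's desired state at the current time with the instance's actual state, and emit a start or stop only where they differ. The following added example (not the AWS solution's code) implements that loop offline; the tag key, the schedule definitions and the instance inventory are constructed, and an unknown schedule name deliberately yields no action so that a mistyped tag can never stop an instance.

```python
"""Tag-driven start/stop decisions, the core of an EC2 instance scheduler.

Added example, not the AWS solution's code: the tag key, the schedule
definitions (standing in for the scheduler configuration table) and the
instances are constructed.
"""
from datetime import datetime, time

SCHEDULE_TAG = "Schedule"   # assumed tag key

# Constructed schedule configuration; weekdays are Monday=0 .. Sunday=6.
SCHEDULES = {
    "office-hours": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "stop": time(18, 0)},
    "always-on": "running",
}


def desired_state(schedule_name, now):
    """'running', 'stopped', or None when the schedule name is unknown."""
    sched = SCHEDULES.get(schedule_name)
    if sched is None:
        return None                       # unknown schedule: take no action
    if sched == "running":
        return "running"
    in_window = now.weekday() in sched["days"] and sched["start"] <= now.time() < sched["stop"]
    return "running" if in_window else "stopped"


def plan_actions(instances, now):
    """Return (instance_id, 'start'|'stop') for instances whose state differs from their schedule."""
    actions = []
    for inst in instances:
        name = inst["tags"].get(SCHEDULE_TAG)
        if name is None:
            continue                      # untagged instances are out of scope
        want = desired_state(name, now)
        if want is None or want == inst["state"]:
            continue
        actions.append((inst["id"], "start" if want == "running" else "stop"))
    return actions


# Constructed inventory (what DescribeInstances would return, reduced to the fields used).
INSTANCES = [
    {"id": "i-dev-1", "state": "running", "tags": {SCHEDULE_TAG: "office-hours"}},
    {"id": "i-dev-2", "state": "stopped", "tags": {SCHEDULE_TAG: "office-hours"}},
    {"id": "i-prod-1", "state": "stopped", "tags": {SCHEDULE_TAG: "always-on"}},
    {"id": "i-prod-2", "state": "running", "tags": {}},
    {"id": "i-prod-3", "state": "running", "tags": {SCHEDULE_TAG: "ofice-hours"}},   # typo in tag value
]

if __name__ == "__main__":
    # Tuesday 31 October 2017, 20:00: dev instances should be off, always-on should be up.
    print(plan_actions(INSTANCES, datetime(2017, 10, 31, 20, 0)))
```

Keeping the decision pure (state in, actions out) is what lets the same function run under the cross-account Scheduler role against many accounts and be unit-tested without touching EC2; the real solution persists the last observed state in the Instance state table so a manual start during office hours is not immediately undone.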
What have we built so far? High-level Architecture
(Diagram components: Security Account (Logging Buckets, Centralised Logging, Analytics, Cost Optimization Monitor); Shared Services Account; Billing Account; Stack Set Admin Account (Stack Sets, Stand Alone Templates); Application Accounts; building blocks: Scalable VPC Quick Start, Cross Account Manager (CAM) with CAM Sub-Accounts, VPC Flow & Instance Logs, CloudTrail, Config & IAM Baseline, Ops Automator / Instance Scheduler)
Managing to the Portfolio Value
Portfolio Tier | Requirements | Operations Model | Approx. % of Portfolio* | IT Spend Against Portfolio
Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
Table Stakes | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Automated-Traditional | 60% | 30% - 40%
*estimated numbers
Provided Under NDA
Increasing Levels of Effort with Increasing Levels of Return
Running Multi-Modal Migrations
(Diagram: Value against Automation and Maturity, across three modes. Mass Migration: Capex to Opex, Cost Out, Facilities Closure, Consistent Operations, Traditional Operations + Operational Transition, Cloud Capable Applications. Re-platform / Refactor: Capex to Opex, Nascent Services, Cloud COE Managed Services, Automated Operations, Cloud Aware Applications. Re-architect: Serverless Compute, Continuous Integration, Disruptive Technology, Maximum Efficiency, Advanced Architecture, Development and Operations)
Executing Multi-Modal Migrations
(Diagram: Program plan over Sprint 1 to Sprint 7: Deploy Landing Zone, then Extend, Integrate and Manage Landing Zone; Migration Business Case; Discovery Prep, Discovery, Pipeline Generation, Migration Patterns Creation; Brown and Green tracks covering Discovery, Re-Host, Re-Factor, Complex App (single sprint), Greenfield Migrations and Innovation)
Key Take-Aways
• Configuring your AWS environment to match your operations and migration needs is a key step in your cloud journey
• Maximise automation, including cost optimization (i.e. resize instances, on-off schedules)
• Check aws.amazon.com/answers for guidance and packaged solutions helping you to build your own Landing Zone
• Be agile for your Migrations, not everything can be planned upfront
Thank you!
LONDON
Landing Zone Resources (1/3)
Cost Optimization Monitor: https://aws.amazon.com/answers/account-management/cost-optimization-monitor/
Scalable VPC Quick Start: https://docs.aws.amazon.com/quickstart/latest/vpc/
PCI DSS Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-pci/
How do I connect multiple VPCs in a single AWS Region?: https://aws.amazon.com/answers/networking/aws-single-region-multi-vpc-connectivity/
How do I share a single VPN connection with multiple VPCs?: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
How do I build a global transit network on AWS?: https://aws.amazon.com/answers/networking/aws-global-transit-network/
Microsoft Active Directory: https://aws.amazon.com/quickstart/architecture/active-directory-ds/
How do I ensure I set up my AWS account securely?: https://aws.amazon.com/answers/security/aws-secure-account-setup/
How do I set up AWS Identity and Access Management (IAM) for my organization?: https://aws.amazon.com/answers/security/aws-iam-in-practice/
Landing Zone Resources (2/3)
Compliance Quick Start: https://github.com/aws-quickstart/quickstart-compliance-common
CIS Security Benchmark: https://github.com/awslabs/aws-security-benchmark
Security Blog: Announcing Industry Best Practices for Securing AWS Resources: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/
UK-OFFICIAL Compliance Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-uk-official/
How can I implement a centralized logging solution on AWS?: https://aws.amazon.com/answers/logging/centralized-logging/
What are the native AWS security-logging capabilities?: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
CIS Hardened AMIs: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer: https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/
How should I manage multiple AWS accounts for security purposes?: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
Landing Zone Resources (3/3)
User Access Management Module: http://www.awslandingzone.com/modules/landing-zone-user-access.pptx
How do I monitor the cross-region replication of my Amazon S3 objects?: https://aws.amazon.com/answers/infrastructure-management/crr-monitor/
AWS Ops Automator: https://github.com/awslabs/aws-ops-automator
DynamoDB Continuous Backup Utility: https://github.com/awslabs/dynamodb-continuous-backup
How do I automatically start and stop my Amazon EC2 instances?: https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
How do I receive notifications as I approach AWS service limits?: https://aws.amazon.com/answers/account-management/limit-monitor/