Application Migrations
•
8 likes•2,442 views
Landing Zone for Application migrations
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Application Migrations
Similar to Application Migrations (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Application Migrations
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Wednesday July 6th , 2016 Landing Zone for application migrations Koen vd Biggelaar Sr Mgr AWS Solutions Architecture - GlobalAccounts
- 2. Application Migration Create Landing Zone Migrate Apps Operate & Optimize H
- 5. Current State Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today Migrate Operate & Optimize
- 7. Infrastructure Request Current State Typical Enterprise Situation Governance & Service Management Central IT Lines of Business Provisioning Characteristics • Lead times ~days/weeks/months • Service Catalogue of components • Often process-heavy Service Management
- 8. Monitor & Respond Templates Policy & Practices Landscape Management Current State Opportunity to achieve agility and control Automation Lines of Business Central IT Opportunities • Lead times in minutes • Service Catalogue of landscapes • Automated Service Management
- 9. Security Automation Consumers Current State Guiding Principles
- 11. Account Structure • Don’t overdo on Day One • Use separate accounts for Security and Compliance Isolation (production non-prod, logging) Cost Allocation Resource Management and Ownership
- 13. Account Structure Opportunity to create linked Accounts Create Linked Account (CLA) API • The payer account can programmatically access and manage the new accounts using cross account access and administrative privileges automatically configured during account creation. • Currently available on whitelisting basis - Connect with your AWS Account Manager or SA - Public API will be rolled out in future, you need to use these new APIs then
- 14. Account Structure Payer Billing Reports Service Catalog Logging Audit Central Services Dev & Test Mobility IoT Serverless Internal business apps Digital Platforms Option: Per AWS Region Production Generic Production Critical Central Accounts Services Accounts
- 16. Analyze your CloudTrail Logs AWS CloudTrail AWS Management Console AWS CLI SDK Your Central Amazon S3 logging bucket Analysis & Action AWS Services You make API calls … …to AWS Services, logged by CloudTrail delivered to your S3 bucket
- 17. Changing Resources Config tracks resource changes
- 18. NormalizeRecordChanging Resources Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Config tracks resource changes
- 20. Network Key Considerations Non-overlapping IP range VPC Design Access Control Lists & Security Groups Logging and Monitoring Direct Connect Subnet Design
- 21. Network Direct Connect for connecting on-prem and AWS environment Customer Gateway VPN backup Direct Connect Location Virtual Interface #1 Virtual Interface #2 Secondary Direct Connect Location ` ` Partner Network
- 22. Network Central Services in a central VPC Central common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning • Internet Proxy Production Generic Production Business Critical Central Services Non-production
- 24. You get to control who can do what in your AWS environment when and from where Fine-grained control of your AWS cloud with multi- factor authentication Integrate with your existing LDAP / Active directory using federation and single sign-on You can use AWS managed policies or customer generated policies using the policy generator and test with the policy simulator AWS account owner Identity and Access Management Control access and segregate duties everywhere
- 25. Identities and Access Control Sample Access Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances" ], "Resource": “arn:aws:ec2:::instance/*”, "Condition": { "StringEquals": { "ec2:ResourceTag" : "Dev" } } } ] } Allow or Deny access to resource Service calls allowed to be performed Resource object or objects that the statement covers Conditions to satisfy: EC2 resources must be tagged with “Dev”
- 26. Identities and Access Control Example user types with corresponding access policies IAM Master Create policies IAM Manager Assign Policies Audit Read-Only Access Managers Architect Create landscapes Storage Design and Build Network Design and Build Design DevOps API Access App Owner Landscape owner Application Owners Support Account policy Empty Role No policy Support and Operations Typical Access Policy Administrator Landscape Mgt Administrator Service Catalog Administrators
- 27. Corporate Data Center Browser interface Identity Store Identity and Access Management Federation with on-prem directory AD Group Identity and Authentication Mapping to specific IAM Role with Access Policy Access to AWS
- 29. Cloud Consumers AWS Service Catalog AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner. Administrator Users Control Standardization Governance Agility Self-service Time to market
- 30. Product = Template CloudFormation Running Stack JSON formatted file Parameter definition Resource creation Configuration actions Configured AWS services Comprehensive service support Service event aware Customisable Framework Stack creation Stack updates Error detection and rollback Administrator Interaction CloudFormation to create products
- 31. Creates portfolio and assigns product portfolio 1 Administrator Adds constraints, grant access and add tags 4 2 Creates product Authors template Administrator Interaction Managing products ProductX Versions Portfolio BPortfolio A • Users and Roles • Constraints • Tags Service Catalog 3 Landscape Architect
- 32. Agility and Control Opportunities to strengthen the handshake User generated products to foster innovation Back-end micro-services acting on the stacks Administrator Products
- 33. Browse Products 5 4 3 2 1 Portfolio Cloud Consumers Select version, Provision Product, configure parameters Deploy Notifications and outputs Notifications and outputs 4 Scheduled functions Administrator Cloud Consumer Interaction Overview
- 34. Cloud Consumer Interaction Browse Products Launch Product Available Products Launched Products
- 35. Cloud Consumer Interaction Configuring Options EC2 Instance type Schedule on/off Schedule details
- 36. End User Interaction Launched Product Launched Product details
- 37. End User Interaction Launched Product
- 38. End User Interaction Cost Overview Test IT SecurityProd Dev Prod Test Dev
- 39. AWS Service Catalog Announcing today • End User APIs are Generally Available w/SDK and CLI support • CloudTrail support for End User actions in UI and API • Product version default limit raised to 50 per product
- 40. Start Account Structure Security Network Identities & Access Cloud Consumers Our Journey Today What did we cover? Migrate Operate & Optimize
- 41. Application Migration Approach Create Landing Zone Migrate Operate & Optimize H
- 42. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you