This document discusses best practices for deploying mission critical workloads on AWS. It defines mission critical workloads as those that must be secure, available, and resilient. It provides examples of customers like Capital One and News UK successfully running critical applications on AWS infrastructure. The document outlines the security, reliability, performance and scale benefits AWS provides including availability zones, encryption options, and services like CloudTrail and VPC. It argues AWS allows customers to securely run a wide variety of critical applications at a lower cost than traditional data centers.
2. What You Will Learn
Walk through the best practices for deploying business critical applications
Dive deep into fault tolerant and high performance architectures
Learn about securing sensitive data and workloads in the AWS cloud
4. Anatomy of a critical workload
Secure: holds sensitive data; liability if breached or deleted
Available: large-scale customer impact if not available
Resilient: loss of data, destruction of IP, productivity penalty
Material Impact: >100 users, >$10K per minute, contractual liability
6. Customer Success Story
Capital One is using AWS as a central part of its technology strategy. As a result,
the bank plans to reduce its data center footprint from eight to three by 2018.
Capital One is one of the nation’s largest banks and offers credit cards, checking
and savings accounts, auto loans, rewards, and online banking services for
consumers and businesses. It is using or experimenting with nearly every AWS
service to develop, test, build, and run its most critical workloads, including its new
flagship mobile-banking application.
"The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
– Rob Alexander, Capital One's CIO
7. Customer Success Story
Orion Health is a health-specific software company that develops modern and
creative solutions for healthcare organizations across the globe. By working with
APN consulting partner, Logicworks, and using AWS the company built Cal
INDEX, one of the largest health information exchanges in the US. By using AWS,
Orion Health can scale its platform to handle millions of patient records and build
HIPAA-compliant solutions for its customers.
8. Customer Success Story
The company migrated some of its enterprise applications including SAP
Business Objects, SAP GRC, and Oracle Enterprise Manager from traditional
data centers to AWS. By using AWS, the publisher has shortened its time to
market for new development projects from 6 months to 1 day and reduced its data
center footprint from six to two facilities.
“In particular, the AWS focus on overall security, the ability to isolate systems from the Internet while
running in the cloud, and the ability to encrypt data with our own managed keys addresses our
requirements better than alternative solutions.”
– Mike Wedderburn-Clarke, Infrastructure Architect at News UK
10. Why run critical workloads on AWS
Experience: building and managing cloud since 2006
Scale: 12 regions, 33 availability zones, 54 edge locations
Ecosystem: thousands of partners; 2,500+ Marketplace products
Performance: extensive VM and network performance options
Security & Reliability: security in layers approach and 99.95% application SLA
*as of July 31, 2014
11. Security
A few of our many certifications:
Secured premises
Secured access
Built-in firewalls
Unique users
Multi-factor authentication
Private subnets
Encrypted data storage
Dedicated connection
12. AWS Foundation Services
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
13. AWS Global Infrastructure
[Figure: world map of AWS Regions and Edge Locations]
• Over 1 million active customers across 190 countries
• 800+ government agencies
• 3,000+ educational institutions
• 12 regions (2016: USA, India, UK)
• 33 availability zones
• 54 edge locations
14. Reliability & Scale: Availability Zones
[Figure: mesh of Availability Zones (AZ) connected to two Transit Centers]
• Mesh of Availability Zones (AZ) and Transit Centers
• Redundant paths to transit centers
• Transit centers connect to:
– Private links to other AWS regions
– Private links to customers
– Internet through peering & paid transit
15. Example AWS Availability Zone
[Figure: Availability Zones, each built from one or more data centers, connected to Transit Centers]
• 33 zones world-wide
• All regions have 2 or more zones
• Each zone is 1 or more DC
– No data center is in two zones
– Some zones have as many as 6 DCs
16. Example AWS Data Center
• Single DC is typically between 50,000 & 80,000 servers!
18. COTS workloads in AWS
Deploy highly available applications
BYOL or pay per use
Security in layers approach helps with compliance
Leverage multi-AZ architectures for reliability & availability
19. Critical Applications
Today AWS customers run a wide array of business applications; companies of all sizes run business applications on AWS.
Vendor Applications:
SAP Business Suite, Netweaver, BusinessObjects, B1, HANA
Oracle eBusiness, PeopleSoft, Siebel, JDE, Database 11g/12c
Microsoft SharePoint, Exchange, Dynamics, SQL Server
IBM Websphere, DataStage
Infor LN, M3, Syteline, Lawson
20. Key Enablers
Enterprise Agreement (Commercial and Legal): Data Sovereignty; Regulation; Liability and IP Ownership
Direct Connect (Private Link to AWS): Non-Public Applications; Cost Reduction; Public Endpoint Access
Enterprise Support (Proactive Engagement): Infrastructure Event Management (IEM); 15 Minute Response; Proactive Support
21. Consolidated Billing: Payer and Linked Accounts
[Figure: a Master Consolidated Billing AWS Account (payer account owner) linked to a Production AWS Account and a Non-Production AWS Account (linked account owners); IAM users in the payer account, including a billing user, reach the linked accounts through a Cross Account Role]
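The cross-account role in the diagram is what lets a user in the payer account work in a linked account without a second set of credentials, so its trust policy decides who can cross that boundary. The following is an added example, not code from the slide deck or from AWS: it builds a trust policy for a role in a linked account that only one billing IAM user in the payer account may assume, and audits any trust policy for the common weaknesses (wildcard or account-root principal, no ExternalId, no MFA). The account IDs, the user name and the ExternalId are constructed placeholders.

```python
"""Added example: build and audit the trust policy of a cross-account role.

Account IDs, user name and ExternalId below are constructed placeholders."""
import json

PAYER_ACCOUNT_ID = "111111111111"   # constructed: master (payer) account
LINKED_ACCOUNT_ID = "222222222222"  # constructed: production (linked) account


def trust_policy(payer_account_id, billing_user, external_id):
    """Trust policy for a role created in a linked account.

    Only the named billing IAM user in the payer account may assume it, and
    only when it presents the agreed ExternalId from an MFA-authenticated session.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{payer_account_id}:user/{billing_user}"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        }],
    }


def audit_trust_policy(policy):
    """Return a list of findings describing who can assume the role too freely."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif p.endswith(":root"):
                findings.append(f"account-root principal {p}: any identity in that account "
                                "with sts:AssumeRole permission can assume the role")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("MFA not required to assume the role")
    return findings


if __name__ == "__main__":
    policy = trust_policy(PAYER_ACCOUNT_ID, "billing-reader", "constructed-external-id")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))   # prints: findings: []
```

The trust policy only controls who may assume the role; what the role can do in the linked account comes from the permission policy attached to it, which for a billing user should be read-only.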
22. Availability Zone 1, Availability Zone 2
[Figure: one VPC (CIDR block 10.0.0.0/16) spanning Availability Zone 1 and Availability Zone 2, with VPC subnets in each zone (instances 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.3.5, 10.1.0.5, 10.1.0.6) behind Elastic Load Balancing facing the Internet; a Virtual Private Gateway terminates a VPN Connection from the Customer Gateway in the Customer Data Center; S3 for storage]
23. Have we met the objectives?
Secure: encrypted EBS, IPsec VPN, Security Groups
Available: two AZs, Auto Scaling, Elastic Load Balancing
Resilient: replicated DB, dual AZ, 99.999999999% S3 durability, Auto Recovery
Material Impact: no data loss, encryption, auto-healing
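The "two AZ" and "dual AZ" objectives are met by the subnet plan, not by any single service, so the plan is worth checking before the VPC is built. The following added example (not code from the slide deck or from AWS) takes the /16 from the VPC diagram and a constructed set of subnets, then reports subnets that fall outside the VPC CIDR, subnets that overlap, and tiers that are not spread over at least two Availability Zones. The subnet CIDRs, tier names and zone labels are assumptions for the example.

```python
"""Added example: sanity-check a VPC subnet plan against the availability objective."""
import ipaddress
from collections import defaultdict

# Constructed sample plan. The /16 is the CIDR block from the slide; the
# subnets, AZ names and tiers are assumptions for the example.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    {"name": "web-a", "tier": "web", "az": "az1", "cidr": "10.0.0.0/24"},
    {"name": "web-b", "tier": "web", "az": "az2", "cidr": "10.0.1.0/24"},
    {"name": "db-a",  "tier": "db",  "az": "az1", "cidr": "10.0.2.0/24"},
    {"name": "db-b",  "tier": "db",  "az": "az2", "cidr": "10.0.3.0/24"},
]


def check_subnet_plan(vpc_cidr, subnets, min_azs=2):
    """Return findings: subnets outside the VPC CIDR, overlapping subnets,
    and tiers that are not spread across at least min_azs zones."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    seen = []                       # (name, network) pairs already checked
    azs_by_tier = defaultdict(set)
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            findings.append(f"{s['name']}: {s['cidr']} lies outside VPC CIDR {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{s['name']}: {s['cidr']} overlaps {other_name} ({other})")
        seen.append((s["name"], net))
        azs_by_tier[s["tier"]].add(s["az"])
    for tier, azs in sorted(azs_by_tier.items()):
        if len(azs) < min_azs:
            findings.append(f"tier {tier}: only in {sorted(azs)}, "
                            f"needs {min_azs} AZs for the availability objective")
    return findings


if __name__ == "__main__":
    for finding in check_subnet_plan(VPC_CIDR, SUBNETS) or ["plan OK"]:
        print(finding)
```

A tier that exists in only one zone is the case that silently defeats the multi-AZ design: the load balancer and Auto Scaling can only place instances in subnets that exist, so the check belongs in whatever pipeline creates the VPC.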
25. AWS CloudTrail
CloudTrail can help you achieve many tasks:
Security analysis
Track changes to AWS resources, for example VPC security groups and NACLs
Compliance – log and understand AWS API call history
Prove that you did not:
– Use the wrong region
– Use services you don’t want
Troubleshoot operational issues – quickly identify the most recent changes to your environment
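Each of the tasks on the slide is a question you can put to the CloudTrail records directly. The following added example (not code from the slide deck or from AWS) scans a constructed CloudTrail log file in the `{"Records": [...]}` layout CloudTrail writes to S3 and reports security-group or NACL changes, calls made outside an approved set of regions, and calls to services that are not on an approved list. The approved regions and services, the user names and the resource IDs are assumptions for the example.

```python
"""Added example: scan CloudTrail records for the three questions on the slide.

The records below are constructed; account, user and resource IDs are placeholders."""
import json

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}          # assumption: approved regions
ALLOWED_SERVICES = {"ec2", "s3", "iam", "sts", "cloudtrail", "elasticloadbalancing"}
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0000000000example"}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-03-01T10:07:00Z", "eventSource": "redshift.amazonaws.com",
     "eventName": "CreateCluster", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}},
    {"eventTime": "2016-03-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def actor(record):
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def scan_cloudtrail(trail_json, allowed_regions=ALLOWED_REGIONS,
                    allowed_services=ALLOWED_SERVICES):
    """Return (category, eventName, actor, detail) tuples for records worth a look."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        service = rec["eventSource"].split(".")[0]   # ec2.amazonaws.com -> ec2
        who = actor(rec)
        if rec["eventName"] in NETWORK_CHANGE_EVENTS:
            params = rec.get("requestParameters", {})
            target = params.get("groupId") or params.get("networkAclId", "")
            findings.append(("network-change", rec["eventName"], who, target))
        if rec["awsRegion"] not in allowed_regions:
            findings.append(("wrong-region", rec["eventName"], who, rec["awsRegion"]))
        if service not in allowed_services:
            findings.append(("unapproved-service", rec["eventName"], who, service))
    return findings


if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_TRAIL):
        print(*finding)
```

Because a single record can trip more than one rule (a security-group change made in an unapproved region yields two findings), the scan keeps the rules independent rather than stopping at the first match.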
26. Out of the box…
HTTP and HTTPS requests logged with ELB logging
API and console calls logged with CloudTrail logs
Network traffic logged with VPC Flow Logs
VPC change history logged with AWS Config
IAM policy and user changes logged with AWS Config
Application-level metrics logged with CloudWatch Logs
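VPC Flow Logs are the one source in this list that shows what reached an instance rather than what was configured, so they are the natural check on the security groups. The following added example (not code from the slide deck or from AWS) parses constructed flow log lines in the default version-2 space-separated format, drops the NODATA rows that carry no addresses, counts rejected connections per destination port, and lists accepted SSH/RDP connections whose source is outside RFC 1918 address space. The ENI ID, account ID and addresses are constructed.

```python
"""Added example: parse VPC Flow Log lines (default version-2 format) and
summarise rejected traffic and admin ports reached from outside RFC 1918 space.

The log lines are constructed; the ENI and account IDs are placeholders."""
import ipaddress
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0000000000example 10.0.0.5 10.0.0.6 49152 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-0000000000example 203.0.113.12 10.0.0.5 33211 22 6 3 180 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-0000000000example 198.51.100.7 10.0.0.5 44444 3389 6 1 40 1418530010 1418530070 REJECT OK
2 111111111111 eni-0000000000example 198.51.100.7 10.0.0.5 44445 22 6 1 40 1418530010 1418530070 REJECT OK
2 111111111111 eni-0000000000example - - - - - - - 1418530010 1418530070 - NODATA
"""

# Checked explicitly: ipaddress.is_private also matches documentation ranges
# such as 203.0.113.0/24, which is not what "inside the VPC" means here.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {"22": "ssh", "3389": "rdp"}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA rows carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or non-default format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def analyse(records):
    """Count REJECTs per destination port and list admin ports accepted from outside."""
    rejected_by_port = Counter()
    admin_from_outside = []
    for r in records:
        if r["action"] == "REJECT":
            rejected_by_port[r["dstport"]] += 1
        elif (r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
              and not is_rfc1918(r["srcaddr"])):
            admin_from_outside.append((r["srcaddr"], r["dstaddr"], ADMIN_PORTS[r["dstport"]]))
    return {"rejected_by_port": dict(rejected_by_port),
            "admin_from_outside": admin_from_outside}


if __name__ == "__main__":
    print(analyse(parse_flow_log(SAMPLE_FLOW_LOG)))
```

The REJECT counts show what the security groups and NACLs are already stopping; the accepted-from-outside list is the one that should be empty for instances in the private subnets of the diagram, where only the VPN and the load balancer are expected to reach them.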
28. Environment Setup
[Figure: separate virtual private clouds for Development, Test, Pre-Prod, Production, Shared (AWS Directory Service) and Audit (VPC flow logs and AWS CloudTrail); the corporate data center (AD) connects over a VPN connection between the customer gateway and the VPN gateway]
29. How much does security cost?
Feature: Cost
Amazon VPC: $0
VPC Security Groups: $0
AWS Identity & Access Management (IAM): $0
AWS Security Token Service (STS): $0
AWS CloudTrail (service): $0
VPC Flow Logs: $0
TLS-enabled AWS API access: $0
30. Summary
Tools to secure your workload
Protect your data through encryption
Operate the way you want
A mission critical workload is more resilient, available and secure when using the AWS cloud. By leveraging our platform you can connect your critical applications seamlessly to systems running in AWS.