Simplify & Standardise your migration to AWS with a Migration Landing Zone
1. Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Mahmoud ElZayet – Solutions Builder
Tuesday 23rd May 2017
2. Planning a Migration?
Key Questions to consider
• How do we configure our AWS environment?
• What are best practices for Security and Compliance?
• How do we build a Cloud Operating Model?
• How do we develop a business case?
• What types of migration will we use?
• What is our application portfolio?
• What are our key drivers?
• Which partners are we going to use?
6. What is an AWS Landing Zone?
- A baseline secure multi-account AWS environment configured based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration & extension over time
8. Landing Zone Journey
[Diagram: Start (Accounts, Domains, Direct Connect, Logging, Config, Access, Identities, Federation; Network, Security, Identity & Access, Cloud Users, Imaging, End User Interaction, Automation, Service Catalog, Central Services) → Migrate → Iterate → Operate & Optimize → What's Next?]
9. Infrastructure Request: Current State
Typical Enterprise Situation
[Diagram: Lines of Business → Central IT (Governance & Service Management) → Provisioning]
Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
10. Agility versus Control
How to choose?
[Diagram: Business & Business IT: "We want agility, so we can innovate in our business" versus Central IT: "I need control, so I can protect our business"]
11. Infrastructure Request: Opportunity to achieve Agility and Control
[Diagram: Lines of Business → Automation (Landing Zone Templates, Policy & Best Practices, Landscape Management, Monitor & Respond) → Central IT]
Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
14. Account Structure
• Don't overdo it on Day One
• Use separate accounts for:
- Security and Compliance Isolation (production, non-prod, logging)
- Cost Allocation
- Resource Management and Ownership
16. Manage Multiple Accounts
AWS Organizations
• Centrally manage multiple AWS accounts
- Simplified creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organizational control policies (OCP)
- Simplified billing
• An AWS account can be a member of only one organization
• Console, SDK, and CLI support for all management tasks
19. Network
Direct Connect for connecting on-prem and AWS environment
[Diagram: Customer Gateway → Partner Network → Direct Connect Location (Virtual Interface #1, Virtual Interface #2) and Secondary Direct Connect Location, with a VPN backup path]
20. Network
Central services in a central VPC
Central common/core services
• Authentication/directory
• Monitoring
• Logging
• Bastion host
• Remote administration
• Scanning
• Internet proxy
[Diagram: Central Services VPC connected to the Production Generic, Production Business-critical and Non-production VPCs]
22. Our Landing Zone needs to be safe and secure
Insight is the first step
• Who is accessing our Amazon accounts and what are they doing?
• How will we know if anyone breaks our security policy?
• What does the traffic on our infrastructure look like and are all of our resources isolated?
• How can we easily analyze our logs?
23. AWS CloudTrail records who is accessing APIs
[Diagram: AWS accounts make API calls on a growing set of AWS services around the world; CloudTrail is continuously recording those API calls into a central logging account, where they are stored/archived, used to troubleshoot, and monitored with alarms]
24. AWS Config informs you of policy violations
Compliance Guideline | Non-compliance Action
All storage volumes should be encrypted | Automatically encrypt storage volumes
Instances must not have unrestricted Internet access on Port 22 | Remove Port 22 access from any Internet host
Instances must be tagged with environment type | Notify developer (email, page, SNS)
Pre-configured rules: https://github.com/awslabs/aws-config-rules
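The second guideline in the table, the port 22 check, is the kind of policy a custom AWS Config rule evaluates. The code below is an added example, not from the deck or the awslabs/aws-config-rules repository; it assumes the security group description is shaped like the AWS::EC2::SecurityGroup configuration item a custom rule's Lambda receives (ipPermissions entries with ipProtocol, fromPort, toPort, ipv4Ranges, ipv6Ranges), and the sample groups are constructed.

```python
# Evaluation logic for the "no unrestricted Internet access on port 22"
# guideline: flag any ingress permission whose protocol/port range covers
# TCP 22 and is open to 0.0.0.0/0 or ::/0, naming the CIDRs to remove.

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """Collect every IPv4 and IPv6 CIDR an ingress permission grants."""
    v4 = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
    v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    return v4 + v6

def _covers_ssh(perm):
    """True if the permission reaches TCP 22; ipProtocol '-1' means all traffic."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)

def evaluate_security_group(group):
    """Return (ComplianceType, Annotation) as a Config rule would report them."""
    offending = []
    for perm in group.get("ipPermissions", []):
        if _covers_ssh(perm):
            offending += sorted(c for c in _cidrs(perm) if c in ANYWHERE)
    if offending:
        return ("NON_COMPLIANT",
                f"{group['groupId']} allows port 22 from {', '.join(offending)}")
    return ("COMPLIANT", f"{group['groupId']} has no Internet-wide port 22 rule")

# Constructed sample configuration items (hypothetical group ids).
SAMPLE_GROUPS = [
    {"groupId": "sg-bastion", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]},
    {"groupId": "sg-open", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
         "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
    {"groupId": "sg-all", "ipPermissions": [
        {"ipProtocol": "-1", "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(evaluate_security_group(g))
```

In a real rule the tuple is passed to the Config PutEvaluations API; the annotation is what the "remove Port 22 access" remediation step would act on.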
25. VPC flow logs give you network insights
• Agentless – AWS collects the logs on your behalf
• Enable per network interface, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
[Diagram: flow log record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject]
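The fields listed above are exactly what a default (version 2) VPC flow log record carries, and the "create metrics, then alarm" step starts with parsing them. The code below is an added example, not from the deck or the AWS solution; it assumes the space-separated default record format, an assumed VPC range of 172.31.0.0/16, and uses constructed log lines.

```python
# Parse VPC flow log records and derive two metrics worth alarming on:
# rejected flows per source address, and accepted SSH flows that originate
# outside the VPC. NODATA/SKIPDATA records carry "-" fields and are skipped.
from collections import Counter
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ip_network("172.31.0.0/16")   # assumed VPC range for the example

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.16.21 49152 22 6 4 240 1418530015 1418530075 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.16.21 49153 3389 6 3 180 1418530020 1418530080 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.16.21 51000 22 6 12 960 1418530030 1418530090 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530040 1418530100 - NODATA
"""

def parse_record(line):
    """Map one space-separated record to a dict; None for NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    """Return (rejects per source address, accepted SSH flows from outside the VPC)."""
    rejects, external_ssh = Counter(), []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif (rec["protocol"] == 6 and rec["dstport"] == 22
              and ip_address(rec["srcaddr"]) not in VPC_CIDR):
            external_ssh.append((rec["srcaddr"], rec["dstaddr"], rec["interface_id"]))
    return rejects, external_ssh

if __name__ == "__main__":
    rej, ssh = summarize(SAMPLE_LOG)
    print("rejects per source:", dict(rej))
    print("accepted SSH from outside the VPC:", ssh)
```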
27. Log everything centrally for analysis
The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.
[Diagram: Amazon EC2 logs, VPC subnet flow logs and AWS CloudTrail are collected into Amazon S3 and Amazon CloudWatch, transformed by AWS Lambda, and searched in Amazon Elasticsearch Service (Log → Transform → Search)]
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
https://aws.amazon.com/answers/logging/centralized-logging
28. Choose how to start your compute
Private images or import your current ones
[Diagram: EC2 AMI catalogue → Launch instance → Running instance → Configure instance → Your instance, with host security layers: Operating system, User administration, Whitelisting and integrity, Malware and IPS, Vulnerability management, Audit and logging, Hardening and configuration]
Configure your environment as you like: you get to apply your existing security policy.
Options to create or import your own ‘gold’ images:
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
On 3: choose how to build your standard host security environment
CIS AMI: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
30. You get to control who can do what in your AWS environment, when, and from where
Identity and Access Management: control access and segregate duties everywhere
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).
• You can use AWS managed policies, policies for typical job functions, or customer-generated policies using the policy generator, and test them with the policy simulator
[Diagram: AWS account owner]
31. Identity and Access Management: Federation with on-prem directory
[Diagram: Corporate Data Center (Identity Store, AD Group) → Identity and authentication through the browser interface → Mapping to a specific IAM role with access policy → Access to AWS]
33. Agility and Control
What do customers tell us about asset management deployment?
Customers want to:
• Define the resources and landscapes where software and applications are deployed
• ‘Approve once and deploy many’
• Enable self-service, deploy with confidence
• Automate deployments
34. Agility and Control
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
[Diagram: Administrator side: Control, Standardization, Governance; Users side: Agility, Self-service, Time to market]
35. CloudFormation to create products
Product = Template
[Diagram: Administrator Interaction → CloudFormation Template (JSON formatted file: parameter definition, resource creation, configuration actions) → CloudFormation Framework (comprehensive service support, service event-aware, customizable; stack creation, stack updates, error detection and rollback) → Running stack (configured AWS services)]
36. AWS Service Catalog: Managing products
[Diagram: Administrator Interaction with Service Catalog: Landscape Architect authors the template; Administrator creates the product (ProductX, Versions), creates the portfolio and assigns the product to it (Portfolio A, Portfolio B), then adds constraints, grants access and adds tags (users and roles, constraints, tags)]
38. Agility and Control
Opportunities to strengthen the handshake
[Diagram: Administrator products; user-generated products to foster innovation; back-end microservices acting on the stacks]
45. Managing to the Portfolio Value
Portfolio Tier | Requirements | Operations Model | Approx. % Portfolio* | IT Spend Against Portfolio
Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
Table Stakes | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Traditional Operations | 60% | 30% - 40%
*estimated numbers
Provided Under NDA
46. The Migration Journey
[Diagram: Brown Field and Green Field tracks converging on a Future State (Future Landing Zone, Library of patterns, Future operating model)]
Steps shown:
• Identify and categorize bulk candidates
• Analysts identify high-value candidates
• Pipeline team prepares candidates
• Applications are migrated based on patterns
• Patterns are created
• Greenfield Landing Zone created
• Existing Operations team manages
• Portfolios are prioritized
• Project initiated
• Innovation teams re-architect the application
• New operating levers are created
• Application is implemented on cloud
• Cloud-native components are patterned
• Core Landing Zone created
47. Executing Multi-Modal Migrations
[Diagram: program timeline over Sprint 1 to Sprint 7 with Brown and Green tracks: Deploy Landing Zone; Extend, Integrate and Manage Landing Zone; Migration Business Case; Discovery Prep; Discovery; Pipeline Generation; Migration Patterns Creation; Greenfield Migrations; Innovation; Re-Factor; Re-Host; Complex App (single sprint)]
48. Increasing Levels of Effort with Increasing Levels of Return
Running Multi-Modal Migrations
[Diagram: maturity axis from Mass migration through Re-platform / Refactor to Re-architect]
• Mass migration (Traditional Operations, Operational Transition): Minimized staffing change, Capex to Opex, Cost out, Facilities closure, Consistent operations
• Re-platform / Refactor (Hybrid Operations): Cloud capable applications, Capex to Opex, Nascent services, Cloud COE, Managed services
• Re-architect (Development and Operations): Cloud aware applications, Serverless compute, Continuous integration, Disruptive technology, Maximum efficiency, Advanced architecture
49. Multi-Modal Operations
• Many adoptions are tightly coupled with agile delivery adoption.
• Not all workloads require a DevOps investment.
• Achieving business goals doesn’t always require automation.
• Using traditional support models in the wrong places can dilute value.
[Diagram: operations responsibilities per migration mode, moving from Traditional Operations to Distributed Responsibility]
Mass migration (Traditional):
• Data Center-Cloud Connectivity
• Server/Storage Provisioning
• Patching/Anti-virus
• Monitoring
• Server Maintenance/Incident Response
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
Re-platform/Refactor (Automated Efficiency):
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring
• Audit/Risk
• Standards/Policy
• Stack Templates
• Server Maintenance/Incident Response
• Stack Provisioning and Decom
• Event Mgmt
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
Re-architect (DevOps):
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring Lvl 1
• Monitoring Lvl 2
• Server Maintenance/Incident Response
• Stack Templates and Provisioning
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
50. Key Take-Aways
• Configuring your AWS environment to match your operations and migration needs is a key step in your cloud journey
• Maximize automation, including cost optimization (e.g. resizing instances, on/off schedules)
• Check aws.amazon.com/answers for guidance and packaged solutions that help you build your own Landing Zone
• Be agile in your migrations: not everything can be planned upfront