Comenzando com la nube hibrida
3 likes2,508 views
This document discusses hybrid IT and how organizations can integrate their on-premises infrastructure with Amazon Web Services (AWS). It defines hybrid IT as combining internal and external cloud services to support business outcomes. It provides examples of common hybrid workloads like backup/archive to AWS Storage using AWS Storage Gateway, and storage expansion using AWS Storage Gateway to store data in Amazon S3. It also discusses how organizations can integrate their network on AWS using AWS Direct Connect, integrate identity and access management using AWS Identity and Access Management (IAM) and AWS Directory Services, and integrate development and operations using services like AWS CodeDeploy. The document encourages readers to try hybrid IT through proofs of concept to help answer questions and consider cloud-first approaches for
![AD Connector
AD
CAA-AdministratorAccessRole
CAA-NetworkAccessRole
CAA-CloudEngineerRole
CAA-ReadOnlyAccessRole
NetworkAccessRole - “Action”:[stsAssumeRole],
“Resource”: “arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-*
“Resource”: “arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*
“Resource”: “arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*
Management
account
1
2
3
Application account
4
Switch role
AdministratorAccessRole
NetworkAccessRole
CloudEngineerRole
ReadOnlyAccessRole
Trusted entities: Assume role policy document
“Principal”:
“AWS”:“arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole”
“Action”: “sts:AssumeRole”
mycompany.awsapps.com/console](https://image.slidesharecdn.com/2016awssummitbogot-comenzandocomlanubehibrida-160411152855/85/Comenzando-com-la-nube-hibrida-32-320.jpg)
Comenzando com la nube hibrida
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Alex Coqueiro Public Sector Solutions Architect Abril, 2016 Comenzando con la nube híbrida
- 2. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 3. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 4. Cloud is an ALL or NOTHING proposition
- 5. The Good News is it isn’t an ‘All or Nothing’ Choice Corporate Data Centers On-Premises Resources Cloud Resources Integration
- 6. Hybrid IT
- 7. Hybrid IT: A Definition http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp “Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.”
- 8. http://www.gartner.com/technology/research/technical-professionals/hybrid-cloud.jsp “Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome.” Hybrid IT: A Definition
- 10. Your Data Center
- 11. Extending Your DC to your Cloud Provider Your Data Center Your LAN Segments AWS VPC
- 12. Integrated networking # 10.0.100.0 # 10.0.200.0 Integrating AWS with existing On-Prem Infrastructure Integrated access control Microsoft Active Directory Custom LDAP Commom Hybrid Workloads App 1 AWS Storage Gateway Single pane of glass Enterprise Integration
- 13. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 14. Direct ConnectVirtual Private Cloud (VPC) Services: Networking
- 15. Trend: Integrated Network Your Data Center Project A Deployed Virtual Private Cloud (VPC) Direct Connect
- 16. VPN Tunnels Customer VPN Gateway Directory Server Database Server Application Server Client VPC Configuration • VPC CIDR Network: 10.100.0.0/16 • VPC Subnet 1: 10.100.0.0/23 • VPC Subnet 2: 10.100.2.0/23 • VPN Type: Dynamic BGP • Security Group: HTTP, HTTPS, SSH, ICMP Data Center Configuration • Corporate Network: 10.96.0.0/16 • DC Network: 10.96.24.0/21 • VPN Gateway IP: 54.254.241.240 Your First Virtual Private Cloud Application Server Availability Zone BAvailability Zone A
- 17. VPN Tunnels Customer VPN Gateway Directory Server Database Server Application Server Client Other VPC Features • Multiple VPCs per account • Multiple network interfaces per EC2 instance • Multiple IPs per interface • Move network interfaces between EC2 instances • Egress filtering with security groups and network ACLs • Virtual network peering between VPCs • Direct Connect cross region routing • Support for dedicated instance, single tenant EC2 Services: Networking Application Server Availability Zone BAvailability Zone A VPC Released 2009 • Mature virtual networking service • Highly scalable, up to 64K hosts per VPC • Features focused on enterprise integration
- 18. Integrate your network with Amazon VPC • Connect via standard IPSEC Internet VPN tunnels, or • Private link to AWS Direct Connect peering location, or a combination of both • Connection port speeds from 50M to 10G, you choose the connection speed you want • Connect multiple VPCs using industry standard VLANs and layer 3 routing protocols • Integrate your network to your private VPC resources • Deploy your own network equipment into Direct Connect peering location, e.g. WAN Optimization Devices Compute Storage AWS Global Infrastructure Database App Services Deployment & Administration Networking Customer VPC Internet VPN Connection Customer IPSEC Router/Firewall Customer Direct Connect Router Private Direct Connect Customer Corporate Network Services: Networking: Direct Connect
- 19. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 22. AWS Storage Gateway AWS S3 Simple Storage Service Services: Storage
- 23. Application Server Virtual Server File Server Database Server Backup System On-premise backup server with S3 • Eliminate tape, hardware, off-site storage • Reduce capital expense for backup infrastructure • Never worry about backup durability • Never run out of backup capacity • Backup gateway integrated to Amazon S3 • Data stored off-site, with high durability, in multiple locations • Take advantage of advanced storage optimization options, De-duplication, compression, WAN acceleration Backup and Archive Amazon S3
- 24. Application Server Virtual Server File Server Database Server Amazon S3 Solutions supporting backup and archive to S3 Veeam Backup & Replication Symantec Net Backup Oracle RMAN and Secure Backup Module CommVault Simpana AWS Storage Gateway VTL Riverbed Whitewater Backup System Backup and Archive
- 25. On-premise storage appliance with S3 • Reduce capital expense for storage infrastructure • Never worry about storage durability • Never run out of storage capacity • Storage appliance integrated to Amazon S3 • Data durably stored off-site in multiple locations • Virtual volumes presented to local network as iSCSI volumes, NFS, CIFS • Local disk cache to provide fast on-premise access • Take advantage of advanced storage optimization options, Block based de-duplication, compression, WAN acceleration • Security through gateway side encryption Application Server Virtual Server File Server Database Server S3 Integrated Appliance Storage Expansion Amazon S3
- 26. Application Server Virtual Server File Server Database Server S3 Integrated Appliance Solutions supporting storage expansion to S3 TwinStrata CloudArray Riverbed Whitewater Panzura Global NAS Aspera on-demand AWS Storage Gateway Cached Volumes Storage Expansion Amazon S3
- 27. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 28. How do I integrate AWS? Access Control Identity Federation Development Operations
- 29. AWS Directory Services AWS Identity and Access Management Services: Security
- 30. Securing Your AWS Resources AWS Identity and Access Management • AWS IAM enables you to securely control access to AWS services and resources • Fine grained control of user permissions, resources and actions. You get to choose who can do what in your AWS environment and from where • You can easily add multi factor authentication using smartphone apps or hardware tokens • Create users or groups • Assign permissions to groups • Where actions are allowed from Application Server • Who can create subnets • Who can modify security groups • Who can launch EC2 instances, into which subnet • Grant rights to applications • To access AWS resources • With built-in key rotation • No storing of credentials in code • Secure access to console • Require MFA on API action
- 31. New directory in AWS Directory Integration AWS Directory Service Connect existing directory to AWS Simple AD AD Connector Based on Samba 4 Custom federation proxy On-premises Microsoft AD
- 32. AD Connector AD CAA-AdministratorAccessRole CAA-NetworkAccessRole CAA-CloudEngineerRole CAA-ReadOnlyAccessRole NetworkAccessRole - “Action”:[stsAssumeRole], “Resource”: “arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-* “Resource”: “arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-* “Resource”: “arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-* Management account 1 2 3 Application account 4 Switch role AdministratorAccessRole NetworkAccessRole CloudEngineerRole ReadOnlyAccessRole Trusted entities: Assume role policy document “Principal”: “AWS”:“arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole” “Action”: “sts:AssumeRole” mycompany.awsapps.com/console
- 34. Coordinate automated deployment Scale from 1 instance to thousands Deploy without downtime Centralize deployment control and monitoring Staging CodeDeployv1, v2, v3 Production Dev Just like Amazon Application revisions Deployment groups
- 35. Set up your target environments (Hybrid or Not) Agent Agent Agent Staging Agent Agent Agent Agent Agent Agent Production Deployment group (on-premises)Deployment group (AWS) Group instances by: • Auto Scaling group • Amazon EC2 tag • On-premises tag
- 36. Operations On AWS into existing Tools Management Portal for vCenter Management Pack for SCOM Systems Manager for SCVMM
- 37. Operations On AWS Integrating AWS into your operations • AWS CloudWatch provides real-time insight into your AWS services, integrate your own metrics, create and act on alarms • AWS SNS allows integration with your alerting systems • Your current tools still work – install on EC2 instance • Your tools already have AWS API integration
- 38. Direct ConnectTunnels Backup & Archive Storage Expansion Common Hybrid Workloads What is Hybrid IT? Integrated Network Next Steps Control Enterprise Integration Federation Dev Operations Today we’ll cover
- 39. Try It! Proof of concept will answer tons of questions Think cloud first for all new deployments
- 40. Gracias