application migrations

Post on 06-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Wednesday July 6th, 2016

Landing Zone for application migrations

Koen vd Biggelaar, Sr Mgr AWS Solutions Architecture - Global Accounts

Application Migration: Create Landing Zone -> Migrate Apps -> Operate & Optimize

AWS Cloud Adoption Framework perspectives:
• People
• Process
• Security
• Maturity
• Platform
• Operations
• Business


Our Journey Today: Current State -> Account Structure -> Security -> Network -> Identities & Access -> Cloud Consumers -> Migrate -> Operate & Optimize


Current State: Typical Enterprise Situation
Diagram labels: Lines of Business, Infrastructure Request, Central IT, Governance & Service Management, Provisioning, Monitor & Respond, Templates, Policy & Practices, Landscape Management.
Characteristics:
• Lead times ~days/weeks/months
• Service Catalogue of components
• Often process-heavy Service Management

Current State: Opportunity to achieve agility and control
Diagram labels: Lines of Business, Central IT, Automation, Security, Consumers.
Opportunities:
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management

Current State: Guiding Principles
Start -> Account Structure -> Security -> Network -> Identities & Access -> Cloud Consumers -> Migrate -> Operate & Optimize

Account Structure
• Don't overdo it on Day One
• Use separate accounts for:
  - Security and Compliance Isolation (production, non-prod, logging)
  - Cost Allocation
  - Resource Management and Ownership
Diagram label: Payer

Account Structure: Opportunity to create linked Accounts
Create Linked Account (CLA) API
• The payer account can programmatically access and manage the new accounts using cross-account access and administrative privileges automatically configured during account creation.
• Currently available on a whitelisting basis:
  - Connect with your AWS Account Manager or SA
  - A public API will be rolled out in future; you will need to use these new APIs then

Account Structure (diagram)
Payer
Central Accounts: Billing Reports, Service Catalog, Logging, Audit, Central Services
Services Accounts: Dev & Test, Mobility, IoT, Serverless, Internal business apps, Digital Platforms, Production Generic, Production Critical
Option: Per AWS Region


Analyze your CloudTrail Logs
You make API calls (AWS Management Console, AWS CLI, SDK) to AWS Services; the calls are logged by AWS CloudTrail and delivered to your central Amazon S3 logging bucket for analysis & action.
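As an added example (not part of the deck), a small Python analysis of one CloudTrail object as it lands in the central S3 logging bucket: the sample records and the rule names are constructed here, while the record fields (eventSource, eventName, userIdentity.type, additionalEventData.MFAUsed) are the ones CloudTrail emits.

```python
import gzip
import io
import json

# Constructed sample of one object as CloudTrail delivers it to the central S3
# logging bucket: gzipped JSON with a "Records" list (real records carry more fields).
SAMPLE_FILE = {"Records": [
    {"eventTime": "2016-07-06T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-07-06T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-07-06T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-07-06T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},
]}

# API calls that reduce or alter what CloudTrail records; the logging account should alert on them.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def gzip_json(obj):
    """Serialise a dict the way a delivered CloudTrail object is stored (gzipped JSON)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(obj).encode())
    return buf.getvalue()

def findings(log_object):
    """Yield (rule, eventName, actor) for records worth review: root activity,
    console logins without MFA, and changes to the trail itself."""
    for rec in json.loads(gzip.decompress(log_object))["Records"]:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            yield ("root-activity", rec["eventName"], actor)
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec["eventName"] == "ConsoleLogin" and mfa != "Yes":
            yield ("console-login-without-mfa", rec["eventName"], actor)
        if rec["eventSource"] == "cloudtrail.amazonaws.com" \
                and rec["eventName"] in TRAIL_CHANGES:
            yield ("trail-tampering", rec["eventName"], actor)

def analyze(log_object):
    """Return the distinct findings for one delivered object, sorted for stable reporting."""
    return sorted(set(findings(log_object)))
```

In a central logging account the same function would be run over every object the linked accounts' trails deliver to the bucket.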

Config tracks resource changes
Diagram labels: Changing Resources, Record, Normalize, Store, Deliver; AWS Config APIs; delivery as Stream, Snapshot (ex. 2014-11-05) and History.


Network: Key Considerations
• Non-overlapping IP range
• VPC Design
• Access Control Lists & Security Groups
• Logging and Monitoring
• Direct Connect
• Subnet Design
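As an added example (not from the deck), a Python check for the first consideration above: the on-prem ranges and per-account VPC CIDRs are a constructed plan with placeholder names, and the /16 to /28 VPC size limit is the AWS constraint.

```python
import ipaddress

# Constructed address plan (placeholder names, not from the deck): on-prem ranges
# reached over Direct Connect, and the VPC CIDR proposed for each account.
ON_PREM = {"dc-eu": "10.0.0.0/12", "dc-us": "10.16.0.0/12"}
VPCS = {
    "central-services": "10.32.0.0/16",
    "production-generic": "10.33.0.0/16",
    "production-critical": "10.34.0.0/16",
    "non-production": "10.32.128.0/17",  # planning mistake: sits inside central-services
}

def overlapping_pairs(plan):
    """Return sorted (name_a, name_b) pairs whose CIDRs overlap anywhere in the plan."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def bad_vpc_sizes(vpcs):
    """VPC CIDR blocks must be between /16 and /28; return the names that are not."""
    return sorted(name for name, cidr in vpcs.items()
                  if not 16 <= ipaddress.ip_network(cidr).prefixlen <= 28)

def check_plan(on_prem, vpcs):
    """Run both checks over on-prem and VPC ranges; empty lists mean the plan is clean."""
    plan = {**on_prem, **vpcs}
    return {"overlaps": overlapping_pairs(plan), "bad_vpc_size": bad_vpc_sizes(vpcs)}
```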

Network: Direct Connect for connecting on-prem and AWS environment
Diagram labels: Customer Gateway, VPN backup, Direct Connect Location, Virtual Interface #1, Virtual Interface #2, Secondary Direct Connect Location, Partner Network.

Network: Central Services in a central VPC
Central common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet Proxy
Diagram labels: Central Services, Production Generic, Production Business Critical, Non-production.


Identity and Access Management: Control access and segregate duties everywhere
• You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• You can use AWS managed policies or customer-generated policies built with the policy generator, and test them with the policy simulator
Diagram label: AWS account owner

Identities and Access Control: Sample Access Policy

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:RebootInstances"
    ],
    "Resource": "arn:aws:ec2:::instance/*",
    "Condition": {
      "StringEquals": {"ec2:ResourceTag": "Dev"}
    }
  }]
}

Effect: Allow or Deny access to the resource
Action: service calls allowed to be performed
Resource: object or objects that the statement covers
Condition: conditions to satisfy: EC2 resources must be tagged with "Dev" (in a deployed policy the condition key takes the form ec2:ResourceTag/<tag-key>, so the tag whose value must be "Dev" has to be named)
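As an added example (not the deck's code), a minimal Python evaluator for the sample policy above; it assumes the tag key "Environment" for the ec2:ResourceTag/<tag-key> condition key and wildcards for region and account in the resource ARN, neither of which the slide gives, and it covers only the Allow/Deny, Action, Resource and StringEquals elements the slide annotates.

```python
import fnmatch
import json

# The deck's sample policy with two assumptions made explicit: the condition key
# carries a tag key ("Environment", a placeholder the slide does not give) and the
# resource ARN uses wildcards for region and account so real instance ARNs match.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def condition_holds(condition, context):
    """Evaluate a Condition block; only StringEquals is needed for this policy."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny" for one request (implicit Deny; explicit Deny wins)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def instance_context(tags):
    """Request context for an instance from its tags (constructed input)."""
    return {f"ec2:ResourceTag/{key}": value for key, value in tags.items()}
```

The account id 123456789012 used when calling it is a constructed example value.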

Identities and Access Control: Example user types with corresponding access policies
Access Managers:
• IAM Master: create policies
• IAM Manager: assign policies
• Audit: read-only
Design:
• Architect: create landscapes
• Storage: design and build
• Network: design and build
Application Owners:
• DevOps: API access
• App Owner: landscape owner
Support and Operations:
• Support: account policy
• Empty Role: no policy
Administrators:
• Administrator: landscape management
• Administrator: Service Catalog
Diagram label: Typical Access Policy

Identity and Access Management: Federation with on-prem directory
Diagram labels: Corporate Data Center, Identity Store (AD Group), Browser interface; Identity and Authentication -> Mapping to specific IAM Role with Access Policy -> Access to AWS.


Cloud Consumers: AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner.
Administrators: Control, Standardization, Governance
Users: Agility, Self-service, Time to market

Product = Template
CloudFormation: a JSON formatted file (parameter definition, resource creation, configuration actions) becomes a running stack of configured AWS services.
Framework: comprehensive service support, service event aware, customisable; stack creation, stack updates, error detection and rollback.

Administrator Interaction: CloudFormation to create products
1. Authors template
2. Creates product
3. Creates portfolio and assigns product to portfolio
4. Adds constraints, grants access and adds tags

Administrator Interaction: Managing products
Diagram labels: Service Catalog, Landscape Architect, Product X, Versions, Portfolio A, Portfolio B; per portfolio: Users and Roles, Constraints, Tags.

Agility and Control: Opportunities to strengthen the handshake
• User generated products to foster innovation
• Back-end micro-services acting on the stacks

Cloud Consumer Interaction: Overview
Diagram labels: Administrator, Products, Portfolio, Cloud Consumers; Browse Products; Select version, Provision Product, configure parameters; Deploy; Notifications and outputs; Scheduled functions.

Cloud Consumer Interaction: Browse Products (Launch Product, Available Products, Launched Products)
Cloud Consumer Interaction: Configuring Options (EC2 Instance type, Schedule on/off, Schedule details)
End User Interaction: Launched Product (Launched Product details)
End User Interaction: Cost Overview (chart by environment: Prod, Test, Dev, IT Security)

AWS Service Catalog: Announcing today

• End User APIs are Generally Available w/SDK and CLI support

• CloudTrail support for End User actions in UI and API

• Product version default limit raised to 50 per product

Our Journey Today: What did we cover?
Start -> Account Structure -> Security -> Network -> Identities & Access -> Cloud Consumers -> Migrate -> Operate & Optimize

Application Migration Approach: Create Landing Zone -> Migrate -> Operate & Optimize


Thank you
