Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013

Posted on 20-Aug-2015


TRANSCRIPT

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Selecting the Best VPC Network Architecture

Eric Schultze, AWS

Roshan Vilat & Phil Schulz, Vodafone Australia

Clay Parker, Trimble Navigation

November 15, 2013

Why we’re here

• Choosing a VPC architecture

• Benefits and Challenges

• Lessons Learned

Before we get started…


Selecting the Best VPC Network Architecture

Vodafone Australia Case Study

Roshan Vilat & Phil Schulz, Vodafone Australia

November 15, 2013

Vodafone Australia

• Presentation:

– Cloud Transformation Roadmap

– Multi VPC Solution

Vodafone Group

– One of the world’s leading telecommunications groups

– Vodafone operates in more than 30 countries across five continents

– 404 million customers globally

– One of the top 10 brands in the world

1. Public Facing Website in the Cloud

– Migration from traditional data center to the Cloud

– Saved one year in time to market

– Saved at least $1,000,000

– AWS Opened a Data Centre in Australia

– Migration from the US to AU

– Re-Architecture into Cloud Orientated Architecture: Auto Scaling; Elastic IPs; Amazon RDS database; AWS CloudFormation; Highly Available File Storage; Self Healing Environments

– Agile Delivery with Cross Functional Teams; Behavior Driven Development; Automated Testing; Continuous Integration; Daytime Deployments

2. Re-architecting for the Cloud

– Greenfield Enabler for Multiple Digital Services

– Supporting Customer Sensitive Data

– Direct Connection into Backend Services

– Suite of Security Tools

– Live Business Intelligence

– New Support Model

3. Business Critical Applications

Project Partners

– Core Team

– InfoSec

– Networks

– Service Management

– Operational Support Services

– Vodafone Group

– My Account App Team

To Multi-VPC or not to Multi-VPC?

Project Key Requirements

1. Secure – protect customer sensitive data

2. Networked – low latency, stable connectivity

3. Automated

4. Supportable

5. Resilient, Scalable, and Available.

VPC Design Evolution

• 100s of VPCs

• Single VPC

• Multi-VPC

100s of VPCs

Pros

• Strong Isolation

Cons

• Sheer number of VPCs

• Management nightmare

• Networking nightmare

• Equivalent of creating a datacenter per application?

Single VPC

Pros

• Simplifies AWS Direct Connect

Cons

• Low isolation – security, billing implications

• No role separation – IAM limitation

• AWS account and VPC limits

• Difficult to contain blast radius!


Multi VPC

Design Benefits

• Multi-account for role separation, cost control and resource limits

• Balance of isolation and management complexity

• AWS Direct Connect provides stable inter-VPC and Vodafone-VPC communication

• AWS Direct Connect provides central network control point

Lessons Learned

• Ensure team has domain experts

• Capture all stakeholder requirements

• Differences between traditional and cloud-based methodologies

• Use multiple constructs to achieve desired isolation – Accounts, VPCs, security groups, etc.

• AWS account and VPC limits

• IAM access control capabilities

Project Outcome

• First cloud-based environment for business critical apps

• Built in 4 months

• MyAccount (Online Self-Service) in production

• Shared security and operational services in production

• Next 4 applications in build stage


Selecting the Best Virtual Private Cloud

Architecture In AWS

Clay Parker, Trimble Navigation

November 15, 2013

Trimble Navigation

• A world leader in transforming how work is done across multiple industries and professions

• Our customers gain significant economic breakthroughs at the same time improving quality, safety, regulatory compliance and reducing environmental impact

• Our technological capabilities span positioning and sensing, global connectivity, 3D design, modeling & measurement, machine and process automation, and powerful data analytics

• 2012 Revenue US $2Billion; 6,500 employees

• Founded in 1978, headquartered in Sunnyvale, California with Offices in 35 countries, partners in 125 countries and customers in 150 – from some of the world’s largest corporations to some of the smallest family firms

Trimble Hosting Services

• We are a Trimble Division

• We exist to help Trimble businesses with external end-user-facing application hosting and 24x7x365 support

• 74 staff in seven locations in five countries

• Production infrastructure in seven data centers

• Development infrastructure in six Trimble offices

• Facilitate hosting in Amazon Web Services (AWS)

• Our ISMS is ISO27001 certified for hosting in THS infrastructure and in AWS

• Staff have specific expertise in:

- Server virtualization

- Cloud hosting

- Storage management

- Operations

- Network engineering

- Information security

- Database management

- Finance

- Program & project management

Map: THS locations – United Kingdom, Ireland, AT&T Ashburn, SunGard, Scottsdale, Milpitas, NOC, 21Vianet Beijing, CT Xi’an, Global Admin Network, Chennai NOC, Node4 Northampton, Equinix Slough, Equinix Dallas

Current use of Amazon Web Services

• Shared Production Account – Multi-tenant environments in several regions to support multiple customers

– Single production account with one VPC per region

– No tenant write access to the AWS Management Console

– VPN connectivity to private cloud production data centers

– All AWS resources tagged for customer identification

– All AWS resources under change management control

Current use of Amazon Web Services

• Shared Development Account – Multi-tenant environments in several regions to support multiple customers

– Single development account with one VPC per region

– Controlled tenant access to the AWS Management Console

– VPN connectivity to private cloud development data centers

– All AWS resources tagged for customer identification

Current use of Amazon Web Services

• Customer Development Accounts – One per customer

– VPN connectivity to our development data centers only

– Unlimited access to the AWS Management Console (except Amazon VPC)

– Linked to our master account for consolidated billing

Current use of Amazon Web Services

• Billing Only Accounts – One for each customer

– Linked to our master account for consolidated billing

Private / Public / Hybrid Clouds

• Private

– Trimble Private Cloud (TPC)

– THS owns & manages infrastructure

• Public

– Amazon Web Services (AWS)

– AWS owns & manages infrastructure

• Hybrid

– Uses infrastructure in both TPC & AWS

– Take advantage of the best of both worlds

Diagram: Trimble Private Cloud data center – two ISPs and two wireless carriers feeding BGP routers and core switches on a common core network; shared VMware and SAN infrastructure hosting redundant physical and/or virtual web and application servers and a redundant physical database cluster; a pipe to the DR data center; other Trimble-hosted applications; Trimble management network with common services (monitoring, LAN and SAN management, VMware management).

Diagram: AWS deployment in one region – Route 53 hosted zone (www.myconnectedassets.com) in front of an Elastic Load Balancer; web/app servers on Amazon Linux EC2 instances in Availability Zone A and Availability Zone B, each behind its own security group in a VPC subnet; Amazon CloudWatch alarms; users and mobile clients on the Internet side; a VPN connection back to Trimble.

Diagram: Trimble Integrated Cloud – the THS Common Services Network / admin backbone links the Trimble corporate WAN and THS sites (SJC3 CA, IAD2 VA, PHX1 AZ, LHR1 UK, LHR2 UK, MAA1 India, PEK1 China, XIY1 China) to AWS virtual private gateways in US-East N. Virginia (IADA) and US-West Oregon (PDXA); each VPC holds a THS CSN subnet plus per-customer subnets (Cust A Subnet, Cust B Subnet), with separate paths to IADA THS Prod, IADA THS Dev, PDXA THS Prod and PDXA Cust Dev.

Criteria for using fewer VPCs

• Shared Production & Development Accounts – Single VPC per region

– Modeled after our physical data center environment

– Less confusion for all concerned

– Able to use a single VPN for connectivity

– Less complexity for ITOps support

Advantages of using fewer VPCs

• Reduces complexity of managing internal IP address space

• Single place to manage:

– Subnets

– Security groups

– Routes and VPN configuration
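The single-VPC advantage above, one address plan kept in one place, and the multi-VPC design from the Vodafone section both depend on the same thing: no VPC CIDR may overlap another VPC or any range that is reachable over the VPN or Direct Connect, because a route into an overlapping range is unusable. The following Python script is an added example, not code from the talk or from Trimble or Vodafone; the reserved supernet, the on-premises ranges, and the VPC, AZ and tier names are constructed sample values. It carves one block per VPC out of a reserved supernet, one subnet per availability zone and tier inside each VPC, and flags overlaps between VPCs or with the on-premises ranges using the standard library ipaddress module.

```python
"""Address planning for VPCs that connect back to a corporate network.

Added example, not from the talk. All ranges below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed: ranges already in use on-premises, reachable over VPN / Direct Connect.
ON_PREM_RANGES: List[Net] = [
    ipaddress.ip_network("10.0.0.0/13"),
    ipaddress.ip_network("172.16.0.0/16"),
]
# Constructed: supernet reserved for every VPC, chosen so it cannot collide with on-prem.
CLOUD_SUPERNET: Net = ipaddress.ip_network("10.128.0.0/12")


def allocate_vpcs(supernet: Net, names: List[str], vpc_prefix: int = 16) -> Dict[str, Net]:
    """Carve one /vpc_prefix block per VPC out of the supernet, in the order given."""
    blocks = supernet.subnets(new_prefix=vpc_prefix)
    plan: Dict[str, Net] = {}
    for name in names:
        try:
            plan[name] = next(blocks)
        except StopIteration:
            raise ValueError(f"{supernet} holds too few /{vpc_prefix} blocks for {len(names)} VPCs")
    return plan


def allocate_subnets(vpc_cidr: Net, azs: List[str], tiers: List[str],
                     subnet_prefix: int = 24) -> Dict[str, Net]:
    """One subnet per (availability zone, tier), keyed like 'ap-southeast-2a/web'."""
    blocks = vpc_cidr.subnets(new_prefix=subnet_prefix)
    return {f"{az}/{tier}": next(blocks) for az in azs for tier in tiers}


def find_overlaps(cidrs: Dict[str, Net], external: List[Net]) -> List[Tuple[str, str]]:
    """Every overlapping pair: VPC against VPC, and VPC against an external range."""
    conflicts: List[Tuple[str, str]] = []
    names = list(cidrs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cidrs[a].overlaps(cidrs[b]):
                conflicts.append((a, b))
        for ext in external:
            if cidrs[a].overlaps(ext):
                conflicts.append((a, str(ext)))
    return conflicts


def build_plan(vpc_names: List[str], azs: List[str], tiers: List[str],
               supernet: Net = CLOUD_SUPERNET, on_prem: List[Net] = ON_PREM_RANGES) -> dict:
    """Full plan plus its conflict list; an empty conflict list means every route is usable."""
    vpcs = allocate_vpcs(supernet, vpc_names)
    subnets = {name: allocate_subnets(cidr, azs, tiers) for name, cidr in vpcs.items()}
    return {"vpcs": vpcs, "subnets": subnets, "conflicts": find_overlaps(vpcs, on_prem)}


if __name__ == "__main__":
    plan = build_plan(["prod", "dev", "shared-services"],
                      ["ap-southeast-2a", "ap-southeast-2b"], ["web", "app", "db"])
    for name, cidr in plan["vpcs"].items():
        print(f"{name}: {cidr}")
        for label, subnet in plan["subnets"][name].items():
            print(f"    {label}: {subnet}")
    print("conflicts:", plan["conflicts"] or "none")
    # A VPC carved from inside the on-prem range is caught immediately.
    legacy = allocate_vpcs(ON_PREM_RANGES[0], ["legacy"], vpc_prefix=24)
    print("bad plan:", find_overlaps(legacy, ON_PREM_RANGES))
```

Keeping the supernet disjoint from the on-premises ranges up front is what makes the per-VPC allocation safe by construction; find_overlaps is the check to run before any CIDR is handed to a new VPC, since a VPC CIDR cannot be changed after creation.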

Challenges of using fewer VPCs

• Perceived customer data bleeding

• Complexity of managing access to individual resources

• Complexity of individual tenant billing from a shared account

• Risk of users deleting resources that are not theirs
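The three challenges above, per-resource access control, per-tenant billing and users deleting resources that are not theirs, are why the shared accounts described earlier tag every resource for customer identification: the tag is the only thing that ties a resource to a tenant. The following Python script is an added example, not code from the talk or from Trimble; the resource inventory is constructed sample data, and the tag key Customer and the policy layout are assumptions. It reports resources that lack the tenant tag, emits an IAM policy that allows delete actions only when the resource's Customer tag equals the caller's principal tag (the aws:ResourceTag and aws:PrincipalTag condition keys, which postdate this 2013 talk), and models locally how that condition decides a few requests. The local evaluator covers only Allow statements with StringEquals on resource tags; it illustrates the rule and is no substitute for the IAM policy simulator.

```python
"""Tenant isolation in a shared AWS account via a customer tag.

Added example, not from the talk. The inventory below is constructed sample data.
"""
import fnmatch
import json
from typing import Dict, List, Optional

TENANT_TAG = "Customer"  # assumed tag key

# Constructed inventory, shaped like the "Tags" lists returned by EC2 describe-* calls.
RESOURCES: List[dict] = [
    {"id": "i-0a1b2c3d", "type": "instance",
     "Tags": [{"Key": "Customer", "Value": "custA"}, {"Key": "Name", "Value": "web-1"}]},
    {"id": "i-0e4f5a6b", "type": "instance",
     "Tags": [{"Key": "Customer", "Value": "custB"}]},
    {"id": "vol-0123abcd", "type": "volume",
     "Tags": [{"Key": "Name", "Value": "scratch"}]},          # tenant tag missing
    {"id": "sg-0abc9876", "type": "security-group", "Tags": []},
]


def tag_value(resource: dict, key: str) -> Optional[str]:
    """Value of one tag on a resource, or None when the tag is absent."""
    for tag in resource.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def untagged(resources: List[dict], key: str = TENANT_TAG) -> List[str]:
    """Resources with no tenant tag: they cannot be billed to anyone and a
    tag-conditioned policy can neither grant nor scope access to them."""
    return [r["id"] for r in resources if tag_value(r, key) is None]


def tenant_policy(tag_key: str = TENANT_TAG) -> dict:
    """IAM policy for a per-tenant role: read anything, but terminate or delete only
    resources whose tenant tag equals the caller's own principal tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeAnything", "Effect": "Allow",
             "Action": ["ec2:Describe*"], "Resource": "*"},
            {"Sid": "MutateOwnTenantOnly", "Effect": "Allow",
             "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume", "ec2:DeleteSecurityGroup"],
             "Resource": "*",
             "Condition": {"StringEquals": {
                 f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}}},
        ],
    }


def _resolve(value: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Substitute a ${aws:PrincipalTag/Key} policy variable from the caller's tags."""
    prefix = "${aws:PrincipalTag/"
    if value.startswith(prefix) and value.endswith("}"):
        return principal_tags.get(value[len(prefix):-1])
    return value


def _condition_holds(condition: dict, principal_tags: Dict[str, str], resource: dict) -> bool:
    """Toy evaluator: StringEquals on aws:ResourceTag/* only. A tag missing on either
    side never satisfies StringEquals, so untagged resources fall through to deny."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False  # unsupported condition key: treat as not satisfied
        actual = tag_value(resource, key[len("aws:ResourceTag/"):])
        wanted = _resolve(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            return False
    return True


def allowed(principal_tags: Dict[str, str], resource: dict, action: str,
            policy: Optional[dict] = None) -> bool:
    """Implicit deny unless some Allow statement matches the action and its condition holds."""
    policy = policy or tenant_policy()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), principal_tags, resource):
            return True
    return False


def audit(resources: List[dict] = RESOURCES) -> dict:
    """Untagged resources plus, per tenant, which resources that tenant could terminate."""
    tenants = sorted({tag_value(r, TENANT_TAG) for r in resources} - {None})
    return {
        "untagged": untagged(resources),
        "can_terminate": {t: [r["id"] for r in resources
                              if allowed({TENANT_TAG: t}, r, "ec2:TerminateInstances")]
                          for t in tenants},
    }


if __name__ == "__main__":
    print(json.dumps(tenant_policy(), indent=2))
    print(json.dumps(audit(), indent=2))
```

The untagged list is the finding to act on first: a resource without a tenant tag is invisible to billing attribution, and under the tag-matching policy no tenant can delete it, but no tenant can manage it either, so it ends up owned by whoever holds the shared account's administrative role.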

Questions

• Contact information

– Email parkclay@gmail.com

– Twitter @parkclay

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

CPN208
