MIGRATING DEPARTMENT OF EDUCATION WEB MAPPING APP TO AWS EC2 Presented by Tai Phan, NCES & Amy Ramsdell, Blue Raster 2013 ESRI International User Conference – July 11, 2013

Upload: blue-raster

Post on 19-Nov-2014


DESCRIPTION

The U.S. Department of Education (ED) participated in the Federal Geographic Data Committee's (FGDC) GeoCloud Program in 2012. The GeoCloud initiative provides selected agencies an Amazon Web Services (AWS) hosting platform to on-ramp their geospatial applications. ED migrated its on-premises ArcGIS for Server deployment for the School District Demographic Data System (SDDS) Map Viewer (http://nces.ed.gov/surveys/sdds) to Amazon EC2. SDDS is publicly available and provides access to information about the demographics, social characteristics, and economics of children and school districts from the National Center for Education Statistics (NCES). Through GeoCloud, ED gained experience with the cloud-based Windows Server 2008 R2 and Esri ArcGIS 10.1 for Server platforms. Almost one year in, we reflect on lessons learned, including planning, security/hardening, the AWS console, server configuration, reliability, licensing, and backup strategy. We will discuss the current state of our server deployments and future plans for ED in the Cloud.

TRANSCRIPT

  • 1. MIGRATING DEPARTMENT OF EDUCATION WEB MAPPING APP TO AWS EC2
    Presented by Tai Phan, NCES & Amy Ramsdell, Blue Raster
    2013 ESRI International User Conference, July 11, 2013

  • 2. FGDC'S GEOCLOUD INITIATIVE
    - FGDC-sponsored hosting in Amazon Web Services (AWS)
    - A Geospatial Platform activity led by FGDC's Douglas Nebert
    - GeoCloud provides a common platform for deploying and documenting geospatial cloud services
    - Enables organizations to: leverage other agencies' experiences; reuse and share server configurations; gain experience in cloud-based server and application deployment
    - http://www.fgdc.gov/initiatives/geoplatform/geocloud

  • 3. DEPT OF ED'S PARTICIPATION IN GEOCLOUD
    - National Center for Education Statistics (NCES): the primary federal entity for collecting and analyzing education-related data
    - NCES uses ESRI technologies to provide geospatial context to education data
    - Two NCES projects migrated to GeoCloud in 2012: School District Demographic Data System; Public School Boundary Collection and Verification Project
    - http://nces.ed.gov/surveys/sdds/

  • 4. SCHOOL DISTRICT DEMOGRAPHIC SYSTEM

  • 5. PUBLIC SCHOOL BOUNDARY COLLECTION AND VERIFICATION TOOL

  • 6. GEOCLOUD ARCHITECTURE

  • 7. PLANNING
    - Costs to project for expansion: operating hours; reserved instances; BYOL for RDS and AMIs with database; ArcGIS licensing; disk space (~40 GB taken by OS and programs)
    - Support forums or paid support: Amazon staff active in forums
    - Amazon restrictions: Elastic IPs (limit of 5); security groups (can't change once applied); SMTP (undisclosed limit, consider Simple Email Service (SES))

  • 8. SERVER CONFIGURATION - AWS CONSOLE

  • 9. SERVER CONFIGURATION - AGS AMI
    - Considerations for the ArcGIS Server Windows 2008 Server AMI
    - Need Web Adaptor for port 80; otherwise open port 6080 in the security group
    - WWW service turned off by default

  • 10. SERVER CONFIGURATION - UPDATES
    - Apply any Windows updates

  • 11. SERVER CONFIGURATION - PORTS
    - Lock down the SQL Server Express dynamic port setting to 1433

  • 12. SERVER CONFIGURATION - PORTS
    - ArcGIS license manager is based on machine ID
    - ID will change when used as an AMI template
    - Lock down the license manager ports to 27000 and 27001
  • 13. MONITORING
    - System/instance status checks (2/2 checks)
    - Can create a status check alarm

  • 14. MONITORING
    - Amazon Service Health Dashboard: Amazon Elastic Compute Cloud (N. Virginia), http://status.aws.amazon.com/
    - Website monitoring

  • 15. SCALING CONSIDERATIONS

  • 16. BACKUP STRATEGY

  • 17. BACKUP STRATEGY
    - Instance backups: PowerShell scripts (http://messor.com : AWS Disaster Recovery Automation)
    - Scheduled task on a Micro instance (Windows 2008 Server)
    - Daily volume snapshots
    - Weekly AMIs
    - Clean up snapshots and AMIs
    - Database backup to S3 using CloudBerry and PowerShell

  • 18. SECURITY - AMAZON LEVEL
    - May 2013: AWS received ATO from the Department of Health and Human Services
    - FedRAMP at the Moderate impact level for AWS GovCloud (U.S.) and all U.S. Regions
    - AWS admins: all accesses logged and audited; cannot log in to instances
    - EC2 instance isolation on physical machine; use VPC for dedicated instances

  • 19. SECURITY - IAM CONSOLE
    - Control users and groups within account
    - Unique security credentials for access keys and login/passwords

  • 20. SECURITY - INBOUND RULES
    - Inbound network traffic controlled through security groups
    - Ports 80 and 443 only open to the internet
    - RDP 3389, MS SQL 1433, ArcGIS License Manager 27000, 27001 ports by IP

  • 21. FUTURE PLANS
    - Transition instances to NCES cloud environment
    - Migrate front-facing applications to NCES cloud
    - Achieve FISMA C&A for Low Impact/Low Risk system
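The backup slides describe a retention scheme (daily volume snapshots, weekly AMIs, periodic clean-up of both) without showing the selection logic. The following is an added example, not the presenters' PowerShell scripts: it implements the "which backups are past retention" decision in Python over a constructed inventory shaped like `describe-snapshots` / `describe-images` records. The retention counts (7 daily, 4 weekly), the record fields and the IDs are assumptions; the actual delete/deregister calls are left to the caller so the selection can be reviewed first. A backup of an unrecognised kind is deliberately never selected, so a mis-tagged snapshot is left for a human rather than deleted.

```python
"""Retention selection for a daily-snapshot / weekly-AMI backup scheme.

Added example, not the scripts used in the presentation. Backup records are
constructed below to resemble what describe-snapshots / describe-images
return; deleting the selected backups is left to the caller.
"""
from datetime import datetime, timedelta, timezone

# Retention policy assumed for the example: one week of daily volume
# snapshots, one month of weekly AMIs.
RETENTION = {"daily": 7, "weekly": 4}


def select_expired(backups, retention=RETENTION):
    """Return the sorted IDs of backups that fall outside the retention policy.

    backups: list of dicts with 'id', 'kind' ('daily' | 'weekly') and
    'created' (timezone-aware datetime). The newest N of each kind are kept.
    Backups of a kind not in the policy are never selected (fail safe).
    """
    by_kind = {}
    for b in backups:
        by_kind.setdefault(b["kind"], []).append(b)

    expired = []
    for kind, items in by_kind.items():
        keep = retention.get(kind)
        if keep is None:
            continue  # unknown kind: leave it alone rather than delete it
        # Newest first; the ID breaks ties so the result is deterministic.
        items.sort(key=lambda b: (b["created"], b["id"]), reverse=True)
        expired.extend(b["id"] for b in items[keep:])
    return sorted(expired)


def build_sample(now):
    """Constructed inventory: 10 daily snapshots, 6 weekly AMIs, 1 untagged entry."""
    sample = [
        {"id": f"snap-example-{i:02d}", "kind": "daily", "created": now - timedelta(days=i)}
        for i in range(10)
    ]
    sample += [
        {"id": f"ami-example-{i:02d}", "kind": "weekly", "created": now - timedelta(weeks=i)}
        for i in range(6)
    ]
    # A snapshot that lost its tag: old, but must not be auto-selected.
    sample.append({"id": "snap-example-untagged", "kind": "unknown",
                   "created": now - timedelta(days=400)})
    return sample


# Reference time for the sample: the presentation date.
NOW = datetime(2013, 7, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for backup_id in select_expired(build_sample(NOW)):
        print("expired:", backup_id)
```

Running this lists the three oldest daily snapshots and the two oldest weekly AMIs; the untagged entry is reported nowhere, which is the point of the fail-safe branch.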
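The inbound-rules slide states the port policy (80 and 443 to the internet; RDP 3389, MS SQL 1433 and the license manager ports 27000/27001 only from named IPs), and the earlier configuration slides add the 6080 alternative when the Web Adaptor is not used. The following is an added example, not the presenters' code: a Python check that audits security-group records shaped like the `IpPermissions` structure returned by `aws ec2 describe-security-groups` and reports any non-web port reachable from 0.0.0.0/0 or ::/0. The two groups, their IDs and the source CIDRs are constructed for the example; nothing here calls AWS. Note that 6080 is flagged because the stated policy allows only 80/443 to the internet; a deployment that intentionally skips the Web Adaptor would add 6080 to `PUBLIC_OK`.

```python
"""Audit EC2 security-group inbound rules against an 80/443-only internet policy.

Added example, not the presenters' code. Security-group records are
constructed to resemble describe-security-groups output; no AWS calls.
"""
import ipaddress

# Policy from the slides: only HTTP/HTTPS face the internet; management
# ports are limited to specific source IPs.
PUBLIC_OK = {80, 443}
ADMIN_PORTS = {3389: "RDP", 1433: "MS SQL",
               27000: "ArcGIS License Manager", 27001: "ArcGIS License Manager"}


def is_world(cidr):
    """True when the source matches any address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_ranges(ports):
    """Collapse a set of port numbers into sorted (low, high) runs."""
    runs, start, prev = [], None, None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            runs.append((start, prev))
            start = prev = p
    if start is not None:
        runs.append((start, prev))
    return runs


def audit_security_group(sg):
    """Return one finding per rule exposing a non-web port to the whole internet."""
    findings, gid = [], sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [s for s in sources if is_world(s)]
        if not world:
            continue  # restricted to named source IPs: acceptable for any port
        proto = perm.get("IpProtocol")
        if proto == "-1":
            findings.append(f"{gid}: all traffic open to {', '.join(world)}")
            continue
        if proto not in ("tcp", "udp"):
            findings.append(f"{gid}: all {proto} open to {', '.join(world)}")
            continue
        exposed = set(range(perm["FromPort"], perm["ToPort"] + 1)) - PUBLIC_OK
        for lo, hi in port_ranges(exposed):
            label = ADMIN_PORTS.get(lo, "non-web port") if lo == hi else "port range"
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{gid}: {label} {span}/{proto} open to {', '.join(world)}")
    return findings


def rule(proto, lo, hi, *cidrs):
    """Build one IpPermission entry in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": []}


# Constructed: an initial deployment where SQL and ArcGIS 6080 face the internet.
LOOSE_SG = {"GroupId": "sg-example-loose", "IpPermissions": [
    rule("tcp", 80, 80, "0.0.0.0/0"),
    rule("tcp", 443, 443, "0.0.0.0/0"),
    rule("tcp", 3389, 3389, "203.0.113.0/24"),
    rule("tcp", 1433, 1433, "0.0.0.0/0"),
    rule("tcp", 27000, 27001, "198.51.100.10/32"),
    rule("tcp", 6080, 6080, "0.0.0.0/0"),
]}

# Constructed: the same group after applying the slide's policy.
HARDENED_SG = {"GroupId": "sg-example-hardened", "IpPermissions": [
    rule("tcp", 80, 80, "0.0.0.0/0"),
    rule("tcp", 443, 443, "0.0.0.0/0"),
    rule("tcp", 3389, 3389, "203.0.113.0/24"),
    rule("tcp", 1433, 1433, "203.0.113.0/24"),
    rule("tcp", 27000, 27001, "198.51.100.10/32"),
]}

if __name__ == "__main__":
    for group in (LOOSE_SG, HARDENED_SG):
        for finding in audit_security_group(group) or [f"{group['GroupId']}: no findings"]:
            print(finding)
```

The check treats any rule limited to a specific CIDR as acceptable regardless of port, which matches the slide's "by IP" wording; a stricter version would also warn on very broad source ranges, but that threshold is a local decision.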
  • 22. GAL (GIANT ACRONYM LIST)
    1) AGS - ArcGIS Server
    2) AMI - Amazon Machine Images
    3) ATO - Authority to Operate
    4) AWS - Amazon Web Services
    5) BYOL - Bring Your Own License
    6) C&A - Certification and Accreditation
    7) EC2 - Elastic Cloud Compute
    8) FedRAMP - Federal Risk and Authorization Management Program
    9) FISMA - Federal Information Security Management Act of 2002
    10) HHS - Department of Health and Human Services
    11) IAM - Identity and Access Management
    12) RDP - Remote Desktop Protocol
    13) RDS - Relational Database Service
    14) S3 - Simple Storage Service
    15) SES - Simple Email Service
    16) SMTP - Simple Mail Transfer Protocol
    17) VPC - Virtual Private Cloud

  • 23. FOR MORE INFORMATION
    - Amy Ramsdell, aramsdell @ blueraster.com, 703-842-0177, www.blueraster.com, blog.blueraster.com
    - Tai Phan, [email protected], 202-502-7431, nces.ed.gov/surveys/sdds/index.aspx