On-Demand HostingAuto-Provisioning Hosting Services

at EPA

November 2, 2010

Rebecca Astin and David Pritchett

2

Agenda

• Goals, Purpose and Benefits

• New On-line Ordering and Auto-Provisioning

Tool

• On-line Service Offering

• Managed Development Environment

• On-line Ordering Interface

• Future Service Offerings

3

Purpose

• Purpose: To provide an efficient and streamlined cloud hosting service to EPA Hosting customers

• The solution must be…– On-Demand, Self-Service: Order services at any time with

minimal human intervention

– Broadly Accessible: Available over LAN/WAN network via common protocols/clients

– Use Pooled Resources: Supports multi-tenancy via dynamically assigned and re-assigned physical and virtual resources

– Rapidly Elastic: Scale usage in any quantity at any time

– Measured Service: Resources are controlled, monitored, and optimized based on real time metrics

4

Benefits

• On-Demand Hosting– Users can request services in as little as three days with

division and ISO approval

– Servers are available using standard ports and protocols

across EPA LAN/WAN and via AAA

– Servers are hosted in a virtual cloud environment at NCC

– Can request software, processing power, memory, disk space,

server restarts, etc. as required (Rapid Elasticity)

– Solution is monitored and status/usage is available via web

interface

• Service is available in Pilot Mode until March 2011

5

On-line Ordering Interface

• Self-service ordering via Web Interface

– Extranet site (Log-in required – WAM credentials)

– Website Available: December 1, 2010

• New services available to all EPA employees

• Pre-defined selections for hardware and software

• Required WCF products and services calculated based

on selections made

• Service requests are automatically routed for review

and approval

• Services can be provisioned, de-provisioned and

reconfigured via the Web interface

6

Current Service Offering

• Managed Development Environment

– NCC Private Cloud (on-site)

– FISMA complaint virtual server

– Isolated from EPA’s production network

– Behind Network Extension Firewall

– Red Hat Linux (Windows coming soon)

– Accessible from EPA’s network and remotely via AAA

– VMs protected by server-level firewalls (Reflex)

– Supports HTTP/80, HTTPS/443, FTPS/21, SSH/22,

SQLNet2/1521 and MySQL 3306

7

Server Details• Server Type

• Data Disk Size

– 10gig, 20gig, or 40 gig

• Guest Operating System (OS)

– RedHat Linux 4 (32 bit) – Small and Medium Only

– RedHat Linux 4 (64 bit) – Small, Medium, Large

– RedHat Linux 5 (32 bit) – Small and Medium Only

– RedHat Linux 5 (64 bit) – Small, Medium, Large

Small Medium Large

Virtual CPU 1 2 4

Memory 2 gig 4 gig 8 gig

OS Disk Size 18 gig 18 gig 18 gig

8

Technical Architecture Network Extension + Virtual Firewalls

Intranet VMWareCluster

ESXiCluster

Prod/StageVMs

Internet

AAA

Provides Software

Depot Services

App Dev Env

CustomerVM

CustomerVM

App Dev Env

CustomerVM

CustomerVM

ReflexVM

ReflexVM

AgencyFW

RedHatSatellite

EPA WAN Network134.67.XXX.XXX

JumpBox

VC ServerSQL Server

ESXiR710

ESXiR710

VMotionManagement w/ACL

NewScaleAuto Provision

IDSNetExt

FW

WAM

App Dev EnvReflex Virt FW behind Network Ext Fw

9

NCC’s Service Offerings

• Infrastructure as a Service (IaaS)– NCC managed FISMA compliant operating system

– Customer managed application platform and deployment

– Lowest cost option with minimal support

• Platform as a Service (PaaS)– NCC managed FISMA compliant operating system

– NCC managed application platform

– Support for Apache Web Server, Tomcat, JBoss, MySQL, and

LAMP

– Customer managed application deployment

10

Security

• Network Extension Firewall– Separates the development servers from the production

servers and isolates problems

• Virtual Firewalls (Reflex)– Supports Multi-Tenancy by creating zones around each

virtual server and groups of servers

– Allows Intranet, Extranet, and Public Access servers to run on the same physical hardware

– Manages access for each zone and subzone

– Documents communication ports and protocols

– Goal: Rules to follow server into production

Cluster Zone

Inter Customer Zone

Net Ext FW

Customer 2Customer 1 Customer 3

DMZ Intra

11

Private Cloud Services

12

Private Cloud - Development Server “Overview”

13

Customer Information

14

Server Details

15

Server Details - Owner

16

Platform Details

Pg 15

• Include Additional

Software?– If no, skip to next question (Software

to Install will not be displayed)

– If yes, select software

• Software Selections– Apache Web Server

– Apache Tomcat

– JBoss

– MySQL

– PHP

17

Server Details - Alias

Default: http://nccdevReq#.rtpnc.epa.gov Alias: http://alias.nccdev.rtpnc.epa.gov

18

Billing Information

19

Monthly WCF ServicesIaaS(Managed OS)

PaaS(Managed OS & Platform)

VM Server Hosting Fee (includes OS Installation and licenses)

UH-VM$1,100

UH-VM$1,100

VM Hardware Fee (based on #CPU and memory of server)

UH-HW$36 per core$8.33 per gig

UH-HW$36 per core$8.33 per gig

Disk Space UC-DED$7.31 per gig

UC-DED$7.31 per gig

Application Platform Installation and Maintenance

N/A XS-DED $567

Hardware set-up and Configuration

UH-ODC$2,000 (one-time)

UH-ODC$2,000 (one-time)

Technical Consulting TZ (as needed) TZ (as needed)

No Cost Pilot Period – thru March 30, 2011

20

eBusiness Approvals

• When an order is placed, an e-mail is sent to

the hosting and custom application workload

capture team (WLC)

• WLC team places an order for each service in

eBusiness (same process as an ADC today)

• When eBusiness account manager approves

the order, WLC team will associate the

registration IDs with your order in the On-

Demand Hosting request system

21

Network Communication

• Predefined ports and protocols– HTTP-80

– HTTPS-443

– FTP-21

– SQLNet-1521

– MySQL-3306

– SSH-22

• Additional ports and protocols available thru

the Firewall Rule Request process

• Available via AAA (must select “yes” on order

screen)

22

Server Management

• NCC Server Administrators will manage the operating

system for both IaaS and PaaS

• NCC Server Administrators will manage the application

platform for PaaS

• Customer will have “Custodian Administrator” rights

– Provided limited Sudo rights to perform basic

functions

• Custodian Administrators will log-in with WAM

credentials

– Authentication via WAM ID (EPA Employees: LANid)

– Must have a POSIX compatible WAM ID (Externals)

23

Service Approval

• Orders for service must be approved by the following individuals PRIOR to fulfillment:

– Customer Owner (if ordered “On Behalf”)

– Customer Division Director

– Organization’s Primary ISO

– eBusiness Account Manager

• Approvals happen in succession and cannot be obtained concurrently

• Owner, Division Director and ISO approvers will receive an e-mail with instructions on how to review and approve your request

• eBusiness account manager will follow eBusiness procedures for approving WCF orders

24

Service Approval

25

Terms of Service

• NCC will manage the the Operating System

• For IaaS, customer will be responsible for all application

platforms added to the server

• For PaaS, NCC will be responsible for all application

platforms added to the server

• Technical support available through WCF Service TZ

• NCC reserves the right to shut down any server that

negatively impacts the development environment

• Customer shall use the development server for

development purposes only

26

Service Delivery• Begins after ALL approvals are received

• Server will be cloned from a base template in VMware

• The On-Demand Hosting request system will issue commands to automatically reconfigure the server to specified configuration and to allocate data disk space

• NCC Server Administrators will assign IP address and check the server configuration

• Software teams will receive installation instructions if NCC is to install and manage application platform

• WAM team will add Custodian Administrators to the server group in OID and check for ID compatibility (POSIX)

• Server owner and Custodian Administrators will receive log-in instructions

27

Service Confirmation

28

Tracking Your Order

• Progress on order fulfillment is available via

the Delivery Process Tracking Screen

29

Managing Your Service

Once server is delivered, you can…

• Examine server set-up (IP address, DNS entry, Software Installed, Memory, Processors Disk Space, Cost, etc.)

• Request modifications

30

Future On Demand Services

• Add additional server support services

– Add/remove Custodian Administrators

– Change Server Owner

– Change Program Office/Region Ownership

– Change eBusiness Account Number

• Web account registration and decommission

(processes currently performed in TSSMS)

• Windows operating system for development

environment

31

Ordering System Integration

• Automate WCF service ordering process

• Automate OID group association (for

authorization)

• Automate the ADC record entry

• Provide DNS lookup for available aliases

• Provide access to download pre-configured

application platforms

32

Contacts:Rebecca Astin

newScale Project ManagerAstin.Rebecca@epa.gov

919-541-1555

David PritchettnewScale Technical Architect

Pritchett.David@epa.gov919-541-2798