Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid IT Approach and
Technologies with the AWS Cloud
June 20, 2016
Dario Rivera – Solutions Architect – Amazon Web Services
Dan Thomas – Chief Engineer - DC Health Benefit Exchange Authority

Session agenda
• Introduction
• Hybrid and AWS
• Implementing Hybrid Ops
• Common Hybrid Apps
• Use Case: DC Health Benefit Exchange Authority

Cloud is an ALL or NOTHING proposition

Why are customers choosing AWS
to implement hybrid?

Scale
Service
Breadth
Service
Depth
Security

Broad accreditations and certifications

* As of 1 June 2016
2009
48
280
722
82
2011 2013 2015
AWS has been continually expanding its’ services to support virtually any cloud workload
and now has more than 70 services that range from compute, storage, networking,
database, analytics, application services, deployment, management and mobile. AWS
has launched a total of 368 new features and/or services year to date* - for a total of
2,263new features and/or services since inception in 2006.
AWS Pace of Innovation

TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Solutions
Architects
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
AWS
MARKETPLACE
Backup
Big Data
& HPC
Business
Apps
Databases
Development
Industry
Solutions
Security
MANAGEMENT
TOOLS
Queuing
Notifications
Search
Orchestration
Email
ENTERPRISE
APPS
Virtual
Desktops
Storage
Gateway
Sharing &
Collaboration
Email &
Calendaring
Directories
HYBRID CLOUD
MANAGEMENT
Backups
Deployment
Direct
Connect
Identity
Federation
Integrated
Management
SECURITY &
MANAGEMENT
Virtual Private
Networks
Identity &
Access
Encryption
Keys
Configuration Monitoring Dedicated
INFRASTRUCTURE
SERVICES
Regions
Availability
Zones
Compute
Storage
(object,
block)
Databases
SQL, NoSQL,
Caching
CDNNetworking
PLATFORM
SERVICES
APP
Mobile
& Web
Front-end
Functions
Identity
Data Store
Real-time
DEVELOPMENT
Containers
Source
Code
Build
Tools
Deployment
DevOps
MOBILE
Sync
Identity
Push
Notifications
Mobile
Analytics
Mobile
Backend
ANALYTICS
Data
Warehousing
Hadoop
Streaming
Data
Pipelines
Machine
Learning

• Secure, flexible networking between
cloud and on-premises
• Secure, federated access
management
• Management tools for hybrid
environments
• Integrated monitoring tools
HYBRID OPS - REQUIREMENTS

Secure, flexible connectivity
OPS | NETWORKING
AWS Direct Connect
• Extend your data center network to the
AWS cloud using a leased-line/circuit
• Secure, consistent performance on a
private network - avoid internet traversal
• Lower data transfer costs (vs VPN)
• 1 Mbps to multiple 10 Gbps
• Simpler management of multi-VPC
environments
• IPSEC VPNs can also be used for small
deployments, POCs, and extra
redundancy

Secure, flexible networking
OPS | NETWORKING
Amazon Virtual Private Cloud
• Create a software-defined network
topology for your cloud including private
and public subnets (RFC1918), routing,
firewall policies and NAT
• Connect VPCs together using peering, or
directly to your data center and offices
Implement network isolation at any level, e.g.
• App environment, tier, business unit, team,
application / project and data classification

Your Data Center
IPSEC VPN
Tunnels(x2)
AWS Direct Connect
Peering Location
Circuit(s), e.g
Metro Ethernet
AWS
Fibre cross connect
Terminated on an AWS
or customer managed gateway
(Internet)
Network Extension
OPS | NETWORKING

(Optional) Bring your favorite security tools
Unified Threat
Management & WAF
VPN / Routing,
Application Delivery,
Key Management
AVAILABLE NOW

• Secure, flexible networking
between cloud and on-premises
management
environments
Amazon Virtual Private
Cloud (Amazon VPC)
AWS Direct Connect

Federated Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Directory Service – AD Connector
• Easily federate your corporate Active
Directory environment to AWS and enable
single sign-on – no need for SAML
infrastructure
• Proxy only – does not store credentials
• Supports RADIUS-based MFA
• Connects to Domain Controllers in your
VPC or on-premises Domain Controllers
Customers can also use ADFS or partner
solutions

AWS Identity & Access Management
AWS Identity and Access Management
• Securely control access to AWS services
and resources
• Combine IAM and AD Connector to
develop role based security policies for
AWS resources using your existing AD
identities
• Fine grained control of permissions with
auditing via AWS CloudTrail

AWS Management
Console
Your Identity Provider
e.g., Active Directory
IAM
(Federated users)
Policies AWS Services &
Resources
AD Connector – (Proxy only)
AWS Directory Service
Forward Authentication
Access per IAM
policies
Authentication
Authorization
Allow / deny

AWS Management
Console
Your Identity Provider
e.g., Active Directory
IAM
(Federated users)
Policies AWS Services &
Resources
AD Connector – (Proxy only)
Forward Authentication
Access per IAM
policies
Authentication
Authorization
Allow / deny
Ready in
15 minutes!

AWS Identity Federation Partners

between cloud and on-premise
management
environments
Cloud (Amazon VPC)
AWS Direct Connect
AWS Identity & Access
Management (IAM)

management
environments
Cloud (Amazon VPC)
AWS Direct Connect
AWS Identity & Access
Management (IAM)

Step 1 –
Use a “cloud broker”
OPS | MANAGEMENT

Start by experimenting with
different tools
(and try open source)

ANSIBLE
Configuration management
HASHICORP PACKER
Build machine and container
images (cross platform)
HASHICORP TERRAFORM
Create and deploy application
templates (cross platform)
AWS CLOUDFORMATION
Application templates
(AWS only)
Common
Examples
OPS | MANAGEMENT

HASHICORP PACKER
Build cross platform machine
and container images
VMWare
(vmx or ISO)
AWS
(Amazon Machine Image)
OpenStack, etc…
Parallel Build
Source
config
OPS | MANAGEMENT

resource "aws_elb" "frontend" {
name = "frontend-load-balancer"
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
instances = ["${aws_instance.app.*.id}"]
}
resource "aws_instance" "app" {
count = 5
ami = "ami-043a5034"
instance_type = "m1.small"
}
HASHICORP TERRAFORM
Application Templates
Ex: Create 5 servers and put them behind a load balancer
OPS | MANAGEMENT

Stack Template
References
Post-
processing
Executes
API / CLI
App Stack
E.g. 3 Tier
Prod Web
Configures
Deploys
(App)
Configures
Deploys
(Infra)
AnsiblePacker
Terraform
Build automation for hybrid environments
OPS | MANAGEMENT

Importing existing VM images
AWS Management Portal for
VMWARE vCenter
AWS VM Import
Point and click
migration for VMware
Migrate VMWare, Hyper-V
and Citrix Xen images
OPS | MANAGEMENT

AWS Import / Export
Snowball
• 80 TB Amazon-owned appliance design
to help move petabytes of data per week
• 256-bit data encryption (KMS)
• Tamper resistant, durable and rugged
enclosure
• 10 GB network – takes ~13 hours to load
a 50 TB Snowball
Use Snowball to move data centers, large
data sets, or individual VMs
OPS | MANAGEMENT

AWS Application Discovery Service
Overview
 Agents deployed on source hosts
 Windows & Linux support
 Capture system inventory, performance,
and dependencies
 Capture and store secured data to AWS
 API access to discovered assets
 Output to CSV or XML
 Can be imported into a third-party
migration or visualization tool
Discovery
Agents Discovery DB
AWS Application
Discovery Service
On-premises data center
Encrypted
data
Internet

management
environments
VPC & Direct Connect IAM, Directory Service
Packer, Terraform, Ansible and VM Import

Amazon
CloudWatch
APPLICATION
PERFORMANCE
OPERATIONAL
ANALYTICS
AWS platform &
service metrics
Splunk App for AWS
API Integration
AppDynamics
OPS | MONITORING

COST/Performance/
Reliability
MANAGEMENT
• Track cloud best practices with reports,
dashboards, and email alerts
• Recommendations via historical usage
analytics
• Assure you are using Best Practices in the
AWS cloud
OPS | MONITORING
AWS Trusted
Advisor

management
environments
VPC & Direct Connect IAM, Directory Service

between cloud and on-premise
management
environments
VPC & DirectConnect IAM, Directory Service

Use Case: DC Health Link
Dan Thomas
Chief Engineer, DC Health Benefit Exchange Authority
CEO, IdeaCrew, Inc.

DC Health Link
Health Benefit Exchange Authority
(HBX) for District of Columbia
Serves DC residents, small businesses
members of Congress and staff
Health, dental, vision benefits
Only marketplace with sole distribution
channel for enrollment
As of March 2016, over 215K people
have come through DC Health Link

First Generation HBX
Some successes…
• Kentucky, California, New York
…and some setbacks
• Oregon, Hawaii
• HealthCare.gov
DC Health Link went live 10/1/2013,
and was one of only four HBXs that
opened on time & operated all day
(Bloomberg News)

Technology Drives DC Health Link
Customer Experience
If system is deficient or degraded:
• Cannot accurately determine financial assistance eligibility
• Cannot help consumers pick best coverage to meet their needs
and budget
• Someone who needs coverage may go uninsured or may be
unable to access needed care
• Uninsured are vulnerable to potentially catastrophic financial
burden

DC Health Link Behind the Scenes
Open Enrollments #1 & #2
Large infrastructure (250-plus VMs) in DC data centers
System Integrator struggled to deliver. After go-live, each
successive release further degraded system
Consumer experience adversely impacted, throughout OE 1 & 2,
both in terms of functionality and system performance
DC Health Link internal teams made heroic efforts to operate,
developing side-along systems, semi-automated, and manual
processes to help ensure enrollment data integrity and manage
exchange among trading partners

Heroic effort isn’t a
sustainable business model
Apparent by end of Open Enrollment #2 that IT strategy needed to change

Enroll Application Program
Devised plan in early 2015 to replace COTS
system with new “Enroll Application”
• Re-architect Web site using open source
technology
• Adopt Agile delivery model
• Move mission-critical functionality to
cloud in hybrid configuration
With only seven months’ development time,
new Enroll Application system went live
October 12, 2015
Today, Enroll Application is the only built-to-
purpose, open source HBX solution

Individuals &
Families
Employers
Insurers
Employees
MongoDB
RabbitMQ
(Message Bus)
Amazon AWS Primary Region
Actors
Brokers
Auto Scaling group
DC Health Link
Web Site / Portal
Identity
Management
Elastic Load
Balancing
DCHBX Enroll App
(Enrollment & Plan
Comparison)
VPC
Peering
Amazon AWS Secondary
Region
Disaster Recovery
(Pilot Light)
MongoDB
Application
Servers
Third-Party Premium
Billing Provider
MS SQL
Server
MySQL
Enterprise
Logging
EDI Engine
Baked
AMIs
Insurers
Third-Party Premium
Billing Provider Data
Center
DC Data Center
Financial Eligibility
Determination
Identity Verification
Auto Scaling group
Enterprise
Services
VPN
Connection
Amazon Cloud
Services
Amazon
CloudWatch
Amazon
SNS
Amazon S3
(Documents,
Logs, Backups,
etc.)
Amazon
ElastiCache
(Redis)
Amazon SES
(Confirmations,
Invitations,
Notices, etc.)
Email
Notifications
Real-Time
Data Replication Backups
Document
Upload/Retrieval
EDI
Files
Low-Latency
Transaction
Caching Emails
Alarms

AWS Enabled Hybrid Infrastructure Approach
DC Data Center
• Home page, HBX help, FAQs
• Identity and Access Management
• Financial assistance eligibility
determination
• Electronic Data Integration (EDI)
AWS Cloud
• Individual and employee registration,
benefit shopping, life events
• Employer registration, benefit
package definition, staff roster
management
• Broker registration, benefit package
quoting, client management
• Online payment, premium billing
62

Immediate Benefits of Built-to-Purpose System
in Cloud Environment
Improved customer experience
• Page count for customers to enroll/renew reduced by two-thirds
• Concurrent user capacity increased from 50 to 1,200-plus
• Average page load time (1.45 seconds)
• Average time on site reduced (6.5 minutes)
• Call center volume reduced 75% compared to first open enrollment
IT Efficiency & Productivity
• Provision IT resources in minutes, not days/weeks
• Auto-scaling for periodic peak loads
• Zero Downtime Deployment
• Fewer staff required to manage and support cloud infrastructure
Financial Sustainability
• Open source investment offset by eliminating millions $$ in COTS change orders and
maintenance costs
• Dramatically lower infrastructure costs

Meaningful Results
23% year-over-year increase in new individual and family
customers
74% of eligible residents enrolled for 2016 coverage
compared to national average of 46%
(Kaiser Family Foundation)
Third-lowest uninsured state
$2.9M per annum immediate COTS license fee savings
generated by Enroll Application

Considerations
When is Hybrid Cloud/Data Center Infrastructure a Good Solution?
• Low risk proofs-of-concept
• Development that parallels production systems
• Ability to distribute existing system components
• System provisioning needs are unclear or highly volatile system demands
Success Factors
• Entrepreneurial leadership/agency culture
• Program leader with a vision, passion for mission and Agile temperament
• Opportunity to demonstrate superiority of vision
• Ability to assemble technical team with key development and integration skills
• Third-party partner who can help bridge gaps and accelerate (we use A&T
Systems)

Resources
• Building a More Efficient Marketplace: Lessons from DC Health
Link’s Experience with Open Source Code:
http://nashp.org/building-a-more-efficient-marketplace-lessons-
from-dc-health-links-experience-with-open-source-code/
• Enroll Application code repository: https://github.com/dchbx/enroll
• HBX Canonical vocabulary: https://github.com/dchbx/cv
• IdeaCrew site: http://www.ideacrew.com

Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Similar to Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Hybrid IT Approach and Technologies with the AWS Cloud | AWS Public Sector Summit 2016

Editor's Notes