This session is recommended for anyone considering using the AWS cloud to augment their current capabilities. Adoption of cloud computing provides access to the benefits of new deployment models with significant cost and agility benefits. But how can the cloud benefit existing government organizations that have invested large amounts of resources in existing on-premises technologies? This session outlines several key factors to consider from the point of view of the large-scale IT shop stakeholder. Because each organization has its unique set of challenges in cloud adoption, this session compares some of the opportunities and risks of several hybrid cloud use-case models and then helps customers understand the cloud-native and third-party vendor options available that bridge the gap to the cloud for large-scale government environments.
8. AWS Pace of Innovation
[Chart: new features and/or services launched per year, for 2009 (48), 2011 (82), 2013 (280) and 2015 (722)]
AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range across compute, storage, networking, database, analytics, application services, deployment, management and mobile. AWS has launched a total of 368 new features and/or services year to date* - for a total of 2,263 new features and/or services since inception in 2006.
* As of 1 June 2016
9. [Slide graphic: the AWS platform, by category]
TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem
AWS MARKETPLACE: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security
MANAGEMENT TOOLS: Queuing, Notifications, Search, Orchestration, Email
ENTERPRISE APPS: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories
HYBRID CLOUD MANAGEMENT: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management
SECURITY & MANAGEMENT: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated
INFRASTRUCTURE SERVICES: Regions, Availability Zones, Compute, Storage (object, block), Databases (SQL, NoSQL, Caching), CDN, Networking
PLATFORM SERVICES: APP (Mobile & Web Front-end, Functions, Identity, Data Store, Real-time); DEVELOPMENT (Containers, Source Code, Build Tools, Deployment, DevOps); MOBILE (Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend); ANALYTICS (Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning)
11. HYBRID OPS - REQUIREMENTS
• Secure, flexible networking between cloud and on-premises
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools
13. Secure, flexible connectivity
OPS | NETWORKING
AWS Direct Connect
• Extend your data center network to the AWS cloud using a leased line/circuit
• Secure, consistent performance on a private network - avoid internet traversal
• Lower data transfer costs (vs VPN)
• 1 Mbps to multiple 10 Gbps
• Simpler management of multi-VPC environments
• IPSEC VPNs can also be used for small deployments, POCs, and extra redundancy
14. Secure, flexible networking
OPS | NETWORKING
Amazon Virtual Private Cloud
• Create a software-defined network topology for your cloud including private and public subnets (RFC1918), routing, firewall policies and NAT
• Connect VPCs together using peering, or directly to your data center and offices
Implement network isolation at any level, e.g.
• App environment, tier, business unit, team, application / project and data classification
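The topology slide 14 describes, as an added Terraform example (not code from the deck or from AWS): one RFC1918 VPC with a public subnet for the NAT gateway, a private subnet for application instances, a virtual private gateway for the on-premises route, and a security group that admits the application port only from the public tier and the corporate range. Region, CIDRs, names and the corporate range are assumed values; it targets Terraform 0.12+ with the hashicorp/aws provider 5.x.

```hcl
# Added example: minimal hybrid VPC layout. All names, CIDRs and the region are assumed.
provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "hybrid" {
  cidr_block           = "10.20.0.0/16" # RFC1918 range, assumed
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "hybrid-vpc" }
}

# Public subnet: only the NAT gateway and internet-facing load balancers live here.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.hybrid.id
  cidr_block        = "10.20.0.0/24"
  availability_zone = "us-east-1a"
  tags              = { Name = "hybrid-public-a", Tier = "public" }
}

# Private subnet: application and database instances, never given public IPs.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.hybrid.id
  cidr_block              = "10.20.10.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
  tags                    = { Name = "hybrid-private-a", Tier = "private" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.hybrid.id
}

# NAT lets private instances fetch updates without accepting inbound connections.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Virtual private gateway: termination point for the VPN / Direct Connect path to the data center.
resource "aws_vpn_gateway" "corp" {
  vpc_id = aws_vpc.hybrid.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.hybrid.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.hybrid.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
  route {
    cidr_block = "192.168.0.0/16" # assumed corporate range, reached via the VGW
    gateway_id = aws_vpn_gateway.corp.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Firewall policy for the private tier: application port from the public tier and
# the corporate network only; no 0.0.0.0/0 ingress anywhere in the private subnet.
resource "aws_security_group" "app_tier" {
  name   = "app-tier"
  vpc_id = aws_vpc.hybrid.id
  ingress {
    from_port   = 8000
    to_port     = 8000
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.public.cidr_block, "192.168.0.0/16"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The isolation levels the slide lists (environment, tier, business unit, data classification) come from repeating the subnet/route-table/security-group triple per boundary; the `Tier` tag is what a reviewer or a config-audit rule would key on to check that nothing tagged `private` has a route to the internet gateway.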
15. Network Extension
OPS | NETWORKING
[Diagram: your data center connects to AWS two ways: IPSEC VPN tunnels (x2) over the Internet, terminated on an AWS- or customer-managed gateway, and AWS Direct Connect via circuit(s), e.g. Metro Ethernet, to a peering location with a fibre cross connect into AWS.]
16. (Optional) Bring your favorite security tools
Unified Threat Management & WAF
VPN / Routing, Application Delivery, Key Management
AVAILABLE NOW
17. HYBRID OPS - REQUIREMENTS
• Secure, flexible networking between cloud and on-premises: Amazon Virtual Private Cloud (Amazon VPC), AWS Direct Connect
• Secure, federated access management
• Management tools for hybrid environments
• Integrated monitoring tools
19. Federated Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Directory Service – AD Connector
• Easily federate your corporate Active Directory environment to AWS and enable single sign-on – no need for SAML infrastructure
• Proxy only – does not store credentials
• Supports RADIUS-based MFA
• Connects to Domain Controllers in your VPC or on-premises Domain Controllers
Customers can also use ADFS or partner solutions
20. AWS Identity & Access Management
OPS | SECURE ACCESS MANAGEMENT
AWS Identity and Access Management
• Securely control access to AWS services and resources
• Combine IAM and AD Connector to develop role-based security policies for AWS resources using your existing AD identities
• Fine-grained control of permissions with auditing via AWS CloudTrail
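How the IAM side of slides 19 and 20 fits together, as an added Terraform example (not code from the deck or from AWS): a role whose trust policy lets AWS Directory Service (the `ds.amazonaws.com` service principal that AD Connector uses when it maps an AD group to a role) assume it, a least-privilege permissions policy scoped by resource tag, and a multi-region CloudTrail so every call made under the role is attributed to the federated AD user. Role name, tag value and bucket name are assumed; it targets Terraform 0.12+ with the hashicorp/aws provider.

```hcl
# Added example: AD-Connector-assumable role with a tag-scoped policy and a CloudTrail audit trail.
# Names, tag values and the bucket name are assumed.

# Trust policy: Directory Service assumes the role on behalf of the mapped AD group.
data "aws_iam_policy_document" "ds_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ds.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ad_ec2_operators" {
  name               = "AD-EC2-Operators" # assumed
  assume_role_policy = data.aws_iam_policy_document.ds_trust.json
}

# Permissions: read any EC2 state, but start/stop/reboot only instances tagged for this team.
data "aws_iam_policy_document" "ec2_operator" {
  statement {
    sid       = "ReadOnly"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
  statement {
    sid       = "ControlTaggedInstances"
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Team"
      values   = ["hbx-ops"] # assumed tag value
    }
  }
}

resource "aws_iam_role_policy" "ec2_operator" {
  name   = "ec2-operator"
  role   = aws_iam_role.ad_ec2_operators.id
  policy = data.aws_iam_policy_document.ec2_operator.json
}

# Audit trail: CloudTrail writes API activity (including the federated user name)
# to a bucket that only the CloudTrail service principal may write to.
resource "aws_s3_bucket" "trail" {
  bucket = "example-org-cloudtrail-logs" # assumed; must be globally unique
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

resource "aws_cloudtrail" "audit" {
  name                          = "hybrid-audit"
  s3_bucket_name                = aws_s3_bucket.trail.id
  include_global_service_events = true  # IAM and STS calls are global events
  is_multi_region_trail         = true
  enable_log_file_validation    = true  # digest files let you prove the log was not altered
  depends_on                    = [aws_s3_bucket_policy.trail]
}
```

The mapping of an AD group to this role is done in the Directory Service console after the role exists; nothing in the AD domain itself changes, which is the point of the "proxy only, no stored credentials" bullet on slide 19. The tag condition is what turns "AD identity" into "AD identity limited to its own instances".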
21. OPS | SECURE ACCESS MANAGEMENT
[Diagram: the user signs in to the AWS Management Console; AWS Directory Service AD Connector (proxy only) forwards authentication to your identity provider, e.g. Active Directory; IAM treats the result as a federated user and grants access to AWS services and resources per IAM policies (authentication, then authorization: allow / deny).]
22. OPS | SECURE ACCESS MANAGEMENT
[Same diagram as slide 21.] Ready in 15 minutes!
32. Importing existing VM images
OPS | MANAGEMENT
AWS Management Portal for VMware vCenter: point-and-click migration for VMware
AWS VM Import: migrate VMware, Hyper-V and Citrix Xen images
33. AWS Import / Export Snowball
OPS | MANAGEMENT
• 80 TB Amazon-owned appliance designed to help move petabytes of data per week
• 256-bit data encryption (KMS)
• Tamper-resistant, durable and rugged enclosure
• 10 GB network – takes ~13 hours to load a 50 TB Snowball
Use Snowball to move data centers, large data sets, or individual VMs
34. AWS Application Discovery Service
Overview
• Agents deployed on source hosts
• Windows & Linux support
• Capture system inventory, performance, and dependencies
• Capture and store secured data to AWS
• API access to discovered assets
• Output to CSV or XML
• Can be imported into a third-party migration or visualization tool
[Diagram: Discovery Agents in the on-premises data center send encrypted data over the Internet to the AWS Application Discovery Service, which stores it in the Discovery DB.]
35. HYBRID OPS - REQUIREMENTS
• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments: Packer, Terraform, Ansible and VM Import
• Integrated monitoring tools
38. Cost / Performance / Reliability Management
OPS | MONITORING
AWS Trusted Advisor
• Track cloud best practices with reports, dashboards, and email alerts
• Recommendations via historical usage analytics
• Assure you are using Best Practices in the AWS cloud
39. HYBRID OPS - REQUIREMENTS
• Secure, flexible networking between cloud and on-premises: VPC & Direct Connect
• Secure, federated access management: IAM, Directory Service
• Management tools for hybrid environments
• Integrated monitoring tools
41. Use Case: DC Health Link
Dan Thomas
Chief Engineer, DC Health Benefit Exchange Authority
CEO, IdeaCrew, Inc.
42. DC Health Link
Health Benefit Exchange Authority (HBX) for District of Columbia
Serves DC residents, small businesses, members of Congress and staff
Health, dental, vision benefits
Only marketplace with sole distribution channel for enrollment
As of March 2016, over 215K people have come through DC Health Link
43. First Generation HBX
Some successes…
• Kentucky, California, New York
…and some setbacks
• Oregon, Hawaii
• HealthCare.gov
DC Health Link went live 10/1/2013, and was one of only four HBXs that opened on time & operated all day (Bloomberg News)
44. Technology Drives DC Health Link Customer Experience
If the system is deficient or degraded:
• Cannot accurately determine financial assistance eligibility
• Cannot help consumers pick the best coverage to meet their needs and budget
• Someone who needs coverage may go uninsured or may be unable to access needed care
• Uninsured are vulnerable to potentially catastrophic financial burden
45. DC Health Link Behind the Scenes
Open Enrollments #1 & #2
Large infrastructure (250-plus VMs) in DC data centers
System Integrator struggled to deliver. After go-live, each successive release further degraded the system
Consumer experience adversely impacted, throughout OE 1 & 2, both in terms of functionality and system performance
DC Health Link internal teams made heroic efforts to operate, developing side-along systems, semi-automated, and manual processes to help ensure enrollment data integrity and manage exchange among trading partners
46. Heroic effort isn’t a sustainable business model
Apparent by end of Open Enrollment #2 that IT strategy needed to change
47. Enroll Application Program
Devised plan in early 2015 to replace COTS system with new “Enroll Application”
• Re-architect Web site using open source technology
• Adopt Agile delivery model
• Move mission-critical functionality to cloud in hybrid configuration
With only seven months’ development time, the new Enroll Application system went live October 12, 2015
Today, Enroll Application is the only built-to-purpose, open source HBX solution
48. [Architecture diagram: DC Health Link hybrid deployment]
Actors: Individuals & Families, Employers, Employees, Brokers, Insurers
Amazon AWS Primary Region: DC Health Link Web Site / Portal and DCHBX Enroll App (Enrollment & Plan Comparison) on application servers in an Auto Scaling group behind Elastic Load Balancing; Identity Management; MongoDB; RabbitMQ (Message Bus); baked AMIs; VPC Peering to the secondary region
Amazon AWS Secondary Region: Disaster Recovery (Pilot Light) with MongoDB and application servers (real-time data replication from the primary region)
Amazon Cloud Services: Amazon CloudWatch (alarms), Amazon SNS (email notifications), Amazon S3 (documents, logs, backups, etc.: document upload/retrieval, EDI files, backups), Amazon ElastiCache (Redis: low-latency transaction caching), Amazon SES (confirmations, invitations, notices, etc.: emails)
DC Data Center (VPN connection to AWS): Enterprise Services, Financial Eligibility Determination, Identity Verification, Enterprise Logging, EDI Engine, MS SQL Server, MySQL
Third-Party Premium Billing Provider Data Center: Third-Party Premium Billing Provider
49. AWS Enabled Hybrid Infrastructure Approach
DC Data Center
• Home page, HBX help, FAQs
• Identity and Access Management
• Financial assistance eligibility determination
• Electronic Data Integration (EDI)
AWS Cloud
• Individual and employee registration, benefit shopping, life events
• Employer registration, benefit package definition, staff roster management
• Broker registration, benefit package quoting, client management
• Online payment, premium billing
50. Immediate Benefits of Built-to-Purpose System in Cloud Environment
Improved customer experience
• Page count for customers to enroll/renew reduced by two-thirds
• Concurrent user capacity increased from 50 to 1,200-plus
• Average page load time (1.45 seconds)
• Average time on site reduced (6.5 minutes)
• Call center volume reduced 75% compared to first open enrollment
IT Efficiency & Productivity
• Provision IT resources in minutes, not days/weeks
• Auto-scaling for periodic peak loads
• Zero Downtime Deployment
• Fewer staff required to manage and support cloud infrastructure
Financial Sustainability
• Open source investment offset by eliminating millions of dollars in COTS change orders and maintenance costs
• Dramatically lower infrastructure costs
51. Meaningful Results
23% year-over-year increase in new individual and family customers
74% of eligible residents enrolled for 2016 coverage compared to national average of 46% (Kaiser Family Foundation)
Third-lowest uninsured state
$2.9M per annum immediate COTS license fee savings generated by Enroll Application
52. Considerations
When is Hybrid Cloud/Data Center Infrastructure a Good Solution?
• Low-risk proofs-of-concept
• Development that parallels production systems
• Ability to distribute existing system components
• System provisioning needs are unclear, or system demand is highly volatile
Success Factors
• Entrepreneurial leadership/agency culture
• Program leader with a vision, passion for the mission and an Agile temperament
• Opportunity to demonstrate superiority of vision
• Ability to assemble a technical team with key development and integration skills
• Third-party partner who can help bridge gaps and accelerate (we use A&T Systems)
53. Resources
• Building a More Efficient Marketplace: Lessons from DC Health Link’s Experience with Open Source Code: http://nashp.org/building-a-more-efficient-marketplace-lessons-from-dc-health-links-experience-with-open-source-code/
• Enroll Application code repository: https://github.com/dchbx/enroll
• HBX Canonical vocabulary: https://github.com/dchbx/cv
• IdeaCrew site: http://www.ideacrew.com
This session will provide a 100-200 level introduction into hybrid on AWS.
We’ll talk about the AWS hybrid story
And we’ll split the body of the session into two key parts
Implementing hybrid ops
Implementing apps
Then we’ll discuss an excellent use case on how Hybrid was implemented in Government with the DC Health Benefit Exchange Authority
…NEXT
Hybrid Ops provide the foundations, including networking, security and management tools
Hybrid Apps sit on top of these foundations. Later in the session we will talk about the common patterns for hybrid apps
At AWS, this is not an all-or-nothing proposition.
There are four dimensions to this.
Security is our #1 priority at AWS and we have invested heavily in improving security for all customers
Scale, 10x more than the others,
Breadth of services, more than 50 at last count
Depth of features, we are adding more than 1 new feature every single day.
Security certifications apply globally to all of our DCs
Security is also not a static craft at AWS. We are constantly evolving and just recently we announced we have achieved ISO 27018 certification, which relates to data privacy in the cloud
We also announced a number of new security products, including a security assessment service, Amazon Inspector, a WAF and a cloud governance solution called AWS Config Rules
Note to AWS Employees: Please note that we are no longer providing a bar chart comparing 2015 year-to-date to previous years in this deck. We will provide a final launch number at the close of each year going forward. It is ok, however, to verbally disclose the current year-to-date launch count in your own presentations/customer materials.
Complete technology and enterprise services platform
Compute Server Storage Networking Security
Enterprise Apps for email, virtual desktops, directory services
Mobile development tools, scalable Analytics infrastructure and now reporting tools like Quicksight,
Marketplace offers easy software and infrastructure procurement
Enterprise Support, professional services and training
So how do you capitalise on these products and services?
In this section we will talk about how companies start by laying the foundations for a hybrid operating model.
This is the type of plumbing that enterprises have told us they need to implement
The first thing that is critical is secure, reliable networking
Next, we need to make it easy for companies to connect their access management systems like Active Directory to the cloud
Then, enterprises need tools that work with both AWS and their on-premise infrastructure
Finally, monitoring tools that can keep your services running smoothly
As a best practice we don’t disclose locations of our data centers, and so we use peering partners like Equinix who provide a demarcation point and cross connect into our cloud services.
DX is a Layer 3 service between AWS and your co-lo.
BGP and HSRP for failover etc.
Customers can use multiple DX circuits and VPNs for redundancy, and BGP/HSRP to manage failover
If you have additional security products in your on-premise environment you can bring them along with you.
AWS Marketplace makes procuring and implementing these solutions a one-click experience. Licensing is handled by Marketplace and fees are automatically charged to your AWS account. Once purchased, Marketplace installs the solution into the VPC of your choice.
There are thousands of products across multiple categories like security, business intelligence and management in AWS Marketplace
So I’ve shown you how easy it is to set up high-performance, secure and scalable connectivity and networking between AWS and your existing environment using Direct Connect and VPC. Let’s move on to the next step …. NEXT
Secure access management is the next step…NEXT
AWS Directory Service is a fully managed directory service that operates in two modes. One is as a standalone Samba 4 compatible directory.
The other is as a Connector (or Proxy) to your Active Directory environment.
With a few clicks you can have your corporate AD environment federated with AWS for secure access management and single sign-on. This means your AD identities can be associated with permissions to AWS platform services, such as the ability to create and terminate EC2 instances. In CloudTrail, which keeps a log of activities – down to the API level – you will be able to see the individual AD user and what action they attempted to perform.
IAM is our policy-driven access management system. It is extremely fine grained.
You can use IAM's built-in identities, or federate, to link IAM to your existing AD environment
Using AWS Directory Service and AD Connector it takes just 15 minutes to set up!
For those who want to use their existing Identity Management solutions, we have partnered with all the leading vendors, including those which you can see here
Almost every company we work with that is implementing a hybrid strategy is actually choosing just one cloud to partner with. Customers tell us they prefer a cloud partner with a large breadth and depth of services.
Multi-cloud is being talked about as a potential long term option, but they are all starting with one knowing that the beginning of a long journey starts with a few humble footsteps.
Cloud brokers, or systems that abstract customers from cloud providers APIs, products and services, negate just about all of the benefits of the cloud. Broker platforms are slow to respond to or never support new services, features and API. They can become bottlenecks and introduce reliability issues. In fact, many brokers stop at “VM” integration which is simply not enough.
Open source has well and truly arrived and it is an extremely viable, and in many cases better, alternative to commercial solutions. OSS is free, often field tested at scale and is updated frequently. Some of the world's largest startups like Netflix use AWS and are building ecosystems of management tools to add additional features and capabilities.
Enterprises are using tools like these to fully automate the deployment of their applications
HashiCorp Packer: solves the problem of building multi-platform (VMware, AWS) machine images
Terraform: allows you to describe an application stack (e.g. 3 tier) as a template and then use that template to deploy app environments
Ansible: a popular configuration management tool for scripting changes to virtual machines, EC2 instances and applications
Describe the basic machine type (specifications, running services etc. and the types of images you want to produce, the “builders”) and Packer automatically generates those images (AMI, VMX etc.)
Terraform uses a similar JSON-based format. This script for an application running on AWS creates 5 Amazon EC2 instances of “m1.small” type and puts them behind an AWS-managed load balancer on port 80 and routes through to internal port 8000.
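The stack that note describes, written out as an added Terraform example (not the deck's own script, which is not reproduced on the page): five `m1.small` instances behind a classic Elastic Load Balancer that listens on port 80 and forwards to instance port 8000. It goes one step beyond the note by pairing the stack with two security groups so that only the load balancer is reachable from the internet and the instances accept port 8000 solely from the load balancer's group. The AMI id, VPC id and subnet ids are variables the reader supplies; it targets Terraform 0.12+ with the hashicorp/aws provider.

```hcl
# Added example: 5 x m1.small behind a classic ELB, 80 -> 8000, with the instance tier
# reachable only from the load balancer. AMI, VPC and subnets are supplied as variables.
variable "ami_id" {}
variable "vpc_id" {}
variable "subnet_ids" { type = list(string) }

# The load balancer is the only internet-facing component.
resource "aws_security_group" "elb" {
  name   = "web-elb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 8000
    to_port     = 8000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # only the backend port leaves the ELB
  }
}

# Instances accept port 8000 from the ELB's security group and nothing else.
resource "aws_security_group" "web" {
  name   = "web-instances"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8000
    to_port         = 8000
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  count                  = 5
  ami                    = var.ami_id
  instance_type          = "m1.small" # as in the note; a previous-generation type
  subnet_id              = element(var.subnet_ids, count.index) # spread across AZs
  vpc_security_group_ids = [aws_security_group.web.id]
  tags                   = { Name = "web-${count.index}" }
}

resource "aws_elb" "web" {
  name            = "web-elb"
  subnets         = var.subnet_ids
  security_groups = [aws_security_group.elb.id]
  instances       = aws_instance.web[*].id

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 8000
    instance_protocol = "http"
  }

  health_check {
    target              = "HTTP:8000/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

output "elb_dns_name" {
  value = aws_elb.web.dns_name
}
```

Referencing the ELB's security group id (rather than a CIDR) in the instance group's ingress rule is the detail to check in review: it means a new instance is not reachable on 8000 from anywhere except through the load balancer, whatever subnet it lands in.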
This is a common workflow in enterprise environments. Let’s walk through it
If you have existing VM images you can easily migrate them to AWS using these tools
What if you wanted to move lots of virtual machines or even an entire data center?
That’s where Snowball comes in.
Keys are not stored on the appliance
It can withstand a 6 G jolt
Customer/partner steps would be:
Set up web proxy (opt)
Deploy agents
Query, analyze and export data to DiscoveryDB
Play up the idea of partner- or customer-developed agents to populate the Discovery DB using public APIs. The APIs will be part of the standard AWS SDK, and we are releasing custom CLIs to consume the data easily.
So we have talked about how packer, terraform, ansible can help you implement automated builds across your on-prem and AWS environments
Now let’s talk about monitoring tools
AWS comes with a built-in monitoring platform called CloudWatch. CloudWatch provides useful dashboards, metrics and simple alerts for our platform services and features. Many of these are at the infrastructure level. But you WILL need more detail than that, so you will want to invest in or extend your existing tools.
New Relic and AppDynamics provide application and infrastructure performance management. And Datadog provides really detailed infrastructure monitoring.
These vendors all have integration with AWS and are multi-platform, supporting AWS cloud and on-prem infrastructure
Splunk App covers CloudTrail, AWS Config, EC2 ++
Now that you are paying as you go, it’s important to track your spend.
AWS provides native tools to do so, and it's easy to set up billing alerts.
Many of our enterprise customers also use a product called “Cloudability” which gives them detailed spending reports, usage analytics and tools to govern and regulate spending
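The native billing alert mentioned above, as an added Terraform example (not code from the deck or from AWS): a CloudWatch alarm on the account's `EstimatedCharges` metric that notifies an SNS e-mail subscriber when month-to-date spend crosses a threshold. Two facts it relies on: billing metrics are published only in us-east-1, and the account must have "Receive Billing Alerts" enabled in its billing preferences before the metric exists. Threshold and recipient address are assumed values; it targets Terraform 0.12+ with the hashicorp/aws provider.

```hcl
# Added example: billing alarm routed to SNS. Threshold and e-mail address are assumed.
provider "aws" {
  region = "us-east-1" # billing metrics live here regardless of where workloads run
}

resource "aws_sns_topic" "billing" {
  name = "billing-alerts"
}

resource "aws_sns_topic_subscription" "finance" {
  topic_arn = aws_sns_topic.billing.arn
  protocol  = "email"
  endpoint  = "finance@example.org" # assumed; the recipient must confirm the subscription
}

resource "aws_cloudwatch_metric_alarm" "monthly_spend" {
  alarm_name          = "estimated-charges-over-threshold"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  dimensions          = { Currency = "USD" }
  statistic           = "Maximum"
  period              = 21600 # billing data refreshes roughly every six hours
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 5000 # assumed monthly budget in USD
  alarm_description   = "Month-to-date AWS charges exceeded the agreed budget"
  alarm_actions       = [aws_sns_topic.billing.arn]
  treat_missing_data  = "notBreaching" # no data yet in a fresh account is not an overspend
}
```

Because the metric is cumulative for the month, a single alarm only tells you that a line was crossed; a second alarm at a lower threshold gives early warning, and the same pattern with a per-service `ServiceName` dimension isolates which service is growing.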
Finally, we added application performance monitoring and integrated Splunk for operational analytics
And you’re done.
Enterprises start with dev and test because it’s a low risk and high return prospect
Create application templates, implement CI, CD and make DevOps a reality.
Test full scale environments.
One thing I hear over and over again from developers is that there simply aren't enough development environments to go around
Developers want more, and they want their own discrete environments. And they want environments that replicate the performance dynamics of the production environment. What about a fully built and managed, data center clustered Oracle 12 database in 15 mins? Or SQL Server, MySQL, Postgres or even MariaDB?
And if you’re outsourcing development you also need to provide a secure workspace. With WorkSpaces, our virtual desktop as a service, it's easy to do this. Plus with the power of VPC, you can provide network-isolated environments.
J&J is in the process of rolling out 25,000 Amazon WorkSpaces for temporary employees
AWS have developer focused services for enterprises and startups.
Even if you’re not doing continuous integration and delivery, you can still harvest the benefits of our developer tools.
CodeCommit, Git compatible repository fully managed (we handle storage scalability, security and availability)
CodeDeploy to manage deployments. This is based on a tool named Apollo that Amazon has been building over the last 10 years as part of our journey towards micro-services.
The next step some customers take is to move Disaster Recovery environments to the cloud. Because enterprises are paying a lot of money for secondary sites that they seldom use. With AWS, you pay for what you use when you’re using it.
Not all customers move DR, in fact many skip it and move straight into production workloads.
If you decommission tape altogether, at the very least send your daily and weekly backups to AWS.
Companies like CommVault and Symantec have made that easy with NATIVE integration for AWS S3 as a storage provider.
Even if you don't use those products you can use the AWS Storage Gateway, a virtual appliance that asynchronously replicates data to Amazon S3. Likewise, ordinary server volumes mounted across iSCSI can be replicated into the AWS cloud, enabling you to protect specific systems or datasets attached to servers (like databases)
What about live replicating virtual machines and apps to AWS for DR? That’s possible too
Racemi and CloudVelox both provide solutions to do this and to fail over in the event of an issue.
Or consider this as a simple and cost effective insurance policy. Use VM Export to make a monthly copy of all of your VMs to a Snowball device and then import them back into the cloud as on-standby virtual machine instances.
So you got through dev and test and DR… and an amazing new digital project has come up.
First off, digital projects are the BEST place to start with AWS … so why is that
AWS is digital. In fact we have a lot of digital services, like IoT, machine learning, data analytics – but we wont have time to cover all of them in this session – so I’ll just focus on a few
We have a large variety of services. If you’re building a new mobile app from scratch then check out Mobile Hub. It is designed to help you ship your product faster by providing you with all the basic mobile app functionality including identity management and session storage, analytics, content delivery, and app testing.
If you have an existing app, or a project already underway, you should definitely check out Elastic Beanstalk. With EB, just upload the code and AWS does the rest, building the infrastructure (LB, app and database) and scaling to adapt to peaks in demand. Apps can take as little as 2 minutes to deploy and it supports all of the major languages and container types.
If you want to implement an app architecture that uses both on-prem and cloud, then you can – using Direct Connect. Just remember to keep the app and database together for a better customer experience.
DCHBX Executive Director Mila Kofman, DHHS Secretary Sylvia Burwell, DC Councilmember Brandon Todd
AWS Cloud services were key to rapid development and deployment of HBX core mission functions
Red Hat, Ruby on Rails, MongoDB NoSQL
17-plus AWS tools/services: S3, ElastiCache, SES, CloudWatch
Push-button provisioning: CloudFormation, Chef
Demand-based performance: AWS AutoScaling groups and launch configurations
FedRAMP-compliant environment
Disaster Recovery: pilot light environment in remote AWS region