Running Mission Critical Workloads on AWS

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rebeker Choi, Solutions Architect, AWS
October-16, 2018
Running Mission Critical Workloads
on AWS

Sponsor

What to Expect from the Session
• Walkthrough the best practice for deploying business critical
applications
• Dive deep into secure, highly available and scalable architectures
• Learn about AWS tools that will make you successful in
deployment and management

Why are customers running critical
workloads on AWS?

Why run critical workload on AWS
Security in layers approach
Extensive VM and network performance options
Building and managing cloud since 2006
18 regions, 55 availability zones, 100+ edge locations
Thousands of partners; 2,500+ Marketplace products
Security & Reliability
Performance
Experience
Scale & Reliability
Ecosystem

What is a Business Critical
Application?

Anatomy of a critical workload
Holds sensitive data, liability if breached or deleted
Large scale customer impact if not available
Loss of data, destruction of IP, productivity penalty
> 100 users, > $10K per minute, Contractual Liability
Secure
Available
Resilient
Material Impact

Business Applications on AWS
Today AWS customers run a wide array of business applications
Vendor Applications
SAP Business Suite, Netweaver, BusinessObjects, B1, HANA
Oracle eBusiness, PeopleSoft, Siebel, JDE, Database 11g/12c
Microsoft SharePoint, Exchange, Dynamics, SQL Server
IBM Websphere, DataStage
Infor LN, M3, Syteline, Lawson
Companies of all sizes run business applications

The Global Infrastructure

Resiliency starts with the core infrastructure
REGION
An independent collection of AWS
resources in a defined geography
A solid foundation for meeting
location-dependent privacy and
compliance requirements

Availability Zones
Low latency
ensures real data
replication
Distance
ensures high
availability
REGION
AZ A AZ B
AZ C

Availability Zones
Low latency
ensures real data
replication
Distance
ensures high
availability
REGION
AZ A AZ B
AZ C
Availability Zone
Designed as independent failure
zones. Physically separated within a
typical metropolitan region

AZ – Availability Zone
Network
multiple tier‐1 transit providers
Power
isolated electrical grids, UPS, onsite backup generator
Geo
isolated fault lines flood plains
Network
Power
Geo
Zone A Zone B
Each availability zone runs on its sown physically distinct, independent infrastructure

AZ – Availability Zone
Zone A Zone B
Network
Power
Geo
Network
Power
Geo
Web
DB Master
Load
Balancer
DB Slave
Web
Storage StorageSingle
digit ms

Availability

Multi-AZ Deployment
10.1.0.0/16
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
10.1.4.0/24
10.1.5.0/24
10.1.6.0/24
Availability Zone - A
Availability Zone - B
Private SubnetPrivate SubnetPublic Subnet

Multi-AZ Deployment
TCP 80
Users
DB
DB
WEB /
App
WEB /
App
Load Balancer

Options for Deploying SQL Server on AWS
Amazon RDS Databases on Amazon EC2
Versions Supported: MSSQL, Oracle, MySQL, Postgres, MariaDB Any DBs
High Availability: Self-managed; AlwaysOn, Mirror, Log ShipAWS-managed, Multi-AZ
Encrypted storage using AWS KMS (all editions); TDE supportEncryption:
Maintenance plans & third-party toolsManaged automated backupsBackups:
DB Install / Maintenance / PatchingDB Install / Maintenance / PatchingDatabase
OS Install / Maintenance / PatchingOS Install / Maintenance / PatchingOperating System:
Customer-
managed
AWS-managed
1 2

What does it look like after RDS is up?
Availability Zone A
AWS Region
10.1.0.0/16
10.1.1.0/24
Availability Zone B
10.1.2.0/24
Synchronous replication
Same
instance
type as
master
• Managed high availability across
multiple datacenters
• No application code change
• 60-120 seconds failover time
• RPO = zero
Automatic failover
Synchronous replication
dbinstancename.1234567890.us-west-2.rds.amazonaws.com:3006
Application

Multi-AZ Deployment
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
ü Improved high availability
across multiple availability
zones
ü Offload operation tasks to
AWS
ü AWS deals with licenses
Benefits:

Scalability & Performance

M2
2nd Generation
Compute
M4
4th Generation
Compute
Upgrade Your Compute

Increase your server farms capacity
Vertical Scaling
CPU, Disk Read/Write,
Network In/Out
Horizontal Scaling
m4.large m4.large
m4.large
2 vCPU, 8GB RAM
m4.xlarge
4 vCPU, 16GB RAM
m4.large m4.large m4.large m4.large m4.large m4.large m4.large m4.large

Web/App tier - Aut-Scaling
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
Auto-scaling based
on different metrics,
e.g. CPU, memory,
network, number of
requests, etc

Database tier – scale up
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
• for commercial
database like Oracle
and SQL, only
vertical scaling is
supported
• offload the
database by caching

Scalability & Performance
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
zones
AWS
ü Improved scalability &
performance
Benefits:

Security

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

Inherit global security and compliance controls
https://aws.amazon.com/compliance/programs/
https://aws.amazon.com/artifact/

Auto-
Scaling
Group
VPC firewall - Security Groups
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
Accept Port 80 from LB
SQL Security Group
Accept Port 1433 from
Web
Inbound Security Group SG-WebTier
Traffic from Protocol L4 Port Action
SG-WebELB HTTP TCP 80 Allow
* * * * Deny
• Security Groups
• Built-in feature of VPC
• Restrict in/out traffic of
EC2 instances based on
source, port, protocol

Data Encryption with AWS (in-transit)
Between your network and VPC
• IPSec VPN
• AWS virtual private gateway, fully
managed and highly redundant, allows you
to establish redundant tunnels
• Direct Connect (optional): private
connectivity
Between your apps and your app’s end users
• TLS certificates
• secure network communication over the
Internet
• Uses X.509 certificate to authenticate both
the client and the back-end application
Customer VPC
10.0.0.0/16
IPSec VPN tunnels
Customer DC
192.168.1.0/16
HTTPS
CloudFront ELB Web/App
HTTP(s) HTTP(s)

Auto-
Scaling
Group
Secure Hybrid Connectivity
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
• IPSec VPN between AWS VPC
and on-premises DC network
• AWS Direct Connect – private
connectivity for workload
with high data sensitivity

Data Encryption with AWS (at-rest)
• Data encryption of server and
database storage
• Centralized key management
(create, delete, view, set policies)
• Import your own keys
• Enforced, automatic key rotation
• Fully auditable
• Option for dedicated, hardware-
based cryptographic key storage
using AWS CloudHSM
Encrypted in transit
AWS CloudTrail
AWS IAM
EBS
RDS
Amazon
Redshift
S3
Glacier
and at rest
Fully auditable
Fully managed
keys
Restricted access
KMS
PCI DSS 3.1

Encryption
Encryption at rest: EBS w/ KMS, RDS w/KMS
Simply check a box!
EBS Volume RDS

Encrypting Data At Rest
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
• VM volume encryption
• Database encryption
• VM volume encryption
• Database encryption

AWS CloudTrail
• Simplify your compliance audits by automatically recording and storing
activity logs for your AWS accounts
• Provide visibility into your user and resource activity
WhoWhat
Where from
Where to
When

AWS Services can automate Regulatory Compliance to
Increase Pace of Innovation
Changes
Compliance
Engine
Automated
Response

Out of the box...
• HTTP and HTTPs requests logged with ELB Logging
• API and Console calls logged with CloudTrail Logs
• Network traffic logged with VPC Flow Logs
• VPC change history logged with AWS Config
• IAM Policy and user changed logged with AWS Config
• Application level metrics logged with CloudWatch Logs

Ubiquitous logging for forensics analysis
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
S3 buckets
log
analytics

Security
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
zones
AWS
ü Improved scalability &
performance
ü Improved security posture
with cloud-native approach
in a cost effective way
Benefits:
S3 buckets
log
analytics

Do we hit our objectives?
Encrypting data at rest, IP Sec VPN, Security Groups, visibility
Multiple Availability Zones, Auto-scaling, Elastic Load Balancing
Multi-AZ Database, cross-region DR design
Multi-AZ deployment, No Data Loss, Encryption, Auto-Healing
Secure
Available
Resilient
Material Impact
https://aws.amazon.com/architecture/well-architected/

AWS Facebook Hong Kong Page

Remember to complete
your evaluations!Remember to complete
your evaluations!

Thank you!
rebeker@amazon.com

Running Mission Critical Workloads on AWS

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Running Mission Critical Workloads on AWS

Ähnlich wie Running Mission Critical Workloads on AWS (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Running Mission Critical Workloads on AWS