As more organisations seek to leverage the power and benefits of the cloud, they also need to combine new systems with existing on-premises systems. Services such as Amazon Virtual Private Cloud (VPC) and AWS Direct Connect enable AWS customers to combine on-premises and cloud-based resources easily and effectively. This session walks customers through the 4 main patterns of connectivity and includes a "real time" demonstration of how easy it is to set up your own VPC and start working in your own private section of the AWS Cloud.
6. 2013 AWS WWPS Summit, Canberra – May 23
VPC Overview
• Bring your own network
[Diagram: your network placed inside the VPC]
7. VPC Overview
• Bring your own network
• Create your own subnets
[Diagram: Subnet 1, Subnet 2, … Subnet ‘n’ inside the VPC]
8. VPC Overview
• Control instance placement
[Diagram: Availability Zone ‘A’ and Availability Zone ‘B’]
9. VPC Overview
• Control instance placement and traffic
– Security Groups & NACLs
[Diagram: Availability Zone ‘A’ and Availability Zone ‘B’]
10. VPC Overview
• Control instance placement and traffic
– Security Groups & NACLs
– Routing Rules
[Diagram: Availability Zone ‘A’ and Availability Zone ‘B’]
34. Pricing
VPC: $0
Hardware VPN: $0.05 / hour
Direct Connect:
– 1 Gbps port: $0.30 / hour
– 10 Gbps port: $2.25 / hour
Data transfer:
– Inbound data: $0.00; outbound data (SYD): $0.045 per GB
– Inbound data: $0.00; outbound data (SYD): $0.19 per GB (first GB free)
35. For a Year…
VPC: $0
Hardware VPN: $438
Direct Connect:
– 1 Gbps port: $2,628
– 10 Gbps port: $19,710
*Plus outgoing data & private connection costs
43. Goodies
• Control over ingress & egress of data – Security Groups
• Dynamic allocation of Security Groups to instances
• Elastic Network Interfaces – up to 8 depending on instance type
• DNS resolution – default or use your own
• ElastiCache in VPC (joining RDS, EMR, Elastic Beanstalk, Redshift, OpsWorks, etc.)
• RDS IP addresses – option to have RDS publicly accessible
47. DEEWR AWS Pilot
Client Systems, Architecture and Strategy Team
Technology Branch
Technology Solutions Group
AWS WWPS Summit
May 2013
48. Agenda
• DEEWR Background
• Business Case
• AWS Technologies used in Pilot
• Development AWS Diagram
• Network Connectivity, Design, Security and Public Services
• Benefits and Challenges
49. DEEWR Background
• Shared service provider for Government – PWS, FWO, DIICCSRTE, APSC, APCC and others
• IT environment comprises Development, Test, Preprod and Production environments
• 810 HP blades, 1200 virtuals, 265 rack-mounted servers
• Dev environment consists of 60 physical and 350 virtual servers running on Hyper-V
• Used by internal business units to develop, upgrade, and test predominantly .NET applications
50. Business case for IaaS adoption
• Reduced capital budget
• Reduced staff numbers
• Data centre consolidation
• Responsiveness, agility, efficiency – we need to provide better service to our customers
51. Use cases
• Extend Development Environment into AWS
• Provide an on-demand Lab Environment for our developers
52. AWS Technologies used in Pilot
• EC2 Instances
• VPC
• EBS and S3 Storage
• Route 53 and Elastic IP
• Hotlink Hybrid Express (Third Party Application)
53. Development AWS Environment
54. Networking - Connectivity
• IPsec VPN from DEEWR Internet Gateway to Amazon (Sydney)
• Cisco ASA is our customer gateway (VPN endpoint)
• Another option is “Amazon Direct Connect”: a physical fibre link to Amazon in Equinix SY3
55. Networking - Design
• Allocate private network space for our VPC and route it over the VPN (e.g. 192.168.0.0/21)
• Subnet within the VPC the same as the existing environment: web/app/db/management tiers
• +1 subnet for Internet-accessible services (more info later)
56. Networking - Security
• Data in transit – encrypted via IPsec VPN over the public Internet
• VPN terminates in the DEEWR Internet Gateway
• Then the existing Gateway security controls apply (firewalling, monitoring, logging, IDS/IPS, etc.)
• System contains Unclassified DLM data only
57. Network – Public Services
• VPC services to be exposed to the Internet go in a dedicated subnet
• Connectivity is restricted with ACLs
• A subdomain is delegated to AWS Route 53
– devnet.deewr.gov.au
• An Elastic IP is associated to the EC2 instance and a DNS entry created for it
– e.g. testservice01.devnet.deewr.gov.au
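The subnet plan from slide 55 and the ACL-restricted public subnet from slide 57, as an added example that is not from the deck or from DEEWR: it carves the quoted 192.168.0.0/21 range into one subnet per tier per Availability Zone and evaluates a constructed inbound network ACL the way AWS does (numbered rules, lowest matching number wins, implicit deny). The tier names, the /25 size and the ACL rules are assumptions for illustration.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("192.168.0.0/21")  # the range quoted in the deck
TIERS = ["web", "app", "db", "mgmt", "public"]     # 4 existing tiers + the Internet-facing subnet (assumed names)
AZS = ["A", "B"]                                   # one subnet per tier per Availability Zone

def plan_subnets(vpc=VPC_CIDR, tiers=TIERS, azs=AZS, prefix=25):
    """Carve the VPC range into one /prefix subnet per (tier, AZ), in order.
    A /21 holds 16 /25s, so 5 tiers x 2 AZs leaves 6 spare for later growth."""
    pool = list(vpc.subnets(new_prefix=prefix))
    needed = len(tiers) * len(azs)
    if needed > len(pool):
        raise ValueError(f"{vpc} holds only {len(pool)} /{prefix} subnets, need {needed}")
    return {(tier, az): pool[i * len(azs) + j]
            for i, tier in enumerate(tiers) for j, az in enumerate(azs)}

# Constructed inbound NACL for the public subnet (not the pilot's real rules):
# (rule number, action, protocol, source CIDR, first port, last port)
PUBLIC_INBOUND_NACL = [
    (100, "allow", "tcp", "0.0.0.0/0", 443, 443),       # HTTPS from the Internet
    (110, "allow", "tcp", "192.168.0.0/21", 22, 22),    # SSH only from inside the VPC
    (120, "allow", "tcp", "0.0.0.0/0", 1024, 65535),    # ephemeral ports: NACLs are stateless
]

def nacl_decision(rules, src_ip, proto, dst_port):
    """Evaluate like AWS: the lowest-numbered matching rule wins; no match means deny."""
    src = ipaddress.ip_address(src_ip)
    for _, action, rule_proto, cidr, lo, hi in sorted(rules):
        if rule_proto in (proto, "all") and src in ipaddress.ip_network(cidr) and lo <= dst_port <= hi:
            return action
    return "deny"  # the implicit "*" rule at the end of every NACL

if __name__ == "__main__":
    for (tier, az), net in plan_subnets().items():
        # AWS reserves the first four and the last address of every subnet
        print(f"{tier:7}AZ-{az}  {net}  ({net.num_addresses - 5} usable)")
    print(nacl_decision(PUBLIC_INBOUND_NACL, "203.0.113.9", "tcp", 443))   # allow
    print(nacl_decision(PUBLIC_INBOUND_NACL, "203.0.113.9", "tcp", 22))    # deny
    print(nacl_decision(PUBLIC_INBOUND_NACL, "203.0.113.9", "tcp", 8080))  # allow, via rule 120
```

The last call shows the limit of a stateless ACL: the ephemeral-port rule needed for return traffic also admits new connections to any high port, so the stateful Security Group on the instance stays the primary filter and the NACL is a coarse second layer.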
58. Benefits
• Use existing infrastructure (Active Directory, DNS, ADFS, MS SCCM and MS Ops Manager) and change and release processes
• AWS network and security architecture is very similar to DEEWR’s
• Reduce upfront capital and ongoing expenditure
• Ease of implementation
• Flexibility, agility, cost attribution
59. Still to do
• Integrate Microsoft System Center Virtual Machine Manager into AWS
• Migrating existing applications to AWS
• Produce the documentation – detailed evaluation of our services vs AWS, cloud providers checklist, SRMP, SSP
• Importing existing virtual machines
• Extensibility – if it works for Dev, what about Pre-production and Production?