Discover how AsiaPac is helping government, education and nonprofit organizations to architect and migrate their mission-critical applications onto AWS - with secure, high-performing, resilient, and efficient infrastructure. As more organizations move towards cloud, learn how best practices have been implemented on AsiaPac's full-lifecycle services - to provision, run, and support infrastructure, as well as managed services to reduce customer's operation overhead and risks.

1. P U B L I C S E C T O R
S U M M I T
SINGAPORE

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
How AsiaPac is helping Customers to
build a Restricted Cloud Environment
on AWS
Sourav Ray
Cloud Architect
AsiaPac

3. Copyright © & Confidential

4. Copyright © & Confidential
An M1
company.
Since
Nov’18
EPPU
S/10
company
ISO
9001:2015
& Biz Safe
Level 3
certified
ICT
Solutions
Provider
Started
1990
Commercial, Enterprise, Education, Healthcare & Government

5. Copyright © & Confidential

6. Self Service Management Portal
Government / Enterprise Customers Self Service &
Service
Management
Hybrid Cloud
Management
System
Leading Telecommunications Provider
First telco to embark 5G live test in SG
Direct Connect
Local Loops
SDWAN
CMP
Frameworks
Blueprints
Modernization
• Bring workloads closer to
AWS
• Low latency connectivity
• Orchestration
Bring
close to
AWS
Migrate to
AWS or
Migrate to
AWS
Outpost/
VMC
Customer
Self
Manage
Creating Business Ecosystem

7. VMware Cloud on AWS
Exclusive Launch Partner

8. Copyright © & Confidential
Governance in
Restricted Cloud
Environment

9. § Controlled access reducing Security Risks
§ Ensuring regulatory compliance like HIPAA, PCI, MTSC Tier 3, ISO etc.
§ Cost Optimization
§ Eliminate unnecessary IT and Cloud initiatives
§ DevOps process initiation and parameter definitions
§ Enhance management of Cloud resources
The Disciplines of CLOUD GOVERNANCE
Why is it important?

10. Our Approach to CLOUD GOVERNANCE
Cloud
Governance
Data
Security
Resource
Tagging
Structured
DevOps
Solutions
Security and
Log
Management
Monthly
Reports and
Analytics
Patch
Management
with
Approval
Process
Infrastructure
Monitoring
Application
Monitoring
Internal
Audits
Cost
Budgeting
Environment
Templatization
Authentication
&
Authorization

11. Our Approach to CLOUD GOVERNANCE
Cloud
Governance
Environment
Templatization
Data Security
Resource
Tagging
Structured
DevOps
Solutions
Security and
Log
Management
Authentication
and
Authorization
Monthly
Reports and
Analytics
Patch
Management
with Approval
process
Application
Monitoring
Infrastructure
Monitoring
Internal Audits Cost Budgeting
§ Compliance Audit
§ Security Audit
§ User Audit
§ Data Privacy Audit
§ Penetration Testing

12. Our Approach to CLOUD GOVERNANCE
Cloud
Governance
Environment
Templatization
Data Security
Resource
Tagging
Structured
DevOps
Solutions
Security and
Log
Management
Authentication
and
Authorization
Monthly
Reports and
Analytics
Patch
Management
with Approval
process
Application
Monitoring
Infrastructure
Monitoring
Internal Audits Cost Budgeting
§ Enforcing MFA for AWS
Management Console
§ Enforcing console login via on
premise AD authentication using
AWS SSO
§ Enforcing AWS Cognito for
application level authentication
§ Enforcing privileged access using
AWS IAM

13. Our Approach to CLOUD GOVERNANCE
Cloud
Governance
Environment
Templatization
Data Security
Resource
Tagging
Structured
DevOps
Solutions
Security and
Log
Management
Authentication
and
Authorization
Monthly
Reports and
Analytics
Patch
Management
with Approval
process
Application
Monitoring
Infrastructure
Monitoring
Internal Audits Cost Budgeting
Continuous
Integration
Micro-Services
Policy as Code and Automated
Monitoring

14. Our Approach to CLOUD GOVERNANCE
Cloud
Governance
Environment
Templatization
Data Security
Resource
Tagging
Structured
DevOps
Solutions
Security and
Log
Management
Authentication
and
Authorization
Monthly
Reports and
Analytics
Patch
Management
with Approval
process
Application
Monitoring
Infrastructure
Monitoring
Internal Audits Cost Budgeting
Launch
Instance
Create
Tags
Scan OS based
on Patch
Baseline
Generate
Missing
Patch List
SSM Document for Patch Scan
Stop
Instance
Create
Image
Create Tags Terminate
Instance
SSM Document for Patch Install
Launch
Instance
Update OS
Software
Generate
Installed
Patch List
Update
Parameter
Store
If approved

15. How to Regain a Healthy Governance
§ current state of all cloud users and their access rights across
the enterprise?
“WITHOUT REDUCING CLOUD AGILITY”
MANAGE
ENSURE
§ adherence to the overall costs to PAY PER USE model?
§ deployments and operations are in track with
compliance regulations and policies?
ENFORCE
§ security across all the environment workloads as well
as User Management?
Cloud Governance
Pain Areas

16. ASIAPAC MANAGED INFRASTRUCTURE & CLOUD SERVICES
Increase in
AWS
Workloads
Growth in
AWS account
Management
Cost Control
Security &
Compliance
GOVERNANCE
AT SCALE
Solutions to Governance at Scale

17. Design
Architecture
AZ-A AZ-B
IGW
Direct Connect
Internet
Web 1
RDS Master
IDS1 IDS2Mgmt 1EVM1 Mgmt 2 EVM2
ELB
ELB
Cyber Watch
Center
App1 App2 App3 App4 App5 App6
ELB
App7 App8 App9 App10 App11 App12
Web 2
Tier 1
NGFW
Tier 1
NGFW
RDS Slave
Tier 2
NGFW
Tier 2
NGFW
NAT
Gateway
NAT
Gateway
AD Server 1
AZ-A
AD Server 2
Event
Collector1
Event
Collector2
Customer On
Premise
Dev Server Dev Server
Bastion Host
API Server
Monitoring
Collector
AZ-B
AsiaPac NOC VPC
AsiaPac
EM7
Database
VPN Gateway2FA 2FA
API Server
On Premise SOC
AsiaPac
SysAdmin
IPSEC VPN
API
Server
Dev Server
IGW
Client VPN
IPSEC VPN
NAT Gateway
AZ-A AZ-B
App1 App2 App3 App4 App5 App6
ELB
Web 1
Master DB
Slave DB
App7 App8 App9 App10 App11 App12
Web 2
VPN
IGW
Firewall
ELB
NAT
Gateway
NAT
Gateway
ELB
Internet
AD Server 1
AZ-A
AD Server 2
Event
Collector1
Customer
Data Center
Dev Server
Bastion Host
API Server
DB Server
AZ-B
VPN Gateway2FA 2FA
API Server
On Premise
SOC
AsiaPac
SysAdmin
IPSEC VPN
API Server
CI CD
Server
IGW
Client VPN
IPSEC VPN
NAT Gateway
AZ-A
App1 App2 App3
ELB
ELB
Web 1
Master DB
App4 App5 App6
App7
IGW
Fwd Proxy
ELB
NAT
Gateway
Internet

18. VMware Cloud on AWS:
Jointly engineered Cloud Service
Service Overview:
§ VMware SDDC running on AWS bare metal
§ Delivered, operated, supported by VMware
§ On-demand capacity and flexible consumption
§ Seamless portability of hybrid large-scale workload
§ Direct access to native AWS services
Business Use Cases:
§ Data Center Extension
§ Disaster Recovery
§ Cloud Migration
§ Application Modernization

19. Cloud Motion:
Workload Mobility across Hybrid Clouds
Active Migrated VMs
CROSS-VERSION HYBRIDITY SECURITY
ON PREMISE CLOUD
LARGE SCALE WARM MIGRATION
Hybrid Interconnect
Any-to-Any vSphere Migration
vSphere 5.0 VMware Cloud

20. VMware Cloud on AWSOn-Premises Data Center
AWS Direct Connect
Compute
Storage
Network
Compute
Storage
Network
vSphere-based SDDC with NSX
CGW
Network A
MGW
N-S FW
Router
Network 172.16.10.0/24
Network 172.16.20.0/24
Govt
Network
Zone
VMC-VM
BGP Peering Session
Public
Internet
N-S FW
Governing Internet/Security
Posture from On Premise DC
Manage the Internet bound traffic on Public cloud
via On-premise security framework, so that control
and governance need not be re-architected and
use Public Cloud for the benefit of Agility and
Scale.
Use Cases:
§ Internet Separation or Network Zone
Separation for VDI/Any workloads.
§ Data Center Extension where Public
Cloud is used as Hot capacity/Cloud
Burst.

21. Leveraging Well Architected Framework on AWS
§ Expense Awareness
§ Cost-effective Resource
§ Match supply with
demand
§ Architecture
optimization
§ Select
§ Review
§ Monitoring
§ Trade-offs
§ Automated
Change
Management
§ Automated
Failure
Management
§ Centralized
Privileged
Management
§ Centralized
Monitoring
§ Data Security
§ Incident
Management plan
§ Prepare
§ Operate
§ Evolve
Cost
Optimization
Performance
Efficiency
ReliabilitySecurity
Operational
Excellence

22. Copyright © & Confidential
Providing Cloud Best Practices through
EXPERIENCE.

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Sourav Ray
Cloud Architect
AsiaPac