Attend this day-long workshop for U.S. Federal government and Department of Defense IT professionals, architects, and administrators to learn how to architect for DoD workloads in the cloud. Join this session to map DoD requirements for cloud architecture and get hands-on experience with AWS NIST Quick Start tools, which can help fast track the FedRAMP/DoD ATO process.
87. Inheritance
Diagram (text recovered from the figure): a stack of control areas, top to bottom: Personnel; Incident Response; Boundary Protection; Identity & Access Control; Disaster Recovery; Configuration Management; High Availability Architecture; System Mgmt. & Monitoring; Log Management & Monitoring; Compute & Storage; Networking; Virtualization; Data Center. Three deployment columns are compared: Mission Owner on Prem, Hybrid, and Mission Owner on AWS. The legend distinguishes mission-specific Mission Owner Controls from Controls fully inherited; Mission Owner Controls + inherited controls = ATO Package.
88. Production data center
Diagram (text recovered from the figure): a Production data center and a COOP data center, each containing LB, FW, two APP servers, DB, and a SERVICES block (AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up); the two sites are linked by Asynchronous Replication.
Let's categorize our 2 tier web application.
89. Example 2 Tier Web Application Components
App/Web Tier – NGINX / WordPress / Apache / PHP
Database Tier – MySQL DB
All Servers Running Linux
Data Elements – PII & other CUI data
For our sample 2 tier app - example classification:
• Moderate/Moderate/Moderate (C/I/A) ✓
• Cloud Impact Level 4 (IL4) ✓
90. Step 1: Find a Home in AWS Cloud
Diagram: the Production data center (APP, DB, LB, FW) alongside an AWS Region with Availability Zone A and Availability Zone B.
Select an AWS Region:
• Independent geographic areas
• Customer chooses Region
• Data Stays within Region
• Federal & DoD options include
US East (VA and OH) – FR Mod, DoD IL2
US West (CA and OR) – FR Mod, DoD IL2
US GovCloud (OR) – FR Mod/High, DoD IL2/4/5
US GovCloud (OH) – FR Mod/High, DoD IL2/4/5
Select AWS Availability Zones (AZs):
• 2 or more AZs for customer use per region
• Physically isolated from each other
• Each AZ designed as independent failure zone
• Connected with low latency links (< 2 msec)
91. Step 2: Define Your Network in AWS
Diagram: the Production data center (APP, DB, LB, FW) beside an AWS Region containing a VPC with two Private subnets in each of Availability Zone A and Availability Zone B.
VPC Subnets:
• Defines a range of IP addresses in your VPC
• Can be used to create separate network zones
• Subnets are AZ specific (they don't span AZs)
• Example CIDR block 10.10.10.0/24
AWS Virtual Private Cloud (VPC):
• Your private, isolated virtual network w/i AWS Cloud
• You have complete control over your virtual network
• You can assign an IP address space as large as a /16 CIDR block (65,536 addresses)
• VPC CIDR block spans AZs
• Example CIDR block 10.0.0.0/16
Network Access Control Lists (NACLs):
• Stateless network filters applied at the subnet boundary (traffic entering and leaving a subnet)
Route Tables:
• Define rules to determine where traffic is directed
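As an added planning helper (not code from the deck), the Python below carves the /16 VPC block from Step 2 into /24 subnets, one per tier per AZ, and then checks that every subnet sits inside the VPC block, that no two overlap, and that each tier has a subnet in at least two AZs as Step 1 calls for. The AZ names are assumed for illustration.

```python
import ipaddress
from itertools import product

def plan_subnets(vpc_cidr, azs, tiers, new_prefix=24):
    """Carve one AZ-specific subnet per (tier, AZ) pair out of the VPC CIDR.
    A subnet never spans AZs, so each tier needs its own subnet in every AZ."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): next(pool) for tier, az in product(tiers, azs)}

def validate_plan(vpc_cidr, plan, min_azs=2):
    """Return a list of layout problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for key, subnet in plan.items():
        if not subnet.subnet_of(vpc):
            problems.append(f"{key}: {subnet} lies outside the VPC block {vpc}")
    keys = list(plan)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if plan[a].overlaps(plan[b]):
                problems.append(f"{a} and {b} overlap ({plan[a]} / {plan[b]})")
    for tier in {t for t, _ in keys}:
        tier_azs = {az for t, az in keys if t == tier}
        if len(tier_azs) < min_azs:
            problems.append(f"tier {tier!r} only in {sorted(tier_azs)}; needs {min_azs}+ AZs")
    return problems

# Constructed example matching the deck's 2 tier app: /16 VPC, two AZs, app and db tiers.
VPC = "10.0.0.0/16"
AZS = ("us-gov-west-1a", "us-gov-west-1b")   # assumed AZ names, for illustration only
PLAN = plan_subnets(VPC, AZS, ("app", "db"))

if __name__ == "__main__":
    for key, subnet in PLAN.items():
        print(key, subnet)
    print("problems:", validate_plan(VPC, PLAN))
```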
92. Step 3: Add in Servers
Diagram: the Production data center (APP, DB, LB, FW) beside the AWS Region, its VPC and four Private subnets across Availability Zone A and Availability Zone B.
Amazon Elastic Compute Cloud (EC2)
• Virtual servers (instances) in the cloud
• Launch EC2 instances into specific subnets
• Quickly launch or reboot servers
• Pay for what you use
EC2 Instance Types
• Various Windows & Linux O/S versions available
• Over 40 instance types to choose from
• Instance types are optimized for different use cases
• CPU, Memory, Networking, Storage & Graphics
Flexible Utilization & Pricing
• Various pricing models available
• Easily scale up or scale out
• Add instances when you need them
• Terminate instances when you don’t need them
95. Step 4: Add Storage for your Servers
Diagram: the Production data center (APP, DB, LB, FW) beside the AWS Region, its VPC and four Private subnets across Availability Zone A and Availability Zone B.
Amazon Elastic Block Storage (EBS)
• Create individual storage volumes
• Attach them to an EC2 instance
• Volume is automatically replicated w/in its AZ
EBS uses include:
• Boot volumes and storage for EC2 instances
• Data storage with a file system
• Storage for Databases & Enterprise Applications
• Can be used to create RAID configurations
EBS specifications:
• Persistent storage from 1 GB to 16 TiB
• Magnetic, SSD & Provisioned IOPS SSD
• Performance options to fit application needs
• Optional seamless 256-bit encryption
99. Step 5: Add Scalability, Redundancy & Failover
Diagram: the Production data center (APP, DB, LB, FW) beside the AWS Region, its VPC and four Private subnets across Availability Zone A and Availability Zone B.
Multiple Availability Zone (AZ) Architecture
• Supports High Availability and Fail Over
• Supports COOP and DR requirements
100. Step 5: Add Scalability, Redundancy & Failover
Diagram: the Production data center and COOP data center (LB, FW, APP, DB) beside the AWS Region, its VPC and Private subnets in Availability Zone A and Availability Zone B.
AWS Elastic Load Balancer (ELB)
• Distribute inbound traffic across EC2 instances
• Enables fault tolerance
• Fully managed service
Database Replication and Failover
• Synchronous data replication
• Failover using DNS that is transparent to the application
102. Step 5: Add Scalability, Redundancy & Failover
Diagram: the Production data center and COOP data center (LB, FW, APP, DB) beside the AWS Region, its VPC and Private subnets in Availability Zone A and Availability Zone B.
AWS Auto Scaling Group (ASG)
• Scales EC2 instances automatically
• Add or remove instances according to load and traffic
104. Step 6: Add network traffic filtering at servers
Diagram: the Production data center and COOP data center (LB, FW, APP, DB) beside the AWS Region, its VPC and Private subnets in Availability Zone A and Availability Zone B.
AWS Security Groups (SG)
• Stateful firewall applied to instance
• Filters source & destination IP, port and protocol
• Inbound and outbound rules
• By default all inbound access is blocked
Create Defense in Depth Architectures
• Allow web servers to talk to app servers
• Allow app servers to talk to DB servers
SGs Support Dynamic Scaling
• As servers scale in an ASG, SGs continue filtering them
• SGs can reference other SGs
105. How should you Secure Your VPC?
Best Practice: Build security at every layer using routing rules, network ACLs, and security groups.
Diagram: inbound traffic passes the subnet Network ACLs, then the AWS Security Group, then the OS firewall before reaching the EC2 instance.
• Security Groups
- Stateful virtual firewall applied to an instance (e.g. EC2, ELB)
- Traffic must be explicitly specified by protocol, port, and security group
- Can reference other Security Group(s) in Inbound Source and/or Outbound Destination
• Subnet level Network Access Control Lists (ACLs):
- Layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
- Port/Protocol defined with Action (Allow/Deny)
• OS Firewall (e.g., iptables) may be implemented
- Completely user controlled security layer
- Granular access control of discrete hosts
- Logging network events
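An added example (not part of the deck) that models the two filtering layers from Step 6 and this slide: a stateful security group evaluator with SG-to-SG references for the web → app → DB chain, and a stateless NACL evaluator that shows why a subnet ACL also needs an outbound ephemeral-port rule before replies can leave. Instance names, addresses and SG ids are constructed.

```python
import ipaddress

# Constructed topology (not from the deck): 2 tier app in a 10.0.0.0/16 VPC, one SG per tier.
INSTANCE_SG = {"web1": "sg-web", "app1": "sg-app", "db1": "sg-db"}
INSTANCE_IP = {"web1": "10.0.1.10", "app1": "10.0.2.10", "db1": "10.0.3.10"}

# Security group inbound rules: (protocol, port, source); source is a CIDR or another SG id.
# There are no deny rules and no ordering: anything not explicitly allowed is blocked.
SG_RULES = {
    "sg-web": [("tcp", 443, "0.0.0.0/0")],   # clients / ELB reach the web tier
    "sg-app": [("tcp", 8080, "sg-web")],      # only members of sg-web reach the app tier
    "sg-db":  [("tcp", 3306, "sg-app")],      # only members of sg-app reach MySQL
}

def sg_allows(src_inst, dst_inst, proto, port):
    """Stateful: only the initiating packet is evaluated; the reply is allowed implicitly."""
    src_ip = ipaddress.ip_address(INSTANCE_IP[src_inst])
    for r_proto, r_port, source in SG_RULES[INSTANCE_SG[dst_inst]]:
        if (r_proto, r_port) != (proto, port):
            continue
        if source.startswith("sg-"):
            # SG-to-SG reference matches on membership, not addresses, so it survives ASG scaling
            if INSTANCE_SG[src_inst] == source:
                return True
        elif src_ip in ipaddress.ip_network(source):
            return True
    return False   # default: all inbound access blocked

def nacl_allows(rules, proto, port, ip):
    """NACL rules (rule_no, proto, first_port, last_port, cidr, action) are evaluated
    lowest number first; the first match wins and there is an implicit final deny."""
    addr = ipaddress.ip_address(ip)
    for _, r_proto, lo, hi, cidr, action in sorted(rules):
        if r_proto in (proto, "all") and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def nacl_session_ok(inbound, outbound, client_ip, dport, ephemeral_port=40000):
    """Stateless: the request (inbound) and the reply (outbound, to the client's
    ephemeral port) must each match an allow rule in their own direction."""
    return (nacl_allows(inbound, "tcp", dport, client_ip)
            and nacl_allows(outbound, "tcp", ephemeral_port, client_ip))

# NACL on the app subnet (10.0.2.0/24); web subnet is 10.0.1.0/24, db subnet is 10.0.3.0/24.
APP_NACL_IN = [(100, "tcp", 8080, 8080, "10.0.1.0/24", "allow")]
APP_NACL_OUT_NO_EPHEMERAL = [(100, "tcp", 3306, 3306, "10.0.3.0/24", "allow")]
APP_NACL_OUT = APP_NACL_OUT_NO_EPHEMERAL + [(110, "tcp", 1024, 65535, "10.0.1.0/24", "allow")]
```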
106. Recap: Moving 2 Tier Web App to AWS
Diagram: the Production data center and COOP data center (LB, FW, APP, DB) beside the AWS Region, its VPC and Private subnets in Availability Zone A and Availability Zone B.
AWS component      On-premises equivalent
AZ                 Data Center
Subnet             VLAN
EC2 instance       Server/VM
Security Group     FW
ELB                Load Balancer
107. Review Your Existing Infrastructure Components
Diagram (text recovered from the figure): a Production data center and a COOP data center, each containing LB, FW, two APP servers, DB, and a SERVICES block (AD or LDAP, NTP & DNS, Bastion Host, HBSS (AV), ACAS (VS), LOG MGMT, SIEM, Back Up); the two sites are linked by Asynchronous Replication.
In addition to Application & Networking requirements, we need to address these services!
108. How do we address these Infrastructure Needs?
Diagram labels (connectivity between the DoDIN and the AWS Region): DoDIN, IAP, CND, CAP, Co-Location, Direct Connect, VPG; AWS Region with a VPC and Private subnets in Availability Zone A and Availability Zone B.
Infrastructure services to address:
• Web Application Firewall
• Network Firewall / Full Packet Capture
• Network Intrusion Detection/Prevention
• ACAS – Vulnerability Scanning
• HBSS – Endpoint Protection
• AD / SSO / LDAP / OCSP
• DNS / NTP / DHCP
• Log Management / SIEM
• Patching Services
109. DoD SCCA Component Functional Requirements
Virtual Datacenter Security Stack (VDSS)
Provides network and application security capabilities such as an application-aware firewall and/or intrusion prevention system.
Virtual Datacenter Management Stack (VDMS)
Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from the cloud.
110. DoD SCCA Architecture Approach in AWS
Diagram labels: DoDIN, IAP, CND, CAP, Co-Location, Direct Connect, Internet; GovCloud Region with a VPC and Private subnets in Availability Zone A and Availability Zone B, alongside the two SCCA stacks below.
Virtual Datacenter Security Stack (VDSS), spanning Availability Zone A and Availability Zone B:
• Network Firewall Services
• Full Packet Capture Services
• Network Intrusion Detection/Prevention Services
• Web Application Firewall Services
Virtual Datacenter Management Stack (VDMS), spanning Availability Zone A and Availability Zone B:
• ACAS / Vulnerability Scanning Services
• HBSS / Endpoint Protection Services
• AD / DNS / SSO / OCSP / DHCP Services
• Other Shared Services