"Summary" leverages AWS to build a hybrid cloud architecture

Source: Internet
Author: User
Tags ldap cloudwatch aws storage gateway cloudtrail

1. Churyang's understanding
  • Defines the concept of a hybrid IT architecture (some enterprises may have no cloud on premises at all, yet still need to build a cloud + physical-machine architecture)
  • Hybrid IT architecture is a trend, but the end state is not that the public cloud takes over everything; local IT will continue to exist because of:

    • Data compliance requirements (example: European data must stay in Europe)
    • Special hardware requirements (example: hardware dongles, etc.)
    • Return on investment in legacy assets
    • Commercial licensing restrictions (example: software bound to a MAC address)
  • Achieving a hybrid IT architecture requires work on several fronts

    • Connectivity (connecting the physical and cloud environments)
      – VPN
      – Fiber-optic direct connection

    • Migration tools
      – Data migration (e.g. the Storage Gateway service)
      – VM migration (e.g. the VM Import/Export service)
      – Network planning migration (use VPC to recreate subnets, ACLs, etc.)

    • Synchronizing the enterprise's organizational structure
      – Synchronizing AD, LDAP and similar directories into the cloud (the Directory Service can be used)

    • Understanding how cloud services map to traditional architecture
      – EC2 → physical machines
      – EBS/S3 → SAN storage
      – ELB → F5/Nginx, etc.
      – RDS → Oracle/SQL Server databases, etc.
  • Common application patterns for hybrid cloud architectures

    • Backup and archive (save data to S3 via Storage Gateway, then move it to the Glacier virtual tape library)
    • Storage extension (connect NFS, iSCSI, CIFS and other volumes from Storage Gateway directly to local physical machines)
    • Disaster recovery (application runs on local physical machines with a replica set in the cloud: cold, warm or hot standby, etc.)
    • Development and test validation (extending the compute, storage and network capacity of the on-premises data center)
    • Business-critical applications (e.g. Oracle or SQL Server databases using the RDS service)
    • Big data analytics (console in the on-premises data center, back-end data processing using EMR)
2. What is a hybrid IT architecture

2.1. Definition of hybrid IT architecture

It is defined as a hybrid IT architecture rather than a hybrid cloud, because the enterprise may run a public + private cloud model, or a public cloud + private data center (no cloud) architecture

Gartner's definition of hybrid IT: a hybrid IT architecture is a combination of "internal and external services", typically public and private clouds combined to achieve business results

AWS definition of hybrid architecture: services + solutions = business results

2.2. Cloud is the new normal, so why a hybrid architecture? (Benefits of hybrid cloud)
    • Continue to use facilities already built
    • Control spending between capital expenditure (CapEx) and operational expenditure (OpEx)
    • Compliance or industry requirements
    • Reduce single-vendor risk
    • Obtain unique functionality or performance
    • Commercial licensing and maintenance/support restrictions (e.g. binding to a MAC address or specific hardware)
    • Get the benefits of both private and public clouds
2.3. Hybrid IT architecture is a current trend

Gartner: by the end of 2017, hybrid cloud deployments are used in nearly half of enterprises

However, a hybrid architecture is a journey, not the destination. AWS focuses on the purpose of the hybrid architecture: ultimately the "cloud" is what the user should choose, and the hybrid architecture is only a gradual, transitional approach on the way there

3. AWS hybrid architecture supporting hybrid IT

3.1. AWS support
    • Mixed environments
      • Public cloud + private cloud
      • Public cloud + self-built private IDC
      • Public cloud + hosted private IDC
    • Connecting the public cloud and the private IDC
      • Private links
      • Workload and data migration
      • Access control integration
      • Working with existing management tools

Hybrid architecture at the overall IT (medium and high) level, mapping enterprise local/existing tools to architecture and capabilities in the cloud:

    • Enterprise directory login (corporate directory) → identity authentication with IAM policies
    • Virtualized VM images (virtual images) → converted to AMIs via VM Import/Export
    • Private network → VPC network
    • Customer information (your data) → transferred to S3 via Storage Gateway
    • Locally deployed apps (on-premises apps) → your cloud app

3.2. Cloud services that support hybrid architectures (partial list)
    • Common public cloud infrastructure services (core)

      • EC2
      • ELB
      • EBS
      • S3
      • RDS
    • Advanced features

      • VPC
      • Virtual private network (VPN service for enterprise private networks)
      • AWS Direct Connect (leased-line connection)
      • Directory Service (AD for the enterprise, a service for user identity management)
      • AWS VM Import/Export (migrating VM images to the public cloud)
      • AWS Storage Gateway (the ability to transfer the user's local data to the public cloud)

3.2.1. Network: the VPC service
    • Users create logically isolated networks on the AWS cloud using their own network address ranges
    • The enterprise has full control over the virtual network environment, including creating subnets and defining IP addresses, routing tables and gateways
    • Public and private subnets can be created in multiple availability zones (AZs)
    • Users manage network security at the subnet level with network ACLs (NACLs)
    • Users manage security groups for EC2 instances, which provide a per-instance network firewall
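Added example (not from the talk): a small Python model of how a subnet NACL and an instance security group judge the same HTTPS flow. NACLs are stateless and evaluated in rule-number order with the first match winning, while security groups are stateful allow-lists; the rule sets, addresses and ports below are constructed for illustration.

```python
# Constructed model of VPC NACL vs. security group evaluation (illustrative,
# not AWS code). NACL rules are checked lowest number first; SGs only allow.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NaclRule:
    number: int      # evaluated from lowest to highest; first match wins
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def nacl_decision(rules, ip, port):
    """Stateless subnet ACL: each direction is checked on its own and the
    implicit final rule denies whatever no numbered rule matched."""
    addr = ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.action
    return "deny"

def sg_allows(ingress, ip, port):
    """Security group: allow-only rules, and because it is stateful the
    reply to an admitted request is allowed without an egress rule."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) and lo <= port <= hi for c, lo, hi in ingress)

# Constructed rule sets for a web subnet reachable from the corporate 10/8 range
INBOUND = [NaclRule(100, "10.0.0.0/8", 443, 443, "allow"),
           NaclRule(90, "10.20.1.99/32", 443, 443, "deny")]   # one host blocked first
OUTBOUND_BROKEN = [NaclRule(100, "10.0.0.0/8", 443, 443, "allow")]  # no ephemeral ports
OUTBOUND_FIXED = [NaclRule(100, "10.0.0.0/8", 1024, 65535, "allow")]
SG_INGRESS = [("10.0.0.0/8", 443, 443)]

def https_flow(outbound, client_ip, ephemeral_port=51000):
    """Evaluate one HTTPS request from client_ip and the server's reply to it."""
    return {
        "nacl_in": nacl_decision(INBOUND, client_ip, 443),
        "nacl_reply_out": nacl_decision(outbound, client_ip, ephemeral_port),
        "sg": sg_allows(SG_INGRESS, client_ip, 443),
    }
```

With OUTBOUND_BROKEN the security group admits the flow but the stateless NACL drops the reply on the client's ephemeral port, which is the classic symptom of a NACL missing its return-traffic rule.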

3.2.2. Network: the VPN (IPsec VPN) service
    • Once a VPC exists in the public cloud, the enterprise can be connected to AWS via a VPN
    • For example, 1 VPC is built with 2 subnets in 2 AZs; the VPN service attaches to the VPC
    • Supports IPsec hardware VPN connections to dedicated VPN devices
    • Encryption and authentication
    • Private RFC 1918 addressing
    • BGP routing with failover
    • The VPN service provides management of the access side

3.2.3. Network: Direct Connect leased line
    • Essentially, a channel is built over dark fiber from the customer's private data center

    • Connect to AWS via a standard Internet-based IPsec VPN tunnel, a private line, or both
    • The user chooses the connection speed, from 50 Mbps to 10 Gbps; 1 Gbps is the most common
      • Allows Layer 2 single-mode fiber, 1000BASE-LX or 10GBASE-LR
    • Industry-standard VLANs and Layer 3 routing
      • Connect using 802.1Q VLANs (carrying IP traffic)
      • Routing uses BGP multipathing: active/active (dual live, recommended) or active/passive (primary/standby)
    • Enables direct access to the user's VPC resources over the leased line
      • Each DX leased line is connected to a single AWS region
    • The user's own network devices, such as WAN optimizers, can be used on the DC connection

You can also use the DC + VPN overlay mode: the IP traffic does not run directly over the fiber but inside a VPN tunnel carried on top of the leased line; the benefits are:

    • A private network path that guarantees bandwidth
    • Unlike an Internet-based IPsec VPN, the traffic does not traverse the public Internet
    • Lower cost for IPsec network transmission
    • An additional layer of network security assurance

4. Examples and usage of hybrid IT architectures

4.1. Simple example: hybrid architecture via a leased-line connection

Simply put different types of business into different clouds, for example: the production environment stays on-premises and the development environment runs in AWS

4.2. Advanced example: split tiers, AWS front end

For example, putting the web front end of a 3-tier architecture into the cloud, you can:
- Use ELB to ensure scalability
- Absorb increased traffic through the Auto Scaling (AS) service
- Add a CDN for accelerated access and protection against DDoS attacks

4.3. Advanced example: split tiers, local DMZ front end

Put the application tier and the database into AWS and keep the front end secured locally; the scenarios are:
- For example, a company with a global presence needs to tightly control access to the web tier, and the back end is placed into AWS because it is not exposed directly
- Example: big data analytics on AWS, where data queries are issued from the local data center and the back end requires a lot of processing power

4.4. Advanced example: split tiers, application cloud burst

Put the web tier and database into the cloud and the application tier into the on-premises data center; the scenarios are:
- Application processing relies on the customer's core technology (such as cryptographic hardware or other special hardware) and must stay firmly under their own control
- The DB can also be kept local, because the data is more important (core secrets, etc.) and must stay firmly under their own control

4.5. Advanced example: storage extension

Use the Storage Gateway data service to put private cloud data into public cloud S3, including:
- Direct use: virtual storage volumes can be connected as iSCSI, NFS or CIFS volumes
- Cached use: all data lives in S3, but frequently used data is kept locally

    • Backup and archive use: integrate with S3 using Storage Gateway, and back up regularly to Glacier (virtual tape library service)
      • Recovery from Glacier takes up to half an hour
      • Features the Glacier integration can provide (deduplication, compression, WAN acceleration)

4.6. Advanced example: hosted cloud services
    • For example: the user moves data into S3 over the DC direct connection, processes it in the EMR big data service, and the finished data can be put into Redshift
    • For example: with Internet of Things data, the front end receives a large volume of IoT streaming data; Kinesis ingests the stream and lands the data in S3, after which it can be processed by EMR and finally placed in Redshift

4.7. Advanced example: enterprise organizational structure management (AD)

Authentication inside the enterprise is managed with applications such as LDAP and AD, and you can deploy another set of that infrastructure directly in AWS (AD in a different VPC and subnets, with policies synchronized)
The benefits are:

    • Reduced round-trip traffic (a separate AD in each region means you do not have to fetch data from the primary AD every time)
    • Reduced authentication latency (ibid.)
    • Increased resilience (AD-provided functionality guarantees recoverability)
    • And you can use
      • Multi-master simultaneous read and write (multi-master read/write domain controllers)
      • Replica mode (read-only domain controllers, RODCs)

The challenge is managing the different AD servers separately
Note: requires IPsec VPN or DC Direct Connect mode

You can also use AWS's own authentication service, AWS Directory Service, which provides 2 modes to fit enterprise authentication management:

1. Self-service application: the Directory Service connector deployed in the cloud can then replicate policies in the cloud, with AWS providing reliability support

2. Deploy an EC2 host and run an application called Simple AD to achieve similar functionality (Samba 4, Active Directory compatible)

Another option is control through AWS-provided IAM:
- Create a token in IAM, assign the token to the application, and manage permissions through roles
- IAM supports existing RADIUS-based MFA

Note: requires IPsec VPN or DC Direct Connect mode

4.8. Advanced example: operations and monitoring tools

When mixing clouds, it is important that the monitoring tools unify management of events in the local data center and the public cloud

Use CloudWatch and CloudTrail in the cloud. Locally, a SIEM aggregator tool (Security Information and Event Management) is needed
- CloudTrail is a service that records the invocation of all standard APIs. All interaction with the cloud, whether through the console, the command line or programmatic access, reaches the cloud through standard APIs
- CloudWatch monitors the status of the instances and resources created by all AWS services

Specific practices:

    • Security monitoring of the integrated connection using CloudTrail and the SIEM aggregator
    • Feeding CloudTrail data and SNMP MIBs (hardware monitoring information) into the SIEM aggregator
    • Sending platform and application health information into the SIEM aggregator via an agent on the EC2 guests
    • Patching and upgrading with the locally deployed upgrade server
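Added example (not from the talk): a minimal CloudTrail filter of the kind the SIEM aggregator above would run over records delivered from the cloud. The three records are constructed to mimic CloudTrail's JSON layout, and the finding rules (console login without MFA, root credential use, a security group opened to 0.0.0.0/0, calls from outside the corporate VPN/Direct Connect ranges) are illustrative choices, not an AWS-provided ruleset.

```python
# Constructed CloudTrail-to-SIEM filter (illustrative, not AWS code). The log
# below is a made-up sample in CloudTrail's "Records" layout; the detection
# rules are examples a hybrid-cloud SOC might start from.
import json
from ipaddress import ip_address, ip_network

SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "10.20.1.5",
     "requestParameters": {"ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "10.20.1.6"},
]})

# Ranges from which API calls are expected to arrive over the VPN / Direct Connect path
CORP_RANGES = [ip_network("10.0.0.0/8")]

def findings(rec):
    """Return the finding tags that apply to one CloudTrail record."""
    tags = []
    if rec["eventName"] == "ConsoleLogin" and \
            rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        tags.append("console-login-without-mfa")
    if rec.get("userIdentity", {}).get("type") == "Root":
        tags.append("root-credentials-used")
    if rec["eventName"] == "AuthorizeSecurityGroupIngress":
        for perm in rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
                tags.append("sg-opened-to-internet")
    try:
        if not any(ip_address(rec["sourceIPAddress"]) in n for n in CORP_RANGES):
            tags.append("source-outside-corp-network")
    except ValueError:  # service-initiated calls carry a DNS name here, not an address
        pass
    return tags

def scan(log_text):
    """Flatten a CloudTrail log file into (eventName, finding) pairs for the SIEM."""
    return [(rec["eventName"], tag)
            for rec in json.loads(log_text)["Records"] for tag in findings(rec)]
```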

4.9. Advanced example: continuous integration and continuous delivery
    • Use the CodeDeploy service for flexible deployment of your application on EC2
    • Other services: CloudFormation (implementing the deployment architecture as code), CloudDeploy, Elastic Beanstalk (managed application architecture) and so on, to perform continuous integration and continuous delivery
    • Reuse the enterprise's existing scripts and tools: Bash, PowerShell, Chef, Puppet and more
    • Integration with key development tools: GitHub, Jenkins, CloudBees, Travis CI, Eclipse, etc.

4.10. Advanced example: Xiaomi cloud flash sale (AWS front end)

Background: the Mi Fan Festival, with a flash sale every 2 hours throughout the day. 2.112 million mobile phones, 1460 people, a Guinness World Record
Architecture:

    • Front end on AWS, via ELB + EC2
    • Data and back-end applications in Xiaomi's local data center
    • Direct connection via a DC leased line

5. Summary

5.1. Common hybrid cloud applications
    • Backup and archive
    • Storage extension
    • Disaster recovery
    • Development and test validation
    • Business-critical applications (e.g. Oracle, SQL Server databases, etc.)
    • Big data analytics
5.2. Summary
    • The hybrid architecture is the journey to the cloud, not the ultimate goal
    • Connectivity is the key to implementing a hybrid architecture
    • Enterprises large and small are starting out on this journey