Paul Bockelman, AWS Principal Solutions Architect (WWPS)
Haider Witwit, AWS Senior Solutions Architect (WWPS)
LHC3376BUS
#VMworld #LHC3376BUS
AWS Native Services Integration with VMware Cloud on AWS
Technical Deep Dive
VMworld 2017 Content: Not for publication or distribution
What to expect from the session
#LHC3376BUS CONFIDENTIAL
• Technical recap – VMware Cloud on AWS
• {Sample} Integration use case
• Services introduction & solution designs
• Solution summary
VMware Cloud on AWS: Technical Recap
VMware Cloud on AWS: Overview
[Diagram: the customer data center (management via vCenter Server, vRealize Suite and PowerCLI) and VMware Cloud on AWS running in the AWS Global Infrastructure. vCenter Server is the single pane of glass and API across on-premises and cloud, and the SDDC has access to all AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, Amazon Redshift, ...) driven through AWS CloudFormation, the AWS CLI and the AWS SDK.]
VMware Cloud on AWS: AWS view
VMware operated, supported, and maintained
Fully configured VMware software stack running on state-of-the-art infrastructure, provisioned on-demand in minutes
Latest software
• VCSA, ESXi, NSX, VSAN, H5 client
Dynamic capacity
• DRS/HA compute cluster (Intel x86)
• VSAN storage cluster (SSD)
• NSX network virtualization (10 Gbps+)
Flexible topology
• Standalone cloud cluster
• Hybrid connectivity to on-premises
• Cloud-to-cloud connectivity
[Diagram: the VMware Cloud on AWS SDDC (ESXi hosts, vCenter Server, Gateway, NSX Manager) running on single-tenant (dedicated) bare-metal Amazon EC2 hardware inside the AWS Global Infrastructure.]
VMware Cloud on AWS: AWS integration
[Diagram: VMware Cloud on AWS with access to all native AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, IAM, AWS IoT, ...).]
VMware Cloud on AWS: Base Topology
[Diagram: the VMware Cloud VPC (ESXi hosts on Amazon EC2; a resource pool with DMZ-In (Private), App (Private) and DMZ-Out (Public) segments hosting the DB1, DB2, RWP, APP1 and APP2 virtual machines; Compute Gateway, Management Gateway and IGW) is attached through the VMware Cloud ENI to the AWS Customer VPC, which spans AZ A, AZ B and AZ C with a DMZ-Out (Public) subnet, an IGW and a VPC S3 Endpoint. The customer data center connects in, and AWS Region Services (Amazon CloudWatch, AWS CloudTrail, Amazon S3) sit alongside.]
{Sample} Integration Use Case
Integration Use Case: Overview
VMware Cloud on AWS customer ACME Distribution is hosting two (2) web-based, internet-facing applications in its VMware Cloud on AWS SDDC account and is launching a third web application in its AWS account.
ACME is seeking to meet the following requirements from an integration with native AWS Services:
• Horizontally scale SDDC 'Application 2' and consolidate public application access across accounts (SSL required)
• Globally distributed (from a single origin) application(s) with effective mitigation of DDoS and L3/L4/L7 attacks
• Increased security visibility and (near) real-time access control
[Diagram: ACME's SDDC in the VMware Cloud VPC, as in the base topology: ESXi hosts on Amazon EC2; DMZ-In (Private), App (Private) and DMZ-Out (Public) segments; the DB1, DB2, RWP, APP1 and APP2 virtual machines; Compute Gateway, Management Gateway and IGW.]
Services introduction & solution designs
Req #1 – Scale and Consolidate Public Access
The following native AWS Services will be used to horizontally scale Application 2...
• AWS Storage Gateway (File Interface)
- A virtual appliance that uses industry-standard storage protocols to connect to AWS cloud storage services
- Files are stored as objects in your S3 buckets, accessed through a Network File System (NFS) mount point
- Once in S3, objects can be managed as native S3 objects, and bucket policies such as versioning, lifecycle management, and cross-region replication apply directly to objects stored in your bucket
• Amazon Elastic Compute Cloud (Amazon EC2)
- Deployed as a cluster of reverse web proxy instances that forward traffic to VMware Cloud on AWS virtual machines (for Applications 1 & 2)
- The reverse web proxy cluster is deployed as an Auto Scaling Group and registered as an Application Load Balancer Target Group
Req #1 – Scale and Consolidate Public Access
The following native AWS Services will be used to horizontally scale Application 2...
• Amazon Relational Database Service (Amazon RDS)
- Using the Amazon Aurora MySQL engine, Amazon RDS is a managed relational database service built on a fully distributed and self-healing storage system
- Provides enterprise-level capabilities including database monitoring, database cloning, cross-region copying and replication
- Amazon Aurora's storage is fault-tolerant and self-healing (each 10GB chunk of your database volume is replicated six ways, across three Availability Zones)
- On entire instance failure, Amazon Aurora will automatically fail over to one of up to 15 read replicas
Req #1 – Scale and Consolidate Public Access
The following native AWS Services will be used to consolidate public access for all applications…
• Elastic Load Balancing (ELB) – Application Load Balancer mode
- Routing decisions are made at the application layer (HTTP/HTTPS)
- Supports host-based routing that can route requests to one or more ports on each EC2 instance
- Native integration with other AWS services such as Auto Scaling groups, AWS WAF Web ACLs, and Amazon CloudWatch
- Native IPv6 support (users can connect to the ALB using IPv4 or IPv6)
• AWS Certificate Manager (ACM)
- Provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway
- Supports importing SSL/TLS certificates issued by third-party Certificate Authorities (CAs) and deploying them with your supported AWS resources
- AWS Certificate Manager can easily handle certificate renewals
Req #1 – Scale and Consolidate Public Access
The following native AWS Services will be used to consolidate public access for all
applications…
• Amazon Route 53
- A highly available and scalable global Domain Name System (DNS) service
- Designed to propagate DNS updates to the world-wide network of authoritative DNS servers within 60 seconds (under normal conditions)
- Fully compliant with IPv6
Req #1 – Scale and Consolidate Public Access (base)
[Diagram: the base topology repeated as the starting point for Requirement #1: the VMware Cloud VPC (ESXi hosts; DMZ-In/App/DMZ-Out segments; DB1, DB2, RWP, APP1 and APP2; Compute and Management Gateways; IGW) attached via the VMware Cloud ENI to the AWS Customer VPC (AZ A/B/C, DMZ-Out (Public), IGW, VPC S3 Endpoint), with the customer data center and AWS Region Services (Amazon CloudWatch, AWS CloudTrail, Amazon S3).]
Req #1 – Scale and Consolidate Public Access
[Diagram: target design for Requirement #1. Route 53 resolves clients to the ELB (Reverse Web Proxy & Application Load Balancer) in the AWS Customer VPC DMZ-Out (Public) subnet, which terminates SSL-encrypted traffic with an ACM certificate. Behind it sit the reverse web proxy instances in the customer VPC plus the RWP (SDDC) VM, the App3 ASG, and the SDDC with APP1 and three APP2 instances; a shared RDS Aurora cluster and an NFS S3-backed cluster file system (labelled Amazon EFS) serve the scaled application. VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail and Amazon S3 remain as region services.]
Req #1 - Demo
Req #2 – Globally distributed with DDoS Mitigation
The following native AWS Service will be used to protect the environment…
• Amazon CloudFront
- A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs with low latency and high transfer speeds
- 79 edge locations and 11 regional edge cache locations across 22 countries and 48 cities (as of 03-Aug-2017)
- Can deliver secure APIs or applications via SSL/TLS, with advanced SSL features
- Native IPv6 support
- Deeply integrated with AWS services including:
o Amazon S3
o Amazon EC2
o Elastic Load Balancing (ELB)
o Integration with AWS Lambda
o Amazon API Gateway
o AWS WAF
o AWS Shield
Req #2 – Globally distributed with DDoS Mitigation
The following native AWS Service will be used to protect the environment…
• AWS WAF
- A web application firewall that helps detect and block malicious web requests targeted at your web applications like SQL injection and cross-site scripting
- Able to be integrated with ALB and/or a CloudFront distribution
- Provides real-time metrics and captures raw requests that include details about IP addresses, geo locations, URIs, User-Agent and Referrers
Req #2 – Globally distributed with DDoS Mitigation
The following native AWS Service will be used to protect the environment…
• AWS Shield/Shield Advanced
- A managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS
- Provides always-on detection and automatic inline mitigations that minimize application downtime and latency
- For web applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced
- AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your protected resources
Req #2 – Globally distributed with DDoS Mitigation
[Diagram: the Requirement #1 design with CloudFront in front. Route 53 directs clients to WAF & ACM-enabled CloudFront edge location(s) protected by AWS Shield, which forward SSL-encrypted traffic to the ELB (Reverse Web Proxy & Application Load Balancer) in the AWS Customer VPC. The RWP ASG, RWP (SDDC), App3 ASG, shared RDS Aurora, Amazon EFS / NFS S3-backed cluster file system, the SDDC (APP1, three APP2, RWP, DB1) and the region services (VPC S3 Endpoint, Amazon CloudWatch, AWS CloudTrail, Amazon S3) are unchanged.]
Req #2 - Demo
Req #3 – Increased Security Visibility
The following native AWS Service will be used to create network insight…
• Amazon Virtual Private Cloud (Amazon VPC) – Flow Logs
- Enables the capture of information about the IP traffic going to and from network interfaces within a VPC (minus the payload)
- A flow log can be created for a VPC, a subnet, or a network interface
- Flow log data is stored using Amazon CloudWatch Logs
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
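The record above is the default (version 2) VPC Flow Log layout: 14 space-separated fields, with the traffic fields replaced by '-' when the log-status is NODATA or SKIPDATA. The following parser is an added example for this deck, not AWS or VMware code. It names the fields, turns the IANA protocol number into a name, drops records without data, and then applies one simple piece of detection logic over the result: sources whose REJECTed flows touched several destination ports on the same interface. The records after the first are constructed for the example; the threshold of three distinct ports is an assumption.

```python
"""Parse VPC Flow Log (v2) records and surface rejected multi-port sources."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Field order of a default (version 2) VPC Flow Log record.
FLOW_LOG_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# IANA protocol numbers that appear most often in flow logs.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

SAMPLE_RECORDS = [
    # The record shown on the slide: an accepted SSH flow.
    "2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK",
    # Constructed: one source trying three different ports, all rejected.
    "2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 40001 22 6 1 60 1438530010 1438530070 REJECT OK",
    "2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 40002 23 6 1 60 1438530010 1438530070 REJECT OK",
    "2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 40003 3389 6 1 60 1438530010 1438530070 REJECT OK",
    # Constructed: a single rejected UDP flow, not enough to flag on its own.
    "2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 5000 53 17 1 80 1438530010 1438530070 REJECT OK",
    # Constructed: no data captured in this window, so traffic fields are '-'.
    "2 123456789010 eni-abc123de - - - - - - - 1438530010 1438530070 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    byte_count: int
    start: int
    end: int
    action: str


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for malformed or data-less records."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    # NODATA / SKIPDATA records have '-' in the traffic fields: skip them
    # instead of failing on int('-').
    if rec["log_status"] != "OK":
        return None
    proto = int(rec["protocol"])
    return FlowRecord(
        account_id=rec["account_id"],
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=PROTOCOL_NAMES.get(proto, str(proto)),
        packets=int(rec["packets"]),
        byte_count=int(rec["bytes"]),
        start=int(rec["start"]),
        end=int(rec["end"]),
        action=rec["action"],
    )


def rejected_sources(lines: Iterable[str], min_distinct_ports: int = 3) -> Dict[str, int]:
    """Map source address -> number of distinct destination ports it was
    REJECTed on, keeping only sources at or above the threshold. A security
    group is already dropping this traffic; the point is visibility."""
    ports_by_src: Dict[str, Set[int]] = {}
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        ports_by_src.setdefault(rec.srcaddr, set()).add(rec.dstport)
    return {src: len(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_distinct_ports}


if __name__ == "__main__":
    for src, n in rejected_sources(SAMPLE_RECORDS).items():
        print(f"{src}: rejected on {n} distinct ports")
```

The same parse step is what a CloudWatch Logs metric filter or a Kinesis Firehose transformation does before the records reach Amazon ES; doing it once, explicitly, makes it clear which fields are worth indexing and which records (NODATA, SKIPDATA) should be counted but not parsed.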
Req #3 – Increased Security Visibility
The following native AWS Service will be used to monitor resources…
• Amazon CloudWatch
- Collect and track metrics, collect and monitor log files (including custom logs), set alarms, and automatically react to changes in your AWS resources
- Metrics such as CPU utilization, latency, and request counts are provided automatically
- Using CloudWatch Logs, you can monitor your logs, in near real-time, for specific phrases, values or patterns (metrics)
Req #3 – Increased Security Visibility
The following native AWS Service will be used to durably store logs…
• Amazon Simple Storage Service (Amazon S3)
- Object storage built to store and retrieve any amount of data from anywhere
- Designed to deliver 99.999999999% durability
- Data is stored as objects within resources called "buckets"
- Unlimited objects can be contained within a bucket, with individual object sizes of up to 5 terabytes
- Buckets are accessible over IPv6 through "dual-stack" endpoints
Req #3 – Increased Security Visibility
The following native AWS Service will be used to ingest data streams…
• Amazon Kinesis Firehose
- Ingests streaming data such as application logs, website clickstreams and IoT telemetry in near real time into databases, data lakes and data warehouses
- Will be used to stream VPC Flow Logs, Application Load Balancer and CloudFront application logs from CloudWatch into Amazon Elasticsearch Service
- Process and analyze data as it arrives and respond in real-time for downstream processing (supports hundreds of thousands of data sources simultaneously)
[Diagram: Streaming Data Source(s) → Amazon Kinesis Firehose → Amazon ES, Amazon S3 and Amazon Redshift, with Amazon QuickSight and Amazon Athena for analysis.]
Req #3 – Increased Security Visibility
The following native AWS Service will be used to index log data…
• Amazon Elasticsearch Service (Amazon ES)
- A managed service for Elasticsearch, an open-source search and analytics engine for big data use cases such as log and click stream analysis
- Ingest structured and unstructured data from a variety of sources
- Amazon Elasticsearch Service manages the capacity, scaling, patching, and administration of Elasticsearch clusters
- Direct access to the Elasticsearch API
- Includes built-in support for Kibana (an open-source analytics and visualization platform) and AWS services including: Amazon Kinesis Firehose, AWS Lambda, and Amazon CloudWatch
Req #3 – Increased Security Visibility
The following native AWS Service will be used to analyze and visualize…
• Amazon Athena
- Interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL (uses Presto with ANSI SQL support)
- Uses Amazon S3 as its underlying data store (highly durable)
- Quickly tap into data in Amazon S3 without the need to set up complex processes to extract, transform, and load the data (ETL)
• Amazon QuickSight
- A business analytics service that makes it easy to build visualizations and perform ad-hoc analysis
- Uses SPICE – The Super-fast, Parallel, In-memory, Calculation Engine
- Upload (CSV or XLS) and/or ingest data from AWS data sources such as Amazon Redshift, Amazon RDS, Amazon Aurora, Amazon Athena, Amazon S3, and Amazon EMR (Presto and Apache Spark)
- Connect to databases like SQL Server, MySQL, and PostgreSQL (in the cloud or on-premises)
Req #3 – Increased Security Visibility
[Diagram: the Requirement #2 design with the visibility pipeline added. VPC Flow Logs, AWS CloudTrail and the ALB/CloudFront logs land in Amazon CloudWatch, are streamed by Amazon Kinesis Firehose into Amazon ES and Amazon S3, and are analyzed with Amazon Athena and Amazon QuickSight. CloudFront (WAF & ACM-enabled edge location(s), AWS Shield), Route 53, the ELB and reverse web proxies, App3 ASG, RDS Aurora (shared), Amazon EFS / NFS S3-backed cluster file system and the SDDC are as before.]
Req #3 - Demo
But wait…
{BONUS}: Automation and ‘Touchless Management’
The following native AWS Service can be used to automate…
• AWS Lambda
- A serverless compute service that executes code in response to triggers such as changes in data, shifts in system state, or actions by users
- Automatically parses access logs to identify suspicious behavior and add the corresponding source IP addresses to an AWS WAF block list
- Automatically checks third-party IP reputation lists hourly for malicious IP addresses to add to an AWS WAF block list
• AWS CodeDeploy
- A service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises
- Rapidly release and automate software deployments, eliminating the need for error-prone manual operations
- Centralize control to launch and track the status of application deployments through the AWS Management Console or the AWS CLI
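The access-log part of the Lambda bullet above, shown as an added example for this deck (it is not the AWS WAF automation the slide refers to, nor AWS or VMware code). The function reads lines in the Application Load Balancer access-log layout (space separated, with the request and user-agent fields quoted), counts requests and 4xx responses per client address, and returns the addresses that cross a threshold together with the /32 or /128 CIDRs a WAF IP set accepts. The log lines, the host names and the thresholds are constructed assumptions; the call that writes the CIDRs into a WAF IP set is deliberately left out, since the point is the decision logic that runs before it.

```python
"""Pick block-list candidates out of ALB / reverse-proxy access logs."""
import ipaddress
import shlex
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed lines in the ALB access-log field order (type, time, elb,
# client:port, target:port, three processing times, elb status, target
# status, received bytes, sent bytes, "request", "user_agent").
SAMPLE_ACCESS_LOG = """\
https 2017-08-20T10:00:01.000000Z app/rwp-alb/abc 203.0.113.5:51000 10.0.1.10:443 0.001 0.020 0.000 200 200 300 5120 "GET https://app1.example.com:443/ HTTP/1.1" "Mozilla/5.0"
https 2017-08-20T10:00:02.000000Z app/rwp-alb/abc 198.51.100.9:40001 10.0.1.10:443 0.001 0.005 0.000 404 404 250 120 "GET https://app2.example.com:443/login HTTP/1.1" "python-requests/2.18"
https 2017-08-20T10:00:02.100000Z app/rwp-alb/abc 198.51.100.9:40002 10.0.1.10:443 0.001 0.005 0.000 404 404 250 120 "GET https://app2.example.com:443/admin/ HTTP/1.1" "python-requests/2.18"
https 2017-08-20T10:00:02.200000Z app/rwp-alb/abc 198.51.100.9:40003 10.0.1.10:443 0.001 0.005 0.000 403 403 250 120 "GET https://app2.example.com:443/config HTTP/1.1" "python-requests/2.18"
https 2017-08-20T10:00:02.300000Z app/rwp-alb/abc 198.51.100.9:40004 10.0.1.10:443 0.001 0.005 0.000 404 404 250 120 "GET https://app2.example.com:443/backup/ HTTP/1.1" "python-requests/2.18"
https 2017-08-20T10:00:03.000000Z app/rwp-alb/abc 203.0.113.5:51001 10.0.1.10:443 0.001 0.020 0.000 404 404 300 120 "GET https://app1.example.com:443/favicon.ico HTTP/1.1" "Mozilla/5.0"
"""


def parse_access_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields this check needs, or None for a line that does not
    have the expected shape. shlex handles the quoted request field."""
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(fields) < 13:
        return None
    # client field is "ip:port"; rsplit keeps IPv6 addresses intact.
    client_ip = fields[3].rsplit(":", 1)[0]
    return {"time": fields[1], "client_ip": client_ip,
            "elb_status": fields[8], "request": fields[12]}


def suspicious_sources(lines: Iterable[str], max_errors: int = 3,
                       max_requests: int = 100) -> Dict[str, Tuple[int, int]]:
    """Map client address -> (requests, 4xx responses) for every address that
    produced at least `max_errors` client errors or `max_requests` requests in
    the batch. Thresholds are assumptions; tune them per application."""
    requests: Counter = Counter()
    errors: Counter = Counter()
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None:
            continue
        requests[rec["client_ip"]] += 1
        if rec["elb_status"].startswith("4"):
            errors[rec["client_ip"]] += 1
    return {ip: (requests[ip], errors[ip]) for ip in requests
            if errors[ip] >= max_errors or requests[ip] >= max_requests}


def block_list_cidrs(addresses: Iterable[str]) -> List[str]:
    """Format addresses as the host CIDRs a WAF IP set takes (/32 for IPv4,
    /128 for IPv6). Anything that is not a valid address is dropped so a
    malformed log field can never poison the block list."""
    cidrs = []
    for raw in addresses:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        cidrs.append(f"{addr}/{32 if addr.version == 4 else 128}")
    return sorted(cidrs)


if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_ACCESS_LOG.splitlines())
    for ip, (reqs, errs) in flagged.items():
        print(f"{ip}: {reqs} requests, {errs} client errors")
    print("IP set entries:", block_list_cidrs(flagged))
```

The hourly reputation-list check in the next bullet reduces to the same last step: parse the list, validate each entry with `ipaddress`, and hand the resulting CIDRs to the IP set update. Keeping the validation in one function means both feeds go through the same gate.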
{BONUS}: Automation and ‘Touchless Management’
[Diagram: the Requirement #3 design with AWS Lambda attached to the WAF & ACM-enabled CloudFront edge location(s); the rest of the design (Route 53, AWS Shield, ELB and reverse web proxies, App3 ASG, RDS Aurora (shared), Amazon EFS / NFS S3-backed cluster file system, the SDDC, and the VPC Flow Logs → Amazon CloudWatch → Amazon Kinesis Firehose → Amazon ES / Amazon S3 / Amazon Athena / Amazon QuickSight pipeline) is unchanged.]
{BONUS}: Automation and ‘Touchless Management’
[Diagram: the same design, with a callout "Remember the Reverse Web Proxies? Manage them using AWS CodeDeploy" pointing at the reverse web proxy instances in the AWS Customer VPC and the RWP (SDDC) virtual machine.]
{BONUS}: Automation and ‘Touchless Management’
• Edit configuration file(s)
• Push updated file(s) to a code repository
• Commit change(s)
• AWS CodeDeploy detects the update
• AWS CodeDeploy does a rolling deployment of the updates
Solution Summary
Solution Summary
Requirement #1
• AWS Storage Gateway
• Amazon EC2
• Amazon RDS
• AWS Certificate Manager
• Elastic Load Balancing
• Amazon Route 53
Requirement #2
• Amazon CloudFront
• AWS WAF
• AWS Shield/Shield Advanced
Requirement #3
• VPC Flow Logs
• Amazon CloudWatch
• Simple Storage Service (S3)
• Amazon Kinesis Firehose
• Amazon Elasticsearch Service (ES)
• Amazon Athena
• Amazon QuickSight
• AWS Lambda
• AWS CodeDeploy
AWS Booth Demos
• Demo 1: Securing Workloads in VMware Cloud on AWS
Understand the added value of using native AWS security features with workloads running in VMware Cloud on AWS
• Demo 2: VM Workload Analytics
Learn how to use native AWS services integration to manage and analyze VM workloads running in a VMware Cloud on AWS SDDC cluster
• Demo 3: Dev/Test Workloads with VMware Cloud on AWS
Demonstrate the use of an Oracle RAC (two-node cluster) test environment running in VMware Cloud on AWS
• Demo 4: Microsoft Applications on VMware Cloud on AWS
Demonstrate a Microsoft SharePoint deployment using native AWS web front-end services and backed by Microsoft SQL Server (Always-On Availability Groups) in VMware Cloud on AWS