2017 Spring ITPF
TRANSCRIPT
Enterprise Infrastructure in the Amazon Web Services (AWS) Cloud
David Zych, Erik Coleman, Phil Winans
Got AWS?
• http://aws.illinois.edu
• Let's go!
But…
• IT services have dependencies
  • Active Directory
  • private resources on campus network
  • private resources in other AWS accounts
• packets need roads (routes)
Where we're going…
→ VPC Networking Concepts
• Fantastic Enterprise VPCs and How to Build Them
• Using Active Directory in the Cloud
• There And Back Again: a Packet's Journey from UIUC to AWS
VPC Basics
• Virtual Private Cloud (VPC): a logically isolated virtual network in the AWS cloud which is dedicated to your AWS account
• an AWS account may have multiple VPCs
• each VPC may contain multiple Subnets
Location, Location, Location
• a VPC belongs to a single Region (us-east-2: Ohio)
• a Subnet belongs to a single Availability Zone (us-east-2a)
Public-facing Subnets
• bi-directional communication with any host on the public Internet
  • if permitted by Security Groups
• private IPv4 addresses internally
• 1:1 Network Address Translation (NAT) maps each private IP to an Elastic IP or transient public IP
Network Address Translation (Example)
DNS: example.com IN A 52.15.99.99
Campus-facing Subnets
• bi-directional to campus, without NAT
  • using Technology Services VPN connection
• outbound-only to Internet (optional)
Where we're going…
• VPC Networking Concepts
→ Fantastic Enterprise VPCs and How to Build Them
• Using Active Directory in the Cloud
• There And Back Again: a Packet's Journey from UIUC to AWS
Enterprise VPC (vs Independent VPC)
• Enterprise networking features
  • Campus-facing subnets
  • VPC Peering to other Enterprise VPCs
    • including Core Services VPCs
• Restrictions
  • Private IPv4 space centrally allocated by Technology Services
  • us-east-2 (Ohio) only
Recursive DNS Resolution
• Amazon Provided DNS: default, preferred
• Cannot resolve University-restricted DNS zones
  • ad.uillinois.edu
  • reverse-mapping zones for RFC 1918 private IPv4 space
    • on campus
    • in AWS Enterprise VPCs (if managed in IPAM)
Recursive DNS Resolution (Options)
Building Your Enterprise VPC
1. Plan your requirements
   • Which features?
   • What subnets? (types, sizes, Availability Zones)
   • How much private IPv4 space?
2. Request allocation from Technology Services
3. Deploy using Infrastructure-as-Code (IaC)
   • Download, customize, run!
   • Terraform
See Knowledgebase for details.
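The three-step build above ends in Terraform. The block below is an added example, not the presentation's or Technology Services' published Terraform, showing what the two subnet types described earlier look like as code: a public-facing subnet whose route to the Internet goes through an Internet Gateway (so each instance gets a 1:1 public mapping), and a campus-facing subnet that reaches campus prefixes through a Virtual Private Gateway with no NAT, plus an optional outbound-only Internet path through a NAT Gateway. The VPC CIDR 10.224.200.0/24, the campus prefix list and the "us-east-2a" zone are placeholders; the real allocation comes from Technology Services, and the VPN connection itself (customer gateway, tunnels) is provisioned separately and is represented here only by the Virtual Private Gateway.

```hcl
# Added example: Enterprise VPC with a public-facing and a campus-facing subnet.
# Placeholders: vpc_cidr and campus_cidrs are illustrative, not an allocation.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-2" # Enterprise VPCs are restricted to Ohio
}

variable "vpc_cidr" {
  default = "10.224.200.0/24" # placeholder: real space is allocated by Technology Services
}

variable "campus_cidrs" {
  default = ["10.0.0.0/8"] # placeholder: campus prefixes reached over the VPN, never via NAT
}

resource "aws_vpc" "enterprise" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true # Amazon Provided DNS (the default, preferred resolver)
  enable_dns_hostnames = true
  tags                 = { Name = "enterprise-vpc-example" }
}

# ---- Public-facing subnet: Internet Gateway gives each instance a 1:1 public IP mapping.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.enterprise.id
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.enterprise.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 3, 0) # 10.224.200.0/27
  availability_zone       = "us-east-2a"
  map_public_ip_on_launch = true # transient public IP; use an Elastic IP for a stable one
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.enterprise.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# ---- Campus-facing subnet: campus prefixes via the VPN's Virtual Private Gateway (no NAT),
#      optional outbound-only Internet via a NAT Gateway that lives in the public subnet.
resource "aws_vpn_gateway" "campus" {
  vpc_id = aws_vpc.enterprise.id # the VPN connection to campus attaches here (provisioned separately)
}

resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_subnet" "campus" {
  vpc_id            = aws_vpc.enterprise.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 3, 2) # 10.224.200.64/27
  availability_zone = "us-east-2a"
}

resource "aws_route_table" "campus" {
  vpc_id = aws_vpc.enterprise.id

  # One route per campus prefix, pointing at the VPN gateway: bi-directional, no NAT.
  dynamic "route" {
    for_each = toset(var.campus_cidrs)
    content {
      cidr_block = route.value
      gateway_id = aws_vpn_gateway.campus.id
    }
  }

  # Optional outbound-only Internet. Delete this route (and the NAT Gateway) for a
  # campus-facing subnet that must have no Internet path at all.
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "campus" {
  subnet_id      = aws_subnet.campus.id
  route_table_id = aws_route_table.campus.id
}
```

The design point is the route tables: the public-facing subnet's default route is the Internet Gateway, while the campus-facing subnet has specific routes for campus prefixes through the Virtual Private Gateway and only a NAT Gateway as its default route, so campus hosts see the instance's real private address and nothing on the Internet can initiate a connection into that subnet. A second Availability Zone would repeat the two subnets with a different `availability_zone` and the next `cidrsubnet` indices.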
Eye Test
Where we're going…
• VPC Networking Concepts
• Fantastic Enterprise VPCs and How to Build Them
→ Using Active Directory in the Cloud
• There And Back Again: a Packet's Journey from UIUC to AWS
Active Directory Hybrid Architecture
[Diagram: AD sites "Urbana", "Chicago", "Radius" and "AWS"; site labels HAB, PPSB, DCL, Node9, RRB30s, RRBDCL; the "AWS" AD site sits in the US-East-2 (Ohio) Region Core Services VPC with EC2 domain controllers in two Availability Zones; replication intervals of 360s and 900s are labeled.]
AD Extended to AWS
[Diagram: an Enterprise Services VPC with a public-facing subnet 10.x.y.0/27 and campus-facing subnets 10.x.y.64/27 and 10.x.y.128/27, each holding EC2 instances across two Availability Zones, connected by a VPC Peer Connection to the Core Services VPC, whose campus-facing subnets 10.224.n.64/27 and 10.224.n.96/27 host the domain controllers AWSDC1 and AWSDC2 behind an ELB. Traffic shown: LDAP (389), LDAPS (636), Kerberos (88). Service endpoints: ldap-ad-aws.ldap.illinois.edu:389 and krb-ad-aws.kerberos.illinois.edu:88.]
Support for Domain-Join
• Previously unsupported
• Announcing full support today! June 8th, 2017
• AD Site Boundaries for AWS IP space
  • Preferred for AWS campus-facing subnets
  • Reduced functionality for private-facing and public-facing subnets
Support for Domain-Join for Enterprise VPCs

Feature                  | Private subnet | Campus-facing subnet | Public-facing subnet
Password Synchronization | 15 min delay   | Yes                  | 15 min delay
AD Site Failover         | No             | Yes                  | No
Global Catalog Lookup    | No             | Yes                  | No
Dynamic DNS              | Yes            | Yes                  | Yes*

* DDNS registers private IP only. Best practice is to always use campus-published DNS (IPAM) for application use. Never publicize the AD-registered IP or DNS hostname.
What's next?
• Evaluate need for LDAP over SSL (port 636)
• Exploring Amazon IAM Integration
• Evaluate AWS-hosted AD options
  • AWS Directory Services for Microsoft AD
  • Simple AD
  • AD Connector
• What else do you need?
Where we're going…
• VPC Networking Concepts
• Fantastic Enterprise VPCs and How to Build Them
• Using Active Directory in the Cloud
→ There And Back Again: a Packet's Journey from UIUC to AWS
AWS US Regions
To AWS From Campus
Different Ways Networks Connect to AWS
UofI to Internet2 to us-east-2
UofI to WiscNet to us-east-2
Resources
• http://aws.illinois.edu
• Knowledgebase: search for "AWS"
• [email protected]
• David Zych <[email protected]>
• Erik Coleman <[email protected]>
• Phil Winans <[email protected]>