從傳統 IDC 到 Hybrid Cloud 的演進及架構設計

Transcript

1. 從傳統 IDC 到 Hybrid Cloud 的 演進及架構設計 S c o

   t t . l i a o @ M r. 沙 先 ⽣生 < s h a z i . i n f o >

2. 2 HELLO! 104 資訊科技 ⼯工程經理理 我會 ... AWS、DevOps、打雜 ⾁肉搜 Mr.

   沙先⽣生 或是 Mr. 礦物先⽣生 找到我 • IT 鐵⼈人賽第九屆：Puppet 從入⾨門就放棄 • DevOpsDays Taipei 2018 講者 • SITCON 2019 講者 • DevOps Taiwan CI/CD/Pipeline Tools

3. 每個技術轉型的企業 104 & AWS 都有⼀一個杯桑的故事

4. 4 Infrastructure Data Center Cloud Data Center + Cloud

5. Data Center 傳統 5 Cloud 潮 衝突

6. 6 「我要很復古⼜又很潮的設計」

7. 「為了了⽣生活，我可以忍」 洪⾦金金寶說： 7

8. 8 「先攻他中路路」- 打通網路路環境 Internet VPN Intranet Direct Connect Intranet ✘

   policy ✔ money ✘ latency

9. 9 Direct Connect Intranet Provider：GCX / Chief Network：100M / 300M

   / 1G / 10G SLA：NO Type：Public / Private VIF Protocol：BGP

10. 10 Direct Connect Intranet

11. 11 130+ AWS Account

12. 12 Multiple Account Network REF：Netflix Solution：Internet VPC Peering Transit VPC

    ✔ Transit Gateway ✘ policy ✘ proxy endpoint ✘ expensive

13. 13 Multiple Account Network

14. 14 Multiple Account Network 《Transit VPC》 Subnet Not Overlay Not

    Share Cross Account Resource Subnet Range Limit Manage Cisco Cloud Services Router 1000V NLB Not Working for Cross Account

15. 15 Private / Public / AWS Only Domain

16. 16 Mix DNS Network DNS Master for Configuration DNS Resolver

    for Query - Unbound - Route 53 Resolver DNS Slave for Zone transfer

17. 17 Mix DNS Network《DNS Resolver》

18. 18 Mix DNS Network《DNS Resolver》 AWS Only Domain Name ?

    ex. VPC PrivateLink https://aws.amazon.com/tw/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-by-using-unbound/ Unbound (DNS Resolver) forward-zone: name: “amazonaws.com” forward-addr: 169.254.169.253

19. 19 Hybrid Cloud latency ? Tokyo <> Taiwan

20. 20 Hybrid Cloud Latency AWS Direct Connect 30ms ~ 35ms

    - ProxySQL - Database Replication fo Read - API Data Cache Where are Database

21. 21 How to migrate ? AWS <> IDC

22. 22 How to Migrate AWS CloudFront - https://www.104.com.tw/datacenter - https://www.104.com.tw/cloud

23. 23 Security for ISO 27001 ?

24. 24 ISO 27001 on Cloud Logs - CloudWatch Log -

    CloudTrail - Fluentd Control - Console Login with AWS AD、 AWS SSO - SSH Login Without SSH (AWS SSM) - Internet access With Proxy - AWS Service with VPC Privatelink Security - WAF、Shield、KMS、SSM - Guardduty、AWS Config、 Macie

25. 25 Notice Cloud Without DNS Cache (TTL 60s) Status Not

    Local, Termination of instance is ALWAYS Cloud Computing is expensive EOL is ALWAYS Automation is everything

26. THANK YOU!