Within Amazon, we often use the phrase "drinking our own champagne" to describe our practice of using our own products and services to prove them out under actual working conditions. We build products that we can use ourselves. We believe in them.
Amazon's Corporate IT recently wrapped up an important project and they have just documented the entire project in a new technical whitepaper.
Amazon's Corporate IT team deployed its corporate intranet to Amazon EC2 instances running Microsoft SharePoint 2010 and SQL Server 2008, all within a Virtual Private Cloud (Amazon VPC). This is a mission-critical internal corporate application that must deal with a large amount of very sensitive data.
The whitepaper describes the entire deployment process in step by step fashion: initial requirements analysis, security review, deployment success criteria, proof of concept, application architecture, configuration of SharePoint 2010 and SQL Server, and final production deployment.
There are a number of reasons why I am so excited about this project:
- During the deployment process our Corporate IT team treated AWS as they would treat any other vendor. They used the same products that our other customers use, paid for AWS Premium Support, and received pre-implementation advice from our AWS Solution Architects the same way we give it to other enterprise customers. They conducted a thorough security review and decided to encrypt all data, both at rest and in flight. They used EBS snapshots to reduce the risk of losing data, and also implemented a failover mechanism that can attach an existing EBS volume to a fresh EC2 instance when necessary.
- This project involved commercial software licenses and demonstrates that the flexibility of AWS allows our customers to run commercial enterprise-grade software (like Microsoft SharePoint and SQL Server Enterprise) in the cloud. The whitepaper discusses not only the technical architecture and implementation details but also how you can leverage key security features (like Windows DPAPI for key management) to further enhance the security and reliability of your applications. Today, with Microsoft License Mobility through Software Assurance, you can bring your existing licenses for several Microsoft server applications to the cloud.
- Real benefits emerged:
  - Infrastructure procurement time was reduced from four to six weeks to minutes.
  - The server image build process, which had previously taken half a day, is now automated.
  - Annual infrastructure costs were cut by 22 percent when on-premises hardware was replaced with equivalent cloud resources.
  - The operational overhead of server lease returns was eliminated by replacing servers with equivalent cloud resources, freeing up approximately two weeks of engineering time per year.
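The two security points above (data encrypted at rest on EBS, keys managed with Windows DPAPI, and a failover that attaches the existing EBS volume to a fresh EC2 instance) come together in the boot-time "activation" of the data volume. The script below is an added example written for this post; it is not the Corporate IT team's script and is not taken from the whitepaper. It assumes AWS Tools for PowerShell on the instance, `manage-bde` (present on Windows Server 2008 R2 and later), and that it runs as SYSTEM from a startup task. The file path, the entropy string, the device name and the volume ID are placeholders invented for the example.

```powershell
# Added example (not the whitepaper's script): boot-time activation of a
# BitLocker-protected EBS data volume on an EC2 Windows host.
#   1. attach the existing EBS volume to this instance if it is not already here
#      (failover case: it may still be attached to the dead instance)
#   2. recover the BitLocker recovery password from a DPAPI-protected file
#   3. unlock the drive with manage-bde
Add-Type -AssemblyName System.Security
Import-Module AWSPowerShell

$KeyFile = 'C:\ProgramData\Corp\bitlocker-D.dpapi'            # assumed path; ACL it to SYSTEM and Administrators only
$Entropy = [Text.Encoding]::UTF8.GetBytes('corp-sp-data-vol')   # assumed secondary entropy, baked into the image

function Protect-RecoveryPassword {
    # One-time provisioning step, run on EVERY instance that may host the volume.
    # DPAPI LocalMachine scope binds the blob to this machine's DPAPI master key, so a
    # blob copied from the failed instance will not decrypt on a fresh one.
    param([Parameter(Mandatory=$true)][string]$RecoveryPassword,   # 48-digit BitLocker recovery password
          [string]$Path = $KeyFile)
    $plain = [Text.Encoding]::UTF8.GetBytes($RecoveryPassword)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
                 $plain, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Array]::Clear($plain, 0, $plain.Length)
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-RecoveryPassword {
    param([string]$Path = $KeyFile)
    $blob  = [IO.File]::ReadAllBytes($Path)
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    $pw = [Text.Encoding]::UTF8.GetString($plain)
    [Array]::Clear($plain, 0, $plain.Length)
    return $pw
}

function Connect-DataVolume {
    # Ensure the EBS volume is attached to this instance, force-detaching it from a
    # dead instance first if needed. Returns $true once EC2 reports it attached.
    param([Parameter(Mandatory=$true)][string]$VolumeId, [string]$Device = 'xvdf')
    $self = (New-Object Net.WebClient).DownloadString(
                'http://169.254.169.254/latest/meta-data/instance-id')
    $att = (Get-EC2Volume -VolumeId $VolumeId).Attachments | Select-Object -First 1
    if ($att -and $att.InstanceId -eq $self) { return $true }
    if ($att) {
        Dismount-EC2Volume -VolumeId $VolumeId -ForceDismount $true | Out-Null
        while ((Get-EC2Volume -VolumeId $VolumeId).State.Value -ne 'available') { Start-Sleep -Seconds 5 }
    }
    Add-EC2Volume -VolumeId $VolumeId -InstanceId $self -Device $Device | Out-Null
    for ($i = 0; $i -lt 24; $i++) {                         # wait up to two minutes
        $att = (Get-EC2Volume -VolumeId $VolumeId).Attachments | Select-Object -First 1
        if ($att -and $att.State.Value -eq 'attached') { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

function Unlock-DataVolume {
    param([string]$Drive = 'D:', [string]$Path = $KeyFile)
    $status = (& manage-bde -status $Drive 2>&1 | Out-String)
    if ($status -match 'Lock Status:\s+Unlocked') { return $true }
    $pw = Unprotect-RecoveryPassword -Path $Path
    & manage-bde -unlock $Drive -RecoveryPassword $pw | Out-Null
    $pw = $null
    return ($LASTEXITCODE -eq 0)
}

# Scheduled task "At startup", run as SYSTEM (volume ID is a placeholder):
# if ((Connect-DataVolume -VolumeId 'vol-0123abcd') -and (Unlock-DataVolume -Drive 'D:')) {
#     Start-Service MSSQLSERVER      # SQL Server data files live on D:
# }
```

Two caveats a practitioner should keep in mind. First, this scheme protects the data as it sits on the EBS volume and in its snapshots: without the DPAPI-protected file, the entropy in the image, and a machine that can decrypt that file, the volume is ciphertext. It does not protect against an attacker who already has administrative access to the running instance, since any process on that machine with the entropy can call `Unprotect`. Second, because DPAPI LocalMachine blobs only decrypt on the machine that created them, a fresh failover instance must run the provisioning step itself (as part of the automated image build) rather than inherit the blob from the failed one. On Windows Server 2008 R2 Enterprise the default SAN policy also leaves a newly attached disk offline, so the startup task may need to bring the disk online and assign the drive letter before `manage-bde` can see it.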
Today, you can run enterprise software from Microsoft, Oracle, SAP, IBM and several other vendors in the AWS Cloud. If you are an ISV and you'd like to move your products to the cloud, we're ready to help. The AWS ISV program offers a wide variety of sales, technical, marketing, PR, and alliance benefits to qualified ISVs and solution providers.
The paper is a great example of how a complex mission-critical application can be deployed to the cloud in a way that makes it more reliable, more flexible, and less expensive to operate. Read it now and let me know what you think.
Update: We are checking with our teammates to see if we can release some of the documentation and scripts described in the whitepaper. It appears that encryption of EBS volumes is a topic of interest to many people!
-- Jinesh


I found the section on data encryption at rest very interesting. It is definitely the way we should have implemented our EBS volumes. Where can I find additional information on this implementation, specifically the script used to manage the BitLocker keys during boot-up?
Thank you.
Posted by: Orlando H | September 22, 2011 at 05:08 PM
Great article and thanks for sharing. I have a question on the total cost of ownership aspect of the migration. Was a TCO analysis done and what are the projected savings say over a 6 year period for the private cloud vs on-prem? What staffing reductions (SP Admin, architect, systems analyst) are assumed as part of the analysis? Do you have a ROI and break-even timeframe determined?
Posted by: Paul Nordlund | September 26, 2011 at 01:30 PM
I'd also like to see more details on the disk "activation" script. I know it wasn't produced by the AWS team directly, but is there any thought of merging this into an AMI or at least releasing it as part of an SDK?
Posted by: Hughkelley_mrh | September 28, 2011 at 09:32 AM
We are also interested in more details about the IPsec GPO, excluding RDP and Kerberos, ICMP, or how you handle this point: "5. Enabling IPsec for all traffic between Windows hosts."
Posted by: Bruno | October 03, 2011 at 08:57 AM
I think the sections dealing with the security encryption were very good. I like how it states how things were implemented and structured, and how with open source you can bring in your existing Microsoft licenses to SharePoint.
Posted by: marquis Blackmon | October 03, 2011 at 01:55 PM