Amazon S3 this year celebrated its 16th birthday. Launched on Pi Day (March 14) in 2006, the extremely popular cloud storage service was among AWS’ earliest offerings, along with Amazon Simple Queue Service and EC2. With the release of S3, Amazon revolutionized the world of computer storage and forever changed the way organizations look at IT infrastructure—compute, storage and network.
Today, AWS is the most comprehensive and broadly adopted public cloud platform, with over 200 services, 25 geographic regions, and more than 80 data centers around the world. AWS enables anyone—from individuals to international Fortune 500 companies—to leverage enterprise-grade services with a cost-efficient pay-as-you-go pricing model.
Over the past decade, and even more so since the global pandemic disruption, more and more companies have been shifting to public cloud platforms—not only to reduce their physical data-center footprints but also to innovate and adapt more quickly to changing demand. When it came to the enterprise world, certain industries were slower than others to adopt the public cloud, but even now that shift has become ubiquitous.
Large organizations, however, face inherent challenges regarding cloud adoption, such as procurement, legal, and financial aspects. But the biggest factor for the delayed start across many industries has been a lack of services capable of addressing some of their specific requirements related to geographic location, compliance, and specialized hardware, among others. Still, with the maturity and evolution of cloud services, there is hardly any reason left to prevent organizations from adopting the public cloud.
This article is a two-part series on moving your enterprise workloads to AWS. In this post, we will highlight some of the key points to consider when getting started.
Cloud Migration Models and How to Utilize Them
There are a few well-known strategies to migrate to the public cloud. The most popular approaches are known as rehosting (lift-and-shift), replatforming, and rebuilding.
All public cloud vendors provide infrastructure-as-a-service functionalities that enable organizations to rehost their existing infrastructure (virtual machines, data storage, network, etc.) to the cloud. According to Gartner, AWS is the current leader in the infrastructure-as-a-service (IaaS) segment, and by being a common denominator across on-premises and public cloud providers, IaaS remains one of the most popular and easiest ways to get started with AWS.
IaaS provides maximum control, but at the same time, requires maximum management tasks, such as configuring the system, resource monitoring and adjustments, and patching security updates. However, for a successful migration, your IT team will need to understand how AWS works at its core.
Figure 1: Gartner’s 2020 Magic Quadrant for Cloud Infrastructure & Platform Services
While IaaS is a popular starting point for migration, it may not be the most effective way to use AWS services. Rather, to build modern, cloud-native, scalable, and cost-effective applications, there are other categories to consider, such as platform as a service (PaaS) and software as a service (SaaS). And within these, it is worth exploring the concepts of functions as a service (FaaS) and containers as a service (CaaS), which radically changed the computing paradigm for software engineers.
These services share the same purpose: to abstract the underlying infrastructure pieces and provide developers with more freedom to focus on the application, rather than the infrastructure.
[ Multicloud Networking –The Definitive Guide ]
Take a deep dive on all things multicloud networking – from the fundamentals, through practical application, and even a real-world example to get you started.
This definitive guide will cover the core concepts behind networking in a multicloud world, as well as how to actually connect GCP and AWS with concrete examples. Download Now
Let’s take a closer look at PaaS and SaaS.
Platform as a Service
PaaS encapsulates platform configurations and OS-level tasks. For example, AWS Elastic Beanstalk automatically handles application deployment, capacity provisioning, load balancing, and autoscaling without additional manual effort. Another great example is AWS RDS, the managed relational database service that comes with out-of-the-box support for automatic snapshots, global tables, and replication, among many other features.
Software as a Service
SaaS encapsulates all internal details and provides an API-based interface to start using the service. One example is Amazon SES (Simple Email Service), which enables the programmatic sending and receiving of emails via an API. Another popular example is AWS Amplify, which enables developers to build and deploy a web or mobile application without any operational overhead.
Figure 2: Evolution of cloud services (Source: Red Hat)
While using a single cloud provider such as AWS is typical for most organizations, a multicloud strategy is often the popular choice for large enterprises. This provides more flexibility in M&A operations and offers additional options such as access to exclusive geographical locations, making it easier for an organization to meet business requirements related to latency or government regulations.
Understand Why You Want to Move to AWS
Every organization has different goals and priorities when beginning its cloud migration. Likewise, AWS has many services and features that can be utilized to accommodate different use cases, such as data backup, disaster recovery, high availability, low-cost storage, big-data processing, and more.
The most important parameter for a successful migration is understanding the core reasoning behind the move. Enterprises should ask themselves: Why do I want to migrate to AWS? The answer will help all stakeholders get on the same page. It will also help IT teams choose the right set of AWS services (based on the different migration models discussed earlier). For example, AWS provides multiple storage services and different types of load balancers, and selecting the right one depends on your use case and business requirements.
Security in the Cloud
Security is a very critical topic to any organization. Historically, security and compliance concerns have been one of the reasons many organizations, especially large enterprises, have been reluctant to adopt the cloud. Over the years, however, AWS has focused on making sure its infrastructure meets the strictest security and compliance standards; it also seeks to offer the proper tools and services for organizations in sectors such as finance, healthcare, and government to be able to run their systems in AWS Cloud.
There is a common misconception that all cloud workloads must be internet-facing. Naturally, this is not true, and one can easily build a completely private and isolated workload environment. Yet, public-facing workloads such as e-commerce applications were among the first to benefit from cloud-native capabilities such as autoscaling and pay-as-you-go pricing.
If you are looking to protect your internet-based applications from external threats like DDoS attacks or any of the vulnerabilities on OWASP’s list (injection, broken authentication, sensitive data exposure, etc.), AWS WAF and AWS Shield are great options. These built-in services leverage AWS’ own security expertise and make it easier for organizations to safely build globally distributed applications.
Here, I’ll take a closer look at how AWS manages security in the cloud.
The Shared Responsibility Model
According to AWS’ shared responsibility model, security and compliance are the shared responsibility of AWS and its customers. While AWS manages “security of the cloud,” the customer manages “security in the cloud.”
This means that AWS is responsible for protecting the infrastructure running all of its services, including the hardware, software, networking, and data-center facilities. However, customers are responsible for configuring and managing the AWS service(s) they decide to use. For instance, if you use Amazon EC2 instances to host your application, you—not AWS—will be responsible for the configurations and management of those instances.
The diagram below explains who protects which segments and how much control your IT team has over the public cloud infrastructure:
Figure 3: AWS shared responsibility model for cloud services (Source: AWS)
In an on-premises environment, the IT team can organize and restrict different applications, with the help of physical networks and boundaries. In an AWS environment, you can run all of your applications in the same account. However, this is not a recommended practice, as it may not be compliant with regulatory requirements (e.g., financial or healthcare applications that require process and data isolation for risk mitigation).
AWS Organizations is an account-management service that allows your IT team to easily create and manage multiple AWS accounts with the required security controls and supervision. By keeping different environments in different AWS accounts, you can limit potential security threats while simultaneously maintaining overall governance.
Figure 4: AWS Organizations can be used to create and manage group accounts (Source: AWS)
In an on-premises environment, the IT team can organize and restrict different applications with the help of physical networks and boundaries. In an AWS environment, you can run all of your applications in the same account. However, this is not a recommended practice, as it may not be compliant with regulatory requirements (e.g., financial or healthcare applications that require process and data isolation for risk mitigation).
AWS Organizations is an account management service that allows your IT team to easily create and manage multiple AWS accounts that comply with your organization’s own policies as well as follow established security controls. By keeping different environments in different AWS accounts, you can limit potential security threats while simultaneously maintaining overall governance:
Figure 5: AWS Single Sign-On (SSO) with enterprise identity systems like Microsoft Active Directory (Source: AWS)
Managing Governance and Compliance in AWS
Enterprise IT teams have to maintain the inventory of resources in use. For security and compliance reasons, they also have to regularly update the infrastructure and keep track of the changes. Below, I’ll review a few management and governance services that AWS provides. These are designed with simplicity, scale, and cost-effectiveness in mind, so they’re suitable for organizations of any size.
In a distributed, multi-account setup, you don’t want to completely depend on a central IT team to manage and perform all tasks manually. This will slow down the formation of a new environment and will also burden your team with unnecessary work. AWS has a number of management services that help IT teams carry out these tasks securely and reliably.
AWS Control Tower
AWS Control Tower helps set up the baseline environment in an automated and controlled way by following organizational policies. Control Tower enables the creation of rules, called guardrails, and provides recommendations for them. These help organizations enforce their policies via service control policies (SCPs) and can also detect policy violations so you stay compliant—functionalities you can automate for both new and existing accounts.
Are you a tech blogger?
AWS Systems Manager
AWS Systems Manager helps you centralize data from multiple AWS services and automate tasks across AWS resources. The service has some important features, including:
- Sessions Manager: For logging into instances from a web browser (among other things)
- Parameter Store: For storing important configurations, like passwords and database connection details, in an encrypted format
- Inventory: For collecting the configuration and inventory of instances
- Patch Manager: For easily applying software patches to a group of instances
Organizations want to achieve business agility by moving to the cloud, but at the same time, they want to maintain the necessary governance control. There are a few key AWS services worth exploring that provide auditing and compliance capabilities so that you can securely govern your resources at any scale.
AWS CloudTrail is the source-of-truth service for everything that happens in the AWS environment. By default, all the changes that occur in your AWS environment are done via platform API calls. CloudTrail keeps a record of all the API calls, who made the call, and when the call was placed. This helps track user and resource activity in your cloud environment.
In a large environment, it can be difficult to keep track of or identify changes, as well as maintain a snapshot of the environment at a particular point in time. AWS Config provides the inventory, history, and change notifications of your cloud resources and their configuration to enable better governance and an improved security posture.
AWS Trusted Advisor and AWS Well-Architected Tool
After working with thousands of enterprise customers over the years, AWS has gathered together its knowledge of best practices and successful cloud ops into two services: AWS Trusted Advisor and AWS Well-Architected Tool.
- AWS Trusted Advisor analyzes your environment, offering up recommendations for cost, performance, security, fault tolerance, and service limits per proven industry best practices.
- AWS Well-Architected Tool enables engineering teams to assess the state of their workloads and ways of working by comparing them to the latest AWS architecture best practices. This tool is designed to get feedback on different aspects of your application—operational excellence, performance efficiency, reliability, security, sustainability, and cost-optimization—and then generates a risk scorecard for each of these pillars.
There is a saying among large organizations that have successfully migrated to AWS Cloud: “Crawl, walk, run.” What does this mean for you?
- Crawl: Identify and set up a clear plan and resources to build a strong cloud foundation.
- Walk: Migrate and monitor your processes. This phase is all about learning and adopting the best cloud practices.
- Run: Iterate and modernize to reap the benefits of cloud computing. This is where you identify and innovate your business processes.
In short, define your goals, find the right strategy and people to accomplish them, and continue on your cloud path. What you learn along the way will help you evolve and adapt. As you probably know by now, cloud computing is here to stay, so the time to move your business to the cloud is now!
In the next post, we will cover areas such as operational monitoring, resource management, and cloud cost optimization, as well as discuss how to create an effective team culture for successful cloud adoption.