AWS re:Invent 2020: Cisco and AWS innovations for a cloud-first world (Cisco)
welcome everybody for the cisco and aws innovations for a cloudforce award session my name is carlos pereira i'm the chief architect for the strategy emerging technology and incubation teams inside cisco and it's a pleasure to be with all of you here and reinvent 2020. so all teams are freeing all the pressures for an all digital award going out there and the majority of the companies have all those teams that are developing new cloud native applications the platform teams the cloud architects and the devops and the interface with the infra people or the teams that are responsible for integrations the security teams the itups have been challenging and the agility so far has been a very strong premises up to a point that 43 of the organizations want to release their changes very frequently and be able to restore on the event of any incident or any problem in an hour or maximum within a day so that tells that agility was a very strong premises upfront but now here comes the pandemic and the business before kovid was pretty much like applications run on aws cloud as i have in that example on the right hand side and the corporations have their own data centers and people accessing size and the security and integration in between those applications were working and there was the internet that connects the users and devices going to applications and data running in the cloud and then during and now after the cove environment what happens is there is a new element on this landscape and this new element is called home there's a lot of people working for home i myself and many of the attitudes on the 2020 section most likely will be on the similar situation and the home implies that i need a new place to guarantee a secure access towards and not only that to make sure that compliance policies and related to collaboration not only for collaboration at work but for learning schools and all this becomes part of that equation and cloud empowered this very nicely for this to happen and with that part of this new scenario not only agility was the initial qualification criteria for how applications were moving to cloud native but now we have resiliency as a very small and very key considerations that has evolved as the pandemic kept business reevaluating their own ways to go after cloud native so cisco launched back in june a new set of solutions called cisco business resident solutions which are predicated on three anchor themes the secure remote workforce that meant to answer the following question hey cisco i'm working now for home many of my employees are working for home is not that effective is not there proactive from a sense that i would like to be and i still need people to collaborate better and have some security profiles that i need to take care of can you help how the second aspect is there is the trusted workplace requirement when people come back to home from home sorry to the to the offices either manufacturing plans or regular office facilities when people need to have now social distance implementations and the whole trust or within environments go to a secondary level and comes on a third level and you had more and more deep dive on how a trusted workplace actually means and the last pillar of that business resilience solution has to do in how we optimize digital workloads as many customers and business are moving more and more to digital so i have been talking with customers that came to me and say hey carlos i had a digitization plan for my business and that was a two-year journey and i now need to do this in four months because my competitors are ahead everybody's working for home all my applications need to be scaling out and available to run from anywhere so that solution has been available from cisco since the mid of the year and this section here on aws reinvent is going to focus on the top one on the modern applications and how to optimize for digital workloads and the approach here is if application is the business for the majority of those customers and by the time that those business have the application being center in core for them revenue generation and relevance in the marketplace the experience of that application becomes the currency and optimizing that experience is how you succeed on the marketplace yourself so cisco brought the focus to optimize the application experience from a cloud native perspective by managing applications as experience it not necessarily focus on the locations or destinations where they may or may not be running so we do that by doing pretty much correlation for the applications associated workloads to the business to the network to the systems and at the same time considering the correlation between the infrastructure and application workloads that runs on top of that as it relates to security compliance and regulations that comes with that as you can see for that slide you have this touching upon multiple solutions from cisco but more than anything it brings together multiple teams as i had an initial slide the interaction between the teams is what makes the agility goes faster on the cloud native world and as we bring resilience and combination of agility all together the interaction between those teams and amongst the people that are part of those as we correlate this data between multiple disciplines is key to provide an optimization for the app experience with that said let me try to set the framework on how we're going to have the discussion during this session and i'm going to use a typical cloud native application when i have a hybrid environment some of these running on private cloud and the other piece running on aws cloud and the instance of that application running on the private cloud has a three-tier typical application just for the sake of an example here running on kubernetes so full containerizing and as you can see i have this running within a virtual machine which many customers still do and have some examples of infras infrastructures called the terraform and gitlab as a cicd pipeline and the devops user on the bottom left is being accessed and there is and this similar application now also three tier for my example is running on kubernetes through cloud native is running on aws cloud and the environment that i'm going to touch upon is what is that environment from the lens of the experience that is expected from there who can or cannot access it and where it runs on this case on a hybrid environment so as i start to look at the experience the first approach and the first lens that i'm going to bring to that is the application performance management which is the correlation of application and workloads to the line of business teams by correlating this to performance to the applications and for that we leverage cisco app dynamics which is available through aws including in the marketplace a very successful offer for us on aws marketplace and fully integrated with every components and services of aws cloud that is represented on the left hand side on this particular example for this application that i'm using here which is built on kubernetes then we have not only the monitoring and the embedded capabilities to capture information from the kubernetes nodes and all the clusters that may run on aws cloud in my example but also to generate metric services event services and one specific thing that's very interesting which is aum services the end user monitoring that goes with that which pretty much captures what would be the experience for the end user running on the mobile application on my example on ios and android and at the same time app dynamics correlates that with the business side of it so if you have an application generating revenue it's going to show you how many us dollars is or pounds or euros is being at the real time generator for that particular application so it's a very interesting component that we have on our solution for app experience monitoring but the data that app dynamics generates from aws cloud on this particular application can correlate and automatically correlates with cisco intercite which does the management from the itops lens for that environment so if you see on that screen i have a hybrid environment when i have part of that application the front end actually running on aws cloud and part of the back end on this particular example is running on premises on a mix of hypervisor between vmware and cisco itself and that intersect offer brings a real-time full visibility of a dependency map of a supply chain on which components within the application starting from the business application its process all the way down to network computing storage is being used and not only that it generates a graphic of optimization as you can see on that particular inter site screen you can see that the business application has all this independence portrayed and there are some reds there interesting to capture in this is the application and workloads correlation between the line of business teams and the itops team the system people in charge of that infrastructure when you can have for instance a typical scenario that may happen on the on a customer environment when i have let's say from a transaction per second i have less than 20 utilization so the infrastructure team may say hey it's not my problem the infrastructure is okay i have enough red room to run whatever you want and even more but if you look at that the response time for the end user perspective for that mobile app is 10 seconds which is unacceptable for anybody waits 10 seconds for a responsible screen on a mobile app so from that regards even though the infrastructure may be running with a lot of red room from that hybrid environment the application experience is still not good so what we did is we bring the solution to the market that correlates the up up dynamics generation fpm information on the top with exactly what runs at the infrastructure level on a hybrid environment by example and we bring real time recommendations on this case a scale-up recommendation we just say hey as the experience is associated on this particular application with the front-end and front-end is running on aws our recommendation in real-time is for you to right-size this by boosting and changing for an instance for an m5 to x large for a c5 for x large and it happens to run on aws west in oregon region and here's the name of the instance and not only that we integrate automatically with everything that relates with the itom on my example here services now and the turbo ticketing that's johnny generator for that and you can automate that procedure altogether and some customers just do they consider how much money would that change imply and correlate this with the revenue that app dynamics is showing you that you're not making but not making that transition so if you're not fixing you may be not making a hundred thousand dollars of revenue stream that that app may generate to you and that fix may cost you less than a thousand dollars a month so it's orders of magnitude difference and that correlation brings the decision process ahead and you've done this on multiple environments and applications within aws cloud the last approach that i want to touch on this size application experience consideration is the integration between app dynamics and thousand ice thousand eyes is a solution from cisco that brings end to end monitoring from the lens of the internet so we have the network as in internet being the network that communicates between an end user on a mobile device or a remote location an iot device and the application running for instance on aws cloud and we have this performance management aws cloud and the end user and the internet is in between so we now bring thousand eyes which brings synthetic visibility for all the internet traffic and we can hook them and stitch them together to have a full end-to-end and experience for that application including size apps that runs for instance on aws cloud so that was the initial aspect of this when i checked pretty much the line of business people and the itops system people and the correlation between those two let me touch upon the same application now from the lens of security if i'm trying to secure a cloud native application for both the lens of the consumer of that app and the developer how would that look like so let me take the same application i have the private environment aws cloud and i'm having now the devops user being represented as an off net user what does that mean is an user that is not within a location is not through a vpn is not authenticated to a particular security profile and access control and it for that i'm implementing zero trust policy for that particular user on this case representing my workforce being remote accessing an application that runs on a private environment and at the same time i also have a representation for the workplace where enterprise end users just go and access a building they having their own access controls to the building either via badges or biometrics or whatever it is and by the time they are inside the building there within the controls of the workplace but it doesn't mean that if carlos is within a building that belongs to the company that colors automatically has access for that application that happens to be running on aws cloud so you see the full zero trust between workplace and workforce as it relates to the workloads in this case a hybrid workload so if i look at this let me go a little bit more in details on how cisco can help on those workloads and for that i'm gonna leverage four solutions that we have on the market available with aws cloud which is appdynamics that i mentioned before stealthwatch cloud which provides network and pod from this kubernetes approach identification for anomalies on the network behavior titration on the other hand does application segmentation all the process profiling as a runtime for the kubernetes pods that runs on premises and on the aws cloud within those services and i'm leveraging also dual which does multi-factor authentication for all the application from the end user and also from the developer lens so let's go one by one so the first scenario would be a devops user that off net user accessing their own premises the private cloud application and instead of being the user is actually a tool let's say it's a gitlab tool and you're trying to push some code to update on the pipeline that's go there and what we provide with dual multi-factor authentication is a capability of networking gateway and reverse proxies that provide secure access to the cicd tool and the cicd pipeline that's running there and while all that is happening we can leverage cisco titration that provides zero trust private networking by doing profiling and segmentation of the applications while it's being built and at the same time stealthwatch cloud is doing baselining for the network traffic to catch or normalize and see an anomalous traffic that may provide a threat detection that may go on as i go for the aws cloud side as i'm portraying i have an authenticated enterprise user already within the perimeters of security access to the corporation but that person still needs to be authenticated for that app now running on aws cloud as the kubernetes front end of this web app and dual embeds our sdk for web app applications within this front end up running on containers on kubernetes for multi-factor authentication and while this is happening within aws we leverage the same app dynamics that i had before for performance managing but it does automatically tracing from within the application to see any variations on the security profile that may or may not happen why the application is running at the runtime and for the runtime standpoint we also have the kubernetes thread detection for behavior analysis with the same stealthwatch cloud running as aws services and the tetration is leveraged the same way now in this case for xero trust cloud for container app segmentation within the aws cloud runtime of this particular app and last but not least i can have the same devops user now instead of being the tool trying to access himself or herself the app running on aws cloud and the front end of that app on his own cell phone if you will and then we use cloud single sign-on for access gateway integration with dual for multi-factor authentication with aws cloud so all of that is available shipping and we have a lot of customers that have this ecosystem running together so we just saw how the hybrid environment works and all the pieces of the how you secure the developer and the consumer of that application may look like let's now deep dive a little bit more on the aws cloud let's imagine that this application is running on aws cloud only and we we provide the same security aspect by going a little deeper if you look at the qr code on the top and you access this you have a full design guide that goes in details on everything that i'm going to briefly share with you now so i'm looking at the same application within aws cloud it's a single vpc two availability zones a classical way to represent it's not necessarily how all the applications would run but just for an example here so you have the web front end running as an instance and so the databa the applications and the database i'm using rbs here in rds synchronous replication between the two availability zones that application is being accessible the front end within aws cloud for the private link direct connect and internet gateway and pretty much that's what we have and to go for the first wave i already mentioned before appdynamics for the full application performance management and the integration and correlation of data with intersight now we leverage the same app dynamics real-time monitoring of this kubernetes-based environment for also do tracing which i show on the example before it appeals to the line of business that are building that up and recollecting how much of the revenue that app may be generating to the business because as i said before application is the business on the cloud native environment and the experience of that is the currency but it also correlates with the i.t ops the system people that is managing the aws cloud environment here so if i go more to cisco titration on aws you have the agent's installs on the instance on this case the web front end and the application servers and that agent can send information to titration as a service on the cloud which provides not only the zero trust visibility model but also the enforcement by detecting vulnerabilities on the software package being used and provide micro segmentation for enforcement of zero thrust policy at a runtime you have two types of agents that can be implemented the visibility agent and enforcement agents and those are part of how you do that full runtime environment security and implementation of that within aws cloud the fourth the third component that i had there was stealthwatch cloud and aws it on this case does behavior analysis for the network by receiving on my example here on that screen just vpc logs or vpc flow logs rather from aws providing behavioral changes for reporting invisibility stealthwatch cloud not only monitored the networking aspect it fully support all the visibility for instance on aws lambda which i don't have on this particular example here and last but not least i have the duo for multi-factor authentication within aws which appeals to the three teams there the line of business that is built in the application embedding me mfa for the consumer of that and the it ops and the networking on how you have access control for the management console for nws coming for an external connectivity lens and for the security open how you define the multi-factor authentication as part of the security policy and compliance dual has a quick start within aws it's very easy to implement and the details on how you get this installed and configured within aws is all available on the quick start go please check it out is is fully there and the last piece that i didn't cover on the previous go and navigation of the hybrid environment is the cisco threads response cisco has a threat intelligence source that's called talos it's pretty strong and cisco and in amazon have a ties on the strat intelligence as it relates to talos but it is the source of information that feeds all the previous products that i said as it relates to threat intelligence contextual approach of vulnerabilities in real time that's happening out there and they have interactive visualization and the cisco threat response also maps with two other offers from cisco that relates to aws cloud which is the anti-malware cisco amp for endpoints which you can apply not only for the apps running on aws cloud but for consumers running also on the end devices being laptops or mobius devices and cisco umbrella which provides the cloud-based and furrow and all the capabilities for cars when you accessing sas applications and providing security for their environment all of those components you can have more details on the qr codes that i have with that and in order to wrap that security view we have an offer from cisco that is available shipping today with securex and what it does it has a single cockpit as i usually call for security operations the day to life cycle the security environment and that screen shows the security x product by itself when you can actually create your own dashboards by aggregating different sources of security information in my case here i have the anti-mirror i have the dns security i have email security i have file that provides information and on the bottom of that slide you can see a ribbon that causes incidents what we do is as i said in the beginning of the session the correlate of information from multiple sources on the case of cisco products and or multi-vendor offers for security when you correlate and help to aggregate on the incident cases if that eventually happen on you are under a tank or you use a ddos going on on the an application being presented for aws cloud and so on so forth another characteristic of security x is the orchestrator you have an embedded we have an embedded orchestrator with things secure x that allows anybody to create their own workflows so on this example on that screen you can see on the left hand side i have all the aws services and i'm creating a very basic workflow that is an inbound access control list for the block and you can drag and drop from the left and put on the middle canvas and you build the workflow the way you are it becomes an object and from that you can have this object as part of the validation and commit on that dashboard and be part of that data correlation aggregation for security infrastructure and application workloads and this is all embedded with aws and available today so we can also bring the aws on security services that integrate with cisco as part of this architecture like here i have web application file in aws shield as a services you can see how that will augment my whole end-to-end security for the provider and the developer of that particular application and i'm also including the access to that particular application running from aws cloud and in this case one or more regions and that is through the software defined in one area networking cisco sd1 provides that connectivity for instance for branches or remote locations to access that app running on aws it can be presented as instead a services or even a size workload that goes there before i go more on that sd1 next networking piece just to double check we already covered in the beginning app dynamics and interside from correlation to the line of business and the itup system piece we just wrap it how we did that for the security ops and let's go a little bit for the networking on the networking for cisco sd1 we have two ways to consume the cloud networking with aws cloud the first one is do it yourself it's fully available in aws marketplace you can get the components and build the way you want or you can also use the services that we have together which is cloud on ramp that allows you to jump for instance on edge collectors with partners like equinix or megaport that allows you to for multiple locations be able to run and access the cloud from an sd1 standpoint so the architecture how this comes together is available on that slide again i have a qr code on the top right that you can scan and it gives you for the details and go in on the design guides on that particular diagram and let me show you because you have two modes and two options for getting this coming together the first one is i'm demoing here on the cisco vmanage is our st1 console when i'm going cloud on ramp with aws for infrastructure as a service so you go there you put your keys to access the aws environment and what we are doing here i'm creating a transit vpc which is pretty much is going to be the hub and spoke for doing multiple host vpcs inside aws connected that transit vpc to where all the branches will access via sdn so as you can see what i'm doing now first is building the two vito edge devices for cisco sd1 inside of epc on within aws cloud that's going to be the transit and when that is instantiated and automatically instantiated you see that it will give me the capability to connect all the branches to that transit vpc which has been already automated on that example and then i use an aws account to discover which hosts vpc have mapped it to that and when discovering these hosts which ones i want to actually be part of the extended cloud networking access to that by the time i map the hosted vpcs we can then automate the interconnect between what is the transit vpc and the host vpcs within aws and map it back to the branches accessing that environment that's the solution in the architecture motion number one the other approach is using aws on transit gateway which is available in shipping today and we can do this including for using the cloud on ram edge by leveraging color partners as i mentioned before so in this example i have a customer that has two groups an engineer in a marketing group and i'm creating two different vpns being accessed for the branch for an sd1 edge and what happens is pretty much i'm ramping this to the cloud accessing let's say equinix partnership here and go into sd1 edge map into a tgw region number one and the same customer may have a third team hr running on a different country a different branch and different location that i'm peering to a cloud and ramp environment on the edge and also connecting to tgw on aws region number two and what we do is the full integration of cisco sd1 across all the access either being on top of classical networkings like mpls circuits or even through direct internet access in making this secure interconnection for mapping with the tgw here's the demo how we do that the same cisco v manager for sd1 on this case i'm going to do cloud on ramp but i'm going to leverage cloud ram for infrastructure as a service with the tgw so you see that visibility on this case i'm using my iem role for that particular environment and i'm going to define which region like i had before the west west and then i'm going to leverage the transit data that's available on that particular region as a service is from aws cloud and by configuring that i just click and cisco and aws integrations fully automated the configuration of the peering with the tgw and the cloud ramp in aws is already done we just pretty much sees all the sites that are connected how many intensities i'm using that particular region i have a geographic view to say where those branches are located and not only that i have a full topology view that maps all the hubs from the branches to get from the overlay through the tgw for all the host vpcs that exist within aws cloud on one region or multiple regions with that said that's pretty much covers the session we touch upon all the teams and we did application workload correlations to the business teams to the network systems and all together to the security and that pretty much concludes our session thank you very much for watching with us and please don't forget to complete this survey have a wonderful day
2021-02-10 03:31
