In 2017, the ITS Cloud Migration Strategy called for ITS to move as many applications as possible to a cloud environment. At the time, the U-M cloud environments (Technology, Knowledge) were not ready to receive ITS application migrations: the foundational elements needed for efficient and secure adoption were not in place. Teams attempting to migrate applications to the cloud had to work outside their project scope to establish those foundations before their migration could begin, and each migration team would have had to solve the same problems over and over again, wasting significant time and resources. ITS determined that, in order to successfully migrate a significant number of applications, foundational infrastructure needed to be built in the cloud first.
To develop the critical components needed for application moves to a cloud Infrastructure as a Service environment, ITS chartered a Virtual Data Center (vDC) priority project.
For the Virtual Data Center project, ITS assembled and co-located a small core group of dedicated staff who were most excited about moving to the cloud, and challenged them to create a workable virtual data center (vDC) in one cloud provider, AWS. This team reached out to others in the organization for support, input, and requirements as needed. Working on a six (6) week timeframe, the first version of the vDC was built by December 2017.
With the launch of the Cloud Infrastructure Transformation Program in March 2018, this core vDC group became the CITP Technical Team. The Technical Team continues to identify, prioritize, and solve issues related to deploying applications in AWS. It acts as a strong central core for configuring and deploying core technologies in AWS, after which application moves to the cloud become more straightforward and proceed more quickly.
The ITS Virtual Data Center (vDC) is a set of core technologies, network architectures, and account structures that allow ITS staff to more easily use Amazon Web Services (AWS). It is not an out-of-the-box solution for running applications in AWS; instead, the vDC provides basic services commonly available on campus like authentication, backups, and networking to provide ITS staff familiar technologies as they deploy solutions in AWS.
Specifications/Capabilities:
- Consultation
  - Application Architecture review
  - Automation best practices
- Two-Factor UM authentication to AWS Console and CLI
- Images provided by RedHat
- Custom UM Linux and Windows Images
  - Including ITS Systems Support managed servers
- Automated EBS Snapshot Backups
  - This includes backups to a protected account
- Optional File-level Backups to Spectrum Protect (TSM)
- Managed Database options
- Security, Network and Event Logging in Splunk
- Preconfigured Network Design with reserved UM private address space
  - VPN connectivity
- Dynamic DNS
- Managed EC2 Power state
- Comprehensive account structure
A best practice in AWS is to separate workloads under unique AWS accounts. For ITS, a workload is essentially a service, with some exceptions. Separating workloads into accounts draws a "blast radius" around each service, so that account-wide issues (a compromised credential, an exhausted service quota, a misconfigured IAM policy) do not interrupt service in other accounts. It also allows cost control and monitoring per account. The ITS account structure additionally provides organization-wide views into all ITS accounts for activities such as OS patching, as well as aggregated billing.
vDC Architecture
Every account will have one UM-provided VPC within the us-east-2 (Ohio) region.
VPC Architecture
Each account has a standard VPC as shown in the diagram.
The VPC is divided into 4 logical subnet groups: Public, VPN, Private, VPC-only.
-
Public subnets are accessible from the Internet using Amazon's public IP addresses.
-
VPN subnets are accessible from UM campus networks.
-
Private subnets are accessible from subnets within the same VPC as well as peered VPCs.
-
VPC-Only subnets are only accessible from subnets within the same VPC.
Each subnet group has 3 subnets, one per AWS Availability Zone. A fourth subnet is reserved, but not configured, for expanding into a fourth availability zone when it becomes available.
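The four-tier subnet layout above, worked through as an added example (this is not vDC code from ITS). The VPC CIDR, campus ranges and peered-VPC CIDR are constructed placeholders, not U-M address space; the availability zone names are the three current us-east-2 zones. The example carves a VPC into the four tier blocks, each with one subnet per AZ plus the reserved fourth slot, and then audits a set of constructed inbound rules against each tier's scope. One modelling assumption: every tier is treated as reachable from within its own VPC, and the Internet, campus and peer scopes are added on top as the page lists them.

```python
"""Subnet plan and tier-scope audit for a Public / VPN / Private / VPC-only VPC.

Added example, not ITS vDC code. All CIDRs below are constructed placeholders
(assumptions), not U-M values.
"""
import ipaddress

TIERS = ("public", "vpn", "private", "vpc-only")
AZS = ("us-east-2a", "us-east-2b", "us-east-2c")   # three AZs; a fourth slot is reserved

# Constructed placeholders (assumptions, not U-M address space).
VPC_CIDR = "10.20.0.0/20"
CAMPUS_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]   # stands in for UM campus networks
PEERED_VPCS = ["10.21.0.0/20"]                         # stands in for a peered VPC


def plan_subnets(vpc_cidr, tiers=TIERS, azs=AZS):
    """Split the VPC into one equal block per tier, then split each block into
    four equal slots: one subnet per AZ plus one reserved for a fourth AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    tier_blocks = list(vpc.subnets(prefixlen_diff=2))      # 4 blocks
    plan = {}
    for tier, block in zip(tiers, tier_blocks):
        slots = list(block.subnets(prefixlen_diff=2))       # 4 slots per block
        plan[tier] = dict(zip(azs, (str(s) for s in slots[:len(azs)])))
        plan[tier]["reserved"] = str(slots[len(azs)])
    return plan


def permitted_sources(tier, vpc_cidr=VPC_CIDR, campus=CAMPUS_RANGES, peers=PEERED_VPCS):
    """Source ranges allowed to reach a tier. Assumption: each tier is reachable
    from inside its own VPC; the external scopes follow the vDC description."""
    vpc = ipaddress.ip_network(vpc_cidr)
    scopes = {
        "public":   [ipaddress.ip_network("0.0.0.0/0")],
        "vpn":      [vpc] + [ipaddress.ip_network(c) for c in campus],
        "private":  [vpc] + [ipaddress.ip_network(p) for p in peers],
        "vpc-only": [vpc],
    }
    return scopes[tier]


def rule_is_allowed(tier, source_cidr, **scope_kw):
    """True if an inbound rule from source_cidr stays within the tier's scope.
    A source that is wider than an allowed range (e.g. 10.0.0.0/8 into a /20)
    is rejected, since it would admit addresses outside the scope."""
    src = ipaddress.ip_network(source_cidr)
    return any(src.subnet_of(allowed) for allowed in permitted_sources(tier, **scope_kw))


def audit_rules(rules, **scope_kw):
    """Return the (tier, source_cidr, port) rules that exceed their tier's scope."""
    return [r for r in rules if not rule_is_allowed(r[0], r[1], **scope_kw)]


# Constructed sample rules: a mix of compliant and over-permissive entries.
SAMPLE_RULES = [
    ("public",   "0.0.0.0/0",      443),   # fine: Public tier faces the Internet
    ("vpn",      "192.0.2.0/24",   22),    # fine: campus range into VPN tier
    ("vpn",      "0.0.0.0/0",      22),    # violation: Internet-wide SSH into VPN tier
    ("private",  "10.21.0.0/20",   5432),  # fine: peered VPC into Private tier
    ("private",  "203.0.113.0/24", 5432),  # violation: unknown external range
    ("vpc-only", "10.20.4.0/24",   3306),  # fine: same-VPC subnet into VPC-only tier
    ("vpc-only", "10.21.0.0/20",   3306),  # violation: peer reaching VPC-only tier
]

if __name__ == "__main__":
    for tier, subnets in plan_subnets(VPC_CIDR).items():
        print(f"{tier:9s} {subnets}")
    for bad in audit_rules(SAMPLE_RULES):
        print("OVER-PERMISSIVE:", bad)
```

In practice the tier scopes are realised by route tables, network ACLs and security groups rather than by a script, but a check of this shape is what a reviewer would run over exported rules before a new account's VPC goes live: it catches the common drift of a "private" or "VPC-only" subnet quietly acquiring an Internet- or peer-reachable rule.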
For more information about Accounts, networking, managed operating systems, and many more subjects for using the vDC, see the vDC Documentation repository on Gitlab. (Available on campus networks and VPN.)