Amazon Web Service (AWS) Cloud Terminology

Below is a list of cloud-related terminology that may be helpful for those who are new to the public cloud infrastructure.

  • Access & Roles
    • Identity and access management permissions within AWS (e.g., System Administrator, View, etc.). Roles can be applied to accounts and/or resources within an account. ITS staff are grouped in Roles to give permission to manage Resources in AWS.
    • The ITS On-Premise Equivalents are Active Directory Groups.
  • Account
    • A population (e.g., individual, MCommunity group) using AWS services. Each account can:
      • Login using an email and password (additional login steps are required if you have access to more than one account).
      • Control the resources within their account.
      • Be billed for the AWS resources they consume.
    • The vDC will group like workloads (e.g., PeopleSoft Systems, Core Infrastructure, Reporting & Analytics, etc.) into individual accounts.
    • There is no ITS On-Premise Equivalent.
  • Amazon Machine Images (AMI)
    • AMIs are templates that are used when launching EC2 instances in AWS. AMIs include a template of properties for the instance (such as Operating System (OS), tags, purpose, etc.), permissions, and default storage options. ITS has created two AMIs for the vDC: Microsoft Windows and Red Hat Enterprise Linux (RHEL). These AMIs also include managed OS image features such as monitoring, patching, etc. Standard AWS AMIs are available, but do not provide the additional managed features.
    • The ITS On-Premise Equivalents are gold images that machines are built from.
  • AWS Account Template
    • AWS CloudFormation template for visualizing and configuring accounts and VPC structures as they are added to the vDC. Helpful tool to aid new vDC users and teams in understanding the vDC structure and options.
    • There is no ITS On-Premise Equivalent.
  • Availability Zones
    • AWS data centers that are physically isolated from one another but located within the same region.
    • The ITS On-Premise Equivalents are MACC, MDC, ASB, and NCDC Data Centers.
  • Billing
    • Permits ITS to segment AWS costs by an account and bill that account accordingly for the appropriate amount of AWS resources consumed.
    • The ITS On-Premise Equivalents are:
      • MiServer Billing.
      • Pinnacle Billing Systems.
  • Core Services
    • Services that ITS considers to be fundamental services to our business (e.g., Active Directory, Nagios & Splunk monitoring, etc.). Our core services are grouped into a single account within the vDC.
    • There is no ITS On-Premise Equivalent.
  • Data Preservation & System Backups
    • Strategy for preserving and backing up ITS systems data. Replicates our on-premise approach, but preserves the backups in AWS, not on campus. Each service will have two backup instances:
      • One located in their VPC, accessible using account login credentials. 
      • A second backup copy located in a single ITS backup account, accessible by a limited number of AWS administrators.
      • This approach increases the security of system backups by isolating copies of backups into two separate accounts. If one account is compromised, it is unlikely the second account would also be compromised.
    • The ITS On-Premise Equivalents are On-Premise Backups.
  • Domain Name System (DNS)
    • Connects the vDC to the campus DNS service. Translates domain names (e.g., its.umich.edu) into IP addresses.
    • The ITS On-Premise Equivalents are:
      • Using On-Premise DNS Instance.
      • Not replicating in AWS.
  • Elastic Compute (EC2) Instances
    • AWS computing resources which serve as the processing engine for our vDC services.
    • The ITS On-Premise Equivalents are MiServer or Virtual Machines.
  • Elastic Block Storage (EBS)
    • AWS storage resources. Allows ITS to create mountable (accessible) storage shares for campus files and data.
    • The ITS On-Premise Equivalents are:
      • Hard Drive.
      • Enterprise SAN Volume.
  • Load Balancer
    • Balances the network traffic within a VPC to effectively spread the network traffic and workload.
    • The ITS On-Premise Equivalent is the On-Premise Load Balancer Service.
  • Network Access Controls
    • AWS has multiple ways to direct communications and apply network controls between AWS and campus. ITS has created a global network access control configuration for the vDC and VPCs we create. Additional network controls can be applied based on individual account and/or VPC requirements. By default, AWS VPCs cannot communicate with campus networks; traffic must be routed over VPN connections to reach private campus destinations. This VPN connectivity is a feature the vDC provides.
    • Equivalent to network controls currently used on campus.
  • Policies
    • Identity and access management permissions to perform tasks within AWS (e.g., grant access, view, query, create, manage, or delete resources). Policies are applied to specific roles within each AWS account.
    • The ITS On-Premise Equivalent is System or service access.
  • Read-Only Open Lightweight Directory Access Protocol (LDAP)
    • Connects the vDC to the campus publicly available LDAP service. Enables individuals to locate organizations, individuals, and other resources (e.g., files, devices in a network). Required for services such as the ITS Mail Gateway and other services.
    • The ITS On-Premise Equivalents are:
      • Using On-Premise LDAP Instance.
      • Not replicating in AWS.
  • Regions
    • Locations where AWS places their physical data centers to achieve fault tolerance and stability. There are 16 regions at this time. ITS has chosen to locate our vDC in the United States East Region 2 (us-east-2) in Ohio.
    • The ITS On-Premise Equivalents are:
      • Ann Arbor Campus
      • Dearborn Campus
      • Flint Campus
      • Iron Mountain Backup Site
  • Resources
    • Anything created within an AWS account (e.g., network, virtual machine, database, S3 bucket, etc.).
    • The ITS On-Premise Equivalents are the same resource hosted on premises.
  • Resource Groups
    • Groups of AWS Resources that allow you to manage those resources as a single entity, based on your project or other logical construct. Resource Groups can display metrics, alarms, and configuration details in custom dashboards.
    • There is no On-Premise Equivalent.
  • Simple Storage Service (S3) Bucket
    • AWS object storage resource. Allows accounts to store objects (e.g., images, OS components, etc.), provide a URL for access, and allows applications to access the objects.
    • The ITS On-Premise Equivalent is OSiRIS (for research data; no equivalent for administrative/instructional data).
  • Site to Site Virtual Private Network (VPN)
    • A secure, encrypted connection between the university network and our vDC. 
    • The ITS On-Premise Equivalents are Faculty & Staff VPN Connections.
  • Subscription
    • The university agreement with AWS under which all of our ITS accounts fall.
    • There is no On-Premise Equivalent.
  • Subnet
    • Each VPC has 4 subnets per availability zone, designed to direct communications and apply controls that secure and control network traffic.
    • Equivalent to subnets on premises.
  • System Monitoring & Logging
    • AWS uses the products CloudTrail and CloudWatch to feed monitoring information into our Splunk service in addition to our Nagios service to monitor the resources and systems housed in the vDC. Allows ITS to receive alerts of system degradation and/or outages.
    • The ITS On-Premise Equivalents are:
      • On-Premise Splunk Service
      • On-Premise Nagios Service
  • Two Factor Authentication
    • Connects the vDC to the Duo two factor authentication system. Provides identity and access management for accounts that require two factor authentication.
    • The ITS On-Premise Equivalents are:
      • Using Duo Two Factor Instance.
      • Not replicating in AWS.
  • Virtual Private Cloud (VPC)
    • Each account has at least one (or up to five) unique VPC(s) which further segment an account. Each VPC has:
      • A configured network.
      • Shared resources, such as virtual machines or database servers.
      • Isolation from other VPCs.
    • VPCs can be large (e.g., a full Production PeopleSoft system) or small (e.g., a single utility server).
    • The ITS On-Premise Equivalents are:
      • Server racks in a Data Center.
      • Shared resources.
  • Windows Active Directory
    • Connects the vDC to the campus Windows AD system through the VPN connection. Provides identity and access management for accounts, as well as automation support.
    • The ITS On-Premise Equivalents are:
      • Using On-Premise Windows AD Instance.
      • Not replicating in AWS.