I recently sat down with Avishai Wool, our CTO, and asked him for some tips for companies who are considering migrating their business applications to Amazon Web Services (AWS). Here’s what he had to say:
[JG] Where do you recommend companies start the process?
[AW] When migrating an application to AWS, the paths that the communication flows take – through the organization’s networks and the Internet – will change, and all communication flows must be “allowed” by the security infrastructure for the application to function properly. So you will need to configure both the AWS firewall and the traditional firewalls protecting the data center to allow the required flows along their changed paths.
To do this, you first need to identify and understand all the existing communication requirements for each application you wish to migrate: which servers it relies on (not just the servers its code runs on, but also the servers that the code connects to), and how they communicate with each other, etc. Then you need to identify all the clients that use the application, and the network segments in which they are located.
Once you have this information you can select all the servers you need to migrate to AWS. It’s important to note that due to various performance, compliance and other issues, some servers may need to remain in the traditional data center.
The next step is to clone the selected servers and place the copies in the AWS cloud, and then assign IP addresses to these clones.
At this point you can now configure the AWS security controls (i.e. Security Groups) and the traditional firewalls in the data center to allow all of the application’s flows using the new IP addresses and taking its new network paths into consideration.
[JG] Are there any potential glitches if you follow this process?
[AW] Every one of these steps can have pitfalls that slow down the process. However, one of the biggest problems is identifying all the application’s traffic flows. It’s not easy – many organizations have poor records of such information, especially for “east-west” traffic flows within the data center, that do not cross any traditional firewalls along their path. Migrating even a single endpoint of such an east-west flow means that the flow has to be explicitly allowed by some firewall rules – either in the AWS firewall or in the traditional firewall. So if you don’t know about the flow’s existence you will neglect to write the necessary firewall rules and traffic that is critical for the application to function will be blocked.
[JG] Once you’re in the cloud, what’s next?
[AW] Once your applications are in the cloud you may think that they are now a separate data center, but nothing could be further from the truth. Your cloud environment is essentially an extension of your traditional data center and corporate data will flow across both environments. So you need to be able to see and manage both environments consistently and cohesively through a single solution.
Furthermore, you need to remember that these applications are now likely subject to regulatory compliance and internal audits. So you need to have the appropriate security controls as well as proper governance and management controls in place to support these requirements.
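As an added illustration of the migration steps and the east-west pitfall described above (example code, not from the interview or from AlgoSec), this Python sketch takes a constructed host inventory and flow list, rewrites addresses to the clones' new IPs, reports which enforcement points (AWS Security Group, data-center firewall) must now allow each flow, and flags flows that previously crossed no firewall at all. Host names, segments and addresses are placeholders.

```python
from typing import Dict, List

# Constructed sample inventory: each host's current data-center segment and
# address, plus the address its AWS clone receives (None = stays on premises).
HOSTS = {
    "clients": {"segment": "dc-users", "ip": "10.1.3.0/24", "new_ip": None},
    "web01":   {"segment": "dc-dmz",   "ip": "10.1.1.10",   "new_ip": "172.31.10.10"},
    "app01":   {"segment": "dc-core",  "ip": "10.1.2.20",   "new_ip": "172.31.10.20"},
    "db01":    {"segment": "dc-core",  "ip": "10.1.2.30",   "new_ip": None},
}
# Constructed flow inventory: (source, destination, service). app01 -> db01 is an
# east-west flow inside dc-core that crossed no firewall before migration.
FLOWS = [
    ("clients", "web01", "tcp/443"),
    ("web01", "app01", "tcp/8080"),
    ("app01", "db01", "tcp/5432"),
]

def location(name: str, hosts: Dict) -> str:
    """Where a host sits after migration: 'aws' for clones, else its DC segment."""
    h = hosts[name]
    return "aws" if h["new_ip"] else h["segment"]

def address(name: str, hosts: Dict) -> str:
    """Address to write into the rules after migration (the clone's IP if migrated)."""
    h = hosts[name]
    return h["new_ip"] or h["ip"]

def plan_rules(flows: List, hosts: Dict) -> List[Dict]:
    """For each flow, list the enforcement points that must explicitly allow it
    after migration, and flag flows that were previously unfiltered east-west."""
    plan = []
    for src, dst, svc in flows:
        src_loc, dst_loc = location(src, hosts), location(dst, hosts)
        in_aws = [loc == "aws" for loc in (src_loc, dst_loc)]
        points = []
        if any(in_aws):
            points.append("aws-security-group")   # SG on the migrated endpoint(s)
        # Traffic crosses the DC edge when exactly one end moved, or it already
        # crossed an internal firewall when both stay on-prem in different segments.
        if in_aws.count(True) == 1 or (not any(in_aws) and src_loc != dst_loc):
            points.append("dc-firewall")
        plan.append({
            "src": address(src, hosts), "dst": address(dst, hosts), "service": svc,
            "enforce_at": points,
            # Same DC segment before migration and now needs rules: the flow nobody
            # had a firewall record for, the case the interview warns about.
            "previously_unfiltered": hosts[src]["segment"] == hosts[dst]["segment"] and bool(points),
        })
    return plan
```

Flows flagged `previously_unfiltered` are the ones most likely to be missing from firewall records, so they deserve a second look before cut-over.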
If you happen to be at the AWS Summit in NYC on Thursday, July 9, please make sure to stop by AlgoSec’s booth #415 where we can show you how we help companies migrate and manage their business applications across hybrid AWS environments.