RunBook AWS Kerzner
1.0 Introduction
1.1 Background
2.0 AWS Architecture
3.0 AWS Architecture
3.1 Kerzner AWS Control Tower Architect High Level Architecture
3.2 KIP Architecture
3.3 DLP (ForcePoint) Architecture
4.0 AWS Shared Service
4.1 VPC
4.2 Subnets
4.3 Transit Gateway
4.4 Transit Gateway Attachments
4.5 Transit Gateway Route Tables
4.6 Customer Gateway
4.7 NAT Gateway
4.8 Load Balancer & Target Groups
4.9 Auto Scaling
4.10 CheckPoint CloudGuard Firewall Setup and Configuration
5.0 AWS Production Account
5.1 VPC
5.2 Subnets
5.3 Transit Gateway
5.4 Transit Gateway Attachments
5.5 Customer Gateway
5.6 Virtual Private Gateway
5.7 EC2 Instances
5.8 NAT Gateway
5.9 Load Balancer & Target Groups
5.10 Direct Connect
6.0 AWS Preproduction Account
6.1 VPC
6.2 Subnets
6.3 Transit Attachments
6.4 Transit Gateway Attachments
6.5 Virtual Private Gateway
6.6 EC2 Instances Backup
6.7 NAT Gateway
6.8 Load Balancer & Target Groups
6.9 Direct Connect
7.0 AWS Development Account
7.1 VPC
7.2 Subnets
7.3 Transit Gateway
7.4 Transit Gateway Attachments
7.5 NAT Gateway
7.6 Elastic IP Address
8.0 AWS Logging
9.0 AWS Audit
10.0 Backup
11. Operation Inferences
12. Appendix
1.0 Introduction
1.1 Background
Kerzner International migrated its datacenter to the AWS public cloud. Hexaware, as partner, was involved during the
migration phase to migrate the applications and infrastructure workloads hosted in the datacenter to AWS. The initial
solution, AWS platform build and setup had already been performed by a third party (PowerUP Cloud) and directly by
AWS before Hexaware joined this transformation.
Based on the solution document received from PowerUP Cloud, the AWS platform setup, the replication tools and the
server migration methodology, Hexaware received the final list of servers to migrate from the KIM datacenter to AWS.
Hexaware also created additional AWS services as required by the applications to function after their migration to AWS.
This document contains the high-level architecture of the AWS platform, the list of applications and servers migrated
from the KIM DC to AWS, and the services built during Hexaware's involvement.
2.0 AWS Accounts
Key components and functions of the above architecture are described below:
KIP application servers are tagged for both backup (EBS Snapshots) and monitoring (CloudWatch Alarms).
The below architecture represents the DLP system with associated AWS services and connectivity.
An AWS Classic Load Balancer is used to forward TCP 25 traffic to the Check Point instances. The load balancer DNS
name dlp-email-gw-1839743635.eu-west-1.elb.amazonaws.com (A record) has been configured in Microsoft Office 365 so
that mail is sent to the Classic Load Balancer; on the Forcepoint DLP server, outbound traffic is configured to send the
analyzed email through the secondary interface, using the Elastic IP address, to Mimecast.
4.0 AWS Shared Service
The AWS Shared Service account is the landing zone environment for Kerzner. The AWS Transit Gateway service is
deployed in this account and shared with the other AWS accounts (Development, Pre-Production and Production).
The property site VPN connections terminate in the AWS Shared Service account using Transit Gateway attachments
and Customer Gateways.
Externally published applications and inbound connections to the Kerzner AWS infrastructure flow into this account
through external load balancers fronting the Check Point firewall. The Check Point firewall then forwards the traffic
to the respective backend service through source and target NAT rule policies, and the response returns via the
Check Point firewall.
The Check Point firewall for external communication, the VPN tunnels for property sites through the Transit Gateway,
primary Active Directory synchronization with remote-site AD replication, and shared infrastructure services such as
anti-virus, CyberArk and Infoblox DNS also play a vital role in this AWS account.
NOTE: This AWS account is to be used to host any service or application used in common across all environments
within AWS and the Kerzner infrastructure.
4.1 VPC
Name | VPC ID | IPv4 CIDR | NAT Gateway
4.2 Subnets
The subnets listed below, with their available IP addresses, are as of 26th Jan 2020. Most of the public IP addresses
in this account are utilized, but the external load balancer requires a minimum of 8 free IP addresses.
TGW-SS | tgw-0d1fc2ed7298adeaa
CIDR | Attachment | Resource | Network Type
10.225.0.0/16 | tgw-attach-006ce757cca4ae736 | vpn-0bbac789bbf3ce433 (52.18.67.224) | VPN
10.24.12.0/22 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.10.11.2/32 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.12.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.13.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.14.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.18.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.2.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.200.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.64.0/18 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.27.0.0/22 | tgw-attach-00cf8ff48be37fc45 | vpn-03eeae54ff7d88448 (52.214.90.161) | VPN
10.31.64.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
10.31.80.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
10.31.96.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
172.26.0.0/16 | tgw-attach-021dee73241c291a2 | vpn-05e7c58327afe6da6 (52.51.225.65) | VPN
10.108.0.0/15 | tgw-attach-024343eaf976ccb34 | vpn-0cdc383cff1062221 (52.30.199.187) | VPN
10.31.129.0/24 | tgw-attach-033752d8949bcce5f | vpc-04492cdc49cac52df | VPC
10.107.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.113.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.79.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.86.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.88.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.91.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.99.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.11.0.0/16 | tgw-attach-055727f360a610829 | vpn-068ad9a7cd5128b0a (34.249.104.245) | VPN
10.140.0.0/16 | tgw-attach-0612807030dc3a0da | vpn-02897a290831a7f8f (34.242.5.252) | VPN
10.31.127.0/24 | tgw-attach-0675e4574d970db9a | vpc-0c43c0861078658ba | VPC
10.31.128.0/24 | tgw-attach-0675e4574d970db9a | vpc-0c43c0861078658ba | VPC
10.40.0.0/16 | tgw-attach-073a0932ecc6026b1 | vpc-0db19b8f878111edc | VPC
172.23.0.0/16 | tgw-attach-075587eb6e7f2db91 | vpn-071948a679cb4bbad (99.80.173.50) | VPN
10.120.0.0/16 | tgw-attach-0812125dcb64290cb | vpn-0137d3b04a90354f9 (34.253.47.129) | VPN
172.25.174.128/26 | tgw-attach-0820b8dd31ac8c6b9 | vpn-09cc7ec727b926cde (63.34.220.43) | VPN
172.25.32.0/21 | tgw-attach-088d7c199541dc53f | vpn-05fd13830a41fbe87 (52.213.84.238) | VPN
172.25.5.0/24 | tgw-attach-088d7c199541dc53f | vpn-05fd13830a41fbe87 (52.213.84.238) | VPN
10.31.40.0/23 | tgw-attach-09e0c62ac8960fba7 | vpc-08f48b33c71caf87e | VPC
172.29.13.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.14.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.15.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.22.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.23.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.24.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.32.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.35.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
10.154.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.161.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.163.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.166.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.174.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.178.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.182.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.150.0.0/16 | tgw-attach-0c2309b52c215052b | vpn-023dd362046636c5a (52.49.111.51) | VPN
10.10.20.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.10.40.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.100.0.0/14 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.254.1.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
192.168.107.0/25 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
192.168.108.0/25 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
172.29.10.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.11.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.12.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.17.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.8.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.9.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.10.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.11.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.12.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
192.168.100.3/32 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
192.168.28.0/22 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
10.1.35.128/27 | tgw-attach-0d036dfc4cef8d7f2 | vpn-082b4d44065a15b90 (52.50.221.42) | VPN
10.1.35.64/26 | tgw-attach-0d036dfc4cef8d7f2 | vpn-082b4d44065a15b90 (52.50.221.42) | VPN
10.5.0.0/16 | tgw-attach-0d94b41934d950ded | vpn-023855fe655acc52b (52.212.202.83) | VPN
10.20.0.0/16 | tgw-attach-0d95df054db5f545e | vpn-08bdce1d7588967ca (34.250.137.250) | VPN
10.2.7.64/27 | tgw-attach-0d96413262f66252f | vpn-082bf2db4e300cf78 (34.248.113.236) | VPN
10.130.0.0/16 | tgw-attach-0ffb9ac473be8b222 | vpn-0d33d6378afb322f8 (3.248.18.167) | VPN
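The following Python is an added illustration and not part of the runbook: it reproduces the longest-prefix match the transit gateway applies to the route table above, flags a more specific prefix that is "shadowed" inside a broader one on a different attachment, and attributes a flow-log source/destination pair to the VPN or VPC it belongs to. The nine routes in ROUTES are copied from the table; CONSTRUCTED_BROAD_ROUTE and every value containing CONSTRUCTED are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class TgwRoute:
    """One row of a Transit Gateway route table (CIDR, attachment, resource, network type)."""
    cidr: str
    attachment: str
    resource: str
    kind: str  # "VPN" (property site tunnel) or "VPC" (an AWS account's VPC)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr, strict=False)


# Subset of the TGW-SS (tgw-0d1fc2ed7298adeaa) route table rows listed above.
ROUTES: List[TgwRoute] = [
    TgwRoute("10.225.0.0/16", "tgw-attach-006ce757cca4ae736", "vpn-0bbac789bbf3ce433", "VPN"),
    TgwRoute("10.31.64.0/20", "tgw-attach-0128e51cfe0f9cbd8", "vpc-0a0223837b56f3b3b", "VPC"),
    TgwRoute("10.31.128.0/24", "tgw-attach-0675e4574d970db9a", "vpc-0c43c0861078658ba", "VPC"),
    TgwRoute("10.31.129.0/24", "tgw-attach-033752d8949bcce5f", "vpc-04492cdc49cac52df", "VPC"),
    TgwRoute("10.31.40.0/23", "tgw-attach-09e0c62ac8960fba7", "vpc-08f48b33c71caf87e", "VPC"),
    TgwRoute("10.40.0.0/16", "tgw-attach-073a0932ecc6026b1", "vpc-0db19b8f878111edc", "VPC"),
    TgwRoute("10.100.0.0/14", "tgw-attach-0c6cd2bf287e10c25", "vpn-0536407fb6e0db1c4", "VPN"),
    TgwRoute("10.108.0.0/15", "tgw-attach-024343eaf976ccb34", "vpn-0cdc383cff1062221", "VPN"),
    TgwRoute("192.168.100.3/32", "tgw-attach-0ce973db47395e1ec", "vpn-011cbd1fc14da3dc4", "VPN"),
]

# Constructed route, NOT from the runbook: a broad prefix that would sit above several of the
# real /20-/24 VPC routes; used only to show what find_shadowed() reports.
CONSTRUCTED_BROAD_ROUTE = TgwRoute("10.31.0.0/16", "tgw-attach-CONSTRUCTED", "vpn-CONSTRUCTED", "VPN")


def lookup(ip: str, routes: Iterable[TgwRoute] = ROUTES) -> Optional[TgwRoute]:
    """Longest-prefix match: the route the transit gateway would actually use for `ip`.
    Returns None when no CIDR covers the address, i.e. the TGW would drop the packet."""
    addr = ipaddress.ip_address(ip)
    best: Optional[TgwRoute] = None
    for route in routes:
        net = route.network
        if addr in net and (best is None or net.prefixlen > best.network.prefixlen):
            best = route
    return best


def find_shadowed(routes: Iterable[TgwRoute]) -> List[Tuple[TgwRoute, TgwRoute]]:
    """Pairs (broad, specific): a more specific prefix on a DIFFERENT attachment that lies
    inside a broader one. Hosts in the specific range are steered away from the broad
    attachment, which is worth a review whenever a new /16 or /15 is added for a site."""
    rows = list(routes)
    found: List[Tuple[TgwRoute, TgwRoute]] = []
    for broad in rows:
        for specific in rows:
            if (specific.network.prefixlen > broad.network.prefixlen
                    and specific.network.subnet_of(broad.network)
                    and specific.attachment != broad.attachment):
                found.append((broad, specific))
    return found


def attribute_flow(src_ip: str, dst_ip: str, routes: Iterable[TgwRoute] = ROUTES) -> dict:
    """Describe where a flow-log pair enters and leaves the TGW: the resource each side maps
    to, plus a verdict a triage analyst can filter on."""
    rows = list(routes)
    src, dst = lookup(src_ip, rows), lookup(dst_ip, rows)
    if src is None or dst is None:
        verdict = "unrouted-endpoint"   # no documented route: spoofed or undocumented network
    elif src.attachment == dst.attachment:
        verdict = "intra-attachment"    # would not normally traverse the TGW at all
    else:
        verdict = f"{src.kind.lower()}-to-{dst.kind.lower()}"
    return {
        "src": src.resource if src else None,
        "dst": dst.resource if dst else None,
        "verdict": verdict,
    }
```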
Name | DNS name | State | Availability Zones | Type | Port Configuration | Remarks
Citrix-StoreFront | Citrix-StoreFront-df61fdc727a31c8b.elb.eu-west-1.amazonaws.com | active | eu-west-1b, eu-west-1a | network | | Citrix StoreFront Internal
CitrixAccessKerzner | CitrixAccessKerzner-ca88763ace051334.elb.eu-west-1.amazonaws.com | active | eu-west-1a, eu-west-1c | network | | Citrix Access Gateway pointing to the Netscalar Virtual Gateway Interface/IP
dlp-email-gw | dlp-email-gw-1839743635.eu-west-1.elb.amazonaws.com | | eu-west-1a, eu-west-1b | classic | 25 (TCP) forwarding to 8070 (TCP) | ForcePoint Email Gateway - O365 inbound to TCP port 25
public-facing-apps | public-facing-apps-971598553.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1c, eu-west-1b | application | | Public Facing Applications; listeners forward to CheckPoint Firewall
Beyond the load balancers, the target groups listed below are associated with the respective load balancers in the
AWS Shared Service account.
Name | Port | Health check port | Path | Healthy threshold | Protocol | Target type | Load Balancer | Success codes
bes-uat | 8094 | traffic-port | / | 5 | HTTP | instance | | 200
bes | 8086 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
k-app | 8085 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
kip | 8084 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
kip-uat-bubble | 8092 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-400
netiq | 8081 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
oxi-oopm | 8093 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200
ramco | 8082 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
uat-kip-chameleon | 8091 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
Citrix-StoreFront | 443 | traffic-port | / | 3 | TCP | instance | Citrix-StoreFront | 200-399
CitrixAccessKerzner | 443 | traffic-port | / | 3 | TCP | ip | CitrixAccessKerzner |
bes-ip | 4430 | | / | 5 | HTTP | instance | public-facing-apps | 200-404
dlp-kerzner | 8097 | | / | 5 | HTTP | instance | public-facing-apps | 200-403
ramco-test | 80 | | / | 5 | HTTP | ip | public-facing-apps | 200-302
ramco9081 | 9081 | | / | 5 | HTTP | instance | public-facing-apps | 200
sitecore | 8088 | | / | 5 | HTTP | instance | public-facing-apps | 200
uat-bes-amex | 8096 | | / | 5 | HTTP | instance | public-facing-apps | 200
uatbes | 8095 | | / | 5 | HTTP | instance | public-facing-apps | 200-400
Based on the tags on the Check Point instances, the automatic NAT policies are created and additional Check Point
nodes are provisioned.
Tag Key | Value | New Instances
Name | Check-Point-Gateway | Yes
aws:cloudformation:logical-id | GatewayGroup | Yes
aws:cloudformation:stack-id | arn:aws:cloudformation:eu-west-1:407176151436:stack/Check-Point-Security-Gateway-AutoScaling-new/636e1fa0-fee8-11e9-ad06-02673541b8d0 | Yes
aws:cloudformation:stack-name | Check-Point-Security-Gateway-AutoScaling-new | Yes
x-chkp-tags | management=mgmt-aws:template=my-template:ip-address=private | Yes
Externally hosted applications are protected by the Check Point CloudGuard firewall. The Check Point firewalls are
deployed with Auto Scaling, so when the number of connections and/or CPU utilization crosses the threshold, Auto
Scaling launches new firewall gateway instances automatically. Currently the Auto Scaling group is configured with a
desired capacity of 2 and a maximum of 5.
Every hosted application requires a CNAME entry pointing at the external Elastic Load Balancer (ELB), for example
kip.kerzner.com; the listener routes traffic based on header checks (URLs) and forwards it to the configured Check
Point firewalls. And in the target group
Policy push is done automatically; in the deployment, the task can be seen as "Web API", which denotes an automatic
policy push.
The user data scripts contain the SIC keys; these are used at automatic deployment time.
5.0 AWS Production Account
The AWS Production account 825261885912 is dedicated to hosting Kerzner's production application workloads and
services. It contains the key Kerzner production applications such as KIP, iScala, Ramco and EDW, together with
other infrastructure-related services.
NOTE: Kerzner did not follow any naming convention for the production environment.
5.1 VPC
Name | VPC ID | IPv4 CIDR | DHCP options set | Remarks
5.2 Subnets
The subnets listed below, with their available IP addresses, are as of 26th Jan 2020.
TGW-SS | tgw-0d1fc2ed7298adeaa
AWS Direct Connect will be disconnected after the KIM DC is decommissioned; this Virtual Private Gateway will then
no longer be needed for any purpose.
Amazon EBS Lifecycle Manager automates the creation, retention and deletion of the snapshots taken to back up the
Amazon EBS volumes. Currently the policy below has been created to take a snapshot backup every 12 hours.
All private subnets within VPC vpc-0a0223837b56f3b3b (Kerzner-Production) have this NAT Gateway associated.
5.9 Load Balancer & Target Groups
Elastic Load Balancers play a major role in the Production account of the Kerzner AWS environment. As shown in the
high-level architecture and the KIP application diagram, the load balancing service is used to make the applications
and services accessible across the internal and external networks.
Name | DNS name | State | Availability Zones | Type
Oxi | internal-oxi-1870618599.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbizapp-uat | internal-kipbizapp-uat-953723553.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbizapp | internal-kipbizapp-3193304.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbes-uat | internal-kipbes-uat-433477834.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbes | internal-kipbes-319342328.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipapp-uat | internal-kipapp-uat-645973359.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipapp | internal-kipapp-158776806.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application
DLPEMAILGWINTERNAL | DLPEMAILGWINTERNAL-b5d8f040f5e8d490.elb.eu-west-1.amazonaws.com | active | eu-west-1c | network
DLPEMAILGATEWAY | DLPEMAILGATEWAY-d04cbfb591f64a10.elb.eu-west-1.amazonaws.com | active | eu-west-1c | network
CitrixSF | CitrixSF-da03a755a41f2ede.elb.eu-west-1.amazonaws.com | active | eu-west-1b, eu-west-1a | network
Besuat | besuat-688681073.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
dlp-kerzner-lb | internal-dlp-kerzner-lb-429795583.eu-west-1.elb.amazonaws.com | active | eu-west-1c, eu-west-1a | application
k-app | internal-k-app-627209421.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
ramco | internal-ramco-94347860.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application
sentry | sentry-c1e60ec6d1361aff.elb.eu-west-1.amazonaws.com | active | eu-west-1a | network
sitecore | internal-sitecore-243052522.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
uat-bubble | internal-uat-bubble-1194002519.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
Beyond the load balancers, the target groups listed below are associated with the respective load balancers in the
AWS Production account.
Name | Port | Health check port | Path | Healthy threshold | Protocol | Target type | Load Balancer | Success codes
besuat | 4430 | traffic-port | / | 5 | HTTP | instance | besuat | 200-400
CitrixSFKIMSTORE | 443 | traffic-port | /citrix/kimstoreweb | 3 | TCP_UDP | instance | CitrixSF | 200-399
DLPEMAILGATEWAY | 25 | traffic-port | | 3 | TCP | ip | DLPEMAILGATEWAY |
DLPEMAILGWNEW | 25 | traffic-port | | 3 | TCP | ip | DLPEMAILGWINTERNAL |
kipapp | 4430 | traffic-port | / | 5 | HTTP | instance | kipapp | 200-404
kipapp-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipapp-uat | 200-400
kipbes | 4430 | 80 | / | 5 | HTTP | instance | kipbes | 200-404
kipbes-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipbes-uat | 200-400
kipbizapp | 4430 | traffic-port | / | 5 | HTTP | instance | kipbizapp | 200-400
kipbizapp-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipbizapp-uat | 200-400
oxi-oopm | 80 | traffic-port | / | 5 | HTTP | instance | oxi | 200
dlp-kerzner | 443 | traffic-port | / | 5 | HTTPS | instance | dlp-kerzner-lb | 200-403
k-app | 443 | traffic-port | / | 5 | HTTPS | instance | k-app | 200
ramco | 80 | traffic-port | / | 5 | HTTP | instance | ramco | 200
ramco-9080 | 80 | traffic-port | / | 5 | HTTP | instance | ramco | 200
sentry-162 | 162 | traffic-port | / | 5 | UDP | instance | sentry | 200
Sentry-514 | 514 | traffic-port | / | 5 | TCP_UDP | instance | sentry | 200
sentry-1514 | 1514 | traffic-port | / | 5 | TCP_UDP | instance | sentry | 200
sentry-6514 | 6514 | traffic-port | / | 5 | TCP | instance | sentry | 200
sitecore | 4430 | traffic-port | / | 5 | HTTP | instance | sitecore | 200
uat-bubble | 4430 | traffic-port | / | 5 | HTTP | instance | uat-bubble | 200
5.10 Direct Connect
The AWS Direct Connect connection in the Production account is used primarily to replicate servers from the KIM DC to
AWS. This Direct Connect was configured and set up before Hexaware's involvement and is used through the AWS Virtual
Private Gateway service, with BGP between AWS and the on-premise network.
The AWS Direct Connect connection will be discontinued once the KIM DC is shut down, since this link will then have no
further role and will not be necessary.
6.0 AWS Preproduction Account
The AWS Pre-Production account is used by Kerzner to host the applications' Pre-Production, UAT and SIT
environments.
As of now, the following UAT applications have been migrated into the Pre-Production environment:
1. KIP UAT
2. EDW
3. DRA
4. JDE
5. Opera
6. Ramco
7. Iscala
6.1 VPC
Name | VPC ID | IPv4 CIDR | DHCP options set | Remarks
6.2 Subnets
The subnets listed below, with their available IP addresses, are as of 26th Jan 2020.
tgw-attach-073a0932ecc6026b1 Shared
6.4 Transit Gateway Attachments
The Transit Gateway attachment tgw-attach-073a0932ecc6026b1 in this account is associated with VPC
vpc-0db19b8f878111edc. Through this Transit Gateway attachment the pre-production network reaches the other networks
via the routes specified by CIDR range in the Transit Gateway route tables.
Name | Transit Gateway attachment ID | Resource type | Associated route table ID | Association state | Remarks
AWSPre-Prod | tgw-attach-073a0932ecc6026b1 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
6.5 Virtual Private Gateway
The Virtual Private Gateway was created to connect the AWS network to the KIM Datacenter through AWS Direct
Connect.
Name | Virtual Gateway ID | Remark
KIM-Backup-VPG | vgw-0b44ad661a4b72eae | Connects to the KIM DC for CloudEndure replication through AWS Direct Connect.
AWS Direct Connect will be disconnected after the KIM DC is decommissioned; this Virtual Private Gateway will then
no longer be needed for any purpose.
6.6 EC2 Instances Backup
Amazon EBS Lifecycle Manager automates the creation, retention and deletion of the snapshots taken to back up the
Amazon EBS volumes. Currently the policy below has been created to take a snapshot backup every 12 hours.
Database Backup
A full database backup is performed for all production databases every 12 hours. The database backup file is moved
to a separate S3 bucket with the retention policy below enabled.
A transaction log backup is performed for all production databases every 30 minutes. The log file is moved to a
separate S3 bucket with the retention policy below enabled.
All private subnets within VPC vpc-0db19b8f878111edc (KIM-Backup-VPC) have this NAT Gateway associated.
6.8 Load Balancer & Target Groups
The load balancers below were created for the internal KIP UAT application.
7.2 Subnets
The subnets listed below, with their available IP addresses, are as of 26th Jan 2020.
All private subnets within VPC vpc-08f48b33c71caf87e (Kerzner-Dev) have this NAT Gateway associated.
7.6 Elastic IP Address
8.0 AWS Logging
VPC Flow Logs are stored in the S3 bucket irelandvpcflowlogs (Ireland VPC flow logs).
S3 Bucket Name | Service
aws-controltower-logs-633090644827-us-east-1 | CloudTrail, Config and CloudTrail digest
irelandvpcflowlogs | VPC Flow Logs
In N. Virginia region, we have created CloudWatch alarms for Authorization Failures, IAM Policy Changes,
EC2 Instance Changes, VPC Changes, Network Gateway Changes, Network ACL Configuration Changes,
Security Group Configuration Changes, CloudTrail Changes and Console Sign-in Failures.
AuthorizationFailure:
AuthorizationFailure is a CloudWatch alarm that is triggered when an unauthorized API call is made.
Alarm Name | Conditions
AuthorizationFailures | AuthorizationFailureCount >= 1 for 1 datapoint within 5 minutes
VPC Changes:
VPC changes CloudWatch alarm that is triggered when an API call is made to create, update, or delete an
Amazon VPC, an Amazon VPC peering connection, or an Amazon VPC connection to classic Amazon EC2
instances.
CloudTrail Changes:
CloudTrail Changes is a CloudWatch alarm that is triggered when an API call is made to create, update, or delete a
CloudTrail trail, or to start or stop logging for a trail.
Alarm Name | Conditions
CloudTrail Changes | CloudTrailEventCount >= 1 for 1 datapoint within 5 minutes
NOTE: Hexaware has not updated or changed any of the above configuration that PUC set up in this environment.
Hexaware currently follows the same logging and will verify the logs in S3 whenever required for investigation and
other purposes during the operational state.
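The following Python is an added illustration, not part of the runbook or of PUC's configuration: it applies the three alarm conditions named above (authorization failures, VPC changes, CloudTrail changes) to CloudTrail records and reports the 5-minute windows in which each alarm would fire. The runbook does not show the metric filter patterns PUC used, so the event-name sets and errorCode tests below follow the CIS AWS Foundations Benchmark filters for the same alarms (an assumption), and SAMPLE_LOG is a constructed log file, not Kerzner data.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List

# Metric-filter logic for the three alarms. Assumption: these mirror the CIS AWS Foundations
# Benchmark patterns; the runbook only states what each alarm triggers on, not the pattern.
VPC_CHANGE_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
}
CLOUDTRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def is_authorization_failure(rec: dict) -> bool:
    """CIS pattern: errorCode = "*UnauthorizedOperation" or errorCode = "AccessDenied*"."""
    code = rec.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


FILTERS: Dict[str, Callable[[dict], bool]] = {
    "AuthorizationFailures": is_authorization_failure,
    "VPC Changes": lambda rec: rec.get("eventName") in VPC_CHANGE_EVENTS,
    "CloudTrail Changes": lambda rec: rec.get("eventName") in CLOUDTRAIL_CHANGE_EVENTS,
}

# Constructed CloudTrail log file (not real data): five records across two 5-minute periods,
# trimmed to the fields the filters read. Note the StopLogging call: trail tampering.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-01-26T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"userName": "constructed-admin"}},
    {"eventTime": "2020-01-26T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"userName": "constructed-readonly"}},
    {"eventTime": "2020-01-26T10:04:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpcPeeringConnection", "userIdentity": {"userName": "constructed-admin"}},
    {"eventTime": "2020-01-26T10:15:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "constructed-readonly"}},
    {"eventTime": "2020-01-26T10:16:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "constructed-app"}},
]})


def load_records(text: str) -> List[dict]:
    """Parse a CloudTrail log file as delivered to S3: {"Records": [...]}."""
    return json.loads(text)["Records"]


def _epoch(ts: str) -> int:
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def bucket_counts(records: Iterable[dict], predicate: Callable[[dict], bool],
                  period: int = 300) -> Dict[int, int]:
    """Count matching records per `period`-second window, mirroring a metric filter that
    feeds a CloudWatch metric evaluated with that period."""
    counts: Dict[int, int] = defaultdict(int)
    for rec in records:
        if predicate(rec):
            ts = _epoch(rec["eventTime"])
            counts[ts - ts % period] += 1
    return dict(counts)


def evaluate_alarms(records: Iterable[dict], threshold: int = 1,
                    period: int = 300) -> Dict[str, List[str]]:
    """Apply the condition '<count> >= threshold for 1 datapoint within `period`' to every
    filter; returns, per alarm, the UTC window start times in which it fires."""
    records = list(records)
    fired: Dict[str, List[str]] = {}
    for name, predicate in FILTERS.items():
        windows = sorted(start for start, n in bucket_counts(records, predicate, period).items()
                         if n >= threshold)
        fired[name] = [datetime.fromtimestamp(s, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
                       for s in windows]
    return fired


def matching_events(records: Iterable[dict], alarm: str) -> List[str]:
    """The event names (with actor) that produced the alarm's datapoints, for triage."""
    return [f'{r["eventName"]} by {r["userIdentity"].get("userName", "?")}'
            for r in records if FILTERS[alarm](r)]
```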
9.0 AWS Audit
The Audit AWS account 518804319968 is used by Kerzner to audit activity across all AWS accounts and the platform.
The Powerup Cloud (PUC) team set up and configured the AWS GuardDuty and Security Hub services in this account for
audit purposes.
All Kerzner AWS accounts are added to AWS GuardDuty and audited from this account.
AWS Security Hub gives a comprehensive view of high-priority security alerts and compliance status across the AWS
accounts.
NOTE: Hexaware has not updated or changed any of the above configuration that PUC set up in these services.
Hexaware currently follows the same procedure: verify and action the events that trigger compliance findings during
the operational state.
10.0 Backup
When Hexaware joined this transformation, no backup solution had been defined for the migrated servers. To back up
the critical workloads (Production and Pre-Production servers) during the migration, Hexaware and Kerzner decided to
enable EBS snapshot backups for the migrated and newly built servers in the AWS platform.
Based on the EBS snapshot backup solution, the current backup retention policies have been set up and enabled
through tags.
NOTE: Based on the on-premise backup policy defined, Kerzner needs Hexaware to propose backup options and retention
policies for the AWS workloads (migrated and newly built). The Hexaware Operations team will analyze and propose the
long-term backup option to Kerzner.
10-Feb-2020: Hexaware proposed and set up transaction backups stored in an AWS S3 bucket for the Kerzner database
servers. Based on Kerzner's (Vikalp) confirmation, the snapshot backup (system state) retention was increased from
30 days to 1 year.
Separately, Hexaware (Arun Dayal Bhatia) is performing due diligence on a new approach to migrate the SQL databases
to RDS/Aurora.
11. Operation Inferences
1. Optimize by scaling down underutilized EC2 instances based on AWS Trusted Advisor recommendations.
2. Clean up the replication servers no longer required for migration and remove them from CloudEndure.
3. Move the Kerzner FSMO roles from the KIM DC Active Directory to the AWS AD servers (Shared Services) and point all
Windows EC2 instances to the AWS primary domain controller.
4. Set up an AD Connector so that the Kerzner domain can be used to log in to the AWS accounts.
5. The Citrix Netscalar appliance runs without high availability; provision one more instance and configure a cluster.
6. Decommission the AWS Direct Connect.
7. Set up automatic shutdown and startup for the DEV and IMS infrastructure servers to reduce running cost.
12. Appendix
The AWS services used within the Kerzner AWS accounts are listed below.
S. No | Service Name | Description
1 | AWS | Amazon Web Services
2 | S3 | Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
3 | EC2 Instance | Elastic Compute Cloud (virtual machine)
4 | EBS | Elastic Block Store
5 | ELB | Elastic Load Balancer
6 | CloudWatch | Monitoring service for performance metrics and thresholds
7 | CloudTrail | Logging of API events
8 | CheckPoint | Firewall to detect and prevent attacks
9 | Security Group | Acts as a virtual firewall for an instance to control inbound and outbound traffic
10 | ENI | Elastic Network Interface
11 | VPC | Virtual Private Cloud
12 | Transit Gateway | Connects AWS VPCs and on-premise networks through a single gateway
13 | VPN | Virtual Private Network
14 | EIP | Elastic IP address
15 | IAM | Identity and Access Management
16 | Snapshot | A point-in-time copy of an Amazon EBS volume
17 | Subnet | A logical subdivision of an IP network
18 | Public Subnet | A subnet associated with a route table that has a route to an Internet gateway
19 | Private Subnet | A subnet with an IPv4 CIDR block and no route to an Internet gateway
20 | AMI | Amazon Machine Image
21 | Auto Scaling | Monitors and automatically adjusts capacity
22 | Tag | A label assigned to an AWS resource; each tag consists of a key and a value
23 | Routes | A route table contains a set of rules, called routes, that determine where network traffic from a subnet or gateway is directed