RunBook AWS Kerzner

Uploaded by tg84143

Kerzner – AWS Runbook

Submitted to: KERZNER

Version: 0.1 | Date: 1/27/2020

© Hexaware Technologies Limited. All rights reserved. www.hexaware.com

Version History

Version | Implemented By | Revision Date | Approved By | Reason
0.1 | Prabhakara Kuppan | 2/3/2020 | |


Table of Contents

1.0 Introduction.......................................................................................................................................................5
1.1 Background.............................................................................................................................................................5
2.0 AWS Accounts.....................................................................................................................................................7
3.0 AWS Architecture...............................................................................................................................................7
3.1 Kerzner AWS Control Tower Architect High Level Architecture..............................................................................7
3.2 KIP Architecture......................................................................................................................................................8
3.3 DLP (ForcePoint) architecture.................................................................................................................................8
4.0 AWS Shared Service.........................................................................................................................................10
4.1 VPC.................................................................................................................................................................... 10
4.2 Subnets............................................................................................................................................................10
4.3 Transit Gateway............................................................................................................................................11
4.4 Transit Gateway Attachments.................................................................................................................11
4.5 Transit Gateway Route Tables.................................................................................................................13
4.6 Customer Gateway......................................................................................................................................15
4.7 NAT Gateway.................................................................................................................................................16
4.8 Load Balancer & Target Groups..............................................................................................................17
4.9 Auto Scaling...................................................................................................................................................19
4.10 CheckPoint CloudGuard Firewall Setup and Configuration.........................................................20
5.0 AWS Production Account..................................................................................................................................24
5.1 VPC.................................................................................................................................................................... 24
5.2 Subnets............................................................................................................................................................24
5.3 Transit Gateway............................................................................................................................................26
5.4 Transit Gateway Attachments.................................................................................................................26
5.5 Customer Gateway......................................................................................................................................26
5.6 Virtual Private Gateway.............................................................................................................................26
5.7 EC2 Instances................................................................................................................................................28
5.8 NAT Gateway.................................................................................................................................................28
5.9 Load Balancer & Target Groups..............................................................................................................28
5.10 Direct Connect............................................................................................................................................30
6.0 AWS Preproduction Account............................................................................................................................31
6.1 VPC.................................................................................................................................................................... 31
6.2 Subnets............................................................................................................................................................31
6.3 Transit Attachments....................................................................................................................................31
6.4 Transit Gateway Attachments.................................................................................................................32
6.5 Virtual Private Gateway.............................................................................................................................32
6.6 EC2 Instances Backup................................................................................................................................33
6.7 NAT Gateway.................................................................................................................................................34
6.8 Load Balancer & Target Groups..............................................................................................................34
6.9 Direct Connect...............................................................................................................................................35
7.0 AWS Development Account..............................................................................................................................36
7.1 VPC.................................................................................................................................................................... 36
7.2 Subnets............................................................................................................................................................36
7.3 Transit Gateway............................................................................................................................................36
7.4 Transit Gateway Attachments.................................................................................................................36
7.5 NAT Gateway.................................................................................................................................................37
7.6 Elastic IPaddress...........................................................................................................................................37
8.0 AWS Logging....................................................................................................................................................38
9.0 AWS Audit........................................................................................................................................................40
10.0 Backup...........................................................................................................................................................41
11. Operation Inferences........................................................................................................................................43
12. Appendix..........................................................................................................................................................44
1.0 Introduction

1.1 Background

Kerzner International migrated its datacenter to the AWS public cloud. Hexaware was the partner engaged during the migration phase to move the applications and infrastructure workloads hosted in the datacenter to AWS. The initial solution, the AWS platform build and its setup had already been performed by a third party (PowerUP Cloud) and directly by AWS before Hexaware joined the transformation. Based on the solution document received from PowerUP Cloud (AWS platform setup, replication tools and server migration methodology), Hexaware received the final list of servers to migrate from the KIM datacenter to AWS. Hexaware also created additional AWS services required by the applications to function after their migration to AWS.

This document contains the high-level architecture of the AWS platform, the list of applications and servers migrated from the KIM DC to AWS, and the services built during Hexaware's engagement.
2.0 AWS Accounts

AWS Account Name | AWS Account ID | VPC CIDR | Comments
Shared Service | 4071-7615-1436 | 10.31.127.0/24, 10.31.128.0/24 | Landing Zone
Kerzner AWS Portal - Production | 8252-6188-5912 | 10.31.64.0/20, 10.31.80.0/20, 10.31.96.0/20 | Production Environment
KIM Backup - UAT | 1409-9477-5043 | 10.40.0.0/16 | UAT Environment & S3 Backup, Veeam backup
Kerzner AWS Development | 6700-9137-0550 | 10.31.40.0/23 | Dev Environment
Kerzner Master | 6036-3327-7996 | | The master account is the account that creates the organization
Log Archive | 6330-9064-4827 | | Stores the logs of CloudTrail, Config, CloudTrail digest and VPC flow logs, and ELK
Audit | 5188-0431-9968 | | Security Account (GuardDuty)
3.0 AWS Architecture
This section describes the overall Kerzner AWS architecture.

3.1 Kerzner AWS Control Tower High Level Architecture

The high-level view of the current Kerzner AWS architecture covers all AWS accounts, the VPC connections, the VPN connections and the inbound traffic flow through the Check Point firewall.

Key components and functions of the architecture:

• The Kerzner AWS environment is set up on the AWS Control Tower architecture.
• Automated setup of the Landing Zone based on best-practice blueprints.
• Guardrails applied for ongoing governance over Kerzner AWS workloads.
• AWS Control Tower's built-in Account Factory automates the account provisioning workflow in the organization.
• A dashboard view across all AWS accounts showing guardrail enforcement and non-compliant resources, organized by account and OU.
• Check Point CloudGuard firewall architecture with auto scaling and automatic NAT rule policies based on tags.
• AWS Transit Gateway used for the VPN connections and shared with the other AWS accounts and VPCs.
• Defined and controlled Transit Gateway routes propagated to route the networks to specific subnets across the AWS accounts.
• VPC flow logs capture the traffic across all VPCs and are stored in S3 buckets in a dedicated account.
• CloudTrail provides the audit trail of changes and events performed across the AWS accounts.

3.2 KIP Architecture

This section gives an overview of the production KIP application migration and its end-state architecture in AWS. The KIP application front-end components and the BES database nodes are each placed in a different Availability Zone. These components are load balanced internally without Auto Scaling groups.

KIP application servers are tagged for both backup (EBS snapshots) and monitoring (CloudWatch alarms).

3.3 DLP (ForcePoint) architecture

Kerzner uses the Forcepoint DLP system. Its related on-premise setup (not live) was migrated by moving the servers, and a few component servers were built new in AWS according to the requirements received from the Forcepoint vendor.

The architecture below shows the DLP system with its associated AWS services and connectivity. An AWS Classic Load Balancer forwards TCP 25 traffic to the Check Point instances. The load balancer DNS name dlp-email-gw-1839743635.eu-west-1.elb.amazonaws.com (A record) is configured in Microsoft Office 365 to send traffic to the Classic Load Balancer, and outbound traffic from the Forcepoint DLP server is configured to send the analysed email to Mimecast through the secondary interface using the Elastic IP address.
4.0 AWS Shared Service

The AWS Shared Service account is the landing zone environment for Kerzner. The AWS Transit Gateway in this account is shared with the other AWS accounts (Development, Pre-Production and Production). The property-site VPN connections terminate in the Shared Service account through Transit Gateway attachments and Customer Gateways.

Externally published applications and inbound connections to the Kerzner AWS infrastructure enter through this account via the external load balancers in front of the Check Point firewall. The Check Point firewall then forwards the traffic to the respective backend service through source and target NAT rule policies, and the response returns via the Check Point firewall.

The Check Point firewall for external communication, the VPN tunnels for property sites through the Transit Gateway, primary Active Directory synchronization with the remote-site AD replicas, and shared infrastructure services such as anti-virus, CyberArk and Infoblox DNS all play a vital role in this AWS account.

NOTE: This AWS account is to be used to host any service or application used in common across all environments within AWS and the Kerzner infrastructure.
4.1 VPC
Name | VPC ID | IPv4 CIDR | NAT Gateway
VPC-SS | vpc-0c43c0861078658ba | 10.31.127.0/24, 10.31.128.0/24 |

4.2 Subnets
The subnets below and their available IP addresses are as of 26 January 2020. Most public IP addresses in this account are utilized, but an external load balancer requires a minimum of 8 free IP addresses.

All subnets belong to VPC-SS (vpc-0c43c0861078658ba).

IPv4 CIDR | Subnet Name | Subnet ID | Available IPs | Availability Zone
10.31.127.192/27 | PrivateSubnet-SS-1a | subnet-0da8fc716ad98289d | 20 | eu-west-1a
10.31.127.224/27 | PrivateSubnet-SS-1b | subnet-0e606161825c66f41 | 21 | eu-west-1b
10.31.127.32/28 | PrivateSubnet-SS-1a | subnet-09a19e19c407675dc | 2 | eu-west-1a
10.31.127.48/28 | PrivateSubnet-SS-1b | subnet-0753e76f80d9a00e2 | 3 | eu-west-1b
10.31.127.96/28 | PrivateSubnet-SS-1c | subnet-09e6eff6aa00e07be | 7 | eu-west-1c
10.31.127.0/28 | PublicSubnet-SS-1a | subnet-03c185788c19587a7 | 6 | eu-west-1a
10.31.127.64/28 | PublicSubnet-SS-1a | subnet-009b2126fb51a5e55 | 8 | eu-west-1a
10.31.127.16/28 | PublicSubnet-SS-1b | subnet-004b8fb0ad1826858 | 8 | eu-west-1b
10.31.127.112/28 | PublicSubnet-SS-1b | subnet-09161dd82ab18b655 | 8 | eu-west-1b
10.31.127.80/28 | PublicSubnet-SS-1c | subnet-0603c4cdf41c8d0ff | 3 | eu-west-1c
10.31.127.128/28 | PublicSubnet-SS-1c | subnet-0837f4ec15c31b713 | 10 | eu-west-1c
10.31.128.0/26 | PrivateSubnet-SS-1a | subnet-03f80ca6453f03ba7 | 58 | eu-west-1a
10.31.128.64/26 | PrivateSubnet-SS-1b | subnet-0f9cc1833c2178c14 | 58 | eu-west-1b
10.31.128.128/26 | PublicSubnet-SS-1a | subnet-0263a347e904f7ef8 | 56 | eu-west-1a
10.31.128.192/26 | PublicSubnet-SS-1b | subnet-0f8be22c321d1783c | 55 | eu-west-1b
10.31.127.160/27 | CloudEndure Replication | subnet-05ab2da8bd36bc451 | 26 | eu-west-1a
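The free-address constraint above is the kind of thing that is easy to miss when a new external load balancer is requested. The following script is an added example, not part of the runbook or of Hexaware's tooling: it takes a subnet inventory in the shape of the table above (the VPC CIDRs are the ones listed; the subnet IDs and the last two rows are constructed to exercise the checks) and reports subnets that overlap or fall outside the VPC, then lists, per Availability Zone, which public subnets still have the 8 free addresses an Elastic Load Balancer needs and whether an Application Load Balancer (which needs two AZs) can be placed without freeing addresses first.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory in the shape of the section 4.2 subnet table:
# (subnet name, subnet CIDR, subnet ID, available IPs, Availability Zone).
# Subnet IDs and the last two rows are made up to exercise the checks.
VPC_CIDRS = ["10.31.127.0/24", "10.31.128.0/24"]

SUBNETS = [
    ("PublicSubnet-SS-1a",  "10.31.127.0/28",   "subnet-EXAMPLE0a", 6,  "eu-west-1a"),
    ("PublicSubnet-SS-1a",  "10.31.127.64/28",  "subnet-EXAMPLE0b", 8,  "eu-west-1a"),
    ("PublicSubnet-SS-1b",  "10.31.127.16/28",  "subnet-EXAMPLE0c", 8,  "eu-west-1b"),
    ("PublicSubnet-SS-1c",  "10.31.127.80/28",  "subnet-EXAMPLE0d", 3,  "eu-west-1c"),
    ("PublicSubnet-SS-1a",  "10.31.128.128/26", "subnet-EXAMPLE0e", 56, "eu-west-1a"),
    ("PrivateSubnet-SS-1a", "10.31.127.192/27", "subnet-EXAMPLE0f", 20, "eu-west-1a"),
    # constructed faults: one subnet overlaps 10.31.127.0/28, one lies outside the VPC
    ("PublicSubnet-BAD",    "10.31.127.8/29",   "subnet-EXAMPLE10", 2,  "eu-west-1b"),
    ("PublicSubnet-STRAY",  "10.31.200.0/28",   "subnet-EXAMPLE11", 11, "eu-west-1c"),
]

# An Elastic Load Balancer needs at least 8 free addresses in each subnet it is
# given, and an Application Load Balancer needs subnets in at least two AZs.
MIN_FREE_IPS_FOR_ELB = 8
MIN_AZS_FOR_ALB = 2


def subnet_problems(subnets, vpc_cidrs):
    """Return {subnet_id: [problem, ...]} for subnets that fall outside the VPC
    CIDRs or overlap another subnet.  Both members of an overlapping pair get
    an entry, so the report is complete whichever row you start from."""
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    parsed = [(sid, ipaddress.ip_network(cidr)) for (_, cidr, sid, _, _) in subnets]
    problems = defaultdict(list)
    for sid, net in parsed:
        if not any(net.subnet_of(v) for v in vpcs):
            problems[sid].append(f"{net} is outside the VPC CIDRs {vpc_cidrs}")
    for i, (sid_a, net_a) in enumerate(parsed):
        for sid_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                problems[sid_a].append(f"{net_a} overlaps {net_b} ({sid_b})")
                problems[sid_b].append(f"{net_b} overlaps {net_a} ({sid_a})")
    return dict(problems)


def elb_candidate_subnets(subnets, vpc_cidrs, min_free=MIN_FREE_IPS_FOR_ELB):
    """Public subnets per AZ that can still take an internet-facing load
    balancer: clean addressing and at least `min_free` unallocated addresses."""
    bad = subnet_problems(subnets, vpc_cidrs)
    by_az = defaultdict(list)
    for name, _cidr, sid, free, az in subnets:
        if name.startswith("Public") and sid not in bad and free >= min_free:
            by_az[az].append(sid)
    return dict(by_az)


def elb_placement_ok(subnets, vpc_cidrs, min_azs=MIN_AZS_FOR_ALB):
    """Whether the inventory can host an ALB right now (candidate subnets in
    at least `min_azs` Availability Zones) without freeing addresses first."""
    return len(elb_candidate_subnets(subnets, vpc_cidrs)) >= min_azs


if __name__ == "__main__":
    for sid, issues in subnet_problems(SUBNETS, VPC_CIDRS).items():
        for issue in issues:
            print(f"PROBLEM {sid}: {issue}")
    for az, ids in sorted(elb_candidate_subnets(SUBNETS, VPC_CIDRS).items()):
        print(f"{az}: ELB-capable public subnets {ids}")
    print("ALB placement possible:", elb_placement_ok(SUBNETS, VPC_CIDRS))
```

With live data the same functions can be fed from the output of describe-vpcs and describe-subnets (the AvailableIpAddressCount field is what the table's "Available IPs" column records); the checks themselves need no AWS credentials.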
4.3 Transit Gateway
As specified above, AWS Transit Gateway is used to connect multiple VPCs and the on-premise networks to a single gateway.

Name | Transit Gateway ID | Remarks
TGW-SS | tgw-0d1fc2ed7298adeaa |

4.4 Transit Gateway Attachments


The transit gateway attachments below represent each VPC and VPN connection. For each VPN connection, a transit gateway attachment is created when the connection is established through the Transit Gateway. Routes in the various route tables are associated with these attachment IDs.

Name | Transit Gateway Attachment ID | Resource Type | Associated Route Table ID | Association State | Remarks
(no name) | tgw-attach-033752d8949bcce5f | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
ASH-CHINA | tgw-attach-024343eaf976ccb34 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
AWS-PRD | tgw-attach-0128e51cfe0f9cbd8 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
BESAzureProd1 | tgw-attach-037f99f578e97fdc2 | VPN | tgw-rtb-03d863cca24ac5805 | associated |
BESAzureProd2 | tgw-attach-09bcf67fa53b79126 | VPN | tgw-rtb-0d7b2e929b944abf1 | associated |
BESAzureUAT1 | tgw-attach-0c205894c90784094 | VPN | tgw-rtb-03d863cca24ac5805 | associated |
BESAzureUAT2 | tgw-attach-05161a00784177d26 | VPN | tgw-rtb-0d7b2e929b944abf1 | associated |
BESTEST | tgw-attach-055727f360a610829 | VPN | tgw-rtb-03d863cca24ac5805 | associated |
CMN-MOROCO | tgw-attach-021dee73241c291a2 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
CPT-SOUTH AFRICA | tgw-attach-075587eb6e7f2db91 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
DXB-ATP-DUBAI | tgw-attach-0c6cd2bf287e10c25 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
Development | tgw-attach-09e0c62ac8960fba7 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
HEXAWARE-CHN | tgw-attach-0820b8dd31ac8c6b9 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
HEXAWARE-MUM | tgw-attach-0d036dfc4cef8d7f2 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
HEXAWARE-PUNE | tgw-attach-0d96413262f66252f | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
KIGALI-RWANDA | tgw-attach-02ea9eb9f88bf962f | VPN | tgw-rtb-03d863cca24ac5805 | associated |
KIM-DC-DUBAI | tgw-attach-0d95df054db5f545e | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
Kerzner Global Office | tgw-attach-0d94b41934d950ded | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
LDN-OFFICE-UK | tgw-attach-00c7e89eebef75c28 | VPN | tgw-rtb-03d863cca24ac5805 | associated |
LSG-MAURITIUS | tgw-attach-06d1f4674bba7e312 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
LSG-MAURITIUS-PA | tgw-attach-088d7c199541dc53f | VPN | tgw-rtb-03d863cca24ac5805 | associated |
OODC-MALAYSIA | tgw-attach-0812125dcb64290cb | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
OOGN-RWANDA | tgw-attach-0ffb9ac473be8b222 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
OOMM-Mandarina-Mexico | tgw-attach-0612807030dc3a0da | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
OONH-RWANDA | tgw-attach-00cf8ff48be37fc45 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
OOPM-PORTONOVI | tgw-attach-0c2309b52c215052b | VPN | tgw-rtb-03d863cca24ac5805 | associated |
OOWV-AUSTRALIA | tgw-attach-006ce757cca4ae736 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
OTP-DUBAI | tgw-attach-059b48d7554b99dbd | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
PreProduction | tgw-attach-073a0932ecc6026b1 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
RRR-MALDIVES | tgw-attach-0ab98e4767bbc944c | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
RYM-DUBAI | tgw-attach-00bc9069bfe8972e1 | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
SJD-MEXICO | tgw-attach-0ce973db47395e1ec | VPN | tgw-rtb-050e8032ed6fd20e8 | associated |
ss 10.31.127 | tgw-attach-0675e4574d970db9a | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |

4.5 Transit Gateway Route Tables

CIDR | Attachment | Resource (VPN outside IP) | Type
10.225.0.0/16 | tgw-attach-006ce757cca4ae736 | vpn-0bbac789bbf3ce433 (52.18.67.224) | VPN
10.24.12.0/22 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.10.11.2/32 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.12.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.13.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.14.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.18.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.2.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.200.0/24 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.24.64.0/18 | tgw-attach-00bc9069bfe8972e1 | vpn-0ab723cb20d4de432 (34.255.114.239) | VPN
172.27.0.0/22 | tgw-attach-00cf8ff48be37fc45 | vpn-03eeae54ff7d88448 (52.214.90.161) | VPN
10.31.64.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
10.31.80.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
10.31.96.0/20 | tgw-attach-0128e51cfe0f9cbd8 | vpc-0a0223837b56f3b3b | VPC
172.26.0.0/16 | tgw-attach-021dee73241c291a2 | vpn-05e7c58327afe6da6 (52.51.225.65) | VPN
10.108.0.0/15 | tgw-attach-024343eaf976ccb34 | vpn-0cdc383cff1062221 (52.30.199.187) | VPN
10.31.129.0/24 | tgw-attach-033752d8949bcce5f | vpc-04492cdc49cac52df | VPC
10.107.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.113.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.79.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.86.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.88.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.91.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.99.0.0/16 | tgw-attach-037f99f578e97fdc2 | vpn-0b57e6c171edf6e7e (34.246.47.57) | VPN
10.11.0.0/16 | tgw-attach-055727f360a610829 | vpn-068ad9a7cd5128b0a (34.249.104.245) | VPN
10.140.0.0/16 | tgw-attach-0612807030dc3a0da | vpn-02897a290831a7f8f (34.242.5.252) | VPN
10.31.127.0/24 | tgw-attach-0675e4574d970db9a | vpc-0c43c0861078658ba | VPC
10.31.128.0/24 | tgw-attach-0675e4574d970db9a | vpc-0c43c0861078658ba | VPC
10.40.0.0/16 | tgw-attach-073a0932ecc6026b1 | vpc-0db19b8f878111edc | VPC
172.23.0.0/16 | tgw-attach-075587eb6e7f2db91 | vpn-071948a679cb4bbad (99.80.173.50) | VPN
10.120.0.0/16 | tgw-attach-0812125dcb64290cb | vpn-0137d3b04a90354f9 (34.253.47.129) | VPN
172.25.174.128/26 | tgw-attach-0820b8dd31ac8c6b9 | vpn-09cc7ec727b926cde (63.34.220.43) | VPN
172.25.32.0/21 | tgw-attach-088d7c199541dc53f | vpn-05fd13830a41fbe87 (52.213.84.238) | VPN
172.25.5.0/24 | tgw-attach-088d7c199541dc53f | vpn-05fd13830a41fbe87 (52.213.84.238) | VPN
10.31.40.0/23 | tgw-attach-09e0c62ac8960fba7 | vpc-08f48b33c71caf87e | VPC
172.29.13.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.14.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.15.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.22.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.23.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.24.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.32.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
172.29.35.0/24 | tgw-attach-0ab98e4767bbc944c | vpn-0ef921fe29f2a4c01 (52.211.124.82) | VPN
10.154.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.161.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.163.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.166.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.174.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.178.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.182.0.0/16 | tgw-attach-0c205894c90784094 | vpn-042632f7a121bf0f0 (52.208.118.253) | VPN
10.150.0.0/16 | tgw-attach-0c2309b52c215052b | vpn-023dd362046636c5a (52.49.111.51) | VPN
10.10.20.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.10.40.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.100.0.0/14 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
10.254.1.0/24 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
192.168.107.0/25 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
192.168.108.0/25 | tgw-attach-0c6cd2bf287e10c25 | vpn-0536407fb6e0db1c4 (52.19.173.175) | VPN
172.29.10.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.11.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.12.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.17.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.8.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.29.9.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.10.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.11.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
172.30.12.0/24 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
192.168.100.3/32 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
192.168.28.0/22 | tgw-attach-0ce973db47395e1ec | vpn-011cbd1fc14da3dc4 (34.250.26.212) | VPN
10.1.35.128/27 | tgw-attach-0d036dfc4cef8d7f2 | vpn-082b4d44065a15b90 (52.50.221.42) | VPN
10.1.35.64/26 | tgw-attach-0d036dfc4cef8d7f2 | vpn-082b4d44065a15b90 (52.50.221.42) | VPN
10.5.0.0/16 | tgw-attach-0d94b41934d950ded | vpn-023855fe655acc52b (52.212.202.83) | VPN
10.20.0.0/16 | tgw-attach-0d95df054db5f545e | vpn-08bdce1d7588967ca (34.250.137.250) | VPN
10.2.7.64/27 | tgw-attach-0d96413262f66252f | vpn-082bf2db4e300cf78 (34.248.113.236) | VPN
10.130.0.0/16 | tgw-attach-0ffb9ac473be8b222 | vpn-0d33d6378afb322f8 (3.248.18.167) | VPN
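A route table with this many VPN sites is where a more-specific prefix advertised by one site can quietly capture traffic meant for a broader prefix advertised by another. The script below is an added example, not part of the runbook: over rows in the shape of the table above (attachment and VPN IDs are placeholders, and the 10.101.5.0/24 entry is a constructed overlap), it resolves a destination the way the transit gateway does (longest prefix wins), lists every "inner prefix on a different attachment" pair for an owner to confirm, and summarises which prefixes each attachment receives so they can be diffed against what the site is supposed to advertise.

```python
import ipaddress

# Constructed rows in the shape of the section 4.5 route table:
# (destination CIDR, attachment ID, attached resource, resource type).
# Attachment/VPN IDs are placeholders; 10.101.5.0/24 is a deliberate overlap.
ROUTES = [
    ("10.31.127.0/24", "tgw-attach-SS",  "vpc-SHAREDSVC",            "VPC"),
    ("10.31.128.0/24", "tgw-attach-SS",  "vpc-SHAREDSVC",            "VPC"),
    ("10.31.64.0/20",  "tgw-attach-PRD", "vpc-PRODUCTION",           "VPC"),
    ("10.100.0.0/14",  "tgw-attach-DXB", "vpn-DXB (198.51.100.10)",  "VPN"),
    ("10.101.5.0/24",  "tgw-attach-MAL", "vpn-MAL (198.51.100.20)",  "VPN"),  # inside 10.100.0.0/14
    ("172.29.13.0/24", "tgw-attach-MLD", "vpn-MLD (198.51.100.30)",  "VPN"),
]


def parse_routes(rows):
    """Turn the CIDR strings into ip_network objects once; everything else
    works on the parsed tuples."""
    return [(ipaddress.ip_network(cidr), att, res, typ) for cidr, att, res, typ in rows]


def longest_prefix_match(rows, dst):
    """(matched CIDR, attachment) the transit gateway would forward `dst` to,
    or None when no route covers it.  The most specific matching prefix wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, att, _res, _typ in parse_routes(rows):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, att)
    return None if best is None else (str(best[0]), best[1])


def shadowed_routes(rows):
    """Pairs (inner CIDR, its attachment, outer CIDR, outer attachment) where a
    more-specific prefix on a DIFFERENT attachment carves traffic out of a
    broader prefix.  Each one should be confirmed with the owner of the outer
    range, because packets to the inner range never reach that site."""
    parsed = parse_routes(rows)
    found = []
    for net_a, att_a, *_ in parsed:
        for net_b, att_b, *_ in parsed:
            if net_a != net_b and att_a != att_b and net_a.subnet_of(net_b):
                found.append((str(net_a), att_a, str(net_b), att_b))
    return found


def routes_by_attachment(rows):
    """{attachment: [CIDR, ...]} for a quick diff against the prefixes each
    site or VPC is expected to advertise."""
    summary = {}
    for net, att, *_ in parse_routes(rows):
        summary.setdefault(att, []).append(str(net))
    return summary


if __name__ == "__main__":
    for dst in ("10.101.5.7", "10.101.6.1", "10.31.70.10", "192.0.2.1"):
        print(dst, "->", longest_prefix_match(ROUTES, dst))
    for inner, inner_att, outer, outer_att in shadowed_routes(ROUTES):
        print(f"CHECK: {inner} via {inner_att} is inside {outer} via {outer_att}")
    for att, cidrs in routes_by_attachment(ROUTES).items():
        print(att, cidrs)
```

The same overlap check applies to the VPN sites' own advertised ranges before a new site is connected: running it against the existing table plus the candidate prefixes shows in advance whether the new attachment would capture traffic from an existing one.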

4.6 Customer Gateway


For VPN connection setup, a Customer Gateway is created using the client-side public IP address.

Name | VPN ID | Customer Gateway ID | Customer Gateway Name | Customer Gateway Address | Remarks
ASHCHINA | vpn-0cdc383cff1062221 | cgw-013f7bc9706073583 | ASHCHINA | 121.58.110.63 |
BESAzureProd1 | vpn-0b57e6c171edf6e7e | cgw-0cbce41cbb6f8fc0c | BESAzureProd1 | 52.158.114.98 |
BESAzureProd2 | vpn-0d76dc72f53db00ad | cgw-0be1143abf7a1305e | BESAzureProd2 | 52.158.118.146 |
BESAzureTEST | vpn-068ad9a7cd5128b0a | cgw-02469c2db490efbfd | BESAZURETEST | 13.74.32.255 |
BESAzureUAT1 | vpn-042632f7a121bf0f0 | cgw-05dbeb30e9422be1c | BESAzureUAT2 | 13.79.129.16 |
BESAzureUAT2 | vpn-038522071977f2d9a | cgw-06e93753eba820c81 | BESAzureUAT1 | 40.127.102.38 |
CMNMOROCO | vpn-05e7c58327afe6da6 | cgw-0417e5bc1a67f290b | CMNMOROCO | 81.192.213.2 |
CPTSOUTHAFRICA | vpn-071948a679cb4bbad | cgw-0583e3972ac833321 | CPTSOUTHAFRICA | 169.255.34.134 |
DXBATPDUBAI | vpn-0536407fb6e0db1c4 | cgw-0f2caaab5aedcb05c | DXBATPDUBAI | 91.75.74.12 |
HEXAWARECHN | vpn-09cc7ec727b926cde | cgw-0ecc9f5bdd4dfc3fe | HEXAWARECHN | 115.69.82.4 |
HEXAWAREMUM | vpn-082b4d44065a15b90 | cgw-09eb9c2a43d6baeca | HEXAWAREMUM | 115.69.88.3 |
HEXAWAREPUNE | vpn-082bf2db4e300cf78 | cgw-07fa554359af1166d | HEXAWAREPUNE | 115.69.92.8 |
KIGALIRWANDA | vpn-0cb914848f9b3800c | cgw-02d7ca184f45547c7 | KIGALIRWANDA | 41.223.224.234 |
KIMDCDUBAI | vpn-08bdce1d7588967ca | cgw-0a6f56cdc88c1c69b | KIMDCDUBAI | 94.207.38.6 |
KerznerDRVPN | vpn-023855fe655acc52b | cgw-02dd0b6be49a2a843 | Kerzner | 83.111.131.242 |
LDNOFFICEUK | vpn-01e8173a269783123 | cgw-006a9d922db28a9f9 | LDNOFFICEUK | 62.6.61.164 |
LSGMAURITIUS | vpn-0f9cefc9b1a9bcd95 | cgw-023bba734aba1b842 | LSGMAURITIUS | 196.192.2.6 |
OODCMALAYSIA | vpn-0137d3b04a90354f9 | cgw-0721d1a85bfa73010 | OODCMALAYSIA | 210.19.11.34 |
OOGNRWANDA | vpn-0d33d6378afb322f8 | cgw-01a1608bb4d6c4442 | OOGNRWANDA | 105.179.9.98 |
OOMMMandarina Mexico | vpn-02897a290831a7f8f | cgw-07a73e740a0534642 | OOMMMandarina Mexico | 189.254.194.237 |
OONHRWANDA | vpn-03eeae54ff7d88448 | cgw-03d2be288b8cdc63c | OONHRWANDA | 197.243.50.130 |
OOWVAUSTRALIA | vpn-0bbac789bbf3ce433 | cgw-0f03590ffa9685f0c | OOWVAUSTRALIA | 210.215.4.162 |
OTPDUBAI | vpn-0dca383f71311c521 | cgw-0061470c6630978e6 | OTPDUBAI | 94.200.52.210 |
RRRMALDIVES | vpn-0ef921fe29f2a4c01 | cgw-0aa8c061b67fd0c44 | RRRMALDIVES | 124.195.223.30 |
RYMDUBAI | vpn-0ab723cb20d4de432 | cgw-0e6b8f3caea424e36 | RYMDUBAI | 80.227.107.10 |
SJDMEXICO | vpn-011cbd1fc14da3dc4 | cgw-01c414b50dbae2a99 | SJDMEXICO | 148.223.76.210 |
OOPM-PORTONOVI | vpn-023dd362046636c5a | cgw-0f7d3efe215acd002 | | 94.102.234.226 |
LSG-MAURITIUS-PA | vpn-05fd13830a41fbe87 | cgw-0c1dbd49678590780 | | 196.192.2.5 |
BESAzureUAT1 old | | cgw-0f334d35cceebdbc4 | | 40.123.207.71 |
BESAzureUAT | | cgw-0422eb7b54bd17436 | | 40.123.206.43 |

4.7 NAT Gateway


The NAT Gateway in the AWS SS VPC provides internet access for the EC2 instances in the private subnets.

Name | NAT Gateway ID | Elastic IP address | Remarks
NGW-SS | nat-01652fc002ae49860 | 34.252.122.116 |

The private subnets associated with the NAT Gateway are shown in the screenshot below.


4.8 Load Balancer & Target Groups
Elastic Load Balancers in the Kerzner AWS environment play a major role in the Shared Service account. As specified in the high-level architecture and the KIP application diagram, the load balancing service is used to make the applications and services reachable from the internal and external networks.

Name | DNS name | State | Availability Zones | Type | Port Configuration | Remarks
Citrix-StoreFront | Citrix-StoreFront-df61fdc727a31c8b.elb.eu-west-1.amazonaws.com | active | eu-west-1b, eu-west-1a | network | | Citrix StoreFront Internal
CitrixAccessKerzner | CitrixAccessKerzner-ca88763ace051334.elb.eu-west-1.amazonaws.com | active | eu-west-1a, eu-west-1c | network | | Citrix Access Gateway pointing to the Netscaler Virtual Gateway interface/IP
dlp-email-gw | dlp-email-gw-1839743635.eu-west-1.elb.amazonaws.com | | eu-west-1a, eu-west-1b | classic | 25 (TCP) forwarding to 8070 (TCP) | ForcePoint Email Gateway - O365 inbound to TCP port 25
public-facing-apps | public-facing-apps-971598553.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1c, eu-west-1b | application | | Public-facing applications; listeners forward to the Check Point firewall
public-facing-apps-restrict | public-facing-apps-restrict-804648893.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application | | Public-facing applications; listeners forward to the Check Point firewall

Beyond the load balancers, the target groups below are associated with the respective load balancers in the AWS Shared Service account.

Name | Port | Health check port | Path | Healthy threshold | Protocol | Target type | Load Balancer | Success codes
bes-uat | 8094 | traffic-port | / | 5 | HTTP | instance | | 200
bes | 8086 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
k-app | 8085 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
kip | 8084 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
kip-uat-bubble | 8092 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-400
netiq | 8081 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
oxi-oopm | 8093 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200
ramco | 8082 | 443 | / | 5 | HTTP | instance | public-facing-apps | 200
uat-kip-chameleon | 8091 | traffic-port | / | 5 | HTTP | instance | public-facing-apps | 200-404
Citrix-StoreFront | 443 | traffic-port | / | 3 | TCP | instance | Citrix-StoreFront | 200-399
CitrixAccessKerzner | 443 | traffic-port | / | 3 | TCP | ip | CitrixAccessKerzner |
bes-ip | 4430 | | / | 5 | HTTP | instance | public-facing-apps | 200-404
dlp-kerzner | 8097 | | / | 5 | HTTP | instance | public-facing-apps | 200-403
ramco-test | 80 | | / | 5 | HTTP | ip | public-facing-apps | 200-302
ramco9081 | 9081 | | / | 5 | HTTP | instance | public-facing-apps | 200
sitecore | 8088 | | / | 5 | HTTP | instance | public-facing-apps | 200
uat-bes-amex | 8096 | | / | 5 | HTTP | instance | public-facing-apps | 200
uatbes | 8095 | | / | 5 | HTTP | instance | public-facing-apps | 200-400

4.9 Auto Scaling

AWS Auto Scaling is used in Kerzner only for the Check Point CloudGuard firewall. Based on the launch configuration and the Auto Scaling group, the Check Point instances scale up and down.
AMI ID:- ami-012852ea581b7d96d
Instance Type:- c5.large

Based on the tags carried by the Check Point instances, the automatic NAT policies and the provisioning of additional Check Point nodes are created.

Tag Key | Value | New Instances
Name | Check-Point-Gateway | Yes
aws:cloudformation:logical-id | GatewayGroup | Yes
aws:cloudformation:stack-id | arn:aws:cloudformation:eu-west-1:407176151436:stack/Check-Point-Security-Gateway-AutoScaling-new/636e1fa0-fee8-11e9-ad06-02673541b8d0 | Yes
aws:cloudformation:stack-name | Check-Point-Security-Gateway-AutoScaling-new | Yes
x-chkp-tags | management=mgmt-aws:template=my-template:ip-address=private | Yes
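The x-chkp-tags value above is what the Check Point management side reads to decide how a freshly launched gateway is onboarded, so a new instance that is missing or mis-formats it is simply never provisioned. The Python below is an added illustration for this runbook, not Hexaware or Check Point code: it parses the colon-separated key=value string and checks the tag set a new gateway must carry. The tag names and values are copied from the table; the set of required keys and the allowed ip-address values (private or public) are assumptions made here.

```python
"""Added example (not from the runbook): parse the x-chkp-tags value carried by
the Check Point CloudGuard Auto Scaling group and validate the tag set a new
gateway instance must inherit. Tag names/values are those in the runbook
table; the required-key set and allowed ip-address values are assumptions."""

from typing import Dict, List

# Tags from the runbook's Auto Scaling section (sample input copied from the table)
ASG_TAGS: Dict[str, str] = {
    "Name": "Check-Point-Gateway",
    "aws:cloudformation:logical-id": "GatewayGroup",
    "aws:cloudformation:stack-name": "Check-Point-Security-Gateway-AutoScaling-new",
    "x-chkp-tags": "management=mgmt-aws:template=my-template:ip-address=private",
}

# Keys a gateway instance must carry to be picked up by management
# (assumption based on the runbook table, not a Check Point specification)
REQUIRED_KEYS = ("Name", "x-chkp-tags")
ALLOWED_IP_ADDRESS = {"private", "public"}  # assumption


def parse_chkp_tags(value: str) -> Dict[str, str]:
    """Split 'k1=v1:k2=v2' into a dict; a pair without '=' is rejected."""
    result: Dict[str, str] = {}
    for pair in value.split(":"):
        if "=" not in pair:
            raise ValueError(f"malformed x-chkp-tags pair: {pair!r}")
        key, val = pair.split("=", 1)
        result[key.strip()] = val.strip()
    return result


def validate_gateway_tags(tags: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the instance is well tagged."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in tags:
            problems.append(f"missing tag {key}")
    if "x-chkp-tags" in tags:
        try:
            chkp = parse_chkp_tags(tags["x-chkp-tags"])
        except ValueError as exc:
            return problems + [str(exc)]
        for needed in ("management", "template", "ip-address"):
            if needed not in chkp:
                problems.append(f"x-chkp-tags lacks {needed}")
        if chkp.get("ip-address") not in ALLOWED_IP_ADDRESS:
            problems.append(f"unexpected ip-address value {chkp.get('ip-address')!r}")
    return problems


if __name__ == "__main__":
    print(parse_chkp_tags(ASG_TAGS["x-chkp-tags"]))
    print(validate_gateway_tags(ASG_TAGS) or "tags OK")
```

Running validate_gateway_tags against the tags of every instance in the Auto Scaling group (for example from the output of describe-auto-scaling-groups) is a quick operational check that a scale-out event produced gateways that management will actually enrol.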
4.10 Check Point CloudGuard Firewall Setup and Configuration

In Kerzner, the Check Point firewall has been implemented through the Check Point CloudGuard Auto Scaling method. Auto Scaling is a service offered by Amazon Web Services (AWS) that automatically adjusts Amazon EC2 capacity according to the current load. Here the EC2 instances are the Check Point CloudGuard IaaS Security Gateways and the Check Point CloudGuard IaaS Security Management Server.
The following components are used to deploy Check Point CloudGuard Auto Scaling:

• A highly available architecture that spans at least two Availability Zones.
• A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, providing a dedicated virtual network on AWS.
• An internet gateway to allow access to the internet. This gateway is used by the CloudGuard Security Gateways to send and receive traffic.
• In the public subnets, CloudGuard Security Gateways in an Auto Scaling group.
• Either an external Application Load Balancer that operates at the application layer or a Network Load Balancer that operates at the transport level, to route traffic from the internet to the CloudGuard Security Gateways.
• (Optional) In a public subnet, a preconfigured CloudGuard Security Management Server, to manage the Security Gateways.
• (Optional) In the private subnets, an Auto Scaling group of web servers.
• If a workload of web servers is deployed, an internal Application Load Balancer to route traffic from the Security Gateways to that workload.
External Load Balancer:
An AWS Elastic Load Balancer (ELB) of the Application type is used as the external load balancer.
Listeners:

Internal Load Balancer

A listener is created on the target groups that were created for the external load balancer.

Target Groups (Shared Service Accounts):

On the target groups, port forwarding is performed to a high custom port for each application:

Application | Port | Protocol
Netiq | 8081 | HTTP
Ramco | 8082 | HTTP
Citrix | 8083 | HTTP
Kip | 8084 | HTTP
k-app | 8085 | HTTP
Bes | 8086 | HTTP
DLPEMAILGATEWAY | 8088 | TCP
DLPEMAILGW | 8089 | TCP
uat-kip-chameleon | 8091 | HTTP
kip-uat-bubble | 8092 | HTTP
oxi-oopm | 8093 | HTTP
bes-uat | 8094 | HTTP

Traffic Flow:

Externally hosted applications are protected by the Check Point CloudGuard firewall. The Check Point firewalls are deployed using the auto scaling method, so when the number of connections and/or the CPU utilization crosses the threshold, Auto Scaling spins up new firewall gateway instances automatically. Currently the Auto Scaling condition is set with a desired count of 2 and a maximum of 5.

Every hosted application requires a CNAME entry pointing to the external Elastic Load Balancer (ELB), for example kip.kerzner.com. The listener routes the traffic based on a header check (URLs) and forwards it to the configured Check Point firewalls. And in the Target group
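Two details of this flow are easy to get wrong in day-to-day operation: which listener rule a given host name hits, and what the "Success codes" column in the target-group tables really accepts. The Python below is an added example for this runbook (not Hexaware or AWS code): it resolves a request host against ordered host-header rules that forward to the custom ports listed above, and it parses an ALB-style HttpCode matcher such as 200-404 or 200,302 to judge a health-check response. The host names and rule order are constructed assumptions; the ports are the runbook's.

```python
"""Added example (not runbook code): resolve which target group and port a
request reaches via host-header listener rules, and evaluate a backend
health-check status against an ALB-style success-code matcher.
Host names and rule order are constructed; ports come from the runbook."""

import fnmatch
from typing import List, Optional, Tuple

# Constructed listener rules in priority order: (host pattern, target group, port, protocol).
# Ports are the runbook's custom ports; the host names are assumptions.
LISTENER_RULES: List[Tuple[str, str, int, str]] = [
    ("kip.kerzner.com", "kip", 8084, "HTTP"),
    ("ramco.kerzner.com", "ramco", 8082, "HTTP"),
    ("*.uat.kerzner.com", "uat-kip-chameleon", 8091, "HTTP"),
]


def route(host: str) -> Optional[Tuple[str, int, str]]:
    """First matching rule wins, as with ALB rule priorities.
    '*' in a host condition is modelled with shell-style globbing."""
    host = host.lower().split(":")[0]          # drop any :port suffix
    for pattern, target_group, port, proto in LISTENER_RULES:
        if fnmatch.fnmatchcase(host, pattern):
            return (target_group, port, proto)
    return None  # nothing matched: the ALB would apply its default action


def parse_matcher(matcher: str) -> List[Tuple[int, int]]:
    """Parse an ALB HttpCode matcher ('200', '200-404', '200,302') into
    inclusive ranges. ALB only accepts codes from 200 to 499."""
    ranges: List[Tuple[int, int]] = []
    for part in matcher.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (200 <= lo <= hi <= 499):
            raise ValueError(f"ALB matchers accept 200-499 only: {part!r}")
        ranges.append((lo, hi))
    return ranges


def is_healthy(status_code: int, matcher: str) -> bool:
    """True when the health-check response code falls inside the matcher."""
    return any(lo <= status_code <= hi for lo, hi in parse_matcher(matcher))


if __name__ == "__main__":
    print(route("kip.kerzner.com"))        # ('kip', 8084, 'HTTP')
    print(is_healthy(404, "200-404"))      # True: a 404 page counts as healthy
```

The second call is the caveat: several target groups in the tables above use matchers such as 200-404, so a backend answering 401, 403 or 404 on / is still reported healthy and keeps receiving traffic. Narrowing the matcher (or pointing the health check at a path that returns 200 only when the application is actually up) makes the health check meaningful.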
Zero touch Configuration on firewall:

In the Check Point CloudGuard auto scaling deployment, there is no need for manual configuration on the firewall side.
On the internal load balancer, the tags with the template values need to be added, as shown below.
The tags are configured as shown below in the Tags section.

The policy push is done automatically; in the deployment task list it appears as "Web API", which denotes an automatic policy push.

The user data script contains the SIC key; this kicks in at automatic deployment time.
5.0 AWS Production Account
AWS Production Account 825261885912 is dedicated to hosting the Kerzner production application workloads and services. This account contains the key Kerzner production application workloads such as KIP, iScala, Ramco, EDW and other infrastructure-related services.
NOTE:- Kerzner did not follow any naming convention for the production environment.
5.1 VPC
Name | VPC ID | IPv4 CIDR | DHCP options set | Remarks
Kerzner-Production | vpc-0a0223837b56f3b3b | 10.31.64.0/20, 10.31.80.0/20, 10.31.96.0/20 | dopt-083f8be4b14096456 (Kerzner-AWS-DC-DNS) | This VPC has 3 CIDRs to make more subnets and IP addresses available

5.2 Subnets
The subnets below, with their available IP addresses as of 26th Jan 2020, all belong to VPC vpc-0a0223837b56f3b3b (Kerzner-Production).

IPv4 CIDR | Subnet Name | Subnet ID | Available IPs | Availability Zone
10.31.100.0/24 | Public-Subnet-1a | subnet-0f33509ce4b8ada74 | 246 | eu-west-1a
10.31.101.0/24 | Public-Subnet-1b | subnet-05dc12d9daf1fec6a | 250 | eu-west-1b
10.31.102.0/24 | Public-Subnet-1c | subnet-0939b264ea34861d9 | 249 | eu-west-1c
10.31.64.0/24 | group1_ALB_Layer_1a | subnet-03a7adeb7b25c8a7e | 251 | eu-west-1a
10.31.65.0/24 | group1_ALB_Layer_1b | subnet-03c485acac81b156b | 251 | eu-west-1b
10.31.66.0/24 | group1_ALB_Layer_1c | subnet-0f23dcc3271830ada | 251 | eu-west-1c
10.31.70.0/24 | group1_app_Layer_1a | subnet-0c8a88fe6ea70027d | 202 | eu-west-1a
10.31.71.0/24 | group1_app_Layer_1b | subnet-02042ddaa161bdf5a | 235 | eu-west-1b
10.31.72.0/24 | group1_app_Layer_1c | subnet-086ba5c742d6ded35 | 237 | eu-west-1c
10.31.73.0/24 | group1_db_Layer_1a | subnet-0232c06624ecd0520 | 248 | eu-west-1a
10.31.74.0/24 | group1_db_Layer_1b | subnet-0a79db1235ee25c30 | 250 | eu-west-1b
10.31.75.0/24 | group1_db_Layer_1c | subnet-0dd31175759075b3a | 251 | eu-west-1c
10.31.67.0/24 | group1_web_Layer_1a | subnet-077240ea3d9859aa5 | 247 | eu-west-1a
10.31.68.0/24 | group1_web_Layer_1b | subnet-0990f0070847e0ea6 | 250 | eu-west-1b
10.31.69.0/24 | group1_web_Layer_1c | subnet-041efff1e19a007ff | 251 | eu-west-1c
10.31.76.0/24 | group2_ALB_Layer_1a | subnet-0f93d1b15ab1dfdfc | 251 | eu-west-1a
10.31.77.0/24 | group2_ALB_Layer_1b | subnet-02728aaf401284e79 | 251 | eu-west-1b
10.31.78.0/24 | group2_ALB_Layer_1c | subnet-053b82d1dd59d5b44 | 250 | eu-west-1c
10.31.82.0/24 | group2_app_Layer_1a | subnet-070d8b6d14dd817d8 | 249 | eu-west-1a
10.31.83.0/24 | group2_app_Layer_1b | subnet-038b628d6e42ea909 | 251 | eu-west-1b
10.31.84.0/24 | group2_app_Layer_1c | subnet-0db07234d5e35019d | 251 | eu-west-1c
10.31.85.0/24 | group2_db_Layer_1a | subnet-0e42a2a34d24a3107 | 251 | eu-west-1a
10.31.86.0/24 | group2_db_Layer_1b | subnet-077bc4815a90945a7 | 251 | eu-west-1b
10.31.87.0/24 | group2_db_Layer_1c | subnet-00d121a5a215ffdaf | 251 | eu-west-1c
10.31.79.0/24 | group2_web_Layer_1a | subnet-06f17f57315720599 | 248 | eu-west-1a
10.31.80.0/24 | group2_web_Layer_1b | subnet-0c211a426749d6664 | 249 | eu-west-1b
10.31.81.0/24 | group2_web_Layer_1c | subnet-09f246b2ccf0c7095 | 251 | eu-west-1c
10.31.88.0/24 | group3_ALB_Layer_1a | subnet-034ab2be2b01b3b8f | 251 | eu-west-1a
10.31.89.0/24 | group3_ALB_Layer_1b | subnet-051d93b2807d66c96 | 251 | eu-west-1b
10.31.90.0/24 | group3_ALB_Layer_1c | subnet-0bad41e5e016f6575 | 251 | eu-west-1c
10.31.94.0/24 | group3_app_Layer_1a | subnet-04679b5c98561bda6 | 242 | eu-west-1a
10.31.95.0/24 | group3_app_Layer_1b | subnet-01299a1663ff5c489 | 246 | eu-west-1b
10.31.96.0/24 | group3_app_Layer_1c | subnet-014e3ea9e90be403b | 250 | eu-west-1c
10.31.97.0/24 | group3_db_Layer_1a | subnet-0ad17327782d7e86e | 243 | eu-west-1a
10.31.98.0/24 | group3_db_Layer_1b | subnet-09efad9670b0a296d | 244 | eu-west-1b
10.31.99.0/24 | group3_db_Layer_1c | subnet-087b5545cd40a4fbf | 250 | eu-west-1c
10.31.91.0/24 | group3_web_Layer_1a | subnet-00e65ae603e4b7565 | 249 | eu-west-1a
10.31.92.0/24 | group3_web_Layer_1b | subnet-0d63b8549e55856f1 | 249 | eu-west-1b
10.31.93.0/24 | group3_web_Layer_1c | subnet-043892cd8f448ead9 | 251 | eu-west-1c
10.31.106.0/24 | group4_app_Layer_1a | subnet-020779c601c0d6ecd | 242 | eu-west-1a
10.31.107.0/24 | group4_app_Layer_1b | subnet-01fcffbf9d0bb5b58 | 247 | eu-west-1b
10.31.108.0/24 | group4_app_Layer_1c | subnet-0a72aace124258027 | 246 | eu-west-1c
10.31.109.0/24 | group4_db_Layer_1a | subnet-068b80973aa77753c | 246 | eu-west-1a
10.31.110.0/24 | group4_db_Layer_1b | subnet-0d116dd895d57f9ca | 248 | eu-west-1b
10.31.111.0/24 | group4_db_Layer_1c | subnet-0c5cfa86c28babdf0 | 251 | eu-west-1c
10.31.103.0/24 | group4_web_Layer_1a | subnet-0c25bf03c3009de8e | 238 | eu-west-1a
10.31.104.0/24 | group4_web_Layer_1b | subnet-0fe867af5ca19be1d | 244 | eu-west-1b
10.31.105.0/24 | group4_web_Layer_1c | subnet-08a135c19aec50a35 | 250 | eu-west-1c

5.3 Transit Gateway

The AWS Transit Gateway created in the AWS Production account is shared with this account's VPC.

Name | Transit Gateway ID | Remarks
TGW-SS | tgw-0d1fc2ed7298adeaa |

5.4 Transit Gateway Attachments

The Transit Gateway attachment in this production account is associated with VPC ID vpc-0a0223837b56f3b3b and route table tgw-rtb-050e8032ed6fd20e8. Through this transit gateway attachment, the production network connects to other networks through the routes specified with CIDR ranges in the route tables.

Name | Transit Gateway attachment ID | Resource type | Associated route table ID | Association state | Remarks
AWSPRD | tgw-attach-0128e51cfe0f9cbd8 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |
5.5 Customer Gateway
There is no Customer Gateway in the production account; the VPN connection to this account and network goes through the Transit Gateway.
5.6 Virtual Private Gateway
A Virtual Private Gateway was created to connect the AWS production network to the KIM Datacenter through AWS Direct Connect.

Name | Virtual Gateway ID | Remark
AWSPROD to KIMDC | vgw-09fcc8e626cbb27e4 | Connects KIM DC for CloudEndure replication through AWS Direct Connect.

AWS Direct Connect will be disconnected after the KIM DC decommission; after that this Virtual Private Gateway will not be necessary for any purpose.

5.7 EC2 Instances Backup

Amazon EBS Lifecycle Manager is used to automate the creation, retention, and deletion of the snapshots taken to back up the Amazon EBS volumes. Currently the policy below creates a snapshot backup every 12 hours.

Amazon EBS Lifecycle Manager

Snapshot Frequency (RPO) | 12 hrs. (2x Daily)
Recovery Time (RTO) | 30 - 60 mins
Retention Period | 365 days

Policy ID | Resource Type | Summary | Target instances with these tags
policy-005a5f169771ddda9 | INSTANCE | every 12 hours starting at 18:00 UTC. | Backup:Yes

5.8 NAT Gateway

The NAT Gateway in the AWS Production VPC is used for internet access from the EC2 instances in the private subnets.

Name | NAT Gateway ID | Elastic IP address | Remarks
Kerzner-NAT | nat-0ab916ed6d941735f | 52.214.72.193 |

All private subnets within VPC ID vpc-0a0223837b56f3b3b | Kerzner-Production have this NAT Gateway associated.
5.9 Load Balancer & Target Groups
Elastic Load Balancers in the Kerzner AWS environment play a major role in the Production Account. As specified in the High-Level Architecture and the KIP application diagram, the load balancing service is used to make the applications and services accessible across the internal and external networks.

Name | DNS name | State | Availability Zones | Type
Oxi | internal-oxi-1870618599.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbizapp-uat | internal-kipbizapp-uat-953723553.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbizapp | internal-kipbizapp-3193304.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbes-uat | internal-kipbes-uat-433477834.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipbes | internal-kipbes-319342328.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipapp-uat | internal-kipapp-uat-645973359.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
kipapp | internal-kipapp-158776806.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application
DLPEMAILGWINTERNAL | DLPEMAILGWINTERNAL-b5d8f040f5e8d490.elb.eu-west-1.amazonaws.com | active | eu-west-1c | network
DLPEMAILGATEWAY | DLPEMAILGATEWAY-d04cbfb591f64a10.elb.eu-west-1.amazonaws.com | active | eu-west-1c | network
CitrixSF | CitrixSF-da03a755a41f2ede.elb.eu-west-1.amazonaws.com | active | eu-west-1b, eu-west-1a | network
Besuat | besuat-688681073.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
dlp-kerzner-lb | internal-dlp-kerzner-lb-429795583.eu-west-1.elb.amazonaws.com | active | eu-west-1c, eu-west-1a | application
k-app | internal-k-app-627209421.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
ramco | internal-ramco-94347860.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application
sentry | sentry-c1e60ec6d1361aff.elb.eu-west-1.amazonaws.com | active | eu-west-1a | network
sitecore | internal-sitecore-243052522.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application
uat-bubble | internal-uat-bubble-1194002519.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application

Behind the load balancers, the target groups below are associated with the respective load balancers in the AWS Production account.

Name | Port | Health check port | Path | Healthy threshold | Protocol | Target type | Load Balancer | Success codes
besuat | 4430 | traffic-port | / | 5 | HTTP | instance | besuat | 200-400
CitrixSFKIMSTORE | 443 | traffic-port | /citrix/kimstoreweb | 3 | TCP_UDP | instance | CitrixSF | 200-399
DLPEMAILGATEWAY | 25 | traffic-port | | 3 | TCP | ip | DLPEMAILGATEWAY |
DLPEMAILGWNEW | 25 | traffic-port | | 3 | TCP | ip | DLPEMAILGWINTERNAL |
kipapp | 4430 | traffic-port | / | 5 | HTTP | instance | kipapp | 200-404
kipapp-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipapp-uat | 200-400
kipbes | 4430 | 80 | / | 5 | HTTP | instance | kipbes | 200-404
kipbes-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipbes-uat | 200-400
kipbizapp | 4430 | traffic-port | / | 5 | HTTP | instance | kipbizapp | 200-400
kipbizapp-uat | 4430 | traffic-port | / | 5 | HTTP | instance | kipbizapp-uat | 200-400
oxi-oopm | 80 | traffic-port | / | 5 | HTTP | instance | oxi | 200
dlp-kerzner | 443 | traffic-port | / | 5 | HTTPS | instance | dlp-kerzner-lb | 200-403
k-app | 443 | traffic-port | / | 5 | HTTPS | instance | k-app | 200
ramco | 80 | traffic-port | / | 5 | HTTP | instance | ramco | 200
ramco-9080 | 80 | traffic-port | / | 5 | HTTP | instance | ramco | 200
sentry-162 | 162 | traffic-port | / | 5 | UDP | instance | sentry | 200
Sentry-514 | 514 | traffic-port | / | 5 | TCP_UDP | instance | sentry | 200
sentry-1514 | 1514 | traffic-port | / | 5 | TCP_UDP | instance | sentry | 200
sentry-6514 | 6514 | traffic-port | / | 5 | TCP | instance | sentry | 200
sitecore | 4430 | traffic-port | / | 5 | HTTP | instance | sitecore | 200
uat-bubble | 4430 | traffic-port | / | 5 | HTTP | instance | uat-bubble | 200

5.10 Direct Connect
The AWS Direct Connect connection in the production account is used primarily to replicate servers from KIM DC to AWS. This Direct Connect was configured and set up before Hexaware was involved, and it is utilized through the AWS Virtual Private Gateway service and BGP between the AWS and on-premise networks.
The AWS Direct Connect connection will be discontinued once KIM DC is shut down, since this network will then have no role and will not be necessary.
6.0 AWS Preproduction Account

The AWS Preproduction account is used in Kerzner to host the applications for the Pre-Production, UAT and SIT environments.
As of now, the following UAT applications have been migrated to the Pre-Production environment:

1. KIP UAT
2. EDW
3. DRA
4. JDE
5. Opera
6. Ramco
7. Iscala
6.1 VPC
Name | VPC ID | IPv4 CIDR | DHCP options set | Remarks
KIM-Backup-VPC | vpc-0db19b8f878111edc | 10.40.0.0/16 | dopt-0629ff18c0032dfa9 (Kerzner-AWS-DC-DNS) |

6.2 Subnets
The subnets below, with their available IP addresses as of 26th Jan 2020, all belong to VPC vpc-0db19b8f878111edc (Kerzner-UAT).

IPv4 CIDR | Subnet Name | Subnet ID | Available IPs | Availability Zone
10.40.0.0/24 | ALB_Layer_1A | subnet-0fe4fde26fbe2f1da | 250 | eu-west-1a
10.40.1.0/24 | ALB_Layer_1B | subnet-03354a9d665f10eb1 | 249 | eu-west-1b
10.40.2.0/24 | ALB_Layer_1C | subnet-0a8cdd2c2f88357d7 | 251 | eu-west-1c
10.40.6.0/24 | App_Layer_1A | subnet-0e79e8b06c67a8444 | 222 | eu-west-1a
10.40.7.0/24 | App_Layer_1B | subnet-040dd53007827cfb3 | 245 | eu-west-1b
10.40.8.0/24 | App_Layer_1C | subnet-0f70d9be726d0cfdd | 249 | eu-west-1c
10.40.12.0/24 | CloudEndure Replication | subnet-028f41f58f2cc4eb1 | 250 | eu-west-1a
10.40.9.0/24 | DB_Layer_1A | subnet-089aba1ba6eb7b38f | 246 | eu-west-1a
10.40.10.0/24 | DB_Layer_1B | subnet-03a249619b184fd36 | 251 | eu-west-1b
10.40.11.0/24 | DB_Layer_1C | subnet-06a79945eb31aba3e | 251 | eu-west-1c
10.40.3.0/24 | Web_Layer_1A | subnet-0366291116f83acc6 | 246 | eu-west-1a
10.40.4.0/24 | Web_Layer_1B | subnet-0a513f256b070f5b3 | 250 | eu-west-1b
10.40.5.0/24 | Web_Layer_1C | subnet-0343b7e4fd4c5122e | 250 | eu-west-1c

6.3 Transit Attachments

The AWS Transit Gateway created in the AWS Production account is shared with this account's VPC.

Name | Transit Gateway ID | Remarks
| tgw-attach-073a0932ecc6026b1 | Shared

6.4 Transit Gateway Attachments
The Transit Gateway attachment in this account is associated with VPC ID vpc-0db19b8f878111edc and route table tgw-attach-073a0932ecc6026b1. Through this transit gateway attachment, the pre-production network connects to other networks through the routes specified with CIDR ranges in the route tables.

Name | Transit Gateway attachment ID | Resource type | Associated route table ID | Association state | Remarks
AWSPre-Prod | tgw-attach-073a0932ecc6026b1 | VPC | tgw-rtb-050e8032ed6fd20e8 | associated |

6.5 Virtual Private Gateway
A Virtual Private Gateway was created to connect the AWS pre-production network to the KIM Datacenter through AWS Direct Connect.

Name | Virtual Gateway ID | Remark
KIM-Backup-VPG | vgw-0b44ad661a4b72eae | Connects KIM DC for CloudEndure replication through AWS Direct Connect.

AWS Direct Connect will be disconnected after the KIM DC decommission; after that this Virtual Private Gateway will not be necessary for any purpose.
6.6 EC2 Instances Backup

Amazon EBS Lifecycle Manager is used to automate the creation, retention, and deletion of the snapshots taken to back up the Amazon EBS volumes. Currently the policy below creates a snapshot backup every 12 hours.

Amazon EBS Lifecycle Manager

Snapshot Frequency (RPO) | 24 hrs. (1x Daily)
Recovery Time (RTO) | 30 - 60 mins
Retention | 30 Days

Policy ID | Resource Type | Summary | Target instances with these tags
policy-035b92190841872b8 | INSTANCE | every 24 hours starting at 18:00 UTC. | Backup:Yes

DataBase Backup

A full database backup is performed for all production databases every 12 hrs. The database file is moved to a separate S3 bucket with the retention policy below enabled.

A transaction log backup is performed for all production databases every 30 mins. The log file is moved to a separate S3 bucket with the retention policy below enabled.

Bucket Name :- kerznerdbbackup

Database Backup - Retention

1-30 Days | S3 Bucket
31-365 Days | Glacier
6.7 NAT Gateway
The NAT Gateway in the AWS Pre-Production VPC is used for internet access from the EC2 instances in the private subnets.

Name | NAT Gateway ID | Elastic IP address | Remarks
Pre-Prod-NAT | nat-0049aaf4fe5300c9a | 54.77.56.198 |

All private subnets within VPC ID vpc-0db19b8f878111edc | KIM-Backup-VPC have this NAT Gateway associated.
6.8 Load Balancer & Target Groups
The load balancers below are created for the KIP UAT application (internal).

Name | DNS name | State | Availability Zones | Type | Remark
uat-kip-chameleon | internal-uat-kip-chameleon-1148176119.eu-west-1.elb.amazonaws.com | active | eu-west-1b, eu-west-1a | application |
uatbes-kerzner-com | internal-uatbes-kerzner-com-484460573.eu-west-1.elb.amazonaws.com | active | eu-west-1a, eu-west-1b | application |

Target groups behind the above load balancers:

Name | Port | Health check port | Path | Healthy threshold | Protocol | Target type | Load Balancer | Success codes | Monitoring
uat-kip-chameleon | 4430 | 80 | / | 5 | HTTP | instance | uat-kip-chameleon | 200 |
uatbes-kerzner-com | 4430 | 80 | / | 5 | HTTP | instance | uatbes-kerzner-com | |

6.9 Direct Connect

The AWS Direct Connect connection in the Pre-Production account is used primarily for Zerto backup and to replicate servers from KIM DC to AWS. This Direct Connect was configured and set up before Hexaware was involved, and it is utilized through the AWS Virtual Private Gateway service and BGP between the AWS and on-premise networks.
The AWS Direct Connect connection will be discontinued once KIM DC is shut down, since this network will then have no role and will not be necessary.
7.0 AWS Development Account
AWS development account 670091370550 was created and is utilized for the development environments. Currently this account hosts the KIP application development workloads and the Hexaware IMS (infrastructure management) team servers (jump box), which were migrated from KIM DC and are running here.
7.1 VPC
Name | VPC ID | IPv4 CIDR | DHCP options set | Remarks
Kerzner-Dev | vpc-08f48b33c71caf87e | 10.31.40.0/23 | dopt-06b8c1a2a8e17fec7 (Kerzner-AWS-DC-DNS) |

7.2 Subnets
The subnets below, with their available IP addresses as of 26th Jan 2020, all belong to VPC vpc-08f48b33c71caf87e (Kerzner-Dev).

IPv4 CIDR | Subnet Name | Subnet ID | Available IPs | Availability Zone
10.31.40.0/25 | Private-1a | subnet-07f8c7bff89f7db3c | 92 | eu-west-1a
10.31.40.128/25 | Private-1b | subnet-0fa551802443b9eb4 | 122 | eu-west-1b
10.31.41.0/25 | Public-1a | subnet-0e13778cf3023253f | 122 | eu-west-1a
10.31.41.128/25 | Public-1b | subnet-0683808a1783a6948 | 123 | eu-west-1b
7.3 Transit Gateway

The AWS Transit Gateway created in the AWS Development account is shared with this account's VPC.

Name | Transit Gateway ID | Remarks
Not specified | tgw-0d1fc2ed7298adeaa | Shared

7.4 Transit Gateway Attachments
The Transit Gateway attachment in this account is associated with VPC vpc-08f48b33c71caf87e and route table tgw-attach-09e0c62ac8960fba7. Through this transit gateway attachment, the development network connects to other networks through the routes specified with CIDR ranges in the route tables.
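Sections 5.4, 6.4 and 7.4 all describe the same mechanism: the transit gateway route table selects an attachment for a destination by longest-prefix match, and a blackhole route drops traffic even when a broader route would carry it. The Python below is an added illustration for this runbook (not Hexaware or AWS code). The attachment IDs are the three listed in this runbook; the route entries themselves are constructed, because the runbook does not list the contents of tgw-rtb-050e8032ed6fd20e8, and the VPN attachment ID is a placeholder.

```python
"""Added example (not from the runbook): longest-prefix route selection in a
transit gateway route table. Attachment IDs are the runbook's; the routes are
constructed for illustration and the VPN attachment ID is a placeholder."""

import ipaddress
from typing import List, Optional, Tuple

# Constructed view of tgw-rtb-050e8032ed6fd20e8: (destination CIDR, attachment or None = blackhole)
ROUTES: List[Tuple[str, Optional[str]]] = [
    ("10.31.64.0/18", "tgw-attach-0128e51cfe0f9cbd8"),   # production VPC (runbook ID)
    ("10.40.0.0/16", "tgw-attach-073a0932ecc6026b1"),    # pre-production VPC (runbook ID)
    ("10.31.40.0/23", "tgw-attach-09e0c62ac8960fba7"),   # development VPC (runbook ID)
    ("10.0.0.0/8", "tgw-attach-vpn-PLACEHOLDER"),        # assumed on-prem aggregate via VPN
    ("10.99.0.0/16", None),                              # constructed blackhole route
]


def lookup(destination: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (matching CIDR, attachment) for the most specific route, where
    attachment None means the route is a blackhole; None when no route matches."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[int, str, Optional[str]]] = None
    for cidr, target in ROUTES:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cidr, target)
    return None if best is None else (best[1], best[2])


def describe(destination: str) -> str:
    """Human-readable outcome, handy when reading flow logs for dropped traffic."""
    hit = lookup(destination)
    if hit is None:
        return f"{destination}: no route, dropped"
    cidr, target = hit
    if target is None:
        return f"{destination}: blackholed by {cidr}"
    return f"{destination}: {cidr} -> {target}"


if __name__ == "__main__":
    for ip in ("10.31.70.5", "10.40.12.7", "10.31.40.9", "10.99.1.1", "172.16.0.1"):
        print(describe(ip))
```

A blackhole more specific than the 10.0.0.0/8 aggregate is the usual way to fence off a retired range while the aggregate stays in place, which is why a route lookup, not just the presence of a covering route, is needed when diagnosing why a given flow between accounts is dropped.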
7.5 NAT Gateway

The NAT Gateway in the AWS Development VPC is used for internet access from the EC2 instances in the private subnets.

Name | NAT Gateway ID | Elastic IP address | Remarks
DEV-NAT | nat-0b8236dbfeeed35ed | 34.255.201.210 |

All private subnets within VPC ID vpc-08f48b33c71caf87e | Kerzner-Dev have this NAT Gateway associated.
7.6 Elastic IP address

Name | Elastic IP | Allocation ID | Instance | Private IP address | Network Interface ID
| 34.255.201.210 | eipalloc-0eba8de7e81ee551a | - | 10.31.41.93 | eni-02d90c29b03bb8ad2
8.0 AWS Logging
In the Logging account, Powerup Cloud has set up and configured CloudTrail for logging, as detailed in this section.
This AWS account is used for storing the CloudTrail, Config, CloudTrail digest and VPC flow logs. The CloudTrail, Config and CloudTrail digest logs are stored in the S3 bucket aws-controltower-logs-633090644827-us-east-1, w.r.t. the Account ID 633090644827.

The VPC flow logs are stored in the S3 bucket irelandvpcflowlogs.

S3 Bucket Name | Service
aws-controltower-logs-633090644827-us-east-1 | CloudTrail, Config and CloudTrail digest
irelandvpcflowlogs | VPC Flow Logs

In the N. Virginia region, CloudWatch alarms have been created for Authorization Failures, IAM Policy Changes, EC2 Instance Changes, VPC Changes, Network Gateway Changes, Network ACL Configuration Changes, Security Group Configuration Changes, CloudTrail Changes and Console Sign-in Failures.

AuthorizationFailure:
The AuthorizationFailure CloudWatch alarm is triggered when an unauthorized API call is made.
Alarm Name | Conditions
AuthorizationFailures | AuthorizationFailureCount >= 1 for 1 datapoints within 5 minutes

IAM Policy Changes:
The IAM Policy Changes CloudWatch alarm is triggered when an API call is made to change an IAM policy.
Alarm Name | Conditions
IAM Policy Changes | IAMPolicyEventCount >= 1 for 1 datapoints within 5 minutes

EC2 Instance Changes:
The EC2 Instance Changes CloudWatch alarm is triggered when an API call is made to create, terminate, start, stop, or reboot an Amazon EC2 instance.
Alarm Name | Conditions
EC2 Instance Changes | EC2InstanceEventCount >= 1 for 1 datapoints within 5 minutes

VPC Changes:
The VPC Changes CloudWatch alarm is triggered when an API call is made to create, update, or delete an Amazon VPC, an Amazon VPC peering connection, or an Amazon VPC connection to classic Amazon EC2 instances.
Alarm Name | Conditions
VPC Changes | VPCEventCount >= 1 for 1 datapoints within 5 minutes

NETWORK GATEWAY CHANGES:
The Network Gateway Changes CloudWatch alarm is triggered when an API call is made to create, update, or delete a customer or Internet gateway.
Alarm Name | Conditions
Network Gateway Changes | GatewayEventCount >= 1 for 1 datapoints within 5 minutes

NETWORK ACCESS CONTROL LIST CHANGES:
The Network ACL Configuration Changes CloudWatch alarm is triggered when any configuration change happens involving network ACLs.
Alarm Name | Conditions
Network ACL Configuration Changes | NetworkACLEventCount >= 1 for 1 datapoints within 5 minutes

SECURITY GROUP CONFIGURATION CHANGES:
The Security Group Configuration Changes CloudWatch alarm is triggered when configuration changes happen that involve security groups.
Alarm Name | Conditions
Security Group Configuration Changes | SecurityGroupEventCount >= 1 for 1 datapoints within 5 minutes

CLOUDTRAIL CHANGES:
The CloudTrail Changes CloudWatch alarm is triggered when an API call is made to create, update, or delete a CloudTrail trail, or to start or stop logging for a trail.
Alarm Name | Conditions
CloudTrail Changes | CloudTrailEventCount >= 1 for 1 datapoints within 5 minutes

CONSOLE SIGN-IN FAILURES:
The Console Sign-in Failures CloudWatch alarm is triggered when there are three or more sign-in failures during a five minute period.
Name | Conditions
Console Sign-in Failures | ConsoleSigninFailureCount >= 3 for 1 datapoints within 5 minutes
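Each alarm above sits on a CloudWatch metric that a metric filter derives from the CloudTrail records delivered to the logging bucket, evaluated as one datapoint per 5-minute window. The runbook lists the alarm names and thresholds but not the filter patterns; the Python below is an added illustration for this runbook (not PUC, Hexaware or AWS code) that replays a handful of constructed CloudTrail records through predicates modelled on the CIS AWS Foundations Benchmark filters for five of the metrics, buckets the matches into 5-minute windows and reports where each alarm would fire. That the deployed filters are the CIS ones is an assumption; the log records are constructed sample data.

```python
"""Added example (not from the runbook): replay constructed CloudTrail records
through metric-filter predicates modelled on the CIS AWS Foundations Benchmark
(an assumption about what PUC deployed) and evaluate the runbook's alarm
thresholds per 5-minute window. The records below are constructed."""

import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy",
    "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

# metric name (from the runbook) -> (threshold from the runbook, CIS-style predicate)
ALARMS: Dict[str, Tuple[int, Callable[[dict], bool]]] = {
    "AuthorizationFailureCount": (1, lambda r: (
        r.get("errorCode", "").endswith("UnauthorizedOperation")
        or r.get("errorCode", "").startswith("AccessDenied"))),
    "IAMPolicyEventCount": (1, lambda r: r.get("eventName") in IAM_POLICY_EVENTS),
    "SecurityGroupEventCount": (1, lambda r: r.get("eventName") in SECURITY_GROUP_EVENTS),
    "CloudTrailEventCount": (1, lambda r: r.get("eventName") in CLOUDTRAIL_EVENTS),
    "ConsoleSigninFailureCount": (3, lambda r: (
        r.get("eventName") == "ConsoleLogin"
        and r.get("errorMessage") == "Failed authentication")),
}

WINDOW_SECONDS = 300  # the runbook alarms use 1 datapoint over 5 minutes


def window_of(event_time: str) -> int:
    """Bucket a CloudTrail eventTime (e.g. 2020-02-10T10:01:00Z) into a 5-minute window index."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // WINDOW_SECONDS


def count_metrics(records: List[dict]) -> Dict[str, Dict[int, int]]:
    """metric -> {window -> count}: what the metric filters would publish."""
    counts: Dict[str, Dict[int, int]] = {m: {} for m in ALARMS}
    for rec in records:
        w = window_of(rec["eventTime"])
        for metric, (_, matches) in ALARMS.items():
            if matches(rec):
                counts[metric][w] = counts[metric].get(w, 0) + 1
    return counts


def evaluate(records: List[dict]) -> Dict[str, List[int]]:
    """Per metric, the windows in which the alarm condition (count >= threshold) holds."""
    counts = count_metrics(records)
    return {metric: sorted(w for w, n in per_window.items() if n >= ALARMS[metric][0])
            for metric, per_window in counts.items()}


# Constructed sample CloudTrail records (not real log data)
SAMPLE_LOG: List[dict] = json.loads("""[
 {"eventTime":"2020-02-10T10:01:00Z","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation"},
 {"eventTime":"2020-02-10T10:02:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication"},
 {"eventTime":"2020-02-10T10:03:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication"},
 {"eventTime":"2020-02-10T10:04:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication"},
 {"eventTime":"2020-02-10T10:09:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication"},
 {"eventTime":"2020-02-10T10:12:00Z","eventName":"StopLogging"},
 {"eventTime":"2020-02-10T10:12:30Z","eventName":"AuthorizeSecurityGroupIngress"}
]""")

if __name__ == "__main__":
    for metric, windows in evaluate(SAMPLE_LOG).items():
        print(metric, "ALARM in windows" if windows else "OK", windows)
```

In the sample, the three failed console logins between 10:02 and 10:04 fall in one window and reach the threshold of 3, while the fourth failure at 10:09 lands in the next window alone and does not; the same replay against a day of real trail files from the logging bucket is a straightforward way to confirm that the deployed filters still match the events the runbook says they cover.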
NOTE:- Hexaware has not updated or changed any of the above configurations, which PUC set up in this environment. Currently Hexaware follows the same logging setup and will verify the logs in S3 whenever required for investigation and other purposes during the operations state.
9.0 AWS Audit

The Audit AWS account 518804319968 for Kerzner is used to audit the transactions across all AWS accounts and the platform.
The Powerup Cloud (PUC) team set up and configured the AWS GuardDuty and Security Hub services in this account for audit purposes.

Using AWS GuardDuty, all Kerzner AWS accounts are added and audited.

AWS Security Hub gives a comprehensive view of the high-priority security alerts and compliance status across the AWS accounts.

NOTE:- Hexaware has not updated or changed any of the above configuration, which PUC set up in these services. Currently Hexaware follows the same procedure, verifying and actioning the events that trigger compliance findings during the operations state.
10.0 Backup

When Hexaware became involved in this transformation, the backup solution for the migrated servers was not defined. To back up the critical workloads, Production and Pre-Production servers during the migration, Hexaware and Kerzner decided to enable EBS snapshot backup for the migrated and newly built servers in the AWS platform.

Based on the EBS snapshot backup solution, the current backup retention policies have been set up and enabled through tags.

Policy Name | Snapshot Schedule | Policy Start | Retention Duration | Interval Unit Policy
Daily-Snapshot-Backup-Every-12hrs | 12 Hours | 18:00 UTC | 30 Days |

Tag Key | Tag screenshot
Backup | Yes
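The three snapshot policies in this runbook (sections 5.7, 6.6 and the one above) differ only in interval and retention, and all select instances by the Backup:Yes tag. The Python below is an added illustration for this runbook, not Hexaware or AWS code: it builds the PolicyDetails document that Amazon Data Lifecycle Manager accepts for each schedule, lists which instances of a constructed inventory the policy would cover and, more usefully, which it would silently skip, and works out how many snapshots per volume the retention keeps once it has caught up. Policy IDs are not assigned here, and the instance inventory is constructed sample data.

```python
"""Added example (not the runbook's or AWS's own code): express the runbook's
EBS snapshot schedules as Data Lifecycle Manager PolicyDetails, find instances
a policy covers or misses, and size the retained snapshot set per volume.
The instance inventory is constructed sample data."""

from typing import Dict, List

VALID_HOUR_INTERVALS = {1, 2, 3, 4, 6, 8, 12, 24}  # DLM hourly intervals


def build_policy(interval_hours: int, start_time: str, retain_days: int,
                 tag_key: str = "Backup", tag_value: str = "Yes") -> Dict:
    """PolicyDetails in the shape dlm.create_lifecycle_policy(PolicyDetails=...) accepts."""
    if interval_hours not in VALID_HOUR_INTERVALS:
        raise ValueError(f"DLM interval must be one of {sorted(VALID_HOUR_INTERVALS)} hours")
    return {
        "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
        "ResourceTypes": ["INSTANCE"],
        "TargetTags": [{"Key": tag_key, "Value": tag_value}],
        "Schedules": [{
            "Name": f"Every-{interval_hours}h",
            "CreateRule": {"Interval": interval_hours, "IntervalUnit": "HOURS",
                           "Times": [start_time]},
            "RetainRule": {"Interval": retain_days, "IntervalUnit": "DAYS"},
            "CopyTags": True,
        }],
    }


def _tags(instance: Dict) -> set:
    return {(t["Key"], t["Value"]) for t in instance.get("Tags", [])}


def targeted_instances(inventory: List[Dict], policy: Dict) -> List[str]:
    """Instance IDs carrying at least one of the policy's TargetTags."""
    wanted = {(t["Key"], t["Value"]) for t in policy["TargetTags"]}
    return [i["InstanceId"] for i in inventory if _tags(i) & wanted]


def unprotected(inventory: List[Dict], policy: Dict) -> List[str]:
    """Instance IDs the policy will never snapshot: the gap to review."""
    covered = set(targeted_instances(inventory, policy))
    return [i["InstanceId"] for i in inventory if i["InstanceId"] not in covered]


def snapshots_at_steady_state(interval_hours: int, retain_days: int) -> int:
    """Snapshots kept per volume once retention has caught up."""
    return retain_days * 24 // interval_hours


# Constructed inventory (not from the runbook)
SAMPLE_INVENTORY: List[Dict] = [
    {"InstanceId": "i-0aaa111", "Tags": [{"Key": "Backup", "Value": "Yes"},
                                         {"Key": "Name", "Value": "kip-app-01"}]},
    {"InstanceId": "i-0bbb222", "Tags": [{"Key": "Backup", "Value": "No"}]},
    {"InstanceId": "i-0ccc333", "Tags": [{"Key": "Name", "Value": "jumpbox"}]},
]

PRODUCTION = build_policy(12, "18:00", 365)  # section 5.7: every 12 h, keep 365 days
PREPROD = build_policy(24, "18:00", 30)      # section 6.6: every 24 h, keep 30 days

if __name__ == "__main__":
    print("covered:", targeted_instances(SAMPLE_INVENTORY, PRODUCTION))
    print("unprotected:", unprotected(SAMPLE_INVENTORY, PRODUCTION))
    print("snapshots/volume, prod:", snapshots_at_steady_state(12, 365))  # 730
```

Two things the numbers make concrete: moving the 12-hourly policy from 30 days to 1 year, as recorded below for 10-Feb-2020, raises the retained set from 60 to 730 snapshots per volume, which is what drives snapshot storage cost; and because DLM only ever acts on tagged instances, running unprotected() against the real inventory is the check that a newly built or migrated server did not land in AWS without the Backup:Yes tag.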
NOTE:- Based on the on-premise backup policy defined, Kerzner needs Hexaware to propose backup options and retention policies for the AWS workloads (migrated and newly built). The Hexaware Operations team will analyze and propose the long-term backup option to Kerzner.

10-Feb-2020: - Hexaware proposed and set up the transaction backup, stored in an AWS S3 bucket, for the Kerzner database servers. Based on Kerzner's (Vikalp) confirmation, the snapshot backup (system state) retention was increased from 30 days to 1 year.
Aside from this, Hexaware (Arun Dayal Bhatia) is performing due diligence on a new approach to migrate the SQL databases to RDS/Aurora.
11. Operation Inferences

1. Perform an optimization to scale down the underutilized EC2 instances based on AWS Trusted Advisor.
2. Clean up the replication servers that are no longer required for migration and remove them from CloudEndure.
3. Move the Kerzner FSMO roles from the KIM DC Active Directory to the AWS AD servers (Shared Services) and point all Windows EC2 instances to the AWS primary domain controller.
4. Set up an AD Connector to use the Kerzner domain for logging in to the AWS accounts.
5. The Citrix NetScaler appliance runs without high availability; provision one more instance and configure the two into a cluster.
6. Decommission the AWS Direct Connect.
7. Set up auto shutdown and startup on the DEV and IMS infra servers to reduce the running cost.
12. Appendix
The list below covers the AWS services used within the Kerzner AWS accounts.

S. No | Service Name | Description
1 | AWS | Amazon Web Services
2 | S3 | Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
3 | EC2 Instance | Elastic Compute (virtual machine)
4 | EBS | Elastic Block Storage
5 | ELB | Elastic Load Balancer
6 | CloudWatch | Monitoring service for performance and thresholds
7 | CloudTrail | Logging of API events
8 | CheckPoint | Firewall to detect and prevent attacks
9 | Security Group | Acts as a virtual firewall for an instance to control inbound and outbound traffic
10 | ENI | Elastic Network Interface
11 | VPC | Virtual Private Cloud
12 | Transit Gateway | Connects AWS VPCs and on-premise networks to a single gateway
13 | VPN | Virtual Private Network
14 | EIP | Elastic IP address
15 | IAM | Identity and Access Management
16 | Snapshot | A snapshot is a point-in-time copy of an Amazon EBS volume
17 | Subnets | A subnet is a logical subdivision of an IP network
18 | Public Subnet | A public subnet is a subnet associated with a route table that has a route to an Internet gateway.
19 | Private Subnet | A private subnet is a subnet with an IPv4 CIDR block whose route table has no route to an Internet gateway.
20 | AMIs | Amazon Machine Image
21 | Auto Scaling | Monitors and automatically adjusts capacity
22 | Tag | A label assigned to an AWS resource. Each tag consists of a key and a value.
23 | Routes | A route table contains a set of rules, called routes, that are used to determine where network traffic from a subnet or gateway is directed.