Case Study: Lucidchart's Migration to VPC
MatthewBarlocker
1,103 views
21 slides
Oct 23, 2013
Slide 1 of 21
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
About This Presentation
Originally presented at CloudConnect 2013 in Chicago, IL.
Slide Content
www.lucidchart.com/jobs
Case Study:
Lucidchart'sMigration to VPC
by Matthew Barlocker
Case Study:
Lucidchart'sMigration to VPC
by Matthew Barlocker
www.lucidchart.com/jobs
“The Barlocker”
•Chief Architect at Lucid Software
Incsince 2011
•Bachelors in CS from BYU
•Managed data center,
Rackspace and AWS
deployments
•Love to play board games, go 4-
wheeling, wrestle my sons, and
fly airplanes
•nineofclouds.blogspot.com
“The Barlocker”
•Chief Architect at Lucid Software
Incsince 2011
•Bachelors in CS from BYU
•Managed data center,
Rackspace and AWS
deployments
•Love to play board games, go 4-
wheeling, wrestle my sons, and
fly airplanes
•nineofclouds.blogspot.com
www.lucidchart.com/jobs
Why Lucid Chose VPC
•Same price as EC2 Classic
•Interoperability with existing AWS services
(S3, Route53, etc)
•New features like Internal ELBs and on-the-fly security
group changes
•Heightened security using only private IPs
Why Lucid Chose VPC
•Same price as EC2 Classic
•Interoperability with existing AWS services
(S3, Route53, etc)
•New features like Internal ELBs and on-the-fly security
group changes
•Heightened security using only private IPs
www.lucidchart.com/jobs
Other Benefits
•All ELBs have security groups
•Additional security layer with Network ACLs
•Elastic IPs stay associated with stopped instances
•VPN support for common hardware
•Reserved instances can be transferred between EC2
classic and VPC
Other Benefits
•All ELBs have security groups
•Additional security layer with Network ACLs
•Elastic IPs stay associated with stopped instances
•VPN support for common hardware
•Reserved instances can be transferred between EC2
classic and VPC
www.lucidchart.com/jobs
Drawbacks
•Cost & maintenance of NAT instance(s)
•Setup time
•New terminology
•VPN or SSH tunnel is required to access instances on
private subnets
•Internal DNS names are disabled by default
Drawbacks
•Cost & maintenance of NAT instance(s)
•Setup time
•New terminology
•VPN or SSH tunnel is required to access instances on
private subnets
•Internal DNS names are disabled by default
www.lucidchart.com/jobs
Things You Should Know
•Instances in the public subnets musthave an elastic IP to
communicate with the internet
•NAT instances are just normal instances that are
configured to be routers
•NAT instances must be in a public subnet
•Public & private subnets are defined by their route tables,
network ACLs, and DHCP options
Things You Should Know
•Instances in the public subnets musthave an elastic IP to
communicate with the internet
•NAT instances are just normal instances that are
configured to be routers
•NAT instances must be in a public subnet
•Public & private subnets are defined by their route tables,
network ACLs, and DHCP options
www.lucidchart.com/jobs
Migration Plan
Migration Plan
www.lucidchart.com/jobs
Migration Constraints
•EC2 cannot connect to private VPC servers
•Private VPC server connections must go through the NAT
instances
•EC2 & VPC have different security groups, load balancers,
autoscalegroups
•EC2 & VPC share EBS volumes, snapshots, instance sizes,
zones, regions
Migration Constraints
•EC2 cannot connect to private VPC servers
•Private VPC server connections must go through the NAT
instances
•EC2 & VPC have different security groups, load balancers,
autoscalegroups
•EC2 & VPC share EBS volumes, snapshots, instance sizes,
zones, regions
www.lucidchart.com/jobs
Migration Plan
•Move top layer first
•Move one layer at a time
•Meticulously manage security groups
•Move monitoring/utility servers last
•http://nineofclouds.blogspot.com/search/label/VPC
Migration Plan
•Move top layer first
•Move one layer at a time
•Meticulously manage security groups
•Move monitoring/utility servers last
•http://nineofclouds.blogspot.com/search/label/VPC
www.lucidchart.com/jobs
Starting Layout
Starting Layout
www.lucidchart.com/jobs
Move Webservers First
Move Webservers First
www.lucidchart.com/jobs
Move Next Layer
Move Next Layer
www.lucidchart.com/jobs
Move Databases Next
Move Databases Next
www.lucidchart.com/jobs
Top 5 Pain Points
Top 5 Pain Points
www.lucidchart.com/jobs
5. Setup & Terminology
•Took time to determine which VPC configuration we wanted
•Took time to troubleshoot network ACL and security group
issues
•It took us 3 days with 1 person
•We have not had to revisit the configuration since we got it
working
•Unavoidable
5. Setup & Terminology
•Took time to determine which VPC configuration we wanted
•Took time to troubleshoot network ACL and security group
issues
•It took us 3 days with 1 person
•We have not had to revisit the configuration since we got it
working
•Unavoidable
www.lucidchart.com/jobs
4. Security Groups
•Private VPC instances communicate through the NAT
instances
•EC2 instances only see traffic from the NAT
•EC2 security groups were open to entire VPC
•Avoidable by doing 2 moves –one to public VPC, one to
private VPC
4. Security Groups
•Private VPC instances communicate through the NAT
instances
•EC2 instances only see traffic from the NAT
•EC2 security groups were open to entire VPC
•Avoidable by doing 2 moves –one to public VPC, one to
private VPC
www.lucidchart.com/jobs
3. VPN
•Highly available configuration supported for some
hardware
•We chose OpenVPN, which took 3 days to configure and
test properly
•Avoidable in a number of different ways
3. VPN
•Highly available configuration supported for some
hardware
•We chose OpenVPN, which took 3 days to configure and
test properly
•Avoidable in a number of different ways
www.lucidchart.com/jobs
2. MongoDBElection = Downtime
•MongoDBhas an election process to determine primary
and secondaries
•To elect a primary, a majority of servers must vote
•Because EC2 cannot speak to VPC, we had to move each
server to the public subnet, and then to the private
afterward
•During move from public to private, MongoDBdied for 15
minutes
•Avoidable by not using MongoDB
2. MongoDBElection = Downtime
•MongoDBhas an election process to determine primary
and secondaries
•To elect a primary, a majority of servers must vote
•Because EC2 cannot speak to VPC, we had to move each
server to the public subnet, and then to the private
afterward
•During move from public to private, MongoDBdied for 15
minutes
•Avoidable by not using MongoDB
www.lucidchart.com/jobs
1. NAT Bandwidth
•The traffic between private VPC and EC2 exceeded the
capacity for our NAT instances
•Requests timed out as throughput maxed out
•Downtime of 30 minutes on some services
•Completely avoidable! During the migration, increase size
of NAT instances. Decrease after the migration is done.
1. NAT Bandwidth
•The traffic between private VPC and EC2 exceeded the
capacity for our NAT instances
•Requests timed out as throughput maxed out
•Downtime of 30 minutes on some services
•Completely avoidable! During the migration, increase size
of NAT instances. Decrease after the migration is done.
www.lucidchart.com/jobs
Thank You
Thank You
www.lucidchart.com/jobs
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 1,103
- Slides 21
- Favorites 3
- Age 4425 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
48 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views