MANAGED PUBLIC CLOUD

20200358672 · 2020-11-12

    Abstract

    System for Managing Public Cloud (1) comprising at least a software and hardware arrangement for Basic support (or package A), said arrangement allowing to:

    - Display configuration questions on digital forms and fill up the forms
    - Enable Centralized Billing and Reporting
    - Decide on Security Functionality required among the selected choices
    - Secured Global Account (Owner Level) (Azure)
    - Secured Root Account (AWS)
    - Collection of audit logs with secure storage and retention
    - Determine thresholds for giving Alert on Cloud Billing.

    Claims

    1. System for Managing Public Cloud (1) comprising at least a software and hardware arrangement for Basic support (or package A), said arrangement enabling a user to connect to the system for creating at least an account and to execute or provide two of the following:

    - Display on the user terminal digital configuration forms, let the user fill up the forms, memorize such reply on the memory space attached to the user account after validation by the user, and offer options to select different service packages;
    - Enable Centralized Billing and Reporting;
    - Decide on Security Functionality required among selected choices made by the user and memorized on the memory space attached to the user account;
    - Propose a Secured Global Account (Owner Level) (Azure);
    - Propose a Secured Root Account (AWS);
    - Collect audit logs with secure storage and retention;
    - Determine Alert thresholds for giving Alert on Cloud Billing, said thresholds being determined by the user and memorized on the memory space attached to the user account and to a service package selected.

    2. System for Managing Public Cloud (1) according to claim 1, in which said arrangement enables said user to select at least one Standard Service Requests (SSRs) or at least one set of SSRs, said SSRs memorized on the memory space attached to the user account and to a service package selected.

    3. System for Managing Public Cloud (1) according to claim 1, in which said arrangement is offering to a user the choice of a second option B (or package B) which allows the user to determine in addition: Automated creation and management of a virtual network environment with the following minimal settings, by using the memorized reply of a user for establishing:

    - Two availability zones: Public Subnet, Private Subnet
    - Internet Gateways
    - Static Firewall configurations
    - VPN/WAN Connectivity.

    4. System for Managing Public Cloud (1) according to claim 1, in which said arrangement is offering to a user the choice of a third option C (or package C) which allows the user to determine in addition:

    - to control or execute all functionality via a Business Portal;
    - the Customizable approval workflows supporting customer governance (Azure: T&M only);
    - to select and execute Standard Service Requests allowing the control of various cloud services;
    - Compute Instances;
    - to manage and control DB Instances (AWS only);
    - Compute Storage and backup functions (Azure: restore within console manually);
    - to determine the Firewall settings (policies);
    - to define the Load balancing configurations (AWS only);
    - DNS (AWS only);
    - to integrate all deployed objects into the MPC management framework;
    - to control monitoring, security and availability for all objects;
    - Compute Instances whose Operating system is managed by the customer or ordered on top of this Package.

    5. System for Managing Public Cloud (1) according to claim 1, in which said arrangement offers the choice of a few operational tasks performed by MPC-AWS (2), such as:

    - Creation of new Virtual Private Clouds (VPCs)
    - Creation of new Subnets in VPCs
    - On-Going Management of Subnets in VPCs
    - Documentation of Subnet usage and intended purposes
    - Creation of route tables
    - Creation of Security Groups as part of a project
    - Creation of Security Groups outside of a project.

    6. Method for managing Public Cloud (1) which includes a hardware and software arrangement for executing at least one of the following steps:

    - Displaying digital configuration forms and prompting the user to fill up the forms;
    - Deciding on Security Functionality required among selected choices;
    - Proposing a Secured Global Account (Owner Level) (Azure);
    - Proposing a Secured Root Account (AWS);
    - Collecting audit logs with secure storage and retention;
    - Determining Alert thresholds for giving Alert on Cloud Billing;
    - Automated creation and management by MPC of a virtual network environment with at least one of the following minimal settings:
      - One repository created for the MPC Azure Product;
      - One repository created for the Customer Definitions and deltas;
      - Two availability zones: Public Subnet, Private Subnet;
      - Internet Gateways;
      - Static Firewall configurations;
      - VPN/WAN Connectivity.

    7. Method for managing Public Cloud (1) which includes a hardware and software arrangement for executing at least one of the following steps:

    - Control or execute all functionality via the Business Portal;
    - the Customizable approval workflows supporting customer governance (Azure);
    - Select and execute Standard Service Requests allowing the control of various cloud services;
    - Compute Instances;
    - Manage and control DB Instances (AWS);
    - Compute Storage and backup functions (Azure: restore within console manually);
    - Determine the Firewall settings (policies).

    Description

    SHORT DESCRIPTION OF THE FIGURES

    [0083] Other features, details and advantages of the invention will become apparent upon reading the description which follows with reference to the appended figures, which illustrate:

    [0084] FIG. 1 illustrates the options available for the management of a public cloud on a platform.

    [0085] FIG. 2 represents the position of the MPC in a service stack.

    [0086] FIG. 3 represents use of managing public cloud software in a system for providing a MPC service called CANOPY.

    [0087] FIG. 4 represents the automation architecture of the managing public cloud (MPC) system with Azure.

    [0088] FIG. 5 represents the different subscriptions of 2 different customers from a unique CSP Account.

    DETAILED DESCRIPTION OF DIFFERENT EMBODIMENTS OF THE INVENTION

    [0089] A user may connect over the web to an MPC server to obtain credentials to access a Managed Public Cloud service. The MPC offers several options to the customer.

    [0090] The Managed Public Cloud (MPC) service (1) provides customers a layered approach for the management of a public cloud infrastructure (2) and the workloads contained within. The layers vary from a standard account that the customer can use to perform all their customizations, to a fully managed environment where common requests can be made through a service catalogue with options.

    [0091] The choice of service can be made on an account-by-account basis, meaning that customers can choose to have a Foundation service in a sandbox account, whilst choosing full Instance Management for production purposes.

    [0092] Managed Public Cloud service can be delivered quickly worldwide using cloud management sites in either Poland or other operational center(s) where required.

    [0093] MPC is a multi-cloud service offering management for Microsoft Azure, Azure Stack as well as Amazon Web Services.

    [0094] MPC is also a part of hybrid cloud, where customers can easily integrate the solution with private cloud services from Atos or other third parties. This ensures workloads can be placed optimally to meet cost, infrastructure security and availability requirements, by defining the Load balancing configurations and by determining thresholds for giving Alert on Cloud Billing.

    [0095] Many combinations may be contemplated without departing from the scope of the invention; one skilled in the art will select one depending on economic, ergonomic, dimensional or other constraints which he/she will have observed.

    [0096] More particularly, according to an embodiment illustrated by FIG. 1, the MPC comprises at least:

    [0097] a Cloud controller, that is a storage appliance that automatically moves data from on-premises storage to cloud storage;

    [0098] a Service Broker, required to integrate any service with a Cloud Foundry instance;

    [0099] a Service Backend constituted by several Service instances, each linked to at least one Application, in a Droplet Execution Agent pool (DEA pool), which is responsible for running all applications, monitors all applications (CPU, Memory, IO, Threads, Disk, FDs, etc.), makes all applications look the same to the DEA, expresses the ability and desire to run an application (runtimes, options, cluster avoidance, memory/cpu), alerts on any change in the state of applications, and provides a secure/constrained OS runtime (hypervisor, unix file and user, linux containers, single or multi-tenant).

    [0100] As shown by FIG. 2, the MPC software (1) fits between the OS management and the Public Cloud Infrastructure in the service stack. The MPC software includes different modules at this position: console, architecture, catalogue, monitoring and compliance. The Data center, network, storage, server and virtualization are included in the Public Cloud Infrastructure (2), for example Microsoft AZURE or Amazon AWS.

    [0101] The MPC service offers three options to the customer.

    [0102] Foundation service is Basic support/package A, which is the entry level service allowing, by a combination of hardware and software arrangement, the use of all native cloud functionality via the cloud API/console.

    [0103] The Customer receives an account with permissions to add and manage additional accounts and account privileges in self-management.

    [0104] Basic support or package A is limited to:

    [0105] Configuration questions. Today this is done via a set of onboarding workshops, captured via spreadsheets that in turn are used to drive JSON based configuration files.

    [0106] Centralized Billing and Reporting.

    [0107] Security Functionality. Several options are available and selectable depending on customer requirements:
    [0108] Secured Global Account (Owner Level) (Azure), or
    [0109] Secured Root Account (AWS).

    [0110] Collection of audit logs with secure storage and retention. Storage is the place where the collection is stored; retention is the policy around how long the logs are stored for. The logs are stored with restricted access, meaning you need specific permissions to be able to look at them, and no one can delete them.

    [0111] Alert on Cloud Billing threshold.

    [0112] JSON based configuration files are used by MPC to determine whether the AZURE cloud (2), the AWS Cloud (2) or a third private cloud should be used, and enable the user to access the AZURE or AWS set of Standard Service Requests (SSRs) to make their selection of services.

    [0113] In addition to Package A, the system for Managing Public Cloud (1) offers a second option B which allows, on said arrangement, automated creation and management of a virtual network environment by using captured information from the customer requirements, which is fed into scripts that configure each account as required, with at least one of the following minimal settings:
    [0114] Two availability zones: Public Subnet, Private Subnet;
    [0115] Internet Gateways;
    [0116] Static Firewall configurations;
    [0117] VPN/WAN Connectivity.

    [0118] The virtual machines of the at least one public cloud managing system control engine, the at least one network node device of the cloud, or the at least one virtual network environment are configured to execute portions of the specific settings, wherein the portions of the specific settings are distributed based on capacity and efficiency characteristics of the respective virtual machine of the at least one public cloud managing system control engine, the at least one network node device of the cloud, or the at least one virtual network environment.

    [0119] Changes to the cloud environment are controlled through a Business portal by a hardware and software arrangement. One Cloud Account can have only one Service Variant selected: A, B or C.

    [0120] The Customer receives an account to self-manage accounts. Rights are limited to services not managed by the Managing Public Cloud system (1), which can be accessed via the native cloud console/API.

    [0121] The customers are informed on Technical updates applied to the service by an update hardware and software downloading arrangement.

    [0122] Customer can have many cloud accounts with different Service packages, as represented in FIG. 4.

    [0123] In addition to both of the above options, a third option C allows, by a hardware and software arrangement:
    [0124] to control or execute all functionality via the Business Portal;
    [0125] Customizable approval workflows supporting customer governance (Azure only);
    [0126] Standard Service Requests allowing the control of various cloud services:
    [0127] Compute Instances;
    [0128] DB Instances (AWS only);
    [0129] Compute Storage and backup functions (Azure: restore within console manually);
    [0130] the Firewall settings (policies);
    [0131] the Load balancing configurations (AWS only);
    [0132] DNS (AWS only);
    [0133] to integrate all deployed objects into the MPC management framework;
    [0134] to control monitoring, security and availability for all objects;
    [0135] Compute Instances whose Operating system is managed by the customer or can be ordered on top of this Package.

    [0136] One of the key differences between package B and package C subscriptions involves the responsibility model. With package C, the MPC service provider, such as Atos, has full responsibility and control over the subscription, enabling customers to focus on their core business and simply consume managed Azure services through fully automated Self Service Requests in ServiceNow (3). For customers that need to have more control over the Azure environment, package B might be more suitable. Scenarios include, but are not limited to, customers that have a CI/CD process in place or use a different ITSM product and do not want to integrate with ServiceNow.

    [0137] MPC Azure Package B is built around a shared responsibility model where Atos is still responsible for most of the foundational services, such as Azure subscription governance, networking and monitoring, but the customer can be delegated control at resource group level to enable them to deploy and manage their own resources through the Azure portal and RESTful APIs.
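    The account definition that [0104]-[0112] and [0119]-[0135] describe (JSON-driven configuration, one service package per cloud account, a provider-specific secured global or root account, access-restricted and non-deletable audit logs with a retention period, user-chosen billing alert thresholds, and AWS-only or Azure-only features) can be checked mechanically before any configuration script runs. The validator below is an added example, not code from the patent or from Atos; the JSON key names, the feature identifiers and the two sample definitions are assumptions constructed for illustration.

```python
import json

# Names below are assumptions; the page gives no schema. Provider-only package C
# features ([0125]-[0132]), package B network settings ([0114]-[0117]) and the
# provider-specific privileged-account option ([0108]-[0109]).
PROVIDER_ONLY = {"approval_workflows": "Azure", "db_instances": "AWS",
                 "load_balancing": "AWS", "dns": "AWS"}
REQUIRED_NETWORK = {"availability_zones", "internet_gateways", "static_firewall", "vpn_wan"}
PRIVILEGED_ACCOUNT = {"Azure": "secured_global_account", "AWS": "secured_root_account"}


def validate_account(cfg: dict) -> list:
    """Return the rule violations found in one account definition (empty list = acceptable)."""
    errors = []
    provider = cfg.get("provider")
    if provider not in PRIVILEGED_ACCOUNT:
        return [f"provider must be Azure or AWS, got {provider!r}"]

    # One cloud account can have only one service variant A, B or C ([0119]).
    packages = cfg.get("packages", [])
    if len(packages) != 1 or packages[0] not in ("A", "B", "C"):
        return ["exactly one service package (A, B or C) must be selected"]
    package = packages[0]

    security = cfg.get("security", {})
    if not security.get(PRIVILEGED_ACCOUNT[provider]):
        errors.append(f"{PRIVILEGED_ACCOUNT[provider]} must be enabled on {provider}")

    # Audit logs: restricted access, no deletion and an explicit retention ([0110]).
    audit = security.get("audit_logs", {})
    if not audit.get("restricted_access") or audit.get("deletable", True):
        errors.append("audit logs must be access-restricted and non-deletable")
    if audit.get("retention_days", 0) <= 0:
        errors.append("audit log retention must be a positive number of days")

    # Billing alert thresholds are chosen by the user and must be meaningful ([0111]).
    thresholds = cfg.get("billing_alert_thresholds", [])
    if not thresholds or any(t <= 0 for t in thresholds):
        errors.append("at least one positive billing alert threshold is required")

    # Packages B and C add the automated virtual network environment ([0113]-[0117]).
    if package in ("B", "C"):
        network = cfg.get("network", {})
        for key in sorted(REQUIRED_NETWORK - set(network)):
            errors.append(f"package {package} requires network setting {key!r}")
        zones = network.get("availability_zones", [])
        if len(zones) < 2 or not all({"public_subnet", "private_subnet"} <= set(z) for z in zones):
            errors.append("two availability zones, each with a public and a private subnet, are required")

    # A provider-specific feature may only be requested on the matching cloud.
    for feature in cfg.get("features", []):
        allowed = PROVIDER_ONLY.get(feature, provider)
        if allowed != provider:
            errors.append(f"feature {feature!r} is {allowed}-only and cannot be used on {provider}")
    return errors


def billing_alerts(spend: float, thresholds: list) -> list:
    """Return the user-defined thresholds that the current spend has reached, lowest first."""
    return sorted(t for t in thresholds if spend >= t)


# Constructed sample definitions (not taken from the page): a valid AWS package B
# account, and an Azure package C account that wrongly requests AWS-only features.
AWS_PACKAGE_B = json.loads("""{
  "provider": "AWS", "packages": ["B"],
  "security": {"secured_root_account": true,
               "audit_logs": {"restricted_access": true, "deletable": false, "retention_days": 365}},
  "billing_alert_thresholds": [1000, 5000],
  "network": {"availability_zones": [["public_subnet", "private_subnet"], ["public_subnet", "private_subnet"]],
              "internet_gateways": 1, "static_firewall": true, "vpn_wan": "site-to-site"}
}""")
AZURE_PACKAGE_C = json.loads("""{
  "provider": "Azure", "packages": ["C"],
  "security": {"secured_global_account": true,
               "audit_logs": {"restricted_access": true, "deletable": false, "retention_days": 90}},
  "billing_alert_thresholds": [2000],
  "network": {"availability_zones": [["public_subnet", "private_subnet"], ["public_subnet", "private_subnet"]],
              "internet_gateways": 1, "static_firewall": true, "vpn_wan": "express-route"},
  "features": ["approval_workflows", "db_instances", "dns"]
}""")

if __name__ == "__main__":  # stand-alone demo
    print(validate_account(AWS_PACKAGE_B) or "AWS_PACKAGE_B: OK")
    print(validate_account(AZURE_PACKAGE_C))
```

    The Azure sample is rejected only for its two AWS-only features, which is the kind of mismatch the JSON files of [0112] have to catch before an SSR is sent to the wrong cloud.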

    [0138] The MPC Service is operated centrally by an MPC-provider, which provides a hardware and software arrangement for:
    [0139] Engineering and cloud operations support on the service with trained/skilled staff;
    [0140] AWS support with an L4 skilled team;
    [0141] All Cloud functionality executed remotely by using the AWS console;
    [0142] Managed OS on instances on top of MPC, which needs to be delivered by the local GBU;
    [0143] Modules with needed customer interaction to deliver the service option:
    [0144] Managed Customer Connectivity;
    [0145] Federation Solution.

    [0146] Visual Studio Team Services (VSTS) is used as the integration point between Bitbucket and Azure & Continuous Integration/Continuous Delivery.

    [0147] Atlassian Bitbucket will be used for source control. All code developed must be committed to the source control repository. Bitbucket is the standard source control used within MPC service. Bitbucket integrates with Jira and Confluence.

    [0148] Bitbucket is a web-based version control repository hosting service owned by Atlassian.

    [0149] Bitbucket needs a clear structure to avoid any ambiguity: it must be clear where to store/find a particular type of artifact.

    [0150] Source Control: All code developed must be stored in a source control repository. The MPC service will use Atlassian Bitbucket for source control.
    [0151] One repository will be created for the MPC Azure Service or for the MPC AWS Service, depending on selections made by the customer;
    [0152] One repository (4) will be created for each different Customer Definitions and Subscriptions (subscription 1 or 2 of customer 1, as shown on FIG. 5) and deltas.

    [0153] The managing public cloud system (1) comprises a hardware and software arrangement for enabling the user to select one or several service requests among a set of Standard Service Requests (SSRs) adapted either for AWS or for AZURE, and thereafter to send these requests either to AWS or AZURE for implementation.

    [0154] Each account can select different sets of SSRs, chosen in regard of the role the user will have. Thus, with this system for MPC, the choice of SSRs can be made on an account-by-account basis.

    [0155] Several SSRs, or a set of SSRs, can be specific to security functionality and to deciding which one is required among selected choices made by the user and memorized on the memory space attached to the user account, while other SSRs, or another set, can be specific to collecting audit logs with secure storage and retention.

    [0156] In some embodiments, SSRs can be selected to execute or provide any of the following:
    [0157] Display on the user terminal digital configuration forms, let the user fill up the forms and memorize such reply on the memory space attached to the user account after validation by the user;
    [0158] Enable Centralized Billing and Reporting;
    [0159] Decide on Security Functionality required among selected choices made by the user and memorized on the memory space attached to the user account;
    [0160] Propose a Secured Global Account (Owner Level) (Azure);
    [0161] Propose a Secured Root Account (AWS); Collect audit logs with secure storage and retention;
    [0162] Determine thresholds for giving Alert on Cloud Billing, said thresholds being determined by the user and memorized on the memory space attached to the user account.

    [0163] Thanks to that, each user can select a specific package and specific SSRs, adapting the possibilities of his account to the user's role.

    [0164] AWS Standard Service Requests (SSRs) are grouped in Clusters:
    [0165] To effect Computation: related to virtual machines, VM firewall rules, storage and backup;
    [0166] To manage Database: related to RDS (Relational Database Service) and snapshots/backup;
    [0167] To effect Object Storage: related to S3 requests;
    [0168] To manage Environment: related to VPC (Virtual Private Cloud) requests;
    [0169] To manage Load balancer: related to Load balancer configurations.

    [0170] In addition, Custom Tags and Cost Center can be added to SSRs when creating the resource to enable comprehensive billing reporting.

    [0171] A high level of automation is established in MPC AWS services by a hardware and software arrangement:
    [0172] VPC deployment & configuration, VPC peering between MPC-provider tooling and customer resource accounts, S3 bucket policies based on accounts, IAM VPC peering based on accounts, Auto tagging of AWS assets;
    [0173] Most SSRs are fully automated.

    [0174] The AWS set of Standard Service Requests (SSRs) can be:
    [0175] Add Storage Virtual Server
    [0176] Change Owner of Virtual Server
    [0177] Create Snapshot
    [0178] Delete Storage Virtual Server
    [0179] Delete Virtual Server
    [0180] Delete Snapshot
    [0181] Expand Storage Virtual Server
    [0182] Power On/Off or Restart Virtual Server
    [0183] Create an Image from a Snapshot
    [0184] Change Virtual Server T-shirt size
    [0185] Create Virtual Server
    [0186] Change Security Group Virtual Server
    [0187] Create Load Balance
    [0188] Delete Load Balance
    [0189] Change Load Balancer Health Check policy
    [0190] Add or Remove Instance to a Load Balancer
    [0191] Create or Change Object Storage Lifecycle policy
    [0192] Add or Remove Security Group to a Load Balancer
    [0193] Request Key Pair
    [0194] Create Relational Database
    [0195] Delete Relational Database
    [0196] Restart Relational Database
    [0197] Snapshot Relational Database
    [0198] Change Relational Database
    [0199] Restore Relational Database
    [0200] Delete Object Storage bucket
    [0201] Create Object Storage bucket
    [0202] Create IAM user account
    [0203] Delete IAM user account
    [0204] Copy Virtual Server
    [0205] Virtual Server Service Generic Request
    [0206] Extend lease period
    [0207] Relational Database Service Generic Request
    [0208] Delete Network Security Group
    [0209] Create or Modify DNS Zone
    [0210] Network Service Generic Request
    [0211] Create Network
    [0212] Object Storage Service Generic Request
    [0213] Detach Storage Virtual Server
    [0214] Create Volume from Snapshot
    [0215] Restore a Volume from a Snapshot
    [0216] Backup Virtual Server and applications
    [0217] Create Amazon Account
    [0218] Load Balancer Service Generic Request

    [0219] The AZURE set of Standard Service Requests (SSRs) is grouped in Clusters for:
    [0220] Virtual Machine: related to virtual machines
    [0221] Storage: snapshots/backup
    [0222] Snapshot: related to VM Snapshots
    [0223] Scheduled Actions: scheduled start/stop requests
    [0224] Backups: Scheduled and ad-hoc backup and restore requests
    [0225] OMS: monitoring related requests

    [0226] The AZURE set of Standard Service Requests (SSRs) can be:
    [0227] Create Resource Group
    [0228] Change Resource Group
    [0229] Create Virtual Server
    [0230] Start Virtual Server
    [0231] Restart Virtual Server
    [0232] Stop Virtual Server
    [0233] Change Virtual Server T-shirt size
    [0234] Change Virtual Server Region
    [0235] Delete Virtual Server
    [0236] Change Virtual Server Management
    [0237] Add Storage Virtual Server
    [0238] Expand Storage Virtual Server
    [0239] Delete Storage Virtual Server
    [0240] Create Snapshot
    [0241] Restore Snapshot
    [0242] Delete Snapshot
    [0243] Create Schedule for Virtual Server
    [0244] Edit Schedule for Virtual Server
    [0245] Delete Schedule for Virtual Server
    [0246] Restore Backup of a Virtual Server
    [0247] Create Ad-hoc Backup

    [0248] FIG. 3 shows the use of managing public cloud software in a system for implementing a service called CANOPY enabling the use and operation of an orchestrated hybrid cloud platform.

    [0249] The managing public cloud software used in CANOPY is integrated in the second application layer to orchestrate public cloud.

    [0250] The first layer represents a service software executed on at least a processor of a platform to orchestrate services on behalf of a customer and provide end to end management in the hybrid cloud, through dialog with a second layer of several integrated software for application transformation and a third layer of other integrated software for infrastructure brokering with the different private or public clouds managed by the integrated software, such as VMware for a private cloud, and AZURE or AWS for a public cloud.

    [0251] The full list of operational tasks to be executed by MPC to switch on the AWS cloud is listed here below:
    [0252] Development of VPC Engineering Standards
    [0253] Approval of VPC Engineering Standards
    [0254] Creation of new VPCs
    [0255] Creation of new Subnets in VPCs
    [0256] On-Going Management of Subnets in VPCs
    [0257] Approval of Subnet changes
    [0258] Documentation of Subnet usage and intended purposes
    [0259] Creation of route tables
    [0260] Modification of route tables
    [0261] Approval of route table changes
    [0262] Creation of Security Groups as part of a project
    [0263] Creation of Security Groups outside of a project
    [0264] Approval of the creation/modification of Security groups
    [0265] Modifying Security Groups
    [0266] Maintenance of Security Group documentation
    [0267] Creation of HA-Proxy instances
    [0268] Maintenance of HA-Proxy Instances
    [0269] CSR generation for SSL maintenance
    [0270] Importation of SSL certs into HA-Proxy
    [0271] Creation of NAT instances
    [0272] Maintenance of NAT instances
    [0273] Documentation of NAT instances
    [0274] Termination of NAT instances
    [0275] Creation of Internet Gateways
    [0276] Maintenance of Internet Gateways
    [0277] Termination of Internet Gateways
    [0278] Creation of AWS Console Accounts
    [0279] Domain Name Registration
    [0280] Route 53 Hosted Zone creation
    [0281] Route 53 Hosted Zone maintenance
    [0282] Route 53 Hosted Zone deletion
    [0283] Approval of Route 53 Add/Modify/Delete
    [0284] Route 53 Health Check Creation
    [0285] Route 53 Health Check Modify
    [0286] Route 53 Health Check Delete
    [0287] Route 53 and ELB integration
    [0288] Establishment of Route 53 Standards
    [0289] Approval of Route 53 standards
    [0290] Creation of ELBs
    [0291] Modification of ELB Health Checks
    [0292] Modification of ELB Targets
    [0293] Deletion of ELBs
    [0294] Documentation of ELB configuration
    [0295] Approval of ELB Add/Delete/Modify
    [0296] Development of ELB Standards
    [0297] Integration of ELB with Route 53 Health checks
    [0298] Creation of CSR for SSL cert creation
    [0299] Order of SSL Cert
    [0300] Installation of SSL Cert
    [0301] Creation of S3 Bucket
    [0302] Support end users to be able to upload objects into S3 Bucket
    [0303] Approval of S3 usage and Bucket creation
    [0304] Uploading of S3 objects
    [0305] Moving of S3 objects
    [0306] Deletion of S3 objects
    [0307] Deletion of S3 buckets
    [0308] Creation of IAM policies for S3
    [0309] Creation of AWS Console accounts for S3 Access
    [0310] Approval of S3 account creation
    [0311] Creation of EC2 Instances as part of a project
    [0312] Creation of EC2 Instances outside of a project
    [0313] Modification of EC2 instances
    [0314] Instance Power On/Hard Power Off/Reset
    [0315] Creation of EBS Volumes as part of a project
    [0316] Creation of EBS Volumes outside of a project
    [0317] Creation of EC2 Tagging
    [0318] Changes to EC2 Tagging
    [0319] EBS Snapshot Setup
    [0320] EBS Snapshot Maintenance/Cleanup
    [0321] Deletion of EC2 Instances
    [0322] Set EC2 standards
    [0323] Approval of EC2 standards
    [0324] Generation of Key Pairs
    [0325] Creation of DB Instances
    [0326] Modification of DB Instances
    [0327] Snapshot Maintenance
    [0328] DBMS Modification
    [0329] Deletion of DB Instances
    [0330] Set RDS Standards
    [0331] Approval of RDS Standards
    In addition, the MPC service provider, such as Atos, offers a variety of add-on services, which are relevant either to an account or to an individual workload. Examples of such value added services are:
    [0332] Customer onboarding to the Atos Managed Public Cloud Services.
    [0333] Customer Image Management: packages Server/Application images for Variant C runnable at the respective public cloud.
    [0334] Managed Customer Connectivity: creates a private connection with the customer network with VPN configurations, or via a private VPN connection to the public cloud service provider datacenter, on a project basis.
    [0335] Customer Federation Solutions: integrate an external Identity Management system.
    [0336] Customer Server Migrations: migrate workload from and to public cloud on a project managed basis.
    [0337] Managed High Complexity Backup: agents running on the virtual machine enable an application aware backup.
    [0338] OS Management: availability, security and patch management up to the operating system (available on a project basis).
    [0339] DNS Management: configures and xxxxx the public cloud service provider DNS service.
    [0340] Instance Backup: backup of virtual machines with cloud native methods.
    [0341] Managed Object Storage: provides object storage (S3-AWS or Blob-Azure) to deployed virtual machines.

    [0342] It will be easily understood upon reading the present application that the particularities of the present invention, as generally described and illustrated in the figures, may be arranged and designed according to a great variety of different configurations. Thus, the description of the present invention and the related figures are not provided for limiting the scope of the invention but simply illustrating selected embodiments.

    [0343] One skilled in the art will understand that the technical features of a given embodiment may in fact be combined with features of another embodiment unless the opposite is explicitly mentioned or if it is obvious that these features are incompatible. Further, the technical features described in a given embodiment may be isolated from the other features of this embodiment unless the opposite is explicitly mentioned.

    [0344] It should be obvious to persons skilled in the art that the present invention allows embodiments under many other specific forms without departing from the field defined by the scope of the appended claims; these embodiments should be considered as an illustration and the invention should not be limited to the details given above.