Estimated reading time: 4 minutes
The October AWS NET+ Tech Share covered infrastructure migration strategies, innovative AI implementations, and upcoming community events. Here's a summary of the key discussions:
Key Events
- Webinar on NET+ AWS, NET+ GCP, NET+ Kion and CICP (slides and recording)
- NET+ AWS Barn Raising: Amplify AI Build Out (no recording, but blog will be coming soon)
- Upcoming re:Invent Keynote Watch Parties featuring the main keynote, Werner Vogels's infrastructure presentation, and Peter DeSantis's Monday night session
- Are you working on a project on AWS that you’ve been heads down on for the past few months? If so, you should consider submitting a proposal for the 2025 Cloud Forum.
Infrastructure Strategy Insights
Penn State University's Approach
Penn State University shared their comprehensive strategy for infrastructure transformation:
- Operating within a three-year VMware transition timeline
- Focusing on IT department centralization
- Implementing Kubernetes environment in AWS
- Maintaining flexibility between cloud and physical servers
- Taking an "if you build it, they will come" approach to cloud adoption
Cloud Migration Experiences
The UC Office of the President shared their experience migrating on-premises VMs to the cloud:
- Successfully addressing around 92,000 security findings during migration
- Rebuilding applications with new operating systems
- Implementing vulnerability mitigation strategies
Innovation Highlights
AWS shared notable implementations from recent tech conferences:
- UCLA Anderson School of Management: Developed GenAI-powered custom email templates for alumni donation campaigns, featuring adversarial model validation
- UC Irvine: Created an open-source alternative to paid backup services for AWS to S3 data backup
Hybrid Infrastructure Discussion
Several institutions explored hybrid cloud possibilities:
- Interest in AWS Outposts and Azure Stack HCI implementations
- Discussion of EKS Anywhere and ECS Anywhere deployments
- Questions about running EKS Anywhere on AWS Outposts for on-premises Kubernetes management
Conclusion
This Tech Share highlighted the diverse approaches institutions are taking to infrastructure modernization, from full cloud migrations to hybrid solutions. The discussions emphasized the importance of careful planning and consideration of various deployment options to meet specific institutional needs.
Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.
In our recent AWS Town Hall (recording), we discussed a challenge that resonates across the higher education landscape: managing multiple AWS accounts with a focus on strengthening security and maintaining compliance.
The session featured insights from AWS's higher education strategy team and technical experts who shared valuable perspectives on landing zones and AWS Control Tower.
Understanding the Challenge
Patrick Frontiera from AWS's higher education strategy team highlighted that higher education institutions face over 200 compliance regimes, with 24 specifically focused on IT. This complexity is further amplified by the decentralized nature of academic institutions, where IT responsibilities often span across departments and research units.
The key challenges institutions face include:
- Managing numerous evolving compliance requirements
- Balancing innovation with security in decentralized environments
- Coordinating hybrid and multi-cloud infrastructures
- Maintaining consistent security policies across diverse departments
AWS's Approach to Solutions
AWS has developed a comprehensive approach to these challenges, building upon their shared responsibility model. As institutions move towards managed services, AWS takes on more of the security and compliance burden. Some notable solutions include:
- Support for 143 compliance programs relevant to higher education (including FERPA, HIPAA, and NIST 800-171)
- AWS Audit Manager for identifying compliance gaps
- AWS Artifact for generating compliance reports
Landing Zones: A Foundation for Success
Chris Kuehn, AWS Solutions Architect, introduced landing zones as AWS's strategic solution for creating secure, scalable environments. A well-designed landing zone includes:
- Built-in security guardrails and encryption
- Integration with university identity systems
- Unified billing processes
- Pre-configured networking
- Customizable development environments
The Evolution of Landing Zones
The journey of AWS landing zones reflects the maturing needs of higher education:
- Custom-Built Solutions (Early Days)
- AWS Organizations (2017) - Introducing consolidated management
- AWS Control Tower (2019) - Automating setup and management
- Customizations for Control Tower (2020) - Adding flexibility for specific needs
Implementation Best Practices
AWS recommends a flat organizational unit (OU) structure, meaning no nested OUs, to maintain simplicity while accommodating diverse needs. A typical structure includes:
- Management Account (central authority; it sits at the organization root rather than inside an OU, and service control policies do not apply to it)
- Core OU (logging and auditing)
- Shared Services OU (common infrastructure)
- Central IT OU
- Sandbox OU (experimentation space)
- College/Department OUs
- Compliance-Specific OUs (e.g., HIPAA workloads)
Practical Insights from Q&A
The session concluded with valuable questions from attendees. Key takeaways include:
- Testing Updates: Maintain a separate development landing zone for testing Control Tower updates
- Migration Strategy: Use a migration OU with relaxed controls for staging existing accounts
- Existing Organizations: While greenfield deployments are ideal, Control Tower can integrate existing accounts with proper planning
Looking Ahead
As compliance requirements continue to evolve, the structured approach offered by AWS landing zones becomes increasingly valuable. The key is to create guardrails, not roadblocks – enabling innovation while maintaining security.
For institutions looking to implement or optimize their landing zone strategy, AWS offers several solutions and support mechanisms:
- Landing Zone Accelerator (open-source solution)
- AWS Partner Network
- AWS Professional Services
The October GCP NET+ Tech Share covered compliance challenges in GCP, SSL certificate renewal periods, and networking security issues in higher education. Here's a summary of the key discussions:
Recent Events Recap
Two significant events preceded this Tech Share:
- The Google Rapid Innovation Team (RIT) Project Pitch Session showcased several innovative projects.
- The NET+ GCP SAB meeting in NYC featured these RIT project pitches and a presentation from Washington University on GCP Support Plan challenges.
Upcoming Events
Several important events are on the horizon:
- Are you leveraging GCP to power your research or innovate cloud strategies on campus? Share your insights! Submit your Cloud Forum proposal by December 20th
- Webinar on NET+ AWS, NET+ GCP, NET+ Kion, and CICP (October 31, 11am PT/2pm ET)
- R&E FinOps Virtual Conference - January 23, 2025 10am-2pm PST/ 1-5pm EST (tentative)
Compliance in GCP
Vanderbilt University raised concerns about compliance in GCP, particularly in light of new CMMC changes. Key points of discussion included:
- Challenges of self-auditing vs. external audits for Controlled Unclassified Information (CUI)
- Difficulties in maintaining compliance in distributed environments
- The need for tooling or partnerships to create compliant accounts whose baseline controls cannot be undone by the account owner
- Interest in publicly available Terraform scripts (or other infrastructure as code) for setting security baselines
Jeff from Google mentioned a dedicated team that supports compliance audits and shared resources. He will also look internally to see whether a team is working on IaC for automated compliance checks.
SSL Certificate Renewal and Network Security
The discussion shifted to SSL certificate management and network security:
- Apple has proposed lowering the maximum SSL/TLS certificate lifetime to 45 days, and Google has proposed 90 days; at those lifetimes renewal has to be automated rather than handled by hand
- Tailscale was suggested as a potential solution for servers with limited network access to renew SSL certs
- Penn State University expressed interest in moving towards hierarchical firewall rules to simplify complex routing and peering for compliance requirements
Northwestern University shared their experience with Next-Generation Firewall (NGFW) in their Secure Enclave setup, noting challenges with licensing and idle resources.
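The following Python is an added example, not something shown at the Tech Share or written by any of the institutions named above. Given a certificate inventory in the shape `ssl.getpeercert()` returns, it computes each certificate's lifetime, whether it is already past a renew-at-two-thirds deadline, and how many renewals per year a 45- or 90-day maximum forces. The hostnames, dates, fixed "now", and the two-thirds renewal point are constructed assumptions.

```python
"""Added example: size the renewal workload implied by shorter certificate lifetimes.
Not code from the Tech Share; the inventory below is constructed, not real hosts."""
import math
import ssl
from datetime import datetime, timezone

# Constructed inventory. Each entry mimics the notBefore/notAfter strings that
# ssl.getpeercert() returns, which ssl.cert_time_to_seconds() parses.
SAMPLE_INVENTORY = {
    "enclave-web.example.edu":  {"notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Feb 15 00:00:00 2025 GMT"},
    "grant-portal.example.edu": {"notBefore": "Sep 02 00:00:00 2024 GMT", "notAfter": "Dec 01 00:00:00 2024 GMT"},
    "bastion.example.edu":      {"notBefore": "Oct 01 00:00:00 2024 GMT", "notAfter": "Nov 15 00:00:00 2024 GMT"},
}

# Fixed "now" so the demo is reproducible (assumption; use datetime.now(timezone.utc) in practice).
NOW_FOR_DEMO = datetime(2024, 10, 25, tzinfo=timezone.utc)

# Assumption: renew once two-thirds of the validity period has elapsed, the usual
# ACME-client convention (e.g. 60 days into a 90-day certificate).
RENEW_FRACTION = 2 / 3


def _validity_window(cert):
    """Return (notBefore, notAfter) as POSIX timestamps."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def lifetime_days(cert):
    start, end = _validity_window(cert)
    return round((end - start) / 86400)


def renew_by(cert, renew_fraction=RENEW_FRACTION):
    """UTC datetime after which the certificate should already have been replaced."""
    start, end = _validity_window(cert)
    return datetime.fromtimestamp(start + (end - start) * renew_fraction, tz=timezone.utc)


def renewals_per_year(max_lifetime_days, renew_fraction=RENEW_FRACTION):
    """How many renewals per host per year a given maximum lifetime forces."""
    return math.ceil(365 / (max_lifetime_days * renew_fraction))


def plan(inventory, now, max_lifetime_days):
    """Classify each certificate as ok / renew now / expired against `now`, and flag
    those whose current lifetime exceeds the proposed maximum (their next issuance
    will be shorter, so a manual renewal process has to change before then)."""
    report = {}
    for host, cert in inventory.items():
        _, end = _validity_window(cert)
        if now.timestamp() >= end:
            status = "expired"
        elif now >= renew_by(cert):
            status = "renew now"
        else:
            status = "ok"
        report[host] = {
            "lifetime_days": lifetime_days(cert),
            "status": status,
            "exceeds_proposed_max": lifetime_days(cert) > max_lifetime_days,
        }
    return report


if __name__ == "__main__":
    # 398 days is the current CA/Browser Forum maximum; 90 and 45 are the proposals discussed.
    for limit in (398, 90, 45):
        print(f"max lifetime {limit:3d} days -> about {renewals_per_year(limit)} renewals per host per year")
    for host, row in plan(SAMPLE_INVENTORY, NOW_FOR_DEMO, max_lifetime_days=45).items():
        print(host, row)
```

The useful output is the second loop: a host still on a year-long certificate is already overdue under a two-thirds policy and will not be issuable at that length once the maximum drops, which is exactly the population that needs an automated path (or, for network-restricted machines, an out-of-band route such as the one discussed above) before the change lands.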
Future Discussions
The challenges around SSL certificate renewals on network-restricted machines naturally circled back to the conversation about compliance. This prompted planning a networking session with GCP Networking SMEs to address secure access for regulated workloads that remains user-friendly and manageable for IT administrators.
The October AWS NET+ Tech Share covered FinOps challenges, account provisioning strategies, and an upcoming AI chatbot workshop. Here's a summary of the key discussions:
Recent Community Updates
The Landing Zone Accelerator (LZA) Community of Practice continues to meet regularly. For those interested in catching up, recent blog posts are available, including a recap of the NET+ AWS Private Marketplace series and the September Tech Share summary.
Key Events
- NET+ AWS Town Hall (October 16): Focusing on multi-account governance in AWS (slides and recording)
- Are you leading a cloud-powered research project or tackling strategic cloud challenges on campus? Share your expertise! Submit your Cloud Forum proposal by December 20th
- Webinar on NET+ AWS, NET+ GCP, NET+ Kion, and CICP (October 31, 11am PT/2pm ET)
- R&E FinOps Virtual Conference - January 23, 2025 10am-2pm PST/ 1-5pm EST (tentative)
FinOps Challenges and Solutions
A significant portion of the discussion centered around FinOps challenges and potential solutions:
Account Provisioning Strategies
- Implementing Service Control Policies (SCPs) that deny resource creation when required cost-allocation tags are missing.
- Using AWS Control Tower for budget alarms and sandbox account provisioning.
- Setting up cost anomaly detection in new accounts.
Tagging Practices
- Tagging per grant or payment source can be useful, especially in research contexts.
- Dividing resources based on logical isolation (grant, lab, project).
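As an added illustration of both the tag-enforcing SCP under Account Provisioning and the per-grant tagging practice above (this is not code from the Tech Share or from any institution on the call), the following Python builds such a policy and checks a few constructed requests against it. The tag keys (CostCenter, Grant), the set of create actions, and the resource ARN patterns are assumptions chosen for the example.

```python
"""Added example: generate an SCP that denies untagged resource creation, and show
which requests it would block. Not code from the Tech Share; tag keys are assumed."""
import fnmatch
import json

# Assumed institutional tag keys (the Tech Share only says "tag per grant or payment source").
REQUIRED_TAGS = ("CostCenter", "Grant")

# Create calls that support tag-on-create, so aws:RequestTag/* is present in the request
# context. The resource ARNs are scoped deliberately: for ec2:RunInstances the condition is
# evaluated against every resource the call touches (AMI, subnet, security group, ...), and
# those never carry request tags, so a bare Resource "*" would deny every launch.
TAGGABLE_CREATES = {
    "ec2": {"actions": ["ec2:RunInstances", "ec2:CreateVolume"],
            "resources": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]},
    "rds": {"actions": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
            "resources": ["arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*"]},
}


def build_tag_enforcement_scp(required_tags=REQUIRED_TAGS):
    """Return an SCP document (dict) that denies the create calls above when any
    required tag is absent. One statement per (service, tag): the keys inside a single
    Null condition block are ANDed, so listing both tags in one block would only deny
    requests that are missing *both* tags."""
    statements = []
    for service, spec in TAGGABLE_CREATES.items():
        for tag in required_tags:
            statements.append({
                "Sid": f"Deny{service.upper()}CreateWithout{tag}",
                "Effect": "Deny",
                "Action": spec["actions"],
                "Resource": spec["resources"],
                # Null: "true" matches when the key is absent from the request context.
                "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
            })
    return {"Version": "2012-10-17", "Statement": statements}


def would_deny(policy, action, request_tags):
    """Return the Sid of the first Deny statement matching this request, or None.
    This understands only what the generated SCP uses (action globs and the Null
    operator on aws:RequestTag keys); it illustrates the policy's logic and is not
    an IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        null_conditions = stmt.get("Condition", {}).get("Null", {})
        if all((key.split("/", 1)[1] not in request_tags) == (want == "true")
               for key, want in null_conditions.items()):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    scp = build_tag_enforcement_scp()
    print(json.dumps(scp, indent=2))
    # Constructed requests: a fully tagged launch passes, an untagged one is denied,
    # and a volume missing only the Grant tag is still denied (one statement per tag).
    print(would_deny(scp, "ec2:RunInstances", {"CostCenter": "1234", "Grant": "NSF-0001"}))
    print(would_deny(scp, "ec2:RunInstances", {}))
    print(would_deny(scp, "ec2:CreateVolume", {"CostCenter": "1234"}))
```

Attach the generated document to the OUs that hold research or departmental accounts, try it in the Sandbox OU first, and remember that SCPs never constrain the management account; the check above only exercises the policy's own conditions, so it does not replace testing against the real services.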
Cost Control Measures
Northwestern University recommended setting up cost anomaly detection in new accounts to help manage expenses proactively.
University of Wisconsin-Madison's Approach
The University of Wisconsin-Madison shared their strategies for managing cloud resources:
- Using separate accounts for different projects, sometimes multiple accounts per researcher.
- Employing Terraform to standardize cost alerts.
- Utilizing account boundaries as the primary method for cost tracking.
- Offering weekly office hours to assist researchers.
AI Chatbot Workshop Announcement
An exciting announcement was made regarding an upcoming "barn raising" hands-on session to build an AI chatbot using Vanderbilt's GenAI Platform with guidance from developers and architects. Institutions are encouraged to identify appropriate team members to participate in this hands-on workshop, which is estimated to take about 4 hours with proper preparation. For those who need additional guidance, Bob is creating a document to assist institutions in choosing appropriate participants.
Conclusion
This Tech Share provided valuable insights into FinOps challenges and solutions, highlighting the importance of proper account management and cost control in academic cloud environments. The upcoming AI chatbot workshop presents an exciting opportunity for institutions to dive into practical AI application development.
The October 2nd AWS NET+ Tech Share covered collaborative projects, disaster recovery solutions, and cloud migration experiences. Here's a summary of the key discussions.
Recent Highlights and Upcoming Events
- NET+ AWS Tech Jam on AWS Marketplace (recording available)
- Ongoing Landing Zone Accelerator (LZA) Community of Practice meetings
- NET+ AWS Town Hall on October 16 at 11am PT/2pm ET: CCoE and AWS Organizations Best Practices
Collaborative "Barn Raisings"
The group continued to discuss the proposed "barn raisings" – collaborative sessions where community members get together with AWS experts to build out a solution in their environment. Here are some potential sessions that interest the community:
- Indiana University's Audio Transcription Service: A tool that could benefit many institutions dealing with audio content.
- Secure research environments: A crucial need for institutions handling sensitive data.
- Arizona State University's PDF accessibility project: Addressing the important issue of document accessibility in higher education.
Disaster Recovery and Migration Insights
James from Old Dominion University sparked a discussion on AWS Elastic Disaster Recovery (DRS) experiences. Tommy from AWS explained that DRS, formerly CloudEndure, offers block-level replication from source to target, with both migration and DR options.
Rob from Loyola Marymount University shared valuable insights on using AWS Application Migration Service (MGN): While generally effective, MGN presented challenges with edge cases.
Gerard from Boston University (BU) added historical context, noting past issues with VMware agents and instance sizing during migration. These experiences highlight the ongoing challenges in cloud migration and the importance of careful planning.
SAP HANA in the Cloud: Balancing Performance and Cost
Gerard from BU raised a question about running SAP HANA in AWS. Currently using an on-premises solution across two data centers, they're exploring AWS as part of a tech refresh. Some participants with past SAP HANA experience shared how this is a big undertaking and would be interested to hear the outcome of it. Solutions Architects on the call recommended Gerard to talk to his dedicated AWS SA to loop in an SAP HANA specialist from AWS to discuss potential migration plans and their forecasted cost.
Data Lake and Account Management: A Holistic Approach
Max from Wayne State University (WSU) shared insights on their ongoing Data Lake project and AWS migration. His team's work is mainly greenfield: creating a new AWS Organization, setting up Control Tower, designing VPCs, and building an account-provisioning integration with Grouper and Entra ID.
For many folks on the call, this was a trip down memory lane, reminiscent of when they had to migrate their first set of workloads into AWS. We hope that the collective wisdom and experience of this group can help teams like Max's navigate their AWS migration more smoothly and avoid common pitfalls.
Control Tower in Academic Settings
Ethan from Carnegie Mellon University (CMU) inquired about experiences with decommissioning AWS Control Tower. Someone from a quantum computing course in CMU had set up Control Tower in their AWS environment. While no direct experiences were shared, the discussion pointed to AWS documentation and highlighted the growing use of AWS in course settings.
While initially about Control Tower, this conversation also surfaced similar adoption of a less commonly used AWS service, Amazon Braket. Both CMU and BU have a quantum computing course that uses Amazon Braket, and BU reported that the course was well received.
Conclusion
The October AWS NET+ Tech Share demonstrated the higher education community's commitment to collaborative problem-solving and knowledge sharing. From exploring joint projects to discussing the intricacies of cloud migration and specialized use cases like SAP HANA, the discussions reflected the complex and evolving nature of cloud adoption in academic institutions.
Take your AWS Private Marketplace knowledge from theory to practice in this engaging 90-minute hands-on build lab. Designed as a follow-up to our August introduction to Private Marketplace, this session provides cloud and procurement teams from NET+ AWS institutions the opportunity to set up their own Private Marketplace with expert guidance from AWS specialists.
You'll work through a step-by-step process to configure your marketplace, applying the concepts and best practices discussed in the previous session. Our AWS experts will be on hand to provide real-time assistance, ensuring you leave with a functional Private Marketplace tailored to your institution's needs.
This practical session is your chance to implement powerful controls, streamline procurement processes, and optimize cloud resource management for your organization. Don't miss this opportunity to transform your cloud procurement strategy with AWS Private Marketplace.
CICP Subscribers can find slides, recordings, and any other assets here after the meeting. There's even a blog post of it!
The NET+ GCP community reconvenes for an exciting project pitch session, taking over the usual Tech Jam slot. This event marks the culmination of efforts sparked by the August Strat Call, where participants learned about the Rapid Innovation Team (RIT) initiative and began formulating their project ideas (recording).
During this session, members of the NET+ GCP community will have the opportunity to present their project proposals to the NET+ GCP Service Advisory Board (SAB) and Chris Daugherty from Google. Each pitch will showcase innovative ideas that leverage GCP to address critical needs within higher education institutions and potentially benefit the broader academic community.
Presenters will outline their project's objectives, potential impact, and how it aligns with RIT's goal of creating impactful prototypes for the research and education sector. The audience can expect to hear a diverse range of concepts, from AI-driven solutions to data management tools to advising systems and beyond.
After this session, the SAB and Chris will vote to select the top three projects. These finalists' ideas will be presented to the RIT at the face-to-face SAB meeting at Google's NYC offices on October 10.
This pitch session represents a pivotal moment for participants to transform their innovative concepts into tangible plans with the potential for realization through RIT's collaborative engagement. It's an unparalleled chance for higher education institutions to drive technological advancements in their field with the support of Google's expertise and resources.
CICP subscribers can find the slides, recordings, and other meeting assets here.
Higher education is a uniquely complex industry, with many independent groups building unique solutions that are all expected to comply with university policies and applicable regulatory frameworks. Working in AWS introduces a number of new tools: Organizations, Landing Zones, and Control Tower. We’ll discuss the roles of each of these and how you can build a secure and predictable environment for your customers across campus.
AWS Solutions Architect for EDU Chris Kuehn takes us through this month's topic on Wednesday, October 16 at 11am PT/2pm ET.
CICP Subscribers can find slides, recordings, and any other assets here after the meeting.
On September 24, 2024, the Google Rapid Innovation Team (RIT) hosted a Project Pitch Session, bringing together innovative minds from various institutions within the Internet2 NET+ GCP community. This session, which replaced the usual Tech Jam, was a follow-up to the initiative introduced during the GCP Strat Call on August 20 by Google's Chris Daugherty. The goal was to present ideas for prototype game-changing solutions addressing real-world challenges in the research and education community.
The RIT Opportunity
The RIT offers a unique chance to work in 6-week sprints with teams from subscribing institutions to build functional prototypes of software applications. These applications aim to enhance research capabilities, improve student engagement, or streamline administrative processes in higher education.
Presented Ideas
Unlocking Historical Insights with AI and Big Data
Sheila Marie Zellner-Jenkins from the University of Maryland, College Park presented "Applying DocumentAI and BigQuery to diplomatic correspondence from the Allied Occupation of Japan." This project aims to:
- Use DocumentAI for OCR conversion of multilingual documents
- Ingest data into BigQuery for advanced SQL querying
- Employ Looker for data visualization and analysis
The project demonstrates the potential of AI tools in converting archival materials, regardless of language, into accessible digital databases, potentially revolutionizing approaches in various academic fields.
Cloud Migration Coach: Simplifying the Path to GCP
Bob Flynn from Internet2 proposed a "Cloud Migration Coach," addressing the challenge of getting started with Google Cloud. This tool aims to:
- Analyze on-prem architecture diagrams and workflows
- Provide customized migration plans and cost calculator input recommendations
- Pull in targeted learning resources from Google Cloud Skills Boost
Modernizing Applications with AI-Driven Analysis
Gabe Geise from Penn State University proposed an AI application to streamline application modernization efforts that builds on the Cloud Migration Coach idea. It does this by:
- Analyzing GitHub repositories to suggest containerization strategies
- Recommending relevant GCP services for deployment
- Providing documentation and training resources for implementation
This tool could assist in modernizing applications, identifying technical debt, and improving long-term code maintenance.
Pacer: Personalizing Student Time Management
Building on an idea initially mentioned during the August Strat Call, Bob presented "Pacer," a tool designed to help students manage their time more effectively. This concept aims to:
- Create personalized work plans based on students' curricula and commitments
- Ingest syllabi and class calendars to develop day-to-day personal work plans
- Integrate with Google Calendar and learning management systems
- Adapt to individual productivity patterns and preferences
Pacer represents a practical application of technology to address the common challenge of time management faced by students juggling multiple responsibilities. By providing personalized scheduling assistance, it has the potential to significantly improve students' academic performance and overall college experience.
The discussion around Pacer highlighted the importance of user privacy and the potential for the system to learn and improve its recommendations based on user behavior over time.
Next Steps
Following this pitch session, the Service Advisory Board (SAB) and Chris Daugherty will discuss the submissions, maybe add some of their own, and ultimately vote to select the top projects. These projects will be presented to the RIT leadership at a face-to-face SAB meeting on October 10 at Google's NYC offices.
Conclusion
The Google Rapid Innovation Team Project Pitch series of meetings highlights how the NET+ GCP community facilitates collective community conversations and innovative projects leveraging Google Cloud technologies in higher education. As the selection process moves forward, these projects have the potential to contribute to how universities address challenges in research, teaching, administration, and student success, furthering the superpower of collaboration for shared benefit within the higher education community.
You can always find details and recordings of the NET+ GCP quarterly calls on the Cloud Infrastructure Community Program (CICP) calendar.