On average, I design Technical Architecture Solutions for around 10 greenfield TM1 Implementations a year. I was under the impression that I had seen it all, until I was asked to assist a customer with an IBM Cognos BI and TM1 Implementation on AWS, as part of a Hybrid Cloud Solution.
The Hybrid Cloud Solution contains the orchestrated services between the On-Premise Data Centre and AWS. In simple terms, AWS becomes an extension of the On-Premise Data Centre under the Hybrid Cloud Model.
AWS is all about new acronyms, and if terms such as VPC, EC2, EBS, AKS, AMI and Availability Zones (AZ) make sense to you, continue reading. Otherwise, you might want to have a look at the AWS Cheat Sheet.
In this blog I have listed factors to take into consideration for deploying TM1 Workloads on AWS, based on my recent field experience.
The mandate for many Enterprise Customers is for data to not leave the shores of Australia. AWS achieves this requirement via Regions and the underlying Availability Zones.
Figure: AWS Global Infrastructure with Existing and New Regions.
The Asia Pacific (Sydney) Region, also referred to as ap-southeast-2, will be the region of choice for many local customers for obvious reasons.
The Asia Pacific (Sydney) Region has 3 AZs to choose from for the Virtual Infrastructure to be hosted.
Public Cloud BYOSL Policy for IBM Software
The good news is AWS is an Eligible Public Cloud for hosting IBM Cognos TM1 Software as per the IBM Eligible Public Cloud BYOSL Policy.
Figure: PVU Rating for EC2 & Dedicated Instances on AWS.
This is where it gets interesting with the IBM Licensing Regime and AWS. The key focus point is the rating of PVU per vCPU on AWS compared to PVU per Core on Softlayer or Azure. The following statement describes how AWS defines a vCPU.
Each vCPU is a hyperthread of an internal Xeon core for M4, M3, C4, C3, R3, HS1, G2, I2 and D2.
So, what you get on AWS for a vCPU is a single thread of a Core and not a real logical core. AWS calls this a virtual core. However, if you were to have deployed TM1 on Softlayer or Azure you would have had a core to yourself. Something to keep in mind!
To comply with the IBM Virtualisation Capacity Licensing, you would have to install and configure IBM License Metric Tool (ILMT) Agent on the EC2 instances for bookkeeping purposes.
You will be spoilt for choice with the number of EC2 instance types available for selection. The mandatory factor that filters down the EC2 Models for deploying TM1 is the PVU based IBM Licensing Entitlements.
Figure: EC2 Models available for selection containing 4 vCPU.
EBS Volume Encryption
You need Storage for TM1 and the answer from AWS is EBS Volume Types.
They are good candidates for containing TM1 Software, TM1 Instances and any other TM1 related artefacts.
Figure: EBS Volume Types.
EBS Volume Encryption is facilitated by the AWS Key Management Service and encrypts:
- Data at Rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
Since the encryption and decryption of the data is done transparently in the background by AWS, there is no overhead on the EC2 Instance or TM1. The same IOPS Performance can be expected on both encrypted and unencrypted volumes.
It’s a no brainer for EBS Volume Encryption to be chosen when Deploying TM1 on AWS as it helps you to sleep much better even if the EBS Volume falls into the wrong hands.
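A way to confirm that every TM1 volume is actually encrypted and sits in the Sydney region, as an added example that is not part of the original post: the function takes the JSON printed by `aws ec2 describe-volumes` and lists the volumes that fail either check. The sample response, including all IDs, `tm1-` Name tags and the key ARN, is constructed for illustration.

```python
import json

REQUIRED_REGION = "ap-southeast-2"  # Asia Pacific (Sydney)

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
# Volume IDs, instance IDs, tags and the KMS key ARN are made up.
SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "AvailabilityZone": "ap-southeast-2a", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE",
   "Attachments": [{"InstanceId": "i-0prod"}],
   "Tags": [{"Key": "Name", "Value": "tm1-prod-data"}]},
  {"VolumeId": "vol-0bbb", "AvailabilityZone": "ap-southeast-2b", "Encrypted": false,
   "Attachments": [{"InstanceId": "i-0nonprod"}],
   "Tags": [{"Key": "Name", "Value": "tm1-nonprod-data"}]},
  {"VolumeId": "vol-0ccc", "AvailabilityZone": "us-east-1a", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
   "Attachments": [], "Tags": []}
]}
""")


def name_tag(volume):
    """Return the volume's Name tag, or an empty string if it has none."""
    return next((t["Value"] for t in volume.get("Tags", []) if t["Key"] == "Name"), "")


def audit_volumes(response, region=REQUIRED_REGION):
    """List volumes that are unencrypted or hosted outside the required region."""
    findings = []
    for vol in response.get("Volumes", []):
        problems = []
        if not vol.get("Encrypted", False):
            problems.append("unencrypted")
        # Standard AZ names are the region name plus one letter (ap-southeast-2a).
        az = vol.get("AvailabilityZone", "")
        if az[:-1] != region:
            problems.append(f"outside {region} ({az or 'unknown AZ'})")
        if problems:
            findings.append({
                "volume": vol["VolumeId"],
                "name": name_tag(vol),
                "attached_to": [a["InstanceId"] for a in vol.get("Attachments", [])],
                "problems": problems,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE):
        print(finding)
```

An existing unencrypted volume cannot be switched to encrypted in place; the usual route is to snapshot it, make an encrypted copy of the snapshot and create the replacement volume from that copy.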
- Scalability of Memory:
The implication will be a change in cost to your ongoing AWS Bill. Keep the vCPU unchanged and choose a Model that has additional Memory.
- Scalability of vCPU:
The implications will be a change in cost to your ongoing AWS Bill and upfront PVU based IBM Licensing Cost. Choose a Model from the same/different family that has additional vCPU.
Scalability in EC2 is achieved by choosing an EC2 Model that fits close to your requirements.
Figure: Purchasing Options.
On-Demand Instances are great for a TM1 PoC Environment that is infrequently accessed, which could be stopped to save costs off your AWS Monthly Bill. Reserved Instances provide you a discount of up to 75% and are recommended for standard Life Cycle Environments, such as TM1 Non-Production and Production Environments.
Connectivity from On-Premise Data Centre
On a Hybrid Cloud Model, certain services such as Relational Databases, Active Directory Domain Controller and End User Workstations will still be running from the On-Premise Data Centre. Let us say this is located in Melbourne. We also know the AWS Infrastructure is in Sydney.
Hence the Connectivity becomes an important topic, especially if you are deploying TM1 on AWS where:
- TM1 needs to leverage services running in the On-Premise Data Centre
- End Users need to access TM1 running in AWS
Figure: Options available to facilitate this connectivity. Available options are NAT Gateway, VPN Instance, Internet Gateway, VPN Connection using a virtual private gateway, AWS Direct Connect and VPC Peering.
The recent customer project leveraged the AWS Direct Connect for connectivity from AWS to the On-Premise Data Centre, which is a dedicated Fibre Channel with attainable speeds of 1Gbps.
Performance Testing is recommended to be conducted early, as part of the Non-Production environment verification on AWS, to ensure that any factors affecting performance are appropriately addressed.
Some Test Cases to take into consideration:
- Performance when accessing TM1 Web, TM1 Web Applications and Operations Console hosted on AWS from end user workstations.
- Performance of TM1 Perspectives/Architect, Performance Modeler and CAFÉ installed on end user workstations.
- Performance when accessing Data Sources stored in the On-Premise Data Centre from TM1 hosted on AWS via ODBC.
External SSL for TM1 Web
If your organisation has a Risk and Compliance Team, you would already know why this recommendation is being made. Sometimes, Security Requirements can be stringent and they are there for a reason. If that is the case then I strongly encourage you to enable External SSL for TM1 Web.
An extremely useful IBM Technote on achieving this outcome is publicly available.
Isolation of TM1 Lifecycle Environments
My recent experience with AWS indicates that if you require complete isolation between TM1 Non-Production and Production Environments, it is better done through Subnets within the same Availability Zones (AZ) under the VPC.
I still see many customers run critical TM1 Instances with infrequent backups, which would make recovery to today's state literally impossible.
At a minimum, the TM1 Instance needs to be backed up daily, and your retention policy would determine how long you need to retain the backup for. On top of that, there is no harm done with EBS volume snapshots and a backup in the form of an Amazon Machine Image (AMI).
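The EBS snapshot part of that routine can be checked mechanically. The following added example (not from the original post) reads the JSON printed by `aws ec2 describe-snapshots`, reports volumes with no completed snapshot in the last day, and lists snapshots that have passed the retention period. The sample data, the volume IDs and the 30-day retention value are assumptions made for illustration; it does not cover the daily backup of the TM1 Instance itself.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws ec2 describe-snapshots --output json`.
SAMPLE = json.loads("""
{"Snapshots": [
  {"SnapshotId": "snap-01", "VolumeId": "vol-0aaa", "State": "completed",
   "StartTime": "2024-05-09T14:00:00.000Z"},
  {"SnapshotId": "snap-02", "VolumeId": "vol-0aaa", "State": "completed",
   "StartTime": "2024-04-01T14:00:00.000Z"},
  {"SnapshotId": "snap-03", "VolumeId": "vol-0bbb", "State": "completed",
   "StartTime": "2024-05-06T14:00:00.000Z"},
  {"SnapshotId": "snap-04", "VolumeId": "vol-0bbb", "State": "pending",
   "StartTime": "2024-05-10T01:00:00.000Z"}
]}
""")


def started(snap):
    """Parse the snapshot's StartTime into a timezone-aware datetime."""
    return datetime.fromisoformat(snap["StartTime"].replace("Z", "+00:00"))


def backup_gaps(response, volume_ids, now, max_age=timedelta(days=1)):
    """Map each volume lacking a recent completed snapshot to the reason."""
    latest = {}
    for snap in response.get("Snapshots", []):
        if snap.get("State") != "completed":
            continue  # pending or failed snapshots cannot be restored from
        vid = snap["VolumeId"]
        if vid not in latest or started(snap) > latest[vid]:
            latest[vid] = started(snap)
    gaps = {}
    for vid in volume_ids:
        if vid not in latest:
            gaps[vid] = "no completed snapshot"
        elif now - latest[vid] > max_age:
            gaps[vid] = f"last snapshot {(now - latest[vid]).days} day(s) old"
    return gaps


def past_retention(response, now, retention_days):
    """Return IDs of snapshots older than the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(s["SnapshotId"] for s in response.get("Snapshots", [])
                  if started(s) < cutoff)


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 2, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
    print(backup_gaps(SAMPLE, ["vol-0aaa", "vol-0bbb", "vol-0ccc"], now))
    print(past_retention(SAMPLE, now, retention_days=30))
```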
If you fail to plan, you are bound to fail for things in general. Imagine the consequences when disaster strikes and you have no continuity plans.
Based on your organisational needs, you may wish to have a separate VPC configured as a cold standby with the objective of implementing your continuity plans.
If you are looking to plan your AWS deployments of Business Analytics tools across multiple vendor technologies, or would like some more information, please don’t hesitate to contact myself or Tridant today on the following details.