So maybe the trend of the talk is about implementing Cloud Foundry right into the middle of an existing data center. Jürgen and I just want to talk about the experiences we had doing this approach, which is a little bit different from the other approaches where Cloud Foundry is implemented as an island just beside the existing stuff, to make a lot of innovation there, and the old installations are left behind.

Maybe we introduce ourselves very shortly. My name is Andreas Landenberger. I worked more than 20 years for IBM before I joined DATEV in 2009. Since then I'm working on developing our platforms at DATEV, and my mission is to build a very good platform for our future applications and to make this future proof.

Yeah, I welcome everybody from me as well. My name is Jürgen Susner. I work for DATEV for about 12 years now. I was once a Java EE developer, I was five years a WebSphere admin, and for two and a half years I'm building, together with Andreas, the DATEV cloud platform right in the middle of the DATEV data center.

Okay, maybe first it makes sense that we introduce DATEV to you. DATEV is a cooperative. The main reason for founding DATEV is in the quote here below: the idea was to tackle as a group what each of us would not have managed on their own. This is the mission of our founder, and this is very important for all we do at DATEV. So we are there for the benefit of the members of DATEV. We are not a company which is making a lot of money for shareholders. We are supporting our members, and this is also something which goes right down to the decisions we sometimes make at DATEV. These long-term investments we see at DATEV sometimes help us a lot, because we are not driven by quarters. But sometimes they also hinder us, because we as DATEV, as a company, always have to be very careful not to get into economic interests together with our members, to collide with their interests.

As end users for our applications, we do not only have the DATEV members, but we also have a lot of clients of the DATEV members. More than 100,000 small and medium-sized companies in Germany are collaborating over the DATEV data center with their tax advisors and their lawyers. So this is very important for the business we are running. So the DATEV data center is the collaboration platform for these things.

Now if we talk about the DATEV data center, what is the main information here? On the one hand side, in the DATEV data center we have mainframes, we have AIX systems, Unix systems, big ones, and we have thousands of Windows and Linux servers. All of this is spread out over three data centers we have in Nuremberg in Germany, and these three data centers are coupled via fiber channels. From the business point of view, this platform is used, for example, to generate more than 30 million payslips each month and process all the payments of this. It is used to store more than 750 electronically stored documents which are exchanged between the clients of the tax advisors, for example, and the tax advisor, so that the tax advisor can do the booking on it. And this data center also does all the electronic processing between a tax advisor or a small and medium-sized company and all the revenue institutes in Germany to determine states to pay taxes, all the social insurance companies and so on. So there's a lot of data processing there.

Now, why do we need at DATEV such a cloud platform? What is the driver behind this? First, let's take a look backwards. How are applications at DATEV being developed currently? In the old days we had a developer here who was isolated from the internet. So an air gap network: they had no direct access to the internet, and they used Artifactory to get in some packages they need to develop. The developer built his application using git and deployed via Jenkins on the development stage. To do this he had to get into contact with the administrator of the development stage, because here we also had a barrier between development and operations, the typical scenario you see at many customers. If you want to get further, here you start a DATEV proprietary tool to deploy it on the QA stage and also to production. In all these steps the administrator was always involved. So the administrator had to allocate JEE data sources and all these things. You know, there was a lot of emails going back and forth, and deployment things and so on.

Now, what drove us that we said we need cloud technology at DATEV? The point is that the developer productivity is one important thing. We wanted the developers to be more productive, and we wanted to get rid of all this communication going on. The other point was we wanted to build self-sufficient teams, which meant a lot of isolation also in the cloud platform. We wanted that development team A could not interfere with development team B. We wanted to give the developers self-services and simple process steps, and full access also in development, QS and production to their applications. And if you look into the future, even now going ahead, the point is that we wanted to have a platform which could be used as a base for a DATEV ecosystem, where partners of DATEV would be able to implement their platforms also on.

Now, is this enough to think about a platform and to choose a platform? In our opinion, this is not enough. In 2016 we evaluated platforms like the Docker ecosystem, we evaluated OpenShift, and looked at Azure as a precursor of Azure Stack and so on. And finally we said we have a set of criteria each of the platforms has to fulfill when we build it at DATEV. The first thing is the platform has to be widely adopted.
We do not want to only put our efforts into the platform of one provider. The second thing is we want to have the platform be polyglot, which means the platform has to not only support the latest Java stuff. We want to have support for languages like PHP and so on, but also the possibility to run Windows 16 applications. This is very important for us, because DATEV has a long history and a lot of applications and business logic and developers which come from the Windows area. We have a lot of desktop applications, and we want the possibility to take this intelligence and logic and bring it to run on our platform. And the second important point was it had to be running in a data center, a private data center, air-gapped. For DATEV, due to the sensitivity of the data we are processing, it's no option to go to public clouds. And after evaluating all these points and making tests on various systems and various implementations, we ended up using Cloud Foundry for this.

Okay, now Jürgen will take over and guide you through what we did to make Cloud Foundry happen in our own air-gapped data center.

Thanks. We first had a talk. I will do the fun part and all the technical stuff. Well, as we mentioned, security is really important for DATEV, and the first thing we have to consider about the cloud platform is how to separate different workloads within a cloud platform. To illustrate that, I will highlight what the different types of workload we have are. We have this public workload: you don't have to authenticate, you get information from a DATEV website. This is public workload, everyone can access it. You have medium secure workload, we call it.
It's the type of workload which a DATEV shop, for example, offers, if you would shop for material, for products and all that stuff. And we have that highly sensitive data the customer gave us through the payroll processing, to do the invoices and all that stuff. And the first challenge was to separate these workloads, and the solution was isolation segments. We heavily use isolation segments in Cloud Foundry to separate these types of workload, so that an application that does payroll processing never gets the possibility, because it's network-technically segmented and separated from the other one. We don't mix and match public and secure applications on the same Diego cell.

But self-service and isolation segments, well, it does not match, because if you want to assign an isolation segment you have to have admin privileges. And we solved this by creating a service in the marketplace. We predefined for isolation segments in the platform, and we created a self-service marketplace service where the developer can book such an isolation segment. This service takes care of assigning all the placement tags and everything that is necessary. And if the developer pushes an application to that space flagged with such a service, the application gets delivered in the correct isolation segment. It was one of the challenges we were facing.

The other one was: we told you we put the platform right in the middle of the data center. So we put it really deep in the data center. So how can we integrate it with everything we have already in the data center?
So just let me show you what the data center of DATEV looks like in a greater or higher view. We have that internet, that cloudy thing. We have authentication and authorization gateways, and we have HTTP routing tiers, and behind these routing tiers we already had JEE and .NET application servers. And what we did: we put Cloud Foundry right beside our existing application servers, which actually means the Cloud Foundry domains are not accessible at first. So we have to solve different things. HTTP routing: how can we achieve a self-service so that a developer pushing an application to Cloud Foundry gets a route, so that this application will be accessible from the internet via the existing gateways? The other one was about connecting to legacy services, to all the existing services we already have in the data center. And what about logging, monitoring and all this stuff we need?

Well, as you suppose, we created services in the marketplace for that. One service was HTTP routing as a service. The developer can book this service and it creates exactly this route that is necessary so that the application can be called from the outside world.

Another service we built, we called it legacy as a service, because it's not only one service, it's more than one. We created services for creating DB2s on the mainframe. We are utilizing IBM z/OSMF, and that helps us to create on-the-fly DB2s on the mainframe system. So the DB2 has become just like any other Postgres. The developer can book it, gets its own user, has full DB admin access, and can use this DB2 just like a Postgres or any other database. And also we created services for accessing all the legacy backends we have, for which there is not even a protocol name to access them. But we have them in the data center and we want to access them from Cloud Foundry as well.

Another thing is monitoring. Also a service: the developer can decide if he wants monitoring or not, and he can book this service. We have a huge infrastructure from CA Wily. Well, actually it's CA APM at the moment, they always change the name. And the developer can opt into that and say, okay, I want my application to be monitored. And all this monitoring data, it's the same infrastructure we use on the other platforms, so the developer can match the data generated by the Cloud Foundry applications and compare it with any other application running on any other platform. So he gets a full view of the complete data center and all the applications, no matter what platform they are on.

And we did exactly the same with Splunk. We use Splunk for logging. So we also integrated Cloud Foundry and all the logs Cloud Foundry produces in the Splunk system. So you can see your application logs and all the infrastructure logs around it, even down to the firewall logs. So if you check for a problem, you have all the logs there. And what's important: these logs are visible to all DATEV developers. Everyone in DATEV can see all this log data and all this monitoring data. The ops guys do not see any more than the developers see, and that was one key point which is really important for us.

Also, we thought about, well, going the cloud native way, developing new applications is one part. But we have that huge infrastructure. We have IIS, we have many existing JEE applications, about three to four hundred JEE applications running on a traditional WebSphere cluster.
We will have the need to port them. But these applications are created, and they rely on specific things like naming conventions, like files in the file system which exist. They write logs in the file system, because we always told the developers: don't use standard out. You have 20 applications on one application server; if you use standard out, no one will know which logs are from which process. So we told them to use log files. But if you want to write log files in a Cloud Foundry environment, it's, well, not that good actually.

So we created a buildpack. We created our own buildpack, and this buildpack helps us to fill this gap. This buildpack creates an environment for the application so that the existing JEE application has zero to no migration effort. Almost no migration effort. The applications can be ported to Cloud Foundry, and the buildpack takes care of generating the application server configuration, of taking the logs which are written to the file system to Splunk, for example, and all the other things that are necessary. And with this buildpack we can achieve that JEE applications at DATEV can be run on any application server now, whether it's classical WebSphere, or it's WebSphere Liberty in Cloud Foundry, or if it's even a CICS, or "kicks", system on the mainframe, where also a WebSphere Liberty application server runs. And this really helps us to keep the door open for any existing applications to be ported to Cloud Foundry. So I will hand over to Andreas.

Okay. Thanks again. Now, what are the plans and where are we now? First, where are we now: we started in January 2017 with setting up Cloud Foundry. In April our development environment was ready.
So pilot projects began to do this, and in September production was live. What we achieved is that now we have these product teams enabled so that they can really work self-sufficiently on the platform. The interference with administrators, or the support of administrators, is very much reduced. On the other hand side, we not only have JEE as application now, but we also now go into the direction of Spring Boot and so on, and we support Windows, and we even have now a colleague who has written his application in Go, because he said, I'm doing some kind of credentials stuff, and so Go is my language. And okay. Jürgen presented some of the marketplace entries we have; we have much, much more. And so our marketplace, and by this also self-service, is growing very rapidly, and this is very important for us. And we see a company-wide adoption of this platform. Currently we have roughly 950 developers registered for the platforms, one more very active, one less active, but you know, also the cold education at DATEV is going into the direction of Cloud Foundry.

Okay, these are the numbers we have produced so far. As I said, in April we started with the development environment going live, and in September with production. These are the running app instances. One side note perhaps: we are using the autosleep service to stop applications which are not needed, and this helps us to reduce resource consumption and also licensing costs.

Well, actually we use autosleep just in development.

Yeah, for sure. Yeah, what are our future plans? As I already said, we want to go into the direction of Spring much more.
We want to go into the direction of Windows 2016 applications. We have currently a very big project with Windows at our door front, which will at least require the same infrastructure we have behind this currently running cloud, also for this application alone. So this will be a challenge for us, and very interesting.

On the other hand side, for the platform, we want to go into the direction of Kubernetes container runtime, because we see from the business the demand, on the one hand side, to buy off-the-shelf products and to run them in our data center, and these will be delivered as Docker containers. So we make them integrated into our platform. On the other hand side, we want to have databases be provisioned as Docker containers. We want to have container networking running, and this is not only for performance, but this is also for security reasons, because container networking gives us the opportunity to only make the really needed applications and services externally accessible, and the rest can be hidden.

And we want to go into the direction of CredHub or Vault, because we have encrypted credentials in our platform, but the management of these credentials is still one of our main pain points. We have, you know, these are and so, encrypting these credentials and decrypting and so on. This is not the way we would like the platform to behave, and so we go into this direction.

One of the points that limits self-services in production a bit, because it's always still hard that a developer again can get the production password for the DB2 instance, for example. And that's why we are heavily investing in CredHub or in Vault.

Yeah, okay. What is the general vision we are following? It's platform as a product. I've heard this term at this conference more than once, and it's good. So we are not the only ones thinking into this direction. And it's based on an article or blog post by EngineerBetter.
The guys have a booth up there already. So they posted it under post DevOps. I will have the link in there. And this thinking has influenced also what we want to do. On the one hand side, we want a platform team which is platform DevOps: development and operations in the platform. And so this is very important. This also goes hand-in-hand with the Google site reliability engineering thinking: you do not only have operations people in the platform, you also have a lot of development there, to make more self-services, to automate it even better. And this platform team defines a platform contract, for example by the implementation of self-services. And based on this platform contract, all of these application development teams and operations teams, application DevOps teams, implement their applications. So we still have a very clean separation of concerns. The application DevOps teams can run their applications and implement them, but they have a solid platform below them, so they can concentrate on the application. This is the focus we have there. Okay, this is the promised link to the colleagues from EngineerBetter.

Okay, what are the lessons we learned? Is it advisable to deploy PaaS as an island? No. In our experience it's very good to implement it into the existing world, because, you know, if you're building a serious application, sooner or later you have to talk to the other systems. And implementing PaaS into the existing world, in my opinion, is also very good to take the people who are building or running the already existing systems, take them with you.
So there are no other guys doing something in a corner of their company. No, all people are involved to bring this platform ahead, and this is important for us.

The thinking of post DevOps, as already said, is important to have this clean separation. But to be honest, we have application DevOps teams now knocking at the door of the platform DevOps team, saying: hey guys, you have such a knowledge about these technologies and so on, could you please help us? So one of the things we are now thinking about is implementing an application support service, or having the opportunity for the application DevOps teams that they can book a premium support by the platform teams. So even there the boundary will now get a little bit open.

Cloud Foundry, in our experience, is very much about people's minds. It's not only technology. It breaks a lot of barriers down within the company. So if you run such a platform, you have to interact with most of the departments in your company. This is very important for us. And one thing is that now our developers are also beginning to think about day two. There is no barrier anymore where they can take their deployment artifacts, throw them over the wall, and then operations will take care of it. No, they can see their thing run, they can access it, and they see their baby fail, no? And this is very important for them, for the mindset we are going to.

Okay, the next question we also had a lot of discussions with is, you know, as I told you, in January 2017 we began setting up the platform, and in April we had to deliver. And so we always thought, you know: do we have to take all processes we already have in the existing world, take them over? Do we have the time to modify them? Should we take them over with us? And our experience is that you should be very careful with this. You know, you have to find a balance between taking everything from the old world and implementing in the Cloud Foundry all the old thinking, and then the Cloud Foundry will not live up to its value. On the other hand side, it will take in a company a lot of discussions, over months, with IT security, all these people, to get something working if you say we start from zero.

And the last point is: don't underestimate the effort to change everything, you know, in the company. As I said, to bring Cloud Foundry to life in an existing data center you have to touch so many points and have so many discussions. Even if you say, okay, we behave a little bit like the old world, this is a lot of effort.

But some things stay the same or even get more important. The one thing is monitoring. Cloud Foundry is very good, and also Jürgen showed two monitoring points we are also integrating, but monitoring such a complex platform and these 12-factor app applications, this is very important. And monitoring is not only about the technology monitoring, but also about monitoring business KPIs.

The second point is communication. Our PO Peter Sieber is doing an excellent job to communicate constantly about the platform we are building, but this is an effort all in the teams have to do. You know, also our colleagues who are running the base platform, they are making blog entries, for example, into the blog of the development departments and so on. So we are very open on this. And the theme of working together in a company, this is very important for us, because, no, Cloud Foundry is not, as I already said, about technology. It's about mindset. And Cloud Foundry not only enables us to a new set of working together.
In my opinion, it forces us to a new set of working together, and this is for us very important. Okay, so this was a very short, very fast introduction to what we are doing. Any questions?

I know that DATEV in the past was very much ITIL oriented.

Yes.

And now you're doing it a very agile way.

Yeah.

How did you change your processes within DATEV to make that happen?

This is a good question. We talked about isolation of things. Our colleagues from the ITIL part and also our operation teams were very much focused to say we need changes and so on, because we are not isolated. If you break something, you know, the whole ecosystem might break. So, you know, we had meetings with as many people as here in the room for big change meetings. And now with Cloud Foundry, where we say this is so much isolated, we come from the public cloud area, you know, where the clients are isolated, and if this breaks, then the application breaks itself, you know. So we ended up that people building applications on this platform do not have to go to the big change meeting. They only are making a Doku change, which means I just documented that I changed something, so that if something explodes, everybody can see that something changed. But I do not have to, you know, agree on it, you know, that this is a big change. The technology helped us to bring this forward. But a good question, thank you.

And even more, this creation of documentation changes is already automated within development pipelines, within Jenkins pipelines. So if you push, you know, to a stage, it is already created, so nobody can forget it.

Is that buildpack, the gateway drug buildpack, is that available for others? Have you considered contributing to open source?
Yeah, we have this discussion within DATEV internally. And you know, we have to, how do I say, we have to clarify this with our legal department, how much we are allowed to contribute to the open source. Because in our opinion, at least Jürgen's and mine, we should contribute it, because, you know, you cannot always take from a community. You have to give back something.

Actually, this question was already asked by IBM, because IBM was really fascinated about the possibility of porting a WebSphere traditional application as it is to Cloud Foundry, which is already the glue code between the standard IBM Liberty buildpack and that what we put on top of it.

Yeah, but to be honest, you know, if you make it publicly available, then you would have to make at least the DATEV-specific things, you know, we would have to make this configurable somehow, because nobody would ever want to have some DATEV JVM properties or something like this in his environment, which is understandable.

So in the classical networking world, you usually have classical security concepts with security zoning and firewalling etc., whereas in the cloud native setting you typically have production workload running in the same platform, or you can have production running in the same platform as dev work. Did you have challenges in this area where these two worlds were clashing?

We have three foundations. We have test, QA and prod foundations, which are strictly separated from a networking point of view. And currently, as Jürgen has shown, the isolation segments, they are their own VLANs. So they are really separated from the other thing.
So even if you would manage to take over a public application of DATEV, and you would manage to break out of the container of the public application into the VM, you know, then you would only be able to see the VMs and the Diego cells for the public workloads. From the firewall you would not be able to go somewhere from there.

So we also have the, we call it the core isolation segment, where the Diego brain and all of that of the Cloud Foundry is running. This is also separate in its own VLAN, and you can only communicate from the core isolation segment to the public isolation segment, but not the other way around. Actually, no application from DATEV is running in the core segment, except the system applications of the foundry.

Yeah, yeah, but currently we have a project going on to take this strict isolation with isolation segments and these VLANs and all these things, to open it up a little bit more, maybe. So that, at least in the secured areas, you can have the policy not on this big block of data, you know, very highly confidential data and only data you can access the truth and password. To build more intelligence into the applications or in API gateways or something like this, to go a bit above the networking layer.

Okay, I know DATEV from my history a little bit more before. Well, and what I understand is that you're running Cloud Foundry for your data center computing processes, which means your own shops and the processes of our customers which sense the data center. But I think the main development, software development, of DATEV was in the past on dot see and was introduced to Netframe of the DATEV workspace.

Yeah.

And my question is now: do you plan something like to enable our customers to go to a cloud or their own Cloud Foundry installation with those applications which run on Cloud Foundry? Is this planned, something?
Because that's the main development of your...

Well, if you remember the keynote this morning, there was this shape of JVM, .NET and that really left-shifted white box. That's actually kind of what DATEV looks like. We have a little .NET on this platform, but yeah, as you said, we are shipping a lot of software as a DVD to the customers, and a lot of business code. That's why we are investing in Windows Server 2016 and container isolation, and we want to make Windows 2016 containers first class citizens in the platform, with all the same features, to enable all these .NET developers to use the language they're used to and the build tools they're used to, but use them on the cloud platform.

Maybe it's, DATEV tax software from the past has some, I will say, more or less performance issues or scalability things inside. It's not really scalable. So when you try to start to go to Cloud Foundry with this .NET application...

Yeah.

...you really enable the bigger customer, one, yeah, to scale it.

Yeah.

Because they have really issues with the performance and, yeah, and if there exist plans.

Yeah. So your question touches a lot of different layers of thinking.
Yeah, so the first one is the DATEV strategy for the cloud or online world. So we have scenarios where you have clients of DATEV, of tax consultants, or the B2C market. These are, in our opinion, native cloud applications we have to go to, and nobody will install DATEV software as a B2C customer. Now our opinion is, so we have to make this cloud native, and move very much into this direction.

The second thing is, as you said, the tax advisor and so on, the installations he currently runs on premise in his own office. Yeah, we have the decision that we will bring them to the cloud wherever it makes sense for the tax advisor. Maybe, you know, he says: some data I want to keep locally because it's about my own business, and I do not want DATEV to have a way to look at it, or whatever objections he might have. So we will have, I think, in the future also desktop applications. But you know, our target is to make all scenarios that make sense to bring them into the data center. For example, we have areas in bookkeeping and so on, you know, where the collaboration between the tax advisor's client and the tax advisor also now needs close cooperation, and this has to be online, also from the view of the tax advisor. So this is something where, in five years, not all DATEV applications which are currently running in the tax office will be cloud-based applications, but this business area is, let's say, where it makes sense. The other ones, like tax advisor clients or B2C customers, this will be definitely.

And you mean also this DATEV online and so on as well, if you say customers and so on which use DATEV online features and...

It depends where it makes sense, actually. We are not here with Cloud Foundry to abandon any other platform we have in the data center. As long as it makes sense to port it to Cloud Foundry, we will do so, but if it does not make sense, or if we don't have the time to do it, the other platforms are just fine as well. They are also first class citizens in the data center. The developer can finally decide which platform.

So when you say DATEV online, you mean DATEV Unternehmen online, for example?

Yes.

So also there, you know, we do not have a date to say that DATEV online will be moved to Cloud Foundry at the 21st of something, you know. But there, as we have shown you, due to the close cooperation between the platforms, you know, also these colleagues are saying: I'm now building something new and I will start, you know, there. And we will have to...

Okay, okay, since we're already over time: if you have any further questions, we are here at the conference all day, or feel free to contact us whenever you want. We are happy to answer any questions. Okay? Thank you.