If you want to know what Amazon's big plans are for Amazon Web Services (AWS), one of the most reliable tells is to watch where Microsoft and Google cloud services are gaining traction. At last year's annual Amazon re:Invent technical conference, the big news for cloud customers was Elastic Kubernetes Service (EKS), a managed container service based on industry-leading Kubernetes—an open source platform championed by Google. And this year at re:Invent 2018, Amazon announced its counter to Microsoft's Azure Stack with a new on-premises offering of its own.

Amazon Outposts, a service scheduled to become available in the second half of 2019, will allow customers to provision physical racks of Amazon Web Services (AWS) servers and have them shipped to their own data centers. The racks will be configured with the same servers that Amazon runs in its AWS data centers; once installed, the racks will connect back to the AWS mothership over the Internet and then can be configured with storage services and virtual machines through Amazon's AWS Management Console. And just as with services hosted in Amazon's own data centers, customers won't own these racks—they'll rent them. The costs and connectivity requirements associated with Outposts have yet to be determined.

Living on the edge

Using Outposts' "edge computing" model has some potential benefits for companies transitioning to the cloud or with large existing hybrid cloud deployments mixing on-site and cloud resources. In his re:Invent keynote, AWS CEO Andy Jassy said that consistency in operations was the primary motivation for Outposts, since customers will be able to use the same Application Programming Interfaces (APIs) and control plane with Outposts that they currently use with AWS. But Outposts also guarantees on-demand access to the virtual machines and storage on these systems, whereas in normal AWS cloud usage, customers would have to reserve those services in advance to guarantee on-demand availability. Additionally, customers may be able to eventually run many AWS cloud services locally in their own data center—services that they might currently rely on third-party software for because of performance or security concerns related to the not-local nature of AWS.

At launch, in the second half of 2019, Outposts will only support provisioning of Elastic Compute Cloud (EC2) virtual machines and Elastic Block Store (EBS) file system. But Amazon executives expect to offer other services in the future, such as managed databases (AWS Relational Database Service), as well as Apache Hadoop and Spark (Amazon's Elastic MapReduce service).

Outposts isn't Amazon's only on-premises cloud in play. Amazon already offers storage and compute that you can rent and run in your data center without a network connection: Snowball Edge. Introduced in July 2018, Snowball Edge is an armored box that comes in two flavors: storage optimized (100TB of storage and 24 virtual CPUs) or compute optimized (52 virtual CPUs and 8TB of storage). You can even run a cluster of Snowball Edge boxes. As with Outposts, you provision Snowball Edge using the AWS Management Console, and the boxes are then shipped to your data center. But Snowball Edge does not require a network connection back to AWS—Snowball Edge boxes are designed to run VM servers and serverless AWS Lambda invocations independent of AWS data center connectivity.

Pumping up the hardware

Amazon had other hardware announcements at re:Invent, including new A1 virtual machines based on the 64-bit ARM architecture Graviton CPU developed by Annapurna Labs, a 2015 Amazon acquisition. VMs based on the Graviton are already available to launch in the AWS Management Console in several AWS regions, using the latest versions of Ubuntu, Red Hat, and Amazon Linux. Script-based apps will work right away on A1 instances, but compiled applications will have to be rebuilt with an ARM compiler before they can be ported to the new VM type.

The Graviton chip is part of a continuing movement by Amazon to create physical server technology that it owns and is optimized for its cloud environment. The Amazon Nitro hypervisor, introduced last year at re:Invent and now Amazon's default virtualization platform, performs hardware virtualization based on custom ASICs developed by Annapurna Labs. In theory, at least, the performance of Amazon's virtual machines running on Nitro should approach bare-metal performance. Yet another non-Intel option Amazon announced in early November consists of VM servers running on AMD EPYC CPUs, which give customers yet another potentially lower-cost, yet high-performance, choice. VM servers using these CPUs are also available today in several AWS regions.

Although Jassy won't publicly admit that Amazon is heading toward direct competition with established server vendors like HP and Dell, there seems little reason to believe otherwise—though it's also possible that a partnership could see Dell and HP using their build capacity to deliver servers based on Amazon's chips as well. Thousands of major enterprises use Amazon's software services in the cloud, and if Amazon can give them the option of using Amazon's own hardware, either on-site or in the cloud, that's more computing at scale that they can control from both a price and performance perspective.

One console to rule them all

Amazon Outposts may be a beachhead for AWS taking on an even greater role in managing the entirety of Amazon customers' infrastructure. A number of tools for managing large multi-account AWS operations were also announced at re:Invent, including AWS Control Tower—a management platform that provides a single, automated environment for AWS account and workload provisioning based on what Amazon calls "best-practices blueprints." Control Tower can tap into both AWS Single Sign-on and Microsoft Active Directory to manage user identities and access. Connected to AWS Service Catalog, AWS CloudTrail log archiving, and other AWS management instrumentation, Control Tower can enforce pre-packaged security, operations, and compliance rules.

Also on the security front, Amazon announced AWS Security Hub, a centralized security management console that integrates with Amazon CloudWatch and AWS Lambda as well as customers' own automation workflows and third-party tools (i.e., security information and event management (SIEM) and trouble ticketing systems) to quickly take action on issues. A long list of security service providers have already built connectors for Security Hub: Alert Logic, Armor, Barracuda, Check Point, Cloud Custodian, CrowdStrike, CyberArk, Demisto, F5, Fortinet, GuardiCore, IBM, McAfee, Palo Alto Networks, Qualys, Rapid7, Splunk, Sophos, Sumo Logic, Symantec, Tenable, Trend Micro, Turbot, and Twistlock. AWS executives said more were in the pipeline.

In essence, these new management platforms are aimed squarely at the same enterprise customers who have relied on Microsoft management tools for their data centers in the past and are looking increasingly toward a blended cloud environment—one that Amazon wants to own.

Jason Levitt is a former InformationWeek editor, a former Yahoo technology evangelist, and a current Austin-based consultant.