• Save
AWS Best Practices - Ryland
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

AWS Best Practices - Ryland

on

  • 2,744 views

 

Statistics

Views

Total Views
2,744
Views on SlideShare
2,115
Embed Views
629

Actions

Likes
6
Downloads
0
Comments
0

22 Embeds 629

http://www.scoop.it 542
http://ammasajan.blogspot.in 27
http://ammasajan.blogspot.com 24
http://ammasajan.blogspot.sg 11
http://ammasajan.blogspot.jp 3
https://www.google.com 2
http://ammasajan.blogspot.com.au 2
http://ammasajan.blogspot.kr 2
http://ammasajan.blogspot.ro 2
http://ammasajan.blogspot.com.es 2
http://webcache.googleusercontent.com 1
http://ammasajan.blogspot.it 1
http://ammasajan.blogspot.mx 1
http://ammasajan.blogspot.pt 1
http://ammasajan.blogspot.be 1
http://ammasajan.blogspot.co.il 1
http://ammasajan.blogspot.ca 1
http://ammasajan.blogspot.cz 1
http://ammasajan.blogspot.co.uk 1
http://bslkb.elasticbeanstalk.com 1
http://ammasajan.blogspot.fr 1
http://www.linkedin.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Our goal, and what our customers tell us they see, is that this ratio is inverted after moving to AWS. When you move your infrastructure to the cloud, this changes things drastically. Only 30% of your time should be spent architecting for the cloud and configuring your assets. This gives you 70% of your time to focus on your business. Project teams are free to add value to the business and it's customers, to innovate more quickly, and to deliver products to market quickly as well.
  • Our goal, and what our customers tell us they see, is that this ratio is inverted after moving to AWS. When you move your infrastructure to the cloud, this changes things drastically. Only 30% of your time should be spent architecting for the cloud and configuring your assets. This gives you 70% of your time to focus on your business. Project teams are free to add value to the business and it's customers, to innovate more quickly, and to deliver products to market quickly as well.

AWS Best Practices - Ryland Presentation Transcript

  • 1. AWS BEST PRACTICES Mark Ryland | Chief Solutions Architect
  • 2. 1Choose your cloud workloads well
  • 3. Choose appropriate initial workloads Web Dev & Test Backup & DR Big Data Pain point A natural workload for Spin environments up Take part of your data or Cloud perfectly suited to Move specific service the cloud and down on demand business applications batch processing, aspects causing undue step- by-step into non- variable loads cost or management Loads are often highly Decouple dev and test production DR use burden variable and environments from No waiting in queue: unpredictable; perfect operations constraints Understand cloud each workgroup gets its Workflows, search for elastic cloud dynamics and test during own cluster—”PC” = indexing, media Explore elasticity in a controlled failovers personal cluster streaming, document Connect back to on- sandboxed environment archiving, constrainedprem systems using VPC, Shut it all off when Test systems at full databases DMZ subnets, private you’re not using it scale! subnets and a VPN Low hanging fruit can be easiest way to ‘cut teeth’
  • 4. Plan evolution & set goals PoC Production Automation Understand services Implement monitoring Automate corrective measuresExamples Test performance Change control and management Auto-scaling Architect for scale Security management Zero downtime deployments Build cross functional team capabilities Scalability System backup and recovery
  • 5. Plan evolution & set goals PoC Production Automation Understand services Implement monitoring Automate corrective measuresExamples Test performance Change control and management Auto-scaling Architect for scale Security management Zero downtime deployments Build cross functional team capabilities Scalability System backup and recovery Beanstalk APIs Beanstalk Cloud Formation CLI Cloud Watch Auto scaling IAM
  • 6. 2Govern deployments
  • 7. Govern deployments AccountsCreate an account structure that makes senseUse accounts like environmentswhere you need separation and control e.g. Dev Sandboxes Test Environments Business Units Products & Services
  • 8. Govern deployments Accounts BillingCreate an account structure Control access to billing that makes sense informationUse accounts like environments Use IAM users to keep billingwhere you need separation and information in the master account control Consolidate billing into a e.g. single account Dev Sandboxes Let one account pick up the bill for Test Environments multiple ‘sub accounts’ Business Units Products & Services Setup billing alerts and automated bill reporting Get CloudWatch notifications when billing reaches a point and output csv reports to S3 for analysis
  • 9. Enable CSV &Billing settings Programmatic Access Billing Preferences
  • 10. Billing settings Cost accounting in favorite package Billing Alerts Bill reached $x Dev 1 Dev 2 Test Master Account Production Data labeled by source in S3 Consolidated Billing Internal Systems
  • 11. Billing settings Dev 1 Dev 1 reached $100 Dev 2 Dev 2 reached $250 Test Master Account Test reached $1,000 Production Prod reached $1,200 Internal Internal reached $400 Systems
  • 12. Govern deployments Accounts BillingCreate an account structure Control access to billing that makes sense informationUse accounts like environments Use IAM users to keep billingwhere you need separation and information in the master account control Consolidate billing into a e.g. single account Dev Sandboxes Let one account pick up the bill for Test Environments multiple ‘sub accounts’ Business Units Products & Services Setup billing alerts and automated bill reporting Get CloudWatch notifications when billing reaches a point and output csv reports to S3 for analysis
  • 13. Govern deployments Accounts Billing Access KeysCreate an account structure Control access to billing Decide upon a key that makes sense information management strategyUse accounts like environments Use IAM users to keep billing Control access to EC2 instances viawhere you need separation and information in the master account SSH and embedded public key: control e.g. EC2 Key Pair per group of Consolidate billing into a instances, EC2 Key Pair per account e.g. single account Dev Sandboxes Consider SSH key rotation & Let one account pick up the bill for Test Environments multiple ‘sub accounts’ automation Business Units Limit exposure to private key Products & Services Setup billing alerts and compromise by rotating keys and replacing authorized_keys automated bill reporting listings on running instances Get CloudWatch notifications when Consider bootstrap automation to billing reaches a point and output grant developer access with csv reports to S3 for analysis developer unique keypairs
  • 14. Govern deployments Accounts Billing Access Keys Groups & RolesCreate an account structure Control access to billing Decide upon a key Use IAM Groups to manage that makes sense information management strategy console users and API accessUse accounts like environments Use IAM users to keep billing Control access to EC2 instances via Provide developers with IAM userwhere you need separation and information in the master account SSH and embedded public key: login and unique API access control e.g. EC2 Key Pair per group of credentials Consolidate billing into a instances, EC2 Key Pair per account Control & restrict what IAM users e.g. single account can do by placing them in groups Dev Sandboxes Consider SSH key rotation & with policies Let one account pick up the bill for Test Environments multiple ‘sub accounts’ automation Business Units Limit exposure to private key Assign EC2 Instances IAM Products & Services compromise by rotating keys and roles Setup billing alerts and replacing authorized_keys Let AWS manage API access automated bill reporting listings on running instances credentials on running instances by Get CloudWatch notifications when Consider bootstrap automation to assigning a system entitlement to an billing reaches a point and output grant developer access with instance csv reports to S3 for analysis developer unique keypairs e.g. instance can only read S3 bucket
  • 15. Identity & access management Account Administrators Developers Applications Jim Brad Reporting Bob Mark Console Susan Tomcat Kevin
  • 16. Identity & access management Groups Account Administrators Developers Applications Jim Brad Reporting Bob Mark Console Susan Tomcat Kevin Multi-factor authentication
  • 17. Identity & access management Groups Account Roles Administrators Developers Applications Jim Brad Reporting Bob Mark Console Susan Tomcat Kevin Multi-factor authentication AWS system entitlements
  • 18. IAM policies { "Statement": [ { "Effect": "Allow", "Action": [ "elasticbeanstalk:*",Policy driven "ec2:*",Declarative definition of rights for principals "elasticloadbalancing:*", "autoscaling:*",Policies control access to AWS APIs "cloudwatch:*", "s3:*", "sns:*" ], "Resource": "*" } ] }
  • 19. Identity Federation Sample• Use case: – Enterprise employee signs with his normal credentials – Access S3 with enterprise application• Setup – IIS for enterprise authentication against Active Directory – Client application to access S3 – Read-only access to S3
  • 20. 3Ensure security
  • 21. Shared responsibility Customer DataCustomer • Customers implement their Platform, Applications, Identity & Access Management own set of controls • Multiple customers with FISMA Low and Moderate Operating System, Network & Firewall Configuration ATOs Client-side Data Encryption & Data Server-side Encryption Network Traffic Protection Integrity Authentication (File System and/or Data) (Encryption/Integrity/Identity) Foundation Services • SAS-70 Type IIAmazon • ISO 27001/ 2 Certification Compute Storage Database Networking • Payment Card Industry (PCI) • Data Security Standard (DSS) • NIST Compliant Controls Availability Zones • DoD Compliant Controls AWS Global • FedRAMP Compliant Controls Edge Locations Infrastructure • HIPAA and ITAR Compliant Regions
  • 22. Leverage shared security model Understand your customer & form security stance
  • 23. Leverage shared security model Understand your customer & form security stance Engage with security assessors early in adoption cycle Don’t fear assessment – AWS meets high standards (PCI, ISO27001, SOC1…) As with any infrastructure provider, security assessments take time Derive value from architecture reviews early in deployment cycle
  • 24. Leverage shared security model Understand your customer & form security stance Engage with security assessors early in adoption cycle Use comprehensive materials and certifications provided by AWShttp://aws.amazon.com/security/ Risk and compliance paper AWS security processes paper NEW! CSA consensus assessments initiative questionnaire
  • 25. Leverage shared security model Understand your customer & form security stance Engage with security assessors early in adoption cycle Use comprehensive materials and certifications provided by AWS Build upon features of AWS and implement a ‘security by design’ environment
  • 26. Build upon AWS features Tiered Access Security Groups VPC Direct Connect & VPN IAM Instance firewalls Subnet control Private connections to VPC Control users and allow AWS to Firewall control on instances via Create low level networking Secured access to resources in AWS manage credentials in running Security Groups constraints for resource access, such over software or hardware VPN and instances for service access as public and private subnets, dedicated network links (allocation, rotation) CLIs and APIs internet gateways and NATs Instantly audit your entire AWS APIs vs. Instance infrastructure from scriptable APIs – Bastion hostsProvide developer API credentials generate an on-demand IT inventory Only allow access for management and control access to SSH keys enabled by programmatic nature of of production resources from a AWS bastion host. Turn off when not Temporary Credentials neededProvide developer API credentials and control access to SSH keys
  • 27. 4Architect to usecloud strengths
  • 28. Architect to use cloud strengths Review application architectures early – assess fit for cloud ? e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures* Can cloud benefits be leveraged with minimum effort outlay? ? e.g. Application performance improvement by migration of static content to S3/CloudFront Will cloud yield cost savings & agility improvements? ? e.g. Faster development cycles for dev/test, reduced cap-ex for application environments Can automation lead to a more agile & secure service? ? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments *http://aws.amazon.com/architecture
  • 29. Architect to use cloud strengthsDisposable compute ✓✓ Design systems that can suffer instance loss Dispose of compute when it is not ✓ ✓ required
  • 30. Architect to use cloud strengthsDisposable computeFlexible capacity ✓ ✓ ✓ Design for systems that potentially scale from zero instances to hundreds Use Auto-scaling (events, schedules etc) to ✓ ✓ ✓ drive capacity availability
  • 31. Architect to use cloud strengthsDisposable computeFlexible capacity ✓ ✓ ✓ Utilize 11 9s durability of objects in S3 Scale databases with RDS and use DynamoDB for high throughput NoSQLCost effective & reliable storage ✓ ✓✓
  • 32. Architect to use cloud strengthsDisposable computeFlexible capacity ✓ ✓ ✓ Automate everything from scaling to instance recovery from failureCost effective storageAutomation and control
  • 33. Bootstrapping – custom AMIs Instance AMI Custom machine1 Create instance of your OS choice image2 Configure environment Auto-scaling Manual deployments3 Install software Programmatic deployments4 Create AMI from instance5 Launch fully configured instances from AMI
  • 34. Bootstrapping – metadata service Instanc eMetadata service contains wealth of information about an instance AMIhttp://169.254.169.254/latest/meta-data Custom or standard machine imageami-id local-hostname Receive custom Metadata data to driveami-launch-index local-ipv4 Service bootstrappingami-manifest-path macblock-device-mapping networkhostname placementinstance-action profileinstance-id public-hostnameInstance-type public-ipv4kernel-id public-keys reservation-id
  • 35. Bootstrapping – metadata service Instanc eMetadata service contains wealth of information about an instance AMIhttp://169.254.169.254/latest/meta-data Custom or standard machine image+ user data Receive custom data to drive Metadata Service bootstrappingScripts in user-data field of metadata will be executed on launche.g. #!/bin/sh yum -y install httpd chkconfig httpd on /etc/init.d/httpd startOr: <powershell> … </powershell>
  • 36. Bootstrapping – metadata service Instanc eMetadata service contains wealth of information about an instance AMIhttp://169.254.169.254/latest/meta-data Custom or standard machine image+ user data Receive custom data to drive Metadata Service bootstrappingScripts in user-data field of metadata will be executed on launch Install software e.g. web server, app server, proxy Pull data and application packages from S3 Publish metadata for instance to other systems e.g. monitoring systems Setup security profile of instance based upon intended use e.g. pull latest config
  • 37. 1. Use multiple availability zones
  • 38. 2. Use RDS with replicas and standby
  • 39. 3. Use auto-scaling groups
  • 40. 4. Use Elastic Load Balancing
  • 41. 5. Use Route53 to host DNS zones
  • 42. Architect to use cloud strengths Elastic Load Balancing Route 53 RDS Auto-scaling Use at regional level Leverage SLA Scale databases without Dynamically scale resources & Combined with autoscaling will Improve application reliability with admin overhead control costs balance requests and resource Route 53’s SLA on requests served Choose instance size for databases Only provision the resources that capacity across availability zones and scale up over time are required with scale up and cool Weighted routing down policies that match demand Within VPC Perform A/B analysis, and staged Add high availability from Use to loadbalance between application roll-outs by moving a management console application tiers within an portion of traffic to new Create master-slave configurations availability zone infrastructure and read-replicas. AWS takes care of the failover and recreation of a new Instance migrations Control TTLs and updates slave in event of master DB loss Easily move instances from dev Take absolute control of DNSenvironments to test environments updates for more decisive system by moving between ELBs updates
  • 43. 5Be elastic and cost optimized
  • 44. Be elastic and cost optimized Elastic Load Balancing Auto-scaling policies Scalability Cost Optimization Availability Instance types and sizes
  • 45. Auto-scaling policies Manually By Schedule Preemptive manual scaling Send an API call or use CLI to Regular scaling up and down Scale up/down based on date of capacity launch/terminate instances – ofand time instances Only need marketing event add 10 e.g. before a to specify capacity e.g. scale from 0 to 2 to process SQS more instances messages every night or double change (+/-) capacity on a Friday night By Policy Auto-Rebalance Scale in response to changing Instances are automatically Dynamic scale based upon conditions, based on user Maintain capacity across launched/terminated to configuredmetrics custom real-time availability zones ensure the application is e.g. SQS queue depth, Average CPU e.g. Instance availability maintained in monitoring and alerts load, ELB latency balanced across multiple Azs event of AZ becoming unavailable
  • 46. Instance types / Pricing models On-demand instances Reserved instances Spot instances Unix/Linux instances start at 1- or 3-year terms Bid on unused EC2 capacity $0.02/hour Pay low up-front fee, receive significant hourly Spot Price based on supply/demand, Pay as you go for compute power discount determined automatically Low cost and flexibility Low Cost / Predictability Cost / Large Scale, dynamic workload handling Pay only for what you use, no up-front Helps ensure compute capacity is available commitments or long-term contracts when needed Use Cases: Use Cases: Use Cases: Applications with flexible start and end times Applications with short term, spiky, or unpredictable workloads; Applications with steady state or predictable Applications only feasible at very low compute usage prices Application development or testing Applications that require reserved capacity, including disaster recovery
  • 47. Leverage all models 7000 6000 Spot 5000 4000 On Demand 3000 2000 Reserved Instances 1000 0
  • 48. Cloud computing bottom line 30% 70% On-Premise Your Managing All of the Infrastructure Mission “Undifferentiated Heavy Lifting”
  • 49. Cloud computing bottom line 30% 70% On-Premise Your Managing All of IT’s Infrastructure Mission “Undifferentiated Heavy Lifting” AWS More Time and Resources to Focus on Configuring Your Cloud-Based Your Mission Cloud Assets Infrastructure 70% 30%
  • 50. THANK YOU