40, 1173 & 516. What do these numbers mean? Since inception AWS has introduced more than 40 major new services and released over 1173 new services and features, with 516 new features and services announced in 2014 alone. How you used the AWS platform last year may be very different from how you utilise it today to maximise innovation and outcomes and to remain competitive. In this advanced technical session an AWS Solutions Architect addresses the technical requirements for successfully deploying and managing applications on the AWS platform, how solutions were typically architected previously, both off-cloud and on-cloud, and some of the best-practice recommendations on AWS today.
Speaker: Dean Samuels, Solutions Architect, Amazon Web Services
3–11. Your Application Stacks (reference diagram, built up over slides 3 to 11 and reused throughout the deck)
Layout: one AWS Region with two Availability Zones (A and B); each zone has a public subnet and two private subnets; a NAT instance sits in the public tier; application tiers run in Auto Scaling groups.
Regional and edge services around the VPC: CloudFront, Route 53, S3, Glacier, DynamoDB, Amazon SQS, SNS, CloudWatch, CloudFormation.
Stacks for: VPC; Edge Services; Datastores; Applications; Presentation.
12. How can I optimise the performance of these AWS services?
13–14. Your Application Stacks (diagram repeated from slides 3–11)
33–38. Amazon EBS
Cost Optimisation
• 1TB PIOPS volume with 4K IOPS
  – $429.32* per month per volume
• GP2 1TB volume with 3000 IOPS
  – $122.88*
• GP2 2 x 500GB volumes at 3K, burst to 6K
  – $122.88*
~70% cost savings and 50% more peak I/O with General Purpose (SSD).
Caveat: GP2 burst above the baseline draws on a per-volume I/O credit balance; a workload that needs the peak figure continuously will exhaust the credits and fall back to baseline, which is where Provisioned IOPS still earns its price.
Management Optimisation
• Leverage tags to add metadata to snapshots
  – Application stack
  – Instance Id
  – Volume Id
  – Version
  – Type (daily, weekly)
  Use together with the new AMI creation date, so retention and rebuild decisions can be made from tags alone.
*Pricing for AWS Sydney region – ap-southeast-2
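The tagging scheme on slide 38 is only useful if something acts on it. The block below is an added example, not part of the deck or of any AWS tool: it builds the recommended tag set in the shape boto3's `create_tags(Tags=...)` takes and applies a per-volume, per-Type retention rule to `describe_snapshots()`-style records. The tag keys (`Stack`, `InstanceId`, `VolumeId`, `Version`, `Type`) and the retention counts are this example's choices, and the snapshot records are constructed inline so it runs offline.

```python
"""Tag-driven snapshot metadata and retention (added example, not from the deck)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def snapshot_tags(stack, instance_id, volume_id, version, kind):
    """Tag set from slide 38, in the list form boto3 create_tags(Tags=...) expects.
    Key names are this example's convention, not an AWS-defined schema."""
    if kind not in ("daily", "weekly"):
        raise ValueError("Type must be 'daily' or 'weekly'")
    return [
        {"Key": "Stack", "Value": stack},
        {"Key": "InstanceId", "Value": instance_id},
        {"Key": "VolumeId", "Value": volume_id},
        {"Key": "Version", "Value": version},
        {"Key": "Type", "Value": kind},
    ]


def _tag(snapshot, key):
    return next((t["Value"] for t in snapshot.get("Tags", []) if t["Key"] == key), None)


def expired_snapshots(snapshots, keep=None):
    """SnapshotIds beyond the retention count for each (volume, Type) group,
    newest kept first. Snapshots without a Type tag are never selected: an
    untagged snapshot is someone else's and deleting it is how data gets lost."""
    keep = keep or {"daily": 7, "weekly": 4}
    groups = defaultdict(list)
    for snap in snapshots:
        kind = _tag(snap, "Type")
        if kind in keep:
            groups[(_tag(snap, "VolumeId") or snap["VolumeId"], kind)].append(snap)
    expired = []
    for (_volume, kind), group in groups.items():
        group.sort(key=lambda s: s["StartTime"], reverse=True)
        expired.extend(s["SnapshotId"] for s in group[keep[kind]:])
    return sorted(expired)


def sample_snapshots(now=None):
    """Constructed describe_snapshots()-style records for one volume: ten dailies,
    six weeklies and one untagged manual snapshot."""
    now = now or datetime(2014, 12, 1, tzinfo=timezone.utc)
    snaps = []
    for i in range(10):
        snaps.append({"SnapshotId": f"snap-daily-{i:02d}", "VolumeId": "vol-0a1b",
                      "StartTime": now - timedelta(days=i),
                      "Tags": snapshot_tags("web", "i-1234", "vol-0a1b", "1.0", "daily")})
    for i in range(6):
        snaps.append({"SnapshotId": f"snap-weekly-{i:02d}", "VolumeId": "vol-0a1b",
                      "StartTime": now - timedelta(weeks=i),
                      "Tags": snapshot_tags("web", "i-1234", "vol-0a1b", "1.0", "weekly")})
    snaps.append({"SnapshotId": "snap-manual", "VolumeId": "vol-0a1b",
                  "StartTime": now - timedelta(days=400), "Tags": []})
    return snaps


if __name__ == "__main__":
    print(expired_snapshots(sample_snapshots()))
```

In production the records come from `ec2.describe_snapshots(OwnerIds=["self"])` and the returned IDs go to `delete_snapshot`; keep the IAM policy for that role scoped with a `ec2:ResourceTag/Type` condition so the deletion path cannot touch untagged snapshots even if the filter logic regresses.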
49–63. Amazon S3 – Distributing Key Names
If you want a bucket capable of routinely exceeding 100 TPS (note: 100 TPS is A LOT!), the shape of your key names matters, because S3 partitions a bucket's index by key prefix.
Don't do this (sequential, date-led key names):
<my_bucket>/2013_11_13-164533125.jpg
<my_bucket>/2013_11_13-164533126.jpg
<my_bucket>/2013_11_13-164533127.jpg
<my_bucket>/2013_11_13-164533128.jpg
<my_bucket>/2013_11_12-164533129.jpg
<my_bucket>/2013_11_12-164533130.jpg
<my_bucket>/2013_11_12-164533131.jpg
<my_bucket>/2013_11_12-164533132.jpg
<my_bucket>/2013_11_11-164533133.jpg
You end up with this: every new key shares the same leading characters, so all current writes land on a single index partition while partitions 1, 2 … N sit idle.
Do this (lead the key with a well-distributed value, such as a hash or a reversed identifier):
<my_bucket>/521335461-2013_11_13.jpg
<my_bucket>/465330151-2013_11_13.jpg
<my_bucket>/987331160-2013_11_13.jpg
<my_bucket>/465765461-2013_11_13.jpg
<my_bucket>/125631151-2013_11_13.jpg
<my_bucket>/934563160-2013_11_13.jpg
<my_bucket>/532132341-2013_11_13.jpg
<my_bucket>/565437681-2013_11_13.jpg
<my_bucket>/234567460-2013_11_13.jpg
You end up with this: consecutive keys fan out across partitions 1, 2 … N.
This is also ok (a small fixed set of folder prefixes, each followed by a distributed key):
<my_bucket>/images/521335461-2013_11_13.jpg
<my_bucket>/images/465330151-2013_11_13.jpg
<my_bucket>/images/987331160-2013_11_13.jpg
<my_bucket>/movies/465765461-2013_11_13.jpg
<my_bucket>/movies/125631151-2013_11_13.jpg
<my_bucket>/thumbs-small/934563160-2013_11_13.jpg
<my_bucket>/thumbs-small/532132341-2013_11_13.jpg
<my_bucket>/thumbs-small/565437681-2013_11_13.jpg
<my_bucket>/thumbs-small/234567460-2013_11_13.jpg
Note: this guidance reflects S3 as of 2014. Since July 2018 S3 scales automatically to at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix, and AWS no longer recommends randomising key prefixes for performance; the remaining reason to prefix by folder is so that IAM and bucket policies can be scoped per prefix.
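To make the partition argument concrete, the following added example (not from the deck) takes keys in the slide's "don't do this" format, derives a distributed key by leading with the first hex characters of the key's SHA-256, and measures how many distinct leading prefixes each naming scheme occupies. The hash prefix and the `-` separator are this example's choice; because the original name is kept after the prefix, a reader that knows the original can recompute the full key for a GET without ever listing the bucket. The sample keys are constructed to match the slide.

```python
"""Key-name distribution for a high-TPS bucket (added example, not from the deck)."""
import hashlib


def distributed_key(original_key, width=4):
    """Lead the key with the first `width` hex chars of its SHA-256 so that
    consecutive uploads land on different index partitions. The original key
    follows the prefix, so it can be reconstructed for a GET (no LIST needed)."""
    digest = hashlib.sha256(original_key.encode("utf-8")).hexdigest()
    return f"{digest[:width]}-{original_key}"


def original_key(distributed, width=4):
    """Inverse of distributed_key for the same width."""
    return distributed[width + 1:]


def folder_key(folder, original):
    """The 'this is also ok' form: fixed folder prefix, then a distributed key."""
    return f"{folder}/{distributed_key(original)}"


def prefix_spread(keys, chars):
    """Number of distinct leading `chars`-character prefixes the keys occupy:
    a proxy for how many index partitions the write traffic can spread over."""
    return len({k[:chars] for k in keys})


# Constructed keys in the slide's date-led format: four for the 13th, four for the 12th, one for the 11th.
DATE_KEYS = [f"2013_11_{13 - i // 4}-1645331{25 + i:02d}.jpg" for i in range(9)]


def compare_schemes(keys, chars=2):
    """Spread of the date-led keys versus their hashed equivalents at `chars` leading characters."""
    hashed = [distributed_key(k) for k in keys]
    return {"date_led": prefix_spread(keys, chars), "hashed": prefix_spread(hashed, chars)}


if __name__ == "__main__":
    for k in DATE_KEYS[:3]:
        print(k, "->", distributed_key(k), "->", folder_key("images", k))
    print(compare_schemes(DATE_KEYS))
```

At eight leading characters every date-led key collapses to the single prefix `2013_11_`, whereas the hashed keys already diverge in their first two characters; that difference is exactly the one-partition hot spot the slide warns about.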
64–66. Amazon S3 – Secondary Lists
Restrict use of S3 LIST: keep your own index of object keys instead of listing the bucket on every request.
Components on the slide: S3 ObjectCreated Notification → Lambda, or SQS Workers on EC2 → a secondary index in DynamoDB, RDS or CloudSearch. Applications query the index for "what objects exist for this prefix or date" and call S3 only for GET and PUT on known keys.
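The added example below (not from the deck) is the worker side of that flow: a Lambda-style handler that applies S3 `ObjectCreated:*` event records to an in-memory index standing in for the DynamoDB or RDS table, with a per-day listing so callers never need S3 LIST. It handles two details that bite in practice: object keys in S3 events are URL-encoded (a space arrives as `+`), and notifications can be delivered more than once or out of order, so the `sequencer` field (right-padded, then compared lexicographically, as AWS documents) decides which record is newest. The event JSON is constructed inline.

```python
"""Secondary index fed by S3 ObjectCreated events (added example, not from the deck)."""
from collections import defaultdict
from urllib.parse import unquote_plus


def _seq_key(sequencer):
    """S3 sequencers are hex strings of varying length; right-pad before comparing."""
    return sequencer.ljust(32, "0")


class ObjectIndex:
    """Stand-in for the DynamoDB/RDS table the slide proposes: one record per
    (bucket, key) plus a per-day key listing that replaces S3 LIST."""

    def __init__(self):
        self.objects = {}
        self.by_day = defaultdict(set)

    def upsert(self, bucket, key, size, etag, sequencer, day):
        current = self.objects.get((bucket, key))
        if current and _seq_key(current["sequencer"]) >= _seq_key(sequencer):
            return False  # stale or duplicate delivery; keep the newer record
        self.objects[(bucket, key)] = {"size": size, "etag": etag,
                                       "sequencer": sequencer, "day": day}
        self.by_day[(bucket, day)].add(key)
        return True

    def keys_for_day(self, bucket, day):
        """The query an application would otherwise answer with LIST + prefix."""
        return sorted(self.by_day.get((bucket, day), ()))


def handle_s3_event(event, index):
    """Lambda-style handler: apply ObjectCreated records to the index; returns how many were applied."""
    applied = 0
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue  # ObjectRemoved and others need their own handling; ignored here
        s3 = record["s3"]
        key = unquote_plus(s3["object"]["key"])  # keys arrive URL-encoded
        day = record["eventTime"][:10]
        if index.upsert(s3["bucket"]["name"], key, s3["object"].get("size", 0),
                        s3["object"].get("eTag", ""), s3["object"]["sequencer"], day):
            applied += 1
    return applied


def _record(name, key, size, etag, sequencer, time="2014-11-13T10:15:00.000Z"):
    return {"eventVersion": "2.0", "eventSource": "aws:s3", "eventTime": time, "eventName": name,
            "s3": {"bucket": {"name": "my_bucket"},
                   "object": {"key": key, "size": size, "eTag": etag, "sequencer": sequencer}}}


# Constructed event: two creates, one stale re-delivery of the first key, one delete.
SAMPLE_EVENT = {"Records": [
    _record("ObjectCreated:Put", "521335461-2013_11_13.jpg", 1024, "e1", "0055A0B1C2"),
    _record("ObjectCreated:Put", "photos/my+holiday.jpg", 2048, "e2", "0055A0B1C5"),
    _record("ObjectCreated:Put", "521335461-2013_11_13.jpg", 512, "e0", "0055A0B1C1"),
    _record("ObjectRemoved:Delete", "old.jpg", 0, "", "0055A0B1C9"),
]}

if __name__ == "__main__":
    idx = ObjectIndex()
    print(handle_s3_event(SAMPLE_EVENT, idx), idx.keys_for_day("my_bucket", "2014-11-13"))
```

When the index is DynamoDB, the same `sequencer` comparison becomes a conditional write (`ConditionExpression` on the stored sequencer), which keeps concurrent Lambda invocations from overwriting a newer record with an older one.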
68. How can I simplify encryption for data in transit and data at rest?
69–73. Your Application Stacks – encryption in transit (diagram repeated from slides 3–11, with these callouts added one per slide)
• Elastic Load Balancer with SSL Termination (announced 2010)
• CloudFront with HTTPS access with custom domain names (announced 2013)
• RDS with SSL: MySQL (2010), SQL Server (2012), Oracle/NNE (2013), PostgreSQL (2013)
Caveats: terminating SSL at the ELB leaves the hop from the ELB to the instance in cleartext unless the backend listener is also HTTPS. For RDS, enforce SSL on the database account (for example MySQL GRANT … REQUIRE SSL) and have clients verify the server certificate against the RDS CA bundle; a client that merely "enables SSL" may still connect without it or accept any certificate.
74–88. Simplifying encryption in AWS – Today (AWS KMS, announced 2014)
KMS-integrated targets on the slide: Amazon S3 objects, Amazon EBS volumes, Amazon RDS or Redshift, and custom applications calling KMS from the client application.
Store data with envelope encryption
1) User creates Customer Master Keys (CMK)
2) User associates resource with CMK
3) Request to store data & context for encryption
4) Service requests encryption key with context
5) AWS KMS returns an encryption (data) key + an encrypted version of the key
6) Service encrypts the data with the encryption key, then deletes the key from memory
7) Service stores the data along with the encrypted key
Retrieve data with envelope encryption
1) Request to retrieve data
2) Service retrieves the encrypted data & encrypted key
3) Service sends the encrypted key and the UserID to KMS
4) AWS KMS decrypts the encryption key and returns the key to the service
5) Service decrypts the data with the encryption key, then deletes the key from memory
6) Service returns the data to the user
Why the context matters: the plaintext CMK never leaves KMS; only data keys do, and each is wrapped under the CMK together with the encryption context supplied at step 4. Decrypt at retrieve step 4 succeeds only for a caller the CMK key policy and IAM authorise for kms:Decrypt, and only when the context presented matches the one used at encryption time. Every GenerateDataKey and Decrypt call is recorded in CloudTrail, which gives you a per-object audit trail of who unwrapped which key.
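The two numbered flows above are straightforward to implement end to end, and doing so shows where the security properties come from. The block below is an added example, not the deck's material and not the AWS SDK: `KmsLike` is a constructed stand-in for KMS that keeps CMKs private and wraps data keys bound to an encryption context, and `EncryptingStore` is the "service" that stores ciphertext plus the wrapped key and never persists a plaintext key. Real KMS-integrated services use AES-GCM; to stay in the standard library this example uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag over the context, nonce and ciphertext, which gives the same authenticated, context-bound behaviour. The key identifiers and the context value are made up.

```python
"""Envelope encryption in the shape of the KMS flow on slides 74–88 (added example, not AWS code)."""
import hashlib
import hmac
import json
import secrets
import struct


def _canonical(context):
    """Encryption context as canonical bytes so the same dict always binds the same way."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _seal(key, plaintext, aad):
    """Authenticated encryption stand-in for AES-GCM: nonce || ciphertext || tag(aad, nonce, ct)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, sealed, aad):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expect = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsLike:
    """Constructed stand-in for AWS KMS: CMKs never leave this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):                                   # store step 1
        key_id = "cmk-" + secrets.token_hex(4)              # made-up identifier format
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id, context):           # store steps 4–5
        plaintext = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"|" + _seal(self._cmks[key_id], plaintext, _canonical(context))
        return plaintext, wrapped

    def decrypt(self, wrapped, context):                    # retrieve steps 3–4
        key_id, sealed = wrapped.split(b"|", 1)             # the blob identifies its CMK
        return _open(self._cmks[key_id.decode()], sealed, _canonical(context))


class EncryptingStore:
    """The 'service' on the slides: holds ciphertext and the wrapped key, never a plaintext key."""

    def __init__(self, kms, key_id):                        # store step 2
        self.kms, self.key_id, self._objects = kms, key_id, {}

    def put(self, name, data, context):                     # store steps 3–7
        data_key, wrapped = self.kms.generate_data_key(self.key_id, context)
        ct = _seal(data_key, data, _canonical(context))
        del data_key  # step 6; Python cannot guarantee zeroisation, only that no reference remains
        self._objects[name] = (ct, wrapped)

    def get(self, name, context):                           # retrieve steps 1–6
        ct, wrapped = self._objects[name]
        data_key = self.kms.decrypt(wrapped, context)       # fails on wrong context
        plaintext = _open(data_key, ct, _canonical(context))
        del data_key
        return plaintext


def context_mismatch_rejected(store, name, wrong_context):
    """True if retrieving with a different context is refused."""
    try:
        store.get(name, wrong_context)
    except ValueError:
        return True
    return False


def demo():
    kms = KmsLike()
    store = EncryptingStore(kms, kms.create_key())
    ctx = {"aws:s3:arn": "arn:aws:s3:::my_bucket"}         # made-up context value
    store.put("report.csv", b"id,amount\n1,42\n", ctx)
    return store.get("report.csv", ctx)
```

The stored object is `(ciphertext, wrapped key)`: an attacker who copies the store gets nothing usable without a Decrypt call that the CMK's key policy allows, and a wrapped key lifted from one bucket cannot be unwrapped under another bucket's context.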
90. I’ve hit some obstacles with my VPC in terms of integration and performance; what are some of my options?
91–94. Your Application Stacks – VPC obstacles (diagram repeated from slides 3–11, with these callouts added one per slide)
• The single NAT instance: this is a bottleneck & SPOF! Every private-subnet host's outbound Internet traffic passes through it, and it is one instance in one Availability Zone.
• The application tiers in the private subnets: these are bandwidth-intensive for Internet egress, so NAT instance size and count set the ceiling.
• Applications with legacy network reqs, such as fixed IP addresses or networks that overlap with the VPC's own CIDR.
104–115. Taking VPC Peering to the next Level
Topology: VPC A and VPC C both use 10.0.0.0/16. Their CIDRs overlap, so they cannot peer with each other, and peering is not transitive. Both peer with VPC B (10.1.0.0/16): PCX-1 connects A to B and PCX-2 connects B to C. In VPC B, Subnet 1 is 10.1.1.0/24 and Subnet 2 is 10.1.2.0/24.
VPC B – Route Table Subnet 1
Destination   Target
10.1.0.0/16   local
10.0.0.0/16   PCX-1
VPC B – Route Table Subnet 2
Destination   Target
10.1.0.0/16   local
10.0.0.0/16   PCX-2
VPC A – Route Table Subnet #
Destination   Target
10.0.0.0/16   local
10.1.1.0/24   PCX-1
VPC C – Route Table Subnet #
Destination   Target
10.0.0.0/16   local
10.1.2.0/24   PCX-2
Note: VPC C's route to 10.1.2.0/24 must target PCX-2, the only peering connection VPC C is attached to (the slide text labels this target PCX-1). Each outer VPC routes only the one /24 it is meant to reach, never all of 10.1.0.0/16.
Floating NAT Network (in VPC B): host 10.0.0.58 lives in VPC A and host 10.0.0.105 lives in VPC C. A NAT instance in B with an interface in each subnet presents C's host to A as 10.1.1.105 (Subnet 1) and presents A's host to C as 10.1.2.105 (Subnet 2).
Packet flow: A sends SRC 10.0.0.58 DST 10.1.1.105 over PCX-1; the NAT rewrites it to SRC 10.1.2.105 DST 10.0.0.105 and forwards it over PCX-2. Both source and destination are rewritten, because the reply must come back to an address C can route to B, not to a 10.0.0.x address that is local to C.
Route 53 Private Hosted Zones, one associated with each outer VPC, map the remote service names to the translated addresses, so applications keep using hostnames.
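The following added example (not from the deck) encodes the four route tables and the NAT translations above and traces the slide's packet hop by hop with longest-prefix matching, the way a VPC route table is evaluated. It also shows the two failure cases the design exists to avoid: a packet from A aimed directly at 10.0.0.105 never leaves A, because the CIDRs overlap, and a packet for an address in B's Subnet 2 is dropped in A, because A has no route for it. VPC C's route targets PCX-2 for the reason given in the note above; the table names are this example's labels.

```python
"""Packet path through the VPC peering + floating NAT design of slides 104–115 (added example)."""
import ipaddress

# Route tables from the slides; VPC C's non-local route targets its own peering connection, PCX-2.
ROUTE_TABLES = {
    "A":         [("10.0.0.0/16", "local"), ("10.1.1.0/24", "PCX-1")],
    "B-subnet1": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "PCX-1")],
    "B-subnet2": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "PCX-2")],
    "C":         [("10.0.0.0/16", "local"), ("10.1.2.0/24", "PCX-2")],
}
B_SUBNET1 = ipaddress.ip_network("10.1.1.0/24")

# Static 1:1 translations held by the floating NAT network in VPC B (slide addresses):
# address inside VPC B -> (real host, VPC that host lives in)
NAT_FORWARD = {
    "10.1.1.105": ("10.0.0.105", "C"),   # how VPC A reaches C's 10.0.0.105
    "10.1.2.105": ("10.0.0.58", "A"),    # how VPC C reaches A's 10.0.0.58
}
# (VPC, real host) -> address the far side knows it by. Keyed by VPC as well as
# address because both outer VPCs use 10.0.0.0/16, so an address alone is ambiguous.
NAT_REVERSE = {(vpc, real): inside for inside, (real, vpc) in NAT_FORWARD.items()}


def lookup(route_table, dst):
    """Longest-prefix match over one route table; None means no route (packet dropped)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[route_table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_vpc, src, dst):
    """Follow a packet sent by a host in VPC A or C.
    Returns hops of (route table consulted, src, dst, target)."""
    hops = [(src_vpc, src, dst, lookup(src_vpc, dst))]
    if hops[0][3] in (None, "local"):
        return hops                              # never crosses a peering connection
    if dst not in NAT_FORWARD:
        hops.append(("B", src, dst, None))       # arrived in B, but nothing answers there
        return hops
    real_dst, far_vpc = NAT_FORWARD[dst]
    new_src = NAT_REVERSE.get((src_vpc, src))
    if new_src is None:
        hops.append(("B", src, dst, None))       # untranslated sender: the reply could never be routed
        return hops
    out_table = "B-subnet1" if ipaddress.ip_address(new_src) in B_SUBNET1 else "B-subnet2"
    hops.append((out_table, new_src, real_dst, lookup(out_table, real_dst)))
    hops.append((far_vpc, new_src, real_dst, lookup(far_vpc, real_dst)))
    return hops


if __name__ == "__main__":
    for hop in trace("A", "10.0.0.58", "10.1.1.105"):
        print(hop)
    print("direct to overlapping address:", trace("A", "10.0.0.58", "10.0.0.105"))
    print("no route for B subnet 2 from A:", trace("A", "10.0.0.58", "10.1.2.50"))
```

Security groups on the NAT interfaces should admit only the translated pairs; the NAT is the one place where the two overlapping networks meet, so its rules are the effective perimeter between them.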
117–119. Auto scale HA NAT – scaling Internet egress capacity
Diagram: one AWS region with Availability Zones A and B; each has a public subnet holding a NAT instance in its own Auto Scaling group (ASG, min=1, max=1) and a private subnet whose route table points at that zone's NAT; the Internet beyond the NATs; DynamoDB, SQS and SNS reached from the private subnets.
• Use Auto Scaling for NAT availability
• Create 1 NAT per Availability Zone
• All private subnet route tables to point to same zone NAT
• 1 Auto Scaling group per NAT with min and max size set to 1
• Let Auto Scaling monitor the health and availability of your NATs
• NAT bootstrap script updates route tables programmatically
• Latest version of script – uses tags: https://github.com/ralex-aws/vpc
Caveats: a NAT instance forwards traffic for other hosts, so its source/destination check must be disabled or EC2 drops the packets. While Auto Scaling replaces a failed NAT that zone has no egress, so the instance profile needs only the EC2 route-table and instance-attribute permissions the bootstrap uses, and route tables should be tagged per zone so the script can never claim another zone's default route.
131. Scaling Internet egress capacity – Controlling the border
[Diagram: AWS region with Availability Zone A and Availability Zone B; Intranet Apps in Private Subnet(s) behind an internal load balancer (Elastic Load Balancing), Squid proxies in a Public Subnet per zone, HA NATs; internal customers reach the VPC from the customer data center over a VPN connection or Direct Connect; S3, DynamoDB and SQS are reached over HTTP/S]
• Squid Proxy layer deployed between internal load balancer and the IGW border.
• Only proxy subnets have route to IGW.
• Proxy security group allows inbound only from Elastic Load Balancing security group.
• Proxy restricts which URLs may pass. In this example, *.amazonaws.com is allowed.
• Egress NACLs on proxy subnets enforce HTTP/S only.
• Could also have HA NATs
Squid configuration:
# CIDR AND Destination Domain based Allow
# CIDR Subnet blocks for Internal ELBs
acl int_elb_cidrs src 10.1.3.0/24 10.1.4.0/24
# Destination domain for target S3 bucket
acl aws_v2_endpoints dstdomain .amazonaws.com
# Squid does AND on both ACLs for allow match
http_access allow int_elb_cidrs aws_v2_endpoints
# Deny everything else
http_access deny all
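An added example, not part of the original deck: a small evaluator for the Squid rules shown above, so the allow-list can be exercised against sample requests before it is deployed. It implements only what those lines use (acl src with CIDRs, acl dstdomain with the leading-dot rule, http_access first match with AND across the named ACLs); the sample requests are constructed.

```python
import ipaddress

# The Squid configuration from the slide, verbatim (comments are parsed away).
SQUID_CONF = """
# CIDR AND Destination Domain based Allow
# CIDR Subnet blocks for Internal ELBs
acl int_elb_cidrs src 10.1.3.0/24 10.1.4.0/24
# Destination domain for target S3 bucket
acl aws_v2_endpoints dstdomain .amazonaws.com
# Squid does AND on both ACLs for allow match
http_access allow int_elb_cidrs aws_v2_endpoints
# Deny everything else
http_access deny all
"""

def parse_squid(conf):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])]) in file order.
    'all' is Squid's built-in ACL that matches every source address."""
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, src_ip, dst_host):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = dst_host.lower().rstrip(".")
        for v in values:
            v = v.lower()
            # Leading dot: the domain itself and every subdomain; no dot: that exact host only.
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    raise ValueError("acl type not supported by this evaluator: " + kind)

def decide(acls, rules, src_ip, dst_host):
    """First http_access line whose ACLs all match wins. If no line matches, Squid applies
    the opposite of the last line's action, which is why 'deny all' closes the list."""
    for action, names in rules:
        if all(acl_matches(acls[n], src_ip, dst_host) for n in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def check(src_ip, dst_host, conf=SQUID_CONF):
    acls, rules = parse_squid(conf)
    return decide(acls, rules, src_ip, dst_host)

if __name__ == "__main__":
    # Constructed requests: an ELB-sourced S3 call, a look-alike domain, a non-ELB source.
    for src, host in [("10.1.3.7", "s3-ap-southeast-2.amazonaws.com"),
                      ("10.1.3.7", "amazonaws.com.example.net"),
                      ("10.9.9.9", "s3.amazonaws.com")]:
        print(src, host, "->", check(src, host))
```

Because every bucket in every account is served under amazonaws.com, the dstdomain rule bounds the service, not the bucket; restricting to one bucket needs a url_regex ACL in Squid or an IAM/bucket policy on the AWS side.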
141. Multicast on AWS
• Not directly supported
• Can be implemented with an overlay network
– GRE or L2TP tunnels, Ntop’s N2N
• GRE configuration can be automated
– Multicast configuration stored in tags
• Periodically check for new members (60 seconds)
[Diagram: Subnet 10.0.0.0/24 (hosts 10.0.0.54, 10.0.0.79, 10.0.0.41) and Subnet 10.0.1.0/24 (hosts 10.0.1.132, 10.0.1.183) joined by GRE tunnels into a 192.168.0.0/24 Overlay with overlay addresses 192.168.0.10, 192.168.0.12 and 192.168.0.13]
TAG: multicast App1,192.168.0.13/24
TAG: multicast App1,192.168.0.12/24
TAG: multicast App1,192.168.0.10/24
Setup Guide: http://bit.ly/aws-multi
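An added example (not code from the deck or from the linked setup guide) of the tag-driven automation the bullets describe: read multicast tags in the format shown, derive this instance's GRE peer set for its group, and work out what one 60-second membership poll must add or remove. The instance records are constructed, and which instance carries which overlay address is an assumption.

```python
import ipaddress

# Constructed sample: the fields this logic reads from describe_instances() records.
INSTANCES = [
    {"InstanceId": "i-01", "PrivateIpAddress": "10.0.0.54", "State": {"Name": "running"},
     "Tags": [{"Key": "multicast", "Value": "App1,192.168.0.10/24"}]},
    {"InstanceId": "i-02", "PrivateIpAddress": "10.0.0.79", "State": {"Name": "running"},
     "Tags": [{"Key": "multicast", "Value": "App1,192.168.0.12/24"}]},
    {"InstanceId": "i-03", "PrivateIpAddress": "10.0.1.132", "State": {"Name": "running"},
     "Tags": [{"Key": "multicast", "Value": "App1,192.168.0.13/24"}]},
    {"InstanceId": "i-04", "PrivateIpAddress": "10.0.1.183", "State": {"Name": "running"},
     "Tags": [{"Key": "multicast", "Value": "App2,192.168.1.5/24"}]},
    {"InstanceId": "i-05", "PrivateIpAddress": "10.0.0.41", "State": {"Name": "terminated"},
     "Tags": [{"Key": "multicast", "Value": "App1,192.168.0.14/24"}]},
]

def parse_multicast_tag(value):
    """'App1,192.168.0.13/24' -> ('App1', IPv4Interface('192.168.0.13/24')); None if malformed.
    A bad tag must not crash the poller, otherwise one mis-tagged instance stalls the group."""
    try:
        app, addr = (p.strip() for p in value.split(",", 1))
        return app, ipaddress.ip_interface(addr)
    except ValueError:
        return None

def group_members(instances, app):
    """{overlay address: underlay private IP} for the running members of one multicast group."""
    members = {}
    for inst in instances:
        if inst["State"]["Name"] != "running":
            continue  # terminated or stopping peers must drop out of the mesh
        tag = next((t["Value"] for t in inst["Tags"] if t["Key"] == "multicast"), None)
        parsed = parse_multicast_tag(tag) if tag else None
        if parsed and parsed[0] == app:
            members[str(parsed[1].ip)] = inst["PrivateIpAddress"]
    return members

def poll_changes(current_peers, instances, app, my_overlay_ip):
    """One membership poll (run every 60 seconds, as the slide suggests). Returns
    (peers_to_add, peers_to_remove) as {overlay: underlay} dicts, excluding this instance.
    A peer whose underlay endpoint changed appears in peers_to_add so its tunnel is rebuilt."""
    wanted = group_members(instances, app)
    wanted.pop(my_overlay_ip, None)
    add = {k: v for k, v in wanted.items() if current_peers.get(k) != v}
    remove = {k: v for k, v in current_peers.items() if k not in wanted}
    return add, remove

if __name__ == "__main__":
    # First poll from the 192.168.0.10 member: no tunnels yet, so every other App1 member is added.
    print(poll_changes({}, INSTANCES, "App1", "192.168.0.10"))
```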
148. Your Application Stacks
[Diagram: AWS Region with Availability Zone A and Availability Zone B, each with a public subnet and two private subnets; NAT, Auto Scaling groups, CloudFront, Route 53, S3, Glacier, DynamoDB, Amazon SQS, SNS, CloudWatch and CloudFormation]
Stacks for:
VPC
Edge Services
Datastores
Applications
Presentation
What about services with no native CloudWatch integration
Collecting and analysing non-EC2 logs
Managing non-CloudFormation supported resources/events
152. Advanced uses of CloudWatch – Custom Metrics
#!/usr/bin/python
import boto.ec2.cloudwatch
import boto.vpc

# Regions whose VPN connections are inspected; the custom metric is published in one region
AWS_Regions = ["us-east-1", "us-west-2", "us-west-1", "eu-west-1"]
CloudWatch_Region = "us-east-1"
cw = boto.ec2.cloudwatch.connect_to_region(CloudWatch_Region)

for region in AWS_Regions:
    vpcconn = boto.vpc.connect_to_region(region)
    vpns = vpcconn.get_all_vpn_connections()
    for vpn in vpns:
        if vpn.state == "available":
            # Every VPN connection has two IPsec tunnels; count how many are UP
            active_tunnels = 0
            if vpn.tunnels[0].status == "UP":
                active_tunnels += 1
            if vpn.tunnels[1].status == "UP":
                active_tunnels += 1
            print(vpn.id + " has " + str(active_tunnels) + " active tunnels!")
            # Publish the count as metric <vpn id> in namespace VPNStatus, keyed by gateway IDs
            cw.put_metric_data("VPNStatus", vpn.id, value=active_tunnels,
                               dimensions={'VGW': vpn.vpn_gateway_id, 'CGW': vpn.customer_gateway_id})
And Not Just For AWS Resources!
164. Advanced uses of CloudWatch – Logs
[Diagram: log sources feeding CloudWatch Logs: EC2 and a Traditional Server (OS agent-based), CloudTrail (native), S3 and CloudFront (pull/push, Lambda??)]
Metrics filters:
• Literal Terms
• Common Log Format
• JSON
166. Lambda-powered custom resources
[Diagram: Your AWS CloudFormation stack containing a security group, an Auto Scaling group, an EC2 instance (software pkgs, config, & data), Elastic Load Balancing, an ElastiCache memcached cluster and CloudWatch alarms, extended by Lambda-powered custom resources]
Your AWS Lambda functions:
// Implement custom logic here
Look up an AMI ID
Look up VPC ID and Subnet ID
Reverse an IP address
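As an added example, not code from the deck: a CloudFormation custom-resource handler for the "Reverse an IP address" function the slide lists, following the custom resource protocol (a Create/Update/Delete request carrying a pre-signed ResponseURL, answered with a PUT that echoes StackId, RequestId and LogicalResourceId). The event is constructed with placeholder identifiers, and the network PUT is kept in its own function so the decision logic runs offline.

```python
import ipaddress
import json
import urllib.request

# Constructed sample event in the shape CloudFormation sends to a custom resource Lambda.
EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://RESPONSE-URL-PLACEHOLDER.example/signed",
    "StackId": "arn:aws:cloudformation:REGION-PLACEHOLDER:ACCOUNT-PLACEHOLDER:stack/demo/STACK-ID-PLACEHOLDER",
    "RequestId": "REQUEST-ID-PLACEHOLDER",
    "LogicalResourceId": "ReversedDnsIp",
    "ResourceType": "Custom::ReverseIp",
    "ResourceProperties": {"ServiceToken": "LAMBDA-ARN-PLACEHOLDER", "IpAddress": "10.0.1.132"},
}

def reverse_ip(ip_text):
    """10.0.1.132 -> 132.1.0.10.in-addr.arpa (an IPv6 address yields its ip6.arpa name)."""
    return ipaddress.ip_address(ip_text).reverse_pointer

def build_response(event, status, data=None, reason=None):
    """Body CloudFormation expects on the ResponseURL. Every field except Data and Reason is
    mandatory and must echo the request; a wrong or missing one leaves the stack waiting."""
    return {
        "Status": status,
        "Reason": reason or "See CloudWatch Logs for details",
        # Create requests carry no PhysicalResourceId yet, so mint a stable one;
        # Update/Delete requests echo the one CloudFormation already knows.
        "PhysicalResourceId": event.get("PhysicalResourceId")
                              or event["LogicalResourceId"] + "-" + event["RequestId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def handle(event):
    """Pure part of the handler: compute the response body for any RequestType."""
    try:
        if event["RequestType"] == "Delete":
            return build_response(event, "SUCCESS")  # nothing external was created
        ip_text = event["ResourceProperties"]["IpAddress"]
        return build_response(event, "SUCCESS", {"ReversePointer": reverse_ip(ip_text)})
    except (KeyError, ValueError) as exc:
        # Always answer, even on failure: FAILED lets the stack roll back instead of hanging
        # until the custom resource timeout.
        return build_response(event, "FAILED", reason=str(exc))

def send_response(response_url, body):
    """PUT the JSON body to the pre-signed S3 URL; the signature in the URL is the only
    credential needed, so the function role needs no extra permissions for this step."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(response_url, data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def lambda_handler(event, context):
    body = handle(event)
    send_response(event["ResponseURL"], body)
    return body
```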