Best Practices for Getting Started with AWS

Getting started with Amazon Web Services (AWS) is fast and simple. This complimentary webinar will outline best practice guidance from many customers and the Amazon Web Services team, helping you gain advantage as you implement your projects in AWS.

Transcript

  • 1. Best practices for getting started with AWS. Ryan Shuttleworth, Technical Evangelist, @ryanAWS
  • 2. Agenda: Amazon Web Services background; utility computing & elasticity; best practices: choosing your use case, organizing your environments, security, architect to cloud strengths, services not software, be elastic & cost optimized
  • 3. Your feedback is important. Tell us: what's good, what's not; what you want to see at these events; what you want AWS to deliver for you
  • 4. Background
  • 5. Consumer business, seller business, IT infrastructure business:
    • Consumer business: tens of millions of active customer accounts; eight countries: US, UK, Germany, Japan, France, Canada, China, Italy
    • Seller business: sell on Amazon websites; use Amazon technology for your own retail website; leverage Amazon's massive fulfillment center network
    • IT infrastructure business: cloud computing infrastructure for hosting web-scale solutions; hundreds of thousands of registered customers in over 190 countries
  • 6. About Amazon Web Services: deep experience in building and operating global web scale systems. How did Amazon get into cloud computing?
  • 7. Over 10 years in the making: enablement of sellers on Amazon; internal need for scalable deployment environment; early forays proved developers were hungry for more
  • 8. AWS mission: enable businesses and developers to use web services* to build scalable, sophisticated applications. (*What people now call "the cloud")
  • 9. Not excess capacity!
  • 10. Each day AWS adds the equivalent server capacity to power Amazon when it was a global, $2.76B enterprise (circa 2000)
  • 11. Pace of innovation, April to June 2012:
    • AWS CloudFormation Support for Creating VPC Resources
    • Amazon Elastic MapReduce Now Supports Hive 0.8.1
    • AWS Elastic Beanstalk Announces Updated Command Line Interface
    • Amazon DynamoDB Now Available in Three Additional Regions
    • Amazon RDS Announces Oracle Enterprise Manager Support
    • Amazon SES Announces Bounce and Complaint Notifications
    • Announcing VM Export for Amazon EC2
    • AWS Elastic Beanstalk Now Available in the Asia Pacific (Tokyo) Region
    • Cluster Compute Eight Extra Large Instance Type Now Available in EU-West
    • AWS Console Enhancements for Elastic Load Balancing: Listener, Certificate, and Cipher Management
    • Amazon DynamoDB Announces BatchWriteItem Feature
    • AWS CloudFormation Supports Amazon DynamoDB and Amazon CloudFront Dynamic Content
    • Amazon RDS Announces Support for MySQL Read Replica in Amazon VPC
    • Introducing AWS Marketplace
    • New Sydney, Australia Edge Location for Amazon CloudFront & Amazon Route 53
    • AWS Announces the Availability of the Microsoft SharePoint Server on AWS Reference Architecture White Paper
    • AWS Elastic Beanstalk Now Available in the EU (Ireland) Region
    • Amazon Simple Email Service Announces Domain Verification
    • AWS Support Expands Free Tier, Adds New Features, Lowers Prices
    • AWS Announces CloudSearch
    • Amazon CloudFront Now Supports Dynamic Content
    • Amazon Elastic MapReduce Announces Support for HBase
    • Announcing the Availability of Reserved Cache Nodes for Amazon ElastiCache
    • Monitor Your AWS Charges with Billing Alerts Using Amazon CloudWatch
    • Amazon RDS MySQL on t1.micro, Starting at Just $19 a Month
    • Live Smooth Streaming for Amazon CloudFront
    • Announcing AWS Identity and Access Management (IAM) Roles for EC2 Instances
    • Announcing API and AWS Identity & Access Management Support for AWS Storage Gateway
    • Announcing Internal Load Balancing in Amazon Virtual Private Cloud
    • New Managed Services for Windows Developers Worldwide
    • New and Updated Microsoft SQL Server Offerings on Amazon EC2
    • Announcing Spot Integration with Auto Scaling and CloudFormation
    • New Amazon RDS for Oracle Capabilities and Multi-AZ Enhancements
    • AWS Billing Enables Enhanced CSV Reports and Programmatic Access
    • Amazon ElastiCache Launches Free Trial Program
  • 12. Pace of innovation: the same list, annotated as Q2 2012, 35 new features
  • 13. Number of released features per year, with sample services described: 2007: 9; 2008: 24; 2009: 48; 2010: 61; 2011: 82; H1 2012: 63. Sample services: Relational Database Service, Virtual Private Cloud, Simple Notification Service, Elastic MapReduce, Route 53, Auto Scaling, RDS Multi-AZ, Reserved Instances, Singapore Region, Elastic Load Balancer, Identity Access Management, Cluster Instances, Elastic Beanstalk, Simple Email Service, CloudFormation, RDS for Oracle, ElastiCache, SimpleDB, CloudFront, EBS, Availability Zones, Elastic IPs, Amazon FPS, Red Hat EC2, DynamoDB, Simple Workflow, CloudSearch, Storage Gateway, Route 53 Latency Based Routing
  • 14. Objects in S3: 1 trillion (growth chart); 750k+ peak transactions per second
  • 15. Utility computing
  • 16. Utility computing: on demand, pay as you go, uniform, available
  • 17. Utility computing: on demand, pay as you go, uniform, available
  • 18. Utility computing
  • 19. Utility computing: on demand, pay as you go, uniform, available. Services: compute, scaling, security, CDN, backup, DNS, database, storage, load balancing, workflow, monitoring, networking, messaging
  • 20. On a global footprint: Regions: US-WEST (N. California), EU-WEST (Ireland), GOV CLOUD, ASIA PAC (Tokyo), US-EAST (Virginia), US-WEST (Oregon), ASIA PAC (Singapore), SOUTH AMERICA (Sao Paulo)
  • 21. On a global footprint: Availability Zones
  • 22. On a global footprint: Edge locations: London (2), Seattle, South Bend, New York (2), Amsterdam, Newark, Stockholm, Dublin, Palo Alto, Tokyo, San Jose, Frankfurt (2), Paris (2), Ashburn (2), Milan, Osaka, Los Angeles (2), Jacksonville, Dallas (2), Hong Kong, St. Louis, Miami, Singapore (2), Sydney, Sao Paulo
  • 23. At the end of a web service:
      ec2-run-instances ami-b232d0db --instance-count 3 --availability-zone eu-west-1a --instance-type m1.small
      ec2-run-instances ami-b232d0db --instance-count 5 --availability-zone eu-west-1c --instance-type m1.medium
  • 24. At the end of a web service:
      ec2-run-instances ami-b232d0db --instance-count 2 --availability-zone eu-east-1d --instance-type m1.xlarge
      ec2-run-instances ami-b232d0db --instance-count 2 --availability-zone us-east-1b --instance-type m1.xlarge
  • 25. At the end of a web service:
      as-create-auto-scaling-group MyGroup --launch-configuration MyConfig --availability-zones eu-west-1c --min-size 2 --max-size 200
      ec2-authorize default -p 80
      elb-create-lb myLoadBalancer
  • 26. ...and rich console services
  • 27. Elasticity
  • 28. Elastic capacity (chart of capacity over time: traditional IT capacity versus your IT needs)
  • 29. Elastic capacity: on and off; fast growth; variable peaks; predictable peaks
  • 30. Elastic capacity: on and off; fast growth; variable peaks; predictable peaks (chart annotations: WASTE, CUSTOMER DISSATISFACTION)
  • 31. Elastic capacity (chart of capacity over time: traditional IT capacity, elastic cloud capacity, your IT needs)
  • 32. Elastic capacity: on and off; fast growth; variable peaks; predictable peaks
  • 33. 503 Service Temporarily Unavailable: The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
  • 34. 503 Service Temporarily Unavailable: The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
  • 35. From one instance...
  • 36. ...to thousands
  • 37. Elastic capacity. Time: +00h, <10 cores
  • 38. Elastic capacity. Time: +24h, >1500 cores
  • 39. Elastic capacity. Time: +72h, <10 cores
  • 40. Elastic capacity. Time: +120h, >600 cores
  • 41. 40 servers to 5000 in 3 days (chart: number of EC2 instances, 4/12/2008 to 4/20/2008; steady state of ~40 instances; launch of Facebook modification; "Techcrunched"; EC2 scaled to peak of 5000 instances)
  • 42. Best practices
  • 43. 1. Choose your use case well
  • 44. Choose use case that suits you. Low hanging fruit can be easiest way to 'cut teeth'
  • 45. Choose use case that suits you:
    • Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment
    Low hanging fruit can be easiest way to 'cut teeth'
  • 46. Choose use case that suits you:
    • Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment
    • Backup & DR: take part of your data or business applications step by step into non-production DR use; understand cloud dynamics and test during controlled failovers
    Low hanging fruit can be easiest way to 'cut teeth'
  • 47. Choose use case that suits you:
    • Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment
    • Backup & DR: take part of your data or business applications step by step into non-production DR use; understand cloud dynamics and test during controlled failovers
    • Greenfield project: embody best practice of cloud computing in unconstrained greenfield projects; self contained web projects, document archiving etc.
    Low hanging fruit can be easiest way to 'cut teeth'
  • 48. Choose use case that suits you:
    • Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment
    • Backup & DR: take part of your data or business applications step by step into non-production DR use; understand cloud dynamics and test during controlled failovers
    • Greenfield project: embody best practice of cloud computing in unconstrained greenfield projects; self contained web projects, document archiving etc.
    • Pain point: move specific service aspects causing undue cost or management burden; workflows, search indexing, media streaming, document archiving, constrained databases
    Low hanging fruit can be easiest way to 'cut teeth'
  • 49. Plan evolution & set goals:
    • PoC: understand services; test performance; architect for scale; build cross functional team capabilities
    • Production: implement monitoring; change control and management; security management; scalability; system backup and recovery
    • Automation: automate corrective measures; auto-scaling; zero downtime deployments
  • 50. Plan evolution & set goals: PoC, Production and Automation as on slide 49. Examples: Beanstalk, APIs, CLI, CloudFormation, CloudWatch, Auto scaling, IAM
  • 51. 2. Organize your house
  • 52. Organize your house:
    • Accounts: create an account structure that makes sense. Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services
  • 53. Organize your house:
    • Accounts: create an account structure that makes sense. Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services
    • Billing: control access to billing information. Use IAM users to keep billing information in the master account. Consolidate billing into a single account: let one account pick up the bill for multiple 'sub accounts'. Setup billing alerts and automated bill reporting: get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis
  • 54. Billing settings: enable CSV & programmatic access (Billing Preferences)
  • 55. Billing settings (diagram): Dev 1, Dev 2, Test, Production and Internal Systems accounts roll up to the Master Account via consolidated billing; billing alerts ("bill reached $x"); billing data labeled by source in S3; cost accounting in favorite package
  • 56. Billing settings (diagram): Dev 1 reached $100; Dev 2 reached $250; Test reached $1,000; Prod reached $1,200; Internal reached $400 (alerts to the Master Account)
  • 57. Organize your house: Accounts and Billing, as on slide 53
  • 58. Organize your house: Accounts and Billing as on slide 53, plus:
    • Access Keys: decide upon a key management strategy. Control access to EC2 instances via SSH and embedded public key, e.g. EC2 key pair per group of instances, EC2 key pair per account. Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances. Consider bootstrap automation to grant developer access with developer unique keypairs
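Slide 58's advice to rotate keys and replace authorized_keys listings on running instances is easy to get wrong in automation (a half-written file, a malformed line, a stale key left behind). The following is an added example, not code from the deck or from AWS: it replaces a file with exactly the current allowed set, validates before writing, and writes atomically. The key blobs in demo() are constructed placeholders.

```python
"""Replace an instance's authorized_keys with exactly the current allowed set.

Added example (not from the original deck). It (a) validates every new key
line before touching the file, so a bad push cannot lock operators out,
(b) writes via temp file plus rename so sshd never reads a partial file, and
(c) sets the 0600 mode that sshd's StrictModes expects. Key blobs used in
demo() are constructed placeholders, not real keys.
"""
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

# One OpenSSH public-key line: optional options word, key type, base64 blob,
# optional comment. Assumption: options containing whitespace are not used.
_KEY_RE = re.compile(
    r"^(?:\S+\s+)?"
    r"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"([A-Za-z0-9+/]+=*)"
    r"(?:\s+\S.*)?$"
)


def parse_key(line: str) -> Tuple[str, str]:
    """Return (key_type, blob) or raise ValueError for a malformed line."""
    match = _KEY_RE.match(line.strip())
    if not match:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return match.group(1), match.group(2)


def read_keys(path: str) -> List[str]:
    """Non-blank, non-comment lines of an authorized_keys file ([] if absent)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [ln.rstrip("\n") for ln in fh
                if ln.strip() and not ln.lstrip().startswith("#")]


def rotate_authorized_keys(path: str, allowed: Iterable[str]) -> Tuple[int, int]:
    """Make `path` contain exactly `allowed` (deduplicated by key blob).

    Returns (added, removed) counts. Raises ValueError, before writing
    anything, if any allowed line is malformed."""
    new_lines: Dict[str, str] = {}
    for line in allowed:
        _, blob = parse_key(line)          # validate first, write later
        new_lines.setdefault(blob, line.strip())

    old_blobs = set()
    for line in read_keys(path):
        try:
            old_blobs.add(parse_key(line)[1])
        except ValueError:
            pass                            # junk already in the file is dropped

    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".authorized_keys.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("".join(f"{ln}\n" for ln in new_lines.values()))
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)               # atomic rename on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return len(set(new_lines) - old_blobs), len(old_blobs - set(new_lines))


def demo() -> dict:
    """Rotate a constructed file in a temp dir and report what happened."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    stale = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDER0000000000"
             " alice@laptop-2011")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"# constructed starting state\n{stale}\nnot a key at all\n")
    current = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER0000000000 alice@laptop-2012",
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER bob@workstation",
    ]
    added, removed = rotate_authorized_keys(path, current)
    rejected = False
    try:                                    # a bad push must not alter the file
        rotate_authorized_keys(path, ["garbage line"])
    except ValueError:
        rejected = True
    return {
        "added": added,
        "removed": removed,
        "keys": read_keys(path),
        "mode": oct(os.stat(path).st_mode & 0o777),
        "rejected_bad_push": rejected,
        "still_intact": read_keys(path) == current,
    }
```

The allowed set would normally be pulled from wherever the team keeps its developer public keys (the bootstrap automation slide 58 mentions); the function does not care where it came from.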
  • 59. Organize your house: Accounts, Billing and Access Keys as on slides 53 and 58, plus:
    • Groups & Roles: use IAM groups to manage console users and API access. Provide developers with IAM user login and unique API access credentials. Control & restrict what IAM users can do by placing them in groups with policies. Assign EC2 instances IAM roles: let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. instance can only read S3 bucket
  • 60. Identity & access management (diagram): Account; Administrators: Jim, Bob, Susan; Developers: Brad, Mark, Kevin; Applications: Reporting, Console, Tomcat
  • 61. Identity & access management (diagram): Groups (Administrators, Developers, Applications as above); multi-factor authentication
  • 62. Identity & access management (diagram): Groups; Roles: AWS system entitlements; multi-factor authentication
  • 63. IAM policies: policy driven; declarative definition of rights for groups; policies control access to AWS APIs. Example policy:
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "elasticbeanstalk:*",
              "ec2:*",
              "elasticloadbalancing:*",
              "autoscaling:*",
              "cloudwatch:*",
              "s3:*",
              "sns:*"
            ],
            "Resource": "*"
          }
        ]
      }
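The slide 63 policy grants "service:*" on every resource for seven services, which is the opposite of the slide 59 goal of an instance that "can only read S3 bucket". As an added example (not code from the deck or from AWS), the checker below flags every wildcard Allow action in a policy document and shows the least-privilege role policy for that S3 case; the bucket name is a constructed placeholder.

```python
"""Flag over-broad grants in an IAM policy document.

Added example (not from the original deck). policy_findings() reports every
Allow action that is a wildcard, and S3_READ_ONLY_ROLE_POLICY shows the
least-privilege shape slide 59 describes. Bucket name is a placeholder.
"""
import json
from typing import Any, List, Set

# Policy as shown on slide 63.
SLIDE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*",
            ],
            "Resource": "*",
        }
    ]
}

# Slide 59's "instance can only read S3 bucket" as an instance-role policy:
# GetObject on the objects, ListBucket on the bucket itself, nothing else.
S3_READ_ONLY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-config/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-app-config",
        },
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> List[str]:
    """One finding per wildcard Allow action ('*' or 'svc:*'), plus one for a
    NotAction statement (it grants everything not listed). Deny statements
    only narrow access and are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction grants every unlisted action; review")
        on_all = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                scope = "all resources" if on_all else "scoped resources"
                findings.append(f"statement {idx}: wildcard {action} on {scope}")
    return findings


def wildcard_services(policy: dict) -> Set[str]:
    """Service prefixes granted 'svc:*' (or '*' for everything) by Allow statements."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                services.add("*")
            elif action.endswith(":*"):
                services.add(action.split(":", 1)[0])
    return services


def findings_from_json(text: str) -> List[str]:
    """Convenience wrapper for a policy document pasted from the console."""
    return policy_findings(json.loads(text))


def is_least_privilege(policy: dict) -> bool:
    """True when no Allow statement uses a wildcard action or NotAction."""
    return not policy_findings(policy)
```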
  • 64. 3. Think security
  • 65. Shared responsibility:
    • You: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity)
    • Amazon: foundation services (compute, storage, database, networking); AWS global infrastructure (availability zones, edge locations, regions)
  • 66. Leverage shared security model: understand your customer & form security stance
  • 67. Leverage shared security model: understand your customer & form security stance. External audience: penetration test requests; your certifications; your processes
  • 68. Leverage shared security model: understand your customer & form security stance. External audience: penetration test requests; your certifications; your processes. Internal audience: IAM; administration; architecture
  • 69. Leverage shared security model: understand your customer & form security stance. External audience: penetration test requests; your certifications; your processes. Internal audience: IAM; administration; architecture. Regulated audience: AWS certifications; AWS white papers; AWS QSA process
  • 70. Leverage shared security model: understand your customer & form security stance. Engage with security assessors early in adoption cycle: don't fear assessment, AWS meets high standards (PCI, ISO27001, SOC1...); as with any infrastructure provider, security assessments take time; derive value from architecture reviews early in deployment cycle
  • 71. Leverage shared security model: understand your customer & form security stance; engage with security assessors early in adoption cycle; use comprehensive materials and certifications provided by AWS: http://aws.amazon.com/security/ (risk and compliance paper; AWS security processes paper; NEW! CSA consensus assessments initiative questionnaire)
  • 72. Leverage shared security model: understand your customer & form security stance; engage with security assessors early in adoption cycle; use comprehensive materials and certifications provided by AWS; build upon features of AWS and implement a 'security by design' environment
  • 73. Build upon AWS features:
    • Tiered access (IAM): control users and allow AWS to manage credentials in running instances for service access (allocation, rotation). APIs vs instance: provide developer API credentials and control access to SSH keys. Temporary credentials: provide developer API credentials and control access to SSH keys
    • Security groups (instance firewalls). CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs; generate an on-demand IT inventory enabled by programmatic nature of AWS
    • VPC (subnet control): create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs. Bastion hosts: only allow access for management of production resources from a bastion host; turn off when not needed
    • Direct Connect & VPN (private connections to VPC): secured access to resources in AWS over software or hardware VPN and dedicated network links
  • 74. 4. Architect to use cloud strengths
  • 75. Architect to use cloud strengths: review application architectures early and assess fit for cloud
    • e.g. variable capacity requirements, 'standard' technology stacks, reference architectures (http://aws.amazon.com/architecture)
    • Can cloud benefits be leveraged with minimum effort outlay? e.g. application performance improvement by migration of static content to S3/CloudFront
    • Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments
    • Can automation lead to a more agile & secure service? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
  • 76. Architect to use cloud strengths. Disposable compute: design systems that can suffer instance loss; dispose of compute when it is not required
  • 77. Architect to use cloud strengths. Disposable compute; flexible capacity: design for systems that potentially scale from zero instances to hundreds; use auto-scaling (events, schedules etc.) to drive capacity availability
  • 78. Architect to use cloud strengths. Disposable compute; flexible capacity; cost effective & reliable storage: utilize 99.999999999% durability of objects in S3; scale databases with RDS and use DynamoDB for high throughput NoSQL
  • 79. Architect to use cloud strengths. Disposable compute; flexible capacity; cost effective storage; automation and control: automate everything from scaling to instance recovery from failure
  • 80. Bootstrapping, custom AMIs: 1. create instance for your OS choice; 2. configure environment; 3. install software; 4. create AMI from instance; 5. launch fully configured instances from AMI (diagram: instance to custom machine image, used by auto-scaling, manual deployments and programmatic deployments)
  • 81. Bootstrapping, metadata service: instance metadata service contains wealth of information about an instance (custom or standard machine image receives custom data to drive bootstrapping). http://169.254.169.254/latest/meta-data exposes: ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id
  • 82. Bootstrapping, metadata service: AMI + user data (http://169.254.169.254/latest/meta-data). Scripts in the user-data field of metadata will be executed on launch, e.g.:
      #!/bin/sh
      yum -y install httpd
      chkconfig httpd on
      /etc/init.d/httpd start
    Or: <powershell> … </powershell>
  • 83. Bootstrapping, metadata service: AMI + user data. Scripts in the user-data field of metadata will be executed on launch: install software e.g. web server, app server, proxy; pull data and application packages from S3; publish metadata for instance to other systems e.g. monitoring systems; setup security profile of instance based upon intended use e.g. pull latest config
  • 84. 1. Use multiple availability zones
  • 85. 2. Use RDS with replicas and slaves
  • 86. 3. Use auto-scaling groups
  • 87. 4. Use Elastic Load Balancing
  • 88. 5. Use Route 53 to host DNS zones
  • 89. Architect  to  use  cloud  strengths   Elastic Load Balancing Route 53 RDS Auto-scaling Use  at  regional  level   Leverage  SLA   Scale  databases  without   Dynamically  scale  resources  &       Combined  with  autoscaling  will   Improve  applicaBon  reliability  with   admin  overhead   control  costs       balance  requests  and  resource   Route  53’s  SLA  on  requests  served   Choose  instance  size  for  databases   Only  provision  the  resources  that   capacity  across  availability  zones     and  scale  up  over  Bme   are  required  with  scale  up  and  cool     Weighted  rouBng     down  policies  that  match  demand   Within  VPC     Perform  A/B  analysis,  and  staged   Add  high  availability  from     Use  to  loadbalance  between   applicaBon  roll-­‐outs  by  moving  a   management  console     applicaBon  Bers  within  an   porBon  of  traffic  to  new   Create  master-­‐slave  configuraBons   availability  zone   infrastructure   and  read-­‐replicas.  AWS  takes  care  of       the  failover  and  recreaBon  of  a  new   Instance  migraBons   Control  TTLs  and  updates   slave  in  event  of  master  DB  loss       Easily  move  instances  from  dev   Take  absolute  control  of  DNS  environments  to  test  environments   updates  for  more  decisive  system   by  moving  between  ELBs   updates      
  • 90. 5Services not software
  • 91. Services  not  soGware   Use  AWS  services   +    Your  technology  skills   =   Less  Bme  managing  and  installing  soGware   More  Bme  focused  on  business  applicaBons     let  AWS  do  the  heavy  liGing  
  • 92. Services  not  soGware   Relational Database ServiceUse RDS for Database-as-a-Servicedatabases No need to install or manage database instances Scalable and fault tolerant configurations DynamoDB Use DynamoDB for Provisioned throughput NoSQL database high performance Fast, predictable performance key-value DB Fully distributed, fault tolerant architecture
  • 93. Services  not  soGware  Processing results Amazon SQS Reliable message Reliable, highly scalable, queue Amazon SQS queuing without service for storing messages as they travel between instances additional software Processing task/ processing trigger 1 2 Push inter-process Simple Workflow Task A workflows into the Reliably coordinate processing steps Task B 3 across applications cloud with SWF (Auto-scaling) Integrate AWS and non-AWS resources Manage distributed state in complex systems Task C
  • 94. Services  not  soGware   DocumentDon’t install search Cloud Search Server Elastic search engine based uponsoftware, use Amazon A9 search engineCloudSearch Fully managed service with sophisticated feature set Search Scales automatically Server Results Elastic MapReduce Elastic Hadoop cluster Process large Integrates with S3 & DynamoDB volumes of data cost Leverage Hive & Pig analytics scripts effectively with EMR Integrates with instance types such as spot
  • 95. 6Be elastic and cost optimized
  • 96. Be  elasBc  and  cost  opBmized   Elastic Load Balancing Auto-scaling policies Scalability   Cost  OpBmizaBon   Availability   Instance types and sizes
  • 97. Auto-scaling policies
    Manually: send an API call or use the CLI to launch/terminate instances; only the capacity change (+/-) needs to be specified.
    By schedule: scale up/down based on date and time.
    By policy: scale in response to changing conditions, based on user-configured real-time monitoring and alerts.
    Auto-rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs.
  • 98. Auto-scaling policies
    Manually: send an API call or use the CLI to launch/terminate instances; only the capacity change (+/-) needs to be specified. Pre-emptive manual scaling of capacity, e.g. before a marketing event add 10 more instances.
    By schedule: scale up/down based on date and time. Regular scaling up and down of instances, e.g. scale from 0 to 2 to process SQS messages every night, or double capacity on a Friday night.
    By policy: scale in response to changing conditions, based on user-configured real-time monitoring and alerts. Dynamic scaling based upon custom metrics, e.g. SQS queue depth, average CPU load, ELB latency.
    Auto-rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs. Maintain capacity across availability zones, e.g. instance availability maintained in the event of an AZ becoming unavailable.
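The four policy types above, as an added example that is not from the deck or the AWS SDK: a small Python model of an Auto Scaling group's capacity decisions. The class, the cooldown of 300 seconds, the SQS-depth threshold per instance and the step size are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AutoScalingGroup:
    """Toy model of an Auto Scaling group's capacity decisions (constructed for
    illustration; not the AWS implementation). Desired capacity is always
    clamped to [min_size, max_size], as the real service does."""
    min_size: int
    max_size: int
    desired: int
    azs: list                      # availability zones the group spans
    cooldown: int = 300            # seconds to wait after a policy-driven change
    schedule: dict = field(default_factory=dict)   # hour of day -> desired capacity
    last_policy_change: int = -10**9

    def _clamp(self, n):
        return max(self.min_size, min(self.max_size, n))

    # Manually: an API/CLI call stating only the capacity change (+/-)
    def adjust_capacity(self, delta):
        self.desired = self._clamp(self.desired + delta)
        return self.desired

    # By schedule: e.g. {1: 2} scales 0 -> 2 at 01:00 for the nightly SQS batch
    def apply_schedule(self, hour):
        if hour in self.schedule:
            self.desired = self._clamp(self.schedule[hour])
        return self.desired

    # By policy: scale on a custom metric (SQS queue depth), honouring the cooldown
    def apply_policy(self, now, queue_depth, per_instance=100, step=2):
        if now - self.last_policy_change < self.cooldown:
            return False                     # still cooling down, ignore the alarm
        backlog = queue_depth / max(self.desired, 1)
        if backlog > per_instance:
            new = self._clamp(self.desired + step)
        elif queue_depth == 0:
            new = self._clamp(self.desired - 1)   # drain, one instance at a time
        else:
            new = self.desired
        if new == self.desired:
            return False                     # no change, so no cooldown started
        self.desired, self.last_policy_change = new, now
        return True

    # Auto-rebalance: spread desired capacity evenly over the AZs still healthy,
    # so the loss of one AZ is absorbed by the remaining zones
    def placement(self, healthy_azs=None):
        azs = [az for az in self.azs if healthy_azs is None or az in healthy_azs]
        base, extra = divmod(self.desired, len(azs))
        return {az: base + (1 if i < extra else 0) for i, az in enumerate(azs)}
```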
  • 99. Instance types
    On-demand instances
      Unix/Linux instances start at $0.02/hour
      Pay as you go for compute power
      Low cost and flexibility
      Pay only for what you use, no up-front commitments or long-term contracts
      Use cases: applications with short-term, spiky, or unpredictable workloads; application development or testing
    Reserved instances
      1- or 3-year terms
      Pay a low up-front fee, receive a significant hourly discount
      Low cost / predictability
      Helps ensure compute capacity is available when needed
      Use cases: applications with steady-state or predictable usage; applications that require reserved capacity, including disaster recovery
    Spot instances
      Bid on unused EC2 capacity
      Spot price based on supply/demand, determined automatically
      Cost / large-scale, dynamic workload handling
      Use cases: applications with flexible start and end times; applications only feasible at very low compute prices
  • 100. Leverage all models
    (Chart: instance count over time on a 0 to 7000 axis, with the series labelled top to bottom as Spot, On Demand and Reserved Instances)
  • 101. Instance types
    Choose an instance type that matches requirements
      Start with memory requirements and architecture type (32-bit or 64-bit)
      Then choose the closest number of virtual cores required
    Scale across availability zones
      Smaller sizes give more granularity for deploying to multiple AZs
    Start with on-demand and then assess utilization for RIs
      Instances that are always running – heavy-utilization RIs
      Instances occasionally used in auto-scaling – light-utilization RIs
  • 102. Summary
  • 103. Cloud computing
    On-premise: 70% managing all of the infrastructure ("undifferentiated heavy lifting"), 30% your business.
  • 104. Cloud computing
    On-premise: 70% managing all of the infrastructure ("undifferentiated heavy lifting"), 30% your business.
    AWS cloud-based: 30% configuring your cloud assets infrastructure, 70% more time to focus on your business.
  • 105. Agility
  • 106. aws.amazon.com – get started with the free tier
  • 107. Agenda
    Amazon Web Services background
    Utility computing & elasticity
    Best practices: choosing your use case; organizing your environments; security; architect to cloud strengths; services not software; be elastic & cost optimized
  • 108. Thank you. Ryan Shuttleworth – Technical Evangelist, @ryanAWS