So You Think You’re An AWS Ninja? (Dean Samuels)
  • Hi Amazon Web Services, if you're writing about DRBD® then please always include the following sentence:

    DRBD®, the DRBD logo, LINBIT®, and the LINBIT logo are trademarks or registered trademarks of LINBIT in Austria, the United States and other countries.

    Many thanks!
    Manfred Ostermann
    LINBIT Marketing Manager
Presentation Transcript

  • So You Think You’re An AWS Ninja? Dean Samuels, Amazon Web Services
    © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • AWS Pace of Innovation
  • Ninja Tips
    •  Compute and Networking
    •  Storage & Content Delivery
    •  Deployment & Management
    •  Security
    •  Big Data & App Services……maybe!
  • Meet Simon
    Simon is all about Compute & Networking
    •  Design for failure is his motto
    •  Simon prefers to get the most performance out of components rather than simply upsizing
    •  Simon manages many AWS resources across several accounts
    •  Integrates with third-party providers in the cloud too!
    •  Black Belt Tip – Route53 & Elastic Load Balancing
       –  Cross-Zone Load Balancing….finally!
       –  Application Failover via DNS….really?
    •  Ninja Tip – VPC Peering
       –  Trust thy neighbour!
       –  VPC peering within an account
       –  VPC peering between accounts
  • ELB & Route53 (diagram slide, two panels: Route 53 DNS Failover; Cross-Zone Load Balancing)
  • VPC Peering (diagram slide: the VPCs Simon peers with each other and with the Internet)
    –  Simon’s Shared Services VPC 10.1.0.0/16
    –  Simon’s Workspaces VPC 192.168.0.0/20
    –  Simon’s Enterprise Apps VPC 172.16.0.0/16
    –  Third-Party WAF VPC 10.100.0.0/16
    –  Simon’s Web Apps VPC 10.11.0.0/16
    –  Simon’s Test/Dev VPC 10.10.0.0/16
    –  Simon’s Proxy VPC 10.20.10.0/24
    –  Internet
  • This is Jeff
    Jeff is ‘Mr Storage’…optimising use of AWS storage tiers is his thing
    •  Instance storage for temporary data
    •  EBS storage for persistent storage
    •  S3 for backups, serving web & media and even as a BitTorrent seeder
    •  Glacier for archiving data
    •  Hates paying for storage he doesn’t use
    •  But loves the S3 price reductions!
    •  Black Belt Tip – Storage Gateway File Shares
       –  S3 backed NAS: large volume file shares, no upfront cost
       –  On-premise or in the AWS Cloud
    •  Ninja Tip – Instance Storage
       –  Normally ephemeral storage
       –  Using replication = durable storage
       –  EBS PIOPs and Enhanced Networking
  • Next Generation Storage File Servers (diagram slide)
    –  Corporate data centre: file servers with direct-attached or storage area network disks, plus an on-premise AWS Storage Gateway (cache & upload buffer) presenting multi-terabyte iSCSI cached volumes; it talks over SSL, across the Internet or WAN, to the AWS Storage Gateway service, which gives “block” volumes @ S3 prices with encrypted & compressed volume snapshots.
    –  AWS Cloud: EC2 file servers serve CIFS/NFS to EC2 clients from an EC2-hosted AWS Cached Storage Gateway (cache & upload buffer on EBS PIOPS) with multi-terabyte iSCSI cached volumes.
    –  Third-party options too: Riverbed Whitewater, SoftNAS, Maginatics
  • High Speed* & High Density* Instance Storage for Durable Data (diagram slide)
    –  Instance Storage with sync to EBS: MDADM RAID 0 array on SSD-based instance storage, replicated with DRBD protocol A (asynchronous) to an EBS PIOPS SSD-backed data store on an EBS-optimized instance, up to 50,000 IOPS = 800 MB/s; general network traffic shares the instance’s network path.
    –  Instance Storage to Instance Storage to EBS: MDADM RAID 0 or 1+0 array on HDD or SSD (100,000s IOPS), EC2 instance to EC2 instance over Enhanced Networking*, and on to EBS.
    *I2 and C3 instances: multiple 10s & 100’s GB SSD-based instance storage; Enhanced Networking = higher PPS and lower jitter & latency
  • Say Hi to Rodos
    Rodos doesn’t like to make mistakes…so he automates everywhere.
    •  Uses CloudFormation wherever possible….but not everything is supported by CloudFormation?
    •  AutoScaling! AutoScaling! AutoScaling!
    •  Interacts with AWS Support to have things optimised and fixed…but Rodos doesn’t scale
    •  Happy to write scripts to interact with AWS API
    •  Black Belt Tip – Programmable resources
       –  AWS Support: it’s an API too!
       –  Automated/self-healing infrastructures: Servers != Our Pets
  • Programmatic Access to Resources
    •  Monitoring Your Service Limits
       –  Via Service API
          aws iam get-account-summary
          aws autoscaling describe-account-limits
          aws ec2 describe-account-attributes
          aws ses get-send-quota
       –  Via Trusted Advisor
          aws support describe-trusted-advisor-check-result --check-id <check_id> --language en
    •  Accessing Support via API
       –  Integrate with your own management/monitoring systems
       –  Automatically log tickets via CloudFormation
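As an added example (not from the talk), a small Python script that turns the JSON printed by aws iam get-account-summary into a list of limits close to their quota, and also checks the root MFA flag the same call reports; the SummaryMap keys are the ones that command returns, and the sample document is constructed, not a real account.

```python
# Added example, not from the talk: reads the JSON that
# "aws iam get-account-summary" prints (SummaryMap with <Name>/<Name>Quota
# pairs) and reports limits that are close to exhaustion. The document
# below is constructed sample output, not a real account.
import json
import sys

SAMPLE_SUMMARY = json.dumps({"SummaryMap": {
    "Users": 4700, "UsersQuota": 5000,
    "Roles": 120, "RolesQuota": 1000,
    "Groups": 95, "GroupsQuota": 300,
    "ServerCertificates": 2, "ServerCertificatesQuota": 20,
    "AccountMFAEnabled": 0,
}})

def limit_usage(summary_json):
    """Pair every <Name> counter with its <Name>Quota and return
    {name: (used, quota, fraction_used)} for the pairs present."""
    smap = json.loads(summary_json)["SummaryMap"]
    usage = {}
    for key, quota in smap.items():
        if not key.endswith("Quota") or not quota:
            continue
        name = key[: -len("Quota")]
        if name in smap:
            usage[name] = (smap[name], quota, smap[name] / quota)
    return usage

def limits_to_alert(summary_json, threshold=0.8):
    """Names of limits at or above `threshold` of their quota, worst first."""
    usage = limit_usage(summary_json)
    hot = [n for n, (_, _, frac) in usage.items() if frac >= threshold]
    return sorted(hot, key=lambda n: usage[n][2], reverse=True)

def root_mfa_enabled(summary_json):
    """AccountMFAEnabled is 1 when the root user has an MFA device."""
    return json.loads(summary_json)["SummaryMap"].get("AccountMFAEnabled") == 1

if __name__ == "__main__":
    # Pipe real output in: aws iam get-account-summary --output json | python3 limits.py
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    for name in limits_to_alert(doc):
        used, quota, frac = limit_usage(doc)[name]
        print(f"{name}: {used}/{quota} ({frac:.0%})")
    if not root_mfa_enabled(doc):
        print("root account has no MFA device")
```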
  • Resource Management with Tags
    Ruby SDK: in every region, start each stopped instance that carries the tag key DevProjectA

    #!/usr/bin/ruby
    # Ruby SDK (aws-sdk v1 API, as on the slide)
    require 'aws-sdk'
    AWS.regions.sort_by(&:name).each do |region|
      puts region.name
      region.ec2.instances.each do |instance|
        if instance.status == :stopped and instance.tags.to_h.has_key?('DevProjectA')
          instance.start
          puts "\t#{instance.id} starting"
        end
      end
    end

    AWS CLI: in every region, stop each running instance that carries the tag key BusinessHoursOnly

    #!/bin/bash
    # --region is passed to the per-region calls so that they do not all run
    # against the default region; stop-instances with an empty id list errors,
    # which is why stderr is discarded.
    for region in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text); do
      echo "${region}"
      aws ec2 describe-instances --region "${region}" \
        --query 'Reservations[*].Instances[*].[InstanceId]' \
        --filters "Name=instance-state-name,Values=running" "Name=tag-key,Values=BusinessHoursOnly" \
        --output text | xargs aws ec2 stop-instances --region "${region}" --instance-ids 2> /dev/null
    done
  • Say hi to Rodos (continued)
    •  Ninja Tip – CloudFormation
       –  Taking it to the next level! Custom Resources
  • CloudFormation Custom Resources (diagram slide)
    Within a region, AWS CloudFormation sends custom resource requests to a Custom Resource Topic, which feeds an SQS Queue consumed by the custom resource implementation running in an Auto Scaling group. Two flows are shown, each in six numbered steps: Create (Parameter1:Value1, Parameter2:Value2 …. Parametern:Valuen in; a data export from DynamoDB to S3 via Data Pipeline and data import; Output Parameter1:Value1 …. Parametern:Valuen back to the stack) and Delete (the same components, with the data flow reversed).
    •  Add New Resources
       –  Including AWS resources not currently supported by CFN
    •  Interact with the CloudFormation Workflow
    •  Inject dynamic data into a stack
    •  Extend the capabilities of existing resources
    •  Data management via CloudFormation
    •  It’s really simple if you use aws-cfn-resource-bridge
       –  Install or fork from https://github.com/aws/aws-cfn-resource-bridge
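As an added example (not code from the talk or from aws-cfn-resource-bridge), a Python handler for the Create/Delete contract a custom resource implementation has to keep: it builds the response body CloudFormation matches back to the stack and shows the Delete-after-failed-Create case; the event is a constructed sample, the ids and URL are placeholders, and export_table stands in for whatever real work the resource does.

```python
# Added example: the request/response contract of a CloudFormation custom
# resource. Constructed sample event; every id and URL is a placeholder.
SAMPLE_CREATE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/PLACEHOLDER-PRESIGNED-URL",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:111122223333:stack/demo/PLACEHOLDER",
    "RequestId": "PLACEHOLDER-REQUEST-ID",
    "ResourceType": "Custom::TableExport",
    "LogicalResourceId": "OrdersExport",
    "ResourceProperties": {"TableName": "Orders", "Bucket": "example-exports"},
}
NOT_CREATED = "not-created"   # physical id reported when Create never succeeded

def build_response(event, status, physical_id, data=None, reason=""):
    """Body to PUT to event['ResponseURL']. StackId, RequestId and
    LogicalResourceId are echoed so CloudFormation can match the reply."""
    return {
        "Status": status,                     # "SUCCESS" or "FAILED"
        "Reason": reason or f"see logs for {event['LogicalResourceId']}",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},                   # read in the template via Fn::GetAtt
    }

def export_table(props):
    """Stand-in for the real Create work (the slide's Data Pipeline export).
    Returns (physical id, outputs): the 'Output' box on the slide."""
    prefix = f"s3://{props['Bucket']}/{props['TableName']}/"
    return f"export-{props['TableName']}", {"ExportPrefix": prefix}

def handle_request(event, create_fn=export_table, delete_fn=lambda pid, props: None):
    """Every path returns a body: an unanswered request leaves the stack
    IN_PROGRESS until CloudFormation times it out."""
    physical_id = event.get("PhysicalResourceId", NOT_CREATED)
    props = event.get("ResourceProperties", {})
    outputs = {}
    try:
        if event["RequestType"] in ("Create", "Update"):
            physical_id, outputs = create_fn(props)
        elif event["RequestType"] == "Delete" and physical_id != NOT_CREATED:
            # A Delete that follows a failed Create carries NOT_CREATED: nothing
            # to remove, and failing it would leave the stack DELETE_FAILED.
            delete_fn(physical_id, props)
        return build_response(event, "SUCCESS", physical_id, outputs)
    except Exception as exc:
        return build_response(event, "FAILED", physical_id, reason=str(exc))
```

The body is delivered with an HTTP PUT to ResponseURL, a pre-signed S3 URL; that network step is left out so the example runs offline.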
  • What’s up Squigg?
    Squigg is always concerned about password and user credential leaks
    •  Admin users with no MFA
    •  Users leaving credentials in software
    •  Users not rotating their credentials
    •  Users not using strong password policies
    •  Finds it hard to keep track of individual IAM identities for users
    •  Black Belt Tip – IAM Roles with EC2
       –  Don’t leave home without it!
    •  Ninja Tip – Limit number of IAM Users
       –  Use IAM Roles instead
       –  Cross-Account IAM Access
       –  Identity Federation
  • IAM Roles for EC2 Instances (diagram slide: your application, on Amazon EC2 instances and in Auto Scaling groups, calls Amazon S3 and Amazon DynamoDB with an AWS IAM role granting RW access to objects, items and instances)
    •  Eliminates use of long-term credentials
    •  Automatic credential rotation
    •  Less coding – AWS SDK does all the work
    •  Easier and more Secure!
  • Cross-account API access
    IAM user squigg (squigg@amazon.com, Acct ID: 123456789012) assumes ec2-role in the dsamuel@amazon.com account (Acct ID: 111122223333):
    1. Authenticate with squigg access keys, optionally also with MFA
    2. Get temporary security credentials for ec2-role from STS
    3. Call AWS APIs (Amazon EC2) using the temporary security credentials of ec2-role

    Permissions assigned to ec2-role:
      {
        "Statement": [
          {
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }

    Permissions assigned to squigg granting him permission to assume ec2-role in the dsamuel@amazon.com account:
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/ec2-role"
          }
        ]
      }

    Trust policy: ec2-role trusts IAM users from the AWS account squigg@amazon.com (123456789012):
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {"AWS": "123456789012"},
            "Action": "sts:AssumeRole"
          }
        ]
      }
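As an added example (not from the talk), a toy Python evaluator for the two-sided check this slide illustrates: the role’s trust policy must name the caller’s account and the caller’s own identity policy must grant sts:AssumeRole on the role ARN. It handles only Allow/Deny statements, IAM wildcards and account-level principals; conditions, resource-based policies and the rest of real IAM evaluation are left out.

```python
# Added example: minimal model of the cross-account AssumeRole check on the
# slide. Not real IAM evaluation; see the lead-in for what it leaves out.
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/ec2-role"

# Trust policy on ec2-role (account 111122223333), as on the slide.
TRUST_POLICY = {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "123456789012"},
                               "Action": "sts:AssumeRole"}]}
# Identity policy on IAM user squigg (account 123456789012), as on the slide.
USER_POLICY = {"Statement": [{"Effect": "Allow",
                              "Action": "sts:AssumeRole",
                              "Resource": ROLE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') over Action/Resource/Principal."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _evaluate(statements, action, resource=None, principal=None):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in statements:
        if not _matches(stmt.get("Action", []), action):
            continue
        if resource is not None and not _matches(stmt.get("Resource", "*"), resource):
            continue
        if principal is not None:
            aws = stmt.get("Principal", {})
            aws = "*" if aws == "*" else aws.get("AWS", [])
            if not _matches(aws, principal):
                continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def can_assume(user_policy, user_account, trust_policy, role_arn):
    """Cross-account AssumeRole succeeds only if BOTH sides allow it: the
    role trusts the caller's account (bare id or its :root ARN) AND the
    caller is granted sts:AssumeRole on the role ARN in their own account."""
    trusted = _evaluate(trust_policy["Statement"], "sts:AssumeRole",
                        principal=user_account) or \
              _evaluate(trust_policy["Statement"], "sts:AssumeRole",
                        principal=f"arn:aws:iam::{user_account}:root")
    granted = _evaluate(user_policy["Statement"], "sts:AssumeRole",
                        resource=role_arn)
    return trusted and granted
```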
  • Console Federation Using SAML (diagram slide)
    Enterprise (Identity Provider): corporate identity store and identity provider. AWS (Service Provider): AWS Sign-in and the AWS Management Console. The browser interface sits between them.
    1. User browses to the identity provider
    2. Browser receives the AuthN response
    3. Browser posts to AWS Sign-In, passing the AuthN response
    4. AWS Sign-In redirects the client
    5. Client arrives at the AWS Management Console
  • Hey there Russell
    Russell & Big Data are like Peas & Carrots….. but unfortunately we are out of time! You can visit Russell and other AWS Solution Architects at the SA Corner at the AWS Booth.
  • How to Keep Up to Date
    •  AWS Podcast – https://aws.amazon.com/awspodcast
    •  Amazon Web Services Blog – http://aws.typepad.com/
    •  What’s New? – http://aws.amazon.com/about-aws/whats-new/
    •  Social Media – @awscloud & /amazonwebservices
    •  Your Friendly Solution Architect Team – Speak to the team today at the SA Corner