AWS RoadShow Edinburgh Part 3 - Getting Started with AWS

In part 3 of the materials from the June 17 AWS RoadShow in Edinburgh we discuss best practices for getting started with AWS and the next steps you can take to learn more about AWS and begin to use it to run your applications and other IT workloads.

Transcript

  • 1. Best practices for getting started with AWS Ian Massingham – Technical Evangelist @IanMmmm
  • 2. 8 things you should know: where you should start, things to do up front
  • 3. (1) Choose your use case well
  • 4-8. Choose a use case that suits you; make your first project a S.M.A.R.T one
      Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment
      Backup & DR: take part of your data or business applications step by step into non-production DR use; understand cloud dynamics and test during controlled failovers
      Greenfield project: embody best practice of cloud computing in unconstrained greenfield projects, e.g. self-contained web projects, document archiving
      Pain point: move specific service aspects causing undue cost or management burden, e.g. workflows, search indexing, media streaming, document archiving, constrained databases
  • 9-10. Plan evolution & set goals
      PoC: understand services, test performance, architect for scale, build cross-functional team capabilities
      Production: implement monitoring, change control and management, security management, scalability
      Automation: automate corrective measures, auto-scaling, zero-downtime deployments, system backup and recovery
      Example services: Elastic Beanstalk, CloudFormation, CloudWatch, IAM, APIs, CLI, Auto Scaling
  • 11. (2) Lay out your foundations
  • 12-13. Lay out your foundations: accounts and billing
      Create an account structure that makes sense: use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services
      Control access to billing information: use IAM users to keep billing information in the master account
      Consolidate billing into a single account: let one account pick up the bill for multiple 'sub accounts'
      Set up billing alerts and automated bill reporting: get CloudWatch notifications when billing reaches a threshold and output CSV reports to S3 for analysis
  • 14. Billing preferences: enable CSV & programmatic access in the billing settings
  • 15-21. Consolidated billing account structure (diagram)
      Master account (aws.invoices@mycompany.com): receives consolidated billing information; programmatic billing access writes CSV reports to S3
      Operating Co. A (admin@opcoa.com): IAM users User1, Dev1, Admin1; resources tagged Own=OpCo with Proj=A, Proj=B, Proj=C
      Division B (admin@divisionB.com): IAM users User2, Dev2, Admin2; resources tagged Own=Div with Proj=P, Proj=Q, Proj=R
      Business Unit C (admin@busUnitC.com): IAM users User3, Dev3, Admin3; resources tagged Own=BusC with Proj=X, Proj=Y, Proj=Z
      Tags are key-value pairs, e.g. Own=Div, Proj=R
  • 22-24. Lay out your foundations: access keys, groups & roles (accounts and billing as on slides 12-13)
      Decide upon a key management strategy: control access to EC2 instances via SSH and an embedded public key, e.g. one EC2 key pair per group of instances or one per account
      Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances; consider bootstrap automation to grant developer access with developer-unique key pairs
      Use IAM groups to manage console users and API access: provide developers with an IAM user login and unique API access credentials; control and restrict what IAM users can do by placing them in groups with policies
      Assign EC2 instances IAM roles: let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. the instance can only read an S3 bucket
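The "rotate keys and replace authorized_keys listings" step above, as an added example that is not part of the deck: a small rotation routine that retires keys by their key material (not by comment) and keeps unrelated entries and their per-key options intact. The key blobs and user names are constructed placeholders.

```python
"""Added example (not from the deck): rotate SSH public keys in an
authorized_keys file while preserving unrelated entries and their options.

Key material below is constructed placeholder text, not real keys; the
function is meant to be run by bootstrap automation on each instance.
"""
import re

# authorized_keys line: [options] keytype base64-blob [comment]
_KEY_RE = re.compile(
    r"^(?:(?P<opts>.+?)\s+)?"
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)

CURRENT_FILE = """\
# dev team keys (constructed sample)
ssh-ed25519 AAAAC3OLDKEYALICE alice@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3OLDKEYBOB bob@desk
ssh-ed25519 AAAAC3DEPLOYKEY deploy@ci
"""


def parse_line(line):
    """Return a dict with opts/type/blob/comment, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _KEY_RE.match(stripped)
    return m.groupdict() if m else None


def rotate_authorized_keys(content, retire, add):
    """Remove keys whose (type, blob) is in `retire`, then append the `add` lines.

    Matching on the key blob rather than the comment means a renamed or
    re-commented copy of a retired key is still removed. Comment lines and
    per-key options (from=, no-pty, ...) on surviving entries are kept."""
    retire_set = {(t, b) for t, b in retire}
    kept = []
    for line in content.splitlines():
        entry = parse_line(line)
        if entry and (entry["type"], entry["blob"]) in retire_set:
            continue
        kept.append(line)
    for new_line in add:
        if parse_line(new_line) is None:
            raise ValueError(f"not a valid authorized_keys entry: {new_line!r}")
        kept.append(new_line)
    return "\n".join(kept) + "\n"


def active_keys(content):
    """(type, blob, comment) tuples that currently grant access."""
    out = []
    for line in content.splitlines():
        e = parse_line(line)
        if e:
            out.append((e["type"], e["blob"], e["comment"]))
    return out


if __name__ == "__main__":
    rotated = rotate_authorized_keys(
        CURRENT_FILE,
        retire=[("ssh-ed25519", "AAAAC3OLDKEYALICE"), ("ssh-rsa", "AAAAB3OLDKEYBOB")],
        add=["ssh-ed25519 AAAAC3NEWKEYALICE alice@laptop-2014",
             'from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NEWKEYBOB bob@desk-2014'],
    )
    print(rotated)
```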
  • 25-27. Identity & access management (diagram): groups (Account Administrators, Developers, Applications) containing identities such as Bob, Kevin, Tomcat, Jim, Brad, Mark, Susan, Reporting, Console; multi-factor authentication on users; roles carry AWS system entitlements
  • 28. IAM policies: policy driven; declarative definition of rights for groups; policies control access to AWS APIs
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "elasticbeanstalk:*",
              "ec2:*",
              "elasticloadbalancing:*",
              "autoscaling:*",
              "cloudwatch:*",
              "s3:*",
              "sns:*"
            ],
            "Resource": "*"
          }
        ]
      }
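Added example (not from the deck): the slide's policy beside a constructed least-privilege document for the "instance can only read an S3 bucket" role from slide 24, with a small linter that flags the wildcard grants a reviewer would ask about. The bucket name is a placeholder.

```python
"""Added example (not from the deck): flag wildcard grants in an IAM policy.

BROAD_POLICY is the policy document shown on the slide; SCOPED_POLICY is a
constructed least-privilege document for an EC2 instance role that may only
read one S3 bucket (the bucket name is a placeholder).
"""
import json

BROAD_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                 "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
      "Resource": "*"
    }
  ]
}
""")

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-config-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-config-bucket"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (statement_index, reason) pairs for Allow statements that grant
    every action of a service ('svc:*' or '*'), every resource ('*'), or use
    NotAction/NotResource (which grant everything except the listed items)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.lower().endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "wildcard resource *"))
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((i, f"{key} grants everything not listed"))
    return findings


def services_granted(policy):
    """Set of service prefixes touched by Allow statements (e.g. 'ec2')."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


if __name__ == "__main__":
    for name, doc in (("slide policy", BROAD_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, sorted(services_granted(doc)))
        for idx, reason in find_broad_grants(doc):
            print(f"  statement {idx}: {reason}")
```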
  • 29. (3) Think security
  • 30. Shared responsibility
      Amazon: foundation services (compute, storage, database, networking); AWS global infrastructure (regions, availability zones, edge locations)
      You: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity)
  • 31-34. Understand your customer & form a security stance; leverage the shared security model
      External audience: your certifications, your processes, penetration test requests
      Internal audience: IAM, administration, architecture
      Regulated audience: AWS certifications, AWS white papers, AWS QSA process
  • 35-37. Understand your customer & form a security stance; leverage the shared security model
      Engage with security assessors early in the adoption cycle: don't fear assessment, AWS meets high standards (PCI, ISO 27001, SOC 2...); as with any infrastructure provider, security assessments take time; derive value from architecture reviews early in the deployment cycle
      Use the comprehensive materials and certifications provided by AWS: http://aws.amazon.com/security/ (risk and compliance paper, AWS security processes paper, CSA consensus assessments initiative questionnaire)
      Build upon features of AWS and implement a 'security by design' environment
  • 38. Build upon AWS features
      IAM: control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)
      APIs vs instance, temporary credentials: provide developer API credentials and control access to SSH keys
      Instance firewalls (Security Groups): firewall control on instances via Security Groups
      CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs; generate an on-demand IT inventory, enabled by the programmatic nature of AWS
      Subnet control (VPC): create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
      Bastion hosts (tiered access): only allow access for management of production resources from a bastion host; turn it off when not needed
      Private connections to VPC (Direct Connect & VPN): secured access to resources in AWS over software or hardware VPN and dedicated network links
  • 39. (4) Architect to use cloud strengths
  • 40. Architect to use cloud strengths: review application architectures early and assess fit for cloud
      Can cloud benefits be leveraged with minimum effort outlay? e.g. variable capacity requirements, 'standard' technology stacks, reference architectures (http://aws.amazon.com/architecture); application performance improvement by migration of static content to S3/CloudFront
      Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments
      Can automation lead to a more agile & secure service? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
  • 41. Bootstrapping: custom AMIs. 1 Create an instance for your OS choice; 2 configure the environment; 3 install software; 4 create an AMI from the instance; 5 launch fully configured instances from the custom machine image (manual deployments, programmatic deployments, auto-scaling)
  • 42-44. Bootstrapping: metadata service. Launch an instance from a custom or standard machine image; the instance metadata service (http://169.254.169.254/latest/meta-data) contains a wealth of information about the instance, e.g. ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id. Scripts in the user-data field of the metadata are executed on launch and receive custom data to drive bootstrapping, e.g.
      #!/bin/sh
      # install Apache httpd, enable it at boot and start it now
      yum -y install httpd
      chkconfig httpd on
      /etc/init.d/httpd start
      Or, on Windows: <powershell> … </powershell>
      Typical user-data tasks: install software, e.g. web server, app server, proxy; pull data and application packages from S3; publish metadata for the instance to other systems, e.g. monitoring systems; set up the security profile of the instance based upon its intended use, e.g. pull the latest config
  • 45. 1.  Use multiple availability zones
  • 46. 2.  Use RDS with replicas and slaves
  • 47. 3.  Use auto-scaling groups
  • 48. 4.  Use Elastic Load Balancing
  • 49. 5.  Use Route53 to host DNS zones
  • 50. Architect to use cloud strengths (find out more at: aws.amazon.com/architecture)
      Elastic Load Balancing: use at regional level, combined with auto-scaling it will balance requests and resource capacity across availability zones; within VPC, use it to load-balance between application tiers within an availability zone; instance migrations, easily move instances from dev environments to test environments by moving between ELBs
      Route 53: leverage the SLA, improve application reliability with Route 53's SLA on requests served; weighted routing, perform A/B analysis and staged application roll-outs by moving a portion of traffic to new infrastructure; control TTLs and updates, take absolute control of DNS updates for more decisive system updates
      RDS: scale databases without admin overhead, choose an instance size for databases and scale up over time; add high availability from the management console, create master-slave configurations and read replicas, AWS takes care of failover and recreation of a new slave in the event of master DB loss
      Auto-scaling: dynamically scale resources & control costs, only provision the resources that are required with scale-up and cool-down policies that match demand
  • 51. (5) Services not software
  • 52. Services not software: with self-managed software & infrastructure, 70% of effort goes on managing all of the "undifferentiated heavy lifting" and 30% on your business; with AWS cloud-based infrastructure & services, 30% goes on configuring your cloud assets and 70% is left for your business
  • 53. Services not software: use RDS for databases; use DynamoDB for a high-performance key-value DB
      Relational Database Service: database-as-a-service; no need to install or manage database instances; scalable and fault-tolerant configurations
      DynamoDB: provisioned-throughput NoSQL database; fast, predictable performance; fully distributed, fault-tolerant architecture
  • 54. Services not software: reliable message queuing without additional software; push inter-process workflows into the cloud with SWF
      Amazon SQS: reliable, highly scalable queue service for storing messages as they travel between instances (diagram: processing task/processing trigger queue, auto-scaled processing instances, processing results queue)
      Simple Workflow: reliably coordinate processing steps across applications (diagram: Task A, Task B, Task C); integrate AWS and non-AWS resources; manage distributed state in complex systems
  • 55. Services not software: don't install search software, use CloudSearch; process large volumes of data cost-effectively with EMR
      CloudSearch: elastic search engine based upon the Amazon A9 search engine; fully managed service with a sophisticated feature set; scales automatically (diagram: document server, search server, results)
      Elastic MapReduce: elastic Hadoop cluster; integrates with S3 & DynamoDB; leverage Hive & Pig analytics scripts; integrates with instance types such as spot
  • 56. (6) Be elastic and cost optimized
  • 57. Be elastic and cost optimized: scalability, availability and cost optimization through Elastic Load Balancing, auto-scaling policies, and instance types and sizes
  • 58-59. Auto-scaling policies
      Manually: send an API call or use the CLI to launch/terminate instances, only the capacity change (+/-) needs to be specified; preemptive manual scaling of capacity, e.g. before a marketing event add 10 more instances
      By schedule: scale up/down based on date and time; regular scaling up and down of instances, e.g. scale from 0 to 2 to process SQS messages every night, or double capacity on a Friday night
      By policy: scale in response to changing conditions, based on user-configured real-time monitoring and alerts; dynamic scaling based upon custom metrics, e.g. SQS queue depth, average CPU load, ELB latency
      Auto-rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs; maintain capacity across availability zones, e.g. instance availability maintained in the event of an AZ becoming unavailable
  • 60. Instance types
      On-demand instances: pay as you go for compute power, Unix/Linux instances start at $0.02/hour; low cost and flexibility, pay only for what you use, no up-front commitments or long-term contracts; use cases: applications with short-term, spiky or unpredictable workloads, application development or testing
      Reserved instances: 1- or 3-year terms, pay a low up-front fee and receive a significant hourly discount; low cost / predictability, helps ensure compute capacity is available when needed; use cases: applications with steady-state or predictable usage, applications that require reserved capacity including disaster recovery
      Spot instances: bid on unused EC2 capacity, spot price based on supply/demand and determined automatically; cost / large-scale, dynamic workload handling; use cases: applications with flexible start and end times, applications only feasible at very low compute prices
  • 61. (7) Use frameworks
  • 62. Everything is programmable: compute, storage, security, scaling, database, networking, monitoring, messaging, workflow, DNS, load balancing, backup, CDN. Access everything via CLI, API or console; achieve the highest levels of automation sophistication with ease. Find out more at: aws.amazon.com/developers/getting-started/
  • 63. Quickly deploy and manage apps in AWS: Elastic Beanstalk, CloudFormation, OpsWorks
  • 64. CloudFormation components & terminology (Elastic Beanstalk, CloudFormation, OpsWorks)
      Template: JSON-formatted file; parameter definition; resource creation; configuration actions
      Stack: configured AWS services; comprehensive service support; service-event aware; customisable
      Framework: stack creation; stack updates; error detection and rollback
  • 65. OpsWorks: powerful management framework with Chef support (Elastic Beanstalk, CloudFormation, OpsWorks)
      Stack: managed environment; definition of an environment such as production or test
      Layers: collection of resources; blueprint for a collection of resources (instances, EBS, EIPs etc.)
      Apps: your application assets; resources to deploy and run in layers
      Management: management services such as scaling, cloning, user access, self-healing
  • 66. (8) Get supported
  • 67-71. AWS Support offerings (find out more at: aws.amazon.com/premiumsupport)
      Basic: 24x7x365; forum access; documentation; access to support via support for health checks
      Developer: as Basic, plus access to support by email; 1 named contact; fastest response time 12 hours; architecture support: building blocks; best practice; diagnostics tools
      Business: as Developer, plus access to support by phone, chat and email; 5 named contacts; fastest response time 1 hour; architecture support: use case guidance; direct routing; 3rd party software; Trusted Advisor
      Enterprise: as Business, plus unlimited named contacts; fastest response time 15 minutes; architecture support: application architecture; direct TAM access; white glove case handling; management business review
  • 72-73. Trusted Advisor: Business and Enterprise Support have been enhanced to include best practice audits via AWS Trusted Advisor (find out more at: aws.amazon.com/premiumsupport/trustedadvisor)
      Security: open ports in security groups; world access (/0 CIDR); IAM use
      Fault tolerance: EBS snapshot age; ELB optimization; availability zones
      Cost optimization: unused Elastic IPs; underutilized EC2 instances
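The Trusted Advisor checks above, as an added example that is not part of the deck or of AWS's own tooling: three simplified checks (world access /0 CIDR on security group ports, unused Elastic IPs, EBS snapshot age) run over constructed data shaped like the EC2 describe-security-groups, describe-addresses and describe-snapshots responses, so it runs offline. Group and resource IDs are placeholders.

```python
"""Added example (not from the deck): three Trusted Advisor-style checks run
over constructed API output shaped like the EC2 describe-security-groups,
describe-addresses and describe-snapshots responses (sample data, not real).
"""
from datetime import datetime, timedelta, timezone

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports a public web tier would legitimately expose to the world.
WEB_PORTS = {80, 443}

SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # "-1" means all protocols and ports; this one is open to all of IPv6
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
ADDRESSES = [
    {"AllocationId": "eipalloc-1", "PublicIp": "203.0.113.10", "InstanceId": "i-1"},
    {"AllocationId": "eipalloc-2", "PublicIp": "203.0.113.11"},
]
NOW = datetime(2014, 6, 17, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"SnapshotId": "snap-1", "StartTime": NOW - timedelta(days=2)},
    {"SnapshotId": "snap-2", "StartTime": NOW - timedelta(days=45)},
]


def world_open_rules(groups, allowed_ports=WEB_PORTS):
    """Inbound rules reachable from 0.0.0.0/0 or ::/0, except TCP rules whose
    whole port range lies within allowed_ports. Returns (group, proto, from, to, cidr)."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            all_ports = proto == "-1" or lo is None or hi is None
            web_only = (not all_ports and proto == "tcp"
                        and set(range(lo, hi + 1)) <= set(allowed_ports))
            for cidr in cidrs:
                if cidr in WORLD_CIDRS and not web_only:
                    findings.append((g["GroupId"], proto, lo, hi, cidr))
    return findings


def unused_elastic_ips(addresses):
    """Allocated EIPs attached to neither an instance nor a network interface."""
    return [a["AllocationId"] for a in addresses
            if not a.get("InstanceId") and not a.get("NetworkInterfaceId")]


def stale_snapshots(snapshots, now, max_age_days=30):
    """Snapshots older than max_age_days; a simplified form of the snapshot age
    check, which is a sign that backups are not being refreshed."""
    limit = now - timedelta(days=max_age_days)
    return [s["SnapshotId"] for s in snapshots if s["StartTime"] < limit]


if __name__ == "__main__":
    print("world-open rules:", world_open_rules(SECURITY_GROUPS))
    print("unused EIPs:", unused_elastic_ips(ADDRESSES))
    print("stale snapshots:", stale_snapshots(SNAPSHOTS, NOW))
```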
  • 74-75. 3rd party software support enhancements
      Operating systems including: Ubuntu Linux; Red Hat Enterprise Linux and Fedora; SUSE Linux (SLES and openSUSE); CentOS Linux; Microsoft Windows 2003 R2, 2008, 2008 R2 and 2012
      Common application stack components including: Amazon SDKs; Apache, Nginx and IIS web servers; Sendmail & Postfix MTAs; SSH, SFTP & FTP; disk management tools (LVM & software RAID); VPN solutions (OpenVPN, RRAS); databases (MySQL & SQL Server)
  • 76-77. Summary and next steps: choose your use case well; organize your environments; think security; architect to cloud strengths; services not software; be elastic & cost optimized; use frameworks where appropriate; get supported
  • 78. AWS Training & Certification
      Training (aws.amazon.com/training): skill up and gain confidence to design, develop, deploy and manage your applications on AWS
      Self-paced labs (aws.amazon.com/training/self-paced-labs): try products, gain new skills, and get hands-on practice working with AWS technologies
      Certification (aws.amazon.com/certification): demonstrate your skills, knowledge, and expertise with the AWS platform
  • 79. We typically see customers start by trying our services. Get started now at: aws.amazon.com/getting-started
  • 80. Design your application for the AWS Cloud. More details on the AWS Architecture Center at: aws.amazon.com/architecture
  • 81. AWS RoadShow Edinburgh Ian Massingham - Technical Evangelist 11 June 2014
  • 82. @AWS_UKI for local AWS events & news; @AWScloud for global AWS news and announcements. © Amazon.com, Inc. and its affiliates. All rights reserved. #AWSRoadShow