Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWSome Day Glasgow | Technical Track

467 views

Published on

AWSome Day Glasgow | Technical Track

Published in: Technology
  • Be the first to comment

AWSome Day Glasgow | Technical Track

  1. 1. 1© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. The Lighthouse | Tuesday, September 27, 2016 Glasgow Ryan Little
  2. 2. 2© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module Layout  Module 1: AWS History and Introduction  Module 2: AWS Infrastructure: Compute (EC2), Storage (S3, EBS), Networking (VPC)  Module 3: Security, Identity, and Access Management: IAM  Module 4: Databases: Amazon DynamoDB and Amazon RDS  Module 5: AWS Elasticity and Management Tools: Auto Scaling, Elastic Load Balancing, Amazon CloudWatch, and AWS Trusted Advisor
  3. 3. 3© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 1 AWS Introduction and History
  4. 4. 4© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon History 1994: Jeff Bezos Incorporated the Company 1995: Amazon.com Launched Online Bookstore 2005: Amazon Publishing Launched 2006: Amazon Web Services (AWS) Launched 2007: Kindle Launched 2011: Amazon Fresh Launched 2012: Amazon Game Studios Launched 2013: Amazon Art Launched 2014: Amazon Prime Now Launched 2015: Amazon Home Services & Amazon Echo Launched
  5. 5. 5© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Web Services (AWS) ComputeMessaging Mobile App Services Database Networking Development and Management Tools Payments VPC On-Demand Workforce Analytics Content Delivery Storage Enable businesses and developers to use web services to build scalable, sophisticated applications.
  6. 6. 6© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Rapid Pace of Innovation 2009 48 159 722 82 2011 2013 2015 New Features/Services Launched
  7. 7. 7© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Direct Connect AWS Elastic Beanstalk AWS GovCloud Amazon CloudTrail Amazon S3 Amazon WorkSpaces Amazon Kinesis Amazon AppStream Amazon SNS AWS IAM Amazon Route 53 Amazon SWF Amazon Redshift Amazon Dynamo DB Amazon CloudSearch AWS Data Pipeline Trusted Advisor AWS KMS Amazon Config Amazon RDS for Aurora Amazon WorkDocs AWS Directory Service AWS CodeCommit AWS CodePipeline AWS Service Catalog Amazon CloudWatch Logs Amazon EFS Amazon API Gateway Amazon Machine Learning AWS Device Farm AWS Web App Firewall Amazon Elasticsearch Service Amazon QuickSight AWS Import/Export Snowball RDS for MariaDB Amazon Inspector AWS IoT Amazon EC2 Container Registry Amazon ElastiCache AWS CloudFormation Amazon Mobile Analytics AWS Mobile Hub AWS Storage Gateway AWS OpsWorks AWS Elastic Transcoder Amazon SES Amazon EC2 Container Service Amazon Cognito AWS CodeDeploy Glacier* As of 1 February 2016 Amazon WorkMail AWS Lambda 1,950Services and Features
  8. 8. 8© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Customers Enterprise Customers Startup Customers Public Sector Customers
  9. 9. 9© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Six Advantages & Benefits of AWS Cloud Computing Trade capital expense for variable expense. Benefit from massive economies of scale. Stop guessing capacity. Go global in minutes. Increase speed and agility. Stop spending money on running and maintaining data centers.
  10. 10. 10© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Core Infrastructure and Services AWS Technical Essentials 3.8 ILT Security Network Security Network Security Groups NACLs Access Mgmt VPCVPC EC2 “Classic” “Public ” ELB On-Demand Provision Traditional Infrastructure Amazon Web Services Servers AMI Amazon EC2 InstancesOn-Premises Servers Security Security Groups NACLs AWS IAMFirewalls ACLs Administrators Networking VPCELBRouter Network Pipeline Switch Storage and Database RDBMSDAS SAN NAS Amazon EBS Amazon EFS Amazon S3 Amazon RDS
  11. 11. 11© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Infrastructure Regions Edge LocationsAvailability Zones Foundation Services Compute (Virtual, Auto-scaling and Load Balancing) Networking Applications Virtual Desktops Collaboration and Sharing Platform Services Caching Relational No SQL Cluster Computing Real-time Data Workflows Data Warehouse Queuing Orchestration App Streaming Transcoding Email Search Containers Dev/ops Tools Resource Templates Usage Tracking Monitoring and Logs Identity Sync Mobile Analytics Notifications AWS Cloud Computing Databases Analytics App Services Deployment and Management Mobile Services Storage (Object, Block and Archive)
  12. 12. 12© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Global Infrastructure Regions Geographic locations Consists of at least two Availability Zones(AZs) Availability Zones Clusters of data centers Isolated from failures in other Availability Zones
  13. 13. 13© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Achieving High Availability Using Multi-AZ Availability Zone - A Availability Zone - B Availability Zone - C Region
  14. 14. 14© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Global Infrastructure
  15. 15. 15© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Global Infrastructure 50+ AWS Edge Locations: Local points-of-presence commonly supporting AWS services like:  Amazon Route 53  Amazon CloudFront
  16. 16. 16© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Knowledge Check Q: What is the AWS term for physically distinct groups of data centers within a region? True or False: There are more regions than Edge locations. True or False: AWS owns and maintains the infrastructure required for application services and you provision and use them as needed. Q: How do AZs in the same region differ? Availability Zone (AZ). False. True. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
  17. 17. 17© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Management Console Demonstration
  18. 18. 18© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 2 AWS Infrastructure
  19. 19. 19© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Elastic Compute Cloud (EC2)
  20. 20. 20© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Elastic Compute Cloud (EC2) Resizable compute capacity Complete control of your computing resources Reduces the time required to obtain and boot new server instances to minutesAmazon EC2
  21. 21. 21© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EC2 Facts Scale capacity as your computing requirements change Pay only for capacity that you actually use Choose Linux or Windows Deploy across AWS Regions and Availability Zones for reliability
  22. 22. 22© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Launching an Amazon EC2 Instance via the Web Console 1. Determine the AWS Region in which you want to launch the Amazon EC2 instance. 2. Launch an Amazon EC2 instance from a pre-configured Amazon Machine Image (AMI). 3. Choose an instance type based on CPU, memory, storage, and network requirements. 4. Configure network, IP address, security groups, storage volume, tags, and key pair.
  23. 23. 23© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AMI Details An AMI includes the following: A template for the root volume for the instance (for example, an operating system, an application server, and applications). Launch permissions that control which AWS accounts can use the AMI to launch instances. A block device mapping that specifies the volumes to attach to the instance when it's launched.
  24. 24. 24© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Instances and AMIs Select an AMI based on: Region Operating system Architecture (32-bit or 64-bit) Launch permissions Storage for the root device AMI Instances Instance Launch instances of any type Host computer Host computer
  25. 25. 25© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EC2 Instances OS, Applications, & Configuration AMI Running or Stopped VM Instances AZ VPC Region EBS S3 EBS Snapshots S3 Buckets EBS EBS EBS EBS EBS AZ Instances Instances
  26. 26. 26© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS vs. Amazon EC2 Instance Store Amazon EBS  Data stored on an Amazon EBS volume can persist independently of the life of the instance.  Storage is persistent. Amazon EC2 Instance Store  Data stored on a local instance store persists only as long as the instance is alive.  Storage is ephemeral.
  27. 27. 27© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Marketplace – IT Software Optimized for the Cloud AWS Marketplace: Is an online store to discover, purchase, and deploy IT software on top of the AWS infrastructure.  Catalog of 2300+ IT software solutions • Including Paid, BYOL, Open Source, SaaS, & free to try options  Pre-configured to operate on AWS • Software checked by AWS for security and operability  Deploys to AWS environment in minutes  Flexible, usage-based billing models  Software charges billed to AWS account Includes AWS Test Drive. https://aws.amazon.com/marketplace
  28. 28. 28© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Choosing the Right Amazon EC2 Instance EC2 instance types are optimized for different use cases and come in multiple sizes. This allows you to optimally scale resources to your workload requirements. AWS uses Intel® Xeon® processors for EC2 instances, providing customers with high performance and value. Consider the following when choosing your instances: Core count, memory size, storage size and type, network performance, and CPU technologies. Hurry Up and Go Idle - A larger compute instance can save you time and money, therefore paying more per hour for a shorter amount of time can be less expensive.
  29. 29. 29© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Intel® Processor Technologies Intel® AVX – Get dramatically better performance for highly parallel HPC workloads such as life science engineering, data mining, financial analysis, or other technical computing applications. AVX also enhances image, video, and audio processing. Intel® AES-NI – Enhance your security with these new encryption instructions that reduce the performance penalty associated with encrypting/decrypting data. Intel® Turbo Boost Technology – Get more computing power when you need it with performance that adapts to spikes in your workload with Intel® Turbo Boost Technology 2.0
  30. 30. 30© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Current Generation Instances Instance Family Some Use Cases General purpose (t2, m4, m3) • Low-traffic websites and web applications • Small databases and mid-size databases Compute optimized (c4, c3) • High performance front-end fleets • Video-encoding Memory optimized (r3) • High performance databases • Distributed memory caches Storage optimized (i2, d2) • Data warehousing • Log or data-processing applications GPU instances (g2) • 3D application streaming • Machine learning
  31. 31. 31© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Instance Metadata & User Data Instance Metadata: Is data about your instance. Can be used to configure or manage a running instance. Instance User Data: Can be passed to the instance at launch. Can be used to perform common automated configuration tasks. Runs scripts after the instance starts.
  32. 32. 32© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EC2 Purchasing Options On-Demand Instances Pay by the hour. Reserved Instances Purchase at significant discount. Instances are always available. 1-year to 3-year terms. Scheduled Instances Purchase a 1- year RI for a recurring period of time. Spot Instances Highest bidder uses instance at a significant discount. Spot blocks supported. Dedicated Hosts Physical host is fully dedicated to run your instances. Bring your per-socket, per-core, or per- VM software licenses to reduce cost.
  33. 33. 33© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Instructor Demo Amazon EC2
  34. 34. 34© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Simple Storage Service (S3) Amazon S3 Storage for the Internet Natively online, HTTP access Store and retrieve any amount of data, any time, from anywhere on the web Highly scalable, reliable, fast and durable
  35. 35. 35© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Facts Able to store an unlimited number of objects in a bucket Objects up to 5 TB; no bucket size limit Designed for 99.999999999% durability and 99.99% availability of objects over a given year HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web Highly scalable, reliable, fast, and inexpensive Optional server-side encryption using AWS or customer- managed provided client-side encryption Access logs for auditing Provides standards-based REST and SOAP interfaces
  36. 36. 36© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Common Use Scenarios Storage and Backup Application File Hosting Media Hosting Software Delivery Store AMIs and Snapshots
  37. 37. 37© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Concepts Amazon S3 stores data as objects within buckets An object is composed of a file and optionally any metadata that describes that file You can have up to 100 buckets in each account You can control access to the bucket and its objects Amazon S3 Bucket with Objects Bucket Object
  38. 38. 38© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Object Keys An object key is the unique identifier for an object in a bucket. http://doc.s3.amazonaws.com/2006-03-01/AmazonS3.html Bucket Object/Key
  39. 39. 39© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Security You can control access to buckets and objects with:  Access Control Lists (ACLs)  Bucket policies  Identity and Access Management (IAM) policies You can upload or download data to Amazon S3 via SSL encrypted endpoints. You can encrypt data using AWS SDKs.
  40. 40. 40© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Versioning Protects from accidental overwrites and deletes with no performance penalty. Generates a new version with every upload. Allows easily retrieval of deleted objects or roll back to previous versions. Three states of an Amazon S3 bucket  Un-versioned (default)  Versioning-enabled  Versioning-suspended Versioning Enabled Key: photo.gif ID: 121212 Key: photo.gif ID: 111111
  41. 41. 41© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Object Lifecycle Lifecycle management defines how Amazon S3 manages objects during their lifetime. Some objects that you store in an Amazon S3 bucket might have a well-defined lifecycle: Log files Archive documents Digital media archives Financial and healthcare records Raw genomics sequence data Long-term database backups Data that must be retained for regulatory compliance
  42. 42. 42© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Glacier Long term low-cost archiving service Optimal for infrequently accessed data Designed for 99.999999999% durability 3-5 hours retrieval time Less than $0.01 per GB / month (depending on region)
  43. 43. 43© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 + Amazon Glacier S3 Lifecycle policies allow you to delete or move objects based on age and set rules per S3 bucket. bucket with objects 30 Days Glacier archive 365 Days
  44. 44. 44© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Region Considerations Amazon S3 creates a bucket in the region you select. You can choose a region to:  Optimize latency  Minimize costs  Address regulatory requirements Objects stored in a region never leave the region unless you explicitly transfer them to another region.
  45. 45. 45© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Storage Classes Storage Class Durability Availability Other Considerations Amazon S3 Standard 99.999999999% 99.99% None Amazon S3 Standard - Infrequent Access (IA) 99.999999999% 99.99% • Retrieval fee associated with objects • Most suitable for infrequently accessed data Glacier 99.999999999% 99.99% (after you restore objects) • Not available for real-time access • Must restore objects before you can access them
  46. 46. 46© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Elastic Block Store (EBS) Persistent block level storage volumes offering consistent and low-latency performance Automatically replicated within its Availability Zone Snapshots stored durably in Amazon S3 Amazon EBS
  47. 47. 47© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS Lifecycle Vast amounts of unused space Create Call CreateVolume 1 GB to 16 TB Attach Call AttachVolume to affiliate with one Amazon EC2 instance Attached and In Use • Format from Amazon EC2 instance OS • Mount formatted drive CreateSnapshot Snapshot to Amazon S3 Detach Call DetachVolume Deleted Call DeleteVolume
  48. 48. 48© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS Facts You can create:  EBS Magnetic volumes from 1 GiB to 1 TiB in size.  EBS General Purpose (SSD) and Provisioned IOPS (SSD) volumes up to 16 TiB in size. You can use encrypted EBS volumes to meet a wide range of data at-rest encryption requirements for regulated/audited data and applications. You can create point-in-time snapshots of EBS volumes, which are persisted to Amazon S3.
  49. 49. 49© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS and Amazon S3 Amazon EBS Amazon S3 Paradigm Block storage with file system Object store Performance Very fast Fast Redundancy Across multiple servers in an Availability Zone Across multiple facilities in a Region Security EBS Encryption – Data volumes and Snapshots Encryption Access from the Internet? No (1) Yes (2) Typical use case It is a disk drive Online storage (1) Accessible from the Internet if mounted to server and set up as FTP, etc. (2) Only with proper credentials, unless ACLs are world-readable
  50. 50. 50© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EC2 Instance Storage Local, complimentary direct attached block storage resource. Availability, number of disks, and size is based on EC2 instance type. Storage optimized instances for up to 365,000 Read IOPS and 315,000 First Write IOPS. SSD or magnetic. No persistence. All data is automatically deleted when an EC2 instance stops, fails or is terminated.
  51. 51. 51© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Reboot vs. Stop vs. Terminate Characteristic Reboot Stop/Start (EBS-backed instances only) Terminate Host computer The instance stays on the same host computer. The instance runs on a new host computer. N/A Private and public IP addresses Stay the same. Instance keeps its private IP address and gets a new public IP address. N/A Elastic IP addresses (EIP) EIP remains associated with the instance. EIP remains associated with the instance. The EIP is disassociated from the instance. Instance store volumes The data is preserved. The data is erased. The data is erased. EBS volume The volume is preserved. The volume is preserved. The volume is deleted by default. Billing Instance billing hour doesn’t change. You stop incurring charges as soon as state is changed to stopping. You stop incurring charges as soon as state is changed to shutting-down.
  52. 52. 52© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Instructor Demo Amazon S3
  53. 53. 53© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Networking Amazon VPC
  54. 54. 54© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Virtual Private Cloud (VPC) Provision a private, isolated virtual network on the AWS cloud. Have complete control over your virtual networking environment. Amazon VPC
  55. 55. 55© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. VPCs and Subnets A subnet defines a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. A private subnet should be used for resources that won’t be accessible over the Internet. A public subnet should be used for resources that will be accessed over the Internet. Each subnet must reside entirely within one Availability Zone and cannot span zones.
  56. 56. 56© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon VPC Example Availability Zone A Virtual Private Cloud AWS Cloud Public Subnet Internet Virtual Private Cloud Availability Zone B Private Subnet Availability Zone C VPN Only Subnet DB Server DB Server App Server DB Server DB Server DB Server Web Server Web Server NAT Customer Network R
  57. 57. 57© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in Your VPC Security groups Network access control lists (ACLs) Subnet 10.0.0.0/24 Subnet 10.0.1.0/24 Internet GatewayVPN Gateway VPC Router 10.0.0.0/16 Security Group Security Group Security Group Network ACL Network ACL Routing Table Routing Table instance instance instance instance
  58. 58. 58© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Knowledge Check Answers Q: What AWS service would help support your web application to offload serving static assets and store user uploaded images and video off- instance? Q: How would you find out the private and public IP addresses for an EC2 instance? Q: What acts as an additional layer of security at the subnet level in a VPC? True or False: S3 Provides unlimited storage. True Retrieve the instance metadata. http://169.254.169.254/latest/meta-data/ Amazon S3 Network ACLs
  59. 59. 59© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 3 Security, Identity, and Access Management
  60. 60. 60© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Shared Responsibility – AWS AWS Client-side Data Encryption and Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption/Integrity/Identity) Platform, Applications, Identity and Access Management Operating System, Network and Firewall Configuration Customer Data Customer Foundation Services Compute Storage Database Network AWS Global Infrastructure Regions Availability Zones Edge Locations
  61. 61. 61© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Physical Security 24/7 trained security staff AWS data centers in nondescript and undisclosed facilities Two-factor authentication for authorized staff Authorization for data center access
  62. 62. 62© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Hardware, Software, and Network Automated change-control process Bastion servers that record all access attempts Firewall and other boundary devices AWS monitoring tools
  63. 63. 63© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Certifications and Accreditations ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more …
  64. 64. 64© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. SSL Endpoints VPC Secure Transmission Establish secure communication sessions (HTTPS) using SSL/TLS. Instance Firewalls Configure firewall rules for instances using Security Groups. SSL Endpoints Security Groups Network Control In your Virtual Private Cloud, create low-level networking constraints for resource access. Public and private subnets, NAT and VPN support. SSL Endpoints
  65. 65. 65© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Groups SSL Endpoints Security Groups Instance Firewalls Configure firewall rules for instances using Security Groups. VPC Secure Transmission Establish secure communication sessions (HTTPS) using SSL/TLS. Network Control In your Virtual Private Cloud, create low-level networking constraints for resource access. Public and private subnets, NAT and VPN support.
  66. 66. 66© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Virtual Private Cloud (VPC) VPCSSL Endpoints Security Groups Network Control In your Virtual Private Cloud, create low-level networking constraints for resource access. Public and private subnets, NAT and VPN support. Instance Firewalls Configure firewall rules for instances using Security Groups. Secure Transmission Establish secure communication sessions (HTTPS) using SSL/TLS.
  67. 67. 67© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Multi-Tier Security Groups HTTP SSH/RDP Ports 80 and 443 only open to the Internet Engineering staff have SSH/RDP access to Bastion Host All other internet ports blocked by default Bastion
  68. 68. 68© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Identity and Access Management (IAM) AWS IAM 3 Manage federated users and their permissions 2 Manage AWS IAM roles and their permissions 1 Manage AWS IAM users and their access
  69. 69. 69© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Authentication Authentication AWS Management Console  User Name and Password IAM User
  70. 70. 70© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Authentication Access Key ID: AKIAIOSFODNN7EXAMPLE Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Java Python .NET AWS SDK & APIAWS CLI Authentication AWS CLI or SDK API  Access Key and Secret Key IAM User
  71. 71. 71© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM User Management - Groups User D DevOps Group User C AWS Account TestDev Group User BUser A
  72. 72. 72© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Authorization Authorization Policies:  Are JSON documents to describe permissions.  Are assigned to Users, Groups or Roles. IAM User IAM Group IAM Roles
  73. 73. 73© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Policy Elements { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1453690971587", "Action": [ "ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances” ], "Effect": "Allow", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "54.64.34.65/32” } } }, { "Sid": "Stmt1453690998327", "Action": [ "s3:GetObject*” ], "Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket*” } ] } IAM Policy
  74. 74. 74© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Policy Assignment IAM User IAM Group Assigned Assigned IAM Policy
  75. 75. 75© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Policy Assignment IAM User IAM Group IAM Roles Assigned Assigned Assigned IAM Policy
  76. 76. 76© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Roles An IAM role uses a policy. An IAM role has no associated credentials. IAM users, applications, and services may assume IAM roles. IAM Roles
  77. 77. 77© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Policy Assignment IAM User IAM Group IAM Roles Assigned Assigned Assigned IAM Policy IAM User Assumed Assumed AWS Resources
  78. 78. 78© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Application Access to AWS Resources Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3. AWS credentials are required:  Option 1: Store AWS Credentials on the Amazon EC2 instance.  Option 2: Securely distribute AWS credentials to AWS Services and Applications. IAM Roles
  79. 79. 79© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Application Authentication AWS IAM Application No Support No Support OS
  80. 80. 80© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Authentication and Authorization Authentication  AWS Management Console • User Name and Password  AWS CLI or SDK API • Access Key and Secret Key Authorization  Policies IAM User IAM Group IAM Roles
  81. 81. 81© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Best Practices Delete AWS account (root) access keys. Create individual IAM users. Use groups to assign permissions to IAM users. Grant least privilege. Configure a strong password policy. Enable MFA for privileged users.
  82. 82. 82© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM Best Practices (cont.) Use roles for applications that run on Amazon EC2 instances. Delegate by using roles instead of by sharing credentials. Rotate credentials regularly. Remove unnecessary users and credentials. Use policy conditions for extra security. Monitor activity in your AWS account.
  83. 83. 83© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Resource-Based Policies Are an alternative to IAM and supported by some services. Grant cross-account access to your resources. Use a principal to uniquely identify account in the policy. Supported AWS services include :  Amazon S3 Bucket Policy  Amazon SNS Topic Policy  Amazon SQS Queue Policy  Amazon Glacier Vault Policy  AWS OpsWorks Stack Policy  AWS Lambda Function Policy
  84. 84. 84© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Knowledge Check Answer Q: Your web application needs to read/write an Amazon DynamoDB table and an Amazon S3 bucket. This operation requires AWS credentials and authorization to use AWS services. What service would you use? AWS IAM Role
  85. 85. 85© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 4 Databases
  86. 86. 86© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. SQL and NoSQL Databases SQL NoSQL Data Storage Rows and Columns Key-Value Schemas Fixed Dynamic Querying Using SQL Focused on collection of documents Scalability Vertical Horizontal ISBN Title Author Format 9182932465265 Cloud Computing Concepts Wilson, Joe Paperback 3142536475869 The Database Guru Gomez, Maria eBook SQL NoSQL { ISBN: 9182932465265, Title: “Cloud Computing Concepts”, Author: “Wilson, Joe”, Format: “Paperback” }
  87. 87. 87© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Data Storage Considerations No one size fits all. Analyze your data requirements by considering:  Data formats  Data size  Query frequency  Data access speed  Data retention period
  88. 88. 88© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Managed Database Services Compute Storage AWS Global Infrastructure Database App Services Deployment and Administration Networking Amazon DynamoDB Amazon ElastiCache Amazon RDS Amazon Redshift AWS Database Migration Service
  89. 89. 89© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Relational Database Service (RDS) Cost-efficient and resizable capacity Manages time-consuming database administration tasks Access to the full capabilities of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, and PostgreSQL databases Amazon RDS
  90. 90. 90© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon RDS Use Case We were able to go from concept to delivered product in about six months with just a handful of engineers. Greg Scallan Chief Architect, Flipboard ” “ Flipboard is an online magazine with millions of users and billions of “flips” per month. Flipboard is one of the world’s first social media magazines. Flipboard uses Amazon RDS and its Multi-AZ capabilities to store mission critical user data.
  91. 91. 91© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon RDS Simple and fast to deploy Manages common database administrative tasks Compatible with your applications Fast, predictable performance Simple and fast to scale Secure Cost-effective
  92. 92. 92© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. How Amazon RDS Backups Work Automatic Backups:  Restore your database to a point in time.  Are enabled by default.  Let you choose a retention period up to 35 days. Manual Snapshots:  Let you build a new database instance from a snapshot.  Are initiated by the user.  Persist until the user deletes them.  Are stored in Amazon S3.
  93. 93. 93© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Cross-Region Snapshots Are a copy of a database snapshot stored in a different AWS Region. Provide a backup for disaster recovery. Can be used as a base for migration to a different region.
  94. 94. 94© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon RDS Security Run your DB instance in an Amazon VPC. Use IAM policies to grant access to Amazon RDS resources. Use security groups. Use Secure Socket Layer (SSL) connections with DB instances (Amazon Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft SQL Server). Use Amazon RDS encryption to secure your RDS instances and snapshots at rest. Use network encryption and transparent data encryption (TDE) with Oracle DB and Microsoft SQL Server instances. Use the security features of your DB engine to control access to your DB instance.
  95. 95. 95© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. A Resilient, Durable Application Architecture Amazon RDS database instances: Master and Multi-AZ standby Application, in Amazon EC2 instances Elastic Load Balancing load balancer instance DB snapshots in Amazon S3
  96. 96. 96© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon RDS Best Practices Monitor your memory, CPU, and storage usage. Use Multi-AZ deployments to automatically provision and maintain a synchronous standby in a different Availability Zone. Enable automatic backups. Set the backup window to occur during the daily low in WriteIOPS. To increase the I/O capacity of a DB instance:  Migrate to a DB instance class with high I/O capacity.  Convert from standard storage to provisioned IOPS storage and use a DB instance class optimized for provisioned IOPS.  Provision additional throughput capacity (if using provisioned IOPS storage). If your client application is caching the DNS data of your DB instances, set a TTL of less than 30 seconds. Test failover for your DB instance.
  97. 97. 97© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon DynamoDB Store any amount of data with no limits Fast, predictable performance using SSDs Easily provision and change the request capacity needed for each table Fully managed, NoSQL database serviceAmazon DynamoDB
  98. 98. 98© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. DynamoDB Use Case AdRoll, an online advertising platform, serves 50 billion impressions a day worldwide with its global retargeting platforms. We spend more on snacks than we do on Amazon DynamoDB. Valentino Volonghi CTO, Adroll ” “ Adroll Uses AWS to grow by more than 15,000% in a year Needed high-performance, flexible platform to swiftly sync data for worldwide audience Processes 50 TB of data a day Serves 50 billion impressions a day Stores 1.5 PB of data Worldwide deployment minimizes latency
  99. 99. 99© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. DynamoDB Data Model Table: Music Items Attributes (name-value pairs) Artist Song Title Album Title Year Genre
  100. 100. 100© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Primary Keys Partition Key Sort Key Table: Music Partition Key: Artist Sort Key: Song Title (DynamoDB maintains a sorted index for both keys) Table: Music Artist Song Title Album Title Year Genre
  101. 101. 101© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Provisioned Throughput You specify how much provisioned throughput capacity you need for reads and writes. Amazon DynamoDB allocates the necessary machine resources to meet your needs. Read capacity unit:  One strongly consistent read per second for items as large as 4 KB.  Two eventually consistent reads per second for items as large as 4 KB. Write capacity unit:  One write per second for items as large as 1 KB.
  102. 102. 102© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon RDS and Amazon DynamoDB Factors Relational (Amazon RDS) NoSQL (Amazon DynamoDB) Application Type • Existing database apps • Business process–centric apps • New web-scale applications • Large number of small writes and reads Application Characteristics • Relational data models, transactions • Complex queries, joins, and updates • Simple data models, transactions • Range queries, simple updates Scaling Application or DBA–architected (clustering, partitions, sharding) Seamless, on-demand scaling based on application requirements QoS • Performance–depends on data model, indexing, query, and storage optimization • Reliability and availability • Durability • Performance–Automatically optimized by the system • Reliability and availability • Durability
  103. 103. 103© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Database Considerations If You Need Consider Using A relational database service with minimal administration Amazon RDS • Choice of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, or PostgreSQL database engines • Scale compute and storage • Multi-AZ availability A fast, highly scalable NoSQL database service Amazon DynamoDB • Extremely fast performance • Seamless scalability and reliability • Low cost A database you can manage on your own Your choice of AMIs on Amazon EC2 and Amazon EBS that provide scale compute and storage, complete control over instances, and more.
  104. 104. 104© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 5 AWS Elasticity and Management Tools
  105. 105. 105© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Scaling Scale your Amazon EC2 capacity automatically Well-suited for applications that experience variability in usage Available at no additional chargeAuto Scaling
  106. 106. 106© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Trio of Services Latency Utilization CloudWatchAuto Scaling Elastic Load Balancing Auto Scaling group Execute AS Policy
  107. 107. 107© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Scaling Benefits Better Cost Management Better Availability Better Fault Tolerance
  108. 108. 108© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Launch Configurations A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you can specify:  AMI ID  Instance type  Key pair  Security groups  Block device mapping  User data
  109. 109. 109© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Scaling Groups Contain a collection of EC2 instances that share similar characteristics. Instances in an Auto Scaling group are treated as a logical grouping for the purpose of instance scaling and management. Auto Scaling group Minimum size Desired capacity Maximum size Scale out as needed
  110. 110. 110© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Dynamic Scaling You can create a scaling policy that uses CloudWatch alarms to determine:  When your Auto Scaling group should scale out.  When your Auto Scaling group should scale in. You can use alarms to monitor:  Any of the metrics that AWS services send to Amazon CloudWatch.  Your own custom metrics.
  111. 111. 111© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Scaling Basic Lifecycle instances Auto Scaling group Scale Out Amazon CloudWatch Scheduled Event Scale In Amazon CloudWatch Scheduled Event Launch Instance Terminate Instance X Attach to Group Detach from Group
  112. 112. 112© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Elastic Load Balancing Distributes traffic across multiple instances Supports health checks to detect unhealthy Amazon EC2 instances Supports the routing and load balancing of HTTP, HTTPS, and TCP traffic to Amazon EC2 instances Elastic Load Balancing
  113. 113. 113© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Elastic Load Balancing Example
  114. 114. 114© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Back-end Instances for Your Load Balancer Health Checks Security Groups Subnets Register De-Register Instances
  115. 115. 115© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon CloudWatch A monitoring service for AWS cloud resources and the applications you run on AWS Visibility into resource utilization, operational performance, and overall demand patterns Custom application-specific metrics of your own Accessible via AWS Management Console, APIs, SDK, or CLI Amazon CloudWatch
  116. 116. 116© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon CloudWatch Architecture AWS resources that support CloudWatch Amazon CloudWatch Amazon CloudWatch Alarm SNS Email Notification Auto Scaling Available Statistics Statistics Consumer AWS Management Console CloudWatch Metrics CPUUtilization StatusCheckFailed Custom Application- Specific Metrics PageViewCount
  117. 117. 117© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Supported AWS Services Auto Scaling Amazon CloudFront Amazon CloudWatch Amazon CloudSearch Amazon DynamoDB Amazon EC2 Amazon ElastiCache Amazon EBS Elastic Load Balancing Amazon EMR Amazon Kinesis Amazon EC2 Container Service AWS OpsWorks Amazon Redshift Amazon RDS Amazon Route 53 Amazon SNS Amazon SQS Amazon SWF Amazon S3AWS Storage Gateway Amazon WorkSpaces Amazon Machine Learning AWS Lambda AWS WAF
  118. 118. 118© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Trusted Advisor Best practice and recommendation engine. Provides AWS customers with performance and security recommendations in four categories: cost optimization, security, fault tolerance, and performance improvement. AWS Trusted Advisor
  119. 119. 119© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Cost Optimization Amazon EC2 Reserved Instance Optimization Low Utilization Amazon EC2 Instances Idle Load Balancers Underutilized Amazon EBS Volumes Unassociated Elastic IP Addresses Amazon RDS Idle DB Instances
  120. 120. 120© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Security Groups AWS IAM Use Amazon S3 Bucket Permissions MFA on Root Account AWS IAM Password Policy Amazon RDS Security Group Access Risk
  121. 121. 121© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Fault Tolerance Amazon EBS Snapshots Load Balancer Optimization Auto Scaling Group Resources Amazon RDS Multi-AZ Amazon Route 53 Name Server Delegations ELB Connection Draining
  122. 122. 122© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Performance Improvement High Utilization Amazon EC2 Instances Service Limits Large Number of Rules in EC2 Security Group Over Utilized Amazon EBS Magnetic Volumes Amazon EC2 to EBS Throughput Optimization Amazon CloudFront Alternate Domain Names
  123. 123. 123© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 6: Course Wrap-Up
  124. 124. 124© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Learning Path Cloud Computing Concepts • The AWS Cloud • History • Global Infrastructure • AWS Management Console AWS Foundational Services • Compute: • Amazon EC2 • Networking: • Amazon VPC • Storage: • Amazon EBS • Amazon S3 • Security • IAM • Databases: • Amazon DynamoDB • Amazon RDS AWS Management Tools • Trio of Services: • Auto Scaling • ELB • Amazon CloudWatch • AWS Trusted Advisor
  125. 125. 125© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Expand Your Cloud Skills with AWS Certification aws.amazon.com/certification Validate your proven technical expertise with the AWS platform and gain recognition for your skills Online videos and labs aws.amazon.com/training/ self-paced-labs Start working with an AWS service in minutes with free online instructional videos and labs aws.amazon.com/training Instructor-led courses Learn how to design, deploy, and operate highly available, cost-effective, and secure applications on AWS
  126. 126. 126© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Self-Paced Labs For more information, see aws.amazon.com/training/self-paced-labs/. Learn an individual AWS Service topic Follow a Learning Quest by AWS Service Area or Use Case Practice working with AWS as you prepare for an exam
  127. 127. 127© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Training Courses For more information about course description, see aws.amazon.com/training. AWS Technical Essentials Instructor-Led | 1 day Architecting on AWS Instructor-led | 3 days Developing on AWS Instructor-led | 3 days Systems Operations on AWS Instructor-led | 3 days Big Data Fundamentals Online | 3 hours Big Data on AWS Instructor-led | 3 days Advanced Architecting on AWS Instructor-led | 3 days DevOps Engineering on AWS Instructor-led | 3 days Security Operations on AWS Instructor-led | 3 days
  128. 128. 128© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Certification AWS Certified Solutions Architect - Associate AWS Certified Developer - Associate AWS Certified SysOps Administrator- Associate AWS Certified Solutions Architect - Professional AWS Certified DevOps Engineer - Professional For more information, see aws.amazon.com/certification.
  129. 129. 129© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of AWS Certification Individual • Demonstrate expertise • Stand out • Industry visibility • Customer visibility • Peer recognition • Credibility with customers Employer • Baseline bar on AWS skills • Identify expert talent • Leverage best practices • Reduce operational risk • Increase business advantage • Maximize AWS efficiencies • Common vocabulary • Accelerate time to cloud
  130. 130. 130© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Preparing for AWS Certification Practice Exams Exam Guides & Sample Questions AWS Whitepapers & FAQs AWS Documentation & Reference Architectures For resources to help you prepare for the certification exam, see aws.amazon.com/certification.
  131. 131. 131© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Support
  132. 132. 132© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Support Comparison Enterprise Business Developer Basic Customer Service 24x7x365 Support Forums Documentation, White Papers, Best Practice Guides AWS Trusted Advisor Full Checks Full Checks Basic Checks Basic Checks Access to Technical Support Phone, chat, email, live screen sharing, TAM (24/7) Phone, chat, email, live screen sharing Email (local business hours) Support for Health Checks Primary Case Handling Sr. Cloud Support Engineer Cloud Support Engineer Cloud Support Associate Technical Customer Service Associate Users who can create Technical Support cases Unlimited (IAM supported) Unlimited (IAM supported) 1 (account credentials only) Case Severity/Response Times* Critical: < 15 minutes Urgent: < 1 hour High: < 4 hours Normal: < 12 hours Low: < 24 hours Urgent: < 1 hour High: < 4 hours Normal: < 12 hours Low: < 24 hours Normal: < 12 hours Low: < 24 hours Architecture Support Application Architecture Use case guidance Building blocks Best Practice Guidance Client-side Diagnostic Tools AWS Support API Third-Party Software Support Infrastructure Event Management Available at Additional cost AWS Concierge Direct access to Technical Account Manager (TAM) Prioritized Case Routing Management Business Reviews
  133. 133. 133© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Errors or corrections? Email us at aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.

×