Black Belt Dojo - Daniel Hand - AWS Summit 2012 Australia

Daniel Hand's presentation at the Australian AWS Summit, Sydney 2012 - Ninja Track

  1. 1. AWS Summit 2012 | Melbourne. Welcome. Daniel Hand, Principal Solutions Architect, ANZ
  2. 2. Agenda Auto scaling
  3. 3. Agenda Auto scaling Deploying resources
  4. 4. Agenda Auto scaling Deploying resources Accessing resources
  5. 5. Agenda Auto scaling Deploying resources Accessing resources Tracking and identification of resources
  6. 6. Agenda Auto scaling Deploying resources Accessing resources Tracking and identification of resources Scaling databases
  7. 7. Helping you go from …
  8. 8. Static tiers
  9. 9. Inelastic tiers
  10. 10. Inefficient ops
  11. 11. Less secure use of AWS credentials
  12. 12. To …
  13. 13. Elastic tiers
  14. 14. Scalable tiers
  15. 15. Efficient use of resources
  16. 16. Efficient operations
  17. 17. More secure use of AWS credentials
  18. 18. Allowing you to … Do more in less time
  19. 19. Allowing you to … Do more in less time Deliver greater results with fewer resources
  20. 20. Allowing you to … Do more in less time Deliver greater results with fewer resources Increase manageability
  21. 21. Allowing you to … Do more in less time Deliver greater results with fewer resources Increase manageability Improve security
  22. 22. Happy days …
  23. 23. Auto Scaling: automatically scale EC2 resources up and down
  24. 24. Define a launch configuration: specify the properties of new instances added to an auto scaling group
  25. 25. Give the launch configuration a name: $PROMPT> as-create-launch-config WidgetsIncConfig --image-id ami-e6f48ab4 --instance-type t1.micro
  26. 26. Specify the AMI to use: $PROMPT> as-create-launch-config WidgetsIncConfig --image-id ami-e6f48ab4 --instance-type t1.micro
  27. 27. Specify the EC2 instance type to use: $PROMPT> as-create-launch-config WidgetsIncConfig --image-id ami-e6f48ab4 --instance-type t1.micro
  28. 28. Optional parameters: block device mapping, detailed CloudWatch monitoring, SSH key, security group membership, ramdisk/kernel, user-data
  29. 29. Define an auto scaling group: specify the limits and placement of resources within an auto scaling group
  30. 30. Give the auto scaling group a name: $PROMPT> as-create-auto-scaling-group WidgetsIncScalingGroup --launch-configuration WidgetsIncConfig --availability-zones ap-southeast-1a ap-southeast-1b --min-size 2 --max-size 3
  31. 31. Specify the launch configuration to use: $PROMPT> as-create-auto-scaling-group WidgetsIncScalingGroup --launch-configuration WidgetsIncConfig --availability-zones ap-southeast-1a ap-southeast-1b --min-size 2 --max-size 3
  32. 32. Specify the availability zones: $PROMPT> as-create-auto-scaling-group WidgetsIncScalingGroup --launch-configuration WidgetsIncConfig --availability-zones ap-southeast-1a ap-southeast-1b --min-size 2 --max-size 3
  33. 33. Specify the group limits: $PROMPT> as-create-auto-scaling-group WidgetsIncScalingGroup --launch-configuration WidgetsIncConfig --availability-zones ap-southeast-1a ap-southeast-1b --min-size 2 --max-size 3
  34. 34. Optional Parameters Cool down period
  35. 35. Optional Parameters Cool down period Grace period
  36. 36. Optional Parameters Cool down period Grace period Health check type
  37. 37. Optional Parameters Cool down period Grace period Health check type Load balancer
  38. 38. Optional Parameters Cool down period Grace period Health check type Load balancer Placement group
  39. 39. Optional Parameters Cool down period Grace period Health check type Load balancer Placement group VPC
  40. 40. Auto scaling type #1: manual scaling
  41. 41. Scale to 3 servers now
  42. 42. Manual scaling: the basic use of auto scaling. Specify the desired capacity; the launch configuration and auto scaling group parameters apply. $PROMPT> as-set-desired-capacity WidgetsIncScalingGroup --desired-capacity 3
  43. 43. Auto scaling type #2: schedule-based scaling
  44. 44. Scale to 3 servers at date:time
  45. 45. Schedule-based scaling: change the number of instances based on a schedule; scaling occurs as a function of time and date. $PROMPT> as-put-scheduled-update-group-action scheduledAction1 --auto-scaling-group WidgetsIncScalingGroup --time "2011-12-05T02:00:00Z" --min-size 5 --max-size 10
  46. 46. Auto scaling type #3: policy-based scaling
  47. 47. (Slides 47-53: illustration of the instance count changing through the day, at 6:00AM, 8:00AM and 7:00PM)
  54. 54. Policy-based scaling: change the number of instances based on environmental changes, e.g. increased CPU utilisation. The environmental data is provided by CloudWatch or by custom user-defined metrics. Consists of two components: policies and alarms. Puts the AUTO in auto scaling.
  55. 55. Give the scaling policy a name: $PROMPT> as-put-scaling-policy MyScaleUpPolicy --auto-scaling-group WidgetsIncScalingGroup --adjustment=1 --type ChangeInCapacity
  56. 56. Specify the auto scaling group it applies to: $PROMPT> as-put-scaling-policy MyScaleUpPolicy --auto-scaling-group WidgetsIncScalingGroup --adjustment=1 --type ChangeInCapacity
  57. 57. Specify the adjustment to take place: $PROMPT> as-put-scaling-policy MyScaleUpPolicy --auto-scaling-group WidgetsIncScalingGroup --adjustment=1 --type ChangeInCapacity
  58. 58. Give the metric alarm a name: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  59. 59. Specify the comparison operator: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  60. 60. Specify the evaluation periods: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  61. 61. Specify the metric name: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  62. 62. Specify the period to take the average over (seconds): $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  63. 63. Specify the % threshold to scale on: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  64. 64. Associate the alarm with the policy (the ARN printed by as-put-scaling-policy): $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
  65. 65. Specify the auto scaling group as the metric dimension: $PROMPT> mon-put-metric-alarm MyHighCPUAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name CPUUtilization --namespace "AWS/EC2" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN_from_previous_step> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup"
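The slides above paste the policy ARN into the alarm by hand and wire up only a scale-up alarm. The script below is an added example, not part of the presentation: it captures the ARN that as-put-scaling-policy prints and creates the matching scale-down policy and alarm, because a group with only a scale-up alarm ratchets to max-size and stays there. It assumes the legacy Auto Scaling and CloudWatch command-line tools used in the slides (as-*, mon-*) are installed and configured; the policy and alarm names are made up for the example, and DRY_RUN is this script's own switch for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example: create scale-up AND scale-down policies for the slides'
# WidgetsIncScalingGroup, each driven by a CloudWatch CPU alarm, without
# hand-copying policy ARNs. Requires the legacy as-* and mon-* CLI tools.
set -eu

ASG=${ASG:-WidgetsIncScalingGroup}
PERIOD=${PERIOD:-300}             # seconds per datapoint (5 minutes)
EVAL_PERIODS=${EVAL_PERIODS:-2}   # consecutive breaching periods before acting

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create a ChangeInCapacity policy. as-put-scaling-policy prints the policy
# ARN ("arn:aws:autoscaling:...") on stdout, which is what the caller captures.
# $1 = policy name, $2 = signed capacity adjustment (1 adds, -1 removes)
put_policy() {
    run as-put-scaling-policy "$1" --auto-scaling-group "$ASG" \
        --adjustment="$2" --type ChangeInCapacity
}

# Alarm on the group-wide average CPU and route it to one policy ARN.
# $1 = alarm name, $2 = comparison operator, $3 = threshold %, $4 = policy ARN
put_cpu_alarm() {
    run mon-put-metric-alarm "$1" --comparison-operator "$2" \
        --evaluation-periods "$EVAL_PERIODS" --metric-name CPUUtilization \
        --namespace AWS/EC2 --period "$PERIOD" --statistic Average \
        --threshold "$3" --alarm-actions "$4" \
        --dimensions "AutoScalingGroupName=$ASG"
}

main() {
    up_arn=$(put_policy WidgetsScaleUp 1)
    down_arn=$(put_policy WidgetsScaleDown -1)
    put_cpu_alarm WidgetsHighCPU GreaterThanThreshold 80 "$up_arn"
    put_cpu_alarm WidgetsLowCPU  LessThanThreshold    20 "$down_arn"
}

# Only act when invoked as "scaling.sh apply"; sourcing the file defines the functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it once as `DRY_RUN=1 sh scaling.sh apply` to inspect the four commands, then without DRY_RUN to create them. Two 5-minute periods are used instead of the slides' single 10-minute period so that one busy sample does not add an instance, and the group's cooldown (slide 34) should be at least one period long so a newly launched instance can take load before the alarm is evaluated again.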
  66. 66. What if you need to scale on a metric not available in CloudWatch?
  67. 67. Custom CloudWatch metrics: use CloudWatch to store and provide analysis of arbitrary metrics
  68. 68. Push a custom metric into CloudWatch: $ mon-put-data --namespace "System/Linux" --metric-name Memory --dimensions "Host=host1" --value 60
  69. 69. Specify a namespace: $ mon-put-data --namespace "System/Linux" --metric-name Memory --dimensions "Host=host1" --value 60
  70. 70. Specify a unique name for the metric: $ mon-put-data --namespace "System/Linux" --metric-name Memory --dimensions "Host=host1" --value 60
  71. 71. Specify the dimensions of the metric: $ mon-put-data --namespace "System/Linux" --metric-name Memory --dimensions "Host=host1" --value 60
  72. 72. Specify the value to push: $ mon-put-data --namespace "System/Linux" --metric-name Memory --dimensions "Host=host1" --value 60
  73. 73. Graph custom metric data
  74. 74. Use the custom metric in an alarm definition: $PROMPT> mon-put-metric-alarm MyHighMemoryAlarm --comparison-operator GreaterThanThreshold --evaluation-periods 1 --metric-name Memory --namespace "System/Linux" --period 600 --statistic Average --threshold 80 --alarm-actions <POLICY-ARN> --dimensions "AutoScalingGroupName=WidgetsIncScalingGroup". Note that an alarm only sees a custom metric published with exactly the same dimensions: a datapoint pushed with Host=host1, as on the previous slides, is not found under AutoScalingGroupName=WidgetsIncScalingGroup, so the instances must publish the metric with the group name as its dimension for this alarm to fire.
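An added example (not from the slides) of the instance side of this: a script that reads /proc/meminfo, works out the percentage of memory in use, and publishes it with mon-put-data under the AutoScalingGroupName dimension that the alarm above filters on, so that every instance in the group contributes to one group-wide metric. It assumes the legacy CloudWatch CLI is on PATH with credentials configured (how those credentials should reach the instance is the subject of the "Access to resources" section later in the talk), a Linux /proc/meminfo, and that the group name is passed in as an argument. The meminfo figures in the comments are constructed.

```shell
#!/bin/sh
# Added example: publish this instance's memory utilisation as the custom
# CloudWatch metric "Memory" in the System/Linux namespace, with the auto
# scaling group name as its only dimension. Requires the legacy mon-put-data tool.
set -eu

NAMESPACE=${NAMESPACE:-System/Linux}

# Percentage of memory in use, computed from the text of /proc/meminfo on stdin.
# Buffers and page cache count as reclaimable, as "free" reports on kernels
# without MemAvailable. Fails (exit 1) if MemTotal is missing rather than
# publishing a bogus 0 or 100 that would drive the alarm.
mem_used_pct() {
    awk '
        /^MemTotal:/ { total = $2 }
        /^MemFree:/  { free  = $2 }
        /^Buffers:/  { buf   = $2 }
        /^Cached:/   { cache = $2 }
        END {
            if (total == 0) exit 1
            used = total - free - buf - cache
            printf "%d\n", (used * 100) / total
        }' || { echo "mem_used_pct: MemTotal missing from input" >&2; return 1; }
}

# Push one datapoint. $1 = auto scaling group name, $2 = value (0-100).
# CloudWatch stores a custom metric under exactly the dimensions it was
# published with, so an alarm must use the same AutoScalingGroupName
# dimension; adding a per-instance dimension here would hide the data from it.
publish_memory() {
    mon-put-data --namespace "$NAMESPACE" --metric-name Memory \
        --dimensions "AutoScalingGroupName=$1" --unit Percent --value "$2"
}

# Usage: sh memory-metric.sh publish WidgetsIncScalingGroup   (e.g. from cron every minute)
# Constructed sample: MemTotal 1000000 kB, MemFree 200000, Buffers 100000,
# Cached 100000 gives 60% used.
if [ "${1:-}" = publish ]; then
    [ $# -eq 2 ] || { echo "usage: $0 publish <auto-scaling-group>" >&2; exit 2; }
    publish_memory "$2" "$(mem_used_pct < /proc/meminfo)"
fi
```

Because all instances publish with the same single dimension, CloudWatch aggregates their datapoints, and the Average statistic over the alarm period is the group average, which is what a group-level scaling decision should be based on.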
  75. 75. How do I manage session state when using auto scaling?
  76. 76. Session affinity: ensuring that users interact with the same web server throughout their session
  77. 77. Session affinity: ELB- or application-generated session tokens
  78. 78. Session affinity: ELB- or application-generated session tokens; session state contained within the web server tier
  79. 79. What happens when I use HTTPS?
  80. 80. Session affinity over HTTPS: terminate TLS at the ELB (the ELB can only insert or read the affinity cookie if it sees the plaintext HTTP request)
  81. 81. Session affinity over HTTPS: terminate TLS at the ELB; re-encrypt to the back-end web servers if required
  82. 82. What happens during scale-down events?
  83. 83. Scale-down: all user sessions held within the terminated web server are lost
  84. 84. Users need to re-establish their session
  85. 85. Stateless web tier: move the state out of the auto scaling tier
  86. 86. Sessions stored in ElastiCache
  87. 87. No sessions are lost during a scale-down operation
  88. 88. Apache Tomcat
  89. 89. Apache Tomcat: install memcached-session-manager on each Tomcat server
  90. 90. Apache Tomcat: install memcached-session-manager on each Tomcat server; configure memcached-session-manager to store a copy of the session state in ElastiCache
  91. 91. Apache Tomcat: install memcached-session-manager on each Tomcat server; configure memcached-session-manager to store a copy of the session state in ElastiCache; if a user session is not available from the local cache, request it from ElastiCache
  92. 92. Apache Tomcat: install memcached-session-manager on each Tomcat server; configure memcached-session-manager to store a copy of the session state in ElastiCache; if a user session is not available from the local cache, request it from ElastiCache; use with or without session affinity
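To make slides 89-92 concrete, here is an added example (not from the presentation) that emits the Tomcat context.xml Manager element pointing memcached-session-manager (msm) at ElastiCache memcached nodes, in either sticky (with ELB affinity) or non-sticky mode. The attribute names are msm's own; the node ids and host names are assumptions, and the msm and kryo serializer jars are assumed to be in Tomcat's lib directory. ElastiCache memcached nodes accept unauthenticated connections, so the cache's security group must admit only the web tier's security group; anyone else who can reach port 11211 can read or replace every user's session.

```shell
#!/bin/sh
# Added example: print the <Manager> element for memcached-session-manager
# so it can be dropped into Tomcat's conf/context.xml on each web server.
set -eu

# $1 = comma-separated "id:host:port" list of ElastiCache nodes (assumed names)
# $2 = "sticky" (ELB cookie affinity in front) or "nonsticky" (any node may
#      serve any request, so msm must lock the session while a request runs)
msm_manager_xml() {
    nodes=$1
    mode=${2:-nonsticky}
    case "$mode" in
        sticky)    sticky=true;  locking="" ;;
        nonsticky) sticky=false; locking='    lockingMode="auto"' ;;
        *) echo "msm_manager_xml: mode must be sticky or nonsticky" >&2; return 1 ;;
    esac
    # sessionBackupAsync="false": the response is not sent until the session
    # is in memcached, so a scale-down that terminates this node cannot lose
    # a change the user has already been told succeeded.
    cat <<EOF
<Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
    memcachedNodes="$nodes"
    sticky="$sticky"
    sessionBackupAsync="false"
$locking
    requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js)\$"
    transcoderFactoryClass="de.javakaffee.web.msm.serializer.kryo.KryoTranscoderFactory" />
EOF
}

# Usage (host names are placeholders):
#   msm_manager_xml "n1:cache-a.example.internal:11211,n2:cache-b.example.internal:11211" nonsticky
if [ "${1:-}" = print ]; then
    [ $# -ge 2 ] || { echo "usage: $0 print <nodes> [sticky|nonsticky]" >&2; exit 2; }
    msm_manager_xml "$2" "${3:-nonsticky}"
fi
```

Non-sticky mode is the one that actually delivers "no sessions are lost": with sticky mode a terminated node's sessions are recovered from the backup only when the ELB fails those users over, while non-sticky mode reads every request's session from the cache.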
  93. 93. Deploying resources: techniques to increase efficiency and productivity
  94. 94. You probably started with…
  95. 95. And then moved to …
  96. 96. You might even be using …
  97. 97. Room for improvement?
  98. 98. You bet!
  99. 99. CloudFormation: allows you to predictably create and manage a collection of AWS resources via text-based templates
  100. 100. CloudFormation templates
  101. 101. CloudFormation Define application stack via simple text file
  102. 102. CloudFormation Define application stack via simple text file Use stack parameters to customise
  103. 103. CloudFormation Define application stack via simple text file Use stack parameters to customise Deploy new stacks/update existing stacks
  104. 104. CloudFormation Define application stack via simple text file Use stack parameters to customise Deploy new stacks/update existing stacks Create templates from existing resources with CloudFormer
  105. 105. Define a load balancer
  106. 106. Specify AZs
  107. 107. Define cookie policy
  108. 108. Define listener ports
  109. 109. Define health check
  110. 110. Demonstration: deploying an AWS VPC including subnets, an ELB and a web server auto scaling group
  111. 111. Demonstration: using CloudFormer to generate a CloudFormation template
  112. 112. Log onto management console
  113. 113. Select CloudFormation stack
  114. 114. Specify parameters
  115. 115. Create stack
  116. 116. Specify parameters
  117. 117. Select region
  118. 118. Filter resources
  119. 119. Select DNS records
  120. 120. Select network resources
  121. 121. Select remaining resources Compute
  122. 122. Select remaining resources Compute Auto scaling configuration
  123. 123. Select remaining resources Compute Auto scaling configuration Storage
  124. 124. Select remaining resources Compute Auto scaling configuration Storage Security
  125. 125. Select remaining resources Compute Auto scaling configuration Storage Security Other – SQS/SimpleDB
  126. 126. Select remaining resources• Compute• Auto scaling configuration• Storage• Security• Other – SQS/SimpleDB• Operational – Auto scaling triggers
  127. 127. Save template
  128. 128. Access to resources: securely providing access to AWS resources
  129. 129. Secure access from EC2
  130. 130. Providing access to DynamoDB
  131. 131. Option #1: bake in AWS (account) credentials
  132. 132. Bake in AWS credentials • The account's AWS credentials provide full access to all your AWS resources
  133. 133. Bake in AWS credentials • The account's AWS credentials provide full access to all your AWS resources • If the AMI or EC2 instance is compromised, the credentials can be used to access all your resources
  134. 134. Bake in AWS credentials • The account's AWS credentials provide full access to all your AWS resources • If the AMI or EC2 instance is compromised, the credentials can be used to access all your resources • Rotating the credentials requires rebuilding the AMI
  135. 135. Need to improve security and manageability
  136. 136. Identity & Access Management: securely control user access to AWS resources
  137. 137. IAM: role-based access control
  138. 138. Option #2: bake in IAM credentials
  139. 139. Bake in IAM credentials • Reduces the impact in the event that the instance or AMI is compromised, because the IAM user's policy limits what the keys can do
  140. 140. Bake in IAM credentials • Reduces the impact in the event that the instance or AMI is compromised, because the IAM user's policy limits what the keys can do • Rotating the credentials still requires rebuilding the AMI
  141. 141. Need to improve manageability
  142. 142. Option #3: pass in IAM credentials at boot
  143. 143. Pass in IAM credentials at boot • Pass in the IAM credentials as user-data
  144. 144. Pass in IAM credentials at boot • Pass in the IAM credentials as user-data • Rotating the credentials does not require rebuilding an AMI
  145. 145. Pass in IAM credentials at boot • Pass in the IAM credentials as user-data • Rotating the credentials does not require rebuilding an AMI • We still need a way to rotate the credentials if an instance is compromised
  146. 146. Pass in IAM credentials at boot • Pass in the IAM credentials as user-data • Rotating the credentials does not require rebuilding an AMI • We still need a way to rotate the credentials if an instance is compromised • IAM credentials passed as user-data are readable by any local user or process that can make an HTTP request to the instance metadata service at http://169.254.169.254 (user-data is served there without authentication)
  147. 147. Option #4: two-stage look-up of IAM credentials
  148. 148. Two-stage look-up of IAM credentials • Pass in a time-limited pre-signed URL to IAM credentials stored in S3
  149. 149. Two-stage look-up of IAM credentials • Pass in a time-limited pre-signed URL to IAM credentials stored in S3 • Download the credentials from S3
  150. 150. Two-stage look-up of IAM credentials • Pass in a time-limited pre-signed URL to IAM credentials stored in S3 • Download the credentials from S3 • If the instance is compromised after the URL has expired, the attacker cannot re-fetch them from S3, and the IAM credentials held in S3 (and already on the instance) are rotated
  151. 151. Two-stage look-up of IAM credentials • Pass in a time-limited pre-signed URL to IAM credentials stored in S3 • Download the credentials from S3 • If the instance is compromised after the URL has expired, the attacker cannot re-fetch them from S3, and the IAM credentials held in S3 (and already on the instance) are rotated • Improved security, but complicates auto scaling (a fresh URL must be minted for every launch)
  152. 152. Option #5: add IAM credentials to configuration management
  153. 153. Add IAM credentials to configuration management • Register the instance with a configuration management tool on boot, e.g. Puppet/Chef
  154. 154. Add IAM credentials to configuration management • Register the instance with a configuration management tool on boot, e.g. Puppet/Chef • Deploy the latest valid credentials
  155. 155. Add IAM credentials to configuration management • Register the instance with a configuration management tool on boot, e.g. Puppet/Chef • Deploy the latest valid credentials • When you need to rotate the IAM credentials, push the latest set to each instance
  156. 156. Secure access from mobile devices
  157. 157. Option #1: create an IAM user for each connecting device
  158. 158. This isn't going to scale
  159. 159. IAM temporary security credentials: time-limited access to AWS resources for IAM users
  160. 160. IAM temporary security credentials
  161. 161. IAM temporary security credentials • Create a small number of IAM users for mobile devices
  162. 162. IAM temporary security credentials • Create a small number of IAM users for mobile devices • The device user authenticates via a session proxy
  163. 163. IAM temporary security credentials • Create a small number of IAM users for mobile devices • The device user authenticates via a session proxy • The session proxy requests a token from the AWS Security Token Service
  164. 164. IAM temporary security credentials • Create a small number of IAM users for mobile devices • The device user authenticates via a session proxy • The session proxy requests a token from the AWS Security Token Service • The token is passed to the device (the long-lived IAM keys never leave the proxy, and each token should be requested with a policy scoped to that user's own resources)
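The time-limited URL in option #4 is an S3 query-string-authenticated URL (signature version 2, the scheme in use when this talk was given). The script below is an added example, not the presenter's code, that builds one with openssl: it signs GET, an empty Content-MD5 and Content-Type, the expiry epoch and /bucket/key with HMAC-SHA1 under the secret access key, then URL-encodes the base64 signature. Bucket, key and credential values are placeholders. Two caveats the slides imply but do not state: the URL is itself a bearer credential and sits in user-data, readable by every local process on the instance until it expires, so keep the window short and delete the downloaded file once the application has loaded it; and this whole pattern predates IAM roles for EC2 (released June 2012), which deliver automatically rotated temporary credentials through the metadata service and make options 1 to 5 unnecessary on any account that has them.

```shell
#!/bin/sh
# Added example: mint a time-limited S3 pre-signed GET URL (signature v2
# query-string authentication) for the credentials file of option #4.
# Needs openssl. Run on the admin host, never on the instance: the secret
# key appears in openssl's argv and is visible in the process list.
set -eu

# The canonical string S3 signs for a query-string GET: verb, empty Content-MD5,
# empty Content-Type, expiry epoch seconds, then /bucket/key.
# $1 = bucket, $2 = object key (no leading slash), $3 = expiry epoch seconds
s3_string_to_sign() {
    printf 'GET\n\n\n%s\n/%s/%s' "$3" "$1" "$2"
}

# Base64(HMAC-SHA1(secret, string-to-sign)), with the three base64 characters
# that are not URL-safe (+ / =) percent-encoded.
# $1 = secret access key, $2 = string to sign
s3_signature() {
    printf '%s' "$2" \
        | openssl dgst -sha1 -hmac "$1" -binary \
        | openssl base64 \
        | sed -e 's/+/%2B/g' -e 's,/,%2F,g' -e 's/=/%3D/g'
}

# Assemble the URL.
# $1 = access key id, $2 = secret access key, $3 = bucket, $4 = key,
# $5 = absolute expiry as epoch seconds (UTC)
s3_presigned_url() {
    sig=$(s3_signature "$2" "$(s3_string_to_sign "$3" "$4" "$5")")
    printf 'https://%s.s3.amazonaws.com/%s?AWSAccessKeyId=%s&Expires=%s&Signature=%s\n' \
        "$3" "$4" "$1" "$5" "$sig"
}

# Usage: AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... sh presign.sh url <bucket> <key>
# A 15-minute window is long enough for an instance to boot and fetch the
# file, and short enough that a later compromise cannot reuse the URL.
if [ "${1:-}" = url ]; then
    [ $# -eq 3 ] || { echo "usage: $0 url <bucket> <key>" >&2; exit 2; }
    s3_presigned_url "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$2" "$3" \
        $(( $(date +%s) + 900 ))
fi
```

The URL is handed to as-create-launch-config as user-data (slide 28), and a boot script on the instance fetches it with curl or wget; because the launch configuration is immutable, every rotation of the window means creating a new launch configuration and pointing the group at it, which is the "complicates auto scaling" point on slide 151.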
  165. 165. Tracking & identification of resources
  166. 166. How can I keep track of my AWS resources?
  167. 167. Create order with tags
  169. 169. View Name tags for EC2 resources
  170. 170. Filter based on tags
  171. 171. Tag instances based on use
  172. 172. Access tags via the CLI: $PROMPT> ec2-create-tags ami-1a2b3c4d i-6f5d4e3a --tag webserver --tag stack=production
       TAG image ami-1a2b3c4d webserver
       TAG image ami-1a2b3c4d stack production
       TAG instance i-6f5d4e3a webserver
       TAG instance i-6f5d4e3a stack production
  173. 173. Tag auto scaling groups (tags with propagate-at-launch set are copied to every instance the group launches): $PROMPT> as-describe-auto-scaling-groups MyTagASG
       AUTO-SCALING-GROUP MyTagASG MyTagLC us-east-1a 1 10 5
       INSTANCE INSTANCE-ID AVAILABILITY-ZONE STATE STATUS LAUNCH-CONFIG
       TAG RESOURCE-ID RESOURCE-TYPE KEY VALUE PROPAGATE-AT-LAUNCH
       TAG MyTagASG auto-scaling-group version 1.0 true
  174. 174. Tag EBS volumes
  175. 175. CloudFormation & tags
  176. 176. Tag many types of resource • Image • Instance • Security group • EBS volume • EBS snapshot • Reserved instance • Spot instance request • VPC • Subnet • Internet gateway • VPN connection • Virtual private gateway • Customer gateway • Route table • Network ACL
  177. 177. Scaling databases
  178. 178. NoSQL vs relational databases
  179. 179. Managed database services: Amazon Relational Database Service (Amazon RDS)
  180. 180. Play video: http://www.youtube.com/watch?v=oz-7wJJ9HZ0
  181. 181. Step #1: availability. Replication between the master and a standby database server
  182. 182. Synchronous replication
  183. 183. Step #2: optimisation. Apply traditional DB best practices
  184. 184. Optimisation• Index tables
  185. 185. Optimisation• Index tables• Write efficient queries
  186. 186. Optimisation• Index tables• Write efficient queries• Archive old data when not required
  187. 187. Step #3: scale-up. Use larger EC2 instance types
  188. 188. Step #4: caching. Store the results of common queries in a memory cache such as ElastiCache
  189. 189. ElastiCache
  190. 190. Form the SQL statement
  191. 191. Return the result if it is in the cache
  192. 192. Else query the DB and update the cache
  193. 193. Step #5: scale-out. Use read replicas
  194. 194. Read replicas
  195. 195. Read replicas • Modify the application to use a connection pool
  196. 196. Read replicas • Modify the application to use a connection pool • Determine which reads need to be synchronous (must see the latest write, so go to the master)
  197. 197. Read replicas • Modify the application to use a connection pool • Determine which reads need to be synchronous (must see the latest write, so go to the master) • Determine which reads can be asynchronous (can tolerate replica lag, so go to a replica)
  198. 198. Step #6: scale-out. Shard the database
  199. 199. Shard database
  200. 200. Sharding • Choose a suitable primary key to shard on
  201. 201. Sharding • Choose a suitable primary key to shard on • Split the database across multiple database servers
  202. 202. Sharding • Choose a suitable primary key to shard on • Split the database across multiple database servers • Implement two-stage shard access at the application tier: stage #1, work out which shard (modulus of the key) customer X lives on; stage #2, direct the query at the relevant database
  203. 203. Thank You!
