3. Modernising your applications
• Go Service Oriented Architecture (& to microservices and beyond!)
• Modernize with containers
• Build with DevOps
• Offload security considerations
5. Characteristics of Service Oriented Architectures
• Do one thing well
• Independent
• Decentralized
• Black box
• Polyglot
• You build it, you run it
6. Containers are Natural for SOA
• Simple to model
• Any app, any language
• Image is the version
• Test & deploy same artifact
• Stateless servers decrease change risk
7. Amazon ECS
• Fully managed, elastic service – you don’t need to run anything, and the service scales as your microservices architecture grows
• Shared state optimistic scheduling
• Integration with Amazon CloudWatch for monitoring and logging
• Integration with AWS DevOps services for continuous integration and delivery (CI/CD)
8. Deploying Containers on ECS – Choose a Scheduler
Batch Jobs (monthly reporting, consolidated shipping) – ECS task scheduler:
• Run tasks once
• Batch jobs
• RunTask (random placement)
• StartTask (explicit placement on a chosen container instance)
Long-Running Apps (CRM web interface, content management module) – ECS service scheduler:
• Health management
• Scale-up and scale-down
• AZ aware
• Grouped containers
9. Example Architecture on ECS
Diagram: an example architecture on ECS built from Amazon ECR, Amazon RDS, an Application Load Balancer, two ECS clusters, IAM, Amazon API Gateway*, Amazon Route 53, and Amazon CloudWatch.
10. Automatic Service Scaling
Diagram: automatic service scaling. Amazon ECS publishes metrics to Amazon CloudWatch; CloudWatch scaling policies drive Auto Scaling of the ECS service, which adds or removes ECS tasks of the Order Module across Availability Zone A and Availability Zone B behind an Application Load Balancer. A Reporting module is shown alongside.
14. The DevOps Stack
• Continuous Deployment
• Delivery Pipelines
• Deployment Automation
• Continuous Integration
• Automated Testing
• Configuration Management
• Agile
• Communication
15. DevOps Practices
• Infrastructure as code
• Application and Infrastructure version management
• Test Automation
• Monitoring and logging
• Continuous Integration/Deployment
17. DevOps Stack on AWS
Diagram: pipeline stages Code → Build → Test → Deploy → Provision → Monitor, mapped to AWS services: CodeCommit, CodeBuild, CodePipeline, CodeDeploy, CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS Elastic Container Service, and CloudWatch.
18. Where do I go from here?
• Collect Metrics. Graph anything that moves
• Log everything, Centralize logging, Log Analytics
• Infrastructure as Code
• Automated configuration management
• One click environment creation
• CI/CD pipelines
• Automated testing
19. We have a strong partner list, and it’s growing
Diagram: partner tools grouped by pipeline stage (Source, Build, Test, Deploy); *beta.
22. Beyond the Front Door
• Injecting Tenant Context
• Security & Isolation
• Tenant Access Roles
• Tenant Provisioning
23. First, We Need A Tenant
Diagram: new tenant on-boarding involves a Tenant Identity Broker, an Identity Provider, Tenant Management, and Billing. The resulting tenant record:
• User: bob@abc.com
• TenantID: 491048735
• Domain: abc.pandacrm.com
• Tier: Platinum
• Status: Active
Provisioning then covers the domain, an SSL certificate, and an IAM policy for the tenant.
24. Key Tenant Provisioning Considerations
• Find a seamless model for binding tenant to identities
• Consider fault tolerance for 3rd Party integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
25. Identity & Isolation: Many Levels, One Goal
Diagram of three isolation models:
• Full Stack Isolation – each tenant (Tenant 1, Tenant 2) gets its own web tier and app tier.
• Resource-Level Isolation – tenants share the stack, but each resource is partitioned per tenant (Tenant 1 / Tenant 2).
• Application-Level Isolation – tenants (Tenant1, Tenant2, Tenant3) are separated by the application itself within shared resources.
26. IAM Policies Scope Tenant Access
Diagram: the web tier and app tier reach data only through per-tenant policies. A Tenant1 Access Policy and a Tenant2 Access Policy scope what each tenant may touch in the shared CustomerTable and in the per-tenant T1-Bucket and T2-Bucket.
27. Binding Policies to Tenants
Diagram: the web application calls a Tenant Identity Broker, which authenticates against an Identity Provider; inside the AWS cloud the identity is resolved to AWS Security Token Service (STS) credentials.
• Acquire token with tenant-scoped access
• Leverage a temporary token
• No need for separate AWS identity
28. Key Security & Isolation Considerations
• Applying isolation may require a hybrid of AWS and application strategies
• Avoid having separate IAM users for each tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and automation impacts of managing access policies
• Let IAM enforce your tenant level scoping
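The tenant-scoped STS token of slides 26 to 28 in practice, as an added example (not code from the deck): the identity broker builds a session policy for sts:AssumeRole so that each set of temporary credentials can only reach one tenant's rows in CustomerTable and one tenant's bucket. The account id, region, table ARN and the "<tenant>-bucket" naming are assumed placeholders, and the two check functions only mirror the IAM conditions used here.

```python
# Placeholders constructed for this example (not from the deck):
ACCOUNT = "123456789012"
REGION = "us-east-1"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/CustomerTable"


def tenant_session_policy(tenant_id: str) -> dict:
    """Session policy the identity broker passes (json.dumps'd) as the Policy
    argument of sts:AssumeRole. The role itself may be broad; the session policy
    narrows the temporary credentials to one tenant's rows and one tenant's bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantRowsOnly",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
                "Resource": TABLE_ARN,
                # only items whose partition key equals the tenant id are reachable
                "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}},
            },
            {
                "Sid": "TenantBucketOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{tenant_id}-bucket/*",  # assumed bucket naming
            },
        ],
    }


def dynamodb_row_allowed(policy: dict, partition_key: str) -> bool:
    """Mirror IAM's evaluation of the LeadingKeys condition on CustomerTable:
    the Allow applies only if the key is in the permitted list, else implicit deny."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        if stmt["Effect"] == "Allow" and stmt["Resource"] == TABLE_ARN:
            return partition_key in cond.get("dynamodb:LeadingKeys", [])
    return False


def s3_object_allowed(policy: dict, bucket: str, key: str) -> bool:
    """An object is reachable only when its ARN matches an Allow statement's prefix."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(stmt["Effect"] == "Allow" and stmt["Resource"].endswith("/*")
               and arn.startswith(stmt["Resource"][:-1]) for stmt in policy["Statement"])
```

The same policy template is reused for every tenant, which is what lets the broker avoid one IAM user per tenant while IAM still does the enforcement.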
29. Applying Tenant Context
Diagram: once the tenant is resolved, the Auth Service and Tenant Service issue a JWT token carrying the TenantContext. Every call to the Homepage, the Catalog Service and the Cart Service sends it as "Authorization: Bearer <JWT>", and each service applies its own access control on that context.
TenantContext
{
  UserID: "bob@abc.com",
  Role: "Admin",
  TenantID: "93194942"
}
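How the TenantContext on this slide can travel as a signed JWT, as an added example (not the deck's code): the Auth Service signs the claims, and each downstream service checks algorithm, signature and expiry before trusting TenantID. The HS256 shared secret and the iat/exp claims are assumptions; the deck only shows the three context fields.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HS256 secret between the Auth Service and downstream services.
# Constructed placeholder for the example; load from a secret store in practice.
SECRET = b"constructed-demo-secret-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, role, tenant_id, now=None, ttl=900):
    """Auth Service: embed the TenantContext as claims so Homepage, Catalog and Cart
    can authorise locally instead of calling the Tenant Service on every request."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"UserID": user_id, "Role": role, "TenantID": tenant_id, "iat": now, "exp": now + ttl}
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def tenant_context(authorization, now=None):
    """Downstream service: verify algorithm, signature and expiry before trusting
    any claim; every failure raises so no cross-tenant data can be served."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise ValueError("malformed Authorization header")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # refuse 'none' / alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return {k: claims[k] for k in ("UserID", "Role", "TenantID")}
```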
31. SaaS Identity Considerations
• SaaS identity is bigger than authentication
• Use identity broker pattern to decouple from identity providers
• Leave the heavy lifting, risk, and innovation to someone else
• Automate role and policy provisioning/management
• Add tenant context to identity token to limit bottlenecks
32. Recap: Be Agile
Elastic Container Services helps modernize applications in SOA. With DevOps and offloading identity, AWS services provide the agility needed in the SaaS world.
33. Takeaways
• Modernize the app with SOA on ECS
• DevOps with AWS Code* services for agility
• Offload SaaS identity and focus on app innovation