
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019

Vanguard is running mission-critical applications on AWS Fargate that require enhanced security controls. In this session, we show you how Vanguard is using Amazon ECS, AWS Fargate, and Application Load Balancer to run its Docker-based microservices.

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Containers and mission-critical applications
Yonatan Ryabinski
Chief Enterprise Architect
Vanguard
SEP309-R1
Vanguard background
Began operations on May 1, 1975, in Valley Forge, PA
One of the world's largest investment companies
Wall St.
Agenda
Containers journey at Vanguard
Reference architecture
Data protection
Identity and access management
Infrastructure protection
Reliability
Cost optimization
Design principles
• Fully distributed architecture
• Enabled DevSecOps patterns
• Backward compatibility with the legacy container orchestration platform
• Easy migration path from the legacy container orchestration platform
• Full automation
• Security by default
• Cost-effectiveness
Amazon Elastic Container Service (Amazon ECS) — AWS Fargate stack
[Reference architecture diagram: Amazon Elastic Container Registry (Amazon ECR), Amazon ECS, AWS Fargate, Amazon DynamoDB, Application Load Balancer (ALB), AWS Certificate Manager (ACM); a VPC spanning Availability Zone 1 and Availability Zone 2, each running Amazon ECS tasks under an Amazon ECS service with its own endpoint; AWS Auto Scaling]
AWS Fargate security
• Takes advantage of the shared responsibility model
• Full tenant isolation at the hypervisor level via Firecracker
• Ability to use a task role for native AWS integration
• No operational overhead, no hosts to patch or maintain
• Compliance with PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018,
SOC 1, SOC 2, SOC 3, and HIPAA
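The bullets above describe controls a Fargate task definition should carry: Fargate-only placement, a task role instead of baked-in credentials, no host-level privilege. The checker below is an added example written for this page, not Vanguard's or AWS's code; the task definitions it lints are constructed, and the account ID, role name and image URI in them are placeholders.

```python
"""Lint an Amazon ECS task definition for the Fargate security defaults listed above.

Added example for this page (not Vanguard's or AWS's code). It checks that:
  * the task is Fargate-only ("requiresCompatibilities": ["FARGATE"]) and uses
    awsvpc networking, which Fargate requires (each task gets its own ENI);
  * a taskRoleArn is present, so containers reach AWS APIs through the task
    role rather than through credentials placed in the image or environment;
  * no container carries long-lived AWS access keys in its environment;
  * no container asks for privileged mode, which Fargate does not offer.
"""
import json
import re

# Environment variable names that would carry static AWS credentials.
AWS_KEY_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Shape of an IAM role ARN: arn:aws:iam::<12-digit account>:role/<path and name>.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def lint_task_definition(task_def: dict) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []

    if task_def.get("requiresCompatibilities", []) != ["FARGATE"]:
        findings.append("requiresCompatibilities must be exactly ['FARGATE']")

    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode must be 'awsvpc' (required on Fargate)")

    role = task_def.get("taskRoleArn")
    if not role:
        findings.append("taskRoleArn missing: containers have no task role for AWS API calls")
    elif not ROLE_ARN_RE.match(role):
        findings.append(f"taskRoleArn is not a well-formed IAM role ARN: {role}")

    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        for env in container.get("environment", []):
            if env.get("name") in AWS_KEY_ENV_NAMES:
                findings.append(f"container {name}: static AWS credential in environment ({env['name']})")
        if container.get("privileged"):
            findings.append(f"container {name}: privileged=true is not supported on Fargate")

    return findings


def lint_task_definition_json(text: str) -> list:
    """Same check for a task definition given as JSON text (e.g. a register-task-definition input)."""
    return lint_task_definition(json.loads(text))


# Constructed sample: an EC2-style definition that relies on static keys.
WEAK_TASK_DEF = {
    "family": "orders-api",
    "requiresCompatibilities": ["EC2"],
    "networkMode": "bridge",
    "containerDefinitions": [
        {
            "name": "orders",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.0",  # placeholder
            "privileged": True,
            "environment": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-PLACEHOLDER"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "PLACEHOLDER-SECRET"},
            ],
        }
    ],
}

# Constructed sample: the same service written for Fargate with a task role.
HARDENED_TASK_DEF = {
    "family": "orders-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-task-role",  # placeholder account/role
    "containerDefinitions": [
        {
            "name": "orders",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.0",  # placeholder
            "environment": [{"name": "TABLE_NAME", "value": "orders"}],
        }
    ],
}


if __name__ == "__main__":
    for label, task_def in (("weak", WEAK_TASK_DEF), ("hardened", HARDENED_TASK_DEF)):
        problems = lint_task_definition(task_def)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```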

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Containers and mission-critical applications
    Yonatan Ryabinski, Chief Enterprise Architect, Vanguard
    SEP309-R1
  • 2. Vanguard background
    Began operations on May 1, 1975, in Valley Forge, PA
    One of the world's largest investment companies
    (image: Wall St.)
  • 3. Agenda
    Containers journey at Vanguard
    Reference architecture
    Data protection
    Identity and access management
    Infrastructure protection
    Reliability
    Cost optimization
  • 4. Design principles
    • Fully distributed architecture
    • Enabled DevSecOps patterns
    • Backward compatibility with legacy container orchestration platform
    • Easy migration path from legacy container orchestration platform
    • Full automation
    • Security by default
    • Cost-effectiveness
  • 5. Amazon Elastic Container Service (Amazon ECS) — AWS Fargate stack
    (diagram) Components: Amazon Elastic Container Registry (Amazon ECR), Amazon ECS, AWS Fargate, Amazon DynamoDB, Application Load Balancer (ALB), AWS Certificate Manager (ACM), a VPC with Availability Zone 1 and Availability Zone 2 (an Amazon ECS task in each, managed by one Amazon ECS service), VPC endpoints, AWS Auto Scaling
  • 6. AWS Fargate security
    • Taking advantage of the shared responsibility model
    • Full tenant isolation at the hypervisor level via Firecracker
    • An ability to use a task role for native AWS integration
    • No operational overhead, no hosts to patch or maintain
    • Compliance with PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and HIPAA
  • 8. Data protection
    • Sensitive environment variables encryption
    • End-to-end encryption in motion
    • Certificates that are issued and rotated with ACM
    • Data access via VPC endpoints only
  • 9. Sensitive environment variables encryption
    (diagram) Pipeline agents and the Amazon ECS task both call AWS KMS, with different permissions:
    Pipeline agents:
        "Action": ["kms:Decrypt", "kms:Encrypt"],
        "Effect": "Allow",
        "Resource": ["Key1", "Key2"]
    Amazon ECS task:
        "Action": ["kms:Decrypt"],
        "Effect": "Allow",
        "Resource": ["Key2"]
  • 10. Passing the environment variables via CFT
        env_variable1_key_value = template.add_parameter(Parameter(
            "EnvVar1KeyVal",
            # regex that allows a | separated key/value pair as a single string
            # (the pipe is escaped so it is a literal separator, and '-' is placed
            # last in each class so it is a literal hyphen rather than a range)
            AllowedPattern="(([A-Za-z0-9+./_-]+\\|[A-Za-z0-9+./_:,-]+)|)",
            Description="Env Var 1 Key Value",
            Type="String",
            NoEcho=True,
        ))
  • 11. Securing the environment variables: Decrypt
        decrypt_env_protected_variable1_key_value = template.add_resource(vg_encrypt_string_py_cr(
            "DecryptEnvProtectedVar1KeyVal",
            # using the CloudFormation Split function to extract the encrypted value
            EncryptedText=Select(1, Split("|", Ref(env_protected_variable1_key_value))),
            ServiceToken=Join("", ["arn:aws:lambda:", Ref("AWS::Region"), ":",
                                   Ref("AWS::AccountId"), ":function:vgEncryptStringPyCR"]),
        ))
  • 12. Securing the environment variables: Re-encrypt
        encrypt_env_protected_variable1_key_value = template.add_resource(vg_encrypt_string_py_cr(
            "EncryptEnvProtectedVar1KeyVal",
            # get the decrypted value
            ClearText=GetAtt("DecryptEnvProtectedVar1KeyVal", "Decrypted"),
            ServiceToken=Join("", ["arn:aws:lambda:", Ref("AWS::Region"), ":",
                                   Ref("AWS::AccountId"), ":function:vgEncryptStringPyCR"]),
            KeyId=Ref(ecKmsKey),
        ))
  • 13. Parsing the environment variables in CFT
        If("HasEnvProtectedVar1KeyVal",
           ecs.Environment(
               # parsing the | separated key/value pair and passing it to ECS as an environment variable
               Name=Select(0, Split("|", Ref(env_protected_variable1_key_value))),
               Value=GetAtt(encrypt_env_protected_variable1_key_value, "Encrypted"),
           ),
           Ref("AWS::NoValue")),
  • 14. Requesting and validating a certificate with ACM
        acm_custom = template.add_resource(AcmDomainValidator(
            "AcmCertValidCustom",
            # pass all the SANs to the custom resource that issues and validates the certificate
            SANs=If("HasApplicationName",
                    Split(",", Join(",", [
                        Join("", [
                            Ref(application_name), "-pre-", Ref(user_location), ".ecs.",
                            If("HasRegionalDnsName", Join("", [Ref("AWS::Region"), "."]), Ref("AWS::NoValue")),
                            Ref(hosted_zone_domain_name),
                        ]),
                        ...  # further SAN entries are cut off on the slide
                    ])),
                    ...),  # the else branch of the If is cut off on the slide
            ServiceToken=Join(":", ["arn:aws:lambda", Ref("AWS::Region"), Ref("AWS::AccountId"),
                                    "function:AcmDomainValidator"]),
            HostedZoneId=GetAtt("Route53ZoneInfoPub", "ZoneId"),
            DomainName=Join(".", [Join("-", [Ref("AWS::Region"), Ref(hosted_zone_domain_name)])]),
        ))
  • 15. Issuing a certificate with ACM
        application_lb_listener = template.add_resource(elasticloadbalancingv2.Listener(
            "ApplicationLbListener",
            # attaching the certificate ARN to the listener of the ALB
            Certificates=[elasticloadbalancingv2.Certificate(
                CertificateArn=If("HasNoCertificateId",
                                  GetAtt("AcmCertValidCustom", "CertificateArn"),
                                  Join("", ["arn:aws:acm:", Ref("AWS::Region"), ":",
                                            Ref("AWS::AccountId"), ":certificate/", Ref(certificate_id)])),
            )],
            SslPolicy=If("IsAlb", Ref(alb_ssl_policy), Ref("AWS::NoValue")),
            LoadBalancerArn=Ref(application_lb),
            ...
  • 16. Task roles
    • Similar to an instance profile for Amazon EC2
    • Narrow the scope of the role to an individual task
    • Tighten the application-specific access
  • 17. Attaching a role to a task
        application_ecs_task = template.add_resource(ecs.TaskDefinition(
            "ApplicationEcsTask",
            # task role parameter in the task definition, attached to the task
            TaskRoleArn=If("HasTaskRole",
                           Join("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":role/", Ref(task_role_name)]),
                           GetAtt("EcsTaskRole", "Arn")),
            ContainerDefinitions=[ecs.ContainerDefinition(
                ...
            )],
            ExecutionRoleArn=Join("", ["arn:aws:iam::", Ref("AWS::AccountId"), ":role/ecsTaskExecutionRole"]),
        ))
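The point of slides 9 through 13 and of the task role on slides 16 and 17 is the same: the pipeline agents hold the broad KMS permissions, while the role attached to the task can only decrypt with the one key its environment variables were re-encrypted under. The following Python is an added example, not code from the deck or from Vanguard: it expresses the two policy statements from slide 9 as documents, evaluates them with a deliberately simplified IAM evaluator (an assumption: identity policy only, no Condition blocks, SCPs or key policies; "Key1" and "Key2" stand in for key ARNs), and parses the `key|value` parameter the way the `Split`/`Select` calls on slides 11 and 13 do, with the slide 10 AllowedPattern enforced first.

```python
import re
from typing import Optional, Tuple

# Constructed policy documents mirroring the two statements on slide 9.
# "Key1" and "Key2" stand in for KMS key ARNs.
PIPELINE_AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:Encrypt"],
         "Resource": ["Key1", "Key2"]},
    ],
}
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": ["Key2"]},
    ],
}


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation (assumption: identity policy only, no Condition
    blocks, no SCPs or key policies): an explicit Deny wins, otherwise some Allow
    statement must match both the action and the resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reencryption_flow_authorized() -> dict:
    """Each step of slides 11-13, evaluated for the principal that performs it,
    plus the two things the task role must NOT be able to do."""
    return {
        "pipeline decrypts value encrypted under Key1":
            is_allowed(PIPELINE_AGENT_POLICY, "kms:Decrypt", "Key1"),
        "pipeline re-encrypts under Key2":
            is_allowed(PIPELINE_AGENT_POLICY, "kms:Encrypt", "Key2"),
        "task decrypts its environment variable (Key2)":
            is_allowed(TASK_ROLE_POLICY, "kms:Decrypt", "Key2"),
        "task could read the pipeline-encrypted form (Key1)":
            is_allowed(TASK_ROLE_POLICY, "kms:Decrypt", "Key1"),
        "task could encrypt anything":
            is_allowed(TASK_ROLE_POLICY, "kms:Encrypt", "Key2"),
    }


# The AllowedPattern of slide 10: <key>|<encrypted value>, with the pipe as a
# literal separator, or the empty string when the parameter is left unused.
ENV_KV_PATTERN = re.compile(r"^(([A-Za-z0-9+./_-]+\|[A-Za-z0-9+./_:,-]+)|)$")


def split_env_kv(param: str) -> Optional[Tuple[str, str]]:
    """Equivalent of Select(0, Split("|", p)) and Select(1, Split("|", p)) on
    slides 11 and 13, after enforcing AllowedPattern as CloudFormation would."""
    if ENV_KV_PATTERN.match(param) is None:
        raise ValueError("parameter does not match AllowedPattern")
    if param == "":
        return None
    name, encrypted_value = param.split("|", 1)
    return name, encrypted_value


if __name__ == "__main__":
    for step, ok in reencryption_flow_authorized().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {step}")
    # constructed sample parameter value; the ciphertext is a placeholder
    print(split_env_kv("DB_PASSWORD|AQICAHiConstructedCiphertext"))
```

Run as a script it lists which steps each principal may perform; the two "task could ..." lines come out as DENY, which is exactly the property the split of keys between the pipeline and the task role buys. A value with a second pipe, or with characters outside the classes, is rejected before any KMS call is made.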
  • 19. Infrastructure protection
    • Scan the Docker images
    • Protect the application at runtime
    • Make sure that only tasks with runtime protection can run
    • Alert when anomalies are detected
    • Prevent access in a compromised scenario
  • 20. Aqua stack in Amazon ECS – AWS Fargate
    (diagram) Components: Amazon ECS, AWS Fargate, a VPC with application zones 1 ... N, Aqua gateway and Aqua console as Amazon ECS services, Aqua scanners under AWS Auto Scaling, a PostgreSQL database, Amazon ECR reached through a VPC endpoint, a Network Load Balancer (NLB) and an ALB, SSH, and the microenforcer inside each application container
  • 21. Scan the Docker images
    Scan the images in Amazon ECR
    1. The Aqua scanner uses role-based access to scan Docker images in Amazon ECR
    2. Scanned images are tagged approved or unapproved based on policies
    3. Images are periodically rescanned with the latest signatures
  • 22. Protect the application at runtime
        FROM vdocker.artifactory.opst.c1.vanguard.com/ecs-python:python
        ...
        # Run in microenforcer
        # the microenforcer only allows the container to start when it is spawned from an approved image
        ENTRYPOINT [ "/microenforcer", "/start.sh" ]
  • 23. Alert and block when anomalies are detected
    Block a malicious action
    1. The microenforcer runs inside the container
    2. It blocks all malicious or unauthorized code invocations
    3. The SOC is alerted when a malicious invocation attempt is made
    4. Even compromised containers are protected
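Slides 19 through 22 describe two gates that a build or deployment pipeline can enforce before a task definition is allowed through: the image must carry a current "approved" scan verdict (slide 21), and its ENTRYPOINT must hand control to the microenforcer (slide 22). The Python below is an added example, not part of the deck or of Aqua's tooling: a Dockerfile parser that finds the effective ENTRYPOINT, a freshness check on a scan record, and an `admit` function combining both. The Dockerfile and the scan record are constructed, and the scan record's field names (`status`, `scanned_at`) are an assumption about what a scanner would export.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional, Tuple

ENFORCER = "/microenforcer"  # the wrapper binary from slide 22


def _dockerfile_instructions(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and
    skipping comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        m = re.match(r"(\w+)\s+(.*)$", buf.strip(), re.S)
        buf = ""
        if m:
            yield m.group(1).upper(), m.group(2).strip()


def last_entrypoint(text: str) -> Optional[List[str]]:
    """Docker honours only the last ENTRYPOINT. Exec (JSON array) form is returned
    as a list; shell form returns None because this gate (assumption) requires exec
    form so the enforcer really is the process the runtime starts."""
    ep = None
    for instr, arg in _dockerfile_instructions(text):
        if instr == "ENTRYPOINT":
            ep = arg
    if ep is None:
        return None
    try:
        parsed = json.loads(ep)
    except json.JSONDecodeError:
        return None
    if isinstance(parsed, list) and all(isinstance(s, str) for s in parsed):
        return parsed
    return None


def entrypoint_wrapped(text: str) -> bool:
    ep = last_entrypoint(text)
    return bool(ep) and ep[0] == ENFORCER


def scan_is_current(record: dict, now: datetime, max_age: timedelta) -> bool:
    """Slide 21: images are tagged approved/unapproved and periodically rescanned,
    so an 'approved' verdict older than max_age is no longer trusted."""
    if record.get("status") != "approved":
        return False
    scanned_at = datetime.fromisoformat(record["scanned_at"])
    return now - scanned_at <= max_age


def admit(dockerfile: str, record: dict, now: datetime,
          max_age: timedelta = timedelta(days=1)) -> Tuple[bool, str]:
    """Deployment gate: both conditions must hold for the task to be launched."""
    if not entrypoint_wrapped(dockerfile):
        return False, "ENTRYPOINT does not start the container under " + ENFORCER
    if not scan_is_current(record, now, max_age):
        return False, "image has no current 'approved' scan verdict"
    return True, "ok"


# Constructed sample input shaped like slide 22 (registry name is a placeholder).
SAMPLE_DOCKERFILE = """\
FROM registry.example.internal/ecs-python:python
COPY start.sh /start.sh
# Run in microenforcer
ENTRYPOINT [ "/microenforcer", \\
             "/start.sh" ]
"""
UNWRAPPED_DOCKERFILE = """\
FROM registry.example.internal/ecs-python:python
COPY start.sh /start.sh
ENTRYPOINT ["/start.sh"]
"""
# Constructed scan record; field names are an assumption.
SAMPLE_SCAN = {"image": "ecs-python:python", "status": "approved",
               "scanned_at": "2019-06-25T08:00:00+00:00"}
NOW = datetime(2019, 6, 25, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(admit(SAMPLE_DOCKERFILE, SAMPLE_SCAN, NOW))
    print(admit(UNWRAPPED_DOCKERFILE, SAMPLE_SCAN, NOW))
    print(admit(SAMPLE_DOCKERFILE, SAMPLE_SCAN, NOW + timedelta(days=3)))
```

The freshness window is what turns "rescan periodically" into an enforced control: an image whose approval predates the latest signature update is treated as unknown rather than approved, which forces the rescan instead of assuming it happened.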
  • 25. Reliability
    • Amazon ECS keeps the needed number of tasks running
    • A target group of an ALB performs a health check against each task
    • An automatic scaling service increases the number of wanted tasks based on Amazon CloudWatch metrics
  • 26. Wanted number of tasks running
    Perform self-healing
    1. The Amazon ECS service evaluates the number of tasks running against the number of tasks wanted
    2. If the number of tasks running is less than the number of tasks wanted, the service launches a new task
  • 27. Mapping between Amazon ECS and the target group
    Amazon ECS service and load balancer
    1. A target group is defined in the Amazon ECS service
    2. The load balancer service informs the Amazon ECS service when health checks fail
    3. The Amazon ECS service restarts the failed task
  • 28. Health check is performed by the target group
    Amazon ECS service and load balancer
    1. The load balancer service performs health checks based on the parameters specified
    2. If health checks have failed, the load balancer informs the Amazon ECS service that a task failed
  • 29. Amazon ECS automatic scaling
    Using Amazon CloudWatch alarms, Amazon ECS increases or decreases the number of wanted tasks in a given service
    We are using the CPUUtilization metric; other metrics can be used as well
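Slides 25 through 29 describe three cooperating loops: the target group's health check decides when a task is unhealthy, the service reconciles running tasks against the wanted count, and a CloudWatch alarm on CPUUtilization moves the wanted count. The Python below is an added example, not code from the deck or from Amazon ECS itself: a small model of each loop so the interaction can be stepped through offline. The threshold values (healthy/unhealthy counts, 70% and 30% CPU, minimum and maximum of 2 and 10 tasks) are assumptions chosen for the example, not values from the deck.

```python
from dataclasses import dataclass
from typing import List, Tuple


class TargetHealth:
    """One target as an ALB target group tracks it (assumption: reduced to
    consecutive-count thresholds; the ALB defaults are healthy=5, unhealthy=2)."""

    def __init__(self, healthy_threshold: int = 5, unhealthy_threshold: int = 2):
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self.state = "initial"
        self._ok = 0
        self._fail = 0

    def observe(self, passed: bool) -> str:
        """Feed one health-check result and return the resulting state."""
        if passed:
            self._ok += 1
            self._fail = 0
            if self._ok >= self.healthy_threshold:
                self.state = "healthy"
        else:
            self._fail += 1
            self._ok = 0
            if self._fail >= self.unhealthy_threshold:
                self.state = "unhealthy"
        return self.state


@dataclass
class Task:
    task_id: str
    health: str  # "initial", "healthy" or "unhealthy"


def reconcile(desired: int, tasks: List[Task]) -> Tuple[List[str], int]:
    """Slides 26-28: the service stops tasks the load balancer reported unhealthy,
    stops surplus tasks when running exceeds desired (after a scale-in), and
    launches as many new tasks as needed to bring running back up to desired.
    Returns (task ids to stop, number of tasks to launch)."""
    to_stop = [t.task_id for t in tasks if t.health == "unhealthy"]
    running_after_stop = len(tasks) - len(to_stop)
    surplus = running_after_stop - desired
    if surplus > 0:
        to_stop += [t.task_id for t in tasks if t.health != "unhealthy"][:surplus]
        running_after_stop = desired
    to_launch = max(desired - running_after_stop, 0)
    return to_stop, to_launch


def scale_decision(cpu_utilization: float, desired: int, *,
                   scale_out_above: float = 70.0, scale_in_below: float = 30.0,
                   step: int = 1, minimum: int = 2, maximum: int = 10) -> int:
    """Slide 29: step scaling driven by a CPUUtilization alarm. Thresholds and
    bounds are assumptions; the clamp keeps a runaway alarm from scaling to zero
    or without limit."""
    if cpu_utilization > scale_out_above:
        return min(desired + step, maximum)
    if cpu_utilization < scale_in_below:
        return max(desired - step, minimum)
    return desired


if __name__ == "__main__":
    # Constructed scenario: three tasks, one of which starts failing its checks.
    probe = TargetHealth(healthy_threshold=2, unhealthy_threshold=2)
    for result in (True, True, False, False):
        print("task b health check ->", probe.observe(result))
    tasks = [Task("a", "healthy"), Task("b", probe.state), Task("c", "healthy")]
    print("reconcile(3):", reconcile(3, tasks))        # stop b, launch 1
    desired = scale_decision(85.0, 3)                   # alarm fires: 3 -> 4
    print("desired after CPU alarm:", desired)
    print("reconcile(4):", reconcile(desired, tasks))   # stop b, launch 2
```

Note that the two loops are deliberately independent: reconciliation never changes the wanted count, and scaling never inspects health. That separation is what makes the system predictable under load, because a burst of unhealthy tasks is replaced at the current size rather than being mistaken for a capacity signal.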
  • 31. Cost optimization and next steps
    • Finding an alternative to ALB will reduce the cost
    • Sizing the task's memory and CPU will reduce the cost
    • Fine-tuning automatic scaling will reduce the cost
    • Smaller Docker images will reduce the cost
    • Experiment with AWS Cloud Map to see whether ALB can be retired
    • Experiment with AWS App Mesh for a better service-to-service call security model
    • Experiment with Amazon ECS health check using Docker API v1.35 for more aggressive self-healing and automatic scaling
  • 32. Thank you!