
Getting Started on AWS


The Getting Started on AWS deck introduces Amazon users and prospective customers to Amazon VPC, EC2 and the concepts and components necessary for building fault-tolerant and highly available environments on AWS. It also introduces services like Direct Connect, Route 53 (the Amazon DNS service) and one of our new additions, the Amazon Application Load Balancer (ALB). After perusing this deck, users should have a better understanding of what these services are and their proposed benefits.


  1. 1. Getting Started with Amazon Web Services © 2015 Amazon Web Services, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon Web Services, Inc.
  2. 2. Agenda o Introduction to Amazon Cloud o Networking & The AWS Cloud o Introduction to Amazon EC2 o Fault Tolerance & High Availability
  3. 3. Introduction to The Amazon Cloud
  4. 4. What is AWS? • AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. • Benefits – Low Cost – Elasticity & Agility – Open & Flexible – Secure – Global Reach
  5. 5. What sets AWS apart? *as of July 31, 2014 Building and managing cloud since 2006 50+ services to support any cloud workload History of rapid, customer-driven releases 12 regions, 32 availability zones, 54 edge locations 51 proactive price reductions to date Thousands of partners; 2,100+ Marketplace products Experience Service Breadth & Depth Pace of Innovation Global Footprint Pricing Philosophy Ecosystem
  6. 6. AWS global infrastructure Region Edge Location 13 Regions 35 Availability Zones 54 Edge Locations
  7. 7. AWS Regions and Availability Zones (map: US East (VA) with AZ A–E; US West (OR) with AZ A–C; US West (CA) with AZ A–C; GovCloud (US) with AZ A–B; EU (Ireland) with AZ A–C; EU (Frankfurt) with AZ A–B; S. America (Sao Paulo) with AZ A–B; Asia Pacific (Tokyo) with AZ A–C; Asia Pacific (Singapore), (Sydney), (Mumbai) and (Seoul) with AZ A–B each; China (Beijing)* with AZ A–B) *A limited preview of the China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.
  8. 8. Service Breadth & Depth (diagram, bottom to top) Infrastructure Services: Regions, Availability Zones, Compute, Storage (objects, blocks, files), Databases (SQL, NoSQL, caching), CDN, Networking. Platform Services: App (Mobile & Web Front-end, Functions, Identity, Data Store, Real-time), Development (Containers, Source Code, Build Tools, Deployment, DevOps), Mobile (Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend), Analytics (Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning). Management Tools: Queuing, Notifications, Search, Orchestration, Email. Security & Management: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated. Hybrid Cloud Management: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management. Enterprise Apps: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories. AWS Marketplace: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security. Technical & Business Support: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem.
  9. 9. Any Questions?
  10. 10. Networking & The Amazon Cloud
  11. 11. Amazon Networking Components VPC – Extend your network into a virtual private cloud Direct Connect – Physical cross connect into AWS Route53 – Managed DNS service
  12. 12. The Amazon Virtual Private Cloud
  13. 13. What is The Amazon VPC Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. • Extend Your LAN into AWS • Tightly Control Packet Flow • Implement High Availability & Fault Tolerance that spans Availability Zones
  14. 14. Amazon VPC Components • VPC CIDR Definition • Private & Public Subnet • Route Tables • Internet Gateway • Virtual Private Gateway (WAN Gateway) • Security Groups (Stateful Firewall) • Network Access Control List (Stateless Firewall)
  15. 15. The Amazon VPC IP Space Plan, Design, Create • Consider future AWS region expansion • Consider future connectivity to corporate networks • Consider subnet design • The VPC CIDR can be between /16 and /28 • The CIDR cannot be modified once created • Overlapping IP spaces = future headache
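The checks this slide lists can be automated before the VPC is created, since the CIDR cannot be changed afterwards. The Go program below is an added example, not part of the deck: it validates a candidate VPC CIDR against the /16–/28 limit and against a constructed list of networks it must never overlap (existing VPCs and corporate ranges reachable over VPN or Direct Connect); that list is an assumption for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed example plan: networks the new VPC must not overlap, i.e. the
// existing VPCs and corporate ranges it may later need to route to.
var existingNetworks = []string{"10.0.0.0/16", "172.31.0.0/16", "192.168.10.0/24"}

// checkVPCCIDR applies the slide's rules: the block must be IPv4, between
// /16 and /28, written as a network address, and must not overlap anything
// in existing. It returns the problems found; an empty list means clean.
func checkVPCCIDR(cidr string, existing []string) []string {
	var problems []string
	ip, block, err := net.ParseCIDR(cidr)
	if err != nil || ip.To4() == nil {
		return []string{fmt.Sprintf("%s: not a valid IPv4 CIDR", cidr)}
	}
	ones, _ := block.Mask.Size()
	if ones < 16 || ones > 28 {
		problems = append(problems, fmt.Sprintf("%s: prefix /%d is outside the allowed /16-/28 range", cidr, ones))
	}
	if !ip.Equal(block.IP) {
		problems = append(problems, fmt.Sprintf("%s: host bits are set; the network address is %s", cidr, block))
	}
	for _, other := range existing {
		_, otherBlock, err := net.ParseCIDR(other)
		if err != nil {
			continue
		}
		if overlaps(block, otherBlock) {
			problems = append(problems, fmt.Sprintf("%s overlaps %s", cidr, other))
		}
	}
	return problems
}

// overlaps is true when either block contains the other's network address;
// for two CIDR blocks that is exactly the condition for sharing addresses.
func overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

func main() {
	for _, candidate := range []string{"10.1.0.0/16", "10.0.5.0/24", "10.0.0.0/8", "10.3.0.0/30"} {
		fmt.Printf("%-14s -> %v\n", candidate, checkVPCCIDR(candidate, existingNetworks))
	}
}
```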
  16. 16. VPC Security Building Blocks: Security Group Firewall (diagram: a load balancer, two web servers and a DB server, each behind its own security group firewall; the web servers accept Web (HTTP) traffic on port 8080)
  17. 17. VPC Security Building Blocks: NACLS o Separate inbound & outbound rules, and each rule can either allow or deny
  18. 18. The Amazon VPC Route Tables o Your VPC has an implicit router. o Each VPC comes with a main route table that you can modify. o You can create additional custom route tables for your VPC. o Each subnet must be associated with a route table. o You cannot delete the main route table. o Each route in a table specifies a destination CIDR and a target.
  19. 19. • An Internet gateway is a: o horizontally scaled, o redundant and highly available VPC component • Allows communication between instances in your VPC and the Internet • Imposes no availability risks or bandwidth constraints on your network traffic • Serves two purposes: o Provides a target in your VPC route tables for Internet-routable traffic o Performs network address translation (NAT) for instances that have been assigned public IP addresses • By default you can only create 5 Internet Gateways per Region
  20. 20. • The EC2 instance is located in a Public Subnet • It has a Public IP Address • Its route table has a default route to the Internet • The VPC router passes Internet-bound traffic to the Internet Gateway
  21. 21. • VPN concentrator that sits on the edge of your network • Allows you to: o Establish static or dynamic IPsec VPN connections between your VPC and a customer gateway o Establish a point-to-point, low-latency WAN connection between your DC/LAN and your AWS VPC • Create up to 5 per Region
  22. 22. Enabling Access to the Internet To enable access to or from the Internet for instances in a VPC subnet, you must do the following: • Attach an Internet gateway to your VPC. • Ensure that o your subnet's route table points to the Internet gateway, o instances in your subnet have public IP addresses or Elastic IP addresses, and o your network access control and security group rules allow the relevant traffic to flow to and from your instance.
  23. 23. Enabling Private Subnets to Access the Internet Resources in your private subnets only have private IPv4 addresses. • Create a NAT Instance / NAT Gateway in a Public Subnet • Ensure that o your private subnet's route table sends all Internet-bound traffic to the NAT Instance / NAT Gateway, and o your network access control and security group rules allow the relevant traffic to flow to and from your instance.
  24. 24. Multiple Ways to Provide Internet Access
  25. 25. The Amazon VPC NAT Instances • Enable instances in the private subnet to initiate outbound traffic to the Internet • No built-in redundancy / High availability by Default • Bandwidth depends on the instance type • Managed by You • Used in a public subnet • Prevents Instances from receiving inbound traffic initiated by someone on the Internet.
  26. 26. The Amazon VPC NAT Gateway • High availability – built-in redundancy • High bandwidth – up to 10 Gbps • Managed by Amazon • View NAT gateways' traffic using Flow Logs • NAT gateways support TCP, UDP, and ICMP protocols • Network ACLs apply to the NAT gateway's traffic. Route tables in the diagram: the public subnet's table (10.0.0.0/16 -> Local, 0.0.0.0/0 -> IGW) and the private route table (10.0.0.0/16 -> Local, 0.0.0.0/0 -> NGW).
  27. 27. The Amazon VPC Endpoints (example: Amazon S3) • No IGW • No NAT • No Public IP Address Needed • No Added Infrastructure Cost • Robust Access Control
  28. 28. Amazon VPC Peering Connections • Networking connection between two VPCs • Enables you to route traffic between VPCs using private IP addresses. • Instances in either VPC can communicate with each other as if they are within the same network. • A VPC peering connection can be created between your own VPCs, or with a VPC in another AWS account within the same region • There is no single point of failure for communication or a bandwidth bottleneck. (diagram: VPC A, VPC B, VPC C)
  29. 29. Connecting to other VPCs - VPC peering (diagram: VPCs 10.0.0.0/16, 172.31.0.0/16 and 10.55.0.0/16 joined by VPC Peering) Private route table of the 10.0.0.0/16 VPC: 10.0.0.0/16 -> Local, 172.31.0.0/16 -> VPC Peer. Private route table of the 172.31.0.0/16 VPC: 172.31.0.0/16 -> Local, 10.0.0.0/16 -> VPC Peer.
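The route tables on slides 18, 26 and 29 all resolve the same way: the implicit VPC router picks the most specific matching destination, so the local and peering routes always win over the 0.0.0.0/0 default. The Go example below is added here and is not from the deck; it builds a public and a private route table from constructed entries modelled on those slides (target names are placeholders) and resolves destinations with longest-prefix match.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Route is one entry of a VPC route table: a destination CIDR and a target.
type Route struct {
	Destination string
	Target      string
	block       *net.IPNet
	prefixLen   int
}

// NewRouteTable parses the entries and orders them most-specific first, which
// is the precedence the implicit VPC router applies (longest prefix wins).
func NewRouteTable(entries [][2]string) ([]Route, error) {
	var table []Route
	for _, e := range entries {
		_, block, err := net.ParseCIDR(e[0])
		if err != nil {
			return nil, fmt.Errorf("bad destination %q: %w", e[0], err)
		}
		ones, _ := block.Mask.Size()
		table = append(table, Route{e[0], e[1], block, ones})
	}
	sort.SliceStable(table, func(i, j int) bool { return table[i].prefixLen > table[j].prefixLen })
	return table, nil
}

// Lookup returns the target the router would use for a destination address,
// or "" when nothing matches (no default route: the packet is dropped).
func Lookup(table []Route, dst string) string {
	ip := net.ParseIP(dst)
	if ip == nil {
		return ""
	}
	for _, r := range table {
		if r.block.Contains(ip) {
			return r.Target
		}
	}
	return ""
}

// Constructed tables modelled on slides 26 and 29. "local" is the implicit
// route for the VPC's own CIDR; the peering route is more specific than the
// default, so peer traffic never leaves through the NAT gateway.
var publicRouteTable, _ = NewRouteTable([][2]string{
	{"10.0.0.0/16", "local"},
	{"0.0.0.0/0", "igw"},
})
var privateRouteTable, _ = NewRouteTable([][2]string{
	{"0.0.0.0/0", "nat-gateway"},
	{"10.0.0.0/16", "local"},
	{"172.31.0.0/16", "pcx-peer"},
})

func main() {
	for _, dst := range []string{"10.0.1.25", "172.31.4.7", "93.184.216.34"} {
		fmt.Printf("%-14s public -> %-12s private -> %s\n", dst, Lookup(publicRouteTable, dst), Lookup(privateRouteTable, dst))
	}
}
```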
  30. 30. Default VPCs Default VPC • Simplicity and Convenience • Automatically assigned network and subnets Security of VPC • Customer may create additional subnets and change routing rules • Additional network controls (Security Groups, NACLs, routing) • Hardware VPN options between corporate networks • Instances in default subnets have Security Group-controlled public and private IPs
  31. 31. IP Addressing (Default VPC vs. Virtual Private Cloud) Default VPC: dynamic private IP; dynamic public IP; optional static public IP (EIP); AWS-provided DNS names (private DNS name and public DNS name) with AWS-provided public DNS lookup. Virtual Private Cloud: dynamic or static private IP address; no public IP by default (can be created with publicIP=true); optional static public IP (EIP); AWS-provided private DNS names; customer-controlled DNS options.
  32. 32. Amazon Direct Connect
  33. 33. What is Amazon Direct Connect (DX)
  34. 34. Amazon DX Delivery Connection Type
  35. 35. Amazon DX Delivery Connection Type
  36. 36. Amazon Direct Connect Benefits
  37. 37. AWS Direct Connect • Decide on an AWS DX location and port size • Use the AWS Management Console to create connection request(s) • AWS sends a Letter of Authorization – Connecting Facility Assignment (LOA-CFA) via email • Establish WAN connectivity to the DX location* through an APN Partner or a network carrier of your choice • Provide the LOA-CFA to the APN Partner or your service provider to establish the connection at the DX location • Use the AWS Management Console to configure one or more virtual interfaces (diagram: AWS DX Locations) * Can be done in parallel with the remaining steps once the AWS DX location has been selected
  38. 38. Today’s VPC Lab Outline 1. Create VPC 2. Create Private & Public Subnets Across Two AZ’s 3. Configure Private & Public Route Tables 4. Create An Internet Gateway 5. Configure Security Group 6. Create A VPC Endpoint 7. Create A NAT Gateway • https://events-aws.qwiklab.com/classrooms/6660 • https://events-aws.qwiklab.com
  39. 39. The Amazon EC2
  40. 40. Amazon EC2 & Elastic Block Store Amazon Elastic Compute Cloud (EC2) - Elastic Block Store
  41. 41. EC2 Terminology • AMI – virtual machine configuration • Instance – running or stopped VM • AZ – Availability Zone • EBS – Elastic Block Store volumes attached to instances; EBS snapshots are stored in Amazon S3 buckets (diagram: a Region containing Availability Zones, each holding a VPC with instances and EBS volumes, with snapshots in S3)
  42. 42. EC2 Network Environment Virtual Private Cloud • Bring your own network • Customer-managed subnets and routing • Additional network controls (Security Groups, NACLs, routing) • Hardware VPN options between corporate networks • Instances have Security Group-controlled private IPs (dynamic public IPs or EIPs optional)
  43. 43. Default VPCs Default VPC • Automatically assigned network and subnets (can now include NAT) Security of VPC • Customer may create additional subnets and change routing rules • Additional network controls (Security Groups, NACLs, routing) • Additional networking features like enhanced networking and multiple IPs • Hardware VPN options between corporate networks • Instances in default subnets have Security Group-controlled public and private IPs
  44. 44. Broad Set of Compute Instance Types M4 General purpose Compute optimized C4 C3 Storage and IO optimized I2 G2 GPU enabled Memory optimized R3D2 M3
  45. 45. 40+ Compute Instance Types M1 C1 CC2 HI1 CG1 M2 CR1 M3 C3 D2 I2 G2 R3 – 31 “Current Generation” Instance Types, 14 “Previous Generation” Instance Types * As of March 2015
  46. 46. Purchasing options at a glance Reserved Instances Pay a low upfront price Reserve an instance slot Secure a low hourly rate Sell & modify reservations if your needs change On-Demand Instances Pay as you go Flat hourly rate No commitment Spot Instances Bid what you like—your Spot instances run while your bid > the Spot price Save up to 90% off of On- Demand Run 1,000s of instances 10:00 10:05 10:10
  47. 47. Layer your options
  48. 48. 4 EC2 Security and Design
  49. 49. Details of a Virtual Machine (diagram: a hypervisor hosting a VM workspace with one or more ephemeral (temporary) drives, one or more EBS (persistent) drives and network I/O; EBS snapshots are stored in Amazon S3)
  50. 50. EBS AMI First Time Boot (same diagram) – the EBS drive attaches to the hypervisor and the VM boots
  51. 51. EBS AMI Restart (same diagram) – the drive is reattached
  52. 52. EBS AMI Terminate (default behavior) (same diagram) – default behavior: the drive is deleted
  53. 53. EC2 Host Virtualization (diagram: a physical host with physical interfaces, a hypervisor and a firewall; customer instances of various sizes, from small to large, each get their own virtual interfaces, and Security Groups are enforced per instance)
  54. 54. EC2 Security Groups • Security Group Rules – Name – Description – Protocol – Port range – IP address, IP range, Security Group name
  55. 55. Tiered EC2 Security Groups • Hierarchical Security Group Rules – Dynamically created rules – Based on Security Group membership – Create tiered network architectures. Example: “Web” Security Group: TCP 80 from 0.0.0.0/0, TCP 22 from “Mgmt”; “App” Security Group: TCP 8080 from “Web”, TCP 22 from “Mgmt”; “DB” Security Group: TCP 3306 from “App”, TCP 22 from “Mgmt”; “Mgmt” Security Group: TCP 22 from 163.128.25.32/32
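The point of referencing a group instead of an address is that the rule follows membership, so it keeps working as instances are replaced. The Go example below is added here and is not from the deck: it models the four groups on this slide, evaluates whether a given inbound connection would be allowed, and adds a small review check for rules open to 0.0.0.0/0 on non-web ports. The client addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound security-group rule: a TCP port plus a source that is
// either a CIDR block or the name of another security group.
type Rule struct {
	Port   int
	Source string
}

// Constructed from the tiered design on slide 55. Sources that do not parse
// as a CIDR are treated as security-group names.
var groups = map[string][]Rule{
	"Web":  {{80, "0.0.0.0/0"}, {22, "Mgmt"}},
	"App":  {{8080, "Web"}, {22, "Mgmt"}},
	"DB":   {{3306, "App"}, {22, "Mgmt"}},
	"Mgmt": {{22, "163.128.25.32/32"}},
}

// Allowed reports whether an inbound TCP connection to port on a member of
// dstGroup is permitted. srcGroup is the client's own group, or "" for a
// client outside the VPC; group rules match on membership, not on address.
func Allowed(sg map[string][]Rule, dstGroup string, port int, srcIP, srcGroup string) bool {
	ip := net.ParseIP(srcIP)
	for _, r := range sg[dstGroup] {
		if r.Port != port {
			continue
		}
		if _, block, err := net.ParseCIDR(r.Source); err == nil {
			if ip != nil && block.Contains(ip) {
				return true
			}
			continue
		}
		if srcGroup != "" && r.Source == srcGroup {
			return true
		}
	}
	return false // no rule matched: security groups deny everything not listed
}

// OpenToWorld flags rules that accept 0.0.0.0/0 on anything other than the
// public web ports, the first thing to review in a tiered design.
func OpenToWorld(sg map[string][]Rule) []string {
	var findings []string
	for name, rules := range sg {
		for _, r := range rules {
			if r.Source == "0.0.0.0/0" && r.Port != 80 && r.Port != 443 {
				findings = append(findings, fmt.Sprintf("%s: port %d open to the Internet", name, r.Port))
			}
		}
	}
	return findings
}
func main() {
	fmt.Println("Internet -> Web:80 ", Allowed(groups, "Web", 80, "203.0.113.9", ""))
	fmt.Println("Internet -> DB:3306", Allowed(groups, "DB", 3306, "203.0.113.9", ""))
	fmt.Println("App -> DB:3306     ", Allowed(groups, "DB", 3306, "10.0.2.15", "App"))
	fmt.Println("findings:", OpenToWorld(groups))
}
```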
  56. 56. EC2 IP Addressing (Default VPC vs. Virtual Private Cloud) Default VPC: dynamic private IP; dynamic public IP; optional static public IP (EIP); AWS-provided DNS names (private DNS name and public DNS name) with AWS-provided public DNS lookup. Virtual Private Cloud: dynamic or static private IP address; no public IP by default (can be created with publicIP=true); optional static public IP (EIP); AWS-provided private DNS names; customer-controlled DNS options.
  57. 57. EC2-Specific Credentials • EC2 key pairs – Linux – SSH key pair for first-time host login – Windows – Retrieve Administrator password • Standard SSH RSA key pair – Public/Private Keys – Private keys are not stored by AWS • AWS approach for providing initial access to a generic OS – Secure – Personalized – Non-generic (NIST, PCI DSS) “Public Half” inserted by Amazon into each EC2 instance that you launch “Private Half” downloaded to your desktop
  58. 58. EC2 Instance access and Key Pairs • Linux launch (first boot) – Public key made available through metadata – Public key inserted into ~/.ssh/authorized_keys – User connects with SSH using their private key Instance metadata RSA public key Instance
  59. 59. EC2 Instance access and Key Pairs • Linux launch (first boot) – Public key made available through metadata – Public key inserted into ~/.ssh/authorized_keys – User connects with SSH using their private key • Windows launch (first boot sequence) – Public key made available through metadata – Sysprep – Random Administrator password – Password encrypted with public key – User decrypts password with their private key Instance metadata RSA public key Instance System log <Password> aGIhplGOqrJQmBJW … K9gTD31Q== </Password>
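The Windows flow on this slide is ordinary public-key encryption: the instance only ever holds the public half, so the password it writes to the system log can be read only by whoever holds the private half, which AWS never stores. The Go program below is an added simulation, not AWS code, using a throwaway RSA key pair in place of the EC2 key pair: the instance side encrypts a random password to the public key with PKCS#1 v1.5 and base64-encodes it as it would appear in the log, the user side decrypts it, and an unrelated private key is shown to fail.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
)

// Instance side: after Sysprep, generate a random Administrator password and
// return it plus its PKCS#1 v1.5 encryption to the public half, base64-encoded
// as it would appear in the system log (assumed form for this simulation).
func newAdminPassword(pub *rsa.PublicKey) (plaintext, encrypted string, err error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	pw := base64.RawStdEncoding.EncodeToString(raw) // 22 printable characters, no modulo bias
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(pw))
	if err != nil {
		return "", "", err
	}
	return pw, base64.StdEncoding.EncodeToString(ct), nil
}

// User side: only the holder of the private half can turn the log entry back
// into the password; AWS keeps no copy of that half, so nobody else can.
func decryptPassword(priv *rsa.PrivateKey, encrypted string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypted)
	if err != nil {
		return "", err
	}
	pw, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", err
	}
	return string(pw), nil
}

// RoundTrip runs both sides with a throwaway key pair (standing in for the one
// EC2 would create) and reports whether the matching private key recovers the
// password while an unrelated key is rejected by the padding check.
func RoundTrip() (recovered bool, otherKeyRejected bool, err error) {
	launchKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	pw, logEntry, err := newAdminPassword(&launchKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	got, err := decryptPassword(launchKey, logEntry)
	if err != nil {
		return false, false, err
	}
	_, wrongKeyErr := decryptPassword(otherKey, logEntry)
	return got == pw, wrongKeyErr != nil, nil
}
func main() {
	recovered, rejected, err := RoundTrip()
	fmt.Println("own key recovers password:", recovered, "| other key rejected:", rejected, "| err:", err)
}
```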
  60. 60. Instance Metadata • ami-id • ami-launch-index • ami-manifest-path • block-device-mapping/ • hostname • instance-action • instance-id • instance-type • kernel-id • local-hostname • local-ipv4 • mac • network/ • placement/availability-zone • profile • public-hostname • public-ipv4 • public-keys/ http://169.254.169.254/latest/meta-data/ contains a wealth of info
  61. 61. 3 Fault Tolerance & High Availability
  62. 62. Load Balancing Traffic in AWS • Load Balancing distributes incoming application traffic across o multiple EC2 instances o In multiple Availability Zones. • Increases the fault tolerance of your applications • Serves as a single point of contact for clients – Increases the availability of your application. • Add/Remove instances from your load balancer as your needs change, o without disrupting the overall flow of requests to your application • Scales your load balancer as traffic to your application changes over time o can scale to the vast majority of workloads automatically • Two Types Available o Application Load Balancer (Layer 7) o Classic Load Balancer (Layer 4)
  63. 63. Elastic Load Balancing (ELB) - Classic • In-Region Load Balancing Service • Distributes traffic across multiple Availability Zones – HTTP/S, TCP/S • Built-in Health Check • Fully fault-tolerant – Can span multiple AZs (diagram: one Elastic Load Balancer in a Region in front of web servers in AZ-1, AZ-2 and AZ-3)
  64. 64. ELB Considerations • ELB is a service, but runs on EC2 • The IP Addresses will change over time • Use CNAME records in DNS or Route 53 “Alias” records • Never use an A record • SSL is supported • Client SSL Termination • Backend ELB-to-Server mutual SSL • Cross-Zone Load Balancing • Sticky sessions
  65. 65. Amazon Application Load Balancing • Functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. • The load balancer makes routing decisions based on the content of the application traffic in the HTTP messages.
  66. 66. Amazon Application Load Balancing • Layer 7 Load Balancer • Content Based Routing • Supports Container Based Applications • Supports Web Sockets & HTTP/2 – Supports ws:// & wss:// protocols • Deeper Health Checks & Better Metrics
  67. 67. The Application Load Balancing Listener • Listeners support the following protocols and ports: – Protocols: HTTP, HTTPS – Ports: 1-65535 • Use HTTPS listener to offload the work of encryption and decryption to your ALB • Use WebSockets with both HTTP and HTTPS listeners. • Use HTTP/2 with HTTPS listeners. – You can send up to 128 requests in parallel using one HTTP/2 connection. Because HTTP/2 uses connections more efficiently, you might notice fewer connections between clients and the load balancer.
  68. 68. ELB Classic vs. Application ELB (feature – Application ELB / Classic ELB): Protocols – HTTP, HTTPS / HTTP, HTTPS, TCP, SSL; Platforms – EC2-VPC / EC2-Classic, EC2-VPC; Sticky sessions (cookies) – load balancer generated / ✔; Back-end server authentication – no / ✔; Back-end server encryption – ✔ / ✔; Idle connection timeout – ✔ / ✔; Connection draining – ✔ / ✔; Cross-zone load balancing† – always enabled / ✔; Path-based routing – ✔ / no; Route to multiple ports on a single instance – ✔ / no; HTTP/2 support – ✔ / no; Websockets support – ✔ / no; Load balancer deletion protection – ✔ / no
  69. 69. Amazon Auto Scaling & Application Availability “Auto Scaling helps you maintain application availability and allows you to scale your Amazon EC2 capacity up or down automatically according to conditions you define.”
  70. 70. Amazon Auto Scaling Benefits • Maintain your Amazon EC2 instance availability – Use Auto Scaling to detect impaired EC2 instances and unhealthy applications, and replace the instances without your intervention – Ensures that your application is getting the compute capacity that you expect • Automatically Scale Your Amazon EC2 Fleet – Enables you to follow the demand curve for your applications closely, reducing the need to manually provision Amazon EC2 capacity in advance.
  71. 71. Amazon Auto Scaling Functionality With Amazon Auto Scaling, you can: – set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average utilization of your Amazon EC2 fleet is high – Similarly, you can set a condition to remove instances in the same increments when CPU utilization is low. If you have predictable load changes, you can: – Set a schedule through Auto Scaling to plan your scaling activities. – Use Amazon CloudWatch to send alarms to trigger scaling activities and Elastic Load Balancing to help distribute traffic to your instances within Auto Scaling groups. Auto Scaling enables you to run your Amazon EC2 fleet at optimal utilization.
  72. 72. Today’s Load Balancing (ELB) Lab Outline 1. Create a public-facing Amazon Elastic Load Balancer 2. Attach EC2 instance(s) to the ELB • https://events-aws.qwiklab.com/classrooms/6660 • https://events-aws.qwiklab.com
  73. 73. Today’s Auto Scaling Lab Outline 1. Create Launch Configuration 2. Create Amazon AutoScaling Group • https://events-aws.qwiklab.com/classrooms/6660 • https://events-aws.qwiklab.com
  74. 74. Amazon Route 53
  75. 75. Route53
  76. 76. Route53
  77. 77. Route53
  78. 78. Any Questions?
