This document provides an overview of AWS and tips for launching infrastructure in the cloud. It discusses AWS services like EC2, S3, VPC, IAM, and auto-scaling. It emphasizes the importance of security, performance, fault tolerance and scale, and cost optimization. Specifically, it recommends choosing the right instance types and storage, using a CDN, auto-scaling for fault tolerance, and turning off unused resources to control costs. The overall message is how to build infrastructure on AWS that is secure, high-performing, fault-tolerant and cost-effective.
3. LAUNCH Festival 2014
Chris Munns - @chrismunns
Amazon Web Services Solutions Architect
– New Yorker
– Formerly Senior Operations @Etsy & @Meetup
– A little time at a hedge fund and Xerox
– Rochester Institute of Technology: Applied Networking and Systems Administration ‘05
– Internet Geek
6. What is AWS?
Service layers, top to bottom:
• Deployment & Administration
• Application Services
• Compute, Storage, Networking, Database
• AWS Global Infrastructure
7. Regions
US-WEST (Oregon)
EU-WEST (Ireland)
AWS GovCloud (US)
ASIA PAC (Tokyo)
US-EAST (Virginia)
ASIA PAC (Sydney)
US-WEST (N. California)
SOUTH AMERICA (Sao Paulo)
ASIA PAC (Singapore)
8. Availability Zones
(Same region map as the previous slide; each region is made up of multiple, isolated Availability Zones.)
13. AWS Multi-Factor Authentication
Helps prevent anyone with unauthorized knowledge of your email address and password from impersonating you
• Integrated into
– AWS Management Console
– Key pages on the AWS Portal: Forums, Support Center, and Account/Usage Activity pages
– S3 (MFA Delete: a second factor is required to delete versioned objects or change a bucket's versioning state)
• Virtual MFA
– App for Android
– Google Authenticator (iOS, Android, and BlackBerry)
• Turn it on for the root account first, then for every IAM user with console access
14. Temporary Security Credentials (sessions)
• Temporary security credentials containing
– Identity for authentication
– Access Policy to control permissions
– Configurable Expiration (1 – 36 hours)
• Supports
– AWS Identities (including IAM Users)
– Federated Identities (users that your own application, not AWS, authenticates)
• Scales to millions of users
– No need to create an IAM identity for every user
• Use Cases
– Identity Federation to AWS APIs
– Mobile and browser-based applications
– Consumer applications with unlimited users
15. AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Roles for EC2 instances
• Unique security credentials
– Access keys
– Login/Password
– optional MFA device
• Policies control access to AWS APIs
• Policies to restrict access to resources based on tags and other identifiers (subnet, class, AMI)
• API calls must be signed
• Deep integration into some Services
– S3: policies on objects and buckets
– Fine-Grained Access Control for DynamoDB
• AWS Management Console supports User log on
• Not for Operating Systems or Applications
– use LDAP, Active Directory/ADFS, etc...
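What "API calls must be signed" means in practice, and how a temporary credential's session token from the previous slide rides along with the signature: the following is an added example, not code from the deck or from AWS's SDKs. It implements Signature Version 4 with the standard library only and sends nothing over the network. The access key ID, secret and timestamp are the placeholder values AWS uses in its SigV4 documentation (the IAM ListUsers example), not real keys, so the output can be compared against that documentation.

```python
"""Added example (not from the original slides or AWS SDKs): AWS Signature
Version 4 request signing, with optional STS session token. Standard library
only; nothing is transmitted. Credentials below are documentation placeholders."""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    # Parameters sorted by name, RFC 3986 encoded (only unreserved characters bare).
    return "&".join(
        f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def sign_request(method, host, path, params, headers, payload,
                 access_key, secret_key, region, service, amz_date,
                 session_token=None):
    """Return (canonical_request, string_to_sign, headers_to_send)."""
    # Header names lowercased; values trimmed with runs of spaces collapsed.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:
        # A temporary credential is a triple: key id, secret, session token.
        # The token travels as a header and is covered by the signature.
        hdrs["x-amz-security-token"] = session_token

    signed_names = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([
        method.upper(),
        path or "/",
        canonical_query(params),
        canonical_headers,      # ends with "\n", which yields the blank separator line
        signed_names,
        _sha256_hex(payload),   # body hash, so the payload cannot be altered in flight
    ])

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])

    # Key derivation: the long-term secret never signs a request directly, and
    # the derived key is only valid for this date, region and service.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_names}, Signature={signature}"
    )
    return canonical_request, string_to_sign, hdrs


def example_iam_list_users(session_token=None):
    """The IAM ListUsers request used in AWS's SigV4 documentation examples."""
    return sign_request(
        "GET", "iam.amazonaws.com", "/",
        {"Action": "ListUsers", "Version": "2010-05-08"},
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"",
        "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "us-east-1", "iam", "20150830T123600Z", session_token)


if __name__ == "__main__":
    canonical, to_sign, out = example_iam_list_users()
    print(canonical)
    print(to_sign)
    print(out["authorization"])
```

Two things worth noticing: the secret access key itself is never sent, only an HMAC chain derived from it and scoped to one day, region and service, and with a session token the `x-amz-security-token` header becomes part of the signed set, so a stolen token cannot be spliced onto a different signed request.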
16. Multi-tier Security Approach Example
Web Tier, Application Tier and Database Tier, each in its own Amazon EC2 Security Group (firewall)
• Web Tier: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
• Application Tier: engineering staff have ssh access to the App Tier, which acts as Bastion
• Database Tier: sync with on-premises database
• Each tier's group should accept traffic only from the group in front of it (referenced by security-group ID, not by CIDR), so the database is never directly reachable from the Internet
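A way to check that the three-tier layout above has not drifted, as an added example rather than anything from the deck: an audit over security-group descriptions in the shape `aws ec2 describe-security-groups` returns. The group IDs, tags, CIDRs and port numbers, and the tier policy itself, are constructed for the example, and the tier of a group is read from its Name tag, which is a convention assumed here.

```python
"""Added example (not from the original slides): audit EC2 security-group
ingress rules against the three-tier policy described on the slide.
All group IDs, CIDRs and ports are constructed sample data."""
from collections import namedtuple

Finding = namedtuple("Finding", "group rule reason")

ANYWHERE = {"0.0.0.0/0", "::/0"}

# Assumed tier policy: which sources each tier may accept traffic from.
# 203.0.113.0/24 stands in for the engineering office range (constructed).
POLICY = {
    "web": {"internet_ports": {80, 443}},
    "app": {"admin_cidrs": {"203.0.113.0/24"}, "admin_ports": {22},
            "from_groups": {"web"}},
    "db":  {"from_groups": {"app"}},
}


def _tier(group):
    # Convention assumed for the example: the Name tag carries the tier.
    for tag in group.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return None


def _ports(rule):
    # IpProtocol "-1" means every protocol and port; never acceptable here.
    if rule.get("IpProtocol") == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def audit(groups, policy=POLICY):
    """Return a Finding for every ingress rule that violates the tier policy."""
    tier_of = {g["GroupId"]: _tier(g) for g in groups}
    findings = []
    for g in groups:
        tier = tier_of[g["GroupId"]]
        allowed = policy.get(tier, {})
        for rule in g.get("IpPermissions", []):
            ports = _ports(rule)
            if ports is None:
                findings.append(Finding(g["GroupId"], rule, "allows all protocols/ports"))
                continue
            # CIDR sources: only the web tier may face the Internet, only on 80/443;
            # only the admin range may reach the admin (ssh) ports.
            for ip in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = ip.get("CidrIp") or ip.get("CidrIpv6")
                if cidr in ANYWHERE:
                    bad = ports - allowed.get("internet_ports", set())
                    if bad:
                        findings.append(Finding(g["GroupId"], rule,
                                                f"open to the Internet on ports {sorted(bad)}"))
                elif cidr in allowed.get("admin_cidrs", set()):
                    bad = ports - allowed.get("admin_ports", set())
                    if bad:
                        findings.append(Finding(g["GroupId"], rule,
                                                f"admin range allowed on non-admin ports {sorted(bad)}"))
                else:
                    findings.append(Finding(g["GroupId"], rule, f"CIDR {cidr} not in policy"))
            # Group sources: each tier only from the tier in front of it.
            for pair in rule.get("UserIdGroupPairs", []):
                src = tier_of.get(pair["GroupId"])
                if src not in allowed.get("from_groups", set()):
                    findings.append(Finding(g["GroupId"], rule,
                                            f"source group {pair['GroupId']} ({src}) not allowed into {tier}"))
    return findings


# Constructed sample in describe-security-groups shape. The last db rule is
# the kind of "temporary" change the audit exists to catch.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web0001", "Tags": [{"Key": "Name", "Value": "web"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app0001", "Tags": [{"Key": "Name", "Value": "app"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db00001", "Tags": [{"Key": "Name", "Value": "db"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app0001"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f.group, f.reason)
```

Run against live data by feeding it the `SecurityGroups` list from `describe-security-groups` output; anything it prints is a rule that the diagram on the slide does not allow.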
18. Choose the right instance type
• Over 25 instance types: High CPU, High Memory, High Storage, High I/O
• Bigger isn’t always better!
• Going horizontal isn’t always better either!
• Don’t go with the cheapest instances just because they are the cheapest. This laptop is several times more powerful than an m1.small
20. Choose the right storage
2 types of EC2 storage on AWS:
• Local (ephemeral/instance based)
– Regular disk
– SSD
• EBS
– Standard
– PIOPS (Provisioned IOPS)
21. Choose the right storage
2 types of EC2 storage on AWS:
• Local (ephemeral/instance based)
– Not Persistent
– RAID for increased performance
• EBS
– Persistent
– Snapshots
– Flexible size/performance tuned by you
– RAID for increased performance
22. Choose the right storage
2 types of EC2 storage on AWS:
• Local (ephemeral/instance based)
– Local app/OS data
– Database data that is highly replicated
• EBS
– Database data that is less replicated
– Important data for your apps
23. Amazon Simple Storage Service
• Object based storage for the web
• 11 9s of durability
• Good for things like:
– Static assets (css, js, images, videos)
– Backups
– Logs
– Ingest of files for processing
• “Infinitely scalable”
• Supports fine grained permission control (bucket policies, object ACLs, IAM policies)
• Ties in well with CloudFront
• Ties in with EMR
• Acts as a logging endpoint for S3/CloudFront/Billing
• Supports encryption in transit and at rest
• Reduced Redundancy 1/3 cheaper
• Glacier for super long term storage
26. Use a CDN!
Amazon CloudFront is a web service for scalable content delivery.
• Cache static content at the edge for faster delivery
• Helps lower load on origin infrastructure
• Dynamic and Static Content
• Streaming Video
• Zone Apex support
• Custom SSL certificates
• Low TTLs (as short as 0 seconds)
• Lower costs for origin fetches (between S3/EC2 and CloudFront)
• Optimized to work with EC2, S3, ELB, and Route53
(Chart: server load, response time and volume of data delivered (Gbps) over one day, 8:00 AM to 9:00 PM, for three cases: no CDN, CDN for static content, CDN for static & dynamic content.)
30. Your instances: Pets vs. Cattle
https://secure.flickr.com/photos/81015532@N00/2192612785 vs.
31. MOOOO IM AN INSTANCE
• No “pet” infrastructure, aka resources you’d be heartbroken if they went away
• Infrastructure should be tolerant of failed/lost components
• Have no “golden eggs”
• 2+ of EVERYTHING
• Automate bootstrapping + deployment
• Make this painless and notification-less for your team
https://secure.flickr.com/photos/anemoneprojectors/9374133369
MOOOOOOOOOOOOO….
39. Auto-Scaling
Automatic resizing of compute clusters based on demand: an Amazon CloudWatch alarm triggers an auto-scaling policy.
Control: Define minimum and maximum instance pool sizes and when scaling and cool down occurs.
Integrated to Amazon CloudWatch: Use metrics gathered by CloudWatch to drive scaling.
Instance types: Run Auto Scaling for On-Demand and Spot Instances. Compatible with VPC.
aws autoscaling create-auto-scaling-group \
  --auto-scaling-group-name MyGroup \
  --launch-configuration-name MyConfig \
  --min-size 4 \
  --max-size 200 \
  --availability-zones us-west-2c
Note that a group confined to a single Availability Zone, as in the command above, disappears with that zone; list several zones (or, in a VPC, subnets in several zones via --vpc-zone-identifier) to get the “2+ of everything” the earlier slides ask for.
40. Leverage Elastic Load Balancing
Elastic Load Balancer
• Create highly scalable applications
• Distribute load across EC2 instances in multiple availability zones
• Little to no administration necessary
• Automatically attach instances on bootup via API or via Auto-Scaling
Available: Load balance across instances in multiple Availability Zones
Health checks: Automatically checks health of instances and takes them in or out of service
Session stickiness: Route requests to the same instance
Secure sockets layer: Supports SSL offload from web and application servers with flexible cipher support (if you offload, traffic from the ELB to the instances is plaintext unless a backend HTTPS listener is configured as well)
Monitoring: Publishes metrics to CloudWatch
42. Understand Cost Models
• Amazon EC2 / Amazon EMR: On Demand, Reserved Instances, Spot
• Amazon RDS / Amazon ElastiCache / Amazon RedShift: On Demand, Reserved Instances
• Amazon CloudFront: Price Classes
• Amazon S3: Standard, Reduced Redundancy, Glacier*
• Amazon DynamoDB: Provisioned Capacity, Reserved Capacity
*Glacier isn’t a pricing model for S3, but another service that is part of the Storage family of services
46. Turn things Off!
• Unused and forgotten EC2 instances
• Shrink disk space if you don’t need it now
• Auto-Scaling to shrink tiers during lower traffic periods
• Dev/Test environments during nights
• Use smaller instances if resource usage is always low (see CloudWatch data)
https://secure.flickr.com/photos/93307674@N03/8548071813/