AWS DevDay Berlin - Automating building blocks choices you will face with container services
•Download as PPTX, PDF•
0 likes•67 views
New talk that covers some of the automation choices you will face on your journey when using the various container services.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS DevDay Berlin - Automating building blocks choices you will face with container services
Similar to AWS DevDay Berlin - Automating building blocks choices you will face with container services (20)
More from Cobus Bernard
More from Cobus Bernard (20)
Recently uploaded
Recently uploaded (20)
AWS DevDay Berlin - Automating building blocks choices you will face with container services
- 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cobus Bernard Senior Technical Evangelist Amazon Web Services B E R L I N 25.10.19 Automating Building Blocks: Choices you will face with Container Services B A R 6 @cobusbernard cobusbernard cobusbernard
- 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Structureappsascollectionsofmicroservices Properties of microservices Microservices • Independent • Individually Deployed & Scaled • Polyglot • Modular - Easily Replaced • Decentralized
- 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Rigid Flexible Abstractions Easy Hard 1 System N Systems2 Systems
- 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Monolith Does everything Monoliths are OK
- 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Microservicedevelopment lifecycle developers services monitorreleasetestbuild delivery pipelines monitorreleasetestbuild monitorreleasetestbuild monitorreleasetestbuild monitorreleasetestbuild monitorreleasetestbuild
- 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Usecodetomodelapplicationsandinfrastructure Infrastructure ascode Declarative I tell you what I need I tell you what to do Imperative
- 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Usecodetomodelapplicationsandinfrastructure Infrastructure ascode goals 1. Make infrastructure changes repeatable and predictable 2. Release infrastructure changes using the same tools as code changes 3. Replicate production environment in a staging environment to enable continuous testing
- 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Model container environments withAWS Cloud Development Kit(CDK) • Open source framework to define cloud infrastructure • JavaScript, TypeScript, and Python, (Java, and C# in developer preview) • Provides library of higher-level resource types (“construct” classes) that have AWS best practices built in by default • Provisions resources with CloudFormation • Supports all CloudFormation resource types AWS CDK https://awslabs.github.io/aws-cdk
- 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. CDKtemplate import ec2 = require('@aws-cdk/aws-ec2'); import ecs = require('@aws-cdk/aws-ecs'); import cdk = require('@aws-cdk/cdk'); class BonjourFargate extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); const vpc = new ec2.VpcNetwork(this, 'MyVpc', { maxAZs: 2 }); const cluster = new ecs.Cluster(this, 'Cluster', { vpc }); new ecs.LoadBalancedFargateService( this, "FargateService", { cluster, image: ecs.DockerHub.image("amazon/amazon-ecs-sample"), }); } } const app = new cdk.App(); new BonjourFargate(app, 'Bonjour'); app.run();
- 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. CDKtemplate applets: MyHelloWorldService: type: @aws-cdk/aws-ecs:LoadBalancedFargateServiceApplet properties: image: 'amazon/amazon-ecs-sample’ $ cdk --app ./my-applet.yaml deploy
- 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Model pipelines withAWSCDK • Minimize copy-and-paste by using object-oriented language • Define microservice pipeline “shape” in one class, then re-use it across many pipelines • CDK includes many high-level constructs for modeling a CodePipeline pipeline, including automatically configuring IAM role policies
- 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. CDKpipelines:Construct export class MyMicroservicePipeline extends cdk.Construct { constructor(parent: cdk.Construct, name: string, props: MyMicroservicePipelineProps) { super(parent, name); const pipeline = new codepipeline.Pipeline(this, 'Pipeline', { pipelineName: props.serviceName, }); const githubAccessToken = new cdk.SecretParameter(this, 'GitHubToken', { ssmParameter: 'GitHubToken' }); new codepipeline.GitHubSourceAction(this, 'GitHubSource', { stage: pipeline.addStage('Source'), owner: 'myorg', repo: props.serviceName, oauthToken: githubAccessToken.value }); …
- 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. CDKpipelines:Stack import cdk = require('@aws-cdk/cdk'); import { MyMicroservicePipeline } from './pipeline'; class MyMicroservicePipelinesStack extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); new MyMicroservicePipeline(this, 'Pipeline1', { 'serviceName': 'Microservice1' }); new MyMicroservicePipeline(this, 'Pipeline2', { 'serviceName': 'Microservice2' }); new MyMicroservicePipeline(this, 'Pipeline3', { 'serviceName': 'Microservice3' }); new MyMicroservicePipeline(this, 'Pipeline4', { 'serviceName': 'Microservice4' }); } } const app = new cdk.App(); new MyMicroservicePipelinesStack(app, 'MyMicroservicePipelines'); app.run();
- 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Sundays …
- 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Availability zone 1 Auto Scaling group AWS Region Availability zone 2 Auto-scaling for upgrades Elastic Load Balancing (ELB) X
- 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWSCodeBuild • Fully managed build service that compiles source code, runs tests, and produces software packages • Scales continuously and processes multiple builds concurrently • No build servers to manage • Pay by the minute, only for the compute resources you use • Monitor builds through CloudWatch Events
- 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Usecodetomodelapplicationsandinfrastructure Model function environments withAWSServerless Application Model (SAM) • Open source framework for building serverless applications on AWS • Shorthand syntax to express functions, APIs, databases, and event source mappings • Transforms and expands SAM syntax into AWS CloudFormation syntax on deployment • Supports all AWS CloudFormation resource types https://aws.amazon.com/serverless/sam/
- 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Containers and Docker A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.1 1 https://www.docker.com/resources/what-container Server Operating System Docker Engine AppA AppB AppC AppD
- 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments • Docker tags are resolved when each container starts, not just during deployments • Deploying “latest” or “prod” can result in untested code in production after a scale-out event • Use unique “immutable” tags for deployments
- 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments
- 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Build pushes new “latest” image Image: sha256@22222... (“latest”)
- 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Service scales up, launching new tasks Image: sha256@22222... (“latest”)
- 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Deploy using immutable tags { "name": "sample-app", "image": "amazon/amazon-ecs- sample@sha256:3e39d933b1d948c92309bb583b5a1f3d28f0119e1551ca1fe538ba414a41af48d" } { "name": "sample-app", "image": "amazon/amazon-ecs-sample:build-b2085490-359f-4eaf-8970-6d1e26c354f0" } SHA256 Digest Build ID
- 28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Compute immutable tags during build SHA256 Digest export IMAGE_URI=`docker inspect --format='{{index .RepoDigests 0}}' my_image:$IMAGE_TAG Example Result: amazon/amazon-ecs-sample@sha256:3e39d933b... Build ID export IMAGE_TAG=build-`echo $CODEBUILD_BUILD_ID | awk –F":" ‘{print $2}'` Example Result: build-b2085490-359f-4eaf-8970-6d1e26c354f0
- 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments
- 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Build pushes new image tagged with new build ID Image: sha256@22222... (“build-22222”)
- 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Service scales up, launching new tasks Image: sha256@22222... (“build-22222”)
- 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container imagetagging for deployments Image: “build-22222” tag Deployment updates service’s task definition, replacing tasks Image: sha256@22222... (“build-22222”)
- 33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Buildwithserverlesstechnologiesasmuchaspossible AWS container serviceslandscape Management Deployment, Scheduling, Scaling & Management of containerized applications Hosting Where the containers run Amazon Elastic Container Service Amazon Elastic Container Service for Kubernetes Amazon EC2AWS Fargate Image Registry Container Image Repository Amazon Elastic Container Registry
- 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS key components Development cluster Container instance Container instance Container instance Productioncluster Container instance Container instance Container instance AmazonElastic Container Service (AmazonECS) Container Container Volume Taskdefinition AmazonElastic Container Registry
- 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubectl EKS Architecture
- 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. ShiftinInfrastructure Logic OSS Hystrix: code changes required Service Mesh: decentral, language agnostic, dumb endpoints https://www.infoq.com/articles/microservices-post-kubernetes ESB: clustered monolith
- 49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open Source: Istio Service Mesh Connect, secure, and observe services • Shift in where functionality is located • Control plane = Istio • Data plane = set of all Envoy proxies • Envoy proxy as sidecar in K8s pod • Automatic or manual injection of proxy with EKS
- 50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data Plane (Proxy) • Touches every packet / request • Service discovery • Health Checking • Routing • Load Balancing • Authentication / Authorization • Observability
- 51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. IstioServiceMeshwithEnvoyProxy
- 52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Envoy Proxy • Level 7 proxy • HTTP, HTTP/2, gRPC, AWS Dynamo DB, MongoDB • C++11 code base , only 8 MB (statically linked) • No language or framework dependencies • Rquires no code changes • Battle proved OSS, started at Lyft • Works across compute options – also on EC2 • Envoy is not tightly coupled Istio
- 53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. UpdateStrategies A bath tub full of cold water ? K8s roling update 25% 1 pod at a time … or just wetten your feet? Service Mesh 3% Traffic routing 🛁 🛁 🛁 💦 🛀🏽🛁 🌊❄️🌊❄️🌊❄️ Fancy a Swim in the Arctic Sea ? Blue / Green 100% All services at once
- 54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. User Based Routing Traffic Shifting
- 55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. App Mesh works across compute services Amazon ECS AWS Fargate Amazon EKS Amazon EC2 Kubernetes on EC2
- 56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cobus Bernard Senior Technical Evangelist Amazon Web Services @cobusbernard cobusbernard cobusbernard
Editor's Notes
- Each team can move independently and simultaneously In contrast to Monolith (where the Deployment Unit is the entire program), Microservice has a separate deployment pipeline, enabling us to make small changes and speed up our Release Velocity. Each microprocessor can be written in a different language, and each team can choose its own technology stack - the most convenient or appropriate tools. Modularity - Because each unit is small, it can be easily replaced. Distributed work reduces dependence between different parts - but there are, however, common principles that aim to facilitate coordination and organizational standards.
- When you know you’re going to need to eventually handle more than one type of a thing, consider generalizing. Take for example integrating payments systems, building for one is easy but integrating with any system, even those you are unaware of is really hard. Click Generalize… But just barely-, make your system capable of handling two kinds of things. This will help you avoid too tightly coupling. Click As long as the systems are not too similar you will be abstracting a good amount of flexibility for the effort.
- Starting with a monolith is often the right choice, it allows for fast development at the early stage. As you don’t need to design the process boundaries ahead of time. A designed monolith can be scaled horizontally and broken apart later if needed. Depending on the type of startup, you may never outgrow the scaling capacity of a well-designed monolith.
- The solution is self-service tools and automation….enabling each one of the DevOps teams to own and manage their own release process.
- There are different approaches for IaC, but it is important to use one with declarative syntax, like CloudFormation or Terraform
- The AWS CDK is an infrastructure modeling framework that allows you to define your cloud resources using an imperative programming interface. The CDK is currently in developer preview. We look forward to community feedback and collaboration.
- OPTIONAL: a live demo with the CDK with this sample code
- Applets are YAML files that directly instantiate constructs, without writing any code.
- To configure AWS CodePipeline pipelines with the CDK. When you add a microservice, you need to create a new pipeline, similar to your other ones. With CDK you can use an higher level class instead of copying and pasting lots of YAML code.
- Constructs are the building blocks of AWS CDK applications. Constructs can have child constructs, which in turn can have child constructs, forming a hierarchical tree structure. The AWS CDK includes two different levels of constructs: CloudFormation Resource These constructs are low-level constructs that provide a direct, one-to-one, mapping to an AWS CloudFormation resource, as listed in the AWS CloudFormation topic AWS Resource Types Reference. All CloudFormation Resource members are found in the @aws-cdk/resources package. AWS Construct Library These constructs have been handwritten by AWS and come with convenient defaults and additional knowledge about the inner workings of the AWS resources they represent. In general, you will be able to express your intent without worrying about the details too much, and the correct resources will automatically be defined for you. AWS Construct Library members are found in the @aws-cdk/NAMESPACE packages, where NAMESPACE is the short name for the associated service, such as SQS for the AWS Construct Library for the Amazon SQS service. See the Reference section for descriptions of the AWS CDK packages and constructs.
- In the stack you can use the constructs you defines before, like the pipeline we created in the previous slide.
- The most common purpose for an auto scaling groups is resiliency; instances are put into a fixed-size auto scaling group so that if an instance fails, it is automatically replaced. The simplest use case is an auto scaling group has a min size bigger than 1.
- The current AWS container services landscape covers a broad set of products. Not all are serverless (Fargate) So you have other options. At the orchestration layer we’ve Amazon ECS and Amazon EKS. EKS makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. You can currently run your containers on ECS using either the EC2 launch type – where get to manage the the underlying instances on which your containers are running - or you can choose to run your containers in a serverless manner with the AWS Fargate launch type. Finally, we provide a registry services, Amazon ECR, where you can store your container images.
- Fully managed control plane: Multi az, right sized master setup etcd scaled automatically, Provisioned IOPS, snapshotted at intervals Worker nodes: Spot instances / GPU / autoscaling group You can think about EKS as a managed Kubernetes API endpoint. It’s upstream Kubernetes, no forking: So you can take your kubectl and communicate with the endpoint. Use all your tools
- Creation + storing Rotation Dynamic - storming
- ESB: Dumb endpoints smart pipes uS: Smart endpoints, dump pipes Retries, circuit breaker pattern, routing etc. Netflix Open Source Software Center
- Creating services is easier, Manage parts go harder. New pattern: offload to proxy Istio is the control plane and Envoy is the data plan Istio, at its core, handles the routing, load balancing, flow control and security needs of microservices. It sits on top of existing distributed applications and basically helps them talk to each other securely, while also providing logging, telemetry and the necessary policies that keep things under control (and secure). It also features support for canary releases, which allow developers to test updates with a few users before launching them to a wider audience, something that Google and other webscale companies have long done internally. The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices Touches every packet/request in the system. Responsible for service discovery, health checking, routing, load balancing, authentication/authorization, and observability. Service mesh control plane: Provides policy and configuration for all of the running data planes in the mesh. Does not touch any packets/requests in the system. The control plane turns all proxies into a distributed system. https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc
- Originally from Lyft Envoy is a nice peace of engineering with a lot of good background articles to read: Now used by various cloud providers and in OSS projects to build everything from API GW to LBs Linkerd and Nginx have shown Istio integration. Data plane can be swapped. Not so tightly coupled Since it is level 7, it can route for URL, user agent = Safari / Chrome ,
- Explain sidecar pattern, same network namespace IP/ports. Sidecar injection: default namespace gets a tag. Istio injects pod when tag is set. Chaos engineering. Try to break things before they break in prod. Add delay of 5 seconds. Kubectl apply -f CRD: kubectl get virtualservices ### The service mesh a lot of attention right now (rightly so!) The Istio model of a service is independent of how it is represented in the underlying platform (Kubernetes, Mesos, Cloud Foundry, etc.). clients of a service have no knowledge of different versions of the service, continue to use host / IP VirtualService: rules that control how requests for a service are routed within an Istio service mesh. Kubetctl get virtualservices / destinationrules – uses CUSTOM RESOURCE DEF https://istio.io/docs/concepts/traffic-management/#rule-configuration
- Originally from Lyft Envoy is a nice peace of engineering with a lot of good background articles to read: Now used by various cloud providers and in OSS projects to build everything from API GW to LBs Linkerd and Nginx have shown Istio integration. Data plane can be swapped. Not so tightly coupled Since it is level 7, it can route for URL, user agent = Safari / Chrome ,
- Replica deployment / traffic flow Free symbol https://iccpic.com/free-icon/bathtub-house_64734.html https://iccpic.com/free-icon/foot_479564.html
- It is all the same mesh. Use mesh to migrate from monolith to containers Mesh Does not have to be container, helps to containerize. Remember the options for modernization of legacy apps: different solutions App mesh embraces them all Based on Istio data plane, but we implemented a control plane and that HA, for you. ECS, Fargate: You add the Envoy proxy image to the task definition OBSERV, Tracing: Iintegrated with Cwatch log & metric, X Ray Traffic Management: LB, Path based routing