
Best Practices for Getting Started Session

These are the slides from my Best Practices for Getting Started Session from the Business Track in AWS AWSome Day that took place in London on January 27th 2016

Published in: Technology

  1. Best Practices for Getting Started with AWS. Ian Massingham, Technical Evangelist (ianmas@amazon.com, @IanMmmm)
  2. Getting Started with AWS: Agenda. Eight best practices you should focus on when getting started, and resources you can use to learn more.
  3. Getting Started with AWS: http://aws.amazon.com/getting-started/
  4. Best practice 1: Choose Your First Use Case Well
  5. Choose Your First Use Case Well: make your first project a S.M.A.R.T. one.
  6. Choose Your First Use Case Well. Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment. Make your first project a S.M.A.R.T. one.
  7. Choose Your First Use Case Well (build on slide 6). Backup & DR: take part of your data or business applications step by step into non-production DR use; understand cloud dynamics and test during controlled failover.
  8. Choose Your First Use Case Well (build on slides 6 and 7). Greenfield project: embody best practice of cloud computing in unconstrained greenfield projects, e.g. self-contained web projects, document archiving.
  9. Choose Your First Use Case Well (build on slides 6 to 8). Pain point: move specific service aspects causing undue cost or management burden, e.g. workflows, search indexing, media streaming, document archiving, constrained databases.
  10. Plan Evolution and Set Goals. Sample activities by phase:
     - Proof of Concept: understand services; test performance; architect for scale; develop team capabilities.
     - Production: implement monitoring; change control and management; security management; scalability.
     - Automation: automate corrective actions; auto-scaling; zero-downtime deployments; system backup and recovery.
  11. Best practice 2: Lay Out Your Foundations
  12. Lay Out Your Foundations: Accounts. Create an account structure that makes sense. Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services.
  13. Lay Out Your Foundations: Billing (Accounts as on slide 12). Control access to billing information: use IAM users to keep billing information in the master account. Consolidate billing into a single account: let one account pick up the bill for multiple 'sub accounts'. Set up billing alerts and automated bill reporting: get CloudWatch notifications when billing reaches a point, and output CSV reports to S3 for analysis.
  14. Billing Settings: under Billing preferences, enable delivery of billing reports with resources & tags.
  15. Billing: Master Account (aws.invoices@mycompany.com).
  16. Billing: consolidated billing relationship between the Master Account (aws.invoices@mycompany.com) and Division B (admin@divisionB.com), which has its own IAM users User2, Dev2 and Admin2.
  17. Billing: as slide 16, with Division B's resources tagged with key-value pairs, e.g. Own=Div Proj=P, Own=Div Proj=Q, Own=Div Proj=R.
  18. Billing: consolidated billing relationships between the Master Account (aws.invoices@mycompany.com) and three linked accounts: Operating Co. A (admin@opcoA.com; IAM users User1, Dev1, Admin1; tags Own=OpCo with Proj=A, Proj=B, Proj=C), Division B (admin@divisionB.com; User2, Dev2, Admin2; tags Own=Div with Proj=P, Proj=Q, Proj=R) and Business Unit C (admin@busUnitC.com; User3, Dev3, Admin3; tags Own=BusC with Proj=X, Proj=Y, Proj=Z).
  19. Billing: as slide 18, with billing alerts on the linked accounts: Alert: Reached $500; Alert: Reached $3500; Alert: Reached $1250.
  20. Billing: programmatic billing access. As slide 18, with billing CSV reports delivered to S3 for analysis.
  23. 3rd Party Cost Management Tools
  24. Lay Out Your Foundations: Access Keys (Accounts and Billing as on slides 12 and 13). Decide upon a key management strategy: control access to EC2 instances via SSH and an embedded public key, e.g. EC2 key pair per group of instances, EC2 key pair per account. Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances; consider bootstrap automation to grant developer access with developer-unique key pairs.
  25. Lay Out Your Foundations: Groups & Roles (Accounts, Billing and Access Keys as on slides 12, 13 and 24). Use IAM groups to manage console users and API access: provide developers with an IAM user login and unique API access credentials; control & restrict what IAM users can do by placing them in groups with associated policies. Assign EC2 instances IAM roles: let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. the instance can only read one S3 bucket.
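Slide 24's advice to rotate SSH keys by replacing authorized_keys entries on running instances, shown as an added example (not code from the deck or from AWS). It assumes a bootstrap script runs it as the instance user; the key material is constructed placeholder text, and the write is atomic so an interrupted rotation never leaves an empty file that locks everyone out.

```python
import os
import tempfile
from pathlib import Path

# Constructed placeholder keys for the demo; the base64 bodies are not real keys.
OLD_DEV_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDER dev@laptop-2015"
NEW_DEV_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER dev@laptop-2016"
OPS_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOPSKEYPLACEHOLDER ops@bastion"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """Return (type, base64) for an authorized_keys entry, skipping any leading
    options such as from="..." and the trailing comment; None for blank lines
    and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    for i, part in enumerate(parts):
        if part.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
            return (part, parts[i + 1])
    return None


def rotate_authorized_keys(path, old_pubkey, new_pubkey):
    """Remove every entry matching old_pubkey, add new_pubkey once, and replace
    the file atomically with mode 0600. Returns (entries_removed, key_added)."""
    old_id, new_id = key_identity(old_pubkey), key_identity(new_pubkey)
    if old_id is None or new_id is None:
        raise ValueError("public keys must be valid authorized_keys entries")
    target = Path(path)
    existing = target.read_text().splitlines() if target.exists() else []
    kept, removed, present = [], 0, False
    for line in existing:
        ident = key_identity(line)
        if ident == old_id:
            removed += 1          # drop the rotated-out key, options and all
            continue
        if ident == new_id:
            present = True        # idempotent: never add a duplicate entry
        kept.append(line)
    if not present:
        kept.append(new_pubkey)
    tmp = target.with_name(target.name + ".tmp")
    with open(tmp, "w") as fh:
        fh.write("\n".join(kept) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)       # atomic swap: old or new file, never partial
    return removed, not present


def demo_rotation():
    """Constructed scenario in a temp dir: the ops key plus the old dev key
    (listed twice, once with a from= restriction) is rotated to the new key.
    Returns both rotation results and the final entries."""
    path = Path(tempfile.mkdtemp()) / "authorized_keys"
    path.write_text("\n".join([
        "# managed by bootstrap", OPS_KEY, OLD_DEV_KEY,
        'from="10.0.0.0/8" ' + OLD_DEV_KEY,
    ]) + "\n")
    first = rotate_authorized_keys(path, OLD_DEV_KEY, NEW_DEV_KEY)
    second = rotate_authorized_keys(path, OLD_DEV_KEY, NEW_DEV_KEY)  # re-run is a no-op
    return first, second, path.read_text().splitlines()


if __name__ == "__main__":
    print(demo_rotation())
```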
  26. Identity & Access Management (IAM). One account containing users Jim, Gavin, Steve, Nigel and Stephen and applications Ingest, Console and Reporting, organised as Administrators, Developers and Applications.
  27. Identity & Access Management (IAM): as slide 26, adding Groups and Multi-factor Authentication.
  28. Identity & Access Management (IAM): as slide 27, adding Roles and AWS API Credentials.
  29. IAM Policies. Create a policy to assign permissions to a user, group, role or resource. Policies are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions. Policies control access to AWS APIs. Example policy from the slide:
     {
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "elasticbeanstalk:*",
             "ec2:*",
             "elasticloadbalancing:*",
             "autoscaling:*",
             "cloudwatch:*",
             "s3:*",
             "sns:*"
           ],
           "Resource": "*"
         }
       ]
     }
  30. Identity and Access Management (IAM). For more details on IAM, visit: aws.amazon.com/iam
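A check a practitioner would want to run over policies like the one on slide 29 before attaching them to a group or an instance role, added here as an example (not code from the deck or from AWS). It flags Allow statements with wildcard actions or resources, and builds the least-privilege counterpart of slide 25's "instance can only read an S3 bucket" for comparison; the bucket name is a placeholder.

```python
import json

# The slide's sample policy, reproduced here as the input for the check.
SLIDE_POLICY = json.loads("""
{ "Statement": [ { "Effect": "Allow",
    "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*" ],
    "Resource": "*" } ] }
""")


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_wildcards(policy):
    """Report Allow statements that grant every action of a service (service:*),
    every action (*), or apply to every resource. These are findings to review,
    not verdicts: a dev sandbox may accept them, a production role should not."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in _as_list(stmt.get("Resource")) if r == "*"]
        # NotAction / NotResource allow everything except a list; treat as wildcard.
        if "NotAction" in stmt:
            wild_actions.append("NotAction")
        if "NotResource" in stmt:
            wild_resources.append("NotResource")
        if wild_actions or wild_resources:
            findings.append({"statement": index, "actions": wild_actions,
                             "resources": wild_resources})
    return findings


def s3_read_only_bucket_policy(bucket):
    """Least-privilege policy for an instance role that may only read one
    bucket: list the bucket, get its objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": "arn:aws:s3:::%s" % bucket},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::%s/*" % bucket},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(find_wildcards(SLIDE_POLICY), indent=2))
    print(json.dumps(find_wildcards(s3_read_only_bucket_policy("PLACEHOLDER-BUCKET"))))
```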
  31. Best practice 3: Think Security
  32. Shared Security Responsibility. Amazon: foundation services (compute, storage, database, networking) and the AWS global infrastructure (regions, availability zones, edge locations). You: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity).
  33. Understand your customer & determine your security stance. Audiences: external, regulatory and internal. Leverage AWS security: architecture, administration, IAM, certifications, white papers and the QSA process, alongside your own processes, your certifications and your penetration test results.
  34. Understand your customer & determine your security stance. Engage with security assessors early in your adoption cycle: don't fear assessment, AWS meets high standards (PCI DSS, ISO 27001); security assessments take time, so allow for this in your planning; undertake architecture reviews early in your design/deployment process. Leverage AWS security.
  35. Understand your customer & determine your security stance. Use the comprehensive materials and certifications provided by AWS: risk and compliance white paper; AWS security processes white paper; CSA consensus assessments initiative questionnaire (requires NDA). For more details on AWS security, visit: aws.amazon.com/security
  36. Understand your customer & determine your security stance. Build upon the security features of AWS to implement 'security by design'.
  37. Build on AWS Security Features.
     - Tiered Access. IAM: control users, and use IAM roles to provide API credentials for instances so they can reach AWS resources via the APIs. APIs vs instances: provide developers with API credentials, with separately controlled access to SSH keys and administrative logins. Temporary credentials: provide temporary API credentials for access to AWS resources.
     - Control & Audit. Instance firewalls: firewall control on instances via security groups. AWS CloudTrail: the AWS API call history recorded by CloudTrail enables security analysis, resource change tracking and compliance auditing. AWS Config: a fully managed service that provides an AWS resource inventory, configuration history and configuration change notifications to enable security and governance.
     - Virtual Private Cloud. Subnet control: create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs. Bastion hosts: only allow management access to production resources from a bastion host; turn it off when not needed and restrict startup via MFA. VPC peering: connect privately to other VPCs, peering VPCs together to share resources across multiple virtual networks owned by you or by other AWS accounts.
     - Direct Connect & VPN. Private connections to VPC: secured access to resources in AWS over software or hardware VPN and dedicated network links. Because your VPC can be hosted behind your corporate firewall, you can move your IT resources into the cloud without changing how your users access these applications.
  38. Best practice 4: Build on the Strengths of the AWS Cloud
  39. Build on the Strengths of the AWS Cloud.
     1. Review application architectures early and assess their fit for the cloud, e.g. application performance improvement by migration of static content to Amazon S3 & CloudFront.
     2. Can cloud benefits be delivered with minimum effort & outlay? e.g. variable capacity requirements, 'standard' technology stacks, reference architectures*.
     3. Will cloud yield top-line growth, cost savings or agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments.
     4. Can automation lead to more robust, agile & secure services? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments.
  40. Build on the Strengths of the AWS Cloud (benefits: scalability, availability, cost optimisation). Disposable compute: design systems that can tolerate instance failures; dispose of compute when it is not required.
  41. Build on the Strengths of the AWS Cloud (build on slide 40). Flexible capacity: design systems that can dynamically scale from zero to hundreds of instances; use auto-scaling (events, schedules etc.) to drive capacity availability.
  42. Build on the Strengths of the AWS Cloud (build on slides 40 and 41). Cost-effective storage: use Amazon S3 for durable & cost-effective storage; deploy & scale relational databases with RDS and use DynamoDB for high-throughput NoSQL tables.
  43. Build on the Strengths of the AWS Cloud (build on slides 40 to 42). Automation and control: automate everything from deployment, to scaling, to instance recovery from failure.
  44. Bootstrapping with custom AMIs. 1 Create an instance for your OS choice; 2 configure the environment; 3 install software; 4 create an AMI (custom machine image) from the instance; 5 launch fully configured instances from the AMI, via manual deployments, programmatic deployments or auto-scaling.
  45. Bootstrapping with the Metadata Service. The metadata service at http://169.254.169.254/latest/meta-data contains & provides information about an instance, and lets instances launched from a custom or standard machine image receive custom data to drive bootstrapping. Metadata keys include: ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id.
  46. Bootstrapping with the Metadata Service plus user data. Scripts in the user-data field of the metadata will be executed on launch. For example, a shell script:
        #!/bin/sh
        yum -y install httpd
        chkconfig httpd on
        /etc/init.d/httpd start
     or, on Windows, a <powershell> … </powershell> block.
  47. Bootstrapping with the Metadata Service plus user data. Uses: install software, e.g. web server, app server, proxy; pull data and application packages from S3; publish the instance's metadata to other systems, e.g. monitoring systems; set up the security profile of the instance based upon its intended use, e.g. pull the latest config.
  48. Availability tip 1: Use multiple availability zones
  49. Availability tip 2: Use RDS with replicas and slaves
  50. Availability tip 3: Use auto-scaling groups
  51. Availability tip 4: Use Elastic Load Balancing
  52. Availability tip 5: Use Route 53 to host DNS zones
  53. Build on the Strengths of the AWS Cloud.
     - Elastic Load Balancing. Use at regional level: combined with auto-scaling, it balances requests and resource capacity across availability zones. Within VPC: use it to load balance between application tiers within an availability zone. Instance migrations: easily move instances from dev environments to test environments by moving them between ELBs.
     - Route 53. Leverage the SLA: improve application reliability with Route 53's SLA on requests served. Weighted routing: perform A/B analysis and staged application roll-outs by moving a portion of traffic to new infrastructure. Control TTLs and updates: take absolute control of DNS updates for more decisive system updates.
     - RDS. Scale databases without admin overhead: choose the instance size for databases and scale up over time. Add high availability from the management console: create master-slave configurations and read replicas; AWS takes care of failover and of recreating a new slave in the event of master DB loss.
     - Auto-Scaling. Dynamically scale resources & control costs: only provision the resources that are required, with scale-up and cool-down policies that match demand.
     For more details, visit the AWS architecture center: aws.amazon.com/architecture
  54. Best practice 5: Services not Software
  55. Services Not Software. Self-managed software & infrastructure: 70% of time spent managing all of the "undifferentiated heavy lifting", 30% on your business. AWS cloud infrastructure & services: 30% configuring cloud services, 70% on your business, i.e. more time to focus on your business.
  56. Services Not Software. Amazon RDS (Relational Database Service): easy to set up, operate and scale; handles time-consuming database management tasks such as backups, patch management and replication; supports MySQL, Oracle, Microsoft SQL Server and PostgreSQL, with Amazon Aurora in preview. Amazon DynamoDB (NoSQL Database Service): fast, predictable performance; supports document & key-value data models; fully distributed, fault-tolerant architecture.
  57. Services Not Software. Amazon SQS (Simple Queue Service): fast, reliable, scalable, fully managed message queuing service; transmit any volume of data at any level of throughput; a processing task or trigger goes onto the queue and processing results come back. Amazon EMR (Elastic MapReduce): uses Hadoop, an open source framework, to distribute your data and processing across EC2 instances; integrates with other AWS services such as S3 & DynamoDB; supports the broad Hadoop tools ecosystem.
  58. Best practice 6: Optimise Your Costs
  59. Optimise Your Costs: 1 use the right instance types; 2 use Auto Scaling; 3 turn off unused instances; 4 use Reserved Instances; 5 use Spot Instances; 6 use storage classes; 7 offload your architecture; 8 use services, not software; 9 use consolidated billing; 10 use cost management tools.
  60. Use the Right Instance Types. Instance families: general purpose (M3, M1); GPU enabled (G2, CG1); memory optimized (R3, CR1, M2); storage and IO optimized (I2, HI1, HS1); compute optimized (C4, C3, C1, CC2).
  61. Instance Purchasing Options.
     - On-demand Instances: pay as you go for computing capacity (Linux from $0.013/hour, Windows from $0.018/hour). Low cost and flexibility: pay only for what you use, with no up-front commitments or long-term contracts; ideal for applications being developed or tested on EC2 for the first time. Use cases: applications with short-term, spiky or unpredictable workloads; application development or testing.
     - Reserved Instances: 1 or 3 year terms, with three payment options (All Upfront, Partial Upfront & No Upfront). Cost is reduced in comparison to the on-demand purchasing option; predictable pricing, plus reserved capacity helps to ensure that compute capacity is available when needed. Use cases: applications with steady-state or predictable usage; applications that require reserved capacity, including disaster recovery.
     - Spot Instances: bid on unused EC2 capacity. Name your own price for EC2 computing capacity; instances will run whenever your bid exceeds the current Spot Price, which varies in real time based on supply/demand and is determined automatically. Cost-effective, large-scale, dynamic workload handling. Use cases: applications with flexible start and end times, or which can be accelerated with additional computing capacity; applications only feasible at very low compute prices.
     For more details, visit EC2 purchasing options: aws.amazon.com/ec2/purchasing-options/
  62. Best practice 7: Use Tools & Frameworks
  63. Everything is Programmable. Access everything via CLI, API or Console. Use one of 9 (soon to be 10) fully supported SDKs to create or make use of existing AWS resources within your own code. Leverage a broad ecosystem of open source, free and commercially licensed tools to work with AWS services. Achieve the highest levels of automation to support continuous deployment, define your infrastructure as code, or automate your development, operations or DevOps processes. Find out more at: aws.amazon.com/developers/getting-started/
  64. AWS Deployment & Management Tools: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy.
  65. Best practice 8: Get Supported
  66. Get Supported: AWS Support Options. Four support tiers are available; choose from Basic, Developer, Business and Enterprise. For more details on AWS Support, visit: aws.amazon.com/premiumsupport
  67. Get Supported: Trusted Advisor
  70. Get Supported: 3rd Party Software. Operating systems on EC2 instances: Ubuntu Server; Red Hat Enterprise Linux and Fedora; SUSE Linux (SLES and openSUSE); CentOS Linux; Microsoft Windows Server 2003 R2, 2008, 2008 R2 and 2012. Infrastructure components: Sendmail and Postfix MTAs; OpenVPN and RRAS; SSH, SFTP and FTP; LVM and software RAID. Web servers: Apache, IIS, Nginx. Databases: MySQL, Microsoft SQL Server. For more details on AWS Support, visit: aws.amazon.com/premiumsupport
  71. Resources You Can Use to Learn More: aws.amazon.com/getting-started/ ; aws.amazon.com/premiumsupport ; aws.amazon.com/architecture ; aws.amazon.com/security ; aws.amazon.com/campaigns/emea-getting-started
  72. AWS Training & Certification. Training (aws.amazon.com/training): build technical expertise to design and operate scalable, efficient applications on AWS. Self-paced labs (aws.amazon.com/training/self-paced-labs): try products, gain new skills, and get hands-on practice working with AWS technologies. Certification (aws.amazon.com/certification): validate your proven skills and expertise with the AWS platform.
  73. Follow us for more events & webinars: @AWScloud for global AWS news & announcements; @AWS_UKI for local AWS events & news; @IanMmmm, Ian Massingham, Technical Evangelist.