AWS Introduction
•Download as PPTX, PDF•
0 likes•163 views
Introduction to AWS and Terraform by out dear colleagues Dimosthenis Botsaris and Alexandros Koufatzis.. In these slides they introduce AWS, cloud networking and cloud native workflows using infrastructure as code via Terraform.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS Introduction
Similar to AWS Introduction (20)
Recently uploaded
Recently uploaded (20)
AWS Introduction
- 3. AWS Regions ● Designed to be isolated from other Amazon Regions ● Achieve the greatest possible fault tolerance and stability ● Most AWS Resources are tied to the Regions except some Global Services like Identity and Access Management (IAM) ● For example, we may want to launch instances in the EU to be near European customers or to meet legal requirements
- 4. AWS Availability Zones (AZ) ● Availability Zones are multiple, isolated locations within each Region ● Represented by a Region code followed by a letter identifier; for example, eu-central-1a ● Consist of one or more discrete data centers, each with redundant power, networking, and connectivity ● Offer the ability to operate applications that are more highly available, fault tolerant, and scalable
- 5. Amazon EC2 ● EC2 = Elastic Compute Cloud = Infrastructure as a Service ● You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage ● Knowing EC2 is fundamental to understand how the Cloud works ● Operating System (OS): Linux, Windows or Mac OS ● How much compute power & cores (CPU) ● How much random-access memory (RAM) ● How much storage space ● Network card: speed of the card, Public IP address
- 6. EC2 Types EC2 Instance Types Comparison (and how to remember them) - ParkMyCloud
- 7. AWS ELB ● An ELB (EC2 Load Balancer) is a managed load balancer ● AWS takes care of upgrades, maintenance ● Spreads load across multiple downstream instances ● Exposes a single point of access (DNS) to your application ● Does regular health checks to your instances ● High availability across zones ● Separates public traffic from private traffic ● Provide SSL termination (HTTPS) for your websites
- 8. Types of load balancer on AWS ● Classic Load Balancer (v1 - old generation) – HTTP, HTTPS, TCP ● Application Load Balancer (v2 - new generation) – HTTP, HTTPS, WebSocket ● Network Load Balancer (v2 - new generation) – TCP, TLS & UDP You can setup internal (private) or external (public) ELBs
- 9. AWS VPC ● VPC = Virtual Private Cloud to hold all of our AWS resources ● Restricts what sort of traffic, IP addresses and also the users that can access our instances ● VPC is private, only the Private IP ranges are allowed (10.0.0.0–10.255.255.255 / 172.16.0.0–172.31.255.255 / 192.168.0.0–192.168.255.255) ● Up to 5 per region – soft limit ● A VPC’s CIDR (Classless Inter-Domain Routing) should not overlap with your other networks
- 10. AWS VPC Components ● Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources ● Internet Gateway: The Amazon VPC side of a connection to the public Internet ● NAT Gateway: Highly available, managed service for resources in a private subnet to access the Internet ● Virtual private gateway: The Amazon VPC side of a VPN connection ● Peering Connection: Route traffic via private IP addresses between two peered VPCs ● VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC ● Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet
- 11. AWS Internet Gateways (IG) ● VPC are in a private network -> Can not reach internet ● IG helps our VPC instances connect with the internet ● Managed by AWS, scales horizontally and is HA ● One VPC can only be attached to one IGW and vice versa
- 12. AWS Subnets ● Are containers within VPC that segment off a slice of the CIDR block you define in your VPC ● Subnets allow you to give different access rules and place resources in different containers where those rules should apply ● Is a Availability Zone resource ● Can be public (accessible from the internet) or private (not accessible from the internet)
- 13. AWS Route Tables ● Contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed ● Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table) ● Each route in a table specifies a destination and a target ● For example, to enable a subnet to access the internet through an internet gateway, we can use the route table entry from the second image
- 14. AWS NAT Gateway ● Allows instances in the private subnets to connect to the internet. ● Must be launched in a public subnet. ● Managed by AWS ● NAT is created in a specific AZ, uses an EIP ● 1 NAT per AZ to have fault-tolerance and HA (High Availability) ● Requires an IGW (Private Subnet => NAT => IGW)
- 15. Network ACLs ● NACL are like a firewall which control traffic from and to subnet ● Are placed on subnet level ● Default NACL allows everything outbound and everything inbound ● One NACL per Subnet ● Deny and Allow rules ● Stateless
- 16. AWS Security Groups ● They control how traffic is allowed into or out of our EC2 Instances. ● Security groups only contain rules ● Security groups rules can reference by IP or by security group ● Stateful: Changes in incoming rules applied to outgoing rules
- 17. AWS NACLs vs SG Security Group NACL Instance level Subnet level Stateful Stateless Allow rules only Allow and Deny rules All rules are evaluated before traffic is allowed Rules are evaluated in the order specified First layer of defense for egress traffic First layer of defense for ingress traffic
- 18. AWS ECS ● ECS = Elastic Container Service ● Launch Docker containers on AWS ● Simplifies running containers in a HA manner across multiple Availability Zones within a Region ● Serverless with AWS Fargate
- 19. ● Is Region specific ● Is a logical grouping of tasks and services ● Uses one or more EC2 Instances to run tasks ● EC2 instances of the cluster run the ECS agent ● The ECS agent registers the instance to the Cluster ● Serverless using AWS Fargate ECS Cluster
- 20. ECS Task Definition ● A JSON file that describes one or more containers for ECS to run ● Can be thought of as a blueprint for your application ● Docker image to use with each container in your task ● CPU and memory to use with each task ● Which ports should be opened for your application ● What data volumes should be used with the containers in the task
- 21. ECS Services ● Allows to run and maintain a specified number of tasks ● If any of the tasks fails, ECS launches another task in order to maintain the desired number of tasks in the service ● Task placement strategies and constraints to customise task placement decisions ● Three deployment types: rolling update, blue/green, and external ● Can be linked to an ELB (Load Balancer)
- 22. Terraform ● Infrastructure as Code (described using a high-level configuration syntax) ● Is a tool for building, changing, and versioning infrastructure safely and efficiently ● Configuration files describe to Terraform the components needed to run ● Generates an execution plan describing what it will do to reach the desired state ● Executes the plan to build the described infrastructure ● Determines what changed and creates incremental execution plans ● Can manage low-level components (compute instances, networking), as well as high- level components (DNS entries, SaaS features)
- 24. AWS Monolith API design with fault-tolerance and HA
- 25. Thank you Alexandros and Dimosthenis
Editor's Notes
- DIMOS: Amazon web service is an online platform that provides scalable and cost-effective cloud computing solutions. AWS is a broadly adopted cloud platform which offers several on-demand operations like compute power, database storage, content delivery, etc. AWS has many services and on the table you can see a list of these services. Some of the most known services are: AWS EC2, AWS Lambda, AWS S3 etc
- ALEX AWS Regions are separate geographic areas that AWS uses to house its infrastructure. distributed around the world The closer your region is to you, the better, so that you can reduce network latency They are designed to be isolated from the other regions, μετα να αναφερουμε τις τελειες 2-3-4
- ALEX An AWS Availability Zone (AZ) is the logical building block that makes up an AWS Region are isolated data centers (each of them has its own network/connectivity) within a region. Each region has multiple AZs and when you design your infrastructure to have backups of data in other AZs you are building a very efficient model of resiliency, i.e. a core concept of cloud computing. Selecting multiple AZ when we design the deployment of we get the ability to operate applications that are more highly available, fault tolerant, and scalable
- DIMOS: Amazon EC2 is one of the most used and most basic services in Amazon, and is fundamental to understand how the cloud works. But the first question here is, what is EC2? Well, to be very simple, it is a machine with an operating system and hardware components of your choice. You can choose your operating system eg. Linux or Windows or OS The main difference is that it is totally virtualized. So you can run multiple virtual computers in a single physical hardware. Also you can choose your compute power and cores, you can pick how much memory you want and how much storage space you want. You can attach a network card in order to get a public ip. So ec2 is configurable and help us to deploy our services.
- DIMOS We can see in this table that there are a lot of types of ec2 instaces which are optimized to fit different use cases. Instance types have varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for our applications. Each instance type includes one or more instance sizes, allowing us to scale our resources to the requirements of your target workload
- ALEX AWS ELB is a managed load balancer, as aws takes care of upgrades, maintenance kes A load balancer distributes workloads across multiple compute resources, Using a load balancer increases the availability and fault tolerance of your applications. Μετα πες τελειες 4-5-6-7-8
- ALEX: ALB — Layer 7 (HTTP/HTTPS traffic), Flexible NLB — Layer 4 (TLS/TCP/UDP traffic), Static IPs ALB: Layer-7 load balancer, HTTP and HTTPS listeners only. route traffic based upon rules, host based or path based. NLB: layer 4 (TCP) and distribution of traffic based on network variables, such as IP address and destination ports. Differences: The network load balancer just forward requests the application load balancer examines the contents of the HTTP request to determine where to route the request
- DIMOS Lets dive in more details about network in AWS. The first component we should know is VPC. - VPC is a virtual private network dedicated to our AWS account, which allows us to build our own virtual network within AWS. Using cidr_block we can specify that IPv4 address range of the VPC. Because is a private network, only private ip ranges are allowed. - It is logically isolated from other virtual networks in the AWS Cloud. - Also it gives us control over the complete cloud network environment, including subnets, route table configuration, and network gateways. - There is a soft limit of 5 VPCs per region but you can open a ticket to AWS to increase it. - We have to be careful before create vpc and selection cidr, in order not to overlap with our other’s vpc networks
- DIMOS Here we have a list of the most important VPC components. Some of them are subnets / IG / NAT GW. We will see each of them in the following slides.
- ALEX is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. serves two purposes: to provide a target in your VPC route tables for internet-routable traffic 2) to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses basically IG allows communication between the instances in the VPC and the internet. meta teleia 3,4
- ALEX WE can think of a VPC in AWS as an apartment that separates resources. Subnets are different rooms in your apartment that segment off a slice of the CIDR block you define in your VPC. Subnets allow you to give different access rules and place resources in different containers where those rules should apply, as can be defined as public or private
- ALEX A route table is a logical construct within a VPC that contains a set of rules (called routes) that applied to the subnet and used to determine where network traffic is directed. Αναφερε 2-3-4 By entering (0.0.0.0/0) we are creating a route table that will direct all traffic to the internet gateway and associate this route table with the subnets that we created earlier.
- DIMOS When we put instances in private subnets, we are not able to reach internet. In order to overcome this issue, AWS provides the NAt GW which allow instances in private subnets to connect to internet But we have to add NAT in public subnets in order to be able to assing to it a public IP (an elastic one). The good thing is that is managed from AWS, compared to old solutions. Also, In order to achieve high availability and fault tolerance we have to add 1NAT per AZ. A single NAT gateway in a single AZ has redundancy within that AZ only, so if there were zonal issues then instances in other AZs would have no route to the internet.
- DIMOS Lets see a few things about security in VPC. NACL refers to Network Access Control List, which helps us to provide a layer of security. It sits inside our VPC but outside of our subnets. Its works like a fire wall, which control traffic from and to subnets. A nacl can be assigned to many subnets, however you can not assign a subnet to many nacls. A nacl is composed by a series of rules(deny and allow) that allow traffic of a particular sort (i.e. http, https, ssh etc..) or IP range. We can create many rules and these rules are evaluated in numerical order based on the smallest number first. Finally is stateless, which means that a request checked for inbound rules when it arrives, but also the return traffic is checked too
- DIMOS A security group serves as a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources(ALB or Postgres) and Amazon EC2 instances When we create an instance you’ll have to associate it with a security group. Otherwise the VPCs default security group will be allocated. SGs also have rules which can be ip addresses or other sg groups Also SGs are stateful, so the incoming rules applied to outgoing rules
- DIMOS Here we can a see a table which contains the main differences among ΝΑCL and SG Network ACLs are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow rules of NACL. That’s not the case with security groups, security groups has to be assigned explicitly to the instance. μετα πες και τις αλλες τελειες.
- ALEX
- ALEX
- DIMOS
- DIMOS
- ALEX Write infrastructure as code using declarative configuration files and the HashiCorp Configuration Language (HCL) A lot of Modules available to configure quickly and easily resources in AWS, Azure, Google Cloud and others
- DIMOS We can see here a diagram of deploying a service in AWS. As you can see we have deployed in a specific region. We have created a VPC, and in order to the service be High Available and fault-tolerance, we deploy the service in multiple AZ. This way if one AZ is down (the data centers in this specific AZ are down) the requests will be routed to the other AZ.