This document discusses DevOps concepts and practices including: - DevOps aims to improve collaboration between development and operations teams through practices like continuous integration, deployment automation, and infrastructure as code. - The five pillars of DevOps are: microservices, infrastructure as code, automation and configuration management, continuous integration and continuous delivery, and logging and monitoring. - Specific DevOps practices discussed include building infrastructure templates with CloudFormation, implementing continuous integration and delivery pipelines with CodePipeline/CodeBuild/CodeDeploy, and automating infrastructure provisioning and configuration changes.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sun Yong
Developer Specialist Solutions Architect
ASEAN
윈도 닷넷 개발자를 위한
솔루션 클라우드
인증/데브옵스 솔루션

2. Paradigm Shift

3. What is Paradigm?
Universally recognized scientific achievements that, for a time,
provide model problems and solutions for a community of
practitioners
- Thomas Kuhn, the historian of science, in his book ”The Structure of Scientific Revolutions”
“Common concepts accepted in some area and period”

4. Two pictures of 5th Ave in history
exemplified how rapidly things can
change with technology innovation
1900 1913
VS
Source: Morgan Stanley

5. SDK overview

6. v
Programming in AWS ?

7. vv
What is programmable?
Cloud Computing can be controlled with APIs
• In the case of AWS, almost all services have APIs
• From the network to the platform itself, every layer are
programmable – you can control it.
• Use service transparently based on abstract framework of
each service

8. v
As you want

9. vv
AWS SDK
• Control all AWS services programably
• Wrapped APIs provided by AWS services
• Communication : HTTP / HTTPS
- communication destination depends on the endpoint for each service
- http://docs.aws.amazon.com/general/latest/gr/rande.html
• SDK for various languages

10. vv
SDK
Start, stop
Put,Get
Start DB
BackupAWS SDK
Ceritification
login
Monitoring

11. vv
AWS Management Console
AWS CLI
Demo

12. vv
It means…
• An API is defined for all operation of each service
• Execute through AWS Management Console and CLI
It is able to record operations on the Management Console as API
logs with AWS CloudTrail

13. vv
AWS SDK
Used in codes of server development (server, batch processing and etc)
Android iOS
Java NodeJS .NET PHP Python Ruby
Javascript
in
Browser
Used in codes running on the client side, the end user's terminal or service
Client side SDK
C++ Go
IDE toolkit
Eclipse Visual Studio

14. vv
AWS Mobile SDK
SDK for Mobile Application
• Common authentication mechanism to all
services
• Handling online and offline automatically
• Optimization for Mobile OS
- Example: Architecture using local offline cache
• Reduce memory footprint
- Install selected package with services

15. vv
Additional Resources
• Sample Code & Libraries : https://aws.amazon.com/code/

16. vv
AWS Mobile SDK for Unity

17. vv
AWS Mobile SDK for Xamarin

18. vv
AWS SDK Usage
• Control of AWS resources
Automation of infrastructure construction / operation
Manipulate AWS resources such as EC2 and RDS by programs
Each SDK not exactly same - supporting services and operations
• Use of AWS service
• Include service’s operation as part of the application
• Save data to S3, input/output data to DynamoDB, SQS and etc.

19. vv
SDK for Service (Partial)
• Amazon Kinesis
– Process large amounts of stream data without loss in
real time
• Amazon SQS
– Fully managed message queuing service
• AWS Lambda
– cloud computing, event-driven application
implementation without servers
• Amazon SNS
– Various messaging services including push notification
• Amazon DynamoDB
– Full managed NoSQL database service
• Amazon SES
– massive outgoing mail sending service

20. vv
Basic Steps of AWS SDK
• Install required SDK for the language
defferent installation procedure in each laguage
• Prepare Credential (AWS API authentication information) or IAM role
Create an IAM user or IAM role with the minimum authorization for SDK operation
• Instantiate the client object of the service (for example, S3)
Pass Credential at this time
• Operations (eg, PutObject) using methods of client objects
• Some languages have more highly abstracted SDKs.

21. vv
More Highly Abstracted (eg. Python)
• Boto3 Resource vs Client
• Resource provide a higher-level abstraction than the raw, low-level calls
made by service clients.
sqs = boto3.resource('sqs')
s3 = boto3.resource('s3')
sqs= boto3.client('sqs')
s3= boto3.client('s3')

22. vv
More Highly Abstracted (eg. Python)
ddb = boto3.client('dynamodb’)
ddb.put_item(
TableName=table_name,
Item={
'username' : {'S':'ruanb'},
'first_name' : {'S':'ruan'},
'last_name' : {'S':'bekker'},
'age' : {'N' : '30'},
'account_type': {'S':'administrator'} }
)
ddb = boto3.resource('dynamodb’)
table = ddb.Table('staff')
table.put_item(
Item={
'username': 'ruanb3',
'first_name': 'ruan3',
'last_name': 'bekker',
'age': 30,
'account_type': 'administrator', }
)

23. vv
Let’s see code (node.js)
var AWS = require('aws-sdk');
AWS.config = new AWS.Config();
AWS.config.accessKeyId = "accessKey";
AWS.config.secretAccessKey = "secretKey";
AWS.config.region = "us-east-1";
var s3 = new AWS.S3();
// Bucket names must be unique across all S3 users
var myBucket = ’seon_sin_bucket';
var myKey = ’hello.txt';
s3.createBucket({Bucket: myBucket}, function(err, data) {
if (!err) {
params = {Bucket: myBucket, Key: myKey, Body: 'Hello!'};
s3.putObject(params, function(err, data) {
if (!err) { {
console.log("Successfully uploaded data to myBucket/myKey");
}
});
}
});
1. Include required library
2. Set credential
3. Create an instance of service
4. Call a method for operation of each service
Do not include
credential in your
codes
Demo

24. vv
Handling credential in using SDK
• You should not embed your credentials in your app
The access key will be distributed over a wide area
Updating the access key is not practical due to the application's update
• Provide different authentication information for end users / terminals
It is important to give the minimum necessary privileges to each user
Suspension of unauthorized users when unauthorized use is detected
• The authentication information should be invalidated when it expires
Impact of unauthorized users on time

25. Authentication AuthN
Authorization AuthR
What is?

26. vv
Handling credential in using SDK
• It depens on where the program to run
In EC2 : Use IAM role
In Mobile App : Use Amazon Cognito
• The pattern that is embedded directly in the program is strongly
prohibited
Problems of security
Problems of mentality
• Do not forget to configure your IAM's authority as least privileged

27. vv
Handling credential in using SDK
• Most SDKs will automatically read the following cases
Loaded from the shared credentials file
Loaded from environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as
environment variables)
Use IAM Roll (only when running on AWS)
However, there are differences in behavior such as the order which SDK will look for

28. vv
Loaded from Shared credentials
[default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
• Prepare a file containing the authentication information in advance
• location
Linux/Mac users: ~/.aws/credentials
Windows users: C:UsersUSER_NAME.awscredentials
• example

29. vv
Handling credential in using .Net SDK
• Using SDK Store
The Toolkit for Visual Studio includes a graphical user interface for managing profiles
You can manage your profiles from the command line by using the AWS Tools for Windows PowerShell
You can manage your profiles programmatically using the Amazon.Util.ProfileManager class.
• Using a Credential File
if your user name is awsuser, the credentials file would be C:usersawsuser.awscredentials.
• Using Credential in an Application
Access key and secret key values that are stored in the application's App.config or Web.config file
Specify the location by adding a profilesLocation attribute value to the <aws> element.

30. vv
IAM Role
• A mechanism for granting AWS operational rights to
entities, such as AWS services and applications
For example, by granting a roll to an application, this application
can manupulate AWS Services
• Not tied to IAM users or groups
• EC2, Beanstalk, Datapipeline and etc

31. vv
IAM Role
Grant the specified role to the EC2 instance
• The authentication information is set to the metadata
• Authentication information is STS (Security Token Service)
Different keys for each instance
If the expiration date is reached, obtain new credential
• Application obtains credentials from EC2 meta-data and access the AWS service
Access to metadata from within the instance
Obtain an access key ID, a secret access key, and a session token
API calls with three credentials
Program
IAM Role
Meta-data

32. v
Look up within EC2 (meta-data) with IAM Role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2_Admin
{
"Code" : "Success",
"LastUpdated" : "2014-06-08T01:51:52Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAJY2YJ5S2ZYK25BLQ",
"SecretAccessKey" : "Kp1NblZ7mov/4ln7GLu8dqvN5GztXXXXXXXXXXXXXX",
"Token" : "AQoDYXdzELP//////////wEa0ANmvPx2CpTfOWjuPSMQ+/XXXXXXXXXXXXXXXX",
"Expiration" : "2014-06-08T08:17:52Z"
}
Role
STS session tokenCertificate
validity period

33. v• Loaded from a JSON file on disk
{ "accessKeyId": <YOUR_ACCESS_KEY_ID>,
"secretAccessKey": <YOUR_SECRET_ACCESS_KEY>,
"region": "us-east-1" }
AWS.config.loadFromPath('./config.json');
• Loaded from Lambda
Additional Ways

34. vv
Amazon Cognito for Mobile
• Embedding the authentication information in the application
- Easy "temporary" acquisition of temporary credentials assigned by the IAM role
• Fine-grained access to AWS's various resources
- Use the IAM Policy to set the thin access rights
• Easy implementation of security best practices
- Sophisticated implementation using STS based on Serverless

35. v
Cognito federation
STS
5. Receive
AWS
Credentials
3. Assume Role2. OpenID Token
Mobile Client
Cognito
“IDP”
1. Get or
Create
Identity
4. Validate
Amazon S3
6. Store Data
Identity Provider

36. vv
Cognito Sign-in flows for AWS Access Control
Device Cognito Identity AWS STS
Login
GetId
Validation
Validation
GetCredentialsForIdentity
Cognito Sign-in
Token
Identity Id
Credential
User Pools
(Identity Provider)

37. vv
Mobile（Android）
CognitoCachingCredentialsProvider provider = new CognitoCachingCredentialsProvider(
myActivity.getContext(),
"IDENTITY_POOL_ID", // Identity pool ID
Regions.US_EAST_1
);
s3 = new AmazonS3Client(provider);
List<Bucket> buckets = s3.listBuckets;

38. vv
Cognito UserPool Authentication
Uncheck Client Secret
Enable server-based authentication
(ADMIN_NO SRP_AUTH)
Amazon Cognito uses the Secure Remote Password (SRP) protocol, which allows
for secure password entry and transmission from code running on the client
device. If C# code runs on a trusted and secured backend server, you don’t need
to implement SRP.

39. vv
Cognito UserPool Authentication
After installation of AWS tookit for
Visual Studio.
Is able to install individual Packages
by using NuGet.
For Cognito, Install CognitoIdentity,
CognitoIdentityProvider

40. vv
Cognito UserPool Authentication - ADMIN_NO_SRP_AUTH
var authReq = new AdminInitiateAuthRequest()
{
UserPoolId = _poolId,
ClientId = _clientId,
AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH
};
authReq.AuthParameters.Add("USERNAME", userName);
authReq.AuthParameters.Add("PASSWORD", password);
AdminInitiateAuthResponse authResp = _client.AdminInitiateAuth(authReq);
Console.WriteLine("IdToken="+authResp.AuthenticationResult.IdToken);
Console.WriteLine("AccessToken=" + authResp.AuthenticationResult.AccessToken);
Console.WriteLine("RefreshToken=" + authResp.AuthenticationResult.RefreshToken);
Trusted Backend Server

41. vv
Cognito UserPool Authentication
Uncheck Client Secret
Uncheck ADMIN_NO_SRP_AUTH
Using SRP(Secure Remote Protocol)

42. vv
Cognito UserPool Authentication -USER_SRP_AUTH
User Pools
(Identity Provider)
Program
Untrusted
Server
AuthFlow='USER_SRP_AUTH',
AuthParameters={
username
'SRP_A'
'SECRET_HASH':
},
ClientMetadata=UserPool Id,
ClientId
Challenge
ChallengeName=PASSWORD_VERIFIER
SECRET_BLOCK
USER_ID_FOR_SRP
Init_Auth
ResponseToAuthChallenge
ClientId ChallengeName='PASSWORD_VERIFIER',
ChallengeResponses={
'PASSWORD_CLAIM_SIGNATURE',
'PASSWORD_CLAIM_SECRET_BLOCK' ,
'TIMESTAMP' :
'USERNAME' :
'SECRET_HASH'
}

43. vv
Cognito UserPool Authentication –SRP_A, SECRET_HASH
• SECRET_HASH
Msg = UserName + ClientId
SHA256 encoded string of Clinet_Secret + msg
• SRP_A : Secure Remote Protocol
https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
AuthenticateHelper.cs
https://gist.github.com/dbeattie71/44ea3a13145f185d303e620c299ab1c5

44. Why DevOps

45. DevOps
What is it ?
• A philosophy? Cultural change? Paradigm shift ?
• Alignment of development and IT operations with better communication and
collaboration ?
• Improvement in software deployment ?
• Breaking down the barriers between development and IT operations ?
• Akin to Agile software development applied to infrastructure and IT operations
Code
W
a
l
l
Developer IT Operations
It’s all of the above Principles !!!

47. Provision Configure Orchestrate Deploy Report Monitor
DevOps
• Continuous Integration
• Continuous Deployment
• IT Automation
• Application Management
Evolution of DevOps from Agile
Business Case Requirements Use Case Features Plan Go to market
Business
Design Code Refactor Unit Test Bug Fix Deploy
Developers
(application)
IT Operations
(infrastructure
)
Agile
Development
• Iterative development
• Scrum, sprints, stories
• Velocity
Business
Agility
IT
Agility

48. DevOps 5 pillar
Microservices
Infrastructure as a code
Automation and Configuration Management
Continuous Integration and Continuous Delivery
Logging and Monitoring

49. Build services around the business capabilities you require
Scale up and down as required with virtually no notice
Make configuration code changes repeatable and
standardized
API-driven model enables management of infrastructure with
language typically used in application code
Free developers from manually configuring operating
systems, system applications, and server software
1. Microservices
Build applications as a set of small services that communicates with other
services through APIs

50. Provision the server, storage, and networking capacity you need
on demand
Deploy independently, as a single service, or a group of services
Make configuration changes repeatable and standardized
Build custom templates to provision resources in a controlled and
predictable way
Use version control to keep track of all changes made to your
infrastructure and application stack
2. Infrastructure as Code
Replace traditional infrastructure provisioning and management with
code-based techniques

51. Here’s some infrastructure as Code
"WebServer": {
"Type": "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
"yum" : {
"httpd" : [],
"php" : [],
"php-mysql" : [],
"php-gd" : [],
"php-xml" : [],
"php-mbstring" : [],
"mysql" : []
}
},
"sources" : {
"/var/www/html" : "http://ftp.drupal.org/files/projects/drupal-7.8.tar.gz",
"/home/ec2-user" : "http://ftp.drupal.org/files/projects/drush-7.x-4.5.tar.gz"
},
AWS
CloudFormation
template

52. 3. Automation and Configuration Management
Declarative Approach to:
• Provisioning
• Configuration
• Orchestration
• Reporting
Elastic
Beanstalk
CloudFormation
OpsWorks

53. Model and visualize your own custom release workflow
Automate deployments of new code
Improve developer productivity and deliver updates faster
Find and address bugs quicker with more frequent and
comprehensive testing
Store anything from source code to binaries using existing
Git tools
4. Continuous Integration and Continuous Delivery
Rapidly and reliably build, test, and deploy your applications, while
improving quality and reducing time to market.

54. • Integration
tests with
other systems
• Load testing
• UI tests
• Penetration
testing
Release processes have four major phases
Source Build Test Production
• Check in
source code,
such as .java
files
• Peer review
new code
• Compile code
• Unit tests
• Style checkers
• Code metrics
• Create
container
images
• Deployment
to production
environments

55. Release processes levels
Source Build Test Production
Continuous integration
Continuous delivery
Continuous deployment

56. AWS Code Services
Source Build Test Production
Third Party
Tooling
Software Release Steps:
AWS CodeCommit AWS CodeBuild AWS CodeDeploy
AWS CodePipeline
AWS CodeStar Project Management

57. .NET Visual Studio toolkit

59. Infrastructure as Code

62. Blue Green Deployment

63. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling,
& Load Balancing
Storage
Object, Blocks,
Archival, Import/Export
Databases
Relational, NoSQL,
Caching, Migration
Networking
VPC, DX, DNS
CDN
Access
Control
Identity
Management
Key
Management
& Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data
Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device
SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics

74. Continuous Deployment

75. • Integration
tests with
other systems
• Load testing
• UI tests
• Penetration
testing
Release processes have four major phases
Source Build Test Production
• Check in
source code,
such as .py
files
• Peer review
new code
• Compile code
• Unit tests
• Style checkers
• Code metrics
• Create
container
images
• Deployment
to production
environments

76. Release processes have four major phases
Source Build Test Production
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
AWS
CodeBuild
AWS X-Ray
AWS
Device Farm

86. Automation for every use case
CHOOSE YOUR
AUTOMATION
Amazon EC2
AWS CloudFormation
AWS OpsWorks AWS Elastic
BeanStalk
AWS Lambda
SERVERLESSDEVOPS DEVOPS
AUTOMATION

87. ”
“
Newforma Scales to Support Fast Global Growth Using AWS
Newforma offers project information
management (PIM) solutions to customers
throughout the world.
AWS meets our scalability
requirements and makes it
easy for us to deliver our
project information
management solution to
more and more users.
.
• Needed an easy, cost-effective way to scale its main
project information management solution
• Runs its cloud-hosted products and features on AWS
• Scales to meet fast global growth
• Deploys software updates in weeks instead of months
• Ensures strong security and high availability
Jamie Peloquin,
DevOps Manager
”
“

88. Serverless architectures

89. Choose from existing templates

90. One-click publish

91. Customize your deployment

92. Customize your deployment

93. Customize your deployment

94. Leverage AWS CloudFormation

95. Manage your deployed environment

97. www.awsdevday.co.kr
Dev Day 모바일 웹을 통해
지금 세션 평가에 참여하시면,
행사 후 기념 티셔츠를 드립니다.
• 발표 자료 및 녹화 동영상은 AWS Korea 공식
소셜 채널로 공유될 예정입니다.
• #AWSDevDay 해시 태그로 의견을 남겨주세요!

98. What we covered
A view on DevOps
DevOps practices
AWS and Microsoft Visual Studio
New architectures

99. How to get started
Create an AWS Account and leverage the AWS Free Tier
Contact us and come meet us at AWS / partner events
AWS and partners offer training and certification
Amazon
EC2
AWS
Lambda
Amazon
DynamoDB