
AWS User Group #04 - Landing Zones (slides)

This month we were joined by Gerald from Contino, who answered the question of why friends don't let friends build landing zones.
Published in: Technology

  1. AWS User Group #04 - Landing Zones, 5th June 2019
  2. Sponsors
  3. Tonight:
     • 18:00 - 18:20 - Introduction
     • 18:20 - 18:40 - Session 1: David Williams, PolarSeven Cloud Engineer - 'What's new(ish) in AWS'
     • 18:40 - 19:10 - Pizza & Beer
     • 19:10 - 19:40 - Session 2: Gerald Bachlmayr, Contino Principal Technical Consultant - 'Friends don't let friends build landing zones.'
     • 19:40 - 20:30 - Networking
  4-6. Best Polar Bear Photo competition - current first place (photo slides)
  7. Session One: David Williams, Cloud Engineer, PolarSeven - "What's new(ish) in AWS - Fargate, Session Manager"
  8. Introduction: David Williams, Site Reliability Engineer - "Keeping up with AWS"
  9. Agenda - Fargate: why use it, why not use it, Fargate pricing (as of Jan 2019: 30-50% less), performance. Systems Manager: Session Manager, Run Command, Patching, Parameter Store.
  10. Fargate - It's about the ship. Fargate completely abstracts the underlying infrastructure: you see each and every one of your containers (tasks) as a single machine.
  11. Fargate - Why use Fargate
     ● Takes away the burden of instance management
     ● Need only specify the memory and CPU required
     ● Only get charged for what you use: (CPU + memory) x time
     ● Can inject SSM Parameter Store secrets into containers
     ● No longer need to scale clusters
     ● You can focus on applications and not infrastructure
  12. Fargate - Why not use Fargate
     ● Targeted at stateless container solutions - no EFS (as of this talk)
     ● Each task gets up to 4 GB of shared volume storage, and it only lasts for the lifetime of the task
     ● Stable container count? Use EC2 with reserved instances for cost savings
     ● Scaling can be (relatively) slow
  13. Systems Manager - Session Manager
     ● Needs the SSM agent on the instance and an instance profile carrying the SSM/EC2 policy
     ● No open inbound ports, no SSH keys
     ● Access controlled by IAM policies
     ● Encrypted tunnel
     ● Auditability: session logs to S3 or CloudWatch Logs
     ● Demo time
  14. Demo IAM policy: ssm:StartSession only on instances tagged Finance=WebServers, ssm:TerminateSession only on the caller's own sessions.
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["ssm:StartSession"],
           "Resource": ["arn:aws:ec2:*:*:instance/*"],
           "Condition": {
             "StringLike": { "ssm:resourceTag/Finance": ["WebServers"] }
           }
         },
         {
           "Effect": "Allow",
           "Action": ["ssm:TerminateSession"],
           "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]
         }
       ]
     }
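To see what the policy on slide 14 actually lets a caller do, here is a small evaluator that applies it to a handful of requests. This is an added teaching example, not AWS code or anything from the talk: it models only the IAM subset the policy uses (Allow statements, '*' and '?' wildcards, the StringLike operator on ssm:resourceTag/<key>, the ${aws:username} variable) and ignores explicit Deny, SCPs, permission boundaries and resource policies. The account ID, instance ID and session IDs are made up. Two caveats it makes visible: the instance tag is the entire trust boundary, so anyone allowed to tag instances can pull a box into scope (lock down ec2:CreateTags too), and ${aws:username} is populated only for IAM users, so the TerminateSession statement never matches for federated or role sessions.

```python
"""Simplified IAM evaluator for the slide's Session Manager policy (constructed example)."""
import json
import re
from typing import Any, Dict, List

# The policy shown on the slide, copied unchanged.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringLike": {"ssm:resourceTag/Finance": ["WebServers"]}}},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession"],
     "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]}
  ]
}
"""
POLICY: Dict[str, Any] = json.loads(POLICY_JSON)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            if not key.startswith("ssm:resourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            actual = request["resource_tags"].get(key.split("/", 1)[1])
            # Missing tag => key absent => StringLike (not ...IfExists) is false.
            if actual is None or not any(iam_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """True if some Allow statement matches action, resource and condition; else implicit deny."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, request["action"]) for a in _as_list(stmt["Action"])):
            continue
        # ${aws:username} exists only for IAM users; with no username the ARN can never match.
        username = request.get("username")
        resources = []
        for res in _as_list(stmt["Resource"]):
            if "${aws:username}" in res:
                if username is None:
                    continue
                res = res.replace("${aws:username}", username)
            resources.append(res)
        if not any(iam_match(r, request["resource"]) for r in resources):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], request):
            continue
        return True
    return False


def demo() -> Dict[str, bool]:
    """Requests a practitioner would test the policy against (all identifiers constructed)."""
    instance = "arn:aws:ec2:ap-southeast-2:111122223333:instance/i-0123456789abcdef0"
    start = {"action": "ssm:StartSession", "resource": instance, "username": "alice"}
    session = "arn:aws:ssm:ap-southeast-2:111122223333:session/alice-0a1b2c3d"
    end = {"action": "ssm:TerminateSession", "resource": session, "resource_tags": {}}
    return {
        "start_tagged_web": is_allowed(POLICY, {**start, "resource_tags": {"Finance": "WebServers"}}),
        "start_tagged_db": is_allowed(POLICY, {**start, "resource_tags": {"Finance": "DbServers"}}),
        "start_untagged": is_allowed(POLICY, {**start, "resource_tags": {}}),
        # The tag is the whole boundary: a DB box retagged Finance=WebServers is in scope.
        "start_retagged_db": is_allowed(POLICY, {**start, "resource_tags": {"Finance": "WebServers", "Role": "db"}}),
        "end_own_session": is_allowed(POLICY, {**end, "username": "alice"}),
        "end_other_session": is_allowed(POLICY, {**end, "username": "bob"}),
        "end_from_role": is_allowed(POLICY, {**end, "username": None}),
        "resume_session": is_allowed(POLICY, {"action": "ssm:ResumeSession", "resource": session,
                                              "resource_tags": {}, "username": "alice"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

Run it and the DENY rows are the interesting ones: an untagged or differently tagged instance is out of reach, Bob cannot kill Alice's session, and ssm:ResumeSession is not granted at all, so a dropped session cannot be resumed under this policy.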
  15. Systems Manager - Parameter Store
     ● Store the latest AMI ID value in one place
     ● Have your CloudFormation stacks look up that value through a parameter of the SSM type:
       AMIID:
         Description: The latest Linux AMI
         Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
         Default: /P7/latest-ami
  17. Systems Manager - Parameter Store: the same lookup against the AWS-published public parameter for the latest Amazon Linux AMI, so there is nothing of your own to maintain:
       AMIID:
         Description: The latest Linux AMI
         Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
         Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
  18. S3 - Deprecation of path-style access. Path-style URLs (https://s3.amazonaws.com/my-bucket/key) are being retired in favour of virtual-hosted style (https://my-bucket.s3.amazonaws.com/key), so the bucket name becomes part of the hostname and has to behave as a DNS label:
     my.bucket.logs => NO (dots split the name into several labels; the *.s3.amazonaws.com wildcard certificate does not match, so HTTPS fails)
     my-bucket-logs => YES
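The slide's two bucket names are the tip of a rule set worth checking before a bucket is created, because a name that cannot be used in the hostname pushes people towards the worst fix, disabling certificate verification in their clients. The following checker is an added example, not AWS tooling or code from the talk; it applies the bucket naming rules from the S3 documentation (3-63 characters, lowercase letters, digits, dots and hyphens, labels starting and ending with a letter or digit, not shaped like an IPv4 address) and treats any dot as a virtual-hosted-style failure for the certificate reason given above. The region default and the sample names are constructed.

```python
"""Check S3 bucket names for virtual-hosted-style (HTTPS) compatibility (constructed example)."""
import re
from typing import List, Tuple

# One DNS label: lowercase alphanumerics, hyphens only in the middle.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_bucket_name(name: str) -> Tuple[bool, List[str]]:
    """Return (usable as https://<name>.s3.<region>.amazonaws.com, list of problems)."""
    problems: List[str] = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if _IPV4.match(name):
        problems.append("must not be formatted as an IPv4 address")
    for label in name.split("."):
        if not _LABEL.match(label):
            problems.append(
                f"label {label!r}: only lowercase letters, digits and inner hyphens are allowed"
            )
    if "." in name:
        # Legal for S3, but the wildcard certificate covers a single label, so
        # my.bucket.logs.s3.amazonaws.com fails TLS hostname validation.
        problems.append("dots split the name across DNS labels and break the *.s3.amazonaws.com certificate")
    return (not problems, problems)


def virtual_hosted_url(bucket: str, key: str, region: str = "ap-southeast-2") -> str:
    """Virtual-hosted-style URL; refuses names that cannot work over HTTPS."""
    ok, problems = check_bucket_name(bucket)
    if not ok:
        raise ValueError(f"bucket {bucket!r}: " + "; ".join(problems))
    return f"https://{bucket}.s3.{region}.amazonaws.com/{key}"


def path_style_url(bucket: str, key: str, region: str = "ap-southeast-2") -> str:
    """The legacy path-style form that the slide says is being deprecated."""
    return f"https://s3.{region}.amazonaws.com/{bucket}/{key}"


def audit(names: List[str]) -> dict:
    """Map each candidate name to whether it passes; handy for a pre-create lint step."""
    return {n: check_bucket_name(n)[0] for n in names}


if __name__ == "__main__":
    # Constructed sample names, including the two from the slide.
    for name in ["my.bucket.logs", "my-bucket-logs", "MyBucketLogs", "192.168.0.1", "ab", "-my-bucket"]:
        ok, problems = check_bucket_name(name)
        print(f"{name:16s} {'YES' if ok else 'NO'}")
        for p in problems:
            print(f"    - {p}")
```

Dotted names are still accepted by S3 for static website hosting over HTTP, which is the one case the check is too strict for; everywhere else, rename the bucket rather than relax the TLS client.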
  19. What's new: Amazon CloudWatch Container Insights for Amazon EKS and Kubernetes - now in preview (posted 20 May 2019). You can use Amazon CloudWatch Container Insights, now in preview, to monitor, isolate, and diagnose your containerized applications and microservices environments. With this preview, DevOps and Systems Engineers have access to automated dashboards summarizing the performance and health of their Amazon Elastic Container Service for Kubernetes (EKS) and Kubernetes clusters by pod, node, namespace, and services. You can get started collecting detailed performance metrics, logs, and metadata from your containers and clusters in just a few clicks by following the steps in the CloudWatch Container Insights documentation. Note that CloudWatch Container Insights is available in limited regions only for the preview; reference the documentation for more details.
  20. Session Two: Gerald Bachlmayr, Principal Technical Consultant, Contino - "Friends don't let friends build landing zones."
  21. Friends don't let friends build landing zones
  22. Agenda: 01 Quick Introduction | 02 Why do we need Landing Zones? | 03 What is a Landing Zone? | 04 Undifferentiated Heavy Lifting | 05 Landing Zone in AWS | 06 Lessons Learnt (build) | 07 Q & A (intro why what uhl aws build q&a)
  23. Quick introduction: Andrew Khoury, Technical Principal @Contino, Sydney / New York; Gerald Bachlmayr, Technical Principal @Contino, Sydney. Advocate for data-driven decision making. Always automating all the things™. Cloud Native advocate. Private cloud is an urban legend.
  24. Why do we need Landing Zones?
     ● Security & compliance: consider and build rules for compliance and security
     ● Connectivity: consider connectivity between public cloud, on-prem, third parties and public users
     ● Account management: create new AWS accounts and manage updates to each account
     ● Costs: report on cost and usage, with the ability to implement cost optimisation
     ● Operational efficiencies: implement backups, monitoring, alerts and tagging
     ● Segregation of duty: can be enforced by account separation and policies
  25. LZ in the enterprise - typical drivers for cloud. Common issues with an on-prem environment:
     ● Data center cannot scale
     ● Data center is lacking automation features
     ● Not enough environments
     ● Environments are inconsistent
     ● DR is painful
  26. LZ in the enterprise - don't go chasing waterfalls
     Thinking: meetings, taskforce, CoE, roundtable, cloud governance body, cloud guild
     Planning: architecture design, documentation, HLD, consultancy engaged, steering committee, security design
     Doing/Perfecting: "Oh S*@! Nothing we planned will work, new ways of doing things are already out. On-prem firewalls & static IPs are causing issues. This doesn't meet our requirements." Let's get started.
  27. What is a Landing Zone? You might already know "Landing Zone" by one of its many other names in the industry:
     ● Platform
     ● Foundations
     ● Scaffolding
     ● Building blocks
     ● Platform as a service
     ● Factory
     ● Cloud control plane
     For the rest of this presentation we will use the following as our definition of a Landing Zone: "The creation, configuration, and management of public cloud accounts for enterprise customers, in a way that is secure and production-ready."
  28. Understanding undifferentiated heavy lifting (UHL)
     ● LZs are not a core business offering - cloud management only
     ● LZs are not the reason your business exists
     ● Nice log files and cool pipelines do not impress the customer or increase the turnover
     ● Reduce your UHL effort → the business can focus on the things that provide it the most value
     ● We call this the value stream: we can measure how easy it is to go from an idea to delivering a product or service to your customer
  29. Reduce your UHL (diagram). Traditional IT: the line of differentiation sits above platform/infrastructure/servers, and much of the spend goes below it into operational overhead, manual processes, managing infrastructure & DBs, and managing supporting systems and platforms (build servers, proxy servers, container orchestration). Value stream / product / DevOps: take advantage of Agile, DevOps, SaaS, Cloud Native and Serverless so the line of differentiation drops and more of the spend goes into what customers see.
  30. A value-stream focused enterprise journey. What's our recommended approach?
     ● Devs engaged from the beginning
     ● Deliver in smaller increments → learnings → improvements
     ● Optimise for building & deploying apps
     ● Offload as much UHL as is possible/practical for your business
     Phases: Cloud MVP (LZ to support the first app, application migration strategy, understand high-level requirements from all apps) → first app deployed → Cloud Improvements Wave 1 (focus on feedback from the previous phase, implement new features) → wave of apps deployed → Cloud Improvements Wave 2 (focus on feedback, implement new features, work towards production-ready) → wave of apps deployed.
  31. Hand-crafted vs AWS Landing Zone (+ advantage, ~ partial, - disadvantage)
     Feature                                           Hand-crafted   AWS LZ
     Short planning phase, lightweight specification   -              +
     Quick base setup                                  -              +
     Effort to update baseline template                -              +
     Self-service account setup                        -              +
     Flexible network design                           +              ~
     Build skills required                             -              +
  32. Let AWS do the UHL. Using a solution like AWS Landing Zone takes UHL out of your organisation → focus on delivering value to your customers.
     ● The AWS CloudFormation template creates a LZ comprising four AWS accounts
     ● New accounts can be created via the Account Vending Machine → the differentiator
  33. Lessons learnt - during the setup
     1. Around 4 hours - bring your popcorn
     2. Master account creation - manual process
     3. Increase two service limits: max. number of accounts >= 4, max. number of StackSets >= 50
     4. Email addresses (one unique address per account)
     5. CloudTrail, Config, VPC Flow Logs → $$$
     6. MFA
  34. Lessons learnt - at run-time
     1. Account creation - AWS Organizations → billing
     2. Service Catalog - portfolios & products
     3. Transit Gateway - Direct Connect
     4. Level of complexity - best practices
     5. Drift management
     6. Logging
     7. Cost optimisation
     8. Deletion - CloudWatch log groups, S3 buckets
  36. Tips and conclusions
     1. Keep it simple - OOTB
     2. Look at Trusted Advisor
     3. AWS LZ is not a silver bullet
     4. You still need to follow the Well-Architected Framework for enhancements/modifications/integrations
     5. Stay tuned - Control Tower
     6. UHL does not help your core business
     7. Friends don't let friends build Landing Zones
  37. Q&A
  38. Draw Prize
  39. Next User Group, 3rd July 2019: Build a Serverless application with Amplify - Greg Cockburn
  40. 1300 659 575