AWS Deployment Best Practices

AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 6, 2015
AWS Deployment Best Practices
Andrew Mitchell
Solutions Architect
Amazon Web Services

Dev & Test
Spin environments up and down
on demand
Decouple development and test
environments from operations
constraints
Explore elasticity in a sandboxed
environment
Backup & DR
Take part of your data or
business applications step- by-
step into non-production DR
use
Understand cloud dynamics
and test during controlled
failovers
Greenfield
Project
Embody best practice of cloud
computing in unconstrained
greenfield projects
Self contained web projects,
document archiving etc
Low hanging fruit can be easiest to pick
Pain point
Move specific service aspects
causing undue cost or
management burden
Workflows, search indexing,
media streaming, document
archiving, constrained
databases
Choose appropriate use cases

Enterprise Apps
Launch enterprise software
solutions from Microsoft, Oracle,
SAP and others on demand
Customize environments to meet
your specific security and
operational requirements
Deploy repeatable and consistent
deployments in minutes
Big Data & HPC
Solve challenge of increasing
volume, variety, and velocity of
digital information
Deploy large scale compute
clusters in minutes
Accelerate innovation, enable
deep analytics, and scale
without limits
Virtual Desktops
Workspaces fully managed
desktop accessed from choice
of device – laptop computer
(Mac OS or Windows), iPad,
Kindle Fire, or Android tablet.
No-upfront investment, secure
data storage, corp. directory
integration and PCoIP
technology from Teradici
Low hanging fruit can be easiest to pick
Web, Mobile &
Social Apps
Deliver on scalable web and
application servers, storage,
databases, content delivery,
cache, search, and other
application services that make it
easier to build and run apps that
deliver a great customer
experience.
Common Government and Education workloads
Choose appropriate use cases

PoC Production Automation
Understand services
Test performance
Architect for scale
Build cross functional team
capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective measures
Auto-scaling
Zero downtime deployments
System backup and recovery
ExamplesPlan evolution & set goals

PoC Production Automation
Understand services
Test performance
Architect for scale
Build cross functional team
capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective measures
Auto-scaling
Zero downtime deployments
System backup and recovery
ExamplesPlan evolution & set goals
Amazon Beanstalk
AWS Test Drive
AWS Free Usage Tier
Amazon Beanstalk
Amazon OpsWorks
Amazon Cloud Formation
Amazon Cloud Watch
Amazon IAM
APIs
CLI
Amazon Auto Scaling

AWS app store for business/IT software
– Broad selection
– Instant fulfillment, support of 1-Click and
CloudFormation
– Integrated AWS procurement and payments
– Seamless license management and
‘compliance by default’
Software for Testing, PoC and Production
– IT and business titles for Enterprise
production workloads
– Free, limited, and enterprise versions of titles
– customer can perform a low cost pilot, then
migrate seamlessly to production
– Customers of all sizes – F500 and SMB
– No overprovisioning, use only what you need
Easy Deployments via AWS Marketplace
http://aws.amazon.com/partners/aws-marketplace/

AWS Architecture Center
Reference Architectures
✓ Web Application Hosting
✓ Content and Media Serving
✓ Batch Processing
✓ Fault tolerance and High Availability
✓ Large Scale Processing and Huge Data sets
✓ Ad Serving
✓ Disaster Recovery for Local Applications
✓ File Synchronization
✓ Media Sharing
✓ Online Games
✓ Log Analysis
✓ Financial Services Grid Computing
✓ E-Commerce Websites
✓ Time Series Processing
http://aws.amazon.com/architecture

Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Govern deployments
Accounts

that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use Amazon IAM users to keep
billing information in the master
account
Consolidate billing into a single
account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get Amazon CloudWatch
notifications when billing reaches
a point and output csv reports to
Amazon S3 for analysis
Accounts Billing
Govern deployments

Enable CSV &
Programmatic Access
Billing
Preferences
Billing settings

Dev 1
Dev 2
Test Master
Account
Consolidated Billing
Data labeled by
source in Amazon S3
Production
Internal
Systems
Billing Alerts
Bill reached $x
Cost accounting in
favorite package
Billing settings

Dev 1
Dev 2
Test
Master
Account
Production
Internal
Systems
Dev 1 reached $100
Dev 2 reached $250
Test reached $1,000
Prod reached $1,200
Internal reached $400
Billing settings

Access Keys
Govern deployments
Decide upon a key
management strategy
Control access to Amazon EC2
instances via SSH and
embedded public key:
e.g. Amazon EC2 Key Pair per
group of instances, Amazon EC2
Key Pair per account
Consider SSH key rotation &
automation
Limit exposure to private key
compromise by rotating keys
and replacing authorized_keys
listings on running instances
Consider bootstrap automation
to grant developer access with
developer unique keypairs
that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
information
account
account
Accounts Billing

Access Keys
Govern deployments
Decide upon a key
management strategy
Control access to Amazon EC2
instances via SSH and
embedded public key:
e.g. Amazon EC2 Key Pair per
group of instances, Amazon EC2
Key Pair per account
Consider SSH key rotation &
automation
Limit exposure to private key
compromise by rotating keys
and replacing authorized_keys
listings on running instances
Consider bootstrap automation
to grant developer access with
developer unique keypairs
that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
information
account
account
Accounts Billing
Use Amazon IAM Groups to
manage console users and
API access
Provide developers with Amazon
IAM user login and unique API
access credentials
Control & restrict what Amazon
IAM users can do by placing
them in groups with policies
Assign Amazon EC2
Instances Amazon IAM Roles
Let AWS manage API access
credentials on running instances by
assigning a system entitlement to an
instance
e.g. instance can only read Amazon S3
bucket
Groups & Roles

Account
Administrators Developers Applications
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Identity & access management

Account
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Multi-factor authentication
Groups

RolesAccount
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Multi-factor authentication
Groups

IAM policies
{
"Statement": [
{
"Allow",
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]
}
Policy driven
Declarative definition of rights for
groups
Policies control access to AWS APIs

Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =
Customer/Partner
• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
Visit http://aws.amazon.com/compliance/ for more details
Security is a Shared Responsibility

• Apply Your Information Management Program –
that integrates Information Assurance
• Standardize Machine Images – create gold copy
images for production deployment/to launch new
instances
• Build and test in a sandbox environment – work out
the bugs, figure out how to break it, architect to be
resilient
• Do the same stuff you do in-house – quarterly patch
management, logging, tripwire, etc.
• Conduct a Risk Assessment – to determine level of
security controls you require
• Role Based Access Controls – restrict access to
system components based upon need to know
• Use Encryption – for data in transit, for data at rest,
filesystem
• Key Management – rotate keys used to access your
resources (AWS does not hold these…you do)
• Setup Monitoring/Alerting – collect metrics and
enable alerting for when events occur
• Vulnerability Scans – allowed via a permission
process (else we will kill/block the source of scans)
• Prepare for Failure – create backups, store data in
more than one location, test backups, have a
contingency system ready
Examples of Customer Responsibilities

Leverage shared security model
Engage with security assessors early in adoption cycle
• Don’t fear assessment – AWS meets high standards (IRAP, PCI,
ISO27001, SOC1…)
• As with any infrastructure provider, security assessments take time
• Derive value from architecture reviews early in deployment cycle

Use comprehensive materials and certifications provided by AWS
http://aws.amazon.com/security/
• Risk and compliance paper
• AWS security processes paper
• CSA consensus assessments initiative
questionnaire

Build upon features of AWS and implement a ‘security by design’ environment
Use comprehensive materials and certifications provided by AWS

Build upon AWS features
Amazon IAM
Control users and allow AWS to
manage credentials in running
instances for service access
(allocation, rotation)
APIs vs. Instance
Provide developer API
credentials and control access
to SSH keys
Temporary Credentials
Provide developer API
credentials and control access
to SSH keys
Instance firewalls
Firewall control on instances
via Security Groups
CLIs and APIs
Instantly audit your entire AWS
infrastructure from scriptable
APIs – generate an on-demand
IT inventory enabled by
programmatic nature of AWS
Subnet control
Create low level networking
constraints for resource
access, such as public and
private subnets, internet
gateways and NATs
Bastion hosts
Only allow access for
management of production
resources from a bastion host.
Turn off when not needed
Tiered Access Security Groups Amazon VPC

Build upon AWS features
Store your cryptographic
keys
Use your most sensitive and
regulated data on Amazon EC2
without giving applications
direct access to your data's
encryption keys.
Migrate cryptographic
applications
Use AWS CloudHSM in
conjunction with your
compatible on-premise HSMs
to replicate keys among on-
premise HSMs and CloudHSMs
Fully Managed Key
Management Service
Create keys, implement key
rotation, create usage policies,
and enable key usage logging
Fully integrated with Amazon
S3, Amazon EBS, Amazon
Redshift, Amazon RDS,
Amazon Elastic Transcoder,
and Amazon WorkMail
Private connections to
Amazon VPC
Secured access to resources in
AWS over software or
hardware VPN and dedicated
network links
Amazon CloudHSM Amazon KMS
Amazon Direct Connect
& VPN

Architect to use
cloud strengths
4

Architect to use cloud strengths
e.g. Application performance improvement by migration of static content to Amazon S3/CloudFront
Review application architectures early – assess fit for cloud
Can cloud benefits be leveraged with minimum effort outlay?
e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures*
*http://aws.amazon.com/architecture
?
?
?
?
e.g. Faster development cycles for dev/test, reduced cap-ex for application environments
Will cloud yield cost savings & agility improvements?
e.g. fully scripted deployments, Amazon IAM & EC2 instance roles, rolling deployments
Can automation lead to a more agile & secure service?

Design systems that can suffer
instance loss
Dispose of compute when it is not
required
Disposable compute
Scalability
Availability
CostOptimization
✓
✓ ✓
✓

Disposable compute
Flexible capacity Design for systems that potentially scale
from zero instances to hundreds
Use Auto-scaling (events, schedules
etc) to drive capacity availability
✓
Scalability
Availability
CostOptimization
✓ ✓
✓
✓
✓

Utilize 99.999999999% durability of
objects in S3
Scale databases with RDS and use
DynamoDB for high throughput NoSQL
Disposable compute
Flexible capacity
Cost effective & reliable storage
Scalability
Availability
CostOptimization
✓
✓ ✓
✓
✓
✓

Disposable compute
Flexible capacity
Cost effective storage
Automation and control
Automate everything from scaling to
instance recovery from failure
Scalability
Availability
CostOptimization
✓ ✓✓

1 Create instance of your OS choice
2 Configure environment
3 Install software
4 Create Amazon Machine Image (AMI) from instance
5 Launch fully configured instances from AMI
Bootstrapping – Custom AMIs
AMI
Custom machine
image
Instance
Auto-scaling
Manual deployments
Programmatic deployments

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping
hostname
instance-action
instance-id
Instance-type
kernel-id
local-hostname
local-ipv4
mac
network
placement
profile
public-hostname
public-ipv4
public-keys
reservation-id
http://169.254.169.254/latest/meta-data
Metadata service contains wealth of information about an instance
Bootstrapping – Metadata Service
AMI
Custom or standard
machine image
Instance
Metadata
Service
Receive custom
data to drive
bootstrapping

+ user data
Scripts in user-data field of metadata will be executed on launch
e.g.
Metadata service contains wealth of information about an instance
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd start
<powershell>
…
</powershell>
Or:
AMI
Custom or standard
machine image
Metadata
Service
Receive custom
data to drive
bootstrapping
Instance

+ user data
Scripts in user-data field of metadata will be executed on
launch
Metadata service contains wealth of information about an instance AMI
Custom or standard
machine image
Metadata
Service
Receive custom
data to drive
bootstrapping
Install software e.g. web server, app server, proxy
Pull data and application packages from Amazon S3
Publish metadata for instance to other systems e.g. monitoring systems
Setup security profile of instance based upon intended use e.g. pull latest config
Instance

1. Use Multiple
Availability Zones

2. Use Amazon RDS with
Replicas and Standby

3. Use Amazon Auto
Scaling groups

4. Use Amazon Elastic
Load Balancing

5. Use Amazon Route53
to host DNS zones

Use at regional level
Combined with Amazon Auto
Scaling Amazon ELB will balance
requests and resource capacity
across Availability Zones
Within Amazon VPC
Use to loadbalance between
application tiers within an
Availability Zone
Instance migrations
Easily move instances from dev
environments to test environments
by moving between Amazon ELBs
Leverage SLA
Improve application reliability with
Amazon Route 53’s SLA on
requests served
Weighted routing
Perform A/B analysis, and staged
application roll-outs by moving a
portion of traffic to new
infrastructure
Health checks
DNS health checks and
health-based failover
Latency Based Routing
Route end users to lowest-latency
endpoints
Scale databases without
admin overhead
Choose instance size for
databases and scale up over time
Add high availability from
management console
Create Multi-AZ deployments and
Read-Replicas. AWS takes care of
the failover and recreation of a
new standby in event of master
DB loss
Amazon Elastic Load
Balancing
Amazon Route 53 Amazon RDS
Dynamically scale
resources & control costs
Only provision the resources that
are required with scale up and
cool down policies that match
demand
Easy setup for developers and
administrators via the AWS
Management Console.
Amazon Auto Scaling

Be elastic and cost
optimized
5

Reserved
Make a low, one-
time payment and
receive a significant
discount on the
hourly charge 
 
For committed
utilization
Free Tier
Get Started on
AWS with free
usage & no
commitment 
For POCs and  
getting started
On-Demand
Pay for compute
capacity by the hour
with no long-term
commitments 
 
For spiky
workloads,  
or to define needs
Spot
Bid for unused
capacity, charged at
a Spot Price which
fluctuates based on
supply and demand 
 
For time-insensitive
or transient
workloads
Dedicated
Launch instances
within Amazon VPC
that run on hardware
dedicated to a single
customer 
 
For highly sensitive
or compliance related
workloads
Many pricing models to support different workloads

100%
Capacity Over Time
AWS Spot Market Achieving economies of scale
0%

Reserved capacity
100%
Capacity Over Time
0%

On
On-demand
Reserved capacity
100%
Capacity Over Time
0%

On
On-demand
Reserved capacity
100%
Capacity Over Time
Spot
0%

COST OPTIMIZE 
(ELASTIC CAPACITY)

Manually
Send an API call or use CLI to
launch/terminate instances –
Only need to specify capacity
change (+/-)
By Schedule
Scale up/down based on date
and time
By Policy
Scale in response to changing
conditions, based on user
configured real-time monitoring
and alerts
Auto-Rebalance
Instances are automatically
launched/terminated to ensure
the application is balanced
across multiple AZs
Amazon Auto Scaling policies

Optimizing Costs With RIs
Up to 75% price discount compared to On-Demand Instance pricing.
1 year or 3 year terms
Flexible Payment Options
• All Upfront – Largest discount compared with On-Demand
• Partial Upfront – Small upfront payment then discounted hourly rate
• No Upfront – No upfront payment then discounted hourly rate
Details at http://aws.amazon.com/ec2/purchasing-options/reserved-instances/

COST OPTIMIZE
(INSTANCE TYPES)

Start
Choose instance that
meets your basic
requirements best
Match memory & virtual
cores
Instance types

Start
meets your basic
requirements best
cores
Tune
Change instance size
up or down based upon
monitoring
Use Trusted Advisor to
assess
Instance types

Start
meets your basic
requirements best
cores
Tune
monitoring
assess
Scale
Run instances across
multiple availability
zones
Smaller sizes equals
greater granularity
Instance types

Start
meets your basic
requirements best
cores
Tune
monitoring
assess
Scale
Run instances across
multiple availability
zones
Smaller sizes equals
greater granularity
Purchase RIs after the application
has been tuned and utilization
patterns are established
Instance types

• A one-on-one, fast-response support channel that is staffed 24x7x365 with
experienced and very technical support engineers
• Offers a range of plans that provide customers an unlimited number of support cases
with pay-by-the-month pricing and no long-term commitments
• In addition to providing industry standard reactive troubleshooting, we provide support
for:
– Help getting started on AWS
– Recommendations to save money, improve security, performance, and availability
– Implementing architectural best practices
– Integration of new AWS features (>200 releases in 2013)
– Configuration and troubleshooting for a growing list of 3rd party software
What is AWS Support?

AWS Support is a Global Organisation

• Basic Support – Free
Contact Customer Service for account and billing questions and receive technical support for resources that don’t pass
system health checks.
• Developer-level Support – Starting at US$49/month
Get started on AWS – ask technical questions and get a response to your web case within 12 hours during local
business hours.
• Business-level Support – Starting at US$100/month
24/7/365 real-time assistance by phone and chat, a 1 hour response to web cases, and help with 3rd party software.
Access Trusted Advisor to increase performance, fault tolerance, security, and potentially save money.
• Enterprise-level Support – Starting at US$15,000/month
15 minute response to web cases, an assigned technical account manager (TAM) who is an expert in your use case,
and white-glove case handling that notifies your TAM and the service engineering team of a critical issue.
AWS Support Plans

• AWS customers viewed over 700K Trusted Advisor recommendations
in 2014, and have reduced their AWS spend by over $140M
• 31 Checks in four categories (Cost Optimizing, Security, Fault
Tolerance, and Performance)
• Recommendations are accessible via the Support API
AWS Trusted Advisor

Your 
Mission
70%
On-Premises 
Infrastructure
30%
Managing All of the  
“Undifferentiated Heavy Lifting”
Cloud computing bottom line

AWS 
Cloud-Based 
Infrastructure
Your 
Mission
More Time to Focus on 
Your Mission
Configuring Your
Cloud Assets
70%
30%70%
On-Premises 
Infrastructure
30%
Managing All of the  
“Undifferentiated Heavy Lifting”
Cloud computing bottom line

Useful Resources & Links
• AWS Products & Services: https://aws.amazon.com/products/
• Documentation: http://aws.amazon.com/documentation
• Economics Center: https://aws.amazon.com/economics/
• Calculator: http://calculator.s3.amazonaws.com/calc5.html
• TCO Calculator: http://aws.amazon.com/tco-calculator/
• Architecture Center: http://aws.amazon.com/architecture/
• Security Center: http://aws.amazon.com/security
• Compliance Center: http://aws.amazon.com/compliance
• Whitepapers: http://aws.amazon.com/whitepapers
• Resources: http://aws.amazon.com/resources
• Case Studies: http://aws.amazon.com/solutions/case-studies
• Solution Providers: http://aws.amazon.com/solutions/global-solution-providers/
• AWS Blog: http://aws.typepad.com/

AWS Deployment Best Practices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to AWS Deployment Best Practices

Similar to AWS Deployment Best Practices (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

AWS Deployment Best Practices