Introduction to AWS and Terraform. In these slides we introduce AWS, cloud networking and cloud native workflows using infrastructure as code via Terraform.
3. AWS Regions
● Designed to be isolated from other Amazon Regions
● Achieve the greatest possible fault tolerance and stability
● Most AWS Resources are tied to the Regions except some Global Services like Identity and Access Management (IAM)
● For example, we may want to launch instances in the EU to be near European customers or to meet legal requirements
4. AWS Availability Zones (AZ)
● Availability Zones are multiple, isolated locations within each Region
● Represented by a Region code followed by a letter identifier; for example, eu-central-1a
● Consist of one or more discrete data centers, each with redundant power, networking, and connectivity
● Offer the ability to operate applications that are more highly available, fault tolerant, and scalable
5. Amazon EC2
● EC2 = Elastic Compute Cloud = Infrastructure as a Service
● You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage
● Knowing EC2 is fundamental to understanding how the Cloud works
● Operating System (OS): Linux, Windows or Mac OS
● How much compute power & cores (CPU)
● How much random-access memory (RAM)
● How much storage space
● Network card: speed of the card, Public IP address
7. AWS ELB
● An ELB (EC2 Load Balancer) is a managed load balancer
● AWS takes care of upgrades and maintenance
● Spreads load across multiple downstream instances
● Exposes a single point of access (DNS) to your application
● Does regular health checks on your instances
● High availability across zones
● Separates public traffic from private traffic
● Provides SSL termination (HTTPS) for your websites
8. Types of load balancer on AWS
● Classic Load Balancer (v1 - old generation) – HTTP, HTTPS, TCP
● Application Load Balancer (v2 - new generation) – HTTP, HTTPS, WebSocket
● Network Load Balancer (v2 - new generation) – TCP, TLS & UDP
You can set up internal (private) or external (public) ELBs
9. AWS VPC
● VPC = Virtual Private Cloud to hold all of our AWS resources
● Restricts what sort of traffic, IP addresses and also the users that can access our instances
● VPC is private, only the Private IP ranges are allowed (10.0.0.0–10.255.255.255 / 172.16.0.0–172.31.255.255 / 192.168.0.0–192.168.255.255)
● Up to 5 per region – soft limit
● A VPC’s CIDR (Classless Inter-Domain Routing) should not overlap with your other networks
10. AWS VPC Components
● Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources
● Internet Gateway: The Amazon VPC side of a connection to the public Internet
● NAT Gateway: Highly available, managed service for resources in a private subnet to access the Internet
● Virtual private gateway: The Amazon VPC side of a VPN connection
● Peering Connection: Route traffic via private IP addresses between two peered VPCs
● VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC
● Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet
11. AWS Internet Gateways (IG)
● A VPC is a private network: on its own, its instances cannot reach the internet
● An IG lets the instances in our VPC communicate with the internet
● Managed by AWS, scales horizontally and is highly available (HA)
● One VPC can only be attached to one IGW and vice versa
12. AWS Subnets
● Are containers within a VPC that segment off a slice of the CIDR block you define in your VPC
● Subnets allow you to give different access rules and place resources in different containers where those rules should apply
● Is an Availability Zone resource
● Can be public (accessible from the internet) or private (not accessible from the internet)
13. AWS Route Tables
● Contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed
● Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table)
● Each route in a table specifies a destination and a target
● For example, to enable a subnet to access the internet through an internet gateway, we can use the route table entry from the second image
14. AWS NAT Gateway
● Allows instances in the private subnets to connect to the internet.
● Must be launched in a public subnet.
● Managed by AWS
● NAT is created in a specific AZ, uses an EIP
● 1 NAT per AZ to have fault-tolerance and HA (High Availability)
● Requires an IGW (Private Subnet => NAT => IGW)
15. Network ACLs
● NACLs act like a firewall that controls traffic to and from a subnet
● Are placed at the subnet level
● The default NACL allows everything outbound and everything inbound
● One NACL per subnet
● Deny and Allow rules
● Stateless
16. AWS Security Groups
● They control how traffic is allowed into or out of our EC2 Instances.
● Security groups contain allow rules only
● Security group rules can reference an IP range or another security group
● Stateful: return traffic for a connection allowed by an inbound rule is automatically allowed out (and vice versa)
17. AWS NACLs vs SG
Security Group                                    | NACL
Instance level                                    | Subnet level
Stateful                                          | Stateless
Allow rules only                                  | Allow and Deny rules
All rules are evaluated before traffic is allowed | Rules are evaluated in the order specified
First layer of defense for egress traffic         | First layer of defense for ingress traffic
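The table above expressed in Terraform, as an added example that is not from the slides: a stateful, allow-only security group next to a stateless NACL whose allow and deny rules are evaluated by ascending rule number. var.vpc_id and var.public_subnet_id are assumed inputs, and the denied range is a constructed documentation address.

```hcl
variable "vpc_id" {}           # assumed: id of an existing VPC
variable "public_subnet_id" {} # assumed: id of the subnet the NACL protects
# Security group: instance level, stateful, allow rules only
resource "aws_security_group" "web" {
  vpc_id = var.vpc_id
  ingress { # replies to connections allowed here are let out automatically
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1" # all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# NACL: subnet level, stateless, allow and deny, lowest rule_no first
resource "aws_network_acl" "public" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.public_subnet_id]
  ingress {
    rule_no    = 100 # evaluated before 110, so this range is denied
    action     = "deny"
    protocol   = "tcp"
    cidr_block = "198.51.100.0/24" # constructed example range (TEST-NET-2)
    from_port  = 443
    to_port    = 443
  }
  ingress {
    rule_no    = 110
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  # Stateless: the return half of each allowed HTTPS connection must be
  # allowed out explicitly on the client's ephemeral ports, or it is dropped
  egress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

Anything not matched by a numbered rule falls through to the NACL's implicit final deny, which is why a forgotten ephemeral-port rule shows up as "the request arrives but the response never leaves".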
18. AWS ECS
● ECS = Elastic Container Service
● Launch Docker containers on AWS
● Simplifies running containers in a HA manner across multiple Availability Zones within a Region
● Serverless with AWS Fargate
19. ECS Cluster
● Is Region specific
● Is a logical grouping of tasks and services
● Uses one or more EC2 Instances to run tasks
● EC2 instances of the cluster run the ECS agent
● The ECS agent registers the instance to the Cluster
● Serverless using AWS Fargate
20. ECS Task Definition
● A JSON file that describes one or more containers for ECS to run
● Can be thought of as a blueprint for your application
● Docker image to use with each container in your task
● CPU and memory to use with each task
● Which ports should be opened for your application
● What data volumes should be used with the containers in the task
21. ECS Services
● Allows you to run and maintain a specified number of tasks
● If any of the tasks fails, ECS launches another task in order to maintain the desired number of tasks in the service
● Task placement strategies and constraints to customise task placement decisions
● Three deployment types: rolling update, blue/green, and external
● Can be linked to an ELB (Load Balancer)
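As an added Terraform example (not from the slides), a Fargate task definition carrying the fields listed in slide 20 and a service that keeps two copies of it running behind a load balancer. The four variables are assumed inputs and the container image is a placeholder.

```hcl
variable "execution_role_arn" {} # assumed: IAM role ECS uses to pull the image
variable "private_subnet_ids" {} # assumed: one private subnet per AZ
variable "service_sg_id" {}      # assumed: security group for the tasks
variable "target_group_arn" {}   # assumed: ALB target group (target_type "ip")
resource "aws_ecs_cluster" "app" {
  name = "app"
}
# Task definition: the blueprint (image, CPU/memory, ports, volumes)
resource "aws_ecs_task_definition" "web" {
  family                   = "web"
  requires_compatibilities = ["FARGATE"] # serverless: no EC2 instances or ECS agent
  network_mode             = "awsvpc"    # each task gets its own ENI and security group
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = var.execution_role_arn
  container_definitions = jsonencode([{
    name         = "web"
    image        = "example.invalid/web:1.0" # placeholder image, not a real registry
    essential    = true
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]
    mountPoints  = [{ sourceVolume = "data", containerPath = "/data", readOnly = true }]
  }])
  volume {
    name = "data" # task-scoped ephemeral volume
  }
}
# Service: keeps desired_count tasks running; ECS replaces any task that
# fails and registers the rest with the load balancer. Rolling update is
# the default deployment type.
resource "aws_ecs_service" "web" {
  name            = "web"
  cluster         = aws_ecs_cluster.app.id
  task_definition = aws_ecs_task_definition.web.arn
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets          = var.private_subnet_ids # spread across AZs for HA
    security_groups  = [var.service_sg_id]
    assign_public_ip = false # reachable only through the ALB
  }
  load_balancer {
    target_group_arn = var.target_group_arn
    container_name   = "web"
    container_port   = 8080
  }
}
```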
22. Terraform
● Infrastructure as Code (described using a high-level configuration syntax)
● Is a tool for building, changing, and versioning infrastructure safely and efficiently
● Configuration files describe to Terraform the components needed to run
● Generates an execution plan describing what it will do to reach the desired state
● Executes the plan to build the described infrastructure
● Determines what changed and creates incremental execution plans
● Can manage low-level components (compute instances, networking), as well as high-level components (DNS entries, SaaS features)
DIMOS:
Amazon Web Services (AWS) is an online platform that provides scalable and cost-effective cloud computing solutions.
AWS is a broadly adopted cloud platform which offers several on-demand operations like compute power, database storage, content delivery, etc.
AWS has many services, and in the table you can see a list of these services.
Some of the most well-known services are AWS EC2, AWS Lambda, AWS S3, etc.
ALEX
AWS Regions are separate geographic areas, distributed around the world, that AWS uses to house its infrastructure.
The closer a region is to you, the better, so that you can reduce network latency.
They are designed to be isolated from the other regions (then mention bullets 2-3-4).
ALEX
An AWS Availability Zone (AZ) is the logical building block that makes up an AWS Region.
AZs are isolated data centers (each with its own network/connectivity) within a region.
Each region has multiple AZs, and when you design your infrastructure to keep backups of data in other AZs you are building a very efficient model of resiliency, which is a core concept of cloud computing.
By selecting multiple AZs when we design the deployment, we get the ability to operate applications that are more highly available, fault tolerant, and scalable.
DIMOS:
Amazon EC2 is one of the most used and most basic services in Amazon, and is fundamental to understanding how the cloud works. But the first question here is, what is EC2?
Well, to put it very simply, it is a machine with an operating system and hardware components of your choice. You can choose your operating system, e.g. Linux, Windows or Mac OS.
The main difference is that it is totally virtualized, so you can run multiple virtual computers on a single piece of physical hardware. You can also choose your compute power and cores, pick how much memory you want and how much storage space you want, and attach a network card in order to get a public IP. So EC2 is configurable and helps us deploy our services.
DIMOS
We can see in this table that there are a lot of types of EC2 instances, which are optimized to fit different use cases.
Instance types have varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications.
Each instance type includes one or more instance sizes, allowing us to scale our resources to the requirements of the target workload.
ALEX
AWS ELB is a managed load balancer, as AWS takes care of upgrades and maintenance.
A load balancer distributes workloads across multiple compute resources.
Using a load balancer increases the availability and fault tolerance of your applications.
Then say bullets 4-5-6-7-8.
ALEX:
ALB — Layer 7 (HTTP/HTTPS traffic), flexible
NLB — Layer 4 (TLS/TCP/UDP traffic), static IPs
ALB: Layer-7 load balancer, HTTP and HTTPS listeners only. Routes traffic based on rules, host based or path based.
NLB: Layer 4 (TCP) and distribution of traffic based on network variables, such as IP address and destination port.
Differences:
The network load balancer just forwards requests.
The application load balancer examines the contents of the HTTP request to determine where to route the request.
DIMOS
Let's dive into more detail about networking in AWS. The first component we should know is the VPC.
- A VPC is a virtual private network dedicated to our AWS account, which allows us to build our own virtual network within AWS. Using cidr_block we can specify the IPv4 address range of the VPC. Because it is a private network, only private IP ranges are allowed.
- It is logically isolated from other virtual networks in the AWS Cloud.
- It also gives us control over the complete cloud network environment, including subnets, route table configuration, and network gateways.
- There is a soft limit of 5 VPCs per region, but you can open a ticket with AWS to increase it.
- We have to be careful before creating a VPC and selecting its CIDR, so that it does not overlap with our other VPC networks.
DIMOS
Here we have a list of the most important VPC components. Some of them are subnets / IG / NAT GW. We will see each of them in the following slides.
ALEX
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
It serves two purposes:
1) to provide a target in your VPC route tables for internet-routable traffic
2) to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses
Basically, an IG allows communication between the instances in the VPC and the internet.
Then bullets 3, 4.
ALEX
We can think of a VPC in AWS as an apartment that separates resources.
Subnets are the different rooms in your apartment that segment off a slice of the CIDR block you define in your VPC.
Subnets allow you to give different access rules and place resources in different containers where those rules should apply, and they can be defined as public or private.
ALEX
A route table is a logical construct within a VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed.
Mention 2-3-4.
By adding a route for 0.0.0.0/0 we create a route table that directs all traffic to the internet gateway, and we associate this route table with the subnets that we created earlier.
DIMOS
When we put instances in private subnets, they are not able to reach the internet. In order to overcome this issue, AWS provides the NAT GW, which allows instances in private subnets to connect to the internet.
But we have to place the NAT in a public subnet in order to be able to assign a public IP (an elastic one) to it.
The good thing is that it is managed by AWS, compared to older solutions.
Also, in order to achieve high availability and fault tolerance we have to add 1 NAT per AZ. A single NAT gateway in a single AZ has redundancy within that AZ only, so if there were zonal issues then instances in other AZs would have no route to the internet.
DIMOS
Let's see a few things about security in a VPC.
NACL refers to Network Access Control List, which helps us provide a layer of security.
It sits inside our VPC but outside of our subnets. It works like a firewall, which controls traffic to and from subnets.
A NACL can be assigned to many subnets; however, you cannot assign a subnet to many NACLs.
A NACL is composed of a series of rules (deny and allow) that allow traffic of a particular sort (i.e. HTTP, HTTPS, SSH, etc.) or IP range. We can create many rules, and these rules are evaluated in numerical order, smallest number first.
Finally, it is stateless, which means that a request is checked against the inbound rules when it arrives, and the return traffic is checked against the outbound rules too.
DIMOS
A security group serves as a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources (ALB or Postgres) and Amazon EC2 instances.
When we create an instance we have to associate it with a security group; otherwise the VPC's default security group will be allocated.
SGs also have rules, which can reference IP addresses or other security groups.
Also, SGs are stateful, so return traffic for connections allowed by the incoming rules is allowed out automatically.
DIMOS
Here we can see a table which contains the main differences between NACLs and SGs.
Network ACLs are applicable at the subnet level, so any instance in a subnet with an associated NACL will follow the rules of that NACL. That's not the case with security groups: security groups have to be assigned explicitly to the instance.
Then also cover the other bullets.
ALEX
ALEX
DIMOS
DIMOS
ALEX
Write infrastructure as code using declarative configuration files and the HashiCorp Configuration Language (HCL)
Many modules are available to quickly and easily configure resources in AWS, Azure, Google Cloud and others
DIMOS
We can see here a diagram of deploying a service in AWS. As you can see, we have deployed in a specific region. We have created a VPC, and in order for the service to be highly available and fault tolerant, we deploy the service in multiple AZs. This way, if one AZ is down (the data centers in this specific AZ are down), the requests will be routed to the other AZ.