30. Security Groups: Multi-AZ by default
Diagram: one VPC (172.31.0.0/16) spanning three Availability Zones, sa-east-1a, sa-east-1b and sa-east-1c.
31. Security Groups: Grouping and Securing
Diagram: the same VPC (172.31.0.0/16) across sa-east-1a, sa-east-1b and sa-east-1c, with instances in every AZ grouped into three security groups: sg-web, sg-app and sg-db.
33. Security Groups - Examples

Open HTTPS port access from anywhere
ID       Port Range     Source
sg-web   443 (HTTPS)    0.0.0.0/0

Open backend access to a specific security group
ID       Port Range     Source
sg-app   22 (SSH)       sg-web

Open database access to a specific security group
ID       Port Range     Source
sg-db    3306 (MySQL)   sg-app
35. Security Groups: Multi-AZ as a feature
Diagram: the VPC (172.31.0.0/16) spanning sa-east-1a, sa-east-1b and sa-east-1c.
52. DevOps: What is AWS CloudFormation?
Declarative template language for describing and deploying AWS resources.
Uses templates and stacks to provision resources.
Create, update, and delete a set of resources as a single unit (stack).
Diagram: Template -> AWS CloudFormation -> Stack. A template is the basic definition of the resources to create (a JSON text file); a stack is the collection of AWS resources CloudFormation creates or deletes from it.
53. Example
Diagram: a Development Account holding the templates and four stacks (Dev Base, Dev Apps, Test Base, Test Apps), and a Production Account built from the same templates. Each environment is a VPC with an Internet Gateway, a Public Subnet (NAT) and Private Subnets for the Web tier, App tier and DB tier (with a Master database). Master AMIs and Amazon EBS snapshots are shared between the accounts.
56. AWS SUMMIT São Paulo
https://www.cvent.com/events/aws-summit-sao-paulo/registration-89802b17e4ab403db6baeed7ba5917cc.aspx?lang=pt-BR&fqp=true&refid=sp_summit_2019
Each AZ is placed so that latency between AZs in the Region is as low as 2 ms 99% of the time.
Let's take a look at some examples of security groups in action. In the first example, we use a source of 0.0.0.0/0 to specify that any computer anywhere on the Internet can reach a web server on our instance that is listening on port 80.
Note that security groups that restrict access by IP actually specify an IP range using a convention called CIDR notation. CIDR is short for Classless Inter-Domain Routing. We will discuss CIDR in more depth in the VPC module. For now, it is enough to know that 0.0.0.0/0 means any IPv4 address, and that 10.50.2.133/32 is how we specify a single IP address (in this case, 10.50.2.133) in CIDR notation.
In the second example, we specify that we only want to allow access from a specific IP address.
In the third example, we specify that members of this security group should only allow SSH access from an instance that belongs to the security group with the ID sg-4ad3712f. This is very useful when instances need to communicate with one another but you only want to grant that permission to instances that serve a particular function in your network. A good example is the bastion host, which we will discuss in more detail in the next module. Keep in mind that security group rules are allow rules only: traffic that matches no rule is dropped, and because security groups are stateful, the return traffic of an allowed connection is permitted automatically.
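The following is an added example, not code from the deck or from AWS: a small Python model of how ingress rules are evaluated, using the three rules from the slide (sg-web/sg-app/sg-db). The sg-bastion rule, the instance names and the group memberships are constructed for the illustration. It shows the two kinds of source side by side: a CIDR block, where 0.0.0.0/0 covers every address and a /32 covers exactly one host, and a security group ID, where the match depends on which group the sending instance belongs to, not on its address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example, not AWS code. The first three rules mirror the slide; sg-bastion,
# the instance names and the memberships below are constructed for the illustration.

@dataclass(frozen=True)
class Rule:
    group: str    # security group the rule belongs to
    port: int     # TCP port it opens
    source: str   # either a CIDR block or the ID of another security group

RULES: List[Rule] = [
    Rule("sg-web", 443, "0.0.0.0/0"),          # HTTPS from anywhere
    Rule("sg-app", 22, "sg-web"),              # SSH only from members of sg-web
    Rule("sg-db", 3306, "sg-app"),             # MySQL only from members of sg-app
    Rule("sg-bastion", 22, "10.50.2.133/32"),  # SSH from exactly one admin host (constructed)
]

# Constructed instance -> security group membership (an instance may be in several groups).
MEMBERSHIP: Dict[str, Set[str]] = {
    "web-1": {"sg-web"},
    "app-1": {"sg-app"},
    "db-1": {"sg-db"},
}

def cidr_matches(cidr: str, ip: str) -> bool:
    """True when ip lies inside cidr: 0.0.0.0/0 covers every IPv4 address, a /32 one host."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def is_allowed(dest_group: str, port: int, source_ip: str,
               source_instance: Optional[str] = None) -> bool:
    """Security groups are allow-lists: a packet is admitted only if some rule matches.
    A rule whose source is a group ID matches when the sending instance is a member of
    that group, whatever its address; a CIDR source matches on the source address."""
    for r in RULES:
        if r.group != dest_group or r.port != port:
            continue
        if r.source.startswith("sg-"):
            if source_instance is not None and r.source in MEMBERSHIP.get(source_instance, set()):
                return True
        elif cidr_matches(r.source, source_ip):
            return True
    return False  # nothing matched: implicit deny

def world_open_rules() -> List[Rule]:
    """Rules whose source is a /0 block, i.e. reachable from the whole Internet.
    Reviewing this list before deploying is the quick check: only sg-web:443 should appear."""
    return [r for r in RULES
            if not r.source.startswith("sg-")
            and ipaddress.ip_network(r.source, strict=False).prefixlen == 0]

if __name__ == "__main__":
    print("db from app-1:", is_allowed("sg-db", 3306, "172.31.5.10", "app-1"))
    print("db from web-1:", is_allowed("sg-db", 3306, "172.31.5.10", "web-1"))
    print("open to the world:", world_open_rules())
```

Note that a database rule whose source is sg-app admits traffic from an sg-app member even if that member sits in another Availability Zone, and rejects a web-tier instance in the same subnet; the group membership, not the address, is what is being checked.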
Notes:
Here’s a basic system. Remember, it is important to build security into every layer of your design.
AWS CloudFormation enables you to create and provision AWS infrastructure deployments in a predictable, repeatable, and automated fashion. You can create templates for the service or application architectures you want and then have AWS CloudFormation use those templates for quick and reliable provisioning of the services or applications (called “stacks”). When you use AWS CloudFormation, you work with templates and stacks.
An AWS CloudFormation template is a JSON text file used to describe the AWS resources and their properties in your infrastructure. For example, in a template, you can describe an Amazon EC2 instance, such as the instance type, the AMI ID, block device mappings, and its Amazon EC2 key pair name. You use these templates to create a stack. A stack is a collection of AWS resources that has been created from a template. You may provision (create) a stack numerous times.
When a stack is provisioned, the AWS resources specified by its template are created. Any AWS usage changes incurred from using these services will start accruing as they are created as part of the AWS CloudFormation stack. When a stack is deleted, the resources associated with the stack are deleted. The order of deletion is determined by AWS CloudFormation; you do not have direct control over what gets deleted when.
With Infrastructure as Code, you can automate your entire dev, test, or production environment to be deployed, configured, and ready to use within minutes. For example, the entire setup on this slide can be deployed using AWS CloudFormation templates. You can create baseline templates for your Dev and Test environments, and then create stacks as needed from those templates. You can easily create production-like setups to perform your development and testing as part of your software development lifecycle. All the templates can be stored in a version control system like Git or AWS CodeCommit.
In this reference diagram, note that you can have many S3 buckets: 1. public S3 buckets that store static files to be cached by Amazon CloudFront, and 2. private S3 buckets that store logs, backups and config files that can be read by any server in any AZ.
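To tie the template/stack explanation above to the security group examples earlier in the deck, here is an added example (not AWS code and not from the original slides) that generates a JSON CloudFormation template for the three security groups, parameterised by an Environment value so the same template can create the Dev and Test stacks, and lint-checks the ingress rules before the stack is created. The logical resource names, the Environment and VpcId parameters, and the set of ports allowed from the Internet are assumptions made for the example.

```python
import json
from typing import List, Tuple

# Added example, not AWS code. Logical names, parameters and PUBLIC_OK_PORTS are assumptions.

def sg_resource(description: str, ingress: List[dict]) -> dict:
    """One AWS::EC2::SecurityGroup resource with the given ingress rules."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": {"Fn::Sub": "${Environment} " + description},
            "VpcId": {"Ref": "VpcId"},
            "SecurityGroupIngress": ingress,
        },
    }

def build_template(db_open_to_world: bool = False) -> dict:
    """Returns the template as a dict. db_open_to_world=True reproduces the weak
    setting the lint below is meant to catch (MySQL reachable from 0.0.0.0/0)."""
    db_source = ({"CidrIp": "0.0.0.0/0"} if db_open_to_world
                 else {"SourceSecurityGroupId": {"Ref": "AppSecurityGroup"}})
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Three-tier security groups (added example)",
        "Parameters": {
            # One template, one stack per environment: Dev, Test, Prod
            "Environment": {"Type": "String", "AllowedValues": ["Dev", "Test", "Prod"]},
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
        },
        "Resources": {
            "WebSecurityGroup": sg_resource("web tier", [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            ]),
            "AppSecurityGroup": sg_resource("app tier", [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "SourceSecurityGroupId": {"Ref": "WebSecurityGroup"}},
            ]),
            "DbSecurityGroup": sg_resource("db tier", [
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, **db_source},
            ]),
        },
    }

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {443}  # the only port this example permits from anywhere (assumption)

def lint_ingress(template: dict) -> List[Tuple[str, int, int]]:
    """Returns (resource, from_port, to_port) for every ingress rule open to the world
    on anything other than a single allowed port. An empty list means the template passes.
    A rule without FromPort/ToPort (IpProtocol -1) counts as all ports."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            src = rule.get("CidrIp") or rule.get("CidrIpv6")
            if src in WORLD:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((name, lo, hi))
    return findings

def render(template: dict) -> str:
    """Serialise to the JSON text file that CloudFormation consumes."""
    return json.dumps(template, indent=2)

if __name__ == "__main__":
    print(render(build_template()))
    print("findings:", lint_ingress(build_template(db_open_to_world=True)))
```

Running the lint in the pipeline that stores the template in Git or AWS CodeCommit catches the open-database mistake before a stack is ever created; the correct template references AppSecurityGroup by logical ID, so the database group never needs a CIDR source at all.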