2. AWS Well-Architected Framework
A set of questions you can use to evaluate how well an architecture is aligned to AWS best practices. It is organised in five pillars:
• Security
• Reliability
• Performance efficiency
• Cost optimization
• Operational excellence
4. Customer Challenges
• Faster response to change in market
• Delivery time
• Change management
• Reduce human errors
• Faster recovery
• High availability
• Automation
• Scaling to demand
5. AWS Design Principles
• Stop guessing capacity needs
• Test systems at scale
• Data-driven architectures
• Automate to enable experimentation
• Allow for evolution
• Security by design
9. Security pillar
Protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Design principles:
• Apply security at all layers
• Enable traceability
• Implement the principle of least privilege
• Focus on securing your system
• Automate security best practices
10. Shared Responsibility
AWS is responsible for security of the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for security in the cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, and Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
11. Credentials
• Enforce MFA for everyone from day 1.
• Use AWS IAM Users and Roles from day 1.
• Enforce strong passwords.
• Protect and rotate credentials.
• No access keys in code.
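The five rules above can be checked mechanically from the IAM credential report. The script below is an added example, not from the original deck: SAMPLE_REPORT is a constructed CSV with the shape (and a subset of the columns) of what `aws iam get-credential-report` returns after base64 decoding, the 90-day rotation window is an assumed policy, and no AWS call is made.

```python
"""Audit an IAM credential report against the rules on this slide.

Added example, not from the original deck. SAMPLE_REPORT is constructed
to look like the CSV that `aws iam get-credential-report` returns (after
base64 decoding); only a subset of the real columns is included, and no
AWS call is made here.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2023-09-01T10:00:00+00:00,false,true,2019-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T00:00:00+00:00,true,2024-01-10T09:00:00+00:00,true,true,2023-12-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,true,2024-01-05T09:00:00+00:00,false,true,2021-06-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-01T00:00:00+00:00,false,no_information,false,true,2023-12-20T00:00:00+00:00,false,N/A
"""

# Fixed "now" so the sample audit is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601, or a placeholder when absent."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs, in report order.

    Findings:
      no-mfa            a console user (or root) without an MFA device
      root-access-key   the root account has an active access key
      stale-access-key  an active key not rotated within max_key_age
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; its password_enabled is 'not_supported'.
        console_user = is_root or row["password_enabled"] == "true"
        if console_user and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key"))   # never keep root keys
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, "stale-access-key"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

The report is the cheapest place to catch the day-1 rules slipping: a root access key, a console user without MFA, and a key that has not been rotated all show up in one CSV, so the audit can run on a schedule and page someone instead of waiting for the annual review.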
12. EC2 Role
1: Create EC2 role. Create a role in the IAM service with a limited policy.
2: Launch EC2 instance. Launch the instance with the role attached.
3: App retrieves credentials. Using the AWS SDK, the application retrieves temporary credentials from the instance.
4: App accesses AWS resource(s). Using the AWS SDK, the application uses those temporary credentials to access the resource(s).
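Step 1 is where least privilege is decided, so it is worth seeing what a "limited policy" looks like next to the grant it replaces. The block below is an added example, not from the original deck: the role's trust policy, a permissions policy scoped to one bucket prefix (the bucket name `example-app-bucket` is a placeholder), and a small linter that flags the wildcard grants people attach in a hurry. It only builds and checks the documents; attaching them is an IAM or IaC step.

```python
"""Step 1 of the slide: an EC2 instance role with a *limited* policy.

Added example, not from the original deck. The bucket name is a
placeholder. Attaching the policies needs IAM API calls (or IaC); here we
only build the documents and lint them for over-broad grants.
"""
import json

# Trust policy: only the EC2 service may assume this role (steps 1-2).
INSTANCE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: read objects under one prefix of one bucket, nothing else.
# "example-app-bucket" is an assumed name.
LIMITED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/config/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["config/*"]}}},
    ],
}

# What gets attached when in a hurry; kept as the 'before' for the linter.
TOO_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return human-readable findings for Allow statements that grant too much."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action {actions}")
        if any(r == "*" for r in resources) and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allow-lists are hard to reason about")
    return findings


if __name__ == "__main__":
    print(json.dumps(INSTANCE_TRUST_POLICY, indent=2))
    print(overly_broad_statements(LIMITED_POLICY))
    print(overly_broad_statements(TOO_BROAD_POLICY))
```

For steps 3 and 4 no code changes in the application: a boto3 client created without explicit keys walks the default credential chain and ends at the instance metadata service, so the temporary credentials never touch disk or source control. Two practitioner caveats: require IMDSv2 on the instance (`HttpTokens=required` in the metadata options) so an SSRF bug in the app cannot fetch the role credentials with a plain GET, and remember that anything else running on the instance, including a compromised process, holds the same role.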
13. Network and Boundary
• Security groups are built-in stateful firewalls
• Divide layers of the stack into subnets
• Use a bastion host for access
• Implement host based controls
14. Layers with Security Groups
[Diagram: in Availability Zone A, the user reaches a WEB server in Web Subnet A (WEB Security Group), which in turn reaches an RDS DB instance in DB Subnet A (DB Security Group).]
15. Bastion Host & Security Groups
[Diagram: Availability Zone A with a Bastion Host in Public Subnet A (Bastion Security Group: port 22, IP restriction) and a WEB server (WEB Security Group) plus an RDS DB instance (DB Security Group) in Private Subnet A. The developer connects through the bastion.]
Workflow:
> start_bastion
> ssh -A
> stop_bastion
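The layering in slides 13 to 15 comes down to a handful of rules: the web group is the only one open to the internet, and only on web ports; the DB group trusts the web group by reference rather than by address range; the bastion accepts SSH from one developer address. The block below is an added example, not from the original deck: the group ids, CIDRs and rules are constructed to mirror the diagram (a real run would take the same fields from `ec2:DescribeSecurityGroups`), and the audit function flags rules that break the model.

```python
"""Lint security-group rules against the layered model on slides 13-15.

Added example, not from the original deck. The group ids, CIDRs and rules
are constructed to mirror the WEB / DB / Bastion diagram; a real audit
would feed the same fields from ec2:DescribeSecurityGroups (IpPermissions).
"""
import ipaddress

WEB_PORTS = {80, 443}
DB_PORTS = {3306, 5432, 1433}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed rule set for the three groups on the slide. 'source' is
# either a CIDR or the id of another security group.
GROUPS = {
    "sg-web": [
        {"proto": "tcp", "from": 80, "to": 80, "source": "0.0.0.0/0"},
        {"proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "source": "sg-bastion"},
    ],
    "sg-db": [
        # only the web tier may reach the DB, by group reference not by CIDR
        {"proto": "tcp", "from": 3306, "to": 3306, "source": "sg-web"},
    ],
    "sg-bastion": [
        # the developer's fixed address; opened and closed with start/stop_bastion
        {"proto": "tcp", "from": 22, "to": 22, "source": "203.0.113.10/32"},
    ],
}

# The same layout with the mistakes the layering is meant to prevent.
BAD_GROUPS = {
    "sg-db": [{"proto": "tcp", "from": 3306, "to": 3306, "source": "10.0.0.0/16"}],
    "sg-bastion": [{"proto": "tcp", "from": 22, "to": 22, "source": "0.0.0.0/0"}],
}


def _cidr(source):
    """Return the parsed network for a CIDR source, or None for a group reference."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def audit_security_groups(groups, web_ports=WEB_PORTS, db_ports=DB_PORTS):
    """Return (group, rule, reason) triples for ingress rules that break the model."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            src = rule["source"]
            net = _cidr(src)
            ports = set(range(rule["from"], rule["to"] + 1))
            if rule["proto"] == "-1" or ports >= {0, 65535}:
                findings.append((name, rule, "all ports or protocols in one rule"))
            if src in ANYWHERE and not ports <= web_ports:
                findings.append((name, rule, "non-web port exposed to the internet"))
            if 22 in ports and net is not None and net.prefixlen < net.max_prefixlen:
                findings.append((name, rule, "SSH allowed from a range, not one host or a group"))
            if ports & db_ports and net is not None:
                findings.append((name, rule, "DB port allowed from a CIDR instead of the web group"))
    return findings


if __name__ == "__main__":
    print(audit_security_groups(GROUPS))
    for group, rule, why in audit_security_groups(BAD_GROUPS):
        print(group, rule, why)
```

Two notes on the bastion workflow itself. Starting the bastion only when needed, as `start_bastion`/`stop_bastion` do, is a real reduction in exposure, but `ssh -A` forwards your agent socket to the bastion, so anyone with root on that host can sign with your keys for as long as you are connected; `ssh -J bastion target` (ProxyJump) tunnels the session through the bastion without exposing the agent. And because security groups are stateful, the return traffic for these rules needs no egress entries.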
20. Reliability pillar
The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
Design principles:
• Test recovery procedures
• Automatically recover from failure
• Scale horizontally to increase availability
• Stop guessing capacity
22. High Availability
• No Single Point of Failure
• Multiple Availability Zones
• Load Balancing
• Auto Scaling and Healing
23. Multi-AZ Architecture
[Diagram: Amazon Route 53 directs the user to Elastic Load Balancing, which spreads traffic over a Web Instance in each of two Availability Zones; the RDS DB Instance is Active (Multi-AZ) in one zone with a Standby (Multi-AZ) in the other.]
24. Multi-AZ, Load Balanced, Auto Scaled
[Diagram: Amazon Route 53 directs the user to Elastic Load Balancing, which fronts an Auto Scaling Group of WEB servers spread over Web Subnet A (Availability Zone A) and Web Subnet B (Availability Zone B); the RDS DB Instance is Active in DB Subnet A with a Standby in DB Subnet B; Amazon S3 and Amazon CloudWatch sit alongside.]
25. Backup and DR
• Define Objectives
• Backup Strategy
• Periodic Recovery Testing
• Automated Recovery
• Periodic Reviews
26. Automated backups using AWS Lambda
[Diagram: an Amazon CloudWatch rule fires every 15 min and invokes an AWS Lambda function that takes a snapshot of an Amazon Redshift cluster.]
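What the Lambda behind that rule has to do is short, but the part people forget is pruning: a snapshot every 15 minutes is 96 a day, so the same function should delete its own old ones and nothing else. The block below is an added example, not from the original deck: the cluster id, tag name and 24-hour retention are placeholders, and the Redshift client is passed in as a parameter so the code runs here against a constructed stand-in (in Lambda you would pass `boto3.client("redshift")`).

```python
"""Lambda handler for the "snapshot every 15 min" rule on slide 26.

Added example, not from the original deck. CLUSTER_ID, the tag name and
the retention window are placeholders. The handler takes the Redshift
client as a parameter so it can run here against the FakeRedshift stand-in
without AWS access; in Lambda you would pass boto3.client("redshift").
"""
from datetime import datetime, timedelta, timezone

CLUSTER_ID = "analytics-cluster"          # assumed cluster identifier
TAG = {"Key": "automated-backup", "Value": "true"}
RETENTION = timedelta(hours=24)           # keep a rolling day of 15-min snapshots


def snapshot_name(cluster_id, now):
    """Snapshot ids must be lowercase alphanumeric/hyphen and unique, so stamp the time in."""
    return f"{cluster_id}-auto-{now.strftime('%Y%m%d-%H%M')}"


def handler(event, context, redshift, now=None):
    """Create a manual snapshot, then delete only *our* snapshots older than RETENTION.

    Deletion is restricted to snapshots carrying TAG, so hand-made snapshots
    are never touched by the schedule.
    """
    now = now or datetime.now(timezone.utc)
    created = snapshot_name(CLUSTER_ID, now)
    redshift.create_cluster_snapshot(
        SnapshotIdentifier=created, ClusterIdentifier=CLUSTER_ID, Tags=[TAG])

    deleted = []
    kwargs = {"ClusterIdentifier": CLUSTER_ID, "SnapshotType": "manual", "TagKeys": [TAG["Key"]]}
    while True:                                    # DescribeClusterSnapshots is paginated
        page = redshift.describe_cluster_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            age = now - snap["SnapshotCreateTime"]
            if snap["Status"] == "available" and age > RETENTION:
                redshift.delete_cluster_snapshot(SnapshotIdentifier=snap["SnapshotIdentifier"])
                deleted.append(snap["SnapshotIdentifier"])
        if "Marker" not in page:
            break
        kwargs["Marker"] = page["Marker"]
    return {"created": created, "deleted": deleted}


class FakeRedshift:
    """Just enough of boto3's Redshift client for this example (constructed stand-in)."""

    def __init__(self, existing):
        self.snapshots = list(existing)

    def create_cluster_snapshot(self, SnapshotIdentifier, ClusterIdentifier, Tags):
        self.snapshots.append({"SnapshotIdentifier": SnapshotIdentifier, "Status": "creating",
                               "SnapshotCreateTime": datetime.now(timezone.utc), "Tags": Tags})

    def describe_cluster_snapshots(self, TagKeys=(), **kwargs):
        # Single page; honours the TagKeys filter the way the real API does.
        hits = [s for s in self.snapshots if {t["Key"] for t in s["Tags"]} >= set(TagKeys)]
        return {"Snapshots": hits}

    def delete_cluster_snapshot(self, SnapshotIdentifier):
        self.snapshots = [s for s in self.snapshots if s["SnapshotIdentifier"] != SnapshotIdentifier]


def run_demo():
    """Run one scheduled tick against a constructed cluster history."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    fake = FakeRedshift([
        {"SnapshotIdentifier": "analytics-cluster-auto-20240114-0600", "Status": "available",
         "SnapshotCreateTime": now - timedelta(hours=30), "Tags": [TAG]},
        {"SnapshotIdentifier": "analytics-cluster-auto-20240115-1145", "Status": "available",
         "SnapshotCreateTime": now - timedelta(minutes=15), "Tags": [TAG]},
    ])
    return handler({}, None, fake, now=now), fake


if __name__ == "__main__":
    result, _ = run_demo()
    print(result)
```

The function's role needs only `redshift:CreateClusterSnapshot`, `redshift:DescribeClusterSnapshots` and `redshift:DeleteClusterSnapshot` on this cluster, and the delete permission is the one to scope most tightly: a condition on the `automated-backup` tag keeps a bug in the pruning loop from reaching snapshots made by hand. Redshift can also expire manual snapshots for you through the `ManualSnapshotRetentionPeriod` parameter of the create call, which removes the loop entirely; the explicit version above shows what "periodic recovery testing" has to be able to find.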
27. Performance efficiency pillar
Use computing resources efficiently to meet requirements, and maintain that efficiency as demand changes and technologies evolve.
Design principles:
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
29. Proximity and Caching
• Content Delivery Network (CDN)
• Database Caching
• Reduce Latency
• Pro-active Monitoring and Notification
Services shown: Amazon CloudFront, Amazon ElastiCache, RDS DB instance read replica.
30. Scaling all the layers
[Diagram: Amazon Route 53 sends the user to Amazon CloudFront (backed by Amazon S3) and to Elastic Load Balancing; each of two Availability Zones holds an Auto Scaling Group of Web Instances, an ElastiCache node and an RDS DB Instance Read Replica; the RDS DB Instance Master (Multi-AZ) in one zone has a Standby (Multi-AZ) in the other.]
31. More decoupling
[Diagram: the layout of slide 30 (Amazon Route 53, Amazon CloudFront with Amazon S3, Elastic Load Balancer, Web Instances, ElastiCache, RDS DB Instance Active (Multi-AZ) with Read Replicas, Amazon CloudWatch) extended with Amazon DynamoDB, Amazon SQS feeding Worker Instances, Internal App Instances and Amazon SES.]
33. Key scenarios
• Data triggers: customize behavior on data updates in S3, SNS and DDB
• Control systems: customize responses and response workflows to state changes within AWS
• Serverless backends: execute server-side backend logic in a cross-platform fashion
• Big data: real-time processing of streaming data updates using Kinesis
34. Cost optimization pillar
Assess your ability to avoid or eliminate unneeded costs or suboptimal resources, and use those savings on differentiated benefits for your business.
Design principles:
• Adopt a consumption model
• Benefit from economies of scale
• Stop spending money on data center operations
• Analyze and attribute expenditure
• Use managed services to reduce TCO
36. Capacity Matching
• Demand based
• Queue based
• Schedule based
• Appropriately provisioned
• Pro-active monitoring and action
37. Auto Start/Shutdown of Instances
[Diagram: two Amazon CloudWatch rules, "every day at 21h30" (sleep trigger) and "every day at 6h15" (wakeup trigger), invoke an AWS Lambda function that stops and starts the AWS resources (EC2 instances).]
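One function can serve both rules if each rule passes a different input, and the instance set should be selected by tag so an untagged production box is never stopped by accident. The block below is an added example, not from the original deck: the tag convention (`Schedule=office-hours`), the rule inputs (`{"action": "stop"}` at 21h30, `{"action": "start"}` at 6h15) and the instance ids are placeholders, and the EC2 client is passed in so the code runs here against a constructed stand-in (in Lambda pass `boto3.client("ec2")`). It also carries the least-privilege policy for the function's role, which is the part that matters for security.

```python
"""One Lambda function for both the sleep and wake-up rules on slide 37.

Added example, not from the original deck. The tag convention, the rule
inputs ({"action": "stop"} at 21h30, {"action": "start"} at 6h15) and the
instance ids are placeholders. The EC2 client is passed in so the code
runs here against FakeEC2; in Lambda pass boto3.client("ec2").
"""
TAG_KEY, TAG_VALUE = "Schedule", "office-hours"   # assumed tag convention

# Least-privilege policy for the function's role: it may only start or stop
# instances carrying the schedule tag (ec2:ResourceTag/<key> condition).
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {f"ec2:ResourceTag/{TAG_KEY}": TAG_VALUE}}},
    ],
}

# Instance states in which each action is meaningful.
ELIGIBLE = {"stop": ["running"], "start": ["stopped"]}


def select_instances(ec2, action):
    """Ids of instances tagged for the schedule and in a state the action applies to."""
    filters = [{"Name": f"tag:{TAG_KEY}", "Values": [TAG_VALUE]},
               {"Name": "instance-state-name", "Values": ELIGIBLE[action]}]
    ids, token = [], None
    while True:                                   # DescribeInstances is paginated
        kwargs = {"Filters": filters}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_instances(**kwargs)
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"])
        token = page.get("NextToken")
        if not token:
            return ids


def handler(event, context, ec2):
    action = event.get("action")
    if action not in ELIGIBLE:                    # refuse anything but the two rule inputs
        raise ValueError(f"unknown action {action!r}")
    ids = select_instances(ec2, action)
    if ids:
        (ec2.stop_instances if action == "stop" else ec2.start_instances)(InstanceIds=ids)
    return {"action": action, "instances": ids}


class FakeEC2:
    """Just enough of boto3's EC2 client for this example (constructed stand-in)."""

    def __init__(self, instances):
        self.instances = instances

    def describe_instances(self, Filters, NextToken=None):
        tags = {f["Name"][4:]: f["Values"] for f in Filters if f["Name"].startswith("tag:")}
        states = [f["Values"] for f in Filters if f["Name"] == "instance-state-name"][0]
        hits = [i for i in self.instances
                if i["State"]["Name"] in states
                and all(any(t["Key"] == k and t["Value"] in v for t in i.get("Tags", []))
                        for k, v in tags.items())]
        return {"Reservations": [{"Instances": hits}]}

    def _set_state(self, ids, state):
        for i in self.instances:
            if i["InstanceId"] in ids:
                i["State"]["Name"] = state

    def stop_instances(self, InstanceIds):
        self._set_state(InstanceIds, "stopped")

    def start_instances(self, InstanceIds):
        self._set_state(InstanceIds, "running")


def run_demo():
    """Evening stop followed by morning start over a constructed fleet."""
    fleet = [
        {"InstanceId": "i-0dev1", "State": {"Name": "running"}, "Tags": [{"Key": TAG_KEY, "Value": TAG_VALUE}]},
        {"InstanceId": "i-0dev2", "State": {"Name": "stopped"}, "Tags": [{"Key": TAG_KEY, "Value": TAG_VALUE}]},
        {"InstanceId": "i-0prod", "State": {"Name": "running"}, "Tags": [{"Key": "Env", "Value": "prod"}]},
    ]
    ec2 = FakeEC2(fleet)
    evening = handler({"action": "stop"}, None, ec2)
    morning = handler({"action": "start"}, None, ec2)
    return evening, morning, ec2
```

The tag filter in the code and the `ec2:ResourceTag` condition in the policy enforce the same boundary twice: even if someone edits the handler to pass every instance id, the role cannot stop anything that is not tagged for the schedule.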
38. Managed Services
• Let AWS do the heavy lifting.
• Databases, caches and big data solutions.
• Application Level Services.
Services shown: Amazon RDS, Amazon DynamoDB, Amazon Redshift, Amazon ElastiCache, AWS Elastic Beanstalk, Amazon Elasticsearch Service.
39. Manage Expenditure
• Tag Resources
• Track Project Lifecycle
• Profile Applications vs Cost
• Monitor Usage & Spend
40. Auto Tagging resources as they start
[Diagram: an Amazon CloudWatch Events rule matching RunInstances events invokes an AWS Lambda function that tags the new EC2 instances with Owner = userName and PrincipalId = aws:userid.]
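The event the rule delivers is a CloudTrail record, so the tagging function is mostly about reading `userIdentity` correctly: an IAM user carries `userName`, but a launch through an assumed role carries the role in `sessionContext.sessionIssuer` and the session name in `principalId`. The block below is an added example, not from the original deck: SAMPLE_EVENT is a constructed "AWS API Call via CloudTrail" event (account id, instance ids and user names are placeholders), and the EC2 client is passed in so the code runs here against a constructed stand-in (in Lambda pass `boto3.client("ec2")`).

```python
"""Lambda handler for the RunInstances auto-tagging rule on slide 40.

Added example, not from the original deck. SAMPLE_EVENT is constructed
(account id, instance ids and names are placeholders) with the shape
CloudWatch Events delivers for "AWS API Call via CloudTrail". The EC2
client is passed in so the code runs here against FakeEC2; in Lambda pass
boto3.client("ec2").
"""


def owner_from_identity(identity):
    """Map a CloudTrail userIdentity block to the Owner tag value (slide: userName)."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity["userName"]
    if kind == "AssumedRole":
        # principalId looks like "AROA...:session-name"; the issuer is the role name.
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "unknown-role")
        session = identity["principalId"].split(":", 1)[-1]
        return f"{role}/{session}"
    if kind == "Root":
        return "root"
    return identity.get("arn", "unknown")


def handler(event, context, ec2):
    """Tag every instance created by the RunInstances call in the event."""
    detail = event["detail"]
    if detail.get("eventName") != "RunInstances" or "errorCode" in detail:
        return {"tagged": []}                       # not our event, or the launch failed
    ids = [item["instanceId"]
           for item in detail["responseElements"]["instancesSet"]["items"]]
    identity = detail["userIdentity"]
    tags = [{"Key": "Owner", "Value": owner_from_identity(identity)},
            {"Key": "PrincipalId", "Value": identity["principalId"]}]   # slide: aws:userid
    ec2.create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids, "tags": tags}


class FakeEC2:
    """Records create_tags calls (constructed stand-in for boto3's client)."""

    def __init__(self):
        self.calls = []

    def create_tags(self, Resources, Tags):
        self.calls.append((list(Resources), list(Tags)))


# Constructed event: IAM user 'alice' launches two instances.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "userName": "alice",
        },
        "responseElements": {
            "instancesSet": {"items": [{"instanceId": "i-0aaa111"}, {"instanceId": "i-0bbb222"}]}
        },
    },
}


def run_demo():
    ec2 = FakeEC2()
    return handler(SAMPLE_EVENT, None, ec2), ec2


if __name__ == "__main__":
    result, _ = run_demo()
    print(result)
```

Once the Owner tag is relied on for cost attribution or, worse, for tag-based access control, it must not be writable by the people it describes: deny `ec2:CreateTags` and `ec2:DeleteTags` for the `Owner` and `PrincipalId` keys (via the `aws:TagKeys` condition) to everyone except this function's role, otherwise the attribution can be rewritten after launch.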
41. Operational excellence pillar
Operational practices and procedures used to manage production workloads.
Design principles:
• Perform operations with code
• Align operations processes to business objectives
• Make regular, small, incremental changes
• Test for responses to unexpected events
• Learn from operational events and failures
• Keep operations procedures current
43. Some tips … from my own experience
• Architecture as code – code everything.
• Automate everything: “Invest time to save time”
• Don’t reinvent the wheel; managed services are your best friends.
• Embrace security early on.
• Test your DR strategy regularly.
• Serverless architectures free you from managing infrastructure.
• Did I mention automation?