With the multitude of different software development platforms, tools, and methodologies, it can be daunting to get started and ensure you are on the right architectural track in the cloud. AWS understands architectural best practices for designing reliable, secure, efficient, and cost-effective systems in the AWS cloud. This session will introduce you to the "Well-Architected" framework along with a number of key takeaways on setting solid architectural foundations.
Speaker: Ben Potter, Security Consultant, Amazon Web Services
Featured Customer - Reckon
2. What We Will Cover
• The Well-Architected Framework
• Key Best Practices
• How to Get Started
• Resources
3. Main Pillars
[Slide diagram: the four pillars and the topics covered under each]
• Security: Account, Access Keys, Network, Services
• Reliability: High Availability, Load Balancing, Backup and DR, Auto Scaling
• Performance Efficiency: Right-Sizing, Benchmarking, Load Testing, Monitoring
• Cost Optimisation: Managed Services, Cost Awareness, Tagging
4. General Design Principles
• Secure from the Start
• Stop Guessing your Capacity Needs
• Test Systems at Production Scale
• Lower the Risk of Architecture Change
• Automate to make Architectural Experimentation Easier
• Allow for Evolutionary Architectures
8. Security
The ability to protect information, systems and assets while
delivering business value through risk assessments and
mitigation strategies.
• Data Protection
• Privilege Management
• Infrastructure Protection
• Detective Controls
9. Security: Shared Responsibility
[Slide diagram: the shared responsibility model]
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network, and Firewall Configuration; Customer applications & content
10. Security: Credentials
• As soon as you Create a new AWS Account, Enable MFA
• Use the Identity and Access Management Service (IAM) to Create Users, even if it's only one
• Protect all of your Credentials
• DO NOT place Access Keys in Code… EVER!
  'key' => '1111-2222-3333-4444-5555',
  'secret' => 'aaaa-bbbb-cccc-dddd-eeee',
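A check that catches the anti-pattern above before it reaches a repository, added here as an example (it is not code from the slides or from AWS). It scans source text for access key IDs and, next to a secret-looking name, 40-character secrets. The PHP sample inside it is constructed for the demo and uses the fake key pair that AWS's own documentation uses in examples; no real credential appears.

```python
"""Scan source text for hard-coded AWS credentials (added example).

The PHP sample below is constructed for the demo; the key pair is the
placeholder pair from AWS documentation, not a live credential."""
import re

# Long-term access key IDs start with AKIA and temporary ones with ASIA,
# followed by 16 upper-case alphanumerics (20 characters in total).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters of [A-Za-z0-9/+=].  On its own that
# pattern is noisy, so only flag it next to a secret-looking name such as
# aws_secret_access_key, 'secret' => ... or "secret": ...
SECRET_RE = re.compile(
    r"""(?i)(aws_?secret(?:_access)?_key|['"]secret['"])\s*(?:=>|=|:)\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)


def redact(value):
    """Keep only the first and last four characters so a report can be shared safely."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_source(text):
    """Return (line_number, kind, redacted_value) for every credential-like string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(match.group(0))))
        match = SECRET_RE.search(line)
        if match:
            findings.append((lineno, "secret_access_key", redact(match.group(2))))
    return findings


# Constructed sample: the anti-pattern from the slide, with AWS's documented
# example key pair standing in for real values.
SAMPLE_PHP = """<?php
$client = new S3Client([
    'region' => 'ap-southeast-2',
    'key'    => 'AKIAIOSFODNN7EXAMPLE',
    'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY',
]);
$provider = CredentialProvider::instanceProfile();  // the right way: no keys in code
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_PHP):
        print(f"line {lineno}: {kind} {value}")
```

Run it as a pre-commit hook over the staged files and fail the commit on any finding; the redacted output is safe to paste into a ticket.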
11. Security: EC2 Role
1: Create EC2 role: create a role in the IAM service with a limited policy
2: Launch EC2 instance: launch the instance with the role
3: App retrieves credentials: using the AWS SDK, the application retrieves temporary credentials
4: App accesses AWS resource(s): using the AWS SDK, the application uses the credentials to access the resource(s)
12. Security: EC2 Role – PHP SDK
• PHP SDK: Using an Instance Profile (EC2 role)
<?php
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

// Credentials come from the instance profile (EC2 role), not from code
$provider = CredentialProvider::instanceProfile();
// Be sure to memoize the credentials so the metadata service is not queried on every call
$memoizedProvider = CredentialProvider::memoize($provider);
$client = new S3Client([
    'region'      => 'ap-southeast-2',
    'version'     => '2006-03-01',
    'credentials' => $memoizedProvider
]);
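The role's "limited policy" is where least privilege is decided, so it pays to test it before the role exists. The evaluator below is an added example (not from the slides and not the IAM engine): it implements the core IAM rule that an explicit Deny wins, a matching Allow grants, and everything else is implicitly denied, with IAM-style wildcards. The policy, bucket name and ARNs are constructed for the demo.

```python
"""Simplified evaluator for an EC2 role's least-privilege policy (added example).

The policy document, bucket and ARNs are constructed; the matching rules are
a reduced model of IAM (Deny wins, then Allow, else implicit deny)."""
import fnmatch
import json

# Constructed policy: the application may only read one bucket, and nothing
# under its secrets/ prefix.  Everything not listed is implicitly denied.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-assets",
                   "arn:aws:s3:::example-app-assets/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-app-assets/secrets/*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style globbing: '*' and '?' wildcards; actions compare case-insensitively."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overly_broad_statements(policy):
    """Indices of Allow statements that grant every action or every resource."""
    broad = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if "*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]):
            broad.append(i)
    return broad


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-app-assets"
    print(is_allowed(ROLE_POLICY, "s3:GetObject", bucket + "/public/logo.png"))   # True
    print(is_allowed(ROLE_POLICY, "s3:GetObject", bucket + "/secrets/db.pem"))    # False
    print(is_allowed(ROLE_POLICY, "s3:PutObject", bucket + "/public/logo.png"))   # False
    print(overly_broad_statements(ROLE_POLICY))                                    # []
```

Keep such assertions next to the policy JSON in version control; when someone later widens the role, the failing case documents what the application was meant to be able to do.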
13. Security: Cognito
[Slide diagram: identity providers map to unique identities, which reach any AWS service (Mobile Analytics, S3, DynamoDB, Kinesis) from any device and any platform; example users Joe, Anna and Bob]
Helps implement Security Best Practices: securely access any AWS service from a mobile device. It simplifies the interaction with AWS Identity and Access Management.
Support Multiple Login Providers: easily integrate with major login providers for authentication.
Unique Users vs. Devices: manage unique identities. Automatically recognise a unique user across devices and platforms.
14. Security: Network and Boundary
• Security Groups are Built-in Stateful Firewalls
• Divide Layers of the Stack into Subnets
• Use a Bastion Host for Access
• Implement Host Based Controls
15. Two Layers with Security Groups
[Slide diagram: a user reaches a web server in Web Subnet A, which talks to an RDS DB instance in DB Subnet A; the web server sits in the WEB security group and the database in the DB security group, laid out across Availability Zones A and B]
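Whether the two layers actually hold comes down to the ingress rules: the DB security group should admit only the WEB security group, on the database port, and the web tier should expose only its public ports to the world. The check below is an added example (not from the deck) that runs over group descriptions in the shape returned by `aws ec2 describe-security-groups`, reduced to the fields it needs; the group IDs and rules are constructed, including one deliberate misconfiguration.

```python
"""Verify a two-tier security group layout (added example).

Group IDs and rules below are constructed in the shape of
`aws ec2 describe-security-groups` output, trimmed to the fields used."""

WEB_SG = "sg-0000web0000000001"       # constructed IDs
DB_SG = "sg-0000db00000000001"
BASTION_SG = "sg-0000bastion000001"

SECURITY_GROUPS = [
    {"GroupId": WEB_SG, "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
    ]},
    {"GroupId": DB_SG, "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
        # Deliberate misconfiguration for the demo: the DB port open to the world.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]

PUBLIC_WEB_PORTS = {80, 443}   # the only ports the web tier may expose to 0.0.0.0/0


def check_two_tier(groups, web_sg_id, db_sg_id, db_port):
    """Return human-readable findings; an empty list means the layering holds."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []

    # DB tier: every ingress rule must be tcp/db_port sourced from the web SG.
    for perm in by_id[db_sg_id]["IpPermissions"]:
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        if perm["IpProtocol"] == "-1" or ports != (db_port, db_port):
            findings.append(f"{db_sg_id}: rule allows {perm['IpProtocol']} {ports}, "
                            f"expected only tcp/{db_port}")
        for rng in perm.get("IpRanges", []):
            findings.append(f"{db_sg_id}: CIDR source {rng['CidrIp']} on port {ports[0]}; "
                            "DB tier must only accept the web security group")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != web_sg_id:
                findings.append(f"{db_sg_id}: source group {pair['GroupId']} "
                                "is not the web security group")

    # Web tier: nothing but the public web ports may be open to the world.
    for perm in by_id[web_sg_id]["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] in ("0.0.0.0/0", "::/0") and perm.get("FromPort") not in PUBLIC_WEB_PORTS:
                findings.append(f"{web_sg_id}: port {perm.get('FromPort')} open to {rng['CidrIp']}; "
                                "management access should go via the bastion host")
    return findings


if __name__ == "__main__":
    for finding in check_two_tier(SECURITY_GROUPS, WEB_SG, DB_SG, 3306):
        print(finding)
```

On the constructed input it reports exactly one problem, the world-open DB rule; remove that rule and the check returns an empty list. Feeding it the real `describe-security-groups` JSON only requires loading the `SecurityGroups` array in place of the constructed list.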
16. Security: Instance, Monitoring and Auditing
• Configure Encryption Everywhere Possible
• Configure CloudTrail Service
• Configure VPC Flow Logs
• Collect all Logs Centrally and Alert
[Slide icons: Virtual Private Cloud, Identity & Access Manager, Key Management Service, CloudTrail, AWS Config]
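"Collect all logs centrally and alert" is only useful with concrete detection logic on top. The example below, added here and not taken from the deck, parses VPC Flow Log records in the default version 2 format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and raises two kinds of alert for the two-tier layout: an accepted connection from outside the VPC to a database or management port, and an external source repeatedly rejected on those ports. The records, VPC range and account id are constructed; the addresses are documentation ranges.

```python
"""Detection over VPC Flow Log records (added example).

Records below are constructed in the default version 2 flow-log format; the
VPC CIDR, account id and addresses are placeholders."""
import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # constructed VPC range
WATCHED_PORTS = {22: "ssh", 3306: "mysql"}         # must never be reached from outside the VPC

SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.15 44811 3306 6 20 4249 1431280876 1431280934 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.2.15 51423 3306 6 4 240 1431280876 1431280934 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.15 51424 3306 6 4 240 1431280880 1431280934 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.15 51425 22 6 4 240 1431280881 1431280934 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.2.15 51430 3306 6 12 980 1431280890 1431280934 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - - 1431280876 1431280934 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_log(line):
    """Split one record into a dict; None for records that carry no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA records have '-' fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def analyse_flow_logs(text, vpc_cidr=VPC_CIDR, watched_ports=WATCHED_PORTS, reject_threshold=2):
    """Return alerts: accepted external hits on watched ports (critical) and
    external sources rejected at least reject_threshold times (probing)."""
    accepted_external = []
    rejects = Counter()
    for line in text.splitlines():
        rec = parse_flow_log(line)
        if rec is None or rec["dstport"] not in watched_ports:
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr:
            continue   # internal traffic, e.g. web tier to DB, is expected
        service = watched_ports[rec["dstport"]]
        if rec["action"] == "ACCEPT":
            accepted_external.append((rec["srcaddr"], rec["dstport"], service))
        elif rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
    probing = {src: n for src, n in rejects.items() if n >= reject_threshold}
    return {"accepted_external": accepted_external, "probing_sources": probing}


if __name__ == "__main__":
    print(analyse_flow_logs(SAMPLE_FLOW_LOGS))
```

An accepted external connection to the database port is the higher-severity finding, because it means a security group or route is not what the two-layer design assumes; the reject counter is the noisy, lower-severity signal that belongs on a dashboard rather than a pager.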
19. Reliability
The ability of a system to recover from infrastructure or
service failures, dynamically acquire computing resources
to meet demand and mitigate disruptions such as
misconfigurations or transient network issues.
• Foundations
• Change Management
• Failure Management
20. Reliability: High Availability
• No Single Point of Failure
• Multiple Availability Zones
• Load Balancing
• Auto Scaling and Healing
21. Multi AZ, Load Balanced, Auto Scaled
[Slide diagram: users resolve via Amazon Route 53 to Elastic Load Balancing; WEB servers in an Auto Scaling Group span Web Subnet A and Web Subnet B across Availability Zones A and B; the active RDS DB instance sits in DB Subnet A with a standby in DB Subnet B; Amazon S3 and Amazon CloudWatch alongside]
25. Performance Efficiency
The ability to use computing resources efficiently to meet
system requirements and to maintain that efficiency as
demand changes and technologies evolve.
• Compute
• Storage
• Database
28. Performance Efficiency: Proximity and Caching
• Session State in ElastiCache (Redis) for .NET:
<sessionState mode="Custom" customProvider="MySessionStateStore">
  <providers>
    <!-- Redis session state provider pointing at the ElastiCache endpoint -->
    <add name="MySessionStateStore"
         type="Microsoft.Web.Redis.RedisSessionStateProvider"
         host="aspnet.k30h8n.0001.use1.cache.amazonaws.com"
         accessKey="" ssl="false" />
  </providers>
</sessionState>
29. Multi AZ, Load Balanced, Auto Scaled, Caching
[Slide diagram: the previous layout with caching added: users resolve via Amazon Route 53 to Amazon CloudFront and AWS WAF in front of Elastic Load Balancing; WEB servers in an Auto Scaling Group across Web Subnet A and Web Subnet B; an ElastiCache node and an RDS read replica in each Availability Zone; the active RDS DB instance in DB Subnet A with a standby in DB Subnet B; Amazon S3 and Amazon CloudWatch alongside]
30. AWS Mobile SDK: Your Mobile App
[Slide diagram: each capability of the app and the AWS service behind it]
• Authenticate Users: Amazon Cognito (Identity Broker)
• Authorise Access: AWS Identity and Access Management
• Analyse User Behavior: Amazon Mobile Analytics
• Store and Share Media: Amazon S3 Transfer Manager
• Synchronise Data: Amazon Cognito (Sync)
• Deliver Media: Amazon CloudFront (Device Detection)
• Store Shared Data: Amazon DynamoDB (Object Mapper)
• Stream Real-time Data: Amazon Kinesis (Recorder)
• Send Push Notifications: Amazon SNS Mobile Push
• Run Business Logic: AWS Lambda
32. Cost Optimisation
The ability to avoid or eliminate unneeded cost or
suboptimal resources.
• Matching Capacity and Demand
• Cost-effective Resources
• Expenditure Awareness
• Optimising Over Time
33. Cost Optimisation: Capacity Matching
• Demand Based
• Queue Based
• Schedule Based
• Appropriately Provisioned
• Instance Matching
• Pro-active Monitoring and Action
[Slide icons: Amazon SQS, optimised instance, Amazon SWF]
38. Who I Am and What I Do
• Solution Architect
• Head up our AWS Platform Architecture and DevOps
Team
• Involved in various aspects of our Application
Architecture and Product Technical Development
39. AWS is a Developer Platform
• Access to Advanced Tools like Load Balancers without
Network Knowledge
• Control the Infrastructure as Code… something we are
already comfortable with
• Platform Removes a lot of Undifferentiated Heavy Lifting
40. Cloud Formation
• Cloud Formation is Worth Learning
• Comes with great Developer Documentation and written
in JSON
• Has Calls and Support for almost all of the Platform
• Has become a Corner Stone of our Environment
41. Code Deploy
• Push Code to Servers
• Integrates with GitHub Auto Deploy Trigger from
Commits
• Can Deploy Code to Non-AWS Servers as well
• Is Simple and Flexible
42. Some Things We’ve Learned
• Faster to Deploy Services – No more waiting for IT
• It's Not a Perfect World – Smart Compromises can be Key
• Manage your Costs as you go
• Have a Tag Policy – Doesn’t have to be Complex
43. Our Tag Policy
• KISS Policy Applies!
• Lambda can help with some Tag Management
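One shape such a Lambda function can take, added here as an example rather than Reckon's own code: a small mandatory-tag policy and a handler that reports every resource failing it. The required tags, allowed values and the resources in the event are constructed for the demo; a real function would fetch resources through the EC2 or Resource Groups Tagging API instead of reading them from the event.

```python
"""Tag-policy compliance check in a Lambda-handler shape (added example).

REQUIRED_TAGS, allowed values and the resources in SAMPLE_EVENT are constructed;
a deployed function would list resources via the AWS API instead."""

# Keep It Simple: three mandatory tags, one with a fixed set of values.
REQUIRED_TAGS = {
    "Environment": {"prod", "test", "dev"},
    "Owner": None,          # any non-empty value is fine
    "CostCentre": None,
}


def check_tags(tags, required=REQUIRED_TAGS):
    """Return a list of problems for one resource's tags ({key: value})."""
    problems = []
    for key, allowed in required.items():
        value = tags.get(key, "").strip()
        if not value:
            problems.append(f"missing tag {key}")
        elif allowed is not None and value not in allowed:
            problems.append(f"{key}={value!r} not in {sorted(allowed)}")
    return problems


def handler(event, context=None):
    """Lambda-style entry point.  The event carries a constructed resource list;
    tags use the EC2 API's {"Key": ..., "Value": ...} shape."""
    noncompliant = {}
    for res in event["resources"]:
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        problems = check_tags(tags)
        if problems:
            noncompliant[res["ResourceId"]] = problems
    return {"checked": len(event["resources"]), "noncompliant": noncompliant}


# Constructed input: one compliant instance, one with a wrong value and a
# missing tag, and an untagged volume.
SAMPLE_EVENT = {"resources": [
    {"ResourceId": "i-0aaa", "Tags": [{"Key": "Environment", "Value": "prod"},
                                      {"Key": "Owner", "Value": "platform-team"},
                                      {"Key": "CostCentre", "Value": "4100"}]},
    {"ResourceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "production"},
                                      {"Key": "Owner", "Value": "platform-team"}]},
    {"ResourceId": "vol-0ccc", "Tags": []},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Scheduling this on a timer and sending the `noncompliant` map to the owners keeps cost reports attributable without making the policy itself any more complex than three keys.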
54. Developer Support
The Developer Support plan offers resources for customers
testing or developing on AWS, as well as any customers
who:
• Want Access to Guidance and Technical Support
• Are Exploring how to Quickly put AWS to Work
• Use AWS for Non-production Workloads or Applications
• Trusted Advisor – Core Checks
• Architecture Support – Developer
56. Get Started
Architecture Centre: https://aws.amazon.com/architecture/
AWS Well-Architected Framework
https://aws.amazon.com/whitepapers/
10m Tutorials: https://aws.amazon.com/getting-started/
58. AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment – learn how related services work together
AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
59. Your Training Next Steps:
• Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
• Register & attend AWS instructor led training
• Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training