2. What to expect from this short talk
AWS concepts: AWS Regions, Availability Zones
Understanding EC2 instance options and how to choose the right one/mix for your workload
Understanding Storage options and how to choose the right one/mix for your workload
The basics of VPC networking and setting up a load balancer
Monitoring, Metrics & Logs
Security and Access Control
Deployment
3. AWS global infrastructure
16 regions (a region is a separate geographic area). Each region has multiple, isolated locations known as Availability Zones. Resources aren't replicated across regions unless you do so specifically.
42 Availability Zones
*Throughout the next year, the AWS global infrastructure will expand with at least five new Availability Zones in new geographic regions: Ningxia in China, Paris in France.
5. Amazon Elastic Compute Cloud (EC2) - Elastic virtual servers in the cloud
[Diagram: physical servers in AWS global regions; each host server runs a hypervisor carrying Guest 1, Guest 2 … Guest n]
6. Amazon EC2 10+ years ago…
• First generation, single instance family and size
• m1.small (1 vCPU, 1.7 GiB RAM, 160 GB storage)
• Linux only
• On-Demand pricing only
8. Choosing the Right Amazon EC2 Instance
EC2 Instance types are optimized for different use cases & come in multiple sizes. This allows you to optimally scale resources to your workload requirements.
AWS utilizes Intel® Xeon® processors for EC2 Instances, providing customers with high performance and value.
Consider the following when choosing your instances: core count, memory size, storage size & type, network performance, & CPU technologies.
Hurry Up & Go Idle - A larger compute instance can save you time and money; paying more per hour for a shorter amount of time can be less expensive.
9. Get the Intel® Advantage
Intel’s latest 22nm Haswell microarchitecture on new C4 instances, with custom Intel® Xeon® v3 processors, provides new features:
Haswell microarchitecture has better branch prediction and greater efficiency at prefetching instructions and data, along with other improvements that can boost existing applications’ performance by 30% or more.
P-state and C-state control provides the ability to individually tune each core's performance and sleep states to improve application performance.
Intel® AVX2.0 instructions can double the floating-point performance for compute-intensive workloads over Intel® AVX, and provide additional instructions useful for compression and encryption.
10. Intel® Processor Technologies
Intel® AVX – Get dramatically better performance for highly parallel HPC workloads such as life science engineering, data mining, financial analysis, or other technical computing applications. AVX also enhances image, video, and audio processing.
Intel® AES-NI – Enhance your security with these new encryption instructions that reduce the performance penalty associated with encrypting/decrypting data.
Intel® Turbo Boost Technology – Get more computing power when you need it, with performance that adapts to spikes in your workload with Intel® Turbo Boost Technology 2.0.
22. Amazon VPC
A virtual network in your own logically isolated area within the AWS cloud, populated by infrastructure, platform, and application services that share common security and interconnection.
aws.amazon.com/vpc/
23. VPC Networking
▶ Elastic network interface (ENI)
▶ Subnet
▶ Network access control list (ACL)
▶ Route table
▶ Internet gateway
▶ Virtual private gateway
▶ Route 53 private hosted zone
24. [Diagram: a VPC spanning Availability Zone 1a and Availability Zone 1b with three VPC Subnets holding instances at 10.0.0.5, 10.0.0.6, 10.0.3.17, 10.0.3.5, 10.0.1.5, 10.0.1.25, 10.0.1.8 and 10.0.1.6; an Internet Gateway connects the VPC to the Internet, and a Virtual Private Gateway connects over a VPN Connection to the Customer Gateway in the Customer Data Center]
31. Amazon CloudWatch
A monitoring service for AWS cloud resources and the applications that you run on AWS. Use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms.
aws.amazon.com/cloudwatch/
34. Monitoring Scripts for EC2 Instances
docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts.html
35. Amazon CloudWatch Logs
Monitor applications and systems using log data
Store in highly durable storage and set retention
Access your log files via Web, CLI, or SDK
Sources: Amazon EC2 (Linux & Windows), AWS Lambda, …
docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html
36. CloudWatch Metrics & Alarms
[Diagram: an AWS Resource or Your Custom Data feeds a CloudWatch Metric; the Metric drives an Alarm, and the Alarm triggers an Action]
37. CloudWatch Logs + Filter
[Diagram: as in slide 36, but Logs pass through a Filter to produce the Metric that drives the Alarm and the Action]
41. Access a deep set of cloud security tools
Encryption: Key Management Service, CloudHSM, Server-side Encryption
Networking: Virtual Private Cloud, Web Application Firewall
Compliance: Config, CloudTrail, Service Catalog
Identity: IAM, Active Directory Integration, SAML Federation
42. Security and Access Foundations
Access credentials: access key and secret key used to authenticate when accessing AWS APIs
Key pairs: public key and private key used to authenticate when accessing an Amazon EC2 instance
43. USE IAM ROLES TO PASS ACCESS CREDENTIALS TO AN INSTANCE
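The slide's point is that an instance should obtain its credentials from a role rather than from an access key and secret key placed on the machine. The following is an added example, not code from the deck: it builds the two policy documents an EC2 instance role needs (the trust policy that lets only the EC2 service assume the role, and a least-privilege permissions policy) and lints them for the broad grants an instance role should never carry. The role name and bucket name are constructed placeholders.

```python
"""Added example: build and lint the policy documents for an EC2 instance role.
Not code from the slides; ROLE_NAME and BUCKET are constructed placeholders."""
import json

ROLE_NAME = "web-tier-role"       # placeholder role name
BUCKET = "example-app-artifacts"  # placeholder bucket the instances read from


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume this role on an instance's behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def scoped_permissions_policy(bucket: str) -> dict:
    """Least-privilege permissions: list and read one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that are broader than an instance role should be."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        if any(a.lower().startswith("iam:") for a in actions):
            findings.append(f"statement {i}: grants IAM permissions to an instance")
    return findings


def trust_policy_findings(policy: dict) -> list:
    """A trust policy for an instance role should name only the EC2 service principal."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: anyone may assume this role")
        elif not isinstance(principal, dict) or principal.get("Service") != "ec2.amazonaws.com":
            findings.append(f"statement {i}: principal is not ec2.amazonaws.com")
    return findings


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(scoped_permissions_policy(BUCKET), indent=2))
    print("findings:", policy_findings(scoped_permissions_policy(BUCKET)))
```

With the two documents written to files, the standard CLI sequence is `aws iam create-role --assume-role-policy-document file://trust.json`, `aws iam put-role-policy` for the permissions, `aws iam create-instance-profile` plus `aws iam add-role-to-instance-profile`, and then `--iam-instance-profile` on `run-instances` or on the launch configuration shown later in the deck; the SDK on the instance picks the temporary credentials up from the metadata service with no key material on disk.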
47. Amazon maintained: set of Linux and Windows images kept up to date by Amazon in each region
Community maintained: images published by other AWS users; managed and maintained by Marketplace partners
Your machine images: AMIs you have created from EC2 instances; can be kept private or shared with other accounts
48. Bake an AMI
Start an instance
Configure the instance
Create an AMI from your instance
Start new ones from the AMI
49. Bake an AMI
Start an instance
Configure the instance
Create an AMI from your instance
Start new ones from the AMI
Configure dynamically
Launch an instance
Use metadata service and cloud-init to perform actions on the instance when it launches
50. Bake an AMI + Configure dynamically
Bake an AMI: build your base images and set up custom initialization scripts; maintain your ‘golden’ base
Configure dynamically: use bootstrapping to pass custom information in and perform post-launch tasks like pulling code from SVN
54. Maintain EC2 instance availability
Detects impaired EC2 instances
Replaces the instances automatically
Automatically Scale Your Amazon EC2 Fleet
Follow the demand curve for your applications
Reduce the need to manually provision Amazon EC2 capacity
Run at optimal utilisation
55. Reusable Instance Templates
Provision instances based on a reusable template you define, called a launch configuration.
Automated Provisioning
Keep your Auto Scaling group healthy and balanced, whether you need one instance or 1,000.
Adjustable Capacity
Maintain a fixed group size or adjust dynamically based on Amazon CloudWatch metrics.
56. Launch Configuration
Describes what Auto Scaling creates when adding instances
Only one active launch configuration at a time
aws autoscaling create-launch-configuration \
  --launch-configuration-name launch-config \
  --image-id ami-54cf5c3d \
  --instance-type m3.medium \
  --key-name mykey \
  --security-groups webservers
Auto Scaling group
Auto Scaling managed grouping of EC2 instances
Automatically scale the number of instances by policy
aws autoscaling create-auto-scaling-group \
  --auto-scaling-group-name autoscaling-group \
  --availability-zones eu-west-1a eu-west-1b \
  --launch-configuration launch-config \
  --load-balancer-names myELB \
  --min-size 1 \
  --max-size 5
Auto Scaling policy
Parameters for performing an Auto Scaling action
Scale in/out and by how much (ChangeInCapacity requires --scaling-adjustment; --min-adjustment-magnitude applies only to PercentChangeInCapacity)
aws autoscaling put-scaling-policy \
  --auto-scaling-group-name autoscaling-group \
  --policy-name autoscaling-policy \
  --adjustment-type ChangeInCapacity \
  --scaling-adjustment 2 \
  --cooldown 300
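What a simple scaling policy actually does to the group is easy to get wrong: percentage adjustments are rounded, a minimum adjustment magnitude can override a small percentage, the result is clamped to the group's min/max size, and a policy that fires during the cooldown is ignored. The simulation below is an added example, not code from the deck or from AWS; the group sizes, alarm timestamps and policies are constructed, and the rounding rule follows the one AWS documents for PercentChangeInCapacity.

```python
"""Added example (not from the slides): simulate how a simple scaling policy
changes an Auto Scaling group's desired capacity.  Sizes and timestamps are
constructed; the rounding rule is the one AWS documents for percentage changes."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScalingPolicy:
    adjustment_type: str               # ChangeInCapacity | ExactCapacity | PercentChangeInCapacity
    adjustment: int                    # instance count, target size, or percentage
    min_adjustment_magnitude: int = 0  # PercentChangeInCapacity only
    cooldown: int = 300                # seconds after a scaling activity before the policy may fire again


def round_percent_adjustment(value: float) -> int:
    """Documented rounding: >1 rounds down, (0,1] becomes 1, [-1,0) becomes -1, <-1 rounds up."""
    if value > 1:
        return math.floor(value)
    if 0 < value <= 1:
        return 1
    if -1 <= value < 0:
        return -1
    if value < -1:
        return math.ceil(value)
    return 0


def desired_capacity(current: int, policy: ScalingPolicy, min_size: int, max_size: int) -> int:
    """Capacity the group moves to when the policy fires, bounded by min/max size."""
    if policy.adjustment_type == "ChangeInCapacity":
        target = current + policy.adjustment
    elif policy.adjustment_type == "ExactCapacity":
        target = policy.adjustment
    elif policy.adjustment_type == "PercentChangeInCapacity":
        delta = round_percent_adjustment(current * policy.adjustment / 100)
        # MinAdjustmentMagnitude: a percentage of a small group must still move at least this many instances
        if policy.min_adjustment_magnitude and 0 < abs(delta) < policy.min_adjustment_magnitude:
            delta = policy.min_adjustment_magnitude * (1 if delta > 0 else -1)
        target = current + delta
    else:
        raise ValueError(f"unknown adjustment type {policy.adjustment_type}")
    return max(min_size, min(max_size, target))


def policy_may_fire(last_activity: Optional[int], now: int, policy: ScalingPolicy) -> bool:
    """A simple scaling policy is ignored while the group is inside its cooldown period."""
    return last_activity is None or now - last_activity >= policy.cooldown


def simulate(alarm_times, current: int, policy: ScalingPolicy, min_size: int, max_size: int) -> list:
    """Apply the policy at each alarm timestamp (seconds); return the capacity after each alarm."""
    history = [current]
    last = None
    for t in alarm_times:
        if policy_may_fire(last, t, policy):
            current = desired_capacity(current, policy, min_size, max_size)
            last = t
        history.append(current)
    return history


if __name__ == "__main__":
    scale_out = ScalingPolicy("ChangeInCapacity", 2, cooldown=300)
    print(simulate([0, 100, 300, 700], 1, scale_out, min_size=1, max_size=5))
```

The second alarm in the demonstration run (at t=100) is dropped because it lands inside the 300-second cooldown, and the fourth is clamped by the group's max size of 5; both are the behaviours to check before assuming an alarm will translate into capacity.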
61. AWS CodeDeploy
• Scale from 1 instance to thousands
• Deploy without downtime
• Centralize deployment control and monitoring
• On-premises support
Coordinate automated deployments, just like Amazon
[Diagram: Application Revisions (v1, v2, v3) flow through CodeDeploy to the Dev, Staging and Production Deployment Groups]
aws.amazon.com/codedeploy/
62. Amazon EC2 Container Service
A highly scalable, high performance container management service
aws.amazon.com/ecs/
Launch and terminate Docker containers across a cluster of EC2 instances
Mount persistent volumes at launch
Private Docker repositories
63. Additional Resources and further Learning
Getting Started with Amazon EC2: http://aws.amazon.com/ec2/getting-started/
Auto Scaling Getting Started Tutorial: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/GettingStartedTutorial.html
We’ve also expanded globally
Our data center footprint spans 5 continents with highly redundant clusters of data centers in each region.
Our footprint is expanding continuously as we increase capacity, redundancy and add locations
You can easily take your application global in minutes
And each region has multiple, isolated availability zones, allowing you to place instances and data in multiple locations within the same region.
Amazon Elastic Compute Cloud is a web service that makes it easy for you to obtain virtual servers, also known as instances, quickly, inexpensively, and without making up-front capital expenditures.
Guests/Instances comprise varying combinations of CPU, memory, storage
Region, AZ, Instance Type, AMI, PV vs HVM, OS….
Back when we started EC2, we had a fraction of the functionality we have today
We only had a single instance size, the m1.small, which offers 1 vCPU, 1.7 Gibibyte of RAM, and 160 GB of storage
We offered Linux operating systems, a single pricing model (On-Demand or by the hour),
And missing were many features commonly used with EC2 today, such as Elastic Block Store, Autoscaling, Elastic load balancing, the AWS Management Console, and Elastic IP addresses:
An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Your EIP is associated with your AWS account, not a particular instance, and it remains associated with your account until you choose to explicitly release it.
Choosing the right EC2 Instance type matters. Selecting an appropriate instance type for your workload can save time and money. AWS has a wide variety of EC2 compute instance types to choose from. Each instance type or family (like T2, M3, C4, C3, G2, R3, and so on) is optimized for different workloads or use cases. Within an EC2 family, you can choose from different sizes, for example micro, small, medium, large, xlarge, 2xlarge, and so on. AWS utilizes Intel® Xeon® processors for the EC2 Instances to provide customers with high performance and value for their computing needs.
When you choose your instance type you should consider several attributes of each family, such as number of cores, amount of memory, amount & type of storage, network performance, and processor technologies.
Another important consideration is TCO. A lowest-price per hour instance is not necessarily a money saver; a larger compute instance can sometimes save both money and time. It is important to evaluate all the options to see what is best for your workload.
AWS recently launched C4 compute-optimized instances which utilize Intel’s latest 22nm Haswell microarchitecture. C4 instances use custom Intel® Xeon® v3 processors designed and built especially for AWS.
Through its relationship with Intel®, AWS provides its customers with the latest and greatest Intel® Xeon® processors that help in delivering the highest level of processor performance in EC2.
Intel® Xeon® processors have several other important technology features that can be leveraged by EC2 Instances.
Intel® AVX is perfect for highly parallel HPC workloads such as life sciences or financial analysis.
Intel® AES-NI accelerates encryption/decryption of data and therefore reduces the performance penalty that usually comes with encryption.
Intel® Turbo Boost Technology automatically gives you more computing power when your workloads are not fully utilizing all CPU cores. Think of it as automatic overclocking when you have thermal headroom.
The matrix on the slide highlights the individual Intel® technologies that were discussed previously and the EC2 instance family that can leverage each of these technologies.
A complete list of Amazon EC2 Instance types can be found here: http://aws.amazon.com/ec2/instance-types/
Here’s a visualization of the network components of a VPC, which can span availability zones
Traffic can be routed from a subnet to the internet, or it can be kept private
You can also route subnet traffic to a Virtual Private Gateway which connects via VPC to a customer data center
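The routing and filtering decisions described above are deterministic, so they can be checked offline before a subnet goes live. The following is an added example, not code from the deck: it evaluates a route table with longest-prefix matching the way the VPC does, evaluates an inbound network ACL in rule-number order with the implicit final deny, and checks that a subnet intended to be private has no route to an Internet gateway. The route tables, ACL rules and gateway ids are constructed; the addresses reuse the 10.0.0.0/16 style of the diagram.

```python
"""Added example (not from the slides): evaluate a VPC route table and a network
ACL, and verify a private subnet has no Internet gateway route.  Routes, rules
and gateway ids are constructed placeholders."""
import ipaddress

# Constructed route tables; target names mimic VPC gateway ids but are placeholders.
PUBLIC_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),        # the VPC's own address range
    ("192.168.0.0/16", "vgw-corp"),  # customer data center via the Virtual Private Gateway / VPN
    ("0.0.0.0/0", "igw-main"),       # everything else out through the Internet Gateway
]
PRIVATE_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "vgw-corp"),  # no default route, so no path to the internet
]

# Constructed inbound network ACL: (rule number, action, protocol, from_port, to_port, source CIDR)
INBOUND_ACL = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    (110, "allow", "tcp", 22, 22, "192.168.0.0/16"),   # SSH only from the corporate network
    (120, "deny", "tcp", 22, 22, "0.0.0.0/0"),
    (130, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),   # ephemeral ports for return traffic; ACLs are stateless
]


def next_hop(routes, destination: str):
    """Most specific (longest prefix) matching route wins; None means unroutable."""
    addr = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def has_internet_route(routes) -> bool:
    """True if any route points at an Internet gateway, i.e. the subnet is public."""
    return any(target.startswith("igw-") for _, target in routes)


def acl_decision(rules, protocol: str, port: int, source: str) -> str:
    """Rules are evaluated in ascending rule-number order and the first match decides;
    the implicit final '*' rule denies traffic that matched nothing."""
    src = ipaddress.ip_address(source)
    for _, action, proto, lo, hi, cidr in sorted(rules, key=lambda r: r[0]):
        if proto in ("all", protocol) and lo <= port <= hi and src in ipaddress.ip_network(cidr):
            return action
    return "deny"


if __name__ == "__main__":
    for dst in ("10.0.1.5", "192.168.10.4", "93.184.216.34"):
        print(dst, "public ->", next_hop(PUBLIC_SUBNET_ROUTES, dst),
              "private ->", next_hop(PRIVATE_SUBNET_ROUTES, dst))
    print("private subnet exposed:", has_internet_route(PRIVATE_SUBNET_ROUTES))
    print("ssh from internet:", acl_decision(INBOUND_ACL, "tcp", 22, "203.0.113.7"))
```

Note that rule 120 is what makes the SSH restriction hold: without it, rule 130 never matches port 22, but a later permissive rule could, so an explicit deny placed before any broad allow is the conventional way to keep an ACL readable.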
Elastic Load Balancer does health checks. If Elastic Load Balancing finds an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to healthy instances.
At the same time, Auto Scaling periodically performs health checks on instances. When Auto Scaling determines that an instance is unhealthy, it terminates that instance and launches a new one.
Using this functionality across multiple availability zones allows your architecture to fail over to either availability zone, enabling a highly available web architecture within a region
You’ll notice as well that static content is delivered through CloudFront our Content Delivery Network
Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.
Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real-time. You can use CloudWatch to collect and track metrics, which are the variables you want to measure for your resources and applications. CloudWatch alarms send notifications or automatically make changes to the resources you are monitoring based on rules that you define. For example, you can monitor the CPU usage and disk reads and writes of your Amazon Elastic Compute Cloud (Amazon EC2) instances and then use this data to determine whether you should launch additional instances to handle increased load. You can also use this data to stop under-used instances to save money. In addition to monitoring the built-in metrics that come with AWS, you can monitor your own custom metrics. With CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.
The Amazon CloudWatch Monitoring Scripts for Amazon Elastic Compute Cloud (Amazon EC2) Linux- and Windows-based instances demonstrate how to produce and consume Amazon CloudWatch custom metrics. These sample Perl scripts comprise a fully functional example that reports memory, swap, and disk space utilization metrics for a Linux instance. The scripts for Windows are sample PowerShell scripts that comprise a fully functional example that reports memory, page file, and disk space utilization metrics for a Windows instance. You can download the CloudWatch Monitoring Scripts for Linux and for Windows from the Amazon Web Services (AWS) sample code library and install them on your Linux- or Windows-based instances.
Your applications and data are protected by highly secure facilities and infrastructure, as well as extensive network and security monitoring systems. Additional security measures include:
Secure API access – API endpoints allow secure HTTP access (HTTPS) so that you can establish secure communication sessions with your AWS services using SSL.
Built-in firewalls – You can control how accessible your EC2 instances are by configuring firewall rules
Unique users – The AWS Identity and Access Management (IAM) tool allows you to control the level of access your own users have to your AWS infrastructure services.
Multi-factor authentication (MFA)
Private Subnets – The AWS Virtual Private Cloud (VPC) service allows you to add another layer of network security to your instances by creating private subnets
Encrypted data storage – Customers can have the data stored in Amazon EBS automatically encrypted using Advanced Encryption Standard (AES) 256
Dedicated connection option – The AWS Direct Connect service allows you to establish a dedicated network connection from your premise to AWS.
To protect your application, AWS invests in a broad portfolio of security, identity, and management tools to help ensure your applications are secure and operate in a compliant manner.
--NETWORKING--
Amazon VPC: Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. With Amazon VPC, you can make the Amazon cloud a seamless extension of your existing on-premises resources.
AWS WAF: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
--ENCRYPTION--
AWS KMS: AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect your data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CloudHSM: The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.
Server-side Encryption: AWS allows data to be encrypted with AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys. We also make the AWS Encryption SDK freely available to help developers correctly generate and use encryption keys, as well as protect the key after it has been used.
--IDENTITY--
AWS IAM: AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
AWS Directory Service: AWS Directory Service makes it easy to set up and run Microsoft Active Directory (AD) in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, domain join Amazon EC2 instances, as well as simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
SAML Federation: AWS IAM supports SAML 2.0 to allow identity integration with most major identity management solutions. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html]
--COMPLIANCE--
AWS Service Catalog: AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
AWS CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
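The CloudTrail record fields listed above (caller identity, time, source IP, parameters, error code) are exactly what the "CloudWatch Logs + Filter" slide turns into metrics and alarms. The following is an added example, not code from the deck or from AWS: it parses CloudTrail-shaped log lines, applies three metric-filter style predicates (root account usage, console login without MFA, unauthorized API calls), and reports which alarms would fire for the period. The log lines are constructed samples that follow the CloudTrail record layout; account ids and addresses are placeholders.

```python
"""Added example (not from the slides): CloudTrail records -> metric filters ->
alarms, as a CloudWatch Logs metric filter and alarm would evaluate them.
SAMPLE_LOG_LINES are constructed; account ids and addresses are placeholders."""
import json
from collections import Counter

SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"eventTime": "2017-03-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-03-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-03-01T10:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.11", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2017-03-01T10:07:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.11", "errorCode": "AccessDenied"},
    {"eventTime": "2017-03-01T10:08:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-tier-role/i-0abc"},
     "sourceIPAddress": "10.0.1.5"},
]]

# Each metric filter is a name plus a predicate over one parsed record, which is
# the role the filter pattern plays in a CloudWatch Logs metric filter.
METRIC_FILTERS = {
    "RootAccountUsage": lambda r: r.get("userIdentity", {}).get("type") == "Root",
    "ConsoleLoginWithoutMFA": lambda r: (r.get("eventName") == "ConsoleLogin"
                                         and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    "UnauthorizedAPICalls": lambda r: r.get("errorCode", "") in ("AccessDenied", "Client.UnauthorizedOperation"),
}

# Alarm thresholds: metric name -> count within the evaluation period that triggers the action
ALARM_THRESHOLDS = {"RootAccountUsage": 1, "ConsoleLoginWithoutMFA": 1, "UnauthorizedAPICalls": 2}


def parse_records(lines) -> list:
    """CloudTrail delivers one JSON record per log event; lines that are not JSON are skipped."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def metric_counts(records) -> Counter:
    """Apply every filter to every record: the metric value for the period."""
    counts = Counter({name: 0 for name in METRIC_FILTERS})
    for rec in records:
        for name, matches in METRIC_FILTERS.items():
            if matches(rec):
                counts[name] += 1
    return counts


def alarms_in_state(counts: Counter) -> list:
    """Metrics at or above their threshold are the alarms that would trigger an action."""
    return sorted(name for name, threshold in ALARM_THRESHOLDS.items() if counts[name] >= threshold)


def matching_records(records, metric_name: str) -> list:
    """The records behind a metric, for the analyst following up on an alarm."""
    return [r for r in records if METRIC_FILTERS[metric_name](r)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    counts = metric_counts(recs)
    print(dict(counts))
    for name in alarms_in_state(counts):
        print("ALARM", name, [(r["eventTime"], r["sourceIPAddress"]) for r in matching_records(recs, name)])
```

In production the predicates become filter patterns on the log group that receives the trail, the thresholds become CloudWatch alarms, and the action is typically an SNS notification; the analyst's follow-up still comes back to the same record fields the slide lists.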
AWS Config: AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Analytics
Complex analytics such as log scanning or simulations, typically performed as batch jobs, can be completed cost-effectively with Spot Instances.
Big Data
Spot Instances can be used with tools like Amazon Elastic MapReduce to process massive amounts of data, from human genomes to the Twitter fire hose.
Financial Modeling and Analysis
Financial Services firms use Spot Instances to reduce the time and cost to perform complex analysis ranging from wealth management simulations to Counterparty Value Analytics.
Geospatial Analysis
Geographic information system (GIS) providers use Spot to speed up and reduce the cost of batch processing jobs such as rendering and satellite image processing.
Image and Media Encoding
Media and Entertainment companies can cost-effectively render and encode media assets using Spot Instances, scaling their infrastructures based on demand.
Scientific Computing
Scientific researchers and high performance computing customers use Spot to cost-effectively perform simulations ranging from drug discovery to genomics research.
Testing
Load, integration, canary, and security testing all benefit from the elasticity and price savings associated with Spot Instances.
Web Crawling
Web crawling processes can easily and cost-effectively scale-out on Spot Instances by leveraging Amazon Elastic MapReduce or other tools to get work done faster and typically cheaper.
The video from re:Invent 2014 includes further detail on event notifications and AWS Lambda