Microservices Building Scalable, Discoverable Secure Services on AWS - Chris Modica - AWS TechShift ANZ 2018

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Microservices :
Building scalable, discoverable,
secure services on AWS
Chris Modica – Enterprise Solution Architect - AWS ISV
@chris_modica_

The fast
companies are 440x
faster than
the slow
https://puppet.com/resources/whitepaper/state-of-devops-report
Time to Value

What is a Microservice ?
“is a software architecture style in
which complex applications are
composed of small, independent
processes communicating with each
other using language-agnostic APIs.
These services are small, highly
decoupled and focus on doing a
small task, facilitating a modular
approach to system-building.”
– Wikipedia

Services communicate with each
other over the network
“service-oriented
architecture
composed of
loosely coupled
elements
that have
bounded contexts”
Adrian Cockcroft (VP, Cloud Architecture Strategy at AWS)
What are Microservices ?

“service-oriented
architecture
composed of
loosely coupled
elements
that have
bounded contexts”
You can update the services
independently; updating one
service doesn’t require changing
any other services.

“service-oriented
architecture
composed of
loosely coupled
elements
that have
bounded contexts”
Self-contained; you can update
the code without knowing
anything about the internals of
other microservices

“Do one thing, and do it well”
“Swiss Army” by by Jim Pennucci. No alterations other than cropping. https://www.flickr.com/photos/pennuja/5363518281/
Image used with permissions under Creative Commons license 2.0, Attribution Generic License (https://creativecommons.org/licenses/by/2.0/)

“Tools” by Tony Walmsley: No alterations other than cropping. https://www.flickr.com/photos/twalmsley/6825340663/
Image used with permissions under Creative Commons license 2.0, Attribution Generic License (https://creativecommons.org/licenses/by/2.0/)
“Do one thing, and do it well”

What makes a microservice “micro”
Too big of a topic to get into
depth today!
Read about:
• Fine-grained systems
• Domain driven design (DDD)
• Bounded Contexts
• Smart endpoints, dumb
pipes
https://samnewman.io/books/building_microservices/

SOA
Coarse-grained
Microservices
Fine-grained
Monolithic
Single Unit
Evolution of Architecture

A Typical Application with Microservices
Webapp
Greeting Name
Client
Greeting
Greeting
Name
Name
Webapp
Webapp

Instances Containers Serverless
Microservices compute options

Amazon EC2

Elastic Beanstalk vs. DIY
Your code
HTTP server
Application server
Language interpreter
Operating system
Host
• Elastic Beanstalk configures
each EC2 instance in your
environment with the
components necessary to run
applications for the selected
platform.
• No more worrying about
logging into instances to
install and configure your
application stack.
Focus on building your application
Provided by you
Provided and managed by Elastic Beanstalk
On-instance configuration

What is a Container ?
• Containers provide a standard way to
package your application's code,
configurations, and dependencies into a
single object.
• The AWS Cloud offers infrastructure
resources optimized for running containers,
as well as a set of orchestration services
that make it easy for you to build and run
containerized applications in production.
• AWS supports OCI compliant containers,
including docker containers
Package your code and run it anywhere

Why do we love containers ?
Packaging Distribution
Immutable
infrastructure

Amazon Elastic Container Registry (ECR)
Amazon ECR
• Easily store, manage and deploy container images
• Full managed Docker container registry
• Integration with AWS Identity and Access management (IAM)
https://aws.amazon.com/ecr

Running containers on EC2
EC2 Instance EC2 InstanceEC2 InstanceEC2 InstanceEC2 Instance

Customers needed an easier way to manage large clusters of
Instances, place containers and run services

Amazon ECS : Running containers at Scale
Availability Zone #1 Availability Zone #2 Availability Zone #3
Scheduling and Orchestration
Cluster Manager Placement Engine

Amazon Elastic Container Service (ECS)
AWS VPC
networking mode
Advanced task
placement
Deep integration
with AWS platform
ECS CLI…{ }
Global footprint
Powerful scheduling
engines
Auto scaling
CloudWatch metrics
Load balancers

Helping customers scale containers
450+%
growth
Hundreds of millions
of containers started each week
millions
of container instances

Customers using Amazon ECS at scale
https://aws.amazon.com/ecs/resources/#Customer_stories

Vend: Amazon ECS + Amazon EC2
• https://www.vendhq.com
• Founded in 2010, Vend is a cloud-based point-
of-sale and retail-management software, first
launched in New Zealand.
• Vend’s software includes inventory
management, e-commerce, customer loyalty,
and reporting analytics, and integrates with
other business tools including Xero, Deputy,
Square, and PayPal.
• Vend is used by retailers in more than 140
countries and more than 18,000 stores
worldwide, with a business focus on Australia,
the United Kingdom, and North America.
Vend: From Monolith to Microservices with
Amazon ECS
https://aws.amazon.com/solutions/case-studies/vend/

Amazon ECS + Amazon EC2
ECS
Agent
Docker
Agent
OS
EC2 Instance
But you still end up managing more than just containers

Scaling the instance fleet for optimal utilization
Amazon ECS + Amazon EC2

ECS
Agent
Docker
Agent
OS
EC2 Instance
ECS
Agent
Docker
Agent
OS
EC2 Instance
ECS
Agent
Docker
Agent
OS
EC2 Instance
Elastic
Container
Service

Running Containers with ECS

Your
Containerized
Applications
MANAGED BY AWS
No EC2 Instances to provision, scale or manage
ELASTIC
Scale up & down seamlessly. Pay only for what you use
INTEGRATED
with the AWS ecosystem: VPC Networking,
Elastic Load Balancing, IAM Permissions, Cloudwatch and more.
AWS Fargate

Amazon ECS Deployment Example
ECS Instance ECS Instance ECS Instance ECS InstanceECS Instance ECS Instance
Notifications
Amazon ECS CLUSTER
Availability Zone #1 Availability Zone #2 Availability Zone #3
Subnet 2
172.31.2.0/24
Subnet 1
172.31.1.0/24
Subnet 3
172.31.3.0/24
Web
Shopping
Cart

Management
Deployment, scheduling, scaling, and management
of containerized applications
Hosting
Where the containers run
Image Registry
Container image repository
AWS Container Services landscape

Make AWS the
BEST PLACE
to run ANY containerized
applications

Community, Contribution, Choice

63%of Kubernetes workloads run on
AWS today
—CNCF survey

Amazon EKS Tenets
Tenet 1
EKS is a platform for enterprises
to run production-grade workloads
Tenet 2
EKS provides a native and
upstream Kubernetes experience
Tenet 3
If EKS customers want to use additional
AWS services, the integrations are seamless
and eliminate undifferentiated heavy lifting

Amazon EKS
mycluster.eks.amazonaws.com
Availability
Zone 1
Availability
Zone 2
Availability
Zone 3
Kubectl

Source Build Test Deploy
Secure
MonitorProvision
Microservices
Compute Data
Messaging Orchestration
API
Firewall
Firewall Manager, WAF
Access Control
IAM
Authentication
Cognito
Assessment
Inspector
Data Classification
Macie
Threat Detection
GuardDuty
Infrastructure as Code
CloudFormation
User Activity
CloudTrail
Configurations
AWS Config
Monitor & Respond
CloudWatch
Trace & Debug
X-Ray
CodePipeline
Cloud9
CodeCommit
Amazon ECR
CodeBuild CodeBuild
AWS
Amazon ECS
Kubernetes
Amazon EKS
Queues
SQS
Pub/Sub
SNS
Containers
Fargate
VMs
EC2
Object
S3
Non-relational
DynamoDB
Relational
Aurora Serverless
Sync
AppSync
Proxy
API Gateway
AWS has an end-to-end solution for building and deploying containerized
applications

Designing and Developing APIs the Serverless Way
Speaker:
Ed Lima, Solutions Architect, Amazon Web Services

Application communication is evolving
Functional calls Find endpoints,
then connect
Across the room
Dynamic name,
number, and location
Across cities / continents 1:1
Known endpoints, APIs

What is service discovery ?
• “Where is Service X?”
• Friendly name -> IP + port
• E.g., app: {10.0.4.5:8080, 10.0.4.6:8080 }

What is it not trivial ?
Dynamic by design:
• Number of containers & instances
• Auto assigned IP addresses & ports
• Placement, scheduling, scaling
• Deployments and upgrades
• Health and connectivity

Challenges : Service Discovery
Each microservice scales up and down independently of one
another:
• How does Service A know the URLs for all instances of
Service B?
• How do you allow services to scale independently while
still using load balancers?
• How does a new instance of a service announce itself to
other services?

Discovery mechanism
How does an application send traffic
to a service from the registry?
Registration mechanism
How is a service added to the registry?
Service Registry
Where is info about services stored?
Decision Criteria

Require install, setup and management
Load Balancers Service Registry
Key-value store
Service Mesh
Service
registry
Common Service Discovery patterns
https://docs.aws.amazon.com/aws-technical-content/latest/microservices-on-aws/service-discovery.html

This should be easier!
Predictable
Names
for services
Auto updated
with latest,
healthy IP, port
Managed: No
overhead of
installation or
monitoring
High availability,
high scale
Extensible:
Flexible
boundaries for
auto discovery

Route 53 provides Service Registry
Route 53 provides APIs to create
• Namespace
• CNAME per service auto name
• A records per task IP
• SRV records per task IP + portService
CNAME: A / SRV record
Namespace

1
Blue green deployments
• myapp.staging.local
• myapp.prod.local
• Private IP
• abstract cluster
details
2
Internal micro services
• web.myapp.local
• Expose Private IP
3
External micro services
• web.myapp.mycompany.com
• Expose public IP or ELB EIP
• network + container health
check
Enables these use cases

Enables these use cases
4
Across ECS & Kubernetes
• Service1.myapp.ecs
• Service2.myapp.eks
5
Across ECS &
AWS & On-Prem
• Service1.myapp.ecs
• Service2.myapp.ec2
• Service3.myapp.onprem
6
Expose to service mesh
• Service1.myapp.local
• Service2.myapp.local

Managed service discovery
Applications invoked by name
Automatically resolved to IP or port
Native to Amazon ECS services
No infrastructure to manage

Amazon ECS Service Discovery (Route 53)
ECS updates service registry based
on naming convention, task registrations, de-
registrations
and health
Route 53 provides Service Registry
Route 53ECS

Move fast. Stay secure.AND

Amazon API Gateway
InternetMobile / Web
app
Places where we can secure our application

AWS Config Rules
AWS Lambda
Incident
response
AWS Security solutions
AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Secrets Manager
AWS Single Sign-On
Identity
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Detective
control
AWS Systems Manager
AWS Shield
AWS WAF – Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
Infrastructure
security
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-Side Encryption
Data
protection

Amazon API Gateway: Security
app

Defense-in-depth
• Network level (e.g. VPC, Security Groups, TLS)
• Server/container-level
• App-level
• IAM policies
Amazon API Gateway (“Front door”)
API Throttling
• Stage-level and Method-level throttling
Authentication & Authorization
• Client-to-service, as well as service-to-service
• AWS Cognito: user pools, federated identities
• API Gateway: custom Lambda authorizers
• IAM-based Authentication
• Token-based auth (JWT tokens, OAuth 2.0)
Secrets management
• S3 bucket policies + KMS + IAM
• Open-source tools (e.g. Vault, Keywhiz)

Mobile / Web
app
Internet • API Keys
• Auth integration
• Rate limiting
Roles
• authenticated users
• guests (no-auth)
• API function
API function(s)
• protected (req. auth)
• open (no auth)
User Pool
Federated identity

Amazon ECS: Security
app

Amazon ECS: Security
Defense-in-depth
• Network level (e.g. VPC, Security Groups, TLS)
• Server/container-level
• App-level
• IAM policies
• IAM roles on ECS tasks
• CloudTrail logs
Authentication & Authorization
• Client-to-service, as well as service-to-service
• IAM-based Authentication
Secrets management
• Parameter Store
• S3 bucket policies + KMS + IAM
• Open-source tools (e.g. Vault, Keywhiz)Container 2

• AWS Microservices Compute options – Instances, Containers and Serverless
• AWS Container Management – Amazon ECS and Amazon EKS
• AWS Container Hosting options – Amazon EC2 and AWS Fargate
• Microservices Service Discovery - Amazon Route 53 and Amazon ECS
• Microservice Security – Amazon API Gateway and Amazon ECS
It’s never been easier to build and launch APIs!
Summary

Enablement Training
2 Day Workshop
Checkpoints
Account Manager & Solution Architect,
Account Plan, Opportunity Review
ISV Deliverables
Multi-tenanted Architecture
2 x AWS Professional Certifications
AWS Deliverables
Sandbox Credits ($20k), Summit or
re:Invent sponsorship, This is My
Architecture & Solution Space listing
SaaS
Enablement Training
2 Day Workshop
Checkpoints
Monthly Office Hours, Deep Drive
Architecture sessions & Roadmap
Sharing, Opportunity Review
ISV Deliverables
Scalable Self Healing Architecture
2 x AWS Associate & 1 DevOps
Certifications
AWS Deliverables
Sandbox Credits ($10k), GTM Plan, MDF
($20k) & Partner Connections
Modernize
Enablement Training
1 Day Workshop
Checkpoints
Virtual Fortnightly Office Hours
ISV Deliverables
Replatformed High Availability
Architecture (QuickStart or Marketplace
Listing), Technical Essentials
AWS Deliverables
Sandbox Credits ($10k), Well Architected
Review, Demo Day
Timeframe: 3 Months
Migrate
Timeframe: 6 Months
Timeframe: 1 Year
AWS TechShift Accelerator
Sydney 5th February 2019
Melbourne 7th February 2019
Sydney 14-15th May 2019
Melbourne 16-17th May 2019
Register Your Interest: https://aws.amazon.com/events/techshift/accelerator/

GET TRAINED AND CERTIFIED ON AWS
Benefits to APN Partners:
• Free Digital Training, including AWS Cloud
Practitioner Essentials
• Online Accreditation Training courses to
learn at your own pace
• ILT and vILT sessions of our Solutions
Training for Partners (STP) courses
• Discounted Classroom Training for APN
Partners
• AWS Credits available when achieving AWS
Certification (all Partner Tiers)
Next steps:
1. Enroll now! aws.training
2. Talk to your Account Manager or Partner Development team (aws-anz-pdr@amazon.com) for more
details!

Thank You
Chris Modica
Enterprise Solution Architect - ISV, AWS
cmmodica@amazon.com
@Chris_Modica_

Microservices Building Scalable, Discoverable Secure Services on AWS - Chris Modica - AWS TechShift ANZ 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Microservices Building Scalable, Discoverable Secure Services on AWS - Chris Modica - AWS TechShift ANZ 2018

Similar to Microservices Building Scalable, Discoverable Secure Services on AWS - Chris Modica - AWS TechShift ANZ 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Microservices Building Scalable, Discoverable Secure Services on AWS - Chris Modica - AWS TechShift ANZ 2018