Welcome and Introductions. Belegu Rinon Imsand Matthias

Transcription

1 Zürich

2 Welcome and Introductions Belegu Rinon Imsand Matthias

3 Agenda

4 Agenda

5 Agenda

6 Introduction: Rinon Belegu Rinon Belegu Digicomp (Technical-Lead AWS and Veeam) Legendary IT (Owner) Certification: AWS Mentor, AWS Trainer, Microsoft Certified Trainer, Veeam Trainer Cloud experience: Buildup diffrent Cloud-Solutions (Switzerland) Implementation of Private-,Public- and Hybrid-Cloud Solutions

7 Introduction: Matthias Imsand Datacenter and Cloud Solutions Matthias Imsand Founder Amanox Solutions (CTO) Dipl. Ing. FH Informatik AWS Instructor Cloud & Linux Module FFHS

8 Cloud Journey How to successfully move to the cloud ENABLING - Trainings - Workshops - Seminars - Labs PROOF OF CONCEPT - Pilot projects - Awareness programs - Test installation - Lesson learned APPLICATION MIGRATION - Forklift / Re-architecting - Containerization - Automation - CI / CD ASSESSMENT - Analysis - Potential, Readiness - Strategy - KPI Definition - Architecture DATA MIGRATION - Storage concept - Security - Migration planning - Identity / Accounting OPERATION - Supported by Amanox - Managed by Amanox - Operated by Amanox

9 AWS IoT connected Drone

10 AWS IoT connected Drone

11

12 AWS Basics

13 Amazon History 1994: Jeff Bezos incorporated the company. 2005: Amazon Publishing was launched. 2007: Kindle was launched. 2012: Amazon Game Studios was launched. 2014: Amazon Prime Now was launched. 1995: Amazon.com launched its online bookstore. 2006: Amazon Web Services (AWS) was launched. 2011: Amazon Fresh was launched. 2013: Amazon Art was launched. 2015: Amazon Home Services and Amazon Echo were launched.

14 Amazon Web Services (AWS) Enable businesses and developers to use web services to build scalable, sophisticated applications. Analytics Development and Management Tools Messaging Storage Content Delivery Compute App Services Database Payments Mobile Networking On-Demand Workforce VPC

15 AWS Pace of Innovation AWS has been continually expanding its services to support virtually any cloud workload, and it now has more than 90 services that range from compute, storage, networking, database, analytics, application services, deployment, management, developer, mobile, Internet of Things (IoT), Artificial Intelligence (AI), security, hybrid and enterprise applications. AWS has launched a total of 1,017 new features and/or services year to date* - for a total of 2,913 new features and/or services since inception in ,

16 Amazon Redshift AWS GovCloud (US) AWS Identity and Access Management Amazon AppStream Amazon DynamoDB AWS Data Pipeline AWS OpsWorks AWS CodeCommit Amazon SNS Amazon SES Amazon Elastic Transcoder Amazon WorkMail AWS Certificate Manager Amazon EFS Amazon QuickSight AWS WAF Amazon CloudSearch Amazon Glacier Amazon EC2 Container Service Amazon SWF Amazon WorkSpaces Amazon Kinesis 1,950 Services and Features (February 1, 2016) Amazon Machine Learning AWS Import/Export AWS CodeDeploy Amazon API AWS KMS Gateway Amazon WorkDocs AWS Direct Connect AWS Storage Gateway Amazon ElastiCache AWS CloudHSM AWS Config Elasticsearch Service AWS Directory Service Amazon RDS for MariaDB AWS IoT Amazon Inspector Amazon Cognito AWS Service Catalog AWS CloudTrail Amazon CloudWatch Logs AWS Elastic Beanstalk Amazon EC2 Container Registry AWS CodePipeline Amazon Route 53 AWS Lambda AWS CloudFormation AWS Device Farm Amazon RDS for Aurora AWS Mobile Hub Amazon Mobile Analytics AWS Import/Export

17 Amazon Redshift AWS GovCloud (US) AWS Identity and Access Management Amazon AppStream Amazon DynamoDB AWS Data Pipeline AWS OpsWorks AWS CodeCommit Amazon SNS Amazon SES Amazon Elastic Transcoder Amazon WorkMail AWS Certificate Manager Amazon EFS Amazon QuickSight AWS WAF Amazon CloudSearch Amazon Glacier Amazon EC2 Container Service Amazon SWF Amazon WorkSpaces Amazon Kinesis 2,420 Services and Features (August 1, 2016) Amazon Machine Learning AWS Import/Export AWS CodeDeploy Amazon API AWS KMS Gateway Amazon WorkDocs AWS Direct Connect AWS Storage Gateway Amazon ElastiCache AWS CloudHSM AWS Config Elasticsearch Service AWS Directory Service Amazon RDS for MariaDB AWS IoT Amazon Inspector Amazon Cognito AWS Service Catalog AWS CloudTrail Amazon CloudWatch Logs AWS Elastic Beanstalk Amazon EC2 Container Registry AWS CodePipeline Amazon Route 53 AWS Lambda AWS CloudFormation AWS Device Farm Amazon RDS for Aurora AWS Mobile Hub Amazon Mobile Analytics AWS Import/Export

18 Amazon Redshift AWS GovCloud (US) AWS Identity and Access Management Amazon AppStream Amazon DynamoDB AWS Data Pipeline AWS OpsWorks AWS CodeCommit Amazon SNS Amazon SES Amazon Elastic Transcoder Amazon WorkMail AWS Certificate Manager Amazon EFS Amazon QuickSight AWS WAF Amazon CloudSearch Amazon Glacier Amazon EC2 Container Service Amazon SWF Amazon WorkSpaces Amazon Kinesis 2,913 Services and Features (January 1, 2017) Amazon Machine Learning AWS Import/Export AWS CodeDeploy Amazon API AWS KMS Gateway Amazon WorkDocs AWS Direct Connect AWS Storage Gateway Amazon ElastiCache AWS CloudHSM AWS Config Elasticsearch Service AWS Directory Service Amazon RDS for MariaDB AWS IoT Amazon Inspector Amazon Cognito AWS Service Catalog AWS CloudTrail Amazon CloudWatch Logs AWS Elastic Beanstalk Amazon EC2 Container Registry AWS CodePipeline Amazon Route 53 AWS Lambda AWS CloudFormation AWS Device Farm Amazon RDS for Aurora AWS Mobile Hub Amazon Mobile Analytics AWS Import/Export

19 AWS Managed Services Redshift Amazon Pinpoint Dynamo DB AWS Snowball Amazon Workmail AWS IoT Schema Conversion Tool AWS OpsWorks CodeCommit Amazon Inspector AWS Batch AWS Snowmobile AWS Organizations Amazon Lex Amazon Kinesis Firehose Amazon Athena AWS WAF Amazon Polly AWS Personal Health Dashboard * As of 1 August 2017 EC2 Container Service AWS OpsWorks for Chef Automate WorkSpaces Amazon EC2 Systems Manager Amazon Lightsail AWS CodeDeploy AWS Greengrass AWS Direct Connect Amazon Lumberyard Device Farm WorkDocs AWS Step Functions AWS Storage Gateway Amazon ElastiCache Amazon Config 3,567 Services and Features (August 1, 2017) Machine Learning Amazon Inspector Amazon Appstream 2.0 AWS Shield AWS Snowball Edge Amazon Rekognition Amazon QuickSight AWS Discovery Services Amazon Cognito CloudWatch Logs AWS Service Catalog EFS AWS Elastic Beanstalk AWS Certificate Manager AWS CodePipeline Amazon Route 53 Lambda AWS Glue AWS X-Ray AWS Codebuild Amazon RDS for Aurora AWS Mobile Hub Mobile Analytics AWS Import/Export

20 AWS Positioned as a Leader in the Gartner Magic Quadrant for Cloud Infrastructure as a Service, Worldwide* AWS is positioned highest in execution and furthest in vision within the Leaders Quadrant *Gartner, Magic Quadrant for Cloud Infrastructure as a Service, Worldwide, Leong, Lydia, Petri, Gregor, Gill, Bob, Dorosh, Mike, August This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from AWS : Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

21 AWS Core Infrastructure and Services Traditional Infrastructure Security Firewalls ACLs Administrators Security Amazon Web Services Security Security Groups Network ACLs AWS IAM Security Groups NACLs Access Mgmt Network Router Network Pipeline Switch Networking Provision On-Demand Servers Public ELB EC2 Classic Network ELB VPC VPC VPC On-Premises Servers AMI Amazon EC2 Instances Storage DAS SAN NAS RDBMS and Database Amazon EBS Amazon EFS Amazon S3 Amazon RDS

22 AWS Cloud Computing Applications Virtual Desktops Collaboration and Sharing Platform Services Databases Relational NoSQL Caching Analytics Cluster Computing Real-time Data Warehouse Data Workflows App Services Queuing Orchestration App Streaming Transcoding Search Deployment and Management Containers Dev/ops Tools Resource Templates Usage Tracking Monitoring and Logs Mobile Services Identity Sync Mobile Analytics Notifications Foundation Services Compute (Virtual, Auto-scaling and Load Balancing) Networking Storage (Object, Block and Archive) Infrastructure Regions Availability Zones Edge Locations

23 AWS Regions IRELAND OREGON OHIO MONTREAL LONDON FRANKFURT BEIJING SEOUL N. CALIFORNIA N. VIRGINIA PARIS (Coming soon) NINGXIA (Coming soon) INDIA TOKYO AWS GOVCLOUD Region SINGAPORE AZ - A AZ - B SÃO PAULO AZ - C SYDNEY

24 AWS Availability Zones Each Availability Zone is: Made up of one or more data centers. Designed for fault isolation. Interconnected with other Availability Zones using high-speed private links. Availability Zone You choose your Availability Zones. AWS recommends replicating across AZs for resiliency.

25 AWS Edge Locations 16 AWS Regions 60+ AWS Edge Locations

26 Ways to access AWS AWS Management Console Easy-to-use graphical interface that supports majority of Amazon Web Services. Command Line Interface (CLI) Access to services via discrete commands that can be issued from a Linux command line, Linux shell script, Windows cmd prompt, Windows batch file, or Windows PowerShell. Software Development Kits (SDKs) Launch EC2 instances, configure networks, etc. from most major programming languages (Python, Ruby,.NET, Java, etc.).

27 AWS Management Console and Services Demonstration

28 Cloud Deployment Models Data Center Upfront capital expense Provision hardware and staff for normal operations and disaster recovery (DR) Limited experimentation and reusability Cloud Available when needed Build up, tear down and reuse with ease Reduced cost and planning for DR, storage redundancy More independence, innovation within the company Hybrid Model Connect data center and cloud resources

29 Amazon Virtual Private Cloud (VPC) Amazon VPC Provision a private, isolated virtual network on the AWS cloud. Have complete control over your virtual networking environment.

30 Amazon VPC Example Internet Customer Network Internet Gateway R Virtual Private Gateway Web Server VPC NAT Gateway App Server DB Server Web Server App Server DB Server Public Subnet Private Subnet VPN Only Subnet Virtual Private Cloud AWS Cloud

31 Amazon Elastic Compute Cloud (EC2) Amazon EC2 Resizable compute capacity Complete control of your computing resources Reduced time required to obtain and boot new server instances

32 Launching an Amazon EC2 Instance 1. Determine the AWS Region in which you want to launch the Amazon EC2 instance. 2. Launch an Amazon EC2 instance from a pre-configured Amazon Machine Image (AMI). 3. Choose an instance type based on CPU, memory, storage, and network requirements. 4. Configure network, IP address, security groups, storage volume, tags, and key pair.

33 1) Determine the AWS Region Proximity to customers (latency) Determine the right region for your services, applications, and data based on these factors. Data governance, legal requirements Services available within the region Costs (vary by region)

34 2) Launch Select an AMI based on: Region Operating system Architecture (32-bit or 64-bit) Launch permissions Storage for the root device Launch instances of any type AMI Instance Host computer Instances Host computer

35 3) Choose an instance type General purpose Compute optimized Storage and I/O optimized Memory optimized GPU- or FPGAenabled T2 M4 C4 I3 D2 X1 F1 M3 C3 I2 HS1 R4 P2 R3 G2

36 4) Configure Network placement and addressing Block Storage Ephemeral or EBS User data Server Role Security groups AMI Instance Tenancy Key pairs

37 Security Groups Restrict access to instances by: Port range IP range Security group or resource ID Instances can be associated with multiple security groups. Allow data ingress and egress. Can be added/modified after launch. Remote Access 22 NAT Remote Access 22 Web Servers Web Traffic 80 port 3306 DB

38 User Data Are supplied to initialize instances automatically and can be a Linux script Windows batch or PowerShell scripts Can install any software package, such as Web servers Database servers Configuration management tools Are executed by Cloud-init on Linux EC2Config service on Windows Runs once per instance-id by default

39 AWS EC2 Demonstration

40 Amazon Simple Storage Service (S3) Amazon S3 Storage for the Internet Natively online, HTTP access Storage that allows you to store and retrieve any amount of data, any time, from anywhere on the web Highly scalable, reliable, fast and durable

41 Amazon S3 Facts Can store an unlimited number of objects in a bucket Objects can be up to 5 TB; no bucket size limit Designed for % durability and 99.99% availability of objects over a given year Can use HTTP/S endpoints to store and retrieve any amount of data, at any time, from anywhere on the web Is highly scalable, reliable, fast, and inexpensive Can use optional server-side encryption using AWS or customer-managed provided client-side encryption Auditing is provided by access logs Provides standards-based REST and SOAP interfaces

42 AWS Storage Options: Block vs. Object Storage What if you want to change one character in a 1-GB file? Block Storage Change one block (piece of the file) that contains the character Object Storage Entire file must be updated

43 Common Use Scenarios Storage and backup Application file hosting Media hosting Software delivery Store AMIs and snapshots

44 Amazon S3 Concepts Amazon S3 To upload your data (photos, videos, documents, etc.): 1. Create a bucket in one of the AWS Regions. 2. Upload any number of objects to the bucket. Bucket [bucket name] name]/ Object Region code Bucket name Preview2.mp4 Tokyo Region (ap-northeast-1) name]/preview2.mp4 Key

45 Amazon S3 Security You can control access to buckets and objects with: Access Control Lists (ACLs) Bucket policies Identity and Access Management (IAM) policies You can upload or download data to Amazon S3 via SSL encrypted endpoints. You can encrypt data using AWS SDKs.

46 Amazon S3 Versioning Protects from accidental overwrites and deletes with no performance penalty. Generates a new version with every upload. Allows easily retrieval of deleted objects or roll back to previous versions. Three states of an Amazon S3 bucket Un-versioned (default) Versioning-enabled Versioning-suspended Key: photo.gif ID: Key: photo.gif ID: Versioning Enabled

47 Amazon Glacier Long term low-cost archiving service Optimal for infrequently accessed data Designed for % durability Three to five hours retrieval time Less than $0.01 per GB/month (depending on region)

48 S3 Lifecycle Policies Amazon S3 lifecycle policies allow you to delete or move objects based on age. Amazon S3 Standard Amazon S3 Standard - Infrequent Access Amazon Glacier Delete 30 Days 60 Days 365 Days Preview2.mp4 Preview2.mp4 Preview2.mp4

49 S3 Storage Class Standard Standard - Infrequent Access Reduced Redundancy Storage Glacier Durability % % 99.99% % Availability 99.99% 99.9% 99.99% N/A First Byte Latency ms ms ms 3-5h Lifecycle Management Policies Yes Yes Yes Yes

50 AWS S3 Demonstration

51 Knowledge Check Q: What AWS service would help support your web application by hosting static assets and storing user uploaded images and video offinstance? Amazon S3 Q: How would an EC2 instance find its private and public IP addresses? Retrieve the instance metadata. Q: You want to deploy a new version of your web application. How do you trigger the user data to run again and update your app? You don't. By default, user data is run once, when the instance first boots. Q: True or False: S3 limits the total amount you can store. False (There is a 5TB limit per object)

52 Agenda

53 Agenda

54 Security, Identities, and Access Management

55 Customers AWS Shared Responsibility Model Customer Applications & Content Platform, Applications, Identity, and Access Management Operating System, Network, and Firewall Configuration Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Customers are responsible for security IN the cloud AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Availability Zones Regions Edge Locations AWS is responsible for the security OF the cloud

56 Physical Security 24/7 trained security staff AWS data centers in nondescript and undisclosed facilities Two-factor authentication for authorized staff Authorization for data center access

57 Hardware, Software, and Network Automated change-control process Bastion servers that record all access attempts Firewall and other boundary devices AWS monitoring tools

58 Certifications and Accreditations ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more

59 SSL Endpoints SSL Endpoints Security Groups VPC Secure Transmission Use secure endpoints to establish secure communication sessions (HTTPS). Instance Firewalls Use security groups to configure firewall rules for instances. Network Control Use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.

60 Security Groups SSL Endpoints Security Groups VPC Secure Transmission Use secure endpoints to establish secure communication sessions (HTTPS). Instance Firewalls Use security groups to configure firewall rules for instances. Network Control Use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.

61 AWS Multi-Tier Security Groups HTTP Ports 80 and 443 only open to the Internet SSH/RDP Engineering staff have SSH/RDP access to Bastion Host Bastion All other internet ports blocked by default

62 Amazon Virtual Private Cloud (VPC) SSL Endpoints Security Groups VPC Secure Transmission Use secure endpoints to establish secure communication sessions (HTTPS). Instance Firewalls Use security groups to configure firewall rules for instances. Network Control Use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.

63 AWS Identity and Access Management (IAM) Manage AWS IAMAWS IAM users and their access Manage AWS IAM roles and their permissions Manage federated users and their permissions

64 AWS IAM Authentication Authentication AWS Management Console User Name and Password IAM User

65 AWS IAM Authentication Authentication AWS CLI or SDK API Access Key and Secret Key IAM User Access Key ID: AKIAIOSFODNN7EXAMPLE Secret Access Key: wjalrxutnfemi/k7mdeng/bpxrficyexamplekey AWS CLI AWS SDK & API Java Python.NET

66 AWS IAM User Management - Groups AWS Account DevOps Group TestDev Group User A User B User C User D

67 AWS IAM Authorization Authorization Policies: Are JSON documents to describe permissions. Are assigned to users, groups or roles. IAM User IAM Roles IAM Group

68 AWS IAM Policy Elements { } "Version": " ", "Statement": [ { "Sid": "Stmt ", "Action": [ "ec2:describe*", "ec2:startinstances", "ec2:stopinstances ], "Effect": "Allow", "Resource": "*", "Condition": { "IpAddress": { "aws:sourceip": " /32 } } }, { "Sid": "Stmt ", "Action": [ "s3:getobject* ], "Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket/* } ] IAM Policy

69 AWS IAM Policy Assignment Assigned Assigned IAM User IAM Policy IAM Group

70 AWS IAM Policy Assignment Assigned Assigned IAM User IAM Policy Assigned IAM Group IAM Roles

71 AWS IAM Roles An IAM role uses a policy. An IAM role has no associated credentials. IAM users, applications, and services may assume IAM roles. IAM Roles

72 AWS IAM Policy Assignment Assigned Assigned IAM User IAM Policy Assigned IAM Group Assumed Assumed IAM User IAM Roles AWS Resources

73 Example: Application Access to AWS Resources Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3. AWS credentials are required: Option 1: Store AWS Credentials on the Amazon EC2 instance. Option 2: Securely distribute AWS credentials to AWS Services and Applications. IAM Roles

74 Select IAM Role AWS IAM Roles - Instance Profiles Amazon EC2 Amazon S3 1 Create Instance 2 4 Application interacts with S3 App & 3 EC2 MetaData Service

75 AWS IAM Roles Assume Role Amazon S3 IAM Restricted Policy Access 3 Access 5 Assigned 1 2 Assume 4 Assume IAM User A-1 IAM User B-1 Assigned 1 IAM Admin Policy AWS Account A IAM Admin Role AWS Account B

76 Temporary Security Credentials (AWS STS) Session Access Key ID Secret Access Key Temporary Security Credentials Session Token Expiration 15 minutes to 36 hours Use Cases Cross account access Federation Mobile Users Key rotation for Amazon EC2-based apps

77 Application Authentication No Support No Support OS AWS IAM Application

78 AWS IAM Authentication and Authorization Authentication AWS Management Console User Name and Password AWS CLI or SDK API Access Key and Secret Key Authorization Policies IAM User IAM Roles IAM Group

79 AWS IAM Best Practices Delete AWS account (root) access keys. Create individual IAM users. Use groups to assign permissions to IAM users. Grant least privilege. Configure a strong password policy. Enable MFA for privileged users.

80 AWS IAM Best Practices (cont.) Use roles for applications that run on Amazon EC2 instances. Delegate by using roles instead of by sharing credentials. Rotate credentials regularly. Remove unnecessary users and credentials. Use policy conditions for extra security. Monitor activity in your AWS account.

81 AWS CloudTrail Records AWS API calls for accounts. Delivers log files with information to an Amazon S3 bucket. Makes calls using the AWS Management Console, AWS SDKs, AWS CLI and higher-level AWS services. Logs AWS CloudTrail Amazon S3 Bucket

82 Continuous Monitoring 24/7 monitoring to detect incidents. Industry-standard diagnostic procedures to drive resolution during business-impacting events. Preventative maintenance for continued operability of equipment.

83 Guess What This Is!

84 Guess What This Is! To This This

85 Instructor Demo IAM

86 AWS Database

87 SQL and NoSQL Databases SQL Data Storage Rows and Columns Key-Value Schemas Fixed Dynamic NoSQL Querying Using SQL Focused on collection of documents Scalability Vertical Horizontal SQL ISBN Title Author Format Cloud Computing Concepts The Database Guru Wilson, Joe Gomez, Maria Paperback ebook { } NoSQL ISBN: , Title: Cloud Computing Concepts, Author: Wilson, Joe, Format: Paperback

88 Data Storage Considerations No one size fits all. Analyze your data requirements by considering: Data formats Data size Query frequency Data access speed Data retention period

89 AWS Managed Database Services Deployment and Administration App Services Amazon DynamoDB Amazon ElastiCache Compute Storage Database Amazon RDS Amazon Redshift Networking AWS Database Migration Service AWS Global Infrastructure

90 Amazon Relational Database Service (RDS) Amazon RDS Cost-efficient and resizable capacity Manages time-consuming database administration tasks Access to the full capabilities of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, and PostgreSQL databases

91 Amazon RDS Simple and fast to deploy Manages common database administrative tasks Compatible with your applications Fast, predictable performance Simple and fast to scale Secure Cost-effective

92 DB Instances DB Instances are the basic building blocks of Amazon RDS. They are an isolated database environment in the cloud. They can contain multiple user-created databases.

93 How Amazon RDS Backups Work Automatic Backups: Restore your database to a point in time. Are enabled by default. Let you choose a retention period up to 35 days. Manual Snapshots: Let you build a new database instance from a snapshot. Are initiated by the user. Persist until the user deletes them. Are stored in Amazon S3.

94 Cross-Region Snapshots Are a copy of a database snapshot stored in a different AWS Region. Provide a backup for disaster recovery. Can be used as a base for migration to a different region.

95 Amazon RDS Security Run your DB instance in an Amazon VPC. Use IAM policies to grant access to Amazon RDS resources. Use security groups. Use Secure Socket Layer (SSL) connections with DB instances (Amazon Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft SQL Server). Use Amazon RDS encryption to secure your RDS instances and snapshots at rest. Use network encryption and transparent data encryption (TDE) with Oracle DB and Microsoft SQL Server instances. Use the security features of your DB engine to control access to your DB instance.

96 A Simple Application Architecture Elastic Load Balancing load balancer instance Amazon EC2 Application Servers DB snapshots in Amazon S3 Amazon RDS database instance

97 Multi-AZ RDS Deployment With Multi-AZ operation, your database is synchronously replicated to another Availability Zone in the same AWS Region. Failover to the standby automatically occurs in case of master database failure. Planned maintenance is applied first to standby databases.

98 A Resilient, Durable Application Architecture Elastic Load Balancing load balancer instance Application, in Amazon EC2 instances DB snapshots in Amazon S3 Amazon RDS database instances: Master and Multi-AZ standby

99 Amazon RDS Best Practices Monitor your memory, CPU, and storage usage. Use Multi-AZ deployments to automatically provision and maintain a synchronous standby in a different Availability Zone. Enable automatic backups. Set the backup window to occur during the daily low in WriteIOPS. To increase the I/O capacity of a DB instance: Migrate to a DB instance class with high I/O capacity. Convert from standard storage to provisioned IOPS storage and use a DB instance class optimized for provisioned IOPS. Provision additional throughput capacity (if using provisioned IOPS storage). If your client application is caching the DNS data of your DB instances, set a TTL of less than 30 seconds. Test failover for your DB instance.

100 Amazon DynamoDB Amazon DynamoDB Allows you to store any amount of data with no limits. Provides fast, predictable performance using SSDs. Allows you to easily provision and change the request capacity needed for each table. Is a fully managed, NoSQL database service.

101 Provisioned Throughput You specify how much provisioned throughput capacity you need for reads and writes. Amazon DynamoDB allocates the necessary machine resources to meet your needs.

102 Supported Operations Query: Query a table using the partition key and an optional sort key filter. If the table has a secondary index, query using its key. It is the most efficient way to retrieve items from a table or secondary index. Scan: You can scan a table or secondary index. Scan reads every item slower than querying. You can use conditional expressions in both Query and Scan operations.

103 Simple Application Architecture Business logic Elastic Load Balancing Amazon EC2 app instances Amazon DynamoDB Clients

104 Amazon RDS and Amazon DynamoDB Factors Relational (Amazon RDS) NoSQL (Amazon DynamoDB) Application Type Application Characteristics Scaling QoS Existing database apps Business process centric apps Relational data models, transactions Complex queries, joins, and updates Application or DBA architected (clustering, partitions, sharding) Performance depends on data model, indexing, query, and storage optimization Reliability and availability Durability New web-scale applications Large number of small writes and reads Simple data models, transactions Range queries, simple updates Seamless, on-demand scaling based on application requirements Performance Automatically optimized by the system Reliability and availability Durability

105 Database Considerations If You Need Consider Using A relational database service with minimal administration A fast, highly scalable NoSQL database service A database you can manage on your own Amazon RDS Choice of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, or PostgreSQL database engines Scale compute and storage Multi-AZ availability Amazon DynamoDB Extremely fast performance Seamless scalability and reliability Low cost Your choice of AMIs on Amazon EC2 and Amazon EBS that provide scale compute and storage, complete control over instances, and more.

106 AWS Elasticity and Management Tools Belegu Rinon Imsand Matthias

107 November Traffic to Amazon.com Provisioned capacity 76% The challenge is to efficiently guess the unknown quantity of how much compute capacity you need. November 24% 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

108 Benefits of elastic services Better Fault Tolerance Better Availability Better Cost Management

109 Enable Scalability (1 of 2) Ensure that your architecture can handle changes in demand. A key advantage of a cloud-based infrastructure is how quickly you can respond to changes in resource needs. App servers at full capacity Users prevented from access Admin launches new server Anti-pattern New server takes time to launch 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

110 Enable Scalability (2 of 2) Ensure that your architecture can handle changes in demand. A key advantage of a cloud-based infrastructure is how quickly you can respond to changes in resource needs. App servers at alarm threshold Users never experience interruption in accessibility New server is ready before capacity is reached Auto Scaling is alerted and scales out Best practice 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

111 Vertical vs. Horizontal Scaling Vertical scaling Scale up and down Change in the specifications of instances (more CPU, memory, etc.) Horizontal scaling Scale in and out Change in the number of instances (Add and remove instances as needed) small xlarge 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

112 Triad of Services Elastic Load Balancing Latency Utilization Auto Scaling group Auto Scaling Execute AS Policy CloudWatch

113 Elastic Load Balancing Elastic Load Balancing Distributes traffic across multiple EC2 instances, in multiple Availability Zones Supports health checks to detect unhealthy Amazon EC2 instances Supports the routing and load balancing of HTTP, HTTPS, SSL, and TCP traffic to Amazon EC2 instances

114 Classic Load Balancer - How It Works Register instances with your load balancer. load balancer X Availability Zone A Availability Zone B

115 Application Load Balancer How It Works Register instances as targets in a target group, and route traffic to a target group. Listener load balancer Listener Rule Rule Rule Target Target Target Target Target Target Target Target Group Health Check Target Group /api Health Check Target Group /mobile Health Check

116 ELB - Features Sticky Sessions Connection Draining Cross Zone Loadbalancing SSL Termination IPv6 Support Request Tracing (Header Injection) WAF Integration AWS Shield Integration (DDoS Protection)

117 Load Balancer Comparison Classic Load Balancer benefits include support for: EC2-Classic. VPC. TCP and SSL listeners. Sticky sessions. OSI Layer 4 (network protocol level) ALB benefits include support for: Path-based routing. Routing requests to multiple services on a single EC2 instance. Containerized applications. Monitoring the health of each service independently. OSI Layer 7 (application level)

118 Amazon CloudWatch Amazon CloudWatch A monitoring service for AWS cloud resources and the applications you run on AWS Visibility into resource utilization, operational performance, and overall demand patterns Custom application-specific metrics of your own Accessible via AWS Management Console, APIs, SDK, or CLI

119 Amazon CloudWatch Facts Monitor other AWS resources View graphics and statistics Set Alarms

120 Amazon CloudWatch Architecture Amazon CloudWatch AWS resources that support CloudWatch CPUUtilization StatusCheckFailed Amazon CloudWatch Alarm SNS Notification PageViewCount Custom Application- Specific Metrics CloudWatch Metrics Available Statistics Auto Scaling AWS Management Console Statistics Consumer

121 CloudWatch Metrics Examples

122 CloudWatch Alarm Examples Amazon EC2 If CPU utilization is > 60% for 5 minutes Amazon RDS If number of simultaneous connections is > 10 for one minute Amazon ELB If number of healthy hosts is < 5 for 10 minutes

123 CloudWatch Alarms and Actions Stop, terminate, reboot, or recover an Amazon EC2 instance Scale an Auto Scaling group in or out CloudWatch alarms: Measure a single metric and perform one or more actions Send message to Amazon Simple Notification Service (SNS)

124 Auto Scaling Auto Scaling Scale your Amazon EC2 capacity automatically Well-suited for applications that experience variability in usage Available at no additional charge

125 Do Not Guess About Resource Needs Build a flexible system that will react to changes in customer demand and manage costs dynamically. Alarm CloudWatch Auto Scaling group Availability Zone Availability Zone

126 Launch Configurations A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you can specify: AMI ID Instance type Key pair Security groups Block device mapping User data

127 Auto Scaling Groups Contain a collection of EC2 instances that share similar characteristics. Instances in an Auto Scaling group are treated as a logical grouping for the purpose of instance scaling and management. Auto Scaling group Minimum size Scale out as needed Desired capacity Maximum size

128 Scaling Actions Dynamic Scaling You can create a scaling policy that uses CloudWatch alarms to determine: When your Auto Scaling group should scale out. When your Auto Scaling group should scale in. You can use alarms to monitor: Any of the metrics that AWS services send to Amazon CloudWatch. Your own custom metrics. Manual Scaling Scheduled Actions API Calls

129 Auto Scaling Basic Lifecycle Attach to Group Scale Out Launch Instance instances Auto Scaling group Amazon CloudWatch Scheduled Event Scale In Terminate Instance X Detach from Group Amazon CloudWatch Scheduled Event

130 Triad of Services Elastic Load Balancing Latency Utilization Auto Scaling group Auto Scaling Execute AS Policy CloudWatch

131 AWS Trusted Advisor AWS Trusted Advisor Best practice and recommendation engine. Provides AWS customers with performance and security recommendations in four categories: Cost optimization Security Fault tolerance Performance improvement.

132 Cost Optimization Amazon EC2 Reserved Instance Optimization Low-utilization Amazon EC2 Instances Idle load balancers Underutilized Amazon EBS volumes Unassociated Elastic IP addresses Amazon RDS idle DB instances

133 Security Security groups AWS IAM use Amazon S3 bucket permissions MFA on Root Account AWS IAM password policy Amazon RDS security group access risk

134 Fault Tolerance Amazon EBS Snapshots Load balancer optimization Auto Scaling Group Resources Amazon RDS Multi-AZ Amazon Route 53 name server delegations ELB connection draining

135 Performance Improvement High-utilization Amazon EC2 instances Service limits Large number of rules in EC2 security group Over-utilized Amazon EBS magnetic volumes Amazon EC2 to EBS throughput optimization Amazon CloudFront alternate domain names

136 AWS AutoScaling Demonstration

137 The Challenges of Cloud Deployments Updating live servers. Rollouts across multiple geographical locations. Ability to manage a rollback. Debugging deployments. Managing dependencies on systems and subsystems.

138 Technologies for Automated, Repeatable Deployments Custom Scripts and Applications Use AWS CLI or API to automate deployments in a variety of languages. Userdata AWS CloudFormation Use a simple, declarative domain-specific language (DSL) to build a template file that creates and deletes a collection of resources together as a single unit (a stack). AWS OpsWorks Use a simple, declarative domain-specific language (DSL) to create AWS resources.

139 What is AWS CloudFormation? Declarative programming language for deploying AWS resources. Supports many AWS services. Create, update, and delete a set of resources as a single unit (stack). Infrastructure as Code. Free of Charge.

140 What Does Infrastructure as Code Mean? Techniques, practices, and tools from software development applied to creating reusable, maintainable, extensible and testable infrastructure.

141 CloudFormation: Infrastructure as Code Allows you to launch, configure, and connect AWS resources with JavaScript Object Notation (JSON) and YAML-formatted templates Template AWS CloudFormation Engine Stack JSON-formatted file describing the resources to be created Treat it as source code: put it in your repository YAML-formatted template support AWS service component Interprets AWS CloudFormation template into stacks of AWS resources A collection of resources created by AWS CloudFormation Tracked and reviewable in the AWS Management Console Cross stack references

142 Benefits of Treating Infrastructure as Code Repeatability Reusability Load balancer Development Load balancer Load balancer Production Load balancer Auto Scaling group Auto Scaling group Auto Scaling group Auto Scaling group template

143 Benefits of Treating Infrastructure as Code Maintainability, Consistency, and Parallelization Load balancer Development Load balancer Load balancer Production Load balancer security group Auto Scaling group security group Auto Scaling group security group Auto Scaling group security group Auto Scaling group Template updated template

144 AWS Elasticity and Management Tools Questions

145 Knowledge Check 1 How does Auto Scaling scale instances? Scale up and down, or Scale in and out? Answer: Scale in and out. In other words, change the quantity of instances in the Auto Scaling group.

146 Knowledge Check 2 True or False: Memory Utilization is a basic monitoring metric of CloudWatch. Answer: False. It is a custom metric and has to be implemented by using CloudWatch Logs

147 Knowledge Check 3 You have configured a CloudWatch alarm to trigger when CPU rises above 60%. CPU is currently at 80%. What is the status of the alarm? OK ALARM INSUFFICIENT DATA Answer: Alarm, but only if the period condition has also been met (i.e. above 60% for one minute).

148 Knowledge Check 4 Can you deploy Configuration Files with CloudFormation? Answer: Yes, by using CloudFormation:Init.

149 Further Information Official AWS Events Transformation Day AWSomeDay Meetups Digicomp Trainings Amanox Events Bootcamp DevOps Microservices and Docker

150

151