AWS Foundation Service Introduction - ntut.edu.tjykuo/course/AWS-Training-Deck-Day1.pdf · Amazon EC2 Container Service Amazon Cognito AWS CodeDeploy Amazon CloudSearch Amazon WorkMail

1

AWS Foundation Service Introduction Getting Started with AWS

© 2017, eCloudValley Amazon Web Services Partner. All rights reserved.

Module Layout

2

•  Module 1: AWS Foundation Knowledge and Infrastructure •  Module 2: Computing on AWS – Amazon EC2

•  Module 3: Networking on AWS – Amazon VPC


Module 1 AWS Foundation Knowledge and Infrastructure

3 © 2017, eCloudValley Amazon Web Services Partner. All rights reserved.

Amazon Web Services (AWS)

Messaging

Mobile Database

Networking

Development and Management Tools

Compute App Services

Payments

On-Demand Workforce VPC

Analytics Content Delivery

Storage Enable businesses and developers to use web services to build scalable, sophisticated applications.


AWS Rapid Pace of Innovation

2009 2011 2013 2015

722

New Features/Services Launched

159

82

48


2,420 Connect

AWS Elastic Beanstalk

AWS CloudTrail

Amazon WorkSpaces

Amazon Kinesis

Amazon SNS

Amazon Route 53

Amazon SWF

Amazon AppStream

Amazon DynamoDB

AWS Data Pipeline

AWS Config

Amazon RDS for Aurora

Amazon WorkDocs AWS Direct

AWS Directory Service

AWS CodeCommit

AWS Service Catalog

Amazon CloudWatch Logs Amazon API

Gateway Amazon Machine

Learning

AWS Device Farm

AWS WAF

Elasticsearch Service

Amazon QuickSight

AWS Import/Export

Amazon Inspector

AWS IoT

Amazon EC2 Container Registry

AWS CodePipeline

Amazon ElastiCache

AWS CloudHSM

Amazon Mobile Analytics

AWS Import/Export

Amazon RDS for MariaDB AWS Mobile Hub AWS KMS

AWS Storage Gateway

AWS GovCloud (US)

AWS OpsWorks

Amazon SES

Amazon Elastic Transcoder

Amazon EC2 Container Service

Amazon Cognito

AWS CodeDeploy

Amazon CloudSearch Amazon Glacier

Amazon WorkMail

AWS Certificate Manager

Amazon EFS Amazon Redshift

AWS Identity and Access

Management

AWS Lambda AWS

CloudFormation

Services and Features

© 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 6

Advantages and Benefits of AWS Cloud Computing

Trade capital expense for variable expense. Benefit from massive economies of scale. Stop guessing capacity.

Increase speed and agility.

Stop spending money on running and maintaining data centers. Go global in minutes.


Infrastructure

Regions Availability Zones Edge Locations

Foundation Services

Compute (Virtual, Auto-scaling and Load Balancing)

Networking

Applications Virtual Desktops Collaboration and Sharing

Platform Services

AWS Cloud Computing

Databases

Relational

NoSQL

Caching

Analytics

Cluster Computing

Real-time

Data Warehouse

Data Workflows

App Services

Queuing

Orchestration

App Streaming

Transcoding

Email

Search

Deployment and Management

Containers

Dev/ops Tools

Resource Templates

Usage Tracking

Monitoring and Logs

Mobile Services

Identity

Sync

Mobile Analytics

Notifications

Storage (Object, Block and Archive)


Compute Network Storage Security & Identity Applications

AWS Foundation Services

Amazon EC2

AWS Lambda

Amazon EC2 Container Service

AWS Elastic

Beanstalk

Elastic Load

Balancing

Amazon VPC

AWS Direct

Connect

Amazon Route 53

Amazon S3

Amazon CloudFront

Amazon Elastic File

System

Amazon Glacier

AWS Storage Gateway

AWS Import/ Export

AWS Identity and Access Management

AWS Directory Service

AWS Cloud HSM

AWS KMS

AWS WAF

Amazon WorkDocs

Amazon WorkSpaces

Auto Scaling

Amazon WorkMail


Databases Analytics App Services Management Tools

Developer Tools

Mobile Services

Internet of Things

AWS Platform Services

Amazon RDS

Amazon DynamoDB

Amazon ElastiCache

Amazon Redshift

Amazon EMR

AWS Data Pipeline

Amazon Kinesis

Amazon Amazon Elasticsearch Machine

Service Learning

Amazon API Gateway

Amazon AppStream

Amazon CloudSearch

Amazon Elastic

Transcoder

Amazon SES

Amazon SQS

Amazon SWF

AWS CloudTrail

AWS AWS CloudFormation Config

AWS Amazon OpsWorks CloudWatch

AWS Service Catalog

AWS CodeCommit

AWS CodeDeploy

AWS CodePipeline

AWS Device Farm

Amazon Mobile

Analytics

Amazon Cognito

Amazon SNS

Mobile Hub

AWS IoT

Trusted Advisor

AWS Database Migration Service

AWS Certificate Manager


AWS Data Center

•  Single data center typically more that 50,000 servers and often more than 80,000

•  Up to 102 Tbps provisioned to a single data center

•  AWS custom network equipment: •  Multi ODM sourced

•  Amazon custom network protocol stack © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 11

AWS Availability Zone

AZ

AZ

AZ AZ AZ

Transit

Transit

•  1 of 44 AZs worldwide •  Each AZ is 1 or more data center

•  No data center is in two AZs

•  Some AZs have as many as 6 data centers

•  All regions have 2 or more AZs •  DCs in AZ less than 2 milliseconds apart

•  Don’t need inter AZ independence

•  Don’t require low latency © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 12

AWS Region

AZ

AZ

AZ AZ AZ

Transit

Transit

•  1 of 16 AWS world wide AWS regions •  Redundant paths to transit centers •  Transit centers connect to:

•  Private links to other AWS regions •  Internet through peering and paid

transit •  AZs < 2 milliseconds apart and usually

<1 millisecond © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 13

AWS Global Infrastructure

14

16 x AWS Regions

70+ x AWS Edge Locations(CDN/DNS)


Your and AWS share responsibility for security

AWS foundation services

compute storage database networking

AWS global infrastructure

regions

Availability Zones

edge loca8ons

network security

server security

customer applica8ons and content You get to define your controls in the cloud

AWS takes care of the security of the cloud

mission owner & partner

data security

access control


Console Demo

21 © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 16

Module 2 Computing on AWS Amazon EC2


Amazon EC2 Facts

§  Resizable compute instances in the cloud §  Provision 1 or many instances §  Pay for what you use; no minimum

commitment §  Familiar operating systems, with cloud

benefits

18

Amazon EC2


AWS EC2 Instances family

19

AWS Instance Type

High Memory

X1

Compute-‐ Op8mized

C4

Storage-‐ Op8mized

D2

General Purpose M4

Memory-‐ Op8mized

R3

IO-‐ Op8mized

I2

Graphics-‐ Op8mized

G2

Burstable Performance

T2

Intel Processor

Intel Xeon E7-‐8880 v3

Custom Intel Xeon

E5-‐2666 v3

Custom Intel Xeon

E5-‐2676 v3

Custom Intel Xeon

E5-‐2676 v3



Intel Xeon E5-‐2670

Intel Xeon Family

Intel AVX AVX 2.0 AVX 2.0 AVX 2.0 AVX 2.0 Yes Yes Yes Yes

Intel AES-‐NI Yes Yes Yes Yes Yes Yes No No

Intel Turbo Boost Yes Yes Yes Yes Yes Yes Yes Yes

Intel TSX Yes No No No No No No No

Per core P-‐ and C-‐state control

No

Yes (8xlarge only)

No No No No No No

SSD Storage

EBS OpPmized by

default

EBS OpPmized by

default No

EBS OpPmized by

default Yes Yes Yes EBS only


Completely Controlled


Completely Controlled

§  You have control of your instances §  Log on as root (Linux) / Administrator (Windows) §  Install the software you need §  Make the configuration changes you like §  Create an AMI (Amazon Machine Image) §  Start/Stop and control via console or APIs



Flexible


Multiple Instance Types

§  Choose the instance type that suits you §  Change the instance type when you want to §  Attach as much or as little storage as you need §  Choose your operating system §  Choose a pre-configured image (AMI)


Reliable


Build Reliable Architectures

§  Easily build highly available applications §  AWS Elastic Load Balancing distributes load §  Auto Scaling helps ensure availability and scale §  Use multiple Availability Zones (AZs)



Amazon EC2 purchasing option


On-Demand instances

On-demand instances

Unix/Linux instances start at

$0.02/hour

Pay as you go for compute power

Low cost and flexibility

Pay only for what you use, no up-‐front commitments or long-‐term contracts

Use Cases:

Applica'ons with short term, spiky, or

unpredictable workloads;

Applica'on development or tes'ng


Reserved instances

On-demand instances


$0.02/hour




Use Cases:




1-‐ or 3-‐year terms Pay low up-‐front fee, receive significant hourly

discount

Low Cost / Predictability Helps ensure compute capacity is available

when needed

Use Cases: Applica'ons with steady state or predictable

usage Applica'ons that require reserved capacity,

including disaster recovery

Reserved instances


Spot instances

On-demand instances


$0.02/hour




Use Cases:




1-‐ or 3-‐year terms Pay low up-‐front fee, receive significant hourly

discount

Low Cost / Predictability Helps ensure compute capacity is available

when needed

Use Cases: Applica'ons with steady state or predictable

usage Applica'ons that require reserved capacity,

including disaster recovery

Reserved instances

Bid on unused EC2 capacity

Spot Price based on supply/demand, determined automaPcally

Cost / Large Scale, dynamic workload handling

Use Cases: Applica'ons with flexible start and end 'mes Applica'ons only feasible at very low compute

prices

Spot instances


AWS Marketplace

§  AWS Online Software Store §  Find, research and buy software §  Simple pricing, aligns with the utility model §  1-Click launch products - run in minutes §  Over 1300 products listed in 25 categories §  Free trials and Enterprise offerings §  – Move seamlessly from PoC to production


Easy to get started!


Demo


Module 3 Networking on AWS Amazon VPC


Amazon VPC Facts

§  Provision a logically isolated section of the AWS cloud §  Control your virtual networking environment

§  Subnets §  Route Tables §  Security Groups §  Network ACLs

§  Connect to your on-premises network via hw VPN §  Control if and how your instances access the

Internet 36

Amazon VPC


Walkthrough: setting up an Internet-connected VPC


Creating an Internet-connected VPC: steps

Choosing an address range

Setting up subnets in Availability Zones

Creating a route to the Internet

Authorizing traffic to/from the VPC


Choosing an IP address range


CIDR notation review

CIDR range example:

172.31.0.0/16

1010 1100 0001 1111 0000 0000 0000 0000


Choosing an IP address range for your VPC

172.31.0.0/16

Recommended: RFC1918 range

Recommended: /16

(64K addresses)


Subnets


VPC subnets and Availability Zones

172.31.0.0/16

VPC subnet Availability Zone



172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

eu-west-1a eu-west-1b eu-west-1c


VPC subnet recommendations §  /16 VPC (64K addresses) §  /24 subnets (251 addresses) §  One subnet per Availability Zone


Route to the Internet


Routing in your VPC §  Route tables contain rules for which packets go

where §  Your VPC has a default route table §  … but you can assign different route tables to

different subnets


Traffic destined for my VPC stays in my VPC


Internet Gateway

Send packets here if you want them to reach the Internet


Everything that isn’t destined for the VPC: Send to the Internet


Network security in VPC: Network ACLs / Security Groups


Network ACLs vs. security groups

NACLs

Security Groups

51

§  Applied to subnets §  Stateless §  Allow and deny (blacklist) §  Rules processed in order

§  Applied to instance ENI §  Stateful §  Allow only (whitelist) §  Rules evaluated as a whole §  Can reference other security

groups in the same VPC

security group

VPC subnet

Network ACL


Network ACLs: Stateless firewalls

English translation: Allow all traffic in

Can be applied on a subnet basis


Security groups example: web servers

In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)


Security groups example: backends

In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group


Amazon VPC Network Security Controls


Security groups in VPC: additional notes

§  Follow the Principle of Least Privilege §  VPC allows creation of egress as well as ingress

Security Group rules §  Many application architectures lend themselves to a 1:1

relationship between security groups (who can reach me) and IAM roles (what I can do).


Connectivity options for VPCs


Beyond Internet connectivity

Restricting Internet access Connecting to your corporate network

Connecting to other VPCs


Restricting Internet access: Routing by subnet


Routing by subnet

VPC subnet

Has route to Internet

VPC subnet Has no route to Internet


Outbound-only Internet access: NAT gateway

VPC subnet VPC subnet

0.0.

0.0/

0

Public IP: 54.161.0.39

0.0.0.0/0

NAT gateway


Inter-VPC connectivity: VPC peering


Example VPC peering use: shared services VPC Common/core services

•  Authentication/directory •  Monitoring •  Logging •  Remote administration •  Scanning


Security groups across peered VPCs

VPC Peering

172.31.0.0/16 10.55.0.0/16

Orange Security Group Blue Security Group

ALLOW


Establish a VPC peering: initiate request

172.31.0.0/16 10.55.0.0/16

Step 1

Initiate peering request


Establish a VPC peering: accept request

172.31.0.0/16 10.55.0.0/16

Step 1


Step 2 Accept peering request


Establish a VPC peering: create route

172.31.0.0/16 10.55.0.0/16 Step 1


Step 2

Accept peering request

Step 3 Create routes

In English: Traffic destined for the peered VPC should go to the peering


Connecting to on-premises networks: Virtual Private Network & Direct Connect


Extend an on-premises network into your VPC

VPN

Direct Connect


AWS VPN basics

Customer Gateway

Virtual Gateway

Two IPSec tunnels

192.168.0.0/16 172.31.0.0/16

192.168/16

Your networking device


VPN and AWS Direct Connect §  Both allow secure connections between

your network and your VPC §  VPN is a pair of IPSec tunnels over the

Internet §  DirectConnect is a dedicated line with lower

per-GB data transfer rates §  For highest availability: Use both


VPC and the rest of AWS


VPC and the rest of AWS

AWS Services in Your VPC

VPC Endpoints for Amazon S3

DNS in-VPC with Amazon Route 53

Logging VPC Traffic with VPC Flow Logs


AWS services in your VPC


Example: Amazon RDS database in your VPC

Reachable via DNS Name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com


Example: AWS Lambda function in your VPC


Best practices for in-VPC AWS services

§  Many AWS services support running in-VPC. §  Use security groups for Least-Privilege network access. §  For best availability, use multiple Availability Zones.

Examples: §  Multi-zone RDS deployments §  Use a zonal mount point for EFS access


VPC Endpoints for Amazon S3


S3 and your VPC

S3 Bucket

Your applications

Your data


AWS VPC endpoints for S3

S3 Bucket


AWS VPC endpoin ts for S3

S3 Bucket

Route S3-bound traffic to the VPCE


IAM policy for VPC endpoints

S3 Bucket

IAM Policy at VPC Endpoint: Restrict actions of VPC in S3

IAM Policy at S3 Bucket: Make accessible from

VPC Endpoint only © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 82

DNS in a VPC


Availability Zone 1a Availability Zone 1b

Internet

10.0.0.5

10.0.0.6

10.0.3.17

10.0.3.5

10.0.1.5

10.0.1.25 10.0.1.8

10.0.1.6

VPC Subnet

VPC Subnet

VPC Subnet

Virtual Private Gateway

Internet Gateway

VPN Connection Customer Gateway

Customer Data Center © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 84

Demo


Module 4 Storage on AWS Amazon S3, EBS


Object Storage v.s Block Storage


Object Storage


Simple Storage Service (S3) §  Storage for the Internet §  Store and retrieve any amount of data, at any time,

from anywhere on the web §  Highly scalable, reliable, and secure §  Supports encryption §  Pay only for what you use


S3 event notifications

Delivers notifications to Amazon SNS, Amazon SQS, or AWS Lambda when events occur in S3

S3

Events

SNS topic

SQS queue

Lambda function

Notifications

Notifications

Notifications

Foo() { … }


•  Preserve, retrieve, and restore every version of every object stored in your bucket

•  S3 automatically adds new versions and preserves deleted objects with delete markers unless an explicit versioned DELETE operation is made

•  Easily control the number of versions kept by using lifecycle expiration policies

•  Easy to turn on in the AWS Management Console

S3 versioning


S3 cross-region replication

Source (Ireland)

•  Only replicates new PUTs. Once S3 is configured, all new uploads into a source bucket will be replicated

•  Entire bucket or prefix based

•  1:1 replication between any 2 regions

•  Versioning required

Automated, fast, and reliable asynchronous replication of data across AWS regions

Use cases: •  Compliance—store data hundreds of miles apart •  Lower latency—distribute data to regional customers •  Security—create remote replicas managed by separate AWS accounts

Destination (Frankfurt)


S3 use cases

•  Web-scale storage capacity and performance for web applications

•  Single-origin store with delivery through Amazon CloudFront

•  Staging and persistent store for Big Data applications

•  Storage target for backup and active archive


Glacier Facts

§  Low cost storage for archiving and backup §  Secure and durable §  No limit to amount of data stored §  Flexible §  Pay only for what you use §  Simple integration with S3

Archive Storage in the Cloud © 2017, eCloudValley Amazon Web Services Partner. All rights reserved. 94

Amazon Glacier benefits

•  Reduce cost for long-term archiving •  Leverage unlimited storage capacity •  Replace tape museums •  Improve durability


Block Storage


Elastic Block Store (EBS) Facts

§  Persistent off-instance storage §  SSD or magnetic disk §  Durable snapshots to S3 §  Encryption support §  Provisioned IOPS option

Block Storage for EC2





EBS Volume Type Price Performance

Magnetic General Purpose Provisioned IOPS Use cases Infrequent data

access

Boot volumes Small to med DBs

Dev and Test

I/O intensive Relational DBs

NoSQL DBs

Storage media Magnetic disk- backed SSD-backed SSD-backed

Max IOPS 40–200 IOPS 10,000 IOPS 20,000 IOPS Latency (random

read) 20–40 ms 1–2 ms 1–2 ms

Availability Designed for 99.999% Designed for 99.999% Designed for 99.999%

Price $.05/GB-month $.05/million I/O $.10/GB-month $.125/GB-month

$.065/provisioned IOPS


Amazon EBS snapshots


Instance storage


Thank you


Documents

AWS Foundation Service Introduction - ntut.edu.tjykuo/course/AWS-Training-Deck-Day1.pdf · Amazon EC2 Container Service Amazon Cognito AWS CodeDeploy Amazon CloudSearch Amazon WorkMail