Description: YouTube recording: http://youtu.be/DWMfXH3OfoE Getting started with Amazon Web Services (AWS) is fast and simple. These slides from our Best Practices webinar outline best practice guidance from many customers and the Amazon Web Services team, helping you gain advantage as you implement your projects in AWS. It also covers how you can ensure your applications are simple to manage, resilient and cost effective, and how to set up accounts and use consolidated billing.
Best practices for getting started with AWS
Ryan Shuttleworth – Technical Evangelist @ryanAWS
Agenda

8 things you should know: where you should start, and things to do up front.

Journey through the cloud: common use cases and stepping stones into the AWS cloud, learning from customer journeys.

Best practices to bootstrap your projects: simple things to plan for when starting with AWS, some technical and human considerations, helping you put your best foot forward from the off.
1. Choose your use case well
Choose a use case that suits you. Low hanging fruit can be the easiest way to 'cut teeth'.

Dev & Test
- Spin environments up and down on demand
- Decouple development and test environments from operations constraints
- Explore elasticity in a sandboxed environment

Backup & DR
- Take part of your data or business applications step-by-step into non-production DR use
- Understand cloud dynamics and test during controlled failovers

Greenfield project
- Embody best practice of cloud computing in unconstrained greenfield projects
- Self contained web projects, document archiving etc.

Pain point
- Move specific service aspects causing undue cost or management burden
- Workflows, search indexing, media streaming, document archiving, constrained databases
Plan evolution & set goals

Stage        Goals                                       Example services
PoC          Understand services                         Elastic Beanstalk
             Test performance
             Architect for scale
             Build cross functional team capabilities
Production   Implement monitoring                        Elastic Beanstalk, CloudFormation,
             Change control and management               CloudWatch, IAM
             Security management
             Scalability
Automation   Automate corrective measures                APIs, CLI, Auto Scaling
             Auto-scaling
             Zero downtime deployments
             System backup and recovery
2. Organize your house
Accounts

Create an account structure that makes sense
- Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services. An account is the hardest boundary AWS offers: a compromised key or a runaway script in one sub account cannot reach the resources of another.

Billing

Control access to billing information
- Keep billing information in the master account and expose it only to the IAM users who need it (Billing settings > Billing Preferences: Enable CSV & Programmatic Access).

Consolidate billing into a single account
- Let one account pick up the bill for multiple 'sub accounts'.

Set up billing alerts and automated bill reporting
- Get CloudWatch notifications when estimated charges reach a threshold, and output CSV reports to S3 for analysis.

Example account structure with consolidated billing (tags are key-value pairs, e.g. Own=Div Proj=R):

Master Account: consolidated billing information, programmatic billing access (CSV reports to S3)
  Operating Co. A: IAM users User1, Dev1, Admin1; resources tagged Own=OpCo Proj=A, Own=OpCo Proj=B, Own=OpCo Proj=C
  Division B: IAM users User2, Dev2, Admin2; resources tagged Own=Div Proj=P, Own=Div Proj=Q, Own=Div Proj=R
  Business Unit C: IAM users User3, Dev3, Admin3; resources tagged Own=BusC Proj=X, Own=BusC Proj=Y, Own=BusC Proj=Z
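As an added example (not from the webinar, and not AWS code), this is the kind of analysis the CSV reports delivered to S3 enable: cost per sub account, cost per cost-allocation tag, and a list of resources that carry no Own/Proj tag and therefore cannot be charged back. It assumes the column names of the detailed billing report (PayerAccountId, LinkedAccountId, RecordType, ProductCode, BlendedCost) and cost-allocation tag columns named "user:<Tag>"; the report text is constructed, not real billing data.

```python
"""Analyse a consolidated-billing CSV report by linked account and cost-allocation tag.

Added example for this section, not from the original webinar. It assumes the column
names of the AWS detailed billing report (PayerAccountId, LinkedAccountId, RecordType,
ProductCode, BlendedCost) and cost-allocation tag columns named "user:<Tag>". The
report text below is constructed, not real billing data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample report using the tag scheme from the account diagram
# (Own=<owning unit>, Proj=<project>). One RDS line item carries no tags at all.
SAMPLE_REPORT = """\
InvoiceID,PayerAccountId,LinkedAccountId,RecordType,ProductCode,UsageType,BlendedCost,user:Own,user:Proj
1,111111111111,222222222222,LineItem,AmazonEC2,BoxUsage:m1.small,12.50,OpCo,A
1,111111111111,222222222222,LineItem,AmazonS3,TimedStorage-ByteHrs,3.25,OpCo,B
1,111111111111,333333333333,LineItem,AmazonEC2,BoxUsage:m1.large,40.00,Div,P
1,111111111111,333333333333,LineItem,AmazonRDS,InstanceUsage:db.m1.small,18.00,,
1,111111111111,444444444444,LineItem,AmazonEC2,BoxUsage:m1.small,6.25,BusC,X
1,111111111111,111111111111,InvoiceTotal,,,80.00,,
"""


def line_items(report_text):
    """Return only the LineItem rows; summary rows (InvoiceTotal etc.) would double count."""
    rows = csv.DictReader(io.StringIO(report_text))
    return [row for row in rows if row.get("RecordType") == "LineItem"]


def cost_by_account(report_text):
    """Total blended cost per linked account, i.e. what each sub account owes the payer."""
    totals = defaultdict(float)
    for row in line_items(report_text):
        totals[row["LinkedAccountId"]] += float(row["BlendedCost"])
    return dict(totals)


def cost_by_tag(report_text, tag):
    """Total blended cost per value of one cost-allocation tag (e.g. "Proj")."""
    column = f"user:{tag}"
    totals = defaultdict(float)
    for row in line_items(report_text):
        totals[row.get(column) or "(untagged)"] += float(row["BlendedCost"])
    return dict(totals)


def untagged_line_items(report_text, required=("Own", "Proj")):
    """Line items missing a required tag; these cannot be charged back to an owner."""
    missing = []
    for row in line_items(report_text):
        absent = [t for t in required if not row.get(f"user:{t}")]
        if absent:
            missing.append((row["LinkedAccountId"], row["ProductCode"], absent))
    return missing


def accounts_over_budget(report_text, budgets):
    """Linked accounts whose cost exceeds the limit set for them (dict of account -> limit)."""
    costs = cost_by_account(report_text)
    return sorted(acct for acct, limit in budgets.items() if costs.get(acct, 0.0) > limit)


if __name__ == "__main__":
    print("by account:", cost_by_account(SAMPLE_REPORT))
    print("by project:", cost_by_tag(SAMPLE_REPORT, "Proj"))
    print("untagged:", untagged_line_items(SAMPLE_REPORT))
    print("over budget:", accounts_over_budget(SAMPLE_REPORT,
                                               {"333333333333": 50.0, "444444444444": 10.0}))
```

The per-account budget check is the batch counterpart of the CloudWatch billing alarm: the EstimatedCharges metric in the AWS/Billing namespace only exists once billing alerts are enabled in Billing Preferences, and it covers the consolidated total, whereas the CSV lets you attribute spend to the sub account and tag that caused it.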
Access keys

Decide upon a key management strategy
- Control SSH access to EC2 instances via the public key embedded at launch, e.g. one EC2 key pair per group of instances, or one key pair per account.

Consider SSH key rotation & automation
- Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances. The key pair chosen at launch is only injected at first boot, so a compromised key is revoked by editing authorized_keys on every instance that trusts it, not by changing the key pair in the console.
- Consider bootstrap automation to grant developer access with developer-unique key pairs, so one developer's key can be revoked without disturbing the others.
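The rotation step above, as an added example that is not part of the webinar: replace one key in an instance's authorized_keys without touching the other entries, revoke a named developer's key, and write the file atomically so sshd never sees a half-written or world-readable file. It assumes the OpenSSH authorized_keys format (optional options field, key type, base64 blob, optional comment); the key blobs are constructed placeholders, not real keys.

```python
"""Rotate or revoke a public key in an instance's ~/.ssh/authorized_keys.

Added example for this section, not from the original webinar. It assumes the
OpenSSH authorized_keys format (optional options field, key type, base64 blob,
optional comment) and writes the file atomically with mode 0600. The key blobs
below are constructed placeholders, not real keys.
"""
import os
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample file: a shared deployer key and one developer key whose
# options field restricts the source network.
OLD_DEPLOYER_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDkeyDEPLOYERxxxxxxxxxxxxxxxxxxxxxxxxx"
SAMPLE = (
    f"ssh-ed25519 {OLD_DEPLOYER_BLOB} deployer@build\n"
    'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOBkeyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx bob@laptop\n'
)
NEW_DEPLOYER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWkeyDEPLOYERxxxxxxxxxxxxxxxxxxxxxxxxx deployer@build-2"


def parse_line(line):
    """(keytype, blob, comment) for a key line, None for blank or '#' lines.

    An options field such as from="10.0.0.0/8",no-pty may precede the key type, so
    the key is located as the first token that is a known key type.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable authorized_keys line: {stripped!r}")


def rotate(contents, old_blob, new_key_line):
    """Replace the key whose blob is old_blob with new_key_line.

    Untouched lines are kept byte for byte (options and comments included). If the
    old key is absent the new key is appended, and a second copy of the new key is
    dropped, so repeated runs converge. Returns (new_contents, old_keys_removed).
    """
    parsed_new = parse_line(new_key_line)
    if parsed_new is None:
        raise ValueError("new key line is empty")
    new_blob = parsed_new[1]
    out, removed, installed = [], 0, False
    for line in contents.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in (old_blob, new_blob):
            removed += parsed[1] == old_blob
            if not installed:
                out.append(new_key_line.strip())
                installed = True
            continue
        out.append(line)
    if not installed:
        out.append(new_key_line.strip())
    return "\n".join(out) + "\n", removed


def revoke(contents, comment):
    """Drop every key whose comment matches, e.g. a departed developer's key."""
    kept = []
    for line in contents.splitlines():
        parsed = parse_line(line)
        if not (parsed and parsed[2] == comment):
            kept.append(line)
    return "\n".join(kept) + "\n"


def write_atomic(path, contents):
    """Write via a temp file in the same directory, chmod 0600, then rename over path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".ak.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo_in_tempdir():
    """Rotate the deployer key in a scratch copy of SAMPLE; returns (removed, mode, contents)."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    write_atomic(path, SAMPLE)
    with open(path) as fh:
        rotated, removed = rotate(fh.read(), OLD_DEPLOYER_BLOB, NEW_DEPLOYER)
    write_atomic(path, rotated)
    with open(path) as fh:
        return removed, os.stat(path).st_mode & 0o777, fh.read()
```

Run this from a bootstrap or configuration-management job against every instance that trusts the old key; matching on the key blob rather than the comment is what makes the rotation safe, because comments are free text and two developers can easily pick the same one.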
Groups & Roles

Use IAM groups to manage console users and API access
- Provide developers with an IAM user login and unique API access credentials rather than sharing the account's root credentials.
- Control and restrict what IAM users can do by placing them in groups with policies.

Assign EC2 instances IAM roles
- Let AWS manage API access credentials on running instances by assigning a system entitlement (role) to the instance. The temporary credentials are delivered through the metadata service and rotated automatically, so no long-lived access key needs to be baked into the AMI or user data.
- e.g. an instance can only read one S3 bucket.
Identity & access management

Account
  Groups (multi-factor authentication for console users)
    Administrators, e.g. Bob, Kevin
    Developers, e.g. Jim, Brad, Mark, Susan
    Applications, e.g. Tomcat, Reporting
  Roles: AWS system entitlements for instances
  Console and API access for users
IAM policies

Policy driven
- Declarative definition of rights for groups
- Policies control access to AWS APIs

Example policy (full access to the services Elastic Beanstalk drives):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*",
            "sns:*"
          ],
          "Resource": "*"
        }
      ]
    }

Every action here is a service-wide wildcard applied to every resource, which is administrative access to seven services. That is a reasonable starting point for a deployment group, but developer and application groups, and especially instance roles, should get policies scoped to the actions and resource ARNs they actually need.
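An added example for the groups/roles and policy slides above, not from the webinar and not AWS tooling: a small lint that flags service-wide wildcards and "Resource": "*" in Allow statements, plus a simplified evaluator that shows what the page's policy grants compared with a policy scoped to the 'instance can only read one S3 bucket' case. BROAD_POLICY is the policy from the slide; SCOPED_POLICY, its bucket name and ARNs are assumed for illustration. The evaluator handles Allow/Deny with wildcards in Action and Resource and ignores Condition, NotAction, NotResource and Principal.

```python
"""Lint IAM policy documents for least privilege and evaluate what they grant.

Added example for the groups/roles and IAM policy slides, not from the original
webinar. BROAD_POLICY is the policy shown on the page; SCOPED_POLICY, its bucket
name and ARNs are assumed for illustration. The evaluator is simplified: it
handles Allow/Deny with wildcards in Action and Resource and ignores Condition,
NotAction, NotResource and Principal.
"""
import fnmatch

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                   "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
        "Resource": "*",
    }],
}

# What the 'instance can only read one S3 bucket' role looks like (bucket name
# assumed). ListBucket applies to the bucket ARN, GetObject to the object ARNs, and
# an explicit Deny blocks writes even if some other attached policy allows them.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-config"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:PutObject"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _matches(patterns, value, case_insensitive):
    # IAM matches action names case-insensitively; ARNs are matched as written.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def allows(policy, action, resource):
    """True if the policy grants action on resource.

    Evaluation order follows IAM: an explicit Deny always wins, otherwise any
    matching Allow grants access, otherwise the implicit default is deny.
    """
    allowed = False
    for stmt in _statements(policy):
        if not (_matches(_as_list(stmt.get("Action", [])), action, True)
                and _matches(_as_list(stmt.get("Resource", [])), resource, False)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def findings(policy):
    """Least-privilege lint: Allow statements with service-wide or global wildcards."""
    out = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                out.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            out.append(f"statement {i}: applies to every resource")
    return out


if __name__ == "__main__":
    target = "arn:aws:s3:::example-app-config/app.zip"
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, findings(policy) or "no findings")
        for probe in ("s3:GetObject", "s3:DeleteBucket", "ec2:TerminateInstances"):
            print(f"  {probe} on {target}:", allows(policy, probe, target))
```

Running the lint over every policy attached to a group or role before it is deployed catches the common drift from "ec2:*" to "ec2:DescribeInstances"-style scopes never happening; the evaluator is the same idea in reverse, useful for asking "can this role delete a bucket?" without logging in as it.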
3. Think security
Shared responsibility

Amazon is responsible for:
- Foundation services: compute, storage, database, networking
- AWS global infrastructure: regions, availability zones, edge locations

You are responsible for:
- Customer data
- Platform, applications, identity & access management
- Operating system, network & firewall configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data)
- Network traffic protection (encryption/integrity/identity)
Understand your customer & form a security stance

Different audiences want different evidence:
- External audience: your certifications, your processes, penetration test requests
- Internal audience: IAM, administration, architecture
- Regulated audience: AWS certifications, AWS white papers, AWS QSA process

Engage with security assessors early in the adoption cycle
- Don't fear assessment: AWS meets high standards (PCI, ISO 27001, SOC 2, ...)
- As with any infrastructure provider, security assessments take time
- Derive value from architecture reviews early in the deployment cycle

Use the comprehensive materials and certifications provided by AWS
- http://aws.amazon.com/security/
- Risk and compliance paper
- AWS security processes paper
- CSA consensus assessments initiative questionnaire

Leverage the shared security model: build upon the features of AWS and implement a 'security by design' environment.
Build upon AWS features

IAM
- Control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)

APIs vs instance access, temporary credentials
- Provide developers with their own API credentials and control access to SSH keys; let instances use the expiring credentials of an IAM role instead of long-lived access keys

Instance firewalls (Security Groups)
- Firewall control on instances via security groups; tier the groups so that each layer only accepts traffic from the layer in front of it

CLIs and APIs
- Instantly audit your entire AWS infrastructure from scriptable APIs: generate an on-demand IT inventory, enabled by the programmatic nature of AWS

Subnet control (VPC)
- Create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs

Bastion hosts
- Only allow management access to production resources from a bastion host, and turn it off when not needed

Private connections to VPC (Direct Connect & VPN)
- Secured access to resources in AWS over software or hardware VPN and dedicated network links
4. Architect to use cloud strengths
Architect to use cloud strengths

Review application architectures early and assess fit for cloud:
- e.g. application performance improvement by migration of static content to S3/CloudFront
- Can cloud benefits be leveraged with minimum effort outlay? e.g. variable capacity requirements, 'standard' technology stacks, reference architectures (http://aws.amazon.com/architecture)
- Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments
- Can automation lead to a more agile & secure service? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
Disposable compute
- Design systems that can suffer instance loss
- Dispose of compute when it is not required

Flexible capacity
- Design for systems that potentially scale from zero instances to hundreds
- Use Auto Scaling (events, schedules etc.) to drive capacity availability

Cost effective & reliable storage
- Utilize the 99.999999999% durability of objects in S3
- Scale databases with RDS and use DynamoDB for high throughput NoSQL

Automation and control
- Automate everything from scaling to instance recovery from failure
Bootstrapping: custom AMIs
1. Create an instance from your OS of choice
2. Configure the environment
3. Install software
4. Create an AMI (custom machine image) from the instance
5. Launch fully configured instances from the AMI: manual deployments, programmatic deployments, or Auto Scaling
Bootstrapping: metadata service

The metadata service at http://169.254.169.254/latest/meta-data contains a wealth of information about an instance, for example:
  ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id

An instance launched from a custom or standard AMI can also receive custom data to drive bootstrapping: scripts in the user-data field will be executed on launch, e.g.

    #!/bin/sh
    yum -y install httpd
    chkconfig httpd on
    /etc/init.d/httpd start

or, on Windows:

    <powershell>
    …
    </powershell>

Typical bootstrap actions:
- Install software, e.g. web server, app server, proxy
- Pull data and application packages from S3
- Publish metadata for the instance to other systems, e.g. monitoring systems
- Set up the security profile of the instance based upon intended use, e.g. pull the latest config

Caveat: the metadata service, user data included, answers unauthenticated HTTP requests from any process on the instance, and user data is also readable by anyone allowed to call DescribeInstanceAttribute on the instance. Treat it as configuration, not as a place for passwords or access keys; give the instance an IAM role instead.
Build for availability at the regional level:
1. Use multiple availability zones
2. Use RDS with replicas and slaves
3. Use auto-scaling groups
4. Use Elastic Load Balancing
5. Use Route 53 to host DNS zones

Elastic Load Balancing
- Use at regional level: combined with Auto Scaling it will balance requests and resource capacity across availability zones
- Within VPC: use to load balance between application tiers within an availability zone
- Instance migrations: easily move instances from dev environments to test environments by moving between ELBs

Route 53
- Leverage SLA: improve application reliability with Route 53's SLA on requests served
- Weighted routing: perform A/B analysis and staged application roll-outs by moving a portion of traffic to new infrastructure
- Control TTLs and updates: take absolute control of DNS updates for more decisive system updates

RDS
- Scale databases without admin overhead: choose the instance size for databases and scale up over time
- Add high availability from the management console: create master-slave configurations and read replicas; AWS takes care of the failover and recreation of a new slave in the event of master DB loss

Auto Scaling
- Dynamically scale resources & control costs: only provision the resources that are required, with scale-up and cool-down policies that match demand
5. Services not software
Services not software

Self-managed software & infrastructure: roughly 70% of effort goes on managing all of the "undifferentiated heavy lifting", 30% on your business.
AWS cloud-based infrastructure & services: roughly 30% on configuring your cloud assets, 70% more time to focus on your business.
Use RDS for databases
- Relational Database Service: database-as-a-service
- No need to install or manage database instances
- Scalable and fault tolerant configurations

Use DynamoDB for a high performance key-value DB
- Provisioned throughput NoSQL database
- Fast, predictable performance
- Fully distributed, fault tolerant architecture
Reliable message queuing without additional software
- Amazon SQS: reliable, highly scalable queue service for storing messages as they travel between instances
- Pattern: a task/processing trigger is queued, an (auto-scaled) processing tier consumes it, and the processing results go onto a second queue

Push inter-process workflows into the cloud with SWF
- Simple Workflow: reliably coordinate processing steps (Task A, Task B, Task C) across applications
- Integrate AWS and non-AWS resources
- Manage distributed state in complex systems
Don't install search software, use CloudSearch
- Elastic search engine based upon the Amazon A9 search engine
- Fully managed service with a sophisticated feature set
- Scales automatically: your document server feeds the search service, which returns results to your application

Process large volumes of data cost effectively with EMR
- Elastic MapReduce: elastic Hadoop cluster
- Integrates with S3 & DynamoDB
- Leverage Hive & Pig analytics scripts
- Integrates with instance types such as spot
6. Be elastic and cost optimized
Be elastic and cost optimized

Scalability, availability and cost optimization come from Elastic Load Balancing, Auto Scaling policies, and the choice of instance types and sizes.

Auto Scaling policies
- Manually: send an API call or use the CLI to launch/terminate instances; only the capacity change (+/-) needs to be specified. e.g. preemptive scaling before a marketing event: add 10 more instances
- By schedule: scale up/down based on date and time. e.g. scale from 0 to 2 to process SQS messages every night, or double capacity on a Friday night
- By policy: scale in response to changing conditions, based on user-configured real-time monitoring and alerts. e.g. dynamic scaling on custom metrics such as SQS queue depth, average CPU load, ELB latency
- Auto-rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs. e.g. instance availability maintained in the event of an AZ becoming unavailable
Instance types

On-demand instances
- Pay as you go for compute power; Unix/Linux instances start at $0.02/hour
- Low cost and flexibility: pay only for what you use, no up-front commitments or long-term contracts
- Use cases: applications with short term, spiky, or unpredictable workloads; application development or testing

Reserved instances
- 1- or 3-year terms: pay a low up-front fee, receive a significant hourly discount
- Low cost / predictability: helps ensure compute capacity is available when needed
- Use cases: applications with steady state or predictable usage; applications that require reserved capacity, including disaster recovery

Spot instances
- Bid on unused EC2 capacity; the spot price is based on supply/demand and determined automatically
- Cost / large scale, dynamic workload handling
- Use cases: applications with flexible start and end times; applications only feasible at very low compute prices
7. Use frameworks
Everything is programmable
- Compute, storage, database, networking, messaging, workflow, DNS, load balancing, backup, CDN, security, scaling, monitoring
- Access everything via CLI, API or console
- Achieve the highest levels of automation sophistication with ease

Quickly deploy and manage apps in AWS with Elastic Beanstalk, CloudFormation and OpsWorks.
CloudFormation components & terminology
- Template: JSON formatted file; parameter definition, resource creation, configuration actions
- Stack: configured AWS services; comprehensive service support, service event aware, customisable
- Framework: stack creation, stack updates, error detection and rollback

OpsWorks
- Powerful management framework with Chef support
- Stack: managed environment; definition of an environment such as production or test
- Layers: collection of resources; blueprint for a collection of resources (instances, EBS, EIPs etc.)
- Management: management services; scaling, cloning, user access, self healing
- Apps: your application assets; resources to deploy and run in layers
8. Get supported
Support offerings

Offering                    Basic                      Developer          Business            Enterprise
24x7x365                    ✓                          ✓                  ✓                   ✓
Forum access                ✓                          ✓                  ✓                   ✓
Documentation               ✓                          ✓                  ✓                   ✓
Access to support           Support for health checks  Email              Phone, chat         Phone, chat
Named contacts              -                          1                  5                   Unlimited
Fastest response time       -                          12 hours           1 hour              15 minutes
Architecture support        -                          Building blocks    Use case guidance   Application architecture
Best practice               -                          ✓                  ✓                   ✓
Diagnostics tools           -                          ✓                  ✓                   ✓
Direct routing              -                          -                  ✓                   ✓
3rd party software          -                          -                  ✓                   ✓
Trusted Advisor             -                          -                  ✓                   ✓
Direct TAM access           -                          -                  -                   ✓
White glove case handling   -                          -                  -                   ✓
Management business review  -                          -                  -                   ✓
Trusted Advisor

Business and Enterprise Support has been enhanced to include best practice audits via AWS Trusted Advisor:
- Security: open ports in security groups, world access (/0 CIDR), IAM use
- Fault tolerance: EBS snapshot age, ELB optimization, availability zones
- Cost optimization: unused Elastic IPs, underutilized EC2 instances
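The security checks above, and the bastion-host pattern from the 'Think security' section, can be run by hand over DescribeSecurityGroups output without waiting for a support plan. The following is an added example, not from the webinar and not Trusted Advisor's code: it flags management ports reachable from 0.0.0.0/0 or ::/0 and lists which groups accept SSH from anything other than the bastion group. The input mirrors the IpPermissions structure of ec2 DescribeSecurityGroups; the group IDs and CIDRs are constructed.

```python
"""Audit security group ingress for world-open management ports and check the
bastion pattern (SSH only from the bastion group).

Added example for the 'Instance firewalls / Bastion hosts' and Trusted Advisor
slides, not from the original webinar. The input mirrors the IpPermissions
structure returned by ec2 DescribeSecurityGroups; the groups, IDs and CIDRs
below are constructed.
"""

WORLD = {"0.0.0.0/0", "::/0"}
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 1433: "mssql", 5432: "postgresql"}

# Constructed sample, one rule set per tier. sg-web wrongly exposes SSH to the
# world and sg-legacy allows all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def _sources(permission):
    """All sources of a rule: IPv4 CIDRs, IPv6 CIDRs and referenced security groups."""
    return ([r["CidrIp"] for r in permission.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in permission.get("UserIdGroupPairs", [])])


def _covers_port(permission, port):
    """True if a rule admits TCP traffic to port (protocol -1 means everything)."""
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return permission.get("FromPort", -1) <= port <= permission.get("ToPort", -1)


def world_open_findings(groups):
    """(group, port, service) for every management port reachable from a /0 CIDR.

    This is the Trusted Advisor 'world access (/0 CIDR)' check; a protocol -1
    rule open to the world is reported once as 'all traffic'.
    """
    out = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not WORLD & set(_sources(perm)):
                continue
            if perm.get("IpProtocol") == "-1":
                out.append((group["GroupId"], "all", "all traffic"))
                continue
            for port, name in sorted(MANAGEMENT_PORTS.items()):
                if _covers_port(perm, port):
                    out.append((group["GroupId"], port, name))
    return out


def ssh_sources(groups):
    """Who may reach port 22 in each group. With the bastion pattern every
    production group should list only the bastion's group ID here."""
    return {group["GroupId"]: sorted({src for perm in group.get("IpPermissions", [])
                                      if _covers_port(perm, 22) for src in _sources(perm)})
            for group in groups}


def violates_bastion_pattern(groups, bastion_group_id):
    """Groups (other than the bastion itself) accepting SSH from anything but the bastion."""
    return sorted(gid for gid, srcs in ssh_sources(groups).items()
                  if gid != bastion_group_id and any(src != bastion_group_id for src in srcs))


if __name__ == "__main__":
    print("world open:", world_open_findings(SAMPLE_GROUPS))
    print("ssh sources:", ssh_sources(SAMPLE_GROUPS))
    print("bastion violations:", violates_bastion_pattern(SAMPLE_GROUPS, "sg-bastion"))
```

Feeding this the JSON from the CLI is the 'on-demand IT inventory' the deck describes, and scheduling it is cheaper than discovering the open port in an incident; the referenced-group form (sg-app trusting sg-bastion rather than a CIDR) is what makes the bastion pattern survive the bastion's IP changing when it is stopped and started.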
3rd party software support enhancements

Operating systems including:
- Amazon Linux
- Ubuntu
- Red Hat Enterprise Linux
- SUSE Linux
- Microsoft Windows Server 2003 & 2008 R2

Common application stack components including:
- Apache and IIS web servers
- Amazon SDKs
- Sendmail, Postfix, FTP
- Disk management tools (LVM, RAID)
- VPN solutions (OpenVPN, RRAS)
- Databases (MySQL, SQL Server)
Summary
Choose your use case well
Organize your environments
Think security
Architect to cloud strengths
Services not software
Be elastic & cost optimized
Use frameworks where appropriate
Get supported
aws.amazon.com