Best practices for getting started with AWS

Ryan Shuttleworth – Technical Evangelist @ryanAWS

Journey through the Cloud - Best Practices Getting Started in the AWS Cloud


DESCRIPTION

YouTube recording: http://youtu.be/DWMfXH3OfoE Getting started with Amazon Web Services (AWS) is fast and simple. These slides from our Best Practices webinar outline best practice guidance from many customers and the Amazon Web Services team, helping you gain advantage as you implement your projects in AWS. They also cover how to keep your applications simple to manage, resilient and cost effective, and how to set up accounts and use consolidated billing.


Page 1: Journey through the Cloud - Best Practices Getting Started in the AWS Cloud


Page 2: Journey through the cloud

Common use cases & stepping stones into the AWS cloud

Learning from customer journeys

Best practices to bootstrap your projects

Page 3: Best practices

Simple things to plan for when starting with AWS

Some technical and human considerations

Helping you put your best foot forward from the off

Page 4: Agenda

8 things you should know

Where you should start

Things to do up front

Page 5: 1. Choose your use case well

Pages 6-10: Choose use case that suits you

Low hanging fruit can be the easiest way to 'cut teeth'

Dev & Test
  Spin environments up and down on demand
  Decouple development and test environments from operations constraints
  Explore elasticity in a sandboxed environment

Backup & DR
  Take part of your data or business applications step-by-step into non-production DR use
  Understand cloud dynamics and test during controlled failovers

Greenfield Project
  Embody best practice of cloud computing in unconstrained greenfield projects
  Self contained web projects, document archiving etc

Pain point
  Move specific service aspects causing undue cost or management burden
  Workflows, search indexing, media streaming, document archiving, constrained databases

Pages 11-12: Plan evolution & set goals

            PoC                                       Production                        Automation
Goals       Understand services                       Implement monitoring              Automate corrective measures
            Test performance                          Change control and management     Auto-scaling
            Architect for scale                       Security management               Zero downtime deployments
            Build cross functional team capabilities  Scalability                       System backup and recovery
Examples    Beanstalk                                 Beanstalk, CloudFormation,        APIs, CLI, Auto scaling
                                                      CloudWatch, IAM

Page 13: 2. Organize your house

Pages 14-15: Organize your house – Accounts, Billing

Create an account structure that makes sense
  Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services

Control access to billing information
  Use IAM users to keep billing information in the master account

Consolidate billing into a single account
  Let one account pick up the bill for multiple 'sub accounts'

Setup billing alerts and automated bill reporting
  Get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis

Page 16: Billing settings

Billing Preferences: Enable CSV & Programmatic Access

Pages 17-23: Consolidated billing across accounts (diagram, built up over seven slides)

Master Account ([email protected])
  Holds the consolidated billing information for the sub-accounts below
  Programmatic billing access writes CSV reports to S3

Operating Co. A ([email protected])
  IAM users: User1, Dev1, Admin1
  Resources tagged Own=OpCo with Proj=A, Proj=B, Proj=C

Division B ([email protected])
  IAM users: User2, Dev2, Admin2
  Resources tagged Own=Div with Proj=P, Proj=Q, Proj=R

Business Unit C ([email protected])
  IAM users: User3, Dev3, Admin3
  Resources tagged Own=BusC with Proj=X, Proj=Y, Proj=Z

Tags are key-value pairs, e.g. Own=Div Proj=R, and carry through to the consolidated bill

Pages 24-26: Organize your house – Access Keys, Groups & Roles

Decide upon a key management strategy
  Control access to EC2 instances via SSH and embedded public key: e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account

Consider SSH key rotation & automation
  Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
  Consider bootstrap automation to grant developer access with developer unique keypairs

Use IAM Groups to manage console users and API access
  Provide developers with IAM user login and unique API access credentials
  Control & restrict what IAM users can do by placing them in groups with policies

Assign EC2 Instances IAM roles
  Let AWS manage API access credentials on running instances by assigning a system entitlement to an instance
  e.g. instance can only read S3 bucket
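The rotation step the slide describes (retire a compromised or stale key and replace the authorized_keys listing on a running instance) as an added worked example in Python. This is not code from the deck. It operates on file contents as strings so it runs offline; on an instance the contents would come from and go back to ~/.ssh/authorized_keys. The sample file and the key blobs are constructed and are not usable keys; the fingerprint is the SHA256 form ssh-keygen -lf prints, so a key can be retired by the fingerprint recorded at issue time rather than by its comment.

```python
"""Rotate SSH public keys in an authorized_keys file, keeping everything else.
Added example for the key-management slide; not code from the original deck."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass(frozen=True)
class AuthorizedKey:
    options: str    # e.g. 'from="10.0.0.0/8",no-pty'; '' when absent
    key_type: str
    blob: str       # base64-encoded public key
    comment: str

    def fingerprint(self) -> str:
        """Same value ssh-keygen -lf prints: SHA256 of the decoded blob, base64, no padding."""
        digest = hashlib.sha256(base64.b64decode(self.blob)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def line(self) -> str:
        return " ".join(p for p in (self.options, self.key_type, self.blob, self.comment) if p)


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; None for blank and comment lines.
    Assumes option strings contain no unquoted whitespace (true for the common options)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    options, rest = ("", tokens) if tokens[0] in KEY_TYPES else (tokens[0], tokens[1:])
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    base64.b64decode(rest[1], validate=True)  # reject a corrupt blob before sshd sees it
    return AuthorizedKey(options, rest[0], rest[1], " ".join(rest[2:]))


def rotate(contents: str, retire: List[str], install: List[str]) -> str:
    """Return new file contents: keys whose fingerprint is in `retire` are dropped,
    public-key lines in `install` are appended unless already present. Idempotent,
    so it is safe to push to every instance on each rotation run."""
    keys = [k for k in map(parse_line, contents.splitlines()) if k]
    keep = [k for k in keys if k.fingerprint() not in set(retire)]
    present = {k.fingerprint() for k in keep}
    for line in install:
        key = parse_line(line)
        if key and key.fingerprint() not in present:
            keep.append(key)
            present.add(key.fingerprint())
    return "".join(k.line() + "\n" for k in keep)


def fake_blob(label: bytes) -> str:
    """Constructed test blob in SSH wire format (type string + 32 bytes). NOT a usable key."""
    key_type = b"ssh-ed25519"
    body = (len(key_type).to_bytes(4, "big") + key_type
            + (32).to_bytes(4, "big") + label.ljust(32, b"\x00"))
    return base64.b64encode(body).decode()


# Constructed sample file: a developer key from 2012 and a source-restricted deploy key.
OLD_ALICE = fake_blob(b"alice-2012")
NEW_ALICE = fake_blob(b"alice-2013")
SAMPLE = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {OLD_ALICE} alice@laptop\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {fake_blob(b"deploy-2012")} deploy\n'
)


def rotate_alice(contents: str = SAMPLE) -> str:
    """Retire Alice's 2012 key by fingerprint and install her 2013 key."""
    old_fp = AuthorizedKey("", "ssh-ed25519", OLD_ALICE, "").fingerprint()
    return rotate(contents, [old_fp], [f"ssh-ed25519 {NEW_ALICE} alice@laptop"])


if __name__ == "__main__":
    print(rotate_alice(), end="")
```

Retiring by fingerprint rather than by comment matters because the comment is free text that anyone with write access can edit; the fingerprint is derived from the key material itself. Options such as from= and no-pty on keys that are not being rotated survive untouched.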

Pages 27-29: Identity & access management (diagram, built up over three slides)

Account
  Groups: Administrators, Developers, Applications
  Users: Bob, Kevin, Jim, Brad, Mark, Susan
  Applications: Tomcat, Reporting, Console
  Multi-factor authentication
  Roles: AWS system entitlements

Page 30: IAM policies

Policy driven
  Declarative definition of rights for groups
  Policies control access to AWS APIs

  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "elasticbeanstalk:*",
          "ec2:*",
          "elasticloadbalancing:*",
          "autoscaling:*",
          "cloudwatch:*",
          "s3:*",
          "sns:*"
        ],
        "Resource": "*"
      }
    ]
  }

Note that this example grants every action in seven services on every resource ("Resource": "*"); it shows the policy shape, not a least-privilege grant.
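A least-privilege check for policy documents like the one on the slide, as an added example in Python (not code from the deck). The first policy is the slide's own; the second is an assumed narrowing for the "instance can only read S3 bucket" role from the earlier slide, with a made-up bucket name. The checker reports wildcard actions, Resource "*", NotAction/NotResource grants, and a missing policy Version, which is how an instance role or group policy pasted from an example is caught before it reaches production.

```python
"""Least-privilege lint for IAM policy documents.
Added example for the "IAM policies" slide; not code from the original deck."""
from typing import Any, Dict, List

# The policy shown on the slide.
BROAD_POLICY: Dict[str, Any] = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                   "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
        "Resource": "*",
    }]
}

# Assumed narrowed policy for an instance role that may only read one bucket
# (bucket name example-app-assets is a placeholder).
READ_ONE_BUCKET: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-assets"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """Statement, Action and Resource may be a single value or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously over-broad."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version missing or old: policy variables and newer grammar unavailable")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource allows everything except the list")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: Resource * (every resource in the account)")
    return findings


def services_touched(policy: Dict[str, Any]) -> List[str]:
    """Service prefixes named in Allow statements, for a quick scope review."""
    prefixes = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow":
            for action in _as_list(st.get("Action", [])):
                prefixes.add(action.split(":", 1)[0])
    return sorted(prefixes)


if __name__ == "__main__":
    for name, pol in (("slide policy", BROAD_POLICY), ("read one bucket", READ_ONE_BUCKET)):
        print(name, services_touched(pol), *lint_policy(pol), sep="\n  ")
```

The two-statement shape of READ_ONE_BUCKET is deliberate: s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARNs, so a single statement with one Resource would either fail to list or fail to read.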

Page 31: 3. Think security

Page 32: Shared responsibility

Amazon
  Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

You
  Customer Data
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption & Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)

Pages 33-36: Understand your customer & form security stance

Leverage shared security model

Internal audience
  IAM
  Administration
  Architecture

External audience
  Your certifications
  Your processes
  Penetration test requests

Regulated audience
  AWS Certifications
  AWS White Papers
  AWS QSA Process

Pages 37-39: Understand your customer & form security stance

Engage with security assessors early in adoption cycle
  Don't fear assessment – AWS meets high standards (PCI, ISO27001, SOC2…)
  As with any infrastructure provider, security assessments take time
  Derive value from architecture reviews early in deployment cycle

Use comprehensive materials and certifications provided by AWS
  http://aws.amazon.com/security/
  Risk and compliance paper
  AWS security processes paper
  CSA consensus assessments initiative questionnaire

Build upon features of AWS and implement a 'security by design' environment

Leverage shared security model

Page 40: Build upon AWS features

IAM
  Control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)

APIs vs Instance
  Provide developer API credentials and control access to SSH keys

Temporary Credentials
  Prefer short-lived credentials (instance roles, STS) over long-lived API keys

Instance firewalls
  Firewall control on instances via Security Groups

CLIs and APIs
  Instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory enabled by the programmatic nature of AWS

Subnet control
  Create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs

Bastion hosts
  Only allow access for management of production resources from a bastion host. Turn off when not needed

Private connections to VPC
  Secured access to resources in AWS over software or hardware VPN and dedicated network links

Slide groupings: Tiered Access, Security Groups, VPC, Direct Connect & VPN

Page 41: 4. Architect to use cloud strengths

Page 42: Architect to use cloud strengths

Review application architectures early – assess fit for cloud
  e.g. Application performance improvement by migration of static content to S3/CloudFront

Can cloud benefits be leveraged with minimum effort outlay?
  e.g. variable capacity requirements, 'standard' technology stacks, reference architectures* (*http://aws.amazon.com/architecture)

Will cloud yield cost savings & agility improvements?
  e.g. Faster development cycles for dev/test, reduced cap-ex for application environments

Can automation lead to a more agile & secure service?
  e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments

Pages 43-46: Architect to use cloud strengths

Disposable compute
  Design systems that can suffer instance loss
  Dispose of compute when it is not required

Flexible capacity
  Design for systems that potentially scale from zero instances to hundreds
  Use Auto-scaling (events, schedules etc) to drive capacity availability

Cost effective & reliable storage
  Utilize 99.999999999% durability of objects in S3
  Scale databases with RDS and use DynamoDB for high throughput NoSQL

Automation and control
  Automate everything from scaling to instance recovery from failure

Page 47: Bootstrapping – custom AMIs

1 Create instance for your OS choice
2 Configure environment
3 Install software
4 Create AMI from instance
5 Launch fully configured instances from AMI

Diagram: Instance → AMI (custom machine image) → Auto-scaling, Manual deployments, Programmatic deployments

Page 48: Bootstrapping – metadata service

Metadata service contains a wealth of information about an instance: http://169.254.169.254/latest/meta-data

Keys include: ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id

Diagram: AMI (custom or standard machine image) → Instance ← Metadata Service: receive custom data to drive bootstrapping

Pages 49-50: Bootstrapping – metadata service + user data

Scripts in the user-data field of metadata will be executed on launch, e.g.

  #!/bin/sh
  yum -y install httpd
  chkconfig httpd on
  /etc/init.d/httpd start

Or, on Windows:

  <powershell>
  </powershell>

Use user data to:
  Install software e.g. web server, app server, proxy
  Pull data and application packages from S3
  Publish metadata for instance to other systems e.g. monitoring systems
  Setup security profile of instance based upon intended use e.g. pull latest config
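One caveat the metadata slides leave implicit: the service at 169.254.169.254 answers any process on the instance, including an application that can be made to fetch an attacker-supplied URL, and it is where an instance role's temporary credentials are served. So user data must never carry secrets, and metadata should be read the IMDSv2 way, which requires a session token obtained with a PUT before any GET. The example below (added here, not from the deck) does exactly that; because the real service is only reachable from inside an instance, the HTTP transport is injectable and a constructed FakeImds with made-up values stands in for it so the flow runs offline.

```python
"""Read EC2 instance metadata with IMDSv2 (session token first).
Added example for the metadata-service slides; not code from the original deck."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"          # 6 hours, the maximum IMDSv2 allows
Http = Callable[[str, str, Dict[str, str]], str]


def live_http(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport: one request with a short timeout (the service is link-local)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imdsv2_get(path: str, http: Http = live_http) -> str:
    """PUT for a session token, then GET the metadata path with the token header."""
    token = http("PUT", f"{IMDS}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    return http("GET", f"{IMDS}/latest/meta-data/{path.lstrip('/')}",
                {"X-aws-ec2-metadata-token": token})


def public_key_names(http: Http = live_http) -> List[str]:
    """Key-pair names listed under meta-data/public-keys/ (lines like '0=my-keypair')."""
    listing = imdsv2_get("public-keys/", http)
    return [line.split("=", 1)[1] for line in listing.splitlines() if "=" in line]


def v2_enforced(http: Http = live_http) -> bool:
    """True when a token-less GET (IMDSv1 style, what SSRF payloads send) is refused."""
    try:
        http("GET", f"{IMDS}/latest/meta-data/instance-id", {})
        return False
    except (PermissionError, urllib.error.HTTPError):
        return True


class FakeImds:
    """Constructed stand-in for the service: issues tokens on PUT, refuses GETs without one."""

    def __init__(self) -> None:
        self.tokens: Set[str] = set()
        self.data = {"instance-id": "i-0123456789abcdef0",   # made-up values
                     "public-keys/": "0=dev-keypair"}

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> str:
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            token = f"tok-{len(self.tokens)}"
            self.tokens.add(token)
            return token
        if method == "GET" and path.startswith("/latest/meta-data/"):
            if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
                raise PermissionError("401 Unauthorized: IMDSv2 token required")
            return self.data[path[len("/latest/meta-data/"):]]
        raise KeyError(path)


if __name__ == "__main__":
    # On an instance, drop the FakeImds() argument to use live_http.
    print(imdsv2_get("instance-id", FakeImds()))
```

A bootstrap script that reads its configuration this way works unchanged whether or not the instance has IMDSv2 enforced, while a script that issues plain GETs breaks the moment enforcement is turned on; v2_enforced() is the check to run from a fleet audit.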

Pages 51-56: Architect to use cloud strengths – five building blocks

1. Use multiple availability zones
2. Use RDS with replicas and slaves
3. Use auto-scaling groups
4. Use Elastic Load Balancing
5. Use Route53 to host DNS zones

Elastic Load Balancing
  Use at regional level: combined with autoscaling will balance requests and resource capacity across availability zones
  Within VPC: use to loadbalance between application tiers within an availability zone
  Instance migrations: easily move instances from dev environments to test environments by moving between ELBs

Route 53
  Leverage SLA: improve application reliability with Route 53's SLA on requests served
  Weighted routing: perform A/B analysis, and staged application roll-outs by moving a portion of traffic to new infrastructure
  Control TTLs and updates: take absolute control of DNS updates for more decisive system updates

RDS
  Scale databases without admin overhead: choose instance size for databases and scale up over time
  Add high availability from management console: create master-slave configurations and read-replicas. AWS takes care of the failover and recreation of a new slave in event of master DB loss

Auto-scaling
  Dynamically scale resources & control costs: only provision the resources that are required with scale up and cool down policies that match demand

Page 57: 5. Services not software

Page 58: Services not software

Chart: Self Managed Software & Infrastructure – 70% managing all of the "undifferentiated heavy lifting", 30% your business. AWS Cloud-Based Infrastructure & Services – 30% configuring your cloud assets, 70% more time to focus on your business.

Page 59: Services not software

Use RDS for databases
  Relational Database Service: Database-as-a-Service
  No need to install or manage database instances
  Scalable and fault tolerant configurations

Use DynamoDB for high performance key-value DB
  DynamoDB: Provisioned throughput NoSQL database
  Fast, predictable performance
  Fully distributed, fault tolerant architecture

Page 60: Services not software

Reliable message queuing without additional software
  Amazon SQS: Reliable, highly scalable queue service for storing messages as they travel between instances
  Diagram: task/processing trigger → Amazon SQS → Processing (auto-scaling) → Processing results

Push inter-process workflows into the cloud with SWF
  Simple Workflow: Reliably coordinate processing steps across applications
  Integrate AWS and non-AWS resources
  Manage distributed state in complex systems
  Diagram: Task A (1) → Task B (2, auto-scaling) → Task C (3)

Page 61: Services not software

Don't install search software, use CloudSearch
  Cloud Search: Elastic search engine based upon Amazon A9 search engine
  Fully managed service with sophisticated feature set
  Scales automatically
  Diagram: Document Server → Search Server → Results

Process large volumes of data cost effectively with EMR
  Elastic MapReduce: Elastic Hadoop cluster
  Integrates with S3 & DynamoDB
  Leverage Hive & Pig analytics scripts
  Integrates with instance types such as spot

Page 62: 6. Be elastic and cost optimized

Page 63: Be elastic and cost optimized

Scalability, Availability, Cost Optimization

Elastic Load Balancing, Auto-scaling policies, Instance types and sizes

Pages 64-65: Auto-scaling policies

Manually
  Send an API call or use CLI to launch/terminate instances – only need to specify capacity change (+/-)
  Preemptive manual scaling of capacity, e.g. before a marketing event add 10 more instances

By Schedule
  Scale up/down based on date and time
  Regular scaling up and down of instances, e.g. scale from 0 to 2 to process SQS messages every night or double capacity on a Friday night

By Policy
  Scale in response to changing conditions, based on user configured real-time monitoring and alerts
  Dynamic scale based upon custom metrics, e.g. SQS queue depth, average CPU load, ELB latency

Auto-Rebalance
  Instances are automatically launched/terminated to ensure the application is balanced across multiple AZs
  Maintain capacity across availability zones, e.g. instance availability maintained in event of AZ becoming unavailable

Page 66: Instance types (purchasing options)

On-demand instances
  Low cost and flexibility: pay as you go for compute power; Unix/Linux instances start at $0.02/hour
  Pay only for what you use, no up-front commitments or long-term contracts
  Use cases: applications with short term, spiky, or unpredictable workloads; application development or testing

Reserved instances
  Low cost / predictability: 1- or 3-year terms; pay low up-front fee, receive significant hourly discount
  Helps ensure compute capacity is available when needed
  Use cases: applications with steady state or predictable usage; applications that require reserved capacity, including disaster recovery

Spot instances
  Cost / large scale, dynamic workload handling: bid on unused EC2 capacity; Spot Price based on supply/demand, determined automatically
  Use cases: applications with flexible start and end times; applications only feasible at very low compute prices

Page 67: 7. Use frameworks

Page 68: Everything is programmable

Compute, Storage, Security, Scaling, Database, Networking, Monitoring, Messaging, Workflow, DNS, Load Balancing, Backup, CDN

Access everything via CLI, API or Console

Achieve the highest levels of automation sophistication with ease

Page 69: Quickly deploy and manage apps in AWS…

Elastic Beanstalk, CloudFormation, OpsWorks

Page 70: CloudFormation components & terminology

Template
  JSON formatted file
  Parameter definition
  Resource creation
  Configuration actions

Stack
  Configured AWS services
  Comprehensive service support
  Service event aware
  Customisable

Framework
  Stack creation
  Stack updates
  Error detection and rollback

Page 71: OpsWorks – powerful management framework with Chef support

Stack: managed environment
  Definition of environment such as production or test

Layers: collection of resources
  Blueprint for a collection of resources (instances, EBS, EIPs etc)

Management: management services
  Scaling, cloning, user access, self healing

Apps: your application assets
  Resources to deploy and run in layers

Page 72: 8. Get supported

Pages 73-77: Support offerings (built up one tier per slide)

Offering                     Basic                     Developer         Business             Enterprise
24x7x365                     ✓                         ✓                 ✓                    ✓
Forum Access                 ✓                         ✓                 ✓                    ✓
Documentation                ✓                         ✓                 ✓                    ✓
Access to support            Support for HealthChecks  Email             Phone, Chat, Email   Phone, Chat, Email
Named Contacts               -                         1                 5                    Unlimited
Fastest Response Time        -                         12 Hours          1 Hour               15 Minutes
Architecture Support         -                         Building Blocks   Use Case Guidance    Application Architecture
Best Practice                -                         ✓                 ✓                    ✓
Diagnostics Tools            -                         ✓                 ✓                    ✓
Direct Routing               -                         -                 ✓                    ✓
3rd Party Software           -                         -                 ✓                    ✓
Trusted Advisor              -                         -                 ✓                    ✓
Direct TAM Access            -                         -                 -                    ✓
White Glove Case Handling    -                         -                 -                    ✓
Management Business Review   -                         -                 -                    ✓

Pages 78-79: Trusted advisor

Business and Enterprise Support has been enhanced to include best practice audits via AWS Trusted Advisor

Security
  Open ports in Security Groups
  World access (/0 CIDR)
  IAM use

Fault Tolerance
  EBS snapshot age
  ELB Optimization
  Availability Zones

Cost Optimization
  Unused Elastic IPs
  Underutilized EC2 instances
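The "World access (/0 CIDR)" check above is also the first thing to script against the APIs, as the "CLIs and APIs" item on the Build upon AWS features slide suggests (audit the whole estate from scriptable APIs). The added example below serves both slides and is not code from the deck or from Trusted Advisor. Its input has the shape of `aws ec2 describe-security-groups` / boto3 `describe_security_groups()["SecurityGroups"]`; the SAMPLE groups are constructed so it runs offline, and the set of ports this deployment intends to expose publicly (80 and 443) is an assumption.

```python
"""Audit security groups for ingress open to the world (0.0.0.0/0 or ::/0).
Added example for the "CLIs and APIs" and "Trusted advisor" slides; not code
from the original deck."""
from typing import Any, Dict, Iterable, List, Set, Tuple

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS: Set[int] = {80, 443}       # assumption: the only ports meant to be public
ADMIN_PORTS = {22, 3389}                 # SSH / RDP open to the world is the high-severity case


def port_range(perm: Dict[str, Any]) -> Tuple[int, int]:
    """IpProtocol -1 means all traffic on all ports; ICMP rules use -1 as a port value."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def world_open_ingress(groups: Iterable[Dict[str, Any]],
                       public_ports: Set[int] = PUBLIC_PORTS) -> List[Dict[str, Any]]:
    """One finding per rule that admits 0.0.0.0/0 or ::/0 on anything but an intended
    public TCP port. Rules that reference another group (UserIdGroupPairs) carry no
    CIDR and are skipped."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            world = [c for c in cidrs if c in WORLD]
            if not world:
                continue
            lo, hi = port_range(perm)
            proto = perm.get("IpProtocol")
            if proto == "tcp" and lo == hi and lo in public_ports:
                continue  # the web tier is supposed to be reachable
            high = proto == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS)
            findings.append({"group": group["GroupId"], "name": group.get("GroupName", ""),
                             "protocol": proto, "ports": (lo, hi), "cidrs": world,
                             "severity": "high" if high else "medium"})
    return findings


def ingress(proto: str, lo: int, hi: int, cidr: str) -> Dict[str, Any]:
    """Build one IpPermissions entry in the API's shape (IPv6 when the CIDR has a colon)."""
    rng = {"Ipv6Ranges": [{"CidrIpv6": cidr}]} if ":" in cidr else {"IpRanges": [{"CidrIp": cidr}]}
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, **rng}


# Constructed sample: what describe-security-groups might return for a small estate.
SAMPLE: List[Dict[str, Any]] = [
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [ingress("tcp", 443, 443, "0.0.0.0/0")]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [ingress("tcp", 22, 22, "0.0.0.0/0")]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        ingress("tcp", 22, 22, "10.0.0.0/8"),
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-0web"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy",
     "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0dns", "GroupName": "dns",
     "IpPermissions": [ingress("udp", 53, 53, "0.0.0.0/0")]},
]


if __name__ == "__main__":
    # Live use: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for f in world_open_ingress(SAMPLE):
        print(f["severity"], f["group"], f["name"], f["protocol"], f["ports"], f["cidrs"])
```

The bastion finding is the one the slides' own advice resolves: restrict port 22 on the bastion to the office or VPN ranges and turn the host off when it is not needed. Running this on a schedule and diffing the output against the previous run turns the one-off Trusted Advisor check into a change detector.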

Pages 80-81: 3rd party software support enhancements

Operating Systems including:
  Amazon Linux
  Ubuntu
  Red Hat Enterprise Linux
  SUSE Linux
  Microsoft Windows 2003 & 2008 R2

Common application stack components including:
  Apache and IIS web servers
  Amazon SDKs
  Sendmail
  Postfix
  FTP
  Disk Management tools (LVM, RAID)
  VPN Solutions (OpenVPN, RRAS)
  Databases (MySQL, SQL Server)

Pages 82-83: Summary

Choose your use case well
Organize your environments
Think security
Architect to cloud strengths
Services not software
Be elastic & cost optimized
Use frameworks where appropriate
Get supported

Page 84: aws.amazon.com