AWS Architecture Fundamentals
AWS Services, Regions & Availability Zones
Services
Core Services
Regions
Regions and Availability Zones
• Global Resources
o IAM Users
o Route 53 Records
• Regional Resources
o S3 Buckets
o VPCs
o ELB
o EIPs
o EC2 key pairs (PEM keys)
• AZ Resources
o EBS Volumes
o EC2 Instances
o RDS Instances
o Subnets
o ENIs
AWS Security & Compliance
Security and Compliance – Shared Security Model
Security and Compliance – Security Groups
o Security Groups act as a stateful firewall attached to a resource (its network interface), not to a subnet
o They can be associated with resources independent of any subnet or CIDR range
o Security Groups are limited to the VPC in which you create them
Security and Compliance – Security Groups
o Deny by default
• IP whitelisting
• Specify a CIDR block that is allowed to reach resources in your AWS environment.
• The block can be as large or as small as you need.
• A /32 prefix whitelists a single IP (for example 50.99.20.230/32). The wider the block, the more hosts you are trusting; 0.0.0.0/0 opens the port to the whole Internet.
• Allow port and protocol
• You can allow TCP, UDP, ICMP or a combination of the three; narrow each rule to the ports the service actually listens on.
• No explicit deny
• Let’s say you want to block a malicious user coming from an IP in Amsterdam. A security group only has allow rules, so the only way to "block" one address would be to allow every CIDR range on either side of it, which is unwieldy and error prone. Blocking is a task for network ACLs, which are evaluated in rule-number order and support explicit deny rules.
Security and Compliance – Security Groups
o SG trust relationships
• A rule can name another security group as its source instead of a CIDR block
• These trust relationships link resources to security policies: any instance in the referenced group is allowed, whatever its IP address
• Not required to specify an IP address
• Trust relationships are only valid within a VPC
o Ingress and Egress
• EC2-classic security groups only have ingress rules
• VPC security groups have both ingress and egress rules; the default egress rule allows all outbound traffic, so tighten it where instances must not reach the Internet at will
• Security groups are stateful: the reply to an allowed connection is permitted automatically, without a matching rule in the other direction
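The difference between the two filters, as an added example rather than code from the deck or from AWS: a small Python model of a security group (allow-only, deny by default, rules may reference another group) next to a network ACL (ordered, with explicit deny, stateless). The rule sets and addresses are constructed for illustration; the admin /32 is the one used on the slide, the other addresses come from the RFC 5737 documentation ranges, and the group name sg-app is a placeholder.

```python
"""Model of how a VPC security group and a network ACL decide on a packet.

Added example; this is not code from the deck or from AWS. The rule sets are
constructed for illustration and mirror the documented semantics: a security
group has only allow rules, is deny-by-default and stateful; a network ACL is
evaluated in rule-number order, supports explicit deny and is stateless, so
return traffic on ephemeral ports needs its own rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: int = 0                # destination port (ignored for icmp)
    src_sg: Optional[str] = None  # sender's security group, if it is an instance in this VPC


@dataclass(frozen=True)
class Rule:
    proto: str                        # "tcp", "udp", "icmp" or "all"
    port_from: int = 0
    port_to: int = 65535
    cidr: Optional[str] = None        # CIDR source, or ...
    source_sg: Optional[str] = None   # ... a referenced security group (SG trust relationship)
    action: str = "allow"             # NACL rules may be "deny"; SG rules are always "allow"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, port and source match shared by both evaluators."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if pkt.proto != "icmp" and not (rule.port_from <= pkt.dport <= rule.port_to):
        return False
    if rule.source_sg is not None:
        return pkt.src_sg == rule.source_sg   # trust relationship: the IP is irrelevant
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.cidr)


def security_group_allows(rules: list, pkt: Packet) -> bool:
    """Security group: unordered allow-only rules; anything unmatched is denied."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot express deny rules; use a network ACL")
    return any(rule_matches(r, pkt) for r in rules)


def nacl_allows(rules: list, pkt: Packet) -> bool:
    """Network ACL: (rule_number, Rule) pairs evaluated in ascending order, first
    match wins; the implicit '*' rule at the end denies everything else."""
    for _num, rule in sorted(rules, key=lambda nr: nr[0]):
        if rule_matches(rule, pkt):
            return rule.action == "allow"
    return False


# Constructed rule sets (placeholder security group id "sg-app").
WEB_SG = [
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),        # HTTPS from anywhere
    Rule("tcp", 22, 22, cidr="50.99.20.230/32"),    # SSH only from the admin /32
    Rule("tcp", 3306, 3306, source_sg="sg-app"),    # MySQL only from the app tier's SG
]

# The "block one abusive address" case from the slide: a deny rule numbered below
# the general allow, which a security group cannot express.
PUBLIC_SUBNET_NACL = [
    (100, Rule("tcp", 443, 443, cidr="203.0.113.7/32", action="deny")),
    (200, Rule("tcp", 443, 443, cidr="0.0.0.0/0")),
    (210, Rule("tcp", 1024, 65535, cidr="0.0.0.0/0")),  # replies to outbound connections (stateless)
]


def reachable(pkt: Packet) -> bool:
    """An inbound packet must pass the subnet's NACL and then the instance's SG."""
    return nacl_allows(PUBLIC_SUBNET_NACL, pkt) and security_group_allows(WEB_SG, pkt)
```

Note the NACL's ephemeral-port rule (210): because NACLs are stateless it has to exist for replies to work, and it also admits unsolicited traffic to any high port; the security group behind it is what keeps that traffic out.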
AWS Architecture Fundamentals
Identity and Access Management
IAM Users
o Identity and Access Management
o Create Users and Groups
o Establish Trust Relationships
o Govern Access via Policy Documents
IAM - Groups, Roles & Instance Profiles
o Deny by default
 Explicit allow required to grant access
 Explicit deny always trumps an explicit allow
o Users/Groups
 Policies can be applied at the group or user level
o Roles
 Policies can be applied to roles
o Instance Profile
• The instance assumes the role attached to the profile
• Temporary credentials are fetched from the instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>)
• The response carries an Access Key ID, a Secret Access Key, a session token and an expiry; AWS rotates them before they expire
• Anything that can make an HTTP request from the instance, including an application with a server-side request forgery bug, can read them, so scope the role to what the instance actually needs; requiring IMDSv2 (a session token obtained with a PUT request) blunts the SSRF case
IAM - Instance Profiles
(Diagram: an Amazon EC2 instance with an instance profile whose role allows Amazon S3 access but nothing else; the instance can reach Amazon S3 but not Amazon DynamoDB.)
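An added example, not the deck's or AWS's own code, that models the decision rules above: a policy evaluator that is deny by default, needs an explicit Allow, and lets an explicit Deny override any Allow. The two policies are constructed: the instance-profile role from the diagram (S3 and nothing else) and a guard-rail that refuses bucket deletion unless MFA was used. Bucket names are placeholders, and only the BoolIfExists condition operator is modelled.

```python
"""Minimal model of IAM policy evaluation.

Added example; not code from the deck or from AWS. The policy documents are
constructed for illustration. The decision logic follows the documented
rules: every request is denied by default, an explicit Allow is required, and
an explicit Deny in any applicable statement overrides every Allow.
"""
import re


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard(pattern: str, value: str) -> bool:
    """IAM-style wildcard: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """Does this statement cover the action, resource and request context?"""
    # Action names are matched case-insensitively; ARNs are case-sensitive.
    if not any(_wildcard(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wildcard(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    # Only BoolIfExists is modelled: true when the key is absent from the request,
    # otherwise the request value must equal the expected one.
    for key, expected in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key in context and str(context[key]).lower() != str(expected).lower():
            return False
    return True


def evaluate(policies: list, action: str, resource: str, context: dict = None) -> str:
    """Return 'Allow' or 'Deny' for one request across every attached policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until some statement allows
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of any Allow
            decision = "Allow"
    return decision


# Constructed policies: the instance-profile role from the diagram (S3 and nothing
# else) plus a guard-rail that refuses bucket deletion unless MFA was used.
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
MFA_FOR_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}
ROLE_POLICIES = [S3_ONLY, MFA_FOR_DELETE]
```

The BoolIfExists form matters: with plain Bool, a request that carries no MFA key at all (long-term access keys never do) would not match the Deny and would slip through.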
IAM - Instance & Account
o Instance
• EC2 key pairs (PEM files)
• Use SSH with the private key to access Linux instances; AWS keeps only the public half, so guard the PEM file (mode 0600, never checked into source control) and replace the key pair if it leaks
• Use the AWS console and the instance's private key to decrypt the Administrator password for Windows instances
o Account
• Master/Root account permissions
• Always treat the root account credentials as if they could launch an ICBM
• Allow by default: the root account is not subject to IAM policies, so do day-to-day work as IAM users and roles instead
• Enable MFA on the root account and delete any root access keys
AWS Virtual Private Cloud Overview
Virtual Private Cloud – Overview
Virtual Private Cloud – Network and Subnets
• Network Topology
o Private address space
• Any range is valid, but use an RFC 1918 (non-routable) CIDR that does not overlap your on-premises networks or any VPC you may later peer with
• If you use a publicly routable range inside the VPC, those addresses are still only reachable through a Virtual Private Gateway, not from the Internet
• VPC CIDR ranges can be as large as /16 and as small as /28
• Subnets
o Public subnets have a 0.0.0.0/0 route to the Internet Gateway (IGW)
• Instances that require a public IP need to reside in a public subnet
o Private subnets have no route through the IGW
• A NAT instance (or NAT gateway) in a public subnet is commonly used as the outbound gateway for private instances; inbound connections from the Internet remain impossible
o A subnet lives in exactly one AZ and cannot span AZs; create one subnet per AZ and attach them to the same route table to get equivalent behaviour in every AZ.
Virtual Private Cloud – Route Tables
• Route Tables
o One route table can be associated with multiple subnets; each subnet has exactly one
o Routes are chosen by longest prefix match, so the local route for the VPC CIDR always wins over the default route
o Typical routing entries
• 10.0.0.0/16 = local (the VPC CIDR; this route cannot be removed)
• 0.0.0.0/0 = Internet Gateway
(Public Subnet)
• -or-
• 0.0.0.0/0 = eni-12345678, the network interface of the NAT instance
(Private Subnet)
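The CIDR rules and the route lookup from the last two slides, as an added example in Python (not code from the deck or from AWS). The VPC CIDR, the subnets and the gateway id igw-1a2b3c4d are constructed; eni-12345678 is the placeholder used on the slide. The checks catch the three mistakes that are painful to fix after launch: a VPC CIDR outside /16../28 or outside RFC 1918, subnets that overlap or fall outside the VPC, and the expectation that a default route could ever capture VPC-internal traffic.

```python
"""CIDR sanity checks and longest-prefix route lookup for a VPC layout.

Added example; not code from the deck or from AWS. The VPC CIDR, subnets and
gateway id are constructed; eni-12345678 is the placeholder used on the slide.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str) -> list:
    """Warnings for a proposed VPC CIDR; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr, strict=False)
    warnings = []
    if net.with_prefixlen != cidr:
        warnings.append(f"{cidr}: host bits set, network is really {net}")
    if not 16 <= net.prefixlen <= 28:
        warnings.append(f"{cidr}: VPC CIDR must be between /16 and /28")
    if not any(net.subnet_of(p) for p in RFC1918):
        warnings.append(f"{cidr}: not RFC 1918; instances will shadow real Internet hosts")
    return warnings


def check_subnets(vpc: str, subnets: list) -> list:
    """Subnets must sit inside the VPC CIDR and must not overlap one another."""
    v = ipaddress.ip_network(vpc)
    nets = [ipaddress.ip_network(s) for s in subnets]
    problems = [f"{n} is outside {v}" for n in nets if not n.subnet_of(v)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def lookup(route_table: dict, dst: str) -> str:
    """Longest-prefix match, as the VPC router does: the local route for the VPC
    CIDR beats 0.0.0.0/0, so VPC-internal traffic never leaves via the IGW or NAT."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, "blackhole"   # no matching route: packet is dropped
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Constructed layout: one public and one private route table in a 10.0.0.0/16 VPC.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = {VPC_CIDR: "local", "0.0.0.0/0": "igw-1a2b3c4d"}     # public subnet
PRIVATE_RT = {VPC_CIDR: "local", "0.0.0.0/0": "eni-12345678"}    # NAT instance's ENI
```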
Virtual Private Cloud – Peering
 Peering
o VPC -> VPC peering
o Unique CIDR
o VPN solutions
 OpenVPN
 OpenSwan
AWS Elastic Compute Overview
EC2 - AMI
 AMI
 Instances are based on an Amazon
Machine Image
 You can create new AMIs from a
running instance
 AMIs are stored in S3 for 11 9’s of
durability
 AMIs are unique to each region
EC2 - Instance Types
 Instance Types
 Choosing the correct instance type for the required workload
o T2 for utility and testing
o M3 for general purpose
o R3 for memory heavy applications
o C3 for compute heavy applications
o G2 for GPU intensive applications
o I2 for storage heavy applications (random)
o HS1 for storage heavy applications (sequential)
EC2 - Running Instances
 Running instances
 Instances are launched into an existing VPC subnet, or into EC2-classic
• CloudWatch monitoring is enabled by default
o CPU Utilization and Network I/O are the primary data points of interest
o Memory and disk usage are not visible to the hypervisor; they require an additional script on the instance that posts to a custom CloudWatch metric
 Status checks
o OS check
o Network reachability check
EC2 - Monitoring
EC2 - Bootstrapping
• User Data
• Provides a hook to inject a script into any standard instance you launch
o Supported by the Amazon Linux, Windows and Ubuntu AMIs
o User Data can only be modified while the instance is stopped
o User Data is readable by any process on the instance through the metadata service (http://169.254.169.254/latest/user-data), so never put secrets in it
• Suggested patterns
o Install security updates
• yum update -y
o Install middleware
• yum install -y httpd
• chkconfig httpd on
o Download and execute a remote script
• Assign an IAM instance profile to the EC2 instance so the script can be fetched without baking access keys into user data
• aws s3 cp s3://mybucket/myscript.sh /tmp/myscript.sh
• chmod +x /tmp/myscript.sh && /tmp/myscript.sh
• Anyone who can write to that bucket can run code as root on every instance that boots, so lock the bucket down and verify the script's checksum before executing it
EC2 - Pricing
o Pricing
• On Demand
• This is the most common and flexible pricing option
• Pay only for what you use
• Stopped instances do not accrue hourly compute charges (attached EBS volumes and unassociated Elastic IPs are still billed)
• Pay by the instance hour
 Reserved
 Light
o Small capex hit with a slightly reduced per/hour charge
 Medium
o Medium capex hit with a moderately reduced per/hour charge
 Heavy
o Large capex hit with a greatly reduced per/hour charge
o Always accruing charges, even when the instance is stopped
o This is the only selection which provides a true capacity reservation
EC2 - Pricing
 Spot
 Useful for “worker pool”
scenarios
o Transcode, map reduce
task nodes
 Can be lost as soon as
someone is willing to pay
more for that instance
AWS Elastic Load Balancing Overview
Elastic Load Balancer - Overview
Elastic Pool of Virtual Load Balancers
• Public Side
• Consists of an endpoint which is the equivalent of a traditional VIP
• Does not use a static IPv4; you are given a DNS name to alias or CNAME to
• The endpoint will not always resolve to the same IP, so never hard-code or whitelist the address
o How do you deal with this for the zone apex? Use a Route 53 Alias record, since a CNAME is not allowed at the apex
• Private Side
• Minimum of one virtual ELB node per AZ
• Private IPs will differ and change, code accordingly (allow the ELB's security group, not its IPs, in backend security groups)
• X-Forwarded-For carries the client IP; the backend otherwise sees only ELB addresses. Trust only the entry the ELB appended (the last one); anything before it was supplied by the client and may be forged
• Pre-warm ELBs before known traffic spikes
• Certificate Termination
• Only one SSL certificate per HTTPS listener
• Multi-domain (SAN) certificates are valid
• Wildcard certificates are valid
• If ELB termination is not an option, use a TCP 443->443 listener; the ELB then cannot insert X-Forwarded-For, so enable Proxy Protocol if the backend needs the client address
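The X-Forwarded-For point above, as an added example (not code from the deck): the naive parser that takes the first entry, which the client controls, beside one that takes the entry appended by the proxies we own. Header values and the ELB node address 10.0.1.20 are constructed; the generalization to more than one trusted hop (a CDN in front of the ELB) goes beyond the slide.

```python
"""Recovering the real client address behind an ELB from X-Forwarded-For.

Added example; not code from the deck. Header values are constructed. The ELB
appends the address it saw to the end of the header, so with one ELB in front
of the backend only the right-most entry can be trusted; anything to its left
arrived inside the client's request and may be forged.
"""
import ipaddress
from typing import Optional


def naive_client_ip(xff: Optional[str], peer_ip: str) -> str:
    """The common mistake: take the first entry, which the client controls."""
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip(xff: Optional[str], peer_ip: str, trusted_hops: int = 1) -> str:
    """Client address as seen by the outermost proxy that we control.

    peer_ip is the TCP peer (an ELB node). trusted_hops is the number of proxies
    we operate in front of the backend: 1 for a lone ELB, 2 for CDN -> ELB.
    """
    if not xff:
        return peer_ip  # no header: direct hit, or a TCP (pass-through) listener
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return peer_ip  # fewer entries than proxies we own: not built by them
    candidate = hops[-trusted_hops]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # not an address at all: refuse to log or whitelist on it
    return candidate


def allowed_by_whitelist(xff: Optional[str], peer_ip: str, cidrs: list) -> bool:
    """Whitelist decision that is immune to a forged leading X-Forwarded-For entry."""
    ip = ipaddress.ip_address(client_ip(xff, peer_ip))
    return any(ip in ipaddress.ip_network(c) for c in cidrs)
```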
ELB – Spans Multiple Availability Zones
AWS Auto Scaling Overview
 Auto Scaling Key Features
 Adds or removes servers based on load
 Self-healing pool of resources
 Every instance is based on a “gold” master image
Auto Scaling - Overview
 Auto scaling group
 Instance location
o Subnet
o Load Balancer
 Number of instances
o Min
o Max
o Desired
 Launch config
 Instance details
o Size
o PEM key
o IAM Profile
o Security Group(s)
o User data
Auto Scaling - Components
Auto Scaling - Multi-AZ
 Multi-AZ Auto Scaling
 Highly Available
 Production Standard
 Spans Datacenters
Auto Scaling - CloudWatch
CloudWatch is the final piece of the auto scaling puzzle. You can create alarms based on instance
metrics which trigger auto scaling actions
Scaling policies
Scale up alarm
• Execute policy when: CPU is greater than 60%
• Take the action: Add 2 instances
• And then wait: 10 minutes
Scale down alarm
• Execute policy when: CPU is less than 20%
• Take the action: Remove 2 instances
• And then wait: 10 minutes
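The two alarms above, run against an auto scaling group in a small simulation. This is an added example, not code from the deck or from AWS; the CPU series is constructed. It shows what the list alone does not: the "and then wait" cooldown stops the group from reacting again on every evaluation period, and desired capacity is clamped to the group's min/max no matter how often an alarm fires.

```python
"""Simulation of the slide's two scaling alarms against an auto scaling group.

Added example; not from the deck or from AWS. The CPU series is constructed.
"""
from dataclasses import dataclass


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    cooldown: int = 10       # minutes to wait after a scaling action
    cooldown_left: int = 0   # minutes remaining before the next action may run


def apply_alarms(group: AutoScalingGroup, cpu_pct: float) -> int:
    """One evaluation period of the slide's policies; returns instances added (+/-)."""
    if group.cooldown_left > 0:
        group.cooldown_left -= 1
        return 0
    if cpu_pct > 60:
        change = 2           # scale-up alarm: add 2 instances
    elif cpu_pct < 20:
        change = -2          # scale-down alarm: remove 2 instances
    else:
        return 0
    target = max(group.min_size, min(group.max_size, group.desired + change))
    applied = target - group.desired
    group.desired = target
    if applied:
        group.cooldown_left = group.cooldown
    return applied


def simulate(cpu_by_minute: list, group: AutoScalingGroup) -> list:
    """Desired capacity after each minute of the (constructed) CPU series."""
    trajectory = []
    for cpu in cpu_by_minute:
        apply_alarms(group, cpu)
        trajectory.append(group.desired)
    return trajectory
```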
AWS Route 53 Overview
Route53 - Basic Feature Set
 Zone Creation
 Zone Import
o Import your zone file from a previous provider
o Delegate this zone to the AWS name servers
• Record Types
o A
o CNAME
o MX, TXT (SPF and DKIM keys are published as TXT records)
o Alias (Route 53 specific)
o S3 buckets and ELBs can be an alias target, which lets a record at the zone apex point at an ELB even though a CNAME is not allowed there
Route53 - Advanced Feature Set
 Weighted record sets
 Health Checks
 Global Load Balancer
o Using weighted record sets, you can create a pool of endpoints from which to balance traffic
o Enabling a health-check on this pool allows for a DNS based load balancer which can be
applied to any resource (AWS or non-AWS)
 Latency Based Routing
Route53 – Global Failover
 Global Failover Pattern
 Uses R53 Health Checks
(Diagram: Route 53 serves myapp.example.com from the Virginia Region and fails over to the Ireland Region when the health check fails.)
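A model of the weighted routing, health checks and global failover from the last three slides, as an added example (not code from the deck or from Route 53 itself). The endpoint names, weights and health states are constructed. It shows the two behaviours the pattern relies on: an endpoint whose health check fails drops out of the weighted pool, and a failover record answers with the secondary only while the primary is unhealthy. The fail-open rule (when no record is healthy, all are treated as healthy) is Route 53's documented behaviour and is worth knowing before relying on health checks as a kill switch.

```python
"""Model of Route 53 weighted routing with health checks and active/passive failover.

Added example; not code from the deck or from Route 53. Endpoints, weights and
health states are constructed.
"""
import random
from collections import Counter


def weighted_answer(records: list, healthy: set, rng: random.Random) -> str:
    """records: (value, weight) pairs. Answer from the healthy records in proportion
    to weight. With no healthy record Route 53 fails open and treats all of them as
    healthy rather than returning an empty answer."""
    pool = [(v, w) for v, w in records if v in healthy]
    if not pool:
        pool = list(records)
    total = sum(w for _, w in pool)
    if total == 0:                      # all weights zero: pick uniformly
        return rng.choice(pool)[0]
    r = rng.uniform(0, total)
    for value, weight in pool:
        r -= weight
        if r <= 0:
            return value
    return pool[-1][0]


def answer_distribution(records: list, healthy: set, queries: int = 2000, seed: int = 1) -> Counter:
    """How many of `queries` resolutions each endpoint received (deterministic seed)."""
    rng = random.Random(seed)
    return Counter(weighted_answer(records, healthy, rng) for _ in range(queries))


def failover_answer(primary: str, secondary: str, healthy: set) -> str:
    """Active/passive failover record: the secondary answers only while the primary's
    health check fails."""
    return primary if primary in healthy else secondary


# Constructed pool for myapp.example.com: the Virginia ELB takes 3/4 of the traffic.
POOL = [("virginia-elb.example.com", 3), ("ireland-elb.example.com", 1)]
```

Resolvers and clients cache answers for the record's TTL, so failover is only as fast as the TTL plus the health-check interval; keep the TTL on these records short.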
AWS Directory Service
Directory Service - Overview
o Two types of directory services: Simple AD and AD Connector
o Simple AD
• Create your own authoritative directory managed within AWS
• Users and Groups can be created directly in the AWS console
• Windows servers can auto-join this domain as they would in an AD environment
• Manage AWS resources using your Simple AD credentials
o AD Connector
• Connect your on-prem AD to your AWS account; no directory data is copied into AWS, the connector proxies requests to your domain controllers
• Associate AD users/groups with IAM users/groups
• Windows servers can auto-join this domain as they would in an AD environment
• Manage the AWS console using your AD credentials
Directory Service – AD Connector
• Active Directory Connector instances
are launched into your VPC
• AD Connectors communicate with on-
prem AD servers
• AD credentials are no longer
necessary when joining instances to a
domain (Auto-Join)
AD Connector - Single Sign On Flow
AWS Data Storage Overview
Traditional Platform - Storage Architecture
In the old days…
• Hardware acquisition and datacenter space required
advanced planning
• Disk space and I/O allocation juggling for the entire
application lifecycle
• Volume and file redundancy not built-in
• Capital commitment and refresh budget
considerations
(Diagram: a physical server head with local volumes (/root or C:, swap/pagefile, temp dir, /app, /data, Program Files, Data); a NAS or file server exposing /DirShare01/ (File01, File02) and /DirShare02/ (File01) over SMB/CIFS; a tape library holding ArchiveVol01 and ArchiveVol02; and platform monitoring tools.)
AWS Instance Volumes and Data Storage
The new [improved] way of doing things…
• Elastic pay-as-you-go model
• Redundancy and snapshot utilities built-in
• New APIs and tools simplify application development,
administration and data lifecycle management
Elastic Block Store (EBS) - Overview
Block storage ideal for creating versatile OS volumes
• Define type, size and optionally I/O capacities [within service limits]
• Magnetic, SSD and Provisioned IOPS
• Mount to a single instance, similar to local drive
• Simplified Encryption options
Persistent and durable
• Redundant copies stored in single AZ
• Not permanently bound to a server instance and will survive server crash or shutdown
Snapshot capabilities for point-in-time backups
• Resizing and duplicating volumes
• Moving across AZs; Exporting across Regions
Performance metrics available through CloudWatch
Elastic Block Store (EBS) – Best Practices
Recommended for applications
• Making frequent data changes
• Requiring consistent I/O performance
• Needing to persist data beyond server instance stop/start cycles
• Requiring fine-grain control of raw, unformatted data blocks
Define appropriate configuration options
• EBS Optimized instances can handle higher I/O bandwidth
• Underlying technology (Magnetic, General Purpose (SSD), Provisioned IOPS (SSD)
Pre-warm volumes
(Diagram: the same volume layout (/root or C:, swap/pagefile, temp dir, /app, /data, Program Files, Data) on EBS volumes attached to a virtual server head.)
Ephemeral Drives (EC2 Instance Store) Overview
Block device attached to the host machine
• Available to server instance
• May be mounted and used for temporary storage
• No additional usage charges for disk space or I/O
Not redundant: no built-in RAID or snapshot function
Data loss will result if any of the following occur:
• Host server or instance crash
• Instance termination
• Disk failure
(Diagram: the same volume layout (/root or C:, swap/pagefile, temp dir, /app, /data, Program Files, Data) on instance store volumes attached to a virtual server head.)
Simple Storage Service (S3) – Overview
Object storage container with virtually unlimited capacity
• Store files (objects) in containers (buckets)
• Redundant copies across facilities for high durability and availability
• Reachable over the Internet via REST requests directly or through the SDKs; use the HTTPS endpoints so credentials and data are not sent in the clear
• Multiple strategies to secure contents
• Bucket policies, IAM policies and ACLs; buckets are private by default, and a policy granting access to "*" makes the contents public, so review every policy before granting anonymous access
• MFA can be required for sensitive operations (MFA Delete on versioned buckets, or an MFA condition in a policy)
• Encryption: server-side (AWS manages the keys) or client-side (you encrypt before upload)
• Server access logging (optional) records every request made against the bucket
• Built-in tools for managing versioning, object lifecycle and creating static websites
• Low pay-as-you-go pricing, a function of storage amount (~$.03/GB/month) plus metering of I/O requests
(Diagram: Amazon S3 buckets /mybucket01/ holding File01 and File02 and /mybucket02/ holding File01, accessed over HTTP/HTTPS.)
Amazon Glacier - Overview
Storage service optimized for reliable and low cost storage of archive data
• Data objects are securely archived, however not immediately accessible
• Create vaults (containers) to hold archives (any file based object)
• Upload archives programmatically
• Submit requests to retrieve archives. Available in about 4 hours
• Cost is approximately $.01/GB/Month plus modest API and retrieval charges [if applicable]
AWS Structured Data Services
AWS Structured Data Services
• Deploying structured data systems (for example SQL, NoSQL and Data Warehouse
applications) in a traditional environment may be complex, costly, and time consuming
• Amazon provides a set of structured data services with the following advantages:
• Simple to deploy, operate and scale
• Many common administrative and operational tasks are automated
• Pay-as-you-go pricing
• Support for a wide variety of standard and emerging application models
Relational Database Service (RDS)
Fully managed relational database service offering popular engines with the following key advantages:
• Amazon manages resource redundancy, software patching, backups, failure detection and recovery
• Ability to size specific resources to cost-effectively scale your application
• Pay-as-you-go model with the license included, or bring your own license [check the fine print to ensure license compliance]
• Streamlined management options to configure highly available active/passive (Multi-AZ) topologies, create database snapshots and deploy test instances
DynamoDB
Fully managed NoSQL database service offering the following key advantages:
• Seamless and virtually unlimited scalability conveniently managed automatically by Amazon
• Ability to define specific resource allocation limits to ensure predictable performance while
containing costs
• Easy administration and well-supported development model
• Integration with other core Amazon data services (for example Redshift and EMR)
Redshift
Fully managed Enterprise-class data warehouse service offering the following advantages:
• High performance, massively parallel columnar storage architecture providing streamlined
scalability
• Mainstream SQL query syntax allowing for rapid platform adoption
• Flexible node type and RI options allowing for workload alignment and cost efficiency
General Information
Contact Us
1-888-317-7920
info@2ndwatch.com
www.2ndwatch.com
Randall Barnes
Principal Architect
rbarnes@2ndwatch.com
Travis Greenstreet
Senior Cloud Architect
travis@2ndwatch.com
Locations
SEATTLE
NEW YORK
VIRGINIA
ATLANTA
PHILADELPHIA
HOUSTON
LIBERTY LAKE
LOS ANGELES
CHICAGO
Thank You | Questions?

More Related Content

PDF
Aws Architecture Fundamentals | Dallas
PPTX
Introduction to AWS VPC, Guidelines, and Best Practices
PDF
Aws Architecture Fundamentals
PPTX
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
PPTX
Introduction to GCP (Google Cloud Platform)
PPTX
PPTX
Introduction to Google Cloud Services / Platforms
PDF
Cloud service providers
Aws Architecture Fundamentals | Dallas
Introduction to AWS VPC, Guidelines, and Best Practices
Aws Architecture Fundamentals
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Introduction to GCP (Google Cloud Platform)
Introduction to Google Cloud Services / Platforms
Cloud service providers

What's hot (20)

PDF
AWS Certified Cloud Practitioner Course S11-S17
PDF
AWS IAM -- Notes of 20130403 Doc Version
PPTX
Let's Talk About: Azure Networking
PPTX
Azure storage
PDF
Amazon Sagemaker Studio를 통한 ML개발하기 - 소성운(크로키닷컴) :: AWS Community D...
PPTX
PDF
AWS EC2
PPT
Intro to Amazon S3
PPTX
What is AWS?
PDF
오토스케일링 제대로 활용하기 (김일호) - AWS 웨비나 시리즈 2015
PDF
Google cloud platform introduction
PDF
AWS AutoScaling
PPTX
Azure Cloud Governance
PPTX
Azure Introduction
PPTX
Microsoft azure backup overview
PPTX
ABCs of AWS: S3
PPTX
Migration into a Cloud
PDF
AWS 엣지 서비스를 통한 글로벌 서비스 관리 전략 - AWS Summit Seoul 2017
PPTX
AWS solution Architect Associate study material
PPTX
Cloud Computing Security
AWS Certified Cloud Practitioner Course S11-S17
AWS IAM -- Notes of 20130403 Doc Version
Let's Talk About: Azure Networking
Azure storage
Amazon Sagemaker Studio를 통한 ML개발하기 - 소성운(크로키닷컴) :: AWS Community D...
AWS EC2
Intro to Amazon S3
What is AWS?
오토스케일링 제대로 활용하기 (김일호) - AWS 웨비나 시리즈 2015
Google cloud platform introduction
AWS AutoScaling
Azure Cloud Governance
Azure Introduction
Microsoft azure backup overview
ABCs of AWS: S3
Migration into a Cloud
AWS 엣지 서비스를 통한 글로벌 서비스 관리 전략 - AWS Summit Seoul 2017
AWS solution Architect Associate study material
Cloud Computing Security
Ad

Similar to Aws Architecture Fundamentals (13)

PDF
AWS BaseCamp: AWS Architecture Fundamentals
PDF
AWS Architecture Fundamentals - Houston
PDF
Amazon cloud intance launch
PDF
Amazon cloud intance launch3
PDF
Amazon cloud intance launch3
PPTX
Securing AWS environments by Ankit Giri
PPTX
Hack proof your aws cloud cloudcheckr_040416
PDF
AWS Certified Solutions Architect Associate Notes.pdf
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
PDF
Practical AWS Security - Scott Hogg
PDF
Datensicherheit mit AWS - AWS Security Web Day
PDF
AWS Security Best Practices (March 2017)
AWS BaseCamp: AWS Architecture Fundamentals
AWS Architecture Fundamentals - Houston
Amazon cloud intance launch
Amazon cloud intance launch3
Amazon cloud intance launch3
Securing AWS environments by Ankit Giri
Hack proof your aws cloud cloudcheckr_040416
AWS Certified Solutions Architect Associate Notes.pdf
Hackproof Your Cloud: Responding to 2016 Threats
Practical AWS Security - Scott Hogg
Datensicherheit mit AWS - AWS Security Web Day
AWS Security Best Practices (March 2017)
Ad

More from 2nd Watch (20)

PPTX
Managing Multi-Cloud and On-Premises with Microsoft Azure
PDF
Containers, from Production to Development
PDF
Containers, From Development to Production
PDF
Getting Started with VMware Cloud on AWS
PDF
Operating Windows on AWS Using SSM
PDF
Cloud Optimization: Filling in the Gaps
PDF
Automated Security & Continuous Compliance on Microsoft Azure
PDF
Migrating Your Windows Datacenter to AWS
PDF
Single Realm Multi-Cloud Security Management with Palo Alto Networks
PDF
Drive Thru DevOps, Moving Forward Securely
PDF
Secure Clouds are Happy Clouds
PDF
Money Pitfalls and Failed Expectations: Optimizing Essentials for the Cloud
PDF
Big data and Analytics on AWS
PPTX
Enabling High Performance IT with 2nd Watch, Docker & AWS
PDF
Backup to the Cloud
PDF
Enterprise Management for the AWS Cloud
PPTX
Backup on the cloud 10.1.13
PDF
Optimizing your cloud
PPTX
Backup on the cloud Webinar
PPTX
Building Bulletproof Infrastructure on AWS
Managing Multi-Cloud and On-Premises with Microsoft Azure
Containers, from Production to Development
Containers, From Development to Production
Getting Started with VMware Cloud on AWS
Operating Windows on AWS Using SSM
Cloud Optimization: Filling in the Gaps
Automated Security & Continuous Compliance on Microsoft Azure
Migrating Your Windows Datacenter to AWS
Single Realm Multi-Cloud Security Management with Palo Alto Networks
Drive Thru DevOps, Moving Forward Securely
Secure Clouds are Happy Clouds
Money Pitfalls and Failed Expectations: Optimizing Essentials for the Cloud
Big data and Analytics on AWS
Enabling High Performance IT with 2nd Watch, Docker & AWS
Backup to the Cloud
Enterprise Management for the AWS Cloud
Backup on the cloud 10.1.13
Optimizing your cloud
Backup on the cloud Webinar
Building Bulletproof Infrastructure on AWS

Recently uploaded (20)

PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PPTX
Cloud computing and distributed systems.
PPTX
Big Data Technologies - Introduction.pptx
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Machine learning based COVID-19 study performance prediction
PDF
Advanced Soft Computing BINUS July 2025.pdf
PDF
Electronic commerce courselecture one. Pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
KodekX | Application Modernization Development
Review of recent advances in non-invasive hemoglobin estimation
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
The AUB Centre for AI in Media Proposal.docx
Advanced methodologies resolving dimensionality complications for autism neur...
Mobile App Security Testing_ A Comprehensive Guide.pdf
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Cloud computing and distributed systems.
Big Data Technologies - Introduction.pptx
Spectral efficient network and resource selection model in 5G networks
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Chapter 3 Spatial Domain Image Processing.pdf
The Rise and Fall of 3GPP – Time for a Sabbatical?
Reach Out and Touch Someone: Haptics and Empathic Computing
NewMind AI Monthly Chronicles - July 2025
Machine learning based COVID-19 study performance prediction
Advanced Soft Computing BINUS July 2025.pdf
Electronic commerce courselecture one. Pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
“AI and Expert System Decision Support & Business Intelligence Systems”
KodekX | Application Modernization Development

Aws Architecture Fundamentals

  • 2. AWS Services, Regions & Availability Zones
  • 6. Regions and Availability Zones  Global Resources  IAM Users  Route 53 Records  Regional Resources  S3 Buckets  VPCs  ELB  EIPs  PEM keys  AZ Resources  EBS Volumes  EC2 Instances  RDS Instances  Subnets  ENIs
  • 7. AWS Security & Compliance
  • 8. Security and Compliance – Shared Security Model
  • 9. Security and Compliance – Security Groups o Security Groups are similar to a firewall rule o They can be associated to resources independent of a subnet or CIDR range o Security Groups are limited only to the VPC in which you create them
  • 10. Security and Compliance – Security Groups o Deny by default  IP Whitelisting  Specify a CIDR block that is allowed to access resources in your AWS environment.  This can be as large or small as you desire, giving it extreme flexibility.  Specifying a 32 bit block will whitelist a single IP ( 50.99.20.230/32 )  Allow port and protocol  You can allow TCP, UDP, ICMP or a combination of all three  No explicit deny  Let’s say you want to block a malicious user coming from an IP in Amsterdam. While it would be possible to explicitly allow all CIDR ranges on either side of an IP, it would be unwieldy. This is a task best left to ACL’s.
  • 11. Security and Compliance – Security Groups o SG trust relationships  SGs can establish trust relationships  These trust relationships link resources and security policies  Not required to specify an IP address  Trust relationships are only valid within a VPC o Ingress and Egress  EC2-classic security groups only have ingress rules  VPC security groups have both ingress and egress  Security groups are stateful
  • 13. Identity and Access Management
  • 14. IAM Users o Identity and Access Management o Create Users and Groups o Establish Trust Relationships o Govern Access via Policy Documents
  • 15. IAM - Groups, Roles & Instance Profiles o Deny by default  Explicit allow required to grant access  Explicit deny always trumps an explicit allow o Users/Groups  Policies can be applied at the group or user level o Roles  Policies can be applied to roles o Instance Profile  Assumes role  Credentials are stored in instance metadata  Only Access Key ID and Temporary Token
  • 16. Amazon S3 Amazon DynamoDB Role: Allow Amazon S3 access but nothing else Amazon EC2 Instance EC2 Instance Profiles Overview of AWS IAM Identity & Access Management IAM - Instance Profiles
  • 17. IAM - Instance & Account o Instance  PEM keys  Use SSH with the PEM to access Linux instances  Use the AWS console and the instance PEM to decode the Administrator password for Windows instances o Account  Master/Root Account Permissions  Always treat the master account credentials as if they could launch an ICBM  Allow by default  MFA
  • 18. AWS Virtual Private Cloud Overview
  • 19. Virtual Private Cloud – Overview
  • 20. Virtual Private Cloud – Overview
  • 21. Virtual Private Cloud – Overview
  • 22. Virtual Private Cloud – Overview
  • 23. Virtual Private Cloud – Overview
  • 24. Virtual Private Cloud – Network and Subnets  Network Topology o Private address space  Any range is valid, but we suggest a non-routable CIDR  Public CIDR ranges are only reachable via a Virtual Private Gateway  CIDR ranges can be as large as a /16 to as small as a /28  Subnets o Public subnets have a 0.0.0.0/0 route to the Internet Gateway (IGW)  Instances that require a public IP need to reside in a public subnet o Private subnets do not have an outbound route through the IGW  NAT instances are commonly used as an outbound gateway for private instances o Subnets cannot span AZ’s, but subnets can share routing tables, which provides similar functionality.
  • 25. Virtual Private Cloud – Route Tables  Route Tables o Can be applied to multiple subnets o Typical routing entries  10.0.0.0/16 = Local  0.0.0.0/16 = Internet Gateway (Public Subnet)  -or-  0.0.0.0/16 = eni-12345678 (Private Subnet)
  • 26. Virtual Private Cloud – Peering  Peering o VPC -> VPC peering o Unique CIDR o VPN solutions  OpenVPN  OpenSwan
  • 28. EC2 - AMI  AMI  Instances are based on an Amazon Machine Image  You can create new AMIs from a running instance  AMIs are stored in S3 for 11 9’s of durability  AMIs are unique to each region
  • 29. EC2 - Instance Types  Instance Types  Choosing the correct instance type for the required workload o T2 for utility and testing o M3 for general purpose o R3 for memory heavy applications o C3 for compute heavy applications o G2 for GPU intensive applications o I2 for storage heavy applications (random) o HS1 for storage heavy applications (sequential)
  • 30. EC2 - Running Instances  Running instances  Instances are launched into an existing VPC subnet, or into EC2-classic  CloudWatch monitoring is enabled by default o CPU Utilization, Network I/O are the primary data points of interest o Memory and Disk require an additional script that will post a to a custom CloudWatch metric  Status checks o OS check o Network reachability check
  • 32. EC2 - Bootstrapping  User Data  Provides a hook to inject scripting into any standard instance you decide to launch o These include the Amazon Linux, Windows and Ubuntu AMIs o User Data can only be modified while the instance is stopped  Suggested patterns o Install security updates  yum update -y o Install middleware  yum install -y httpd  chkconfig httpd on o Download and execute a remote script  Assign an IAM Profile to the EC2 instance  Aws s3 cp s3://mybucket/myscript.sh /tmp/myscript.sh  ./tmp/myscript.sh
  • 33. EC2 - Pricing o Pricing  On Demand  This is the most common and flexible pricing option  Pay only for what you use  Stopped instances will not accrue hourly compute costs  Pay by the instance hour  Reserved  Light o Small capex hit with a slightly reduced per/hour charge  Medium o Medium capex hit with a moderately reduced per/hour charge  Heavy o Large capex hit with a greatly reduced per/hour charge o Always accruing charges, even when the instance is stopped o This is the only selection which provides a true capacity reservation
  • 34. EC2 - Pricing  Spot  Useful for “worker pool” scenarios o Transcode, map reduce task nodes  Can be lost as soon as someone is willing to pay more for that instance
  • 35. AWS Elastic Load Balancing Overview
  • 36. Elastic Load Balancer - Overview Elastic Pool of Virtual Load Balancers  Public Side  Consists of an endpoint which is the equivalent to a traditional VIP  Does not use a static IPv4, but rather an Alias/CNAME  The endpoint will not always resolve to the same IP o How do you deal with this for the zone apex?  Private Side  Minimum of one virtual ELB node per AZ  Private IPs will differ, code accordingly  X-forwarded-for  Pre-warm ELBs before known traffic spikes  Certificate Termination  Only one SSL certificate per ELB  Multi-Domain certificates are valid  Wild Card certificates are valid  If ELB termination is not an option, use a TCP 443->443 listener
  • 37. ELB – Spans Multiple Availability Zones
  • 38. AWS Auto Scaling Overview
  • 39.  Auto Scaling Key Features  Adds or removes servers based on load  Self-healing pool of resources  Every instance is based on a “gold” master image Auto Scaling - Overview
  • 40.  Auto scaling group  Instance location o Subnet o Load Balancer  Number of instances o Min o Max o Desired  Launch config  Instance details o Size o PEM key o IAM Profile o Security Group(s) o User data Auto Scaling - Components
  • 41. Auto Scaling - Multi-AZ  Multi-AZ Auto Scaling  Highly Available  Production Standard  Spans Datacenters
  • 42. Auto Scaling - CloudWatch CloudWatch is the final piece of the auto scaling puzzle. You can create alarms based on instance metrics which trigger auto scaling actions Scaling policies Scale up alarm • Execute policy when: CPU is greater than 60% • Take the action: Add 2 instances • And then wait: 10 minutes Scale down alarm • Execute policy when: CPU is less than 20% • Take the action: Remove 2 instances • And then wait: 10 minutes
  • 43. AWS Route 53 Overview
  • 44. Route53 - Basic Feature Set  Zone Creation  Zone Import o Import your zone file from a previous provider o Delegate this zone to the AWS name servers  Record Types o A o CNAME o TXT,MX,DKIM o Alias o S3 buckets and ELBs can be an alias target, allows zone apex magic
  • 45. Route53 - Advanced Feature Set  Weighted record sets  Health Checks  Global Load Balancer o Using weighted record sets, you can create a pool of endpoints from which to balance traffic o Enabling a health-check on this pool allows for a DNS based load balancer which can be applied to any resource (AWS or non-AWS)  Latency Based Routing
  • 46. Route53 – Global Failover  Global Failover Pattern  Uses R53 Health Checks Route 53 Virginia Region myapp.example.com Ireland Region
  • 48. Directory Service - Overview o Two types of directory services: Simple Directory and AD Connector o Simple Directory  Create your own authoritative directory managed within AWS  Users and Groups can be created directly in the AWS console  Windows servers can auto-join this domain as they would in an AD environment  Manage AWS resources using your simple directory credentials o AD Connector  Connect your on-prem AD to your AWS account  Associate AD users/groups with IAM users/groups  Windows servers can auto-join this domain as they would in an AD environment  Manage the AWS console using your AD credentials
49. Directory Service – AD Connector
• Active Directory Connector instances are launched into your VPC
• AD Connectors communicate with on-prem AD servers
• AD credentials are no longer necessary when joining instances to a domain (Auto-Join)
50. AD Connector - Single Sign On Flow
51. AWS Data Storage Overview
52. Traditional Platform - Storage Architecture
In the old days…
• Hardware acquisition and datacenter space required advanced planning
• Disk space and I/O allocation juggling for the entire application lifecycle
• Volume and file redundancy not built-in
• Capital commitment and refresh budget considerations
[Diagram: server head with local volumes (/root, C:, /swap, Pagefile, Temp Dir, /app, /data, Program Files, Data), a NAS or fileserver exporting shares (/DirShare01/, /DirShare02/) over SMB/CIFS, a tape library of archive volumes, and platform monitoring tools]
53. AWS Instance Volumes and Data Storage
The new [improved] way of doing things…
• Elastic pay-as-you-go model
• Redundancy and snapshot utilities built-in
• New APIs and tools simplify application development, administration and data lifecycle management
54. Elastic Block Store (EBS) - Overview
Block storage ideal for creating versatile OS volumes
• Define type, size and optionally I/O capacities [within service limits]
• Magnetic, SSD and Provisioned IOPS
• Mount to a single instance, similar to a local drive
• Simplified encryption options
Persistent and durable
• Redundant copies stored in a single AZ
• Not permanently bound to a server instance and will survive server crash or shutdown
Snapshot capabilities for point-in-time backups
• Resizing and duplicating volumes
• Moving across AZs; exporting across Regions
Performance metrics available through CloudWatch
55. Elastic Block Store (EBS) – Best Practices
Recommended for applications
• Making frequent data changes
• Requiring consistent I/O performance
• Needing to persist data beyond server instance stop/start cycles
• Requiring fine-grain control of raw, unformatted data blocks
Define appropriate configuration options
• EBS Optimized instances can handle higher I/O bandwidth
• Underlying technology: Magnetic, General Purpose (SSD), Provisioned IOPS (SSD)
• Pre-warm volumes
[Diagram: virtual server head with EBS volumes (/root, C:, /swap, Pagefile, Temp Dir, /app, /data, Program Files, Data)]
56. Ephemeral Drives (EC2 Instance Store) Overview
Block device attached to the host machine
• Available to server instance
• May be mounted and used for temporary storage
• No additional usage charges for disk space or I/O
Not redundant: no built-in RAID or snapshot function
Data loss will result if any of the following occur:
• Host server or instance crash
• Instance termination
• Disk failure
[Diagram: virtual server head with instance-store volumes (/root, C:, /swap, Pagefile, Temp Dir, /app, /data, Program Files, Data)]
57. Simple Storage Service (S3) – Overview
Object storage container with virtually unlimited capacity
• Store files (objects) in containers (buckets)
• Redundant copies for high durability and reliability
• Available on the internet via REST requests directly or through an SDK
• Multiple strategies to secure contents
• Set permissions, access policies and optionally require MFA
• Encryption: server-side (simplified) or client-side
• Audit logging (optional) will record all access requests via the API
• Built-in tools for managing versioning, object lifecycle and creating static websites
• Low pay-as-you-go pricing, a function of storage amount (~$.03/GB/Month) plus metering of I/O requests
[Diagram: Amazon S3 buckets (/mybucket01/ holding File01 and File02, /mybucket02/ holding File01) accessed over HTTP/HTTPS]
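An added Python example (not from the slides) that turns two of the controls listed above, server-side encryption and MFA for destructive requests, into an S3 bucket policy with explicit Deny statements, and adds a small evaluator for the two condition operators the policy uses. The bucket name is a placeholder and the evaluator covers only those two operators.

```python
"""S3 bucket policy enforcing SSE on upload and MFA on delete, with a minimal
evaluator for its condition operators (added example; bucket name constructed)."""

BUCKET = "example-bucket-placeholder"  # constructed, not a real bucket


def build_bucket_policy(bucket):
    """An explicit Deny in a bucket policy overrides any Allow the caller
    holds, so these statements apply whatever the caller's IAM policy says."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Reject uploads that do not request server-side encryption
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # Reject deletes unless the session authenticated with MFA
                "Sid": "DenyDeleteWithoutMFA",
                "Effect": "Deny", "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": objects,
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def is_denied(policy, action, context):
    """True if any Deny statement matches `action` under `context`, a map of
    condition keys to the request's values; a missing key means the request
    did not carry it (no SSE header, no MFA claim). Only the Null and
    BoolIfExists operators used above are implemented."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or action not in actions:
            continue
        for op, pairs in st.get("Condition", {}).items():
            for key, want in pairs.items():
                present = key in context
                if op == "Null" and present != (want == "true"):
                    return True   # Null:true matches when the key is absent
                if op == "BoolIfExists" and (not present or context[key] == want):
                    return True   # IfExists: an absent key counts as a match
    return False
```

BoolIfExists is used for the MFA check because long-term access keys never carry the aws:MultiFactorAuthPresent key at all; a plain Bool test would let those requests through.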
58. Amazon Glacier - Overview
Storage service optimized for reliable and low cost storage of archive data
• Data objects are securely archived, however not immediately accessible
• Create vaults (containers) to hold archives (any file-based object)
• Upload archives programmatically
• Submit requests to retrieve archives; available in about 4 hours
• Cost is approximately $.01/GB/Month plus modest API and retrieval charges [if applicable]
60. AWS Structured Data Services
• Deploying structured data systems (for example SQL, NoSQL and Data Warehouse applications) in a traditional environment may be complex, costly, and time consuming
• Amazon provides a set of structured data services with the following advantages:
• Simple to deploy, operate and scale
• Many common administrative and operational tasks are automated
• Pay-as-you-go pricing
• Support for a wide variety of standard and emerging application models
61. Relational Data Services (RDS)
Fully managed relational database service offering popular platforms with the following key advantages:
• Amazon manages resource redundancy, software patching, backups, failure detection and recovery
• Ability to configure specific resources to cost-effectively scale your application
• Pay-as-you-go model offering included license or license portability [see fine print to ensure license compliance]
• Streamlined management options to easily configure highly available A/P topologies, create database snapshots and deploy test instances
62. DynamoDB
Fully managed NoSQL database service offering the following key advantages:
• Seamless and virtually unlimited scalability, conveniently managed automatically by Amazon
• Ability to define specific resource allocation limits to ensure predictable performance while containing costs
• Easy administration and well-supported development model
• Integration with other core Amazon data services (for example Redshift and EMR)
63. Redshift
Fully managed enterprise-class data warehouse service offering the following advantages:
• High performance, massively parallel columnar storage architecture providing streamlined scalability
• Mainstream SQL query syntax allowing for rapid platform adoption
• Flexible node type and RI options allowing for workload alignment and cost efficiency
64. General Information
Contact Us
1-888-317-7920
info@2ndwatch.com
www.2ndwatch.com
Randall Barnes, Principal Architect, rbarnes@2ndwatch.com
Travis Greenstreet, Senior Cloud Architect, travis@2ndwatch.com
Locations: Seattle, New York, Virginia, Atlanta, Philadelphia, Houston, Liberty Lake, Los Angeles, Chicago
65. Thank You | Questions?