2. AWS Trivia
• Does the annual cost of a High Utilization Reserved Instance depend on the
number of hours used?
• As an alternative to pre-warming the ELB, we can assign a smaller ELB to
load balance between multiple ELBs.
• In Amazon Route 53, while creating a CNAME record the ideal TTL values
while mapping the CNAME (a) to an existing domain and (b) to an ELB or
S3 are:
• It is possible to change the size of a Virtual Private Cloud after its creation.
• Route 53 offers Weighted Round Robin (DNS load balancing), which allows
assigning weights to DNS records to control how traffic is routed.
• Pick True or False for the two statements “S3 has an SLA of 99.5%
availability” and “S3 has 99.999999999% durability”
3. What is Cloud Computing?
• "Cloud Computing", by definition, refers to the on-demand delivery of IT
resources and applications via the Internet with pay-as-you-go pricing.
• Cloud Computing provides a simple way to access servers, storage,
databases and a broad set of application services over the Internet. Cloud
Computing providers such as Amazon Web Services own and maintain the
network-connected hardware required for these application services,
while you provision and use what you need via a web application.
4. Download and Install the CLI Tools
• Download the tools. The CLI tools are available as a .zip file from this URL:
  wget http://s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip
• sudo mkdir /usr/local/ec2
• sudo unzip ec2-api-tools.zip -d /usr/local/ec2
Set JAVA_HOME to the full path of the Java home directory and verify it:
• export JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64/jre"
• $JAVA_HOME/bin/java -version
To set the EC2_HOME and PATH environment variables on Linux/Unix:
• export EC2_HOME=/usr/local/ec2/ec2-api-tools-1.7.0.0
• export PATH=$PATH:$EC2_HOME/bin
• export AWS_ACCESS_KEY=your-aws-access-key-id
• export AWS_SECRET_KEY=your-aws-secret-key
5. Regions and Availability Zones: Concepts
• Each region is completely independent. Each Availability Zone is isolated,
but the Availability Zones in a region are connected through low-latency
links. The following diagram illustrates the relationship between regions
and Availability Zones.
6. Zones
• Each Amazon EC2 region is designed to be completely isolated from the
other Amazon EC2 regions. This achieves the greatest possible fault
tolerance and stability.
• Amazon EC2 provides multiple regions so that you can launch Amazon EC2
instances in locations that meet your requirements. For example, you
might want to launch instances in Europe to be closer to your European
customers or to meet legal requirements. The following table lists the
regions that provide support for Amazon EC2.
7. Region Code and Name
Code            Name
ap-northeast-1  Asia Pacific (Tokyo)
ap-southeast-1  Asia Pacific (Singapore)
ap-southeast-2  Asia Pacific (Sydney)
eu-central-1    EU (Frankfurt)
eu-west-1       EU (Ireland)
sa-east-1       South America (Sao Paulo)
us-east-1       US East (N. Virginia)
us-west-1       US West (N. California)
us-west-2       US West (Oregon)
8. Availability Zones
• You can list the Availability Zones that are available to your account.
• When you launch an instance, you can select an Availability Zone or let us choose
one for you. If you distribute your instances across multiple Availability Zones and
one instance fails, you can design your application so that an instance in another
Availability Zone can handle requests.
AWS CLI commands to find regions and Availability Zones:
1. ec2-describe-regions
2. ec2-describe-availability-zones
3. ec2-describe-availability-zones --region us-east-1
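As an added example (not from the original slides) of the distribution advice above: a small POSIX shell check that running instances span at least two Availability Zones. It reads tab-separated "instance-id, state, availability-zone" lines; the sample lines are constructed, and producing them with the newer AWS CLI's --query option is an assumption about tooling, not something the slides show.

```shell
#!/bin/sh
# Added example (not from the original slides): verify that running EC2
# instances are spread over at least two Availability Zones, so losing one
# AZ still leaves instances elsewhere to take requests.
# Input: tab-separated "instance-id  state  availability-zone" lines. The
# newer AWS CLI can emit them (assumed tooling, not shown in the slides):
#   aws ec2 describe-instances --output text \
#     --query 'Reservations[].Instances[].[InstanceId,State.Name,Placement.AvailabilityZone]'

# Print "az count" for each AZ hosting at least one running instance.
running_per_az() {
    awk -F'\t' '$2 == "running" { n[$3]++ }
                END { for (az in n) print az, n[az] }' | sort
}

# Number of distinct AZs with running instances.
az_count() {
    running_per_az | grep -c .
}

# Exit 0 when running instances span >= 2 AZs, 1 otherwise; prints the breakdown.
az_spread_ok() {
    breakdown=$(running_per_az)
    printf '%s\n' "$breakdown"
    [ "$(printf '%s\n' "$breakdown" | grep -c .)" -ge 2 ]
}

# Constructed samples: everything in one AZ, then a proper spread.
SAMPLE_SINGLE_AZ=$(printf 'i-0a1b2c3d\trunning\tus-east-1a\ni-0e5f6a7b\trunning\tus-east-1a\ni-1c2d3e4f\tstopped\tus-east-1b\n')
SAMPLE_MULTI_AZ=$(printf 'i-0a1b2c3d\trunning\tus-east-1a\ni-0e5f6a7b\trunning\tus-east-1b\n')

for sample in "$SAMPLE_SINGLE_AZ" "$SAMPLE_MULTI_AZ"; do
    if printf '%s\n' "$sample" | az_spread_ok; then
        echo "OK: instances span multiple AZs"
    else
        echo "WARN: a single AZ failure takes every running instance down"
    fi
done
```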
9. Amazon EC2
• Amazon EC2 enables you to increase or decrease capacity within minutes,
not hours or days. You can commission one, hundreds or even thousands
of server instances simultaneously. Of course, because this is all controlled
with web service APIs, your application can automatically scale itself up
and down depending on its needs.
10. Launching an Instance
To launch a single Amazon EC2 instance using the AMI you selected, use the run-instances
command. Depending on the platforms that your account supports, you can launch the instance
into EC2-Classic or EC2-VPC.
Initially, your instance is in the pending state; it reaches the running state within a few minutes.
EC2-Classic
The following command launches a t1.micro instance in EC2-Classic (AWS CLI syntax):
aws ec2 run-instances --image-id ami-xxxxxxxx --count 1 --instance-type t1.micro --key-name MyKeyPair --security-groups MySecurityGroup
EC2-VPC
The following command launches the same instance into a VPC subnet:
aws ec2 run-instances --image-id ami-xxxxxxxx --count 1 --instance-type t1.micro --key-name MyKeyPair --security-group-ids sg-xxxxxxxx --subnet-id subnet-xxxxxxxx
12. Amazon Elastic Block Store
Amazon Elastic Block Store (EBS) provides block-level storage volumes for use with Amazon EC2
instances. In a typical block-level storage device, raw storage volumes are created and then the
server's operating system connects to these volumes (over Fibre Channel, iSCSI, etc.) and uses
them as individual drives. This fundamental flexibility makes block-level storage usable for a
variety of application needs such as file storage, database storage, virtual machine volumes and
more. You can run a variety of file systems on block-level storage, for example NTFS for Windows
and ext3/XFS for Linux. In simpler terms, Amazon EBS is like a massive SAN (Storage Area
Network) in the AWS infrastructure. The physical storage under the EBS hood could be hard disks,
SSDs, etc. Amazon EBS is one of the most important and heavily used storage services of AWS;
even building blocks like RDS, DynamoDB, CloudSearch, etc. possibly rely on EBS in the Cloud.
In Amazon EBS you can allocate a disk volume of 1 GB to 1 TB in size, and data written will persist
independently (unlike ephemeral disks) of the life of the Amazon EC2 instance it is attached to.
The volume is internally stored on redundant disks within a single Availability Zone, which means
that the EC2 instances using the EBS volume must also reside in the same AZ. The data is
automatically replicated within the same Availability Zone (internally AWS employs some form of
RAID) to prevent data loss due to the failure of any single hardware component. Since the EBS
volume's lifetime is separate from the instance on which it is mounted, you can detach it and later
attach it to another EC2 instance in the same Availability Zone.
13. Some Terminology Regarding EBS
Throughput  Read/write rate to storage per second (MB/s)
Capacity    Volume of data that can be stored (GB)
AZ          Availability Zone within the same Amazon EC2 region
IOPS        Input/Output Operations Per Second
SAN         Storage Area Network
RAID        Redundant Array of Independent Disks
14. EBS volumes can currently be classified into two types: Standard EBS volumes and
Provisioned IOPS (PIOPS) volumes. Standard EBS volumes are the first-generation EBS volumes and
are suitable for sequential I/O workloads. PIOPS volumes deliver more consistent performance and
are targeted at OLTP workloads.
• Standard Storage
• Provisioned IOPS Volumes
15. Standard Storage
Standard EBS volumes were the first generation of block storage volumes. In a shared-resource
model a busy client can slow down other clients that share the same EBS backend. If there are no
noisy neighbors, you are lucky enough to enjoy very good IOPS at very low cost in this standard
volume model. Standard EBS volumes are internally copied to multiple disks, so you get higher
throughput (at times with higher variance in measurements). Standard volumes deliver
approximately 100 IOPS on average, with burst capability on a best-effort basis up to hundreds of
IOPS (depending on the disk size provisioned and your noisy neighbors). One common
performance technique followed by experienced AWS Cloud architects is to allocate a 1 TB
volume (the maximum size), which reduces the amount of multi-tenant sharing between clients
and gives you better consistency with EBS. When you combine this 1 TB volume logic with High I/O
Capacity EC2 instances (for example Quadruple or High I/O/CPU EC2 instances) you get better
network bandwidth between EC2 and EBS as well. This technique is not always guaranteed to
work. On the negative side, you might not need 1 TB of capacity and could be wasting space and
thereby usage cost. Standard EBS volumes are usually suitable only for applications with moderate
or bursty I/O requirements. AWS customers had been using them for RDBMS, NoSQL, etc. until
some time back because of the limited options available, and many are still using them now
because of a lack of knowledge of the AWS infrastructure.
16. Provisioned IOPS Volumes
Provisioned IOPS volumes are the latest type of EBS volume introduced by AWS. They are also
multi-tenant with Availability Zone scope, but the major difference is that they offer consistent I/O
performance. They are particularly designed for I/O-intensive applications with a random
read/write pattern requiring up to 10,000 IOPS or more with consistency. Depending on the size
of the volume, you can choose the IOPS you require for that volume, and the Provisioned IOPS
volume will guarantee that throughput to you. Since the IOPS are provisioned and dedicated, you
can expect consistent I/O throughput when you use these volumes. The minimum size of a
Provisioned IOPS volume is 10 GB, and the maximum throughput you can currently extract from a
1 TB EBS volume is 4000 IOPS (refer to the AWS site for the latest value). The ratio of IOPS
provisioned to the volume size requested can be a maximum of 10:1. For example, a volume with
1000 IOPS must be at least 100 GB. As a best practice it is always recommended to combine
Provisioned IOPS volumes with EBS-optimized instances when you are architecting a
performance-sensitive production database. Usually high-performance databases have minimal
variability in workloads and require dedicated EC2-to-EBS traffic with high IOPS performance.
EBS-optimized instances plus Provisioned IOPS volumes prove to be an ideal combination for
these needs.
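The size and ratio rules above as an added shell check (example code, not from the slides): validate a Provisioned IOPS request before creating the volume. The 4000 IOPS ceiling is the figure the slides quote, and the create-volume call uses the newer AWS CLI syntax, which is an assumption about tooling.

```shell
#!/bin/sh
# Added example (not from the original slides): validate a Provisioned IOPS
# request against the rules stated in the text before creating the volume:
# at least 10 GB, at most 10 IOPS per GB, and at most 4000 IOPS (the figure
# the slides quote; check the current AWS limits before relying on it).
PIOPS_MIN_GB=10
PIOPS_MAX_RATIO=10
PIOPS_MAX_IOPS=4000

# Smallest volume (GB) allowed to carry IOPS at the 10:1 ratio (rounded up).
piops_min_size_gb() {
    echo $(( ($1 + PIOPS_MAX_RATIO - 1) / PIOPS_MAX_RATIO ))
}

# piops_check SIZE_GB IOPS: exit 0 if the request is valid, otherwise print one
# line per violated rule and exit 1.
piops_check() {
    size=$1; iops=$2; rc=0
    if [ "$size" -lt "$PIOPS_MIN_GB" ]; then
        echo "volume must be at least ${PIOPS_MIN_GB} GB (requested ${size} GB)"; rc=1
    fi
    if [ "$iops" -gt "$PIOPS_MAX_IOPS" ]; then
        echo "IOPS above the ${PIOPS_MAX_IOPS} ceiling (requested ${iops})"; rc=1
    fi
    if [ "$iops" -gt $(( size * PIOPS_MAX_RATIO )) ]; then
        echo "ratio above ${PIOPS_MAX_RATIO}:1; ${iops} IOPS needs at least $(piops_min_size_gb "$iops") GB"; rc=1
    fi
    return $rc
}

# Print the create-volume call (newer AWS CLI syntax, assumed) only for a
# request that passes the checks.
piops_volume_cmd() {
    piops_check "$1" "$2" >/dev/null || return 1
    echo "aws ec2 create-volume --volume-type io1 --size $1 --iops $2 --availability-zone $3"
}

# Worked example from the text: 1000 IOPS needs at least 100 GB.
piops_volume_cmd 100 1000 us-east-1a
piops_check 50 1000 || echo "request rejected"
```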
17. Pre-Warming the EBS Volume
New EBS volumes always experience a "first use penalty" in AWS: there is a performance hit on
the first write to an unused block on the EBS volume, which performs slower than subsequent
writes. During this time you can see spikes in volume metrics such as service times and I/O
latency, which subsequently normalize. A 5 to 50 percent reduction in IOPS is observed when you
first access the data on a volume. Performance is restored after the data has been accessed once.
Therefore, it is recommended that you read or write to all the blocks on your volume before you
use it.
$ dd if=/dev/md0 of=/dev/null
On Linux, the above command reads every block of the volume (here the device /dev/md0) and
pre-warms it. On Windows, formatting the new EBS volume pre-warms it.
"dd" is not verbose by default, so download and use the following script from GitHub; it shows
the progress of pre-warming an EBS volume:
URL: https://gist.github.com/muhqu/3293988
18. Elastic Load Balancing
• Algorithms supported by Amazon ELB
Currently Amazon ELB only supports Round Robin (RR) and session-sticky algorithms. The
current version of ELB does not support Weighted or Least Connection algorithms like
other reverse proxies do. We can probably expect these algorithms to be supported in
the future.
• Amazon ELB can be pre-warmed on request
Amazon ELB can be pre-warmed by raising a request with the Amazon Web Services Support
team. The Amazon team will pre-warm the load balancers in the ELB tier to handle the
sudden load/flash traffic.
• Amazon ELB is not designed for sudden load spikes/flash traffic
Amazon ELB is designed to handle unlimited concurrent requests per second with a "gradually
increasing" load pattern. It is not designed to handle a heavy sudden spike of load or flash
traffic.
19. • Protocols supported by Amazon ELB
Currently Amazon ELB only supports the following protocols: HTTP, HTTPS (secure HTTP),
SSL (secure TCP) and TCP. ELB supports load balancing for the following TCP ports: 25, 80,
443, and 1024-65535. If RTMP or HTTP streaming is needed, Amazon CloudFront CDN has to
be used in the architecture instead.
• Amazon ELB does not provide a permanent or fixed IP for its load balancers
Currently Amazon ELB does not provide a fixed or permanent IP address for the load
balancing instances launched in its tier. This will be a bottleneck for enterprises which are
obliged to whitelist their load balancer IPs in external firewalls/gateways. For such use
cases, we can currently use HAProxy, NginX or NetScaler on EC2 attached to Elastic IPs as
load balancers in the AWS infrastructure.
20. • Amazon ELB cannot do multi-region load balancing
Amazon ELB can be used to load balance:
  • Multiple EC2 instances launched inside a single Amazon Availability Zone
  • Multiple EC2 instances launched inside multiple Availability Zones within a single Region
• Amazon ELB can easily support more than 20K concurrent requests/sec
21. Amazon VPC
• Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically
isolated section of the Amazon Web Services (AWS) Cloud where you can
launch AWS resources in a virtual network that you define. You have
complete control over your virtual networking environment, including
selection of your own IP address range, creation of subnets, and
configuration of route tables and network gateways.
• You can easily customize the network configuration for your Amazon
Virtual Private Cloud. For example, you can create a public-facing subnet
for your webservers that has access to the Internet, and place your
backend systems such as databases or application servers in a
private-facing subnet with no Internet access. You can leverage multiple
layers of security, including security groups and network access control
lists, to help control access to Amazon EC2 instances in each subnet.
22. Overcoming Outages in AWS: High Availability Architectures
Design for Failure:
While working with the cloud, always remember the slogan above.
• High Availability Web Application Layer
• High Availability Load Balancer Layer
• High Availability Database Layer
• Architecting High Availability across Amazon AZs
• Architecting High Availability across AWS Regions
• Architecting High Availability across Cloud and Hosting Providers/DC
23. Securing AWS
• Lock it Down: Close All Unnecessary Ports
The basic mechanism for controlling network access to your EC2 instance is the
Security Group, which acts like a built-in software firewall for your instance. You
can use it to limit inbound traffic to specific ports and protocols and specify which
IP addresses can have access.
• Ditch Those Passwords: Use SSH Keys
Once you've launched an EC2 instance, you can connect to it just like any other
remote server. Additional security can be provided by using secure authentication
methods. We recommend using public-key authentication instead of passwords to
remotely log in to your instances with SSH.
• Provide access only to those users who have a business need to be on your systems.
• Give them the minimum access and privileges they need to perform their specific tasks.
• Provide temporary escalated privileges such as sudo for users who need to perform
occasional privileged tasks.
• Have a procedure to revoke access when it is no longer needed.
24. • Bastion Hosts:
Bastion hosts are simply a choke point that provides access to the hosts behind it
only to authorized users. A bastion host serves the same purpose as a bouncer at a
bar: like the bouncer, the bastion host checks everyone's ID before they are allowed
inside.
• OpenVPN:
Secure remote access to VPC resources and applications from anywhere in the
world. A secure and seamless bridge between a company's existing IT infrastructure
and the VPC using the OpenVPN Gateway Client configuration.
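As an added example covering both the "close all unnecessary ports" advice of slide 23 and the bastion-host pattern above (example code, not from the slides): a POSIX shell audit over a list of security-group ingress rules that flags anything open to the world other than an allowlist of public ports, SSH reachable from anywhere except the bastion's address, and all-traffic rules. The rule lines are constructed (group id, protocol, from-port, to-port, source CIDR, tab-separated) and the bastion address 10.0.1.5/32 is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the original slides): audit security-group ingress
# rules against two policies from the text: only the expected public ports
# are open to the world, and SSH (22) is reachable only from the bastion host.
# Input lines (constructed, tab-separated):
#   group-id  protocol  from-port  to-port  source-cidr
# Protocol "-1" (AWS CLI) or "all" means every protocol and port.

# audit_ingress ALLOWED_PUBLIC_PORTS BASTION_CIDR  < rules
# Prints one finding per offending rule; exit 1 if anything was flagged.
audit_ingress() {
    awk -F'\t' -v allowed="$1" -v bastion="$2" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) pub[a[i]] = 1 }
    {
        sg = $1; proto = $2; from = $3; to = $4; cidr = $5
        if (proto == "-1" || proto == "all") {
            print sg ": all traffic allowed from " cidr; bad++; next
        }
        if (from <= 22 && to >= 22 && cidr != bastion) {
            print sg ": SSH (22) reachable from " cidr " (expected only " bastion ")"; bad++; next
        }
        if (cidr == "0.0.0.0/0" && !(from == to && (from in pub))) {
            print sg ": ports " from "-" to " open to the world"; bad++
        }
    }
    END { exit bad > 0 }'
}

# Constructed sample: one tidy web group, one careless group, one wide open.
SAMPLE_RULES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
    sg-0a1b2c3d tcp 80   80   0.0.0.0/0 \
    sg-0a1b2c3d tcp 443  443  0.0.0.0/0 \
    sg-0a1b2c3d tcp 22   22   10.0.1.5/32 \
    sg-0e5f6a7b tcp 22   22   0.0.0.0/0 \
    sg-0e5f6a7b tcp 3306 3306 10.0.0.0/16 \
    sg-0e5f6a7b tcp 8080 8080 0.0.0.0/0 \
    sg-1c2d3e4f -1  None None 0.0.0.0/0)

# Placeholder bastion address; replace with your bastion's Elastic IP /32.
BASTION_CIDR=10.0.1.5/32

if printf '%s\n' "$SAMPLE_RULES" | audit_ingress 80,443 "$BASTION_CIDR"; then
    echo "ingress rules look tight"
else
    echo "review the findings above"
fi
```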