
EC2_and_VPC_workshop


Slides from Workshop on June 20


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. AWS Core Services and Big Data Portfolio of Services
  2. AWS Overview
  3. What is Amazon Web Services (AWS)? Run applications reliably and securely. Provision network, compute, storage and database services in the cloud with the click of a button: everything you'd want to do in a traditional datacenter.
  4. AWS Core Infrastructure and Services: traditional infrastructure mapped to AWS.
     • Servers: on-premises servers → Amazon EC2 instances, provisioned on demand from an AMI
     • Security: firewalls, ACLs, administrators → security groups, network ACLs, AWS IAM
     • Storage and database: DAS, SAN, NAS, RDBMS → Amazon EBS, Amazon EFS, Amazon S3, Amazon RDS
     • Networking: router, network pipeline, switch → VPC, ELB
     (The diagram also shows network security as security groups and NACLs, access management, VPC vs. EC2 Classic, and a public ELB.)
  5. AWS portfolio of services (diagram). Service categories shown: Infrastructure (Regions, Availability Zones, Points of Presence); Core Services: Compute (VMs, auto-scaling, load balancing, containers, virtual private servers, batch computing, cloud functions, elastic GPUs, edge computing), Storage (object, block, file, archival, import/export, exabyte-scale data transfer, CDN), Databases (relational, NoSQL, caching, migration, PostgreSQL compatible), Networking (VPC, DX, DNS); Security & Compliance; Management Tools; App Services; Analytics; Mobile Services; Dev/Ops; IoT; AI; Enterprise Apps; Migration; Hybrid Architecture; Technical & Business Support; Marketplace.
  6. Shared Responsibility Model. AWS is responsible for the security OF the cloud: the AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security and compliance IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
  7. Built on AWS's consistent baseline controls (Foundation Services and Global Infrastructure), customers meet their own security objectives with their own accreditation, their own certifications and their own external audits. Customer scope and effort is reduced, with better results through focused efforts.
  8. Security. Full, fine-grained control at every level: a customer might restrict a user to create only a database in a specific region, from 3-5 pm on Monday to Friday, only on a virtual private cloud, and only in an M4 instance with a maximum number of IOPs. This can only be done in AWS. AWS natively built in security from the ground up. Over 1 million active customers inform our security, with capabilities built for our most stringent customers. AWS has more than 50 compliance certifications and accreditations, more than any other cloud provider. “We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.” —John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
  9. AWS Global Infrastructure (https://infrastructure.aws/): 21 Regions, 66 Availability Zones, 155 Edge Locations. Region and number of Availability Zones:
     • US East: N. Virginia (6), Ohio (3)
     • US West: Oregon (4), Northern California (3)
     • AWS GovCloud (6)
     • Canada: Central (2)
     • South America: São Paulo (3)
     • EU: Ireland (3), Frankfurt (3), London (3), Paris (3)
     • Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Hong Kong S.A.R (3)
     • China: Beijing (2), Ningxia (3)
     • New Regions (coming soon): Bahrain, Cape Town, Jakarta, Milan
  10. AWS Region Design. A Region is a physical location in the world where we have multiple Availability Zones (AZs). Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. AWS Regions are comprised of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and consistent in the different AZs. (Diagram: a Region with four AZs connected through transit centers.)
  11. AZ – Availability Zone. Each AZ has: Network – multiple tier-1 transit providers; Power – isolated electrical grids, UPS, onsite backup generator; Geo – isolated fault lines and flood plains. Latency between AZs is single-digit milliseconds.
  12. AZ – Availability Zone (diagram): the same per-AZ network, power and geo isolation, with a load balancer, web servers, a DB master and DB slave, and storage spread across two AZs that are single-digit ms apart.
  13. Edge Locations. 155 AWS Edge Locations: local points of presence commonly supporting AWS services including:
     • Amazon Route 53
     • Amazon CloudFront
  14. Any questions?
  15. Amazon Virtual Private Cloud (VPC)
  16. What is an Amazon Virtual Private Cloud (VPC)? “A virtual network that closely resembles a traditional network that you'd operate in your own data center.” (Diagram: a VPC with an instance in each of two Availability Zones.)
  17. Creating an Internet-connected VPC. Steps: choose an address range; create subnets in Availability Zones; create a route to the Internet (IGW); authorize traffic to/from the VPC.
  18. Choosing an IP address range
  19. Choosing an IP address range for your VPC, for example 172.31.0.0/16. Recommended: an RFC1918 range. Recommended: a /16 (65,536 addresses). Avoid ranges that overlap with other networks to which you might connect.
  20. Subnets (diagram: a VPC containing a subnet)
  21. VPC subnets and Availability Zones. VPC 172.31.0.0/16 with one subnet per Availability Zone: 172.31.0.0/24 in ap-east-1a, 172.31.1.0/24 in ap-east-1b, 172.31.2.0/24 in ap-east-1c.
  22. Route to the Internet (IGW)
  23. Routing in your VPC
     • Route tables contain rules for which packets go where
     • Your VPC has a default (main) route table
     • But you can assign different route tables to different subnets
  24. (diagram only)
  25. (diagram only)
  26. Internet gateway: send packets here if you want them to reach the Internet.
  27. Everything that isn't destined for the VPC: send to the Internet.
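The addressing and routing rules of slides 19 to 27, worked through in code. This is an example added here, not material from the workshop deck: it checks a VPC CIDR against the three recommendations, carves one /24 per AZ, and resolves destinations against the main route table the way the VPC router does (longest-prefix match). The Internet gateway id and the peer network used in the usage lines are constructed placeholders.

```python
import ipaddress

# RFC1918 private ranges the deck recommends choosing from.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Main route table of the Internet-connected VPC from the slides: the VPC's own
# range stays local, everything else goes to the Internet gateway (constructed id).
MAIN_ROUTE_TABLE = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]


def check_vpc_cidr(cidr, peer_networks=()):
    """Apply the deck's three rules; returns a list of findings (empty means OK)."""
    net = ipaddress.ip_network(cidr, strict=True)
    findings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not an RFC1918 range")
    if net.prefixlen > 16:
        findings.append("smaller than the recommended /16")
    for peer in peer_networks:  # networks you might later peer or VPN with
        peer_net = ipaddress.ip_network(peer)
        if net.overlaps(peer_net):
            findings.append(f"overlaps {peer_net}")
    return findings


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve one subnet per Availability Zone, in order (172.31.0.0/24, 172.31.1.0/24, ...)."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(blocks)) for az in azs}


def route_lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is Internet-reachable only if its route table sends traffic to an IGW."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    print(check_vpc_cidr("172.31.0.0/16", ["10.0.0.0/8"]))   # [] : no findings
    print(plan_subnets("172.31.0.0/16", ["ap-east-1a", "ap-east-1b", "ap-east-1c"]))
    print(route_lookup(MAIN_ROUTE_TABLE, "172.31.1.10"))      # local
    print(route_lookup(MAIN_ROUTE_TABLE, "93.184.216.34"))    # igw-EXAMPLE
```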
  28. Network security in your VPC: security groups
  29. Security groups follow application structure. “MyWebServers” security group: allow web traffic from 0.0.0.0/0. “MyBackends” security group: allow only traffic from “MyWebServers”.
  30. Security groups example: web servers. Allow all HTTP traffic; rule descriptions record why each rule exists.
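The two groups of slide 29, modelled in code. This is an added example, not code from the deck: it evaluates inbound rules the way security groups do (allow-only; a source is either a CIDR or another group, and a group source matches by membership rather than by IP) and adds a review check for rules open to 0.0.0.0/0 beyond the web ports. The backend port 3306 and the client addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str      # a CIDR such as 0.0.0.0/0, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # security groups only hold allow rules


def rule_matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol != "-1":
        if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
            return False
    if "/" in rule.source:                       # CIDR source: match the source address
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
    return rule.source in src_groups             # group source: match the sender's groups, not its IP


def inbound_allowed(dst_groups, protocol, port, src_ip, src_groups=()):
    """Allow if any rule of any group attached to the destination matches; there is no deny rule."""
    return any(rule_matches(r, protocol, port, src_ip, set(src_groups))
               for g in dst_groups for r in g.inbound)


def world_open_rules(groups, expected_public=(("tcp", 80), ("tcp", 443))):
    """Review check: rules open to 0.0.0.0/0 other than the web ports the deck allows."""
    findings = []
    for g in groups:
        for r in g.inbound:
            single_port = r.from_port == r.to_port
            if r.source == "0.0.0.0/0" and not (single_port and (r.protocol, r.from_port) in expected_public):
                findings.append((g.name, r))
    return findings


# The two groups on the slide; port 3306 for the backend is a constructed assumption.
WEB = SecurityGroup("MyWebServers", [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")])
BACKEND = SecurityGroup("MyBackends", [Rule("tcp", 3306, 3306, "MyWebServers")])

if __name__ == "__main__":
    print(inbound_allowed([WEB], "tcp", 80, "203.0.113.7"))                         # True: web is public
    print(inbound_allowed([BACKEND], "tcp", 3306, "172.31.0.10", ["MyWebServers"]))  # True: from a web server
    print(inbound_allowed([BACKEND], "tcp", 3306, "172.31.0.10"))                    # False: same IP, no group
    print(world_open_rules([WEB, BACKEND]))                                           # []
```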
  31. Any questions?
  32. Amazon Elastic Compute Cloud (EC2)
  33. Amazon Elastic Compute Cloud (EC2): resizable compute capacity; complete control of your computing resources; reduces the time required to obtain and boot new server instances to minutes.
  34. Amazon EC2 Facts: scale capacity as your computing requirements change; pay only for capacity that you actually use; choose Linux or Windows; deploy across AWS Regions and Availability Zones for reliability.
  35. Launching an Amazon EC2 Instance via the Web Console
     1. Determine the AWS Region in which you want to launch the Amazon EC2 instance.
     2. Launch an Amazon EC2 instance from a pre-configured Amazon Machine Image (AMI).
     3. Choose an instance type based on CPU, memory, storage, and network requirements.
     4. Configure network, IP address, security groups, storage volume, tags, and key pair.
  36. Amazon Machine Image (AMI) Details. An AMI includes the following: a template for the root volume for the instance (for example, an operating system, an application server, and applications); launch permissions that control which AWS accounts can use the AMI to launch instances; a block device mapping that specifies the volumes to attach to the instance when it's launched.
  37. Instances and AMIs. Select an AMI based on: Region, operating system, architecture (32-bit or 64-bit), launch permissions, storage for the root device. (Diagram: one AMI launching instances of any type onto host computers.)
  38. Amazon EC2 Instances (diagram): an AMI (OS, applications & configuration) launches running or stopped VM instances inside an AZ of a VPC in a Region; instances use EBS volumes, EBS snapshots are stored in S3, and S3 buckets hold other data.
  39. Amazon EBS vs. Amazon EC2 Instance Store
     • Amazon EBS: data stored on an Amazon EBS volume can persist independently of the life of the instance. Storage is persistent.
     • Amazon EC2 Instance Store: data stored on a local instance store persists only as long as the instance is alive. Storage is ephemeral.
  40. Amazon EBS vs. Amazon EC2 Instance Store (diagram)
  41. AWS Marketplace – IT Software Optimized for the Cloud. An online store to discover, purchase, and deploy IT software on top of the AWS infrastructure.
     • Catalog of 2300+ IT software solutions
     • Including paid, BYOL, open source, SaaS, & free-to-try options
     • Pre-configured to operate on AWS
     • Software checked by AWS for security and operability
     • Deploys to AWS environment in minutes
     • Flexible, usage-based billing models
     • Software charges billed to AWS account
  42. Instance Types (diagram): General purpose M5, M4; Compute optimized C5, C4; Storage and IO optimized D2, I3, H1; GPU enabled G3, P3; Memory optimized X1e/X1, R4.
  43. Current Generation Instances (instance family: some use cases)
     • General purpose (t2, t3, m5, m4, m3): low-traffic websites and web applications; small and mid-size databases
     • Compute optimized (c4, c3): high performance front-end fleets; video encoding
     • Memory optimized (x1e, x1, r4): high performance databases; distributed memory caches
     • Storage optimized (i3, d2, h1): data warehousing; log or data-processing applications
     • GPU instances (p3, g3): 3D application streaming; machine learning
  44. Reading an instance type name, e.g. C4.xlarge (Compute-Optimized): C is the family, 4 the generation, xlarge the type (size).
  45. Upgrade path: M2 (2nd generation compute) → M4 (4th generation compute).
  46. Instance Metadata & User Data. Instance metadata is data about your instance; it can be used to configure or manage a running instance. Instance user data can be passed to the instance at launch; it can be used to perform common automated configuration tasks and runs scripts after the instance starts.
  47. Retrieving Instance Metadata. To view all categories of instance metadata from within a running instance, use the URI http://169.254.169.254/latest/meta-data/. On a Linux instance, you can use:
     • $ curl http://169.254.169.254/latest/meta-data/
     • $ GET http://169.254.169.254/latest/meta-data/
     All metadata is returned as text (content type text/plain). The endpoint answers any process running on the instance, so treat what it returns as sensitive.
  48. Adding User Data. You can specify user data when launching an instance. User data can be:
     • Linux script – executed by cloud-init
     • Windows batch or PowerShell scripts – executed by the EC2Config service
     User data scripts run once per instance-id by default.
  49. User Data Example – Linux. User data shell scripts must start with the #! characters and the path to the interpreter you want to read the script. This example installs, enables and starts the Apache web server:
     #!/bin/sh
     yum -y install httpd      # install the Apache web server
     chkconfig httpd on        # enable the web server at boot
     /etc/init.d/httpd start   # start the web server
  50. User Data Example – Windows. Import the Server Manager module for Windows PowerShell, install IIS and install the Web Management Tools:
     <powershell>
     Import-Module ServerManager                        # import the Server Manager module
     Install-WindowsFeature web-server, web-webserver   # install IIS
     Install-WindowsFeature web-mgmt-tools              # install Web Management Tools
     </powershell>
  51. Retrieving User Data. To retrieve user data, use the URI http://169.254.169.254/latest/user-data. On a Linux instance, you can use:
     • $ curl http://169.254.169.254/latest/user-data/
     • $ GET http://169.254.169.254/latest/user-data/
     Because any process on the instance can read user data this way, do not embed secrets (passwords, long-lived keys) in it.
  52. Amazon EC2 Purchasing Options
     • On-Demand Instances: pay by the hour.
     • Reserved Instances: purchase at a significant discount; instances are always available; 1-year to 3-year terms.
     • Scheduled Instances: purchase a 1-year RI for a recurring period of time.
     • Spot Instances: highest bidder uses the instance at a significant discount; spot blocks supported.
     • Dedicated Hosts: the physical host is fully dedicated to run your instances; bring your per-socket, per-core, or per-VM software licenses to reduce cost.
  53. Any questions about Amazon EC2?
  54. Amazon Simple Storage Service (S3)
  55. Amazon S3 By The Numbers: 66 Availability Zones; 20 Regions; trillions of objects; millions of requests per second; one of the first three AWS services (2006); 99.999999999% durability.
  56. Amazon S3 and Availability Zones. S3 stores data in at least 3 Availability Zones (AZs); each AZ can be up to 8 physical data centers. Unavailability of a data center or an AZ does not impact overall S3 availability. A low-latency private network connects data centers and AZs. AZs are physically separate, so even extremely uncommon disasters would only affect a single AZ. Data is automatically distributed across a minimum of 3 geographically separated AZs within an AWS Region.
  57. Benefits of Amazon S3 & Glacier: durable, available, & scalable; security & compliance; query in place; flexible management; ecosystem.
  58. Your choice of Amazon S3 storage classes (from frequent to infrequent access):
     • S3 Standard: active, frequently accessed data; milliseconds access; ≥ 3 AZ; from $0.0210/GB
     • S3 Intelligent-Tiering (NEW!): data with changing access pattern; milliseconds access; ≥ 3 AZ; from $0.0210 to $0.0125/GB; monitoring fee per object; minimum storage duration
     • S3 Standard-IA: infrequently accessed data; milliseconds access; ≥ 3 AZ; from $0.0125/GB; retrieval fee per GB; minimum storage duration; minimum object size
     • S3 One Zone-IA: re-creatable, less accessed data; milliseconds access; 1 AZ; from $0.0100/GB; retrieval fee per GB; minimum storage duration; minimum object size
     • S3 Glacier: archive data; minutes to hours access; ≥ 3 AZ; from $0.0040/GB; retrieval fee per GB; minimum storage duration; minimum object size
     • S3 Glacier Deep Archive (NEW!): archive data; hours access; ≥ 3 AZ; from $0.00099/GB; retrieval fee per GB; minimum storage duration; minimum object size
  59. Lifecycle Policies. Create rules to automatically transition or expire your storage; lifecycle rules take action based on object age. Example policy:
     • Move all objects older than 90 days to Amazon S3 Standard – Infrequent Access
     • Move all objects older than 180 days to Amazon Glacier
     (Diagram: Amazon S3 Standard → Amazon S3 Standard – Infrequent Access → Amazon Glacier)
  60. Getting Started – Creating your next bucket. Name and region. Properties and management: versioning; logging; bucket tags; default encryption; S3 Object Lock (NEW!); Amazon CloudWatch request metrics. Permissions: S3 Block Public Access (NEW!); bucket access control lists.
  61. Versioning: protect your data from accidental deletion.
     • Create a new version with every upload; previous versions are retained, not overwritten.
     • Protect from unintended user deletes: delete requests without a version ID remove access to the object but keep the data.
     • Manage previous versions with lifecycle: transition or expire objects a specified number of days after they are no longer the current version.
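The versioning behaviour of slide 61, modelled as an added example (not code from the deck): a delete without a version ID adds a delete marker and keeps every version, a delete with a version ID is permanent, and a lifecycle rule expires versions by how long they have been noncurrent. The integer day counter stands in for real timestamps and is constructed.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Version:
    version_id: str
    body: Optional[bytes]   # None means this version is a delete marker
    created_day: int        # constructed day counter standing in for a timestamp


class VersionedBucket:
    """Model of a versioning-enabled bucket: a PUT adds a version, a DELETE without a
    version ID adds a delete marker (data kept), a DELETE with a version ID is permanent."""

    def __init__(self):
        self._versions = {}     # key -> [Version, ...], oldest first, last one is current
        self._ids = count(1)

    def put(self, key, body, day):
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append(Version(vid, body, day))
        return vid

    def get(self, key, version_id=None):
        versions = self._versions.get(key, [])
        if version_id is None:           # plain GET: None (404) when the current version is a delete marker
            return versions[-1].body if versions else None
        return next((v.body for v in versions if v.version_id == version_id), None)

    def delete(self, key, day, version_id=None):
        versions = self._versions.setdefault(key, [])
        if version_id is None:           # hides the object but keeps every stored version
            vid = f"v{next(self._ids)}"
            versions.append(Version(vid, None, day))
            return vid
        self._versions[key] = [v for v in versions if v.version_id != version_id]   # gone for good
        return version_id

    def restore(self, key):
        """Undo an accidental delete: drop the delete marker if it is the current version."""
        versions = self._versions.get(key, [])
        if versions and versions[-1].body is None:
            versions.pop()
            return True
        return False

    def list_versions(self, key):
        return [(v.version_id, "delete-marker" if v.body is None else "object")
                for v in self._versions.get(key, [])]

    def expire_noncurrent(self, key, noncurrent_days, today):
        """Lifecycle rule: expire versions that became noncurrent at least noncurrent_days ago."""
        versions = self._versions.get(key, [])
        keep = [v for i, v in enumerate(versions)
                if i == len(versions) - 1 or today - versions[i + 1].created_day < noncurrent_days]
        self._versions[key] = keep
        return len(versions) - len(keep)   # number of versions removed
```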
  62. Bucket Permissions: S3 Block Public Access (NEW!); bucket access control lists (ACLs).
  63. S3 Block Public Access (NEW!), set at the account or bucket level. With a few clicks in the S3 management console, you can apply S3 Block Public Access to every bucket in your account, both existing buckets and any new buckets created in the future, and make sure that there is no public access to any object.
  64. Encryption Support in Amazon S3
     • Encryption in motion – HTTPS/TLS
     • Encryption at rest
       • Client-side encryption – encrypt before upload
       • Server-side encryption
         • SSE-S3 – Amazon S3 manages the data and master encryption keys
         • SSE-C – you manage the encryption key
         • SSE-KMS – Amazon S3 manages the data key; you manage the master key in AWS KMS
  65. Any questions about Amazon S3?
