In part 2 of the materials from the July 10 AWS RoadShow in Bristol, we discuss best practices for getting started with AWS and the next steps you can take to learn more about AWS and begin using it to run your applications and other IT workloads.
8. Choose use case that suits you
Make your first project a S.M.A.R.T one

Dev & Test
- Spin environments up and down on demand
- Decouple development and test environments from operations constraints
- Explore elasticity in a sandboxed environment

Backup & DR
- Take part of your data or business applications step-by-step into non-production DR use
- Understand cloud dynamics and test during controlled failovers

Greenfield Project
- Embody best practice of cloud computing in unconstrained greenfield projects
- Self contained web projects, document archiving etc

Pain Point
- Move specific service aspects causing undue cost or management burden
- Workflows, search indexing, media streaming, document archiving, constrained databases
10. Plan evolution & set goals

PoC
- Understand services
- Test performance
- Architect for scale

Production
- Build cross functional team capabilities
- Implement monitoring
- Change control and management
- Security management
- Scalability

Automation
- Automate corrective measures
- Auto-scaling
- Zero downtime deployments
- System backup and recovery

Example services across these stages: Beanstalk, CloudFormation, CloudWatch, IAM, APIs, CLI, Auto scaling
20. Master Account and sub accounts (diagram)

Master Account: aws.invoices@mycompany.com
- Consolidated billing information
- Programmatic billing access (CSV reports to S3)

Sub accounts, each with its own IAM users and tagged resources (tags are key-value pairs, e.g. Own=Div, Proj=R):

Operating Co. A (admin@opcoa.com)
- IAM users: User1, Dev1, Admin1
- Resources tagged Own=OpCo with Proj=A, Proj=B, Proj=C

Division B (admin@divisionB.com)
- IAM users: User2, Dev2, Admin2
- Resources tagged Own=Div with Proj=P, Proj=Q, Proj=R

Business Unit C (admin@busUnitC.com)
- IAM users: User3, Dev3, Admin3
- Resources tagged Own=BusC with Proj=X, Proj=Y, Proj=Z
24. Lay Out Your Foundations

Accounts
Create an account structure that makes sense
- Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services

Billing
Control access to billing information
- Use IAM users to keep billing information in the master account
Consolidate billing into a single account
- Let one account pick up the bill for multiple 'sub accounts'
Set up billing alerts and automated bill reporting
- Get CloudWatch notifications when billing reaches a point and output csv reports to S3 for analysis

Access Keys
Decide upon a key management strategy
- Control access to EC2 instances via SSH and embedded public key, e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
Consider SSH key rotation & automation
- Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
- Consider bootstrap automation to grant developer access with developer unique keypairs

Groups & Roles
Use IAM Groups to manage console users and API access
- Provide developers with IAM user login and unique API access credentials
- Control & restrict what IAM users can do by placing them in groups with policies
Assign EC2 Instances IAM roles
- Let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. instance can only read S3 bucket
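The "replacing authorized_keys listings on running instances" step above, as an added example that is not from the slides or from AWS: a Python routine that retires one public key, adds its replacement, keeps every other entry (other users' keys, comments, option prefixes), and writes the file atomically with the permissions sshd expects. The key strings are constructed placeholders, not real key material.

```python
import os
import tempfile
from pathlib import Path

# Constructed placeholder keys (not real key material); the blob after the
# key type is what identifies a key, the trailing comment does not.
OLD_KEY = "ssh-ed25519 AAAAC3OLDKEYPLACEHOLDER deploy@2014-01"
NEW_KEY = "ssh-ed25519 AAAAC3NEWKEYPLACEHOLDER deploy@2014-07"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """Return (key type, key blob) for an authorized_keys entry, skipping any
    options prefix such as from="10.0.0.0/8",no-pty; None for blank/comment lines."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return (field, fields[i + 1])
    return None


def rotate_authorized_keys(lines, retire, replacement):
    """Return new authorized_keys lines: entries for `retire` removed, `replacement`
    appended once if absent, everything else (other users, comments) preserved."""
    retire_id, new_id = key_identity(retire), key_identity(replacement)
    if retire_id is None or new_id is None:
        raise ValueError("retire and replacement must be valid public key lines")
    kept = [line for line in lines if key_identity(line) != retire_id]
    if not any(key_identity(line) == new_id for line in kept):
        kept.append(replacement.strip())
    return kept


def write_atomically(path, lines):
    """Write to a temp file in the same directory, then rename over the target,
    so sshd only ever sees the complete old file or the complete new one."""
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o600)  # sshd rejects keys files writable by group or others
    os.replace(tmp, path)


def rotate_file(path, retire=OLD_KEY, replacement=NEW_KEY):
    """Rotate the keys file at `path` in place and return its new lines."""
    path = Path(path)
    current = path.read_text().splitlines() if path.exists() else []
    updated = rotate_authorized_keys(current, retire, replacement)
    write_atomically(path, updated)
    return updated


def demo():
    """Rotate a throw-away file in a temp directory; returns (lines, file text)."""
    path = Path(tempfile.mkdtemp()) / "authorized_keys"
    path.write_text(OLD_KEY + "\n" + "ssh-rsa AAAAB3ALICEPLACEHOLDER alice\n")
    lines = rotate_file(path)
    return lines, path.read_text()
```

Run the same routine over each instance (for example from a bootstrap or configuration-management step) and the old private key stops working everywhere it was listed, while unrelated entries are untouched.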
34. Understand your customer & form security stance
Leverage shared security model

Internal audience: IAM, Administration, Architecture
External audience: Your certifications, Your processes, Penetration test requests
Regulated audience: AWS Certifications, AWS White Papers, AWS QSA Process

Engage with security assessors early in adoption cycle
- Don't fear assessment – AWS meets high standards (PCI, ISO27001, SOC2…)
- As with any infrastructure provider, security assessments take time
- Derive value from architecture reviews early in deployment cycle

Use comprehensive materials and certifications provided by AWS
- http://aws.amazon.com/security/
- Risk and compliance paper
- AWS security processes paper
- CSA consensus assessments initiative questionnaire

Build upon features of AWS and implement a 'security by design' environment
38. Build upon AWS features

Tiered Access
- IAM: Control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)
- APIs vs Instance, Temporary Credentials: Provide developer API credentials and control access to SSH keys

Security Groups
- Instance firewalls: Firewall control on instances via Security Groups
- CLIs and APIs: Instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory enabled by the programmatic nature of AWS

VPC
- Subnet control: Create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
- Bastion hosts: Only allow access for management of production resources from a bastion host. Turn off when not needed

Direct Connect & VPN
- Private connections to VPC: Secured access to resources in AWS over software or hardware VPN and dedicated network links
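An added example (not from the slides or from any AWS library) of the "instance can only read S3 bucket" entitlement and the IAM point above: the role policy as a Python dict, plus a deliberately simplified evaluator (explicit Deny wins, then any Allow, else implicit deny; Condition, NotAction/NotResource and Principal are not modelled) for checking which calls a policy permits before it is attached to a role. The bucket name is a placeholder.

```python
import fnmatch
import json

BUCKET = "example-config-bucket"  # placeholder bucket name, substitute your own

# Least-privilege policy for an EC2 instance role: read objects in one bucket
# and list that bucket, nothing else. A plain dict so json.dumps() yields the
# document to attach to the role.
READ_ONE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
    ],
}


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); Action/Resource may be a string
    or a list. Action names are case-insensitive, ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM decision for an identity policy: an explicit Deny wins,
    otherwise any matching Allow permits, otherwise implicit deny.
    Assumption: Condition, NotAction/NotResource and Principal are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document(policy=READ_ONE_BUCKET_POLICY):
    """JSON text of the policy, as uploaded for the role."""
    return json.dumps(policy, indent=2)


def least_privilege_report(policy=READ_ONE_BUCKET_POLICY, bucket=BUCKET):
    """Check the calls an instance with this role can and cannot make."""
    obj = f"arn:aws:s3:::{bucket}/app/config.json"
    return {
        "read own bucket": is_allowed(policy, "s3:GetObject", obj),
        "list own bucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "write own bucket": is_allowed(policy, "s3:PutObject", obj),
        "read other bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "terminate instances": is_allowed(policy, "ec2:TerminateInstances", "*"),
    }
```

The report is the check to run whenever the policy is edited: only the two read operations on the one bucket should come back True.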
40. Architect to use cloud strengths

Review application architectures early – assess fit for cloud
- e.g. variable capacity requirements, 'standard' technology stacks, reference architectures*

Can cloud benefits be leveraged with minimum effort outlay?
- e.g. Application performance improvement by migration of static content to S3/CloudFront

Will cloud yield cost savings & agility improvements?
- e.g. Faster development cycles for dev/test, reduced cap-ex for application environments

Can automation lead to a more agile & secure service?
- e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments

*http://aws.amazon.com/architecture
41. Bootstrapping – custom AMIs
1 Create instance for your OS choice
2 Configure environment
3 Install software
4 Create AMI from instance
5 Launch fully configured instances from AMI

Diagram: Custom machine image (AMI) → Instance; instances are launched from the AMI by manual deployments, programmatic deployments or auto-scaling
44. Bootstrapping – metadata service
Diagram: Custom or standard machine image (AMI) + user data → Instance; through the Instance Metadata Service the instance receives custom data to drive bootstrapping

Scripts in user-data field of metadata will be executed on launch, e.g.:

  #!/bin/sh
  # Install Apache httpd, enable it at boot and start it
  yum -y install httpd
  chkconfig httpd on
  /etc/init.d/httpd start

Or, for Windows instances:

  <powershell>
  …
  </powershell>

Metadata service contains a wealth of information about an instance:
http://169.254.169.254/latest/meta-data

Use user data to:
- Install software e.g. web server, app server, proxy
- Pull data and application packages from S3
- Publish metadata for instance to other systems e.g. monitoring systems
- Set up security profile of instance based upon intended use e.g. pull latest config
50. Architect to use cloud strengths

Elastic Load Balancing
- Use at regional level: Combined with autoscaling will balance requests and resource capacity across availability zones
- Within VPC: Use to load balance between application tiers within an availability zone
- Instance migrations: Easily move instances from dev environments to test environments by moving between ELBs

Route 53
- Leverage SLA: Improve application reliability with Route 53's SLA on requests served
- Weighted routing: Perform A/B analysis, and staged application roll-outs by moving a portion of traffic to new infrastructure
- Control TTLs and updates: Take absolute control of DNS updates for more decisive system updates

RDS
- Scale databases without admin overhead: Choose instance size for databases and scale up over time
- Add high availability from management console: Create master-slave configurations and read-replicas. AWS takes care of the failover and recreation of a new slave in event of master DB loss

Auto-scaling
- Dynamically scale resources & control costs: Only provision the resources that are required with scale up and cool down policies that match demand

Find out more at: aws.amazon.com/architecture
52. Services not software (diagram)
Self Managed Software & Infrastructure: 70% managing all of the "Undifferentiated Heavy Lifting", 30% on your business
AWS Cloud-Based Infrastructure & Services: 30% configuring your cloud assets, 70% more time to focus on your business
53. Services not software
Relational Database Service (use RDS for databases)
- Database-as-a-Service
- No need to install or manage database instances
- Scalable and fault tolerant configurations
DynamoDB (use DynamoDB for high performance key-value DB)
- Provisioned throughput NoSQL database
- Fast, predictable performance
- Fully distributed, fault tolerant architecture

54. Services not software
Amazon SQS (reliable message queuing without additional software)
- Reliable, highly scalable, queue service for storing messages as they travel between instances
- Diagram: Task A → Amazon SQS (processing task/processing trigger) → Task B (Auto-scaling) → Amazon SQS (processing results) → Task C
Simple Workflow (push inter-process workflows into the cloud with SWF)
- Reliably coordinate processing steps across applications
- Integrate AWS and non-AWS resources
- Manage distributed state in complex systems

55. Services not software
CloudSearch (don't install search software, use CloudSearch)
- Elastic search engine based upon Amazon A9 search engine
- Fully managed service with sophisticated feature set
- Scales automatically
- Diagram: Document Server → Search Server → Results
Elastic MapReduce (process large volumes of data cost effectively with EMR)
- Elastic Hadoop cluster
- Integrates with S3 & DynamoDB
- Leverage Hive & Pig analytics scripts
- Integrates with instance types such as spot
57. Be elastic and cost optimized
Goals: Scalability, Availability, Cost Optimization
Tools: Elastic Load Balancing, Auto-scaling policies, Instance types and sizes
59. Auto-scaling policies

Manually
- Send an API call or use CLI to launch/terminate instances – only need to specify capacity change (+/-)
- Preemptive manual scaling of capacity, e.g. before a marketing event add 10 more instances

By Schedule
- Scale up/down based on date and time
- Regular scaling up and down of instances, e.g. scale from 0 to 2 to process SQS messages every night or double capacity on a Friday night

By Policy
- Scale in response to changing conditions, based on user configured real-time monitoring and alerts
- Dynamic scale based upon custom metrics, e.g. SQS queue depth, Average CPU load, ELB latency

Auto-Rebalance
- Instances are automatically launched/terminated to ensure the application is balanced across multiple AZs
- Maintain capacity across availability zones, e.g. instance availability maintained in event of AZ becoming unavailable
60. Instance types

On-demand instances
- Unix/Linux instances start at $0.02/hour
- Pay as you go for compute power
- Low cost and flexibility: pay only for what you use, no up-front commitments or long-term contracts
- Use cases: applications with short term, spiky, or unpredictable workloads; application development or testing

Reserved instances
- 1- or 3-year terms
- Pay low up-front fee, receive significant hourly discount
- Low cost / predictability: helps ensure compute capacity is available when needed
- Use cases: applications with steady state or predictable usage; applications that require reserved capacity, including disaster recovery

Spot instances
- Bid on unused EC2 capacity
- Spot Price based on supply/demand, determined automatically
- Cost / large scale, dynamic workload handling
- Use cases: applications with flexible start and end times; applications only feasible at very low compute prices
63. Quickly deploy and manage apps in AWS…
Elastic Beanstalk, CloudFormation, OpsWorks

64. CloudFormation components & terminology
Template
- JSON formatted file
- Parameter definition
- Resource creation
- Configuration actions
CloudFormation
- Framework
- Comprehensive service support
- Service event aware
- Customisable
Stack
- Configured AWS services
- Stack creation
- Stack updates
- Error detection and rollback

65. OpsWorks: powerful management framework with Chef support
Stack (Managed environment): definition of environment such as production or test
Layers (Collection of resources): blueprint for a collection of resources (instances, EBS, EIPs etc)
Management (Management services): scaling, cloning, user access, self healing
Apps (Your application assets): resources to deploy and run in layers
69-71. AWS Support offerings (the Basic tier is listed on the slides without details)

Offering                     Developer         Business              Enterprise
24x7x365                     ✓                 ✓                     ✓
Forum Access                 ✓                 ✓                     ✓
Documentation                ✓                 ✓                     ✓
Access to support            Email             Phone, Chat, Email    Phone, Chat, Email
Named Contacts               1                 5                     Unlimited
Fastest Response Time        12 Hours          1 Hour                15 Minutes
Architecture Support         Building Blocks   Use Case Guidance     Application Architecture
Best Practice                ✓                 ✓                     ✓
Diagnostics Tools            ✓                 ✓                     ✓
Direct Routing               -                 ✓                     ✓
3rd Party Software           -                 ✓                     ✓
Trusted Advisor              -                 ✓                     ✓
Direct TAM Access            -                 -                     ✓
White Glove Case Handling    -                 -                     ✓
Management Business Review   -                 -                     ✓

Find out more at: aws.amazon.com/premiumsupport
73. Trusted Advisor
Business and Enterprise Support has been enhanced to include best practice audits via AWS Trusted Advisor

Security
- Open ports in Security Groups
- World access (/0 CIDR)
- IAM use

Fault Tolerance
- EBS snapshot age
- ELB Optimization
- Availability Zones

Cost Optimization
- Unused Elastic IPs
- Underutilized EC2 instances

Find out more at: aws.amazon.com/premiumsupport/trustedadvisor
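The scriptable audit mentioned under "CLIs and APIs" on slide 38 and the "Open ports in Security Groups" / "World access (/0 CIDR)" checks above, as an added example that is not from the slides or from Trusted Advisor: a Python function over security-group descriptions in the shape returned by EC2 DescribeSecurityGroups (boto3's ec2.describe_security_groups()), flagging inbound rules reachable from anywhere on anything but the ports an internet-facing tier is expected to expose. The sample groups, IDs and CIDRs are constructed.

```python
import ipaddress

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response
# (the "SecurityGroups" list boto3's describe_security_groups() returns);
# group IDs, names and CIDRs are made up for the example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bast", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

# Ports an internet-facing tier is expected to expose; anything else open to
# the world is a finding. Adjust per environment (assumption for the example).
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, the '/0 CIDR' Trusted Advisor warns about."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group):
    """Findings for one group as (GroupId, protocol, ports) tuples, one per
    inbound rule reachable from any address on a port outside PUBLIC_OK_PORTS."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_world_open(c) for c in cidrs):
            continue
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":                       # all protocols, all ports
            findings.append((group["GroupId"], "all", "all"))
        elif proto in ("icmp", "icmpv6"):       # ICMP carries types, not ports
            findings.append((group["GroupId"], proto, "all"))
        elif lo is None or set(range(lo, hi + 1)) - PUBLIC_OK_PORTS:
            span = "all" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
            findings.append((group["GroupId"], proto, span))
    return findings


def audit(groups):
    """Run audit_group over every group, e.g. a whole account's listing."""
    return [f for g in groups for f in audit_group(g)]
```

On the constructed sample this reports the world-open SSH rule on the web tier and the all-traffic IPv6 rule on the database tier, and passes the bastion host whose SSH is limited to one office range.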
75. 3rd Party Software Support Enhancements

Operating Systems including:
- Ubuntu Linux
- Red Hat Enterprise Linux and Fedora
- SUSE Linux (SLES and openSUSE)
- CentOS Linux
- Microsoft Windows 2003 R2
- Microsoft Windows 2008
- Microsoft Windows 2008 R2
- Microsoft Windows 2012

Common application stack components including:
- Amazon SDKs
- Apache, Nginx and IIS web servers
- Sendmail & Postfix MTAs
- SSH, SFTP & FTP
- Disk Management tools – LVM & Software RAID
- VPN Solutions – OpenVPN, RRAS
- Databases – MySQL & SQL Server
77. Choose your use case well
Organize your environments
Think security
Architect to cloud strengths
Services not software
Be elastic & cost optimized
Use frameworks where appropriate
Get supported
78. AWS Training & Certification
Certification: aws.amazon.com/certification
Demonstrate your skills, knowledge, and expertise with the AWS platform
Self-Paced Labs: aws.amazon.com/training/self-paced-labs
Try products, gain new skills, and get hands-on practice working with AWS technologies
Training: aws.amazon.com/training
Skill up and gain confidence to design, develop, deploy and manage your applications on AWS

79. We typically see customers start by trying our services
Get started now at: aws.amazon.com/getting-started

80. Design your application for the AWS Cloud
More details on the AWS Architecture Center at: aws.amazon.com/architecture
81. AWS RoadShow Bristol
Ian Massingham - Technical Evangelist
10 July 2014
ianmas@amazon.com
@IanMmmm