This document provides an overview and agenda for an AWS workshop on building an application with a baked AMI. The goals are to learn how to build an application that connects to AWS services like S3 and RDS using a baked AMI, scales automatically, balances load, distributes to CDN, and uses a custom domain name. The agenda covers AWS resources like EC2, VPC, RDS, load balancing, auto scaling, S3, Route 53, CloudFront, and IAM. It also discusses tools like Packer and Terraform for building AWS resources and AMIs. The workshop will walk through building a TodoMVC application on AWS using these services and tools.
2. Goals
Learn to build an application capable of
● connecting to AWS object storage (S3) and a managed database instance (RDS)
● being deployed from a baked Amazon Machine Image (AMI)
● scaling application instances automatically
● balancing load between application instances
● distributing the application through a CDN
● being reached by a self-defined domain name
3. Agenda
● Introduction of AWS Resources
– Elastic Compute Cloud (EC2)
– Virtual Private Cloud (VPC)
– Relational Database Service (RDS)
– Load Balancing
– Auto Scaling
– Simple Storage Service (S3)
– Route 53
– CloudFront
– Identity and Access Management (IAM)
● Tools to Build AWS Resources - Packer
● Building up the Service - TodoMVC
● Tools to Build AWS Resources - Terraform
5. Elastic Compute Cloud (EC2)
● A virtual computing instance
● Various configurations of CPU, memory, storage, and networking
capacity for instances
● Secure login to an instance using a key pair (the public key is placed on the
instance, the private key stays with you)
Amazon Machine Image (AMI)
● The template (operating system, installed software and configuration) used to
launch an instance
6. Virtual Private Cloud (VPC)
● A logically isolated virtual network of the AWS Cloud where AWS
resources are launched
● Physical locations are composed of regions (e.g., us-west-1) and
availability zones (e.g., us-west-1a, us-west-1b)
Subnet
● A range of IP addresses within the VPC
● Public or private, determined by the route table associated with it
Security Group
● Controls inbound and outbound traffic at the instance level (stateful)
7. Relational Database Service (RDS)
● Managed relational database service
● Automated backups to restore a database
● Replication from the primary instance
DB Instance
● An isolated database instance in the cloud
● Supports different configurations of computation and memory capacity
Subnet Group
● A set of subnets in a VPC in which DB instances are launched
● Must span at least two availability zones (AZ)
8. Relational Database Service (RDS)
Parameter Group
● Configure parameters of the DB engine, such as max_connections,
character_set_connection
● Changes to static parameters apply after rebooting the DB instance
● Changes to dynamic parameters apply immediately
Option Group
● Additional features for the DB engine, such as memcached for MySQL
9. Load Balancing
● Serves as a single entry point for clients
● Distributes incoming application traffic across multiple EC2 instances,
in multiple availability zones
● Forwards traffic only to healthy instances
Classic Load Balancer (ELB)
● One ELB forwards traffic to a single set of backend instances
Application Load Balancer (ALB)
● One ALB can forward traffic to multiple sets of targets, selected by listener rules
● EC2 instances are registered in groups called target groups
10. Auto Scaling
● Configures automatic scaling for scalable AWS resources
● Launches and terminates EC2 instances defined by a launch configuration
11. Simple Storage Service (S3)
● Web-accessible storage used to store and retrieve any amount of data
● Store data as objects
● An object consists of a file and any metadata that describes that file
Buckets
● The containers for objects
12. Route 53
● A DNS service
● Register domain names
● Route internet traffic to the resources for your domain
Hosted Zone
● Public - route traffic on the internet
● Private - route traffic within the VPC
13. CloudFront
● Delivers content through edge locations (collections of servers in
geographically dispersed data centers)
● Caches the content in the edge locations
14. Identity and Access Management (IAM)
● Control access to AWS resources securely
● Authenticate identities (people or processes) and authorize what they may do
User
● Represent the person or service
● Primary uses are to give people ability to sign in to AWS console and
make programmatic requests
Group
● A collection of users
● Any user in that group automatically has the permissions that are
assigned to the group
15. Identity and Access Management (IAM)
Role
● Similar to a user but has no long-term credentials (no password or access
keys); whoever assumes the role receives temporary credentials
● Can also be assigned to a federated user who signs in by using an
external identity provider
17. Introduction to Packer
● Builds machine images automatically, including AWS AMIs
● Configured by a JSON template with three parts
○ variables: from the command line, environment variables, or files
○ builders: responsible for creating a machine and turning that machine into
an image
○ provisioners: install and configure software in the image
● Does NOT manage images, e.g., create an instance from an image or delete
an image
19. Lifecycle - Building AWS AMI as the Example
1. Create keypair and security group to access an EC2 instance
2. Create an EC2 instance and wait until it becomes ready
3. SSH to the instance and provision
4. Stop the EC2 instance
5. Create an AMI from the instance and wait until it is available
6. Terminate the EC2 instance
7. Delete keypair and security group
24. Configuration of Network
Create a VPC
● Region: US West (Oregon)
● Name tag: demo-vpc
● IPv4 CIDR block: 10.0.0.0/16
● Set DNS hostnames to Yes after the VPC is created
Note. DNS resolution and DNS hostnames must both be Yes for Route 53
private hosted zones to resolve inside the VPC
27. Configuration of Private Subnets
Create two private subnets where the database is launched
● Name tag: demo-private-subnet-2a | demo-private-subnet-2b
● VPC: demo-vpc
● Availability Zone: us-west-2a | us-west-2b
● IPv4 CIDR block: 10.0.3.0/24 | 10.0.4.0/24
Note. The subnets must be in different availability zones for the RDS subnet
group to be accepted
30. Configuration of Public Subnets
Create two public subnets where the webserver is launched
● Name tag: demo-public-subnet-2a | demo-public-subnet-2b
● VPC: demo-vpc
● Availability Zone: us-west-2a | us-west-2b
● IPv4 CIDR block: 10.0.1.0/24 | 10.0.2.0/24
Note.
1. The subnets must be in different availability zones for the load balancer to work
2. A subnet is NOT really public until the VPC has an internet gateway attached and
the subnet is associated with a route table that sends 0.0.0.0/0 to that gateway
33. Configuration of Public Subnets
Create an internet gateway and attach it to the VPC
● Name tag: demo-internet-gateway
Create a route table and associate it with the public subnets
● Name tag: demo-public-route-table
● VPC: demo-vpc
● Routes
○ Destination: 0.0.0.0/0
○ Target: demo-internet-gateway
● Subnet Associations: demo-public-subnet-2a and
demo-public-subnet-2b
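The subnet plan from the three slides above, expressed as a preflight check. This is an added example for the workshop, not part of the original deck or the terraform-example project: it uses Python's standard ipaddress module to verify the notes on the slides (every subnet inside 10.0.0.0/16, no overlaps, each tier in two availability zones, and a subnet counted as "public" only when its route table sends 0.0.0.0/0 to the internet gateway). The subnet and route-table values are copied from the slides; the private subnets are assumed to remain on the VPC's main route table with only the local route, which the slides do not state explicitly.

```python
"""Preflight check for the demo-vpc network plan (added example, not from the deck)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Values copied from the slides. Private subnets are ASSUMED to stay on the
# VPC's main route table (local route only); the slides do not say so.
SUBNETS = {
    "demo-public-subnet-2a":  {"az": "us-west-2a", "cidr": "10.0.1.0/24", "route_table": "demo-public-route-table"},
    "demo-public-subnet-2b":  {"az": "us-west-2b", "cidr": "10.0.2.0/24", "route_table": "demo-public-route-table"},
    "demo-private-subnet-2a": {"az": "us-west-2a", "cidr": "10.0.3.0/24", "route_table": "main"},
    "demo-private-subnet-2b": {"az": "us-west-2b", "cidr": "10.0.4.0/24", "route_table": "main"},
}

# destination -> target per route table; the implicit "local" route is omitted.
ROUTE_TABLES = {
    "demo-public-route-table": {"0.0.0.0/0": "demo-internet-gateway"},
    "main": {},
}


def is_public(subnet_name, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """A subnet is public only if its route table sends 0.0.0.0/0 to an internet gateway."""
    routes = route_tables[subnets[subnet_name]["route_table"]]
    target = routes.get("0.0.0.0/0", "")
    return target.startswith("igw-") or "internet-gateway" in target


def check_plan(vpc_cidr=VPC_CIDR, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Return a list of problems; an empty list means the plan satisfies the slides' notes."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in subnets.items()}

    # Every subnet must be carved out of the VPC block.
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is not inside {vpc}")

    # Subnets in one VPC may not overlap.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")

    # The RDS subnet group and the ALB each require at least two AZs per tier,
    # and a subnet's route table must match the role its name claims.
    for tier in ("public", "private"):
        members = [n for n in subnets if f"-{tier}-" in n]
        azs = {subnets[n]["az"] for n in members}
        if len(azs) < 2:
            problems.append(f"{tier} subnets cover {len(azs)} AZ(s); need at least 2")
        for n in members:
            if (tier == "public") != is_public(n, subnets, route_tables):
                problems.append(f"{n}: route table does not match its '{tier}' role")
    return problems


if __name__ == "__main__":
    problems = check_plan()
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
```

Running the script against the plan as drawn on the slides reports OK; forgetting to associate demo-public-route-table with one of the public subnets makes that subnet fail the route-table check, which is exactly the "not really public" note above.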
39. Security of Webserver
Create a security group for the webserver
● Name tag: demo-sg-webserver
● Group name: demo-sg-webserver
● VPC: demo-vpc
● Inbound Rules
○ Type: HTTP
○ Protocol: TCP
○ Port Range: 80
○ Source: 0.0.0.0/0
42. Security of Database
Create a security group for the database
● Name tag: demo-sg-mysql
● Group name: demo-sg-mysql
● VPC: demo-vpc
● Inbound Rules
○ Type: Custom TCP Rule
○ Protocol: TCP
○ Port Range: 3306
○ Source: demo-sg-webserver
Note. The source could also be the CIDRs 10.0.1.0/24 and
10.0.2.0/24, but referencing the webserver's security group is recommended:
the rule then follows the webserver instances rather than an address range
46. Configuration of Database Subnets
Create an RDS subnet group
● Name: demo-mysql-subnet-group
● VPC ID: demo-vpc
● Subnets: 10.0.3.0/24 and 10.0.4.0/24
48. Configuration of Database
Create an RDS instance
● Engine: MySQL
○ Check box: Free tier eligible only
● Instance Specifications
○ Check the box: Only show options that are eligible for RDS Free
Tier
○ DB Instance Identifier: demo-mysql
○ Master Username: root
○ Master Password/Confirm Password: password
Note. These credentials are workshop placeholders. For anything beyond the
demo, use a non-default master username and a long random password
54. Configuration of Database Engine Parameters
(Optional) Create an RDS parameter group
● Parameter Group Family: mysql5.6
● Type: DB Parameter Group
● Group Name: demo-mysql-parameter
● Edit the MySQL parameters after the group is created
57. Configuration of Database Engine Features
(Optional) Create an RDS option group
● Name: demo-mysql-option
● Engine: mysql
● Major Engine Version: 5.6
● Add option after the group is created
60. Private Alias for Domain Name of Database
Create hosted zone under Route 53
● Domain Name: lynn.demo
● Type: Private Hosted Zone for Amazon VPC
● VPC ID: demo-vpc
Create record set under hosted zone
● Name: db
● Type: CNAME
● Value: endpoint of RDS demo-mysql
65. File storage for images
Create S3 bucket
● Bucket Name: demo-todo-image
● Region: US West (Oregon)
67. CDN for Files Stored in S3
Create a distribution under CloudFront
● Get started with Web
● Origin Settings
○ Origin Domain Name: demo-todo-image.s3.amazonaws.com
○ Origin ID: S3-demo-todo-image
● Default Cache Behavior Settings
○ Viewer Protocol Policy: Redirect HTTP to HTTPS
○ Object Caching: Customize
○ Minimum TTL: 0
○ Maximum TTL: 300
○ Default TTL: 60
● Distribution Settings
○ Price Class: Use Only US, Canada and Europe
75. Authentication for Webserver to Access S3
Create an IAM policy
● Name: demoS3FullAccessToDemoTodoImage
● By visual editor
○ Service: S3
○ Actions: All S3 actions (s3:*)
○ Resources: arn:aws:s3:::demo-todo-image/*
77. Authentication for Webserver to Access S3
● By JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::demo-todo-image/*"
        }
    ]
}
80. Authentication for Webserver to Access S3
Create an IAM role with the policy attached
● Trusted entities: AWS service: ec2.amazonaws.com
● Policies: demoS3FullAccessToDemoTodoImage
● Role Name: demoInstanceRoleAccessS3
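Two things about the policy on slides 75 to 77 are worth checking before attaching it to the instance role: s3:* grants every S3 action the role could ever need, and a resource of arn:aws:s3:::demo-todo-image/* matches object ARNs only, so bucket-level actions such as s3:ListBucket are not actually granted despite the "FullAccess" name (they need the bucket ARN without /*). The script below is an added example, not code from the deck or the TodoMVC project: it reviews a policy document for those two issues and generates a tighter alternative scoped to the bucket from the slides. The set of object actions the application needs (GetObject, PutObject, DeleteObject) and the optional ListBucket are assumptions; the slides do not list what the Laravel app calls.

```python
"""Review the webserver's S3 policy for least privilege (added example, not from the deck)."""
import json

BUCKET = "demo-todo-image"  # bucket name from the slides

# Policy exactly as written on slide 77.
DECK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    ],
}

# ASSUMED: actions an image-upload app needs; the slides do not list them.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
BUCKET_ACTIONS = ["s3:ListBucket"]

# Actions that are evaluated against the bucket ARN, never against "<bucket>/*".
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}


def least_privilege_policy(bucket, object_actions=OBJECT_ACTIONS, bucket_actions=BUCKET_ACTIONS):
    """Object actions on the object ARN, bucket actions on the bucket ARN, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": list(object_actions), "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": list(bucket_actions), "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def _as_list(value):
    # IAM allows a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return human-readable findings; an empty list means no issue was spotted."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid") or f"statement[{i}]"
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])

        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a!r}; list the actions the app uses")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: wildcard resource; scope to the bucket ARN")

        # A statement that names bucket-level actions (or a wildcard covering them)
        # but only lists "<bucket>/*" resources never grants those actions.
        wants_bucket_level = any(a == "*" or a.endswith(":*") or a in BUCKET_LEVEL for a in actions)
        if wants_bucket_level and resources and all(r.endswith("/*") for r in resources):
            findings.append(f"{sid}: bucket-level actions (e.g. s3:ListBucket) only match "
                            f"arn:aws:s3:::<bucket>; this statement has only '/*' resources")
    return findings


if __name__ == "__main__":
    for f in review_policy(DECK_POLICY):
        print("deck policy:", f)
    print(json.dumps(least_privilege_policy(BUCKET), indent=2))
```

Paste the generated document into the JSON tab in place of the one on slide 77; the role on slide 80 then carries only what the webserver uses against this one bucket.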
83. Machine Image for EC2 Instance
Create the AMI manually in the AWS console
● Launch a t2.micro EC2 instance running Ubuntu Linux
● SSH to the instance and execute the provisioning script
● Back in the AWS console, create an image from the instance
● AMI name: demo-laravel-todo
86. Machine Image for EC2 Instance
Create the AMI automatically with Packer
● Create an IAM access key for Packer with only the permissions its build
lifecycle needs (EC2 instance, key pair, security group and AMI operations)
● Clone the packer-example project and follow its instructions to run the build
89. Load Balance Between Webserver Instances
Create a target group with no registered instances yet
● Target group name: demo-target-group-webserver
● Protocol: HTTP
● Port: 80
● Target Type: instance
● VPC: demo-vpc
92. Load Balance Between Webserver Instances
Create an application load balancer (ALB)
● Name: demo-alb-webserver
● Scheme: internet-facing
● IP address type: ipv4
● Listeners
○ Load Balancer Protocol: HTTP
○ Load Balancer Port: 80
● Availability zones: demo-public-subnet-2a and
demo-public-subnet-2b
● Security groups: demo-sg-webserver
● Target group name: demo-target-group-webserver
● Skip the step of registering targets (the auto scaling group registers them later)
99. Load Balance Between Webserver Instances
(Optional) Edit the forwarding rules of listeners
● Listen on different ports and forward to different target groups
● Define multiple forwarding rules on one listening port
102. Auto Scaling of Webserver Instances
Create a launch configuration for the EC2 instances to be scaled
● AMI: demo-laravel-todo of My AMIs
● Instance Type: t2.micro
● Launch configuration
○ Name: demo-launch-laravel-todo
○ IAM Role: demoInstanceRoleAccessS3
○ User data: paste the script and replace the values of IMAGE_S3_BUCKET and
IMAGE_DOMAIN
○ IP Address Type: Assign a public IP address to every instance
● Security group: demo-sg-webserver
Note. demo-sg-webserver allows port 80 from 0.0.0.0/0 and every instance gets a
public IP, so each instance is also reachable directly from the internet, bypassing
the ALB (and CloudFront). If only the load balancer should reach them, give the
instances their own security group whose port 80 source is the ALB's security group
105. Auto Scaling of Webserver Instances
Create an auto scaling group to manage the EC2 instances
● Launch configuration: demo-launch-laravel-todo
● Group name: demo-asg-laravel-todo
● Group size: 2
● Network: demo-vpc
● Subnet: demo-public-subnet-2a and demo-public-subnet-2b
● Load Balancing: Receive traffic from one or more load balancers
● Target Groups: demo-target-group-webserver
● Scaling policies: Keep this group at its initial size
109. Auto Scaling of Webserver Instances
(Optional) Set scaling policies for EC2 instances
● Two types of scaling policies
○ Target tracking: keep a metric at a target value
■ Maintain average CPU utilization at 50%
○ Step scaling: add or remove a number of instances when the load
crosses a threshold
■ Add 1 instance when average CPU utilization exceeds 70%
111. CDN for Webserver
Create a distribution under CloudFront
● Get started with Web
● Origin Settings
○ Origin Domain Name:
demo-alb-webserver-xxx.us-west-2.elb.amazonaws.com
○ Origin ID: ALB-demo-alb-webserver
112. CDN for Webserver
● Default Cache Behavior Settings
○ Viewer Protocol Policy: Redirect HTTP to HTTPS
○ Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH,
DELETE
○ Object Caching: Customize
○ Minimum TTL: 0
○ Maximum TTL: 0
○ Default TTL: 0
● Distribution Settings
○ Price Class: Use Only US, Canada and Europe
Note. With all TTLs at 0 CloudFront caches nothing for the application; it
terminates HTTPS for viewers, but the hop from CloudFront to the ALB is plain HTTP
because the ALB only has an HTTP:80 listener
117. Introduction to Terraform
● Code the infrastructure to build, change and version resources,
including AWS VPC, S3, EC2 etc.
● Code with Terraform files (.tf) which contain two kinds of blocks:
○ provider: infrastructure service provider
○ resource: infrastructure component
● Uses a JSON file (terraform.tfstate) as the record of the infrastructure's current
state
● Does not roll back when a build fails; resources created before the failure remain
and are recorded in the state
118. Lifecycle
1. Validate the configuration (.tf)
2. Compare the current state (.tfstate) with the configuration (.tf)
3. Build the resources according to the differences
4. Generate the new state (.tfstate) after the build succeeds
119. Steps
1. Download all files (.tf and .tpl) in the folder
CreateALaravelProjectBuiltByAMI of terraform-example
2. Install Terraform
3. Create a variable file named terraform.tfvars in the same folder
// terraform.tfvars
access_key = "your aws access key"
secret_key = "your aws secret key"
ami = "ami id of todoMVC"
Note. Make sure the IAM user has the permissions required to create the AWS
resources. terraform.tfvars holds long-lived credentials in plain text: keep it out of
version control (e.g., list it in .gitignore), or drop access_key/secret_key from the
provider configuration and let the AWS provider read credentials from the environment
or the shared credentials file instead
120. Steps
4. Execute the commands to create the resources
5. Check the result after the build is completed
6. Execute the command to remove all resources
$ terraform init
$ terraform apply
$ terraform destroy