31. Disposable, Numerous
Projects start and stop frequently
Required for short period of time
Golden masters preferred
Many environments support an app
Preservation of known configurations
Overlapping development cycles
32. Development & test in the cloud
33-35. Development & test in the cloud
Take lots of it when you need it: Unlimited elastic capacity
Throw it away when you don't: Cost optimization
Preserve it for future reference: Durable imaging & storage
41. Higher-level Services
Stack through defining layers
Layers:
Load balancing: HA Proxy installation in an availability zone
Application container: Static, Node.js, Rails, PHP
Database layer: MySQL
Stack / Layers / Management / Apps
Elastic Beanstalk | OpsWorks
Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net | OpsWorks | CloudFormation | Containers & Deployment (PaaS)
42. This is a stack
[Architecture diagram: Amazon Route 53; Elastic Load Balancer; CloudFront Distribution; S3 Bucket; Web Servers in a Web ASG; App servers on Elastic Beanstalk; database Master and Standby with read replicas RR 1 to RR 4; ElastiCache Cluster]
Explicit Blueprinting with CloudFormation
43. This is a STACK.
JavaScript Object Notation (JSON)
A template of your datacenter / workload.
Your infrastructure as code.
Template sections: Headers, Parameters, Mappings, Resources, Outputs
Version control: Git, Subversion, Mercurial
Environments: Dev, Test, Prod
44. CloudFormation is a great cookie cutter
Your infrastructure as code.
45. CloudFormation is context aware
Your infrastructure as code.
Create: DEV → dev.mysite.com
Create: TEST → test.mysite.com
Create: PROD → prod.mysite.com
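The following is an added example, not a template from the deck: one CloudFormation template in the JSON layout slide 43 lists (Parameters, Mappings, Resources, Outputs), where a single Environment parameter selects DEV, TEST or PROD as slide 45 shows. The hostnames are the ones on the slide; the instance types and the Environment tag key are made-up sample values, and the AMI id is a placeholder. The small resolver evaluates Ref and Fn::FindInMap the way the service would at stack-creation time, so you can see what each environment gets before you create anything.

```python
# Added example: one JSON template, three environments. Hostnames come from the
# slide; instance types and the tag key are assumptions, ImageId is a placeholder.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "test", "prod"]}
    },
    "Mappings": {"EnvMap": {
        "dev":  {"HostName": "dev.mysite.com",  "InstanceType": "t2.micro"},
        "test": {"HostName": "test.mysite.com", "InstanceType": "t2.small"},
        "prod": {"HostName": "prod.mysite.com", "InstanceType": "m3.large"},
    }},
    "Resources": {"WebServer": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "InstanceType": {"Fn::FindInMap": ["EnvMap", {"Ref": "Environment"}, "InstanceType"]},
            "ImageId": "ami-PLACEHOLDER",  # placeholder: the id of your golden master AMI
            "Tags": [{"Key": "Environment", "Value": {"Ref": "Environment"}}],
        },
    }},
    "Outputs": {"SiteUrl": {
        "Value": {"Fn::FindInMap": ["EnvMap", {"Ref": "Environment"}, "HostName"]}
    }},
}

def resolve(node, params, mappings):
    """Evaluate Ref and Fn::FindInMap the way CloudFormation does at create time."""
    if isinstance(node, dict):
        if list(node) == ["Ref"]:
            return params[node["Ref"]]
        if list(node) == ["Fn::FindInMap"]:
            m, k1, k2 = [resolve(x, params, mappings) for x in node["Fn::FindInMap"]]
            return mappings[m][k1][k2]
        return {k: resolve(v, params, mappings) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, params, mappings) for x in node]
    return node

def render(template, environment):
    """Concrete Resources and Outputs for one environment; unknown values are rejected."""
    allowed = template["Parameters"]["Environment"]["AllowedValues"]
    if environment not in allowed:
        raise ValueError(f"Environment must be one of {allowed}")
    params = {"Environment": environment}
    return {k: resolve(template[k], params, template["Mappings"]) for k in ("Resources", "Outputs")}
```

Dump TEMPLATE with json.dumps to get the file you would check into Git, Subversion or Mercurial; render(TEMPLATE, "test") shows exactly which hostname and instance size the TEST stack will be created with.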
59. Create environments to support specific test types
Testing at scale
Unit & regression: Scale up and parallel run unit and regression plans in a fraction of the time
Load & performance: Utilize the spot market for generating load and test how applications perform with auto-scaling
A/B: Run A/B scenario testing with replica stacks
Security: Create sandboxes for aggressive security testing
66. Agenda
Platform Overview
Why AWS for development & test?
AWS services that can be employed
Common dev-test patterns
Security and Billing
67. Control access and segregate duties everywhere
With AWS IAM you get to control who can do what in your AWS environment and from where
Fine-grained control of your AWS cloud with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0 and single sign-on
AWS account owner → Network management, Security management, Server management, Storage management
68. CloudTrail
You are making API calls... on a growing set of services... CloudTrail is continuously recording API calls... and delivering log files to you
71. The cloud makes development & test easy
You can make extensive savings by leveraging elasticity
Provides unique toolsets to help you create and manage environments
Lets you perform at scale and with agility beyond traditional physical environments
Lots of projects that start and stop. Had to reuse environments to get efficiencies for the investment in the hardware they run on.
When you terminate an environment, you can persist the storage, but stop paying for compute.
Different environment for every project, and get started immediately. No lead time.
Repurpose dev environment for a new project.
Change, re-gear - pay for the time for this to happen.
Build websites that sleep at night. Build machines that only live when you need them. Supercomputing in the hands of every dev.
Customer Network on the upper right
Internet on the upper left
VPC below both of those
Public Subnet and routing
Private Subnet and Routing
NAT to AWS APIs
VPN Connection
Discuss lightly pros/cons of each.
Elastic Beanstalk is easiest to start with, but offers less control. OpsWorks gives you more tools, with a bit more work on your part. CloudFormation is a template-driven tool with its own language, so a bit of a learning curve, but very, very powerful. Lastly you could do all this manually, but at scale it's nearly impossible without a huge team.
How does CloudFormation work? Let’s take a look at a system built in AWS. This entire system is considered the stack.
CloudFormation is this stack distilled into a template file.
Segregate roles and responsibilities to a fine-grained level that is probably in excess of what you can do in a physical environment
User A can change firewalls tagged ‘development’ only
User B can snapshot database storage volumes, but cannot access those volumes
All of this can be federated back to the existing enterprise directory – you do not need to set up a new directory within AWS. Your users sign into the existing directory (using existing authentication and MFA solutions), then are granted a temporary role within AWS to perform whatever duty they have been allocated. This role exists for a configurable period of time.
One even more awesome feature is that your EC2 instances themselves can have roles within identity and access management, to restrict what AWS APIs the instance can call. Thus, an attacker cannot use an EC2 instance to upload data to S3, if the role assigned to the instance does not include S3 API permissions.
AWS IAM also includes full multi-factor authentication for users, using either hardware Gemalto tokens, or soft tokens running on all three major phone platforms.
Extension: SQS for queued builds
Full dev env with source control and dev workstations.
Vertical scaling on commodity hardware. Perfect for Hadoop. 100 instances in Sydney for 1 hour is $10.
Exact copy of production, performance regression testing.
Each autoscaling group uses a different set of AMIs.
AMI-B contains the test code.
Enterprises segregate important duties to reduce risk of accidental or malicious changes
AWS allows fine-grained segregation across virtually all aspects of the service
For example, you can segregate
Who can change network configuration
Who can change firewalls
Who can change how the VPC connects to the Internet or back to your corporate premises
Who can start and stop servers
Who can snapshot and restore storage volumes
AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premises environments.
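As an added illustration of the segregation described in the IAM notes above (User A may change firewalls tagged 'development' only; User B may snapshot volumes but not access them; an instance role that grants no S3 permissions) and of the "who can change what" list just given, here are the three policies written out in IAM's JSON statement layout, plus a small evaluator that applies IAM's default-deny and explicit-deny-wins rules to them. This is example code, not from the deck or from AWS; the tag key "Environment" and the user names are assumptions, while the ec2:ResourceTag/<key> condition key and the action names are real.

```python
import fnmatch

# Added example: policies for the two users and the instance role from the notes.
# Tag key "Environment" is an assumption; ec2:ResourceTag/<key> is a real condition key.
POLICIES = {
    # User A: may edit security groups ("firewalls") only when the group is tagged development
    "user_a": {"Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AuthorizeSecurityGroup*", "ec2:RevokeSecurityGroup*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "development"}},
    }]},
    # User B: may snapshot volumes; attach/detach is explicitly denied, so no access to the data
    "user_b": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DescribeVolumes"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": "*"},
    ]},
    # Instance role: the EC2 instance may work its build queue; nothing in S3 is granted
    "instance_role": {"Statement": [
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"], "Resource": "*"},
    ]},
}

def _matches(stmt, action, tags):
    """Does this statement apply to the action, given the target resource's tags?"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    # every ec2:ResourceTag/<key> condition must hold; a missing tag fails the test
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/") or tags.get(key.split("/", 1)[1]) != want:
            return False
    return True

def is_allowed(policy, action, tags=None):
    """IAM evaluation in miniature: explicit Deny wins, then any Allow, otherwise deny."""
    tags = tags or {}
    hits = [s["Effect"] for s in policy["Statement"] if _matches(s, action, tags)]
    if "Deny" in hits:
        return False
    return "Allow" in hits
```

The same check is what the service performs on every API call, which is why an untagged or production-tagged security group stays out of User A's reach even though the policy never names it.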
CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand who did what, from where, and when.
Just a few weeks ago, we added the ability for CloudTrail to record both successful and unsuccessful console logins from your AWS IAM accounts as well.
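To show what "who did what, from where, when" looks like in practice, here is an added example (not from the deck): a constructed CloudTrail log file in the real {"Records": [...]} layout, with the field names CloudTrail emits (eventTime, eventName, eventSource, userIdentity, sourceIPAddress, errorCode, responseElements), and two helpers that tabulate the calls and flag repeated failed console logins, the event type mentioned above. The user names, IP addresses and timestamps are made up.

```python
import json
from collections import Counter

# Added example: a constructed CloudTrail file (users, IPs and times are made up).
# The record layout and field names are the ones CloudTrail really writes.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-06-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-06-01T08:01:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-01T08:02:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AttachVolume", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation"},  # IAM refused the call; still logged
    {"eventTime": "2014-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2014-06-01T08:05:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]})

def who_did_what(log_text):
    """One (when, who, what, where, outcome) row per API call in a CloudTrail file."""
    rows = []
    for r in json.loads(log_text)["Records"]:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        # a denied call carries errorCode; a console login carries its result instead
        outcome = r.get("errorCode") or r.get("responseElements", {}).get("ConsoleLogin", "ok")
        rows.append((r["eventTime"], who, r["eventName"], r["sourceIPAddress"], outcome))
    return rows

def failed_console_logins(log_text, threshold=2):
    """{(user, source ip): count} for console login failures that reach the threshold."""
    counts = Counter(
        (who, where) for _, who, what, where, outcome in who_did_what(log_text)
        if what == "ConsoleLogin" and outcome == "Failure")
    return {k: n for k, n in counts.items() if n >= threshold}
```

Point the same two functions at the gzipped files CloudTrail delivers to your S3 bucket and you have the raw material for the segregation-of-duties review described earlier: denied calls such as carol's AttachVolume show the IAM boundaries being exercised, not just configured.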