Introduction to the AWS Cloud
Define what the AWS Cloud is and describe the basic global infrastructure
Cloud Computing: the on-demand delivery of IT resources and applications via the internet
- Instead of having to design and build our own data centers, we can access a data center and all of its resources over the internet
- Allows us to scale as demand for compute goes up, without having to plan capacity ahead
- Frees companies from the limitations of running their own servers
Scalable computing platform - AWS CLOUD
ALL THREE (CONSOLE, CLI, SDK) ACCESS THE AWS API
AWS CLI
- Open source tool built for interacting with AWS services
- Environments:
- Linux shell: Linux, macOS, Unix
- Windows: PowerShell or Windows Command Processor
- Remotely: run commands on Amazon EC2 instances over SSH, or with Amazon EC2 Systems Manager
AWS SDKs allow you to manage infrastructure as code (Boto for Python, as an example!)
Knowledge Check: The power to scale computing up or down easily?
- Elasticity
Core Services
EC2 Elastic Compute Cloud
- Cloud hosted compute resources that can be elastic (increase or decrease instances depending on demand)
- Called EC2 Instances
- Pay as you go
- Broad selection of Hardware and Software
- Selection of where to host (Global hosting)
Product Demonstration
- Login to console
- Choose a region
- Launch EC2 Wizard
- Select AMI (software, or SW)
- Amazon Machine Image
- Select instance type (hardware, or HW)
- Configure network
- Configure storage
- Configure key pairs
- Launch & connect
Elastic Block Store
Designed to be available and durable
You can change sizes without shutting down the instance
S3
- Managed cloud storage service
- Store virtually unlimited number of objects
- Access any time, from anywhere
- Rich security controls
You can access S3 through the console, CLI, and SDKs
Virtual Private Cloud (VPC)
Integrated Services
Application Load Balancer
The second type of load balancer.
Features:
- Supported request protocols
- CloudWatch Metrics
- Access Logs
- Health Checks
- Ability to add path and host-based routing
- Native IPv6 support
- AWS WAF
- Dynamic Ports
- Deletion Protection & Request Tracing
Example: the ability to use containers to host microservices and route to those applications from the load balancer.
Application Load Balancers allow you to route different requests (by path) to the same instance, differing only in the port they are forwarded to.
Auto Scaling
Auto Scaling helps you ensure that you have the correct number of EC2 instances available to handle the load for your application. It answers two questions:
- How can I ensure that my workload has enough EC2 resources to meet fluctuating performance requirements? - SCALABILITY
- How can I automate EC2 resource provisioning to occur on-demand? - AUTOMATION
Scaling out - adding more instances
Scaling in - terminating instances
- Launch Configuration
- What will be launched by auto scaling?
- AMI
- Instance type
- Security Groups
- Roles
- Auto Scaling Group
- Where a deployment takes place and some boundaries for deployment
- VPC and Subnets
- Load balancer
- Minimum instances
- Maximum instances
- Desired capacity
- Auto Scaling Policy
- When to launch or terminate EC2 instances
- Scheduled
- On-demand
- Scale-out policy
- Scale-in policy
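The three Auto Scaling pieces above (launch configuration, group boundaries, policies) fit together as follows. This is an added toy model, not AWS code: the class names, the `t3.micro` launch configuration, the `ami-EXAMPLE` placeholder and the CPU samples are constructed for illustration. It shows desired capacity moving between the group's minimum and maximum as a metric crosses the scale-out and scale-in thresholds, with the group boundaries always overriding the policy.

```python
"""Toy model of an Auto Scaling group with scale-out / scale-in policies.

Added example (not AWS code): names and metric values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LaunchConfiguration:
    """What Auto Scaling launches: AMI, instance type, security groups, role."""
    ami: str
    instance_type: str
    security_groups: list
    iam_role: str


@dataclass
class ScalingPolicy:
    """When to launch or terminate: a threshold on a metric and a step size."""
    metric: str
    threshold: float
    adjustment: int  # positive = scale out (launch), negative = scale in (terminate)


@dataclass
class AutoScalingGroup:
    """Where deployment happens and its boundaries: min, max and desired capacity."""
    launch_config: LaunchConfiguration
    min_size: int
    max_size: int
    desired: int
    scale_out: ScalingPolicy
    scale_in: ScalingPolicy
    events: list = field(default_factory=list)

    def observe(self, metric: str, value: float) -> int:
        """Apply the policies to one observation and return the new desired capacity."""
        target = self.desired
        if metric == self.scale_out.metric and value > self.scale_out.threshold:
            target = self.desired + self.scale_out.adjustment
        elif metric == self.scale_in.metric and value < self.scale_in.threshold:
            target = self.desired + self.scale_in.adjustment
        # The group's min/max boundaries always win over what the policy asked for.
        target = max(self.min_size, min(self.max_size, target))
        if target != self.desired:
            action = "launch" if target > self.desired else "terminate"
            self.events.append((action, abs(target - self.desired), self.launch_config.instance_type))
            self.desired = target
        return self.desired


def simulate(cpu_samples):
    """Run constructed CPUUtilization samples through a group; return (capacity trace, events)."""
    lc = LaunchConfiguration(ami="ami-EXAMPLE",  # placeholder AMI id
                             instance_type="t3.micro",
                             security_groups=["sg-web"], iam_role="web-instance-role")
    asg = AutoScalingGroup(
        launch_config=lc, min_size=2, max_size=6, desired=2,
        scale_out=ScalingPolicy("CPUUtilization", threshold=70.0, adjustment=2),
        scale_in=ScalingPolicy("CPUUtilization", threshold=30.0, adjustment=-1),
    )
    trace = [asg.observe("CPUUtilization", v) for v in cpu_samples]
    return trace, asg.events


if __name__ == "__main__":
    trace, events = simulate([20, 75, 80, 90, 90, 25, 25, 25, 25, 25])
    print("desired capacity over time:", trace)
    for event in events:
        print(event)
```

The model leaves out cooldown periods and instance health checks, which a real group applies between scaling actions; the point here is only that a policy proposes a change and the group's boundaries decide what is actually launched or terminated.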
Route 53
DNS - Domain Name System
Route 53 is a DNS service that routes users to applications.
DNS is a reliable way to route end users to endpoints
DNS Resolution Strategies
- Simple routing
- Geo-location
- Failover
- Weighted round robin
- Latency-based
- Multi-value answer
- Domain registration
- Global, highly available DNS
- Public and private DNS names
- Multiple routing algorithms
- Both IPv4 and IPv6
- Integrated with other AWS cloud services
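The six resolution strategies listed above differ only in how the answer is chosen from a record set. The toy resolver below is an added example, not Route 53 code: the record sets, weights, latency table, client locations and health-check results are all constructed for illustration.

```python
"""Toy resolver showing the Route 53 routing policies listed above.

Added example, not Route 53 code: all records and measurements are constructed.
"""
import random


def simple_routing(records):
    """Simple routing: every value in the record set is returned to the client."""
    return [r["value"] for r in records]


def weighted_round_robin(records, rng=random):
    """Weighted round robin: a record is chosen with probability weight / total weight."""
    total = sum(r["weight"] for r in records)
    pick = rng.uniform(0, total)
    for r in records:
        pick -= r["weight"]
        if pick <= 0:
            return r["value"]
    return records[-1]["value"]  # guards against floating-point rounding at the top end


def failover(primary, secondary, is_healthy):
    """Failover: answer with the primary while its health check passes, otherwise the secondary."""
    return primary["value"] if is_healthy(primary) else secondary["value"]


def geolocation(records, client):
    """Geolocation: most specific match wins (country, then continent), else the default record."""
    by_location = {r["location"]: r["value"] for r in records}
    for key in (client["country"], client["continent"], "*"):
        if key in by_location:
            return by_location[key]
    return None


def latency_based(records, client_region, latency_ms):
    """Latency-based: answer with the record in the region with the lowest measured latency."""
    return min(records, key=lambda r: latency_ms[(client_region, r["region"])])["value"]


def multivalue_answer(records, is_healthy, limit=8, rng=random):
    """Multivalue answer: up to `limit` randomly chosen values whose health checks pass."""
    healthy = [r["value"] for r in records if is_healthy(r)]
    return rng.sample(healthy, min(limit, len(healthy)))


# Constructed data used by the demo below (documentation IP ranges, made-up health results).
WEB_RECORDS = [
    {"value": "192.0.2.10", "weight": 3, "region": "us-east-1", "healthy": True},
    {"value": "192.0.2.20", "weight": 1, "region": "eu-west-1", "healthy": False},
]
GEO_RECORDS = [
    {"location": "US", "value": "192.0.2.10"},
    {"location": "EU", "value": "192.0.2.20"},
    {"location": "*", "value": "192.0.2.30"},
]
LATENCY_MS = {("eu-central-1", "us-east-1"): 95, ("eu-central-1", "eu-west-1"): 20}


def demo():
    """Resolve the same name under each policy and return the answers by policy name."""
    primary, secondary = WEB_RECORDS
    return {
        "simple": simple_routing(WEB_RECORDS),
        "weighted": weighted_round_robin(WEB_RECORDS, random.Random(7)),
        "failover": failover(primary, secondary, lambda r: r["healthy"]),
        "geolocation": geolocation(GEO_RECORDS, {"country": "DE", "continent": "EU"}),
        "latency": latency_based(WEB_RECORDS, "eu-central-1", LATENCY_MS),
        "multivalue": multivalue_answer(WEB_RECORDS, lambda r: r["healthy"], rng=random.Random(7)),
    }


if __name__ == "__main__":
    for policy, answer in demo().items():
        print(f"{policy:12s} -> {answer}")
```

Note that latency-based routing answers with the lower-latency region even though that record is marked unhealthy in the constructed data: in the real service you combine a routing policy with health checks to avoid that, which is exactly what the failover and multivalue functions model.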
RDS (Relational Database Service)
Challenges of Relational Databases:
- Server maintenance and energy footprint
- Software install and patches
- Database backups and high availability
- Limits on scalability
- Data security
- OS install and patches
RDS is a managed service that sets up and operates a relational database in the cloud
You manage:
- Application optimization
AWS manages:
- OS installation and patches
- Database software install and patches
- Database backups
- High availability
- Scaling
- Power and rack & stack
- Server maintenance
Creates a standby instance in another Availability Zone; if the main one goes down, the application fails over to the standby
Read Replicas:
Summary:
- Highly scalable
- High performance
- Easy to administer
- Available and durable
- Secure and compliant
AWS LAMBDA
- Fully-managed serverless compute
- Event-driven execution
- Sub-second metering
- Multiple languages supported
AWS Elastic Beanstalk
How can I quickly get my application into the cloud? -> AWS Elastic Beanstalk
- Platform as a Service
- Allows quick deployment of your applications
- Reduces management complexity
- Keeps control in your hands
- Choose your instance type
- Choose your database
- Set and adjust Auto Scaling
- Update your application
- Access server log files
- Enable HTTPS on the load balancer
- Supports a large range of platforms
- Packer Builder
- Single Container, Multicontainer, or Preconfigured Docker
- Go
- Python
- PHP
- Ruby
- Node.js
- …
- Components
- Update your application as easily as you deploy it
Simple Notification Service (SNS)
- Flexible, fully managed pub/sub messaging and mobile communications service
- Coordinates the delivery of messages to subscribing endpoints and clients
- Easy to set up, operate, and send reliable communications
- Decouple and scale microservices, distributed systems and serverless applications
CloudWatch
Monitors your AWS resources and the applications you run on AWS in real time
Features: collect and track metrics -> collect and monitor log files -> set alarms -> automatically react to changes
Use Cases:
- Respond to state changes in your AWS resources
- Automatically invoke an AWS Lambda function to update DNS entries when an event notifies that an Amazon EC2 instance enters the Running state
- Direct specific API records from CloudTrail to a Kinesis stream for detailed analysis of potential security or availability risks
- Take a snapshot of an Amazon EBS volume on a schedule
- Log S3 Object Level Operations Using CloudWatch Events
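The "update DNS when an instance enters Running" use case above looks like this as a Lambda handler. This is an added example, not code from the page or from AWS: it parses the EC2 Instance State-change Notification event that CloudWatch Events delivers and builds the Route 53 change batch it would submit, but the actual API calls (looking up the instance's private IP and applying the change) are left as commented hooks so the function runs offline. The hosted zone id, the record name, the instance-to-IP table and the sample event are constructed placeholders.

```python
"""Lambda handler reacting to an EC2 "instance entered Running" event.

Added example, not AWS code. Zone id, record name, IP table and the sample
event are constructed; the real describe/change API calls are left as hooks.
"""
HOSTED_ZONE_ID = "ZEXAMPLEPLACEHOLDER"   # placeholder, not a real hosted zone
RECORD_NAME = "app.example.internal."    # constructed private DNS name
TTL_SECONDS = 60

# Constructed stand-in for ec2.describe_instances(): instance id -> private IP.
INSTANCE_IPS = {"i-0123456789abcdef0": "10.0.1.25"}


def build_change_batch(ip_address):
    """Route 53 ChangeBatch pointing RECORD_NAME at ip_address; UPSERT keeps repeated runs idempotent."""
    return {
        "Comment": "Updated by instance-running handler",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": RECORD_NAME,
                "Type": "A",
                "TTL": TTL_SECONDS,
                "ResourceRecords": [{"Value": ip_address}],
            },
        }],
    }


def lambda_handler(event, context=None):
    """Entry point: act only on EC2 state-change events whose new state is 'running'."""
    if event.get("source") != "aws.ec2" or event.get("detail-type") != "EC2 Instance State-change Notification":
        return {"status": "ignored", "reason": "not an EC2 state-change event"}
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return {"status": "ignored", "reason": f"state is {detail.get('state')}"}
    instance_id = detail.get("instance-id")
    ip_address = INSTANCE_IPS.get(instance_id)  # real handler: ec2.describe_instances(InstanceIds=[instance_id])
    if ip_address is None:
        return {"status": "error", "reason": f"no private IP known for {instance_id}"}
    change_batch = build_change_batch(ip_address)
    # real handler: route53.change_resource_record_sets(HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=change_batch)
    return {"status": "updated", "instance": instance_id, "change_batch": change_batch}


# Constructed sample event in the shape CloudWatch Events delivers for EC2 state changes.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Checking `source` and `detail-type` before acting matters because the same function can be wired to several rules; a handler that trusts every event it receives will happily rewrite DNS on events it was never meant to see.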
Components:
Metrics
- Data about the performance of the systems
- Represents a time-ordered set of data points that are published to CloudWatch
- By default, several services provide free metrics for resources
- Such as EC2 instances, EBS volumes and RDS DB instances
- Publish your own application metrics
- Load all the metrics in your account for search, graphing, and alarms
Alarms
- Watches a single metric
- Performs one or more actions
- Based on the value of the metric relative to a threshold over a number of time periods
- The action can be
- EC2 action
- An auto scaling action
- A notification sent to an SNS topic
- Invokes actions for sustained state changes only
Events
- Near real-time stream of system events that describe changes in AWS resources
- Use simple rules to match events and route them to one or more target functions or streams
- Aware of operational changes as they occur
- Responds to these operational changes and takes corrective action as necessary
- Schedule automated actions that self-trigger at certain times using cron or rate expressions
Logs
- Monitor and troubleshoot systems and applications using existing log files
- Monitor logs for specific phrases, values or patterns
- Retrieve the associated log data from CloudWatch Logs
- Includes an installable agent for Ubuntu, Amazon Linux, and Windows at no additional charge
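The Alarms and Logs components above chain together: a metric filter turns log lines matching a pattern into one datapoint per period, and an alarm watches that metric and acts only on a sustained state change. The code below is an added example, not CloudWatch code: the sshd-style log lines, the "Failed password" pattern, the 60-second period, the threshold and the SNS-style action label are all constructed for illustration. It shows that the alarm's action fires only when the threshold is breached for `evaluation_periods` consecutive datapoints and the state actually changes, not on every breaching datapoint.

```python
"""A metric filter over log lines feeding an alarm that acts on sustained changes.

Added example, not CloudWatch code. Log lines, pattern, period and threshold
are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sshd-style lines with ISO 8601 UTC timestamps; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T00:00:05Z sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2
2024-01-01T00:00:40Z sshd[102]: Accepted publickey for deploy from 198.51.100.4 port 50002 ssh2
2024-01-01T00:01:10Z sshd[103]: Failed password for root from 203.0.113.9 port 50003 ssh2
2024-01-01T00:01:20Z sshd[104]: Failed password for root from 203.0.113.9 port 50004 ssh2
2024-01-01T00:01:50Z sshd[105]: Failed password for root from 203.0.113.9 port 50005 ssh2
2024-01-01T00:02:05Z sshd[106]: Failed password for root from 203.0.113.9 port 50006 ssh2
2024-01-01T00:02:30Z sshd[107]: Failed password for root from 203.0.113.9 port 50007 ssh2
2024-01-01T00:02:45Z sshd[108]: Failed password for root from 203.0.113.9 port 50008 ssh2
2024-01-01T00:03:15Z sshd[109]: Accepted publickey for deploy from 198.51.100.4 port 50009 ssh2
2024-01-01T00:04:30Z sshd[110]: Accepted publickey for deploy from 198.51.100.4 port 50010 ssh2
"""

FAILED_LOGIN = re.compile(r"Failed password for")


def metric_filter(log_text, pattern, period_seconds=60):
    """Count matching lines per period; periods with no match yield 0 so the alarm can recover."""
    counts, periods = Counter(), []
    for line in log_text.splitlines():
        stamp = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period = int(stamp.timestamp()) // period_seconds * period_seconds
        periods.append(period)
        if pattern.search(line):
            counts[period] += 1
    if not periods:
        return []
    return [(p, counts.get(p, 0)) for p in range(min(periods), max(periods) + period_seconds, period_seconds)]


class Alarm:
    """Watches one metric; changes state only after `evaluation_periods` consecutive datapoints agree."""

    def __init__(self, threshold, evaluation_periods, on_alarm, on_ok):
        self.threshold = threshold
        self.evaluation_periods = evaluation_periods
        self.on_alarm, self.on_ok = on_alarm, on_ok
        self.state = "INSUFFICIENT_DATA"
        self.window = []

    def evaluate(self, value):
        """Feed one datapoint; return the resulting state. Actions run on state transitions only."""
        self.window = (self.window + [value])[-self.evaluation_periods:]
        if len(self.window) < self.evaluation_periods:
            return self.state
        new_state = "ALARM" if all(v >= self.threshold for v in self.window) else "OK"
        if new_state != self.state:
            (self.on_alarm if new_state == "ALARM" else self.on_ok)(list(self.window))
            self.state = new_state
        return self.state


def run(log_text=SAMPLE_LOG, threshold=3, evaluation_periods=2):
    """Feed the filtered datapoints through an alarm; return (datapoints, states, actions)."""
    actions = []
    alarm = Alarm(threshold, evaluation_periods,
                  on_alarm=lambda w: actions.append(("sns:Publish", "ssh-bruteforce", w)),
                  on_ok=lambda w: actions.append(("ok-action", "ssh-bruteforce", w)))
    datapoints = metric_filter(log_text, FAILED_LOGIN)
    states = [alarm.evaluate(v) for _, v in datapoints]
    return datapoints, states, actions


if __name__ == "__main__":
    datapoints, states, actions = run()
    for (period, value), state in zip(datapoints, states):
        print(period, value, state)
    print(actions)
```

With the constructed data the minute-by-minute counts are 1, 3, 3, 0, 0: the single failure in the first minute never triggers anything, the alarm enters ALARM only once two consecutive periods reach the threshold, and it returns to OK as soon as one period falls below it, so one notification is sent rather than one per breaching line.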
CloudWatch Logs Features
- Monitor logs from Amazon EC2 instances in real time
- Monitor AWS CloudTrail Logged Events
- Archive Log Data
Dashboards
- Customizable home pages in the CloudWatch console to monitor your resources in a single view
- Even those resources that are spread across different regions
- Create customized views of the metrics and alarms for your AWS resources
- Each dashboard can display multiple metrics, and can be accessorized with text and images
- Create dashboards by using the console, the AWS CLI, or by using the PutDashboard API
CloudFront Overview:
- Global, Growing Network
- Secure Content at the Edge
- Deep integration with key AWS services
- High Performance
- Cost effective
- Easy to use
CloudFormation
CloudFormation simplifies the task of repeatedly and predictably creating groups of related resources that power your applications
- Fully-managed service
- Create, update and delete resources in stacks
VERY SIMILAR TO TERRAFORM
Template Files
- Resources to provision
- Text file
- JSON or YAML format
- Self-documenting environment
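Because the template is a plain text file, it can be reviewed before any resource exists. The code below is an added example, not CloudFormation tooling or the page's own template: it builds a constructed JSON template declaring three security groups (one of which exposes SSH to the whole internet and one of which opens every port over IPv6), then walks the `Resources` section and flags any `AWS::EC2::SecurityGroup` ingress rule that allows `0.0.0.0/0` or `::/0` on anything other than a single public web port. Only the JSON form is handled; a YAML template would need a YAML parser such as PyYAML.

```python
"""Reading a CloudFormation template and checking its security group ingress rules.

Added example, not CloudFormation tooling. The template is constructed.
"""
import json

TEMPLATE_JSON = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Constructed example: web tier with one intentionally weak rule",
    "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
    "Resources": {
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Web tier",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "AdminSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Admin access from the internal range only",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "DbSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Database tier",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "-1", "CidrIpv6": "::/0"},
                ],
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket"},
    },
})

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def port_range(rule):
    """Ports covered by one ingress rule; IpProtocol -1 means every port of every protocol."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def find_open_ingress(template_json, public_ports=frozenset({80, 443})):
    """Return (resource, cidr, from_port, to_port) for each world-open rule that is not a lone public web port."""
    doc = json.loads(template_json)
    findings = []
    for name, resource in doc.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in resource.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in (ANY_IPV4, ANY_IPV6):
                continue
            low, high = port_range(rule)
            if low == high and low in public_ports:
                continue
            findings.append((name, cidr, low, high))
    return findings


if __name__ == "__main__":
    for name, cidr, low, high in find_open_ingress(TEMPLATE_JSON):
        print(f"{name}: {cidr} may reach ports {low}-{high}")
```

A check like this belongs in the pipeline that creates or updates the stack, so a template that widens an ingress rule fails review before the change reaches the account rather than after.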
Architecture
The AWS Well-Architected Framework
- Assess and improve architectures
- Understand how design decisions impact business
- Learn the five pillars and design principles
- Security
- Identity and access management (IAM)
- Detective controls
- Infrastructure protection
- Data protection
- Incident response
- DESIGN PRINCIPLES:
- Implement security at all layers
- Enable traceability
- Apply principle of least privilege
- Focus on securing your system
- Automate
- Reliability
- Recover from issues/failures
- Apply best practices in:
- Foundations
- Change management
- Failure management
- Anticipate, respond to, and prevent failures
- DESIGN PRINCIPLES:
- Test recovery procedures
- Automatically recover
- Scale horizontally
- Stop guessing capacity
- Manage change in automation
- Performance efficiency
- Select customizable solutions
- Review to continually innovate
- Monitor AWS services
- Consider the trade-offs
- DESIGN PRINCIPLES:
- Democratize advanced technologies
- Go global in minutes
- Use serverless architectures
- Experiment more often
- Have mechanical sympathy
- Cost optimization
- Use cost-effective resources
- Matching supply with demand
- Increase expenditure awareness
- Optimize over time
- DESIGN PRINCIPLES:
- Adopt a consumption model
- Measure overall efficiency
- Reduce spending on data center operations
- Analyze and attribute expenditure
- Use managed services
- Operational Excellence
- Manage and automate changes
- Respond to events
- Define the standards
Fault Tolerance and High Availability
Fault Tolerance:
- Ability of a system to remain operational
- Built-in redundancy of an application’s components
High Availability:
- Systems are generally functioning and accessible
- Downtime is minimal
- Minimal human intervention is required
- Minimal up-front financial investment
High Availability: On Premises vs AWS
- Traditional (on premises)
- Expensive
- Only mission-critical applications
- AWS
- Multiple servers
- Availability zones
- Regions
- Fault-tolerant services
High Availability Service Tools
- Elastic load balancers
- Distributes incoming traffic (loads)
- Sends metrics to Amazon CloudWatch
- Triggers/notifies
- High latency
- Over utilization
- Elastic IP addresses
- Are static IP addresses
- Mask failures (if they were to occur)
- Continues to access applications if an instance fails
- Amazon Route 53
- Authoritative DNS service
- Translates domain names into IP addresses
- Supports
- Simple routing
- Latency-based routing
- Health checks
- DNS failovers
- Geo-location routing
- Auto scaling
- Terminates and launches instances based on conditions
- Assists with adjusting or modifying capacity
- Creates new resources on demand
- Amazon CloudWatch
- Distributed statistics gathering system
- Tracks your metrics of your infrastructure
- Create and use your own custom metrics
- Used with auto scaling
Fault Tolerant Tools
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Relational Database Service (RDS)
Security
Introduction to AWS Security
Security is of the utmost importance to AWS
- Approach to security
- AWS environment controls
- AWS offerings and features
Network Security
- Built-in firewalls
- Encryption in transit
- Private/dedicated connections
- Distributed denial of service (DDoS) mitigation
Inventory and Configuration Management
- Deployment tools
- Inventory and configuration tools
- Template definition and management tools
Data Encryption
- Encryption capabilities
- Key management options
- AWS Key Management Service
- Hardware-based cryptographic key storage options
- AWS CloudHSM
Access Control and Management
- Identity and access management (IAM)
- Multi-factor authentication (MFA)
- Integration and federation with corporate directories
- Amazon Cognito
- AWS SSO
Monitoring and Logging
- Tools and features to reduce your risk profile:
- Deep visibility into API calls
- Log aggregation and options
- Alert notifications
The Shared Responsibility Model
Application Stack:
- Physical - AWS buildings and servers
- Network - AWS locks it down
- Hypervisor - AWS (uses Xen?)
- EC2 (if running!) sits between these two groups - the layers above and below it
- AWS cannot see the elements below it in the stack:
- Guest OS
- Application
- User Data
Identity and Access Management (IAM) - we want to be extremely specific about what each ‘word’ means
USER
- A permanent named operator (could be human could be machine)
- Credentials are permanent and stay with that user
GROUP
- A collection of USERS
- Users can belong to many groups, groups can contain many users
ROLE
- A Role is NOT your permissions
- It is an authentication method
- IT IS TEMPORARY
- Authentication method for your user (or operator)
Policy DOCS
- Attaches to a USER, GROUP or directly to a ROLE
- Lists the specific APIs that I am allowing against which resources
USER/GROUP/ROLE - Authentication
POLICY DOCS - Authorization
Also solves the issue of compromised credentials. EX: someone gets in with a username and password - the security manager can execute a single API call that removes policy docs from all users, groups, and roles.
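The authentication/authorization split above can be made concrete with a small evaluator. This is an added example, not IAM's own engine: a principal (user, group or role) carries attached policy documents, each statement lists the APIs allowed or denied against which resources, and a request is evaluated the way IAM describes it: denied by default, with an explicit Deny overriding any Allow. The `revoke_all` function models the compromised-credentials response in the note above. The bucket names and principal names are constructed; `NotAction`, conditions and resource-based policies are deliberately out of scope.

```python
"""Least-privilege policy documents and a tiny evaluator for them.

Added example, not IAM code. Policies, principals and ARNs are constructed.
"""
import fnmatch

# Read-only access to one bucket: the exact APIs, on the exact resources.
LOG_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    ],
}

# A guardrail: an explicit Deny that wins no matter what other policies allow.
NO_DELETE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """Wildcard match with * and ?. Action names are case-insensitive, resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one API call on one resource."""
    decision = "ImplicitDeny"  # nothing is allowed until a statement says so
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation immediately
            decision = "Allow"
    return decision


class Principal:
    """A user, group or role: an identity (authentication) with policy docs attached (authorization)."""

    def __init__(self, name, policies=()):
        self.name = name
        self.policies = list(policies)

    def is_allowed(self, action, resource):
        return evaluate(self.policies, action, resource) == "Allow"


def revoke_all(principals):
    """Compromised-credentials response from the notes: detach every policy document at once."""
    for principal in principals:
        principal.policies.clear()


def demo():
    """Evaluate a few constructed requests and return the decisions keyed by request."""
    reader = Principal("log-reader", [LOG_READER_POLICY, NO_DELETE_GUARDRAIL])
    admin = Principal("admin", [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
        NO_DELETE_GUARDRAIL,
    ])
    results = {
        "reader GetObject app-logs": evaluate(reader.policies, "s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
        "reader PutObject app-logs": evaluate(reader.policies, "s3:PutObject", "arn:aws:s3:::app-logs/x"),
        "reader GetObject other": evaluate(reader.policies, "s3:GetObject", "arn:aws:s3:::other/x"),
        "admin DeleteObject": evaluate(admin.policies, "s3:DeleteObject", "arn:aws:s3:::app-logs/x"),
    }
    revoke_all([reader, admin])
    results["admin PutObject after revoke"] = evaluate(admin.policies, "s3:PutObject", "arn:aws:s3:::app-logs/x")
    return results


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:32s} -> {decision}")
```

The admin principal shows why guardrail policies are written as explicit Deny statements: `s3:*` on `*` allows everything, yet `s3:DeleteObject` is still refused because a matching Deny is final.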
Amazon Inspector
IT security matters, and securing IT infrastructure is:
- complex
- expensive
- Time consuming - build/configure/maintain
- Difficult to track all the changes in IT environment
- Hard to do effectively
Amazon Inspector
- Assesses applications for:
- vulnerabilities
- Deviations from best practices
- Produces a detailed report with:
- Security findings
- Prioritize steps for remediation
Amazon Inspector enables you to
- Quickly and easily assess your AWS resources
- Offload security assessments so you can focus on more complex security issues
- Gain a deeper understanding of your AWS resources
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
DoS - Denial of Service attack: a deliberate attempt to make your website or application unavailable to users
DDoS - Distributed Denial of Service: multiple sources are used to attack the target; infrastructure and application layers can be affected
DDoS mitigation challenges
- Complex setup and implementation
- Bandwidth limitations
- Manual intervention
- Time consuming
- Degraded performance
- expensive
AWS Shield tiers
- Standard
- Automatic protection available for all AWS customers, at no additional charge
- Any AWS resource
- Any AWS region
- Quick detection - Always-On
- Online attack mitigation
- Built-in automated mitigation techniques
- Avoids latency impact
- Self service
- No need to engage AWS support
- Advanced
- Paid service for higher levels of protection, features, and benefits
- Specialized support
- Advanced attack mitigation
- Visibility and attack notification
- Always-On monitoring
- Amazon Route 53, CloudFront, Elastic Load Balancer, Elastic IP
- Enhanced detection
- DDoS cost protection
Benefits
- Cost efficient
- Seamless integration and deployment
- Customizable protection
AWS Shield provides:
- Built-in protection against DDoS attacks
- Access to tools, services and expertise to help you protect your AWS applications
Security Compliance
AWS shares security information by:
- Obtaining industry certifications
- Publishing security and control practices
- Compliance reports
Control environment
- Includes policies, processes, and control activities to secure the delivery of AWS service offerings
- Supports the operating effectiveness of AWS control framework
- Integrates cloud-specific controls
- Applies leading industry practices
AWS security compliance programs help customers:
- Understand robust controls in place
- Establish and operate in an AWS security control environment
Pricing and Support
Similar to paying for utilities - only pay for services you use
For each service, you pay for what you use
“Pay as you go”
Cost fundamentals
- Pay for:
- Compute capacity
- Storage
- Outbound data transfer (aggregated)
- No charge for:
- Inbound data transfer
Offerings
- EC2
- Web service that:
- Provides resizable compute capacity in the cloud
- Allows the configuration of capacity with minimal friction
- Provides complete control
- Charges only for capacity used
- Cost Factors:
- Clock-second/hourly billing:
- Resources incur charges only when running
- Instance configuration:
- Physical capacity of the instance
- Pricing varies with:
- AWS region
- OS
- Instance type
- Instance size
- Purchase types
- On-demand instance:
- Compute capacity by the hour and second
- Min of 60 seconds
- Reserved instances:
- Low or no up-front payment for reserved instances
- Discount on hourly charge for that instance
- Spot instances:
- Bid for unused Amazon EC2 capacity
- Other considerations
- Number of instances: provision multiple instances to handle peak loads
- Load Balancing: use ELB to distribute traffic. Monthly cost based on
- Hours load balancer runs
- Data load balancer processes
- Product options
- Monitoring:
- Use Amazon CloudWatch to monitor instances
- Basic monitoring (default)
- Detailed monitoring (fixed rate; prorated partial months)
- Auto Scaling:
- Automatically adjusts the number of instances
- No additional charge
- Elastic IP addresses:
- No charge when associated with a running instance
- OS and software
- OS prices included in instance prices
- Software:
- Partnership with other vendors
- Vendor licenses required
- Existing licenses accepted through specific vendor programs
- S3
- What is S3?
- Object storage built to store and retrieve any amount of data from anywhere
- Provides:
- Durability, availability and scalability
- Comprehensive security and compliance capabilities
- Query in place
- Flexible management and data transfer
- Compatibility - supported by partners, vendors, and AWS services
- Storage Classes
- Standard Storage:
- 99.999999999% durability
- 99.99% availability
- Standard-Infrequent Access (S-IA):
- 99.999999999% durability
- 99.9% availability
- Storage cost:
- Number and size of objects
- Type of storage
- Pricing based on:
- Requests:
- Number of requests
- Type of requests - different rates for GET requests
- Data transfer:
- Amount of data transferred out of the Amazon S3 region
- EBS
- What is EBS?
- Block-level storage for instances
- Volumes persist independently from the instance
- Analogous to virtual disks in the cloud
- 3 Volume types:
- General Purpose (SSD)
- Provisioned IOPS (SSD)
- Magnetic
- Cost Factors
- Volumes: All types charged by the amount provisioned per month
- IOPS:
- General Purpose (SSD): Included in price
- Magnetic: Charged by the number of requests
- Provisioned IOPS (SSD): Charged by the amount you provision in IOPS
- Snapshots: Added cost per GB-month of data stored
- Data transfer:
- Inbound data transfer has no charge
- Outbound data transfer charges are tiered
- RDS
- What is RDS?
- Relational database in the cloud
- Cost-efficient and resizable capacity
- Management of time-consuming administrative tasks
- Cost Factors
- Clock-hour billing: Resources incur charges when running.
- Database characteristics: engine, size, and memory class impact cost
- DB purchase type:
- On-demand database instances are charged by the hour
- Reserved database instances require up-front payment for database instances reserved
- Provision multiple DB instances to handle peak loads
- Provisioned storage:
- No charge for backup storage of up to 100% of database storage
- Backup storage for terminated DB instance billed at GB/month
- Additional storage: Backup storage in addition to provisioned storage billed at GB/Month
- Deployment type:
- Storage and I/O charges variable
- Single availability zones
- Multiple availability zones
- Data transfer
- No charge for inbound data transfer
- Tiered charges for outbound data transfer
- CloudFront
- What is CloudFront?
- Web service for content delivery
- Integration with other AWS services
- Low latency
- High data transfer speeds
- No minimum commitments
- Cost factors
- Pricing varies across geographic regions
- Based on:
- Requests
- Data transfer out
Trusted Advisor
Provides best practices (or checks) in 4 categories:
- Cost optimization
- Performance
- Security
- Fault tolerance
Support plans
- Basic
- Developer
- Business
- Enterprise