AWS Solutions Architect: a deep dive into traditional vs AWS cloud

Traditional
A traditional approach would have the steps below:
- set up data center racks
- internet connectivity (connect to multiple providers and blend them)
- buy equipment and configure it
- move to a different datacenter for redundancy

AWS approach (much simpler than traditional)
- select a region and an availability zone
- provision and configure
- expand to other zones and other regions

Basic comparison
- cost: pay as you go
- elastic computing (add servers on a need basis and remove them after use, automatically)
- scalable
- security and compliance programs are offered (PCI, HIPAA)

Understand the topics below before starting AWS
- vertical vs horizontal scaling
- web server vs application server
  http://javarevisited.blogspot.com/2012/05/5-difference-between-application-server.html
  http://www.diffen.com/difference/Application_Server_vs_Web_Server

Core AWS services

Traditional to AWS mapping, to understand the AWS architecture

Technology stack           On-premises                                          AWS
Network                    VPN, MPLS, VLAN, routing tables                      Amazon VPC, VPN, AWS Direct Connect, routing tables
Security                   Firewalls, SSL, user groups etc.                     AWS security groups, CloudHSM, S3 SSE, CloudTrail etc.
Storage                    DAS, SAN, NAS, SSD                                   Amazon EBS, S3, EC2 instance storage (SSD)
Compute                    Hardware, virtualization                             EC2
Content delivery           CDN                                                  CloudFront
Database                   DB2, MS SQL Server, MySQL, MongoDB, Couchbase etc.   Amazon RDS, DynamoDB, MS SQL Server, MySQL, PostgreSQL etc.
Load balancing             Hardware and software balancing, HAProxy             Elastic Load Balancing, software and hardware balancing, HAProxy
Scaling                    Clustering, ZooKeeper                                Auto Scaling, software clustering
DNS                        DNS providers                                        Amazon Route 53
Analytics                  Hadoop, Cassandra, Spark                             Amazon Elastic MapReduce (EMR)
Data warehousing           Specialized HW/SW                                    Amazon Redshift
Messaging and workflow     Messaging and workflow software                      Amazon SQS, SNS, SWF
Caching                    memcached, SAP HANA                                  Amazon ElastiCache
Archiving                  Tape library, tape storage                           Amazon Glacier
Email                      Email software                                       Amazon Simple Email Service (SES)
Identity management        LDAP                                                 AWS IAM, LDAP
Deployment                 Chef, Puppet                                         AMIs, CloudFormation, OpsWorks, Elastic Beanstalk
Management and monitoring  CA, BMC, RightScale                                  AWS CloudWatch, CloudTrail

Background reading for the mapping:
- CDN: http://searchaws.techtarget.com/definition/content-deliverynetwork-CDN
- HAProxy and load balancing: https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancingconcepts
- SAP HANA: http://en.wikipedia.org/wiki/SAP_HANA
- memcached: http://memcached.org/

The security model in AWS
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. Helping to protect the confidentiality, integrity, and availability of customers' systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence.

Shared Security Responsibility Model
http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://aws.amazon.com/compliance/
- AWS products that fall into the well-understood category of Infrastructure as a Service (IaaS), such as Amazon EC2, Amazon VPC and Amazon S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks (guest OS patching, firewall rules, access control, encryption of your data).
- AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need in order to perform a specific task, but without the configuration work that can come with them.
With managed services, you don't have to worry about launching and maintaining instances, patching the guest OS or database, or replicating databases; AWS handles that for you. You remain responsible for what sits on top of the service: who may reach it (IAM policies, security groups) and how your data is encrypted and backed up.

AWS Account Security Features
- AWS credentials: passwords, AWS Multi-Factor Authentication (AWS MFA), access keys, key pairs, X.509 certificates
- individual user accounts (rather than a shared root login)
- secure HTTPS access points
- security logs
- AWS Trusted Advisor security checks
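The access key + secret key pair in the credential list above is never sent to AWS; it is used to sign each API request with AWS Signature Version 4, and the secret only ever serves as the root of an HMAC chain. The block below is an added example written for these notes, not code from the page or from AWS's SDKs, implementing that signing scheme with the Python standard library. The access key, secret key, date and the IAM ListUsers request are the placeholder values AWS uses in its own documentation examples; the derived signing key for those inputs is the one AWS publishes for that example.

```python
import hashlib
import hmac

# Placeholder credentials used in the AWS documentation examples (not real keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The long-term secret is only used at the root of this chain;
    the result is scoped to one day, region and service, so a leaked signing key is worth
    far less than the secret itself and expires on its own."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str, headers: dict, payload: bytes):
    """Build the canonical request and the SignedHeaders list. Header names are lowercased
    and sorted, values trimmed with inner whitespace collapsed, and the payload is hashed
    so that a tampered body or header invalidates the signature."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, path, query, canonical_headers, signed_headers, sha256_hex(payload)])
    return creq, signed_headers


def sign_request(access_key, secret_key, region, service, method, host, path, query,
                 headers, payload, amz_date):
    """Return the headers to send, including Authorization. amz_date is an ISO 8601 basic
    timestamp such as 20150830T123600Z; because it is signed, a captured request can only
    be replayed within the short clock-skew window AWS accepts."""
    date_stamp = amz_date[:8]
    to_sign = dict(headers)
    to_sign["Host"] = host
    to_sign["X-Amz-Date"] = amz_date
    creq, signed_headers = canonical_request(method, path, query, to_sign, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    to_sign["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return to_sign


def example_iam_list_users():
    """The GET iam.amazonaws.com ListUsers request used in the AWS SigV4 documentation."""
    return sign_request(
        ACCESS_KEY, SECRET_KEY, "us-east-1", "iam", "GET", "iam.amazonaws.com", "/",
        "Action=ListUsers&Version=2010-05-08",
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"", "20150830T123600Z",
    )


if __name__ == "__main__":
    for name, value in example_iam_list_users().items():
        print(f"{name}: {value}")
```

Only the access key id travels in the Authorization header; the secret never leaves the client, which is why a leaked access key id alone does not grant access, while a leaked secret must be rotated immediately.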
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of the normal operation of the service, at no additional charge. However, EBS replication stays within the same availability zone, not across zones; therefore it is highly recommended that you take regular snapshots (stored in Amazon S3) for long-term durability and for recovery in another AZ.

AWS Global Infrastructure
Deciding between regions: latency, cost, features, legal (data residency)

Regions and availability zones: region-level, AZ-level and global services
Region level   S3, DynamoDB, Auto Scaling, CloudSearch
AZ level       EC2, EBS
Global         IAM, Route 53, CloudFront

Highly available vs not, managed by AWS vs managed by the user
Highly available, managed by AWS:
- Elastic Load Balancing
- Auto Scaling group (scales based on time, a metric, or load)
- S3 (spans AZs)
- DynamoDB (stored on SSD)
- Amazon Machine Image (the basic unit of deployment)
- RDS (backups, patch management, native access to MySQL)
Not highly available on its own, managed by the user:
- EC2 (a single instance lives in one AZ; you build HA yourself with multiple AZs, ELB and Auto Scaling)

Accessing AWS
- AWS is API driven; you can do much more through API calls than through the management console
- REST API

Identity and Access Management (IAM)
- IAM controls access to AWS APIs and resources; it is not an identity store for your own application's users
- don't use the 'root' account for day-to-day work
- enable MFA as a best practice with IAM
- IAM roles hand out temporary credentials that are valid for a short span of time
- two policies while creating a role: a trust policy (which principal may assume the role) and an access policy (what actions it may perform)
- accessing AWS: management console (username/password), AWS CLI (access key + secret key), SDKs and APIs (access key + secret key)
- policies are stored as JSON documents
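The trust policy / access policy split, JSON policy documents and the external id used when a third party assumes a role (described in these notes) can be exercised without an AWS account. The block below is an added example, not code from these notes or from AWS; it is a deliberately simplified model of IAM evaluation (implicit deny by default, any matching Allow grants, any matching Deny wins; no NotAction and no condition keys other than sts:ExternalId), and the bucket name, account id and external id are constructed placeholders.

```python
import fnmatch
import json

# Constructed access policy (placeholder bucket): read-only on the bucket, with an
# explicit Deny carving out a secret/ prefix that no Allow anywhere can override.
ACCESS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}""")

# Constructed trust policy for a role a third party assumes: their account (placeholder
# id) is the principal, and the sts:ExternalId they must present stops another customer
# of that third party from tricking it into assuming our role (confused deputy).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-42"}}}
  ]
}""")


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Statement.
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action: str, resource: str) -> str:
    """Simplified IAM decision for one request: 'ImplicitDeny' unless some statement
    allows it, and 'ExplicitDeny' as soon as any matching statement denies it."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def _account_of(principal_arn: str):
    # arn:aws:iam::<account>:root -> the account id is the fifth colon-separated field
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def assume_role_allowed(trust_policy, caller_account: str, external_id=None) -> bool:
    """Check the trust policy: the caller's account must be a listed principal and, when
    the statement carries an sts:ExternalId condition, the presented value must match."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(_account_of(p) == caller_account for p in principals):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/keys.txt"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/report.csv")]:
        print(act, res, "->", evaluate([ACCESS_POLICY], act, res))
    print("third party with external id:", assume_role_allowed(TRUST_POLICY, "111122223333", "example-external-id-42"))
    print("third party without it:", assume_role_allowed(TRUST_POLICY, "111122223333"))
```

The real policy simulator applies the same three-tier logic (explicit deny, then allow, then implicit deny) over every policy type attached to the principal and resource; this model is enough to see why a Deny statement is the right tool for a hard exclusion and why an external id belongs in every cross-account trust policy granted to a vendor.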
- create policies from a template, with the policy generator, or by hand (custom); check the result with the policy simulator
- role-based access management

AWS Security Token Service (STS) using federation
http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
- STS is a lightweight web service that issues temporary credentials for IAM users and for federated users
- identity broker pattern: your broker authenticates the user against your own directory, then calls STS for federated-user credentials
- to give a third party access, we define a trusted entity for the role using their AWS account id and an external id (the external id prevents another customer of that third party from using it to assume our role). After creating the role, we share its Amazon Resource Name (ARN) with the third party.

SSO federation using SAML 2.0
- single sign-on: use existing identity management software to manage access to AWS resources
- open standard; one username and password
- AssumeRoleWithSAML API

AWS Directory Service
- Active Directory to AWS: AD Connector
- Simple AD, powered by Samba 4

Web identity federation
- temporary access to AWS for users signed in with Amazon, Google or Facebook

IAM templates (managed policies)
- administrator access
- power user access
- read-only access
- automated policy
- consolidated billing
- MFA
- API access with roles

VPC
- it is like an on-premises private data center
- NAT is the way for instances in a private network to reach the internet without being reachable from it
- load balancing and auto scaling are possible inside a VPC
- extend your current private network into AWS
- regular VPC and default VPC; EC2-Classic is no longer offered to new accounts, every account has at least a default VPC
- public IPs are assigned automatically only in the default VPC; otherwise instances are reached through an Elastic IP, a VPN, or a gateway instance
- VPC peering

VPC scenarios
- VPC with a public subnet only (default): single tier, just a web server
- VPC with public and private subnets: web server in the public subnet, database instance in the private one
- VPC with public and private subnets and a hardware VPN to the datacenter
- VPC with a private subnet only and hardware VPN access (e.g. AD in the cloud)

- one internet gateway per VPC
- even with an internet gateway attached, an EC2 instance still needs a public/Elastic IP of its own (or a load balancer or NAT in front of it) to exchange traffic with the internet
- IGW (internet gateway) provides access to the internet
- virtual private gateway provides access to the datacenter (the VPN side)
- a NAT (network address translation) server provides internet access to private instances
- a subnet lives in exactly one availability zone

Network Access Control Lists vs security groups
- Network ACL: stateless, applied at the subnet level, numbered rules evaluated lowest number first (first match wins, implicit deny at the end), both allow and deny rules. Because it is stateless, the return half of a connection must be allowed explicitly, i.e. the ephemeral port range.
- Security group: stateful, applied at the instance level, allow rules only (whitelist, no deny); return traffic of an allowed connection is permitted automatically.

AWS Direct Connect: a dedicated private link between your datacenter and AWS (for big data transfers and predictable throughput), extending the on-premises network into AWS without crossing the public internet the way a VPN does.

As a NAT instance is a single point of failure, use an HA NAT setup (a NAT per AZ, replaced automatically by Auto Scaling).

EC2
- virtualization of a physical server
- Amazon Machine Image (AMI); different AMIs are available: basic AMIs by Amazon, AWS Marketplace, community AMIs, your own AMIs, VM import
- EC2 instance types (at the time of these notes): general purpose T2 and M3; compute optimized C3; memory optimized R3; GPU G2; storage optimized I2, HS1 (Hadoop, MapReduce)
- isolation via the Xen hypervisor
- ephemeral (instance store) disks are directly attached to the host; their contents are lost when the instance stops or terminates
- EC2-Classic
- EBS (Elastic Block Store, network attached): you can specify provisioned IOPS; volume size 1 GiB to 1 TiB when these notes were written (the limit has since been raised)
- snapshots are the best way to back up EBS volumes (incremental, stored in S3)
- user data / cloud-init: bootstrapping at launch takes longer than booting from a pre-baked AMI
- user data runs the script that is specified at launch
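The network ACL vs security group comparison above is easiest to believe when you watch the reply packet of a connection hit each filter. The block below is an added example written for these notes, not code from the page or from AWS; it models a NACL as an ordered allow/deny list evaluated statelessly with an implicit final deny, and a security group as allow-only rules plus connection tracking. The instance and remote addresses are constructed (RFC 5737 documentation ranges) and the rule sets are assumptions chosen to show the failure mode.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending order; the first match wins
    proto: str
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny": a NACL can blacklist a source


@dataclass(frozen=True)
class SgRule:
    proto: str
    port_from: int
    port_to: int
    cidr: str        # security groups have no deny rules, only allows


def _rule_hits(proto, port_from, port_to, cidr, packet: Packet, inbound: bool) -> bool:
    remote_ip = packet.src_ip if inbound else packet.dst_ip
    return (
        proto in ("all", packet.proto)
        and port_from <= packet.dst_port <= port_to
        and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)
    )


def nacl_allows(rules, packet: Packet, inbound: bool) -> bool:
    """Stateless: every packet, including the reply half of a connection, is judged alone."""
    for r in sorted(rules, key=lambda r: r.number):
        if _rule_hits(r.proto, r.port_from, r.port_to, r.cidr, packet, inbound):
            return r.action == "allow"
    return False  # the implicit final '*' rule denies


class SecurityGroup:
    """Stateful: a packet admitted by a rule opens a tracked flow, and replies on that
    flow are admitted regardless of the rules for the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()

    def allows(self, packet: Packet, inbound: bool) -> bool:
        reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.proto)
        if reverse in self._flows:
            return True
        rules = self.inbound if inbound else self.outbound
        if any(_rule_hits(r.proto, r.port_from, r.port_to, r.cidr, packet, inbound) for r in rules):
            self._flows.add((packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port, packet.proto))
            return True
        return False


# Constructed scenario: web instance 10.0.1.10 fetches https://203.0.113.5 from an
# ephemeral source port, and the server's reply comes back to that port.
REQUEST = Packet("10.0.1.10", 49152, "203.0.113.5", 443)
REPLY = Packet("203.0.113.5", 443, "10.0.1.10", 49152)

NACL_OUTBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_INBOUND_NO_EPHEMERAL = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_INBOUND = NACL_INBOUND_NO_EPHEMERAL + [NaclRule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Ordering matters: 90 sorts before 100, so this source is denied although rule 100 allows port 80.
NACL_INBOUND_BLOCK_SOURCE = [NaclRule(90, "tcp", 80, 80, "198.51.100.0/24", "deny")] + NACL_INBOUND

WEB_SG = SecurityGroup(inbound=[SgRule("tcp", 80, 80, "0.0.0.0/0")],
                       outbound=[SgRule("tcp", 443, 443, "0.0.0.0/0")])


def nacl_reply_allowed(inbound_rules) -> bool:
    """Does the reply to our outbound HTTPS request get back through the subnet NACL?"""
    return nacl_allows(NACL_OUTBOUND, REQUEST, inbound=False) and nacl_allows(inbound_rules, REPLY, inbound=True)


def sg_reply_allowed() -> bool:
    """Same exchange through a security group with no inbound rule for port 49152."""
    sg = SecurityGroup(WEB_SG.inbound, WEB_SG.outbound)
    return sg.allows(REQUEST, inbound=False) and sg.allows(REPLY, inbound=True)


if __name__ == "__main__":
    print("NACL without ephemeral-port rule:", nacl_reply_allowed(NACL_INBOUND_NO_EPHEMERAL))
    print("NACL with ephemeral-port rule:   ", nacl_reply_allowed(NACL_INBOUND))
    print("security group (stateful):       ", sg_reply_allowed())
```

The practical checks that fall out of this: a NACL that only lists service ports silently breaks every outbound connection from the subnet until the ephemeral range is allowed, a NACL deny rule only works if its number sorts before the allow that would otherwise match, and a security group cannot block a specific source at all, so source blacklisting belongs in the NACL.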