7. Cloud Computing Benefits
• No Up-Front Capital Expense
• Low Cost
• Pay Only for What You Use
• Self-Service Infrastructure
• Easily Scale Up and Down
• Improve Agility & Time-to-Market
8. Cloud Computing Fault-Tolerance Benefits
The benefits translate!
• No Up-Front HA Capital Expense
• Low Cost Backups
• Pay for DR Only When You Use It
• Self-Service DR Infrastructure
• Easily Deliver Fault-Tolerant Applications
• Improve Agility & Time-to-Recovery
9. AWS Building Blocks: Two Strategies
Inherently fault-tolerant services: S3, SimpleDB, DynamoDB, CloudFront, SWF, SQS, SNS, SES, Route53, Elastic Load Balancer, Elastic Beanstalk, ElastiCache, Elastic MapReduce, IAM
Services that are fault-tolerant with the right architecture: Amazon EC2, VPC, EBS, RDS
10. Resources
The Stack:
• Deployment
• Management
• Configuration
• Networking
• Facilities
• Geographies
11. The Stack (AWS building blocks)
• EC2 Instances
• Amazon Machine Images
• CW Alarms - AutoScaling
• Cloudformation - Beanstalk
• Route53 – ElasticIP – ELB
• Availability Zones
• Regions
25. A Continuum
3 approaches to designing your AMIs, from "easier to set up" at one end to "more control, easier to maintain" at the other:
1. Inventory of fully baked AMIs (Frozen / Ready made)
2. “Golden AMIs” with fetch on boot (Frozen Pizza base)
3. AMIs with JeOS and Puppet/Chef (Made to Order)
26-31. Bootstrapping
1. Frozen Pizza Model
The whole stack, application code included, is baked into the AMI; the image is launched as-is on Amazon EC2, and every instance is an identical copy of it.
Java stack (Java AMI), top to bottom: Apache, Tomcat, Struts, Your Code, Log4J, Spring, Hibernate, JEE, Linux
.NET stack, top to bottom: IIS, ASP.NET MVC, Your Code, Log4Net, Spring.NET, nHibernate, .NET, Windows
32-37. Bootstrapping
2. Frozen Base Pizza Model
The lower layers are baked into a Golden AMI; the application layers are fetched from Source Control at boot time and layered on top when the instance starts on Amazon EC2.
Golden AMI (Java), top to bottom: Apache, Tomcat, Hibernate, JEE, Linux
Fetched on boot: Your Code, Struts, Log4J, Spring
Golden AMI (.NET): IIS, .NET, Windows
38-41. Bootstrapping
3. Made to Order Pizza Model
The AMI holds only Linux (JeOS, just enough operating system) and a Chef/Puppet agent. Cookbooks and recipes in Source Control drive the Chef/Puppet client to install and configure the rest of the Java stack (Apache, Tomcat, Struts, Your Code, Log4J, Spring, Hibernate, JEE) on Amazon EC2 at boot.
AMI (JeOS): Linux + Agent
Client: Chef/Puppet
Source Control: Cookbooks, Recipes
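In the Frozen Base and Made to Order models the instance pulls code or recipes from Source Control every time it boots, so the artifact store is inside the trust boundary of every launch: whoever can change what that fetch returns can change what the fleet runs. The following is an added example, not code from the deck or from AWS, of the fetch-verify-deploy step with the artifact's SHA-256 pinned in the image (or passed in via user data). The transport function, the sample artifact bytes and the path names are assumptions constructed for the example; a real AMI would fetch over HTTPS, from S3 or from a git export.

```python
"""Fetch on boot with a pinned digest (added example; assumptions noted inline)."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable


class IntegrityError(Exception):
    """The fetched artifact does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(fetch: Callable[[], bytes], expected_sha256: str) -> bytes:
    """Run the transport, then verify the bytes before they touch the deploy path.

    `fetch` is injected (assumed transport) so the check runs offline;
    hmac.compare_digest keeps the comparison constant-time.
    """
    data = fetch()
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(f"digest mismatch: got {actual}, pinned {expected_sha256}")
    return data


def deploy(data: bytes, deploy_dir: str, name: str = "app.war") -> str:
    """Write the verified artifact atomically: temp file in the same directory,
    fsync, then rename, so the app server never sees a half-written file."""
    os.makedirs(deploy_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=deploy_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        final = os.path.join(deploy_dir, name)
        os.replace(tmp, final)
        return final
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def bootstrap(fetch: Callable[[], bytes], expected_sha256: str, deploy_dir: str) -> str:
    """The boot-time sequence: fetch, verify, deploy. Returns the deployed path."""
    return deploy(fetch_verified(fetch, expected_sha256), deploy_dir)


# Constructed stand-in for the application artifact the golden AMI would fetch.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed stand-in for app.war"
SAMPLE_ARTIFACT_SHA256 = sha256_hex(SAMPLE_ARTIFACT)


def self_check() -> tuple:
    """A good artifact deploys; a tampered one is refused and the deployed file is untouched."""
    with tempfile.TemporaryDirectory() as d:
        path = bootstrap(lambda: SAMPLE_ARTIFACT, SAMPLE_ARTIFACT_SHA256, d)
        with open(path, "rb") as fh:
            deployed_ok = fh.read() == SAMPLE_ARTIFACT
        refused = False
        try:
            bootstrap(lambda: SAMPLE_ARTIFACT + b"tampered", SAMPLE_ARTIFACT_SHA256, d)
        except IntegrityError:
            refused = True
        with open(path, "rb") as fh:
            untouched = fh.read() == SAMPLE_ARTIFACT
        return deployed_ok, refused, untouched


if __name__ == "__main__":
    print(self_check())
```

The digest, not the transport, is what makes the boot reproducible: TLS to the artifact store protects the bytes in transit but says nothing about what was stored, and a pinned digest in the image ties each AMI version to exactly one artifact. For the Made to Order model the same check applies to the cookbook or recipe bundle before the Chef/Puppet client runs it.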
43. RDS: Multi-AZ Deployments
Enterprise-grade, fault-tolerant solution for production databases
What is Multi-AZ deployment?
• With a single API call, Amazon RDS creates and synchronously maintains a hot standby in a different availability zone
• In the event of an unplanned or planned outage, Amazon RDS automatically fails over to the standby so you can resume database writes and reads as soon as possible
44. RDS: Read Replicas
A Read Replica is a copy of a specified DB Instance that can serve read traffic
Intended use cases
• Read scaling, business reporting
• Not intended as a fault-tolerance substitute for Multi-AZ
Unlike Multi-AZ, a Read Replica uses native, asynchronous MySQL replication, and the replica can lag the source
A Read Replica can use a Multi-AZ deployment as its source
45. Test! Use a Chaos Monkey!
Prudent
Conservative
Professional
Soon to be open source…
http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html
49. AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
  • Access keys – key rotation
  • Login/Password
    • Enforce password complexity
  • Optional MFA device
• Policies control access to AWS APIs
• API calls must be signed by either:
  • X.509 certificate
  • Secret key
• Deep integration into many Services
  • S3: policies on objects and buckets
  • DynamoDB: tables
50. AWS Multi-Factor Authentication
Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
Additional protection for account information
Works with
• Master Account
• IAM Users
Integrated into
• AWS Management Console
• Key pages on the AWS Portal
• S3 (Secure Delete)
A recommended opt-in security feature!
51. Multi-tier Security Approach Example
• Web Tier: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
• Application Tier: engineering staff have ssh access to the App Tier, which acts as Bastion
• Database Tier: sync with on-premises database
Each tier is its own Amazon EC2 Security Group (firewall)
52. Networking & Security
• AWS Direct Connect: dedicated connection between your datacenter and AWS
• Amazon Virtual Private Cloud (VPC): private VPN connection to your AWS resources
• Dedicated Instances: single-tenant compute instance; Amazon EC2 resources running on private hardware
53. In the Cloud, Security is a Shared Responsibility
Infrastructure Security: how we secure our infrastructure
• SOC 1 Audit
• ISO 27001/2 Certification
• PCI DSS 2.0 Level 1
• HIPAA/SOX Compliance
• FISMA Moderate
• FEDRamp / GSA ATO
Application Security: how can you secure your application, and what is your responsibility?
• Encrypt data in transit
• Encrypt data at rest
• Protect your AWS Credentials
• Rotate your keys
• Secure your OS and applications
Services Security: what security options and features are available to you?
• Use MFA, VPC, S3 bucket policies, EC2 Security groups, EFS in EC2, etc.
54. Architecture Guidance?
Where to look for Architecture Guidance?
aws.amazon.com/architecture
Reference Architectures
Best Practices
Cloud computing is a better way to run your business. The cloud helps companies of all sizes become more agile. Instead of running your applications yourself you can run them on the cloud, where IT infrastructure is offered as a service, like a utility.

With the cloud, your company saves money: there are no up-front capital expenses, as you don’t have to buy hardware for your projects. The massive scale and fast pace of innovation of the cloud drive the costs down for you. In the cloud, you pay only for what you use, just like electricity.

The cloud can also help your company save time and improve agility – it’s faster to get started: you can build new environments in minutes, as you don’t need to wait for new servers to arrive. The elastic nature of the cloud makes it easy to scale up and down as needed. At the end of the day you have more resources left for innovation, which allows you to focus on projects that can really impact your business, like building and deploying more applications.

“With the high growth nature of our business, we were looking for a cloud solution to enable us to scale fast. Think twice before buying your next server. Cloud computing is the way forward.” - Sami Lababidi, CTO, Playfish
Fault Separation
Amazon EC2 provides customers the flexibility to place instances within multiple geographic regions as well as across multiple Availability Zones. Each Availability Zone is designed with fault separation. This means that Availability Zones are physically separated within a typical metropolitan region, on different flood plains, in seismically stable areas. In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. They are all redundantly connected to multiple tier-1 transit providers.

It should be noted that although traffic flowing across the private networks between Availability Zones in a single region is on AWS-controlled infrastructure, all communications between regions are across public Internet infrastructure, so appropriate encryption methods should be used to protect sensitive data. Data are not replicated between regions unless the customer proactively does so.
• Distinct physical locations
• Low-latency network connections between AZs
• Independent power, cooling, network, security
• Always partition app stacks across 2 or more AZs
• Elastic Load Balance across instances in multiple AZs

Don’t confuse AZs with Regions!
Note, the question is not “do you need to automate your deployment?” or “should I use automation when I’m using the cloud?”; the answer to that is YES!
The question is: if you’re using fully standard PHP or Java stacks, why manage them yourself? Beanstalk does that great, with zero lock-in. If what you need is more complex, perhaps CloudFormation (note, you can do BOTH!).
Three-Tier Web App has been “fork-lifted” to the cloud
• Everything in a single Availability Zone
• Load balanced at the Web tier and App tier using software load balancers
• Master and Standby database
• Elastic IP on front end load balancer only
• S3 used as DB backup instead of tape
How can you use AWS features to make this app more highly available?
Examining AWS, you’ll see that the same security isolations are employed as would be found in a traditional datacenter. These include physical datacenter security, separation of the network, isolation of the server hardware, and isolation of storage. AWS customers have control over their data: they own the data, not us; they can encrypt their data at rest and in motion, just as they would in their own datacenter.

Amazon Web Services provides the same, familiar approaches to security that companies have been using for decades. Importantly, it does this while also allowing the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing, privately-owned environments.

AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, SAS 70 Type II. Our services and data centers have multiple layers of operational and physical security designed to protect the integrity and safety of your data. Visit our Security Center to learn more: http://aws.amazon.com/security/

Certifications and Accreditations: AWS has successfully completed a SAS 70 Type II Audit, and will continue to obtain the appropriate security certifications and accreditations to demonstrate the security of our infrastructure and services.

PCI DSS: We finalized our 2011 PCI compliance audit, publishing our extensive Report on Controls (ROC) with an expanded scope. Our new November 30, 2011 PCI Attestation of Compliance, a document from our auditor stating we are compliant with all 12 PCI security standard domains, is available now for customers considering or working on moving PCI systems to AWS. The new Attestation of Compliance document includes some key changes this year: we’ve added RDS, ELB, and IAM as in-scope services. The addition of these services is fantastic news for PCI customers, since they can now leverage RDS to store cardholder and transaction data, use ELB to manage card transaction traffic, and rely on IAM features as validated control mechanisms that satisfy PCI security standard requirements. Consistent with last year, EC2, S3, EBS, and VPC continue to be in scope.

Physical Security: Amazon has many years of experience in designing, constructing, and operating large scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical barriers to prevent unauthorized access.

Secure Services: Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.

Data Privacy: AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS.

“In essence, the security system of AWS’s platform has been added to our existing security systems. We now have a security posture consistent with that of a multi-billion dollar company.” - Jim Warren, CIO, Recovery Accountability and Transparency Board (RATB)
AWS Identity and Access Management (AWS IAM)
AWS Identity and Access Management (AWS IAM) enables a customer to create multiple users and manage the permissions for each of these users within their AWS Account. A user is an identity (within a customer AWS Account) with unique security credentials that can be used to access AWS Services. AWS IAM eliminates the need to share passwords or access keys, and makes it easy to enable or disable a user’s access as appropriate.

AWS IAM enables customers to implement security best practices, such as least privilege, by granting unique credentials to every user within their AWS Account and only granting permission to access the AWS Services and resources required for the users to perform their job. AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.

AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead, all interactions with AWS Services and resources should be with AWS IAM user security credentials. More information about AWS Identity and Access Management (AWS IAM) is available on the AWS website: http://aws.amazon.com/iam/
Amazon Account Security Features
AWS provides a number of ways for customers to identify themselves and securely access their AWS Account. A complete list of credentials supported by AWS can be found on the Security Credentials page under Your Account. AWS also provides additional security options that enable customers to further protect their AWS Account and control access: AWS Identity and Access Management (AWS IAM), Multi-Factor Authentication (MFA) and Key Rotation.

AWS Multi-Factor Authentication (AWS MFA)
AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over AWS Account settings and the management of the AWS Services and resources for which the account is subscribed. When customers enable this opt-in feature, they will need to provide a six-digit single-use code in addition to their standard username and password credentials before access is granted to their AWS Account settings or AWS Services and resources. Customers get this single-use code from an authentication device that they keep in their physical possession. This is called Multi-Factor Authentication because two factors are checked before access is granted: customers need to provide both their username (Amazon e-mail in the case of the AWS Account) and password (the first “factor”: something you know) and the precise code from their authentication device (the second “factor”: something you have). Customers can enable MFA devices for their AWS Account as well as for the users they have created under their AWS Account with AWS IAM.

It is easy to obtain an authentication device from a participating third party provider and to set it up for use via the AWS website. More information about Multi-Factor Authentication is available on the AWS website: http://aws.amazon.com/mfa/

Key Rotation
For the same reasons as it is important to change passwords frequently, AWS recommends that customers rotate their access keys and certificates on a regular basis. To let customers do this without potential impact to their applications’ availability, AWS supports multiple concurrent access keys and certificates. With this feature, customers can rotate keys and certificates into and out of operation on a regular basis without any downtime to their application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM APIs enable a customer to rotate the access keys of their AWS Account as well as those of users created under their AWS Account using AWS IAM.
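The rotation the note describes, as an added example that is not the deck's or AWS's own code: create the second key, cut the application over to it, deactivate the old key, and delete it only after a soak period, since an inactive key can be re-enabled if some forgotten job was still using it while a deleted one cannot. The iam argument has the method names and keyword arguments of the boto3 IAM client (list_access_keys, create_access_key, update_access_key, delete_access_key); FakeIAM, the user name and the key IDs are constructed so the example runs offline, and the activate callback is an assumed hook for pushing the new key into the application's configuration and confirming a signed call with it succeeds.

```python
"""Zero-downtime access-key rotation (added example; assumptions noted inline)."""
from typing import Callable, Dict, List

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def rotate_access_key(iam, user: str, activate: Callable[[str, str], bool]) -> Dict[str, object]:
    """Create a new key, cut the application over to it, then deactivate the old ones.

    `activate(key_id, secret)` (assumed hook) installs the new credentials where the
    application reads them and returns True once a request signed with the new key
    has succeeded. If it returns False the new key is deleted and the old key stays
    active, so a bad deploy cannot lock the application out.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(
            f"{user} already has {len(existing)} keys; purge an inactive one first")
    old_ids = [k["AccessKeyId"] for k in existing]

    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not activate(new["AccessKeyId"], new["SecretAccessKey"]):
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        return {"status": "rolled_back", "new": None, "deactivated": []}

    # Deactivate, do not delete: deletion happens in purge_inactive_keys after a soak period.
    for kid in old_ids:
        iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
    return {"status": "rotated", "new": new["AccessKeyId"], "deactivated": old_ids}


def purge_inactive_keys(iam, user: str) -> List[str]:
    """Second step, run after the soak period: delete keys already marked Inactive."""
    deleted = []
    for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
            deleted.append(k["AccessKeyId"])
    return deleted


class FakeIAM:
    """In-memory stand-in for the boto3 IAM client (constructed for this example)."""

    def __init__(self, active_keys: List[str]):
        self.keys: Dict[str, str] = {k: "Active" for k in active_keys}
        self._n = 0

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def create_access_key(self, UserName: str) -> dict:
        self._n += 1
        kid = f"AKIAFAKE{self._n:08d}"  # fake identifier, not a real key
        self.keys[kid] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": kid,
                              "Status": "Active", "SecretAccessKey": "not-a-real-secret"}}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> None:
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> None:
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM(["AKIAOLDKEY00000001"])
    print(rotate_access_key(iam, "deploy-user", lambda kid, secret: True))
    print(purge_inactive_keys(iam, "deploy-user"))  # after the soak period
    print(iam.keys)
```

The two-key limit is what makes the deactivate-then-purge split necessary: if a previous rotation's inactive key is still present, create_access_key fails, so the check at the top turns that into a clear error rather than a half-finished rotation.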
The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. Highly secure applications can be deployed using this expressive mechanism.

Here is an example of the commands needed to establish a multi-tier security architecture (ec2auth is the EC2 API tools’ short alias for ec2-authorize); of course customers could use the AWS Management Console to do the same:

# Permit HTTP(S) access to Web Layer from the Entire Internet
ec2auth Web -p 80,443 -s 0.0.0.0/0
# Permit ssh access to App Layer from Corp Network
ec2auth App -p 22 -s 1.2.3.4/32
# Permit ssh access to DB Layer from Vendor Network
ec2auth DB -p 22 -s 5.6.7.8/32
# Permit Application and DB Layer Access to appropriate internal layers
ec2auth App -p $APP_PORT -o Web
ec2auth DB -p $DB_PORT -o App
# Permit Bastion host access for Web and DB Layers from App Layer
ec2auth Web -p 22 -o App
ec2auth DB -p 22 -o App
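Setting the rules is half the job; the other half is noticing when someone later adds a rule the design never allowed. The following is an added example, not the deck's or AWS's own code, that audits security groups in the shape returned by describe-security-groups (IpPermissions with IpRanges, Ipv6Ranges and UserIdGroupPairs) against the three-tier policy above and reports every ingress rule the allow-list does not cover. The group names, the sg- identifiers, the 10.9.0.0/16 network and the two deliberately wrong rules in the sample are constructed; 8000 and 3306 stand in for $APP_PORT and $DB_PORT as the note describes.

```python
"""Security group audit against a per-tier allow-list (added example; sample data constructed)."""
from typing import Dict, List, Set, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
Finding = Tuple[str, str, str, str]  # (severity, group name, port or range, source)


def flatten(group: dict) -> List[Tuple[str, int, int, str]]:
    """Flatten one group's IpPermissions into (protocol, from_port, to_port, source)
    rows. A source is a CIDR (IpRanges / Ipv6Ranges) or a referenced group id."""
    rows = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # "all traffic": the API omits the port fields
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        rows.extend((proto, lo, hi, src) for src in sources)
    return rows


def audit(groups: List[dict], allowed: Dict[str, Set[Tuple[int, str]]]) -> List[Finding]:
    """Report every ingress rule that is not on the allow-list for its group.

    The allow-list only ever names single TCP ports, so any port range, any
    non-TCP rule and any unlisted (port, source) pair is reported. A reported
    rule whose source is the whole Internet is 'critical'; the rest are 'warn'.
    """
    findings: List[Finding] = []
    for g in groups:
        name = g["GroupName"]
        allow = allowed.get(name, set())
        for proto, lo, hi, src in flatten(g):
            if proto == "tcp" and lo == hi and (lo, src) in allow:
                continue
            ports = str(lo) if lo == hi else f"{lo}-{hi}"
            severity = "critical" if src in (ANY_IPV4, ANY_IPV6) else "warn"
            findings.append((severity, name, ports, src))
    return findings


def tcp_rule(port: int, *sources: str) -> dict:
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": s} for s in sources if not s.startswith("sg-")],
            "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")]}


# Constructed sample: the three groups from the ec2auth commands above, with
# $APP_PORT=8000 and $DB_PORT=3306, plus two mistakes the audit should catch.
SAMPLE_GROUPS = [
    {"GroupName": "Web", "GroupId": "sg-web", "IpPermissions": [
        tcp_rule(80, ANY_IPV4), tcp_rule(443, ANY_IPV4), tcp_rule(22, "sg-app"),
        tcp_rule(22, "10.9.0.0/16")]},  # mistake: SSH from a network nobody approved
    {"GroupName": "App", "GroupId": "sg-app", "IpPermissions": [
        tcp_rule(22, "1.2.3.4/32"), tcp_rule(8000, "sg-web")]},
    {"GroupName": "DB", "GroupId": "sg-db", "IpPermissions": [
        tcp_rule(22, "5.6.7.8/32"), tcp_rule(22, "sg-app"), tcp_rule(3306, "sg-app"),
        tcp_rule(3306, ANY_IPV4)]},  # mistake: MySQL open to the Internet
]

# The policy the note describes, as (port, source) pairs per group.
ALLOWED = {
    "Web": {(80, ANY_IPV4), (443, ANY_IPV4), (22, "sg-app")},
    "App": {(22, "1.2.3.4/32"), (8000, "sg-web")},
    "DB": {(22, "5.6.7.8/32"), (22, "sg-app"), (3306, "sg-app")},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, ALLOWED):
        print(*finding)
```

Because a source may be another group rather than a CIDR, the allow-list expresses the bastion relationship directly (port 22 on Web and DB only from sg-app), which is the property the slide's "App Tier acts as Bastion" wording relies on; an rule that substitutes a CIDR for the group reference is reported even when the CIDR happens to be the App tier's current subnet.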
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple logical connections. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments. Logical connections can be reconfigured at any time to meet your changing needs. http://aws.amazon.com/directconnect/

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. With Amazon VPC, you can define a virtual network topology that closely resembles a traditional network that you might operate in your own datacenter. You have control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet. Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter. http://aws.amazon.com/vpc/

Dedicated Instances are Amazon EC2 instances launched within your Amazon VPC that run on hardware dedicated to a single customer. Dedicated Instances let you take full advantage of the benefits of Amazon VPC and the AWS cloud – on-demand elastic provisioning, pay only for what you use, and a private, isolated virtual network – all while ensuring that your Amazon EC2 compute instances will be isolated at the hardware level. You can easily create a VPC that contains dedicated instances only, providing physical isolation for all Amazon EC2 compute instances launched into that VPC, or you can choose to mix both dedicated instances and non-dedicated instances within the same VPC based on application-specific requirements. http://aws.amazon.com/dedicated-instances/
Security and operational excellence is the top-most priority. It’s priority 0. No exceptions allowed. We understand that security and governance are often the top issues identified when we talk to our customers. Instead of tossing this over the fence, we really advise and highly recommend that our customers invest in a security review early in the process. Get your security folks to talk to our security folks and understand security and compliance. Security is really not on or off. It’s a spectrum of options that you can choose from that is right for your application.