The Getting Started on AWS deck introduces Amazon users and prospective customers to Amazon VPC, EC2 and the concepts and components that are necessary for building fault-tolerant and highly available environments on AWS. It also introduces services like Direct Connect, Route 53 (Amazon DNS Service) and one of our new additions, the Amazon Application Load Balancer (ALB). After perusing this deck, users should have a better understanding of what these services are and their proposed benefits.
4. What is AWS?
• AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.
• Benefits
– Low Cost
– Elasticity & Agility
– Open & Flexible
– Secure
– Global Reach
5. What sets AWS apart?
*as of July 31, 2014
• Experience – Building and managing cloud since 2006
• Service Breadth & Depth – 50+ services to support any cloud workload
• Pace of Innovation – History of rapid, customer-driven releases
• Global Footprint – 12 regions, 32 availability zones, 54 edge locations
• Pricing Philosophy – 51 proactive price reductions to date
• Ecosystem – Thousands of partners; 2,100+ Marketplace products
7. AWS Regions and Availability Zones
[Map of AWS Regions and their Availability Zones: US West (OR), US West (CA), GovCloud (US), US East (VA), EU (Ireland), EU (Frankfurt), S. America (Sao Paulo), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), Asia Pacific (Seoul), China (Beijing)*; every Region shown contains at least two Availability Zones (AZ A, AZ B, ...)]
*A limited preview of the China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.
8. Service Breadth & Depth
• Technical & Business Support: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem
• AWS Marketplace: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security
• Management Tools: Queuing, Notifications, Search, Orchestration, Email
• Enterprise Apps: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories
• Hybrid Cloud Management: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management
• Security & Management: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated
• Infrastructure Services: Regions, Availability Zones, Compute, Storage (Objects, Blocks, Files), Databases (SQL, NoSQL, Caching), CDN, Networking
• Platform Services:
– App: Mobile & Web Front-end, Functions, Identity, Data Store, Real-time
– Development: Containers, Source Code, Build Tools, Deployment, DevOps
– Mobile: Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend
– Analytics: Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning
11. Amazon Networking Components
VPC – Extend your network into a virtual private cloud
Direct Connect – Physical cross connect into AWS
Route53 – Managed DNS service
13. What is the Amazon VPC?
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
• Extend Your LAN into AWS
• Tightly Control Packet Flow
• Implement High Availability & Fault Tolerance that spans Availability Zones
14. Amazon VPC Components
• VPC CIDR Definition
• Private & Public Subnet
• Route Tables
• Internet Gateway
• Virtual Private Gateway (WAN Gateway)
• Security Groups (Stateful Firewall)
• Network Access Control List (Stateless Firewall)
15. The Amazon VPC IP Space
Plan, Design, Create
• Consider future AWS region expansion
• Consider future connectivity to corporate networks
• Consider subnet design
• The VPC CIDR block can be anywhere between /16 and /28
• The CIDR cannot be modified once created
• Overlapping IP spaces = future headache
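The planning checks above (a CIDR between /16 and /28, immutable once created, no overlap with networks you may later connect) can be automated before the VPC is created. The following is an added example written for this page, not code from the deck; it uses only Python's standard library, and the corporate and peer CIDRs, the AZ names and the /24 subnet size are constructed sample values. The per-subnet reservation of five addresses is AWS behaviour the deck does not mention.

```python
"""Checks for a proposed VPC CIDR and a per-AZ subnet plan (added example, standard library only)."""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # allowed VPC block sizes: /16 (largest) to /28 (smallest)
AWS_RESERVED_PER_SUBNET = 5              # AWS keeps the first four and the last address of each subnet


def validate_vpc_cidr(cidr, existing_networks=()):
    """Return a list of problems with a proposed VPC CIDR; an empty list means it is usable.

    existing_networks: CIDRs the VPC must never overlap, e.g. corporate networks you may
    later reach over VPN/Direct Connect and VPCs you may later peer with. The CIDR cannot
    be changed once the VPC exists, so every future neighbour belongs in this list now.
    """
    try:
        net = ipaddress.ip_network(cidr)  # strict: "10.0.1.0/16" (host bits set) is rejected
    except ValueError as exc:
        return [f"not a valid network CIDR: {exc}"]
    problems = []
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"{net} is a /{net.prefixlen}; VPC CIDR must be between /16 and /28")
    for other in existing_networks:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps {other_net}")
    return problems


def plan_subnets(vpc_cidr, az_names, tiers=("public", "private"), subnet_prefix=24):
    """Carve one subnet per (AZ, tier) from the VPC block, allocating in a fixed order so
    that adding an AZ or a tier later never renumbers existing subnets.
    Returns {(az, tier): "a.b.c.d/nn"}.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    free_blocks = vpc.subnets(new_prefix=subnet_prefix)  # generator of unused blocks
    plan = {}
    for az in az_names:
        for tier in tiers:
            block = next(free_blocks, None)
            if block is None:
                raise ValueError(f"{vpc} cannot hold {len(az_names) * len(tiers)} /{subnet_prefix} subnets")
            plan[(az, tier)] = str(block)
    return plan


def usable_hosts(subnet_cidr):
    """Addresses an EC2 instance can actually take in a subnet, after AWS's reservation."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed sample: a proposed VPC checked against a corporate LAN and two future peers.
    proposal, neighbours = "10.0.0.0/16", ["172.31.0.0/16", "10.55.0.0/16", "192.168.0.0/16"]
    print(validate_vpc_cidr(proposal, neighbours) or "CIDR OK")
    for key, subnet in plan_subnets(proposal, ["az-a", "az-b"]).items():
        print(key, subnet, usable_hosts(subnet), "usable addresses")
```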
16. VPC Security Building Blocks: Security Groups
[Diagram: a Load Balancer in front of two Web Servers, each behind its own Security Group Firewall, reaching a DB Server behind a third Security Group Firewall; the Web (HTTP) tier listens on port 8080]
17. VPC Security Building Blocks: NACLs
o Separate inbound & outbound rules, and each rule can either allow or deny
18. The Amazon VPC Route Tables
o Your VPC has an implicit router.
o Each VPC comes with a main route table that you can modify.
o You can create additional custom route tables for your VPC.
o Each subnet must be associated with a route table.
o You cannot delete the main route table.
o Each route in a table specifies a destination CIDR and a target.
19. The Amazon VPC Internet Gateway
• An Internet gateway is a:
o horizontally scaled
o redundant & highly available VPC component
• Allows communication between instances in your VPC and the Internet.
• Imposes no availability risks or bandwidth constraints on your network traffic
• Serves two purposes:
o Provides a target in your VPC route tables for Internet-routable traffic
o Performs network address translation (NAT) for instances that have been assigned public IP addresses.
• By default you can only create 5 Internet Gateways per Region
20. EC2 Instance in a Public Subnet
• EC2 Instance is located in a Public Subnet
• Has a Public IP Address
• Its route table has a default route to the Internet gateway
• The VPC Router passes Internet-bound traffic to the Internet Gateway
21. The Amazon VPC Virtual Private Gateway
• VPN concentrator that sits on the edge of your network
• Allows you to:
o Establish static or dynamic IPsec VPN connections between your VPC & a customer gateway
o Establish a point-to-point, low-latency WAN connection between your DC/LAN and your AWS VPC
• Create up to 5 per Region
22. Enabling Access to the Internet
To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
• Attach an Internet gateway to your VPC.
• Ensure that:
o Your subnet's route table points to the Internet gateway.
o Instances in your subnet have public IP addresses or Elastic IP addresses.
o Your network access control and security group rules allow the relevant traffic to flow to and from your instance.
23. Enabling Private Subnets to Access the Internet
Resources in your private subnets only have private IPv4 addresses.
• Create a NAT Instance/NAT Gateway in a Public Subnet
• Ensure that:
o Your private subnet's route table sends all Internet-bound traffic to the NAT Instance/NAT Gateway
o Your network access control and security group rules allow the relevant traffic to flow to and from your instance.
25. The Amazon VPC NAT Instances
• Enable instances in the private subnet to initiate outbound traffic to the Internet
• No built-in redundancy / high availability by default
• Bandwidth depends on the instance type
• Managed by you
• Used in a public subnet
• Prevents instances from receiving inbound traffic initiated by someone on the Internet.
26. The Amazon VPC NAT Gateway
• High availability – built-in redundancy
• High bandwidth – up to 10Gbps
• Managed by Amazon
• View NAT gateways’ traffic using Flow Logs
• NAT gateways support TCP, UDP, and ICMP protocols
• Network ACLs apply to NAT gateway’s traffic
[Diagram: a NAT Gateway sits in the public subnet, whose route table sends 0.0.0.0/0 to the Internet gateway; the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway]
Route Table (public subnet containing the NAT Gateway)
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       IGW
Private Route Table
Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       NGW
27. Amazon VPC Endpoints
• No IGW
• No NAT
• No Public IP Address Needed
• No Added Infrastructure Cost
• Robust Access Control
[Diagram: instances in the VPC reach Amazon S3 through a VPC Endpoint]
28. Amazon VPC Peering Connections
• Networking connection between two VPCs
• Enables you to route traffic between VPCs using private IP addresses.
• Instances in either VPC can communicate with each other as if they are within the same network.
• A VPC peering connection can be created between your own VPCs, or with a VPC in another AWS account within the same region
• There is no single point of failure for communication or a bandwidth bottleneck.
[Diagram: VPC A, VPC B and VPC C joined by peering connections]
29. Connecting to other VPCs - VPC peering
[Diagram: VPC Peering between 10.0.0.0/16, 172.31.0.0/16 and 10.55.0.0/16]
Private Route Table (10.0.0.0/16)
Destination     Target
10.0.0.0/16     Local
172.31.0.0/16   VPC Peer
Private Route Table (172.31.0.0/16)
Destination     Target
172.31.0.0/16   Local
10.0.0.0/16     VPC Peer
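The route tables above are consulted by the VPC's implicit router using longest-prefix match, and a peering connection carries only traffic addressed to the peer VPC's own CIDR. The following added example (written for this page, not code from the deck) models the three VPCs of the diagram with A peered to B and B peered to C; the `peer:<vpc>` target label, the extra routes placed in VPC A and the 198.51.100.10 test address are constructed assumptions.

```python
"""Route lookup and VPC peering reachability (added example, standard library only)."""
import ipaddress

# Constructed model of the deck's diagram: VPC A is peered with B and B with C.
# Targets use the deck's labels ("Local", "IGW", "NGW") plus "peer:<vpc>" for a
# VPC peering connection, which is this example's own notation.
VPCS = {
    "A": {"cidr": "10.0.0.0/16",
          "routes": {"10.0.0.0/16": "Local",
                     "172.31.0.0/16": "peer:B",
                     "10.55.0.0/16": "peer:B",   # attempt to reach C "through" B
                     "0.0.0.0/0": "NGW"}},
    "B": {"cidr": "172.31.0.0/16",
          "routes": {"172.31.0.0/16": "Local",
                     "10.0.0.0/16": "peer:A",
                     "10.55.0.0/16": "peer:C",
                     "0.0.0.0/0": "IGW"}},
    "C": {"cidr": "10.55.0.0/16",
          "routes": {"10.55.0.0/16": "Local",
                     "172.31.0.0/16": "peer:B"}},  # no default route: no Internet path
}


def lookup(routes, dst_ip):
    """Longest-prefix match, as the VPC's implicit router does: the most specific
    destination CIDR containing dst_ip wins; 0.0.0.0/0 matches only as a last resort."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(src_vpc, dst_ip):
    """Follow a packet leaving src_vpc. Returns (outcome, detail)."""
    target = lookup(VPCS[src_vpc]["routes"], dst_ip)
    if target is None:
        return ("dropped", "no matching route")
    if target == "Local":
        return ("delivered", src_vpc)
    if target in ("IGW", "NGW"):
        return ("internet", target)
    peer = target.split(":", 1)[1]
    # A peering connection only carries traffic addressed to the peer VPC's own CIDR.
    # It is not transitive: B will not forward A's packets on to C, nor out of B's IGW.
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPCS[peer]["cidr"]):
        return ("delivered", peer)
    return ("dropped", f"peering with {peer} is not transitive")


if __name__ == "__main__":
    for vpc, ip in [("A", "10.0.4.4"), ("A", "172.31.9.9"), ("A", "10.55.1.1"),
                    ("B", "198.51.100.10"), ("C", "198.51.100.10")]:
        print(vpc, "->", ip, trace(vpc, ip))
```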
30. Default VPCs
Default VPC
• Simplicity and Convenience
• Automatically assigned network and subnets
Security of VPC
• Customer may create additional subnets and change routing rules
• Additional network controls (Security Groups, NACLs, routing)
• Hardware VPN options between corporate networks
• Instances in default subnets have Security Group-controlled public and private IPs
31. IP Addressing
                    Default VPC                          Virtual Private Cloud
Private IP          Dynamic Private IP                   Dynamic or Static Private IP Address
Public IP           Dynamic Public IP                    None by default (can be created with publicIP=true)
Static Public IP    Optional Static Public IP (EIP)      Optional Static Public IP (EIP)
DNS                 AWS-provided DNS names               AWS-provided private DNS names
                    (Private DNS name, Public DNS name)  Customer-controlled DNS options
                    AWS-provided public DNS lookup
37. AWS Direct Connect
• Decide on an AWS DX location and port size
• Use AWS Management Console to create connection request(s)
• AWS sends a Letter of Authorization – Connecting Facility Assignment (LOA-CFA) via email
• Establish WAN connectivity to the DX location*
• Use an APN Partner or a network carrier of your choice
• Provide the LOA-CFA to the APN Partner or your service provider to establish the connection at the DX location
• Use AWS Management Console to configure one or more virtual interfaces
[Map: AWS DX Locations]
* Can be done in parallel with remaining steps once the AWS DX location has been selected
38. Today’s VPC Lab Outline
1. Create VPC
2. Create Private & Public Subnets Across Two AZ’s
3. Configure Private & Public Route Tables
4. Create An Internet Gateway
5. Configure Security Group
6. Create A VPC Endpoint
7. Create A NAT Gateway
• https://events-aws.qwiklab.com/classrooms/6660
• https://events-aws.qwiklab.com
42. EC2 Network Environment
Virtual Private Cloud
• Bring your own network
• Customer-managed subnets and routing
• Additional network controls (Security Groups, NACLs, routing)
• Hardware VPN options between corporate networks
• Instances have Security Group-controlled private IPs (dynamic public IPs or EIPs optional)
43. Default VPCs
Default VPC
• Automatically assigned network and subnets (can now include NAT)
Security of VPC
• Customer may create additional subnets and change routing rules
• Additional network controls (Security Groups, NACLs, routing)
• Additional networking features like enhanced networking and multiple IPs
• Hardware VPN options between corporate networks
• Instances in default subnets have Security Group-controlled public and private IPs
44. Broad Set of Compute Instance Types
• General purpose – M3, M4
• Compute optimized – C3, C4
• Storage and IO optimized – I2, D2
• GPU enabled – G2
• Memory optimized – R3
46. Purchasing options at a glance
• Reserved Instances – Pay a low upfront price; reserve an instance slot; secure a low hourly rate; sell & modify reservations if your needs change
• On-Demand Instances – Pay as you go; flat hourly rate; no commitment
• Spot Instances – Bid what you like: your Spot instances run while your bid > the Spot price; save up to 90% off of On-Demand; run 1,000s of instances
[Chart: Spot price over time (10:00, 10:05, 10:10)]
49. Details of a Virtual Machine
[Diagram: a hypervisor hosts the VM workspace with one or more ephemeral (temporary) drives, one or more EBS (persistent) drives and network I/O; EBS snapshots are held in Amazon S3]
50. EBS AMI First Time Boot
[Diagram: the EBS drive attaches to the hypervisor & boots; EBS snapshots are held in Amazon S3]
51. EBS AMI Restart
[Diagram: on restart the EBS drive is reattached to the hypervisor; EBS snapshots are held in Amazon S3]
53. EC2 Host Virtualization
[Diagram: a physical host with a firewall, physical interfaces and a hypervisor presenting virtual interfaces to customer instances of various sizes (Large, Small, ...); each instance's virtual interface is guarded by its Security Groups]
54. EC2 Security Groups
• Security Group Rules
– Name
– Description
– Protocol
– Port range
– IP address, IP range,
Security Group name
55. Tiered EC2 Security Groups
• Hierarchical Security Group Rules
– Dynamically created rules
– Based on Security Group membership
– Create tiered network architectures
“Web” Security Group:
  TCP 80    0.0.0.0/0
  TCP 22    “Mgmt”
“App” Security Group:
  TCP 8080  “Web”
  TCP 22    “Mgmt”
“DB” Security Group:
  TCP 3306  “App”
  TCP 22    “Mgmt”
“Mgmt” Security Group:
  TCP 22    163.128.25.32/32
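Because a rule's source can be another Security Group, the tiered rules above grant access by membership rather than by address. This added example (written for this page, not code from the deck) encodes the four groups exactly as listed and evaluates whether a flow is permitted; the instance names, private IPs and the 198.51.100.7 client address are constructed, and only inbound rules are modelled (outbound is left at its allow-all default).

```python
"""Evaluate the deck's tiered Security Groups (added example, standard library only)."""
import ipaddress

# Inbound rules exactly as on the slide: (protocol, port, source). A source that parses
# as a CIDR is an address range; any other string names another Security Group.
SECURITY_GROUPS = {
    "Web":  [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "Mgmt")],
    "App":  [("tcp", 8080, "Web"),     ("tcp", 22, "Mgmt")],
    "DB":   [("tcp", 3306, "App"),     ("tcp", 22, "Mgmt")],
    "Mgmt": [("tcp", 22, "163.128.25.32/32")],
}

# Constructed instances: name -> (private IP, Security Groups attached to it).
INSTANCES = {
    "web-1":   ("10.0.0.10", {"Web"}),
    "app-1":   ("10.0.1.10", {"App"}),
    "db-1":    ("10.0.2.10", {"DB"}),
    "bastion": ("10.0.0.5",  {"Mgmt"}),
}


def _source_matches(source, src_ip, src_groups):
    """CIDR sources match on address; group sources match on the sender's membership."""
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)
    except ValueError:                 # not a CIDR, so it is a Security Group name
        return source in src_groups


def inbound_allowed(dst_groups, protocol, port, src_ip, src_groups=frozenset()):
    """Security Groups are allow-lists with no deny rules: the flow is permitted if any rule
    of any group attached to the destination matches. They are stateful, so the reply
    traffic needs no rule of its own. Outbound rules (allow-all by default) are not modelled."""
    for group in dst_groups:
        for rule_proto, rule_port, source in SECURITY_GROUPS.get(group, []):
            if (rule_proto, rule_port) == (protocol, port) and _source_matches(source, src_ip, src_groups):
                return True
    return False


def can_connect(src_instance, dst_instance, protocol, port):
    """Can one instance in the VPC open a connection to another?"""
    src_ip, src_groups = INSTANCES[src_instance]
    _, dst_groups = INSTANCES[dst_instance]
    return inbound_allowed(dst_groups, protocol, port, src_ip, src_groups)


def internet_can_connect(dst_instance, protocol, port, client_ip="198.51.100.7"):
    """An external client belongs to no Security Group, so only CIDR rules can admit it."""
    _, dst_groups = INSTANCES[dst_instance]
    return inbound_allowed(dst_groups, protocol, port, client_ip)


if __name__ == "__main__":
    print("web-1 -> app-1:8080", can_connect("web-1", "app-1", "tcp", 8080))      # True
    print("web-1 -> db-1:3306", can_connect("web-1", "db-1", "tcp", 3306))        # False: only "App" may
    print("internet -> app-1:8080", internet_can_connect("app-1", "tcp", 8080))  # False: no CIDR rule
```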
56. EC2 IP Addressing
(Same table as slide 31, IP Addressing.)
57. EC2-Specific Credentials
• EC2 key pairs
– Linux – SSH key pair for first-time host login
– Windows – Retrieve Administrator password
• Standard SSH RSA key pair
– Public/Private keys
– Private keys are not stored by AWS
• AWS approach for providing initial access to a generic OS
– Secure
– Personalized
– Non-generic (NIST, PCI DSS)
[Diagram: the “Public Half” of the key pair is inserted by Amazon into each EC2 instance that you launch; the “Private Half” is downloaded to your desktop]
58. EC2 Instance access and Key Pairs
• Linux launch (first boot)
– Public key made available through metadata
– Public key inserted into ~/.ssh/authorized_keys
– User connects with SSH using their private key
[Diagram: instance metadata supplies the RSA public key to the instance]
59. EC2 Instance access and Key Pairs
• Windows launch (first boot sequence)
– Public key made available through metadata
– Sysprep
– Random Administrator password
– Password encrypted with public key
– User decrypts password with their private key
[Diagram: instance metadata supplies the RSA public key to the instance; the encrypted password appears in the system log as <Password>aGIhplGOqrJQmBJW…K9gTD31Q==</Password>]
62. Load Balancing Traffic in AWS
• Load Balancing distributes incoming application traffic across
o multiple EC2 instances
o in multiple Availability Zones.
• Increases the fault tolerance of your applications
• Serves as a single point of contact for clients
o Increases the availability of your application.
• Add/remove instances from your load balancer as your needs change,
o without disrupting the overall flow of requests to your application
• Scales your load balancer as traffic to your application changes over time
o can scale to the vast majority of workloads automatically
• Two types available
o Application Load Balancer (Layer 7)
o Classic Load Balancer (Layer 4)
63. Elastic Load Balancing (ELB) - Classic
• In-Region Load Balancing Service
• Distributes traffic across multiple Availability Zones
– HTTP/S, TCP/S
• Built-in Health Check
• Fully fault-tolerant
– Can span multiple AZs
[Diagram: one Elastic Load Balancer in a Region distributing traffic to Web Servers in AZ-1, AZ-2 and AZ-3]
64. ELB Considerations
• ELB is a service, but runs on EC2
• The IP addresses will change over time
– Use CNAME records in DNS or Route 53 “Alias” records
– Never use an A record
• SSL is supported
– Client SSL termination
– Backend ELB-to-server mutual SSL
• Cross-Zone Load Balancing
• Sticky sessions
65. Amazon Application Load Balancing
• Functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model.
• The load balancer makes routing decisions based on the content of the application traffic in the HTTP messages.
66. Amazon Application Load Balancing
• Layer 7 Load Balancer
• Content Based Routing
• Supports Container Based Applications
• Supports Web Sockets & HTTP/2
– Supports ws:// & wss:// protocols
• Deeper Health Checks & Better Metrics
67. The Application Load Balancing Listener
• Listeners support the following protocols and ports:
– Protocols: HTTP, HTTPS
– Ports: 1-65535
• Use an HTTPS listener to offload the work of encryption and decryption to your ALB
• Use WebSockets with both HTTP and HTTPS listeners.
• Use HTTP/2 with HTTPS listeners.
– You can send up to 128 requests in parallel using one HTTP/2 connection. Because HTTP/2 uses connections more efficiently, you might notice fewer connections between clients and the load balancer.
68. ELB Classic vs. Application ELB
Feature                                        Application ELB            Classic ELB
Protocols                                      HTTP, HTTPS                HTTP, HTTPS, TCP, SSL
Platforms                                      EC2-VPC                    EC2-Classic, EC2-VPC
Sticky sessions (cookies)                      load balancer generated    ✔
Back-end server authentication                                            ✔
Back-end server encryption                     ✔                          ✔
Idle connection timeout                        ✔                          ✔
Connection draining                            ✔                          ✔
Cross-zone load balancing †                    Always enabled             ✔
Path-based routing                             ✔
Route to multiple ports on a single instance   ✔
HTTP/2 support                                 ✔
Websockets support                             ✔
Load balancer deletion protection              ✔
69. Amazon Auto Scaling & Application Availability
“Auto Scaling helps you maintain application availability and
allows you to scale your Amazon EC2 capacity up or down
automatically according to conditions you define.”
70. Amazon Auto Scaling Benefits
• Maintain your Amazon EC2 instance availability
– Use Auto Scaling to detect impaired EC2 instances and unhealthy applications, and replace the instances without your intervention
– Ensures that your application is getting the compute capacity that you expect
• Automatically scale your Amazon EC2 fleet
– Enables you to follow the demand curve for your applications closely, reducing the need to manually provision Amazon EC2 capacity in advance.
71. Amazon Auto Scaling Functionality
With Amazon Auto Scaling, you can:
– Set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average utilization of your Amazon EC2 fleet is high
– Similarly, set a condition to remove instances in the same increments when CPU utilization is low.
If you have predictable load changes, you can:
– Set a schedule through Auto Scaling to plan your scaling activities.
– Use Amazon CloudWatch to send alarms to trigger scaling activities and Elastic Load Balancing to help distribute traffic to your instances within Auto Scaling groups.
Auto Scaling enables you to run your Amazon EC2 fleet at optimal utilization.
72. Today’s Load Balancing (ELB) Lab Outline
1. Create a public-facing Amazon Elastic Load Balancer
2. Attach EC2 instance(s) to the ELB
• https://events-aws.qwiklab.com/classrooms/6660
• https://events-aws.qwiklab.com
73. Today’s Auto Scaling Lab Outline
1. Create Launch Configuration
2. Create Amazon AutoScaling Group
• https://events-aws.qwiklab.com/classrooms/6660
• https://events-aws.qwiklab.com