Topics Discussed:
- AWS Global infrastructure
- Starting on AWS and IAM
- EC2, ELB and ASG
- Some important Cloud terminologies
- Virtual Private Cloud
- AWS Global infrastructure
The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally. Whether you need to deploy your application workloads across the globe in a single click, or you want to build and deploy specific applications closer to your end-users with single-digit millisecond latency, AWS provides you the cloud infrastructure where and when you need it.
AWS Regions
AWS has Regions all around the world
• Names can be us-east-1, eu-west-3…
• A region is a cluster of Availability Zones (data centers)
• Most AWS services are region-scoped
• Two AWS GovCloud regions exclusively for US government customers and their partners
AWS Availability Zones
Each region has many availability zones (usually 3, min is 2, max is 6).
Example:
• ap-southeast-2a
• ap-southeast-2b
• ap-southeast-2c
• Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
• They’re separate from each other, so that they’re isolated from disasters
• They’re connected with high bandwidth, ultra-low latency networking
AWS Points of Presence (Edge Locations)
• Amazon CloudFront uses the edge network to deliver content to end users with lower latency
Starting on AWS and IAM
Steps for creating an AWS Free Tier account
Step 1: Go to aws.amazon.com and click Create a Free Account
Step 2: Enter your email address. You may use an existing Amazon account (i.e. an account you use for shopping at amazon.com) if you have one or select I am a new user.
Step 3: Enter the requested information and click Create Account.
Step 4: Select Personal Account, enter your contact information, and complete the security check. Click Create Account and Continue when finished.
Step 5: Enter payment information and click Continue. Your credit/debit card will not be charged until you begin using services above and beyond the Free Tier (if applicable) and any AWS credit codes entered into your account. You may use your HigherOne account card.
Step 6: Provide a phone number for Identity Verification and click Call Me Now. You must be able to receive a voice call from Amazon’s automated identity verification system. A PIN will be displayed on your screen. Enter the PIN when prompted by the identity verification system.
Step 7: Select a Support Plan and click Continue. Most students will use the Basic (free) level. Support fees are not eligible for coverage by AWS credits.
Step 8: You will be returned to the AWS login screen. Click Sign in to the Console. You are all set and ready to use AWS services. You can view the Billing dashboard for budget analysis.
IAM: Users & Groups
IAM = Identity and Access Management (a global service)
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and user can belong to multiple groups
IAM Permissions
Users or groups can be assigned JSON documents called policies
• These policies define the permissions of the users
• In AWS you apply the least-privilege principle: don’t give more permissions than a user needs
IAM: Strong password + MFA (Multi-Factor Authentication)
• In AWS, you can set up a password policy:
• Set a minimum password length
• Require specific character types (uppercase letters, lowercase letters, numbers, non-alphanumeric characters)
• Allow password reset and prompt for password rotation
Multi-Factor Authentication
You want to protect your root account and IAM users
• MFA = password you know + security device you own
How users can access AWS
• To access AWS, you have three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Developer Kit (SDK) – for code: protected by access keys
Access keys
Access keys are generated through the Console (download the .csv file at the time of creation).
Users manage their own access keys.
Example:
• Access key ID: AKIASK4E37PV4983d6C
• Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq
AWS CLI
• A tool that enables you to interact with AWS services using commands in your command-line shell
• Direct access to the public APIs of AWS services
• You can develop scripts to manage your resources
• It’s open-source: https://github.com/aws/aws-cli
• Alternative to using the AWS Management Console
AWS SDK
• AWS Software Development Kit (AWS SDK)
• Enables you to access and manage AWS services programmatically
IAM roles for services
Some AWS services will need to perform actions on your behalf
• To do so, we assign permissions to AWS services with IAM Roles
• Common roles:
• EC2 Instance Roles
• Lambda Function Roles
• Roles for CloudFormation etc.
IAM guidelines and best practices
• Don’t use the root account except for AWS account setup
• One physical user = one AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi-Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for programmatic access (CLI / SDK)
• Rotate credentials regularly – applies to all users in the account
• Audit permissions of your account with the IAM Credential Report – lists the account’s users and the status of their credentials
• Never share IAM users & Access Keys
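As an added example (not from these notes), Python that audits a credential report in the CSV layout the IAM Credential Report uses, checking three of the guidelines above: the root account must have no active access keys, console users must have MFA, and access keys must be rotated within a limit. The rows, the fixed "today" date and the 90-day limit are assumptions; the column names match the real report, of which only a subset is shown.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample report (subset of the real columns, same names and value formats).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,true,true,true,2023-01-05T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-20T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-11-01T09:00:00+00:00,true,2024-05-20T09:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-06-01T09:00:00+00:00,false,N/A
"""

NOW = datetime(2024, 6, 30, 12, tzinfo=timezone.utc)  # fixed "today" so the results are reproducible

def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should never have programmatic credentials at all.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            continue
        # Console users (password_enabled) must have MFA; API-only users have no console password.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old (limit {max_key_age_days})"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```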
Amazon EC2
• EC2 = Elastic Compute Cloud = Infrastructure as a Service
• An EC2 instance is a virtual compute server
• Comes with attached virtual drives (EBS) for storing data
• Load can be distributed evenly across EC2 instances (ELB)
• By adding EC2 instances using an auto-scaling group (ASG) we can scale the services
Choices when selecting an EC2 instance
• Operating System (OS): Linux, Windows or macOS
• How much compute power & cores (CPU)
• How much random-access memory (RAM)
• How much storage space
AMI – Amazon Machine Image
An AMI is a template that contains the software configuration required to launch your instance.
• It includes the operating system, application server, and applications.
• Faster boot / configuration time because all your software is pre-packaged.
• AMIs are built for a specific region (and can be copied across regions)
• You can launch EC2 instances from:
• A Public AMI: AWS provided
• Your own AMI: you make and maintain them yourself
• An AWS Marketplace AMI: an AMI someone else made (and potentially sells)
Security Groups
Security groups act as a “firewall” on EC2 instances
• They control how traffic is allowed into or out of our EC2 instances.
• They regulate:
Access to ports
Authorised IP ranges – IPv4 and IPv6
• All inbound traffic is blocked by default [we can add an ALLOW rule to unblock]
• All outbound traffic is authorised by default [we cannot add any DENY rule to block]
EC2 instance metadata
AWS EC2 Instance Metadata is the data about the instance.
• Like – ami-id, hostname, instance-id, instance-type, security-groups and more….
• Run curl http://169.254.169.254/latest/meta-data from inside the instance to retrieve the details.
Metadata = Info about the EC2 instance
Userdata = launch script of the EC2 instance
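As an added example (not from these notes), a Python model of the security-group behaviour described above: rules are an allow-list with no deny field, inbound is denied unless a rule matches, and outbound passes only because a new group ships with an allow-all outbound rule set. It also includes a review check for admin ports opened to the whole internet. The rule tuples, the group name and the addresses are constructed for illustration.

```python
import ipaddress

# Constructed inbound rules for a web server group: (protocol, from_port, to_port, source CIDR).
# "-1" stands for all protocols, as in the AWS API. There is no deny field because
# security groups cannot express DENY rules.
WEB_SG_INBOUND = [
    ("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS from any IPv4 address
    ("tcp", 443, 443, "::/0"),           # HTTPS from any IPv6 address
    ("tcp", 22, 22, "203.0.113.0/24"),   # SSH only from the admin range (TEST-NET-3)
]
# Outbound rule set a new group gets by default: everything allowed.
DEFAULT_OUTBOUND = [("-1", 0, 65535, "0.0.0.0/0"), ("-1", 0, 65535, "::/0")]

def rule_matches(rule, protocol, port, address):
    """True if one rule covers this protocol, port and peer address."""
    proto, lo, hi, cidr = rule
    if proto != "-1" and (proto != protocol or not lo <= port <= hi):
        return False
    net = ipaddress.ip_network(cidr)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net

def inbound_allowed(inbound_rules, protocol, port, source):
    """Inbound is denied unless some rule allows it (default deny)."""
    return any(rule_matches(r, protocol, port, source) for r in inbound_rules)

def outbound_allowed(outbound_rules, protocol, port, dest):
    """Same allow-list logic: with DEFAULT_OUTBOUND everything passes; an empty
    list (default rule removed) blocks all egress."""
    return any(rule_matches(r, protocol, port, dest) for r in outbound_rules)

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def world_open_admin_ports(inbound_rules):
    """Review check: flag inbound rules exposing an admin port to every address (/0)."""
    hits = []
    for proto, lo, hi, cidr in inbound_rules:
        if ipaddress.ip_network(cidr).prefixlen != 0:
            continue
        for port, name in ADMIN_PORTS.items():
            if proto == "-1" or (proto == "tcp" and lo <= port <= hi):
                hits.append((port, name, cidr))
    return hits
```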
EC2 purchasing options
• On-Demand Instances: short workload, predictable pricing
• Reserved (1 to 3 years):
• Reserved Instances: long workloads
• Convertible Reserved Instances: long workloads; exchange option available.
• Scheduled Reserved Instances: eg: every Thursday between 3 and 6 pm
• Spot Instances: short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts: book an entire physical server, control instance placement
• Dedicated Instances: no other customers will share your hardware
EBS Volume
An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run, so that data is kept even after the instance is terminated.
• It allows your instances to persist data, even after their termination
• Every EC2 instance has a root volume, which is an attached EBS volume.
• We can add additional EBS volumes to an EC2 instance.
• But one EBS volume can only be mounted to one instance at a time. (Provisioned IOPS EBS is an exception)
• They are bound to a specific availability zone (an EBS volume in us-east-1a cannot be attached to an instance in us-east-1b)
Some important Cloud terminologies
Scalability & Availability.
Scalability means that an application / system can handle greater loads by adapting. There are two kinds of scalability:
• Vertical Scalability
• Horizontal Scalability (= elasticity)
(TLDR) High Scalability means High Performance.
Vertical scalability
Vertical Scalability means increasing/decreasing the size of the instance
• For example, your application runs on a t2.micro
• Scaling that application vertically means running it on a t2.large
• Vertical scalability is very common for non-distributed systems, such as a database.
Horizontal Scalability
Horizontal Scalability means increasing/decreasing the number of instances / systems for your application
• Horizontal scaling implies distributed systems.
• This is very common for web applications / modern applications
• It’s easy to scale horizontally thanks to cloud offerings such as Amazon EC2
High availability
High availability means running your application / system in at least 2 Availability Zones.
• The goal of high availability is to survive a data center loss (disaster)
(TLDR) HA means no downtime; no data loss.
High availability & scalability for EC2
• Vertical Scaling: increase instance size (= scale up / down)
• From: t2.nano – 0.5 GB of RAM, 1 vCPU
• To: u-12tb1.metal – 12.3 TB of RAM, 448 vCPUs
• Horizontal Scaling: increase number of instances (= scale out / in)
• If the instances are added across AZs, this gives High Availability as well.
Elastic Load Balancing
• Spread load across multiple downstream instances
• Expose a single point of access (DNS) to your application
• Seamlessly handle failures of downstream instances
• Do regular health checks to your instances
• Provide SSL termination (HTTPS) for your websites
• An ELB (Elastic Load Balancer) is a managed load balancer – AWS takes care of upgrades, maintenance, high availability
4 kinds of load balancers are offered by AWS:
• Application Load Balancer (HTTP / HTTPS only) – Layer 7
• Network Load Balancer (ultra-high performance, allows for TCP/UDP) – Layer 4
• Gateway Load Balancer (IP) – when third party security appliances like firewall, DDoS protection systems are part of your system – Layer 3
• Classic Load Balancer (retiring) – Layer 4 & 7
Auto Scaling Group in AWS
• Scale out (add EC2 instances) to match an increased load
• Scale in (remove EC2 instances) to match a decreased load
• Ensure we have a minimum and a maximum number of machines running.
• Replace unhealthy instances – uses the EC2 health check or the ELB health check.
• There are no additional charges for ASG; you are charged only for the EC2 instances.
Amazon CloudWatch
CloudWatch is the native monitoring platform of AWS. It provides metrics for every service in AWS.
• Can create CloudWatch dashboards and alarms on metrics
• With CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.
AWS CloudTrail
Provides governance, compliance and audit for your AWS account
• CloudTrail is enabled by default!
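As an added example (not from these notes), detection logic run over constructed CloudTrail records, alerting on the two things the IAM guidelines above warn about: any use of the root account, and console sign-ins without MFA. The field names follow the CloudTrail record format; the records, account ID and addresses are made up.

```python
import json

# Constructed trail file: one normal MFA login and API call by an IAM user, and a
# root console login without MFA followed by root creating an access key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-30T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-06-30T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-06-30T08:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-06-30T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

def detect_risky_events(trail_json):
    """Return (eventTime, eventName, reason) for records worth alerting on."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "?")
        # ConsoleLogin records carry MFAUsed in additionalEventData ("Yes"/"No").
        if rec.get("eventName") == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append((rec["eventTime"], "ConsoleLogin", f"console login by {who} without MFA"))
        # Root should only be used for account setup, so every root action is reported.
        if ident.get("type") == "Root":
            alerts.append((rec["eventTime"], rec["eventName"], "root account used"))
    return alerts

if __name__ == "__main__":
    for when, event, reason in detect_risky_events(SAMPLE_TRAIL):
        print(f"{when} {event}: {reason}")
```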