AWS Foundation Service Introduction Getting Started with AWS
© 2017, eCloudValley Amazon Web Services Partner. All rights reserved.
Module Layout
• Module 1: AWS Foundation Knowledge and Infrastructure
• Module 2: Computing on AWS – Amazon EC2
• Module 3: Networking on AWS – Amazon VPC
• Module 4: Storage on AWS – Amazon S3, EBS
Module 1 AWS Foundation Knowledge and Infrastructure
Amazon Web Services (AWS)
Service categories shown on the slide: Compute, Storage, Database, Networking, Content Delivery, Messaging, Mobile, Analytics, App Services, Development and Management Tools, Payments, On-Demand Workforce, VPC.
AWS enables businesses and developers to use web services to build scalable, sophisticated applications.
AWS Rapid Pace of Innovation
New features/services launched per year (chart):
2009: 48
2011: 82
2013: 159
2015: 722
Services and Features (selection shown on the slide): AWS Elastic Beanstalk, AWS CloudTrail, Amazon WorkSpaces, Amazon Kinesis, Amazon SNS, Amazon Route 53, Amazon SWF, Amazon AppStream, Amazon DynamoDB, AWS Data Pipeline, AWS Config, Amazon RDS for Aurora, Amazon WorkDocs, AWS Direct Connect, AWS Directory Service, AWS CodeCommit, AWS Service Catalog, Amazon CloudWatch Logs, Amazon API Gateway, Amazon Machine Learning, AWS Device Farm, AWS WAF, Amazon Elasticsearch Service, Amazon QuickSight, AWS Import/Export, Amazon Inspector, AWS IoT, Amazon EC2 Container Registry, AWS CodePipeline, Amazon ElastiCache, AWS CloudHSM, Amazon Mobile Analytics, Amazon RDS for MariaDB, AWS Mobile Hub, AWS KMS, AWS Storage Gateway, AWS GovCloud (US), AWS OpsWorks, Amazon SES, Amazon Elastic Transcoder, Amazon EC2 Container Service, Amazon Cognito, AWS CodeDeploy, Amazon CloudSearch, Amazon Glacier, Amazon WorkMail, AWS Certificate Manager, Amazon EFS, Amazon Redshift, AWS Identity and Access Management, AWS Lambda, AWS CloudFormation.
Advantages and Benefits of AWS Cloud Computing
• Trade capital expense for variable expense.
• Benefit from massive economies of scale.
• Stop guessing capacity.
• Increase speed and agility.
• Stop spending money on running and maintaining data centers.
• Go global in minutes.
AWS Cloud Computing (service stack, top to bottom)
Applications: Virtual Desktops; Collaboration and Sharing
Platform Services:
• Databases: Relational, NoSQL, Caching
• Analytics: Cluster Computing, Real-time, Data Warehouse, Data Workflows
• App Services: Queuing, Orchestration, App Streaming, Transcoding, Search
• Deployment and Management: Containers, Dev/ops Tools, Resource Templates, Usage Tracking, Monitoring and Logs
• Mobile Services: Identity, Sync, Mobile Analytics, Notifications
Foundation Services: Compute (Virtual, Auto-scaling and Load Balancing); Networking; Storage (Object, Block and Archive)
Infrastructure: Regions; Availability Zones; Edge Locations
AWS Foundation Services
• Compute: Amazon EC2, AWS Lambda, Amazon EC2 Container Service, AWS Elastic Beanstalk, Elastic Load Balancing, Auto Scaling
• Network: Amazon VPC, AWS Direct Connect, Amazon Route 53
• Storage: Amazon S3, Amazon CloudFront, Amazon Elastic File System, Amazon Glacier, AWS Storage Gateway, AWS Import/Export
• Security & Identity: AWS Identity and Access Management, AWS Directory Service, AWS CloudHSM, AWS KMS, AWS WAF
• Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail
AWS Platform Services
• Databases: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift, AWS Database Migration Service
• Analytics: Amazon EMR, AWS Data Pipeline, Amazon Kinesis, Amazon Elasticsearch Service, Amazon Machine Learning
• App Services: Amazon API Gateway, Amazon AppStream, Amazon CloudSearch, Amazon Elastic Transcoder, Amazon SES, Amazon SQS, Amazon SWF
• Management Tools: AWS CloudTrail, AWS CloudFormation, AWS Config, AWS OpsWorks, Amazon CloudWatch, AWS Service Catalog, Trusted Advisor
• Developer Tools: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline
• Mobile Services: AWS Device Farm, Amazon Mobile Analytics, Amazon Cognito, Amazon SNS, AWS Mobile Hub
• Internet of Things: AWS IoT
• Also shown: AWS Certificate Manager
AWS Data Center
• A single data center typically holds more than 50,000 servers, and often more than 80,000
• Up to 102 Tbps provisioned to a single data center
• AWS custom network equipment, multi-ODM sourced
• Amazon custom network protocol stack
AWS Availability Zone
• 1 of 44 AZs worldwide
• Each AZ is one or more data centers; no data center is in two AZs
• Some AZs have as many as 6 data centers
• All regions have 2 or more AZs
• Data centers within an AZ are less than 2 milliseconds apart
• Within an AZ, data centers are not required to be fault-independent of one another, nor to have the lowest possible latency between them: the AZ, not the data center, is the unit of fault isolation, so workloads that need independence must span multiple AZs
AWS Region
• 1 of 16 AWS regions worldwide
• Redundant paths to transit centers
• Transit centers connect to private links to other AWS regions, and to the Internet through peering and paid transit
• AZs within a region are < 2 milliseconds apart, and usually < 1 millisecond
AWS Global Infrastructure
• 16 AWS Regions
• 70+ AWS Edge Locations (CDN/DNS)
You and AWS share responsibility for security
AWS takes care of the security of the cloud:
• AWS global infrastructure: regions, Availability Zones, edge locations
• AWS foundation services: compute, storage, database, networking
You (the mission owner and partner) define your controls in the cloud:
• customer applications and content
• data security
• access control
• network security
• server security
Module 2 Computing on AWS Amazon EC2
Amazon EC2 Facts
§ Resizable compute instances in the cloud
§ Provision 1 or many instances
§ Pay for what you use; no minimum commitment
§ Familiar operating systems, with cloud benefits
AWS EC2 Instance Families

| Family | Instance type | Intel processor | Intel AVX | Intel AES-NI | Intel Turbo Boost | Intel TSX | Per-core P- and C-state control | SSD storage |
| High Memory | X1 | Intel Xeon E7-8880 v3 | AVX 2.0 | Yes | Yes | Yes | No | EBS-optimized by default |
| Compute-Optimized | C4 | Custom Intel Xeon E5-2666 v3 | AVX 2.0 | Yes | Yes | No | Yes (8xlarge only) | EBS-optimized by default |
| Storage-Optimized | D2 | Custom Intel Xeon E5-2676 v3 | AVX 2.0 | Yes | Yes | No | No | No |
| General Purpose | M4 | Custom Intel Xeon E5-2676 v3 | AVX 2.0 | Yes | Yes | No | No | EBS-optimized by default |
| Memory-Optimized | R3 | Intel Xeon E5-2670 v2 | Yes | Yes | Yes | No | No | Yes |
| IO-Optimized | I2 | Intel Xeon E5-2670 v2 | Yes | Yes | Yes | No | No | Yes |
| Graphics-Optimized | G2 | Intel Xeon E5-2670 | Yes | No | Yes | No | No | Yes |
| Burstable Performance | T2 | Intel Xeon family | Yes | No | Yes | No | No | EBS only |

Note the AES-NI column: hardware AES acceleration is what keeps TLS termination and disk encryption cheap, and the G2 and T2 families listed here do not have it.
Completely Controlled
§ You have control of your instances
§ Log on as root (Linux) / Administrator (Windows)
§ Install the software you need
§ Make the configuration changes you like
§ Create an AMI (Amazon Machine Image)
§ Start/Stop and control via console or APIs
Multiple Instance Types
§ Choose the instance type that suits you
§ Change the instance type when you want to
§ Attach as much or as little storage as you need
§ Choose your operating system
§ Choose a pre-configured image (AMI)
Build Reliable Architectures
§ Easily build highly available applications
§ AWS Elastic Load Balancing distributes load
§ Auto Scaling helps ensure availability and scale
§ Use multiple Availability Zones (AZs)
Amazon EC2 purchasing options

On-Demand instances
• Unix/Linux instances start at $0.02/hour
• Pay as you go for compute power; low cost and flexibility
• Pay only for what you use, no up-front commitments or long-term contracts
• Use cases: applications with short-term, spiky, or unpredictable workloads; application development or testing

Reserved instances
• 1- or 3-year terms; pay a low up-front fee, receive a significant hourly discount
• Low cost and predictability; helps ensure compute capacity is available when needed
• Use cases: applications with steady-state or predictable usage; applications that require reserved capacity, including disaster recovery

Spot instances
• Bid on unused EC2 capacity
• Spot price based on supply/demand, determined automatically
• Low cost for large-scale, dynamic workload handling
• Use cases: applications with flexible start and end times; applications only feasible at very low compute prices
AWS Marketplace
§ AWS online software store
§ Find, research and buy software
§ Simple pricing, aligned with the utility model
§ 1-Click launch products, running in minutes
§ Over 1300 products listed in 25 categories
§ Free trials and enterprise offerings; move seamlessly from PoC to production
Module 3 Networking on AWS Amazon VPC
Amazon VPC Facts
§ Provision a logically isolated section of the AWS cloud
§ Control your virtual networking environment: subnets, route tables, security groups, network ACLs
§ Connect to your on-premises network via hardware VPN
§ Control if and how your instances access the Internet
Walkthrough: setting up an Internet-connected VPC
Creating an Internet-connected VPC: steps
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC
Choosing an IP address range
CIDR notation review
CIDR range example: 172.31.0.0/16
In binary: 1010 1100 0001 1111 0000 0000 0000 0000
The /16 says the first 16 bits (172.31) are the fixed network prefix; the remaining 16 bits are the host part, which is why a /16 holds 65,536 addresses.
Choosing an IP address range for your VPC
Example: 172.31.0.0/16
Recommended: an RFC 1918 private range
Recommended: /16 (64K addresses)
Pick a range that does not overlap with your on-premises networks or with any VPC you may later peer with; overlapping ranges cannot be routed to each other.
VPC subnets and Availability Zones
VPC: 172.31.0.0/16
• VPC subnet 172.31.0.0/24 in Availability Zone eu-west-1a
• VPC subnet 172.31.1.0/24 in Availability Zone eu-west-1b
• VPC subnet 172.31.2.0/24 in Availability Zone eu-west-1c
VPC subnet recommendations
§ /16 VPC (64K addresses)
§ /24 subnets (251 usable addresses: AWS reserves the first four and the last address of every subnet)
§ One subnet per Availability Zone
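The address-planning steps above (pick an RFC 1918 range, size the VPC, carve one /24 per AZ, avoid overlaps) as a small worked script. This is an added example, not code from the deck: the VPC range and AZ names are the deck's, the 5-reserved-addresses figure is AWS's documented per-subnet behaviour, and the `avoid` list of on-premises/peer ranges is an assumption introduced here to show the overlap check.

```python
"""Added example, not code from the deck: plan a /16 VPC into /24 subnets,
one per Availability Zone, and check the recommendations on the slides.
Assumes the deck's range and AZs (172.31.0.0/16, eu-west-1a/b/c) and the
AWS rule that the first four and the last address of each subnet are
reserved, which is why a /24 yields 251 usable hosts rather than 254.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5


def cidr_bits(cidr):
    """Dotted 32-bit binary form, as shown on the CIDR review slide."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = format(int(net.network_address), "032b")
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def is_rfc1918(cidr):
    """True if the whole range lies inside one of the private blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def usable_hosts(cidr):
    """Addresses an EC2 instance can actually take in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def overlaps(cidr_a, cidr_b):
    """Overlapping ranges cannot be peered or routed unambiguously over a VPN."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def plan_subnets(vpc_cidr, azs, new_prefix=24, avoid=()):
    """Carve one /new_prefix subnet per AZ out of vpc_cidr, in order.

    Rejects non-RFC1918 ranges, VPC sizes outside AWS's /16../28 limit, and
    a VPC range that collides with any CIDR in `avoid` (on-premises, peers).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 range")
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR blocks must be between /16 and /28")
    for other in avoid:
        if overlaps(vpc_cidr, other):
            raise ValueError(f"{vpc_cidr} overlaps {other}")
    subnets = vpc.subnets(new_prefix=new_prefix)
    return {az: str(next(subnets)) for az in azs}


if __name__ == "__main__":
    print(cidr_bits("172.31.0.0/16"))
    print(plan_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"],
                       avoid=["192.168.0.0/16", "10.55.0.0/16"]))
```

Run it with a proposed VPC range and the CIDRs of every network you expect to connect (the deck's later slides use 192.168.0.0/16 on-premises and a 10.55.0.0/16 peer); the overlap check is the one most often skipped until a peering or VPN is needed.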
Routing in your VPC
§ Route tables contain rules for which packets go where
§ Your VPC has a default (main) route table, but you can assign different route tables to different subnets
§ Traffic destined for your VPC stays in your VPC: every route table carries a local route for the VPC's own CIDR
§ Internet Gateway: send packets here if you want them to reach the Internet
§ Everything that isn't destined for the VPC goes to the Internet: a 0.0.0.0/0 route pointing at the Internet Gateway makes a subnet public
Network security in VPC: Network ACLs / Security Groups

Network ACLs vs. security groups
NACLs:
§ Applied to subnets
§ Stateless
§ Allow and deny (blacklist)
§ Rules processed in order (lowest rule number first; the first match wins)
Security Groups:
§ Applied to the instance ENI
§ Stateful
§ Allow only (whitelist)
§ Rules evaluated as a whole
§ Can reference other security groups in the same VPC
Network ACLs: stateless firewalls
Example rule, in English: allow all traffic in
Can be applied on a subnet basis
Because the ACL is stateless, return traffic must be allowed explicitly in the opposite direction; for TCP replies that means opening the ephemeral port range outbound, not just the service port
Security groups example: web servers
In English: hosts in this group are reachable from the Internet on port 80 (HTTP)
Security groups example: backends
In English: only instances in the MyWebServers security group can reach instances in this security group
Amazon VPC Network Security Controls
Security groups in VPC: additional notes
§ Follow the principle of least privilege
§ VPC allows creation of egress as well as ingress security group rules
§ Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do)
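The NACL-versus-security-group slides above describe four differences (stateless vs. stateful, ordered vs. evaluated as a whole, allow/deny vs. allow-only, CIDR vs. group references). The model below is an added example, not code from the deck, that exercises each of them on constructed rule sets; the MyWebServers and backend groups follow the slide examples, while the rule numbers, the 203.0.113.0/24 client range and the client port 51000 are made up for the demonstration.

```python
"""Added example, not code from the deck: a small model of the two VPC
filters so the stateless/stateful and ordered/unordered differences can be
run rather than read. Rule numbers, CIDRs and the client port are constructed
for the example; the MyWebServers / MyBackends groups follow the slides.
"""
import ipaddress

EPHEMERAL_PORTS = (1024, 65535)  # range AWS recommends opening for NACL reply traffic


def _hits(cidr, ip, lo, hi, port):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi


# ---- Network ACL: ordered, allow+deny, stateless ---------------------------

def nacl_allows(rules, ip, port):
    """rules: (number, action, cidr, port_lo, port_hi). Lowest number first,
    first match wins, and the implicit '*' rule at the end denies."""
    for _, action, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
        if _hits(cidr, ip, lo, hi, port):
            return action == "allow"
    return False


def nacl_tcp_session_ok(inbound, outbound, client_ip, service_port, client_port):
    """Stateless: the request AND the reply must each match an allow rule.
    The request is matched on the service port, the reply on the client's port."""
    return (nacl_allows(inbound, client_ip, service_port)
            and nacl_allows(outbound, client_ip, client_port))


# ---- Security group: unordered, allow-only, stateful ------------------------

def sg_allows(groups, target_group, src_ip, src_groups, port):
    """groups: {name: [(source, port_lo, port_hi), ...]} inbound rules, where
    source is a CIDR or the name of another group in the same VPC. Any matching
    rule allows; there is no deny and no ordering. Replies are tracked, so no
    outbound rule is consulted for a session that was allowed in."""
    for source, lo, hi in groups[target_group]:
        if not lo <= port <= hi:
            continue
        if source in groups:                     # rule references a security group
            if source in src_groups:
                return True
        elif _hits(source, src_ip, lo, hi, port):  # rule is a CIDR
            return True
    return False


# Constructed rule sets matching the slides' English descriptions.
SECURITY_GROUPS = {
    "MyWebServers": [("0.0.0.0/0", 80, 80)],        # reachable from the Internet on HTTP
    "MyBackends": [("MyWebServers", 3306, 3306)],   # only web servers, and only MySQL
}
NACL_IN = [(100, "allow", "0.0.0.0/0", 80, 80)]
NACL_IN_BLOCK_FIRST = [(90, "deny", "203.0.113.0/24", 80, 80)] + NACL_IN
NACL_IN_BLOCK_SHADOWED = NACL_IN + [(110, "deny", "203.0.113.0/24", 80, 80)]
NACL_OUT_FORGOT_REPLIES = [(100, "allow", "0.0.0.0/0", 80, 80)]  # common mistake
NACL_OUT_FIXED = [(100, "allow", "0.0.0.0/0", *EPHEMERAL_PORTS)]
```

Two results worth trying: a web client at 203.0.113.9 gets through the security group on port 80 but its TCP session dies under `NACL_OUT_FORGOT_REPLIES`, because the stateless ACL never allowed the reply on the client's ephemeral port; and the same deny rule blocks that client when numbered 90 but is silently shadowed when numbered 110, which is the "rules processed in order" point. The backend group admits 172.31.0.10 only when that instance is a member of MyWebServers, not merely because of its address.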
Connectivity options for VPCs
Beyond Internet connectivity:
• Restricting Internet access
• Connecting to your corporate network
• Connecting to other VPCs
Restricting Internet access: routing by subnet
Routing by subnet: one VPC subnet has a route to the Internet (via the Internet Gateway) and is public; the other VPC subnet has no route to the Internet and is private.
Outbound-only Internet access: NAT gateway
Instances in the private VPC subnet route 0.0.0.0/0 to a NAT gateway placed in the public VPC subnet. The NAT gateway (public IP 54.161.0.39 in the example) forwards their traffic to the Internet through the Internet Gateway via its own 0.0.0.0/0 route, but accepts no inbound connections from the Internet.
Inter-VPC connectivity: VPC peering
Example VPC peering use: a shared services VPC hosting common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Security groups across peered VPCs
With a VPC peering between 172.31.0.0/16 and 10.55.0.0/16 in place, a rule in the Orange security group (172.31.0.0/16) can ALLOW traffic from the Blue security group in the peered VPC (10.55.0.0/16), instead of allowing the peer's whole CIDR.
Establish a VPC peering (172.31.0.0/16 and 10.55.0.0/16)
Step 1: Initiate the peering request from one VPC
Step 2: Accept the peering request in the other VPC
Step 3: Create routes in both VPCs. In English: traffic destined for the peered VPC should go to the peering connection
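The routing slides (local route, Internet Gateway, routing by subnet, NAT gateway) and step 3 of the peering walkthrough all come down to longest-prefix-match lookups over a per-subnet route table. The script below is an added example, not code from the deck, that runs those lookups over route tables built from the deck's CIDRs (172.31.0.0/16 and the 10.55.0.0/16 peer); the targets igw-example, nat-example and pcx-example are placeholder names, not real AWS resource IDs.

```python
"""Added example, not code from the deck: longest-prefix-match lookups over
the route tables the routing, NAT gateway and VPC peering slides describe.
Assumes the deck's CIDRs (172.31.0.0/16, peer 10.55.0.0/16); the targets
igw-example, nat-example and pcx-example are placeholders, not AWS IDs.
"""
import ipaddress

VPC_CIDR = "172.31.0.0/16"
PEER_CIDR = "10.55.0.0/16"

# Every VPC route table carries a "local" route for the VPC's own CIDR;
# that is the "traffic destined for my VPC stays in my VPC" rule.
ROUTE_TABLES = {
    # public subnet: default route to the Internet Gateway, plus the peering route
    "rtb-public": [(VPC_CIDR, "local"), (PEER_CIDR, "pcx-example"),
                   ("0.0.0.0/0", "igw-example")],
    # private subnet: outbound-only Internet through a NAT gateway, no peering route
    "rtb-private-nat": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-example")],
    # isolated subnet: nothing beyond the VPC
    "rtb-isolated": [(VPC_CIDR, "local")],
    # the peer VPC, with and without its half of the peering route (step 3)
    "rtb-peer": [(PEER_CIDR, "local"), (VPC_CIDR, "pcx-example")],
    "rtb-peer-missing-route": [(PEER_CIDR, "local")],
}


def lookup(rtb, dst_ip):
    """Return the route target for dst_ip, or None if nothing matches (dropped).

    VPC route tables use longest-prefix match: 172.31.0.0/16 beats 0.0.0.0/0
    for an in-VPC destination even though both contain it.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[rtb]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def internet_exposure(rtb):
    """Classify a subnet by where its default route points."""
    target = lookup(rtb, "203.0.113.1")  # any address outside the VPC and peer
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private-outbound-only"
    return "other"


def peering_usable(local_rtb, local_ip, peer_rtb, peer_ip):
    """Step 3 of the peering walkthrough: routes are needed on BOTH sides.

    A route in only one VPC sends requests whose replies have no way back,
    and peering is not transitive, so the check is per pair of route tables.
    """
    out = lookup(local_rtb, peer_ip)
    back = lookup(peer_rtb, local_ip)
    return bool(out and out.startswith("pcx-") and back and back.startswith("pcx-"))


if __name__ == "__main__":
    for name in ROUTE_TABLES:
        print(name, internet_exposure(name))
    print(peering_usable("rtb-public", "172.31.0.5", "rtb-peer", "10.55.0.5"))
```

The last case in the tests is the one that bites in practice: from the private-NAT subnet, a packet for 10.55.0.5 matches 0.0.0.0/0 and is handed to the NAT gateway rather than the peering, because that subnet's table never got its peering route.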
Connecting to on-premises networks: Virtual Private Network & Direct Connect
Extend an on-premises network into your VPC with VPN or Direct Connect
AWS VPN basics
Your networking device (the Customer Gateway, on the 192.168.0.0/16 network) connects to the Virtual Private Gateway of the VPC (172.31.0.0/16) over two IPsec tunnels, so the connection survives the loss of one tunnel.
VPN and AWS Direct Connect
§ Both allow private connections between your network and your VPC
§ VPN is a pair of IPsec tunnels over the Internet
§ Direct Connect is a dedicated line with lower per-GB data transfer rates; the line itself is not encrypted, so run a VPN over it if the data needs confidentiality in transit
§ For highest availability: use both, with VPN as the backup path for Direct Connect
VPC and the rest of AWS
• AWS services in your VPC
• VPC endpoints for Amazon S3
• DNS in-VPC with Amazon Route 53
• Logging VPC traffic with VPC Flow Logs
Example: Amazon RDS database in your VPC, reachable via DNS name mydb-cluster-1….us-west-2.rds.amazonaws.com
Example: AWS Lambda function in your VPC
Best practices for in-VPC AWS services
§ Many AWS services support running in-VPC
§ Use security groups for least-privilege network access
§ For best availability, use multiple Availability Zones. Examples: Multi-AZ RDS deployments; give EFS a mount target in each AZ and mount from the instance's own AZ
VPC Endpoints for Amazon S3
S3 and your VPC: without an endpoint, your applications in the VPC reach your data in the S3 bucket over the Internet path (through the Internet Gateway or a NAT gateway), even though both ends are inside AWS.
AWS VPC endpoints for S3: add an S3 endpoint to the VPC and route S3-bound traffic to the VPC endpoint (VPCE) instead; the traffic stays on the AWS network and the subnet no longer needs Internet access to use S3.
IAM policy for VPC endpoints
• IAM policy at the VPC endpoint: restrict the actions the VPC may perform in S3
• IAM policy at the S3 bucket: make the bucket accessible from the VPC endpoint only
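The two policies the slide describes, written out, together with a minimal evaluator for the one condition that makes the bucket-side policy work. This is an added example, not from the deck: the bucket name, the endpoint ID `vpce-example`, the account ID and the break-glass role ARN are placeholders, and the evaluator implements only the negated string/ARN operators used here, following IAM's documented rule that a negated operator matches when the key is absent from the request context.

```python
"""Added example, not code from the deck: the endpoint policy and bucket
policy for an S3 gateway endpoint, plus a minimal evaluator for the
aws:SourceVpce condition. The bucket name, endpoint ID vpce-example,
account ID and break-glass role ARN are placeholders. The evaluator covers
only StringNotEquals / ArnNotEquals, with IAM's rule that a negated
operator is true when the key is absent from the request context.
"""
import json

BUCKET = "example-bucket"
ENDPOINT_ID = "vpce-example"
BREAK_GLASS = "arn:aws:iam::123456789012:role/BreakGlass"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Attached to the VPC endpoint: every principal routing through it is limited
# to reads of this one bucket, whatever its own IAM policy says (both must allow).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }],
}

# Attached to the bucket: deny anything that did not arrive via the endpoint.
# Caveat: a request with no aws:SourceVpce at all (console, CLI from a laptop)
# also matches StringNotEquals, so administrators are locked out too. The
# second key exempts one break-glass role; both keys must match for the Deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {
            "StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID},
            "ArnNotEquals": {"aws:PrincipalArn": BREAK_GLASS},
        },
    }],
}


def render(policy):
    """JSON as you would paste into the console or pass to the CLI."""
    return json.dumps(policy, indent=2)


def endpoint_allows(action):
    """Does the endpoint policy permit this S3 action at all?"""
    return any(action in stmt["Action"] for stmt in ENDPOINT_POLICY["Statement"]
               if stmt["Effect"] == "Allow")


def _negated_operator_matches(key_values, context):
    # StringNotEquals / ArnNotEquals: false only if the key is present AND equal.
    return all(context.get(key) != value for key, value in key_values.items())


def bucket_denies(context):
    """context: request-context keys, e.g. {"aws:SourceVpce": "vpce-example",
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/App"}.
    Returns True if the explicit Deny in the bucket policy fires."""
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt.get("Condition", {})
        if all(op in ("StringNotEquals", "ArnNotEquals")
               and _negated_operator_matches(kv, context)
               for op, kv in conds.items()):
            return True
    return False


if __name__ == "__main__":
    print(render(BUCKET_POLICY))
```

The endpoint policy and the bucket policy are complementary: the first bounds what anything inside the VPC can do to S3 through that endpoint, the second bounds where requests for this bucket may come from. Because an explicit Deny wins over every Allow, test the bucket policy against a request context without `aws:SourceVpce` before you attach it, which is exactly what the evaluator above does.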
Reference architecture (diagram): a VPC spanning Availability Zone 1a and Availability Zone 1b with three VPC subnets (instances 10.0.0.5, 10.0.0.6, 10.0.1.5, 10.0.1.6, 10.0.1.8, 10.0.1.25, 10.0.3.5, 10.0.3.17), an Internet Gateway to the Internet, and a Virtual Private Gateway with a VPN connection to the Customer Gateway in the customer data center.
Module 4 Storage on AWS Amazon S3, EBS
Object Storage vs. Block Storage
Simple Storage Service (S3)
§ Storage for the Internet
§ Store and retrieve any amount of data, at any time, from anywhere on the web
§ Highly scalable, reliable, and secure
§ Supports encryption
§ Pay only for what you use
S3 event notifications
S3 delivers notifications to an Amazon SNS topic, an Amazon SQS queue, or an AWS Lambda function when events occur in a bucket.
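What a Lambda function on the receiving end of such a notification actually has to do with the event, as an added example that is not part of the deck. The event is constructed here in the shape S3 sends to Lambda (one `Records[]` entry per object event); bucket and key names are placeholders, and the `processed/` output prefix is an assumption made to show the loop guard. Two details the slide does not mention: the object key arrives URL-encoded (a space becomes `+`), and a function that writes back into the same bucket must skip its own output or it re-triggers itself indefinitely.

```python
"""Added example, not code from the deck: a Lambda-style handler for the S3
event notification the slide describes. SAMPLE_EVENT is constructed in the
shape S3 sends (one Records[] entry per object event); bucket and key names
are placeholders, and the processed/ prefix is assumed for the loop guard.
"""
import json
from urllib.parse import unquote_plus

OUTPUT_PREFIX = "processed/"   # where this function writes; never reprocess it

SAMPLE_EVENT = {  # constructed sample in the shape of an S3 -> Lambda notification
    "Records": [
        {
            "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "eu-west-1",
            "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "example-uploads"},
                   "object": {"key": "incoming/report+2017%2801%29.csv", "size": 1024}},
        },
        {
            "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "eu-west-1",
            "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "example-uploads"},
                   "object": {"key": "processed/report.json", "size": 12}},
        },
        {
            "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "eu-west-1",
            "eventName": "ObjectRemoved:Delete",
            "s3": {"bucket": {"name": "example-uploads"},
                   "object": {"key": "incoming/old.csv"}},
        },
    ]
}


def parse_records(event):
    """Normalise S3 records: decode the key, classify the event, flag own output."""
    out = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue  # records from other sources are out of scope here
        key = unquote_plus(rec["s3"]["object"]["key"])   # '+' -> ' ', %28 -> '('
        out.append({
            "bucket": rec["s3"]["bucket"]["name"],
            "key": key,
            "kind": rec["eventName"].split(":")[0],      # ObjectCreated / ObjectRemoved
            "size": rec["s3"]["object"].get("size"),     # absent on delete events
            "own_output": key.startswith(OUTPUT_PREFIX),
        })
    return out


def handler(event, context=None):
    """Lambda entry point: process new uploads, alert on deletes, skip own output."""
    summary = {"processed": [], "alerts": [], "skipped": []}
    for rec in parse_records(event):
        if rec["own_output"]:
            summary["skipped"].append(rec["key"])
        elif rec["kind"] == "ObjectRemoved":
            summary["alerts"].append(f"deleted {rec['bucket']}/{rec['key']}")
        else:
            summary["processed"].append(rec["key"])
    return summary


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The same record shape arrives wrapped inside an SNS or SQS message when those are the notification targets; the S3 part is identical once unwrapped, so `parse_records` can be reused behind either.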
S3 versioning
• Preserve, retrieve, and restore every version of every object stored in your bucket
• S3 automatically adds new versions and preserves deleted objects with delete markers unless an explicit versioned DELETE operation is made
• Easily control the number of versions kept by using lifecycle expiration policies
• Easy to turn on in the AWS Management Console
S3 cross-region replication
Automated, fast, and reliable asynchronous replication of data across AWS regions (example: source bucket in Ireland, destination bucket in Frankfurt)
• Only replicates new PUTs: once configured, all new uploads into the source bucket are replicated
• Entire bucket or prefix based
• 1:1 replication between any 2 regions
• Versioning required
Use cases:
• Compliance: store data hundreds of miles apart
• Lower latency: distribute data to regional customers
• Security: create remote replicas managed by separate AWS accounts
S3 use cases
• Web-scale storage capacity and performance for web applications
• Single-origin store with delivery through Amazon CloudFront
• Staging and persistent store for Big Data applications
• Storage target for backup and active archive
Amazon Glacier Facts: archive storage in the cloud
§ Low-cost storage for archiving and backup
§ Secure and durable
§ No limit to the amount of data stored
§ Flexible
§ Pay only for what you use
§ Simple integration with S3
Amazon Glacier benefits
• Reduce cost for long-term archiving
• Leverage unlimited storage capacity
• Replace tape museums
• Improve durability
Elastic Block Store (EBS) Facts: block storage for EC2
§ Persistent off-instance storage
§ SSD or magnetic disk
§ Durable snapshots to S3
§ Encryption support
§ Provisioned IOPS option
EBS Volume Types: price and performance

| | Magnetic | General Purpose (SSD) | Provisioned IOPS (SSD) |
| Use cases | Infrequent data access | Boot volumes; small to medium DBs; dev and test | I/O-intensive relational DBs; NoSQL DBs |
| Storage media | Magnetic disk-backed | SSD-backed | SSD-backed |
| Max IOPS | 40–200 IOPS | 10,000 IOPS | 20,000 IOPS |
| Latency (random read) | 20–40 ms | 1–2 ms | 1–2 ms |
| Availability | Designed for 99.999% | Designed for 99.999% | Designed for 99.999% |
| Price | $0.05/GB-month plus $0.05/million I/O | $0.10/GB-month | $0.125/GB-month plus $0.065/provisioned IOPS-month |