AWS Immersion Day - maculcommunity.org
AWS Immersion Day
© 2017 Amazon Web Services, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon Web Services, Inc.
Joseph Colangelo, AWS Account Manager
Varun Pole, AWS Solutions Architect
What we’ll cover today
• Introductions
• Intro to AWS and EC2 Overview
• Amazon EC2 Lab
• Break
• Cloud Storage with AWS
• Amazon S3 Lab
• Networking and Security in AWS
• Lunch
• Database on AWS
• RDS Lab (optional)
• Workspaces Demo
• Analytics Services with AWS / Parking Lot Items
• Closing and Next Steps
Introduction to Amazon Cloud & EC2 Overview
Overview
• Introduction to AWS Cloud
• Overview of AWS most used service: EC2
• EC2 Security Details
What is AWS?
• AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.
• Benefits
  – Low Cost
  – Elasticity & Agility
  – Open & Flexible
  – Secure
  – Global Reach
What sets AWS apart?
Experience: Building and managing cloud since 2006
Service Breadth & Depth: 90+ services to support any cloud workload
Pace of Innovation: History of rapid, customer-driven releases
Global Footprint: 16 regions, 42 availability zones, 73 edge locations
Pricing Philosophy: 59 proactive price reductions to date
Ecosystem: Thousands of consulting/system integrator & technology partners
*as of July 31, 2014
Experience with Operational Reliability
• We have spent over a decade building the world’s most reliable, secure, scalable, and cost-effective infrastructure.
• Service SLAs between 99.9% and 100% availability. Amazon S3 is designed for 99.999999999% durability.
• Availability Zones exist on isolated fault lines, flood plains, and electrical grids to substantially reduce the chance of simultaneous failure.
• The AWS Service Health Dashboard provides 24/7 visibility in the real-time operational status of all services around the globe.
We are driven to remove any and all causes of failure. Our goal is to make our operational performance indistinguishable from perfect.
Pricing Philosophy
• High volume / low margin businesses are in our core DNA
• Trade CapEx for variable expense
• Our economies of scale provide us with lower costs
• 53 price reductions since 2006
• Pricing model choice to support variable and stable workloads: On-demand, Reserved Instances, Spot
• Save more money as you grow bigger: Tiered pricing, Volume discounts, Custom pricing
AWS Positioned as a Leader in the Gartner Magic Quadrant for Cloud Infrastructure as a Service, Worldwide*
AWS is positioned highest in execution and furthest in vision within the Leaders Quadrant
*Gartner, Magic Quadrant for Cloud Infrastructure as a Service, Worldwide, Leong, Lydia, Petri, Gregor, Gill, Bob, Dorosh, Mike, August 3 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from AWS: http://www.gartner.com/doc/reprints?id=1-2G2O5FC&ct=150519&st=sb Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
1 Introduction to AWS
AWS Global Infrastructure
AWS Regions and Availability Zones
[Map: 16 Regions, 42 Availability Zones, 73 Edge Locations. Regions shown with their AZs: US East (VA), US East (OH), US West (CA), US West (OR), GovCloud (US), Canada, S. America (Sao Paulo), EU (Ireland), EU (Frankfurt), EU (London), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), China (Beijing)*]
*The China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.
Service Breadth & Depth
TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Solutions Architects, Training & Certification, Security & Pricing Reports, Partner Ecosystem
AWS MARKETPLACE: Backup, Big Data & HPC, Business Apps, Databases, Development, Industry Solutions, Security
MANAGEMENT TOOLS: Queuing, Notifications, Search, Orchestration
ENTERPRISE APPS: Virtual Desktops, Storage Gateway, Sharing & Collaboration, Email & Calendaring, Directories
HYBRID CLOUD MANAGEMENT: Backups, Deployment, Direct Connect, Identity Federation, Integrated Management
SECURITY & MANAGEMENT: Virtual Private Networks, Identity & Access, Encryption Keys, Configuration, Monitoring, Dedicated
INFRASTRUCTURE SERVICES: Regions, Availability Zones, Compute, Storage (Objects, Blocks, Files), Databases (SQL, NoSQL, Caching), CDN, Networking
PLATFORM SERVICES:
• App: Mobile & Web Front-end, Functions, Identity, Data Store, Real-time
• Development: Containers, Source Code, Build Tools, Deployment, DevOps
• Mobile: Sync, Identity, Push Notifications, Mobile Analytics, Mobile Backend
• Analytics: Data Warehousing, Hadoop, Streaming, Data Pipelines, Machine Learning
Any Questions?
2 EC2 Overview
EC2 Terminology
[Diagram: a Region containing Availability Zones; each AZ holds a VPC with instances and their EBS volumes; EBS Snapshots are stored in S3 Buckets]
• AMI: Virtual Machine Configuration
• Instance: Running or Stopped VM
• VPC
• AZ: Availability Zone
• EBS volumes, with EBS Snapshots stored in Amazon S3 buckets
• Region
EC2 Network Environment
• Virtual Private Cloud
  – Bring your own network
  – Customer-managed subnets and routing
  – Additional network controls (Security Groups, NACLs, routing)
  – Hardware VPN options between corporate networks
  – Instances have Security Group-controlled private IPs (dynamic public IPs or EIPs optional)
• Default VPC
  – Automatically assigned network and subnets (can now include NAT)
Broad Set of Compute Instance Types
• General purpose: M3, M4
• Compute optimized: C3, C4
• Storage and IO optimized: I2, D2
• GPU enabled: P2
• Memory optimized: R3, X1
Purchasing options at a glance
• Reserved Instances
  – Pay a low upfront price
  – Reserve an instance slot
  – Secure a low hourly rate
  – Sell & modify reservations if your needs change
• On-Demand Instances
  – Pay as you go
  – Flat hourly rate
  – No commitment
• Spot Instances
  – Bid what you like: your Spot instances run while your bid > the Spot price
  – Save up to 90% off of On-Demand
  – Run 1,000s of instances
EC2 Operating Systems Supported
• Windows 2003R2/2008/2008R2/2012/2012R2/2016
• Amazon Linux
• Debian
• Suse
• CentOS
• Red Hat Enterprise Linux
• Ubuntu
Layer your options
3 EC2 Security and Design
Details of a Virtual Machine
[Diagram: a physical host running a hypervisor; the VM workspace has one or more ephemeral (temporary) drives and one or more EBS (persistent) drives, plus network I/O; EBS volumes are backed by EBS Snapshots stored in Amazon S3]
EBS AMI First Time Boot
• Drive attaches to hypervisor & boots
EBS AMI Restart
• Drive reattached
EBS AMI Terminate (Default behavior)
• Default behavior: Drive deleted
EC2 Host Virtualization
[Diagram: a Physical Host with a firewall and physical interfaces; the hypervisor exposes virtual interfaces, one per customer instance (Large, Small, …), and each virtual interface is governed by its own Security Groups]
EC2 Security Groups
• Security Group Rules
  – Name
  – Description
  – Protocol
  – Port range
  – IP address, IP range, Security Group name
Tiered EC2 Security Groups
• Hierarchical Security Group Rules
  – Dynamically created rules
  – Based on Security Group membership
  – Create tiered network architectures
“Web” Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from “Mgmt”
“App” Security Group: TCP 8080 from “Web”; TCP 22 from “Mgmt”
“DB” Security Group: TCP 3306 from “App”; TCP 22 from “Mgmt”
“Mgmt” Security Group: TCP 22 from 163.128.25.32/32
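As an added illustration (not code from the deck), a small Python model of the four tiered groups above. It evaluates inbound reachability the way EC2 does (allow-list only, implicit deny, a rule source is either a CIDR or another group) and includes an audit helper that lists rules open to the whole internet. Group names, ports and the /32 are taken from the slide; the client addresses used in the checks are constructed.

```python
import ipaddress

# Rules transcribed from the deck's tiered example: (protocol, from_port, to_port, source).
# A source is either a CIDR or the name of another security group in this table.
SECURITY_GROUPS = {
    "Web":  [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 22, 22, "Mgmt")],
    "App":  [("tcp", 8080, 8080, "Web"), ("tcp", 22, 22, "Mgmt")],
    "DB":   [("tcp", 3306, 3306, "App"), ("tcp", 22, 22, "Mgmt")],
    "Mgmt": [("tcp", 22, 22, "163.128.25.32/32")],
}


def is_allowed(dst_group, proto, port, src_ip=None, src_group=None):
    """True if an inbound packet is admitted to an instance in dst_group.
    Security groups only contain allow rules, so anything unmatched is denied."""
    for rule_proto, lo, hi, source in SECURITY_GROUPS[dst_group]:
        if rule_proto != proto or not lo <= port <= hi:
            continue
        if source in SECURITY_GROUPS:
            # Group-referenced rule: matches on the sender's group membership,
            # regardless of the sender's (possibly dynamic) private IP.
            if src_group == source:
                return True
        elif src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False


def world_open_rules():
    """Audit helper: every rule whose source is the entire internet.
    In the tiered design only the Web tier's TCP 80 should appear here."""
    return [(group, proto, lo, hi)
            for group, rules in SECURITY_GROUPS.items()
            for proto, lo, hi, source in rules if source == "0.0.0.0/0"]


def tier_paths(src_group):
    """Which groups (and ports) instances in src_group may reach, sorted."""
    return sorted((group, lo)
                  for group, rules in SECURITY_GROUPS.items()
                  for _, lo, _, source in rules if source == src_group)
```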
EC2 IP Addressing
Default VPC:
• Dynamic Private IP
• Dynamic Public IP
• Optional Static Public IP (EIP)
• AWS-provided DNS names (Private DNS name, Public DNS name)
Virtual Private Cloud:
• Dynamic or Static Private IP Address
• No Public IP by default (can be created with publicIP=true)
• Optional Static Public IP (EIP)
• AWS-provided public DNS lookup, AWS-provided private DNS names, Customer-controlled DNS options
EC2-Specific Credentials
• EC2 key pairs
  – Linux: SSH key pair for first-time host login
  – Windows: Retrieve Administrator password
• Standard SSH RSA key pair
  – Public/Private Keys
  – Private keys are not stored by AWS
• AWS approach for providing initial access to a generic OS
  – Secure
  – Personalized
  – Non-generic (NIST, PCI DSS)
“Public Half” inserted by Amazon into each EC2 instance that you launch
“Private Half” downloaded to your desktop
EC2 Instance access and Key Pairs
• Linux launch (first boot)
  – Public key made available through metadata
  – Public key inserted into ~/.ssh/authorized_keys
  – User connects with SSH using their private key
• Windows launch (first boot sequence)
  – Public key made available through metadata
  – Sysprep
  – Random Administrator password
  – Password encrypted with public key
  – User decrypts password with their private key
[Diagram: the RSA public key flows from Instance metadata into the Instance; on Windows the encrypted password is written to the System log]
System log: <Password> aGIhplGOqrJQmBJW… K9gTD31Q== </Password>
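An added Python walk-through of both first-boot flows above and of the key-pair slide before it (example code, not the deck's; it assumes the `cryptography` package is installed): the public half of a freshly generated RSA key pair becomes the authorized_keys line for Linux, and for Windows a random Administrator password is encrypted to that public half, surfaced as a constructed `<Password>` element in the system log, and recovered only by the matching private half. The PKCS#1 v1.5 padding is the scheme EC2 password data uses.

```python
import base64
import re
import secrets
import string
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def generate_key_pair():
    """The key pair a user creates: the private half stays on the desktop,
    AWS only ever receives the public half."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def authorized_keys_line(public_key):
    """Linux first boot: the public key from instance metadata, in the
    one-line format appended to ~/.ssh/authorized_keys."""
    return public_key.public_bytes(serialization.Encoding.OpenSSH,
                                   serialization.PublicFormat.OpenSSH).decode()


def windows_first_boot(public_key):
    """Instance side (simulated): generate a random Administrator password,
    encrypt it to the public key and emit a constructed system-log fragment."""
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(16))
    ciphertext = public_key.encrypt(password.encode(), padding.PKCS1v15())
    system_log = "<Password>" + base64.b64encode(ciphertext).decode() + "</Password>"
    return password, system_log


def recover_password(system_log, private_key):
    """User side: extract the blob from the log and decrypt with the private half."""
    match = re.search(r"<Password>(.*?)</Password>", system_log, re.S)
    if not match:
        raise ValueError("no <Password> element in system log")
    blob = base64.b64decode("".join(match.group(1).split()))
    return private_key.decrypt(blob, padding.PKCS1v15()).decode()


def round_trip():
    """Full flow with two key pairs: only the matching private key recovers
    the password; the other key fails decryption (ValueError)."""
    private_key, public_key = generate_key_pair()
    other_private_key, _ = generate_key_pair()
    password, log = windows_first_boot(public_key)
    recovered = recover_password(log, private_key) == password
    try:
        recover_password(log, other_private_key)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return recovered, wrong_key_rejected
```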
Instance Metadata
• ami-id
• ami-launch-index
• ami-manifest-path
• block-device-mapping/
• hostname
• instance-action
• instance-id
• instance-type
• kernel-id
• local-hostname
• local-ipv4
• mac
• network/
• placement/availability-zone
• profile
• public-hostname
• public-ipv4
• public-keys/
http://169.254.169.254/latest/meta-data/ contains a wealth of info
Any Questions?
What AWS Marketplace Offers Customers
• Vast selection of software solutions optimized for AWS
• Flexible Pricing: Hourly, Monthly and Annually
• No cost trials
• 1-Click deployment
• Easy provisioning
• One invoice that includes AWS usage and AWS Marketplace Software
Large partner ecosystem
Any Questions?