Introduction to AWS
AWS Introduction, Global Infra, EC2, VPC, Storage, DB, Security, Monitoring & Migration

Hitesh Sahu
AWS Introduction
AWS Offering:
- Compute
- Storage
- Networking & Security
- Blockchain, ML & AI
- Robotics
- Media & Video Production
- Satellite ground stations
Certification Paths
Certificate | Full form | Labs |
---|---|---|
CLF-C01 | Cloud Practitioner | |
SAA-C02 | Solutions Architect Associate | |
SOA-C02 | SysOps Administrator Associate | 3 labs x 20 minutes |
DVA-C01 | Developer Associate | |
DOP-C01 | DevOps Engineer Professional | |
SAP-C01 | Solutions Architect Professional | |
Useful Links:
- **SOA Course**: https://thoughtworks.udemy.com/course/ultimate-aws-certified-sysops-administrator-associate/learn/lecture/13231674#overview
- **SAP Course**: https://thoughtworks.udemy.com/course/aws-solutions-architect-professional/learn/lecture/18400090#overview
- **DevOps Pro Hands on**: https://thoughtworks.udemy.com/course/aws-certified-devops-engineer-professional-hands-on/learn/lecture/16350020#overview
- **DevOps Pro Exam**: https://thoughtworks.udemy.com/course/aws-certified-devops-engineer-professional-practice-exam-dop/
- **Cloud Practitioner**: https://explore.skillbuilder.aws/learn/course/134/play/31418/aws-cloud-practitioner-essentials-all-modules;lp=82
- **DVA-C01 Course**: https://thoughtworks.udemy.com/course/aws-certified-developer-associate-dva-c01/learn/lecture/26100856#overview
Everything in AWS is an API
ACCESS KEY
- The SDKs and the CLI authenticate to the AWS APIs with an access key (access key ID + secret access key); the secret is used to sign every request and is never sent itself
1. AWS Management Console
Browser-based tool, used mainly for testing and learning.
2. SDK (Software Development Kit)
Developers call the APIs from their own language (JavaScript/Node.js, Python, Java, C++, .NET, PHP). Use case: embed AWS calls within an application or IoT device. Default region when none is configured: us-east-1.
3. CLI (Command Line Interface)
Direct access to the AWS public API from the command line. Open source; built on the Python SDK (botocore) internally. Use case: automation scripts on Windows, macOS and Linux.
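What an access key actually does on every SDK or CLI call is sign the request with AWS Signature Version 4. The following is an added example, not code from the original notes or from AWS: it implements SigV4 with only the Python standard library for a constructed IAM `ListUsers` request. The access key ID and secret are the non-functional placeholder values AWS uses in its documentation; the host, date and query parameters are assumptions for the demo.

```python
"""Sign an AWS API request with Signature Version 4 (SigV4), standard library only.

Added example, not from the original notes. Shows what an access key actually
does: the secret access key never travels on the wire; a per-day, per-region,
per-service key is derived from it with HMAC-SHA256 and used to sign a
canonical form of the request. The credentials are the non-functional
placeholders used in AWS documentation and the request is constructed.
"""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIDEXAMPLE"                                   # placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"      # placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Task 1: canonical request. Returns (text, signed_headers)."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    # Header names lower-cased, values trimmed with inner whitespace collapsed.
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = (f"{method}\n{quote(path, safe='/-_.~')}\n{canon_query}\n"
            f"{canon_headers}\n{signed_headers}\n{sha256_hex(payload)}")
    return text, signed_headers


def signing_key(secret, date_stamp, region, service):
    """Task 3: derive the signing key. Scoping it to date/region/service
    means a captured signature cannot be replayed elsewhere or on another day."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, payload, region, service,
                 amz_date, access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Return the Authorization header value for one request."""
    headers = dict(headers, host=host, **{"x-amz-date": amz_date})
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    # Task 2: the string to sign binds algorithm, timestamp, scope and request hash.
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def example_iam_list_users(secret_key=SECRET_KEY):
    """Constructed request: GET https://iam.amazonaws.com/?Action=ListUsers."""
    return sign_request(
        method="GET", host="iam.amazonaws.com", path="/",
        query={"Action": "ListUsers", "Version": "2010-05-08"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        payload=b"", region="us-east-1", service="iam",
        amz_date="20150830T123600Z", secret_key=secret_key)


if __name__ == "__main__":
    print(example_iam_list_users())
```

The Authorization header carries the access key ID, the credential scope and the 64-hex-character signature, never the secret. Because the payload hash and timestamp are part of the signed string, AWS rejects tampered or stale (more than about 15 minutes old) requests, which is why the CLI fails with a signature error when the local clock is wrong.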
Credential precedence
- The CLI and SDKs look for credentials in a fixed order and use the first source found: command-line options, environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN), the shared credentials and config files (~/.aws/credentials, ~/.aws/config), then container or EC2 instance-profile credentials
- Prefer IAM roles (temporary credentials) over long-lived access keys in code; never commit a secret access key to a repository
AWS CloudShell
- Execute CLI commands directly in the browser, already authenticated as the console user
- Free to use
- Comes with 1 GB of persistent storage per region for scripts
- Not available in all regions
Acceptable Use Policy
Describes the prohibited uses of the web services offered by Amazon Web Services.
AMAZON ELASTIC COMPUTE CLOUD (EC2)
Virtual servers running on hardware in Amazon data centers.
- An EC2 instance is a virtual machine launched on an AWS host
- Runs Windows or Linux
- The customer controls what runs on top of the OS
- Scale vertically by allocating more CPU/memory to an instance
- Scale horizontally by starting more instances
Multitenancy: several customers' virtual machines share the same underlying hardware, isolated from each other by the hypervisor.
Types of EC2 = Instance Family
- General Purpose: web servers, code repositories
- Compute Optimized: gaming servers, scientific modelling, HPC (High Performance Computing)
- Accelerated Computing: floating-point heavy work, graphics, data pattern matching (GPU/FPGA instances)
- Memory Optimized: in-memory databases such as Redis
- Storage Optimized: locally stored data, data warehousing
Auto Scaling Service
Availability and scaling on demand are critical for the business.
Works with:
- EC2 instances
- EC2 Spot Fleets
- ECS services
- DynamoDB
- Amazon Aurora
Free of cost (you pay only for the resources it launches).
- Dynamic scaling: reacts to changing demand
- Predictive scaling: scales ahead of forecast demand
Scaling Policy
Use metrics to define the scaling policy.
Scale based on a target utilization:
- Availability: 40% utilization
- Cost: 70% utilization
- Both (balanced): 50% utilization
- Custom
Auto Scaling group
- Minimum: instances launched immediately when the group is created; the group never shrinks below this
- Desired: the target number of instances; defaults to the minimum
- Maximum: the upper bound the group may scale out to
ELASTIC LOAD BALANCER (ELB) Service
Distributes incoming traffic across EC2 instances based on load.
- Works at the Region level across multiple AZs
- Managed load balancer, maintained by AWS
- Routes to instances dynamically based on load and instance health
- Scales with incoming traffic
- Instances behind a load balancer need a security group that allows traffic from the load balancer's own security group (not from the whole Internet)
- If one EC2 instance fails, the load balancer automatically routes traffic to healthy instances
- Each EC2 instance has its own public IP; with a load balancer, clients use one DNS name instead
Types:
1. Application Load Balancer:
- HTTP/HTTPS only
- Layer 7
2. Network Load Balancer:
- TCP/UDP, ultra high performance: gaming, millions of requests per second
- Layer 4
3. Classic Load Balancer
- Retiring (legacy)
- Layer 4 and 7
4. Gateway Load Balancer
- Deploys and scales third-party virtual appliances (firewalls, IDS/IPS) transparently in the traffic path
- Layer 3
AWS Global Infrastructure
Global infrastructure ensures high availability in case one data center dies.
- Serves customers in 245 countries and territories
- Availability Zone (AZ): one or more discrete data centers with redundant power, networking and connectivity within a Region (84 AZs at the time of writing)
- Region: a geographically isolated cluster of AZs placed near high traffic demand (26 Regions at the time of writing)
- AZs within a Region are connected by high-bandwidth, low-latency fiber; they are physically separate (many kilometers apart) but all within about 100 km (60 miles) of each other
- Deploy an application redundantly in at least 2 AZs in a Region for disaster planning
Factors for choosing Regions
- Data compliance: data stays in the Region you choose and is not moved to another Region without your explicit action; pick Regions that satisfy data-residency rules
- Pricing: AWS costs less in the USA than in Brazil due to the tax structure
- Features: some features are not available in every Region, e.g. quantum computing (Amazon Braket)
- Proximity: close to customers = low latency
AMAZON CLOUDFRONT (Amazon CDN)
Caches data closer to customers.
- Serves web content, video, etc. at low latency
- Edge locations store copies of data near users to reduce latency
ROUTE 53
Highly available and scalable cloud Domain Name System (DNS) web service.
- Translates website names to the IP addresses of the site
- Buy and manage domains in AWS
Directs traffic to endpoints based on routing policy:
- Geolocation: by the user's location
- Geoproximity: by distance to resources, with an adjustable bias
- Latency: to the Region with the lowest latency for the user
- Weighted round robin: split traffic by assigned weights
AWS OUTPOSTS
- AWS-managed racks installed in the customer's own building/data center, running AWS services locally (a private extension of a Region)
- For workloads that need low latency or local data processing on premises
Provisioning Tools
1. AWS ELASTIC BEANSTALK
- Platform as a Service
- Upload application code + configuration; Beanstalk deploys and manages the environment automatically
- Jump-start with preconfigured platforms
2. AWS CLOUDFORMATION
- Infrastructure as Code
- Use a JSON or YAML template to define the resources
- CloudFormation provisions the resources automatically and repeatably
Networking
AWS VIRTUAL PRIVATE CLOUD (VPC)
Private network in AWS that isolates your resources.
Subnets: a range of IP addresses in the VPC used to group resources.
- Public: reachable from the Internet via an Internet Gateway (IGW)
- Private: no route to the Internet; reach private resources from on premises over a Site-to-Site VPN terminating on a Virtual Private Gateway
AWS DIRECT CONNECT
Private, dedicated network connection from your data center to AWS.
- A VPN over the public Internet shares bandwidth with everyone else, so throughput and latency vary
- Direct Connect provides the highest, most consistent bandwidth and keeps traffic off the public Internet; note it is not encrypted by default, so run a VPN over it (or use MACsec) where confidentiality is required
NETWORK ACCESS CONTROL LIST (Network ACL)
- Stateless: every packet is checked against the rules, including return traffic
- Subnet-level security
- Allow or deny rules for traffic entering or exiting the subnet, evaluated in rule-number order; first match wins
- The default network ACL allows all traffic in and out
- A custom network ACL denies all traffic until you add rules allowing specific traffic
SECURITY GROUP
- Stateful: return traffic for an allowed connection is permitted automatically
- Instance-level security (attached to the instance's network interface)
- Allow rules only; there are no deny rules
- Default: all inbound traffic denied, all outbound traffic allowed
- Every EC2 instance belongs to at least one security group
- Add rules to allow specific traffic, e.g. HTTPS (TCP 443) from the load balancer's security group
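The stateful/stateless distinction decides whether return traffic gets through. The simulation below is an added example, not code from the original notes or from AWS: it models a security group with connection tracking next to a numbered network ACL, and runs one HTTPS request/reply through both. IP addresses, ports and rule numbers are constructed; the security group is deliberately given no outbound rules (unlike the AWS default) to show that the reply still passes.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example, not from the original notes. Models the one difference that
trips people up in practice: a security group remembers the connections it
allowed, so return traffic passes without an outbound rule, while a NACL
evaluates every packet on its own and needs an outbound rule for the
ephemeral return ports (1024-65535). Addresses, ports and rule numbers are
constructed.
"""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    src_port: int
    direction: str  # "in" or "out", relative to the protected resource


@dataclass
class SecurityGroup:
    """Allow-only rules (cidr, port_low, port_high); stateful."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    _conntrack: set = field(default_factory=set)

    def allows(self, p: Packet) -> bool:
        # Reply half of a flow we already allowed: passes regardless of rules.
        if (p.dst, p.dst_port, p.src, p.src_port) in self._conntrack:
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        if any(_in_cidr(peer, cidr) and lo <= p.dst_port <= hi for cidr, lo, hi in rules):
            self._conntrack.add((p.src, p.src_port, p.dst, p.dst_port))
            return True
        return False  # no deny rules exist; anything unmatched is dropped


@dataclass
class NetworkAcl:
    """Numbered rules (number, cidr, low, high, "allow"/"deny"); stateless."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def allows(self, p: Packet) -> bool:
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        for _, cidr, lo, hi, action in sorted(rules):
            if _in_cidr(peer, cidr) and lo <= p.dst_port <= hi:
                return action == "allow"  # lowest-numbered match wins
        return False  # implicit final deny (the "*" rule)


def build_controls(with_ephemeral_rule: bool):
    """Web server allowing HTTPS in. The SG has no outbound rules on purpose."""
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)])
    out_rules = [(100, "0.0.0.0/0", *EPHEMERAL, "allow")] if with_ephemeral_rule else []
    acl = NetworkAcl(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")], outbound=out_rules)
    return sg, acl


def https_session(sg: SecurityGroup, acl: NetworkAcl) -> dict:
    """Client 203.0.113.5 opens HTTPS to 10.0.1.10; the server replies.
    Returns {control: (request_allowed, reply_allowed)}."""
    request = Packet("203.0.113.5", "10.0.1.10", 443, 51515, "in")
    reply = Packet("10.0.1.10", "203.0.113.5", 51515, 443, "out")
    return {"sg": (sg.allows(request), sg.allows(reply)),
            "acl": (acl.allows(request), acl.allows(reply))}


if __name__ == "__main__":
    for flag in (False, True):
        sg, acl = build_controls(with_ephemeral_rule=flag)
        print(f"ephemeral outbound rule on NACL = {flag}:", https_session(sg, acl))
```

Without the ephemeral-port outbound rule the NACL drops the server's reply even though the request was allowed, which is the classic "instance reachable in security group tests but connections hang" symptom. The same model also shows why a NACL is the place for blanket denies (for example, a known-bad CIDR at a low rule number), since security groups cannot express deny.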
Storage Services
Block Level Storage
Stores data as fixed-size blocks, like a hard disk drive.
INSTANCE STORE VOLUME:
- EC2 local storage
- Physical disk attached to the host
- Data does not persist: it is lost when the instance stops or terminates
ELASTIC BLOCK STORE (EBS) Volume
- Virtual disk (SSD or HDD types; up to 16 TiB for most volume types)
- Called an EBS volume
- Separate from the host, attached to the instance over the network
- Persists data independently of the instance lifecycle
- Lives in one AZ; can only be attached to instances in the same AZ
- Does not scale automatically; size and type can be modified manually
EBS snapshot: incremental backup. The first snapshot copies all the data; each subsequent snapshot stores only the blocks that changed since the previous one, yet every snapshot can restore the full volume.
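To make the incremental behaviour concrete, here is an added simulation (not code from the original notes, and not how EBS is implemented internally): a block volume, a snapshot store that keeps only changed blocks with a parent pointer, restore by walking the chain, and deletion that keeps blocks a later snapshot still depends on. Block contents and the 8-block volume are constructed.

```python
"""Incremental block snapshots, simulated.

Added example, not from the original notes. Models the EBS snapshot behaviour
described above: the first snapshot stores every written block, later ones
store only blocks changed since the previous snapshot, any snapshot restores
the full volume, and deleting a snapshot in the middle of the chain keeps the
blocks a later snapshot still depends on. Block contents are constructed.
"""


class Volume:
    """A block device: a list of blocks, written one block at a time."""

    def __init__(self, n_blocks: int):
        self.blocks = [b""] * n_blocks

    def write(self, idx: int, data: bytes):
        self.blocks[idx] = data


class SnapshotStore:
    def __init__(self):
        # snapshot id -> {"parent": id or None, "blocks": {index: data}}
        self.snaps = {}
        self._last = None          # most recent snapshot id
        self._last_state = {}      # full block map as of the last snapshot
        self._counter = 0

    def snapshot(self, vol: Volume) -> str:
        """Store only blocks that differ from the previous snapshot."""
        state = {i: b for i, b in enumerate(vol.blocks) if b}
        changed = {i: b for i, b in state.items() if self._last_state.get(i) != b}
        self._counter += 1
        sid = f"snap-{self._counter:04d}"
        self.snaps[sid] = {"parent": self._last, "blocks": changed}
        self._last, self._last_state = sid, state
        return sid

    def block_count(self, sid: str) -> int:
        return len(self.snaps[sid]["blocks"])

    def restore(self, sid: str) -> dict:
        """Walk the chain newest to oldest; the newest copy of a block wins."""
        blocks = {}
        while sid is not None:
            snap = self.snaps[sid]
            for i, b in snap["blocks"].items():
                blocks.setdefault(i, b)
            sid = snap["parent"]
        return blocks

    def delete(self, sid: str):
        """Remove a snapshot; blocks its child still needs move into the child."""
        victim = self.snaps.pop(sid)
        for child in self.snaps.values():
            if child["parent"] == sid:
                for i, b in victim["blocks"].items():
                    child["blocks"].setdefault(i, b)
                child["parent"] = victim["parent"]
        if self._last == sid:
            self._last = victim["parent"]
            self._last_state = self.restore(self._last) if self._last else {}


def demo():
    """Three snapshots of an 8-block volume with a few rewrites in between."""
    vol, store = Volume(8), SnapshotStore()
    for i in range(8):
        vol.write(i, f"v1-block{i}".encode())
    s1 = store.snapshot(vol)                  # full: 8 blocks
    vol.write(2, b"v2-block2")
    vol.write(5, b"v2-block5")
    s2 = store.snapshot(vol)                  # incremental: 2 blocks
    vol.write(2, b"v3-block2")
    s3 = store.snapshot(vol)                  # incremental: 1 block
    return vol, store, (s1, s2, s3)


if __name__ == "__main__":
    vol, store, ids = demo()
    for sid in ids:
        print(sid, "stores", store.block_count(sid), "changed blocks")
```

The practical consequences match the real service: snapshot storage cost grows with change rate, not with volume size, and deleting an old snapshot never breaks the restore of a newer one. Snapshots are also the usual way to copy a volume to another AZ or Region, since a volume itself is pinned to one AZ.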
Object Storage
Stores files as objects (key, metadata, data).
Amazon Simple Storage Service (S3)
- Store and retrieve unlimited data
- Data stored as objects (up to 5 TB each)
- Object versioning
- Create multiple buckets
- Access rights per bucket/object (bucket policies, IAM); keep Block Public Access on unless the bucket is meant to serve public content
Tier 1: Amazon S3 Standard
- 99.999999999% (11 nines) durability over a year
- High availability: data stored redundantly across at least 3 AZs, so the concurrent loss of data in 2 locations can still be recovered from the third
- Frequently used data
- Higher cost than the other tiers
- Amazon S3 Static Website Hosting: use a bucket to host a static website/blog
Tier 2: S3 Standard-Infrequent Access (S3 Standard-IA)
- For less frequently accessed data
- Same fast access as Standard when the data is read
- Backups / long-term storage
- Same durability and multi-AZ redundancy as S3 Standard (3+ AZs)
- Lower storage price, higher per-GB retrieval price
S3 One Zone-Infrequent Access (S3 One Zone-IA)
- Stores data in a single Availability Zone
- Lower storage price than S3 Standard-IA; data is lost if that AZ is destroyed
Tier 3: S3 Glacier
- Retains data for a long time with slow retrieval
- Retrieval takes minutes to hours depending on the retrieval option
- Low-cost storage class
- Archive data / audit data
- Vault Lock: Write Once Read Many (WORM); once locked, the retention policy cannot be changed, even by the account's administrators
S3 Glacier Deep Archive
- Retrieves objects within 12 hours
- Lowest-cost object storage class, ideal for archiving
S3 Intelligent-Tiering
- Ideal for data with unknown or changing access patterns
- Requires a small monthly monitoring and automation fee per object
- Automatically moves data between tiers based on usage
Lifecycle policies: rules that automatically transition objects between storage classes (and expire them) as they age.
ELASTIC FILE SYSTEM (EFS)
- Managed file system (NFS)
- Scales automatically and replicates data
- Concurrent access from many instances
- Shared file system
- For Linux workloads
- Regional service: available across all AZs in the Region
- On-premises servers can mount it over AWS Direct Connect or VPN
AWS Snow Family
Collection of physical devices used to transport up to exabytes of data into and out of AWS.
- All data is encrypted with 256-bit encryption; keys are managed through AWS KMS and controlled by the customer
AWS Snowcone
- 8 TB of storage, edge computing
- Analytics, video, backup, tape data
- Data shipped back is imported into S3
AWS Snowball Edge
- Ship to remote locations
- Image compression, IoT, video transcoding
Snowball Types
1. Snowball Edge Compute Optimized
- 40 TB HDD for S3-compatible storage
- 7.68 TB SSD for EBS-compatible volumes
- 52 vCPUs
- 208 GiB RAM
- NVIDIA Tesla V100 GPU (optional)
2. Snowball Edge Storage Optimized
- 80 TB HDD for S3-compatible storage
- 1 TB SSD for EBS-compatible volumes
- 40 vCPUs
- 80 GiB RAM
AWS Snowmobile
- Shipping container on a truck
- Up to 100 petabytes per Snowmobile
- Exabyte-scale data transfer service for moving very large amounts of data to AWS
- Video surveillance, escort vehicle, waterproof, fireproof
Database Service
AWS DATABASE MIGRATION SERVICE (DMS)
- Lift & shift: migrate databases to AWS securely and easily between a source and a target database
- The source stays operational during migration to minimize downtime
- Migration can be homogeneous (same engine on both sides, e.g. MySQL to MySQL) or heterogeneous (different engines, e.g. Oracle to Amazon Aurora)
Use cases
- Develop and test database migrations
- Consolidate: combine several databases into one
- Continuous replication: ongoing copies to a target
Amazon Relational Database Service (Amazon RDS)
- Run and manage relational databases in the AWS Cloud
- Supports the major RDBMS (Relational DBMS) engines:
- Amazon Aurora
- PostgreSQL
- MySQL
- MariaDB
- Oracle Database
- Microsoft SQL Server
Benefits:
- Automated patching
- Continuous backups to S3
- Multi-AZ standby with automatic failover; read replicas to scale reads
- Point-in-time recovery: disaster recovery
- Data encrypted at rest and in transit (sent/received)
Amazon Aurora:
- Fast & cost-effective RDBMS built for the cloud
- MySQL- and PostgreSQL-compatible
- Fast: up to 5x MySQL and 3x PostgreSQL throughput
- Storage scales automatically up to 128 TiB
- 6 copies of the data across 3 AZs, up to 15 read replicas
- Includes the RDS benefits above
Amazon DynamoDB
- Serverless database
- NoSQL key-value (and document) database
- Data stored as tables of items, each item a set of attributes
- More flexible schema than SQL databases
- Single-digit millisecond response time
- Automatic scaling, up to 10 trillion requests per day
- Fully managed
Amazon Redshift
- Data warehouse used for analytics over large data sets
- Works well with huge volumes and a wide variety of data
- Useful for data mining / business intelligence
Other DB Services
- Amazon DocumentDB: MongoDB-compatible document database service.
- Amazon Neptune: graph database service.
- Ledger
- Amazon Quantum Ledger Database (Amazon QLDB): ledger database service. Review a complete history of all the changes that have been made to your application data.
- Amazon Managed Blockchain: service to create and manage blockchain networks with open-source frameworks. distributed ledger system
- Caches & Accelerator
- Amazon ElastiCache: service to add caching layers to help improve the read times of common requests.
- Amazon DynamoDB Accelerator (DAX): is an in-memory cache for DynamoDB.
DB by Use Cases
Database Type | Use Cases | AWS Service |
---|---|---|
Relational | Traditional applications, ERP, CRM, e-commerce | Amazon Aurora, Amazon RDS, Amazon Redshift |
Key-value | High-traffic web apps, e-commerce systems, gaming applications | Amazon DynamoDB |
In-memory | Caching, session management, gaming leaderboards, geospatial applications | Amazon ElastiCache, Amazon MemoryDB for Redis |
Document | Content management, catalogs, user profiles | Amazon DocumentDB (with MongoDB compatibility) |
Wide-column | High-scale industrial apps for equipment maintenance, fleet management, and route optimization | Amazon Keyspaces (for Apache Cassandra) |
Graph | Fraud detection, social networking, recommendation engines | Amazon Neptune |
Time series | IoT applications, DevOps, industrial telemetry | Amazon Timestream |
Ledger | Systems of record, supply chain, registrations, banking transactions | Amazon Quantum Ledger Database (QLDB) |
Security
Shared Responsibility Model
- AWS is responsible for security OF the cloud
- The customer is responsible for security IN the cloud
AWS responsibility: security of the cloud.
- Physical layer (facilities, hardware)
- Network layer
- Hypervisor / virtualization layer
Customer responsibility: security of everything they create and put in the AWS Cloud.
- OS root access and OS security patching (on EC2)
- Application-layer security
- Data security (classification, encryption, access control)
AWS Identity and Access Management (IAM)
Root user
- Owner of the AWS account
- Full control of the AWS account; cannot be restricted by IAM policies
- Can access and control any resource
- Protect it with Multi-Factor Authentication (MFA), do not create access keys for it, and use it only for the few tasks that require root
Principle of least privilege: grant only the permissions needed to perform specific tasks.
IAM users
- No permissions by default: a new IAM user cannot call any API until a policy grants it
- Permissions are granted by attaching IAM policies
- Each allowed action must be granted explicitly
IAM policies
- Effect: Allow / Deny
- Action: list of AWS API calls (e.g. s3:GetObject)
- Resource: the AWS resource ARN(s) the statement applies to
- A JSON document stating which AWS services and actions an identity may use; everything not allowed is denied, and an explicit Deny always overrides an Allow
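The three fields above, plus the evaluation rule (implicit deny, explicit Deny wins), are enough to reason about least privilege. The code below is an added example, not from the original notes and not AWS's own evaluator: a minimal implementation of that logic for identity-based policies in one account, applied to a constructed least-privilege policy for a deploy job next to a deny-only guardrail and an over-broad `s3:*` policy. The bucket name and ARNs are made up; Condition keys, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Minimal IAM policy evaluator: default deny, explicit Deny overrides Allow.

Added example, not from the original notes and not AWS's implementation. It
follows the documented evaluation logic for identity-based policies inside one
account (no resource policies, SCPs, permission boundaries or Condition keys).
The policies, bucket name and ARNs are constructed for illustration.
"""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive; '*' and '?' wildcards are allowed.
    actions = _as_list(stmt["Action"])
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    # Resource ARNs are case-sensitive; "*" is the usual over-broad value.
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatch.fnmatchcase(resource, r) for r in resources)


def evaluate(policies, action, resource):
    """Decide one request (action on resource) against all attached policies."""
    decision = "Deny"                      # implicit deny until something allows
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny is final
            decision = "Allow"
    return decision


# Least-privilege policy for a deploy job (constructed): read the artifact
# bucket, write only under the releases/ prefix.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-artifacts",
                      "arn:aws:s3:::example-artifacts/*"]},
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-artifacts/releases/*"},
    ],
}

# Guardrail attached alongside any other policy: bucket deletion is never allowed.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
}

# Over-broad policy for contrast: what least privilege is meant to avoid.
ADMIN_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}


def deploy_job_decisions():
    pols = [DEPLOY_POLICY, GUARDRAIL_POLICY]
    return {
        "get_artifact": evaluate(pols, "s3:GetObject", "arn:aws:s3:::example-artifacts/app.zip"),
        "put_release": evaluate(pols, "s3:PutObject", "arn:aws:s3:::example-artifacts/releases/v1.zip"),
        "put_elsewhere": evaluate(pols, "s3:PutObject", "arn:aws:s3:::example-artifacts/app.zip"),
        "other_bucket": evaluate(pols, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "ec2": evaluate(pols, "ec2:RunInstances", "*"),
        "delete_bucket": evaluate(pols, "s3:DeleteBucket", "arn:aws:s3:::example-artifacts"),
    }


def admin_with_guardrail():
    """Even s3:* on * cannot delete a bucket once the deny guardrail is attached."""
    return evaluate([ADMIN_S3_POLICY, GUARDRAIL_POLICY],
                    "s3:DeleteBucket", "arn:aws:s3:::example-artifacts")


if __name__ == "__main__":
    print(json.dumps(DEPLOY_POLICY, indent=2))
    for name, verdict in deploy_job_decisions().items():
        print(f"{name:14s} {verdict}")
    print("admin + guardrail, DeleteBucket:", admin_with_guardrail())
```

Two things to take from running it: nothing outside the listed actions and ARNs is reachable even though no Deny statement mentions them (implicit deny), and a Deny statement beats an Allow from any other attached policy, which is why deny guardrails are safe to attach broadly via groups or SCPs.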
IAM Group
- Attach IAM policies to a group of IAM users
IAM Role
- Has permissions attached, like a user
- Allow / deny permissions via policies
- No username, password or long-term access key: temporary credentials are issued dynamically (via STS) when the role is assumed
- Temporarily grants access to users, applications, or other AWS services
AWS Organizations
- Group accounts into organizational units (OUs)
- Central place to manage all accounts
- Consolidated billing for all accounts with volume discounts
- Hierarchical grouping of accounts for security and compliance
- Service control policies (SCPs): centrally restrict the AWS services, resources and individual API actions that users and roles in each account and OU can use (SCPs set a maximum; they never grant permissions)
Compliance
- AWS Artifact Agreements: review, accept and manage agreements with AWS
- AWS Artifact Reports: compliance reports on AWS produced by third-party auditors
DDoS (Distributed Denial of Service)
Floods a website or application with excessive network traffic until the target is overloaded and can no longer respond.
AWS Shield and AWS WAF (Web Application Firewall)
- Shield protects against DDoS at the network and transport layers; WAF filters HTTP(S) requests at layer 7 with rules that block common web exploits (SQL injection, cross-site scripting) and rate-limit abusive clients
AWS Shield Standard
- Protects all AWS customers at no cost
- Protects from the most common, frequently occurring types of DDoS attacks
- Real-time automatic mitigation
AWS Shield Advanced
- Detects and mitigates sophisticated DDoS attacks, with access to the Shield Response Team
- Paid service
AWS Key Management Service (AWS KMS)
- Create and manage the cryptographic keys that AWS services use to encrypt data at rest; every key use is logged in CloudTrail (encryption in transit is handled by TLS)
Monitoring
Observing systems, collecting metrics, evaluating those metrics over time, and using them to make decisions or take action.
Amazon CloudWatch
Web service to monitor and manage metrics and configure alarm actions based on those metrics.
- AWS services send metrics to CloudWatch
- CloudWatch uses these metrics to draw graphs on CloudWatch dashboards
- CloudWatch alarms: automatically perform actions when a metric goes above or below a predefined threshold
- Metrics are data about the performance of your systems
AWS CloudTrail
API auditing tool: records every API call as an event (who, when, from which IP, which action, on which resource).
- Near-real-time view of what changed in the account
- Events are typically delivered within 15 minutes of the API call
- CloudTrail Insights: optional feature that automatically detects unusual API activity in the AWS account
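CloudTrail is only useful if somebody reads it, so here is an added example of the kind of triage a security operations team runs over it. This is not code from the original notes or an AWS feature: it parses records in CloudTrail's documented JSON format and flags root-user activity, console sign-ins without MFA, and a burst of `AccessDenied` errors from one identity. The six records are constructed (example account ID, documentation IP ranges, made-up user names), and the threshold of three denials is an assumption.

```python
"""Triage CloudTrail events for a few high-signal conditions.

Added example, not from the original notes. Works over CloudTrail's documented
record format ("Records" list; userIdentity, eventName, errorCode,
additionalEventData.MFAUsed for ConsoleLogin). The records below are
constructed with an example account ID and documentation IP addresses.
"""
import json
from collections import Counter

ACCESS_DENIED_THRESHOLD = 3   # assumption: tune to the account's baseline

# Constructed sample: root console login without MFA, root creating an access
# key, a normal MFA login by 'alice', and three denied calls by 'scanner'.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.23",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
] + [
    {"eventTime": f"2024-03-01T12:00:{i:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/scanner"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"}
    for i in range(3)
]})


def load_records(raw: str) -> list:
    return json.loads(raw)["Records"]


def triage(records) -> list:
    """Return (finding_type, identity, detail) tuples for suspicious events."""
    findings = []
    denied = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("arn") or ident.get("type", "unknown")
        # Root should not be used for day-to-day work; any API call is notable.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", who, r["eventName"]))
        # Successful console sign-in without a second factor.
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            findings.append(("CONSOLE_LOGIN_NO_MFA", who, r["sourceIPAddress"]))
        # Repeated AccessDenied from one identity often means credential probing.
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append(("ACCESS_DENIED_BURST", who, n))
    return findings


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_LOG)):
        print(*finding)
```

In production the same checks would run on the trail delivered to S3 or on CloudWatch Logs via a metric filter and alarm; the point here is which fields carry the signal. `alice` produces no finding because her login used MFA and she generated no errors.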
Migration to AWS
AWS Cloud Adoption Framework (CAF)
Guidance for migrating an organization to the cloud.
6 Perspectives of the CAF
Business Capabilities
1. Business Perspective
- Create a strong business case for cloud adoption and prioritize cloud adoption initiatives
- Decide why we want to move to the cloud
2. People Perspective
- Evaluate organizational structures and roles, new skill and process requirements, and identify gaps. This helps prioritize training, staffing and organizational changes.
- Check whether the people have the required skill set
3. Governance Perspective
- Update the staff skills and processes necessary to ensure business governance in the cloud
- Train people and teams
Technical Capabilities
4. Platform Perspective
- Describe the architecture of the target-state environment in detail
- Define the architecture for the cloud
5. Security Perspective
- Structure the selection and implementation of security controls that meet the organization's needs
- Look at the migration from the security point of view
6. Operations Perspective
- Define how day-to-day, quarter-to-quarter and year-to-year business is conducted
- Decide how we will operate on a daily basis after the migration
AWS Cloud Adoption Framework Action Plan
- Input from the six perspectives is used to create the migration plan
6 strategies for Migration (6 R's)
Options for migrating to the cloud
1. Rehosting (lift & shift)
- Move the app as-is to the cloud without application changes
- The app can be optimized later in the cloud
2. Replatforming (lift, tinker and shift)
- Lift and shift with a few cloud optimizations (e.g. moving to a managed database)
- No change to the core application code
These two do not end up in AWS:
3. Retiring
- Remove end-of-life apps
- Save cost & effort by not migrating apps nobody needs
4. Retaining
- Keep apps that are about to be deprecated or would require a lot of work on premises for now
- They keep running on the legacy system until they are retired
These two end up in AWS:
5. Repurchasing
- Abandon the legacy system and move to a different product, typically a SaaS offering
6. Refactoring / re-architecting
- Change the architecture
- Re-imagine the app using cloud-native features for scale, performance or agility
- Highest upfront effort, highest long-term benefit