在 AWS 上運行任務關鍵工作負載

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
James Chiang( ), Solutions Architect, AWS
Running Mission Critical Workloads on
AWS
Oct 2018

Sponsor

What to Expect from the Session
• Walkthrough the best practice for deploying business critical
applications
• Dive deep into secure, highly available and scalable architectures
• Learn about AWS tools that will make you successful in
deployment and management

Why are customers running critical
workloads on AWS?

On-premises
capacity
constraints
for resources
Reduce
operational/
maintenance costs
while increasing
service availability
Elasticity—
scale out,
scale in when
needed
Building a disaster
recovery service—
no on-premises-
only environment
Faster
application
deployments,
updates, and
patching
Business agility
improvements
Application
Migration to
Cloud: Drivers

Why run critical workload on AWS
Security in layers approach
Extensive VM and network performance options
Building and managing cloud since 2006
18 regions, 55 availability zones, 100+ edge locations
Thousands of partners; 2,500+ Marketplace products
Security & Reliability
Performance
Experience
Scale & Reliability
Ecosystem

What is a Business Critical
Application?

Anatomy of a critical workload
Holds sensitive data, liability if breached or deleted
Large scale customer impact if not available
Loss of data, destruction of IP, productivity penalty
> 100 users, > $10K per minute, Contractual Liability
Secure
Available
Resilient
Material Impact

Business Applications on AWS
Today AWS customers run a wide array of business applications
Vendor Applications
SAP Business Suite, Netweaver, BusinessObjects, B1, HANA
Oracle eBusiness, PeopleSoft, Siebel, JDE, Database 11g/12c
Microsoft SharePoint, Exchange, Dynamics, SQL Server
IBM Websphere, DataStage
Infor LN, M3, Syteline, Lawson
Companies of all sizes run business applications

The Global Infrastructure

Resiliency starts with the core infrastructure
REGION
An independent collection of AWS
resources in a defined geography
A solid foundation for meeting
location-dependent privacy and
compliance requirements

Availability Zones
Low latency
ensures real data
replication
Distance
ensures high
availability
REGION
AZ A AZ B
AZ C

Availability Zones
Low latency
ensures real data
replication
Distance
ensures high
availability
REGION
AZ A AZ B
AZ C
Availability Zone
Designed as independent failure
zones. Physically separated within a
typical metropolitan region

AZ – Availability Zone
Network
multiple tier‐1 transit providers
Power
isolated electrical grids, UPS, onsite backup generator
Geo
isolated fault lines flood plains
Network
Power
Geo
Zone A Zone B
Each availability zone runs on its sown physically distinct, independent infrastructure

AWS Global Infrastructure
Edge Locations
98 Edge Locations (As of October 2017)
Region
Edge POP

Most Robust, Fully Featured Technology Infrastructure Platform
Integrated Networking
Rules Engine
Device Shadows
Device SDKs
Device Gateway
Registry
Local Compute
Custom Model
Training & Hosting
Conversational
Chatbots
Virtual Desktops
App Streaming
Schema
Conversion
Image & Scene
Recognition
Sharing &
Collaboration
Exabyte-Scale
Data Migration
Facial Recognition
& Analysis
Corporate Email
Application
Migration
Database
Migration
Regions
Availability Zones
Edge Location
Data Warehousing
Business Intelligence
Elasticsearch
Hadoop/Spark
Data Pipelines
Streaming Data
Collection
ETL
Streaming Data
Analysis
Interactive SQL
Queries
Queuing & Notifications
Workflow
Email
Transcoding
Deep Learning
(Apache MXNet,
TensorFlow, &
others)
Server MigrationCommunications
Business Apps
Business
Intelligence
DevOps Tools Security Networking StorageDatabases
API Gateway
Single Integrated
Console
Identity
Sync
Mobile Analytics
Mobile App
Testing
Targeted Push
Notifications
One-click App
Deployment
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource Templates
Build and Test
Analyze and Debug
Compute
VMs, Auto-scaling,
Load Balancing,
Containers, Virtual
Private Servers,
Batch Computing,
Cloud Functions,
Elastic GPUs,
Edge Computing
Storage
Object, Blocks, File,
Archivals,
Import/Export,
Exabyte-scale data
transfer
CDN
Databases
Relational,
NoSQL, Caching,
Migration,
PostgreSQL
compatible
Networking
VPC, DX, DNS
Identity
Management
Key Management
& Storage
Monitoring
& Logs
Configuration
Compliance
Web Application
Firewall
Assessment
& Reporting
Resource &
Usage Auditing
Access Control
Account
Grouping
DDOS Protection
Support Professional
Services
Optimization
Guidance
Partner
Ecosystem
Training &
Certification Solutions Management
Account
Management
Security & Billing
Reports
Personalized
Dashboard
TECHNICAL & BUSINESS SUPPORT
MARKETPLACE
Monitoring
Manage
Resources
Data Integration
Integrated Identity &
Access
Integrated Resource &
Deployment Management
Integrated Devices
& Edge Systems
Resource
Templates
Configuration
Tracking
Server
Management
Service
Catalogue
Search
HYBRID ARCHITECTUREANALYTICS MOBILE SERVICESDEV/OPS IoT MACHINE LEARNING ENTERPRISE APPS MIGRATION
APP SERVICES
INFRASTRUCTURE CORE SERVICES SECURITY & COMPLIANCE MANAGEMENT TOOLS
Text to Speech
Facial Search
Patching
Contact Center

Availability

Multi-AZ Deployment
10.1.0.0/16
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
10.1.4.0/24
10.1.5.0/24
10.1.6.0/24
Availability Zone - A
Availability Zone - B
Private SubnetPrivate SubnetPublic Subnet

AZ – Availability Zone
Zone A Zone B
Network
Power
Geo
Network
Power
Geo
Web
DB Master
Load
Balancer
DB Slave
Web
Storage StorageSingle
digit ms

Multi-AZ Deployment
TCP 80
Users
DB
DB
WEB /
App
WEB /
App
Load Balancer

Options for Deploying SQL Server on AWS
Amazon RDS Databases on Amazon EC2
Versions Supported: MSSQL, Oracle, MySQL, Postgres, MariaDB Any DBs
High Availability: Self-managed; AlwaysOn, Mirror, Log ShipAWS-managed, Multi-AZ
Encrypted storage using AWS KMS (all editions); TDE supportEncryption:
Maintenance plans & third-party toolsManaged automated backupsBackups:
DB Install / Maintenance / PatchingDB Install / Maintenance / PatchingDatabase
OS Install / Maintenance / PatchingOS Install / Maintenance / PatchingOperating System:
Customer-
managed
AWS-managed
1 2

What does it look like after RDS is up?
Availability Zone A
AWS Region
10.1.0.0/16
10.1.1.0/24
Availability Zone B
10.1.2.0/24
Synchronous replication
Same
instance
type as
master
• Managed high availability across
multiple datacenters
• No application code change
• 60-120 seconds failover time
• RPO = zero
Automatic failover
Synchronous replication
dbinstancename.1234567890.us-west-2.rds.amazonaws.com:3006
Application

Multi-AZ Deployment
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
ü Improved high availability
across multiple availability
zones
ü Offload operation tasks to
AWS
ü AWS deals with licenses
Benefits:

Scalability & Performance

M2
2nd Generation
Compute
M4
4th Generation
Compute
Upgrade Your Compute

Increase your server farms capacity
Vertical Scaling
CPU, Disk Read/Write,
Network In/Out
Horizontal Scaling
m4.large m4.large
m4.large
2 vCPU, 8GB RAM
m4.xlarge
4 vCPU, 16GB RAM
m4.large m4.large m4.large m4.large m4.large m4.large m4.large m4.large

Web/App tier - Auto-Scaling
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
Auto-scaling based
on different metrics,
e.g. CPU, memory,
network, number of
requests, etc

Database tier – scale up
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
• for commercial
database like Oracle
and SQL, only
vertical scaling is
supported
• offload the
database by caching

Scalability & Performance
TCP 80
Users
Auto-
Scaling
Group
WEB /
App
WEB /
App
Load Balancer
zones
AWS
ü Improved scalability &
performance
Benefits:

Security

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

Inherit global security and compliance controls
https://aws.amazon.com/compliance/programs/
https://aws.amazon.com/artifact/

Auto-
Scaling
Group
VPC firewall - Security Groups
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
Accept Port 80 from LB
SQL Security Group
Accept Port 1433 from
Web
Inbound Security Group SG-WebTier
Traffic from Protocol L4 Port Action
SG-WebELB HTTP TCP 80 Allow
* * * * Deny
• Security Groups
• Built-in feature of VPC
• Restrict in/out traffic of
EC2 instances based on
source, port, protocol

Data Encryption with AWS (in-transit)
Between your network and VPC
• IPSec VPN
• AWS virtual private gateway, fully
managed and highly redundant, allows you
to establish redundant tunnels
• Direct Connect (optional): private
connectivity
Between your apps and your app’s end users
• TLS certificates
• secure network communication over the
Internet
• Uses X.509 certificate to authenticate both
the client and the back-end application
Customer VPC
10.0.0.0/16
IPSec VPN tunnels
Customer DC
192.168.1.0/16
HTTPS
CloudFront ELB Web/App
HTTP(s) HTTP(s)

Auto-
Scaling
Group
Secure Hybrid Connectivity
TCP 80
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
• IPSec VPN between AWS VPC
and on-premises DC network
• AWS Direct Connect – private
connectivity for workload
with high data sensitivity

Data Encryption with AWS (at-rest)
• Data encryption of server and
database storage
• Centralized key management
(create, delete, view, set policies)
• Import your own keys
• Enforced, automatic key rotation
• Fully auditable
• Option for dedicated, hardware-
based cryptographic key storage
using AWS CloudHSM
Encrypted in transit
AWS CloudTrail
AWS IAM
EBS
RDS
Amazon
Redshift
S3
Glacier
and at rest
Fully auditable
Fully managed
keys
Restricted access
KMS
PCI DSS 3.1

Encryption
Encryption at rest: EBS w/ KMS, RDS w/KMS
Simply check a box!
EBS Volume RDS

Encrypting Data At Rest
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
• VM volume encryption
• Database encryption
• VM volume encryption
• Database encryption

AWS CloudTrail
• Simplify your compliance audits by automatically recording and storing
activity logs for your AWS accounts
• Provide visibility into your user and resource activity
WhoWhat
Where from
Where to
When

AWS Services can automate Regulatory Compliance to
Increase Pace of Innovation
Changes
Compliance
Engine
Automated
Response

Out of the box...
• HTTP and HTTPs requests logged with ELB Logging
• API and Console calls logged with CloudTrail Logs
• Network traffic logged with VPC Flow Logs
• VPC change history logged with AWS Config
• IAM Policy and user changed logged with AWS Config
• Application level metrics logged with CloudWatch Logs

Ubiquitous logging for forensics analysis
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
Corporate
Office
IPSec VPN /
Direct Connect
S3 buckets
log
analytics

Security
Auto-
Scaling
Group
HTTPS
Users
WEB /
App
WEB /
App
Load Balancer
Web Security Group
SQL Security Group
Web
zones
AWS
ü Improved scalability &
performance
ü Improved security posture
with cloud-native approach
in a cost effective way
Benefits:
S3 buckets
log
analytics

Disaster Recovery

AWS offers four levels of DR support across a
spectrum of complexity and time
Backup &
Restore Pilot light
Warm standby
in AWS
Hot standby
(with multi-site)
§ Lower priority use
cases
§ Solutions: S3, Elastic
Block Store
§ Cost: $
§ Meeting lower RTO &
RPO requirements
§ Core services
§ Scale AWS resources in
response to a DR event
§ Cost: $$
§ Solutions that require
RTO & RPO in
minutes
§ Business critical
services
§ Cost: $$$
§ Auto-failover of your
environment in AWS
§ Cost: $$$$
Low High
RPO/RTO:
Hours
RPO/RTO:
Minutes
RPO/RTO:
Seconds
RPO/RTO:
Real-time

Backup & Recovery
§ Suitable for:
‒ Services that can sustain higher technical debt
‒ Lower priority use cases
§ Low cost DR option that leverages existing
investments in:
‒ De-duplication
‒ Compression
‒ WAN acceleration

AWS Storage Services for DR
Simple Storage Service (S3)
Highly scalable object storage
1 byte to 5TB in size
99.999999999% durability
Elastic Block Store
High performance block storage device
Volumes from 1GB to 16TB in size
Snapshot/cloning functionalities

Pilot Light
§ Suitable for:
‒ Meeting lower RTO & RPO requirements
‒ Business critical services
‒ Mid-range cost option for DR
§ Mid-range cost option for DR
§ Third-party options: CloudEndure, Racemi
and others

Pilot Light Architecture
Build resources around
replicated dataset
Scale AWS resources in
response to a DR event
§ Keep ‘pilot light’ on by replicating
core databases
§ Build AWS resources around
dataset and leave in stopped state
§ Start up pool of resources in AWS
when events dictate
§ Match required production capacity
through auto-scaling policies
Cut over to the system in AWS

Stopped
instances
Pilot Light

Running
instances
Pilot Light

Warm Standby
§ Replication of data and services in the cloud
ensure full failover if needed during a disaster
§ Suitable for:
‒ Solutions that require RTO & RPO in minutes
‒ Core business-critical functions
§ Higher cost option for DR

Warm Standby
ELB
On-premises
Active Production
Route 53
Web
Servers
AWS
Active Production
App
Servers
CloudFormation
Data Replication
Direct Connect
Web
Servers
App
Servers
1TB
Data
Volume
DB
Server
DB
Server
1 TB Data
Volume
AWS Region

Do we hit our objectives?
Encrypting data at rest, IP Sec VPN, Security Groups, visibility
Multiple Availability Zones, Auto-scaling, Elastic Load Balancing
Multi-AZ Database, cross-region DR design
Multi-AZ deployment, No Data Loss, Encryption, Auto-Healing
Secure
Available
Resilient
Material Impact
https://aws.amazon.com/architecture/well-architected/

What’s Next

24%39% 20%
IT
19%

DevOps and Serverless Time Breakdown
6%68% 17%
IT
9%

IT
•
•
•
•
•
• 100
• AWS Lambda
Apple/Android
Msg push
AWS Lambda
Amazon
API Gateway
Apple Pay
Android Pay
Payment
Gateway

Manage…
Hardware
Security Automation
$$$: T2.Medium
$250
( of OSs) $56
$150
$30
$14

65 30M
Type Hourly
T2.Medium 0.052
T2.Medium RHEL 0.112
T2.Medium Windows 0.072
Average 0.078666667
Server Average Monthly 56.64
Automation 12
ELB Monthly 15
Management Monthly $150
Security Monthly 21.6
Total Monthly Per Server 255.24
Number of servers 2
Cluster Annually 6125.76
Number of environments 3
Turn off discount 30
Total Annually 12864.10
$12,864/yr
Lambda
$4,490/yr
Calls per month 30,000,000
Calls per day 1000000
Calls per sec 11.57
Lambda Memory 1536
Duration ms 0.5
GB S per call 0.75
GB S per month 22500000
Free Tier GB S 400000
Adjusted GB
S/mo 22100000
Cost per G/S 0.00001667
Cost for GB S 368.407
Request cost/mo 5.8
Total Monthly 374.207
Total Annually 4490.484
80M
100
99
6 T2.M 30M hits/mo

Amazon SQS (queue) messaging $0.60 per MM
Amazon SES (email) email providers $0.10 per 1000
Amazon SNS (notif.) mobile provider $0.50 per MM SMS
Amazon DynamoDB big databases $180/mo for 36K writes per sec
Amazon RDS (DB) EC2 DBs vary based on capacity
API Gateway apigee, mashery $3.50 per MM calls + data
AWS
Lambda EC2 $0.00001667 per GB-s
Managed NAT Amazon EC2 $0.045 per hour

AWS Facebook Taiwan Page

Remember to complete
your evaluations!Remember to complete
your evaluations!

Thank you!
tzungen@amazon.com

在 AWS 上運行任務關鍵工作負載

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a 在 AWS 上運行任務關鍵工作負載

Semelhante a 在 AWS 上運行任務關鍵工作負載 (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

在 AWS 上運行任務關鍵工作負載