This session will feature best practices in the real world for deploying AWS cloud services. You will hear about cloud use cases, governance, security, cloud architecture, optimizing costs, and leveraging appropriate support offerings. The session will provide insight into experience from hundreds of government customers’ AWS adoption and highlight lessons learned along the way.
AWS Deployment Best Practices
AWS Government, Education, and Nonprofits Symposium
London | October 21, 2014
Steven Bryen
1. Choose your use case well
Choose appropriate use cases
Low hanging fruit can be easiest to pick

Dev & Test
• Spin environments up and down on demand
• Decouple development and test environments from operations constraints
• Explore elasticity in a sandboxed environment

Backup & DR
• Take part of your data or business applications step-by-step into non-production DR use
• Understand cloud dynamics and test during controlled failovers

Greenfield Project
• Embody best practice of cloud computing in unconstrained greenfield projects
• Self contained web projects, document archiving etc

Pain point
• Move specific service aspects causing undue cost or management burden
• Workflows, search indexing, media streaming, document archiving, constrained databases
Choose appropriate use cases
Common Government and Education workloads

Enterprise Apps
• Launch enterprise software solutions from Microsoft, Oracle, SAP and others on demand
• Customize environments to meet your specific security and operational requirements
• Deploy repeatable and consistent deployments in minutes

Big Data & HPC
• Solve the challenge of increasing volume, variety, and velocity of digital information
• Deploy large scale compute clusters in minutes
• Accelerate innovation, enable deep analytics, and scale without limits

Virtual Desktops
• Amazon WorkSpaces: fully managed desktop accessed from your choice of device – laptop computer (Mac OS or Windows), iPad, Kindle Fire, or Android tablet
• No upfront investment, secure data storage, corporate directory integration and PCoIP technology from Teradici

Web, Mobile & Social Apps
• Deliver on scalable web and application servers, storage, databases, content delivery, cache, search, and other application services that make it easier to build and run apps that deliver a great customer experience
Plan evolution & set goals

PoC
• Understand services
• Test performance
• Architect for scale
• Build cross functional team capabilities
Examples: AWS Elastic Beanstalk, AWS Test Drive, AWS Free Usage Tier

Production
• Implement monitoring
• Change control and management
• Security management
• Scalability
Examples: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, Amazon CloudWatch, AWS IAM

Automation
• Automate corrective measures
• Auto-scaling
• Zero downtime deployments
• System backup and recovery
Examples: APIs, CLI, Auto Scaling
Easy Deployments via AWS Marketplace
AWS app store for business/IT software
• Broad selection
• Instant fulfillment, support of 1-Click and CloudFormation
• Integrated AWS procurement and payments
• Seamless license management and 'compliance by default'
Software for Testing, PoC and Production
• IT and business titles for Enterprise production workloads
• Free, limited, and enterprise versions of titles – customer can perform a low cost pilot, then migrate seamlessly to production
• Customers of all sizes – F500 and SMB
• No overprovisioning, use only what you need
http://aws.amazon.com/partners/aws-marketplace/
AWS Architecture Center
Reference Architectures
• Web Application Hosting
• Content and Media Serving
• Batch Processing
• Fault Tolerance and High Availability
• Large Scale Processing and Huge Data Sets
• Ad Serving
• Disaster Recovery for Local Applications
• File Synchronization
• Media Sharing
• Online Games
• Log Analysis
• Financial Services Grid Computing
• E-Commerce Websites
• Time Series Processing
http://aws.amazon.com/architecture
2. Govern deployments
Govern deployments: Accounts
• Create an account structure that makes sense
• Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services
Govern deployments: Billing
• Control access to billing information: use AWS IAM users to keep billing information in the master account
• Consolidate billing into a single account: let one account pick up the bill for multiple 'sub accounts'
• Set up billing alerts and automated bill reporting: get Amazon CloudWatch notifications when billing reaches a point, and output CSV reports to Amazon S3 for analysis

Billing settings: under Billing Preferences, enable CSV & programmatic access so the billing report is written to Amazon S3.

Consolidated billing (figure): Dev 1, Dev 2, Test, Production and Internal Systems accounts bill to a single master account. Billing data labeled by source account lands in Amazon S3 for cost accounting in your favorite package, and billing alerts fire per account when the bill reaches $x, e.g. Dev 1 reached $100, Dev 2 reached $250, Test reached $1,000, Prod reached $1,200, Internal reached $400.
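As an added example (not from the deck), the check a practitioner would script over the billing CSV that consolidated billing writes to Amazon S3: sum each linked account's line items and emit the per-account alerts shown in the figure. The column layout follows the detailed billing report of that era (LinkedAccountId, RecordType, UnblendedCost) and is an assumption; the rows, account IDs, environment names and thresholds are constructed.

```python
"""Per-account spend check over a consolidated-billing CSV.

Added example, not from the original deck. It assumes the detailed
billing report layout AWS wrote to S3 at the time (columns such as
LinkedAccountId, RecordType and UnblendedCost); the rows below are
constructed, not real billing data.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample of a payer-account billing report (subset of columns).
SAMPLE_CSV = """\
"InvoiceID","PayerAccountId","LinkedAccountId","RecordType","ProductName","UsageType","UsageQuantity","UnblendedCost"
"Estimated","111111111111","222222222222","LineItem","Amazon Elastic Compute Cloud","BoxUsage:m3.medium","720.0","50.40"
"Estimated","111111111111","222222222222","LineItem","Amazon Simple Storage Service","TimedStorage-ByteHrs","3.2","0.30"
"Estimated","111111111111","333333333333","LineItem","Amazon Elastic Compute Cloud","BoxUsage:m3.large","1440.0","201.60"
"Estimated","111111111111","333333333333","LineItem","Amazon Relational Database Service","RDS:Multi-AZUsage","720.0","60.00"
"Estimated","111111111111","222222222222","AccountTotal","","","","50.70"
"Estimated","111111111111","333333333333","AccountTotal","","","","261.60"
"Estimated","111111111111","","StatementTotal","","","","312.30"
"""

# Linked account IDs mapped to the environment names used on the slide
# (assumed mapping; the IDs are made up).
ACCOUNT_NAMES = {"222222222222": "Dev 1", "333333333333": "Dev 2"}
THRESHOLDS = {"Dev 1": Decimal("100"), "Dev 2": Decimal("250")}


def spend_by_account(csv_text):
    """Sum UnblendedCost of LineItem rows per LinkedAccountId.

    AccountTotal and StatementTotal rows are skipped: adding them as well
    would double count. Decimal avoids float rounding on money.
    """
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["RecordType"] != "LineItem":
            continue
        totals[row["LinkedAccountId"]] += Decimal(row["UnblendedCost"])
    return dict(totals)


def check_thresholds(csv_text, names=ACCOUNT_NAMES, thresholds=THRESHOLDS):
    """Return one alert string per account whose spend reached its threshold."""
    alerts = []
    for account_id, spent in sorted(spend_by_account(csv_text).items()):
        name = names.get(account_id, account_id)
        limit = thresholds.get(name)
        if limit is not None and spent >= limit:
            alerts.append(f"{name} reached ${limit} (current ${spent})")
    return alerts


if __name__ == "__main__":
    for line in check_thresholds(SAMPLE_CSV):
        print(line)
```

In practice the CSV is fetched from the billing bucket with the CLI or an SDK and the alert is published to the same SNS topic the CloudWatch billing alarm notifies; having per-account totals lets you set a lower bar for sandbox accounts than the consolidated alarm allows.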
Govern deployments: Access Keys
• Decide upon a key management strategy
• Control access to Amazon EC2 instances via SSH and an embedded public key, e.g. an Amazon EC2 Key Pair per group of instances, or an Amazon EC2 Key Pair per account
• Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
• Consider bootstrap automation to grant developer access with developer-unique keypairs
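An added example (not from the deck) of the authorized_keys replacement step: entries are matched by their SHA256 fingerprint (the value ssh-keygen -lf prints), so the retired key is removed whatever comment or options it carries, and the rotation is safe to run repeatedly. The key material is constructed inside the block and is not a real key.

```python
"""Replace a public key in an authorized_keys file by fingerprint.

Added example, not from the original deck. The key lines are built in
the block from constructed bytes and are not real keys.
"""
import base64
import hashlib
import struct


def ed25519_pubkey_line(raw32, comment):
    """Build a syntactically valid ssh-ed25519 line from 32 raw bytes (constructed key material)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line):
    """SHA256 fingerprint of an authorized_keys entry, as ssh-keygen -lf prints it.

    Returns None for blank or comment lines. Leading options such as
    from="10.0.0.0/8",no-pty are skipped by locating the key-type token
    (a quoted option containing a word starting with 'ssh-' would confuse
    this; none of the common options do).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def rotate(authorized_keys, old_line, new_line):
    """Drop every entry whose key matches old_line, add new_line once."""
    old_fp, new_fp = fingerprint(old_line), fingerprint(new_line)
    kept, have_new = [], False
    for line in authorized_keys.splitlines():
        fp = fingerprint(line)
        if fp == old_fp:
            continue  # old key goes, whatever options or comment it had
        have_new = have_new or fp == new_fp
        kept.append(line)
    if not have_new:
        kept.append(new_line)
    return "\n".join(kept) + "\n"


# Constructed sample file: a comment, the key being retired, and an
# unrelated key carrying a source restriction that must survive.
OLD_KEY = ed25519_pubkey_line(bytes(range(32)), "deploy-2013")
NEW_KEY = ed25519_pubkey_line(bytes(range(32, 64)), "deploy-2014")
OPS_KEY = 'from="10.0.0.0/8" ' + ed25519_pubkey_line(b"\x7f" * 32, "ops")
SAMPLE_FILE = "# managed by bootstrap\n" + OLD_KEY + "\n" + OPS_KEY + "\n"

if __name__ == "__main__":
    print(rotate(SAMPLE_FILE, OLD_KEY, NEW_KEY))
```

Run it over every instance in the group from your bootstrap or configuration-management tooling, writing the result back to the login user's ~/.ssh/authorized_keys. Note that the Amazon EC2 Key Pair only seeds authorized_keys at first boot; changing or deleting the key pair in AWS does not touch a running instance, so rotation on running instances is always a file edit like this one.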
Govern deployments: Groups & Roles
• Use AWS IAM Groups to manage console users and API access: provide developers with an IAM user login and unique API access credentials; control & restrict what IAM users can do by placing them in groups with policies
• Assign Amazon EC2 instances IAM Roles: let AWS manage API access credentials on running instances by assigning a system entitlement to the instance, e.g. the instance can only read one Amazon S3 bucket
Identity & access management (figure)
Within one account, users (Jim, Brad, Bob, Mark, Susan, Kevin) are placed in groups (Administrators, Developers, Applications); applications (Reporting, Console, Tomcat) obtain AWS system entitlements through roles; console users are protected with multi-factor authentication.
IAM policies
Policy driven: a declarative definition of rights for groups; policies control access to AWS APIs. The developer-group policy from the slide (the original rendering dropped the "Effect" key; a statement needs "Effect": "Allow"):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "elasticbeanstalk:*",
          "ec2:*",
          "elasticloadbalancing:*",
          "autoscaling:*",
          "cloudwatch:*",
          "s3:*",
          "sns:*"
        ],
        "Resource": "*"
      }
    ]
  }
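The policy above grants every action in seven services on every resource, which may suit a developer sandbox group but not the instance-role case from the previous slide. As an added example (not from the deck), a minimal evaluator of IAM's decision logic, used to compare that policy with a least-privilege instance-role policy for "the instance can only read one S3 bucket"; the bucket name is made up, and Conditions, NotAction/NotResource and resource-based policies are not modelled.

```python
"""Minimal evaluator for IAM identity-based policies.

Added example, not from the deck. It models the parts of IAM policy
evaluation that matter here: default (implicit) deny, Allow only when
both Action and Resource match, explicit Deny overriding any Allow,
'*' and '?' wildcards, case-insensitive action names. Conditions,
NotAction/NotResource and resource-based policies are not modelled.
The bucket name is made up.
"""
import re

# The developer-group policy shown on the slide: full control of several
# services on every resource.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                   "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
        "Resource": "*",
    }],
}

# An instance-role policy for "the instance can only read one S3 bucket":
# list the bucket, read its objects, never touch the secrets/ prefix.
S3_READONLY_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-config"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-app-config/secrets/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy, action, resource):
    """Decide one (action, resource) request against one policy."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p.lower(), action.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins over any allow
        allowed = True
    return allowed  # nothing matched: implicit deny


def service_wildcards(policy):
    """Lint: actions of the form 'service:*' allowed on Resource '*'."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        hits.extend(a for a in _as_list(stmt["Action"]) if a.endswith(":*"))
    return sorted(hits)


if __name__ == "__main__":
    print("developer policy service wildcards:", service_wildcards(DEVELOPER_POLICY))
    print("instance role may read config:", is_allowed(
        S3_READONLY_INSTANCE_POLICY, "s3:GetObject",
        "arn:aws:s3:::example-app-config/prod/app.yml"))
    print("instance role may read secrets:", is_allowed(
        S3_READONLY_INSTANCE_POLICY, "s3:GetObject",
        "arn:aws:s3:::example-app-config/secrets/db.json"))
```

The lint is the check to run over every group policy before attaching it: a service wildcard on Resource "*" means the group can, for example, terminate any instance in the account, which is rarely what a developer group needs and never what an instance role needs.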
3. Ensure security
Security is a Shared Responsibility

AWS
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

Customer/Partner
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & account management
• Authorization policies

• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
Examples of Customer Responsibilities
• Apply Your Information Management Program – one that integrates Information Assurance
• Standardize Machine Images – create gold copy images for production deployment/to launch new instances
• Build and test in a sandbox environment – work out the bugs, figure out how to break it, architect to be resilient
• Do the same stuff you do in-house – quarterly patch management, IDS/IPS, logging, tripwire, etc.
• Conduct a Risk Assessment – to determine the level of security controls you require
• Role Based Access Controls – restrict access to system components based upon need to know
• Use Encryption – for data in transit, for data at rest, filesystem
• Key Management – rotate keys used to access your resources (AWS does not hold these… you do)
• Setup Monitoring/Alerting – collect metrics and enable alerting for when events occur
• Vulnerability Scans – allowed via a permission process (else we will kill/block the source of scans)
• Prepare for Failure – create backups, store data in more than one location, test backups, have a contingency system ready
Leverage shared security model

Engage with security assessors early in the adoption cycle
• Don't fear assessment – AWS meets high standards (FedRAMP, DoD CSM, PCI, ISO27001, SOC1…)
• As with any infrastructure provider, security assessments take time
• Derive value from architecture reviews early in the deployment cycle

Use the comprehensive materials and certifications provided by AWS
• http://aws.amazon.com/security/
• Risk and compliance paper
• AWS security processes paper
• CSA consensus assessments initiative questionnaire

Build upon features of AWS and implement a 'security by design' environment
Build upon AWS features

Tiered Access
• AWS IAM: control users, and allow AWS to manage credentials in running instances for service access (allocation, rotation)
• APIs vs. Instance: provide developer API credentials and control access to SSH keys separately
• Temporary Credentials: prefer short-lived credentials issued to roles (as with instance roles) over long-lived access keys embedded in instances

Security Groups
• Instance firewalls: firewall control on instances via Security Groups
• CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory, enabled by the programmatic nature of AWS

Amazon VPC
• Subnet control: create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
• Bastion hosts: only allow access for management of production resources from a bastion host. Turn it off when not needed
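An added example (not from the deck) of the "instantly audit" point: the check a practitioner runs over the output of aws ec2 describe-security-groups to find ingress rules that expose SSH or RDP to 0.0.0.0/0, which the bastion-host rule above says should not exist for production resources. The groups, names and IDs below are constructed.

```python
"""Flag security groups that expose admin ports to the whole internet.

Added example, not from the original deck. The input has the shape of
an EC2 DescribeSecurityGroups response (SecurityGroups -> IpPermissions
-> IpRanges); the groups below are constructed, with made-up IDs, to
show one bad rule, one rule correctly limited to a bastion group, and
one 'all traffic' rule.
"""
import json
import sys

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0b2c3d4e", "GroupName": "app-prod",
     "IpPermissions": [
         # SSH only from the bastion's security group: the pattern the slide recommends.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bast10n"}]},
     ]},
    {"GroupId": "sg-0c3d4e5f", "GroupName": "legacy-all-open",
     "IpPermissions": [
         # IpProtocol "-1" is all protocols and all ports; no FromPort/ToPort keys.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "UserIdGroupPairs": []},
     ]},
]


def _covers(perm, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _open_to_world(perm):
    """True if any source range of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def world_open_admin_ports(groups):
    """Return (GroupId, GroupName, port, service) for each admin port open to the world."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not _open_to_world(perm):
                continue
            for port, service in sorted(ADMIN_PORTS.items()):
                if _covers(perm, port):
                    findings.append((sg["GroupId"], sg["GroupName"], port, service))
    return findings


if __name__ == "__main__":
    # Pipe `aws ec2 describe-security-groups` into this script; with no
    # piped input the constructed sample is audited instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"SecurityGroups": SAMPLE_GROUPS}
    for gid, name, port, svc in world_open_admin_ports(data["SecurityGroups"]):
        print(f"{gid} ({name}): {svc} port {port} open to 0.0.0.0/0")
```

The fix for each finding is the app-prod pattern: replace the 0.0.0.0/0 source with the bastion host's security group ID, so management access only ever arrives through the bastion.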
Build upon AWS features

AWS CloudHSM
• Store your cryptographic keys: use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys
• Migrate cryptographic applications: use AWS CloudHSM in conjunction with your compatible on-premise HSMs to replicate keys among on-premise HSMs and CloudHSMs

AWS Direct Connect & VPN
• Private connections to Amazon VPC: secured access to resources in AWS over software or hardware VPN and dedicated network links
4. Architect to use cloud strengths
Architect to use cloud strengths
• Review application architectures early – assess fit for cloud? e.g. variable capacity requirements, 'standard' technology stacks, reference architectures (http://aws.amazon.com/architecture)
• Can cloud benefits be leveraged with minimum effort outlay? e.g. application performance improvement by migration of static content to Amazon S3/CloudFront
• Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments
• Can automation lead to a more agile & secure service? e.g. fully scripted deployments, AWS IAM & EC2 instance roles, rolling deployments
Architect to use cloud strengths
• Disposable compute: design systems that can suffer instance loss; dispose of compute when it is not required
• Flexible capacity: design for systems that potentially scale from zero instances to hundreds; use Auto Scaling (events, schedules etc) to drive capacity availability
• Cost effective & reliable storage: utilize the 99.999999999% durability of objects in S3; scale databases with RDS and use DynamoDB for high throughput NoSQL
• Automation and control: automate everything from scaling to instance recovery from failure
Bootstrapping – custom AMIs
1 Create an instance of your OS choice
2 Configure the environment
3 Install software
4 Create an Amazon Machine Image (AMI) from the instance
5 Launch fully configured instances from the AMI
The resulting custom machine image feeds Auto Scaling, manual deployments and programmatic deployments alike.
Bootstrapping – metadata service
The metadata service contains a wealth of information about an instance, reachable from inside the instance at:
http://169.254.169.254/latest/meta-data
ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id
An instance launched from a custom or standard machine image queries the metadata service to receive the custom data that drives its bootstrapping.

+ user data
Scripts in the user-data field (http://169.254.169.254/latest/user-data) are executed on launch, by cloud-init on Linux AMIs such as Amazon Linux, e.g.
  #!/bin/sh
  yum -y install httpd
  chkconfig httpd on
  /etc/init.d/httpd start
Or, on Windows, by EC2Config:
  <powershell>
  …
  </powershell>
Typical bootstrapping tasks:
• Install software e.g. web server, app server, proxy
• Pull data and application packages from Amazon S3
• Publish metadata for the instance to other systems e.g. monitoring systems
• Set up the security profile of the instance based upon intended use e.g. pull latest config
Anything placed in user data is readable by every process on the instance via this endpoint, so keep credentials out of it: use an IAM instance role for the S3 pulls and config fetches above.
1. Use Multiple Availability Zones
2. Use Amazon RDS with Replicas and Standby
3. Use Auto Scaling groups
4. Use Elastic Load Balancing
5. Use Amazon Route 53 to host DNS zones
Three Services: Better Together
Amazon CloudWatch, Auto Scaling and Elastic Load Balancing

Architect to use cloud strengths

Auto Scaling
• Dynamically scale resources & control costs: only provision the resources that are required, with scale up and cool down policies that match demand
• Easy setup for developers and administrators via the AWS Management Console

Elastic Load Balancing
• Use at regional level: combined with Auto Scaling, ELB will balance requests and resource capacity across Availability Zones
• Within Amazon VPC: use to load balance between application tiers within an Availability Zone
• Instance migrations: easily move instances from dev environments to test environments by moving between ELBs

Amazon Route 53
• Leverage SLA: improve application reliability with Amazon Route 53's SLA on requests served
• Weighted routing: perform A/B analysis and staged application roll-outs by moving a portion of traffic to new infrastructure
• Health checks: DNS health checks and health-based failover
• Latency Based Routing: route end users to lowest-latency endpoints

Amazon RDS
• Scale databases without admin overhead: choose the instance size for databases and scale up over time
• Add high availability from the management console: create Multi-AZ deployments and Read Replicas. AWS takes care of the failover and recreation of a new standby in the event of master DB loss
5. Be elastic and cost optimized

Pricing & cost optimization (Amazon EC2)
Many pricing models to support different workloads
• Free Tier: get started on AWS with free usage & no commitment. For POCs and getting started
• On-Demand: pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs
• Reserved: make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilization
• Spot: bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads
• Dedicated: launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance related workloads
Auto Scaling policies
• Manually: send an API call or use the CLI to launch/terminate instances – only the capacity change (+/-) needs to be specified
• By Schedule: scale up/down based on date and time
• By Policy: scale in response to changing conditions, based on user configured real-time monitoring and alerts
• Auto-Rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs
Optimizing Costs With RIs (figure): instances running over a 24-hour period, layered as Heavy Utilization RI, Medium Utilization RI, Light Utilization RI and On Demand capacity.
Instance types
• Start: choose the instance that meets your basic requirements best; match memory & virtual cores
• Tune: change instance size up or down based upon monitoring; use Trusted Advisor to assess
• Scale: run instances across multiple Availability Zones; smaller sizes equals greater granularity
Purchase RIs after the application has been tuned and utilization patterns are established
AWS Cost Explorer (figure): AWS monthly spend, and monthly spend by service.
AWS Support
AWS Support is a Global Organization
AWS Support Plans
• Basic Support – Free: contact Customer Service for account and billing questions and receive technical support for resources that don't pass system health checks.
• Developer-level Support – Starting at $49/month: get started on AWS – ask technical questions and get a response to your web case within 12 hours during local business hours.
• Business-level Support – Starting at $100/month: 24/7/365 real-time assistance by phone and chat, a 1 hour response to web cases, and help with 3rd party software. Access Trusted Advisor to increase performance, fault tolerance, security, and potentially save money.
• Enterprise-level Support – Starting at $15,000/month: 15 minute response to web cases, an assigned technical account manager (TAM) who is an expert in your use case, and white-glove case handling that notifies your TAM and the service engineering team of a critical issue.
AWS Trusted Advisor
• Since the beginning of the year, customers have viewed over 700K Trusted Advisor recommendations, and have reduced their AWS spend by over $140M
• 31 checks in four categories (Cost Optimizing, Security, Fault Tolerance, and Performance)
• Recommendations are accessible via the Support API
Bottom line

Cloud computing bottom line (figure)
• On-premise infrastructure: 70% managing all of the "undifferentiated heavy lifting", 30% your mission
• AWS cloud-based infrastructure: 30% configuring your cloud assets, 70% your mission – more time to focus on your mission
Thank You
STEVEN BRYEN
sbryen@amazon.com
@steven_bryen