Running Mission Critical Workloads on AWS
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Running Mission Critical Workloads on AWS
Rebeker Choi, Solutions Architect, AWS
October 16, 2018
2.
Sponsor
3.
What to Expect from the Session
• Walk through the best practices for deploying business-critical applications
• Dive deep into secure, highly available and scalable architectures
• Learn about AWS tools that will make you successful in deployment and management
4.
Why are customers running critical workloads on AWS?
5.
Why run critical workloads on AWS
Security & Reliability: security-in-layers approach
Performance: extensive VM and network performance options
Experience: building and managing cloud since 2006
Scale & Reliability: 18 regions, 55 availability zones, 100+ edge locations
Ecosystem: thousands of partners; 2,500+ Marketplace products
6.
What is a Business Critical Application?
7.
Anatomy of a critical workload
Secure: holds sensitive data; liability if breached or deleted
Available: large-scale customer impact if not available
Resilient: loss of data, destruction of IP, productivity penalty
Material Impact: > 100 users, > $10K per minute, contractual liability
8.
Business Applications on AWS
Today AWS customers run a wide array of business applications
Vendor Applications
SAP Business Suite, NetWeaver, BusinessObjects, B1, HANA
Oracle E-Business, PeopleSoft, Siebel, JDE, Database 11g/12c
Microsoft SharePoint, Exchange, Dynamics, SQL Server
IBM WebSphere, DataStage
Infor LN, M3, Syteline, Lawson
Companies of all sizes run business applications
9.
The Global Infrastructure
10.
(diagram of the AWS global infrastructure)
11.
Resiliency starts with the core infrastructure
REGION: an independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements.
12.
Resiliency starts with the core infrastructure
Availability Zones (diagram: one Region containing AZ A, AZ B and AZ C)
Low latency ensures real data replication; distance ensures high availability.
13.
Resiliency starts with the core infrastructure
Availability Zones (diagram: one Region containing AZ A, AZ B and AZ C)
Low latency ensures real data replication; distance ensures high availability.
Availability Zone: designed as independent failure zones, physically separated within a typical metropolitan region.
14.
AZ – Availability Zone
Each availability zone runs on its own physically distinct, independent infrastructure (diagram: Zone A and Zone B, each with the following):
Network: multiple tier-1 transit providers
Power: isolated electrical grids, UPS, onsite backup generator
Geo: isolated fault lines, flood plains
15.
AZ – Availability Zone
(diagram: Zone A and Zone B, each with its own Network (multiple tier-1 transit providers), Power (isolated electrical grids, UPS, onsite backup generator) and Geo (isolated fault lines, flood plains); a Load Balancer fronts a Web server in each zone; the DB Master in Zone A replicates to the DB Slave in Zone B; each zone has its own Storage; single-digit ms latency between zones)
16.
Availability
17.
Multi-AZ Deployment
(diagram: VPC 10.1.0.0/16 spanning Availability Zone A and Availability Zone B; each AZ holds one Public Subnet and two Private Subnets)
Subnets: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24
18.
Multi-AZ Deployment
(diagram: Users reach the Load Balancer on TCP 80; the Load Balancer fronts a WEB/App instance in a private subnet of each of Availability Zone A and B; a DB instance sits in a private subnet of each AZ; each AZ also has a public subnet)
19.
Options for Deploying SQL Server on AWS
Column 1: Databases on Amazon EC2 (customer-managed); column 2: Amazon RDS (AWS-managed)
Versions Supported: EC2: any DBs | RDS: MSSQL, Oracle, MySQL, Postgres, MariaDB
High Availability: EC2: self-managed; AlwaysOn, Mirror, Log Ship | RDS: AWS-managed, Multi-AZ
Encryption: encrypted storage using AWS KMS (all editions); TDE support
Backups: EC2: maintenance plans & third-party tools | RDS: managed automated backups
Database: DB install / maintenance / patching (EC2: customer-managed | RDS: AWS-managed)
Operating System: OS install / maintenance / patching (EC2: customer-managed | RDS: AWS-managed)
20.
What does it look like after RDS is up?
(diagram: an AWS Region with VPC 10.1.0.0/16; the primary RDS instance in Availability Zone A, subnet 10.1.1.0/24, replicates synchronously to a standby of the same instance type as the master in Availability Zone B, subnet 10.1.2.0/24; the Application connects to the endpoint dbinstancename.1234567890.us-west-2.rds.amazonaws.com:3006; failover is automatic)
• Managed high availability across multiple datacenters
• No application code change
• 60-120 seconds failover time
• RPO = zero
21.
Multi-AZ Deployment
(diagram: Users reach the Load Balancer on TCP 80; one WEB/App instance in a private subnet of each of Availability Zone A and B, plus a public subnet in each AZ)
Benefits:
✓ Improved high availability across multiple availability zones
✓ Offload operation tasks to AWS
✓ AWS deals with licenses
22.
Scalability & Performance
23.
Upgrade Your Compute
From M2 (2nd generation compute) to M4 (4th generation compute)
24.
Increase your server farm's capacity
Vertical Scaling (CPU, disk read/write, network in/out): e.g. from m4.large (2 vCPU, 8GB RAM) to m4.xlarge (4 vCPU, 16GB RAM)
Horizontal Scaling: e.g. from three m4.large instances to eight m4.large instances
25.
Web/App tier - Auto-Scaling
(diagram: Users reach the Load Balancer on TCP 80; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B)
Auto-scaling based on different metrics, e.g. CPU, memory, network, number of requests, etc.
26.
Database tier – scale up
(diagram: Users reach the Load Balancer on TCP 80; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B; the database tier sits behind them)
• For commercial databases like Oracle and SQL Server, only vertical scaling is supported
• Offload the database by caching
27.
Scalability & Performance
(diagram: Users reach the Load Balancer on TCP 80; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B)
Benefits:
✓ Improved high availability across multiple availability zones
✓ Offload operation tasks to AWS
✓ AWS deals with licenses
✓ Improved scalability & performance
28.
Security
29.
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
Customer content
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
30.
Inherit global security and compliance controls
https://aws.amazon.com/compliance/programs/
https://aws.amazon.com/artifact/
31.
VPC firewall - Security Groups
(diagram: Users reach the Load Balancer on TCP 80; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B)
Web Security Group: accept port 80 from LB
SQL Security Group: accept port 1433 from Web
Inbound Security Group SG-WebTier:
Traffic from | Protocol | L4 Port | Action
SG-WebELB | HTTP | TCP 80 | Allow
* | * | * | Deny
• Security Groups
• Built-in feature of VPC
• Restrict in/out traffic of EC2 instances based on source, port, protocol
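As an added example (not code from the deck or from AWS), a small audit of the two ingress policies on this slide, run over a constructed sample in the shape of EC2 DescribeSecurityGroups output. The group ids sg-webtier, sg-webelb and sg-sql are assumed names standing in for SG-WebTier, SG-WebELB and the SQL security group.

```python
# Added example (not AWS code): audit security-group ingress against the tiered
# policy on the slide. Input mirrors the shape of EC2 DescribeSecurityGroups;
# group ids and rules are constructed sample data.

# Expected ingress per group: {group_id: {(from_port, to_port, source_group_id)}}
# sg-webtier / sg-webelb / sg-sql stand in for SG-WebTier, SG-WebELB and the SQL SG.
POLICY = {
    "sg-webtier": {(80, 80, "sg-webelb")},
    "sg-sql": {(1433, 1433, "sg-webtier")},
}

# Constructed sample: the SQL group carries an extra rule opening 1433 to any IPv4 source.
SAMPLE_GROUPS = [
    {"GroupId": "sg-webtier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-webelb"}]}]},
    {"GroupId": "sg-sql", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-webtier"}]},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def audit_security_groups(groups, policy=POLICY):
    """Return (group_id, message) findings for groups named in policy; [] means compliant."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        if gid not in policy:
            continue  # groups outside the tiered design are not covered by this check
        seen = set()
        for perm in group.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":  # "all traffic": no port fields, fails the policy outright
                findings.append((gid, "allows all protocols and ports"))
                continue
            # The slide's tables name only security-group sources; any CIDR is a deviation.
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings.append((gid, f"CIDR source {cidr} on {proto} {lo}-{hi}; expected a security-group source"))
            for pair in perm.get("UserIdGroupPairs", []):
                rule = (lo, hi, pair["GroupId"])
                if proto == "tcp" and rule in policy[gid]:
                    seen.add(rule)
                else:
                    findings.append((gid, f"unexpected rule {proto} {lo}-{hi} from {pair['GroupId']}"))
        for lo, hi, src in sorted(policy[gid] - seen):  # implicit deny covers the rest
            findings.append((gid, f"missing required rule tcp {lo}-{hi} from {src}"))
    return findings
```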
32.
Data Encryption with AWS (in-transit)
Between your network and VPC
• IPSec VPN
• AWS virtual private gateway, fully managed and highly redundant, allows you to establish redundant tunnels
• Direct Connect (optional): private connectivity
Between your apps and your app's end users
• TLS certificates
• Secure network communication over the Internet
• Uses X.509 certificates to authenticate both the client and the back-end application
(diagram: Customer DC 192.168.1.0/16 connected to Customer VPC 10.0.0.0/16 by IPSec VPN tunnels; end users reach CloudFront over HTTPS; CloudFront reaches the ELB and the ELB reaches Web/App over HTTP(S))
33.
Secure Hybrid Connectivity
(diagram: Users reach the Load Balancer on TCP 80; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B; Web Security Group accepts port 80 from the LB; SQL Security Group accepts port 1433 from Web; the Corporate Office connects to the VPC by IPSec VPN / Direct Connect)
• IPSec VPN between AWS VPC and on-premises DC network
• AWS Direct Connect – private connectivity for workloads with high data sensitivity
34.
Data Encryption with AWS (at-rest)
• Data encryption of server and database storage
• Centralized key management (create, delete, view, set policies)
• Import your own keys
• Enforced, automatic key rotation
• Fully auditable
• Option for dedicated, hardware-based cryptographic key storage using AWS CloudHSM
(diagram: KMS provides fully managed keys to EBS, RDS, Amazon Redshift, S3 and Glacier; AWS IAM gives restricted access; AWS CloudTrail makes key use fully auditable; data encrypted in transit and at rest; PCI DSS 3.1)
35.
Encryption
Encryption at rest: EBS with KMS, RDS with KMS
Simply check a box! (diagram: the encryption option on an EBS Volume and on RDS)
36.
Encrypting Data At Rest
(diagram: Users reach the Load Balancer over HTTPS; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B; Web Security Group accepts port 80 from the LB; SQL Security Group accepts port 1433 from Web; the Corporate Office connects by IPSec VPN / Direct Connect)
In each Availability Zone:
• VM volume encryption
• Database encryption
37.
AWS CloudTrail
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS accounts
• Provide visibility into your user and resource activity
Who, What, Where from, Where to, When
38.
AWS Services can automate Regulatory Compliance to Increase Pace of Innovation
(diagram: Changes feed a Compliance Engine, which triggers an Automated Response)
39.
Out of the box...
• HTTP and HTTPS requests logged with ELB Logging
• API and Console calls logged with CloudTrail Logs
• Network traffic logged with VPC Flow Logs
• VPC change history logged with AWS Config
• IAM Policy and user changes logged with AWS Config
• Application level metrics logged with CloudWatch Logs
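As an added example (not code from the deck or from AWS), the VPC Flow Logs named above checked against the security-group design on the earlier slides: only the web/app tier should reach SQL Server on TCP 1433. The subnet roles and the log records are constructed; the deck gives the VPC 10.1.0.0/16 and its /24s but not which tier each one holds.

```python
# Added example (not AWS code): review VPC Flow Log records for database traffic
# that violates the tiered design (web/app tier only -> SQL Server on TCP 1433).
# Subnet roles and log lines below are constructed assumptions.
import ipaddress
from collections import Counter

# Assumed roles for two of the /24s from the Multi-AZ slide (constructed).
WEB_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.3.0/24", "10.1.4.0/24")]
SQL_PORT, TCP = 1433, "6"

# Constructed default-format (version 2) flow log records. Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaa 10.1.3.25 10.1.5.10 49152 1433 6 12 2400 1539600000 1539600060 ACCEPT OK
2 123456789012 eni-0aaa 10.1.1.7 10.1.5.10 51000 1433 6 8 1200 1539600000 1539600060 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.9 10.1.5.10 40000 1433 6 1 60 1539600000 1539600060 REJECT OK
2 123456789012 eni-0aaa 198.51.100.9 10.1.6.10 40001 1433 6 1 60 1539600000 1539600060 REJECT OK
2 123456789012 eni-0bbb 10.1.4.8 10.1.6.10 49153 1433 6 30 6000 1539600000 1539600060 ACCEPT OK
2 123456789012 eni-0bbb - - - - - - - 1539600000 1539600060 - NODATA
"""


def parse_flow_log(text):
    """Yield dicts for well-formed records; NODATA/SKIPDATA records carry no addresses."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        yield {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": f[7], "action": f[12]}


def from_web_tier(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WEB_SUBNETS)


def find_sql_anomalies(text):
    """Return (accepted flows to 1433 from outside the web tier, rejected attempts per source)."""
    accepted, rejected = [], Counter()
    for rec in parse_flow_log(text):
        if rec["proto"] != TCP or rec["dport"] != SQL_PORT:
            continue
        if rec["action"] == "REJECT":
            rejected[rec["src"]] += 1  # security group / NACL blocked it; still worth seeing
        elif not from_web_tier(rec["src"]):
            accepted.append((rec["src"], rec["dst"]))  # policy gap: this source should not reach SQL
    return accepted, rejected
```

An ACCEPT from a source outside the web subnets means a security group or network ACL is wider than the slide's "accept port 1433 from Web" rule; the rejected counts show which sources are probing the database tier.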
40.
Ubiquitous logging for forensics analysis
(diagram: Users reach the Load Balancer over HTTPS; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B; Web Security Group accepts port 80 from the LB; SQL Security Group accepts port 1433 from Web; the Corporate Office connects by IPSec VPN / Direct Connect; logs flow to S3 buckets for log analytics)
41.
Security
(diagram: Users reach the Load Balancer over HTTPS; an Auto-Scaling Group of WEB/App instances spans the private subnets of Availability Zone A and B; Web Security Group accepts port 80 from the LB; SQL Security Group accepts port 1433 from Web; logs flow to S3 buckets for log analytics)
Benefits:
✓ Improved high availability across multiple availability zones
✓ Offload operation tasks to AWS
✓ AWS deals with licenses
✓ Improved scalability & performance
✓ Improved security posture with cloud-native approach in a cost effective way
42.
Do we hit our objectives?
Secure: encrypting data at rest, IPSec VPN, Security Groups, visibility
Available: multiple Availability Zones, Auto-scaling, Elastic Load Balancing
Resilient: Multi-AZ database, cross-region DR design
Material Impact: Multi-AZ deployment, no data loss, encryption, auto-healing
https://aws.amazon.com/architecture/well-architected/
43.
AWS Facebook Hong Kong Page
44.
Remember to complete your evaluations!
45.
Thank you!
rebeker@amazon.com