Covers a broad overview of how to use AWS for building a scalable web app. Covers some of the AWS services in depth, and also gives recommendations on many services.
8. About Me
Josh Padnick
josh.padnick@gmail.com
602.432.3789
http://JoshPadnick.com
• Founded healthcare IT company where we used AWS for 5+ years.
• Built three major products for hundreds of thousands of users on AWS.
• Hosted 150+ websites on AWS.
• Professional AWS Consultant.
10. It’s what Amazon built internally to
power their own site.
They architected it so abstractly that it
wasn’t even specific to Amazon!
11. AWS is a suite of IT services used
to build or manage software
faster, cheaper, and at scale.
12. • Compute Services give you on-demand virtual machines.
• Storage Services let you store large blocks of unstructured content.
• Database Services allow you to store structured and unstructured data in a variety of ways.
• Networking Services provide technologies for identifying (DNS) resources and connecting
resources to on-premises assets.
• Messaging Services enable rich communication scenarios between systems or components.
• Content Delivery Services provide edge locations for frequently accessed content.
• Deployment and Management Services enable packaging, securing, and monitoring AWS
applications.
• Big Data Services include tools for ingesting, processing, and storing huge amounts of data.
• Mobile Services include tools for sending push notifications, and streamlining app
development.
SOURCE: “AWS Developer Fundamentals” by Richard Seroter. Pluralsight.
31. For the scalable web app,
80%+ of your work will be in just three services.
32. If you want to explore more
about any use case, check out
http://aws.amazon.com/solutions/
I listed just 5 use cases and AWS lists 18! Think of my 5 as the major forests.
AWS is just being extra helpful with every tree it can think of.
33. We’ll go into detail on that shortly.
First, let’s talk about:
Key Ideas in AWS
34. Key Idea #1
Make your app resilient by using
global regions & availability zones
INSPIRATION: “AWS Developer Fundamentals” by Richard Seroter. Pluralsight.
38. Key Idea #1
• Building across regions is very challenging.
• Building across availability zones is straightforward.
• You can basically purchase (in time and money) the
amount of resilience you want!
41. Key Idea #2
• There are almost never upfront fees in AWS.
• You pay only for what you use.
• EC2 Instances per hour
• S3 files per GB stored / transferred
• etc.
• You can stop and start instances as you need them
before you launch your app.
• You can start with small (or even burstable!) instances,
and easily change your instance type later.
44. Key Idea #3
• Early versions of the AWS docs just stopped short of telling you
instances would fail on a periodic basis.
• Instances are now very reliable, but you should still assume they
could fail at any time.
• When they inevitably do, this is not “something unexpected”, it’s
just another state you expect your infrastructure may enter.
• On the other hand, all AWS services have built in reliability /
fault tolerance.
• Note that there have been isolated stories of businesses going
under when their AWS account was hijacked. So, it’s always a
good idea to keep your most important data on a different
AWS account or location.
45. Key Idea #4
Everything’s an API call away.
Sometimes exclusively.
46.
47. Key Idea #4
• AWS builds their APIs first.
• Then they upgrade their AWS Console.
• Sometimes the console only implements a subset of the
API!
• It would be possible to build a complete AWS console
on your own using only their APIs. Often used for cloud
management providers, other partner vendors.
49. Key Idea #5
• AWS does give you many ways to “scale up”.
• In the short-term, “scale up” is definitely easier.
• But it’s best if you build your architecture to “scale out”
• This is most challenging at the database level. Which is
why AWS offers RDS and DynamoDB.
• Even if you can’t build perfectly “horizontally scaling”
architectures, you should have that in mind as the ideal.
69. Instance
Type
vCPU Memory
(GiB)
Storage
(GB)
Network
ing
Physical
Process
Clock
Speed
Intel®
AES-NI
Intel®
AV
Intel®
Turbo
EBS
OPT
Enhance
t2.micro 1 1 EBS d
Only
Low to
Moderat
Intel
Xeon
2.5 Yes Yes Yes - -
t2.small 1 2 EBS
Only
Low to
Moderat
Intel
Xeon
2.5 Yes Yes Yes - -
t2.mediu
m
2 4 EBS
Only
Low to
Moderat
Intel
Xeon
2.5 Yes Yes Yes - -
m3.medi
um
1 3.75 1 x 4
SSD
Moderat
e
Intel
Xeon
2.5 Yes Yes Yes - -
m3.large 2 7.5 1 x 32
SSD
Moderat
e
Intel
Xeon
2.5 Yes Yes Yes - -
m3.xlarg
e
4 15 2 x 40
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes -
m3.2xlar
ge
8 30 2 x 80
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes -
c3.large 2 3.75 2 x 16
SSD
Moderat
e
Intel
Xeon
2.8 Yes Yes Yes - Yes
c3.xlarge 4 7.5 2 x 40
SSD
Moderat
e
Intel
Xeon
2.8 Yes Yes Yes Yes Yes
c3.2xlarg
e
8 15 2 x 80
SSD
High Intel
Xeon
2.8 Yes Yes Yes Yes Yes
c3.4xlarg
e
16 30 2 x 160
SSD
High Intel
Xeon
2.8 Yes Yes Yes Yes Yes
c3.8xlarg
e
32 60 2 x 320
SSD
10
Gigabit
Intel
Xeon
2.8 Yes Yes Yes - Yes
g2.2xlarg
e
8 15 1 x 60
SSD
High Intel
Xeon
2.6 Yes - - Yes -
r3.large 2 15.25 1 x 32
SSD
Moderat
e
Intel
Xeon
2.5 Yes Yes Yes - Yes
r3.xlarge 4 30.5 1 x 80
SSD
Moderat
e
Intel
Xeon
2.5 Yes Yes Yes Yes Yes
r3.2xlarg
e
8 61 1 x 160
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes Yes
r3.4xlarg
e
16 122 1 x 320
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes Yes
r3.8xlarg
e
32 244 2 x 320
SSD
10
Gigabit
Intel
Xeon
2.5 Yes Yes Yes - Yes
i2.xlarge 4 30.5 1 x 800
SSD
Moderat
e
Intel
Xeon
2.5 Yes Yes Yes Yes Yes
i2.2xlarg
e
8 61 2 x 800
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes Yes
i2.4xlarg
e
16 122 4 x 800
SSD
High Intel
Xeon
2.5 Yes Yes Yes Yes Yes
i2.8xlarg
e
32 244 8 x 800
SSD
10
Gigabit
Intel
Xeon
2.5 Yes Yes Yes - Yes
hs1.8xlar
ge
16 117 24 x
2,000
10
Gigabit
Intel
Xeon
2 Yes - - - -
70. CATEGORY INSTANCE TYPES
General
Purpose
T2, M3
• When your’e starting out, you can just use the general
purpose line.
• The T2 line is especially good for servers that often sit idle,
but then need a burst of performance (e.g. low-traffic web
servers, build servers, etc.)
71. Instance Type vCPU Memory (GiB) Storage (GB) Networking
Performance
Physical
Processor
Clock Speed
(GHz)
t2.micro 1 1 EBS Only Low to Moderate Intel Xeon family 2.5
t2.small 1 2 EBS Only Low to Moderate Intel Xeon family 2.5
t2.medium 2 4 EBS Only Low to Moderate Intel Xeon family 2.5
m3.medium 1 3.75 1 x 4 SSD Moderate
Intel Xeon
E5-2670 v2* 2.5
m3.large 2 7.5 1 x 32 SSD Moderate
Intel Xeon
E5-2670 v2*
2.5
m3.xlarge 4 15 2 x 40 SSD High
Intel Xeon
E5-2670 v2* 2.5
m3.2xlarge 8 30 2 x 80 SSD High
Intel Xeon
E5-2670 v2* 2.5
73. EBS Volumes are basically
“virtual hard drives”
• EBS = Elastic Block Store
• You can provision hard drives at the block level,
which means AWS doesn’t care which file system
you format it with (e.g. EXT4, ZFX, NTFS)
• You can even create RAID arrays.
• If you need extra performance, you can pay for
higher IOPS.
74.
75. You can create EBS volumes
directly. But usually, you create
them as part of your EC2 instance.
76. But you may want to attach
multiple EBS volumes to the
same EC2 instance.
78. A key pair is just an SSH private key
+ its corresponding public key.
79. • You can upload your own keys.
• Or AWS creates them for you.
• Linux
• Use your key to SSH into the instance
• Windows
• Use your key to get the RDP password of the instance
80.
81. • Best practice is to use a bastion host.
• This means you have one instance that is accessible
via SSH from the outside (locked down only to
specific IP addresses).
• Once in the bastion host, then you can SSH into
other instances.
86. • Create one security group for each “tier” in your app.
• You should have a single security group for allowing
“outside access” from specific IPs (the bastion host
security group)
• Be paranoid and restrictive. There are lots of bots
out there!
92. • This means you can re-assign an elastic IP address
from a failed instance to a working one.
• Basically, your server and your IP address are no
longer bound to each other.
99. EBS Volumes are basically
“virtual hard drives”
• We can take snapshots of an EBS volume.
• This means we can instantly clone the EBS volume
and attach it to another instance.
100. EC2 Instances are “backed” by
EBS Volumes
• We can take snapshots of these EBS volumes, too.
• When we take a snapshot of EBS volumes as part
of an EC2 instance, we wind up creating an
Amazon Machine Image.
102. AWS has prepared useful AMIs for us.
• Windows Server 2008 / 2012
• With or without paid Microsoft software
• Multiple Linux distros
• Ubuntu
• Suse
• Amazon Linux
103.
104.
105.
106.
107.
108.
109.
110.
111. Reserved Instances
• Use Reserved Instances to save money. These
are a billing concept only; they have no effect on
anything else.
• If you can prepay for 1 year, save 40%.
• If you can prepay for 3 years, save 60%
119. VPC
Network ACL Network ACL
Subnet B
Subnet A
Instance Instance
120.
121. VPC Recommendations
• VPCs are a great way to logically group your instances into
different “clusters”, both for security and management.
• If you can, setup one public (exposed to Internet) subnet
each in two different Availability Zones (AZ’s), and one
private subnet each two different AZ’s.
• Use Network ACLs for high-level filtering rules (e.g.
connecting Subnet A to Subnet B). Instance-level rules have
an additional management overhead.
127. S3 Buckets
• Buckets are “holding tanks” for files and folders.
• Bucket names must be globally unique across an AWS
region. For example, you can’t have two buckets
named “A” in the us-west-2 region.
• Buckets have properties which govern all files stored
in them (examples shortly)
129. Cool Things About
S3 Buckets
• If enabled, you can preserve, retrieve, and
restore every version of every object stored in
this bucket.
• Of course, you also pay to store every version of
every object, so tread carefully here.
130. Neat Things About
S3 Buckets
• You can setup “Rules” for a bucket which take effect
on all files or only certain folders in that bucket.
• Example: auto-delete all files X days after they’re created
• Example: automatically move all files to Glacier X days
after they’re created.
• Example: first delete, then archive.
131. Helpful Things About
S3 Buckets
• You can limit permissions to buckets by IAM
Roles.
• More on IAM in a bit. But for now, note that you can
allow only certain instances or certain logged in users
to your AWS console to access certain S3 folders.
133. us-west-2 region us-east-1 region
Files and Folders
S3 Bucket “A” S3 Bucket “A”
S3 Bucket “B” S3 Bucket “B”
134. Files and Folders in S3
• Basically works like a standard file system.
• Files can have granular access permission
• Files can have public read permissions or not.
• Files can be accessed with a temporary token so that
when a user downloads one in your app, he can’t take
that URL and use it again the next day.
135. Helpful Things About
Files and Folders in S3
• Files can be encrypted server-side by AWS
• You basically check a box indicating you want encryption.
• Then you trust that Amazon actually encrypts it. AWS handles
all encryption on their end. You don’t change anything on yours.
• Costs nothing.
• If you want to supply the encryption keys, AWS will support that,
too.
136. S3 Recommendations
• Namespace your buckets (e.g. “padnick-dcc14”)
• Intelligently use auto-delete rules to save on cost. If you’re
paranoid about needing the files, then archive to Glacier.
• Use very thoughtful folder names in your buckets, then you can
apply folder-specific rules. e.g. “builds”, “backup”, “temp”, etc.
• S3 is a great place for key storage (but obviously doesn’t
provide key management).
138. • Use IAM to give each member of your team a
unique login.
• Never share your root password among
everyone!
• You can also use IAM to give permissions to
individual EC2 instances for other AWS
resources (e.g. S3 buckets)
139. IAM Recommendations
• Setup your master account, and then put that
user/pass in a vault and never give it to anyone!
• Each engineer should have his own IAM login.
• Consequences of a bad actor accessing your AWS
account are catastrophic, so please use MFA.
• Even if you don’t plan on using IAM roles, create
them and assign them to instances at launch time.
144. • Pick your AWS use case, then dive in.
• EC2, VPC, and S3 are the most popular
services.
• Take the time to learn about IAM. It’s not
difficult, and will dramatically improve your
security posture.
• The best way to learn is by doing!
145. Thank you,
Now go build something cool!
Josh Padnick
josh.padnick@gmail.com
602.432.3789
http://JoshPadnick.com