AWS Certified Developer Slides v34.pdf

Full Transcript

NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com AWS Certified Developer Associate By Stéphane Maarek...

Course coupon: https://links.datacumulus.com/aws-certified-dev-coupon
Extra practice exams coupon: https://links.datacumulus.com/aws-certified-dev-pt-coupon

Disclaimer: These slides are copyrighted and strictly for personal use only
- This document is reserved for people enrolled into the AWS Certified Developer course by Stephane Maarek
- Please do not share this document, it is intended for personal use and exam preparation only, thank you.
- If you've obtained these slides for free on a website that is not the course's website, please reach out to [email protected]. Thanks!
- Best of luck for the exam and happy learning!

Table of Contents
- Getting Started with AWS
- AWS Identity & Access Management (AWS IAM)
- Amazon EC2 – Basics
- Amazon EC2 – Instance Storage
- High Availability & Scalability
- RDS, Aurora, & ElastiCache
- Amazon Route 53
- Amazon VPC – Basics
- Amazon S3
- AWS CLI, SDK, IAM Roles & Policies
- Amazon S3 – Advanced
- Amazon S3 – Security
- Amazon CloudFront
- Containers on AWS
- AWS Elastic Beanstalk
- AWS CloudFormation
- AWS Integration & Messaging
- AWS Monitoring, Troubleshooting & Audit
- AWS Lambda
- Amazon DynamoDB
- Amazon API Gateway
- AWS CICD
- AWS Serverless Application Model (SAM)
- AWS Cloud Development Kit (CDK)
- Amazon Cognito
- Other Serverless
- Advanced Identity in AWS
- AWS Security & Encryption
- Other Services
- Exam Preparation
- Congratulations
AWS Certified Developer Associate Course – DVA-C02

Welcome!
- We're starting in 5 minutes
- We're going to prepare for the Certified Developer exam – DVA-C02
- It's a challenging certification, so this course will be long and interesting
- We will cover over 30 AWS services
- AWS / IT Beginners welcome! (but take your time, it's not a race)
- You don't need to be a developer to pass this exam
- Even if you've done AWS Certified Solutions Architect, don't skip lectures.

What's AWS?
- AWS (Amazon Web Services) is a Cloud Provider
- They provide you with servers and services that you can use on demand and scale easily
- AWS has revolutionized IT over time
- AWS powers some of the biggest websites in the world, such as Amazon.com and Netflix

What we'll learn in this course
(Service icon grid: Amazon EC2, Amazon ECR, Amazon ECS, AWS Elastic Beanstalk, AWS Lambda, Elastic Load Balancing, Amazon CloudFront, Amazon Kinesis, Amazon Route 53, Amazon S3, Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache, Amazon SQS, Amazon SNS, AWS Step Functions, Amazon EC2 Auto Scaling, Amazon API Gateway, Amazon SES, Amazon Cognito, IAM, AWS KMS, Amazon CloudWatch, AWS Systems Manager, AWS CloudFormation, AWS CloudTrail, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline, AWS X-Ray)

Navigating the AWS spaghetti bowl

Getting started with AWS

AWS Cloud History
- 2002: Internally launched
- 2003: Amazon infrastructure is one of their core strengths. Idea to market
- 2004: Launched publicly with SQS
- 2006: Re-launched publicly with SQS, S3 & EC2
- 2007: Launched in Europe

AWS Cloud Number Facts
- In 2019, AWS had $35.02 billion in annual revenue
- AWS accounts for 47% of the market in 2019 (Microsoft is 2nd with 22%)
- Pioneer and Leader of the AWS Cloud Market for the 9th consecutive year
- Over 1,000,000 active users
- (Gartner Magic Quadrant)

AWS Cloud Use Cases
- AWS enables you to build sophisticated, scalable applications
- Applicable to a diverse set of industries
- Use cases include: Enterprise IT, Backup & Storage, Big Data analytics; Website hosting, Mobile & Social Apps; Gaming

AWS Global Infrastructure
- AWS Regions
- AWS Availability Zones
- AWS Data Centers
- AWS Edge Locations / Points of Presence
- https://infrastructure.aws/

AWS Regions
- AWS has Regions all around the world
- Names can be us-east-1, eu-west-3…
- A region is a cluster of data centers
- Most AWS services are region-scoped
- https://aws.amazon.com/about-aws/global-infrastructure/

How to choose an AWS Region?
If you need to launch a new application, where should you do it?
- Compliance with data governance and legal requirements: data never leaves a region without your explicit permission
- Proximity to customers: reduced latency
- Available services within a Region: new services and new features aren't available in every Region
- Pricing: pricing varies region to region and is transparent in the service pricing page

AWS Availability Zones
- Each region has many availability zones (usually 3, min is 3, max is 6).
- Example: Sydney is ap-southeast-2, with availability zones ap-southeast-2a, ap-southeast-2b and ap-southeast-2c
- Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
- They're separate from each other, so that they're isolated from disasters
- They're connected with high bandwidth, ultra-low latency networking

AWS Points of Presence (Edge Locations)
- Amazon has 400+ Points of Presence (400+ Edge Locations & 10+ Regional Caches) in 90+ cities across 40+ countries
- Content is delivered to end users with lower latency
- https://aws.amazon.com/cloudfront/features/

Tour of the AWS Console
- AWS has Global Services: Identity and Access Management (IAM); Route 53 (DNS service); CloudFront (Content Delivery Network); WAF (Web Application Firewall)
- Most AWS services are Region-scoped: Amazon EC2 (Infrastructure as a Service); Elastic Beanstalk (Platform as a Service); Lambda (Function as a Service); Rekognition (Software as a Service)
- Region Table: https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services

AWS Identity & Access Management (AWS IAM)

IAM: Users & Groups
- IAM = Identity and Access Management, Global service
- Root account created by default, shouldn't be used or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users don't have to belong to a group, and a user can belong to multiple groups
- (Diagram: groups Developers, Operations and Audit Team, with users Alice, Bob, Charles, David, Edward and Fred)

IAM: Permissions
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don't give more permissions than a user needs
- Example policy (read-only access to EC2, ELB and CloudWatch metrics):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "elasticloadbalancing:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }

IAM Policies inheritance
- (Diagram: group policies for Audit Team, Developers and Operations, plus an inline policy, applied to Alice, Bob, Charles, David, Edward and Fred)

IAM Policies Structure
- Consists of:
  - Version: policy language version, always include "2012-10-17"
  - Id: an identifier for the policy (optional)
  - Statement: one or more individual statements (required)
- Statements consist of:
  - Sid: an identifier for the statement (optional)
  - Effect: whether the statement allows or denies access (Allow, Deny)
  - Principal: account/user/role to which this policy applies
  - Action: list of actions this policy allows or denies
  - Resource: list of resources to which the actions apply
  - Condition: conditions for when this policy is in effect (optional)

IAM – Password Policy
- Strong passwords = higher security for your account
- In AWS, you can set up a password policy:
  - Set a minimum password length
  - Require specific character types: uppercase letters, lowercase letters, numbers, non-alphanumeric characters
  - Allow all IAM users to change their own passwords
  - Require users to change their password after some time (password expiration)
  - Prevent password re-use

Multi Factor Authentication - MFA
- Users have access to your account and can possibly change configurations
  or delete resources in your AWS account
- You want to protect your Root Accounts and IAM users
- MFA = password you know + security device you own
- Password + MFA device => Successful login
- Main benefit of MFA: if a password is stolen or hacked, the account is not compromised

MFA devices options in AWS
- Virtual MFA device: Google Authenticator (phone only), Authy (phone only). Support for multiple tokens on a single device.
- Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party). Support for multiple root and IAM users using a single security key
- Hardware Key Fob MFA Device: provided by Gemalto (3rd party)
- Hardware Key Fob MFA Device for AWS GovCloud (US): provided by SurePassID (3rd party)

How can users access AWS?
- To access AWS, you have three options:
  - AWS Management Console (protected by password + MFA)
  - AWS Command Line Interface (CLI): protected by access keys
  - AWS Software Developer Kit (SDK) - for code: protected by access keys
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Don't share them
- Access Key ID ~= username
- Secret Access Key ~= password

Example (Fake) Access Keys
- Access key ID: AKIASK4E37PV4983d6C
- Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq
- Remember: don't share your access keys

What's the AWS CLI?
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
- It's open-source: https://github.com/aws/aws-cli
- Alternative to using the AWS Management Console

What's the AWS SDK?
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
- Embedded within your application
- Supports: SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++); Mobile SDKs (Android, iOS, …); IoT Device SDKs (Embedded C, Arduino, …)
- Example: AWS CLI is built on AWS SDK for Python

IAM Roles for Services
- Some AWS services will need to perform actions on your behalf
- To do so, we will assign permissions to AWS services with IAM Roles
- Common roles: EC2 Instance Roles; Lambda Function Roles; Roles for CloudFormation
- (Diagram: an EC2 Instance (virtual server) with an IAM Role attached, used to access AWS)

IAM Security Tools
- IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials
- IAM Access Advisor (user-level): Access advisor shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies.
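An added example, written for this transcript and not part of the course material: a small Python linter that walks the policy structure from the IAM: Permissions and IAM Policies Structure slides above (Version, Statement, Effect, Action, Resource), checks the required keys, and flags Allow statements that violate least privilege, either `Action: "*"` or a mutating action on `Resource: "*"`. It runs on the slide's read-only example policy and on a constructed over-broad policy for contrast. The split into read-only and mutating actions by verb prefix (Describe/List/Get) is a heuristic of this example, not an AWS rule.

```python
"""Lint IAM policy documents against the structure on the slides and the
least-privilege principle: required keys present, Effect valid, and no
Allow statement that grants every action or mutating actions on every resource."""
import json

# The read-only example policy from the IAM: Permissions slide.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"],
         "Resource": "*"},
    ],
})

# Constructed over-broad policy for contrast (not from the course).
OVER_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DeleteAnyBucket", "Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}
# Heuristic of this example: verbs with these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """'service:Verb' counts as read-only when the verb starts with Describe/List/Get."""
    if action == "*":
        return False
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)

def lint_policy(document):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version should be 2012-10-17")
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        label = statement.get("Sid", f"statement[{index}]")
        missing = REQUIRED_STATEMENT_KEYS - set(statement)
        if missing:
            findings.append(f"{label}: missing required keys {sorted(missing)}")
            continue
        if statement["Effect"] not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
            continue
        if statement["Effect"] == "Deny":
            continue  # Deny statements only take permissions away
        actions = as_list(statement["Action"])
        if "*" in actions:
            findings.append(f"{label}: Action '*' grants every API call")
            continue
        mutating = [a for a in actions if not is_read_only(a)]
        if mutating and "*" in as_list(statement["Resource"]):
            findings.append(f"{label}: mutating actions {mutating} on Resource '*'")
    return findings

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("over-broad", OVER_BROAD_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

The read-only policy produces no findings because every action is a Describe/List/Get call; the over-broad one is flagged twice, once for the wildcard action and once for a delete on every resource.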
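The IAM Credentials Report described above is a CSV. As an added example that is not course material, here is a Python audit of such a report that flags console users (root included) without MFA and active access keys that have not been rotated recently; these correspond to the "enable MFA" and "rotate your keys" guidance the course gives. The embedded report is constructed and carries only a subset of the real report's columns (the column names used are the ones AWS emits); the 90-day rotation threshold, the audit date and the account id 111111111111 are assumptions of the example.

```python
"""Audit an IAM credential report (the account-level CSV described on the
IAM Security Tools slide) for console users without MFA and for active access
keys that have not been rotated recently."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a credential report: a subset of the real
# report's columns, using the values AWS emits (ISO-8601 timestamps, 'N/A',
# 'not_supported' for the root password field, 'true'/'false' flags).
# The account id 111111111111 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-10T09:00:00+00:00,true,true,true,2023-11-20T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-10T09:05:00+00:00,true,false,true,2022-01-05T12:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T00:00:00+00:00,false,false,true,2023-12-01T00:00:00+00:00,true,2021-06-01T00:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                          # rotation threshold (assumption)
AUDIT_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible

def parse_time(value):
    """Report timestamps are ISO 8601; N/A / no_information / not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now=AUDIT_TIME, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs. Root appears as <root_account> with
    password_enabled=not_supported, so it is checked for MFA like a console user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to rotate
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {slot} older than {max_key_age.days} days"))
    return findings

def audit_sample():
    return audit_credential_report(SAMPLE_REPORT)

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On the sample, the root account and bob are flagged for missing MFA, and bob's and ci-deploy's stale keys are reported; alice, who has MFA and a recently rotated key, produces nothing. In practice the CSV comes from the credential report download in the IAM console or the CLI, and the audit date is the current time.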
IAM Guidelines & Best Practices
- Don't use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
- Never share IAM users & Access Keys

Shared Responsibility Model for IAM
- AWS: Infrastructure (global network security); Configuration and vulnerability analysis; Compliance validation
- You: Users, Groups, Roles, Policies management and monitoring; Enable MFA on all accounts; Rotate all your keys often; Use IAM tools to apply appropriate permissions; Analyze access patterns & review permissions

IAM Section – Summary
- Users: mapped to a physical user, has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instances or AWS services
- Security: MFA + Password Policy
- AWS CLI: manage your AWS services using the command-line
- AWS SDK: manage your AWS services using a programming language
- Access Keys: access AWS using the CLI or SDK
- Audit: IAM Credential Reports & IAM Access Advisor

Amazon EC2 – Basics

Amazon EC2
- EC2 is one of the most popular of AWS' offerings
- EC2 = Elastic Compute Cloud = Infrastructure as a Service
- It mainly consists of the capability of:
  - Renting virtual machines (EC2)
  - Storing data on virtual drives (EBS)
  - Distributing load across machines (ELB)
  - Scaling the services using an auto-scaling group (ASG)
- Knowing EC2 is fundamental to understanding how the Cloud works

EC2 sizing & configuration options
- Operating System (OS): Linux, Windows or Mac OS
- How much compute power & cores (CPU)
- How much random-access memory (RAM)
- How much storage space: Network-attached (EBS & EFS); hardware (EC2 Instance Store)
- Network card: speed of the card, Public IP address
- Firewall rules: security group
- Bootstrap script (configure at first launch): EC2 User Data

EC2 User Data
- It is possible to bootstrap our instances using an EC2 User data script.
- Bootstrapping means launching commands when a machine starts
- That script is only run once at the instance's first start
- EC2 user data is used to automate boot tasks such as: Installing updates; Installing software; Downloading common files from the internet; Anything you can think of
- The EC2 User Data Script runs with the root user

Hands-On: Launching an EC2 Instance running Linux
- We'll be launching our first virtual server using the AWS Console
- We'll get a first high-level approach to the various parameters
- We'll see that our web server is launched using EC2 user data
- We'll learn how to start / stop / terminate our instance.
EC2 Instance Types - Overview
- You can use different types of EC2 instances that are optimised for different use cases (https://aws.amazon.com/ec2/instance-types/)
- AWS has the following naming convention: m5.2xlarge
  - m: instance class
  - 5: generation (AWS improves them over time)
  - 2xlarge: size within the instance class

EC2 Instance Types – General Purpose
- Great for a diversity of workloads such as web servers or code repositories
- Balance between: Compute; Memory; Networking
- In the course, we will be using the t2.micro which is a General Purpose EC2 instance
- * this list will evolve over time, please check the AWS website for the latest information

EC2 Instance Types – Compute Optimized
- Great for compute-intensive tasks that require high performance processors: Batch processing workloads; Media transcoding; High performance web servers; High performance computing (HPC); Scientific modeling & machine learning; Dedicated gaming servers
- * this list will evolve over time, please check the AWS website for the latest information

EC2 Instance Types – Memory Optimized
- Fast performance for workloads that process large data sets in memory
- Use cases: High performance, relational/non-relational databases; Distributed web scale cache stores; In-memory databases optimized for BI (business intelligence); Applications performing real-time processing of big unstructured data
- * this list will evolve over time, please check the AWS website for the latest information

EC2 Instance Types – Storage Optimized
- Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage
- Use cases: High frequency online transaction processing (OLTP) systems; Relational & NoSQL databases; Cache for in-memory databases (for example, Redis); Data warehousing applications; Distributed file systems
- * this list will evolve over time, please check the AWS website for the latest information

EC2 Instance Types: example

Instance     | vCPU | Mem (GiB) | Storage           | Network Performance | EBS Bandwidth (Mbps)
t2.micro     | 1    | 1         | EBS-Only          | Low to Moderate     |
t2.xlarge    | 4    | 16        | EBS-Only          | Moderate            |
c5d.4xlarge  | 16   | 32        | 1 x 400 NVMe SSD  | Up to 10 Gbps       | 4,750
r5.16xlarge  | 64   | 512       | EBS Only          | 20 Gbps             | 13,600
m5.8xlarge   | 32   | 128       | EBS Only          | 10 Gbps             | 6,800

- t2.micro is part of the AWS free tier (up to 750 hours per month)
- Great website: https://instances.vantage.sh

Introduction to Security Groups
- Security Groups are the fundamentals of network security in AWS
- They control how traffic is allowed into or out of our EC2 Instances.
- (Diagram: inbound traffic from the WWW passes through the Security Group before reaching the EC2 Instance; outbound traffic from the instance passes through it on the way out)
- Security groups only contain allow rules
- Security groups rules can reference by IP or by security group

Security Groups Deeper Dive
- Security groups are acting as a "firewall" on EC2 instances
- They regulate: Access to Ports; Authorised IP ranges – IPv4 and IPv6; Control of inbound network (from other to the instance); Control of outbound network (from the instance to other)

Security Groups Diagram
- (Diagram: Your Computer (IP XX.XX.XX.XX) is authorised on port 22 and reaches the EC2 Instance; another computer is not authorised on port 22 and is filtered out. Security Group 1 filters inbound traffic by IP / Port with its rules, and lets outbound traffic go to any IP on any port.)

Security Groups Good to know
- Can be attached to multiple instances
- Locked down to a region / VPC combination
- Does live "outside" the EC2 – if traffic is blocked the EC2 instance won't see it
- It's good to maintain one separate security group for SSH access
- If your application is not accessible (time out), then it's a security group issue
- If your application gives a "connection refused" error, then it's an application error or it's not launched
- All inbound traffic is blocked by default
- All outbound traffic is authorised by default

Referencing other security groups Diagram
- (Diagram: an EC2 Instance with Security Group 1 attached has inbound rules on port 123 authorising Security Group 1 and authorising Security Group 2. Instances with Security Group 1 or Security Group 2 attached can reach it on port 123; an instance with Security Group 3 attached cannot.)
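As an added example that is not from the course, the Python model below applies the security group semantics from the slides above: rules are allow-only, inbound traffic is denied unless a rule matches, outbound is allowed by the default rule AWS creates on a new group, a rule's source is either a CIDR block or another security group id, and a rule referencing a security group matches any instance that has that group attached. The group ids, CIDRs and ports are constructed for the example; the ids are placeholders, not real AWS resources.

```python
"""Model of EC2 security group evaluation as described on the slides:
allow-only rules, inbound denied by default, outbound allowed by the default
rule, and sources expressed as a CIDR block or as another security group."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", or "-1" (the AWS value for all protocols)
    from_port: int
    to_port: int
    source: str      # CIDR such as "203.0.113.0/24", or a security group id "sg-..."

# AWS creates this outbound rule on every new security group: all traffic, anywhere.
DEFAULT_OUTBOUND = (Rule("-1", 0, 65535, "0.0.0.0/0"),)

@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: Tuple[Rule, ...] = ()            # no inbound rules = everything blocked
    outbound: Tuple[Rule, ...] = DEFAULT_OUTBOUND

def rule_matches(rule, protocol, port, peer_ip=None, peer_groups=()):
    """A rule matches when protocol, port and source (IP range or group) all agree."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # Referencing a group: matches any instance that has that group attached.
        return rule.source in peer_groups
    if peer_ip is None:
        return False
    # Address/network version mismatch (IPv6 peer, IPv4 range) is simply no match.
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)

def allows_inbound(group, protocol, port, peer_ip=None, peer_groups=()):
    """Inbound traffic reaches the instance only if some allow rule matches."""
    return any(rule_matches(r, protocol, port, peer_ip, peer_groups) for r in group.inbound)

def allows_outbound(group, protocol, port, peer_ip=None, peer_groups=()):
    """Outbound traffic leaves only if some allow rule matches (the default rule allows all)."""
    return any(rule_matches(r, protocol, port, peer_ip, peer_groups) for r in group.outbound)

# Constructed example: a web tier open to the world on 80/443, SSH from one admin
# range only, and an app tier reachable on 8080 solely from the web tier's group.
WEB_SG = SecurityGroup("sg-web0001", inbound=(
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.0/24"),
))
APP_SG = SecurityGroup("sg-app0001", inbound=(
    Rule("tcp", 8080, 8080, "sg-web0001"),
))

if __name__ == "__main__":
    print("HTTPS from the internet to web tier:", allows_inbound(WEB_SG, "tcp", 443, "198.51.100.7"))
    print("SSH from the internet to web tier:  ", allows_inbound(WEB_SG, "tcp", 22, "198.51.100.7"))
    print("8080 from web tier to app tier:     ",
          allows_inbound(APP_SG, "tcp", 8080, "10.0.1.5", ("sg-web0001",)))
```

A connection that fails because no inbound rule matches times out rather than being refused, which is the distinction the "Good to know" slide draws: the instance never sees the packet, so a timeout points at the security group while "connection refused" points at the application.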
Classic Ports to know
- 22 = SSH (Secure Shell) - log into a Linux instance
- 21 = FTP (File Transfer Protocol) – upload files into a file share
- 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
- 80 = HTTP – access unsecured websites
- 443 = HTTPS – access secured websites
- 3389 = RDP (Remote Desktop Protocol) – log into a Windows instance

SSH Summary Table
- (Table with columns SSH, Putty and EC2 Instance Connect and rows Mac, Linux, Windows < 10 and Windows >= 10; which tool applies to each OS is listed on the next slide)

Which Lectures to watch
- Mac / Linux: SSH on Mac/Linux lecture
- Windows: Putty Lecture
- If Windows 10: SSH on Windows 10 lecture
- All: EC2 Instance Connect lecture

SSH troubleshooting
- Students have the most problems with SSH
- If things don't work…
  1. Re-watch the lecture. You may have missed something
  2. Read the troubleshooting guide
  3. Try EC2 Instance Connect
- If one method works (SSH, Putty or EC2 Instance Connect) you're good
- If no method works, that's okay, the course won't use SSH much

How to SSH into your EC2 Instance – Linux / Mac OS X
- We'll learn how to SSH into your EC2 instance using Linux / Mac
- SSH is one of the most important functions. It allows you to control a remote machine, all using the command line.
- (Diagram: SSH on Port 22 from the WWW to the EC2 Instance (Linux, Public IP))
- We will see how we can configure OpenSSH ~/.ssh/config to facilitate the SSH into our EC2 instances

How to SSH into your EC2 Instance – Windows
- We'll learn how to SSH into your EC2 instance using Windows
- SSH is one of the most important functions. It allows you to control a remote machine, all using the command line.
- (Diagram: SSH on Port 22 from the WWW to the EC2 Instance (Linux, Public IP))
- We will configure all the required parameters necessary for doing SSH on Windows using the free tool Putty.

EC2 Instance Connect
- Connect to your EC2 instance within your browser
- No need to use your key file that was downloaded
- The "magic" is that a temporary key is uploaded onto EC2 by AWS
- Works only out-of-the-box with Amazon Linux 2
- Need to make sure the port 22 is still opened!

EC2 Instances Purchasing Options
- On-Demand Instances – short workload, predictable pricing, pay by second
- Reserved (1 & 3 years): Reserved Instances – long workloads; Convertible Reserved Instances – long workloads with flexible instances
- Savings Plans (1 & 3 years) – commitment to an amount of usage, long workload
- Spot Instances – short workloads, cheap, can lose instances (less reliable)
- Dedicated Hosts – book an entire physical server, control instance placement
- Dedicated Instances – no other customers will share your hardware
- Capacity Reservations – reserve capacity in a specific AZ for any duration

EC2 On Demand
- Pay for what you use: Linux or Windows - billing per second, after the first minute; All other operating systems - billing per hour
- Has the highest cost but no upfront payment
- No long-term commitment
- Recommended for short-term and un-interrupted workloads, where you can't predict how the application will behave

EC2 Reserved Instances
- Up to 72% discount compared to On-demand
- You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
- Reservation Period – 1 year (+discount) or 3 years (+++discount)
- Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
- Reserved Instance's Scope – Regional or Zonal (reserve capacity in an AZ)
- Recommended for steady-state usage applications (think database)
- You can buy and sell in the Reserved Instance Marketplace
- Convertible Reserved Instance: Can change the EC2 instance type, instance family, OS, scope and tenancy; Up to 66% discount
- Note: the % discounts are different from the video as AWS change them over time – the exact numbers are not needed for the exam. This is just for illustrative purposes :)

EC2 Savings Plans
- Get a discount based on long-term usage (up to 72% - same as RIs)
- Commit to a certain type of usage ($10/hour for 1 or 3 years)
- Usage beyond EC2 Savings Plans is billed at the On-Demand price
- Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
- Flexible across: Instance Size (e.g., m5.xlarge, m5.2xlarge); OS (e.g., Linux, Windows); Tenancy (Host, Dedicated, Default)

EC2 Spot Instances
- Can get a discount of up to 90% compared to On-demand
- Instances that you can "lose" at any point of time if your max price is less than the current spot price
- The MOST cost-efficient instances in AWS
- Useful for workloads that are resilient to failure: Batch jobs; Data analysis; Image processing; Any distributed workloads; Workloads with a flexible start and end time
- Not suitable for critical jobs or databases

EC2 Dedicated Hosts
- A physical server with EC2 instance capacity fully dedicated to your use
- Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
- Purchasing Options: On-demand – pay per second for active Dedicated Host; Reserved - 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
- The most expensive option
- Useful for software that has a complicated licensing model (BYOL – Bring Your Own License)
- Or for companies that have strong regulatory or compliance needs

EC2 Dedicated Instances
- Instances run on hardware that's dedicated to you
- May share hardware with other instances in the same account
- No control over instance placement (can move hardware after Stop / Start)

EC2 Capacity Reservations
- Reserve On-Demand instances capacity in a specific AZ for any duration
- You always have access to EC2 capacity when you need it
- No time commitment (create/cancel anytime), no billing discounts
- Combine with Regional Reserved Instances and Savings Plans to benefit from billing discounts
- You're charged at On-Demand rate whether you run instances or not
- Suitable for short-term, uninterrupted workloads that need to be in a specific AZ

Which purchasing option is right for me?
- On demand: coming and staying in a resort whenever we like, we pay the full price
- Reserved: like planning ahead and if we plan to stay for a long time, we may get a good discount.
- Savings Plans: pay a certain amount per hour for a certain period and stay in any room type (e.g., King, Suite, Sea View, …)
- Spot instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the rooms.
  You can get kicked out at any time
- Dedicated Hosts: We book an entire building of the resort
- Capacity Reservations: you book a room for a period at full price even if you don't stay in it

Price Comparison Example – m4.large – us-east-1

Price Type                             | Price (per hour)
On-Demand                              | $0.10
Spot Instance (Spot Price)             | $0.038 - $0.039 (up to 61% off)
Reserved Instance (1 year)             | $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Instance (3 years)            | $0.043 (No Upfront) - $0.037 (All Upfront)
EC2 Savings Plan (1 year)              | $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Convertible Instance (1 year) | $0.071 (No Upfront) - $0.066 (All Upfront)
Dedicated Host                         | On-Demand Price
Dedicated Host Reservation             | Up to 70% off
Capacity Reservations                  | On-Demand Price

Amazon EC2 – Instance Storage

What's an EBS Volume?
- An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run
- It allows your instances to persist data, even after their termination
- They can only be mounted to one instance at a time (at the CCP level)
- They are bound to a specific availability zone
- Analogy: Think of them as a "network USB stick"
- Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or Magnetic per month

EBS Volume
- It's a network drive (i.e. not a physical drive)
  - It uses the network to communicate with the instance, which means there might be a bit of latency
  - It can be detached from an EC2 instance and attached to another one quickly
- It's locked to an Availability Zone (AZ)
  - An EBS Volume in us-east-1a cannot be attached to us-east-1b
  - To move a volume across, you first need to snapshot it
- Have a provisioned capacity (size in GBs, and IOPS)
  - You get billed for all the provisioned capacity
  - You can increase the capacity of the drive over time

EBS Volume - Example
- (Diagram: five EBS volumes of 10 GB, 100 GB, 50 GB, 50 GB and 10 GB spread across US-EAST-1A and US-EAST-1B, one of them unattached)

EBS – Delete on Termination attribute
- Controls the EBS behaviour when an EC2 instance terminates
- By default, the root EBS volume is deleted (attribute enabled)
- By default, any other attached EBS volume is not deleted (attribute disabled)
- This can be controlled by the AWS console / AWS CLI
- Use case: preserve root volume when instance is terminated

EBS Snapshots
- Make a backup (snapshot) of your EBS volume at a point in time
- Not necessary to detach volume to do snapshot, but recommended
- Can copy snapshots across AZ or Region
- (Diagram: EBS (50 GB) in US-EAST-1A is snapshotted to an EBS Snapshot, which is restored to an EBS (50 GB) in US-EAST-1B)

EBS Snapshots Features
- EBS Snapshot Archive: Move a Snapshot to an "archive tier" that is 75% cheaper; Takes within 24 to 72 hours for restoring the archive
- Recycle Bin for EBS Snapshots: Setup rules to retain deleted snapshots so you can recover them after an accidental deletion; Specify retention (from 1 day to 1 year)
- Fast Snapshot Restore (FSR): Force full initialization of snapshot to have no latency on the first use ($$$)

AMI Overview
- AMI = Amazon Machine Image
- AMI are a customization of an EC2 instance: You add your own software, configuration, operating system, monitoring…; Faster boot / configuration time because all your software is pre-packaged
- AMI are built for a specific region (and can be copied across regions)
- You can launch EC2 instances from: A Public AMI: AWS provided; Your own AMI: you make and maintain them yourself; An AWS Marketplace AMI: an AMI someone else made (and potentially sells)

AMI Process (from an EC2 instance)
- Start an EC2 instance and customize it
- Stop the instance (for data integrity)
- Build an AMI – this will also create EBS snapshots
- Launch instances from other AMIs
- (Diagram: Create AMI from an instance in US-EAST-1A (Custom AMI), then Launch from AMI in US-EAST-1B)

EC2 Instance Store
- EBS volumes are network drives with good but "limited" performance
- If you need a high-performance hardware disk, use EC2 Instance Store
- Better I/O performance
- EC2 Instance Stores lose their storage if they're stopped (ephemeral)
- Good for buffer / cache / scratch data / temporary content
- Risk of data loss if hardware fails
- Backups and Replication are your responsibility
- (Slide: Local EC2 Instance Store – Very high IOPS, with a comparison table)

EBS Volume Types
- EBS Volumes come in 6 types:
  - gp2 / gp3 (SSD): General purpose SSD volume that balances price and performance for a wide variety of workloads
  - io1 / io2 Block Express (SSD): Highest-performance SSD volume for mission-critical low-latency or high-throughput workloads
  - st1 (HDD): Low cost HDD volume designed for frequently accessed, throughput-intensive workloads
  - sc1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads
- EBS Volumes are characterized in Size | Throughput | IOPS (I/O Ops Per Sec)
- When in doubt always consult the AWS documentation – it's good!
- Only gp2/gp3 and io1/io2 Block Express can be used as boot volumes

EBS Volume Types Use cases – General Purpose SSD
- Cost effective storage, low-latency
- System boot volumes, Virtual desktops, Development and test environments
- 1 GiB - 16 TiB
- gp3: Baseline of 3,000 IOPS and throughput of 125 MiB/s; Can increase IOPS up to 16,000 and throughput up to 1000 MiB/s independently
- gp2: Small gp2 volumes can burst IOPS to 3,000; Size of the volume and IOPS are linked, max IOPS is 16,000; 3 IOPS per GB means at 5,334 GB we are at the max IOPS

EBS Volume Types Use cases – Provisioned IOPS (PIOPS) SSD
- Critical business applications with sustained IOPS performance
- Or applications that need more than 16,000 IOPS
- Great for database workloads (sensitive to storage perf and consistency)
- io1 (4 GiB - 16 TiB): Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for other; Can increase PIOPS independently from storage size
- io2 Block Express (4 GiB – 64 TiB): Sub-millisecond latency; Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
- Supports EBS Multi-attach

EBS Volume Types Use cases – Hard Disk Drives (HDD)
- Cannot be a boot volume
- 125 GiB to 16 TiB
- Throughput Optimized HDD (st1): Big Data, Data Warehouses, Log Processing; Max throughput 500 MiB/s – max IOPS 500
- Cold HDD (sc1): For data that is infrequently accessed; Scenarios where lowest cost is important; Max throughput 250 MiB/s – max IOPS 250

EBS – Volume Types Summary
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html#solid-state-drives

EBS Multi-Attach – io1/io2 family
- Attach the same EBS volume to multiple EC2 instances in the same AZ
- Each instance has full read & write permissions to the high-performance volume
- Use case:
  - Achieve higher application availability in clustered Linux applications (ex: Teradata)
  - Applications must manage concurrent write operations
- Up to 16 EC2 Instances at a time
- Must use a file system that's cluster-aware (not XFS, EXT4, etc…)
(Diagram: one io2 volume with Multi-Attach shared by several EC2 instances in Availability Zone 1)

Amazon EFS – Elastic File System
- Managed NFS (network file system) that can be mounted on many EC2
- EFS works with EC2 instances in multi-AZ
- Highly available, scalable, expensive (3x gp2), pay per use
(Diagram: EC2 Instances in us-east-1a, us-east-1b and us-east-1c all mount one EFS FileSystem, which is protected by a Security Group)

Amazon EFS – Elastic File System
- Use cases: content management, web serving, data sharing, Wordpress
- Uses NFSv4.1 protocol
- Uses security group to control access to EFS
- Compatible with Linux based AMI (not Windows)
- Encryption at rest using KMS
- POSIX file system (~Linux) that has a standard file API
- File system scales automatically, pay-per-use, no capacity planning!
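The Delete on Termination attribute from the EBS slides above is easy to get wrong silently: a data volume whose flag was flipped to true disappears with the instance, and a root volume that is deleted by default takes any evidence on it along. The following Python is an added example written for this page, not code from the course; it walks the BlockDeviceMappings in the JSON shape that `aws ec2 describe-instances` returns, reports which volumes are lost at termination, and builds the `--block-device-mappings` argument for `aws ec2 modify-instance-attribute` that keeps the root volume. The instance and volume IDs are constructed.

```python
"""Audit EBS Delete on Termination settings from describe-instances output.

Added example for this page (not from the course slides). Instance and volume
IDs below are constructed; the dictionary shape mirrors
`aws ec2 describe-instances` and the payload shape mirrors what
`aws ec2 modify-instance-attribute --block-device-mappings` accepts.
"""
import json

# Constructed sample: the first instance has the defaults (root deleted, data
# volume kept); on the second, someone flipped the flag on both volumes.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111122223333a",
         "RootDeviceName": "/dev/xvda",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda",
              "Ebs": {"VolumeId": "vol-0a1000000000000a1", "DeleteOnTermination": True}},
             {"DeviceName": "/dev/sdf",
              "Ebs": {"VolumeId": "vol-0a1000000000000a2", "DeleteOnTermination": False}},
         ]},
        {"InstanceId": "i-0bbb111122223333b",
         "RootDeviceName": "/dev/xvda",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda",
              "Ebs": {"VolumeId": "vol-0b2000000000000b1", "DeleteOnTermination": False}},
             {"DeviceName": "/dev/sdf",
              "Ebs": {"VolumeId": "vol-0b2000000000000b2", "DeleteOnTermination": True}},
         ]},
    ]}
]


def volumes_lost_on_termination(reservations):
    """Return (instance_id, device, volume_id, is_root) for every EBS volume
    that is deleted when its instance terminates."""
    lost = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            root = inst.get("RootDeviceName")
            for bdm in inst.get("BlockDeviceMappings", []):
                ebs = bdm.get("Ebs")
                if not ebs:
                    continue  # instance store mappings carry no Ebs block
                if ebs.get("DeleteOnTermination", False):
                    lost.append((inst["InstanceId"], bdm["DeviceName"],
                                 ebs["VolumeId"], bdm["DeviceName"] == root))
    return lost


def data_volumes_at_risk(reservations):
    """Non-root volumes flagged for deletion. The default keeps them, so any
    hit here is usually an unintended data-loss path worth a ticket."""
    return [v for v in volumes_lost_on_termination(reservations) if not v[3]]


def preserve_root_payload(reservations, instance_id):
    """Build the --block-device-mappings JSON that turns the flag off for the
    root device of instance_id (the slide's use case: keep the root volume)."""
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["InstanceId"] == instance_id:
                return [{"DeviceName": inst["RootDeviceName"],
                         "Ebs": {"DeleteOnTermination": False}}]
    raise KeyError(instance_id)


if __name__ == "__main__":
    for item in volumes_lost_on_termination(SAMPLE_RESERVATIONS):
        print("deleted on termination:", item)
    target = "i-0aaa111122223333a"
    print("aws ec2 modify-instance-attribute --instance-id", target,
          "--block-device-mappings",
          json.dumps(preserve_root_payload(SAMPLE_RESERVATIONS, target)))
```

Feed the functions the parsed output of a real `describe-instances` call to audit an account. Keeping the root volume of an instance you are about to terminate is also what makes disk forensics possible after an incident, since a deleted root volume cannot be snapshotted afterwards.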
EFS – Performance & Storage Classes
- EFS Scale
  - 1000s of concurrent NFS clients, 10 GB+ /s throughput
  - Grow to Petabyte-scale network file system, automatically
- Performance Mode (set at EFS creation time)
  - General Purpose (default) – latency-sensitive use cases (web server, CMS, etc…)
  - Max I/O – higher latency, throughput, highly parallel (big data, media processing)
- Throughput Mode
  - Bursting – 1 TB = 50MiB/s + burst of up to 100MiB/s
  - Provisioned – set your throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
  - Elastic – automatically scales throughput up or down based on your workloads
    - Up to 3GiB/s for reads and 1GiB/s for writes
    - Used for unpredictable workloads

EFS – Storage Classes
- Storage Tiers (lifecycle management feature – move file after N days)
  - Standard: for frequently accessed files
  - Infrequent access (EFS-IA): cost to retrieve files, lower price to store.
  - Archive: rarely accessed data (few times each year), 50% cheaper
  - Implement lifecycle policies to move files between storage tiers
- Availability and durability
  - Standard: Multi-AZ, great for prod
  - One Zone: One AZ, great for dev, backup enabled by default, compatible with IA (EFS One Zone-IA)
- Over 90% in cost savings
(Diagram: a Lifecycle Policy moves files in an Amazon EFS File System from EFS Standard to EFS IA after no access for 60 days)

EBS vs EFS – Elastic Block Storage
- EBS volumes…
  - can be attached to one instance (except multi-attach io1/io2)
  - are locked at the Availability Zone (AZ) level
  - gp2: IO increases if the disk size increases
  - gp3 & io1: can increase IO independently
- To migrate an EBS volume across AZ
  - Take a snapshot
  - Restore the snapshot to another AZ
  - EBS backups use IO and you shouldn't run them while your application is handling a lot of traffic
- Root EBS Volumes of instances get deleted by default if the EC2 instance gets terminated. (you can disable that)
(Diagram: an EBS volume in Availability Zone 1 is snapshotted and the EBS Snapshot is restored into Availability Zone 2)

EBS vs EFS – Elastic File System
- Mounting 100s of instances across AZ
- EFS share website files (WordPress)
- Only for Linux Instances (POSIX)
- EFS has a higher price point than EBS
- Can leverage Storage Tiers for cost savings
- Remember: EFS vs EBS vs Instance Store
(Diagram: Linux instances in Availability Zone 1 and Availability Zone 2 reach one EFS file system through a Mount Target in each AZ)

High Availability & Scalability

Scalability & High Availability
- Scalability means that an application / system can handle greater loads by adapting.
- There are two kinds of scalability:
  - Vertical Scalability
  - Horizontal Scalability (= elasticity)
- Scalability is linked but different to High Availability
- Let's deep dive into the distinction, using a call center as an example

Vertical Scalability
- Vertical scalability means increasing the size of the instance
- For example, your application runs on a t2.micro
  - Scaling that application vertically means running it on a t2.large
- Vertical scalability is very common for non distributed systems, such as a database.
- RDS, ElastiCache are services that can scale vertically.
- There's usually a limit to how much you can vertically scale (hardware limit)
(Analogy: a junior operator is replaced by a senior operator)

Horizontal Scalability
- Horizontal Scalability means increasing the number of instances / systems for your application
- Horizontal scaling implies distributed systems.
- This is very common for web applications / modern applications
- It's easy to horizontally scale thanks to cloud offerings such as Amazon EC2
(Analogy: more operators are added to the call center)

High Availability
- High Availability usually goes hand in hand with horizontal scaling
- High availability means running your application / system in at least 2 data centers (== Availability Zones)
- The goal of high availability is to survive a data center loss
- The high availability can be passive (for RDS Multi AZ for example)
- The high availability can be active (for horizontal scaling)
(Analogy: a first building in New York and a second building in San Francisco)

High Availability & Scalability For EC2
- Vertical Scaling: Increase instance size (= scale up / down)
  - From: t2.nano - 0.5G of RAM, 1 vCPU
  - To: u-12tb1.metal – 12.3 TB of RAM, 448 vCPUs
- Horizontal Scaling: Increase number of instances (= scale out / in)
  - Auto Scaling Group
  - Load Balancer
- High Availability: Run instances for the same application across multi AZ
  - Auto Scaling Group multi AZ
  - Load Balancer multi AZ

What is load balancing?
- Load balancers are servers that forward traffic to multiple servers (e.g., EC2 instances) downstream
(Diagram: an Elastic Load Balancer in front of three EC2 Instances)

Why use a load balancer?
- Spread load across multiple downstream instances
- Expose a single point of access (DNS) to your application
- Seamlessly handle failures of downstream instances
- Do regular health checks to your instances
- Provide SSL termination (HTTPS) for your websites
- Enforce stickiness with cookies
- High availability across zones
- Separate public traffic from private traffic

Why use an Elastic Load Balancer?
- An Elastic Load Balancer is a managed load balancer
  - AWS guarantees that it will be working
  - AWS takes care of upgrades, maintenance, high availability
  - AWS provides only a few configuration knobs
- It costs less to setup your own load balancer but it will be a lot more effort on your end
- It is integrated with many AWS offerings / services
  - EC2, EC2 Auto Scaling Groups, Amazon ECS
  - AWS Certificate Manager (ACM), CloudWatch
  - Route 53, AWS WAF, AWS Global Accelerator

Health Checks
- Health Checks are crucial for Load Balancers
- They enable the load balancer to know if instances it forwards traffic to are available to reply to requests
- The health check is done on a port and a route (/health is common)
- If the response is not 200 (OK), then the instance is unhealthy
(Diagram: the Elastic Load Balancer health-checks an EC2 Instance with Protocol: HTTP, Port: 4567, Endpoint: /health)

Types of load balancer on AWS
- AWS has 4 kinds of managed Load Balancers
  - Classic Load Balancer (v1 - old generation) – 2009 – CLB
    - HTTP, HTTPS, TCP, SSL (secure TCP)
  - Application Load Balancer (v2 - new generation) – 2016 – ALB
    - HTTP, HTTPS, WebSocket
  - Network Load Balancer (v2 - new generation) – 2017 – NLB
    - TCP, TLS (secure TCP), UDP
  - Gateway Load Balancer – 2020 – GWLB
    - Operates at layer 3 (Network layer) – IP Protocol
- Overall, it is recommended to use the newer generation load balancers as they provide more features
- Some load balancers can be setup as internal (private) or external (public) ELBs

Load Balancer Security Groups
- Load Balancer Security Group: allow HTTPS / HTTP from anywhere (Users to Load Balancer)
- Application Security Group: allow HTTP traffic only from the Load Balancer (source restricted to the load balancer's security group)
(Diagram: Users -> Load Balancer over HTTPS / HTTP from anywhere; Load Balancer -> EC2 over HTTP, restricted to the load balancer)

Classic Load Balancers (v1)
- Supports TCP (Layer 4), HTTP & HTTPS (Layer 7)
- Health checks are TCP or HTTP based
- Fixed hostname XXX.region.elb.amazonaws.com
(Diagram: Client -> CLB -> EC2, with an internal listener)

Application Load Balancer (v2)
- Application load balancers are Layer 7 (HTTP)
- Load balancing to multiple HTTP applications across machines (target groups)
- Load balancing to multiple applications on the same machine (ex: containers)
- Support for HTTP/2 and WebSocket
- Support redirects (from HTTP to HTTPS for example)

Application Load Balancer (v2)
- Routing tables to different target groups:
  - Routing based on path in URL (example.com/users & example.com/posts)
  - Routing based on hostname in URL (one.example.com & other.example.com)
  - Routing based on Query String, Headers (example.com/users?id=123&order=false)
- ALB are a great fit for micro services & container-based application (example: Docker & Amazon ECS)
- Has a port mapping feature to redirect to a dynamic port in ECS
- In comparison, we'd need multiple Classic Load Balancer per application

Application Load Balancer (v2) – HTTP Based Traffic
(Diagram: an External Application Load Balancer (v2) routes /user to a Target Group for the Users application and /search to a Target Group for the Search application, each with its own HTTP Health Check)
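The Load Balancer Security Groups slide above is the control that makes every later feature (health checks, SSL termination, X-Forwarded-For) trustworthy: the application's security group must admit traffic only from the load balancer's security group, never from a CIDR. The following Python is an added example, not code from the course, that checks this on the JSON shape returned by `aws ec2 describe-security-groups`; the two security groups, their IDs and their rules are constructed for the example.

```python
"""Detect application security-group rules that bypass the load balancer.

Added example for this page (not from the course slides). Group IDs and rules
are constructed; the dictionary shape mirrors `aws ec2 describe-security-groups`.
"""
import ipaddress

LB_SG = "sg-0a1b2c3d4e5f60001"   # constructed: the load balancer's group
APP_SG = "sg-0f1e2d3c4b5a60002"  # constructed: the application instances' group

SAMPLE_GROUPS = [
    {"GroupId": LB_SG, "GroupName": "lb-sg", "IpPermissions": [
        # public entry point: HTTPS and HTTP from anywhere, as the slide shows
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": APP_SG, "GroupName": "app-sg", "IpPermissions": [
        # correct: HTTP only from the load balancer's security group
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": LB_SG}]},
        # drift: port 80 opened to the whole internet, so clients can skip the LB
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        # drift: SSH from an office range; not LB-sourced either
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
]


def _ports(perm):
    """Human-readable port range; protocol -1 means every port and protocol."""
    if perm["IpProtocol"] == "-1":
        return "all"
    return f'{perm["IpProtocol"]}/{perm["FromPort"]}-{perm["ToPort"]}'


def audit_app_ingress(groups, app_sg_id, lb_sg_id):
    """Return (ports, source, severity) for every inbound rule on app_sg_id
    whose source is anything other than lb_sg_id. A /0 CIDR is rated high
    because it exposes the instances directly to the internet."""
    app = next(g for g in groups if g["GroupId"] == app_sg_id)
    findings = []
    for perm in app["IpPermissions"]:
        ports = _ports(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            severity = "high" if ipaddress.ip_network(cidr).prefixlen == 0 else "medium"
            findings.append((ports, cidr, severity))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != lb_sg_id:
                findings.append((ports, pair["GroupId"], "medium"))
    return findings


def lb_only_ingress(groups, app_sg_id, lb_sg_id):
    """True when the application group admits nothing but the load balancer."""
    return not audit_app_ingress(groups, app_sg_id, lb_sg_id)


if __name__ == "__main__":
    for ports, source, severity in audit_app_ingress(SAMPLE_GROUPS, APP_SG, LB_SG):
        print(f"[{severity}] {APP_SG} allows {ports} from {source}, not from {LB_SG}")
```

Run it against the parsed output of `describe-security-groups` for a VPC; an empty result for the application group is the state the slide describes. Rules sourced from another security group (a bastion, for example) show up as medium so a reviewer can decide whether they are intended.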
Application Load Balancer (v2) – Target Groups
- EC2 instances (can be managed by an Auto Scaling Group) – HTTP
- ECS tasks (managed by ECS itself) – HTTP
- Lambda functions – HTTP request is translated into a JSON event
- IP Addresses – must be private IPs
- ALB can route to multiple target groups
- Health checks are at the target group level

Application Load Balancer (v2) – Query Strings/Parameters Routing
(Diagram: requests with ?Platform=Mobile go to Target Group 1 (AWS – EC2 based); requests with ?Platform=Desktop go to Target Group 2 (On-premises – Private IP routing))

Application Load Balancer (v2) – Good to Know
- Fixed hostname (XXX.region.elb.amazonaws.com)
- The application servers don't see the IP of the client directly
  - The true IP of the client is inserted in the header X-Forwarded-For
  - We can also get Port (X-Forwarded-Port) and proto (X-Forwarded-Proto)
(Diagram: the Client (IP 12.34.56.78) connects to the Load Balancer, which terminates the connection and opens its own connection to the EC2 Instance from the load balancer's private IP)

Network Load Balancer (v2)
- Network load balancers (Layer 4) allow to:
  - Forward TCP & UDP traffic to your instances
  - Handle millions of request per seconds
  - Less latency ~100 ms (vs 400 ms for ALB)
- NLB has one static IP per AZ, and supports assigning Elastic IP (helpful for whitelisting specific IP)
- NLB are used for extreme performance, TCP or UDP traffic
- Not included in the AWS free tier

Network Load Balancer (v2) – TCP (Layer 4) Based Traffic
(Diagram: an External Network Load Balancer (v2) forwards TCP traffic, according to rules, to a Target Group for the Users application (TCP health check) and a Target Group for the Search application (HTTP health check))

Network Load Balancer – Target Groups
- EC2 instances
- IP Addresses – must be private IPs
- Application Load Balancer
- Health Checks support the TCP, HTTP and HTTPS Protocols
(Diagram: three Network Load Balancers, each with one Target Group: EC2 Instances (e.g. i-1234567890abcdef0), IP Addresses (e.g. 192.168.1.118, 10.0.4.21), and an Application Load Balancer)

Gateway Load Balancer
- Deploy, scale, and manage a fleet of 3rd party network virtual appliances in AWS
- Example: Firewalls, Intrusion Detection and Prevention Systems, Deep Packet Inspection Systems, payload manipulation, …
- Operates at Layer 3 (Network Layer) – IP Packets
- Combines the following functions:
  - Transparent Network Gateway – single entry/exit for all traffic
  - Load Balancer – distributes traffic to your virtual appliances
- Uses the GENEVE protocol on port 6081
(Diagram: traffic from Users (source) is sent by the Route Table to the Gateway Load Balancer, inspected by the Target Group of 3rd Party Security Virtual Appliances, and then delivered to the Application (destination))

Gateway Load Balancer – Target Groups
- EC2 instances
- IP Addresses – must be private IPs
(Diagram: two Gateway Load Balancers, one with a Target Group of EC2 Instances (e.g. i-1234567890abcdef0) and one with a Target Group of IP Addresses (e.g. 192.168.1.118, 10.0.4.21))

Sticky Sessions (Session Affinity)
- It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer
- This works for Classic Load Balancer, Application Load Balancer, and Network Load Balancer
- For both CLB & ALB, the "cookie" used for stickiness has an expiration date you control
- Use case: make sure the user doesn't lose his session data
- Enabling stickiness may bring imbalance to the load over the backend EC2 instances
(Diagram: Client 1, Client 2 and Client 3 are each always routed to the same one of two EC2 Instances)
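Because the application servers only see the load balancer's private IP, anything that depends on the client address (rate limiting, IP allow-lists, audit logs) must read X-Forwarded-For as the ALB "Good to Know" slide above describes, and read it correctly: the ALB appends the address it accepted the connection from to the end of the header (creating it if absent), so the left-most value is whatever the client chose to send. The following Python is an added example, not code from the course; the header dictionaries are constructed.

```python
"""Recover the real client IP behind an ALB from X-Forwarded-For, safely.

Added example for this page (not from the course slides). The header values
below are constructed. Assumption stated in the lead-in: the ALB appends the
observed client address as the right-most entry of X-Forwarded-For.
"""
import ipaddress

# Constructed headers as the instance receives them from the ALB. In SPOOFED the
# client sent its own X-Forwarded-For to pose as an internal 10.0.0.0/8 address;
# the ALB then appended the address it actually saw (203.0.113.7).
SPOOFED = {"X-Forwarded-For": "10.0.0.5, 203.0.113.7",
           "X-Forwarded-Proto": "http", "X-Forwarded-Port": "80"}
HONEST = {"X-Forwarded-For": "198.51.100.23",
          "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
DIRECT = {}  # no header at all: the request did not arrive through the ALB


def naive_client_ip(headers):
    """The common mistake: trust the first (left-most) address, which the
    client controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else None


def client_ip_from_alb(headers):
    """Use the right-most address, the one the ALB appended, and validate it
    so a malformed value is treated as unknown rather than trusted."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    last = xff.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def is_internal_request(headers, trusted_nets=("10.0.0.0/8",)):
    """An allow-list decision built on the hardened parser (constructed
    trusted range)."""
    ip = client_ip_from_alb(headers)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def wants_https_redirect(headers):
    """X-Forwarded-Proto says whether the client used HTTPS; the instance
    itself only sees the plain HTTP hop from the load balancer."""
    return headers.get("X-Forwarded-Proto", "http").lower() != "https"


if __name__ == "__main__":
    print("naive   :", naive_client_ip(SPOOFED))      # the forged 10.0.0.5
    print("hardened:", client_ip_from_alb(SPOOFED))   # 203.0.113.7
    print("internal?", is_internal_request(SPOOFED))  # False
```

Two caveats a practitioner needs. First, the right-most value is only meaningful when the application's security group accepts traffic solely from the load balancer (the Load Balancer Security Groups slide): a request that reaches the instance directly can carry any X-Forwarded-For it likes, which is why `DIRECT` yields no address instead of a guess. Second, if CloudFront or another proxy sits in front of the ALB, the right-most entry is that proxy's address and one more hop has to be peeled off per trusted proxy.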
Sticky Sessions – Cookie Names
- Application-based Cookies
  - Custom cookie
    - Generated by the target
    - Can include any custom attributes required by the application
    - Cookie name must be specified individually for each target group
    - Don't use AWSALB, AWSALBAPP, or AWSALBTG (reserved for use by the ELB)
  - Application cookie
    - Generated by the load balancer
    - Cookie name is AWSALBAPP
- Duration-based Cookies
  - Cookie generated by the load balancer
  - Cookie name is AWSALB for ALB, AWSELB for CLB

Cross-Zone Load Balancing
- With Cross Zone Load Balancing: each load balancer node distributes evenly across all registered instances in all AZ
- Without Cross Zone Load Balancing: requests are distributed only to the instances in the AZ of the Elastic Load Balancer node
(Diagram: 2 instances in Availability Zone 1 and 8 in Availability Zone 2, with traffic split 50/50 between the two load balancer nodes. With cross-zone load balancing each of the 10 instances receives 10% of the traffic; without it each instance in Availability Zone 1 receives 25% and each instance in Availability Zone 2 receives 6.25%)

Cross-Zone Load Balancing
- Application Load Balancer
  - Enabled by default (can be disabled at the Target Group level)
  - No charges for inter AZ data
- Network Load Balancer & Gateway Load Balancer
  - Disabled by default
  - You pay charges ($) for inter AZ data if enabled
- Classic Load Balancer
  - Disabled by default
  - No charges for inter AZ data if enabled

SSL/TLS - Basics
- An SSL Certificate allows traffic between your clients and your load balancer to be encrypted in transit (in-flight encryption)
- SSL refers to Secure Sockets Layer, used to encrypt connections
- TLS refers to Transport Layer Security, which is a newer version
- Nowadays, TLS certificates are mainly used, but people still refer to them as SSL
- Public SSL certificates are issued by Certificate Authorities (CA)
  - Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…
- SSL certificates have an expiration date (you set) and must be renewed

Load Balancer - SSL Certificates
- The load balancer uses an X.509 certificate (SSL/TLS server certificate)
- You can manage certificates using ACM (AWS Certificate Manager)
- You can alternatively create and upload your own certificates
- HTTPS listener:
  - You must specify a default certificate
  - You can add an optional list of certs to support multiple domains
  - Clients can use SNI (Server Name Indication) to specify the hostname they reach
  - Ability to specify a security policy to support older versions of SSL / TLS (legacy clients)
(Diagram: Users -> Load Balancer over HTTPS (encrypted) over the www; Load Balancer -> EC2 Instance over HTTP over the private VPC)

SSL – Server Name Indication (SNI)
- SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)
- It's a "newer" protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake
- The server will then find the correct certificate, or return the default one
- Note:
  - Only works for ALB & NLB (newer generation), CloudFront
  - Does not work for CLB (older gen)
(Diagram: the Client tells the ALB "I would like www.mycorp.com"; the ALB holds SSL certs for www.mycorp.com and Domain1.example.com, uses the correct cert, and forwards to the target group for www.mycorp.com rather than the one for Domain1.example.com)
Elastic Load Balancers – SSL Certificates
- Classic Load Balancer (v1)
  - Support only one SSL certificate
  - Must use multiple CLB for multiple hostname with multiple SSL certificates
- Application Load Balancer (v2)
  - Supports multiple listeners with multiple SSL certificates
  - Uses Server Name Indication (SNI) to make it work
- Network Load Balancer (v2)
  - Supports multiple listeners with multiple SSL certificates
  - Uses Server Name Indication (SNI) to make it work

Connection Draining
- Feature naming
  - Connection Draining – for CLB
  - Deregistration Delay – for ALB & NLB
- Time to complete "in-flight requests" while the instance is de-registering or unhealthy
- Stops sending new requests to the EC2 instance which is de-registering
- Between 1 to 3600 seconds (default: 300 seconds)
- Can be disabled (set value to 0)
- Set to a low value if your requests are short
(Diagram: the ELB waits for existing connections to the DRAINING EC2 Instance to complete, while new connections are established to all other instances)

What's an Auto Scaling Group?
- In real-life, the load on your websites and application can change
- In the cloud, you can create and get rid of servers very quickly
- The goal of an Auto Scaling Group (ASG) is to:
  - Scale out (add EC2 instances) to match an increased load
  - Scale in (remove EC2 instances) to match a decreased load
  - Ensure we have a minimum and a maximum number of EC2 instances running
  - Automatically register new instances to a load balancer
  - Re-create an EC2 instance in case a previous one is terminated (ex: if unhealthy)
- ASG are free (you only pay for the underlying EC2 instances)

Auto Scaling Group in AWS
(Diagram: an Auto Scaling Group with Minimum Capacity, Desired Capacity and Maximum Capacity, adding EC2 Instances as it scales out as needed)

Auto Scaling Group in AWS With Load Balancer
(Diagram: Users reach an Elastic Load Balancer in front of the EC2 Instances of an Auto Scaling Group; the ELB can check the health of your EC2 instances!)
