2013 AWS Worldwide Public Sector Summit Washington, D.C.


1 AWS Best Practices. Tim Bixler, Sr. Manager, Federal Solutions Architecture.

2 1. Choose your use case well

3 Choose appropriate use cases
- Dev & Test: spin environments up and down on demand; decouple development and test environments from operations constraints; explore elasticity in a sandboxed environment.
- Backup & DR: take part of your data or business applications step-by-step into non-production DR use; understand cloud dynamics and test during controlled failovers.
- Greenfield project: embody best practice of cloud computing in unconstrained greenfield projects; self-contained web projects, document archiving etc.
- Pain point: move specific service aspects causing undue cost or management burden, e.g. workflows, search indexing, media streaming, document archiving, constrained databases.
Low-hanging fruit can be easiest to pick.


5 Examples: plan evolution & set goals
- PoC: understand services; test performance; architect for scale; build cross-functional team capabilities.
- Production: implement monitoring; change control and management; security management; scalability.
- Automation: automate corrective measures; auto-scaling; zero-downtime deployments; system backup and recovery.
Services that support these stages: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, Amazon CloudWatch, AWS IAM, the APIs and CLI, and Auto Scaling.

6 2. Govern deployments



9-11 Billing settings
- In Billing Preferences, enable CSV reports and programmatic access.
- Consolidated billing: sub-accounts (Dev 1, Dev 2, Test, Production, Internal Systems) roll up to the master account; billing data labeled by source lands in Amazon S3, from where it feeds cost accounting in your favorite package.
- Billing alerts fire when a bill reaches a threshold set per account, e.g. Dev 1 reached $100, Dev 2 reached $250, Test reached $1,000, Prod reached $1,200, Internal reached $400.


13 Govern deployments
- Accounts: create an account structure that makes sense. Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services.
- Billing: control access to billing information; use IAM users to keep billing information in the master account. Consolidate billing into a single account and let one account pick up the bill for multiple sub-accounts. Set up billing alerts and automated bill reporting: get Amazon CloudWatch notifications when billing reaches a threshold, and output CSV reports to Amazon S3 for analysis.
- Access keys: decide upon a key management strategy. Control access to Amazon EC2 instances via SSH and an embedded public key, e.g. one EC2 key pair per group of instances or one per account. A single key pair per account is the simplest to manage, but every holder gets the same access to every instance and revocation becomes an all-or-nothing rotation; per-developer keys keep revocation targeted. Consider SSH key rotation and automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances. Consider bootstrap automation to grant developer access with developer-unique key pairs.
- Groups & roles: use IAM groups to manage console users and API access. Provide developers with an IAM user login and unique API access credentials, and control what IAM users can do by placing them in groups with policies. Assign IAM roles to EC2 instances: let AWS manage API access credentials on running instances by assigning a system entitlement to the instance, e.g. the instance can only read one Amazon S3 bucket.
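The key-rotation step under Access keys (replacing authorized_keys listings on running instances), as an added example that is not code from the deck or from AWS: given the current file contents and the set of developer keys that should be present, it rewrites the file, preserving any per-entry options such as from= restrictions, and reports what was rotated, added and revoked. The file contents, developer names and key material are constructed placeholders, and pushing the result back to the instance (over SSH or via a bootstrap script pulling from Amazon S3) is assumed to happen elsewhere.

```python
"""Rotate per-developer SSH public keys in an authorized_keys file (added example)."""
from typing import Dict, List, NamedTuple, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


class Entry(NamedTuple):
    options: Optional[str]  # e.g. 'from="10.0.0.0/8"', or None when absent
    key_type: str           # e.g. "ssh-ed25519"
    key: str                # base64 key material
    comment: str            # used here as the developer identifier


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one authorized_keys line; blank lines and comments return None.

    Options are everything before the key type. Quoted options containing
    spaces (command="a b") are not handled by this simple split.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            options = " ".join(tokens[:i]) or None
            return Entry(options, tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    return None  # malformed: no key type token


def format_entry(e: Entry) -> str:
    fields = [e.options] if e.options else []
    fields += [e.key_type, e.key]
    if e.comment:
        fields.append(e.comment)
    return " ".join(fields)


def rotate_keys(current: str, desired: Dict[str, Tuple[str, str]]) -> Tuple[str, dict]:
    """Rewrite authorized_keys so it holds exactly the keys in `desired`.

    `desired` maps developer id (the key comment) -> (key_type, key). Entries
    whose comment is not in `desired`, including keys with no comment at all,
    are dropped: that is how a retired shared key or a departed developer
    loses access. Existing options on an entry survive the rotation.
    Returns (new_file_text, report).
    """
    report: Dict[str, List[str]] = {"rotated": [], "unchanged": [], "removed": [], "added": []}
    out: List[str] = []
    seen = set()
    for line in current.splitlines():
        e = parse_entry(line)
        if e is None:
            continue  # comments and blank lines are not carried over
        seen.add(e.comment)
        if e.comment not in desired:
            report["removed"].append(e.comment)
            continue
        new_type, new_key = desired[e.comment]
        bucket = "unchanged" if (e.key_type, e.key) == (new_type, new_key) else "rotated"
        report[bucket].append(e.comment)
        out.append(format_entry(Entry(e.options, new_type, new_key, e.comment)))
    for dev, (key_type, key) in desired.items():
        if dev not in seen:
            report["added"].append(dev)
            out.append(format_entry(Entry(None, key_type, key, dev)))
    return "\n".join(out) + "\n", report


# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# developer keys, rotated quarterly
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EOLDJIM jim
ssh-rsa AAAAB3NzaC1yc2ESHARED deploy-2012
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5BRAD brad
"""

# Constructed rotation set: Jim gets a new key, Brad's is unchanged, Susan is
# new, and the shared deploy key is absent and therefore revoked.
DESIRED_KEYS = {
    "jim": ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5NEWJIM"),
    "brad": ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5BRAD"),
    "susan": ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5SUSAN"),
}

if __name__ == "__main__":
    text, report = rotate_keys(SAMPLE_AUTHORIZED_KEYS, DESIRED_KEYS)
    print(text)
    print(report)
```

Because the desired set is the source of truth, running the same function from a bootstrap script on every instance in a group converges them all on the same authorized_keys, and revoking a developer is a matter of removing one entry from that set.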



16 Identity & access management (diagram)
Within the account, IAM groups (Administrators, Developers) hold the console users (Jim, Brad, Bob, Mark, Susan, Kevin), with multi-factor authentication on their logins; applications (Reporting, Console, Tomcat) run under IAM roles, which carry AWS system entitlements instead of user credentials.

17 IAM policies
- Policy driven: declarative definition of rights for groups.
- Policies control access to AWS APIs, e.g. for a developer group:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*",
            "sns:*"
          ],
          "Resource": "*"
        }
      ]
    }

This statement grants every action on each listed service against every resource in the account (s3:* over all buckets, for example), which fits a developer sandbox account; in a production account, narrow Resource to the ARNs the group actually needs.
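A check for the kind of over-broad statement shown above, as an added example that is not code from the deck or from AWS: it takes a policy document already parsed with json.loads and reports every Allow statement that pairs a wildcard action with Resource "*", rating a bare "*" or a wildcard on IAM/STS/Organizations as critical. Next to the slide's developer-group policy it carries a constructed least-privilege instance-role policy (the "instance can only read one S3 bucket" case) with a hypothetical bucket name, which the check passes.

```python
"""Flag over-broad Allow statements in IAM policy documents (added example)."""
import json
from typing import Any, Dict, List

# The developer-group policy from the slide, as policy JSON.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                 "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed least-privilege policy for an EC2 instance role: list and read
# one bucket only. The bucket name is hypothetical.
INSTANCE_ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-config"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-config/*"},
    ],
}

# A service-wide wildcard on these also hands over control of access itself.
PRIVILEGE_SERVICES = ("iam", "sts", "organizations")


def as_list(value: Any) -> List[Any]:
    """Statement, Action and Resource may be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per Allow statement granting a wildcard action on every resource.

    Allow statements written with NotAction/NotResource are reported too,
    since "everything except X" is broader still and needs the same review.
    """
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        uses_not = "NotAction" in stmt or "NotResource" in stmt
        if not (uses_not or (wildcards and "*" in resources)):
            continue
        critical = uses_not or "*" in wildcards or any(
            a.split(":")[0] in PRIVILEGE_SERVICES for a in wildcards)
        findings.append({
            "statement": index,
            "sid": stmt.get("Sid"),
            "wildcard_actions": wildcards,
            "severity": "critical" if critical else "high",
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("developer group", DEVELOPER_POLICY),
                         ("instance role", INSTANCE_ROLE_POLICY)):
        print(name, json.dumps(find_broad_statements(policy), indent=2))
```

Run over every group and role policy in an account (the policy documents are retrievable through the IAM API), the output is a short list of the statements worth an assessor's attention, which is the kind of on-demand inventory the deck recommends generating from the APIs.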

18 3. Ensure security

19 Shared responsibility
- Customer: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity). Customers implement their own set of controls; multiple customers hold FISMA Low and Moderate ATOs.
- Amazon: foundation services (compute, storage, database, networking) and the AWS global infrastructure (Availability Zones, Regions, edge locations), covered by SOC 1/SSAE 16/ISAE 3402, SOC 2, ISO 27001/2 certification, PCI DSS, NIST-compliant controls, DoD-compliant controls, FedRAMP, and HIPAA and ITAR compliance.

20-22 Leverage the shared security model
- Engage with security assessors early in the adoption cycle. Don't fear assessment: AWS meets high standards (PCI, ISO 27001, SOC 1). As with any infrastructure provider, security assessments take time, so derive value from architecture reviews early in the deployment cycle.
- Use the comprehensive materials and certifications provided by AWS: the risk and compliance paper, the AWS security processes paper, and the CSA Consensus Assessments Initiative Questionnaire.
- Build upon the features of AWS and implement a security-by-design environment.

23 Build upon AWS features
- Tiered access: Security Groups, Amazon VPC and IAM. Control users, and let AWS manage the credentials in running instances for service access (allocation, rotation).
- APIs vs. instance access: provide developer API credentials and control access to SSH keys as two separate decisions.
- Temporary credentials: prefer short-lived credentials, such as those an instance receives through its IAM role, over long-lived keys embedded in instances.
- Instance firewalls: firewall control on instances via Security Groups.
- CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs; generate an on-demand IT inventory, enabled by the programmatic nature of AWS.
- Subnet control: create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs.
- Bastion hosts: only allow management access to production resources from a bastion host, and turn it off when not needed.
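The "audit from scriptable APIs" and "management only via a bastion host" points combined, as an added example that is not code from the deck or from AWS: the check walks security groups in the shape the EC2 DescribeSecurityGroups API returns and reports every rule that exposes an admin port (SSH 22, RDP 3389, or an all-traffic rule) from anything other than the bastion's security group, with the bastion itself flagged only when it is open to the whole internet. The group ids, names and CIDR ranges below are constructed so the check runs offline.

```python
"""Audit EC2 security groups for admin ports reachable other than via the bastion (added example)."""
from typing import Dict, List, Tuple

ADMIN_PORTS = (22, 3389)               # SSH, RDP
PUBLIC_CIDRS = ("0.0.0.0/0", "::/0")


def port_range(perm: Dict) -> Tuple[int, int]:
    """IpProtocol -1 is 'all traffic' and has no FromPort/ToPort: treat as every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def covers_admin_port(perm: Dict) -> bool:
    lo, hi = port_range(perm)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def rule_sources(perm: Dict) -> List[Tuple[str, str]]:
    """Every source of one ingress permission as (kind, value): IPv4/IPv6 CIDRs and peer groups."""
    srcs = [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
    srcs += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    srcs += [("sg", p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])]
    return srcs


def audit_security_groups(groups: List[Dict], bastion_sg_id: str) -> List[Dict]:
    """Return findings for admin-port ingress that bypasses the bastion.

    Rules on non-bastion groups are acceptable only when their source is the
    bastion security group; a public CIDR is 'high', any other CIDR or peer
    group 'medium'. The bastion may be reached directly, but not from
    0.0.0.0/0 or ::/0.
    """
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_admin_port(perm):
                continue
            ports = port_range(perm)
            for kind, src in rule_sources(perm):
                finding = {"group": g["GroupId"], "name": g.get("GroupName"),
                           "ports": ports, "source": src}
                if g["GroupId"] == bastion_sg_id:
                    if src in PUBLIC_CIDRS:
                        finding.update(severity="high",
                                       reason="bastion admin port open to the internet")
                        findings.append(finding)
                    continue
                if kind == "sg" and src == bastion_sg_id:
                    continue  # the intended path: management only via the bastion
                finding.update(severity="high" if src in PUBLIC_CIDRS else "medium",
                               reason="admin port reachable other than via bastion")
                findings.append(finding)
    return findings


# Constructed DescribeSecurityGroups-style input (ids, names and CIDRs are placeholders).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},          # office range only
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                 # public web, fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},    # SSH via bastion, fine
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},               # SSH from anywhere
    {"GroupId": "sg-0legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},  # all traffic
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS, "sg-0bastion"):
        print(f)
```

Feeding it the real API output is the only change needed to run it against an account, and scheduling that run is the cheapest way to notice when someone "temporarily" opens port 22 to the world and forgets to close it.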

24 Build upon AWS features
- AWS CloudHSM: store your cryptographic keys in a dedicated hardware security module, so you can use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
- AWS Direct Connect & VPN: private connections to Amazon VPC; secured access to resources in AWS over software or hardware VPN and dedicated network links.
- Migrate cryptographic applications: use CloudHSM in conjunction with your compatible on-premise HSMs to replicate keys among on-premise HSMs and CloudHSMs.

25 4. Architect to use cloud strengths

26 Architect to use cloud strengths?
- Review application architectures early and assess fit for cloud, e.g. variable capacity requirements, standard technology stacks, reference architectures.
- Can cloud benefits be leveraged with minimum effort outlay? e.g. application performance improvement by migrating static content to Amazon S3/CloudFront.
- Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments.
- Can automation lead to a more agile & secure service? e.g. fully scripted deployments, IAM and EC2 instance roles, rolling deployments.

27-30 Architect to use cloud strengths
- Disposable compute: design systems that can suffer instance loss; dispose of compute when it is not required.
- Flexible capacity: design for systems that potentially scale from zero instances to hundreds; use Auto Scaling (events, schedules etc.) to drive capacity availability.
- Cost-effective & reliable storage: rely on the durability of objects in S3; scale databases with RDS and use DynamoDB for high-throughput NoSQL.
- Automation and control: automate everything from scaling to instance recovery from failure.

31 Bootstrapping custom AMIs
1. Create an instance of your OS choice.
2. Configure the environment.
3. Install software.
4. Create an Amazon Machine Image (AMI) from the instance.
5. Launch fully configured instances from the AMI, whether through auto-scaling, manual deployments or programmatic deployments.

32-34 Bootstrapping with the metadata service
The instance metadata service contains a wealth of information about an instance: ami-id, ami-launch-index, ami-manifest-path, block-device-mapping, hostname, instance-action, instance-id, instance-type, kernel-id, local-hostname, local-ipv4, mac, network, placement, profile, public-hostname, public-ipv4, public-keys, reservation-id.
An AMI (custom or standard machine image) can also receive custom data to drive bootstrapping: scripts in the user-data field are executed on launch, e.g. on Linux

    #!/bin/sh
    # install Apache, enable it at boot, and start it now
    yum -y install httpd
    chkconfig httpd on
    /etc/init.d/httpd start

or, on Windows, a script wrapped in <powershell> ... </powershell> tags. Anything placed in user data is readable by every process on the instance, so keep secrets out of it; give the instance an IAM role and have the script pull protected material from Amazon S3 with that role.
Typical bootstrap tasks:
- Install software, e.g. web server, app server, proxy.
- Pull data and application packages from Amazon S3.
- Publish the instance's metadata to other systems, e.g. monitoring systems.
- Set up the security profile of the instance based upon its intended use, e.g. pull the latest configuration.

35 1. Use Multiple Availability Zones

36 2. Use Amazon RDS with Replicas and Standby

37 3. Use Amazon Auto Scaling groups

38 4. Use Amazon Elastic Load Balancing

39 5. Use Amazon Route53 to host DNS zones

40 Three Services: Better Together Amazon CloudWatch Amazon Auto Scaling Amazon Elastic Load Balancer

41 Architect to use cloud strengths
- Amazon Elastic Load Balancing: use at regional level; combined with Auto Scaling, ELB balances requests and resource capacity across Availability Zones. Within Amazon VPC, use it to load-balance between application tiers within an Availability Zone. Instance migrations: easily move instances from dev environments to test environments by moving them between ELBs.
- Amazon Route 53: leverage the SLA to improve application reliability with Route 53's SLA on requests served. Weighted routing: perform A/B analysis and staged application roll-outs by moving a portion of traffic to new infrastructure. Health checks: DNS health checks and health-based failover. Latency-based routing: route end users to the lowest-latency endpoints.
- Amazon RDS: scale databases without admin overhead; choose the instance size for databases and scale up over time. Add high availability from the management console: create Multi-AZ deployments and read replicas; AWS takes care of the failover and the creation of a new standby in the event of master DB loss.
- Auto Scaling: dynamically scale resources & control costs; only provision the resources that are required, with scale-up and cool-down policies that match demand.

42 5. Be elastic and cost optimized

43 PRICING (Amazon EC2)

44-45 Amazon EC2 pricing options
- On-demand instances: Unix/Linux instances start at $0.02/hour; pay as you go for compute power. Low cost and flexibility: pay only for what you use, with no up-front commitments or long-term contracts. Use cases: applications with short-term, spiky or unpredictable workloads; application development or testing.
- Reserved instances: 1 or 3 year terms; pay a low up-front fee and receive a significant hourly discount. Low cost / predictability: helps ensure compute capacity is available when needed. Use cases: applications with steady-state or predictable usage; applications that require reserved capacity, including disaster recovery.
  - Heavy utilization RI: > 80% utilization, lowers costs by up to 58%. Use cases: databases, large-scale HPC, always-on infrastructure, baseline capacity.
  - Medium utilization RI: 41-79% utilization, lowers costs by up to 49%. Use cases: web applications, many heavy processing tasks running much of the time.
  - Light utilization RI: 15-40% utilization, lowers costs by up to 34%. Use cases: disaster recovery, weekly/monthly reporting, Elastic MapReduce.
- Spot instances: bid on unused Amazon EC2 capacity; the spot price is based on supply and demand and determined automatically. Cost / large-scale, dynamic workload handling. Use cases: applications with flexible start and end times; applications only feasible at very low compute prices.

46 Achieving economies of scale with the AWS spot market (chart: capacity over time, from 0% to 100%, layered as reserved capacity at the base, on-demand above it, and spot on top).

47 COST OPTIMIZE (ELASTIC CAPACITY)

48 Auto Scaling policies
- Manually: send an API call or use the CLI to launch/terminate instances; you only need to specify the capacity change (+/-).
- By schedule: scale up/down based on date and time.
- By policy: scale in response to changing conditions, based on user-configured real-time monitoring and alerts.
- Auto-rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs.

49 Optimizing costs with RIs (chart: instances against hours, layered as heavy utilization RIs at the base, then medium utilization RIs, light utilization RIs, and on-demand instances for the peaks).

50 COST OPTIMIZE (INSTANCE TYPES)

51-53 Instance types
- Start: choose the instance that best meets your basic requirements; match memory & virtual cores.
- Tune: change the instance size up or down based upon monitoring; use Trusted Advisor to assess.
- Scale: run instances across multiple Availability Zones; smaller sizes give greater granularity. Purchase RIs after the application has been tuned and utilization patterns are established.

54 COST OPTIMIZE (SOFTWARE vs. SERVICES)

55 Software vs. services: leverage scalable, on-demand services
Amazon EC2 can run almost anything, but there are cases where there are more cost-effective options. AWS offers many scalable and cost-effective options for common application needs:
- Amazon ELB instead of a software load balancer on Amazon EC2
- Amazon SQS instead of a queue on Amazon EC2

56 Software vs. services: Amazon ELB at $0.025 per hour (DNS -> ELB -> web servers in an Availability Zone) vs. a small Amazon EC2 instance running a software load balancer at $0.06 per hour (DNS -> EC2 instance + software LB -> web servers in an Availability Zone).

57 Software vs. services: Amazon SQS at $0.50 per 1,000,000 requests, i.e. $0.0000005 per request (producer -> SQS queue -> consumers) vs. a small Amazon EC2 instance running queue software at $0.06 per hour (producer -> EC2 instance + software queue -> consumers).

58 Software vs. services
- Software on Amazon EC2. Pros: use custom features. Cons: requires an instance, which is a single point of failure (SPOF) limited to one AZ; DIY administration.
- AWS services (Amazon ELB, Amazon SNS, Amazon SQS, Amazon SES, Amazon SWF, Amazon DynamoDB etc.). Pros: pay as you go, scalability, availability, high performance.

59 SUPPORT

60 Support tiers
- Basic: included.
- Developer: $49/month.
- Business: the greater of $100 or 10% of monthly AWS usage for the first $0-$10K, 7% of usage from $10K-$80K, 5% from $80K-$250K, and 3% from $250K+.
- Enterprise: the greater of $15,000 or 10% of monthly AWS usage for the first $0-$150K, 7% of usage from $150K-$500K, 5% from $500K-$1M, and 3% from $1M+.

61 BOTTOM LINE


63 Cloud computing bottom line
- On-premise infrastructure: 70% of effort goes into managing all of the undifferentiated heavy lifting, 30% into your mission.
- AWS cloud-based infrastructure: 30% goes into configuring your cloud assets, 70% into your mission, i.e. more time to focus on your mission.

64 AWS Best Practices Thank you!