Amazon Web Services (AWS)
- Extensive set of cloud services available via the Internet
- On-demand, virtually endless, elastic resources
- Pay-per-use with no up-front costs (with optional commitment)
- Self-serviced and programmable
Elastic Compute Cloud (EC2)
- One of the core services of AWS
- Virtual machines (or instances) as a service
- Dozens of instance types that vary in performance and cost
- Instance is created from an Amazon Machine Image (AMI), which in turn can be created again from instances
Regions and Availability Zones (AZ)
Notes: We will only use Ireland (eu-west-1) region in this workshop. See also A Rare Peek Into The Massive Scale of AWS.
—
Networking in AWS
- Regions and availability zones
- Security groups provide port-level firewalls to instances
- More detailed IP subnetting with Virtual Private Cloud (VPC)
—
Exercise: Launch an EC2 instance
- Log-in to gofore-crew.signin.aws.amazon.com/console
- Switch to Ireland region and go to EC2 dashboard
- Launch a new EC2 instance according instructor guidance
- In “Configure Instance Details”, pass a User Data script under Advanced
- In “Configure Security Group”, use a recognizable, unique name
#!/bin/sh
# When passed as User Data, this script will be run on boot
touch /new_empty_file_we_created.txt
echo "It works!" > /it_works.txt
—
Exercise: SSH into the instance
SSH into the instance (find the IP address in the EC2 console)
# Windows Putty users must convert key to .ppk (see notes)
ssh -i your_ssh_key.pem ubuntu@instance_ip_address
View instance metadata
curl http://169.254.169.254/latest/meta-data/
View your User Data and find the changes your script made
curl http://169.254.169.254/latest/user-data/
ls -la /
Notes: You will have to reduce keyfile permissions chmod og-xrw mykeyfile.pem. If you are on Windows and use Putty, you will have to convert the .pem key to .ppk key using puttygen (Conversions -> Import key -> *.pem file -> Save private key. Now you can use your *.ppk key with Putty: Connection -> SSH -> Auth -> Private key file)
—
Exercise: Security groups
Setup a web server that hosts the id of the instance
mkdir ~/webserver && cd ~/webserver
curl http://169.254.169.254/latest/meta-data/instance-id > index.html
python -m SimpleHTTPServer
Configure the security group of your instance to allow inbound requests to your web server from anywhere. Check that you can access the page with your browser.
—
Exercise: Security groups
Delete the previous rule. Ask a neighbor for the name of their security group, and allow requests to your server from your neighbor’s security group.
Have your neighbor access your web server from his/her instance.
# Private IP address of the web server (this should work)
curl 172.31.???.???:8000
# Public IP address of the web server (how about this one?)
curl 52.??.???.???:8000
—
Speaking of IP addresses, there is also Elastic IP Address. Later on, we will see use cases for this, as well as better alternatives.
Also, notice the monitoring metrics. These come from CloudWatch. Later on, we will create alarms based on the metrics.
—
Elastic Block Store (EBS)
- Block storage service (virtual hard drives) with speed and encryption options
- Disks (or volumes) are attached to EC2 instances
- Snapshots can be taken from volumes
- Alternative to EBS is ephemeral instance store
—
EC2 cost
- Instances are billed every starting instance-hour
- Purchasing options of On-Demand Instances, Reserved Instances, Spot Instances
- Storage costs for volumes, snapshots and images
- Traffic costs (more the further the traffic is towards the Internet)
Identity and Access Management
—
Identity and Access Management (IAM)
- Manage AWS user credentials for Web console and API access
- Fine-grained access policies to services and resources
- Roles allow applications and external services to access resources
- Also Multi-Factor Authentication (MFA) and Security Token Service (STS)
Notes: Always use roles inside instances (do not store credentials there), or something bad might happen.
—
Quiz: Users on many levels
Imagine running a content management system, discussion board or blog web application in EC2. How many different typesof user accounts you might have?
Virtual Private Cloud
—
Virtual Private Cloud (VPC)
- Heavy-weight virtual IP networking for EC2 and RDS instances. Integral part of modern AWS, all instances are launched into VPCs (not true for EC2-classic)
- An AWS root account can have many VPCs, each in a specific region
- Each VPC is divided into subnets, each bound to an availability zone
- Each instance connects to a subnet with a Elastic Network Interface
VPC with Public and Private Subnets
—
Access Control Lists
- Network Access Control List (ACL) provide a second layer of security
- See Comparison of Security Groups and Network ACLs
Auto Scaling
Provisioning capacity as needed
—
- Changing the instance type is vertical scaling (scale up, scale down)
- Adding or removing instances is horizontal scaling (scale out, scale in)
- 1 instance 10 hours = 10 instances 1 hour
—
Auto Scaling instances
- Launch Configuration describes the configuration of the instance. Having a good AMI and bootstrapping is crucial.
- Auto Scaling Group contains instances whose lifecycles are automatically managed by CloudWatch alarms or schedule
- Scaling Plan refers when scaling happens and what triggers it.
—
Scaling Plans
- Maintain current number of instances
- Manual scaling by user interaction or via API
- Scheduled scaling
- Dynamic Auto Scaling. A scaling policy describes how the group scales in or out. You should always have policies for both directions. Policy cooldowns control the rate in which scaling happens.
—
—
Elastic Load Balancer
- Route traffic to an Auto Scaling Group (ASG)
- Runs health checks to instances to decide whether to route traffic to them
- Spread instances over multiple AZs for higher availability
- ELB scales itself. Never use ELB IP address. Pre-warm before flash traffic.
—
Public networking
—
Route 53
- Domain Name System (DNS)
- Manage DNS records of hosted zones
- Round Robin, Weighted Round Robin and Latency-based routing
—
CloudFront
- Content Delivery Network (CDN)
- Replicate static content from S3 to edge locations
- Also supports dynamic and streaming content
Recent Comments