Linux Academy
§ This course will include all knowledge required in order to prepare for the AWS CSA – Pro certification.
§ The course will then move to cover individual services and how cost, design principles, performance, and security apply to each.
§ Finally, this course will focus on scenario-based training and comprehensive application deployments.
§ Due to the complexity and skill set required for the certification, please do not skip any of the training material.
1
12/15/15
§ DO NOT register for the CSA Pro exam until the course is completed and you've completed the best practices for studying listed at the bottom of this course.
Access Control
§ API request authentication
§ Every API request is digitally signed using a cryptographic hash function and the API user's secret access key
§ SSH access to instances
§ Access to Linux instances has password authentication disabled by default and requires the use of an RSA key pair for accessing the instance
§ Unique users
§ IAM allows each AWS user to have a unique setup, API keys, and password policy. This ensures that users do not need to share passwords to access AWS resources and makes it easy to maintain a log trail of who performs certain API calls
§ Multi-factor authentication (MFA)
§ Available for root and IAM users when used with CloudTrail, CloudWatch, and SNS
Access Control
§ Fine-grained permissions for S3 buckets and objects
§ ACLs to grant S3 bucket and object access to specific groups of users within other AWS accounts.
§ IAM is used to grant permissions for bucket or object access to users within the same AWS account
§ Restricted viewer access to private CloudFront content
§ Geo-restriction allows CloudFront to restrict access to requests originating from certain IP addresses
§ Signed URLs create a temporary unique URL that expires at a specific time
§ Temporary IAM security credentials
§ Grant temporary access to users and/or services that do not have normal AWS access. Credentials last from 1 to 12 hours and cannot be reused after expiration
Data Encryption
§ Encrypted data storage
§ The following services allow data to be encrypted: EBS, S3, Glacier, Redshift, SQL Server, and MySQL server
§ Centralized key management
§ AWS Key Management Service provides a management feature for administrating keys for AWS services that utilize encryption at rest
§ Dedicated, hardware-based crypto key storage
§ CloudHSM: higher security on dedicated key storage hardware.
§ Utilize "least privilege" permission design and grant the least amount of privileges required
§ Ensure RDS security groups are locked down and any data not being sent within the same region is utilizing HTTPS endpoints
§ Enable CloudTrail logging in order to log all API calls and the accounts that make them
§ Ensure proper ELB security permissions and take advantage of HTTPS/TLS when encryption is required
§ As we progress on each service we'll have a different look at applying security
§ Elasticity is the ability of an application to expand and contract based off of utilization requirements and needs
§ Increasing AWS resources will result in a proportional increase in performance
§ Is operationally efficient
§ Is resilient
Amazon Glacier
Amazon Glacier, which is used for long-term storage archive purposes, also has the following scalability and elasticity principles:
• Quickly provision additional capacity by adding new EBS volumes
• Resize an existing volume by creating a snapshot and launching a new volume from the snapshot
AWS Import/Export
Import/Export is a service that takes physical storage devices sent to AWS and imports them onto EBS volumes, Glacier storage, or Amazon S3. The service is used to help data migrations from on-premise storage to the cloud. Elasticity and scalability principles of Import/Export include:
• Upload unlimited amounts of data (the only limitation is the physical hardware sent to AWS)
• S3 file sizes can be up to 5 terabytes in size
• Glacier archives are limited to 4 terabytes in size
• Gateway-cached/gateway-stored volume configurations allow for virtually unlimited files stored in Amazon S3
Amazon CloudFront
CloudFront is a Content Delivery Network (CDN) used for distributing cached static files from edge locations around the world. Elasticity and scalability principles of CloudFront include:
• Easily grow the number of items in a CloudFront distribution that are being served by using Amazon S3 as an origin
• AWS edge locations are designed to handle increased connections automatically based off of demand
• CloudFront uses multiple layers of caching on edge locations to reduce the load on origin servers such as EC2 instances. This will allow for accepting a growing number of incoming connections without having to scale backend servers.
• Accepts a virtually unlimited number of servers (EC2 instances or even on-premise servers) writing/reading from a queue at any given time
• Allows for parallel processing of messages due to the ability of accepting read/write requests from an unlimited number of VMs
• Scale I/O performance by increasing the number of IOPS to the database storage
• Scale by specifying the instance size, which will change without downtime if Multi-AZ is enabled
• Utilize read replicas by offloading read-only requests from the primary database to an asynchronously replicated read replica
• Advanced configurations include partitioning or sharding to distribute the workload over multiple database instances
Amazon ElastiCache
ElastiCache is a hosted Memcached or Redis caching engine that allows for an in-memory cache of databases in the cloud. Elasticity and scalability principles of ElastiCache include:
Amazon Redshift
Redshift is a fully managed petabyte-scale data warehouse that integrates with existing business intelligence tools. Elasticity and scalability principles of Redshift include:
• Easily scale the number of nodes within the Redshift service
• Additional nodes can be added to the cluster as read-only while the existing cluster is working
DNS
Domain Name System (DNS) serves as a directory of network hosts and resources. DNS resources can be public or private. Private resources rely only on local internal DNS servers to resolve on the local network only. Public DNS works with the directory of network hosts to provide domains such as linuxacademy.com.

Authoritative name servers are name servers that are responsible for assigning domain names to a specific IP address. Slave/caching name servers only exist to replicate information from authoritative servers and rely on the domain record TTL to determine how often to update the cached name record.

A domain is made up of a hierarchy whose levels are delineated by the "." character. A domain represents a collection of resources that make up a subtree of the DNS name space, i.e. linuxacademy.com. The .com is considered the "top level", linuxacademy.com is considered the root of the domain, and aws.linuxacademy.com is considered a "sub domain" of linuxacademy.com.
DNS
Authoritative name servers contain DNS records which map the domain name to the IP address. Every domain name, internal or public, is mapped to an IP address. A "zone" is a record for which the name server is responsible. Within a zone, resource records exist as the basic information for the domain name system.
A – Address record which is used to map hostnames (domain names) to IPv4 addresses
CNAME – Alias of one name to another (one hostname to another hostname)
AAAA – Address record which is used to map hostnames (domain names) to IPv6 addresses
NS – Name server record which delegates a DNS zone to use the given authoritative name servers
MX – Mail exchange record which maps a domain name to an MTA (message/mail transfer agent)
DNS
Traditional DNS servers include the BIND DNS server and Unbound. However, AWS provides a hosted DNS solution and options to integrate with external DNS servers as part of the VPC. The hosted solution is called Route 53 and is used as an authoritative name server for both public and internal DNS. TTL (Time To Live) can be configured for each resource record within a zone. The TTL specifies how long that specific record should be cached by DNS resolvers.
DNS
Authoritative name servers provide information regarding the mapping of hostnames/domain names to IP addresses. However, your instances need to have access to local DNS servers in order to look up the resource records. In other words, a configuration or service within your environment needs to know how to look up what IP address a hostname should map to. You could also manually configure external DNS servers on each instance. However, configuring this for a VPC is much easier and more scalable. An individual instance can be configured in /etc/resolv.conf, or DNS settings can be configured specifically on the VPC. As part of AWS you can specify a new DNS server rather than using the AWS built-in DNS for lookups. An EC2 instance automatically inherits its /etc/resolv.conf settings from the VPC configuration.

If you want to use Route 53 as an internal DNS provider you must maintain usage of the AWS DNS record in the VPC. By specifying an on-premise DNS server that is connected over VPN to your VPC, you can extend your internal DNS configuration into the cloud and add resource records for your internal EC2 instances. DNS servers that instances utilize inside of a VPC can be specified within the "DHCP options set" within the VPC. The option set must then be associated to the VPC. Only one option set can be associated to a VPC at a time.
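The TTL behaviour described above, as an added example that is not part of the course material: a caching (slave) resolver that serves a record from cache until its TTL elapses, follows CNAME aliases, and only then goes back to the authoritative server. The zone data, addresses and clock are constructed inline so it runs offline.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RecordKey = Tuple[str, str]  # (fully qualified name, record type)


@dataclass
class Record:
    rtype: str   # A, AAAA, CNAME, NS, MX ...
    value: str
    ttl: int     # seconds a resolver may cache this record


class AuthoritativeServer:
    """Holds the zone's resource records: the source of truth for the domain."""

    def __init__(self, records: Dict[RecordKey, Record]):
        self.records = dict(records)
        self.queries = 0  # how often caching resolvers had to come back to us

    def lookup(self, name: str, rtype: str) -> Optional[Record]:
        self.queries += 1
        return self.records.get((name.lower(), rtype))


class CachingResolver:
    """Caching (slave) name server: answers from cache until the TTL elapses,
    then re-queries the authoritative server. Follows CNAME aliases."""

    def __init__(self, upstream: AuthoritativeServer):
        self.upstream = upstream
        self._cache: Dict[RecordKey, Tuple[Record, float]] = {}  # key -> (record, expires_at)

    def _fetch(self, name: str, rtype: str, now: float) -> Optional[Record]:
        key = (name.lower(), rtype)
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                      # still within TTL: serve the cached copy
        rec = self.upstream.lookup(name, rtype)
        if rec is not None:                    # no negative caching in this model
            self._cache[key] = (rec, now + rec.ttl)
        return rec

    def resolve(self, name: str, rtype: str, now: float, _depth: int = 0) -> Optional[str]:
        if _depth > 8:                         # guard against CNAME loops
            return None
        rec = self._fetch(name, rtype, now)
        if rec is not None:
            return rec.value
        if rtype != "CNAME":                   # alias of one hostname to another
            alias = self._fetch(name, "CNAME", now)
            if alias is not None:
                return self.resolve(alias.value, rtype, now, _depth + 1)
        return None


def failover_demo() -> Tuple[Dict[int, Optional[str]], int]:
    """Constructed scenario (hypothetical addresses): the A record for the
    origin changes at t=10s, as it would during a DNS failover. Returns the
    answers a caching resolver gives at t=0, 20 and 301, plus the number of
    queries that reached the authoritative server."""
    auth = AuthoritativeServer({
        ("linuxacademy.com.", "A"): Record("A", "203.0.113.10", ttl=300),
        ("aws.linuxacademy.com.", "CNAME"): Record("CNAME", "linuxacademy.com.", ttl=60),
    })
    resolver = CachingResolver(auth)
    answers: Dict[int, Optional[str]] = {}
    answers[0] = resolver.resolve("aws.linuxacademy.com.", "A", now=0)
    # Failover at t=10: the authoritative record now points at the backup site.
    auth.records[("linuxacademy.com.", "A")] = Record("A", "198.51.100.20", ttl=300)
    answers[20] = resolver.resolve("aws.linuxacademy.com.", "A", now=20)    # stale: TTL 300 not elapsed
    answers[301] = resolver.resolve("aws.linuxacademy.com.", "A", now=301)  # refreshed: new address
    return answers, auth.queries


if __name__ == "__main__":
    print(failover_demo())
```

The stale answer at t=20 is why records meant for failover are given short TTLs and why the backup environment's DNS is allocated ahead of time.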
Load Balancing
Load balancing is the process of distributing workloads across computing resources such as EC2 instances, VMs, or physical servers. Load balancing can be used in multi-tier application environments to serve internal data to multiple computing resources. Within AWS the EC2 Elastic Load Balancer is used to distribute workloads across EC2 instances. It uses "round robin" load balancing.

Stickiness, when applied to a load balancer, determines if an existing session (cookie based or ELB based) is to go back to the specific instance it was on. Stateless web servers where sessions are managed by databases (DynamoDB is a good example) do not require this. Stickiness also has performance issues when scaling.
Load Balancing
To reduce CPU usage and additional configuration, SSL/TLS certificates should always be configured on the Elastic Load Balancer. This way any instance associated with the ELB can utilize the SSL/TLS certificate over port 443.
To extend an on-premise network to the cloud, a VPG/VPN needs to be configured to an on-premise router such as Cisco. You also have the option of using AWS Direct Connect for a more secure and efficient connection.
State Management
Maintaining the "state" of an application can be very important. For example, when a user arrives at your website and a session is created on an instance, is that session associated with the instance?
• Stickiness
• Database sessions
• DynamoDB (popular solution for managing sessions for applications to maintain session state)
State Management
Maintaining the "state" and monitoring changes in your environment is also important.
• AWS Config
• AWS CloudTrail
Replication
Replication considerations
• Distance between locations
• Available bandwidth
• Data rate required by the application
• Replication technology
• Asynchronous replication - Data is transferred as network performance and availability allow. If throughput is down then replication will wait.
Self-Healing
Many different ways to create self-healing application architectures:
• Utilize SQS
• Utilize CloudWatch and assign a "terminate" function to instances that have failed status checks
• Utilize Auto Scaling, which will automatically start new instances
• Use cloud-init to bootstrap new instances to easily assign "roles" or job "functions" to instances
SQS Self-Healing
When using SQS to decouple your application architecture, each component is operated on its own. This means each component can operate without relying on the previous component or the following component.
• Utilize multiple availability zones and the ELB to serve traffic to the instances
• Utilize Auto Scaling and CloudWatch alarms to terminate instances that have failed status checks
• Utilize EBS volumes and snapshots for backups and redundancy
Note: AWS releases new services almost quarterly. Please make sure to review the FAQ for each service as part of the study prep. As we go through the required services for AWS Pro we will discuss more about design for fault tolerance. However, this should already be familiar from the CSA Associate exam.
RPO (Recovery Point Objective) – The acceptable amount of data that can be lost due to failure, as measured in time.
Amazon EC2
• Copy AMIs to different AWS regions, which can be spun up in the event of a disaster
• Use multiple availability zones to design for fault tolerance and failure
• Route 53 to fail over to backup environments in another region
Route 53
• Can be used to fail over from on-premise to AWS or from one AWS region to another
• Failover routing and weighted routing (for migrating applications)
• Allocate DNS ahead of time to prepare for potential failover
Elastic Load Balancer
• Pre-allocate the load balancer for the backup environment to receive the CNAME (DNS name); this allows for setting up Route 53 record sets in anticipation of a failover/disaster recovery situation
VPC
• Configure VPN or Direct Connect to extend your on-premise network to the cloud to allow for seamless and secure failover of applications, including internal applications that might be available to the intranet only
Direct Connect
• Consider using for extremely large workloads that rely on reduced latency and increased bandwidth throughput
• VPN to secure Direct Connect data
RDS
• AWS to AWS failover by creating snapshots and copying them to another region
• Create a read replica in another region that can be promoted in the event of a disaster (when promoting you need to enable Multi-AZ as well as backups, and a read replica cannot be promoted unless auto backup is enabled)
DynamoDB
• AWS to AWS disaster recovery with DynamoDB
• Ability to copy data to S3 or replicate it to another region (replication is now built into the DynamoDB service). However, using Data Pipeline, which starts an EMR cluster to copy data, is still a widely used method.
• Easily scale up your backup region within minutes by an API call to increase throughput (the Developer course focuses on throughput).
Amazon Redshift
• Redshift snapshots can be copied to other regions.
CloudFormation
• Build a template of your environment that can be used in multiple regions and only requires inputs such as region-specific AMI IDs, IP addresses, or hostnames. Allows for quick deployment, version control of your backup infrastructure, and a backup of your backup!
OpsWorks
• When combined with CloudFormation, the ability to easily deploy new stacks in additional regions is available.
Basic Principles:
1. Replicate data from on-premise to EC2
2. Update packages on AWS to ensure all software configurations are in place
3. Maintain proper AMIs with updated configurations
4. Test on a regular basis
5. Use CloudFormation or scripts to automate the recovery process
AWS to AWS multi-region failover and disaster recovery – Copy snapshots of EBS/RDS/Redshift to another region, utilize read replicas, and use Route 53 for easy failover to design cross-region disaster recovery.
• To integrate with legacy on-premise applications, create a hybrid cloud by configuring a VPN tunnel to the on-premise location
• Write a web wrapper around the legacy application which exposes a developer API to the new application. Utilize SQS queues to glue the application together (this is a hybrid environment). Consider this only if the application is running externally and not internally only. Use a VPN tunnel if internal only.
Software VPN
• Useful if you have to manage both ends of the VPN software for compliance reasons
• Useful if you have a gateway device that is not currently supported by AWS VPN/VPG
• Single point of failure (OpenVPN)
Note: With VPNs you need to be sure to use different CIDR blocks on-premise/AWS as they cannot overlap
AWS OpsWorks
• Write custom Chef recipes, utilizes self-healing, and works with layers
AWS CloudFormation
• Version control the infrastructure and make deploying out environments easy and repeatable
In this section we are going to describe strategies for managing this account information, budget information, and managing application-level budgeting.
Solution:
• Add each customer account as a "consolidated billing" account
• Big Cloud Jumbo Corp will be responsible for all billing
• Bulk/volume discounts will span across all accounts
• AWS combines the usage from ALL accounts to determine which volume pricing tiers to apply, giving a lower overall price whenever possible. This will either provide a source of profit margin or a cost savings for Big Cloud Jumbo Corp customers
Important note: AWS limits work on the account level only, and AWS support is per account only
Pros:
• Volume benefits on services that allow it
• Ability to view costs based off of tagged resources as well as accounts
• Easier architecture visibility and configuration
• Use roles for IAM account simplicity across multiple AWS linked accounts
Cons:
• Requires strict and sometimes complex tagging across accounts
Pros:
• Simple billing and insights into the environment
• Easy governance
Cons:
• Requires more complex setups for resource-level permissions
• Requires more complex setups with multiple VPCs
• Like "volume discounts", reserved instances will work across all accounts that are connected to consolidated billing
• Since billing is at the payee level, consolidated billing does not care which account purchases or uses a reserved instance.
• This is a consideration if BCJC wants to host customer accounts as part of their consolidated billing
Budgets
• Budgets are used to track how close your current costs are to exceeding the set "budget" for a given billing period.
• Budgets can be compared against AWS "estimated" costs to see how much budget is left over
• Budgets can work with SNS/CloudWatch for billing alerts to receive notifications if you have gone over your designated budget or even if you are "close" to going over
Diagram: User/Group calls STS AssumeRole, receives the Role, and uses it to reach the Service
1. Create the role with "stop/start" only permissions in both the dev/test accounts, named "manager"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441397689000",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
3. Add permissions for the IAM user to "sts:AssumeRole" on the role ARNs for the Dev/Test accounts
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441393420000",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id-for-dev:role/manager"
      ]
    }
  ]
}
Note: Duplicate the policy statement to add another ARN (one ARN per policy statement), or use * for "all" ARNs, but this opens security issues and does not use the least privilege security strategy
Notes:
• The IAM accounts for the developer on the dev account only need a permissions policy to "AssumeRole" on the production role ARN
• Once they assume the role in the production account, the permission policies associated with the role inside of production are what determine the permissions for the developers who assume the role
• This is a great method for granting read-only access to an auditor when you have multiple AWS accounts
• The third-party cross-account role option will require the "external" account ID
• Roles use STS permissions to assume a role, and each role has a temporary unique security access key and secret access key associated with it when assumed
• The endpoint is https://sts.amazonaws.com.
• Roles are one of the configurations utilized with STS to gain temporary security credentials
• Temporary credentials require the "token" as well as the access key and secret access key in order to make API calls
• IAM users can temporarily switch to a role to use the permissions of the role
• Mobile applications: You have a mobile application which needs access to DynamoDB tables. Do not embed IAM credentials in the application; instead use roles that allow a web identity federated user to assume a role that allows access to the DynamoDB table by providing temporary credentials. Again, the SDK will use those credentials automatically.
• Pre-built services such as Active Directory need to work with SAML 2.0, or a custom identity broker will need to be created
• Federation allows an identity provider to enable single sign-on so users can log in to the AWS Management Console or use the AWS APIs
1. On the identity provider, register AWS as a service provider using the SAML metadata located at https://signin.aws.amazon.com/static/saml-metadata.xml
2. With the identity provider, generate the proper metadata XML file which describes the identity provider to AWS
3. Upload the XML document from step 2 into IAM when "creating a SAML Identity" provider
4. Create one or more roles and, as part of the role's trust policy, set the SAML provider as the principal; the permissions policy establishes which users from your identity provider are able to perform what tasks
5. Use "assertions" to map which users/groups will map to which AWS roles
6. Call the AssumeRoleWithSAML API and pass the role's ARN to be assumed and the SAML assertion about the current authenticated user from the identity provider
7. If successful, the API will return a set of API access keys and a session token
1. The "web-based" login portal is not part of AWS but rather provided by the identity provider (ADFS)
2. The portal verifies credentials on your organization's AD
3. Once verified, the portal generates a SAML authentication response that includes assertions which identify the user and include information about the user, and sends the response to the browser
4. Once the response is received, the client's browser is redirected to the AWS single sign-on endpoint and posts the SAML assertion (https://signin.aws.amazon.com/saml), which is a URL generated in IAM. The endpoint calls the AssumeRoleWithSAML API to request temporary credentials from STS and creates a sign-in URL that uses those temporary credentials
5. AWS sends the role sign-on URL back to the client browser with a "redirect"
• Roles which are configured to work with SAML will have a "saml:group": "groupname"
Problem: What if your identity provider does not support SAML 2.0?
Solution: Write a custom identity broker application
• Uses the AssumeRole or GetFederationToken API calls to gain temporary access credentials
• The identity broker application has permission to access STS to create temporary credentials
• The identity broker application verifies the on-premise employees within the existing auth system
• Users are able to get a temporary URL or API keys to access AWS
Diagram: employee identities in the corporate data center authenticate to the Custom ID Broker, which obtains temporary credentials from STS and hands the user to the AWS Management Console
• Once a user authenticates, you can allow the authenticated user access to STS to gain temporary role-based access to an AWS service such as DynamoDB
• The app should cache the STS credentials until they are expired so only one call is made each time the user logs in; by default the credentials are good for one hour but this can be changed in the request
• AssumeRoleWithWebIdentity is the API call used when using Web Identity federation
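The credential caching the bullets above call for, as an added example (not course code): one STS call per login, the returned access key, secret key and session token reused until shortly before expiry. STS is replaced by an inline stand-in so the code runs offline; the real call is boto3's sts.assume_role_with_web_identity, and the role ARN is a placeholder.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str   # the "token" that must accompany the key pair on every API call
    expiration: float    # absolute time in seconds


class FakeSts:
    """Stand-in for STS (constructed for this example). The real call is
    boto3's sts.assume_role_with_web_identity, which returns the same fields."""

    DEFAULT_DURATION = 3600  # credentials are good for one hour by default

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self.calls = 0

    def assume_role_with_web_identity(self, role_arn: str, web_identity_token: str,
                                      duration_seconds: Optional[int] = None) -> TemporaryCredentials:
        self.calls += 1
        ttl = duration_seconds or self.DEFAULT_DURATION
        n = self.calls
        return TemporaryCredentials(
            access_key_id=f"ASIAEXAMPLE{n:04d}",      # placeholder values, not real keys
            secret_access_key=f"example-secret-{n}",
            session_token=f"example-token-{n}",
            expiration=self._clock() + ttl,
        )


class CredentialCache:
    """Keeps one set of temporary credentials per signed-in user and only calls
    STS again once they are (about to be) expired."""

    def __init__(self, sts: FakeSts, clock: Callable[[], float], refresh_margin: int = 60):
        self._sts = sts
        self._clock = clock
        self._margin = refresh_margin   # refresh slightly early so in-flight calls do not fail
        self._cache: Dict[str, TemporaryCredentials] = {}

    def get(self, user_id: str, role_arn: str, web_identity_token: str,
            duration_seconds: Optional[int] = None) -> TemporaryCredentials:
        creds = self._cache.get(user_id)
        if creds is None or creds.expiration - self._margin <= self._clock():
            creds = self._sts.assume_role_with_web_identity(role_arn, web_identity_token, duration_seconds)
            self._cache[user_id] = creds
        return creds

    def forget(self, user_id: str) -> None:
        """Drop cached credentials, e.g. when the user logs out."""
        self._cache.pop(user_id, None)


def demo() -> Dict[str, object]:
    """Drive the cache with a controllable clock. Hypothetical role ARN."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    sts = FakeSts(clock)
    cache = CredentialCache(sts, clock)
    role = "arn:aws:iam::123456789012:role/mobile-dynamodb-reader"   # placeholder account id
    first = cache.get("user-1", role, "example-web-identity-token")
    now[0] = 100.0
    second = cache.get("user-1", role, "example-web-identity-token")  # served from cache
    now[0] = 3541.0                                                   # within 60s of expiry
    third = cache.get("user-1", role, "example-web-identity-token")   # refreshed
    return {
        "sts_calls": sts.calls,
        "reused_before_expiry": first == second,
        "rotated_near_expiry": third.session_token != first.session_token,
        "token_required": all(c.session_token for c in (first, second, third)),
    }


if __name__ == "__main__":
    print(demo())
```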
Compliance Aid
• Compliance requirements for source and logs of changes to environments
• PCI/HIPAA compliance etc.
CloudTrail Concepts
Once configured, CloudTrail logs all API events and delivers the log to an S3 bucket. CloudTrail log files from different regions can be sent to the same S3 bucket. CloudTrail can integrate into SNS, CloudWatch, and CloudWatch Logs to send notifications when specific API events occur.
Integrate with lifecycle policies to store for industry-standard time frames
• HIPAA and PCI compliance are examples of requiring 6 years of log storage
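The "notify when specific API events occur" idea above, as an added example that is not part of the course: parse a CloudTrail log file in its delivery format and raise alerts for calls that disable the trail itself, destructive EC2 calls, and AccessDenied errors. The log file, account id, user names and addresses are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# (eventSource, eventName) pairs that should raise a notification, with a
# severity label. StopLogging/DeleteTrail blind the audit trail itself;
# TerminateInstances is destructive. Extend the table for your environment.
WATCHED_EVENTS: Dict[Tuple[str, str], str] = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "HIGH",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "HIGH",
    ("ec2.amazonaws.com", "TerminateInstances"): "MEDIUM",
}

# Constructed sample log file in CloudTrail's delivery format ({"Records": [...]}).
# Account id, instance id, trail name and addresses are placeholders, not real values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-12-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                      "arn": "arn:aws:iam::111111111111:user/dev-alice"}},
    {"eventTime": "2015-12-15T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                      "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example1234567890"}]}}},
    {"eventTime": "2015-12-15T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-bob",
                      "arn": "arn:aws:iam::111111111111:user/contractor-bob"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2015-12-15T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-bob",
                      "arn": "arn:aws:iam::111111111111:user/contractor-bob"}},
]})


def load_records(log_text: str) -> List[dict]:
    """Parse one CloudTrail log file (the JSON object CloudTrail writes to S3)."""
    return json.loads(log_text).get("Records", [])


def actor(record: dict) -> str:
    """Who made the call: the ARN when present, else the user name or identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def detect(records: List[dict]) -> List[Dict[str, str]]:
    """Return one alert per record that matches WATCHED_EVENTS or that was
    rejected with AccessDenied (a useful low-severity signal of probing)."""
    alerts = []
    for rec in records:
        severity = WATCHED_EVENTS.get((rec.get("eventSource"), rec.get("eventName")))
        if severity is None and rec.get("errorCode") == "AccessDenied":
            severity = "LOW"
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "event": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "actor": actor(rec),
            "source_ip": rec.get("sourceIPAddress", ""),
            "time": rec.get("eventTime", ""),
            "params": json.dumps(rec.get("requestParameters", {}), sort_keys=True),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG)):
        print(alert)
```

In a deployment the same function would run on each file CloudTrail delivers to the S3 bucket (or on CloudWatch Logs events) and publish the alert list to SNS.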
AWS KMS
Key Management Service is a region-specific hosted service that makes it easy to create and control encryption keys on AWS which are used to encrypt data. KMS uses Hardware Security Modules (HSMs) to protect the security and integrity of keys. KMS not only integrates with other AWS services to automatically manage keys for protection but also allows you to generate and store your own keys within KMS.
AWS KMS
Customer Master Key (CMK) – A logical key that represents the top of a customer's key hierarchy and is also assigned an alias (which can be used in place of the key ID) and an ARN (which includes the unique key ID)
• If another key is not specified then by default the CMK is used to encrypt the resources.
• CMK settings cannot be modified
• IAM permission can be granted to IAM users to "administrate" a key.
• Key policies can be created which state the users that can use the key
• The ciphertext includes information about what key was used to encrypt the data
• Additional AWS accounts can be granted access to use a key
AWS KMS – Use your own keys but store them on KMS
You can use a CMK to encrypt a key of your own creation. That key can be stored on AWS and doesn't have to be stored in a local environment. The key will be secure and can be accessed programmatically using the API. Decrypt the additional key for usage.
Benefits:
• Secure storage
• Central location and easy audit trail
• Easy key rotation
• To decrypt data, KMS will determine which key (the old or new) the data was encrypted with and will automatically decrypt it with that correct CMK.
• To start fresh, change the CMK that your data encryption tool points to.
Access control - Access to keys is protected using existing policies in IAM.
Low latency and high throughput - KMS will provide cryptographic operations at throughput suitable for use by other AWS services.
Kinesis dashboards can be created using the AWS-provided SDKs; you can create real-time dashboards, integrate dynamic pricing strategies, and also export data from Kinesis to other AWS services for storage, including EMR, S3, Redshift, and Lambda.
Parallel processing – Multiple Kinesis applications can be processing the same incoming data stream concurrently
Durable – Kinesis synchronously replicates the streaming data across three data centers within a single AWS region and preserves the data for up to 24 hours
Scales – Can stream from as little as a few megabytes to several terabytes per hour
Real-time analytics – Collect IoT (sensor) data from many sources at high frequency and process it using Kinesis to gain insights as data arrives in your environment
Application alerts – Build a Kinesis application that monitors incoming application logs in real time and triggers events based off of the data
Log / event data collection - Log data from any number of devices and use a Kinesis application to continuously process the incoming data, power real-time dashboards, and store the data in S3 when completed
Mobile data capture - Mobile applications can push data to Kinesis from a countless number of devices, which makes the data available as soon as it is produced.
Create a stream
Build producers to continuously input data into the stream
• Sensors
• Mobile devices
• Literally thousands of different inputs (more shards is how you scale)
Diagram: IoT sensors feed Amazon Kinesis; a Kinesis-enabled app fans the stream out to Amazon CloudSearch, Amazon SNS, Amazon Redshift and a real-time dashboard
How can we add additional layers of protection to those resources?
Methods:
• Explicit deny on the "action/api" permissions not allowed on the tagged resource
• Grant allow on the "action/api" permissions allowed on the tagged resource
"Action": [
  "ec2:StartInstances",
  "ec2:StopInstances",
  "ec2:RebootInstances",
  "ec2:TerminateInstances"
],
Specify the condition that must hold for this specific policy declaration to be enforced
"Condition": {
  "StringEquals": {
    "ec2:ResourceTag/env": "production"
  }
}
Specify the resource type that the policy should apply on
"Resource": [
  "arn:aws:ec2:region:aws-account-number:instance/*"
],
• Add an IpAddress condition which specifies that the request should come from a specific IP address or CIDR block range
Scenario: How could we prevent developers who need access to terminate development instances from terminating production instances?
Hands-on example
Study Note: Remember not all "actions" are supported on resource-level permissions. Because of this it is easier to use "deny" permissions, such as deny starting, stopping, terminating instances that have a production resource tag.
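The tag-based deny, the IpAddress condition and the cross-account AssumeRole policy (from the "manager" role section earlier) worked through in one place, as an added example that is not course code: a small evaluator for the subset of IAM semantics those slides rely on (explicit deny beats allow, implicit deny otherwise, StringEquals and IpAddress operators), plus a check for the "* for all ARNs" shortcut the earlier note warns against. Account ids, role names and addresses are constructed placeholders.

```python
import fnmatch
import ipaddress
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def condition_matches(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Evaluate the two operators the slides use. A key missing from the request
    context fails the test, so an untagged instance does not match ec2:ResourceTag/env."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = _as_list(expected)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "IpAddress":
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policies: List[dict], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Simplified IAM decision: an explicit Deny wins over any Allow, and with
    no matching statement the result is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if not condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def overly_broad_statements(policy: dict) -> List[str]:
    """Sids of Allow statements whose Resource is '*': one ARN per statement is
    the least-privilege form the earlier note recommends."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy["Statement"]
            if stmt["Effect"] == "Allow" and "*" in _as_list(stmt.get("Resource", []))]


# Constructed developer policy; the account ids are placeholders.
EC2_LIFECYCLE = ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"]
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowLifecycleOnAnyInstance", "Effect": "Allow", "Action": EC2_LIFECYCLE,
     "Resource": ["arn:aws:ec2:us-east-1:111111111111:instance/*"]},
    {"Sid": "DenyLifecycleOnProduction", "Effect": "Deny", "Action": EC2_LIFECYCLE,
     "Resource": ["arn:aws:ec2:us-east-1:111111111111:instance/*"],
     "Condition": {"StringEquals": {"ec2:ResourceTag/env": "production"}}},
    {"Sid": "AssumeManagerFromOffice", "Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::222222222222:role/manager"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}


def demo() -> Dict[str, str]:
    """The slide's scenario: dev instances may be terminated, production may not."""
    inst = "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"
    role = "arn:aws:iam::222222222222:role/manager"
    return {
        "terminate_dev": evaluate([DEV_POLICY], "ec2:TerminateInstances", inst,
                                  {"ec2:ResourceTag/env": "dev"}),
        "terminate_prod": evaluate([DEV_POLICY], "ec2:TerminateInstances", inst,
                                   {"ec2:ResourceTag/env": "production"}),
        "terminate_untagged": evaluate([DEV_POLICY], "ec2:TerminateInstances", inst, {}),
        "assume_from_office": evaluate([DEV_POLICY], "sts:AssumeRole", role,
                                       {"aws:SourceIp": "203.0.113.77"}),
        "assume_from_elsewhere": evaluate([DEV_POLICY], "sts:AssumeRole", role,
                                          {"aws:SourceIp": "198.51.100.9"}),
        "assume_other_role": evaluate([DEV_POLICY], "sts:AssumeRole",
                                      "arn:aws:iam::222222222222:role/admin",
                                      {"aws:SourceIp": "203.0.113.77"}),
    }


if __name__ == "__main__":
    print(demo())
    print(overly_broad_statements(DEV_POLICY))
```

Note the "terminate_untagged" result: a deny keyed on a tag protects nothing that is missing the tag, so tagging discipline is part of the control.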
• Part of designing properly is ensuring your resources are closest to their end users
Procedure:
• Snapshot volumes and use the snapshot copy feature to copy the snapshot to another region, then launch the volume from the snapshot
• Use the copy AMI feature to copy the AMI from the current region to the destination region
Diagram: database replication between DB instances across regions
EBS Backed AMIs: EBS backed AMIs can be backed up in one of two ways
1. EBS volume snapshots: Depending on the workload, suspension of I/O might be required. An AMI can be created from a "root" EBS volume
2. AMIs: An AMI will create a snapshot of the attached EBS volumes if configured correctly, and the volumes will be restored upon launching the AMI
https://aws.amazon.com/ec2/instance-types/
What about applications that are dev/test/staging environments that do not frequently run large amounts of data? How can we reduce costs but still have the required performance?
Burstable instances are perfect for workloads that do not use the full CPU often but occasionally need to burst.
• Web facing servers do not have a public IP address but receive traffic from a public load balancer
• Use a NAT instance to upload the videos to the external location
[Diagram: WEB and APP instances in two subnets, each subnet with a NAT instance]
• Add a public subnet layer to the ELB and enable auto scaling to assign public IP addresses so each instance can send the traffic rather than going through the NAT instance
• You can also create multiple NAT instances and assign one to each subnet, but this also begins creating HA issues
Configuration | Issues / Benefits
RAID 0 | Use when you need more I/O performance – performance of the stripe is limited to the worst performing volume – does not provide redundancy

RAID: Scenario
Problem: BCJC has an application with a need for 120,000 IOPS of write performance. However, EBS volumes can only provision a maximum of up to 20,000 IOPS each. How would you solve this situation?
Solution: Stripe multiple EBS volumes together with RAID! For example, you can create a RAID 0 configuration from 6 volumes of 20,000 IOPS each for 120,000 IOPS. Keep in mind your limitation will be bandwidth, so EBS optimized and/or network optimized instances might be required.
Consider using RAID for storage services (NFS/CIFS) on AWS if S3 is not an acceptable solution.
[Diagram: six striped EBS volumes on a storage instance in AZ 1, with DRBD replication to a storage instance in AZ 2]
RAID: Problem
Problem: After 8-10 EBS volumes striped together your bottleneck becomes instance bandwidth. How can you get more throughput?
Solution: Use instance-store backed instances; stripe the attached ephemeral storage devices for several hundred thousand IOPS depending on instance size.
[Diagram: striped volumes in AZ 1 with DRBD asynchronous replication to AZ 2]
Multi-Region Architectures
Multi-Region Architectures generally make use of Route 53 policies and complex policies to route traffic.
Note: All policies should make use of health checks, and for multi-region design you can often think of Route 53 as a type of load balancer. Its job is to distribute traffic based off of some sort of "criteria" such as latency or weights.
[Diagram: create, copy, restore of DB snapshots across regions]
Weighted routing: (weight for a given resource record set) / (sum of the weights for the resource record sets)
• Financial computations
• Weather forecasting
• Anything that requires large amounts of compute usage
GPU Instances
• Used for 3D modeling and simulation (graphically heavy)
• NVIDIA GPUs
Supports only HVM virtualization. Amazon Linux has it on by default; in order to enable it, the kernel module ixgbevf is required.

    modinfo ixgbevf
    ethtool -i eth(n)

ethtool -i verifies the kernel driver is being used; it will return "driver: ixgbevf".
HPC Scenarios
• Grid Computing (high throughput computing, HTC):
• Locality is not a primary requirement
• Workloads are more distributed
• The size of the cluster can grow and shrink (auto scaling)
• Often used with spot instances
• Servers can be utilized over a wide area and even across different types of instances
• Grid clusters should be designed for resilience
• Are more often scaled horizontally
• Loosely coupled (does not require tight communication between nodes)
HPC Scenarios
• Cluster Computing: Two or more instances connected together to support an application
• Usually requires high node-to-node throughput
• Most commonly assembled using the same type of instances
• Usually uses placement groups or enhanced networking to satisfy the high network throughput requirement
Challenge: Knowing when to use specific architectures depending on the workload
• Can a workload complete on a single node and benefit from auto scaling to handle an increase in capacity?
• Grid computing workloads can benefit from high availability and resilience using tools such as auto scaling, but a trade-off is enhanced networking
https://en.wikipedia.org/wiki/UDP_flood_attack
• CloudFront can scale to handle any increase in traffic, which helps absorb attacks
• CloudFront uses filtering techniques to ensure that only valid TCP connections and HTTP requests are successful in passing through the edge locations
WAF (Web Application Firewall) controls input and shows what the traffic is doing and where it is coming from. Many WAFs have built-in IDS (Intrusion Detection Systems) which analyze traffic data and look for suspicious activity. WAFs can be part of the web server itself, or they can sit in front of the webserver/ELB to filter the traffic and then forward it to the application.
[Diagram: a tier of WAF instances in front of the APP instances]
Example:
Mobile
devices
being
taken
to
a
different
ELB
with
different
stickiness
settings
or
desktop
users
going
to
different
S SL
c ertificates.
65
12/15/15
http://en.clouddesignpattern.org/index.php/CDP:Mutli_Load_Balancer_Pattern
When a request is made to a load balancer, the load balancer intercepts the request and creates a new request on behalf of the client.
Problem: What if your application does not use port 80/443 AND/OR is not sending a 200 OK response back even when it is in fact healthy?
Solution: Use TCP listeners, which can accept traffic on all available TCP ports 1 – 65535, and SSL on port 443 for secure requests that do not respond with 200 OK.
Forwarding Client IP Addresses To The EC2 Instances Behind The ELB
• When the ELB uses TCP to make the request to the EC2 instance on behalf of the client, the ELB's IP address will be sent to the EC2 instances and logged instead of the client's (think HTTP access logs)
• How can we forward the client's IP address?
[Diagram: EC2 instances behind the ELB see only the ELB IP]
Forwarding Client IP Addresses To The EC2 Instances Behind The ELB
• Use the CLI to configure Proxy Protocol on the ELB; Proxy Protocol is used to carry connection information from the client making the request to the destination EC2 instances
Note: This only works with TCP configurations, NOT HTTP/HTTPS listeners
Forwarding Client IP Addresses To The EC2 Instances Behind The ELB
Problem: How do you get the client IP address when using the layer 7 HTTP/HTTPS listener on the load balancer, since Proxy Protocol is only supported on a TCP listener setup?
Solution: Modify your application code to send another header along with the request to the load balancer. The header needs to be the X-Forwarded-For request header and will be passed through the ELB to the server with the client's IP address (if you add the client's IP address to the header in the code).
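Added example (not part of the course): the receiving side on the instance for both arrangements above, parsing the PROXY protocol v1 header line that a TCP listener sends ahead of each connection, and extracting the client address from X-Forwarded-For on the HTTP/HTTPS path. It assumes the ELB node addresses (constructed here as 10.0.1.0/24) are the only trusted hop, so a value the client itself placed in X-Forwarded-For is never taken as the logged address.

```python
import ipaddress

# Assumption for the example: the ELB nodes that front the instances live in this range,
# and they are the only hop whose forwarded information is believed (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_proxy_v1(line):
    """Parse the PROXY protocol v1 header a TCP listener sends ahead of the payload:
    b'PROXY TCP4 <client ip> <proxy ip> <client port> <proxy port>\\r\\n'.
    Returns None for 'PROXY UNKNOWN' and raises ValueError on anything malformed,
    so a bad header never turns into a logged client address."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("PROXY header too long or not CRLF terminated")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected PROXY header layout")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    sport, dport = int(parts[4]), int(parts[5])
    if (parts[1] == "TCP4") != (src.version == 4 and dst.version == 4):
        raise ValueError("address family does not match protocol field")
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ValueError("port out of range")
    return {"client_ip": str(src), "client_port": sport,
            "proxy_ip": str(dst), "proxy_port": dport}


def client_ip_from_xff(xff_header, peer_addr):
    """Client address behind an HTTP/HTTPS listener. X-Forwarded-For is read from the
    right: each trusted proxy is skipped and the first untrusted address is the client.
    Anything further left was supplied by the client itself and is ignored."""
    if not _is_trusted(peer_addr):
        return peer_addr          # connection did not come through the ELB
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None           # malformed value: refuse rather than log garbage
        return hop
    return peer_addr              # header empty or only proxies: nothing better known
```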
[Diagram: Elastic IP 58.58.58.58 on an active instance with private IP 10.0.1.1 and a standby instance with private IP 10.0.1.2]
• In the event of failover, disassociate the ENI and assign it to another instance
• Floating IP is also a solution if your software is licensed by MAC address
Source: https://en.wikipedia.org/wiki/Multicast
• Tunnel and a virtual network on the operating system level of the EC2 instances
• The virtual network CIDR ranges MUST be different than that of the VPC, and the subnets are independent of the VPC
[Diagram: tunnel network 172.16.10.0 with tunnel endpoints 172.16.10.1, 172.16.10.2 and 172.16.10.3]
BCJC has hired third party contractors to work on applications that integrate with existing regulatory-requirement data (credit card data) in BCJC's environment. While BCJC trusts the developers, there is an audit requirement to know what data, activity and the source for each is occurring in your environment, or what data is leaving. The developers need full access to the AWS environment in order to perform the development tasks appropriately. What is the best method and design to implement this type of security?
• Basically, how to know if a contractor is stealing the data, what the data is, and when/where it occurred
• Also know what commands are being issued in your environment and filter out bad, potentially dangerous activity before it occurs in your environment
• Allow developers "admin" access to the AWS tools
• Understand the limitations: traditional intrusion detection systems allow you to put the system into promiscuous mode, which allows for "sniffing" of traffic on your network that is intended for other machines/instances. This is a limitation of AWS: the hypervisor has it disabled, so it will not deliver any traffic to instances that is not specifically addressed to the instances. Thus, promiscuous mode is not allowed.
• Intrusion detection can work inline or by monitoring logs. There are a lot of log capabilities in AWS that we can use and then analyze for intrusion detection, such as CloudTrail and S3 logs.
• Intrusion prevention actually identifies and "drops" suspect packets, and this type of setup requires inline configuration
• Place IDS software on your EC2 instances that deliver your primary "front end" application
• Place an IDS/IPS inline that automatically blocks/allows traffic to the destination instances
• Use your own inline monitoring in your AWS environment
• Use a third party service to send traffic to an IDS/IPS provider that then redirects the traffic back to your application architecture
[Diagram: web instances in public subnets and data instances in private subnets, with an IDS instance receiving copies of the web traffic]
An agent installed on the EC2 instances will send copies of the network traffic received on the EC2 instance to the IDS system.
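Added example, not from the course: log-based detection of the kind the bullets above describe, run in Python over constructed CloudTrail-style records for the contractor scenario. The allowed office CIDR, the contractor user-name prefix, the bulk-read threshold and the sample records are assumptions; the event names checked (StopLogging, DeleteTrail, UpdateTrail, PutBucketPolicy, PutBucketAcl) are real CloudTrail event names.

```python
import ipaddress
import json
from collections import Counter

# Assumptions for the example: where contractor API calls are expected to originate,
# how contractor IAM users are named, and how many S3 object reads in one log batch
# count as bulk export. None of these values come from the course.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
CONTRACTOR_PREFIX = "contractor-"
BULK_READ_THRESHOLD = 3
# CloudTrail event names that weaken the audit trail or open data: alert on any caller.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutBucketPolicy", "PutBucketAcl"}


def _rec(time, user, source, name, src_ip, params=None):
    """One constructed CloudTrail-style record with only the fields the rules read."""
    return {"eventTime": f"2015-12-15T{time}Z", "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": src_ip, "requestParameters": params or {}}


# Constructed sample log in CloudTrail's {"Records": [...]} layout (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("10:00:01", "contractor-alice", "s3.amazonaws.com", "GetObject", "203.0.113.10",
         {"bucketName": "bcjc-cardholder", "key": "batch1.csv"}),
    _rec("10:00:02", "contractor-alice", "s3.amazonaws.com", "GetObject", "203.0.113.10",
         {"bucketName": "bcjc-cardholder", "key": "batch2.csv"}),
    _rec("10:00:03", "contractor-alice", "s3.amazonaws.com", "GetObject", "203.0.113.10",
         {"bucketName": "bcjc-cardholder", "key": "batch3.csv"}),
    _rec("10:04:10", "contractor-alice", "s3.amazonaws.com", "GetObject", "198.51.100.50",
         {"bucketName": "bcjc-cardholder", "key": "batch4.csv"}),
    _rec("10:05:00", "contractor-bob", "cloudtrail.amazonaws.com", "StopLogging", "203.0.113.11",
         {"name": "bcjc-audit-trail"}),
    _rec("10:06:00", "ops-admin", "ec2.amazonaws.com", "RunInstances", "cloudformation.amazonaws.com"),
]})


def parse_records(text):
    return json.loads(text)["Records"]


def from_allowed_network(source):
    """sourceIPAddress is not always an IP: calls an AWS service makes on a user's behalf
    carry the service's DNS name, which these rules do not treat as off-network."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in ALLOWED_CIDRS)


def analyze(records):
    """Run the three rules over the records and return alerts in log order."""
    alerts = []
    reads = Counter()

    def alert(rule, rec, detail):
        alerts.append({"rule": rule, "user": rec["userIdentity"].get("userName", "?"),
                       "event": rec["eventName"], "source": rec["sourceIPAddress"],
                       "time": rec["eventTime"], "detail": detail})

    for rec in records:
        user, name = rec["userIdentity"].get("userName", ""), rec["eventName"]
        if name in AUDIT_TAMPERING:                      # rule 1: audit/data controls touched
            alert("audit-tampering", rec, rec["requestParameters"])
        if not user.startswith(CONTRACTOR_PREFIX):
            continue
        if not from_allowed_network(rec["sourceIPAddress"]):   # rule 2: contractor off-network
            alert("off-network-contractor-call", rec, rec["requestParameters"])
        if rec["eventSource"] == "s3.amazonaws.com" and name == "GetObject":
            reads[user] += 1                              # rule 3: bulk object reads
            if reads[user] == BULK_READ_THRESHOLD:
                alert("bulk-s3-read", rec, f"{reads[user]} object reads so far")
    return alerts
```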
VPN connections create private connections to a VPC, giving on-premise machines access to internal VPC resources such as private IP addresses and internal load balancers. Key is to understand how to create VPN connections and how networking occurs with VPN connections.
• Most corporate companies have hardware routers that are used to create VPN connections to the VPC, and currently only hardware routers are supported by the VPC VPN option
• Software VPN such as OpenVPN can be configured on an EC2 instance
VPN
• Understand how to create a hardware VPN connection
• Understand how to configure subnet route discovery between on-premise and VPC CIDR blocks
Security Zones
What if you're running multiple applications in an AWS environment?
• Separate by creating multiple VPCs, one for each zone (if this high level separation is allowed and the apps do not need to communicate)
• For apps/instances that need communication, use the segmentation tools available to ensure only the traffic required is flowing in and out of zones
• Security Groups
• NACLs
• Segment environments based off of CIDR block ranges and create NACL rules that allow traffic to specific subnets/security groups based off of those CIDR block ranges; this ensures inter-zone communication is allowed from only specific locations
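Added example, not from the course: a Python sketch of the last bullet, generating per-zone NACL rule tables from a list of permitted inter-zone flows and evaluating a connection the way a NACL does (lowest rule number first, stateless, implicit deny at the end). The zone CIDRs, ports and rule numbering are constructed assumptions.

```python
import ipaddress
from operator import itemgetter

# Constructed zone layout for the example (CIDRs and ports are assumptions, not from the course).
ZONES = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "data": "10.0.3.0/24"}
# Inter-zone flows that are permitted: (source zone, destination zone, destination TCP port).
ALLOWED_FLOWS = [("web", "app", 8080), ("app", "data", 3306)]
# NACLs are stateless, so the reply half of each flow needs its own rule on the ephemeral range.
EPHEMERAL = (1024, 65535)


def _rule(number, ports, cidr):
    return {"rule": number, "protocol": "tcp", "ports": ports, "cidr": cidr, "action": "allow"}


def build_nacl(zone):
    """Inbound and outbound rule tables for one zone's subnet, numbered from 100 in steps
    of 10 so rules can be inserted later. Anything not listed falls to the implicit '*' deny."""
    inbound, outbound = [], []
    number = 100
    for src, dst, port in ALLOWED_FLOWS:
        if dst == zone:      # this zone is the server side of the flow
            inbound.append(_rule(number, (port, port), ZONES[src]))
            outbound.append(_rule(number, EPHEMERAL, ZONES[src]))     # replies back to the client
        if src == zone:      # this zone initiates the flow
            outbound.append(_rule(number, (port, port), ZONES[dst]))
            inbound.append(_rule(number, EPHEMERAL, ZONES[dst]))      # replies coming back
        number += 10
    by_number = itemgetter("rule")
    return {"inbound": sorted(inbound, key=by_number), "outbound": sorted(outbound, key=by_number)}


def evaluate(rules, remote_ip, port):
    """NACL semantics: rules are checked in ascending number order and the first match
    decides; with no match the implicit '*' rule denies."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in rules:
        low, high = rule["ports"]
        if ip in ipaddress.ip_network(rule["cidr"]) and low <= port <= high:
            return rule["action"]
    return "deny"


def flow_allowed(src_zone, dst_zone, src_ip, dst_ip, dst_port, src_port):
    """Check all four stateless halves of one TCP connection between two zones:
    request leaving the source subnet, request entering the destination subnet,
    reply leaving the destination subnet, reply entering the source subnet."""
    src_nacl, dst_nacl = build_nacl(src_zone), build_nacl(dst_zone)
    checks = (
        evaluate(src_nacl["outbound"], dst_ip, dst_port),
        evaluate(dst_nacl["inbound"], src_ip, dst_port),
        evaluate(dst_nacl["outbound"], src_ip, src_port),
        evaluate(src_nacl["inbound"], dst_ip, src_port),
    )
    return all(result == "allow" for result in checks)
```

The ephemeral-range reply rules are the cost of statelessness: they are wider than the single port the flow needs, which is why the course pairs NACLs with security groups rather than relying on either alone.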
[Diagram: corporate data center connected to AWS via Direct Connect]
An AWS Direct Connect location provides access to the AWS region it is associated with. It does not provide access to other AWS regions. However, there are methods to connect to additional AWS regions, discussed in the next lesson.
A Direct Connect into an AWS Partner Direct Connect provider will only connect to the closest region or the AWS region associated to the provider. What if you're creating a multi-region design and have a need for a more reliable network connection?
• Create a public virtual interface to the remote region's public endpoints and use VPN over the public virtual interface to protect the data
Note: While you will not have a private Direct Connect connection, your data will still utilize AWS backbone networks for a better connection to the remote region. By creating a VPN you are creating your own private network to internal AWS VPC resources.
• BCJC wants to connect on-premise to the cloud using existing credentials; in other words, expose existing AD to the cloud
• AWS Directory Service
• AD Connector (essentially a hosted proxy service, no caching): instances on AWS that need access to on-premise AD will proxy through the AD Connector down to the on-premise AD server; nothing is stored on the connector
• Simple AD – a fully hosted AD on Amazon; you would set up another master controller and "sync" to on-premise and then maybe eventually move fully on-premise
[Diagram: on-prem AD in the corporate data center, pass-through to an AWS AD Connector instance in a security group]
[Diagram: on-prem AD in the corporate data center syncing to a Simple AD instance in a security group, VPC subnet and availability zone]
Simple AD: A full Active Directory service which, in order to use on-premise credentials, you would set up Active Directory sync for.
Simple AD: Remove the AD sync to on premise and instead use Simple AD as your AD on premise as well.
Amazon ElastiCache
ElastiCache is an in-memory hosted caching solution provided by AWS. ElastiCache supports two types of caching engines at this time.
Redis – Redis acts more like a replacement for the DB server and instead maintains its own persistence and is used for certain types of application functions.
Storing infrequently accessed data doesn't equate to cost savings or much performance savings but will fill up your available cache memory.
Cache expensive queries or slow queries with joins that run across multiple tables; these are considered hardware intensive and expensive.
Cache data that is "stale": it doesn't change frequently and would require flushing for new data to appear.
• The Redis caching engine is a little different, as it uses the in-memory storage for actual data storage and only writes persistence to snapshots or data files frequently
Lazy loading can be expensive if there is a cache miss. This is important in determining if an item is infrequently accessed and should be cached or not. If it is infrequently accessed it will be less expensive to just read from the DB and bypass cache.
• Downsides:
• Lots of data is stored in memory that may not be frequently accessed
• If a node is spinning up it could miss writing and cause missing data
Note: Anytime you access data from in-memory storage, it is ephemeral but is MUCH faster than reading from a disk. Remember, the type of data you cache depends on the caching engine you're using, the use case, and what it takes to load the data into cache.
Populate cache:
• Write through
• Lazy loading
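Added example, not from the course: both population strategies side by side in Python, with an in-memory stand-in for the DB server and a TTL cache in place of the ElastiCache node, so the stale read after a lazily loaded row is updated, the DB read on a miss, and the unread rows a write-through strategy keeps in cache are all visible. Keys, values, the TTL and the fake clock are constructed.

```python
import time


class SlowDatabase:
    """Stand-in for the backend DB server; counts reads so the cost of a miss is visible."""
    def __init__(self, rows):
        self.rows = dict(rows)
        self.reads = 0

    def get(self, key):
        self.reads += 1
        return self.rows.get(key)

    def put(self, key, value):
        self.rows[key] = value


class TtlCache:
    """Minimal in-memory cache with a per-item TTL, standing in for the ElastiCache node.
    The clock is injectable so the TTL can be advanced without sleeping."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.items = {}

    def get(self, key):
        entry = self.items.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self.clock() >= expires_at:
            del self.items[key]
            return None
        return value

    def set(self, key, value, ttl):
        self.items[key] = (value, self.clock() + ttl)


class LazyLoadingRepo:
    """Lazy loading: the cache is filled only when a read misses. Writes go to the DB
    alone, so a cached copy stays stale until its TTL runs out."""
    def __init__(self, db, cache, ttl):
        self.db, self.cache, self.ttl = db, cache, ttl

    def get(self, key):
        value = self.cache.get(key)
        if value is None:                       # miss: the expensive path
            value = self.db.get(key)
            if value is not None:
                self.cache.set(key, value, self.ttl)
        return value

    def update(self, key, value):
        self.db.put(key, value)


class WriteThroughRepo(LazyLoadingRepo):
    """Write through: every write updates the DB and the cache together, so reads are
    never stale, at the price of caching rows that may never be read."""
    def update(self, key, value):
        self.db.put(key, value)
        self.cache.set(key, value, self.ttl)


def run_scenario(strategy):
    """Drive one strategy through read, update and TTL expiry with a fake clock."""
    now = [1000.0]
    db = SlowDatabase({"product:42": "price=10"})
    cache = TtlCache(clock=lambda: now[0])
    repo = strategy(db, cache, ttl=60)
    repo.get("product:42")                      # cold miss: one DB read, cache filled
    repo.get("product:42")                      # warm hit: no DB read
    reads_after_warm = db.reads
    repo.update("product:42", "price=12")       # the row changes
    after_update = repo.get("product:42")
    repo.update("product:7", "price=3")         # a row nobody reads
    cached_keys = sorted(cache.items)
    now[0] += 61                                # TTL expires
    after_ttl = repo.get("product:42")
    return {"reads_after_warm": reads_after_warm, "after_update": after_update,
            "cached_keys": cached_keys, "after_ttl": after_ttl, "db_reads": db.reads}
```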
[Diagram: web nodes in front of cache nodes with a Multi-AZ standby; on a miss the web node reads the source and then populates the cache]
• Purchase reserved nodes to reduce costs -> not good for spot
• Can scale by adding on-demand nodes for times of increase in demand
• Every node in the cluster is the same instance type
• Memcached supports auto discovery: client programs automatically identify all nodes in a cache cluster
• Improve fault tolerance by locating nodes in multiple availability zones
• In a multi-region design, have an ElastiCache cluster in each region populating data from the local/regional DB server
• Memcached is a great solution for storing "session" state in applications; this will make web servers stateless, which allows for easy scaling
Note: This can cause an increased load on your SQL server; to mitigate this load, use more nodes in a cluster so the loss of a node does not equate to a substantial increase in database load on your backend database store.
When "events" occur to clusters, notifications can be configured to be sent to SNS topics for automation and notification.
Automatic Snapshots – Backups are taken on a daily basis; select a snapshot window and time limit. If failure occurs on a cluster then the cluster can be restored from the most recent snapshot.
Manual Snapshots – Can be taken at any time and are not subject to the "retention limit" of automatic backups.
Redis snapshots can be copied but cannot be copied to another region; they can only be "copied".
Fully managed petabyte-scale data warehouse used for storing large amounts of data for business intelligence applications.
Redshift nodes are continuously backed up to Amazon S3, and in the event of a failed drive in the cluster Redshift will re-replicate the data from the failed drive and replace the nodes as needed.
Redshift nodes are all within the same availability zone, and a cluster is not available in multiple availability zones at one time.
Redshift distributes the query from the "leader" node in parallel across all the cluster's compute nodes. The compute nodes work together to execute the queries and return the data back to the leader node, which then organizes the results and sends them back to the client requesting the data from the cluster.
Resizing a cluster:
• All connections are terminated and the cluster is restarted in read-only mode; any transaction that was not completed will be rolled back
• A new cluster is started (by Redshift) and uses the original (source) cluster as a data source to populate the new cluster
• The new cluster is in read-only mode until the resize is completed
• The endpoint is updated and the old cluster terminates all connections
On-demand: on-demand instances can be added for scaling a node, or temporary Redshift clusters can also rely on on-demand
Reserved instances: To reduce costs for nodes that will maintain a continuous running state, purchase reserved instances to reduce the cost of the nodes
• Must be the proper instance type
• Must be in the proper region/availability zone for the reserved pricing to apply
• BCJC will be charged the discounted rate for the 6 running nodes
• BCJC will also pay the discounted rate for the additional 3 nodes reserved even though the cluster is only running 6 nodes
Data on Amazon Redshift needs to be backed up with Redshift data snapshots
• Point-in-time snapshots are stored on Amazon S3 for durability (done by Redshift)
• Redshift can restore data from a snapshot by launching a new cluster and importing the data from the snapshot
Snapshots can be copied from one region to another region (if the region supports Redshift)
• Manual Copy: Manually copy a snapshot from one region to another
• Automatic Copy: Redshift will automatically copy a snapshot from one region to another; a retention period for the destination region can also be configured so automated snapshots can be removed after the retention period
Note: Snapshot copying does incur data transfer costs from one region to another
Media Streaming – CloudFront allows you to stream media on-demand, Adobe RTMP streaming distributions, as well as streaming origins such as WOWZA EC2 instances.
Invalidation – CloudFront will cache the last requested item until either the TTL on the item expires, the object is invalidated, OR the TTL is set to zero and the last modified header has not changed.
Custom SSL – By default CloudFront provides a xxxx.cloudfront.net URL. With this comes an SSL certificate associated with the cloudfront.net domain. If there is a requirement to use a custom domain, i.e. linuxacademy.com, you must provision and configure your own SSL certificate in IAM and associate it to your CloudFront distribution.
Custom Error Messages – CloudFront allows you to respond back with custom error messages/pages, i.e. a 404 not found page.
HTTP Methods: Core benefits are allowing you to use CloudFront for all website actions
Whole site CDN! CloudFront allows you to specify custom origins including on-premise servers and sources. Configure static resources in the CDN as well as dynamic content, and enable query string forwarding.
Geo Targeting: Serve content specific to an individual country by using CloudFront Geo targeting; the URL stays the same, the content sent is different.
How it works: Essentially AWS now records this information and sends it as part of the request. Your code on the application server can process the data and return customized content based off of the information.
CloudFront Reporting
Access Logs: Shows details of every request made to your CloudFront origin. Can integrate with EMR for log analysis. Log data:
• Object requested
• Date and time of request
• Edge location serving the request
• Client IP address
• HTTP Referrer
• HTTP User Agent
Top Referrers: Shows the URL that made the most requests to the CDN distribution
Usage: Number of HTTP / HTTPS requests, data transferred by protocol, data transferred by destination (from CloudFront to the users / from CloudFront to the origin)
Viewers:
• Devices
• Browsers
• Operating Systems
• Locations
CloudFront Security
Private Content
• Signed URLs: Provide URLs with expiry dates to limit access to content
• Signed Cookies: Signed cookies are new and are an extremely flexible tool in terms of limiting content. You can limit content without limiting access to the URL. For example: if a user is logged into a site, you can issue a signed cookie that verifies they have permission to access certain parts of the site. If streaming HLS files from CloudFront you can also create signed cookies that will be validated each time an HTTP request is made to an HLS chunk. Essentially, providing secure streaming!
• Use CloudFront to upload objects; the edge location will proxy the data back to the origin location going over the AWS backend network
• Increase minimum TTL and maximum TTL so items are cached longer (if they are not frequently changing)
How does CloudFront react in the event of high load and multiple simultaneous requests?
In case of an increase in simultaneous requests, CloudFront will wait for the first request to finish before processing the second request.
On-Demand Streaming
Live Streaming
Smooth: To enable Microsoft Smooth Streaming, create a web distribution and on the custom origin select "Enable smooth streaming"
Progressive Downloads: Progressive download is the process of transferring digital media files (HLS/MP4) from a CloudFront origin to a client over HTTP/HTTPS
Streaming of pre-recorded media, usually MP4 files, over the Adobe Streaming RTMP protocol. This is actual video streaming and not video download, and requires a video streaming distribution when creating a new CloudFront distribution.
Live Streaming: Use CloudFront CDN with a streaming server origin such as WOWZA media server to stream live events. Live event streams will send chunks of data that can be cached in a "delay" by the CDN, so live requests are being served via CloudFront and limited streams are being sent to the streaming origin such as WOWZA EC2 instances. To configure this setup you would use a web CDN and NOT an RTMP CDN.
Note: Keep in mind there is no "streaming switch" other than enabling smooth streaming on CloudFront distributions. This means understanding what type of media should be streaming from what type of CloudFront distribution is important.
Elastic Transcoder is used to convert media files stored on AWS S3
• Different formats (mobile available, i.e. HLS)
• Different quality levels
• Different resolutions
• Apply captions
• Create MP3 files from video files
• Add watermarks to videos
Jobs: A job is called via the API when you specify the type of encoding, video settings, and presets for the videos you want to create. A single job can create up to 30 output video types.
Pipelines: Pipelines are where the jobs are submitted. Pipelines handle each job in the order in which they are submitted to the pipeline. The pipeline is where the destination and source buckets are configured for the outputted files. All jobs in a pipeline can be temporarily stopped just by "pausing" the entire pipeline.
Presets: Pre-built templates for transcoding files into one format or another.
Pipelines
Presets
Notifications
Notice this: No EC2 instances required for streaming, an entire highly available and infinitely scalable solution
[Diagram: Transcoder pipeline/job feeding a CloudFront streaming/download distribution]
Remember: Download distribution for non-Adobe RTMP streaming protocols; streaming distribution for only Adobe RTMP
Live Streaming
[Diagram: CloudFront streaming/download distribution]
Signed URLs:
• Streaming RTMP data from a streaming distribution (signed cookies are not supported)
• Signed URLs for progressive download: security hole because it makes the file available for download for as long as the video is available
• If a client does not support cookies
Signed Cookies:
• Providing access to multiple files, for example chunk files of HLS; the signed cookies will be "checked" for each served chunk
• Does not require "custom signed" URLs; the URL link can stay the same
Examples:
• Migrating
D ynamoDB tables
to
another
region
( can
also
do
this
with
DynamoDB
streams)
also
k nown
as
importing/exporting
D ynamoDB data
• Taking
data
from
an
S 3
bucket,
for
forming
ETL
( extract
transform
and
load),
and
uploading
to
another
resource
such
as
RDS,
D ynamoDB,
Elastic
Map
Reduce,
etc.
105
12/15/15
• Run SQL queries on the data that is stored within Redshift, and those query results can be stored in a new table or modified in the existing table
[Diagram: clickstream logs (pushed from something like Kinesis) -> EMR for cleaning of logs -> S3 bucket with formatted logs for long term storage -> perform SQL queries against the data]
Technical Overview:
Task Runners: An application "polling" the pipeline for tasks to perform, which then performs that task
• Can be launched by pre-built data pipeline templates
• Can be added to EC2 instances or an on-premise server!
Data Nodes: The location and type of data the pipeline uses as input and output
• DynamoDBDataNode
• MySqlDataNode
• RedshiftDataNode
• S3DataNode
Technical Overview:
Activities: This defines what is supposed to be done by the pipeline. Pre-built activities are available in Data Pipeline, but you can also write custom scripts to perform custom tasks
Technical Overview:
Databases: Supported databases
• JDBC database
• RDS database
• Redshift database
Preconditions: An assertion that must be true in order for the pipeline to run. You can create a custom precondition with a script or use a Data Pipeline precondition
• DynamoDBDataExists: Checks for data within a specific DynamoDB table
• DynamoDBTableExists: Checks to see if a DynamoDB table exists
• S3KeyExists: See if an S3 key (object) exists
• S3PrefixNotEmpty
User preconditions:
• Exists: Checks to see if a data node exists
• ShellCommandPrecondition: Executes a Linux bash command
Resources: Computational resources which perform the specified pipeline activity
• Ec2Resource
• EmrCluster
• Purchase reserved instances to reduce the cost of EC2 based on usage
• Use spot instances for the "task" EMR nodes
• The data is persistent because the core nodes in an EMR cluster are on-demand, so the risk of them being terminated due to being outbid is eliminated
AWS RDS
An SSL c ertificate is c reated when the RDS instance is c reated.
• Improves disaster recovery (reduces the RTO and RPO of an application)
• Helps with data migration from one region to another
• Allows RDS "reads" to scale out globally (writes still need to happen on the master)
• Reduces load against the "master" database by sending read traffic to read replicas
• Still best practice to use caching in front of the read replicas, depending on your update requirements
Note: Replication for MySQL server only works on MySQL 5.6.13 or later
Oracle RAC: This can run on EC2 instances even though multicast is required; you can use VPN (Ntop N2N) to create a tunnel between the nodes. Placement groups would be required since it is a cluster service. Data Guard service can be used to extend high availability to the RAC design.
• With on-premise Oracle servers, use RMAN to back up data to Amazon S3 as part of a hybrid environment
• With RDS based Oracle servers, use DB snapshots for point-in-time snapshots
NOT as easy as the other open source technologies since MSSQL server is not supported on RDS.
AWS CloudSearch
AWS CloudSearch is a fully hosted solution provided by AWS. CloudSearch is used for indexing documents and information contained within the documents for search within an application.
CloudSearch provides search features similar to Apache SOLR and CloudSearch is powered by SOLR.
AWS CloudSearch
Document types that can be indexed by CloudSearch
• CSV
• PDF
• HTML
• Excel
• PowerPoint
• Word
• Regular Text
AWS CloudSearch
CloudSearch can be used to search DynamoDB tables
• When updates to DynamoDB data occur, send the updates to CloudSearch
• Periodically send the updates to CloudSearch
Note: The CloudSearch data is indexed within CloudSearch. If changes occur to indexed items they will need to be re-uploaded to CloudSearch for indexing.
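The "send the updates to CloudSearch" step above is easy to get wrong when the same item changes several times between uploads, since CloudSearch only keeps whatever was uploaded last. The following is an added example, not code from the course or from AWS: it turns a list of DynamoDB-style change records (constructed sample data with my own event/key/new field layout, not the DynamoDB Streams record format) into CloudSearch document batches in the add/delete JSON shape the service accepts, collapsing repeated changes to one operation per id and splitting the result at the 5 MB batch limit.

```python
import json

# Constructed DynamoDB-style change records for the course's "Notes" table.
# Sample data made up for this example; "event"/"key"/"new" are my own field
# names, not the DynamoDB Streams record layout.
SAMPLE_CHANGES = [
    {"event": "INSERT", "key": {"Id": "n-1"},
     "new": {"Id": "n-1", "Title": "Read replicas", "Body": "Writes still go to the master"}},
    {"event": "MODIFY", "key": {"Id": "n-1"},
     "new": {"Id": "n-1", "Title": "Read replicas", "Body": "Writes still go to the master; cache in front"}},
    {"event": "INSERT", "key": {"Id": "n-2"},
     "new": {"Id": "n-2", "Title": "Old note", "Body": "to be removed"}},
    {"event": "REMOVE", "key": {"Id": "n-2"}, "new": None},
]

# CloudSearch rejects a document batch larger than 5 MB (service limit).
MAX_BATCH_BYTES = 5 * 1024 * 1024


def coalesce_changes(changes):
    """Keep only the latest state per document id.

    A modified item must be re-uploaded whole, so an earlier add for the same
    id is superseded; an add followed by a remove collapses to a single delete.
    """
    latest = {}
    for change in changes:
        doc_id = change["key"]["Id"]
        if change["event"] == "REMOVE":
            latest[doc_id] = {"type": "delete", "id": doc_id}
        else:
            # CloudSearch index field names are lowercase; the Id is the
            # document id, not an indexed field.
            fields = {name.lower(): value
                      for name, value in change["new"].items() if name != "Id"}
            latest[doc_id] = {"type": "add", "id": doc_id, "fields": fields}
    return list(latest.values())


def to_sdf_batches(changes, max_bytes=MAX_BATCH_BYTES):
    """Split the coalesced operations into JSON batches under the size limit."""
    batches, current = [], []
    for op in coalesce_changes(changes):
        if current and len(json.dumps(current + [op]).encode("utf-8")) > max_bytes:
            batches.append(current)
            current = []
        current.append(op)
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    for batch in to_sdf_batches(SAMPLE_CHANGES):
        print(json.dumps(batch, indent=2))
```

Each batch is what you would post to the search domain's document endpoint; the coalescing step is also what makes the "periodically send the updates" option safe, because a burst of edits to one note produces a single add with the final version rather than a sequence of stale ones.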
CloudFormation
Example ec2 launch configuration, example of network team managing network resources on multiple stacks.
Nested stack example?
Talk about deletion policies: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html
Recorded example of a network item, and then a dev item.
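The deletion-policy note above is the one that matters for data loss: a stack delete (or a resource replacement during an update) removes a stateful resource unless its DeletionPolicy says otherwise, and the default is Delete. As an added example that is not course material or AWS code, here is a small audit of a constructed template (placeholder property values) that flags stateful resources which would be destroyed with the stack, rejects Snapshot on types that cannot be snapshotted, and can write Retain onto the flagged ones.

```python
import copy

# Stateful resource types whose data is lost when the stack is deleted
# without a protective DeletionPolicy.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::DynamoDB::Table",
    "AWS::S3::Bucket", "AWS::EC2::Volume",
}
# Snapshot is only a valid DeletionPolicy for resource types that can be
# snapshotted; the others accept Retain or Delete.
SNAPSHOT_CAPABLE = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::EC2::Volume"}

# Constructed sample template (not from the course): a stateless instance,
# a database with a sensible policy, a table with no policy at all, and a
# bucket with a policy CloudFormation would reject. Property values are placeholders.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebServer": {"Type": "AWS::EC2::Instance",
                      "Properties": {"ImageId": "ami-PLACEHOLDER", "InstanceType": "t2.micro"}},
        "AppDb": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
                  "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t2.micro"}},
        "NotesTable": {"Type": "AWS::DynamoDB::Table",
                       "Properties": {"KeySchema": [{"AttributeName": "Id", "KeyType": "HASH"}]}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Snapshot", "Properties": {}},
    },
}


def audit_deletion_policies(template):
    """Map each at-risk logical resource name to a short description of the problem."""
    findings = {}
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype not in STATEFUL_TYPES:
            continue
        if "DeletionPolicy" not in resource:
            findings[name] = "no DeletionPolicy (defaults to Delete)"
            continue
        policy = resource["DeletionPolicy"]
        if policy == "Delete":
            findings[name] = "explicit DeletionPolicy Delete on a stateful resource"
        elif policy == "Snapshot" and rtype not in SNAPSHOT_CAPABLE:
            findings[name] = "DeletionPolicy Snapshot is not valid for " + rtype
    return findings


def apply_retain(template):
    """Return a copy of the template with Retain set on every flagged resource."""
    fixed = copy.deepcopy(template)
    for name in audit_deletion_policies(template):
        fixed["Resources"][name]["DeletionPolicy"] = "Retain"
    return fixed


if __name__ == "__main__":
    for name, problem in audit_deletion_policies(SAMPLE_TEMPLATE).items():
        print(f"{name}: {problem}")
```

Run it against templates in review before they reach the network or dev stacks the slide mentions; Retain is the conservative default for anything holding data, and Snapshot is the better choice where the type supports it, since it leaves a recoverable copy without an orphaned live resource.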
CloudFormation
Blue Green Deployment
https://d0.awsstatic.com/whitepapers/managing-multi-tiered-web-applications-with-opsworks.pdf
If your app has a “free tier” which processes “jobs” but you offer a premium service so those jobs are processed faster, how can you design a message priority queue so that premium jobs are completed first?
CloudWatch + Auto Scaling
http://en.clouddesignpattern.org/index.php/CDP:Priority_Queue_Pattern
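The priority queue pattern referenced above uses one queue per priority rather than a priority field inside a single queue, and scales the worker fleet on each queue's backlog. As an added example (not from the course or the pattern catalogue), this in-memory model routes constructed sample jobs to a premium and a free queue, shows a worker that always drains premium first, and computes a backlog-based worker count of the kind a CloudWatch alarm on queue depth would drive through Auto Scaling. The JobQueue class stands in for SQS and is not the SQS API.

```python
from collections import deque
from math import ceil

# Constructed job submissions in arrival order (sample data for this example).
SAMPLE_JOBS = [
    {"id": "f1", "tier": "free"},
    {"id": "p1", "tier": "premium"},
    {"id": "f2", "tier": "free"},
    {"id": "p2", "tier": "premium"},
    {"id": "f3", "tier": "free"},
]


class JobQueue:
    """In-memory stand-in for one SQS queue (not the SQS API)."""

    def __init__(self, name):
        self.name = name
        self._messages = deque()

    def send(self, job):
        self._messages.append(job)

    def receive(self):
        return self._messages.popleft() if self._messages else None

    def approximate_depth(self):
        # Plays the role of the queue-depth metric a CloudWatch alarm would watch.
        return len(self._messages)


def enqueue_all(jobs):
    """Route each job to the queue for its tier: two queues, not one with a priority field."""
    premium, free = JobQueue("jobs-premium"), JobQueue("jobs-free")
    for job in jobs:
        (premium if job["tier"] == "premium" else free).send(job)
    return premium, free


def drain_in_order(premium, free):
    """A single worker that checks the premium queue before the free queue on every poll."""
    processed = []
    while True:
        job = premium.receive() or free.receive()
        if job is None:
            return processed
        processed.append(job["id"])


def desired_workers(queue, jobs_per_worker, min_workers=1, max_workers=10):
    """Backlog-based scaling rule: one worker per N queued jobs, clamped to fleet limits."""
    wanted = ceil(queue.approximate_depth() / jobs_per_worker)
    return max(min_workers, min(max_workers, wanted))


if __name__ == "__main__":
    premium_q, free_q = enqueue_all(SAMPLE_JOBS)
    print("premium workers:", desired_workers(premium_q, jobs_per_worker=1))
    print("free workers:", desired_workers(free_q, jobs_per_worker=2))
    print("processing order:", drain_in_order(premium_q, free_q))
```

Two points the model makes visible: a standard SQS queue does not guarantee ordering, so the strict order here is the intent of the pattern rather than an SQS property; and a single worker that always prefers premium can starve the free tier under sustained premium load, which is why the pattern runs a separate, smaller fleet on the free queue with its own scaling rule (a lower jobs_per_worker for premium gives it more workers per queued job).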
JavaScript
CloudWatch + Auto Scaling
DynamoDB
Problem: Thousands of objects that need to be easily retrieved based off of attribute information.
Solution using just S3: S3 allows you to list objects based off of “key search”, basically searching the prefix of the object. The list search is limited to just 1,000 objects.
Correct Solution: Build an additional index that is easily searchable and stores specific attributes about the object. These attributes can be searched and are linked back to the correct object. Easily searchable solutions like DynamoDB, which require no servers, will reduce cost and increase efficiency when searching for objects.
DynamoDB
Table Name   Primary Key Type   Partition Key Name   Sort Key Name
Course       Simple             Name
Lesson       Composite          CourseName           LessonName
Notes        Composite          Id                   CreateDate
An index is created on the Partition Key name and for composite table types the data is stored in sorted order based off of Sort Key Name.
DynamoDB
Two ways to search data within a table
1. Using “query” API call:
• Query will be performed against the primary key and a value for the sort key can be passed with a comparison operator.
• Query is the fastest lookup method as it is performed against a stored “index” in the table
• Querying an “indexed” item is the fastest method of looking up data in the DynamoDB table
2. Using “Scan” API call
• Scan will read every item in the table and search every possible attribute rather than only indexed attributes.
• This is the most taxing method available and causes performance issues
Secondary indexes: Lets you query the data within a table using a secondary key instead of just the primary partition key.
• Global Secondary Index: An index on a new partition key and sort key that are different than that of the defined table
• Local Secondary Index: An index that has the same partition key but a different sort key
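To make the query-versus-scan cost difference and the two index types concrete, here is an added example (my own toy model, not DynamoDB or its SDK) built on the Lesson table from the slide (composite key CourseName + LessonName) with constructed sample items. Items are grouped by partition key and kept sorted by sort key, and a counter records how many items each operation reads, which is what you would pay for in read capacity. The same class models a Local Secondary Index (same partition key, Duration as sort key) and a Global Secondary Index (Author as partition key).

```python
from operator import itemgetter

# Constructed items for the "Lesson" table on the slide (partition key CourseName,
# sort key LessonName). Duration and Author are plain attributes with no index
# in the base table.
LESSONS = [
    {"CourseName": "CSA-Pro", "LessonName": "01-IAM", "Duration": 12, "Author": "alice"},
    {"CourseName": "CSA-Pro", "LessonName": "02-VPC", "Duration": 25, "Author": "alice"},
    {"CourseName": "CSA-Pro", "LessonName": "03-RDS", "Duration": 18, "Author": "bob"},
    {"CourseName": "Linux-Essentials", "LessonName": "01-Shell", "Duration": 9, "Author": "bob"},
    {"CourseName": "Linux-Essentials", "LessonName": "02-Perms", "Duration": 14, "Author": "alice"},
]


class KeyedTable:
    """Toy model of a DynamoDB table or index: items grouped by partition key and
    kept sorted by sort key. items_read approximates consumed read capacity."""

    def __init__(self, items, partition_key, sort_key):
        self.partition_key, self.sort_key = partition_key, sort_key
        self._partitions = {}
        for item in items:
            self._partitions.setdefault(item[partition_key], []).append(item)
        for partition in self._partitions.values():
            partition.sort(key=itemgetter(sort_key))
        self.items_read = 0

    def query(self, pk_value, sort_condition=lambda _: True):
        """Query: one partition, optionally narrowed by a condition on the sort key.
        Only the matching key range is read because the partition is stored sorted."""
        matches = [i for i in self._partitions.get(pk_value, [])
                   if sort_condition(i[self.sort_key])]
        self.items_read += len(matches)
        return matches

    def scan(self, filter_fn=lambda _: True):
        """Scan: every item in every partition is read, then the filter is applied."""
        everything = [i for p in self._partitions.values() for i in p]
        self.items_read += len(everything)
        return [i for i in everything if filter_fn(i)]


def build_table_and_indexes(items):
    base = KeyedTable(items, "CourseName", "LessonName")
    lsi = KeyedTable(items, "CourseName", "Duration")   # LSI: same partition key, other sort key
    gsi = KeyedTable(items, "Author", "LessonName")     # GSI: new partition key and sort key
    return base, lsi, gsi


def lesson_names_for_course(course, prefix):
    """Query the base table with a begins_with style condition on the sort key."""
    base, _, _ = build_table_and_indexes(LESSONS)
    return [i["LessonName"] for i in base.query(course, lambda name: name.startswith(prefix))]


def long_lessons_via_lsi(course, min_duration):
    """Use the LSI so the range condition applies to Duration instead of LessonName."""
    _, lsi, _ = build_table_and_indexes(LESSONS)
    return [i["LessonName"] for i in lsi.query(course, lambda d: d >= min_duration)]


def compare_author_lookup(author):
    """Scan with a filter versus a Query on the GSI keyed by Author: same answer, different cost."""
    base, _, gsi = build_table_and_indexes(LESSONS)
    scanned = base.scan(lambda i: i["Author"] == author)
    queried = gsi.query(author)
    return {
        "scan_results": len(scanned), "scan_items_read": base.items_read,
        "gsi_results": len(queried), "gsi_items_read": gsi.items_read,
    }


if __name__ == "__main__":
    print(lesson_names_for_course("CSA-Pro", "0"))
    print(long_lessons_via_lsi("CSA-Pro", 18))
    print(compare_author_lookup("bob"))
```

The author lookup returns the same two lessons either way, but the scan reads all five items and the GSI query reads two; on a table with millions of items that gap is the whole argument for designing indexes around the access pattern instead of filtering after a scan.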
Solution: You can use Data Pipeline to schedule a pipeline that daily migrates data to a DynamoDB table in another region.
Solution: DynamoDB streams; Streams are essentially an exact order of modifications to a table put inside a log stream (powered by Kinesis).
• DO NOT register for the exam until you have completed the course and met these study best practices. Scheduling the exam first and then studying is a sure way to not be prepared and to rush learning.
• Download the “Exam Study Guide” from the “Required Reading” part of the course syllabus. Be sure to follow the study guide as well.
• Use the practice exam system to help get a feel for how much time to spend on each question in the exam.
• Do NOT study the incorrect/correct answers on the results page first. First see what questions you got wrong and research “why”. This helps with understanding the concepts and becoming a qualified CSA professional, rather than just memorizing answers.
• Watching the videos and taking the labs should only be 40% of your studying. You must continue to review the slides and take the self-paced labs in order to ensure you understand and are qualified for the exam.
• At least read the “required” white papers in the study guide and it is suggested that you also read the “suggested” white papers in the study guide.
• You should spend at least two weeks studying, going back and reviewing videos, asking questions, and reading the slides.
• If you spend time studying and reviewing the course for 1 to 2 weeks after completing the course on linuxacademy.com, your odds of success go up to 90%+.
• Rushing to pass is the best way to fail the exam.
• Before you take the exam, take three days off of studying then go back and try the practice exam for your third and last time. If you pass then schedule the exam.