
12/15/15

Linux Academy

Amazon Web Services


Certified Solutions Architect – Professional Level

Linux Academy AWS CSA - PRO


About this course
§ I'm Anthony, your CSA Professional Certified Instructor
§ Only students who have received the AWS Certified Solutions Architect – Associate level are encouraged to take this course. Prior knowledge from the CSA Associate level course on LinuxAcademy.com is assumed.
§ This course will include all knowledge required in order to prepare for the AWS CSA – Pro certification.

About this course
§ This course will start off by focusing on "assumed" AWS and prior "general" IT knowledge for review. These concepts are extremely important in order to be able to understand and pass the AWS CSA Pro.
§ The course will then move to cover individual services and how cost, design principles, performance, and security apply to each.
§ Finally, this course will focus on scenario based training and comprehensive application deployments.
§ Due to the complexity and skill set required for the certification, please do not skip any of the training material.


About this course
§ Labs will be provided when possible. At this point, if you are preparing for the AWS CSA PRO, it is assumed you have substantial prior IT experience, the ability to run Linux on a local machine, and an AWS account. While labs are used when available to reiterate important concepts, they are not a replacement for practice on this level of training.
§ DO NOT register for the CSA Pro exam until the course is completed and you've completed the best practices for studying listed at the bottom of this course.

AWS Knowledge

Security features that AWS provides and best practices

Network Security Features
§ Secure network access
  § AWS endpoints are secured with HTTPS/TLS for secure communication
§ Built-in firewalls
  § Egress and ingress filtering of network traffic through VPC network ACLs
  § Instances utilize security groups as built-in firewalls
§ Private subnets
  § Private subnets for isolated private resources
  § Ability to add an IPSec VPN tunnel between on-premise and cloud VPC
§ End-to-end encrypted transmission
  § Ability to add SSL/TLS endpoints on self-managed resources such as ELB
§ Dedicated connection option
  § AWS Direct Connect provides a dedicated connection from on-premise to AWS. Both public and private IP access can be configured with AWS Direct Connect
§ Advanced cipher suites
  § Available with services like ELB or CloudFront, which also utilize Perfect Forward Secrecy to ensure data is not compromised even if the long term keys are

Access Control
§ API request authentication
  § Every API request is digitally signed using a cryptographic hash function and the API user's secret access key
§ SSH access to instances
  § Access to Linux instances has password authentication disabled by default and requires the use of an RSA key pair for accessing the instance
§ Unique users
  § IAM allows each AWS user to have a unique setup, API keys, and password policy. This ensures that users do not need to share passwords to access AWS resources and makes it easy to maintain a log trail of who performs certain API calls
§ Multi-factor authentication (MFA)
  § Available for root and IAM users when used with CloudTrail, CloudWatch, and SNS

Access Control
§ Fine-grained permissions for S3 buckets and objects
  § ACLs to grant S3 bucket and object access to specific groups of users within other AWS accounts.
  § IAM is used to grant permissions for bucket or object access to users within the same AWS account
§ Restricted viewer access to private CloudFront content
  § Geo-restriction allows CloudFront to restrict access to requests originating from certain IP addresses
  § Signed URLs create a temporary unique URL that expires at a specific time
§ Temporary IAM security credentials
  § Grant temporary access to users and/or services that do not have normal AWS access. Credentials last from 1 to 12 hours and cannot be reused after expiration


Monitoring and Logging
§ Asset identification and configuration
  § AWS Config monitors AWS resource configuration and changes
  § Integrates with SNS to send notifications of resource changes
  § Does not support every AWS resource
§ Security logs
  § Utilize the CloudTrail service to monitor ALL API requests and the user/API keys that made the request
§ Resource and application monitoring
  § CloudWatch integration with SNS allows for the monitoring of application logs on EC2 instances and the health of AWS resources
§ Fine-grained access logging for S3 buckets
  § When configured, access logs for each object and access request will be provided
  § Logs include request type, requested resource, requester's IP, and time/date of the request
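As an added example (not part of the Linux Academy slides), the following Python reviews constructed CloudTrail records for two conditions these slides call out: root account API use and sensitive calls made without MFA, reporting the user, access key and source IP behind each call. The account id, ARNs, key ids and IPs in the sample are made-up placeholders, and the list of sensitive calls is this example's own choice.

```python
"""Review CloudTrail records for root account use and for sensitive API calls
made without MFA, and count calls per access key.
Added example, not Linux Academy material; the records below are constructed
sample data using the field names of real CloudTrail JSON records."""
import json
from collections import Counter

# Constructed sample CloudTrail log file (account id, ARNs, key ids and IPs
# are placeholders, not real values).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-12-15T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root",
                      "accessKeyId": "AKIAEXAMPLEROOT0001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2015-12-15T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEALICE001"}},
    {"eventTime": "2015-12-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "ASIAEXAMPLEBOBTEMP1",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

# Calls worth flagging when made without MFA: a sample set chosen for this
# example from the permission and logging changes the deck discusses.
SENSITIVE_CALLS = {"CreateUser", "PutBucketAcl", "AuthorizeSecurityGroupIngress",
                   "StopLogging", "DeleteTrail", "CreateAccessKey"}


def mfa_used(record):
    """True only when the record explicitly says MFA was authenticated.
    Calls signed with a long-term access key carry no sessionContext at all,
    which means no MFA was involved in that call."""
    attrs = record["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def review_trail(trail_json):
    """Return (findings, calls_per_key) for one CloudTrail log file.

    findings is a list of dicts, one per flagged condition: any use of the
    root account, and any sensitive API call made without MFA."""
    records = json.loads(trail_json)["Records"]
    findings = []
    calls_per_key = Counter()
    for rec in records:
        ident = rec["userIdentity"]
        who = ident.get("userName") or ident.get("type")
        key = ident.get("accessKeyId", "<none>")
        calls_per_key[key] += 1
        base = {"time": rec["eventTime"], "who": who, "key": key,
                "call": rec["eventName"], "ip": rec["sourceIPAddress"]}
        if ident.get("type") == "Root":
            findings.append(dict(base, finding="root account used for API call"))
        if rec["eventName"] in SENSITIVE_CALLS and not mfa_used(rec):
            findings.append(dict(base, finding="sensitive call without MFA"))
    return findings, calls_per_key


if __name__ == "__main__":
    found, per_key = review_trail(SAMPLE_TRAIL)
    for f in found:
        print(f"{f['time']} {f['who']:<6} {f['call']:<30} from {f['ip']}: {f['finding']}")
    print("calls per access key:", dict(per_key))
```

Pointing `review_trail` at a real trail file means reading the gzipped JSON CloudTrail delivers to S3 and passing its text in.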

Monitoring and Logging
§ Automated identification of security gaps
  § Trusted Advisor is only for higher level accounts and is not available to all accounts
  § Trusted Advisor provides security insights such as:
    § Testing of opened reports
    § Unrestricted access
    § S3 bucket permissions
    § MFA on root account
    § IAM password policy
    § RDS security group access risk
    § CloudTrail logging
    § Route 53 MX and SPF resource record sets
    § ELB listener security
    § ELB security groups

Backup and Replication
§ EBS data backups
  § EBS backups are stored automatically in multiple physical locations to create redundancy. EBS (snapshot) data backups will be encrypted if the EBS volume is encrypted
§ Automatic snapshots of Redshift data
  § Redshift snapshots are backed/stored by Amazon S3
§ RDS database instance replication
  § Multi-AZ failover, when enabled, provides synchronous replication to a standby in another AZ
§ Object versioning in S3
§ Automated and continuous archiving to Glacier
§ Protection from accidental deletion of S3 objects
  § Enable the S3 versioning MFA delete feature
  § Each version to be deleted must be verified with MFA
§ Seamless, secure backups for on-premise data
  § AWS Storage Gateway


Data Encryption
§ Encrypted data storage
  § The following services allow data to be encrypted: EBS, S3, Glacier, Redshift, SQL Server, and MySQL server
§ Centralized key management
  § AWS Key Management Service provides a management feature for administrating keys for AWS services that utilize encryption at rest
§ Dedicated, hardware-based crypto key storage
  § CloudHSM: higher security on dedicated key storage hardware.

Best Practices (high level)
§ Keep the number of ports open on a security group limited and limit who can access them when available (for example, limit access to SSH port 22)
§ Ensure that users are using IAM
§ Utilize "least privilege" permission design and grant the least amount of privileges required
§ Enforce a password policy for IAM users
§ Ensure RDS security groups are locked down and any data not being sent within the same region is utilizing HTTPS endpoints
§ Enable CloudTrail logging in order to log all API calls and the accounts that make them
§ Ensure proper ELB security permissions and take advantage of HTTPS/TLS when encryption is required
§ As we progress on each service we'll have a different look at applying security

Best Practices (high level)
§ Use IAM roles on EC2 instances
§ Use policy conditions for extra security
§ Rotate API keys no less than once a year
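An added example, not from the slides: a Python audit of two of the best practices above (SSH port 22 open to the whole internet, and API keys not rotated within a year), run over constructed data in the shape of the EC2 describe_security_groups and IAM list_access_keys responses. The group ids, key ids, user names and CIDRs are placeholders.

```python
"""Audit two of the best practices on these slides using data in the shape
the EC2 and IAM APIs return: security groups that expose SSH (port 22) to
the whole internet, and active access keys older than one year.
Added example, not Linux Academy material; the inputs are constructed."""
from datetime import datetime, timedelta, timezone
import ipaddress

SSH_PORT = 22

# Constructed sample in the describe_security_groups response shape.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},      # SSH open to the world
    {"GroupId": "sg-0000bbbb", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},  # SSH limited to one range
    {"GroupId": "sg-0000cccc", "GroupName": "legacy-all",
     "IpPermissions": [
         {"IpProtocol": "-1",                              # every protocol and port
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# Constructed sample in the list_access_keys AccessKeyMetadata shape.
NOW = datetime(2015, 12, 15, tzinfo=timezone.utc)
SAMPLE_ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEALICE001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEBOB00001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=90)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLECAROL001", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=800)},
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to the given port.
    IpProtocol "-1" means all protocols and ports, and such entries carry
    no FromPort/ToPort keys at all, so check it before touching those."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def group_exposes_ssh(group):
    """True if any rule lets every IPv4 source reach port 22. Comparing parsed
    networks rather than the literal string "0.0.0.0/0" also catches a /0
    written with a non-zero host part, which the API would normalize away."""
    everyone = ipaddress.ip_network("0.0.0.0/0")
    for perm in group.get("IpPermissions", []):
        if rule_covers_port(perm, SSH_PORT) and any(
                ipaddress.ip_network(r["CidrIp"], strict=False) == everyone
                for r in perm.get("IpRanges", [])):
            return True
    return False


def world_open_ssh(groups):
    """Return the GroupIds that expose SSH to the internet."""
    return [g["GroupId"] for g in groups if group_exposes_ssh(g)]


def stale_access_keys(keys, now, max_age_days=365):
    """Return the active AccessKeyIds older than max_age_days (the slides'
    rotation floor of once a year). Inactive keys are not reported."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


if __name__ == "__main__":
    print("SSH open to 0.0.0.0/0:", world_open_ssh(SAMPLE_SECURITY_GROUPS))
    print("active keys older than a year:", stale_access_keys(SAMPLE_ACCESS_KEYS, NOW))
```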


Design and implement for elasticity and scalability

Review from AWS CSA Associate
§ Scalability allows the application to expand and scale to an increase in demand with minimal effort
§ Elasticity is the ability of an application to expand and contract based off of utilization requirements and needs
§ Time/proactive based scaling
§ Load/performance based scaling

Review from AWS CSA Associate
§ Scalable applications include the following characteristics:
  § Increasing AWS resources will result in a proportional increase in performance
  § A scalable service is capable of handling and working with many different vendor applications in the environment (heterogeneity)
  § Is operationally efficient
  § Is resilient
  § Should become more cost effective as it grows


Amazon S3 (Simple Storage Service)
S3 is scalable and elastic by design. Principles of elasticity and scalability include:

• Supports a virtually unlimited number of files in any bucket
• Can store a virtually unlimited number of bytes without partitioning or file system management
• S3 automatically manages the scaling and distribution of redundant copies of objects stored in S3
• S3 asynchronously replicates the information to all availability zones within a region
• S3 bandwidth can scale to virtually any given load, which makes it perfect for integration with CloudFront, use as a static web hosting solution, and serving static objects.

Amazon Glacier
Amazon Glacier, which is used for long term storage archive purposes, also has the following scalability and elasticity principles:

• Each archive can have up to 4TB of data stored
• An unlimited amount of data can be stored when used with multiple archives
• Amazon Glacier automatically scales based off of demand without the need to provision more disk space

Amazon Elastic Block Store (EBS)
Amazon EBS is a block storage device that can be attached to single instances. EBS volumes are network-attached storage that persists independently of an EC2 instance. The following are scalability and elasticity principles of EBS volumes:

• Quickly provision additional capacity by adding new EBS volumes
• Resize an existing volume by creating a snapshot and launching a new volume from the snapshot
• Nice to know:
  • EBS volumes are redundantly replicated on different hardware within the same availability zone as the EBS volume


AWS Import/Export
Import/Export is a service that takes physical storage devices sent to AWS and imports them onto EBS volumes, Glacier storage, or Amazon S3. The service is used to help data migrations from on-premise storage to the cloud. Elasticity and scalability principles of Import/Export include:

• Upload unlimited amounts of data (the only limitation is the physical hardware sent to AWS)
• S3 file sizes can be up to 5 terabytes in size
• Glacier archives are limited to 4 terabytes in size

AWS Storage Gateway
AWS Storage Gateway connects on-premise hardware to AWS cloud based storage such as Amazon S3. It is used in disaster recovery as well as for increasing the amount of available storage accessible on-premise. Elasticity and scalability principles of Storage Gateway include:

• Gateway-cached/gateway-stored volume configurations allow for virtually unlimited files stored in Amazon S3

Amazon CloudFront
CloudFront is a Content Delivery Network (CDN) used for distributing cached static files from edge locations around the world. Elasticity and scalability principles of CloudFront include:

• Easily grow the number of items in a CloudFront distribution that are being served by using Amazon S3 as an origin
• AWS edge locations are designed to handle increased connections automatically based off of demand
• CloudFront uses multiple layers of caching on edge locations to reduce the load on origin servers such as EC2 instances. This will allow for accepting a growing number of incoming connections without having to scale backend servers.


Amazon SQS (Simple Queue Service)
SQS is a hosted message queue service. Messages are produced within an application and used to "glue" together components of an infrastructure to create decoupled and fault tolerant components. Elasticity and scalability principles of SQS include:

• Accepts a virtually unlimited number of servers (EC2 instances or even on-premise servers) writing/reading from a queue at any given time
• Allows for parallel processing of messages due to the ability to accept read/write requests from an unlimited number of VMs

Amazon RDS (Relational Database Service)
RDS is a hosted relational database service which provides access to the database server but not the underlying hosted operating system. Elasticity and scalability principles of RDS include:

• Scale I/O performance by increasing the number of IOPS to the database storage
• Scale by specifying the instance size, which will change without downtime if Multi-AZ is enabled
• Utilize read replicas by offloading read-only requests from the primary database to an asynchronously replicated read replica
• Advanced configurations include partitioning or sharding to distribute the workload over multiple database instances

Amazon ElastiCache
ElastiCache is a hosted Memcached or Redis caching engine that allows for an in-memory cache of databases in the cloud. Elasticity and scalability principles of ElastiCache include:

• Ability to add or delete nodes from a caching cluster on demand
• The more available nodes, the more cache that can be stored


Amazon Redshift
Redshift is a fully managed petabyte-scale data warehouse that integrates with existing business intelligence tools. Elasticity and scalability principles of Redshift include:

• Easily scale the number of nodes within the Redshift service
• Additional nodes can be added to the cluster as read only while the existing cluster is working

Network Technologies

DNS
Domain Name System (DNS) serves as a directory of network hosts and resources. DNS resources can be public or private. Private resources rely only on local internal DNS servers and resolve on the local network only. Public DNS works with the directory of network hosts to provide domains such as linuxacademy.com.

Authoritative name servers are name servers that are responsible for assigning domain names to a specific IP address. Slave/caching name servers only exist to replicate information from authoritative servers and rely on the domain record TTL to determine how often to update the cached name record.

A domain is made up of a hierarchy whose levels are delineated by the "." character. A domain represents a collection of resources that make up a subtree of the DNS name space, e.g. linuxacademy.com.

The .com is considered the "top level", linuxacademy.com is considered the root of the domain, and aws.linuxacademy.com is considered a "sub domain" of linuxacademy.com.


DNS
Authoritative name servers contain DNS records which map the domain name to the IP address. Every domain name, internal or public, is mapped to an IP address. A "zone" is a record which the name server is responsible for.

Within a zone, resource records exist as basic information for the domain name system.

Common types of resource records:

A – Address record which is used to map hostnames (domain names) to IPv4 addresses
CNAME – Alias of one name to another (one hostname to another hostname)
AAAA – Address record which is used to map hostnames (domain names) to IPv6 addresses
NS – Name server record delegates a DNS zone to use the given authoritative name servers
MX – Mail exchange record which maps a domain name to an MTA (message/mail transfer agent)

DNS
Traditional DNS servers include the BIND DNS server and unbound. However, AWS provides a hosted DNS solution and options to integrate with external DNS servers as part of the VPC. The hosted solution is called Route 53 and is used as an authoritative name server for both public and internal DNS.

Examples of Route 53 usage as an authoritative DNS service:

• Host public domain names for external web applications
• Configure for failover, geo-based routing, weighted based routing, and latency based routing to resources
• Configure resource records for internal DNS hostnames

TTL (Time To Live) can be configured for each resource record within a zone. The TTL specifies how long that specific record should be cached by DNS resolvers.

DNS
Authoritative name servers provide information recording the mapping of hostnames/domain names to IP addresses. However, your instances need to have access to local DNS servers in order to look up the resource records. In other words, a configuration or service within your environment needs to know how to look up what IP address a hostname should map to. You could also manually configure external DNS servers on each instance. However, configuring this for a VPC is much easier and more scalable. An individual instance can be configured in /etc/resolv.conf, or DNS settings can be configured specifically on the VPC. As part of AWS you can specify a new DNS server rather than using the AWS built-in DNS for lookups. An EC2 instance automatically inherits its /etc/resolv.conf settings from the VPC configuration. If you want to use Route 53 as an internal DNS provider you must maintain usage of the AWSDNS record in the VPC.

By specifying an on-premise DNS server that is connected over VPN to your VPC you can extend your internal DNS configuration into the cloud and add resource records for your internal EC2 instances. DNS servers that instances utilize inside of a VPC can be specified within the "DHCP options set" within VPC. The option set must then be associated to the VPC. Only one option set can be associated to a VPC at a time.


DNS
§ example

Load Balancing
Load balancing is the process of distributing workloads across computing resources such as EC2 instances, VMs, or physical servers. Load balancing can be used in multi-tier application environments to serve internal data to multiple computing resources.

Within AWS the EC2 Elastic Load Balancer is used to distribute workloads across EC2 instances. It uses "round robin" load balancing.

Stickiness, when applied to a load balancer, determines if an existing session (cookie based or ELB based) is to go back to the specific instance it was on. Stateless webservers where sessions are managed by databases (DynamoDB is a good example) do not require this. Stickiness also has performance issues when scaling.

Load Balancing
To reduce CPU usage and additional configuration, SSL/TLS certificates should always be configured on the Elastic Load Balancer. This way any instance associated with the ELB can utilize the SSL/TLS certificate over port 443.


Virtual Private Cloud
The VPC is used to create an isolated set of resources within the AWS cloud. VPC features allow for extending your private on-premise network to the cloud as well as having public resources available on the cloud. Resources utilize subnets which can either be private or public (internet gateway attached or not attached). Private subnets provide an additional layer of isolation and security.

To extend an on-premise network to the cloud, a VPG/VPN needs to be configured to an on-premise router such as a Cisco. You also have the option of using AWS Direct Connect for a more secure and efficient connection.

Virtual Private Cloud
VPCs within the same region can also be "peered" to each other to extend another account's resources to your VPC. Service providers might extend a specific subnet to another customer's account VPC within the same region. A service provider might require resources from another AWS account to access instances from within their VPC. Peering the VPC creates a "private" extension of one VPC to another.

Scenarios for peering:

• One VPC peered with two VPCs
• One VPC peered with multiple VPCs
• Two VPCs peered to two subnets in one VPC
• One VPC peered to specific subnets in two VPCs
• One VPC peered with two VPCs using longest prefix match

AWS Direct Connect
Direct Connect creates a dedicated link from on-premise private networks to an AWS region. In order to use Direct Connect you must have on-premise servers located at a Direct Connect provider. Direct Connect uses a dedicated line to the AWS regions. 1 gigabit or 10 gigabit networking is required. Once established, Direct Connect will work with VPN/VPG inside of the VPC in order to create the secure communication.

Direct Connect has the following benefits:

• Increase bandwidth throughput to AWS
• More consistent network experience
• Uses industry standard 802.1q VLANs
• Use the same connection to access public resources and objects stored in Amazon S3 using the public IP address space.


Storage And Archival Options

Storage And Archival Options
Amazon S3
• RRS (99.99% durability)
• Standard storage (eleven nines durability)
• Versioning
• Lifecycle policies
• Maximum 5TB files
Amazon Glacier
• 4TB archive limit but allows unlimited archives
• Works with S3 lifecycle policies
Amazon Storage Gateway
• Gateway-cached
• Gateway-stored
Amazon EBS
• Single network attached volumes attached to one instance at a time
• Has redundancy built-in only for the same AWS availability zone
• To migrate an EBS volume to another region you must first create a snapshot, then copy the snapshot and create a volume from the copied snapshot
• You can encrypt a snapshot during the copy process even if the underlying volume is not encrypted

State Management

State Management
Maintaining the "state" of an application can be very important. For example, when a user arrives at your website and a session is created on an instance, is that session associated with the instance?
• Stickiness
• Database sessions
• DynamoDB (popular solution for managing sessions for applications to maintain session state)

State Management
Maintaining the "state" and monitoring changes in your environment is also important.

AWS Config
AWS CloudTrail

Database And Replication Methodologies

Replication
Replication considerations
• Distance between locations
• Available bandwidth
• Data rate required by the application
• Replication technology

Types of replication:

• Synchronous replication - automatically updated in multiple locations, which means good network consistency is important.
• Asynchronous replication - data is transferred as network performance and availability allow. If throughput is down then replication will wait.

Database And Replication Methodologies
• Replication can be used to scale workloads with high I/O requests by offloading the reads to a read replica.
• If the "source" or "primary" DB becomes unavailable, the read replica can act as a backup to serve traffic while the source DB is being repaired. Only read data is available during this time.
• Read replicas utilize built-in MySQL asynchronous replication technology.
• Multi-AZ failover utilizes synchronous replication.
• MySQL instances can launch read replicas in other regions to help assist with disaster recovery and to make read requests closer to end users located close to another region.
• Always use SSL/TLS certificates on RDS when using cross region replication. The reason for this is that most of the data goes over the open internet.

Replication as a disaster recovery or data migration mechanism
Replication with MySQL can be used to export data to an on-premise network
• Configure the RDS MySQL instance
• Configure the MySQL DB instance on RDS to be the replication source
• Use mysqldump and transfer the database from RDS to the on-premise MySQL
• Start replication to the instance running external to RDS (it is set as the slave)
• After the export is completed, stop replication


Replication as a disaster recovery or data migration mechanism
Replication for MySQL can also be configured from on-premise to RDS
• Set the source MySQL instance to read-only
• Determine the binlog location
• Use mysqldump to copy the existing database to RDS
• Make the source writeable again
• Configure the security group to allow your external IP address to communicate with the instance
• Create the MySQL replication user and grant permissions
• Configure the RDS instance to be a replica by using the mysql.rds_set_external_master command at the command line of the RDS instance
• Issue the mysql.rds_start_replication command on the replica RDS instance
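An added example, not from the slides: Python that turns the last steps of this procedure into the exact statements to issue, starting from the source server's SHOW MASTER STATUS output captured in the "determine the binlog location" step. It assumes the seven-argument form of mysql.rds_set_external_master whose final argument is the SSL flag; the host, user and password are placeholders, the status output is constructed, and nothing connects to a database.

```python
"""Build the statements for the on-premise-to-RDS replication steps from
the source server's SHOW MASTER STATUS output.
Added example, not Linux Academy material. Hostname, replication user and
password are placeholders; the captured status text is constructed; the
code produces statements and does not connect to MySQL."""
import re

# Constructed output of `SHOW MASTER STATUS\G` on the on-premise source,
# captured while it was set read-only so the position stays valid.
SAMPLE_MASTER_STATUS = """\
*************************** 1. row ***************************
             File: mysql-bin.000042
         Position: 154
     Binlog_Do_DB:
 Binlog_Ignore_DB:
"""


def parse_master_status(text):
    """Extract (binlog file, position) from SHOW MASTER STATUS\\G output.
    Raises ValueError when either value is missing, so an empty or stale
    capture cannot silently start the replica at the wrong position."""
    file_match = re.search(r"^\s*File:\s*(\S+)\s*$", text, re.MULTILINE)
    pos_match = re.search(r"^\s*Position:\s*(\d+)\s*$", text, re.MULTILINE)
    if not file_match or not pos_match:
        raise ValueError("SHOW MASTER STATUS output lacks File/Position")
    return file_match.group(1), int(pos_match.group(1))


def sql_quote(value):
    """Quote a value as a MySQL string literal, escaping backslashes and quotes."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def replication_statements(source_host, source_port, repl_user, repl_password,
                           master_status_text, use_ssl=True):
    """Return the statements for the slide's last three steps, keyed by where
    they run.

    on_source: create the replication user and grant it only REPLICATION SLAVE,
               the one privilege a replica needs on the source.
    on_rds:    point the RDS instance at the source with
               mysql.rds_set_external_master, then start replicating.
    use_ssl maps to the procedure's trailing ssl_encryption argument (1/0),
    which the deck's advice to encrypt replication over the internet calls for."""
    if not repl_password:
        raise ValueError("replication user needs a non-empty password")
    binlog_file, binlog_pos = parse_master_status(master_status_text)
    user_literal = f"{sql_quote(repl_user)}@'%'"
    on_source = [
        f"CREATE USER {user_literal} IDENTIFIED BY {sql_quote(repl_password)};",
        f"GRANT REPLICATION SLAVE ON *.* TO {user_literal};",
    ]
    on_rds = [
        "CALL mysql.rds_set_external_master("
        f"{sql_quote(source_host)}, {int(source_port)}, {sql_quote(repl_user)}, "
        f"{sql_quote(repl_password)}, {sql_quote(binlog_file)}, {binlog_pos}, "
        f"{1 if use_ssl else 0});",
        "CALL mysql.rds_start_replication;",
    ]
    return {"on_source": on_source, "on_rds": on_rds}


if __name__ == "__main__":
    plan = replication_statements("db.example.internal", 3306, "repl_user",
                                  "placeholder-password", SAMPLE_MASTER_STATUS)
    for where, stmts in plan.items():
        print(f"-- run {where}")
        print("\n".join(stmts))
```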

Replication as a disaster recovery or data migration mechanism (summary)

• On-premise to RDS backup (using AWS as a failover)
• RDS MySQL to another region with read replicas
• Multi-AZ failover for synchronous replication
• MySQL replication for importing data to the cloud (also use mysqldump/mysqlimport)

Self-Healing Techniques And Fault-Tolerant Services


Self-Healing

Many different ways to create self-healing application architectures:
• Utilize SQS
• Utilize CloudWatch and assign a "terminate" function to instances that have failed status checks
• Utilize Auto Scaling which will automatically start new instances
• Use cloud-init to bootstrap new instances to easily assign "roles" or job "functions" to instances

SQS Self-Healing

When using SQS to decouple your application architecture, each component is operated on its own. This means each component can operate without relying on the previous component or the one after it.

Fault tolerant services

Fault tolerant services are those that have built-in tolerance to issues that can occur in your environment, for example the loss of an AZ or an unhealthy instance. If parts of your infrastructure break, it is not completely taken down.

Fault tolerance with EC2:

• Utilize multiple availability zones and the ELB to serve traffic to the instances
• Utilize Auto Scaling and CloudWatch alarms to terminate instances that have failed status checks
• Utilize EBS volumes and snapshots for backups and redundancy

Many AWS services have built-in fault tolerance by working across availability zones:
• DynamoDB
• SWF
• SQS
• S3
• Etc.

Note: AWS releases new services almost quarterly. Please make sure to review the FAQ for each service as part of the study prep. As we go through the required services for AWS PRO we will discuss more about design for fault tolerance. However, this should already be familiar from the CSA associate exam.

Disaster Recovery And Fail-Over Strategies

Disaster Recovery and Failover

RTO (Recovery Time Objective) – The acceptable amount of time it takes to restore applications to the business process service level.

RPO (Recovery Point Objective) – The acceptable amount of data that can be lost due to failure, as it is measured in time.

Services that can be used for backup and disaster recovery

Amazon S3
• Lifecycle policies, versioning, MFA, and eleven nines durability make this a perfect backup solution
Amazon Glacier
• Amazon Glacier provides low cost storage for long term archival
Amazon Elastic Block Store
• Durable point-in-time snapshots stored on the S3 standard storage type
• Ability to copy a snapshot to a new region and launch a new volume (good for preparing your disaster recovery methods)
• EBS volumes are replicated across multiple servers in the same availability zone for durability
AWS Import/Export
• Copy large amounts of data to AWS to prepare for a disaster recovery solution
• Send physical storage devices for archival/storage as a backup solution
AWS Storage Gateway
• Gateway-cached volumes
  • Store the data on S3 with versioning enabled as a backup and cache frequently accessed objects on-premise
• Gateway-stored volumes
  • Inexpensive offsite backups by creating point-in-time snapshots of data on the storage gateway to Amazon S3

Amazon EC2
• Copy AMIs to different AWS regions which can be spun up in the event of a disaster
• Use multiple availability zones to design for fault-tolerance and failure
• Route53 to failover to backup environments in another region

EC2 VM Import Connector
• Important tool used to import virtual machine images from an existing on-premise environment to Amazon EC2 instances
• Also used to export EC2 instances to go back to on-premise
• Allows for duplicating environments as a disaster recovery solution either on AWS or on-premise
• Also used for migrating existing applications to AWS
• Supported hypervisors
  • VMware (ESX/Workstation)
  • Microsoft Hyper-V
  • Citrix Xen virtualization (this is actually what AWS is based off of)
• Can also copy entire VM Image Catalogs to EC2 as AMIs

Route 53
• Can be used to failover from on-premise to AWS or from one AWS region to another
• Failover routing and weighted routing (for migrating applications)
• Allocate DNS ahead of time to prepare for potential failover
Elastic Load Balancer
• Pre-allocate the load balancer for the backup environment to receive the CNAME (DNS name); this allows for setting up Route 53 record sets in anticipation of a failover/disaster recovery situation
VPC
• Configure VPN or Direct Connect to extend your on-premise network to the cloud to allow for seamless and secure failover of applications, including internal applications that might be available to the intranet only
Direct Connect
• Consider using for extremely large workloads that rely on reduced latency and increased bandwidth throughput
• VPN to secure Direct Connect data
RDS
• AWS to AWS failover by creating snapshots and copying them to another region
• Create a read replica in another region that can be promoted in the event of a disaster (when promoting you need to enable Multi-AZ as well as backups, and a read replica cannot be promoted unless auto backup is enabled)

DynamoDB
• AWS to AWS disaster recovery with DynamoDB
• Ability to copy data to S3 or replicate it to another region (replication is now built into the DynamoDB service). However, using Data Pipeline, which starts an EMR cluster to copy data, is still a widely used method.
• Easily scale up your backup region within minutes by an API call to increase throughput (the Developer course focuses on throughput).
Amazon Redshift
• Redshift snapshots can be copied to other regions.
CloudFormation
• Build a template of your environment that can be used in multiple regions and only requires inputs such as region specific AMI IDs, IP addresses, or hostnames. Allows for quick deployment, version control of your backup infrastructure, and a backup of your backup!
OpsWorks
• When combined with CloudFormation, the ability to easily deploy new stacks in additional regions is available.

Backup and Disaster Recovery Methods

Pilot Light - A minimal version of an environment that is always running in the AWS cloud. In the event of a failover it takes only a few minutes for a scripted solution to "turn on the furnace" and deploy the disaster recovery solution. Examples include small RDS instances for replication, and data being replicated to EBS volumes attached to smaller size instances. In the event of failover the application will launch larger instances and/or increase the number of instances in the auto scaling group to meet demand. Have pre-configured AMIs with business roles (bootstrap scripts) to easily deploy in the event of a failover. Only "minimal" components used for replication of data are running in the AWS Cloud environment.

Basic Principles:
1. Replicate data from on-premise to EC2
2. Update packages on AWS to ensure all software configurations are in place
3. Maintain proper AMIs with updated configurations
4. Test on a regular basis
5. Use CloudFormation or scripts to automate the recovery process

Warm Standby - A scaled down version of a fully functional duplicate application in the cloud. In the event of failover, auto scale to handle full production load.

In the event of a failover:

1. Scale up with auto scaling to handle the load and use the ELB
2. Increase the size of the EC2 instances if required (have an additional auto scaling policy)
3. Change DNS to cut over from the primary to the backup solution
4. Ensure the database has Multi-AZ enabled and has enough capacity to handle the increase in load. Read replicas or changing instance size will assist in the scaling process.

Multi-Site Solution – An exact operating duplicate of your primary application. In fact, DNS should be able to "load balance" or use weighted based routing to serve traffic from both application environments, one on premise and one in the AWS cloud. In the event of a failover it auto switches to the backup solution. In this situation you generally will only have one "writing" database. In the event of failover ensure that the backup application is writing to the correct database, which in this case would be an RDS instance.

AWS to AWS multi-region failover and disaster recovery – Copy snapshots of EBS/RDS/Redshift to another region, utilize read replicas, and use Route 53 for easy failover to design cross region disaster recovery.

Reminder: see the Replication lesson about replication options.

Application Migration Plans To AWS

• Determine if all software licenses from on-premise are eligible for use on the cloud

• Determine the assets that need to be moved

• Configure replication, instances, and proof of concept on the cloud

• Determine required resources

• Use AWS Import/Export to assist in large data migrations

• To integrate with legacy on-premise applications, create a hybrid cloud by configuring a VPN tunnel to the on-premise location

• Write a web wrapper around the legacy application which exposes a developer API to the new application. Utilize SQS queues to glue the application together (this is a hybrid environment). Consider this only if the application is running externally and not internally only. Use a VPN tunnel if internal only.

Network Connectivity Options

Network Connectivity Options (on-premise to Amazon VPC)

Hardware VPN – Cisco Router, Palo Alto, SonicWall, WatchGuard, and other hardware VPNs are used to connect directly to AWS. The limitation is the internet connection from the data center to the VPC. Requires the customer hardware device to support single-hop BGP and failover on the customer end if it is leveraging dynamic routing. The ISP has to support BGP connections.

• BGP connections with Hardware VPN (dynamic routing vs static)

• IPSec connection from on-premise to the AWS cloud.

• AWS managed VPN endpoints provide automated multi-data center redundancy and failover on the AWS cloud side of the configuration.
• VPG supports multiple user gateway connections to enable redundancy on the on-premise (client side) of the VPN connection.
• BGP peering is used to exchange routing information between AWS and the on-premise network.
• When BGP is configured the hardware device must be capable of terminating both IPSec and BGP connections.

AWS Direct Connect
• 1 Gigabit or 10 Gigabit direct connections to an AWS region
• Industry standard VLANs
• Reduced latency and more reliable connections than the public internet

Software VPN
• Useful if you have to manage both ends of the VPN software for compliance reasons
• Useful if you have a gateway device that is not currently supported by AWS VPN/VPG
• Single point of failure (OpenVPN)

Note: With VPNs you need to be sure to use different CIDR blocks on-premise/AWS as they cannot overlap.
Deployment And Management On AWS

AWS Elastic Beanstalk
• Quickly deploy web based environments using EC2/RDS/Auto Scaling/CloudWatch/ELB and containers

AWS OpsWorks
• Write custom Chef recipes, utilizes self-healing, and works with layers

AWS CloudFormation
• Version control the infrastructure and make deploying environments easy and repeatable

Enterprise Account Management With IAM

Enterprise Account Management

Big Cloud Jumbo Corp is a large scale company that needs to provide access to developers, third party auditors, accounting staff, and system administrators. Big Cloud Jumbo Corp also has several of their own AWS accounts that are used for dev, staging, and prod in order to easily manage budgets.

In this section we are going to describe strategies for managing this account information, budget information, and managing application level budgeting.

Part of Big Cloud Jumbo Corp's services is to provide management of customers' AWS accounts and implementation of cloud services and products based around AWS. They manage hundreds of customers' AWS accounts, set up so that a customer could take their account and leave if required.

Solution:
• Add each customer account as a "consolidated billing" account
• Big Cloud Jumbo Corp will be responsible for all billing
• Bulk/volume discounts will span across all accounts
• AWS combines the usage from ALL accounts to determine which volume pricing tiers to apply, giving a lower overall price whenever possible. This will either provide a source of profit margin or a cost savings for Big Cloud Jumbo Corp customers

Consolidated billing best practice is to never have resources fired up in the "payee account", only in the consolidated billing accounts. The payee account should only be used for accounting and consolidated billing purposes.

Important note: AWS limits work on the account level only, and AWS support is per account only.

Consolidated Billing Method: Using one master account and many sub accounts

Pros:
• Volume benefits on services that allow it
• Ability to view costs based off of tagged resources as well as accounts
• Easier architecture visibility and configuration
• Use roles for IAM account simplicity across multiple AWS linked accounts

Cons:
• Requires strict and sometimes complex tagging across accounts

Consolidated Billing Method: Use one account but multiple VPCs to break out environments

Pros:
• Simple billing and insights into the environment
• Easy governance

Cons:
• Requires more complex setups for resource level permissions
• Requires more complex setups with multiple VPCs

Consolidated Billing and EC2 Reserved Instances

BCJC (Big Cloud Jumbo Corp) has 3 consolidated billing accounts: dev, staging, and production. The dev account has purchased 2 reserved instances with instance type of m4.large in Availability Zone 1a. However, no instances are running in the dev account, but an m4.large is running in the staging account inside of availability zone 1a. Who can receive the pricing?

• Like "volume discounts", reserved instances will work across all accounts that are connected to consolidated billing
• Since billing is at the payee level, consolidated billing does not care which account purchases or uses a reserved instance.
  • This is a consideration if BCJC wants to host customer accounts as part of their consolidated billing

Budgets And CloudWatch Alarms

Budgets

• Budgets are used to track how close your current costs are to exceeding the set "budget" for a given billing period.

• Budgets are updated every 24 hours

• Budgets do not show refunds

• Budgets are not automatically created by AWS

• Budgets can be compared against AWS "estimated" costs to see how much budget is left over

• Budgets can work with SNS/CloudWatch for billing alerts to receive notifications if you have gone over your designated budget or even if you are "close" to going over

• AWS Credits currently "skew" forecasts provided by AWS

IAM Cross Account Users

Scenario: BCJC managers need administrative access to the test, dev, and production accounts

[Diagram: a User/Group in the PROD account calls the STS service (AssumeRole) to assume a Role in the DEV account and a Role in the TEST account]
Scenario: BCJC managers need administrative access to the test, dev, and production accounts to "start/stop" instances, exercising the "least privilege" security design method.

1. Create the role with "stop/start" only permissions in both the dev/test accounts, named "manager"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441397689000",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

2. Create an IAM user account in the "master/production" environment

3. Add permissions for the IAM user to "sts:AssumeRole" on the role ARNs for the Dev/Test accounts

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1441393420000",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id-for-dev:role/manager"
      ]
    }
  ]
}

Note: Duplicate the policy statement to add another ARN (one ARN per policy statement), or use * for "all" ARNs, but this opens security issues and does not use the least privilege security strategy.

Scenario: Developers need access to "view" EC2 resources within the production account, and the developers' IAM accounts are built on the developer AWS account.

Notes:
• The IAM accounts for the developers on the dev account only need a permissions policy to "AssumeRole" on the production role ARN
• Once they assume the role in the production account, the permission policies associated with the role inside of production are what determine the permissions for the developers who assume the role
• This is a great method for granting read only access to an auditor when you have multiple AWS accounts
• The third party cross-account role option will require the "external" account id
• Roles use STS permissions to assume a role, and each role has a temporary unique security access key and secret access key associated with it when assumed
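The three policy documents behind the manager and developer cross-account scenarios above, generated and linted in one place. This is an added example, not code from the course: the account ids and role names are constructed placeholders, and the linter flags the "Resource": "*" shortcut the note warns against; the ExternalId condition is the standard trust-policy condition for a third-party account.

```python
"""Cross-account AssumeRole policy builder and linter (added example)."""
import json
import re

# Constructed placeholder account ids (12-digit format, not real accounts).
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
TEST_ACCOUNT = "333333333333"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def role_permissions_policy(sid, actions):
    """Permissions policy attached to the role in the dev/test account,
    e.g. only ec2:StartInstances / ec2:StopInstances for 'manager'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": ["*"],
        }],
    }


def role_trust_policy(trusted_account_id, external_id=None):
    """Trust policy for the role: only principals in the trusted (master)
    account may call sts:AssumeRole. For a third party, also require the
    ExternalId they were given so the role cannot be assumed on behalf of
    someone else (confused deputy)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_user_policy(role_arns):
    """User/group policy in the master account: one statement per role ARN,
    the least-privilege shape the slide recommends instead of '*'."""
    statements = []
    for i, arn in enumerate(role_arns):
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"not a role ARN: {arn}")
        statements.append({
            "Sid": f"AssumeRole{i}",
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": [arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_assume_role_policy(policy):
    """Return findings for Allow statements that grant sts:AssumeRole on a
    wildcard or malformed resource. An empty list means every assumable
    role is named explicitly."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"{sid}: wildcard resource {resource!r} for sts:AssumeRole")
            elif not ROLE_ARN_RE.match(resource):
                findings.append(f"{sid}: {resource!r} is not an IAM role ARN")
    return findings


if __name__ == "__main__":
    manager_arns = [f"arn:aws:iam::{acct}:role/manager" for acct in (DEV_ACCOUNT, TEST_ACCOUNT)]
    user_policy = assume_role_user_policy(manager_arns)
    print(json.dumps(user_policy, indent=2))
    print("findings:", lint_assume_role_policy(user_policy))
    print(json.dumps(role_trust_policy(PROD_ACCOUNT), indent=2))
```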

Scenario: Auditor needs read only access to all AWS accounts owned by your company

[Diagram: a User/Group in the PROD account calls the STS service (AssumeRole) to assume a read only Role in the DEV account and a read only Role in the TEST account]

Temporary Access Using Roles and STS

Temporary Access Using Roles and STS (Security Token Service)

• The endpoint is https://sts.amazonaws.com.

• STS is enabled by default in all regions (this was changed on 11-11-15)

• Roles are one of the configurations utilized with STS to gain temporary security credentials

• Temporary credentials require the "token" as well as the access key and secret access key in order to make API calls

• EC2 Instance Roles: Any role used, such as an EC2 instance role, will receive a "temporary" security access key and secret access key
• SDKs automatically use the temporary credentials with the role; however, you can view and access the temporary credentials using the following command:
  • curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name

• An AWS service can "assume" a role by requesting temporary security credentials for a role (we have an example in the EC2 section)

• IAM users can temporarily switch to a role to use the permissions of the role

• Mobile applications: You have a mobile application which needs access to DynamoDB tables. Do not embed IAM credentials in the application; instead use roles that allow a web identity federated user to assume a role that allows access to the DynamoDB table by providing temporary credentials. Again, the SDK will use those credentials automatically.

• Single Sign-on (SSO): Identity Federation (next lesson)

Federated Access Using SAML

Federated Access Using SAML

• AWS IAM supports SAML 2.0-based federation

• Pre-built services such as Active Directory need to work with SAML 2.0, or a custom identity broker will need to be created

• Federation allows an identity provider to enable single sign-on so users can log in to the AWS Management Console or use the AWS APIs

• When working with SAML to assume a role, the AssumeRoleWithSAML call is used

Steps to configure SAML

1. On the identity provider, register AWS as a service provider using the SAML metadata located at https://signin.aws.amazon.com/static/saml-metadata.xml
2. With the identity provider, generate the proper metadata XML file which describes the identity provider to AWS
3. Upload the XML document from step 2 into IAM when "creating a SAML Identity provider"
4. Create one or more roles and, as part of the role's trust policy, set the SAML provider as the principal; the permissions policy establishes which users from your identity provider are able to perform what tasks
5. Use "assertions" to map which users/groups will map to which AWS roles
6. Call the AssumeRoleWithSAML API and pass the role's ARN to be assumed and the SAML assertion about the currently authenticated user from the identity provider
7. If successful, the API will return a set of API access keys and a session token

Web-based single sign-on (WebSSO) to the AWS Console from an organization with Active Directory Federation Services using SAML 2.0:

1. The "web-based" login portal is not part of AWS but rather provided by the identity provider (ADFS)
2. The portal verifies credentials on your organization's AD
3. Once verified, the portal generates a SAML authentication response that includes assertions which identify the user and include information about the user, and sends the response to the browser
4. Once the response is received, the client's browser is redirected to the AWS single sign-on endpoint and posts the SAML assertion (https://signin.aws.amazon.com/saml), which is a URL generated in IAM. The endpoint calls the AssumeRoleWithSAML API to request temporary credentials from STS and creates a sign-in URL that uses those temporary credentials
5. AWS sends the role sign-on URL back to the client browser with a "redirect"

• Roles which are configured to work with SAML will have a "saml:group": "groupname"

Scenario: Providing S3 home directories to users in your organization which access the directories by using a SAML based SSO configuration, while not allowing each user to see the other users' folders.

Problem: What if your Identity Provider does not support SAML 2.0?

Solution: Write a custom identity broker application

• Uses the AssumeRole or GetFederationToken API calls to gain temporary access credentials

• The Identity Broker Application has permission to access STS to create temporary credentials

• The identity broker application verifies the on-premise employees within the existing auth system

• Users are able to get a temporary URL or API keys to access AWS

[Diagram: an employee in the corporate data center authenticates to the Custom ID Broker ("Auth user"); the broker checks the Employee Identities store, requests Temp Creds from STS, and the user then reaches the AWS Management Console and AWS services with those credentials]
Web Identity Federation

Web Identity Federation

• Let users sign in to an app using a third party identity provider like Amazon, Facebook, Google or any OpenID 2.0 compatible provider.

• Once a user authenticates, you can allow the authenticated user access to STS to gain temporary role based access to an AWS service such as DynamoDB

• The app should cache the STS credentials until they expire so only one call is made each time the user logs in; by default the credentials are good for one hour, but this can be changed in the request

• AssumeRoleWithWebIdentity is the API call used when using Web Identity federation
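Handling the temporary credentials both the EC2 instance role bullet (the security-credentials metadata document) and the caching bullet above describe. This is an added example, not code from the course: the metadata document below is a constructed sample in the real format with placeholder key, secret and token, and the five minute refresh margin, the utc() helper and the class name are choices made here.

```python
"""Temporary credential parsing and caching for roles (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

METADATA_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample response with the same fields as the real metadata document.
SAMPLE_METADATA_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2015-12-15T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLD",
    "SecretAccessKey": "placeholder-secret-access-key",
    "Token": "placeholder-session-token",
    "Expiration": "2015-12-15T16:00:00Z",
})


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime (used for the fake clock below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_credentials(doc_text):
    """Turn the metadata JSON into the three values every temporary-credential
    API call needs (key, secret, token) plus the expiry as a UTC datetime.
    Fails loudly on a non-Success or incomplete document rather than handing
    back a credential that will be rejected by the API."""
    doc = json.loads(doc_text)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"credential document not usable: {doc.get('Code')}")
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token") if not doc.get(k)]
    if missing:
        raise RuntimeError(f"credential document missing {missing}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "token": doc["Token"],
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def metadata_fetcher(role_name):
    """Fetcher that reads a role's credentials from the instance metadata
    service; only reachable from inside an EC2 instance that has the role."""
    def fetch():
        with urllib.request.urlopen(METADATA_BASE + role_name, timeout=2) as resp:
            return resp.read().decode("utf-8")
    return fetch


class TemporaryCredentialCache:
    """Hands out one credential set and only calls the fetcher again when the
    set is within refresh_margin of expiry, so repeated SDK/API use does not
    become repeated STS or metadata calls."""

    def __init__(self, fetch, refresh_margin=timedelta(minutes=5), clock=None):
        self._fetch = fetch                      # returns the metadata JSON text
        self._margin = refresh_margin
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.fetch_count = 0                     # how often we went to the source

    def get(self):
        expiring = (self._creds is not None
                    and self._clock() >= self._creds["expiration"] - self._margin)
        if self._creds is None or expiring:
            self._creds = parse_credentials(self._fetch())
            self.fetch_count += 1
        return self._creds


if __name__ == "__main__":
    # Offline demonstration against the constructed document with a fixed clock.
    cache = TemporaryCredentialCache(lambda: SAMPLE_METADATA_DOC,
                                     clock=lambda: utc(2015, 12, 15, 10, 30))
    creds = cache.get()
    print("valid until", creds["expiration"].isoformat(), "fetches:", cache.fetch_count)
```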

Monitoring And Security With CloudTrail

What is CloudTrail?

Every action that occurs on AWS is the result of a single API call

Working in an agile environment means many people could have access to your environment, each making requests using the CLI, SDKs, or the console

IT audits and certain compliance certifications require that you log and report every event that occurs in your environment
• Time of the event
• Who made the event call
• The source of the call
• Etc.

Linux Academy AWS CSA - PRO

CloudTrail Use Cases

Security Analysis
• Activity pattern matching (similar to monitoring network traffic)

Track and Monitor Changes to AWS Resources
• Know who made changes to AWS resources, what they changed, how, and where from

Compliance Aid
• Compliance requirements for the source and logs of changes to environments
• PCI/HIPAA compliance, etc.

Troubleshoot Operational Issues
• Identify resources that were changed around the time an issue occurred
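The use cases above run over CloudTrail records, as an added example that is not part of the course material: the three records are constructed in the CloudTrail JSON layout (made-up users, IPs and instance IDs), the trusted network 203.0.113.0/24 is a placeholder, and the read-only prefix list is an assumption about which calls count as changes.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample trail in the CloudTrail JSON record layout (not real log data);
# the field names follow the CloudTrail schema, the values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-12-15T09:58:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2015-12-15T10:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/1.9.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123abcd"}]}}},
    {"eventTime": "2015-12-15T10:05:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-java/1.10.40",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "svc-deploy"}},
]})

# API calls that only read state (assumed list); any other call is treated as a change.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(record):
    """The audit questions: when, who, what, where from, and how (console/CLI/SDK)."""
    ident = record.get("userIdentity", {})
    agent = record.get("userAgent", "")
    via = "console" if "console" in agent else "cli" if agent.startswith("aws-cli") else "sdk"
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "time": record["eventTime"],
        "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "action": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "source_ip": record.get("sourceIPAddress", ""),
        "via": via,
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "region": record.get("awsRegion"),
    }


def is_change(record):
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def changes_before(records, issue_time, window_minutes=30):
    """Troubleshooting: mutating calls in the window before an issue was noticed."""
    end = parse_time(issue_time)
    start = end - timedelta(minutes=window_minutes)
    hits = [summarize(r) for r in records
            if is_change(r) and start <= parse_time(r["eventTime"]) <= end]
    return sorted(hits, key=lambda h: h["time"])


def policy_violations(records, trusted_networks, mfa_required=("iam", "ec2")):
    """Security analysis: changes from outside trusted networks, or without MFA on
    services where the organisation requires it."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for r in records:
        if not is_change(r):
            continue
        s = summarize(r)
        try:
            outside = not any(ipaddress.ip_address(s["source_ip"]) in n for n in nets)
        except ValueError:        # e.g. "AWS Internal" when an AWS service made the call
            outside = False
        if outside:
            findings.append((s["who"], s["action"], "untrusted source " + s["source_ip"]))
        if s["action"].split(":")[0] in mfa_required and not s["mfa"]:
            findings.append((s["who"], s["action"], "no MFA"))
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for hit in changes_before(recs, "2015-12-15T10:10:00Z"):
        print("changed:", hit)
    for finding in policy_violations(recs, ["203.0.113.0/24"]):
        print("finding:", finding)
```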

CloudTrail Concepts

Once configured, CloudTrail logs all API events and delivers the logs to an S3 bucket.

Trails are configured on a per-region basis, and a trail can be configured to include events from global services.

CloudTrail log files from different regions can be sent to the same S3 bucket.

CloudTrail can integrate with SNS, CloudWatch, and CloudWatch Logs to send notifications when specific API events occur.


Logging Best Practices

Limit and control access to CloudTrail and CloudTrail logs.

Configure logs to notify in the event of misconfiguration.

Integrate with lifecycle policies to store logs for industry-standard time frames.
• HIPAA and PCI compliance are examples of requirements for 6 years of log storage.

AWS KMS (Key Management Service)

AWS KMS

Key Management Service is a region-specific hosted service that makes it easy to create and control the encryption keys used to encrypt data on AWS.

KMS uses Hardware Security Modules (HSMs) to protect the security and integrity of keys.

KMS not only integrates with other AWS services to automatically manage keys for protection, but also allows you to generate and store your own keys within KMS.

To meet compliance and security monitoring requirements, KMS integrates with key-based permission policies, IAM policies and CloudTrail.


AWS KMS – Encryption Concepts

Key encryption is a class of encryption based on specific algorithms that create two different keys, both of which are needed for a single encryption/decryption process; this is also known as asymmetric encryption, which is what is supported by KMS.

Plaintext - Refers to the data that is not encrypted, for example a password.

Ciphertext - Refers to the encrypted plaintext.

AWS KMS – KMS Concepts

KMS is used on a per-region basis and is managed out of the IAM console.

AWS KMS

Customer Master Key (CMK) – A logical key that represents the top of a customer's key hierarchy. It is also assigned an alias (which can be used in place of the key ID) and an ARN (which includes the unique key ID).

• If another key is not specified, then by default the CMK is used to encrypt the resources.
• CMK settings cannot be modified.
• IAM permissions can be granted to IAM users to "administrate" a key.
• Key policies can be created which state the users that can use the key.
• The ciphertext includes information about which key was used to encrypt the data.
• Additional AWS accounts can be granted access to use a key.


AWS KMS – Use your own keys but store them on KMS

You can use a CMK to encrypt a key of your own creation. That key can be stored on AWS and doesn't have to be stored in a local environment. The key will be secure and can be accessed programmatically using the API: decrypt the additional key for usage.

Benefits:

• Secure storage
• Central location and easy audit trail
• Easy key rotation

AWS KMS – Key rotation

If key rotation is enabled for a specific CMK:
• KMS will create a new version of the backing key for each rotation.
• The backing key is used to perform cryptographic operations.
• KMS will automatically use the latest version of the backing key to perform data encryption.
• To decrypt data, KMS will determine which key (the old or the new) the data was encrypted with and automatically decrypt it with that correct CMK.
• To start fresh, change the CMK that your data encryption tool points to.
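The CMK hierarchy (ciphertext carrying the key ID), the "wrap your own key" pattern and the rotation rules above, as an added simulation written for this page and not AWS code: the cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen only because it needs no third-party library, and is not what KMS uses (KMS uses AES-256 inside HSMs); key IDs, the account number and region in the ARN are constructed.

```python
import hashlib
import hmac
import os
import struct

# Toy stand-in for KMS written for this page, not AWS code. Only the key hierarchy,
# the ciphertext metadata and the rotation mechanics are the point; the cipher is
# deliberately simple and must not be reused for real data.

HEADER_LEN = 16 + 4 + 12          # key ID, backing key version, nonce
TAG_LEN = 16


def _keystream(backing_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(backing_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class SimulatedCMK:
    """One customer master key: a stable key ID/alias/ARN over a list of backing key versions."""

    def __init__(self, alias, account="111122223333", region="us-east-1"):
        self.key_id = os.urandom(16).hex()       # constructed; real key IDs are UUIDs
        self.alias = alias
        self.arn = "arn:aws:kms:%s:%s:key/%s" % (region, account, self.key_id)
        self.backing_keys = [os.urandom(32)]     # version 0 is created with the CMK

    @property
    def current_version(self):
        return len(self.backing_keys) - 1

    def rotate(self):
        """Rotation adds a new backing key; older versions stay so old ciphertext still decrypts."""
        self.backing_keys.append(os.urandom(32))
        return self.current_version

    def encrypt(self, plaintext):
        """Always encrypts under the latest backing key and records key ID and version."""
        version = self.current_version
        key = self.backing_keys[version]
        nonce = os.urandom(12)
        header = bytes.fromhex(self.key_id) + struct.pack(">I", version) + nonce
        body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag

    @staticmethod
    def backing_version(blob):
        """The backing key version named in the ciphertext's metadata."""
        return struct.unpack(">I", blob[16:20])[0]

    def decrypt(self, blob):
        """Reads which key and version the data was encrypted with and uses that version."""
        if blob[:16].hex() != self.key_id:
            raise ValueError("ciphertext was encrypted under a different CMK")
        version = self.backing_version(blob)
        if version > self.current_version:
            raise ValueError("unknown backing key version")
        key = self.backing_keys[version]
        nonce, body, tag = blob[20:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, blob[:HEADER_LEN] + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return _xor(body, _keystream(key, nonce, len(body)))

    def generate_data_key(self):
        """Envelope pattern: a key of your own, returned in plaintext for immediate use and
        wrapped under the CMK for storage; only the wrapped copy should be kept."""
        data_key = os.urandom(32)
        return data_key, self.encrypt(data_key)


def rotation_walkthrough():
    """Encrypt, rotate, encrypt again; the old ciphertext still decrypts via version 0."""
    cmk = SimulatedCMK("alias/app-secrets")
    before = cmk.encrypt(b"db-password")
    cmk.rotate()
    after = cmk.encrypt(b"db-password")
    return (SimulatedCMK.backing_version(before), SimulatedCMK.backing_version(after),
            cmk.decrypt(before) == cmk.decrypt(after) == b"db-password")
```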

AWS KMS – Core service design features

Durability - Designed to equal the highest-durability services in AWS. Data encrypted under a key becomes irretrievable if the key is lost.

Quorum-based access - No single Amazon employee can gain access to a customer's master keys.

Access control - Access to keys is protected using existing policies in IAM.

Low latency and high throughput - KMS will provide cryptographic operations at throughput suitable for use by other AWS services.

Regional independence - AWS provides regional independence for customer data; in other words, key usage is isolated within an AWS region.

Kinesis

AWS Kinesis – What is Kinesis?

Kinesis is a real-time data processing service that continuously captures and stores large amounts of data to power real-time streaming dashboards of incoming data streams.

Kinesis dashboards can be created using the AWS-provided SDKs. Kinesis applications can create real-time dashboards, integrate dynamic pricing strategies, and also allow you to export data from Kinesis to other AWS services for storage, including EMR, S3, Redshift, and Lambda.

Build dashboards or applications that react to the incoming data.

AWS Kinesis – Benefits

Real-time processing – Continuously collect data and build applications that analyze the data as it's generated.

Parallel processing – Multiple Kinesis applications can be processing the same incoming data stream concurrently.

Durable – Kinesis synchronously replicates the streaming data across three data centers within a single AWS region and preserves the data for up to 24 hours.

Scales – Can stream from as little as a few megabytes to several terabytes per hour.


AWS Kinesis – When would you use Kinesis?

Gaming – Collect gaming data such as player actions and feed the data into the gaming platform, for example a reactive environment based off of the real-time actions of the player.

Real-time analytics – Collect IoT (sensor) data from many sources at high frequency and process it using Kinesis to gain insights as data arrives in your environment.

Application alerts – Build a Kinesis application that monitors incoming application logs in real time and triggers events based off the data.

Log / event data collection – Log data from any number of devices and use a Kinesis application to continuously process the incoming data, power real-time dashboards and store the data in S3 when completed.

Mobile data capture – Mobile applications can push data to Kinesis from countless devices, which makes the data available as soon as it is produced.

AWS Kinesis – Workflow

Create a stream.

Build producers to continuously input data into the stream:
• Sensors
• Mobile devices
• Literally thousands of different inputs (adding shards is how you scale)

Consumers consume the stream (concurrently):
• Real-time dashboards
• S3
• Any application can consume the incoming data
• Redshift (data warehouse)
• EMR

Kinesis keeps 24 hours of streaming data stored by default, but can be configured to store up to 7 days.

Kinesis Mobile IOT Scenario Example


AWS Kinesis – IOT Scenario

[Diagram: IOT sensors send data to Amazon Kinesis; a Kinesis-enabled app consumes the stream and feeds DynamoDB, Amazon S3, Amazon CloudSearch, Amazon SNS, Amazon Redshift, and a real-time dashboard for the customer.]

EC2 Section

Protecting Production Resources


Protecting Production Resources In EC2

In an AWS account which has several teams and applications, there is a need to protect certain resources, or to allow access to only certain EC2 instances depending on the developer's team or the type of environment, such as staging, dev, or production.

How can we best protect those resources?

How can we add additional layers of protection to those resources?

Protecting Production Resources In EC2

Ensure that proper tagging strategies have been implemented that identify production resources, or at least the "type" of resource you want to add an extra layer of protection to.

Methods:
• Explicit deny on the "action/API" permissions not allowed on the tagged resource
• Grant allow on the "action/API" permissions allowed on the tagged resource

    "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
    ],

Specify the condition that must hold for this specific policy statement to be enforced:

    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/env": "production"
        }
    }


Specify the resource type that the policy should apply to:

    "Resource": [
        "arn:aws:ec2:region:aws-account-number:instance/*"
    ],

Additional policies for adding an extra layer of protection

• Add an IpAddress condition which specifies that the request must come from a specific IP address or CIDR block range
• Require that MFA has occurred recently (number of seconds since)

Scenario: How could we prevent developers who need access to terminate development instances from terminating production instances?

Hands-on example


Study Note: Remember, not all "actions" are supported for resource-level permissions. Because of this, it is easier to use "deny" permissions, such as denying starting, stopping, and terminating instances that have a production resource tag.
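The Action, Condition and Resource fragments above assembled into one policy, plus a small evaluator that checks requests against it, as an added example that is not part of the course material: the account number 111122223333, the region, the CIDR 203.0.113.0/24, the tag values and the instance IDs are placeholders, while ec2:ResourceTag/<tag>, aws:SourceIp and aws:MultiFactorAuthAge are real IAM condition keys. The evaluator is a simplified model of IAM's decision logic, not the IAM engine.

```python
import fnmatch
import ipaddress

# Constructed policy built from the slide's fragments (placeholder account and region).
INSTANCE_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances"]
INSTANCES = "arn:aws:ec2:us-east-1:111122223333:instance/*"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DevelopersManageDevInstances", "Effect": "Allow",
     "Action": INSTANCE_ACTIONS, "Resource": INSTANCES,
     "Condition": {"StringEquals": {"ec2:ResourceTag/env": "dev"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
    {"Sid": "NeverTouchProduction", "Effect": "Deny",
     "Action": INSTANCE_ACTIONS, "Resource": INSTANCES,
     "Condition": {"StringEquals": {"ec2:ResourceTag/env": "production"}}},
]}

# Condition operators used here; each receives (value from the request, value from the policy).
OPERATORS = {
    "StringEquals": lambda have, want: have == want,
    "StringLike": lambda have, want: fnmatch.fnmatchcase(have, want),
    "NumericLessThan": lambda have, want: float(have) < float(want),
    "Bool": lambda have, want: str(have).lower() == str(want).lower(),
    "IpAddress": lambda have, want: ipaddress.ip_address(have) in ipaddress.ip_network(want),
}


def _listed(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, context):
    """Every operator block and every key inside it must match. A key missing from the
    request context makes the condition false (no ...IfExists variants modelled)."""
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, wanted in pairs.items():
            if key not in context:
                return False
            if not any(test(context[key], w) for w in _listed(wanted)):
                return False
    return True


def statement_matches(stmt, action, resource, context):
    actions = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _listed(stmt["Action"]))
    resources = any(fnmatch.fnmatchcase(resource, p) for p in _listed(stmt["Resource"]))
    return actions and resources and condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins over any Allow, and a request that
    no Allow statement matches is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def ec2_request(action, instance_id, tags, source_ip, mfa_age_seconds=None):
    """Build (action, resource ARN, condition context) for one call against one instance."""
    resource = "arn:aws:ec2:us-east-1:111122223333:instance/" + instance_id
    context = {"aws:SourceIp": source_ip}
    for name, value in tags.items():
        context["ec2:ResourceTag/" + name] = value
    if mfa_age_seconds is not None:       # key is absent entirely when MFA was not used
        context["aws:MultiFactorAuthAge"] = str(mfa_age_seconds)
    return action, resource, context


def decide(action, instance_id, tags, source_ip, mfa_age_seconds=None):
    return evaluate(POLICY, *ec2_request(action, instance_id, tags, source_ip, mfa_age_seconds))
```

An instance with no env tag at all falls through to ImplicitDeny, which is why the slide insists on the tagging strategy first.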

Migrating Resources To Another Region

Migrating Resources To Another Region

• Part of having multi-region failover is understanding how to copy and replicate data from one region to another
• Part of designing properly is ensuring your resources are closest to their end users

Data that needs to be migrated:
• Databases running on EC2
• EC2 Instances / AMIs
• Auto Scaling configurations
• EBS volume data
• Instance SSH keys
• VPC and internal IP address considerations
• Reserved Instances


Migrating Resources To Another Region: EC2 Configurations

Considerations:
• PEM key pairs are unique per region. When you copy an AMI, the authorized key copies with it; to keep using your existing PEM key, launch the AMI in the secondary region with a key pair of the same name that uses your existing key.
• Use the CLI to export current Auto Scaling configurations and create new ones in the new region.
• Launch a new ELB in the desired region, which will be used during the DNS cutover.
• Existing SSL certificates can be used on the new ELB, since IAM stores the SSL certificates and is a global service.
• Sell existing Reserved Instances in the source region and/or purchase new Reserved Instances in the destination region.
• Reserved Instances cannot be migrated to another region, or even another AZ.

Migrating Resources To Another Region: AMIs and EBS Volumes

Considerations:
• Some snapshots require the suspension of I/O operations on the volume
• Multiple snapshots and EBS copy events can run in parallel, reducing
• Snapshots only work on EBS-backed instances/volumes
• Use AMIs to copy the EC2 instance, especially if it is backed by instance-store ephemeral storage
• Use "AMI copy" to copy the AMI from region1 to region2
• Not all AZs support EBS-optimized instance types; check which ones do before migrating

Procedure:
• Snapshot volumes and use the snapshot copy feature to copy the snapshot to another region, then launch the volume from the snapshot
• Use the copy AMI feature to copy the AMI from the current region to the destination region

Migrating Resources To Another Region: Databases Running On EC2

• Create an AMI of the instance
• Use AMI Copy to region2
• Enable replication from region1 to region2
• Cut over DNS and the application so that writes begin to occur on region2

[Diagram: DB in region1 replicating to DB in region2]


Migrating Resources To Another Region: Route53 Strategies

• If replicating data, Route 53 weighted DNS record sets would be the preferred method
• Start with low weights on the destination region to ensure all configurations are in place, and gradually change the weighted load
• Ensure that DB writes still occur on the master instance
• After weights are increased, cut over the primary DB to the destination region and cut off the source region by removing the extra Route 53 record set

[Diagram: DB in region1 replicating to DB in region2]

EC2 Backup Strategies

EC2 Backup Strategies: AMIs

Instance-Store AMIs: Instance-store AMIs rely on ephemeral storage; all software configurations and packages installed need to either be bootstrapped or stored on the AMI. To back up these instances it is acceptable to create AMIs frequently. If the data changes and needs to be stored, consider switching to EBS volumes.

Note: In EC2 you are generally backing up configurations with AMIs.

EBS-Backed AMIs: EBS-backed AMIs can be backed up in one of two ways:
1. EBS volume snapshots: Depending on the workload, suspension of I/O might be required. An AMI can be created from a "root" EBS volume.
2. AMIs: An AMI will create a snapshot of the attached EBS volumes if configured correctly, and the volumes will be restored upon launching the AMI.

EC2 Backup Strategies: File Level Restore

1. Take frequent EBS snapshots (incremental)
2. To restore a file, create an EBS volume from the desired snapshot
3. Attach the EBS volume to the EC2 instance at a different mount location
4. Browse the file system to the files needing to be restored
5. Copy from the volume to the regular production volume

Architecting For Performance

Instance Type Usage

Storage Optimized - Large data stores
Memory Optimized - Applications that require more memory: in-memory DB (Qlikview), caching
Compute Optimized - Applications that require larger CPU processing, such as video encoding and batch processing
General Purpose - Common applications that need an even mix of resources
GPU - Graphic manipulation, game streaming

https://aws.amazon.com/ec2/instance-types/

GPU instances are great for highly parallel processing capability

Examples:
• Scientific calculations
• Engineering modeling
• Rendering applications
• Graphics applications
• Game streaming
• 3-D application streaming
• Other graphic workloads
• Remember GPU instances do not support SR-IOV
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using_cluster_computing.html#gpu-instance-current-limitations


Architecting For Performance: Burstable CPU Credits

What if you have a legacy application that cannot scale with Auto Scaling but has peak performance 10% of the time? How can we reduce costs while still being able to handle any increase in temporary load?

What about dev/test/staging environments that do not frequently run large amounts of data? How can we reduce costs but still have the required performance?

Burstable instances are perfect for workloads that do not use the full CPU often but occasionally need to burst.

Architecting For Performance: Burstable CPU Credits

• T2 instance types have "burstable" CPU performance
• Each instance has a "baseline" performance but can "burst" to greater CPU usage if credits allow
• One CPU "credit" is equal to one vCPU running at 100% utilization for one minute
• Equivalently, one CPU "credit" is one vCPU running at 50% utilization for two minutes, etc.
• "Credits" are accrued when the instance uses LESS than its baseline performance

Architecting For Performance: Storage

Instance-store instances have storage that is physically attached to the host machine. Instance-store instances have faster I/O operations because of this. However, instance-store data is ephemeral and will be deleted if the instance is stopped or terminated.


Architecting For Performance: Storage

Volume Type - Use Cases
General Purpose - Root/boot volumes, desktops, smaller databases, and non-prod workloads
Provisioned IOPS - Production workloads and databases
Magnetic - Infrequently accessed workloads and low-cost requirements

Architecting For Performance: Storage

Volume Type - Limits
General Purpose - 1 GiB – 16 TiB, 160 MiB/s, baseline performance of 3 IOPS/GiB with burstable "credits"
Provisioned IOPS - 4 GiB – 16 TiB, 320 MiB/s, up to 20,000 IOPS per volume
Magnetic - 1 GiB – 1 TiB, 40-90 MiB/s, 100 IOPS with bursts to hundreds of IOPS

Architecting For Performance: Performance Design Patterns, Understand Bottlenecks

BCJC has a video transcoding application which accepts videos, processes the videos, and applies certain filters to the videos. The process includes uploading the video through an ELB to the web-facing servers. When completed, the web servers upload the video to the external location (or S3) through the NAT instance.

• Web-facing servers do not have a public IP address but receive traffic from a public load balancer
• A NAT instance is used to upload the videos to the external location


Architecting For Performance: Performance Design Patterns, Understand Bottlenecks

[Diagram: two public subnets, one holding the WEB Auto Scaling group and one holding the single NAT instance; two private subnets, each holding an APP Auto Scaling group. All outbound uploads from the web tier pass through the one NAT instance.]

Architecting For Performance: Performance Design Patterns, Understand Bottlenecks

Solution:

• Add a public subnet layer behind the ELB and enable Auto Scaling to assign public IP addresses, so each instance can send the traffic itself rather than going through the NAT instance

• You can also create multiple NAT instances and assign one to each subnet, but this also begins creating HA issues

• Increasing the instance size increases the bandwidth throughput

Increasing Performance With RAID Configurations

RAID: RAID Configurations

Configuration - Issues / Benefits
RAID 0 - Use when you need more I/O performance. Performance of the stripe is limited to the worst-performing volume. Does not provide redundancy.
RAID 1 - Provides volume fault tolerance but no additional I/O.

With RAID 0 you will get whatever additional throughput you provision on the attached EBS volumes. Striping together two 20,000 IOPS volumes in RAID 0 will result in 40,000 IOPS of I/O.


RAID: Scenario

Problem: BCJC has an application with a need for 120,000 IOPS of write performance. However, EBS volumes can only provision a maximum of up to 20,000 IOPS each. How would you solve this situation?

Solution: Stripe multiple EBS volumes together with RAID! For example, you can create a RAID 0 configuration of six 20,000 IOPS volumes for 120,000 IOPS. Keep in mind your limitation will be bandwidth, so EBS-optimized and/or network-optimized instances might be required.

Consider using RAID for storage services (NFS/CIFS) on AWS if S3 is not an acceptable solution.

RAID: Needing higher I/O throughput

• Create durability by applying EBS snapshots
• What about high availability?

[Diagram: a single storage instance in AZ 1 with striped EBS volumes]

RAID: Needing higher I/O throughput

https://en.wikipedia.org/wiki/Distributed_Replicated_Block_Device

[Diagram: a storage instance in AZ 1 and a storage instance in AZ 2, each with three striped EBS volumes, kept in sync with DRBD replication]


RAID: Problem

Problem: After 8-10 EBS volumes are striped together, your bottleneck becomes instance bandwidth. How can you get more throughput?

Solution: Use instance-store backed instances and stripe the attached ephemeral storage devices for several hundred thousand IOPS, depending on instance size.

RAID: Instance Store Instances With Ephemeral Storage

[Diagram: a storage instance in AZ 1 and a storage instance in AZ 2, each with three striped TEMP (ephemeral) volumes, kept in sync with DRBD synchronous replication; the AZ 2 instance also replicates asynchronously with DRBD to three striped EBS volumes.]

Persistent, fast, and durable storage!

Multi-Region Architectures


Multi-Region Architectures

Multi-region architectures generally make use of Route 53 policies, and complex policies, to route traffic:

• Active – Active multi-region designs
  • Latency based routing
  • Weighted based routing
  • Geo based routing
• Active – Passive multi-region designs (acceptable RTO/RPO)
  • Failover routing

Note: All policies should make use of health checks, and for multi-region design you can often think of Route 53 as a type of load balancer. Its job is to distribute traffic based off of some sort of "criteria" such as latency or weights.

Multi-Region Architectures: First, copy the data

Region 1 to Region 2:
• EC2: create an AMI, copy the AMI to region 2, then restore (launch) EC2 from the copied AMI
• EBS: take an EBS snapshot, copy the snapshot to region 2, then restore an EBS volume from the copied snapshot
• RDS: take an RDS snapshot, copy the snapshot to region 2, then restore RDS from the copied snapshot
• DynamoDB: use Data Pipeline to move the data from the region 1 table to the region 2 table

Note: cross-region replication is now available for DynamoDB.

Multi-Region Architectures: Second, design the architecture for the region

[Diagram: the application stack built out in each region, with a DB in each]

Multi-Region Architectures: Third, Configure the routing policies

Latency Based Routing
• Route 53 will respond to DNS queries with the resources that provide the best latency
• Used on EC2 instances or ELB
• Also works on private hosted zones
Geo Based Routing
• Respond to queries based off of the user's geographic location
Failover Routing
• Active-passive: If the primary resource is not healthy, then fail over to the secondary resource
Weighted Routing
• Send requests to record sets based off of weights

Share of traffic for a record set = (weight for the given resource record set) / (sum of the weights for all the resource record sets)

Note: Hands-on examples in the video after this

Multi-Region Architectures: Complex routing – Nested record sets!

Problem: How can you send users to a geographic location or region based off of latency based routing or geographic based routing, and then use weighted based routing among resources within that region?


Latency   Bas ed   Routing   Record Latency   Bas ed   Routing   Record


N ame:  domain.com
Linux Academy
N ame:  domain.com
Region:   eu-­‐w es t-­‐1 Region:   us -­‐eas t-­‐1
Set   ID:   1 Set   ID:   2
Evaluate   target   =   yes Evaluate   target   =   yes

We igh te d   R e so u rce   R e co rd   Se t We igh te d   R e so u rce   R e co rd   Se t We igh te d   R e so u rce   R e co rd   Se t We igh te d   R e so u rce   R e co rd   Se t


Name:   eu -­‐west-­‐1 -­‐www.d o mai n .co m Name:   eu -­‐west-­‐1 -­‐www.d o mai n .co m Name:   u s-­‐east-­‐1 -­‐www.d o mai n .co m Name:   u s-­‐east-­‐1 -­‐www.d o mai n .co m
R eco rd   Typ e   :   A R eco rd   Typ e   :   A R eco rd   Typ e   :   A R eco rd   Typ e   :   A
Val u e:   1 0 .0 .0 .1 Val u e:   1 0 .0 .0 .2 Val u e:   1 0 .0 .0 .1 Val u e:   1 0 .0 .0 .2
Set   ID:   1 Set   ID:   2 Set   ID:   1 Set   ID:   2
W ei gh t:   1 5 W ei gh t:   2 0 W ei gh t:   1 0 W ei gh t:   2 0

He alth   C h e ck He alth   C h e ck He alth   C h e ck He alth   C h e ck


R e so u rce   IP :   1 0 .0 .0.1 R e so u rce   IP :   1 0 .0 .0.2 R e so u rce   IP :   1 0 .0 .0.1 R e so u rce   IP :   1 0 .0 .0.2

Diagram (state 2): the same latency-based routing record for domain.com (eu-west-1 Set ID 1, us-east-1 Set ID 2, Evaluate target health = yes) over the same weighted record sets, now with health check results:
  eu-west-1-www.domain.com  A  10.0.0.1  Set ID 1  Weight 15  health check: FAIL
  eu-west-1-www.domain.com  A  10.0.0.2  Set ID 2  Weight 20  health check: HEALTHY
  us-east-1-www.domain.com  A  10.0.0.1  Set ID 1  Weight 10  health check: HEALTHY
  us-east-1-www.domain.com  A  10.0.0.2  Set ID 2  Weight 20  health check: HEALTHY

Diagram (state 3): the same latency-based routing record for domain.com (eu-west-1 Set ID 1, us-east-1 Set ID 2, Evaluate target health = yes) over the same weighted record sets, now with both eu-west-1 resources failing:
  eu-west-1-www.domain.com  A  10.0.0.1  Set ID 1  Weight 15  health check: FAIL
  eu-west-1-www.domain.com  A  10.0.0.2  Set ID 2  Weight 20  health check: FAIL
  us-east-1-www.domain.com  A  10.0.0.1  Set ID 1  Weight 10  health check: HEALTHY
  us-east-1-www.domain.com  A  10.0.0.2  Set ID 2  Weight 20  health check: HEALTHY
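A simulation of the failover the three diagrams above describe, added here as an example and not part of the course material: the record names, values and weights are taken from the diagram, and the latency step is simplified to "the client's own region wins" (the real service measures latency to the resolver).

```python
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class WeightedRecord:
    """One A record inside a weighted record set (values from the diagram)."""
    name: str
    value: str             # resource IP the record answers with
    set_id: int
    weight: int
    healthy: bool = True   # outcome of the health check on the resource IP


@dataclass
class LatencyEntry:
    """One entry of the latency-based record for domain.com."""
    region: str
    set_id: int
    target: List[WeightedRecord]      # weighted set this entry aliases
    evaluate_target_health: bool = True

    def is_healthy(self) -> bool:
        # "Evaluate target = yes": the alias is healthy only while at least
        # one record in the weighted set it points to passes its health check.
        if not self.evaluate_target_health:
            return True
        return any(r.healthy for r in self.target)


def build_records() -> List[LatencyEntry]:
    """The record sets shown in the diagram (constructed from the slide)."""
    eu = [WeightedRecord("eu-west-1-www.domain.com", "10.0.0.1", 1, 15),
          WeightedRecord("eu-west-1-www.domain.com", "10.0.0.2", 2, 20)]
    us = [WeightedRecord("us-east-1-www.domain.com", "10.0.0.1", 1, 10),
          WeightedRecord("us-east-1-www.domain.com", "10.0.0.2", 2, 20)]
    return [LatencyEntry("eu-west-1", 1, eu), LatencyEntry("us-east-1", 2, us)]


def choose_weighted(records: List[WeightedRecord], rng: random.Random) -> WeightedRecord:
    """Weighted routing: each healthy record is answered with probability
    weight / sum(weights). If no record is healthy Route 53 fails open and
    considers all of them."""
    pool = [r for r in records if r.healthy] or list(records)
    pick = rng.uniform(0, sum(r.weight for r in pool))
    for rec in pool:
        pick -= rec.weight
        if pick <= 0:
            return rec
    return pool[-1]


def resolve(entries: List[LatencyEntry], client_region: str, seed: int = 0) -> Tuple[str, str]:
    """Answer one query for domain.com from a client whose lowest-latency
    region is client_region. Returns (region served from, A record value)."""
    rng = random.Random(seed)
    healthy = [e for e in entries if e.is_healthy()] or list(entries)
    preferred = [e for e in healthy if e.region == client_region]
    entry = preferred[0] if preferred else healthy[0]
    return entry.region, choose_weighted(entry.target, rng).value


def answer_share(entries: List[LatencyEntry], client_region: str, trials: int = 2000):
    """Fraction of answers per (region, value) over many queries."""
    counts = {}
    for i in range(trials):
        key = resolve(entries, client_region, seed=i)
        counts[key] = counts.get(key, 0) + 1
    return {k: v / trials for k, v in counts.items()}


def fail(entries: List[LatencyEntry], region: str, value: str) -> List[LatencyEntry]:
    """Mark the health check for one resource IP in one region as failing."""
    for e in entries:
        if e.region == region:
            for r in e.target:
                if r.value == value:
                    r.healthy = False
    return entries


if __name__ == "__main__":
    e = build_records()
    print("state 1, all healthy:  ", answer_share(e, "eu-west-1"))
    fail(e, "eu-west-1", "10.0.0.1")
    print("state 2, eu .1 failed: ", answer_share(e, "eu-west-1"))
    fail(e, "eu-west-1", "10.0.0.2")
    print("state 3, both eu failed:", answer_share(e, "eu-west-1"))
```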


High Performance Computing (HPC)


What is HPC?

HPC is the aggregation of computing power to create much higher performance clusters and machines that perform large scientific, mathematical, and algorithmic computations on data quickly.

• Financial computations
• Weather forecasting
• Anything that requires large amounts of compute usage


HPC On AWS – Instances

Specific instance types provide different types of compute power and networking speed. Which to choose depends on the amount of data that needs to transfer in and out between nodes and on the type of analysis required.

C4 instances – For compute heavy workloads
• Xeon E5-2666 v3 and up to 36 vCPUs of computing power
• EBS optimized by default for 500 Mbps to 4,000 Mbps throughput to EBS

GPU Instances
• Used for 3D modeling and simulation (graphically heavy)
• NVIDIA GPUs



HPC On AWS

Placement groups:
• A placement group is a logical grouping of instances within a single Availability Zone. When using a placement group the application can take advantage of a low-latency, 10 Gbps network.


HPC On AWS

Placement groups: High throughput computing clusters using EC2 instances
• Instances launched as part of the group have high throughput network ability to each other
• When instances are launched at the same time, AWS will attempt to locate the instances as physically close to each other as possible, usually on the same host
• An already running instance cannot be added to a placement group
• Use the same instance type to help ensure the instances are located as close as possible. AWS groups physical hardware based on instance type.
• If you receive a capacity error when launching an instance in a placement group, stop and restart the instances in the placement group, and then try the launch again.


HPC On AWS

Important: Auto Scaling can be used to launch instances in placement groups based on CloudWatch metrics



HPC On AWS: SR-IOV (Enhanced Networking)

What is SR-IOV? SR-IOV is Single Root I/O Virtualization. It creates enhanced networking abilities on instances, which results in higher performance in packets per second, lower latency, and reduced jitter (jitter = noise on the wire).

Supported Instance Types:
• C3, C4, D2, I2, M4, R3 (notice GPU instances are not listed!)

Supports only HVM virtualization. Amazon Linux has it on by default; in order to enable it elsewhere, the kernel module ixgbevf is required.

modinfo ixgbevf
ethtool -i eth(n) to verify the kernel driver is being used; it will return driver: ixgbevf

HPC Scenarios


HPC Scenarios
• Grid Computing (high throughput computing, HTC):
  • Locality is not a primary requirement
  • Workloads are more distributed
  • The size of the cluster can grow and shrink (auto scaling)
  • Often used with spot instances
  • Servers can be utilized over a wide area and even across instance types
  • Grid clusters should be designed for resilience
  • Are more often scaled horizontally
  • Loosely coupled (does not require tight communication between nodes)

Examples of Grid Computing:
• SETI@home
• 3D rendering jobs such as CAD or other GPU heavy workloads



HPC Scenarios
• Cluster Computing: Two or more instances connected together to support an application
  • Usually requires high node to node throughput
  • Most commonly assembled using the same type of instances
  • Usually uses placement groups or enhanced networking to satisfy the high network throughput requirement

Examples of Cluster Computing:
• Weather computations and modeling
• Electromagnetic simulations
• Applications that require multiple nodes and low latency communication between the nodes


HPC Scenarios
Challenge: Knowing when to use specific architectures depending on the workload

• Does the workload require tight inter-communication between the nodes?

• Can a workload complete on a single node and benefit from auto scaling to handle an increase in capacity?

• If a workload needs EC2 placement groups and SR-IOV enabled enhanced networking, then auto scaling and GPU instances are not a great solution, and GPU instances cannot utilize SR-IOV enhanced networking

• Auto Scaling can be used to launch instances into placement groups


HPC Scenarios
• Grid computing workloads can benefit from high availability and resilience using tools such as auto scaling, but the trade-off is enhanced networking


Mitigating DDoS Attacks


DDoS Mitigation Strategies

Types of attacks:
• UDP Floods
• HTTP Floods (application attacks)
• SYN Flood (protocol attack)

Methods to Mitigate DDoS Attacks:
• Minimize The Attack Surface Area
• Scale to absorb the attack
• Safeguard exposed resources
• Learn normal behavior (IDS/WAFs)
• Create a plan for attacks


DDoS Mitigation Strategies: UDP Attacks

A UDP flood occurs when UDP packets are sent to random ports on a host system or host systems. The host will look for an application listening on each UDP port and, if nothing is listening, will respond with an ICMP destination unreachable message. An increased number of requests forces the system to generate many ICMP packets, which will eventually lead to the host being unreachable.

https://en.wikipedia.org/wiki/UDP_flood_attack



DDoS Mitigation Strategies: SYN Flood

Three-way TCP handshake:
1. Client requests a connection by sending a synchronized message (SYN) to the server
2. Server acknowledges the request by sending SYN-ACK back to the client
3. The client responds with an ACK and the connection is then established

SYN: Synchronized packet
SYN-ACK: Synchronized Acknowledgement
ACK: Acknowledgement

A "SYN Flood" occurs when the initiating client does not respond with an ACK (acknowledgement), causing the server to wait for an ACK and leaving half-open connections on the server side, reducing the available connection resources.


DDoS Mitigation Strategies: Application Floods

Application floods using GET/POST requests are attacks against layer 7 (the application layer) of the network stack, often sending large amounts of HTTP GET/POST requests to overwhelm the application servers.
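An added example (not from the course) of the "learn normal behavior" approach applied to an application flood: it counts GET/POST requests per client per minute from constructed access log lines and flags clients far above the learned median rate.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Apache/nginx common log format: client ip, identity, user, [timestamp], "request".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hh>\d\d):(?P<mm>\d\d):\d\d [^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)')


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (client ip, 'day hh:mm' bucket, method, path) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], f"{m['day']} {m['hh']}:{m['mm']}", m["method"], m["path"]


def requests_per_minute(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count GET/POST requests per (client ip, minute) bucket."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in ("GET", "POST"):
            counts[(parsed[0], parsed[1])] += 1
    return counts


def baseline_rate(counts: Dict[Tuple[str, str], int]) -> int:
    """'Learn normal behavior': the median per-client requests per minute."""
    values = sorted(counts.values())
    return values[len(values) // 2] if values else 0


def detect_flood(lines: List[str], factor: int = 10, floor: int = 30):
    """Flag clients whose per-minute rate exceeds max(floor, factor * baseline).
    Returns ({client ip: peak requests per minute}, limit used)."""
    counts = requests_per_minute(lines)
    limit = max(floor, factor * baseline_rate(counts))
    flagged: Dict[str, int] = {}
    for (ip, _minute), n in counts.items():
        if n > limit:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged, limit


def build_sample() -> List[str]:
    """Constructed log: five clients browsing normally (3 requests each)
    plus one client sending 60 POSTs to /login inside a single minute."""
    lines = []
    for host in range(1, 6):
        for sec in (1, 20, 45):
            lines.append(f'10.1.1.{host} - - [15/Dec/2015:10:00:{sec:02d} +0000] '
                         f'"GET /index.html HTTP/1.1" 200 512')
    for sec in range(60):
        lines.append(f'203.0.113.9 - - [15/Dec/2015:10:00:{sec:02d} +0000] '
                     f'"POST /login HTTP/1.1" 200 128')
    return lines


if __name__ == "__main__":
    flagged, limit = detect_flood(build_sample())
    print(f"limit {limit} req/min, flooding clients: {flagged}")
```

Behind an ELB the logged address is the load balancer's own unless the client IP is recovered from X-Forwarded-For or Proxy Protocol, so key on that recovered address instead.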


DDoS Mitigation Strategies

Minimize The Attack Surface Area
• Use ELB/CloudFront to distribute load to your applications
• Multi-Tier application architectures often provide layered protection against attacks

Scale to absorb the attack
• Enable Auto Scaling to handle increased load while you work to identify the source of the attack

Safeguard exposed resources
• Use Route53 and aliases to hide the source IP of your resources

Learn normal behavior (IDS/WAFs)

Create a plan for attacks




DDoS Mitigation Strategies

CloudFront:
• CloudFront has built-in abilities to absorb and deter DDoS attacks while still serving traffic to legitimate users. This is done as part of the CloudFront service and requires no additional configuration.

• CloudFront can scale to handle any increase in traffic, which helps absorb attacks

• CloudFront uses filtering techniques to ensure that only valid TCP connections and HTTP requests are successful in passing through the edge locations

• Solves UDP and SYN flood DDoS attacks


WAF (Web Application Firewall) controls input and shows what the traffic is doing and where it is coming from. Many WAFs have built-in IDS (Intrusion Detection Systems) which analyze traffic data and look for suspicious activity.

• Filters traffic and can identify/prevent injection attacks
• DDoS mitigation
• Malware protection
• Data loss prevention (identifies and traces data leaving your application)
• Detects suspicious activity and blocks/reports it in the logs
• Used for greater insight into traffic flow for regulatory reasons

WAFs can be part of the web server itself, or a WAF can sit in front of the webserver/ELB to filter the traffic and then forward it to the application.

VPC networking

Diagram: traffic enters through the IGW to a row of WAF instances in an Auto Scaling group, which forward to APP instances in a second Auto Scaling group, with both tiers spread across Availability Zone #1 and Availability Zone #2. Slide note: ELB also ensures TCP connections.


Monitor all incoming/outgoing traffic

Diagram: IGW in front of WAF instances in Auto Scaling groups across the Availability Zones, so all traffic entering or leaving the VPC passes the WAF tier.

ELB Considerations


Elastic Load Balancer Considerations:

Scenario: BCJC's web application is multi-device compatible. Depending on the type of device, different ELB stickiness sessions and even different SSL certificates are required. What is the best design pattern for presenting the different options to the arriving devices?

Example: Mobile devices being taken to a different ELB with different stickiness settings, or desktop users going to different SSL certificates.



Elastic Load Balancer Considerations

Advantages:
• Different ELB behavior depending on the device
• Different SSL certificates for the same application

http://en.clouddesignpattern.org/index.php/CDP:Mutli_Load_Balancer_Pattern


Understanding ELB Layer 3 vs. Layer 7 listeners

HTTP – Layer 7 request
HTTPS – Layer 7 request
TCP (Ports 1-65535) – Layer 3 request
SSL (Secure TCP) – Layer 3 request

When a request is made to a load balancer, the load balancer intercepts the request and creates a new request on behalf of the client.


Understanding ELB Layer 3 vs. Layer 7 listeners

HTTP/HTTPS are layer 7 application requests. The ELB parses the header information when TCP termination occurs between the client and the ELB. It creates a new request and forwards it to the EC2 instances as if it were making the request itself. The ELB is configured so that if a layer 7 (http/https) request does not come back with a 200 OK response, the ELB considers the EC2 instance unhealthy and stops sending it traffic.

Problem: What if your application does not use port 80/443 AND/OR is not sending a 200 OK response back even when it is in fact healthy?




Solution: Use a TCP listener, which can accept traffic on any of the available TCP ports 1 – 65535, or SSL on port 443 for secure requests that do not respond with 200 OK.


Forwarding Client IP Addresses To The EC2 Instances Behind The ELB
• When the ELB uses TCP to make the request to the EC2 instance on behalf of the client, the ELB's IP address will be sent to the EC2 instances and logged instead of the client's (think HTTP access logs)
• How can we forward the client's IP address?



• Use the CLI to configure Proxy Protocol on the ELB; proxy protocol is used to carry connection information from the client making the request to the destination EC2 instances

Note: This only works with TCP configurations - NOT HTTP/HTTPS listeners
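An added example (not from the course or AWS) of what the backend must do once Proxy Protocol is enabled on a TCP listener: parse the version 1 PROXY line the ELB prepends to each connection, and accept it only when the TCP peer is inside the load balancer's address range (constructed here as 10.0.0.0/16), since any peer that can reach the instance directly could otherwise forge a client address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Proxy Protocol v1: one ASCII line of at most 107 bytes including CRLF:
#   PROXY TCP4 <client ip> <load balancer ip> <client port> <lb port>\r\n
MAX_V1_HEADER = 107


@dataclass
class ConnInfo:
    client_ip: str      # original client (source address in the PROXY line)
    client_port: int
    lb_ip: str          # address the client connected to on the load balancer
    lb_port: int


class ProxyHeaderError(ValueError):
    """Malformed Proxy Protocol header."""


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ConnInfo], bytes]:
    """Split the PROXY line off the start of a backend connection.
    Returns (connection info, remaining application bytes); info is None for
    'PROXY UNKNOWN'. Raises ProxyHeaderError on anything malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header") from None
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest            # proxy could not determine the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad protocol field")
    want = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        raise ProxyHeaderError("bad address or port") from None
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ConnInfo(str(src), sport, str(dst), dport), rest


def client_address(data: bytes, peer_ip: str,
                   trusted_nets: Iterable[str]) -> Tuple[str, Optional[int], bytes]:
    """Attribute a connection to a client. The PROXY line is honoured only
    when the TCP peer is one of the trusted load balancer networks (CIDR
    strings); connections from anywhere else are attributed to the peer
    itself and their bytes are passed through untouched."""
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    if not any(peer in net for net in nets):
        return str(peer), None, data
    info, rest = parse_proxy_v1(data)
    if info is None:
        return str(peer), None, rest
    return info.client_ip, info.client_port, rest


def is_valid_proxy_header(data: bytes) -> bool:
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


if __name__ == "__main__":
    # Constructed first bytes of a connection arriving from the ELB at 10.0.1.50.
    sample = b"PROXY TCP4 198.51.100.22 10.0.1.50 35646 80\r\nGET / HTTP/1.0\r\n"
    print(client_address(sample, "10.0.1.50", ["10.0.0.0/16"]))
```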


Forwarding Client IP Addresses To The EC2 Instances Behind The ELB
Problem: How do you get the client IP address when using the layer 7 HTTP/HTTPS listener on the load balancer, since Proxy Protocol is only supported on a TCP listener setup?

Solution: Modify your application code to send another header along with the request to the load balancer. The header needs to be the X-Forwarded-For request header, and it will be passed through the ELB to the server with the client's IP address (if you add the client's IP address to the header in the code).
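An added example (not from the course) of reading X-Forwarded-For on the backend. The ELB appends the connecting client's address as the last entry of the header, so the code takes the rightmost address that is not a trusted proxy and ignores the header entirely when the request did not arrive through the load balancer; the trusted range 10.0.0.0/16 and all addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Mapping, Optional


def client_ip_from_xff(headers: Mapping[str, str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the originating client IP for a request that arrived from peer_ip.

    The load balancer appends the connecting client's address as the LAST
    element of X-Forwarded-For (creating the header if absent). Everything to
    the left was sent by the client and may be forged, so the list is walked
    from the right, skipping trusted proxy addresses; the first other address
    wins. Returns None when the trusted position holds a malformed value."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in nets):
        # Not behind a trusted proxy: the TCP peer is the client and any
        # X-Forwarded-For it sent is untrusted.
        return str(peer)
    raw = headers.get("X-Forwarded-For") or headers.get("x-forwarded-for", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None          # garbage in the trusted position: reject
        if any(addr in net for net in nets):
            continue             # another proxy hop, keep walking left
        return str(addr)
    # Header absent or only proxies listed: fall back to the peer.
    return str(peer)


def constructed_examples() -> Dict[str, Optional[str]]:
    """Constructed requests as seen by a backend in VPC 10.0.0.0/16 behind an ELB."""
    trusted = ["10.0.0.0/16"]
    cases = {
        # normal: the ELB (10.0.1.20) appended the real client
        "via_elb": ({"X-Forwarded-For": "198.51.100.7"}, "10.0.1.20"),
        # client pre-set a fake entry; the ELB still appended the real one on the right
        "spoof_attempt": ({"X-Forwarded-For": "192.0.2.1, 198.51.100.7"}, "10.0.1.20"),
        # direct hit on the backend, bypassing the ELB: header ignored
        "direct": ({"X-Forwarded-For": "192.0.2.1"}, "203.0.113.9"),
        # malformed value in the trusted position
        "garbage": ({"X-Forwarded-For": "198.51.100.7, not-an-ip"}, "10.0.1.20"),
    }
    return {name: client_ip_from_xff(h, peer, trusted) for name, (h, peer) in cases.items()}


if __name__ == "__main__":
    for name, ip in constructed_examples().items():
        print(f"{name:14s} -> {ip}")
```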

Supporting Legacy Applications



Supporting Legacy Applications: Floating IP

Diagram: Elastic IP 58.58.58.58 is associated with the active instance (Private IP 10.0.1.1) in one Availability Zone; a Standby instance (Private IP 10.0.1.2) waits in a second Availability Zone.
Supporting Legacy Applications: Floating IP

Diagram: after failover, Elastic IP 58.58.58.58 is re-associated with the Standby instance in the second Availability Zone.


Supporting Legacy Applications: Floating IP

• The same concepts apply if you use an ENI to assign a static private IP address

• In the event of failover, disassociate the ENI and assign it to another instance

• Floating IP is also a solution if your software is licensed by MAC address



Supporting Legacy Applications: Multicast applications

What is multicast? Multiple networks over the same network

Diagram: Broadcast vs. Multicast vs. Unicast delivery. Source: https://en.wikipedia.org/wiki/Multicast


Supporting Legacy Applications:

BCJC has an application that is built to work only on the same subnet using a multicast type setup. How can BCJC design this application to be highly available across availability zones?

Multicast is NOT supported on AWS, why?

1. You cannot manage multiple subnets on a single interface on AWS
2. A subnet can only belong to one availability zone


How would you deploy legacy applications that require multicast?

• Create a virtual overlay network that runs at the OS level of the instances

• VPC is unaware of what is happening

• Tunnel and a virtual network at the Operating System level of the EC2 instances

• The virtual network CIDR ranges MUST be different than that of the VPC, and the subnets are independent of the VPC

• Tunnels are typically created using different software applications such as
  • GRE or L2TP tunnel types
  • OpenVPN or Ntop's N2N application software to create the tunnel types


Diagram: overlay tunnel network 172.16.10.0 spanning two Availability Zones. Instances at VPC subnet addresses 10.0.1.1 and 10.0.1.2 (first zone) and 10.0.3.1 and 10.0.3.2 (second zone) carry tunnel addresses 172.16.10.1, 172.16.10.2 and 172.16.10.3 on the overlay, independent of the VPC CIDR.

Virtual Private Cloud

Network Monitoring




VPC Network Monitoring: Protecting Data Integrity

BCJC has hired third party contractors to work on applications that integrate with existing regulated data (credit card data) in BCJC's environment. While BCJC trusts the developers, there is an audit requirement to know what data and activity is occurring in your environment, the source of each, and what data is leaving. The developers need full access to the AWS environment in order to perform the development tasks appropriately. What is the best method and design to implement this type of security?

• Basically, how to know if a contractor is stealing the data, what the data is, and when/where it occurred
• Also know what commands are being issued in your environment and filter out bad, potentially dangerous activity before it occurs in your environment.
• Allow developers "admin" access to the AWS tools



VPC Network Monitoring: Protecting Data Integrity

• Create TWO AWS accounts
• Create a proxy for all data incoming/outgoing of the developer AWS account to the primary AWS account that can monitor or block the traffic



VPC Network Monitoring: Intrusion Detection Systems / Intrusion Prevention Systems

• Understand the limitations: traditional intrusion detection systems let you put the system into promiscuous mode, which allows "sniffing" of traffic on your network that is intended for other machines/instances. This is a limitation of AWS: the hypervisor has it disabled and will not deliver any traffic to instances that is not specifically addressed to those instances. Thus, promiscuous mode is not allowed.

• Intrusion detection can work inline or by monitoring logs. There are a lot of log capabilities in AWS that we can use and then analyze for intrusion detection, such as CloudTrail and S3 logs.

• Intrusion prevention actually identifies and "drops" suspect packets, and this type of setup requires an inline configuration




VPC Network Monitoring: IPS / IDS

• Place an IDS inside of your cluster and allow your EC2 instances to send "copies" of the traffic to the IDS instances for "monitoring" only.

• Place IDS software on your EC2 instances that deliver your primary "front end" application

• Place an IDS/IPS inline that automatically blocks/allows traffic to the destination instances.
  • Use your own inline monitoring in your AWS environment
  • Use a third party service to send traffic to an IDS/IPS provider that then redirects the traffic back to your application architecture



VPC Network Monitoring: Inline Intrusion Detection / Prevention

Diagram: IDS instances sit in the public subnet of each Availability Zone in front of the Data instances in the private subnets, so traffic passes through the IDS before reaching the data tier.



VPC Network Monitoring

Diagram: Web instances in the public subnets alongside a single IDS instance.

An agent installed on the EC2 instances will send copies of the network traffic received on the EC2 instance to the IDS system.


Extending On-Premise Networks With VPN


Creating VPN Connections

VPN (Virtual Private Network) connections are used to extend on-premise data centers to AWS. Other uses include providing secure IPSec connections from on-premise computers/servers to AWS.

VPN connections create private connections to a VPC, giving on-premise machines access to internal VPC resources such as private IP addresses and internal load balancers.

Key is to understand how to create VPN connections and how networking occurs with VPN connections
• Most corporate companies have hardware routers that are used to create VPN connections to the VPC, and currently only hardware routers are supported by the VPC VPN option
• Software VPN such as OpenVPN can be configured on an EC2 instance


Creating VPN Connections: Key knowledge

• Understand how to create a hardware VPN connection

• Understand how to configure subnet route discovery between on-premise and VPC CIDR blocks



Creating VPN Connections: Steps For Configuring a hardware VPN

1. Create a VPG (Virtual Private Gateway). This is the AWS side of the VPN connection
  • Create the VPG and attach it to the VPC; only one can be attached at a time


Creating VPN Connections: Steps For Configuring a hardware VPN

2. Create a customer gateway; this is the physical device or software on the client side of the connection
  • Requires a public IP address for the on-premise router and an ASN number IF you are enabling dynamic routing
    • Dynamic routing used with BGP will automatically discover on-premise and VPC CIDR blocks and create routes for the traffic to communicate between them
    • Static routes are required if BGP is not enabled and require a manual configuration


Creating VPN Connections: Steps For Configuring a hardware VPN

3. Create a VPN connection in the VPC
  • The VPN connection is where the configuration for either static or dynamic routes is configured



Creating VPN Connections: Steps For Configuring a hardware VPN

Diagram: Customer Gateway -> VPN connection -> Virtual Private Gateway -> router -> Subnet.
  Customer Gateway defines: public IP address of the router/firewall, and ASN number if dynamic routing
  VPN connection defines: Virtual Private Gateway, Customer gateway, Routing policies (dynamic/static)


Creating VPN Connections: Steps For Configuring a hardware VPN

Creating redundancy
• Each VPN has two tunnels associated with it that can be configured on the customer router
• The single point of failure then becomes the single customer router
  • Create a second customer gateway and a second on-premise router for configuration

Security Zones



Security Zones
What if you are running multiple applications in an AWS environment?

• Separate by creating multiple VPCs, one for each zone (if this high level separation is allowed and the apps do not need to communicate)
• For apps/instances that need communication, use the segmentation tools available to ensure only the traffic required is flowing in and out of zones
  • Security Groups
  • NACLs
• Segment environments based off of CIDR block ranges and create NACL rules that allow traffic to specific subnets/security groups based off of those CIDR block ranges; this ensures inter-zone communication is allowed from only specific locations

AWS Direct Connect


Why Direct Connect?

Reduce network costs
• Reduce bandwidth commitment to corporate ISP over public internet
• Data transferred over direct connect is billed at a lower rate

Increase network consistency
• Dedicated private connections reduce latency rather than sending the traffic via public routing

Dedicated private network connection to on-premise
• Connect the direct connect connection to a VGW in your VPC for a dedicated private connection from on-premise to VPC
• Use multiple VIFs (Virtual Interfaces) to connect to multiple VPCs


Diagram: corporate data center linked to AWS through a Direct Connect location.

Does not require hosting any router/hardware at the Direct Connect Partner location, only requires a Direct Connect location and a participating backbone provider.


Using the Direct Connect service to connect to AWS you provision:

Private Virtual Interfaces: Interfaces with an Amazon Virtual Private Cloud (VPC) with automatic route discovery using BGP; requires a public or private ASN number
• Can only communicate with internal IP addresses inside of EC2
• Cannot access public IP addresses, as Direct Connect is NOT an internet provider
• This is a dedicated private connection which works like a VPN
• Use two Direct Connect connections for active-active or active-failover availability
• Can also use VPN as a backup to direct connect connections
• Create multiple private VIFs to multiple VPCs at a time



Using the Direct Connect service to connect to AWS you provision:

Public Virtual Interfaces: Use Direct Connections to AWS and connect to public AWS endpoints for any AWS service such as DynamoDB or Amazon S3
• Requires a public CIDR block range
• Still has consistent traffic as it is sent over your dedicated network to the Direct Connect partner at the partner's connection to AWS


Cross-network Connection (Cross Connect) – Physical connection between your network and the Direct Connect authorized partner, which then handles the routes and connections to AWS networks.

An AWS Direct Connect location provides access to the AWS region it is associated with. It does not provide access to other AWS regions. However, there are methods to connect to additional AWS regions, discussed in the next lesson.

AWS Direct Connect Accessing A Remote AWS Region



A Direct Connect into an AWS Partner Direct Connect provider will only connect to the closest region or the AWS region associated with the provider.

What if you are creating a multi-region design and have a need for a more reliable network connection?
• Create a public virtual interface to the remote region's public endpoints and use VPN over the public virtual interface to protect the data

Note: While you will not have a private direct connect connection, your data will still utilize AWS backbone networks for a better connection to the remote region. By creating a VPN you are creating your own private network to internal AWS VPC resources.

Hybrid Data Center With Directory Service


• Different than temporary credentials
• This is giving apps access to Active Directory in the AWS environment or on-premise environment
• As your applications migrate to Amazon, you might want those apps to access the AD roles/accounts

• BCJC wants to connect on-premise to the cloud using existing credentials; in other words, expose existing AD to the cloud
  • AWS Directory Service
    • AD Connector (essentially a hosted proxy service, no caching): instances on AWS that need access to on-premise AD will proxy through the AD Connector down to the on-premise AD server; nothing is stored on the connector
    • Simple AD – a fully hosted AD on Amazon; you would set up another master controller and "sync" to on-premise and then maybe eventually move fully on-premise


[Diagram: AD Connector pass-through. On-premise AD in the corporate data center; an AD Connector instance in a security group, VPC subnet and Availability Zone on AWS.]

AD Connector: acts as a proxy and passes the information through to the on-premise AD.
[Diagram: Simple AD sync. On-premise AD in the corporate data center; a Simple AD instance in a security group, VPC subnet and Availability Zone on AWS, with directory sync between the two.]

Simple AD: a full Active Directory service which, in order to use on-premise credentials, you would set up Active Directory sync for.

[Diagram: same layout as above, with the sync to the on-premise AD removed.]

Simple AD: remove the AD sync to on-premise and instead use Simple AD as your AD for on-premise as well.

Amazon ElastiCache

Amazon ElastiCache

ElastiCache is an in-memory hosted caching solution provided by AWS. ElastiCache supports two types of caching engines at this time.

Memcached: a common caching engine which uses a DB source such as MariaDB/MySQL as the persistent storage and fills frequently accessed objects into in-memory memcache.

Redis: Redis acts more like a replacement for the DB server, maintains its own persistence, and is used for certain types of application functions.

Note: Each caching engine provides different methods for high availability, backup, usage, and migration.

Amazon ElastiCache: When to cache?

Cache data that is "static" and is also frequently accessed
• Profile data

Storing infrequently accessed data doesn't equate to cost savings or much performance savings, but it will fill up your available cache memory.

Cache expensive or slow queries, such as queries with joins that run across multiple tables; these are considered hardware intensive and expensive.

Cache data that is "stale": it doesn't change frequently, and a change would require flushing the cache for the new data to appear.
• The Redis caching engine is a little different, as it uses the in-memory storage for the actual data storage and only writes persistence to snapshots or data files periodically.

Amazon ElastiCache: When to cache?

Is the query being made against the database slow or expensive?
• Large join showing the results of comments on a WordPress thread

Is the resulting data frequently accessed?
• Social media profile or even a course listing

Is the data "static" or does it change frequently?
• Video count on the Linux Academy front page

Amazon ElastiCache: Caching Strategies

Lazy Loading
• Application attempts to retrieve data from the cache nodes
• If no data is available then the cache nodes return null (a cache miss)
• Application retrieves the data from the database (disk based DB)
• Application then updates the cache
• Only requested data is cached, so the cache is not filling up memory with non-requested data and taking resources
• Node failures aren't a huge issue because if a node fails the request just goes to the DB

Lazy loading can be expensive if there is a cache miss (three round trips: cache, database, and the write back to cache). This is important in determining if an item is infrequently accessed and should be cached or not. If it is infrequently accessed it will be less expensive to just read from the DB and bypass the cache.

Amazon ElastiCache: Caching Strategies

Write Through
• Ensures data is never stale and is always up to date (does not require expiration)
• Each DB write involves two steps, write to DB and write to cache, which can become expensive by increasing write latency
• Good strategy for applications that do not have a lot of writes

• Downsides:
• Lots of data is stored in memory that may not be frequently accessed
• If a node is spinning up it could miss writes and serve missing data until those keys are written again

Amazon ElastiCache: Caching Strategies

Adding TTL: Essentially, cached data expires after the TTL (Time To Live), which can be applied to both lazy loading and write through to manage cache resources.
• Number of seconds until a key expires (caching is a key:value store)

Note: Any time you access data from in-memory storage it is ephemeral, but it is MUCH faster than reading from a disk. Remember, the type of data you cache depends on the caching engine you're using, the use case, and what it takes to load the data into cache.
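The three strategies above (lazy loading, write through, and TTL expiry) as one runnable Python example. This is an added illustration, not code from the Linux Academy course: the Cache class stands in for a Memcached/Redis node, the DATABASE dict for the SQL backend, and the clock is simulated so expiry is deterministic. All names are this example's own.

```python
"""Lazy loading, write-through and TTL expiry against a simulated cache node."""
import json

# Constructed stand-in for the persistent backend (e.g. MySQL/MariaDB).
DATABASE = {
    "profile:1": {"name": "alice", "plan": "pro"},
    "profile:2": {"name": "bob", "plan": "free"},
}
DB_READS = {"count": 0}   # how many times the app had to go to disk


def db_read(key):
    """Simulated expensive query against the backing store."""
    DB_READS["count"] += 1
    return DATABASE.get(key)


def db_write(key, value):
    DATABASE[key] = value


class Cache:
    """Minimal key:value store with per-key TTL, standing in for one cache node."""

    def __init__(self):
        self._store = {}   # key -> (expires_at or None, serialized value)
        self.now = 0       # simulated clock in seconds, advanced by the caller

    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        expires_at, raw = item
        if expires_at is not None and self.now >= expires_at:
            del self._store[key]   # expired: behaves exactly like a miss
            return None
        return json.loads(raw)

    def set(self, key, value, ttl=None):
        expires_at = None if ttl is None else self.now + ttl
        self._store[key] = (expires_at, json.dumps(value))

    def flush(self):
        """Simulates losing the node: everything in memory is gone."""
        self._store.clear()


def lazy_get(cache, key, ttl=None):
    """Lazy loading: cache first, DB on a miss, then populate the cache."""
    value = cache.get(key)
    if value is None:
        value = db_read(key)
        if value is not None:
            cache.set(key, value, ttl)
    return value


def write_through(cache, key, value, ttl=None):
    """Write-through: the DB write and the cache write happen together."""
    db_write(key, value)
    cache.set(key, value, ttl)


def demo():
    cache = Cache()
    # 1) Lazy loading: the first read misses and goes to the DB, the second is served from cache.
    lazy_get(cache, "profile:1")
    lazy_get(cache, "profile:1")
    reads_after_lazy = DB_READS["count"]   # 1

    # 2) Write-through: the cache is never stale after a write, and no DB read is needed.
    write_through(cache, "profile:1", {"name": "alice", "plan": "enterprise"})
    plan = cache.get("profile:1")["plan"]   # "enterprise"

    # 3) TTL: the key expires after 60 simulated seconds and is reloaded lazily.
    lazy_get(cache, "profile:2", ttl=60)
    cache.now += 61
    lazy_get(cache, "profile:2", ttl=60)
    reads_after_ttl = DB_READS["count"]   # 3 (one for profile:1, two for profile:2)

    # 4) Node loss: the flushed cache falls back to the DB and repopulates itself.
    cache.flush()
    recovered = lazy_get(cache, "profile:1")
    return reads_after_lazy, plan, reads_after_ttl, recovered["plan"]


if __name__ == "__main__":
    print(demo())
```

Step 4 is the point the slides make about node failures: nothing is lost, but every key that was on the lost node turns into a DB read until the cache is warm again, which is the load you size the cluster for.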

Amazon ElastiCache: Memcached

Amazon ElastiCache: Memcached

Memcached is a more traditional caching mechanism which is placed in front of a DB source.
• Does not manage its own persistence
• Can be run in a cluster of nodes
• Does not have backup abilities
• Scales by adding more nodes to the cluster

Populate cache:
• Write through
• Lazy loading

Amazon ElastiCache: Memcached lazy loading example

[Diagram, four steps: two web nodes in front of four cache nodes with a Multi-AZ standby. The web node asks the cache nodes for the key; on a miss it reads the backend DB; the web node then populates the cache.]

Amazon ElastiCache: Memcached

• If you need to scale the nodes in a cluster up or down to a different instance type, you must create a new cluster with the new node instance type

• Purchase reserved nodes to reduce costs; spot pricing is not an option for cache nodes

• Can scale by adding on-demand nodes for times of increased demand

• Every node in the cluster is the same instance type

• Memcached supports auto discovery: client programs automatically identify all nodes in a cache cluster

• Improve fault tolerance by locating nodes in multiple availability zones

Amazon ElastiCache: Memcached

• Memcached is a region-only service; there is no method for "migrating" ElastiCache clusters to another region other than firing up a new cluster in the other region and letting it populate

• In a multi-region design, have an ElastiCache cluster in each region populating data from the local/regional DB server

• Memcached is a great solution for storing "session" state in applications; this makes the web servers stateless, which allows for easy scaling

Amazon ElastiCache: Memcached Backups

Memcached uses a database as its persistent storage. In the event of a node failure, cache misses will make requests to the backend DB to re-populate the cache engine.

Note: This can cause an increased load on your SQL server. To mitigate this load, use more nodes in a cluster so the loss of a single node does not equate to a substantial increase in load on your backend database store.

When "events" occur to clusters, notifications can be configured to be sent to SNS topics for automation and notification.

Amazon ElastiCache: Redis

Amazon ElastiCache: Redis

The Redis caching engine is substantially different than Memcached. Redis provides persistent storage options instead of relying on a DB such as MySQL or MariaDB.

Redis use cases:
• Data sets small enough to be stored in-memory
• Need for a persistent key store, or a caching engine that provides persistence
• Automatic failover to a backup node in case of node failure
• Backup and restore capabilities
• Leader boards
• Data with intense calculations and frequently changing data

Amazon ElastiCache: Redis persistence

Redis is often used as a replacement for some DB servers, which in a Memcached deployment are what provide persistence. To apply persistence to a cluster in the event of a reboot, enable Redis Append Only Files (AOF).
• Disabled by default
• Will write all commands that change the cache to an "append-only" file
• If a node is rebooted and the memory is cleared, then when the Redis caching engine starts the AOF is loaded by replaying the commands in the AOF file, and the cache is available again.
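Added example (not from the course) showing what AOF persistence does: a tiny key store that appends every mutating command to a log file before applying it in memory, then rebuilds the in-memory state by replaying the log after a simulated reboot. The JSON-lines command format, the file name and the KeyStore class are this example's own; Redis uses its own protocol encoding for the real AOF.

```python
"""Append-only-file persistence demonstrated with a tiny in-memory key store."""
import json
import os
import tempfile


class KeyStore:
    """In-memory dict whose mutations are journaled to an append-only file."""

    def __init__(self, aof_path, fsync=True):
        self.aof_path = aof_path
        self.fsync = fsync          # fsync per command: slower, but survives power loss
        self.data = {}
        self._aof = open(aof_path, "a", encoding="utf-8")

    def _log(self, *cmd):
        """Append one mutating command as a JSON line before applying it."""
        self._aof.write(json.dumps(cmd) + "\n")
        self._aof.flush()
        if self.fsync:
            os.fsync(self._aof.fileno())

    def set(self, key, value):
        self._log("SET", key, value)
        self.data[key] = value

    def incr(self, key):
        self._log("INCR", key)
        self.data[key] = self.data.get(key, 0) + 1
        return self.data[key]

    def delete(self, key):
        self._log("DEL", key)
        self.data.pop(key, None)

    def get(self, key):
        return self.data.get(key)

    def close(self):
        self._aof.close()

    @classmethod
    def load_aof(cls, aof_path):
        """Simulate a restart: memory starts empty and the log is replayed."""
        store = cls(aof_path)
        with open(aof_path, "r", encoding="utf-8") as f:
            for line in f:
                cmd = json.loads(line)
                # Apply directly to the dict; re-logging here would double the file.
                if cmd[0] == "SET":
                    store.data[cmd[1]] = cmd[2]
                elif cmd[0] == "INCR":
                    store.data[cmd[1]] = store.data.get(cmd[1], 0) + 1
                elif cmd[0] == "DEL":
                    store.data.pop(cmd[1], None)
        return store


def count_lines(path):
    with open(path, encoding="utf-8") as f:
        return sum(1 for _ in f)


def demo():
    path = os.path.join(tempfile.mkdtemp(), "appendonly.aof")
    store = KeyStore(path)
    store.set("session:42", {"user": "alice"})
    store.incr("leaderboard:alice")
    store.incr("leaderboard:alice")
    store.set("tmp", "x")
    store.delete("tmp")
    store.close()                       # "reboot": the in-memory dict is gone

    restored = KeyStore.load_aof(path)  # replay rebuilds exactly the last state
    result = (
        restored.get("session:42"),
        restored.get("leaderboard:alice"),
        restored.get("tmp"),
        count_lines(path),              # five commands were replayed
    )
    restored.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The replay is only as trustworthy as the log: with fsync disabled the last commands can be lost on a crash, and the file grows without bound until it is rewritten (Redis does this compaction for you).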

Amazon ElastiCache: Redis

Scaling Redis
• Scales similar to RDS scaling: to increase capacity for writes you need to increase the instance size
• Redis also supports clusters of read replica groups
• To increase the size of a Redis node:
• Take a snapshot of the node
• Launch a new node of the larger instance type, seeded from the snapshot
• Can also launch a new cluster and "seed" it from a snapshot

Amazon ElastiCache: Redis backups

Redis is the only caching engine "currently" that supports backups on ElastiCache.

Automatic Snapshots: Backups are taken on a daily basis; select a snapshot window and a retention limit. If a failure occurs on a cluster then the cluster can be restored from the most recent snapshot.

Manual Snapshots: Can be taken at any time and are not subject to the "retention limit" of automatic backups.

Snapshots can be exported into an EC2 managed environment.

Redis snapshots can be copied within a region but cannot be copied to another region.

Amazon ElastiCache: Use cases

• Leader boards
• Session state data
• Recommendation data
• Hootsuite session state example and why it's good for failover

Amazon Redshift

Amazon Redshift: Overview

Fully managed petabyte scale data warehouse used for storing large amounts of data for business intelligence applications.

Redshift runs in a single AZ (if the AZ supports Redshift clusters).

Redshift nodes are continuously backed up to Amazon S3. In the event of a failed drive in the cluster, Redshift will re-replicate the data from the failed drive and replace nodes as needed.

Redshift nodes are all within the same availability zone; a cluster is not available in multiple availability zones at one time.

Amazon Redshift: Overview

Redshift distributes the query from the "leader" node in parallel across all the cluster's compute nodes.

The compute nodes work together to execute the query and return the data back to the leader node, which then organizes the results and sends them back to the client requesting the data from the cluster.

Amazon Redshift: Scaling

Start with small single node clusters and scale up to larger multi-node clusters as demand changes.

Change the instance type of the cluster nodes
• The type of instance determines the total storage

Adding additional nodes
• Queries are sent in parallel from the leader node to the compute nodes within a cluster, so the data is distributed across all available nodes within the cluster
• To scale it is as simple as adding more nodes to the cluster, as long as the instance type of the cluster is still within operational requirements
• When adding nodes, Redshift manages all the data redistribution and load balancing of the data within the cluster to the new nodes

Amazon Redshift: Changing the node type of a cluster

Considerations: Any change made to the cluster requires that enough resources be provisioned to hold the amount of storage currently on the cluster, or the process will fail
• Multi-node to single-node | single-node to multi-node
• Adding nodes
• Changing node type

Resizing a cluster:
• All connections are terminated and the cluster is restarted in read-only mode; any transaction that was not completed will be rolled back
• A new cluster is started (by Redshift) and uses the original (source) cluster as a data source to populate the new cluster
• The new cluster is in read-only mode until the resize is completed
• The endpoint is updated and the old cluster terminates all connections

Amazon Redshift: Costing

Storage is provisioned as part of the node; as long as a cluster is running AWS will charge for the nodes. Spot instances are not an option when working with Amazon Redshift due to the nature of the type of application.

On-demand: on-demand nodes can be added for scaling a cluster, and temporary Redshift clusters can also rely on on-demand pricing.

Reserved instances: To reduce costs for nodes that will maintain a continuous running state, purchase reserved instances to reduce the cost of the nodes
• Must be the proper instance type
• Must be in the proper region/availability zone for the reserved pricing to apply

Amazon Redshift: Costing

BCJC is running a Redshift cluster for a petabyte scale data warehouse application. BCJC anticipates the cluster running 6 nodes of the ds1.xlarge instance type 24x7x365. Currently BCJC has purchased 9 reserved instances that match the proper availability zone and instance type.

• BCJC will be charged the discounted rate for the 6 running nodes
• BCJC will also pay the discounted rate for the additional 3 reserved nodes, even though the cluster is only running 6 nodes (reserved capacity is billed whether or not it is used)

Amazon Redshift: Backups

Data on Amazon Redshift needs to be backed up with Redshift data snapshots
• Point-in-time snapshots are stored on Amazon S3 for durability (done by Redshift)
• Automatic and manual snapshots are available
• Redshift can restore data from a snapshot by launching a new cluster and importing the data from the snapshot

Amazon Redshift: Snapshot Region Copy

Snapshots can be copied from one region to another region (if the region supports Redshift)

• Manual Copy: Manually copy a snapshot from one region to another
• Automatic Copy: Redshift will automatically copy snapshots from one region to another. A retention period for the destination region can also be configured so automated snapshots are removed after the retention period

Note: Snapshot copying does incur data transfer costs from one region to another

Amazon Redshift: Restoring From a Snapshot

A restore from a snapshot will contain the following information
• Number of nodes
• Type of nodes
• Cluster configuration
• Data included in the DBs of the cluster

CloudFront Key Concepts And Overview


Dynamic Content & Whole Site CDN: CloudFront is not just a "static files only" CDN anymore. When you enable "forward query strings" these will be forwarded to the origin (if the origin supports it; S3 does not), which allows the CDN to cache dynamic pages such as WordPress posts that pull from a database. We'll learn in Whole Site CDN how to configure this to ensure that if the dynamic content changes it doesn't stay cached.

Media Streaming: CloudFront allows you to stream media on-demand, with Adobe RTMP streaming distributions as well as streaming origins such as Wowza EC2 instances.

Invalidation: CloudFront will cache the last requested item until either the TTL on the item expires, the object is invalidated, OR the TTL is set to zero and the Last-Modified header has not changed (in which case the cached copy is revalidated against the origin on every request).

Custom SSL: By default CloudFront provides an xxxx.cloudfront.net URL. With this comes an SSL certificate associated with the cloudfront.net domain. If there is a requirement to use a custom domain, i.e. linuxacademy.com, you must provision and configure your own SSL certificate in IAM and associate it with your CloudFront distribution.

Custom Error Messages: CloudFront allows you to respond back with custom error messages/pages, e.g. a 404 not found page.

HTTP Methods: Core benefits are allowing you to use CloudFront for all website actions

DELETE: no caching
GET: caching
HEAD: caching
OPTIONS: caching
PATCH: no caching
POST: no caching
PUT: no caching

What does this mean?

1. If you upload an object using PUT it is not cached at the edge even though the upload process uses the closest edge location. The edge location acts only as a proxy back to the origin on AWS, which does in fact reduce latency and speed up the upload process.
2. A DELETE request will delete the object at the origin but not remove it from the cache; invalidating the cache is still required.

Dynamic Content With CloudFront

Dynamic Content With CloudFront

• Use one CDN for an entire website rather than one for just static files.
• Use custom origins and origin rules to determine which part of the website's requests go to which origin. For example, images go to S3 but dynamic content goes to a specific EC2 instance.
• Whole site CDN works with uploads as well, up to 20GB. The edge location acts as a proxy for the uploaded object to the origin, with the speed of the AWS backbone network rather than the open internet. This will increase site performance even with uploads!
• Use a 0 TTL for dynamic content

Dynamic Content With CloudFront

Scenario: BCJC is consulting for a company that runs their current application entirely on-premise. However, they are expecting a big boost in traffic tomorrow and need to figure out a way to decrease the load in order to handle the scale. Unfortunately, they cannot migrate their application to AWS in the time period required. What could they do to their current on-premise application to help offload some of the traffic and scale to meet the demand expected in 24 hours?

Whole site CDN! CloudFront allows you to specify custom origins, including on-premise servers and sources. Configure static resources in the CDN as well as dynamic content, and enable query string forwarding.

Dynamic Content With CloudFront

How does dynamic caching work? What if the dynamic content has changed?!

• Create a custom origin for your dynamic content
• Enable forwarding of query strings
• Set the TTL to 0. IMPORTANT! What does a TTL of 0 do?
• It will cache the content even though the TTL is set to zero
• When a request is made, CloudFront will make a GET request to the origin with an "If-Modified-Since" header to determine if there is new data at the origin. If there is, the new data is requested and cached; otherwise the origin answers 304 Not Modified and the current data is served from the cache.
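Added example (not part of the course material) of the origin side of that revalidation: a handler that answers CloudFront's If-Modified-Since with 304 when the object is unchanged, and with 200 plus a new Last-Modified when it has changed. ARTICLES, handle_request and edit_article are this example's own names, and the article data is constructed; a real origin would do the same comparison inside its web framework.

```python
"""Conditional GET handling at a custom origin behind a TTL-0 CloudFront behaviour."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed origin data: path -> (last_modified, body)
ARTICLES = {
    "/posts/1": (datetime(2015, 12, 1, 10, 0, tzinfo=timezone.utc), "hello world"),
}


def http_date(dt):
    """RFC 7231 date, e.g. 'Tue, 01 Dec 2015 10:00:00 GMT' (dt must be UTC)."""
    return format_datetime(dt, usegmt=True)


def handle_request(path, headers):
    """Return (status, headers, body) the way a WSGI-style origin would."""
    if path not in ARTICLES:
        return 404, {}, ""
    last_modified, body = ARTICLES[path]
    validator = {"Last-Modified": http_date(last_modified)}
    ims = headers.get("If-Modified-Since")
    if ims:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):   # garbage header: ignore it, send full response
            since = None
        # HTTP dates have one-second resolution, so compare at that granularity.
        if since is not None and last_modified.replace(microsecond=0) <= since:
            return 304, validator, ""      # unchanged: no body, edge keeps its copy
    return 200, validator, body


def edit_article(path, new_body, when):
    """Origin-side update: bumping Last-Modified is what makes the next revalidation miss."""
    ARTICLES[path] = (when, new_body)


def demo():
    # First fetch from the edge: no validator yet, full 200 with Last-Modified.
    status1, hdrs1, body1 = handle_request("/posts/1", {})
    # Every later request (TTL 0) revalidates with that Last-Modified value.
    status2, _, body2 = handle_request("/posts/1", {"If-Modified-Since": hdrs1["Last-Modified"]})
    # The content changes at the origin; the same validator is now stale.
    edit_article("/posts/1", "hello again", datetime(2015, 12, 2, 9, 30, tzinfo=timezone.utc))
    status3, _, body3 = handle_request("/posts/1", {"If-Modified-Since": hdrs1["Last-Modified"]})
    return (status1, body1, status2, body2, status3, body3)


if __name__ == "__main__":
    print(demo())
```

If the origin never sets Last-Modified (or ETag), CloudFront has nothing to revalidate with and a TTL of 0 degrades into a full fetch on every request, which is the "decrease the load" scenario failing silently.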

Dynamic Content With CloudFront

Device Detection: Send users different content based on the type of device that makes the request to CloudFront, which is based off of the User-Agent header.

Geo Targeting: Serve content specific to an individual country by using CloudFront geo targeting; the URL stays the same, the content sent is different.

How it works: Essentially AWS records this information and sends it to the origin as part of the request (as CloudFront-* headers such as CloudFront-Is-Mobile-Viewer and CloudFront-Viewer-Country). Your code on the application server can process the data and return customized content based off of the information.

Query Strings / URL parameter forwarding

i.e. http://domain.com/videodownloads?current=5 (forwards current=5 to the server)

CloudFront Reporting

CloudFront Reporting

Access Logs: Show details of every request made to your CloudFront distribution. Can integrate with EMR for log analysis.

Log data:
• Object requested
• Date and time of request
• Edge location serving the request
• Client IP address
• HTTP Referrer
• HTTP User Agent

Access logs are sent to and stored in Amazon S3 buckets
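Added example (not from the course) that parses CloudFront standard access logs and pulls out the kind of figures the reports above summarize, plus a simple security signal: the cache hit ratio, clients with many 4xx responses (probes against signed-URL or geo-restricted content), and requests that arrived over plain HTTP. The log lines are constructed in the tab-separated format with a #Fields header; the field names are the real CloudFront ones (a subset of the current list), while the IPs, paths and request IDs are made up.

```python
"""Parse CloudFront access logs and extract cache and security signals."""
from collections import Counter

FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")


def _row(time, edge, ip, uri, status, ua, result, req_id, proto):
    """Build one constructed log line with the 19 fields listed in FIELDS."""
    return "\t".join(["2015-12-15", time, edge, "5120", ip, "GET",
                      "d111111abcdef8.cloudfront.net", uri, status, "-", ua,
                      "-", "-", result, req_id, "video.example.com", proto, "300", "0.01"])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + FIELDS,
    _row("10:00:01", "IAD53", "203.0.113.10", "/index.html", "200", "Mozilla/5.0", "Hit", "REQ1", "https"),
    _row("10:00:02", "IAD53", "203.0.113.10", "/videos/1.mp4", "200", "Mozilla/5.0", "Miss", "REQ2", "https"),
    _row("10:00:03", "IAD53", "198.51.100.7", "/videos/2.mp4", "403", "curl/7.43", "Error", "REQ3", "http"),
    _row("10:00:04", "IAD53", "198.51.100.7", "/videos/3.mp4", "403", "curl/7.43", "Error", "REQ4", "http"),
    _row("10:00:05", "IAD53", "198.51.100.7", "/videos/4.mp4", "403", "curl/7.43", "Error", "REQ5", "http"),
    _row("10:00:06", "FRA2", "192.0.2.44", "/videos/1.mp4", "200", "Mozilla/5.0", "RefreshHit", "REQ6", "https"),
]) + "\n"


def parse_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed log line: " + line[:40])
        records.append(dict(zip(fields, values)))
    return records


def cache_hit_ratio(records):
    """Share of cacheable responses served from the edge (Hit or RefreshHit)."""
    served = [r for r in records if r["x-edge-result-type"] in ("Hit", "RefreshHit", "Miss")]
    hits = sum(1 for r in served if r["x-edge-result-type"] in ("Hit", "RefreshHit"))
    return hits / len(served) if served else 0.0


def suspicious_clients(records, threshold=3):
    """Client IPs with at least `threshold` 4xx responses: enumeration of protected objects."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"].startswith("4"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def plaintext_requests(records):
    """Requests that reached the edge over HTTP; should be zero if viewers are forced to HTTPS."""
    return sum(1 for r in records if r["cs-protocol"] == "http")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), cache_hit_ratio(recs), suspicious_clients(recs), plaintext_requests(recs))
```

Because the parser keys every record by the header names, the same functions work unchanged on real log files from the S3 bucket, which carry many more columns than the six constructed lines here.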

CloudFront Reporting: Cache Statistics

[Screenshot of the cache statistics report; no text survives.]
CloudFront Reporting: Additional Reports & Analytics

Popular Objects: Shows the most requested objects from the CDN distribution

Top Referrers: Shows the URLs that made the most requests to the CDN distribution

Usage: Number of HTTP / HTTPS requests, data transferred by protocol, data transferred by destination (from CloudFront to the users / from CloudFront to the origin)

Viewers:
• Devices
• Browsers
• Operating Systems
• Locations

CloudFront Security

CloudFront Security

Private Content
• Signed URLs: Provide URLs with expiry dates to limit access to content

• Signed Cookies: Signed cookies are new and are an extremely flexible tool in terms of limiting content. You can limit content without changing the URL. For example: if a user is logged into a site, you can issue a signed cookie that verifies they have permission to access certain parts of the site. If streaming HLS files from CloudFront you can also create signed cookies that will be validated each time an HTTP request is made to an HLS chunk, essentially providing secure streaming!

CloudFront Security

Geo Restriction: A CloudFront setting that allows you to specify which countries your CDN will (or will not) deliver to

CloudFront Security: Forcing HTTPS To The Origin
If the origin is S3 then requests made to the CloudFront distribution will be forwarded with the protocol that was originally used. I.e. if the client request was HTTPS it will forward to the origin as HTTPS.

Custom Origins: Custom origins have the option to forward as HTTP only or "Match Viewer", which means if the client request is HTTPS then the request is made from CloudFront to the custom origin as HTTPS.

CloudFront Performance

CloudFront Performance Considerations

• Increase performance by increasing the number of requests that are cache hits instead of cache misses

• Use CloudFront to upload objects; the edge location will proxy the data back to the origin location over the AWS backbone network

• Increase the minimum TTL and maximum TTL so items are cached longer (if they are not frequently changing)

How does CloudFront react in the event of high load and multiple simultaneous requests for the same object?

In case of simultaneous requests for an object that is not yet cached, CloudFront will wait for the first request to the origin to finish before processing the second request, rather than sending every request through to the origin.

CloudFront Video Streaming

CloudFront Video Streaming

Video streaming on CloudFront is a very useful tool, as you can use the CDN to stream video around the world. The key is understanding how to stream different types of video and how to secure access to the video if required.

On-Demand Streaming

Pre-Recorded Media Streaming

Live Streaming

CloudFront Video Streaming

On-Demand Streaming: On-demand streaming is configured on web CloudFront distributions.

Smooth: To enable Microsoft Smooth Streaming, create a web distribution and on the custom origin select "Enable smooth streaming"

Progressive Downloads: Progressive download is the process of transferring digital media files (HLS/MP4) from a CloudFront origin to a client over HTTP/HTTPS

CloudFront Video Streaming

Pre-Recorded Media Streaming: Streaming of pre-recorded media, usually MP4 files, over the Adobe RTMP streaming protocol. This is actual video streaming and not video download, and requires an RTMP (streaming) distribution when creating a new CloudFront distribution.

Live Streaming: Use the CloudFront CDN with a streaming server origin such as Wowza media server to stream live events. Live event streams send chunks of data that can be cached with a "delay" by the CDN, so live requests are served via CloudFront and only a limited number of streams are sent to the streaming origin such as Wowza EC2 instances. To configure this setup you would use a web distribution and NOT an RTMP distribution.

Note: Keep in mind there is no "streaming switch" other than enabling smooth streaming on CloudFront distributions. This means understanding what type of media should be streamed from what type of CloudFront distribution is important.

Amazon Elastic Transcoder

Amazon Elastic Transcoder

Elastic Transcoder is a fully managed AWS application service that works out of specific regions.

Elastic Transcoder is used to convert media files stored on AWS S3
• Different formats (mobile available, i.e. HLS)
• Different quality levels
• Different resolutions
• Apply captions
• Create MP3 files from video files
• Add watermarks to videos

Amazon Elastic Transcoder

The result S3 bucket that receives the transcoded file is a prime example of when you can use RRS (Reduced Redundancy Storage). The transcoded files are easily reproduced from the "source" video bucket.

Amazon Elastic Transcoder: Components of Elastic Transcoder

Jobs: A job is created via the API when you specify the type of encoding, video settings, and presets for the videos you want to create. A single job can create up to 30 output video types.

Pipelines: Pipelines are where the jobs are submitted. Pipelines handle each job in the order in which they are submitted to the pipeline. The pipeline is where the source and destination buckets are configured for the outputted files. All jobs in a pipeline can be temporarily stopped just by "pausing" the entire pipeline.

Presets: Pre-built templates for transcoding files from one format into another.

Notifications: Integrate with SNS for automation and job updates


Linux Academy

Amazon Web Services


Streaming With S3, CloudFront, And Transcoder

On-demand / Pre-recorded video streaming

[Diagram: Transcoder source bucket -> Transcoder pipeline/job -> Transcoder destination bucket (also the CloudFront origin) -> CloudFront streaming/download distribution]

Notice this: No EC2 instances required for streaming; an entire highly available and infinitely scalable solution.

Remember: Download distribution for non-Adobe RTMP streaming protocols; streaming distribution for only Adobe RTMP.

Live Streaming

[Diagram: Source feed -> Wowza Streaming EC2 instances -> CloudFront streaming/download distribution]

Securing Your On-Demand Videos

Encryption at rest
• Use AWS KMS to decrypt source data and encrypt the resulting output
• Use an origin access identity on your CloudFront distribution so content can only be served via CloudFront, NOT via S3 URLs

What about streaming protection?

Signed URLs:
• Streaming RTMP data from a streaming distribution (signed cookies are not supported)
• Signed URLs for progressive download; this is a security hole because it makes the file available for download for as long as the video is available
• If a client does not support cookies

Signed Cookies:
• Providing access to multiple files, for example the chunk files of HLS; the signed cookies will be "checked" for each served chunk
• Do not require "custom signed" URLs; the URL link can stay the same

AWS Data Pipeline

AWS Data Pipeline is used for automating the transfer and/or transformation of data

Examples:
• Migrating DynamoDB tables to another region (can also do this with DynamoDB Streams), also known as importing/exporting DynamoDB data
• Exporting RDS tables
• Taking data from an S3 bucket, performing ETL (extract, transform and load), and uploading it to another resource such as RDS, DynamoDB, Elastic MapReduce, etc.
• Processing data using EMR with Hadoop streaming

Data pipeline key benefits:

• Automate the movement of data between services
• Move data to and from services and transform data
• Set preconditions on "tasks" before the pipeline starts
  • e.g. wait until log files are delivered to S3 before starting the pipeline that sends them to EMR for processing
• Can run a pipeline:
  • Once
  • A defined number of times
  • On activation
  • Indefinitely
  • Repeatedly within a date range

Data pipeline use case examples

Export and import DynamoDB tables for backup/restore across regions

Importing data to Redshift:
• Bulk copy data from DynamoDB or S3 to a new or existing Redshift table.
• To move data from RDS to Redshift, first move it to S3 as part of the pipeline
• Run SQL queries on the data that is stored within Redshift; those query results can be stored in a new table or modified in the existing table

Data pipeline use case examples: Clickstream analysis (diagram)

[Diagram: Clickstream logs (pushed from something like Kinesis) -> AWS Data Pipeline -> EMR for cleaning of logs -> S3 bucket with formatted logs -> perform SQL queries against the data, and long-term storage]

Technical Overview:

Task Runners: An application "polling" the pipeline for tasks to perform, which then performs that task
• Can be launched by pre-built data pipeline templates
• Can be added to EC2 instances or an on-premise server!

Data Nodes: The location and type of data the pipeline uses as input and output
• DynamoDBDataNode
• MySqlDataNode
• RedshiftDataNode
• S3DataNode

Activities: This defines what is supposed to be done by the pipeline. Pre-built activities are available in Data Pipeline, but you can also write custom scripts to perform custom tasks
• Copy data from one location to another
• Run an EMR cluster
• Run a Hive query within an EMR cluster
• Run a Pig script on an EMR cluster
• Copy data to and from Redshift tables
• Run custom shell commands
• Run a SQL query on a supported database

Databases: Supported databases
• JDBC database
• RDS database
• Redshift database

Preconditions: An assertion that must be true in order for the pipeline to run. You can create a custom precondition with a script or use a Data Pipeline precondition
• DynamoDBDataExists: Checks for data within a specific DynamoDB table
• DynamoDBTableExists: Checks to see if a DynamoDB table exists
• S3KeyExists: See if an S3 key (object) exists
• S3PrefixNotEmpty

User preconditions
• Exists: Checks to see if a data node exists
• ShellCommandPrecondition: Executes a Linux bash command

Resources: Computational resources which perform the specified pipeline activity.
• Ec2Resource
• EmrCluster
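To make the components above concrete, here is an added example (not course or AWS code) that assembles a DynamoDB-to-S3 export in the pipeline definition JSON format, wiring an EmrActivity to a DynamoDBDataNode input, an S3DataNode output, a DynamoDBTableExists precondition and an EmrCluster resource, and then checks that every `ref` points at an object of the right component kind. The table, bucket and role names are constructed placeholders, and the EMR step string follows the shape of the AWS-provided DynamoDB export template.

```python
"""Build and check an AWS Data Pipeline definition that exports a DynamoDB table to S3.

Added example; not code from the course or from AWS. The object/field layout is the
pipeline definition JSON accepted by `aws datapipeline put-pipeline-definition`; the
table, bucket and role names are constructed placeholders.
"""
import json

# The component taxonomy from the slides, mapped to object "type" values.
DATA_NODES = {"DynamoDBDataNode", "MySqlDataNode", "RedshiftDataNode", "S3DataNode"}
ACTIVITIES = {"CopyActivity", "EmrActivity", "HiveActivity", "PigActivity",
              "RedshiftCopyActivity", "ShellCommandActivity", "SqlActivity"}
PRECONDITIONS = {"DynamoDBDataExists", "DynamoDBTableExists", "S3KeyExists",
                 "S3PrefixNotEmpty", "Exists", "ShellCommandPrecondition"}
RESOURCES = {"Ec2Resource", "EmrCluster"}

# Reference fields and the component kind each one must point at.
REF_FIELDS = {
    "input": DATA_NODES,
    "output": DATA_NODES,
    "runsOn": RESOURCES,
    "precondition": PRECONDITIONS,
    "schedule": {"Schedule"},
}

# Jar, class and arguments in the shape used by the AWS "Export DynamoDB table to S3" template.
EXPORT_STEP = ("s3://dynamodb-emr-us-east-1/emr-ddb-storage-handler/2.1.0/emr-ddb-2.1.0.jar,"
               "org.apache.hadoop.dynamodb.tools.DynamoDbExport,"
               "#{output.directoryPath},#{input.tableName},#{input.readThroughputPercent}")


def dynamodb_export_definition(table_name, bucket):
    """Return a definition (dict) that copies one DynamoDB table to S3 once a day.

    The activity runs on a transient EMR cluster (a Resource), reads a DynamoDBDataNode,
    writes an S3DataNode, and is gated by a DynamoDBTableExists precondition.
    """
    return {"objects": [
        {"id": "Default", "name": "Default", "scheduleType": "cron",
         "failureAndRerunMode": "CASCADE", "schedule": {"ref": "DailySchedule"},
         "role": "DataPipelineDefaultRole",
         "resourceRole": "DataPipelineDefaultResourceRole"},
        {"id": "DailySchedule", "type": "Schedule", "period": "1 days",
         "startAt": "FIRST_ACTIVATION_DATE_TIME"},
        {"id": "SourceTable", "type": "DynamoDBDataNode", "tableName": table_name,
         # Cap the share of the table's provisioned read throughput the export may use.
         "readThroughputPercent": "0.25"},
        {"id": "BackupLocation", "type": "S3DataNode",
         "directoryPath": "s3://%s/backups/%s/#{format(@scheduledStartTime, 'YYYY-MM-dd')}"
                          % (bucket, table_name)},
        {"id": "TableMustExist", "type": "DynamoDBTableExists", "tableName": table_name},
        {"id": "ExportCluster", "type": "EmrCluster", "masterInstanceType": "m3.xlarge",
         "coreInstanceType": "m3.xlarge", "coreInstanceCount": "1",
         "terminateAfter": "2 Hours"},
        {"id": "ExportActivity", "type": "EmrActivity", "step": EXPORT_STEP,
         "runsOn": {"ref": "ExportCluster"}, "input": {"ref": "SourceTable"},
         "output": {"ref": "BackupLocation"}, "precondition": {"ref": "TableMustExist"}},
    ]}


def validate_definition(definition):
    """Return a list of problems; an empty list means every reference is consistent."""
    objects = {obj["id"]: obj for obj in definition["objects"]}
    problems = []
    if "Default" not in objects:
        problems.append("missing the Default object (roles and schedule type)")
    for obj in definition["objects"]:
        for field, allowed in REF_FIELDS.items():
            if field not in obj:
                continue
            ref = obj[field].get("ref")
            target = objects.get(ref)
            if target is None:
                problems.append("%s.%s references unknown object %r" % (obj["id"], field, ref))
            elif target.get("type") not in allowed:
                problems.append("%s.%s must reference %s, not a %s" % (
                    obj["id"], field, "/".join(sorted(allowed)), target.get("type")))
        if obj.get("type") in ACTIVITIES and "runsOn" not in obj:
            problems.append("%s: activity has no runsOn resource" % obj["id"])
    return problems


if __name__ == "__main__":
    definition = dynamodb_export_definition("Votes", "example-backup-bucket")
    print(json.dumps(definition, indent=2))
    print("problems:", validate_definition(definition) or "none")
```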

Data pipeline cost considerations:

Data Pipeline utilizes EC2 instances for both EC2-based resources and EMR-based resources

• Purchase reserved instances to reduce the cost of EC2 based on usage
• Use spot instances for the "task" EMR nodes
  • The data is persistent because the core nodes in an EMR cluster are on-demand, so the risk of them being terminated due to being outbid is eliminated

Trade-offs of reduced costs with spot instances:

• If you are using spot nodes, then it can take longer for the pipeline to start due to waiting on successful bidding
• A pipeline can fail and have to be retried if spot instances are outbid at any time

RDS Overview + Security

AWS RDS

AWS Professional Requirements:
• Understand security design
• Understand multi-region RDS environments and architectures
• Understand hybrid on-premise to AWS architectures
• Understand how to scale RDS instances

This lesson focuses on security for RDS

AWS RDS: Security

Encryption (data at rest): Can be enabled on RDS instances to encrypt the underlying storage. By default, this will also encrypt snapshots as they are created, and no additional configuration needs to be made on the client side for this to work.

If encryption is enabled:
• Keys are managed by AWS KMS
• Logs are encrypted
• Snapshots are encrypted
• Backups are encrypted
• Read replicas are encrypted
• Once created, the key used cannot be changed
• If the key is lost, then the DB can only be restored from a backup
• Encryption can only be specified at instance creation time
• Cross-region replicas and snapshot copy do not work, since the key is only available in a single region

RDS databases that support at-rest encryption on RDS:
• MySQL
• Oracle
• SQL Server
• PostgreSQL
• MariaDB

Transparent Data Encryption (TDE): Automatically encrypts the data before it is written to the underlying storage device and decrypts it when it is read from the storage device.

This is a native feature of:
• Oracle: Requires key storage outside of KMS and integrates with CloudHSM for this
• SQL Server: Requires a key, but it is managed by RDS after enabling TDE

Encrypted Connections (SSL): SSL endpoints can be used (and should be used) to connect from the SQL client (the app making the SQL connection) to the RDS instance.

An SSL certificate is created when the RDS instance is created.

MySQL / MariaDB on RDS

AWS RDS: MySQL + MariaDB

AWS Professional Requirements:
• Understand multi-region RDS environments and architectures
• Understand hybrid on-premise to AWS architectures
• Understand how to scale RDS instances

MariaDB is a fork of MySQL

Read replicas: Read replicas can be created in any region supporting RDS. Data can be asynchronously replicated using the MySQL native replication features from the master instance to any read replica (slave) instance within any region.

• Improves disaster recovery (reduces the RTO and RPO of an application)
• Helps with data migration from one region to another
• Allows RDS "reads" to scale out globally (writes still need to happen on the master)
• Reduces load against the "master" database by sending read traffic to read replicas
• It is still best practice to use caching in front of the read replicas, depending on your update requirements

[Diagram: database queries served by RDS instances spread across Availability Zones in us-east-1 and eu-west-1]

Replication as a disaster recovery or data migration mechanism

Replication with MySQL can be used to export data to an on-premise network
• Configure the RDS MySQL instance
• Configure the MySQL DB instance on RDS to be the replication source
• Use mysqldump and transfer the database from RDS to the on-premise MySQL
• Start replication to the instance running external to RDS (it is set as the slave)
• After the export is completed, stop replication

Replication for MySQL can also be configured from on-premise to RDS
• Set the source MySQL instance to read-only
• Determine the binlog location
• Use mysqldump to copy the existing database to RDS
• Make the source writeable again
• Configure the security group to allow your external IP address to communicate with the instance
• Create the MySQL replication user and grant permissions
• Configure the RDS instance to be a replica by using the mysql.rds_set_external_master command at the command line of the RDS instance
• Issue the mysql.rds_start_replication command on the replica RDS instance

• On-premise to RDS backup (using AWS as a failover)
• RDS MySQL to another region with read replicas
• Multi-AZ failover for synchronous replication
• MySQL replication for importing data to the cloud (also use mysqldump/mysqlimport)

Note: Replication for MySQL server only works on MySQL 5.6.13 or later

RDS: Oracle DB

AWS RDS: Oracle DB

AWS Professional Requirements:
• Understand multi-region RDS environments and architectures
• Understand hybrid on-premise to AWS architectures
• Understand how to scale RDS instances

Available Oracle DBs on RDS:
• Oracle EE: Oracle Enterprise Edition
• Oracle SE: Oracle Standard Edition
• Oracle SE One: Oracle Standard Edition One

Databases not supported:
• Oracle RAC: A cluster database with shared cache architecture

Oracle RAC: This can run on EC2 instances even though multicast is required; you can use a VPN (Ntop N2n) to create a tunnel between the nodes. Placement groups would be required since it is a cluster service. The Data Guard service can be used to extend high availability to the RAC design.

Importing databases into RDS Oracle instances:
• Import small databases with Oracle SQL Developer
• Import large databases with Oracle Data Pump
• Import data from an Oracle EC2 instance to an RDS Oracle DB instance
• Import from a database on one Oracle DB instance to another Oracle DB instance
• Import data from a local on-premise DB to an RDS Oracle DB instance

Oracle does not support:
• Cross-region replication on RDS

AWS RDS: Backing Up Oracle DB Using RMAN and AWS

RMAN (Recovery Manager) is a backup and recovery manager included in all Oracle versions from Oracle 8 on.

• With on-premise Oracle servers, use RMAN to back up data to Amazon S3 as part of a hybrid environment
• With RDS-based Oracle servers, use DB snapshots for point-in-time snapshots
• RMAN can also be used with Oracle EC2 instances

RDS: MSSQL

AWS RDS: MSSQL

AWS Professional Requirements:
• Understand multi-region RDS environments and architectures
• Understand hybrid on-premise to AWS architectures
• Understand how to scale RDS instances

• Supports point-in-time automatic backups and manual snapshot backups
• Supports Multi-AZ deployment options, which use the SQL Server Mirroring native to SQL Server for high availability and failover
• Read replicas are NOT supported on SQL Server -> scaling will require increasing instance size
• Multi-region disaster recovery and backups will require using the import/export tools provided by SQL Server
• In order to have multi-region disaster recovery you can copy a snapshot from RDS to another region

AWS RDS: Importing MSSQL data

NOT as easy as the other open-source technologies, since native MSSQL Server restore is not supported on RDS.

1. Turn off all applications talking to the database
2. Disable key constraints
3. Disable backups
4. Create an empty table for each table being imported from on-premise to RDS
5. Export your tables and databases into "flat files"; it's a built-in function as part of MSSQL Server Studio (on-premise)
6. Import those flat files into the new MSSQL RDS instance

Not supported MSSQL functions:
• Restore data from file
• FILESTREAM

AWS CloudSearch

AWS CloudSearch is a fully hosted solution provided by AWS. CloudSearch is used for indexing documents and the information contained within the documents for search within an application.

CloudSearch provides search features similar to Apache Solr, and CloudSearch is powered by Solr.

Search features include:
• Full text search
• Boolean search
• Prefix search
• Range search
• Term boosting (assign higher importance to specific keywords)
• Faceting (essentially "drill down" and "filter" searches)
• Highlighting (highlights all items found on a page based off of the search)
• Autocomplete suggestions

Document types that can be indexed by CloudSearch
• CSV
• PDF
• HTML
• Excel
• PowerPoint
• Word
• Regular text

CloudSearch can be used to search DynamoDB tables
• When updates to DynamoDB data occur, send the updates to CloudSearch
• Periodically send the updates to CloudSearch

Note: The CloudSearch data is indexed within CloudSearch. If changes occur to indexed items, they will need to be re-uploaded to CloudSearch for indexing.

Scaling:
• CloudSearch will automatically scale based off of the increase in data and search load on the nodes
• You can manually scale out to additional nodes in the interface if an increase in search traffic is anticipated
• Multi-AZ is available by the "click of a button" to automatically add high availability
• The core of CloudSearch is just software running on EC2 instances, so there are costs associated with those nodes, which is the cost of CloudSearch

Deployment Concepts On AWS

CloudFormation Templates

CloudFormation

Talk about different "sections"
Talk about configuration for multiple EC2 instances
Talk about the preserve/delete properties
Example EC2 launch configuration, example of a network team managing network resources on multiple stacks
Nested stack example?
Talk about deletion policies
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html
Recorded example of a network item, and then a dev item.

OpsWorks Deployment And Concepts

Blue/Green Deployment
https://d0.awsstatic.com/whitepapers/managing-multi-tiered-web-applications-with-opsworks.pdf

SQS Message Priority

AWS SQS: SQS Message Priority

SQS is used for creating distributed architectures and is commonly used for batch processing architectures.

If your app has a "free tier" which processes "jobs", but you offer a premium service so those jobs are processed faster, how can you design a message priority queue so that premium jobs are completed first?

[Diagram: a High Priority queue and a Low Priority queue. The instance determines message priority and submits to the associated queue. The higher priority queue has more processing resources allocated, so those jobs complete first. Use DelaySeconds to turn this into a delay queue, so messages do not appear until N seconds after being pushed to the queue.]
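As an added example (not course code, and it does not call SQS), here is a small in-process model of the design in the diagram: a router that sends premium jobs to the high-priority queue, a per-message or per-queue DelaySeconds that keeps a message invisible until its delay has elapsed, and a worker cycle that gives the high-priority queue more receive slots so its jobs drain first. The queue names, job bodies and the tick-based clock are constructed for the example.

```python
"""Model of the two-queue SQS priority design with DelaySeconds.

Added example; it never talks to SQS. A constructed integer clock (seconds) replaces
wall-clock time so the delay behaviour is deterministic. Queue names and jobs are made up.
"""
import heapq
import itertools


class ModelQueue:
    """Just enough of an SQS queue for the pattern: ordered delivery plus per-message delay."""

    def __init__(self, name, delay_seconds=0):
        self.name = name
        self.delay_seconds = delay_seconds  # queue-level default, like the DelaySeconds attribute
        self._heap = []                     # (visible_at, sequence, body), oldest visible first
        self._seq = itertools.count()

    def send_message(self, body, now, delay_seconds=None):
        """Enqueue body; it becomes visible at now + delay (a message delay overrides the default)."""
        delay = self.delay_seconds if delay_seconds is None else delay_seconds
        heapq.heappush(self._heap, (now + delay, next(self._seq), body))

    def receive_message(self, now):
        """Return the oldest message whose delay has elapsed, or None if nothing is visible yet."""
        if self._heap and self._heap[0][0] <= now:
            return heapq.heappop(self._heap)[2]
        return None

    def approximate_visible(self, now):
        """Count of messages a consumer could receive right now (delayed ones are excluded)."""
        return sum(1 for visible_at, _, _ in self._heap if visible_at <= now)


def route_job(job, high, low, now):
    """The producing instance decides the priority and submits to the matching queue."""
    target = high if job["tier"] == "premium" else low
    target.send_message(job, now)
    return target.name


def process_cycle(high, low, now, high_slots=3, low_slots=1):
    """One worker cycle: the high-priority queue gets more receive slots, so its jobs finish first."""
    done = []
    for queue, slots in ((high, high_slots), (low, low_slots)):
        for _ in range(slots):
            job = queue.receive_message(now)
            if job is None:
                break
            done.append(job["id"])
    return done


def simulate(jobs, cycles, delay_seconds=0):
    """Route every job at t=0, then run worker cycles one second apart; return completion order."""
    high = ModelQueue("jobs-high", delay_seconds)
    low = ModelQueue("jobs-low", delay_seconds)
    for job in jobs:
        route_job(job, high, low, now=0)
    order = []
    for t in range(cycles):
        order.extend(process_cycle(high, low, now=t))
    return order


if __name__ == "__main__":
    tiers = ["free", "premium", "free", "premium", "premium", "premium"]
    sample = [{"id": i, "tier": tier} for i, tier in enumerate(tiers)]
    print(simulate(sample, cycles=3))                    # premium ids 1, 3, 4 complete before free id 0
    print(simulate(sample, cycles=2, delay_seconds=2))   # nothing visible yet: []
```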

SQS Job Observer Pattern

AWS SQS: Job Observer Pattern

[Diagram: CloudWatch + Auto Scaling]

http://en.clouddesignpattern.org/index.php/CDP:Priority_Queue_Pattern

DynamoDB Use Cases

AWS SQS: Massive Available Voting app

BCJC contracts with NBC to handle votes for The Voice! The Voice final show and vote is occurring in two days, and BCJC has to build an entire application and architecture that will handle hundreds of millions of votes without failing. The voters will open up a web application to vote yes or no on each candidate. A single vote cannot be missed.

What might be a way to architect this application?

Think "zero downtime"
Think "AWS Services"

• JavaScript is a client-side language that has APIs into AWS
• Build the JavaScript app and host it on S3 (no server required)
• For each vote, add a message to the SQS queue; this guarantees message delivery
• Process messages with the job observer design pattern
• Store the results for reading in DynamoDB

[Diagram: JavaScript client -> SQS -> CloudWatch + Auto Scaling workers -> store results in DynamoDB]

DynamoDB

Problem: Thousands of objects that need to be easily retrieved based off of attribute information.

Solution using just S3: S3 allows you to list objects based off of "key search", basically searching the prefix of the object. The list search is limited to just 1,000 objects.

Correct solution: Build an additional index that is easily searchable and stores specific attributes about the object. These attributes can be searched and are linked back to the correct object. Easily searchable solutions like DynamoDB, which require no servers, will reduce cost and increase efficiency when searching for objects.

What we already know:
• DynamoDB is made up of provisioned tables, and throughput can be increased on each table
• DynamoDB is highly available and scalable
• ElastiCache can be used in front of DynamoDB in order to offload high amounts of reads for infrequently changed data
• A table is just a collection of items, and items are made up of attributes
• Each table requires a primary key, which needs to be as unique as possible to provision against multiple partitions
• Data is indexed by the primary key
• Hash key: now known as the Partition Key (a simple primary key); combined with a range key it forms a composite key
• Hash + Range: the Range key is now known as the Sort Key

Table Name   Primary Key Type   Partition Key Name   Sort Key Name
Course       Simple             Name                 -
Lesson       Composite          CourseName           LessonName
Notes        Composite          Id                   CreateDate

An index is created on the Partition Key name, and for composite table types the data is stored in sorted order based off of the Sort Key Name

Two ways to search data within a table
1. Using the "Query" API call:
   • The query is performed against the primary key, and a value for the sort key can be passed with a comparison operator.
   • Query is the fastest lookup method, as it is performed against a stored "index" in the table
   • Querying an "indexed" item is the fastest method of looking up data in the DynamoDB table
2. Using the "Scan" API call:
   • Scan will read every item in the table and search every possible attribute rather than only indexed attributes.
   • This is the most taxing method available and causes performance issues

DynamoDB Secondary Indexes

Scan operations occur against the index partition key. However, what if the table has multiple fields that need to be searched by? Scan API calls are very taxing on performance and are slow. How might you solve this issue?

Secondary indexes: Let you query the data within a table using a secondary key instead of just the primary partition key.

• Global Secondary Index: An index on a new partition key and sort key that are different from those of the defined table
• Local Secondary Index: An index that has the same partition key but a different sort key
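As an added example (not course code, and not how DynamoDB is implemented), here is a small in-memory model of the lookups described above, using the Lesson table from the slides with constructed items: a Query reads only the sorted entries of one partition (optionally narrowed by a sort key comparison such as begins_with), a Scan reads every item, and a local secondary index and a global secondary index let the same items be queried by other keys. The index names and the Duration and Instructor attributes are assumptions made for the example.

```python
"""In-memory model of DynamoDB key lookups: Query, Scan, and local/global secondary indexes.

Added example; not course code and not DynamoDB's implementation. It models the Lesson
table from the slides (partition key CourseName, sort key LessonName). The items, the
"ByDuration" LSI and the "ByInstructor" GSI are constructed for the example.
"""
import bisect
from collections import defaultdict


def _insert_sorted(index, pk_value, sk_value, item):
    """Keep each partition's entries ordered by sort key, as the stored index is."""
    entries = index[pk_value]
    pos = bisect.bisect_right([k for k, _ in entries], sk_value)
    entries.insert(pos, (sk_value, item))


def _sort_key_range(keys, op, value):
    """Map a sort key comparison to the [lo, hi) slice of an already sorted key list."""
    n = len(keys)
    if op == "=":
        return bisect.bisect_left(keys, value), bisect.bisect_right(keys, value)
    if op == "<":
        return 0, bisect.bisect_left(keys, value)
    if op == "<=":
        return 0, bisect.bisect_right(keys, value)
    if op == ">":
        return bisect.bisect_right(keys, value), n
    if op == ">=":
        return bisect.bisect_left(keys, value), n
    if op == "between":
        return bisect.bisect_left(keys, value[0]), bisect.bisect_right(keys, value[1])
    if op == "begins_with":
        lo = hi = bisect.bisect_left(keys, value)
        while hi < n and keys[hi].startswith(value):
            hi += 1
        return lo, hi
    raise ValueError("unsupported sort key operator: %s" % op)


class ModelTable:
    """A table with a composite primary key plus optional secondary indexes."""

    def __init__(self, partition_key, sort_key):
        self.partition_key, self.sort_key = partition_key, sort_key
        self._items = []                    # every item in insertion order (what Scan walks)
        self._primary = defaultdict(list)   # partition value -> [(sort value, item)], sorted
        self._secondary = {}                # index name -> (partition attr, sort attr, index dict)

    def add_local_secondary_index(self, name, sort_key):
        # LSI: same partition key as the table, a different sort key.
        self._secondary[name] = (self.partition_key, sort_key, defaultdict(list))

    def add_global_secondary_index(self, name, partition_key, sort_key):
        # GSI: its own partition key and sort key, independent of the table's.
        self._secondary[name] = (partition_key, sort_key, defaultdict(list))

    def put_item(self, item):
        self._items.append(item)
        _insert_sorted(self._primary, item[self.partition_key], item[self.sort_key], item)
        for pk, sk, index in self._secondary.values():
            if pk in item and sk in item:   # sparse index: items lacking the key attributes are skipped
                _insert_sorted(index, item[pk], item[sk], item)

    def query(self, partition_value, sort_condition=None, index_name=None):
        """Return (items, items_read): only one partition's matching slice is touched."""
        index = self._primary if index_name is None else self._secondary[index_name][2]
        entries = index.get(partition_value, [])
        lo, hi = 0, len(entries)
        if sort_condition is not None:
            lo, hi = _sort_key_range([k for k, _ in entries], *sort_condition)
        return [item for _, item in entries[lo:hi]], hi - lo

    def scan(self, filter_fn):
        """Return (items, items_read): every item is read, then the filter is applied."""
        return [item for item in self._items if filter_fn(item)], len(self._items)


# Constructed sample items for the Lesson table.
LESSONS = [
    {"CourseName": "CSA-Pro", "LessonName": "01-RDS-Security", "Instructor": "Anthony", "Duration": 32},
    {"CourseName": "CSA-Pro", "LessonName": "02-RDS-MySQL", "Instructor": "Anthony", "Duration": 41},
    {"CourseName": "CSA-Pro", "LessonName": "03-DynamoDB-Indexes", "Instructor": "Anthony", "Duration": 27},
    {"CourseName": "CSA-Associate", "LessonName": "01-IAM", "Instructor": "Terry", "Duration": 25},
    {"CourseName": "CSA-Associate", "LessonName": "02-VPC", "Instructor": "Anthony", "Duration": 50},
]


def build_lesson_table():
    """Lesson table with an LSI (same partition key, Duration sort key) and a GSI keyed by Instructor."""
    table = ModelTable("CourseName", "LessonName")
    table.add_local_secondary_index("ByDuration", "Duration")
    table.add_global_secondary_index("ByInstructor", "Instructor", "LessonName")
    for item in LESSONS:
        table.put_item(item)
    return table


if __name__ == "__main__":
    t = build_lesson_table()
    print(t.query("CSA-Pro", ("begins_with", "02")))                 # 1 item read
    print(t.query("CSA-Pro", (">=", 30), index_name="ByDuration"))    # LSI: 2 items read
    print(t.query("Anthony", index_name="ByInstructor"))             # GSI: 4 items read
    print(t.scan(lambda i: i["Instructor"] == "Anthony"))            # all 5 items read
```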

DynamoDB Multi-Region

DynamoDB Multi-Region Design

Problem: Need to migrate data over to a secondary region as part of a "daily" backup operation.

Solution: You can use Data Pipeline to schedule a pipeline that daily migrates data to a DynamoDB table in another region.

Problem: Need to offload requests that are made in other regions, so the data lives close to the end user requesting the data, which will reduce latency for reading data from the DynamoDB table.

Solution: DynamoDB Streams; streams are essentially an exact order of modifications to a table put inside a log stream (powered by Kinesis).

Many different use cases for this type of feature:
• Stream data to multiple regions in near real-time replication of data
• Secondary applications can listen for changes to data and send notifications to end users

Preparing For The Exam

Study Methods After Completing The Course

Preparing For The Exam: How To Study After Completing The Course

• DO NOT register for the exam until you have completed the course and met these study best practices. Scheduling the exam first and then studying is a sure way to not be prepared and to rush learning.
• Download the slides for memorization and study.
• Download the "Exam Study Guide" from the "Required Reading" part of the course syllabus. Be sure to follow the study guide as well.
• Use the practice exam system to help get a feel for how much time to spend on each question in the exam.
• Do NOT study the incorrect/correct answers on the results page first. First see what questions you got wrong and research "why". This helps with understanding the concepts and becoming a qualified CSA professional, rather than just memorizing answers.
• Watching the videos and taking the labs should only be 40% of your studying. You must continue to review the slides and take the self-paced labs in order to ensure you understand and are qualified for the exam.

• At least read the "required" white papers in the study guide, and it is suggested that you also read the "suggested" white papers in the study guide.
• You should spend at least two weeks studying, going back and reviewing videos, asking questions, and reading the slides.
• It never hurts to take an AWS practice exam by AWS or to read the AWS services FAQ.
• If you spend time studying and reviewing the course for 1 to 2 weeks after completing the course on linuxacademy.com, your odds of success go up to 90%+.
• Rushing to pass is the best way to fail the exam.
• Before you take the exam, take three days off of studying, then go back and try the practice exam for your third and last time. If you pass, then schedule the exam.

Test Taking Best Practices

Preparing For The Exam: Test Taking Best Practices

The test is 80 questions in 170 minutes. Practice time management with our practice exam system!

1. Start from the beginning.
2. Answer each question one by one. If you have no idea about the question, mark it for "review later" and DO NOT select an answer, then move on. Other questions at times help answer previous questions!
3. Read all the potential answers. Do not select one, even if you think one is "obviously correct", until you read all the potential answers.
4. Take turns reading the answers from top down and bottom up.
5. Understand WHAT the question is asking.
   • A cost-savings architecture is not always the same as a FULLY highly available architecture
6. Demo – How to answer questions even if you ARE SURE you know the answer.
