aws - devops school

Post on 01-Aug-2020


AWS Fundamentals and Beyond

“Imagination is more important than knowledge”

– Albert Einstein

What is Cloud ?

Different Cloud models

• SaaS
• PaaS
• IaaS
• CaaS
• NaaS
• etc…

Confused ???

SaaS vs PaaS vs IaaS

(Diagram axes: Abstraction, Ease of usage)

Agenda

• AWS Overview
• Console Overview
• IAM
• EC2
• Route 53
• Regions vs Availability Zones
• Scalability
• RDS
• S3
• R53 Routing Policies
• EBS
• High Availability
• Aurora
• Security Groups (SG)
• VPC
• EFS
• What is Load Balancing?
• ELB
• AMI
• Subnets
• ElastiCache
• ASG
• Placement Groups*
• Encryption on AWS
• And more…

Section 1

Identity and Access Management - IAM
Elastic Compute Cloud - EC2
Security Group - SG

Section Agenda

• IAM Introduction
• What is EC2?
• Hands On: EC2, User Data, SG
• EC2 Launch Types
  • On Demand
  • Reserved Instance
  • Convertible Reserved Instance
  • Scheduled Reserved Instance
  • Spot Instance
  • Dedicated Instance
  • Dedicated Hosts
• EC2 Instance Types
  • R - RAM optimised
  • C - CPU optimised
  • M - General purpose (balanced)
  • I - I/O (storage) optimised
  • G - GPU optimised

IAM Introduction

• IAM (Identity and Access Management)
• Divided into:
  • Users
  • Roles
  • Groups
• The root account should never be used for day-to-day work: lock it down with MFA and work through IAM users and roles instead
• Users must be created with proper (least-privilege) permissions
• IAM is global, not region scoped; it sits at the centre of AWS
• Policies are written in JSON

IAM Introduction

• Users - a physical user (a person, or an application holding long-lived credentials)
• Roles - for internal usage inside AWS (assumed by services, EC2 instances or other principals; they hand out temporary credentials)
• Groups - functions, teams, tasks
• Policies (JSON docs) - define what all of the above can do

What is EC2?

• One of the most important AWS offerings.
• Flavours or capabilities of EC2:
  • Renting VMs, i.e. EC2
  • Storing data on virtual drives, i.e. EBS
  • Distributing load across VMs, i.e. ELB
  • Scaling the services with ASG

Demo - Launching an EC2 instance, SSH-ing in and installing the Apache web server.

How to secure this EC2 instance ?

Introduction to Security Group (SG)

• Fundamental building block of security in AWS
• Controls traffic to/from EC2 instance(s); it is attached to the instance's network interface
• Inspects inbound/outbound traffic and lets through only what matches a rule. SG rules are allow-only: there are no deny rules, so anything not explicitly allowed is dropped.

(Diagram: the SG sits between the Internet and the instance, filtering inbound and outbound traffic)

SG - Continued

• Controls
  • Port access
  • Authorised IP ranges (or another security group as the source/destination)
  • Inbound traffic
  • Outbound traffic
• Acts as a FIREWALL
• By default ALL inbound traffic is blocked.
• By default ALL outbound traffic is allowed.
• SGs are stateful: return traffic for an allowed connection is permitted automatically. NACLs are stateless.

Demo - Effect of SG rules on an EC2 instance

Bootstrapping EC2: User Data

• Bootstrapping? Executing commands when the machine is launched; by default user data runs only on the first boot.
• Tasks which can be automated at boot time:
  • Package updates
  • Installing software
  • Downloading files
  • Etc.
• Which permissions does the script run with? Root!
• Because it runs as root, and because anyone who may describe the instance's attributes can read the user data, never put secrets (keys, passwords) in it; fetch them at boot through an instance role from a secrets store instead.

Demo - User Data, Let’s automate the world.

EC2 Launch Types: Which one should I use?

• EC2 - On Demand
  • Pay for what you use (billed per second with a 60-second minimum on Linux; some OSes are billed per hour).
  • Highest price, but no commitment and no upfront payment.
  • Will not be interrupted by AWS (unlike Spot).

EC2 Launch Type 2

• EC2 Reserved Instances
  • Up to ~75% cheaper than On-Demand.
  • In exchange for a 1- or 3-year commitment (no-, partial- or all-upfront payment).
  • The reservation is made against a particular instance type (and, for zonal reservations, a particular AZ). What is an instance type? See the instance types list.
  • Good for predictable, steady-state workloads.
  • Sub categories
    • Convertible Reserved Instances - can be exchanged for another instance type during the term
    • Scheduled Reserved Instances - reserved for a recurring day/time/week window

EC2 Launch Types 3

• EC2 Spot Instances
  • You specify the maximum price you are willing to pay (historically a bid) and pay the current Spot price.
  • Allocated from spare AWS capacity, so availability depends on price and demand.
  • Up to 90% cheaper than On-Demand.
  • Can be reclaimed at any time when the Spot price rises above your maximum or AWS needs the capacity back, with a two-minute interruption warning.
  • Once reclaimed, data on the instance's local (instance store) disks is lost; keep anything you need on EBS or S3.
  • Good for batch data processing and big-data queries; not for critical applications that cannot tolerate interruption.

EC2 Launch Types 4

• EC2 Dedicated Hosts
  • Expensive.
  • For companies or scenarios with strong compliance or data-residency requirements.
  • You get a physical server dedicated to you.
  • Visibility of the host's sockets and physical cores, e.g. for socket- or core-bound software licences.

Elastic Load Balancer (ELB)

Section Agenda

• Scalability
  • Vertical
  • Horizontal
• High Availability
• Taking EC2 into consideration
  • Scalability: ASG, Load Balancer
  • High Availability: LB multi AZ, ASG multi AZ

Load Balancer

• Single DNS entry point for the application
• Handles backend failures
• Health checks
• TLS termination (HTTPS terminates on the LB; backends can be plain HTTP or HTTPS)
• Stickiness via cookies
• High availability across zones
• Spreads load across zones

Kinds of ELBs

• AWS offers 3 kinds of ELBs
  • Application Load Balancer
  • Network Load Balancer
  • Classic Load Balancer
• The Classic Load Balancer is the previous generation; new deployments should use ALB or NLB.

ALB

• Layer 7 load balancer
• Load balancing to multiple HTTP endpoints
• Container load balancing
• Routing based on path, e.g. /home, /newhome, /oldhome
• Routing based on hostname
• Best for Docker-based applications and ECS
• Dynamic port mapping: ECS can register containers on dynamic host ports and the ALB routes to them
• Supports HTTP, HTTPS and WebSockets
• Stickiness
  • Consider user 1, who has items in a shopping cart that is persisted on EC2-A. If the next request goes to EC2-B, that instance has no information about user 1's cart. Stickiness (a cookie that pins the client to one target) keeps user 1 on EC2-A.

DEMO - ELB/ALB + SG

Auto Scaling Group - ASG

• What will you do if load increases on your application?
• Will you create instances of the application yourself?
• Or schedule a job to do so?
• What if the application scales all by itself?
• Magic?

Demo - ASG

Virtual Private Cloud - VPC: the cloud enabler

A picture is worth a thousand words!

VPC

• Subnets
  • Public
  • Private
• IGW
• Route Tables
• NACL
• SG - revisited
• NAT Gateways
• Bastion Host

IP

• Public IP - unique across the whole internet and reachable from it.
• Private IP - only unique within your own network (VPC); not routable on the internet.
• CIDR representation
• Default VPC
• Create one VPC from the ground up.

Classless Inter-Domain Routing - CIDR

• Base IP - an IP from the range, usually the first one
• Prefix length (/n) - the number of leading bits that are fixed; the remaining 32-n bits can change, giving 2^(32-n) addresses
  • x.x.x.x/32 = 2^0 = 1 IP
  • x.x.x.x/30 = 2^2 = 4 IPs
  • x.x.x.x/26 = 2^6 = 64 IPs
  • x.x.x.x/20 = 2^12 = …
• Available private IP ranges (RFC 1918)
  • 10.0.0.0 to 10.255.255.255 -> 10.0.0.0/8
  • 172.16.0.0 to 172.31.255.255 -> 172.16.0.0/12
  • 192.168.0.0 to 192.168.255.255 -> 192.168.0.0/16
• Example notation from the slide: 123.234.567.012/32 (note that 567 is not a valid octet; every octet must be in the range 0-255)

Subnets

• AWS reserves 5 IPs in each subnet (the first 4 and the last one).
• Reserved IPs are not available for use in the subnet.
• For a subnet with CIDR 192.168.0.0/16 the reserved IPs would be:
  • 192.168.0.0 - network address
  • 192.168.0.1 - VPC router
  • 192.168.0.2 - DNS resolver (Amazon-provided DNS)
  • 192.168.0.3 - reserved for future use
  • 192.168.255.255 - broadcast address, although broadcast is not supported on the AWS VPC network
• So the smallest allowed subnet, a /28 with 16 addresses, has only 11 usable IPs.
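The CIDR arithmetic and the five reserved addresses above, worked through with Python's standard ipaddress module. This is an added example, not part of the original deck; the RFC 1918 ranges and the /16 to /28 subnet-size bounds are AWS/IETF facts, the sample CIDRs are constructed.

```python
import ipaddress

# RFC 1918 private ranges, as listed on the slide.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_count(cidr):
    """Total addresses in a block: 2 ** (32 - prefix length)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def aws_reserved_addresses(cidr):
    """The five addresses AWS keeps back in every VPC subnet, keyed by purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network address": str(ipaddress.ip_address(base)),
        "VPC router": str(ipaddress.ip_address(base + 1)),
        "DNS resolver": str(ipaddress.ip_address(base + 2)),
        "reserved for future use": str(ipaddress.ip_address(base + 3)),
        "broadcast (not supported in a VPC)": str(net.broadcast_address),
    }


def usable_hosts(cidr):
    """Addresses you can actually assign to resources in an AWS subnet."""
    return address_count(cidr) - len(aws_reserved_addresses(cidr))


def is_rfc1918(ip):
    """True if the address falls in one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_cidr(text):
    """Return (network, None) or (None, error) so bad input such as an octet
    above 255 is reported instead of raising."""
    try:
        return ipaddress.ip_network(text, strict=False), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for cidr in ("10.0.0.0/26", "10.0.0.0/20", "10.0.0.0/28"):
        print(cidr, address_count(cidr), "addresses,", usable_hosts(cidr), "usable")
    for purpose, ip in aws_reserved_addresses("192.168.0.0/16").items():
        print(f"{ip:<18} {purpose}")
    print(parse_cidr("123.234.567.012/32"))   # the slide's malformed example is rejected
```

`strict=True` makes ipaddress reject a base IP that is not the first address of the block (for example 10.0.0.5/24), which is the same check the VPC console performs when you type a subnet CIDR.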

IGW (Internet Gateway)

• Provides internet connectivity to the resources in a subnet (together with a 0.0.0.0/0 route to the IGW in the subnet's route table and a public IP on the instance).

• Highly available and scales automatically (AWS managed).

• Not created automatically with a custom VPC (the default VPC does come with one).
• 1 VPC <=> 1 IGW

Route Table

NAT Gateway

NACL + SG

(Diagram: incoming and outgoing requests pass through the NACL at the subnet boundary and the SG at the instance)

• NACLs are subnet level.
• Each subnet has exactly 1 NACL; one NACL can be associated with many subnets.
• Default NACL - ALL traffic allowed.
• When NEWLY created - NO traffic allowed.
• Uses rules to allow/deny traffic.
• Rules have a number associated with them; the lower the number, the higher the precedence, and the first matching rule wins.
• The fallback/last rule is *, which denies everything that no numbered rule matched.
• Because NACLs are stateless, return traffic must be allowed explicitly (e.g. an outbound rule for TCP 1024-65535 so replies can reach clients' ephemeral ports).

NACL vs SG
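To make the stateful-versus-stateless difference and the NACL rule ordering concrete, here is an added Python model (not from the deck) of how the two filters decide on a TCP request and its reply. The addresses, ports and rule sets are constructed; the evaluation semantics (SG: unordered allow-list, connection-tracked; NACL: numbered rules, first match wins, implicit final deny, no connection tracking) are the documented AWS behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario: a web server behind a security group and a subnet NACL
# receives a TCP connection on port 80 from client 203.0.113.5, source port 50000.


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (lower = evaluated first); ignored for SGs
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str         # peer address range the rule applies to
    action: str       # "allow" or "deny"; security groups only ever have "allow"


def rule_matches(rule, protocol, port, peer_ip):
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)


def sg_allows(rules, protocol, port, peer_ip):
    """Security group: an unordered allow-list. Any match allows, no match drops."""
    return any(rule_matches(r, protocol, port, peer_ip) for r in rules if r.action == "allow")


def nacl_decision(rules, protocol, port, peer_ip):
    """NACL: rules are tried in ascending number and the first match decides;
    the implicit final '*' rule denies whatever is left."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, peer_ip):
            return rule.action
    return "deny"


def tcp_exchange(sg_inbound, nacl_inbound, nacl_outbound, client_ip, client_port, server_port=80):
    """Trace the client's request and the server's reply through both layers."""
    sg_request = sg_allows(sg_inbound, "tcp", server_port, client_ip)
    nacl_request = nacl_decision(nacl_inbound, "tcp", server_port, client_ip) == "allow"
    # Stateful: the SG tracks the connection, so the reply is allowed whenever
    # the request was, regardless of the outbound SG rules.
    sg_reply = sg_request
    # Stateless: the reply is just another packet, outbound to the client's
    # ephemeral port, and must match an outbound NACL rule on its own.
    nacl_reply = nacl_decision(nacl_outbound, "tcp", client_port, client_ip) == "allow"
    return {
        "request": sg_request and nacl_request,
        "sg_reply": sg_reply,
        "nacl_reply": nacl_reply,
        "reply": sg_request and nacl_request and nacl_reply,
    }


SG_WEB = [Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_IN = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
# Common mistake: mirroring the inbound rule outbound. Replies go to the client's
# ephemeral port, not to port 80, so they fall through to the '*' deny.
NACL_OUT_BROKEN = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_OUT_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Rule numbering: the lower-numbered deny beats the broader allow.
NACL_SSH = [Rule(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
            Rule(200, "tcp", 22, 22, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print("broken NACL:", tcp_exchange(SG_WEB, NACL_IN, NACL_OUT_BROKEN, "203.0.113.5", 50000))
    print("fixed NACL: ", tcp_exchange(SG_WEB, NACL_IN, NACL_OUT_FIXED, "203.0.113.5", 50000))
    print("ssh from 203.0.113.9:", nacl_decision(NACL_SSH, "tcp", 22, "203.0.113.9"))
    print("ssh from 198.51.100.1:", nacl_decision(NACL_SSH, "tcp", 22, "198.51.100.1"))
```

With `NACL_OUT_BROKEN` the request reaches the server but the reply is dropped at the subnet boundary, which is the classic "my instance is reachable but the page never loads" symptom; the security group alone would have let the reply through.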

Simple Storage Service - S3

S3

• Buckets & Objects
• Versioning
• Security and Encryption
• Consistency models
• Let's build our website
• CORS

• S3 is object-based storage.
• An OS can't be installed on it!
• Objects live inside buckets!
• Bucket names are unique across the whole AWS universe (globally, across all accounts)
• Buckets are created in a region
• Naming convention
  • NO UPPERCASE
  • NO underscores
  • Min 3 characters, max 63
  • Start with a lowercase letter or a number

Demo - S3

• It's a key-value store
• There are no directories!!! Yeah, no folders; a "/" in a key is just part of the name, which the console renders as a folder
• What's the max size of an object? 5 TB. A single PUT is limited to 5 GB, so anything larger must use multipart upload.
• The object key (the full name within the bucket) combined with the bucket name forms the object's URL

Versioning

• S3 objects can be versioned
• Versioning is enabled at bucket level (it can later be suspended, but never switched off again)
• What is the null version? Objects that existed before versioning was enabled carry the version ID "null"; a later PUT adds a new version and keeps the null version.
• What is a delete marker? A DELETE without a version ID on a versioned bucket removes no data; it adds a delete marker as the current version, so the object looks gone. Deleting the marker restores the object.
• Versioning protects against unintended deletes and overwrites (add MFA Delete to guard permanent version deletion)
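The null version and delete marker behaviour described above, as an added toy model in Python (not the deck's material and not the S3 API; version IDs are generated as v1, v2, … instead of S3's opaque strings, and the object key and contents are constructed):

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]           # None for a delete marker
    is_delete_marker: bool = False


class VersionedBucket:
    """Toy model of S3 bucket versioning semantics."""

    def __init__(self):
        self.versioning_enabled = False
        self._objects = {}          # key -> list of versions, newest last
        self._ids = itertools.count(1)

    def enable_versioning(self):
        self.versioning_enabled = True

    def put(self, key, body):
        if not self.versioning_enabled:
            # Unversioned bucket: a single version with ID "null"; a PUT
            # overwrites it and the previous bytes are gone for good.
            self._objects[key] = [Version("null", body)]
            return "null"
        version_id = f"v{next(self._ids)}"
        # Versioned: the new version becomes current; older ones (including a
        # pre-versioning "null" version) are kept.
        self._objects.setdefault(key, []).append(Version(version_id, body))
        return version_id

    def get(self, key, version_id=None):
        versions = self._objects.get(key, [])
        if version_id is None:
            # A GET without a version ID returns the current version, unless the
            # current version is a delete marker: then the object looks deleted.
            if not versions or versions[-1].is_delete_marker:
                return None
            return versions[-1].body
        for version in versions:
            if version.version_id == version_id and not version.is_delete_marker:
                return version.body
        return None

    def delete(self, key, version_id=None):
        versions = self._objects.setdefault(key, [])
        if version_id is None:
            if not self.versioning_enabled:
                self._objects.pop(key, None)          # really gone
                return None
            # Versioned bucket: a plain DELETE only inserts a delete marker.
            marker_id = f"v{next(self._ids)}"
            versions.append(Version(marker_id, None, is_delete_marker=True))
            return marker_id
        # DELETE with a version ID permanently removes that version. Removing a
        # delete marker is how you "undelete" the object.
        versions[:] = [v for v in versions if v.version_id != version_id]
        return version_id

    def list_versions(self, key):
        return [(v.version_id, v.is_delete_marker) for v in self._objects.get(key, [])]


def walkthrough():
    """Upload, enable versioning, overwrite, 'delete', then undelete."""
    bucket = VersionedBucket()
    bucket.put("report.csv", b"first draft")      # stored as version "null"
    bucket.enable_versioning()
    bucket.put("report.csv", b"final")            # v1; "null" is retained
    marker = bucket.delete("report.csv")          # v2, a delete marker
    while_deleted = bucket.get("report.csv")      # None: appears deleted
    bucket.delete("report.csv", marker)           # remove the marker
    return (while_deleted, bucket.get("report.csv"),
            bucket.get("report.csv", "null"), bucket.list_versions("report.csv"))


if __name__ == "__main__":
    print(walkthrough())
```

The security point is the last `delete` call: anyone allowed to call DeleteObject with a version ID can destroy history as well as restore it, which is why the permanent-deletion path is the one to gate with MFA Delete or a restrictive policy.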

Security-S3

• Resource based
  • Bucket Access Control List (ACL)
  • Object Access Control List (ACL)
  • Bucket policy document

• IAM policies (identity based, attached to users, groups or roles)

S3 Bucket Policy

• JSON-based policy document containing
  • Resource - buckets and objects (as ARNs)
  • Action - the set of API calls to allow or deny
  • Effect - Allow/Deny
  • Principal - the account or user the policy applies to
  • Condition (optional) - e.g. require TLS or an encryption header
• Bucket policies are used for
  • Public access to a bucket
  • Forcing encryption at upload time
  • Cross-account access
• An explicit Deny in any applicable policy wins over every Allow.
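The policy elements listed here, and the "policies are JSON documents that define what users, roles and groups can do" point from the IAM introduction, are easiest to see by evaluating a few requests against a bucket policy that does all three things the slide names (public read of one prefix, forced encryption at upload, and a TLS-only rule) alongside an identity policy. The following is an added Python example, not part of the deck and not AWS's evaluator: the bucket name `example-bucket`, the user `alice` and the account ID are assumed, the policy documents are constructed in the standard JSON policy shape, and the decision logic is the simplified same-account rule (explicit Deny wins, then any Allow, else implicit deny).

```python
from fnmatch import fnmatchcase

BUCKET = "example-bucket"                              # assumed bucket name
ALICE = "arn:aws:iam::123456789012:user/alice"         # assumed IAM user ARN

# Resource-based policy on the bucket: public read for one prefix, and
# explicit denies for unencrypted uploads and for non-TLS requests.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadPrefix", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/public/*"},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Identity-based policy attached to alice: read/write objects, nothing else.
IDENTITY_POLICIES = {
    ALICE: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal):
    if stmt_principal == "*":
        return True
    return isinstance(stmt_principal, dict) and principal in _as_list(stmt_principal.get("AWS", []))


def _condition_matches(condition, context):
    """All condition blocks must hold. A key missing from the request context makes
    every operator here false except Null/true, which is exactly why the bucket
    policy needs both the Null and the StringNotEquals statements."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual in _as_list(expected):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def evaluate(request, bucket_policy, identity_policies):
    """Simplified decision: explicit Deny wins, otherwise any matching Allow allows,
    otherwise implicit deny. Same-account or anonymous access only; cross-account
    evaluation, SCPs and permission boundaries are not modelled."""
    statements = [s for s in bucket_policy["Statement"]
                  if _principal_matches(s["Principal"], request["principal"])]
    identity = identity_policies.get(request["principal"])
    if identity is not None:
        statements += identity["Statement"]
    decision = "implicit deny"
    for stmt in statements:
        if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request.get("context", {})):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def decide(principal, action, key, context):
    """Evaluate one S3 request against the constructed policies above."""
    request = {"principal": principal, "action": action,
               "resource": f"arn:aws:s3:::{BUCKET}/{key}", "context": context}
    return evaluate(request, BUCKET_POLICY, IDENTITY_POLICIES)


if __name__ == "__main__":
    tls = {"aws:SecureTransport": "true"}
    print(decide(ALICE, "s3:PutObject", "reports/q1.csv", {**tls, "s3:x-amz-server-side-encryption": "AES256"}))
    print(decide(ALICE, "s3:PutObject", "reports/q1.csv", tls))
    print(decide("*", "s3:GetObject", "public/index.html", tls))
    print(decide("*", "s3:GetObject", "private/salaries.csv", tls))
```

Two things worth noticing when you run it: the upload without the encryption header is denied even though alice's identity policy allows PutObject, because an explicit Deny in the bucket policy overrides it, and the anonymous read of `private/salaries.csv` is an implicit deny (no statement allows it) rather than an explicit one, which is what makes the public-prefix allow safe to scope tightly.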

S3 - Static Website
