Are You Well Architected?
TRANSCRIPT
Joe Gardner (@joehack3r)
@joehack3r
Disclaimer
• Any views or opinions represented are my own and do not necessarily represent those of people, institutions or organizations that I am or have been associated with in any professional or personal capacity.
What is Well-Architected?
My Simplest Definition: Designing a product or service in a manner to meet the customer's needs while balancing trade-offs.
Where to start?
AWS Well-Architected Framework
• Blog Announcement: http://bit.ly/aws-well-architected
• PDF: http://bit.ly/aws-well-architected-pdf
AWS Well-Architected Framework
• Principles
• Guidance
• Strategies
• Best Practices
AWS Well-Architected Framework
• Based on AWS experts working with thousands of customers
• Learn about new or different ways of thinking
• Evaluate your environment against AWS best practices
Four Pillars
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
Security Pillar
• Encrypt everything in transit and at rest
• Log everything (CloudTrail, VPC Flow, S3, Config, etc.)
• Security groups (firewall) and NACL at all layers
• Principle of least privilege
Security Pillar
• Control the network (VPC)
  • Create your own VPC
  • Restrict access
    • Bastion Host
    • VPN (e.g., OpenVPN)
Security Pillar
• Remove root account API keys
• MFA root account
• Everybody uses IAM
• Rotate API keys
Security Pillar (Me)
• Monitor for root account usage
• Monitor for other region activity
• Monitor for non-MFA logins
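The three monitors on this slide can be run straight over delivered CloudTrail log files. The script below is an added example, not the speaker's own tooling: it parses a CloudTrail "Records" document and flags root account API usage, activity in a region the account is not expected to operate in, and console logins made without MFA. The region allow-list, the account id 123456789012 and the five events are constructed for illustration.

```python
"""Triage CloudTrail records for the three checks on the slide:
root account usage, activity outside the regions you operate in,
and console logins without MFA. Added example, not the speaker's code."""
import json

# Regions this (hypothetical) account is expected to operate in
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}

# Constructed CloudTrail log, trimmed to the fields the checks read.
# 123456789012 is a placeholder account id; the actors are made up.
SAMPLE_LOG = """{"Records": [
  {"eventTime": "2016-01-10T12:00:01Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
   "eventSource": "ec2.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventTime": "2016-01-10T12:05:44Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
   "eventSource": "iam.amazonaws.com",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
  {"eventTime": "2016-01-10T12:07:13Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
   "eventSource": "ec2.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
  {"eventTime": "2016-01-10T12:09:02Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
   "eventSource": "signin.amazonaws.com", "additionalEventData": {"MFAUsed": "No"},
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"}},
  {"eventTime": "2016-01-10T12:10:30Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
   "eventSource": "signin.amazonaws.com", "additionalEventData": {"MFAUsed": "Yes"},
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]}"""


def load_records(text):
    """Parse a CloudTrail log file (the JSON document inside the .json.gz object)."""
    return json.loads(text)["Records"]


def triage(records, allowed_regions=ALLOWED_REGIONS):
    """Return findings as (check, eventTime, actor ARN, detail) tuples."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        when = rec.get("eventTime", "")

        # 1. Anything done as the root account: the slide says nobody should use it.
        if ident.get("type") == "Root":
            findings.append(("root-usage", when, actor, rec.get("eventName")))

        # 2. Activity in a region we do not run anything in. Global services
        #    such as IAM log as us-east-1, so keep that region allowed.
        if rec.get("awsRegion") not in allowed_regions:
            findings.append(("unexpected-region", when, actor, rec.get("awsRegion")))

        # 3. Console logins where MFA was not used (MFAUsed is "Yes" or "No").
        if rec.get("eventName") == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console-login-without-mfa", when, actor, "ConsoleLogin"))
    return findings


def triage_text(text, allowed_regions=ALLOWED_REGIONS):
    """Convenience wrapper: parse then triage."""
    return triage(load_records(text), allowed_regions)


if __name__ == "__main__":
    for finding in triage_text(SAMPLE_LOG):
        print("%-26s %s %s %s" % finding)
```

A single record can raise more than one finding (a root console login without MFA trips checks 1 and 3), which is the intended behaviour: each check is an independent signal to alert on. In practice the same function is fed every object CloudTrail delivers to the S3 bucket named in the `create-subscription` command, with the allow-list set to the regions you actually deploy to.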
Security Pillar (Me)
• CloudTrail
(this command used to create trails is now moot with the "Apply trail to all regions" option in the console)
myS3LogBucket=my-test-bucket-2718   # S3 bucket that receives the trail logs
aws ec2 describe-regions --output json | grep RegionName | awk -F'"' '{print $4}' | while read region; do
  aws cloudtrail create-subscription --name "Default" --s3-use-bucket "$myS3LogBucket" --region "$region"
done
Reliability Pillar
• Monitor your AWS limits
• AutoScaling Group
• Multi-AZ, Multi-Region
• Monitor all the things!
Reliability Pillar
• Backups
• Practice recovery
• Change management
Reliability Pillar (Me)
• Monitoring script checks usage vs. AWS limits
• Chaos Monkey
• Automated recovery
• Automated deployments (apps and infra)
Performance Efficiency Pillar
• Review instance types
• Review new services
• Monitor system load (CPU, RAM, network, disk I/O)
• AutoScaling
• CloudFront and multi-region
Performance Efficiency Pillar
• m3.large ($0.133/hour Linux on-demand)
  • 7.5 GB RAM, 6.5 ECU (Intel Xeon E5-2670), 32 GB SSD
  • Not EBS-optimized, VPC & non-VPC
• m4.large ($0.120/hour Linux on-demand)
  • 8.0 GB RAM, 6.5 ECU (Intel Xeon E5-2676 v3), EBS-only storage
  • EBS-optimized, VPC-only
Performance Efficiency Pillar (Me)
• DataDog
Cost Optimization Pillar
• Reserved Instances (EC2, RDS)
• Newer instance types
• Tag resources and add to billing report
• Billing alerts
• Turn off unused resources
Cost Optimization Pillar
• m3.large ($0.133/hour Linux on-demand)
  • 7.5 GB RAM, 6.5 ECU (Intel Xeon E5-2670), 32 GB SSD
  • Not EBS-optimized, VPC & non-VPC
• m4.large ($0.120/hour Linux on-demand)
  • 8.0 GB RAM, 6.5 ECU (Intel Xeon E5-2676 v3), EBS-only storage
  • EBS-optimized, VPC-only
Cost Optimization Pillar (Me)
• Multiple Billing alerts
• Tags in billing report
• Janitor Monkey with Edda
• Made it easy to use Spot instances
My Practices
• Lots of CloudFormation
• Parameterize AMI, Instance Type, AZs, etc.
• CI/CD Application Software and Infrastructure
• VPC
• ELB and ASG everything
My Practices
• Work closely with our Solutions Architect
• Research and demo new AWS services
• Attend DevOpsDays, hackathons, re:Invent
• Follow Netflix Tech Blog and others
Suggested Next Steps
• Read the announcement and PDF: http://bit.ly/aws-well-architected
• Read AWS Architectures and White Papers:
  https://aws.amazon.com/architecture/
  https://aws.amazon.com/whitepapers/
• Review with your SA, TAM, consulting partner, etc.