Are You Well Architected? Joe Gardner @joehack3r

Posted on 07-Jan-2017

TRANSCRIPT

Page 1: Are You Well Architected?

Are You Well Architected?

Joe Gardner @joehack3r

Page 2: Are You Well Architected?

Disclaimer

• Any views or opinions represented are my own and do not necessarily represent those of people, institutions or organizations that I am or have been associated with in any professional or personal capacity.

Page 3: Are You Well Architected?

What is Well-Architected?

My simplest definition: Designing a product or service in a manner that meets the customer's needs while balancing trade-offs.

Pages 4-9: Are You Well Architected?

What is Well-Architected? (no text on these slides)
Page 10: Are You Well Architected?

Where to start?

Page 11: Are You Well Architected?

AWS Well-Architected Framework

• Blog announcement: http://bit.ly/aws-well-architected

• PDF: http://bit.ly/aws-well-architected-pdf

Page 12: Are You Well Architected?

AWS Well-Architected Framework

• Principles

• Guidance

• Strategies

• Best Practices

Page 13: Are You Well Architected?

AWS Well-Architected Framework

• Based on AWS experts working with thousands of customers

• Learn about new or different ways of thinking

• Evaluate your environment against AWS best practices

Page 14: Are You Well Architected?

Four Pillars

• Security

• Reliability

• Performance Efficiency

• Cost Optimization

Page 15: Are You Well Architected?

Security Pillar

• Encrypt everything in transit and at rest

• Log everything (CloudTrail, VPC Flow, S3, Config, etc.)

• Security groups (firewall) and NACL at all layers

• Principle of least privilege

Page 16: Are You Well Architected?

Security Pillar

• Control the network (VPC)

• Create your own VPC

• Restrict access

• Bastion Host

• VPN (e.g., OpenVPN)

Page 17: Are You Well Architected?

Security Pillar

• Remove root account API keys

• MFA root account

• Everybody uses IAM

• Rotate API keys
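As an added example (not part of the talk), a script that applies the three checks on this slide to an IAM credential report: root must have no access keys and must have MFA, and every active IAM user key must have been rotated recently. The CSV column names and the <root_account> row are IAM's own; the sample rows, the fixed clock and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CSV layout of `aws iam get-credential-report` (after base64
# decoding), trimmed to the columns used below; IAM reports the root user as <root_account>.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,false,true,2015-03-01T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,2016-12-20T09:30:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,false,true,2016-06-01T08:00:00+00:00,true,2016-09-15T08:00:00+00:00
"""

SAMPLE_NOW = datetime(2017, 1, 7, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                         # assumed rotation policy, not from the talk


def _parse_ts(value):
    """Parse a report timestamp; IAM writes N/A or not_supported when there is no key."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) tuples for the root-key, root-MFA and key-rotation checks."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no API keys at all and must be MFA-protected.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root account has active access key {n}"))
            continue
        # IAM users: every active key must have been rotated within MAX_KEY_AGE.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

Against a real account, feed it the decoded `Content` field of `aws iam get-credential-report` and run it on a schedule.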

Page 18: Are You Well Architected?

Security Pillar (Me)

• Monitor for root account usage

• Monitor for other region activity

• Monitor for non-MFA logins

Page 19: Are You Well Architected?

Security Pillar (Me)

• CloudTrail

(This command, which creates a trail in every region, is now moot with the “Apply trail to all regions” option in the console.)

  # Bucket that receives the CloudTrail logs from every region
  myS3LogBucket=my-test-bucket-2718

  # Create a trail named "Default" in each region, all delivering to the same bucket
  aws ec2 describe-regions --output json \
    | grep RegionName \
    | awk -F'"' '{print $4}' \
    | while read -r region; do
        aws cloudtrail create-subscription --name "Default" --s3-use-bucket "$myS3LogBucket" --region "$region"
      done
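As an added example (not from the talk), the three monitoring rules from the previous slide applied to CloudTrail records: root account usage, console logins without MFA, and activity outside the regions the account normally uses. The field names (userIdentity.type, eventName, awsRegion, additionalEventData.MFAUsed) are CloudTrail's own; the sample records and the HOME_REGIONS set are constructed assumptions.

```python
import json

# Constructed CloudTrail-style records, trimmed to the fields used below.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2017-01-07T10:01:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-01-07T10:05:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-01-07T11:00:00Z", "eventName": "RunInstances", "awsRegion": "ap-northeast-1",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2017-01-07T12:00:00Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
  "userIdentity": {"type": "Root"}}
]}
""")

# Regions this account is expected to operate in (an assumption for the example).
HOME_REGIONS = {"us-east-1", "us-west-2"}


def triage_records(records, home_regions=HOME_REGIONS):
    """Apply the three monitoring rules to CloudTrail records.

    Returns (rule, eventTime, detail) tuples; one record can match several rules.
    """
    alerts = []
    for r in records:
        who = r.get("userIdentity", {})
        actor = who.get("userName") or who.get("type", "unknown")
        when = r.get("eventTime", "?")
        name = r.get("eventName")
        # Rule 1: any API call or login made as the root user.
        if who.get("type") == "Root":
            alerts.append(("root-usage", when, f"{name} by root"))
        # Rule 2: console login where CloudTrail did not record MFA being used.
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("non-mfa-login", when, f"console login by {actor} without MFA"))
        # Rule 3: activity in a region the account does not normally use.
        if r.get("awsRegion") not in home_regions:
            alerts.append(("other-region", when, f"{name} by {actor} in {r.get('awsRegion')}"))
    return alerts


if __name__ == "__main__":
    for rule, when, detail in triage_records(SAMPLE_RECORDS["Records"]):
        print(f"{when} [{rule}] {detail}")
```

In production the same function can be run over the gzipped JSON objects CloudTrail delivers to the S3 bucket configured above.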

Page 20: Are You Well Architected?

Reliability Pillar

• Monitor your AWS limits

• AutoScaling Group

• Multi-AZ, Multi-Region

• Monitor all the things!

Page 21: Are You Well Architected?

Reliability Pillar

• Backups

• Practice recovery

• Change management

Page 22: Are You Well Architected?

Reliability Pillar (Me)

• Monitoring script checks usage vs. AWS limits

• Chaos Monkey

• Automated recovery

• Automated deployments (apps and infra)

Page 23: Are You Well Architected?

Performance Efficiency Pillar

• Review instance types

• Review new services

• Monitor system load (CPU, RAM, network, disk I/O)

• AutoScaling

• CloudFront and multi-region

Page 24: Are You Well Architected?

Performance Efficiency Pillar

• m3.large ($0.133/hour Linux on-demand)

  • 7.5 GB, 6.5 ECU (Intel Xeon E5-2670), 32 GB SSD

  • Not EBS-optimized; VPC and non-VPC

• m4.large ($0.120/hour Linux on-demand)

  • 8.0 GB, 6.5 ECU (Intel Xeon E5-2676 v3), EBS-only storage

  • EBS-optimized; VPC-only

Page 25: Are You Well Architected?

Performance Efficiency Pillar (Me)

• DataDog

Page 26: Are You Well Architected?

Cost Optimization Pillar

• Reserved Instances (EC2, RDS)

• Newer instance types

• Tag resources and add to billing report

• Billing alerts

• Turn off unused resources

Page 27: Are You Well Architected?

Cost Optimization Pillar

• m3.large ($0.133/hour Linux on-demand)

  • 7.5 GB, 6.5 ECU (Intel Xeon E5-2670), 32 GB SSD

  • Not EBS-optimized; VPC and non-VPC

• m4.large ($0.120/hour Linux on-demand)

  • 8.0 GB, 6.5 ECU (Intel Xeon E5-2676 v3), EBS-only storage

  • EBS-optimized; VPC-only

Page 28: Are You Well Architected?

Cost Optimization Pillar (Me)

• Multiple Billing alerts

• Tags in billing report

• Janitor Monkey with Edda

• Made it easy to use Spot instances

Page 29: Are You Well Architected?

My Practices

• Lots of CloudFormation

• Parameterize AMI, Instance Type, AZs, etc.

• CI/CD Application Software and Infrastructure

• VPC

• ELB and ASG everything

Page 30: Are You Well Architected?

My Practices

• Work closely with our Solutions Architect

• Research and demo new AWS services

• Attend DevOpsDays, hackathons, re:Invent

• Follow Netflix Tech Blog and others

Page 31: Are You Well Architected?

Suggested Next Steps

• Read the announcement and PDF: http://bit.ly/aws-well-architected

• Read AWS Architectures and White Papers: https://aws.amazon.com/architecture/ and https://aws.amazon.com/whitepapers/

• Review with SA, TAM, consulting partner, etc.