AWS - DevOps School

AWS Fundamentals and Beyond

Posted 01-Aug-2020

TRANSCRIPT

Page 1: AWS - DevOps School · •AWS reserves 5 IPs in each subnet (1st 4 and last one). • Reserved IPs are not available for use in the subnet • CIDR - 192.168.0.0/16 • Reserved IPs

AWS Fundamentals and Beyond

Page 2:

"Imagination is more important than knowledge."

– Albert Einstein

Page 3:

What is Cloud?

Page 4:

Different Cloud models

• SaaS • PaaS • IaaS • CaaS • NaaS • etc.

Page 5:

Confused?

Page 6:

SaaS vs PaaS vs IaaS

[Figure: the three models compared along two axes, level of abstraction and ease of use]

Page 7:

Agenda

AWS Overview
• Console Overview
• Regions vs Availability Zones
• Scalability
• High Availability
• What is Load Balancing?

Services
• IAM
• EC2
• EBS
• EFS
• ElastiCache
• ELB
• ASG
• AMI
• Placement Groups*
• Route 53 and R53 Routing Policies
• RDS and Aurora
• S3
• Security Groups (SG)
• VPC and Subnets
• Encryption on AWS
• And more…

Page 8:

Section 1

Identity and Access Management - IAM
Elastic Compute Cloud - EC2
Security Group - SG

Page 9:

Section Agenda

• IAM Introduction
• What is EC2?
• Hands On: EC2, User Data, SG
• EC2 Launch Types
  • On Demand
  • Reserved Instance
  • Convertible Reserved Instance
  • Scheduled Reserved Instance
  • Spot Instance
  • Dedicated Instance
  • Dedicated Hosts
• EC2 Instance Types
  • R - RAM (memory) optimised
  • C - CPU (compute) optimised
  • M - balanced / general purpose (medium)
  • I - I/O (storage) optimised
  • G - GPU optimised

Page 10:

IAM Introduction

• IAM (Identity and Access Management)
• Divided into: Users, Groups, Roles
• The root account should not be used for day-to-day work: protect it with MFA and keep it for the few tasks that require it.
• Users must be created with proper (least-privilege) permissions.
• IAM is global - not region scoped; it is at the centre of AWS.
• Policies are written in JSON.

Page 11:

IAM Introduction

• Users - a physical person (or a long-lived credential for one system)
• Groups - functions, teams, tasks; a policy attached to a group applies to all its members
• Roles - for internal usage inside AWS (services, EC2 instances, cross-account access); assumed to obtain temporary credentials rather than holding long-lived keys
• Policies (JSON documents) - define what all of the above can do

Page 12:

What is EC2?

• One of the most important AWS offerings.
• Flavours or capabilities of EC2:
  • Renting VMs, i.e. EC2
  • Storing data on virtual drives, i.e. EBS
  • Distributing load across VMs, i.e. ELB
  • Scaling the services with ASG

Page 13:

Demo - Launching an EC2 instance, SSH in and install an Apache server.

Page 14:

How to secure this EC2 instance?

Page 15:

Introduction to Security Group (SG)

• Fundamental building block of security in AWS: a virtual firewall at the instance (network interface) level.
• Controls traffic to/from EC2 instance(s).
• Evaluates inbound/outbound traffic against its rules and lets through only what a rule matches; an SG has allow rules only, so anything not explicitly allowed is dropped.

[Diagram: SG sitting between the Internet and the instance, filtering inbound and outbound traffic]

Page 16:

SG - Continued

• Controls:
  • Port access
  • Authorised IP ranges (CIDR blocks), or other security groups, as source/destination
  • Inbound traffic
  • Outbound traffic
• Acts as a FIREWALL.
• By default ALL inbound traffic is blocked.
• By default ALL outbound traffic is allowed.
• SGs are stateful (return traffic for an allowed connection is permitted automatically, whatever the rules in the other direction say); NACLs are stateless.

Page 17:

Demo - Effect of SG rules on EC2

Page 18:

Bootstrapping EC2: User Data

• Bootstrapping? Executing commands when the machine is launched, on first boot only (by default a user-data script does not re-run on reboot).
• Tasks that can be automated at boot time: package updates, installing software, downloading files, etc.
• Which user does the script run as? Root!
• Because it runs as root, treat user data as privileged code. It is also not a secret store: anyone with ec2:DescribeInstanceAttribute can read it, and so can any process on the instance via the instance metadata service, so never embed credentials in it.

Page 19:

Demo - User Data, let's automate the world.

Page 20:

EC2 Launch Types: which one should I use?

• EC2 - On Demand
  • Pay for what you use.
  • Billed per second with a 60-second minimum (Linux instances).
  • Costliest option, but no commitment and no upfront payment.
  • Will not be interrupted by AWS (unlike Spot).

Page 21:

EC2 Launch Type 2 - EC2 Reserved Instances

• Up to ~75% cheaper than On-Demand.
• But a commitment, usually with upfront payment (all-upfront, partial-upfront or no-upfront).
• Term of 1 or 3 years.
• The reservation is made against a particular instance type (what an instance type is comes later in this section).
• Good for predictable, steady-state workloads.
• Sub-categories:
  • Convertible Reserved Instances - the instance type can be changed during the term.
  • Scheduled Reserved Instances - reserved for a recurring window (day, time, week).

Page 22:

EC2 Launch Type 3 - EC2 Spot Instances

• You state the maximum price you are willing to pay (originally a bid); instances are allocated based on price and spare capacity.
• Can be up to 90% cheaper than On-Demand.
• Can be reclaimed at any time when the Spot price rises above your maximum (or AWS needs the capacity back), with a 2-minute interruption warning.
• Once reclaimed, data stored on the instance itself is gone; persist anything you need to EBS or S3.
• Good for data processing and big data queries, not for important or critical applications.

Page 23:

EC2 Launch Type 4 - EC2 Dedicated Hosts

• Expensive.
• For companies or scenarios with strong compliance or data regulation requirements.
• You get a physical server dedicated to you.
• Visibility into the server's sockets and physical cores, which matters for licences bound to sockets/cores (bring your own licence).
• Dedicated Instances (see the agenda) also run on single-tenant hardware, but without that host-level visibility or placement control.

Page 24:

Elastic Load Balancer (ELB)

Page 25:

Section Agenda

• Scalability
  • Vertical
  • Horizontal
• High Availability
• Taking EC2 into consideration
  • Scalability: ASG, Load Balancer
  • High Availability: LB multi-AZ, ASG multi-AZ

Page 26:

Load Balancer

• Single DNS entry point for clients
• Handles backend failure
• Health checks
• SSL/TLS termination (HTTPS terminated at the load balancer)
• Stickiness via cookies
• High availability across zones
• Spreads load across zones

Page 27:

Kinds of ELBs

• AWS offers 3 kinds of ELB (at the time of this deck):
  • Application Load Balancer (ALB)
  • Network Load Balancer (NLB)
  • Classic Load Balancer (CLB)
• The Classic Load Balancer is the previous generation and its use is discouraged for new deployments.

Page 28:

ALB

• Layer 7 (HTTP/HTTPS) load balancer
• Load balancing to multiple HTTP endpoints (target groups)
• Container load balancing
• Routing based on path, e.g. /home, /newhome, /oldhome
• Routing based on hostname
• Best for Docker-based applications and ECS
• Port mapping can be used to route to a dynamic container port
• Supports HTTP, HTTPS and the WebSocket protocol

Page 29:

• Stickiness
  • Consider User 1, who has items in his shopping cart, and the cart is persisted on EC2-A. When his next request is routed to EC2-B, that instance has no information about User 1's cart. Stickiness pins a client to the same backend (via a cookie) so this does not happen.

Page 30:

DEMO - ELB/ALB + SG

Page 31:

Auto Scaling Group - ASG

• What will you do if load increases on your application?
• Will you create instances of the application yourself?
• Or schedule a job to do so?
• What if the application scaled all by itself? Magic?

Page 32:

Page 33:

Demo - ASG

Page 34:

Virtual Private Cloud - VPC: the cloud enabler

Page 35:

A picture is worth a thousand words!

Page 36:

VPC

• Subnets
  • Public
  • Private
• IGW
• Route Tables
• NACL
• SG - revisited
• NAT Gateways
• Bastion Host

Page 37:

IP

• Public IP - unique across the whole Internet.
• Private IP - only unique within its own network; the private ranges are reused by everyone.
• CIDR representation
• Default VPC
• Create one VPC from the ground up.

Page 38:

Classless Inter-Domain Routing - CIDR

• Base IP - an IP from the range, usually the first one (the network address).
• Prefix length (/n, the subnet mask) - the number of leading bits that are fixed; the remaining 32 - n bits can change within the block.
• x.x.x.x/32 = 2^0 = 1 IP
• x.x.x.x/30 = 2^2 = 4 IPs
• x.x.x.x/26 = 2^6 = 64 IPs
• x.x.x.x/20 = 2^12 = …
• Available private IP ranges (RFC 1918):
  • 10.0.0.0 to 10.255.255.255 -> 10.0.0.0/8
  • 172.16.0.0 to 172.31.255.255 -> 172.16.0.0/12
  • 192.168.0.0 to 192.168.255.255 -> 192.168.0.0/16

Notation example from the slide: 123.234.567.012/32 (not a real address: an octet cannot exceed 255, so 567 is invalid).

Page 39:

Subnets

Page 40:

• AWS reserves 5 IPs in each subnet (the first four and the last one).
• Reserved IPs are not available for use in the subnet.
• With subnet CIDR 192.168.0.0/16 the reserved IPs would be:
  • 192.168.0.0 - network address
  • 192.168.0.1 - VPC router
  • 192.168.0.2 - DNS resolver
  • 192.168.0.3 - reserved by AWS for future use
  • 192.168.255.255 - broadcast address; VPCs do not support broadcast, but the address is still reserved
• The reservation is per subnet, not per VPC: a /24 subnet (256 addresses) has 251 usable addresses, and the smallest subnet AWS allows, a /28 (16 addresses), has 11.
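The CIDR arithmetic from Page 38 and the per-subnet reservation rule from Page 40, as an added example written for this page (not code from the deck). It uses only Python's standard ipaddress module. The VPC block 10.0.0.0/16 and the subnets are made up; the /16 to /28 size limits and the five reserved offsets are AWS's documented VPC rules. The validator also shows why the slide's 123.234.567.012/32 is rejected.

```python
import ipaddress

# The 5 addresses AWS reserves in every subnet: offsets 0-3 plus the last one.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "DNS resolver",
    3: "reserved by AWS for future use",
}
# RFC 1918 private ranges, as listed on the slide.
RFC1918 = [ipaddress.IPv4Network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_valid_cidr(text):
    """Strict parse: rejects octets above 255 (e.g. 567) and base IPs with host bits set."""
    try:
        ipaddress.IPv4Network(text, strict=True)
        return True
    except ValueError:
        return False


def address_count(prefix_len):
    """Number of addresses in a /prefix_len block: 2 ** (32 - prefix_len)."""
    return 2 ** (32 - prefix_len)


def reserved_addresses(subnet_cidr):
    """Map each reserved address of a subnet to the reason it is reserved."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    reserved = {str(net.network_address + off): why
                for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "broadcast (unsupported in a VPC, still reserved)"
    return reserved


def usable_addresses(subnet_cidr):
    """Addresses you can actually assign: block size minus the 5 AWS keeps."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    return net.num_addresses - len(RESERVED_OFFSETS) - 1


def in_rfc1918(cidr):
    """True if the whole block lies inside one of the private ranges."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def validate_subnet(vpc_cidr, subnet_cidr, existing_subnets=()):
    """Checks worth running before creating a subnet. Returns a list of problems (empty = OK)."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    sub = ipaddress.IPv4Network(subnet_cidr, strict=True)
    problems = []
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    if not 16 <= sub.prefixlen <= 28:
        problems.append(f"subnet {sub} must be between /16 and /28")
    if not sub.subnet_of(vpc):
        problems.append(f"subnet {sub} is not inside VPC block {vpc}")
    for other in existing_subnets:
        other_net = ipaddress.IPv4Network(other, strict=True)
        if sub.overlaps(other_net):
            problems.append(f"subnet {sub} overlaps existing subnet {other_net}")
    return problems


if __name__ == "__main__":
    for prefix in (32, 30, 26, 20):
        print(f"/{prefix}: {address_count(prefix)} addresses")
    for addr, why in reserved_addresses("192.168.0.0/16").items():
        print(f"{addr:18} {why}")
    print("usable in 10.0.1.0/24:", usable_addresses("10.0.1.0/24"))
    print("slide example valid?", is_valid_cidr("123.234.567.012/32"))
    print(validate_subnet("10.0.0.0/16", "10.0.1.128/25", ["10.0.1.0/24"]))
```

The overlap and containment checks are the ones the console enforces for you; the point of having them in code is that infrastructure-as-code pipelines can fail fast on a bad plan instead of at apply time.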

Page 41:

Internet Gateway (IGW)

Page 42:

• Provides Internet connectivity to the instances/resources in a subnet.
• Highly available and scales automatically (AWS managed).
• Not created automatically with a custom VPC (the default VPC comes with one).
• 1 VPC <=> 1 IGW: a VPC can have at most one IGW, and an IGW attaches to at most one VPC.
• Attaching an IGW alone does not make a subnet public: the subnet's route table needs a 0.0.0.0/0 route to the IGW, and the instance needs a public or Elastic IP.

Page 43:

Route Table

Page 44:

NAT Gateway

Page 45:

NACL + SG

Page 46:

Incoming Request

Page 47:

Outgoing Request

Page 48:

• NACLs are subnet level.
• Each subnet is associated with exactly one NACL; one NACL can be associated with many subnets.
• Default NACL - ALL traffic allowed.
• A NEWLY created custom NACL - NO traffic allowed.
• Uses rules to allow/deny traffic.
• Rules have a number associated with them.
• The lower the number, the higher the precedence: rules are evaluated in ascending order and the first match wins.
• The fallback/last rule is *, which denies everything that no rule above matched.
• NACLs are stateless: inbound and outbound are evaluated separately, so replies to allowed inbound connections need an outbound rule for the ephemeral port range (1024-65535), and vice versa.
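A simulation of the stateful Security Group from Page 16 and the stateless, numbered NACL from this page, added as an example for this deck (it is not AWS code and models only the parts of the evaluation the slides describe). Client addresses come from the RFC 5737 documentation ranges and the server address 10.0.1.10 is made up. The interesting case is FORGOT_EPHEMERAL_NACL: the request gets in, but the reply is dropped because the NACL has no outbound rule for the client's ephemeral port, while the SG lets the same reply through because it tracked the connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "in" (towards the instance) or "out" (from the instance)


def _peer_matches(pkt, cidr, lo, hi):
    """A rule names the remote side: the source for inbound, the destination for outbound."""
    peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and lo <= pkt.dst_port <= hi


class SecurityGroup:
    """Stateful, allow-only. Default: no inbound rules (everything blocked),
    one outbound rule allowing everything. Replies to a tracked flow pass
    without needing a rule in the opposite direction."""

    def __init__(self, inbound=(), outbound=(("0.0.0.0/0", 0, 65535),)):
        self.inbound = list(inbound)      # (cidr, port_lo, port_hi)
        self.outbound = list(outbound)
        self._flows = set()               # (src_ip, src_port, dst_ip, dst_port)

    def allows(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._flows:
            return True                   # reply to an already-allowed connection
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(_peer_matches(pkt, *rule) for rule in rules):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


class NetworkAcl:
    """Stateless numbered rules: lowest number first, first match wins,
    the trailing '*' rule denies. In and out are evaluated independently."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # (number, cidr, port_lo, port_hi, "allow"|"deny")
        self.outbound = sorted(outbound)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _number, cidr, lo, hi, action in rules:
            if _peer_matches(pkt, cidr, lo, hi):
                return action == "allow"
        return False                      # the implicit '*' deny


def http_round_trip(nacl, sg, client_ip, server_ip, client_port=49152):
    """Walk an HTTP request and its reply through the subnet NACL and the
    instance SG in the order AWS applies them. Returns (request_ok, reply_ok, blocker)."""
    request = Packet(client_ip, server_ip, client_port, 80, "in")
    reply = Packet(server_ip, client_ip, 80, client_port, "out")
    for name, filt in (("nacl-in", nacl), ("sg-in", sg)):
        if not filt.allows(request):
            return False, False, name
    for name, filt in (("sg-out", sg), ("nacl-out", nacl)):
        if not filt.allows(reply):
            return True, False, name
    return True, True, None


# Constructed sample rule sets (addresses from the RFC 5737 documentation ranges).
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)])
LOCKED_SG = SecurityGroup()               # the AWS default: nothing inbound
OPEN_NACL = NetworkAcl(                   # the default NACL: allow all both ways
    inbound=[(100, "0.0.0.0/0", 0, 65535, "allow")],
    outbound=[(100, "0.0.0.0/0", 0, 65535, "allow")])
FORGOT_EPHEMERAL_NACL = NetworkAcl(       # common mistake: replies go to client ports, not 80
    inbound=[(100, "0.0.0.0/0", 80, 80, "allow")],
    outbound=[(100, "0.0.0.0/0", 80, 80, "allow")])
HARDENED_NACL = NetworkAcl(
    inbound=[(90, "203.0.113.0/24", 80, 80, "deny"),   # lower number wins over rule 100
             (100, "0.0.0.0/0", 80, 80, "allow")],
    outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])

if __name__ == "__main__":
    server = "10.0.1.10"
    print("default NACL + web SG:   ", http_round_trip(OPEN_NACL, WEB_SG, "198.51.100.7", server))
    print("no ephemeral rule:       ", http_round_trip(FORGOT_EPHEMERAL_NACL, WEB_SG, "198.51.100.7", server))
    print("hardened, normal client: ", http_round_trip(HARDENED_NACL, WEB_SG, "198.51.100.7", server))
    print("hardened, blocked range: ", http_round_trip(HARDENED_NACL, WEB_SG, "203.0.113.9", server))
    print("default SG (no inbound): ", http_round_trip(OPEN_NACL, LOCKED_SG, "198.51.100.7", server))
```

The deny-before-allow ordering in HARDENED_NACL is the one thing a NACL can do that an SG cannot: block a specific source range while still allowing the rest of the Internet.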

Page 49:

NACL vs SG

• SG: instance level, stateful, allow rules only, all rules are considered before deciding.
• NACL: subnet level, stateless, allow and deny rules, evaluated in number order with the first match winning.

Page 50:

Simple Storage Service - S3

Page 51:

S3

• Buckets & Objects
• Versioning
• Security and Encryption
• Consistency models
• Let's build our website
• CORS

Page 52:

• S3 is object-based storage.
• An OS can't be installed on it (it is not a block device; that is what EBS is for).
• Objects live inside buckets.
• Bucket names are unique across the whole AWS universe (all accounts, all regions).
• Buckets are created at region level.
• Naming convention:
  • NO uppercase
  • NO underscore
  • Min 3 characters, max 63
  • Start with a lowercase letter or number

Page 53:

Demo - S3

Page 54:

• It's a key-value store.
• There are no directories! Yeah, no folders: what the console shows as folders are just key prefixes.
• What's the max size of an object? 5 TB. A single PUT is limited to 5 GB, so larger objects must be uploaded with multipart upload.
• The path part of the object URL is the key.

Page 55:

Versioning

• S3 objects can be versioned.
• It is enabled at bucket level.
• What is a null version? The version ID of objects written before versioning was enabled (or while it is suspended); they keep the ID "null" alongside the later versions.
• What is a delete marker? A placeholder that a plain DELETE inserts as the newest version of a versioned object; the object looks deleted, but every previous version is still there until it is deleted by version ID.
• Versioning protects against unintended deletes and overwrites: remove the delete marker and the object is back.
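The null version and delete marker behaviour above, as an added example for this deck: a small in-memory model of S3 versioning semantics, not S3 itself and not code from the slides. Object keys and bodies are made up. It shows that a plain DELETE on a versioned bucket destroys nothing, and that the only way to lose data is a DELETE that names a version ID.

```python
DELETE_MARKER = object()   # sentinel standing in for an S3 delete marker


class VersionedBucket:
    """Toy model of S3 versioning (added example). Each key maps to a list
    of (version_id, body) with the newest version last."""

    def __init__(self):
        self.versioning_enabled = False
        self._versions = {}
        self._counter = 0

    def enable_versioning(self):
        self.versioning_enabled = True

    def _new_id(self):
        self._counter += 1
        return f"v{self._counter}"

    def put(self, key, body):
        """Unversioned bucket: overwrite in place, the version id is literally 'null'.
        Versioned bucket: add a new version; older ones (including 'null') stay."""
        if not self.versioning_enabled:
            self._versions[key] = [("null", body)]
            return "null"
        version_id = self._new_id()
        self._versions.setdefault(key, []).append((version_id, body))
        return version_id

    def get(self, key, version_id=None):
        """GET without a version id returns the current version; if the current
        version is a delete marker the object is reported as not found (404)."""
        versions = self._versions.get(key, [])
        matches = [v for v in versions if version_id is None or v[0] == version_id]
        if not matches or matches[-1][1] is DELETE_MARKER:
            raise KeyError(f"{key}: not found")
        return matches[-1][1]

    def delete(self, key, version_id=None):
        """A plain DELETE on a versioned bucket removes no data: it appends a
        delete marker as the new current version and returns the marker's id.
        DELETE with a version id permanently removes that version; deleting
        the marker itself is how you undelete."""
        versions = self._versions.get(key, [])
        if version_id is None:
            if not self.versioning_enabled:
                self._versions.pop(key, None)     # unversioned: really gone
                return None
            marker_id = self._new_id()
            self._versions.setdefault(key, []).append((marker_id, DELETE_MARKER))
            return marker_id
        remaining = [v for v in versions if v[0] != version_id]
        if remaining:
            self._versions[key] = remaining
        else:
            self._versions.pop(key, None)
        return version_id

    def list_versions(self, key):
        """Newest first, like ListObjectVersions."""
        return [(vid, "delete-marker" if body is DELETE_MARKER else "object")
                for vid, body in reversed(self._versions.get(key, []))]


def restore_after_accidental_delete():
    """Walk-through: write, enable versioning, overwrite, 'delete', then
    recover by removing the delete marker. Returns True when the recovery worked."""
    bucket = VersionedBucket()
    bucket.put("index.html", "v0 (written before versioning)")   # becomes the null version
    bucket.enable_versioning()
    bucket.put("index.html", "v1")
    marker = bucket.delete("index.html")              # object now looks deleted
    try:
        bucket.get("index.html")
        return False
    except KeyError:
        pass
    bucket.delete("index.html", version_id=marker)    # remove the marker = undelete
    return bucket.get("index.html") == "v1"


if __name__ == "__main__":
    print("recovered:", restore_after_accidental_delete())
```

Because a version-specific DELETE is irreversible, least-privilege policies for application roles normally grant s3:DeleteObject but withhold s3:DeleteObjectVersion; MFA Delete is the bucket-level control for the same risk.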

Page 56:

Security - S3

• Resource based
  • Bucket Access Control List
  • Object Access Control List
  • Bucket Policy document
• User based
  • IAM policies
• Whatever these grant, the account- and bucket-level Block Public Access settings can override any public grant.

Page 57:

S3 Bucket Policy

• JSON-based policy document containing:
  • Resource - buckets and objects (ARNs)
  • Action - the set of API calls to allow or deny
  • Effect - Allow/Deny
  • Principal - the account or user to which the policy applies
  • Condition (optional) - extra checks on the request, e.g. the encryption header
• Bucket policies are used for:
  • Public access to a bucket
  • Forcing encryption at upload time
  • Cross-account access
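The JSON policy language from Pages 10 and 11 and the bucket policy uses listed above (public read, forced encryption at upload, cross-account access), as one added example for this deck. The evaluator is written for this page and is not AWS's implementation: it models the documented outcome (explicit Deny wins, otherwise an Allow is needed, otherwise implicit Deny) with '*' wildcards and three condition operators. The bucket name example-site-bucket and account ID 111122223333 are made up, and the policy is a constructed sample rather than one from the slides.

```python
import fnmatch
import json

# Constructed sample bucket policy: bucket name and account id are made up.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-site-bucket/*"},
    {"Sid": "CrossAccountWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-site-bucket",
                  "arn:aws:s3:::example-site-bucket/*"]},
    {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-site-bucket/*",
     "Condition": {"StringNotEquals":
                   {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-site-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """'*' is anyone (anonymous included); {"AWS": [...]} names specific
    principals; no Principal at all means an identity-based IAM policy,
    which applies to whoever it is attached to."""
    spec = statement.get("Principal", "*")
    if spec == "*":
        return True
    return principal_arn in _as_list(spec.get("AWS", []))


def _condition_matches(statement, context):
    """StringEquals / StringNotEquals / Null only. In this toy a key absent
    from the request context never satisfies a String operator; the Null
    operator is what tests for presence or absence of a key."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policy, principal_arn, action, resource, context=None):
    """IAM evaluation order: an explicit Deny in any matching statement wins,
    otherwise some matching Allow is required, otherwise implicit Deny."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _principal_matches(statement, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(statement["Resource"])):
            continue
        if not _condition_matches(statement, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-site-bucket/index.html"
    partner = "arn:aws:iam::111122223333:root"
    print("anonymous GET:        ", evaluate(BUCKET_POLICY, "anonymous", "s3:GetObject", obj))
    print("partner PUT, no header:", evaluate(BUCKET_POLICY, partner, "s3:PutObject", obj))
    print("partner PUT, AES256:   ", evaluate(BUCKET_POLICY, partner, "s3:PutObject", obj,
                                              {"s3:x-amz-server-side-encryption": "AES256"}))
```

The two Deny statements are the common AWS pattern for forcing encryption: one rejects a wrong header value and the other rejects a missing header, so an upload passes only when it explicitly asks for AES256.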

Page 58:

S3 - Static Website