AWS Startup 2020 - AMIS

Slide 1

Slide 1 text

Slide 2

Slide 2 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. About Me ⽩凱仁(Kyle Bai) • SRE at AMIS/MaiCoin. • AWS Container Hero. • OSS Contributor. • Co-organizer of Cloud Native Taiwan User Group. • Interested in emerging technologies. GitHub: kairen(k2r2.bai@gmail.com) Blog: https://k2r2bai.com

Slide 3

Slide 3 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AMIS 帳聯網路科技 Driving The Decentralized Future AMIS is a financial technology company creating bonds between traditional and decentralized worlds. We provide security and accessibility for blockchains as well as crypto currencies. With us, our customers are able to adopt blockchain technology with ease and confidence. Building bonds between traditional and decentralized ﬁnances https://www.am.is/

Slide 4

Slide 4 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AMIS + MaiCoin Group Relationship MAX Digital Asset Exchange MaiCoin AMIS Provide blockchain tech and Digital asset custody

Slide 5

Slide 5 text

Slide 6

Slide 6 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AMIS Quick Summary • Integrated Fintech Product Development, Financial Services & Advisory Company. • Sister Company of MaiCoin. (Taiwan’s longest running digital asset platform & brokerage service since 2014) • Developed technology for the MAX Digital Asset Exchange. (launched 2018 as leading full-function, global exchange w/ crypto-crypto & NTD-crypto trading). (asset custody) • Core Blockchain Tech Developer for corporations and major institutions. (JP Morgan’s Ethereum blockchain platform ‘Quorum’ adopted AMIS developed IBFT / Fault Tolerance Consensus Algorithm in 2017) • Founding member of the Ethereum Enterprise Alliance.

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Vishwakarma: Self-Hosted on AWS • Terraform modules to setup self-hosting Kubernetes cluster on AWS. • Can customize anything. • Align company compliance. • Cost: Clusters have different topology. • Infrastructure-as-code (IaC). • Versioning infrastructure. • Reusable modules. • With default and customized ASG. • YOU NEED TO MAINTAIN ANYTHING. • Github: https://github.com/getamis/vishwakarma • https://github.com/getamis/terraform-ignition-kubernetes • https://github.com/getamis/terraform-ignition-etcd

Slide 16

Slide 16 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Elastic Kubernetes Service(EKS) • Easier to create and manage. • No Control Plane to manage. • Auto Repairing / Patching of Control Plane Nodes. • Some reduction of user management requirements during node version patching/ upgrades by draining nodes of pods and replacing them. • Kubernetes assets can integrate seamlessly with AWS services using EKS. • ... AWS Managed (Control Plane) Customer Account (Worker Nodes)

Slide 17

Slide 17 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS EKS Amazon EC2 Auto Scaling Availability Zone 1 NAT gateway Auto Scaling group Worker Node Worker Node Availability Zone 1 NAT gateway Auto Scaling group Worker Node Worker Node AWS Fargate

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. ALB Ingress Controller Kubernetes Cluster kube-apiserver Update status Watch changes ALB Ingress Controller Pod B Pod A Pod B Pod A Pod C Pod D Pod B Pod A Pod C Pod D NP: A NP: B NP: A NP: B NP: A NP: B NP: Node Port Target Group: Service A (mode instance) Target Group: Service B (mode instance) Target Group: Service C (mode IP) Application Load Balancer Rule: /* Rule: /products Rule: /accounts Listener: HTTP Listener: HTTPS AWS Resources

Slide 21

Slide 21 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS VPC CNI ec.associatedAddress() CNI VPC Subnet: 10.0.0.0/24 instance 1 instance 2 Nginx Pod (Veth IP: 10.0.0.1) Java Pod (Veth IP: 10.0.0.2) ENI Secondary IPs: 10.0.0.1 10.0.02 Secondary IPs: 10.0.0.20 10.0.021 ENI CNI Nginx Pod (Veth IP: 10.0.0.20) Java Pod (Veth IP: 10.0.0.21) VPC

Slide 22

Slide 22 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Authenticator 1: Generate signed STS URL 2: Pass AWS identity 3: Verity AWS identity 4: Kubernetes action allowed / denied Kubernetes Master API Role Base Access Control(RBAC)

Slide 23

Slide 23 text

@k2r2bai © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Roles for Service Accounts(IRSA) Pod Identity Webhook kube-apiserver Apps IAM Roles (Apps roles) inject call pull AWS Resources S3 bucket (Discovery endpoint) ECR OpenID Connect Provider assume Kubernetes

Slide 24

Slide 24 text