Slide 1

Slide 1 text

Java Vienna, JSUG
AWS Deployment Mechanics
Philipp Krenn @xeraa

Slide 2

Slide 2 text

ViennaDB
Papers We Love Vienna

Slide 3

Slide 3 text

Electronic Data Interchange (EDI)
Automated exchange of B2B documents

Slide 4

Slide 4 text

Outline
Basics
Overview
Demo
Hands On
Our Setup

Slide 5

Slide 5 text

It's the future...
Everybody's using it...

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

Region + Availability Zone
eu-central-1
eu-central-1a and eu-central-1b
AZ different per account

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

$ ec2-describe-availability-zones --region us-east-1
AVAILABILITYZONE us-east-1a available us-east-1
AVAILABILITYZONE us-east-1b available us-east-1
AVAILABILITYZONE us-east-1c available us-east-1
AVAILABILITYZONE us-east-1d available us-east-1
AVAILABILITYZONE us-east-1e available us-east-1

Slide 13

Slide 13 text

SLA: Uptime
More than one AZ
Reboots, failed instances, ... not covered
http://aws.amazon.com/ec2/sla/

Slide 14

Slide 14 text

AWS Management Console: Demo
https://console.aws.amazon.com (root account)
https://.signin.aws.amazon.com/console (IAM user)

Slide 15

Slide 15 text

EC2
Elastic Compute Cloud

Slide 16

Slide 16 text

Features
Xen: Host server + Hypervisor + Guests
Linux, Windows
Intel only, now custom built

Slide 17

Slide 17 text

Every day, AWS adds enough new server capacity to support all of Amazon's global infrastructure when it was a $7B enterprise.
— http://www.slideshare.net/AmazonWebServices/intro

Slide 18

Slide 18 text

Instance type: c4.large
c: Instance family
4: Instance generation
large: Instance size

Slide 19

Slide 19 text

Families & Generations
General purpose: M3, M4
Compute optimized: C3, C4
Memory optimized: R3
Dense storage: D2
I/O optimized: I2

Slide 20

Slide 20 text

Families & Generations
GPU: G2
Bursty: T2
Old instances: T1, M1, C1, CC2, M2, CR1, CG1, HS1, HI1
https://aws.amazon.com/ec2/instance-types/

Slide 21

Slide 21 text

Storage
Instance storage (locally attached)
Elastic Block Storage (EBS): General purpose (SSD), Provisioned IOPS (SSD), Magnetic
Elastic File System (EFS)

Slide 22

Slide 22 text

Demo

Slide 23

Slide 23 text

EBS Limitations
Single instance usage
Data on multiple instances but single AZ
Main cause of outages in the past

Slide 24

Slide 24 text

EBS Tip
If it doesn't boot, attach it to a working instance

Slide 25

Slide 25 text

Volumes
Snapshots
Amazon Machine Image (AMI)

Slide 26

Slide 26 text

On Demand: per hour
Reserved: no / partial / all upfront, 1 or 3 years, low / medium / high utilization
Spot: bidding

Slide 27

Slide 27 text

Auto Scaling Group (ASG)
Start / stop instances based on time or load
Very expensive mistakes

Slide 28

Slide 28 text

ASG Limitations
Not instant
Does your database, cache, ... scale as well?

Slide 29

Slide 29 text

ASG Usage
Define AMI
Fetch current build on boot
Also used for single instances?

Slide 30

Slide 30 text

Elastic Load Balancers (ELB)
Load distribution
Detects available instances
SSL termination

Slide 31

Slide 31 text

ELB Internals
Round Robin or Session Stickiness
TCP ports: 25, 80, 443, and 1024-65535

Slide 32

Slide 32 text

ELB Limitations
No static IP
Single region
Single certificate <= 2KB
No 500 pages

Slide 33

Slide 33 text

ELB Tips
Support can configure timeouts
Configure logs (S3)
Warm up
Prefer Round Robin

Slide 34

Slide 34 text

ELB Tips
SSL configuration
https://wiki.mozilla.org/Security/Server_Side_TLS

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

Elastic IPs (EIP)
Quicker to switch than DNS
Firewall rules

Slide 37

Slide 37 text

EIP Limitations
Default 5 per region
Bound to a region and EC2-Classic / VPC
No tags
Too easy to release

Slide 38

Slide 38 text

Tip
m1.large != m1.large — generations matter
$ grep 'model name' /proc/cpuinfo

Slide 39

Slide 39 text

Experience
Instances get stuck (mostly bad hardware)
Instances break
Noisy neighbors

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

VPC
Virtual Private Cloud

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Features
Custom route table (private subnet)
Internet Gateway (public subnet)
NAT instance / bastion host (private subnet)
Network ACL: subnet, allow / deny, stateless

Slide 45

Slide 45 text

10.0.0.0/16 - Production
  10.0.0.0/18 - AZ A
    10.0.0.0/20 - Private (4094 addresses)
    10.0.16.0/20 - Public
    10.0.32.0/20 - Spare
    10.0.48.0/20 - Spare
  10.0.64.0/18 - AZ B
    10.0.64.0/20 - Private
    10.0.80.0/20 - Public
    10.0.96.0/20 - Spare
    10.0.112.0/20 - Spare
  10.0.128.0/18 - Spare
  10.0.192.0/18 - Spare
10.1.0.0/16 - Development
10.2.0.0/16 - Stage

Slide 46

Slide 46 text

Limitations
VPC IP ranges cannot be changed
Networks can be /16 to /28
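Because the VPC range cannot be changed once it is created, a plan like the one on slide 45 is worth checking before it is applied. The following Python is an added example, not tooling from the talk or from AWS: it encodes the production plan (the nested dictionary layout is this example's own assumption), verifies that every subnet lies inside its AZ block and the VPC, that sibling blocks do not overlap, that prefix lengths stay within the /16 to /28 limit from slide 46, and that the VPC does not collide with the development and stage VPCs.

```python
import ipaddress

# Constructed from the talk's production subnet plan (slide 45); the nested
# dict layout and the check functions are this example's own, not AWS tooling.
PRODUCTION_VPC = "10.0.0.0/16"
PRODUCTION_PLAN = {
    "10.0.0.0/18": {                      # AZ A
        "10.0.0.0/20": "private",
        "10.0.16.0/20": "public",
        "10.0.32.0/20": "spare",
        "10.0.48.0/20": "spare",
    },
    "10.0.64.0/18": {                     # AZ B
        "10.0.64.0/20": "private",
        "10.0.80.0/20": "public",
        "10.0.96.0/20": "spare",
        "10.0.112.0/20": "spare",
    },
    "10.0.128.0/18": {},                  # spare
    "10.0.192.0/18": {},                  # spare
}
OTHER_VPCS = {"10.1.0.0/16": "development", "10.2.0.0/16": "stage"}

MIN_PREFIX, MAX_PREFIX = 16, 28           # slide 46: networks can be /16 to /28


def host_addresses(cidr):
    """Addresses in a block minus network and broadcast (the slide's 4094 for a /20)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def _pairwise_overlaps(networks):
    """Yield (a, b) for every pair of networks in the list that overlap."""
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.overlaps(b):
                yield a, b


def check_plan(vpc_cidr, plan, other_vpcs=()):
    """Return a list of problems with the plan; an empty list means it is sound.

    Checks: every block fits its parent, prefixes stay within /16../28,
    siblings do not overlap, and the VPC does not collide with other VPCs
    (important because the VPC range cannot be changed afterwards).
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"{vpc}: VPC prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    for other in other_vpcs:
        if vpc.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{vpc} overlaps other VPC {other}")

    az_blocks = []
    for az_cidr, subnets in plan.items():
        az = ipaddress.ip_network(az_cidr)
        az_blocks.append(az)
        if not az.subnet_of(vpc):
            problems.append(f"{az} is not inside VPC {vpc}")
        subs = [ipaddress.ip_network(s) for s in subnets]
        for sub in subs:
            if not sub.subnet_of(az):
                problems.append(f"{sub} is not inside its AZ block {az}")
            if not MIN_PREFIX <= sub.prefixlen <= MAX_PREFIX:
                problems.append(f"{sub}: subnets can only be /{MIN_PREFIX} to /{MAX_PREFIX}")
        for a, b in _pairwise_overlaps(subs):
            problems.append(f"{a} overlaps sibling subnet {b}")
    for a, b in _pairwise_overlaps(az_blocks):
        problems.append(f"{a} overlaps sibling AZ block {b}")
    return problems


if __name__ == "__main__":
    print("/20 host addresses:", host_addresses("10.0.0.0/20"))
    print("problems:", check_plan(PRODUCTION_VPC, PRODUCTION_PLAN, OTHER_VPCS) or "none")
```

Run it before `CreateVpc`/`CreateSubnet`: a clean plan returns no problems, and a plan that squeezes a /30 in or reuses a block in two AZs is reported line by line instead of being discovered after the VPC exists.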

Slide 47

Slide 47 text

Route53

Slide 48

Slide 48 text

Features
DNS
Location awareness
Health checks
API (Boto)

Slide 49

Slide 49 text

Use
Instances update their CNAME on start

    #!/bin/bash
    # Add to /etc/rc.local
    # Requires Boto (provides the route53 command-line tool)
    # Public hostname of this instance, read from the EC2 metadata service
    DNS_ADDRESS="$(ec2metadata | grep 'public-hostname:' | cut -d ' ' -f 2)"
    # Point the record at this instance with a 300 second TTL
    /usr/local/bin/route53 change_record xxx.ecosio.com. CNAME "$DNS_ADDRESS" 300

Slide 50

Slide 50 text

ELB Alternative
TCP + UDP, any port, direct resolution
(Weighted) Round Robin
Failover health checks
Cheaper
No SSL termination

Slide 51

Slide 51 text

S3
Simple Storage Service

Slide 52

Slide 52 text

Concepts
Bucket
Object

Slide 53

Slide 53 text

Guarantees
99.999999999% durability
99.99% availability/year

Slide 54

Slide 54 text

Features
Highly reliable
Relatively cheap
Host static sites (XML schema)
Reduced Redundancy S3
Logging

Slide 55

Slide 55 text

Demo

Slide 56

Slide 56 text

Tip
It's not a good (private) Maven repo
Parent POM / plugin, access control, snapshot cleanup, ...

Slide 57

Slide 57 text

Misc Services

Slide 58

Slide 58 text

RDS
Relational Database Service

Slide 59

Slide 59 text

Features
MySQL, Oracle, SQL Server, or PostgreSQL
Replication
Read Replicas

Slide 60

Slide 60 text

Limitations
Some permissions not available
No filesystem operations (XtraBackup)
Backups are totally opaque

Slide 61

Slide 61 text

Tip
Point in time recovery

Slide 62

Slide 62 text

Tip
Failover via DNS — up to 5min
c3p0
Hard to test

Slide 63

Slide 63 text

Aurora

Slide 64

Slide 64 text

ElastiCache

Slide 65

Slide 65 text

Features
memcached and Redis
213MB to 237GB

Slide 66

Slide 66 text

Limitations
No authentication
Custom memcached client
Fork of Spymemcached maintained by @daschl

Slide 67

Slide 67 text

SQS
Simple Queue Service

Slide 68

Slide 68 text

Features
Powerful queue (DLQ, batches)
Not JMS

Slide 69

Slide 69 text

Limitations
At least once
Messages < 256KB

Slide 70

Slide 70 text

Monitoring

Slide 71

Slide 71 text

CloudWatch

Slide 72

Slide 72 text

Features
EC2 (CPU, network, ...)
RDS (replica lag, free disk space, ...)
ELB (>= 1 healthy instance)

Slide 73

Slide 73 text

Limitations
No RAM on EC2
Sometimes bogus alerts

Slide 74

Slide 74 text

Usage
EC2: CPU > 70%, incoming network > 5Mbit/s, any failure
RDS: Free disk, replica lag, connections
ELB: Healthy instances >= 1

Slide 75

Slide 75 text

NewRelic

Slide 76

Slide 76 text

Features
Middle tier free on AWS
Many programming languages and infrastructure

Slide 77

Slide 77 text

Limitations
Web application centric
Bogus alerts
Plugins are useless

Slide 78

Slide 78 text

Usage
Pinger
Pingdom for important services
Disk space monitor

Slide 79

Slide 79 text

LogEntries

Slide 80

Slide 80 text

Features
Logback appender
Instance monitoring
Analytics of AWS logs
Alerts

Slide 81

Slide 81 text

Limitations
No aggregated reports (Papertrail)

Slide 82

Slide 82 text

OpsGenie

Slide 83

Slide 83 text

Features
Cheaper than PagerDuty
Reliable
Many integrations

Slide 84

Slide 84 text

Usage
CloudWatch: Any EC2 instance failure on production
CloudWatch: All RDS production metrics
Pingdom integration

Slide 85

Slide 85 text

Security

Slide 86

Slide 86 text

No content

Slide 87

Slide 87 text

No content

Slide 88

Slide 88 text

[...] our data, backups, machine configurations and offsite backups were either partially or completely deleted.
— http://www.codespaces.com

Slide 89

Slide 89 text

No content

Slide 90

Slide 90 text

The person(s) used our account to order hundreds of expensive servers, likely to mine Bitcoin or other cryptocurrencies.
— http://blog.drawquest.com

Slide 91

Slide 91 text

No content

Slide 92

Slide 92 text

This outage was the result of an attack on our systems using a compromised API key.
— http://status.bonsai.io/incidents/qt70mqtjbf0s

Slide 93

Slide 93 text

No content

Slide 94

Slide 94 text

Lock away your root account and never use it

Slide 95

Slide 95 text

Always use IAM
Identity and Access Management

Slide 96

Slide 96 text

Create an IAM user for every service or action

Slide 97

Slide 97 text

Use groups to manage permissions for users

Slide 98

Slide 98 text

Lock users and groups down as much as possible

Slide 99

Slide 99 text

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::com.example.backup/*"
        }
      ]
    }

Slide 100

Slide 100 text

Strong password

Slide 101

Slide 101 text

http://xkcd.com/936/

Slide 102

Slide 102 text

2-Factor Authentication (2FA)

Slide 103

Slide 103 text

No content

Slide 104

Slide 104 text

Do not lose your root account's 2FA codes and backup questions — this requires a notary

Slide 105

Slide 105 text

Never commit your credentials

Slide 106

Slide 106 text

Enable IP restrictions

Slide 107

Slide 107 text

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]
            }
          }
        }
      ]
    }
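The least-privilege policy from slide 99 and the IP-restriction policy above can be sanity-checked offline. The following Python is an added example, not code from the talk or from AWS: it models only identity-based statements, Action/Resource wildcards and the IpAddress/NotIpAddress operators on aws:SourceIp, applying the IAM rule that an explicit Deny overrides any Allow; the request values used at the bottom are constructed.

```python
import fnmatch
import ipaddress

# Both policies are copied from the slides; the evaluator around them is this
# example's own simplified model of IAM evaluation, not the IAM engine.
BACKUP_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::com.example.backup/*"},
    ]
}

IP_RESTRICTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, case_insensitive=False):
    """IAM-style matching: '*' and '?' wildcards; actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled here."""
    source = context.get("aws:SourceIp")
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, ranges in pairs.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key: {key}")
            # A request with no source IP (key absent) matches NotIpAddress but never IpAddress.
            in_range = source is not None and any(
                ipaddress.ip_address(source) in ipaddress.ip_network(r, strict=False)
                for r in _as_list(ranges))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one identity-based policy."""
    context = context or {}
    decision = "ImplicitDeny"                      # default: nothing matched
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action, case_insensitive=True):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"                  # an explicit deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed requests: the backup user may touch its own bucket but nothing else.
    print(evaluate(BACKUP_POLICY, "s3:GetObject", "arn:aws:s3:::com.example.backup/db.sql"))
    print(evaluate(BACKUP_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/db.sql"))
    # Same action, different source address: only the office ranges get through.
    print(evaluate(IP_RESTRICTED_POLICY, "ec2:RunInstances", "*", {"aws:SourceIp": "10.0.0.5"}))
    print(evaluate(IP_RESTRICTED_POLICY, "ec2:RunInstances", "*", {"aws:SourceIp": "203.0.113.7"}))
```

The point of the Deny statement is visible in the last call: even though the first statement allows everything, a request from outside the listed ranges ends as an explicit deny, which is what limits the damage of a leaked key to the addresses you control. The model ignores resource policies, permission boundaries and the other condition keys; for the real thing use the IAM policy simulator.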

Slide 108

Slide 108 text

No content

Slide 109

Slide 109 text

Enable billing alerts

Slide 110

Slide 110 text

No content

Slide 111

Slide 111 text

Enable CloudTrail

Slide 112

Slide 112 text

    {
      "Records": [
        {
          "eventVersion": "1.0",
          "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
          },
          "eventTime": "2014-09-09T19:01:59Z",
          "eventSource": "ec2.amazonaws.com",
          "eventName": "StopInstances",
          "awsRegion": "eu-west-1",
          "sourceIPAddress": "205.251.233.176",
          "userAgent": "ec2-api-tools 1.6.12.2",
          "requestParameters": {
            "instancesSet": {
              "items": [
                {
                  "instanceId": "i-ebeaf9e2"
                }
              ]
            },
            "force": false
          },
          ...
        },
        ...
      ]
    }
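Once CloudTrail is on, records like the one above are what you go looking in after an incident, or what you watch continuously. The following Python is an added example, not code from the talk or from AWS: it parses a trail file and flags the patterns behind the incidents quoted earlier in this deck, namely root-account activity, API calls that disable auditing or create/destroy capacity, and calls from outside an allow-list of source ranges. The first record is the slide's own (trimmed to the fields used); the other two records, the trusted ranges and the sensitive-event list are constructed assumptions for this example.

```python
import ipaddress
import json

# The first record is the slide's example (abbreviated to the fields used here);
# the other two are constructed for this example and are not real CloudTrail data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                      "userName": "Alice"},
     "eventTime": "2014-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
                           "force": False}},
    {"eventVersion": "1.0",                      # constructed: root user turns off the trail
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2014-09-10T02:13:41Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "console.amazonaws.com"},
    {"eventVersion": "1.0",                      # constructed: an S3-only key launching servers
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID_2",
                      "arn": "arn:aws:iam::123456789012:user/backup-bot",
                      "accountId": "123456789012", "userName": "backup-bot"},
     "eventTime": "2014-09-10T02:20:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.77", "userAgent": "aws-cli/1.7.0"},
]})

# Constructed allow-list: the office ranges from the IP-restriction policy slide plus
# the range the slide's own example call came from.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/24", "10.10.0.0/24", "205.251.233.0/24")]

# API calls that disable auditing, destroy or create capacity, or mint credentials.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "StopInstances", "TerminateInstances",
                    "RunInstances", "CreateUser", "CreateAccessKey", "DeleteBucket"}


def triage_record(record, trusted=TRUSTED_SOURCES, sensitive=SENSITIVE_EVENTS):
    """Return the list of flags raised by one CloudTrail record (empty = nothing notable)."""
    flags = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        flags.append("root-activity")
    name = record.get("eventName")
    if name in sensitive:
        flags.append(f"sensitive-event:{name}")
    source = record.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        ip = None        # calls made by AWS services carry a hostname such as ec2.amazonaws.com
    if ip is not None and not any(ip in net for net in trusted):
        flags.append(f"untrusted-source:{source}")
    return flags


def triage_trail(raw_json):
    """Parse a CloudTrail log file and return (eventTime, actor, flags) for every record."""
    results = []
    for record in json.loads(raw_json)["Records"]:
        identity = record.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("arn", "unknown")
        results.append((record["eventTime"], actor, triage_record(record)))
    return results


if __name__ == "__main__":
    for when, actor, flags in triage_trail(SAMPLE_TRAIL):
        print(when, actor, ", ".join(flags) or "ok")
```

Feed it the gzipped JSON files CloudTrail drops into S3 and route anything with a `root-activity` or `untrusted-source` flag to the same alerting you use for instance failures; the backup-bot record is exactly the "S3 keys on GitHub, 140 servers" case from the next section, caught by a key doing something its policy should never have allowed.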

Slide 113

Slide 113 text

Check Your Security Status

Slide 114

Slide 114 text

No content

Slide 115

Slide 115 text

Trusted Advisor Security

Slide 116

Slide 116 text

140 servers running on my AWS account? What? How? I only had S3 keys on my GitHub and they were gone within 5 minutes!
— http://www.devfactor.net/2014/12/30/2375-amazon-mistake/

Slide 117

Slide 117 text

No content

Slide 118

Slide 118 text

Automate Automate Automate

Slide 119

Slide 119 text

Pets vs Cattle?

Slide 120

Slide 120 text

Puppet vs Chef vs Ansible vs Salt?

Slide 121

Slide 121 text

Ansible demo

Slide 122

Slide 122 text

Conclusion & Discussion

Slide 123

Slide 123 text

No content

Slide 124

Slide 124 text

No content

Slide 125

Slide 125 text

Main difference of data center and cloud: in data center you are need 2 of everything, in cloud you are need 20 of everything.
— @DEVOPS_BORAT, https://twitter.com/DEVOPS_BORAT/status/274366602252804096

Slide 126

Slide 126 text

No content

Slide 127

Slide 127 text

#1 Tip
Paid support
And try to get a contact person

Slide 128

Slide 128 text

#2 Tip
Know the service limits
http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Slide 129

Slide 129 text

Try it out — free tier!