
About the Architecture of Funds

Presentation slides from Startup Architecture of the Year 2019, held as part of AWS Summit Tokyo 2019.
Logmi (talk transcript): https://logmi.jp/business/articles/321410
Related article: https://codezine.jp/article/detail/11587

Yoshinobu Wakamatsu

June 13, 2019

Transcript

  1. [Title slide] © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Yoshinobu Wakamatsu, Head of IT and Operations Management / Engineer, Crowdport Inc.
  2. [Network diagram; labels: AWS Cloud, gateway VPC with VPN server and NAT gateway, VPC Peering to separate QA, stage and production VPCs, each with a public subnet and two private subnets, Load Balancer, Internal Load Balancer, Auto Scaling Group, Amazon Aurora, ElastiCache (Redis), Amazon Route 53, AWS WAF, GuardDuty, Flow logs]
  3. [Application diagram; labels: AWS Cloud, KMS, Aurora, Admin app, API app, SQS, Worker app, Service app, ElastiCache (Redis), internal endpoint, one IAM Role per app, admin website (funds.jp), S3 static resources, Amazon CloudFront]
  4. [Deployment pipeline diagram; labels: AWS Cloud, VPC, CodePipeline, CodeBuild, CodeDeploy, ECR, Provisioned AMI, artifacts on S3, Spot instance, Client, ECS, Auto Scaling Group, Deployment Pipeline, Build AMI, Provisioning, Monitoring, S3 Bucket, CloudWatch, Athena]
  5. Section 4: Seven Well-Architected points. (Network diagram from slide 2.) Point 1: Apply NACLs to the three-tier subnets and configure fine-grained Security Group rules per workload, so that traffic is restricted to exactly what is necessary.
  6. Section 4: Seven Well-Architected points. (Network diagram from slide 2.) Point 2: Separate production, staging and QA at the VPC level, each connected by peering to a shared gateway VPC. This prevents connectivity between production and the other environments and keeps the set of reachable routes to a minimum.
  7. Section 4: Seven Well-Architected points. (Network diagram from slide 2.) Point 3: Use AWS WAF and GuardDuty to detect and analyze malicious traffic such as C2 communication.
  8. Section 4: Seven Well-Architected points. (Application diagram from slide 3.) Point 4: Manage authorization with IAM Roles only. Each service is granted exactly the permissions it needs, and because no credentials have to be managed, credential leaks are prevented as well.
  9. Section 4: Seven Well-Architected points. (Application diagram from slide 3.) Point 5: Use storage-level encryption together with application-level encryption via KMS, applying multiple data-protection measures according to the protection level each kind of data requires.
  10. Section 4: Seven Well-Architected points. (Deployment pipeline diagram from slide 4.) Point 6: Use Auto Scaling Scheduled Actions to periodically scale the instance count up and down, draining old instances. This prevents ad-hoc configuration changes and exploits from persisting on long-lived instances.
  11. Section 4: Seven Well-Architected points. (Deployment pipeline diagram from slide 4.) Point 7: Record logs and metrics so that operational data can be analyzed after the fact.
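Point 1 (fine-grained Security Group rules per tier) is easy to state and easy to let drift. The following added example, which is not part of the deck and not Crowdport's code, checks a set of ingress rules against a constructed three-tier allow-list (load balancer, app, data); the group names, ports and sample rules are all assumptions chosen to illustrate the idea.

```python
"""Check security-group ingress rules against a three-tier allow-list.

Added example (not from the deck): the tier policy, group names and the
sample rules are constructed to illustrate point 1 of the talk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    group: str        # security group the rule belongs to
    protocol: str     # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str       # CIDR block or the name of another security group


# Allowed ingress per tier as (protocol, port, source) triples.
# Constructed policy: only the LB tier is internet-facing, the app tier
# accepts traffic only from the LB, the data tier only from the app tier.
TIER_POLICY = {
    "sg-lb":   {("tcp", 443, "0.0.0.0/0")},
    "sg-app":  {("tcp", 8080, "sg-lb")},
    "sg-data": {("tcp", 3306, "sg-app"), ("tcp", 6379, "sg-app")},
}


def rule_triples(rule):
    """Expand a port range into single-port triples so each can be matched."""
    if rule.protocol == "-1":
        # "all traffic" can never satisfy a single-port allow-list entry
        return [("-1", -1, rule.source)]
    return [(rule.protocol, p, rule.source)
            for p in range(rule.from_port, rule.to_port + 1)]


def find_violations(rules, policy=TIER_POLICY):
    """Return (group, protocol, port, source) for every rule not in the policy."""
    violations = []
    for rule in rules:
        allowed = policy.get(rule.group, set())
        for triple in rule_triples(rule):
            if triple not in allowed:
                violations.append((rule.group,) + triple)
    return violations


# Constructed sample rules: three of them break the tier policy.
SAMPLE_RULES = [
    IngressRule("sg-lb", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("sg-app", "tcp", 8080, 8080, "sg-lb"),
    IngressRule("sg-app", "tcp", 22, 22, "0.0.0.0/0"),       # SSH open to the world
    IngressRule("sg-data", "tcp", 3306, 3306, "sg-app"),
    IngressRule("sg-data", "tcp", 6379, 6379, "0.0.0.0/0"),  # Redis exposed publicly
    IngressRule("sg-data", "-1", 0, 65535, "sg-lb"),         # LB reaching the data tier directly
]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_RULES):
        print("VIOLATION", violation)
```

The allow-list is deliberately positive: anything not explicitly listed for a tier is reported, which is the same "necessary and sufficient" stance the slide describes. In a real account the rules would be read from the EC2 API instead of the constructed list.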
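Points 3 and 7 both rest on the same raw material: the VPC Flow Logs shown in the network diagram. As an added example (not from the deck, not Crowdport's code), the script below parses default-format version-2 flow-log records and produces two views a defender would want when analyzing traffic after the fact: rejected connections grouped by source, and accepted egress from the VPC to outside addresses on ports other than an allowed set. The VPC CIDR, the allowed egress ports and the sample records are constructed.

```python
"""Summarize VPC Flow Log records for later analysis.

Added example, not from the deck. Parses the default version-2 flow-log
format (14 space-separated fields) and reports (a) sources with rejected
connections and (b) accepted egress from the VPC to external addresses on
ports outside an allowed set. VPC CIDR, allowed ports and sample records
are constructed for illustration.
"""
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]  # constructed VPC CIDR
ALLOWED_EGRESS_PORTS = {80, 443}                            # constructed egress policy


def is_internal(addr):
    """True if the address lies inside one of the VPC CIDRs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_flow_log(text):
    """Parse default-format lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow fields to interpret in these records
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Count REJECTed flows per source address (NACL/SG denies, scans, etc.)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def unexpected_egress(records):
    """Accepted internal->external flows on ports not in ALLOWED_EGRESS_PORTS."""
    hits = []
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        if (is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"])
                and r["dstport"] not in ALLOWED_EGRESS_PORTS):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


def summarize(text):
    """Convenience wrapper returning both views for a block of log text."""
    records = parse_flow_log(text)
    return {
        "records": len(records),
        "rejects": rejects_by_source(records),
        "unexpected_egress": unexpected_egress(records),
    }


# Constructed sample: web egress, an odd outbound port, two inbound rejects,
# and one NODATA record that must be ignored.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d 10.0.2.15 203.0.113.9 49152 443 6 20 4000 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 198.51.100.7 49153 4444 6 5 300 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 53211 22 6 3 180 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 53212 3389 6 3 180 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1560000000 1560000060 - NODATA
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Membership is checked against the VPC CIDR list rather than `ipaddress.is_private`, because Python marks the RFC 5737 documentation ranges used in the sample as non-global too and the question here is "inside our VPC or not". On a real account the same two functions can be run as an Athena query over the flow-log bucket shown in the deployment diagram.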