AWS - Bare minimum knowledge

Generalities


The NIST definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell and Grance 2011)

Cloud basic types:
- SaaS: the provider supplies both the server hardware and the software to an organization, without any of the complications of managing an IT system.
Criterion to choose a cloud provider: uptime metric

- PaaS: the system is provisioned with platforms & tools. It allows the customer to work and build the desired applications.
Criteria to choose a cloud provider: uptime metric, and:
• Does the platform support multi-tenancy in architecture and applications?
• What Application Lifecycle Management applications are supported?
• What Application Programming Interfaces (APIs) are supported?
• Does the platform facilitate scalability?
• What types of log data would be available for the user?
• What programming languages are supported by the platforms?

multi-tenancy: allows distributed users to work concurrently on various aspects of their application and to assign different users different levels of access.

- IaaS: pure computing power, i.e. hardware and software.
IaaS is also used by organizations for a specific purpose such as storage, security, or networking.

Cloud deployment models:
1- Public cloud: provides hardware / software resources owned by the provider.
"Public" means that these resources are shared between customers (using multi-tenancy & virtualization).

Concerns:
# Lack of control over the hardware, combined with the possibility of someone else accessing their data is a cause for concern.
# Since access to the public cloud is via an internet connection, customers are limited to the speed that they get through their ISP


2- Private cloud: four types.
- Typical private cloud: the organization hosts the cloud in one of its data centers behind the corporate firewall. Access is limited to the organization's employees, and much automation is provided in the form of enabling virtual servers on its physical servers.
- Managed private cloud: the organization still owns the infrastructure in one of its data centers, but management of the facility is delegated to a third party.
- Hosted private cloud: a cloud provider provides and manages the infrastructure. The servers are not shared with other organizations (physical isolation).
- Virtual private cloud: same as the hosted private cloud, but with logical isolation (multi-tenancy).

Remark: public cloud, hosted private cloud and virtual private cloud all require "a cloud provider".

3- Hybrid model: uses both proprietary computing resources that the organization manages directly and the public cloud for some of the computing requirements, especially the ones with varying demands on resources.


Amazon Web Services

Vocabulary:
  • Region: geographical area (composed of multiple Availability Zones)
  • Availability Zone: typically, a data center
  • CloudFront: Amazon's CDN
  • Edge location: the point nearest to the consumer (user) of the AWS service. It is basically a CDN node that makes the response faster by serving it from the edge location rather than from the actual physical location of the servers.
  • Elastic (IP, load balancer ...) means logical, e.g. the machine behind an elastic IP could change while the IP stays the same.
IAM:
Identity and Access Management: the security component responsible for controlling access to your AWS account. IAM belongs to the Global region. In IAM you can:
  • Customize your account sign-in link (add an alias to it)
  • Activate Multi-Factor Authentication (MFA) to strengthen the security of your account
  • Create individual users with specific permissions (granted through policies). A user can be given either:
    • Programmatic access: enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.
    • AWS Management Console access: enables a password that allows the user to sign in to the AWS Management Console.
You can access the AWS platform either:
- via the AWS Management Console
- programmatically (AWS CLI, or via an SDK)

Permissions are assigned to a user via its groups.
Like groups, roles can be used to assign permissions. Roles are vital when you want to assign permissions to an AWS instance (which is not a user after all).

S3:
Simple Storage Service: object-based storage; "objects" (files) are grouped into "buckets" (folders).
Object {
  key (name of the object),
  value (data),
  versionID,
  metadata (content type ...),
  subresources (e.g. ACL)
}
Data model consistency:
- "Writes" of new objects are immediately visible (read-after-write consistency)
- Overwrites and deletes take time to propagate (eventual consistency)
CloudFront:
2 types of distributions:
  • Web distribution (for static resources ...)
  • RTMP distribution (for media streaming).

EC2:
Amazon Elastic Compute Cloud: provides the possibility to create, provision and shut down instances (scalability concerns).
EC2 supports the following platforms on which you can launch instances:
- Classic: your instances run in a single, flat network that you share with other customers.
- VPC (Virtual Private Cloud, the default): your instances run in a virtual private cloud that is logically isolated to your AWS account.

Use case to create an instance: 
  1. Go to EC2
  2. Launch instance
  3. Choose an Amazon Machine Image, AMI (a kind of VM image)
  4. Choose Instance type (that fits your memory, cpu, storage needs)
  5. Configure the instance (number of instances, subnet, ips, monitoring,...)
  6. Add storage (attach a volume device)
  7. Add tags (tracking purposes)
  8. Add security group (firewall rules controlling traffic for your instances)
  9. Specify a key pair (to be used to remotely access your instances)
  10. Launch machines.
An instance can be started, stopped or terminated (deleted).
It is possible to create an instance template, which is a shortcut for creating instances.
Note: note the difference between EC2 and Lambda (Amazon's serverless compute).

EBS
Stands for Elastic Block Store. It's a virtual disk. 4 volume types:
  • General Purpose SSD
  • Provisioned IOPS SSD
  • Throughput Optimized HDD
  • Cold HDD


AWS CLI
Install the AWS CLI in your local environment, e.g. for Ubuntu:
install pip (if not already done):
apt install python-pip

then:
pip install awscli --upgrade
aws --version 
Configure the AWS CLI with your AWS account credentials (access key ID and secret access key):
aws configure 

Elastic Load Balancing supports three types of load balancers:
  • Application Load Balancers (HTTP/S request level), 
  • Network Load Balancers (TCP connection level),
  • Classic Load Balancers (both application and transport layer).

AWS database models
- RDS (relational), e.g. Amazon Aurora. Amazon provides features like:
  • Disaster recovery by means of Multi-AZ (the database is kept available in multiple availability zones)
  • High performance by means of Read Replicas (read requests are spread over multiple read-only replicas)
- Document based: AWS DynamoDB, AWS DocumentDB
- Graph based: AWS Neptune
- Data warehousing: AWS Redshift


Labs
Create an EC2 instance with a key pair (all EC2 instances are created with "ec2-user" as the default user).
Add a security group to your EC2 instance to allow TCP access (e.g. add an SSH inbound rule).
Connect to your instance: ssh -i "myKeyPair.pem" ec2-user@instance_IP
Note: the EC2 key pair is different from the IAM user access key.
EC2 key pair: a private key that serves as a credential to connect to the instance.
User access key: an access key ID / secret access key pair assigned to a user, allowing him to access his AWS account (e.g. via the AWS CLI).

Create an RDS instance (e.g. MySQL).
To allow access from your EC2 instance to the RDS instance, add an inbound rule to the RDS security group:
protocol=tcp, source=<the security group of your EC2 instance>
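Added illustration of the two security-group patterns in this lab (it is not AWS code or output): a small model of inbound rules with a check that flags sensitive ports opened to the whole internet, and a check that the RDS group admits MySQL only from the web tier's security group rather than from an address range. Group ids, names and CIDRs are constructed.

```python
"""Model of EC2 security-group inbound rules with a small least-exposure audit.

Added illustration, not AWS code: group ids, CIDRs and names are constructed,
and the checks are a teaching model of what a reviewer looks for."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class InboundRule:
    protocol: str                    # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source given as a CIDR block ...
    source_sg: Optional[str] = None  # ... or as another security group id


@dataclass
class SecurityGroup:
    group_id: str
    name: str
    inbound: List[InboundRule]


# Ports a reviewer would not want reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp"}


def is_world_open(rule: InboundRule) -> bool:
    """True when the source is 0.0.0.0/0 or ::/0, i.e. any address."""
    return rule.cidr is not None and ip_network(rule.cidr).prefixlen == 0


def covers_port(rule: InboundRule, port: int) -> bool:
    """Does the rule admit TCP traffic to `port`? Protocol -1 admits everything."""
    if rule.protocol == "-1":
        return True
    return rule.protocol == "tcp" and rule.from_port <= port <= rule.to_port


def audit(sg: SecurityGroup) -> List[str]:
    """List the sensitive ports the group exposes to the whole internet."""
    findings = []
    for rule in sg.inbound:
        if not is_world_open(rule):
            continue
        for port, name in SENSITIVE_PORTS.items():
            if covers_port(rule, port):
                findings.append(f"{sg.group_id}: {name} ({port}) open to the world via {rule.cidr}")
    return findings


def reachable_from_group(db_sg: SecurityGroup, app_sg_id: str, port: int) -> bool:
    """Does db_sg admit `port` from instances that are members of app_sg_id?"""
    return any(r.source_sg == app_sg_id and covers_port(r, port) for r in db_sg.inbound)


# Constructed groups. The first is the common lab shortcut of opening SSH to
# everyone; the second restricts it to an admin range (203.0.113.0/24 is a
# documentation-only block).
WEB_SG = SecurityGroup("sg-0aaa", "web", [
    InboundRule("tcp", 80, 80, cidr="0.0.0.0/0"),
    InboundRule("tcp", 22, 22, cidr="0.0.0.0/0"),
])
WEB_SG_HARDENED = SecurityGroup("sg-0aaa", "web", [
    InboundRule("tcp", 80, 80, cidr="0.0.0.0/0"),
    InboundRule("tcp", 22, 22, cidr="203.0.113.0/24"),
])
# The RDS rule from the lab: the source is the web tier's security group, not a
# CIDR, so only instances in that group can reach MySQL and no address range is exposed.
DB_SG = SecurityGroup("sg-0bbb", "db", [
    InboundRule("tcp", 3306, 3306, source_sg="sg-0aaa"),
])

if __name__ == "__main__":
    for group in (WEB_SG, WEB_SG_HARDENED, DB_SG):
        print(group.name, audit(group) or "no world-open sensitive ports")
    print("mysql reachable from web tier:", reachable_from_group(DB_SG, "sg-0aaa", 3306))
```

Running it prints one finding for the first web group (SSH open to 0.0.0.0/0), none for the hardened group and the database group, and confirms the database is reachable from the web tier's group. The same idea applies to the real rules returned by `aws ec2 describe-security-groups`, which expose the same fields (IpProtocol, FromPort, ToPort, IpRanges, UserIdGroupPairs).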

Autoscaling:
  • Create the EC2 instance configuration to be used for autoscaling (also known as the "launch configuration")
  • Create an autoscaling group with the desired number of instances to start with (choose different subnets, for availability reasons)
  • Create an autoscaling policy (when to scale ... e.g. when 80% CPU is reached)
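Added example (not AWS code) of what the third step's policy does over time: a simple-scaling rule that adds an instance when average CPU reaches the 80% threshold from the notes, removes one when load drops, and is bounded by the group's min/max size and a cooldown so a single spike does not trigger a run of scale-outs. The thresholds, cooldown and CPU samples are constructed.

```python
"""Simulation of a simple-scaling autoscaling policy.

Added teaching model, not the AWS autoscaling engine: thresholds, the cooldown
length and the CPU samples are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    scale_out_cpu: float = 80.0   # "scale when 80% CPU is reached" (from the notes)
    scale_in_cpu: float = 30.0    # assumed scale-in threshold
    cooldown: int = 2             # evaluation periods to wait after a scaling action
    _cooling: int = field(default=0, init=False)

    def evaluate(self, avg_cpu: float) -> int:
        """Apply the policy to one period's average CPU; return the new desired size."""
        if self._cooling > 0:
            self._cooling -= 1        # a recent action is still taking effect
            return self.desired
        if avg_cpu >= self.scale_out_cpu and self.desired < self.max_size:
            self.desired += 1
            self._cooling = self.cooldown
        elif avg_cpu <= self.scale_in_cpu and self.desired > self.min_size:
            self.desired -= 1
            self._cooling = self.cooldown
        return self.desired


def run(samples: List[float], **group_kwargs) -> List[int]:
    """Desired capacity after each CPU sample, for a fresh group."""
    asg = AutoScalingGroup(**group_kwargs)
    return [asg.evaluate(cpu) for cpu in samples]


# Constructed CPU history: a load spike followed by an idle period.
CPU_SAMPLES = [50, 85, 90, 95, 95, 20, 20, 20, 20]

if __name__ == "__main__":
    history = run(CPU_SAMPLES, min_size=1, max_size=3, desired=1)
    for cpu, size in zip(CPU_SAMPLES, history):
        print(f"cpu={cpu:>3}%  desired={size}")
```

With min 1 / max 3 and a cooldown of 2 periods, the group grows 1 -> 2 -> 3 during the spike (pausing two periods between the two scale-outs) and shrinks back to 2 once load is low, which is why autoscaling policies need both a cooldown and a minimum size: without them the 20% samples would tear the group down in consecutive periods.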
Amazon Route 53
DNS / network management (define/change domain names, customize traffic routing to EC2 instances ...)


Elastic Beanstalk
Automates deployment on EC2 (DevOps tool), e.g. a one-click approach to create a load balancer + EC2 instances, provision the instances with the desired platform (PHP, Java, .NET ...) + autoscaling + RDS ...

CloudFormation
Used to script (JSON / YAML) and then deploy your end-to-end infrastructure (DevOps tool).


Cloud architecture principles
  • Design your architecture to scale with your business.
  • Disposable resources instead of fixed servers.
  • Infrastructure as Code
  • Automation
  • Loose coupling
  • Services, not servers
  • Remove single points of failure
  • Optimize for cost (right-size, then scale)
Source: AWS whitepaper on architecture best practices

Other info:
  • The three types of cloud deployments are Public, Hybrid, and Private (the latter also called 'on-prem').
  • Availability Zones are distinct locations from within an AWS region that are engineered to be isolated from failures.
  • Lightsail is AWS' Platform-as-a-Service offering (a platform for developers and coders).
  • A Policy is the document used to grant permissions to users, groups, and roles.
  • CloudFront content is cached in Edge Locations.
  • A Region is a distinct location within a geographic area designed to provide high availability to a specific geography.
  • S3 Transfer Acceleration uses AWS' network of Edge Locations to get your data into AWS more quickly.
  • The number of Edge Locations is greater than the number of Availability Zones, which is greater than the number of Regions.
  • Reserved instances (EC2 option plan) are the most economical option for long-term workloads with predictable usage patterns.
  • To restrict access to an entire bucket, you use bucket policies; and to restrict access to an individual object, you use access control lists.
  • The AWS Support levels are Basic, Developer, Business, and Enterprise
  • A CloudFront Origin can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53.
  • The collection of a CDN's Edge Locations is called a Distribution.
  • An EBS volume is best described as a virtual hard-disk in the cloud
  • There are at least 2 Availability Zones per AWS Region.
  • On-Demand and Reserved are the valid EC2 pricing options
  • A resource group is a collection of resources that share one or more tags (or portions of tags.)
  • In AWS, data-in is always free-of-charge.
  • The default maximum is 20 linked accounts. This soft limit can be increased by contacting AWS.
  • Free services are VPC, Elastic Beanstalk, CloudFormation, IAM, and Auto-Scaling. Please keep in mind that with VPC, Elastic Beanstalk, CloudFormation, and Auto-Scaling, the underlying provisioned resources will incur charges.
  • EC2 and Lambda are AWS Compute Services.
  • Aurora is AWS' managed database service that is up to 5X faster than a traditional MySQL database.
  • With AWS Organizations, you can use either just the Consolidated Billing feature, or all the offered features.
  • Amazon EMR is a web service that makes it easy to process large amounts of data efficiently.
  • A CloudWatch alarm can be set to monitor spending on your AWS Account.
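Added worked example (not AWS code and not the AWS policy engine) for the two points above about policies: a policy is a document that grants permissions, and a bucket policy restricts a whole bucket. The evaluator below applies the documented decision order, an explicit Deny beats any Allow and an unmatched request is denied, to a constructed bucket policy, and flags statements that grant every action on every resource. It ignores conditions, NotAction and principals; the bucket name is constructed.

```python
"""Minimal evaluator for IAM / S3 bucket policy documents.

Added teaching example: explicit Deny beats Allow, and nothing matched means
denied. Not the AWS policy engine (no Condition, NotAction or Principal
evaluation). The bucket ARN below is constructed."""
import fnmatch
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Policy fields may be a string or a list of strings; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' a single one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Decide one request against the policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False        # explicit deny wins, whatever the other statements say
        allowed = True          # remember the allow, but keep looking for a deny
    return allowed


def overly_broad_statements(policy: Policy) -> List[int]:
    """Indexes of Allow statements that grant every action on every resource."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"])]


BUCKET_ARN = "arn:aws:s3:::example-bucket"   # constructed bucket name

# Bucket-wide read access, with the private/ prefix carved out by an explicit Deny.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_ARN + "/private/*"},
    ],
}
# The kind of statement a least-privilege review should flag.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", BUCKET_ARN + "/public/a.txt"),
                     ("s3:GetObject", BUCKET_ARN + "/private/key.pem"),
                     ("s3:PutObject", BUCKET_ARN + "/public/a.txt")]:
        verdict = "allow" if is_allowed(READ_ONLY_POLICY, act, res) else "deny"
        print(f"{act:<13} {res.split(':::')[1]:<34} -> {verdict}")
    print("overly broad statements in ADMIN_POLICY:", overly_broad_statements(ADMIN_POLICY))
```

The three sample requests come out allow / deny / deny: the read of a public object matches the Allow, the read under private/ matches the Allow too but is then overridden by the Deny, and the write matches nothing. The same document shape (Version, Statement, Effect, Action, Resource) is what IAM user, group and role policies use, which is why the "Action": "*" on "Resource": "*" check is worth running over any policy before attaching it.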
AWS security:
  • Shared Responsibility Model: Amazon is responsible for the provided infrastructure (security OF the cloud). You are responsible for what you put on it (security IN the cloud).
  • AWS WAF protects from common exploits that could affect application availability, compromise security, or consume excessive resources.
  • WAF operates at Layer 7 (OSI).
  • AWS Shield provides expanded DDoS attack protection for your AWS resources.
  • Amazon Inspector: an agent installed on EC2 that generates a report about security issues.
  • AWS Trusted Advisor: a service that monitors your resources and provides recommendations regarding their performance and utilization.
  • AWS Trusted Advisor can help you assess the fault tolerance of your AWS environment.

AWS Offering


Case Study : Video Streaming


On Premise - Cloud integration

