2016 Utah Cloud Summit: Architecting on AWS - Best Practices
Post on 07-Jan-2017
Embed Size (px)
Architecting on AWS:Best PracticesAsha Chakrabarty, AWS Solutions Architect
The AWS Well-Architected FrameworkIncrease awareness of architectural best practicesAddresses foundational areas that are often neglected Consistent approach to evaluating architecturesComposed of:PillarsDesign principlesQuestions
Why is it important? We understand the value in educating our customers on architectural best practices for designing reliable, secure, efficient, and cost-effective systems in the cloudAs part of this effort, we developed the AWS Well-Architected Framework, which helps you to understand the pros and cons of decisions you make while building systems on AWS. We believe that having well-architected systems greatly increases the likelihood of business success.
Pillars of Well-Architected
SecurityThe ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Data protectionPrivilege managementInfrastructure protectionDetective controls
Security is shared between AWS and you
AWS Foundation ServicesComputeStorageDatabaseNetworking
AWS Global InfrastructureRegionsAvailability ZonesEdge LocationsClient-side Data EncryptionServer-side Data EncryptionNetwork Traffic ProtectionPlatform, Applications, Identity & Access ManagementOperating System, Network, & Firewall ConfigurationCustomer applications & contentCustomers
Customers have their choice of security configurations IN the CloudAWS is responsible for the security OFthe Cloud
Key AWS Services for SecurityData Protection: - Elastic Load Balancer- Amazon EBS, Amazon S3, Amazon RDS, AWS KMSPrivilege Management: - AWS IAM, MFAInfrastructure Protection: - Amazon VPCDetective Controls: - AWS CloudTrail- Amazon CloudWatch- AWS Config
Data protection: Services such as Elastic Load Balancing, Amazon Elastic Block Store (EBS), Amazon Simple Storage Service (S3), and Amazon RelationalDatabase Service (RDS) include encryption capabilities to protect your data in transit and at rest. AWS Key Management Service (KMS) makes it easier forcustomers to create and control keys used for encryption.
Privilege management: IAM enables you to securely control access to AWS services and resources. Multi-factor authentication (MFA), adds an extra layer ofprotection on top of your user name and password.
Infrastructure protection: Amazon Virtual Private Cloud (VPC) lets you provision a private, isolated section of the AWS cloud where you can launch AWSresources in a virtual network.
Detective controls: AWS CloudTrail records AWS API calls, AWS Config provides a detailed inventory of your AWS resources and configuration, andAmazon CloudWatch is a monitoring service for AWS resources.6
ReliabilityThe ability of a system to recover from infrastructure or service failures, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
FoundationsChange managementFailure management
Key AWS Services for ReliabilityFoundations: - AWS IAM- Amazon VPCChange Management: - AWS CloudTrail- AWS ConfigFailure Management: - AWS CloudFormation
Foundations: AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Amazon VPC lets youprovision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network.
Change management: AWS CloudTrail records AWS API calls for your account and delivers log files to you for auditing. AWS Config provides a detailed inventory of your AWS resources and configuration, and continuously records configuration changes.
Failure management: AWS CloudFormation enables the template creation of AWS resources and provisions them in an orderly and predictable fashion.8
Performance EfficiencyThe ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
Key AWS Services for Performance EfficiencyCompute: Auto Scaling Storage: - Amazon EBS- Amazon S3- Amazon Glacier Database: - Amazon RDS - Amazon DynamoDB Go Global: - Global presence with regions spanning the globe- Amazon CloudFront
Compute: Auto Scaling is key to ensuring that you have enough instances to meet demand and maintain responsiveness.
Storage: Amazon EBS provides a wide range of storage options (such as SSD and PIOPS) that allow you to optimize for your use case. Amazon S3 provides reduced-redundancy storage, lifecycle policies to Amazon Glacier (archival storage), and server-less content delivery.
Database: Amazon RDS provides a wide range of database features (such as provisioned IOPS, and read replicas) that allow you to optimize for your use case. Amazon DynamoDB provides single-digit millisecond latency at any scale.
Space-time trade-off: AWS has regions across the globe, allowing you to choose the optimal location for your resources, data, and processing. Use Amazon CloudFront to cache content even closer to your users.10
Cost OptimizationThe ability to avoid or eliminate unneeded cost or suboptimal resources.
Matched supply and demand Cost-effective resources Expenditure awarenessOptimizing over time
Key AWS Services for Cost OptimizationMatched supply and demand: Auto Scaling Cost-effective resources: - Reserved Instances (RI): prepaid capacity to reduce your cost- AWS Trusted Advisor: inspect your AWS environment and find opportunities to save money. Expenditure awareness: - Amazon CloudWatch alarms - Amazon Simple Notification Service (SNS) notifications Optimizing over time: - The AWS Blog and Whats New section on the AWS website - AWS Trusted Advisor
Matched supply and demand: Auto Scaling allows you to add or remove resources to match demand without overspending.
Cost-effective resources: You can use Reserved Instances and prepaid capacity to reduce your cost. AWS Trusted Advisor can be used to inspect your AWS environment and find opportunities to save money.
Expenditure awareness: Amazon CloudWatch alarms and Amazon Simple Notification Service (SNS) notifications will warn you if you go, or are forecasted to go, over your budgeted amount.
Optimizing over time: The AWS Blog and Whats New section on the AWS website are resources for learning about newly launched features and services. AWS Trusted Advisor inspects your AWS environment and finds opportunities to save money by eliminating unused or idle resources or committing to Reserved Instance capacity. 12
Design PrinciplesThe Well-Architected Framework has identified a set of design principles to facilitate good design in the cloud:General design principlesPillar-specific design principles
Automate responses to security events: Monitor and automatically trigger responses to event-driven, or condition-driven, alerts.
QuestionsA set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Next StepsRead the whitepaperApply it to your architecturesSchedule time for an architectural review with your Solutions Architect
The whitepaper is available on our website15