aws summit auckland - introducing well-architected for developers

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ben Potter, Professional Services Consultant, Amazon Web Services Richard Paul, Technical Lead, Orion Health Introducing Well-Architected For Developers Technical 101

Upload: amazon-web-services

Post on 16-Apr-2017


TRANSCRIPT

Page 1: AWS Summit Auckland  - Introducing Well-Architected for Developers

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ben Potter, Professional Services Consultant, Amazon Web Services

Richard Paul, Technical Lead, Orion Health

Introducing Well-Architected

For Developers

Technical 101

Page 2: AWS Summit Auckland  - Introducing Well-Architected for Developers

Business

101 Technical

201 Technical

301 Technical

401 Technical

Session Depth

Page 3: AWS Summit Auckland  - Introducing Well-Architected for Developers

What We Will Cover

• The Well-Architected Framework

• Key Best Practices

• How to Get Started

• Resources

Page 4: AWS Summit Auckland  - Introducing Well-Architected for Developers

Main Pillars

Security, Reliability, Performance Efficiency, Cost Optimisation

Account

Access Keys

Network

Services

High Availability

Load Balancing

Backup and DR

Auto Scaling

Right-Sizing

Benchmarking

Load Testing

Monitoring

Managed Services

Cost Awareness

Tagging

Page 5: AWS Summit Auckland  - Introducing Well-Architected for Developers

General Design Principles

• Secure from the Start

• Stop Guessing your Capacity Needs

• Test Systems at Production Scale

• Lower the Risk of Architecture Change

• Automate to make Architectural Experimentation Easier

• Allow for Evolutionary Architectures

Page 6: AWS Summit Auckland  - Introducing Well-Architected for Developers

SDKs

• PHP

• Python

• .NET

• Node.js

• JavaScript

• Java

• Ruby

• Android and iOS

• Go

Page 7: AWS Summit Auckland  - Introducing Well-Architected for Developers

Building Blocks

EC2 instance

Server

Subnet

Availability Zone A Availability Zone B

Region

Amazon S3

Amazon CloudWatch

Page 8: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security

Security, Reliability, Performance Efficiency, Cost Optimisation

Page 9: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security

The ability to protect information, systems and assets while delivering business value through risk assessments and mitigation strategies.

• Data Protection

• Privilege Management

• Infrastructure Protection

• Detective Controls

Page 10: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Shared Responsibility

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:

Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network, and Firewall Configuration

Customer applications & content

Page 11: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Credentials

• As soon as you Create a new AWS Account, Enable MFA

• Use Identity and Access Management Service (IAM) to Create Users, even if it's only 1

• Protect all of your Credentials

• DO NOT place Access Keys in Code…EVER!

'key' => '1111-2222-3333-4444-5555', 'secret' => 'aaaa-bbbb-cccc-dddd-eeee',
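
One way to enforce the "no Access Keys in code" rule before a commit lands, as an added example that is not part of the original slides: a small Python check that flags literal `'key'`/`'secret'` entries in an SDK config array and strings shaped like AWS access key IDs. The function names and the sample file content are constructed for illustration.

```python
import re

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Literal values in an SDK config array, as on the slide: 'key' => '...'
CONFIG_LITERAL = re.compile(
    r"""['"](key|secret)['"]\s*=>\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def redact(value):
    """Keep four characters so the report itself never leaks a credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text):
    """Return (line number, kind, redacted value) for each suspected credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append((number, "access-key-id", redact(match.group(0))))
        for match in CONFIG_LITERAL.finditer(line):
            kind = "literal-" + match.group(1).lower()
            findings.append((number, kind, redact(match.group(2))))
    return findings


# Constructed sample: the slide's placeholder pair inside a PHP client config,
# plus the placeholder key ID used in AWS documentation.
SAMPLE = """\
$client = new S3Client([
    'region' => 'ap-southeast-2',
    'key' => '1111-2222-3333-4444-5555','secret' => 'aaaa-bbbb-cccc-dddd-eeee',
    // rotated: AKIAIOSFODNN7EXAMPLE
]);
"""

if __name__ == "__main__":
    for number, kind, value in scan_source(SAMPLE):
        print("line %d: %s %s" % (number, kind, value))
```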

Page 12: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: EC2 Role

1: Create EC2 role: Create role in IAM service with limited policy

2: Launch EC2 instance: Launch instance with role

3: App retrieves credentials: Using AWS SDK, application retrieves temporary credentials

4: App accesses AWS resource(s): Using AWS SDK, application uses credentials to access resource(s)

Instance

Page 13: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: EC2 Role – PHP SDK

• PHP SDK: Using an Instance Profile (EC2 role)

use Aws\Credentials\CredentialProvider;

use Aws\S3\S3Client;

$provider = CredentialProvider::instanceProfile();

// Be sure to memoize the credentials

$memoizedProvider = CredentialProvider::memoize($provider);

$client = new S3Client([

'region' => 'ap-southeast-2',

'version' => '2006-03-01',

'credentials' => $memoizedProvider

]);
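
Why the credentials should be memoized, as an added Python example that is not the PHP SDK's code: role credentials come from the instance metadata service as a JSON document with an `Expiration` time, so a provider should cache them and fetch again only shortly before they expire. `REFRESH_MARGIN`, `memoize` and `FakeMetadataService` are hypothetical names, and the fake service returns constructed values so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # assumption: refresh this long before expiry


def parse_credentials(document):
    """Parse the JSON credential document returned for an instance role."""
    data = json.loads(document)
    if data.get("Code") != "Success":
        raise ValueError("metadata service did not return credentials")
    expiry = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "key": data["AccessKeyId"],
        "secret": data["SecretAccessKey"],
        "token": data["Token"],
        "expires": expiry.replace(tzinfo=timezone.utc),
    }


def memoize(fetch, now=lambda: datetime.now(timezone.utc)):
    """Wrap fetch() so it is called only when cached credentials near expiry."""
    cache = {}

    def provider():
        creds = cache.get("creds")
        if creds is None or now() >= creds["expires"] - REFRESH_MARGIN:
            creds = cache["creds"] = parse_credentials(fetch())
        return creds
    return provider


class FakeMetadataService:
    """Constructed stand-in: each call issues credentials valid six hours longer."""

    def __init__(self, start):
        self.calls = 0
        self.start = start

    def __call__(self):
        self.calls += 1
        expiry = self.start + timedelta(hours=6 * self.calls)
        return json.dumps({
            "Code": "Success", "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLEKEYID%04d" % self.calls,
            "SecretAccessKey": "constructed-secret",
            "Token": "constructed-session-token",
            "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
        })
```

Without the wrapper, every SDK call would hit the metadata service; with it, the application keeps using short-lived credentials and never stores a long-term key.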

Page 14: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Cognito

Identity Providers

Unique Identities

Any Device

Any Platform

Any AWS Service

Helps implement Security Best Practices: Securely access any AWS Service from mobile device. It simplifies the interaction with AWS Identity and Access Management

Support Multiple Login Providers: Easily integrate with major login providers for authentication.

Unique Users vs. Devices: Manage unique identities. Automatically recognise unique user across devices and platforms.

Mobile Analytics S3 DynamoDB Kinesis

Joe Anna Bob

Page 15: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Network and Boundary

• Security Groups are Built-in Stateful Firewalls

• Divide Layers of the Stack into Subnets

• Use a Bastion Host for Access

• Implement Host Based Controls

Page 16: AWS Summit Auckland  - Introducing Well-Architected for Developers

Two Layers with Security Groups

[Diagram: User; WEB Server in Web Subnet A inside the WEB Security Group; RDS DB Instance in DB Subnet A inside the DB Security Group; Availability Zone A and Availability Zone B]
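
A check for the two-layer layout above, as an added Python example that is not part of the original slides: the DB security group should accept traffic only from the web security group and only on the database port. The rule dictionaries follow the `IpPermissions` shape returned by EC2's DescribeSecurityGroups; the group IDs, port 3306 and the function name are constructed assumptions.

```python
def audit_db_group(db_group, web_group_id, db_port):
    """List ingress rules on the DB group that break the two-layer model."""
    findings = []
    for rule in db_group.get("IpPermissions", []):
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        label = "all ports" if ports == (None, None) else "ports %s-%s" % ports
        # Any address-range source bypasses the web layer entirely.
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for source in rule.get(key, []):
                findings.append("%s: address range %s" % (label, source[field]))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != web_group_id:
                findings.append("%s: unexpected group %s" % (label, pair["GroupId"]))
            elif ports != (db_port, db_port):
                findings.append("%s: web group allowed beyond port %d" % (label, db_port))
    return findings


# Constructed sample groups (IDs are placeholders, not real resources).
GOOD_DB = {"GroupId": "sg-db-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-web-example"}]},
]}
BAD_DB = {"GroupId": "sg-db-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-web-example"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-other-example"}]},
]}

if __name__ == "__main__":
    for finding in audit_db_group(BAD_DB, "sg-web-example", 3306):
        print(finding)
```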

Page 17: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Instance, Monitoring and Auditing

• Configure Encryption Everywhere Possible

• Configure CloudTrail Service

• Configure VPC Flow Logs

• Collect all Logs Centrally and Alert

Virtual Private Cloud

Identity & Access Manager

Key Management Service

CloudTrail

AWS Config

Page 18: AWS Summit Auckland  - Introducing Well-Architected for Developers

Security: Instance, Monitoring and Auditing

• VPC Flow Logs – Developers Best Friend
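
What makes flow logs useful when a connection silently fails, as an added Python example that is not part of the original slides: parse records in the default (version 2) flow log format and total the rejected packets per source, destination and port. The log lines are constructed, and the function names are illustrative.

```python
from collections import Counter

# Field order of the default VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None  # no traffic captured: address and port fields are "-"
    for name in NUMERIC:
        record[name] = int(record[name])
    return record


def rejected_flows(lines):
    """Total rejected packets per (srcaddr, dstaddr, dstport), busiest first."""
    counts = Counter()
    for line in lines:
        record = parse_record(line)
        if record and record["action"] == "REJECT":
            key = (record["srcaddr"], record["dstaddr"], record["dstport"])
            counts[key] += record["packets"]
    return counts.most_common()


# Constructed sample: a web server blocked from its database on 3306,
# one accepted HTTPS flow, one rejected SSH attempt, one NODATA record.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 3306 6 12 720 1492300800 1492300860 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 3306 6 8 480 1492300860 1492300920 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 50000 443 6 30 4000 1492300800 1492300860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40000 22 6 3 180 1492300800 1492300860 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1492300920 1492300980 - NODATA
""".splitlines()

if __name__ == "__main__":
    for flow, packets in rejected_flows(SAMPLE):
        print(flow, packets)
```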

Page 19: AWS Summit Auckland  - Introducing Well-Architected for Developers

Reliability

Security, Reliability, Performance Efficiency, Cost Optimisation

Page 20: AWS Summit Auckland  - Introducing Well-Architected for Developers

Reliability

The ability of a system to recover from infrastructure or service failures, dynamically acquire computing resources to meet demand and mitigate disruptions such as misconfigurations or transient network issues.

• Foundations

• Change Management

• Failure Management

Page 21: AWS Summit Auckland  - Introducing Well-Architected for Developers

Reliability: High Availability

• No Single Point of Failure

• Multiple Availability Zones

• Load Balancing

• Auto Scaling and Healing

Page 22: AWS Summit Auckland  - Introducing Well-Architected for Developers

Multi AZ, Load Balanced, Auto Scaled

[Diagram: User, Amazon Route 53 and Elastic Load Balancing in front of WEB Servers in an Auto Scaling Group across Web Subnet A and Web Subnet B (Availability Zone A and Availability Zone B), with RDS DB Instance Active and RDS DB Instance Standby in the DB subnets]

Page 23: AWS Summit Auckland  - Introducing Well-Architected for Developers

Reliability: Monitoring and Alerting

• Monitoring

• Notification

• Automated Response

• Review

Amazon CloudWatch

CloudWatch Alarm

Amazon SNS

Amazon CloudWatch Logs

AWS Lambda

Page 24: AWS Summit Auckland  - Introducing Well-Architected for Developers

Reliability: Backup and DR

• Define Objectives

• Backup Strategy

• Periodic Recovery Testing

• Automated Recovery

• Periodic Reviews

Page 25: AWS Summit Auckland  - Introducing Well-Architected for Developers

Performance Efficiency

Security, Reliability, Performance Efficiency, Cost Optimisation

Page 26: AWS Summit Auckland  - Introducing Well-Architected for Developers

Performance Efficiency

The ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.

• Compute

• Storage

• Database

Page 27: AWS Summit Auckland  - Introducing Well-Architected for Developers

Performance Efficiency: Right Sizing

• Reference Architecture

• Quick Start Reference Deployments

• Benchmarking

• Load Testing

• Cost / Budget

• Monitoring and Notification

Page 28: AWS Summit Auckland  - Introducing Well-Architected for Developers

Performance Efficiency: Proximity and Caching

• Content Delivery Network (CDN)

• Database Caching

• Reduce Latency

• Pro-active Monitoring and Notification

Amazon CloudFront

Amazon ElastiCache

RDS DB instance read replica

Page 29: AWS Summit Auckland  - Introducing Well-Architected for Developers

Performance Efficiency: Proximity and Caching

• Session State in ElastiCache (Redis) for .NET:

<sessionState mode="Custom" customProvider="MySessionStateStore">

<providers>

<add name="MySessionStateStore" type="Microsoft.Web.Redis.RedisSessionStateProvider" host="aspnet.k30h8n.0001.use1.cache.amazonaws.com"

accessKey="" ssl="false" />

</providers>

</sessionState>

Page 30: AWS Summit Auckland  - Introducing Well-Architected for Developers

Multi AZ, Load Balanced, Auto Scaled, Caching

[Diagram: User, Amazon Route 53, Amazon CloudFront with AWS WAF and Amazon S3, and Elastic Load Balancing in front of WEB Servers in an Auto Scaling Group across the web subnets (Availability Zone A and Availability Zone B), with ElastiCache, RDS DB Instance Read Replicas, RDS DB Instance Active and RDS DB Instance Standby]

Page 31: AWS Summit Auckland  - Introducing Well-Architected for Developers

Your Mobile App, with the AWS Mobile SDK:

• Authenticate Users: Amazon Cognito (Identity Broker)

• Authorise Access: AWS Identity and Access Management

• Analyse User Behavior: Amazon Mobile Analytics

• Store and Share Media: Amazon S3 Transfer Manager

• Synchronise Data: Amazon Cognito (Sync)

• Deliver Media: Amazon CloudFront (Device Detection)

• Store Shared Data: Amazon DynamoDB (Object Mapper)

• Stream Real-time Data: Amazon Kinesis (Recorder)

• Send Push Notifications: Amazon SNS Mobile Push

• Run Business Logic: AWS Lambda

Page 32: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation

Security, Reliability, Performance Efficiency, Cost Optimisation

Page 33: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation

The ability to avoid or eliminate unneeded cost or suboptimal resources.

• Matching Capacity and Demand

• Cost-effective Resources

• Expenditure Awareness

• Optimising Over Time

Page 34: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation: Capacity Matching

• Demand Based

• Queue Based

• Schedule Based

• Appropriately Provisioned

• Instance Matching

• Pro-active Monitoring and Action

Amazon SQS

Optimised instance

Amazon SWF

Page 35: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation: Pricing Model

• On Demand

• Reserved

• Spot

• Automated Turn Off

Page 36: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation: Managed Services

• Analyse Available Services

• Appropriate Databases

• Consider Application Level Services

• Automation: CloudFormation, Elastic Beanstalk

Amazon RDS

Amazon DynamoDB

Amazon Redshift

Amazon ElastiCache

AWS CloudFormation

AWS Elastic Beanstalk

Amazon Elasticsearch Service

Page 37: AWS Summit Auckland  - Introducing Well-Architected for Developers

Cost Optimisation: Manage Expenditure

• Tag Resources

• Track Project Lifecycle and Profile Applications

• Monitor Usage and Spend

• Cost Explorer

• Partner Tools

Page 38: AWS Summit Auckland  - Introducing Well-Architected for Developers

Introducing Richard from

Page 39: AWS Summit Auckland  - Introducing Well-Architected for Developers

Who am I

Technical Lead for Delivery Engineering tribe

We provide efficient delivery pipelines (services and tooling) for teams across Orion Health

Organiser of the Auckland Continuous Delivery Meetup group.

Page 40: AWS Summit Auckland  - Introducing Well-Architected for Developers

What we Value

• Robots not Monkeys

• Cattle not Pets

• DRY – Don't repeat yourself

Page 41: AWS Summit Auckland  - Introducing Well-Architected for Developers

EC2, CFN, EBS, IAM, ELB, S3, RDS

Tied together with...

Capistrano, Puppet

Page 42: AWS Summit Auckland  - Introducing Well-Architected for Developers

Self Service Environments

● Anyone can deploy our products

○ Developers adding new features

○ Implementation consultants configuration

○ Demos to customers

git clone <repo>

graviton deploy -p ec2 (or Capistrano, Bamboo)

Page 43: AWS Summit Auckland  - Introducing Well-Architected for Developers

Self Service Environments

Page 44: AWS Summit Auckland  - Introducing Well-Architected for Developers

$$$

• Automation = easy to create new environments

• AWS loves you, your boss might not :D

• Cost Engineering required to keep your shiny toys

Page 45: AWS Summit Auckland  - Introducing Well-Architected for Developers

Measure – Cost Explorer

Page 46: AWS Summit Auckland  - Introducing Well-Architected for Developers

Lights Out – Automate with EC2-Operator

Simple Python script, runs in Lambda every 10 minutes.

auto: stop=0 6 * * *

auto: expiry=2016-12-31;

stop=0 6 * * *

auto: expiry=persistent

stop=0 8 * * *;start=0 18 * * *

Page 47: AWS Summit Auckland  - Introducing Well-Architected for Developers

Clean Up – Automate with Janitor Monkey!

Open sourced by Netflix

We use it to automatically clean up:

Emails warnings to Owner tag for AWS resources

EC2 EBS S3 RDS

Page 48: AWS Summit Auckland  - Introducing Well-Architected for Developers

Summary – Cost Saving Tips

● Make use of APIs

● Understand your highest costs (cost explorer)

● Start simple, for us that was

○ lights out

○ EC2 instance clean up

● Terminate whenever possible (cattle)

● EBS volumes for stopped instances still have a cost

● Iterate

● Make use of APIs ;)

Page 49: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 50: AWS Summit Auckland  - Introducing Well-Architected for Developers

Elastic Beanstalk

Page 51: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 52: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 53: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 54: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 55: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 56: AWS Summit Auckland  - Introducing Well-Architected for Developers

Trusted Advisor

Page 57: AWS Summit Auckland  - Introducing Well-Architected for Developers

Trusted Advisor

Page 58: AWS Summit Auckland  - Introducing Well-Architected for Developers

Developer Support

The Developer Support plan offers resources for customers testing or developing on AWS, as well as any customers who:

• Want Access to Guidance and Technical Support

• Are Exploring how to Quickly put AWS to Work

• Use AWS for Non-production Workloads or Applications

• Trusted Advisor – Core Checks

• Architecture Support – Developer

Page 59: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 60: AWS Summit Auckland  - Introducing Well-Architected for Developers

Get Started

Architecture Centre: https://aws.amazon.com/architecture/

AWS Well-Architected Framework: https://aws.amazon.com/whitepapers/

10m Tutorials: https://aws.amazon.com/getting-started/

Page 61: AWS Summit Auckland  - Introducing Well-Architected for Developers

Additional Resources

All The Links: https://github.com/benjipotter/aws-well-architected

Page 62: AWS Summit Auckland  - Introducing Well-Architected for Developers

AWS Training & Certification

Intro Videos & Labs

Free videos and labs to help you learn to work with 30+ AWS services – in minutes!

Training Classes

In-person and online courses to build technical skills – taught by accredited AWS instructors

Online Labs

Practice working with AWS services in live environment – Learn how related services work together

AWS Certification

Validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready

Learn more: aws.amazon.com/training

Page 63: AWS Summit Auckland  - Introducing Well-Architected for Developers

Your Training Next Steps:

Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer

Register & attend AWS instructor led training

Get Certified

AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag

Learn more: aws.amazon.com/training

Page 64: AWS Summit Auckland  - Introducing Well-Architected for Developers
Page 65: AWS Summit Auckland  - Introducing Well-Architected for Developers

Thank You!