forge - devcon 2016: developing & deploying secure, scalable applications on amazon web services

Tom Jones Solution Architect, Amazon Web Services Developing and Deploying Secure, Scalable Applications on Amazon Web Services

Upload: autodesk

Post on 15-Apr-2017


TRANSCRIPT

Tom Jones

Solution Architect, Amazon Web Services

Developing and Deploying Secure, Scalable Applications on Amazon Web Services

Services

Scale

Security

Development

Introduction

Solution Architect, Amazon Web Services

Tom Jones

Ecosystem: Technology Partners, Consulting Partners, AWS Marketplace

Deployment & Management: Elastic Beanstalk (Application Container), OpsWorks (Resource Management), CloudFormation (Resource Template)

Administration & Security: IAM (Access Control), CloudWatch (Monitoring), CloudTrail (Log Tracking)

APIs and SDKs, Management Console, Command Line Interface (Development Command)

Networking: VPC (Isolated Cloud Resources), Direct Connect (Dedicated Network), Route 53 (DNS)

Analytics: EMR (Hadoop Framework), Redshift (PB scale DW), Kinesis (Real-time Data stream), Data Pipeline (Data-Driven Workflow)

Application Services: SQS (Queueing), SWF (Workflow), AppStream (App Streaming), Elastic Transcoder (Transcoding), SES (Emailing), CloudSearch (Search)

Storage & Content Delivery: S3 (Object Storage), EBS (Block Storage), Glacier (Archive Storage), CloudFront (CDN)

Compute: EC2 (Virtual Server), Elastic Load Balancer (Load Balancer), Auto Scaling (Automatic Elasticity)

Databases: RDS (RDB), DynamoDB (NoSQL), ElastiCache (Caching)

Support, Professional Services, Training, Certification

AWS provides broad & deep services

Amazon S3

Highly durable object storage for all types of data

Internet-scale storage

Grow without limits

Built-in redundancy

Designed for

99.999999999%

durability

Flexibility & Reliability

• Pay as you go

• No upfront investment

• No commitment

• No risky capacity planning

• No need to provision for redundancy or overhead

Compute Services

Elastic Compute Cloud (EC2)

c3.8xlarge

g2.medium

m3.large

Basic unit of compute capacity, virtual machines

Range of CPU, memory & local disk options

Choice of instance types, from micro to cluster compute

Auto Scaling

Automatic re-sizing of compute clusters based upon demand and policies

AWS Global Scale

AWS Availability Zones (AZ): a sample Region containing AZ A, AZ B and AZ C

AWS Global Scale

Chart of releases per year: 2009: 48, 2011: 82, 2013: 280, 2015: 722

AWS Pace of Innovation

Strengthen your security posture

Get native functionality and tools

Over 30 global compliance certifications and accreditations

Leverage security enhancements gleaned from 1M+ customer experiences

Benefit from AWS industry leading security teams 24/7, 365 days a year

Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations

Focus on your core mission

Lower the time spent on infrastructure

Dedicate more resources to innovation

Concentrate on new business initiatives

“Our goal is to move at the speed of business. Our customers’ needs change constantly, and we need to be able to adapt to that.”

Keith Homewood – Cloud Product Owner, Nordstrom

Developing and Deploying Secure, Scalable Applications

Code, Build, Test, Deploy, Provision, Monitor

CodeCommit, CodePipeline, CodeDeploy, Elastic Beanstalk, OpsWorks, CloudFormation, CloudWatch

AWS DevOps Services

AWS CodeCommit

git pull/push to CodeCommit over SSH or HTTPS

Git objects in Amazon S3

Git index in Amazon DynamoDB

Encryption key in AWS KMS

Secure, scalable, and managed Git source control

Source control in the cloud: secure, fully managed, high availability, store anything

$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/aws-cli

Cloning into 'aws-cli'...

Receiving objects: 100% (16032/16032), 5.55 MiB | 1.25 MiB/s, done.

Resolving deltas: 100% (9900/9900), done.

Checking connectivity... done.

$

AWS CodePipeline

Continuous delivery and release automation

Source: 1) Pull

Build: 1) Build 2) Unit test

Beta: 1) Deploy 2) UI test

Gamma: 1) Deploy 2) Perf test

Production: 1) Deploy canary 2) Deploy region 1 3) Deploy region 2

AWS CodePipeline

AWS Code partners

AWS CodeDeploy

Application Deployment to any target

AWS CodeDeploy is a service that automates code deployments to any instance

appspec.yml

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html
permissions:
  - object: /var/www/html
    pattern: "*.html"
    owner: root
    group: root
    mode: 755
hooks:
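A worked check on the appspec.yml above, written for this page and not taken from the talk or from AWS: the slide's appspec is rebuilt as a Python dict (the shape a YAML loader would produce, so the script needs no YAML library) and a small audit flags what a reviewer would look for in the files and permissions sections: destinations outside the expected web root, permission objects that do not sit under a deployed destination, and world-writable or setuid/setgid modes. The allowed-root list and the rule set are assumptions.

```python
"""Audit of the `files` and `permissions` sections of a CodeDeploy appspec.yml.
Added example for this page, not from the talk or from AWS. The allowed web-root
list and the rule set are assumptions."""

# Constructed: the slide's appspec.yml as a dict, the shape yaml.safe_load would give.
SLIDE_APPSPEC = {
    "version": 0.0,
    "os": "linux",
    "files": [{"source": "/", "destination": "/var/www/html"}],
    "permissions": [{"object": "/var/www/html", "pattern": "*.html",
                     "owner": "root", "group": "root", "mode": 755}],
    "hooks": {},
}


def parse_mode(mode):
    """Read a mode as octal digits whether the loader produced 755 (int) or "755" (str)."""
    return int(str(mode), 8)


def _under(path, roots):
    """True if `path` equals one of `roots` or lies beneath it."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def check_appspec(appspec, allowed_roots=("/var/www/html",)):
    """Return a list of findings (strings); an empty list means the appspec passes."""
    findings = []
    destinations = []
    for entry in appspec.get("files", []):
        dest = entry.get("destination", "")
        destinations.append(dest)
        if not dest.startswith("/"):
            findings.append(f"files: destination {dest!r} is not an absolute path")
        elif not _under(dest, allowed_roots):
            findings.append(f"files: destination {dest!r} is outside the allowed roots")
    for perm in appspec.get("permissions", []):
        obj = perm.get("object", "")
        label = f"{obj} pattern {perm.get('pattern')}"
        if not _under(obj, destinations):
            findings.append(f"permissions: object {obj!r} is not under a deployed destination")
        if "mode" not in perm:
            continue
        try:
            mode = parse_mode(perm["mode"])
        except ValueError:
            findings.append(f"permissions: mode {perm['mode']!r} is not octal")
            continue
        if mode & 0o002:          # other-write bit
            findings.append(f"permissions: {label} is world-writable ({perm['mode']})")
        if mode & 0o6000:         # setuid / setgid bits
            findings.append(f"permissions: {label} sets setuid/setgid ({perm['mode']})")
    return findings


if __name__ == "__main__":
    print(check_appspec(SLIDE_APPSPEC))  # the slide's appspec produces no findings
```

The slide's appspec passes: root-owned, mode 755 content under /var/www/html. Changing the mode to 777, or pointing the destination somewhere outside the web root, produces a finding, which is the kind of gate worth running in the pipeline's build stage before CodeDeploy ever sees the bundle.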

*Gray events are non-scriptable

Lifecycle Hooks

Choose deployment speed & group

Deployment speed (how many instances move from v1 to v2 at once): one at a time, half at a time, all at once

Deployment group: Dev deployment group OR Prod deployment group; each instance runs the CodeDeploy agent

Deploy!

aws deploy create-deployment \
  --application-name MyApp \
  --deployment-group-name TargetGroup \
  --s3-location bucket=MyBucket,key=MyApp.zip

allOfThis == $Code

https://secure.flickr.com/photos/wscullin/3770015991

AWS CloudFormation

“AWS CloudFormation provides an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.”

Infrastructure as code & resource provisioning

Template (JSON formatted file): parameter definition, resource creation, configuration actions

CloudFormation (framework): stack creation, stack updates, error detection and rollback

Stack (configured AWS services): comprehensive service support, service event aware, customizable

CloudFormation – Components & Technology

Demo

AWS Elastic Beanstalk

Focus on your code

Information required to deploy an application:

01 Region

02 Stack (container) type

03 Single Instance OR Load Balanced with auto-scaling

04 Database (RDS), optional

Your code, on one of the supported platforms

Security Services and Features

Shared security responsibility

Security Shared Responsibility Model

AWS is responsible for the security OF the cloud

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations


Customers:

Customer content

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

AWS Shared Responsibility Model

Customers are responsible for their security and compliance IN the Cloud

AWS is responsible for the security OF the Cloud

Compliance: Config, CloudTrail, Service Catalog

Identity: IAM, Active Directory Integration, SAML Federation

Encryption: Key Management Service, CloudHSM, Server-side Encryption

Networking: Virtual Private Cloud, Web Application Firewall

Example VPC, CIDR 10.10.0.0/16, spanning AZ A and AZ B:

Public subnets 10.10.1.0/24 and 10.10.2.0/24

Private subnets 10.10.3.0/24 and 10.10.4.0/24

Private subnets 10.10.5.0/24 and 10.10.6.0/24

Internet Gateway, Public ELB, Autoscaling Web Tier, Internal ELB, Autoscaling Application Tier

Multi-AZ RDS Data Tier: RDS Master, RDS Standby, Snapshots

Existing Datacenter reached via Virtual Private Gateway, Customer Gateway and VPN Connection, or via Direct Connect at a Network Partner Location; Administrators & Corporate Users

Amazon Virtual Private Cloud, VPC CIDR 10.1.0.0/16

Availability Zone A: public subnet (ELB), private subnet (Web), private subnet (Back end)

Availability Zone B: public subnet (ELB), private subnet (Web), private subnet (Back end)

Security Groups:

sg_ELB_FrontEnd (ELB Security Group)

sg_Web_Frontend (Web Security Group)

sg_Backend (Backend Security Group)
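The CloudFormation section above describes a template as a JSON file of parameters and resources, and the VPC diagram names three security groups that chain ELB to web to back end. The following example, added for this page and not from the talk or from AWS, builds that chain as a CloudFormation template in Python and audits it: each tier admits traffic only from the security group in front of it, and only the ELB group is open to the internet. The logical IDs, the ports, the VpcId parameter and the audit policy are assumptions; the slide's group names are kept in GroupDescription because logical IDs must be alphanumeric.

```python
"""Three-tier security-group chain from the VPC slide as a CloudFormation template,
with an ingress audit. Added example, not from the talk or from AWS. Logical IDs,
ports, the VpcId parameter and the audit policy are assumptions."""
import json

SG_TYPE = "AWS::EC2::SecurityGroup"


def ingress_from_cidr(port, cidr):
    """Allow TCP `port` from an IP range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def ingress_from_group(port, source_logical_id):
    """Allow TCP `port` only from members of another security group in this template.
    A group reference, unlike a CIDR, follows instances as Auto Scaling replaces them."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": source_logical_id}}


def security_group(description, ingress):
    """One AWS::EC2::SecurityGroup resource in the VPC passed as a parameter."""
    return {"Type": SG_TYPE, "Properties": {"GroupDescription": description,
            "VpcId": {"Ref": "VpcId"}, "SecurityGroupIngress": ingress}}


def build_template():
    """ELB <- internet on 443; Web <- ELB group only on 80; Backend <- Web group only on 8080."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "sgELBFrontEnd": security_group("sg_ELB_FrontEnd (ELB Security Group)",
                                            [ingress_from_cidr(443, "0.0.0.0/0")]),
            "sgWebFrontend": security_group("sg_Web_Frontend (Web Security Group)",
                                            [ingress_from_group(80, "sgELBFrontEnd")]),
            "sgBackend": security_group("sg_Backend (Backend Security Group)",
                                        [ingress_from_group(8080, "sgWebFrontend")]),
        },
    }


def audit_ingress(template, internet_facing=("sgELBFrontEnd",)):
    """Flag any group other than the internet-facing ones that accepts traffic from
    anywhere, and any group reference that points outside the template."""
    resources = template["Resources"]
    findings = []
    for name, res in resources.items():
        if res.get("Type") != SG_TYPE:
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0") and name not in internet_facing:
                findings.append(f"{name}: port {rule.get('FromPort')} open to {cidr}")
            src = rule.get("SourceSecurityGroupId")
            if isinstance(src, dict) and src.get("Ref") not in resources:
                findings.append(f"{name}: SourceSecurityGroupId refers to unknown {src.get('Ref')}")
    return findings


def template_json(template=None):
    """Serialise the template to the JSON form CloudFormation accepts."""
    return json.dumps(template or build_template(), indent=2)


if __name__ == "__main__":
    print(template_json())
    print("findings:", audit_ingress(build_template()))
```

Run as a script it prints the template and an empty findings list; the audit function is the part to keep, since it can be pointed at any template before a stack update to catch a private tier that has quietly been opened to 0.0.0.0/0.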

Cryptographic Services

Amazon CloudHSM: Dedicated HSM, Integrate with on-premises HSMs, Hybrid Architectures

AWS KMS: Deep integration with AWS Services, CloudTrail, AWS SDK for application encryption

AWS regions are geographically isolated by design

Customer chooses where to place data

Data is not replicated to other AWS regions and doesn’t move unless you choose to move it

Data Locality

AWS Identity & Access Management

IAM Users IAM Groups IAM Roles IAM Policies

AWS Certifications and Attestations

aws.amazon.com/compliance

What this means

You benefit from an environment built for the most security-sensitive organizations

AWS manages 1,800+ security controls so you don’t have to

You always have full ownership and control of your data

You get to define the right security controls for your workload sensitivity

Getting Started

https://aws.amazon.com

Interacting with AWS: Management Console

Interacting with AWS: SDKs

Ruby, iOS, Python (boto), Android, Node.js, .NET, PHP, AWS Toolkit for Visual Studio, AWS Toolkit for Eclipse, AWS Tools for Windows PowerShell


AWS CLI, JavaScript, Java, Xamarin

Interacting with AWS: AWS CLI

aws ec2 describe-instances

aws ec2 start-instances --instance-ids <value>

aws ec2 stop-instances --instance-ids <value>

aws s3 cp object.file s3://mybucket/object.file

aws s3 sync s3://mybucket ./localfolder/

AWS and Autodesk

Lots of stuff

AWS Services are tools

https://flic.kr/p/c4QJzC

Forge.Autodesk.com

@AutodeskForge

Autodesk and Amazon Web Services

We are here to help

• Online tutorials

• Training classes

• Certifications

• AWS Summits: Santa Clara, July 12-13; NYC Summit, August 10-11

• AWS re:Invent: November 28 – December 2, 2016

AWS Pop-up Loft

http://aws.amazon.com/start-ups/loft/sf-loft/

925 Market Street, San Francisco, CA

Open Monday - Friday, 10:00am - 6:00pm.

Example Applications

Elastic Beanstalk:

http://amzn.to/1pyLzDH

Code Pipeline + Code Deploy: http://amzn.to/1SzT3h0

https://secure.flickr.com/photos/dullhunk/202872717/


Contact Us

AWS.Amazon.com

@awscloud

Thank you!