Posted on 16-Apr-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ben Potter, Professional Services Consultant, Amazon Web Services
Richard Paul, Technical Lead, Orion Health
Introducing Well-Architected For Developers
Session Depth: Technical 101
What We Will Cover
• The Well-Architected Framework
• Key Best Practices
• How to Get Started
• Resources
Main Pillars
• Security: Account, Access Keys, Network, Services
• Reliability: High Availability, Load Balancing, Backup and DR, Auto Scaling
• Performance Efficiency: Right-Sizing, Benchmarking, Load Testing, Monitoring
• Cost Optimisation: Managed Services, Cost Awareness, Tagging
General Design Principles
• Secure from the Start
• Stop Guessing your Capacity Needs
• Test Systems at Production Scale
• Lower the Risk of Architecture Change
• Automate to make Architectural Experimentation Easier
• Allow for Evolutionary Architectures
SDKs
• PHP
• Python
• .NET
• Node.js
• JavaScript
• Java
• Ruby
• Android and iOS
• Go
Building Blocks
(Diagram: an EC2 instance / Server inside a Subnet, Subnets inside Availability Zone A and Availability Zone B, both within a Region; Amazon S3 and Amazon CloudWatch shown alongside.)
Security
The ability to protect information, systems and assets while
delivering business value through risk assessments and
mitigation strategies.
• Data Protection
• Privilege Management
• Infrastructure Protection
• Detective Controls
Security: Shared Responsibility
AWS is responsible for:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, and Firewall Configuration
• Customer applications & content
Security: Credentials
• As soon as you Create a new AWS Account, Enable MFA
• Use the Identity and Access Management Service (IAM) to Create Users, even if it's only 1
• Protect all of your Credentials
• DO NOT place Access Keys in Code… EVER!
'key' => '1111-2222-3333-4444-5555', 'secret' => 'aaaa-bbbb-cccc-dddd-eeee',
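A check for the anti-pattern on this slide, as an added example that is not code from the deck: a small Python scanner that flags hard-coded AWS access key IDs and quoted credential literals assigned to names such as 'key' and 'secret'. The sample source and the AKIA value in it are constructed, not real credentials.

```python
import re

# Long-term access key IDs issued by IAM are 20 characters starting with "AKIA"
# (temporary ones start with "ASIA"), so the ID half of a leaked pair is easy to grep for.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# The slide's PHP style ('key' => '...', 'secret' => '...') and the usual variable
# names, with a quoted literal of at least 8 characters on the right-hand side.
NAMED_LITERAL = re.compile(
    r'''['"]?\b(aws_access_key_id|aws_secret_access_key|access_key|secret_key|key|secret)\b['"]?'''
    r'''\s*(?:=>|=|:)\s*['"]([^'"]{8,})['"]''',
    re.IGNORECASE,
)


def scan_source(text):
    """Return (line_number, reason, matched_value) for every suspect line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group(0)))
        for m in NAMED_LITERAL.finditer(line):
            findings.append((lineno, "named-credential-literal", m.group(2)))
    return findings


# Constructed sample, not a real repository: the slide's hard-coded array, a made-up
# key ID of the right shape (not issued by AWS), and two lines that should pass.
SAMPLE = """<?php
$config = ['key' => '1111-2222-3333-4444-5555',
           'secret' => 'aaaa-bbbb-cccc-dddd-eeee'];
$id = "AKIAEXAMPLEEXAMPLE01";
$provider = CredentialProvider::instanceProfile();
$region = 'ap-southeast-2';
"""

if __name__ == "__main__":
    for lineno, reason, value in scan_source(SAMPLE):
        print(f"line {lineno}: {reason}: {value}")
```

Running the same scan as a pre-commit hook stops the array on this slide from ever reaching the repository.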
Security: EC2 Role
1: Create EC2 role – Create role in IAM service with limited policy
2: Launch EC2 instance – Launch instance with role
3: App retrieves credentials – Using AWS SDK, application retrieves temporary credentials
4: App accesses AWS resource(s) – Using AWS SDK, application uses credentials to access resource(s)
Security: EC2 Role – PHP SDK
• PHP SDK: Using an Instance Profile (EC2 role)
<?php
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

// Credentials come from the instance profile (EC2 role), not from code or config
$provider = CredentialProvider::instanceProfile();
// Be sure to memoize the credentials: they are cached and refreshed only when they expire
$memoizedProvider = CredentialProvider::memoize($provider);
$client = new S3Client([
    'region' => 'ap-southeast-2',
    'version' => '2006-03-01',
    'credentials' => $memoizedProvider
]);
Security: Cognito
(Diagram: Identity Providers map to Unique Identities, usable from Any Device, Any Platform, with Any AWS Service.)
• Helps implement Security Best Practices: Securely access any AWS Service from a mobile device. It simplifies the interaction with AWS Identity and Access Management.
• Support Multiple Login Providers: Easily integrate with major login providers for authentication.
• Unique Users vs. Devices: Manage unique identities. Automatically recognise a unique user across devices and platforms.
(Diagram: users Joe, Anna and Bob accessing Mobile Analytics, S3, DynamoDB and Kinesis.)
Security: Network and Boundary
• Security Groups are Built-in Stateful Firewalls
• Divide Layers of the Stack into Subnets
• Use a Bastion Host for Access
• Implement Host Based Controls
(Diagram, "Two Layers with Security Groups": a User reaches the WEB Server in Web Subnet A, protected by the WEB Security Group; the RDS DB Instance sits in DB Subnet A behind a separate DB Security Group; the layout spans Availability Zone A and Availability Zone B.)
Security: Instance, Monitoring and Auditing
• Configure Encryption Everywhere Possible
• Configure CloudTrail Service
• Configure VPC Flow Logs
• Collect all Logs Centrally and Alert
(Services shown: Virtual Private Cloud, Identity & Access Manager, Key Management Service, CloudTrail, AWS Config.)
Security: Instance, Monitoring and Auditing
• VPC Flow Logs – Developers Best Friend
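As an added example that is not from the deck: a Python parser for default-format VPC flow log records that counts rejected TCP connections to one port per source address, the kind of check to run once the logs are collected centrally and wired to an alert. The records are constructed; the account id, interface id and addresses are made up.

```python
from collections import Counter

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_record(line):
    """Parse one flow log record into a dict; return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the traffic fields; only convert real numbers.
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def rejected_by_source(lines, dst_port, min_hits):
    """Sources with at least min_hits REJECTed TCP flows to dst_port.
    REJECT means the security group or network ACL dropped the traffic, so a
    burst of them from one address is worth an alarm rather than a dashboard."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT" and rec["protocol"] == 6 and rec["dstport"] == dst_port:
            hits[rec["srcaddr"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed sample records (documentation address ranges, made-up ids).
SAMPLE = """2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.55 43210 3306 6 12 2048 1492300000 1492300060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51000 22 6 1 40 1492300000 1492300060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51001 22 6 1 40 1492300060 1492300120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51002 22 6 1 40 1492300120 1492300180 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 40000 22 6 1 40 1492300120 1492300180 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1492300180 1492300240 - NODATA""".splitlines()

if __name__ == "__main__":
    print(rejected_by_source(SAMPLE, dst_port=22, min_hits=3))
```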
Reliability
Reliability
The ability of a system to recover from infrastructure or
service failures, dynamically acquire computing resources
to meet demand and mitigate disruptions such as
misconfigurations or transient network issues.
• Foundations
• Change Management
• Failure Management
Reliability: High Availability
• No Single Point of Failure
• Multiple Availability Zones
• Load Balancing
• Auto Scaling and Healing
(Diagram, "Multi AZ, Load Balanced, Auto Scaled": the User resolves via Amazon Route 53 to Elastic Load Balancing, which spreads traffic over WEB Servers in an Auto Scaling Group across Web Subnet A and Web Subnet B; the Active RDS DB Instance and its Standby sit in DB subnets in the two Availability Zones.)
Reliability: Monitoring and Alerting
• Monitoring
• Notification
• Automated Response
• Review
(Services shown: Amazon CloudWatch, CloudWatch Alarm, Amazon SNS, Amazon CloudWatch Logs, AWS Lambda.)
Reliability: Backup and DR
• Define Objectives
• Backup Strategy
• Periodic Recovery Testing
• Automated Recovery
• Periodic Reviews
Performance Efficiency
Performance Efficiency
The ability to use computing resources efficiently to meet
system requirements and to maintain that efficiency as
demand changes and technologies evolve.
• Compute
• Storage
• Database
Performance Efficiency: Right Sizing
• Reference Architecture
• Quick Start Reference Deployments
• Benchmarking
• Load Testing
• Cost / Budget
• Monitoring and Notification
Performance Efficiency: Proximity and Caching
• Content Delivery Network (CDN)
• Database Caching
• Reduce Latency
• Pro-active Monitoring and Notification
(Services shown: Amazon CloudFront, Amazon ElastiCache, RDS DB instance read replica.)
Performance Efficiency: Proximity and Caching
• Session State in ElastiCache (Redis) for .NET:
<sessionState mode="Custom" customProvider="MySessionStateStore">
  <providers>
    <add name="MySessionStateStore"
         type="Microsoft.Web.Redis.RedisSessionStateProvider"
         host="aspnet.k30h8n.0001.use1.cache.amazonaws.com"
         accessKey="" ssl="false" />
  </providers>
</sessionState>
(Diagram, "Multi AZ, Load Balanced, Auto Scaled, Caching": static content in Amazon S3 served through Amazon CloudFront; the User resolves via Amazon Route 53 to Elastic Load Balancing; WEB Servers in an Auto Scaling Group across Web Subnet A and Web Subnet B, each Availability Zone with ElastiCache and an RDS DB Instance Read Replica; the Active RDS DB Instance with a Standby in the other zone; AWS WAF also shown.)
(Diagram: what Your Mobile App reaches through the AWS Mobile SDK)
• Authenticate Users / Authorise Access: Amazon Cognito (Identity Broker), AWS Identity and Access Management
• Analyse User Behavior: Amazon Mobile Analytics
• Store and Share Media: Amazon S3 Transfer Manager
• Deliver Media: Amazon CloudFront (Device Detection)
• Synchronise Data: Amazon Cognito (Sync)
• Store Shared Data: Amazon DynamoDB (Object Mapper)
• Stream Real-time Data: Amazon Kinesis (Recorder)
• Send Push Notifications: Amazon SNS Mobile Push
• Run Business Logic: AWS Lambda
Cost Optimisation
Cost Optimisation
The ability to avoid or eliminate unneeded cost or
suboptimal resources.
• Matching Capacity and Demand
• Cost-effective Resources
• Expenditure Awareness
• Optimising Over Time
Cost Optimisation: Capacity Matching
• Demand Based
• Queue Based
• Schedule Based
• Appropriately Provisioned
• Instance Matching
• Pro-active Monitoring and Action
(Services shown: Amazon SQS, optimised instance, Amazon SWF.)
Cost Optimisation: Pricing Model
• On Demand
• Reserved
• Spot
• Automated Turn Off
Cost Optimisation: Managed Services
• Analyse Available Services
• Appropriate Databases
• Consider Application Level Services
• Automation: CloudFormation, Elastic Beanstalk
(Services shown: Amazon RDS, Amazon DynamoDB, Amazon Redshift, Amazon ElastiCache, AWS CloudFormation, AWS Elastic Beanstalk, Amazon Elasticsearch Service.)
Cost Optimisation: Manage Expenditure
• Tag Resources
• Track Project Lifecycle and Profile Applications
• Monitor Usage and Spend
• Cost Explorer
• Partner Tools
Introducing Richard from Orion Health
Who am I
Technical Lead for the Delivery Engineering tribe
We provide efficient delivery pipelines (services and tooling) for teams across Orion Health
Organiser of the Auckland Continuous Delivery Meetup group
What we Value
• Robots not Monkeys
• Cattle not Pets
• DRY – Don't repeat yourself
(Services used: EC2, CFN, EBS, IAM, ELB, S3, RDS)
Tied together with... Capistrano and Puppet
Self Service Environments
● Anyone can deploy our products
○ Developers adding new features
○ Implementation consultants doing configuration
○ Demos to customers
git clone <repo>
graviton deploy -p ec2 (or Capistrano, Bamboo)
Self Service Environments
$$$
• Automation = easy to create new environments
• AWS loves you, your boss might not :D
• Cost Engineering required to keep your shiny toys
Measure – Cost Explorer
Lights Out – Automate with EC2-Operator
Simple Python script, runs in Lambda every 10 minutes. Example tag values:
auto: stop=0 6 * * *
auto: expiry=2016-12-31;stop=0 6 * * *
auto: expiry=persistent;stop=0 8 * * *;start=0 18 * * *
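An added illustration of how a tag in this shape can be interpreted (example code, not EC2-Operator's own): a Python parser for the expiry/stop/start value plus a minimal five-field cron matcher. Treating a past expiry date as "expired" is an assumption of the example; the slide does not say what the script does on expiry.

```python
from datetime import date, datetime


def parse_auto_tag(value):
    """Split 'expiry=2016-12-31;stop=0 6 * * *;start=0 18 * * *' into a dict."""
    fields = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            fields[key.strip()] = val.strip()
    return fields


def _field_matches(field, value, low, high):
    """Does one cron field ('*', '*/5', '1-5', '0,30', '6') match value?"""
    for item in field.split(","):
        step = 1
        if "/" in item:
            item, step = item.split("/")
            step = int(step)
        if item == "*":
            lo, hi = low, high
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
        else:
            lo = hi = int(item)
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False


def cron_matches(expr, when):
    """Match a 5-field cron expression (min hour dom month dow) at datetime 'when'."""
    minute, hour, dom, month, dow = expr.split()
    cron_dow = (when.weekday() + 1) % 7   # cron counts 0 = Sunday, Python 0 = Monday
    return (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and _field_matches(dom, when.day, 1, 31)
            and _field_matches(month, when.month, 1, 12)
            and _field_matches(dow, cron_dow, 0, 6))


def decide(tag_value, now):
    """Action for one instance at 'now': 'expired', 'stop', 'start' or None.
    Returning 'expired' for a past expiry date is this example's assumption."""
    fields = parse_auto_tag(tag_value)
    expiry = fields.get("expiry", "persistent")
    if expiry != "persistent" and now.date() > date.fromisoformat(expiry):
        return "expired"
    if "stop" in fields and cron_matches(fields["stop"], now):
        return "stop"
    if "start" in fields and cron_matches(fields["start"], now):
        return "start"
    return None
```

Because the slide's script only polls every 10 minutes, a production version would test every minute in the polling window rather than the exact minute, or an instance whose stop time falls between runs would be missed.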
Clean Up – Automate with Janitor Monkey!
Open sourced by Netflix
We use it to automatically clean up EC2, EBS, S3 and RDS resources
Emails warnings to the Owner tag for AWS resources
Summary – Cost Saving Tips
● Make use of APIs
● Understand your highest costs (cost explorer)
● Start simple, for us that was
○ lights out
○ EC2 instance clean up
● Terminate whenever possible (cattle)
● EBS volumes for stopped instance still have a cost
● Iterate
● Make use of APIs ;)
Elastic Beanstalk
Trusted Advisor
Developer Support
The Developer Support plan offers resources for customers
testing or developing on AWS, as well as any customers
who:
• Want Access to Guidance and Technical Support
• Are Exploring how to Quickly put AWS to Work
• Use AWS for Non-production Workloads or Applications
• Trusted Advisor – Core Checks
• Architecture Support – Developer
Get Started
Architecture Centre: https://aws.amazon.com/architecture/
AWS Well-Architected Framework
https://aws.amazon.com/whitepapers/
10-Minute Tutorials: https://aws.amazon.com/getting-started/
Additional Resources
All The Links: https://github.com/benjipotter/aws-well-architected
AWS Training & Certification
• Intro Videos & Labs: Free videos and labs to help you learn to work with 30+ AWS services – in minutes!
• Training Classes: In-person and online courses to build technical skills – taught by accredited AWS instructors
• Online Labs: Practice working with AWS services in a live environment – learn how related services work together
• AWS Certification: Validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
Your Training Next Steps:
Visit the AWS Training & Certification pod to discuss your
training plan & AWS Summit training offer
Register & attend AWS instructor led training
Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Thank You!