Today's Agenda
• Background and Value proposition of AWS
• Global infrastructure and the Sydney Region
• AWS services
• Drupal example
• Q&A
Cloud Computing Benefits
• No Up-Front Capital Expense
• Pay Only for What You Use
• Self-Service Infrastructure
• Easily Scale Up and Down
• Improve Agility & Time to Market
• Low Cost
Each day AWS adds the equivalent server capacity to power Amazon when it was a global, $5B enterprise.
Amazon in 2003: $5.2B retail business, 7,800 employees, a whole lot of servers.
[Chart: EMR jobs launched over time, y-axis 0 to 4,000,000]
3.7 M clusters launched since May 2010
AWS Regions & Availability Zones
US Regions: GovCloud (OR), US East (VA), US West (CA), US West (OR)
Global Regions: EU (Ireland), South America (Sao Paulo), Asia Pacific (Sydney), Asia Pacific (Singapore), Asia Pacific (Tokyo)
Each Region is drawn with multiple Availability Zones (Zone A, Zone B, ...).
Customer Decides Where Applications and Data Reside
Note: Conceptual drawing only. The number of Availability Zones may vary.
Security is Our #1 Priority
• People & Procedures
• Network Security
• Physical Security
• Platform Security
Certifications and standards: ITAR, FIPS 140-2, ISO 27001, SOC 2, ISAE 3402, PCI DSS, HIPAA, FISMA Moderate
Many Customers’ Security Posture Improves In the Cloud
“The improved computer security includes, but is not limited to, greater protection against network attacks and real time detection of system tampering.”
Earl E. Devaney, Chairman, Recovery.gov
“You basically turn yourself into a polymorphic surface to which the attack guy has a much tougher time getting at. That, ultimately, is the real key advantage to drive security and make things much better for us across the board.”
Gus Hunt, CTO, Central Intelligence Agency
Amazon
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customer
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
• SAS-70 Type II
• ISO 27001/2 Certification
• Payment Card Industry (PCI) Data Security Standard (DSS)
• NIST Compliant Controls
• DoD Compliant Controls
• FedRAMP Compliant Controls
• HIPAA and ITAR Compliant
• Customers implement their own set of controls
• Multiple customers with FISMA Low and Moderate ATOs
AWS Platform
Your Applications
Foundation Services
• Compute: Amazon EC2, Auto Scale
• Storage: Amazon S3, Amazon EBS, Amazon Storage Gateway
• Database: Amazon RDS, Amazon SimpleDB, Amazon ElastiCache, Amazon DynamoDB
• Networking: Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Direct Connect
Application Platform Services
• Content Distribution: Amazon CloudFront
• Application Svcs: Simple Workflow Service, CloudSearch, Amazon SNS, SQS, SES
• Parallel Processing: Elastic MapReduce
• Libraries & SDKs: Java, PHP, Python, Ruby, .NET
Management & Administration
• Identity & Access: AWS IAM, Identity Federation, Consolidated Billing
• Web Interface: Management Console
• Monitoring: Amazon CloudWatch
• Deployment & Automation: AWS Elastic Beanstalk, AWS CloudFormation
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Built to Enterprise & Gov Standards
Security & Compliance Resources
• Security & Compliance Center: http://aws.amazon.com/security
• Security Overview & Best Practices
• AWS Risk & Compliance Whitepaper
• Creating HIPAA Compliant Applications
Hardware, Software & Network
• Systematic change management
• Phased updates deployment
• Safe storage decommission
• Automated monitoring and self-audit
• Advanced network protection systems
Certifications and Accreditations
• ISO 27001
• SSAE 16 / ISAE 3402 / SOC1 (formerly U.S. standard SAS-70 Type II)
• FISMA Moderate & DIACAP Controls; ITAR region
• HIPAA applications certified on AWS
• Payment Card Industry (PCI) Data Security Standard (DSS) Level 1
Physical
• Datacenters in nondescript facilities
• Physical access strictly controlled
• Must pass two-factor authentication at least twice for floor access
• Physical access logged and audited
Foundation Services
Compute
Amazon Elastic Compute Cloud (Amazon EC2)
EC2 Instances = Virtual Servers
• Resizable compute capacity in 16 instance types
• Reduces the time required to obtain and boot new server instances to minutes or seconds
• Scale capacity as your computing requirements change
• Pay only for capacity that you actually use
• Choose Linux or Windows
• Deploy across Regions and Availability Zones for reliability
• Flexible networking (NAT/classic, VPC, Elastic IPs)
• Support for virtual network interfaces that can be attached to EC2 instances in your VPC
Compute
Amazon Machine Image
• Building blocks of EC2 instances
• An AMI is like a template of a computer's root volume.
• Can be public or private
• Create hardened or gold “Images” of your EC2 infrastructure
Compute
Auto Scaling
• Client Defined Business Rules
• Scale your Amazon EC2 capacity automatically once you define the conditions (may be 1000’s of servers)
• Can scale up just a little…doesn’t need to be massive number of servers (may be simply 2 servers)
• Well suited for applications that experience variability in usage
• Set minimum and maximum scaling policies
• Alternate Use is for Fault Tolerance
"WebServerGroup" : {
  "Type" : "AWS::AutoScaling::AutoScalingGroup",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
    "MinSize" : "1",
    "MaxSize" : "5",
    "DesiredCapacity" : { "Ref" : "WebServerCapacity" },
    "LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]
  }
},
Storage
Simple Storage Service (S3)
Web-scale Internet Storage
• A “Bucket” is equivalent to a “folder”
• Able to store unlimited number of Objects in a Bucket
• Objects from 1 B to 5 TB; no bucket size limit
• Highly available storage for the Internet (object store)
• HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the web
• Highly scalable, reliable, fast, and inexpensive
• Over 2 trillion objects stored
• Peak requests 1M+ per second
• Ideal Use Cases:
  • Static web content – often used with CloudFront CDN
  • Source and output storage for large-scale “Big Data” analytics
  • Backup, archival, and DR storage that is always “live”
Storage
Elastic Block Store (EBS)
EBS Volumes = Virtual Disks
• Use for persistent storage
• Can use to create RAID configuration for a server
• Off-instance block storage that persists independently
• Storage volumes for use with Amazon EC2 instances – create, attach, backup, restore and delete
• Can be attached to a running Amazon EC2 instance and exposed as a block device for raw or formatted (filesystem) access
• Volumes behave like unformatted block devices for Linux or Windows instances
• Ideal use cases:
  • OS Boot device / root file system; secondary volumes/filesystems
  • Typical basis for database storage
  • Raw block devices for RAID, some databases
Database
Amazon Relational Database Service (RDS)
• Fully-managed, tuned MySQL, Oracle 11g, or MS SQL databases
• Cost-efficient and resizable capacity
• Manages time-consuming database admin tasks
• Code, applications, and tools you already use today work seamlessly
• Automatically patches the database software and backs up your database
• Flexible Licensing: BYOL or License Included
"DBInstance" : {
  "Type": "AWS::RDS::DBInstance",
  "Properties": {
    "DBName" : { "Ref" : "DBName" },
    "Engine" : "MySQL",
    "MultiAZ" : { "Ref": "MultiAZDatabase" },
    "MasterUsername" : { "Ref" : "DBUsername" },
    "DBInstanceClass" : { "Ref" : "DBClass" },
    "DBSecurityGroups" : [{ "Ref" : "DBSecurityGroup" }],
    "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
    "MasterUserPassword": { "Ref" : "DBPassword" }
  }
},
Networking
Amazon Elastic Load Balancing
• Supports the routing and load balancing of HTTP, HTTPS and generic TCP traffic to EC2 instances
• Supports health checks to detect and remove failing instances
• Dynamically grows and shrinks required resources based on traffic
• Seamlessly integrates with Auto Scaling to add and remove instances based on scaling activities
• Single CNAME provides stable entry point for DNS configuration
Networking
Amazon Virtual Private Cloud (VPC)
• Secure and seamless bridge between a company’s existing private network and the AWS cloud
• Connect existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection
• Bring your own address space and extend existing management capabilities
Application Platform Services
Management & Administration
Identity & Access Management
• IAM enables customers to create and manage users in AWS’s identity system
• Identity Federation with local directory is an option for enterprises
• Very familiar security model
  • Users, groups, permissions
• Allows customers to
  • Create users
  • Assign individual passwords, access keys, multi-factor authentication devices
  • Grant fine-grained permissions
  • Optionally grant them access to the AWS Console
  • Organize users in groups
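The "users, groups, permissions" model above is easiest to understand by running it. The following added example (not part of the deck and not AWS code) is a simplified evaluator for IAM-style policy statements: a user inherits the statements of every group it belongs to, an explicit Deny overrides any Allow, and anything not explicitly allowed is denied by default. The group names, user names, bucket ARN and policy documents are constructed for illustration; only the statement shape (Effect/Action/Resource) follows the IAM policy format.

```python
"""Simplified IAM-style policy evaluation (added example, not AWS code).

Rules modelled: users inherit group policies, explicit Deny beats Allow,
and the default decision is Deny. Wildcards in Action/Resource use '*' and '?'.
"""
from fnmatch import fnmatchcase

# Constructed group policies (hypothetical groups and bucket).
GROUP_POLICIES = {
    "web-developers": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-site-content/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
    "contractors": [
        # Fine-grained restriction layered on top of group membership.
        {"Effect": "Deny",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-site-content/*"},
    ],
}

# Constructed users: group memberships plus optional per-user policies.
USERS = {
    "alice": {"groups": ["web-developers"], "policies": []},
    "bob":   {"groups": ["web-developers", "contractors"], "policies": []},
    "carol": {"groups": [], "policies": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},  # administrator
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def applicable_statements(user):
    """Statements attached to the user directly plus those of every group."""
    stmts = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        stmts.extend(GROUP_POLICIES[group])
    return stmts


def is_allowed(user, action, resource):
    """Evaluate a request: default Deny, Allow if matched, explicit Deny wins."""
    decision = "Deny"
    for stmt in applicable_statements(user):
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny short-circuits everything
        decision = "Allow"
    return decision == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-site-content/index.html"
    for user in USERS:
        for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
            print(f"{user:6} {action:16} {'ALLOW' if is_allowed(user, action, obj) else 'DENY'}")
```

Bob is in the same developer group as Alice, so he can read objects, but the contractor group's Deny removes PutObject even though a group he belongs to allows it; neither of them can delete, because no statement grants it. That asymmetry (Deny overrides, absence denies) is what makes layering group policies safe for least privilege.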
Deployment and Management
Amazon CloudWatch
• Visibility into resource utilization, operational performance, and overall demand patterns
• Metrics such as CPU utilization, disk reads and writes, and network traffic
• Accessible via the AWS Management Console, web service APIs or Command Line Tools
• Add custom metrics of your own
• Alarms (which tie into auto-scaling, SNS, SQS, etc.)
• Billing Alerts to help manage charges on AWS bill
Deployment and Management
AWS CloudFormation
• Create templates of stack of resources
• Deploy stack from template with runtime parameters
• Templates are simple JSON formatted text files
• CloudFormer supports generating templates from running environments
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"Tags" : [{
"Key" : "MyTag",
"Value" : "TagValue"
}]
}
},
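Because templates are plain JSON, they can be reviewed mechanically before a stack is created. The following added example (not part of the deck and not AWS tooling) parses a constructed template with the same resource shapes as the Auto Scaling, RDS and EC2 snippets above and reports three things a reviewer would flag: a database master password written as a literal instead of a NoEcho parameter (the RDS snippet above does it correctly with a Ref), a security group rule exposing a non-web port to 0.0.0.0/0, and an Auto Scaling group whose minimum size cannot survive the loss of one instance. The template contents, the allowed public ports and the minimum group size are assumptions made for this example; the `harden` function shows the same template with the settings corrected.

```python
"""Static review of a CloudFormation template (added example, not AWS tooling)."""
import copy
import json

# Constructed template. The literal password and the world-open port 22
# rule are deliberate so that the checks below have something to find.
TEMPLATE_JSON = r'''
{
  "Parameters": {
    "DBPassword": {"Type": "String", "NoEcho": "true"},
    "WebServerCapacity": {"Type": "Number", "Default": "2"}
  },
  "Resources": {
    "WebServerGroup": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {"MinSize": "1", "MaxSize": "5",
                     "DesiredCapacity": {"Ref": "WebServerCapacity"}}
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "MySQL", "MasterUsername": "admin",
                     "MasterUserPassword": "Summer2013!"}
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
'''

# Review thresholds: assumptions for this example, not AWS defaults.
PUBLIC_OK_PORTS = {80, 443}   # only web ports may be reachable from 0.0.0.0/0
MIN_GROUP_SIZE = 2            # enough instances to lose one and keep serving


def noecho_params(template):
    """Names of parameters whose values CloudFormation masks (NoEcho)."""
    params = template.get("Parameters", {})
    return {n for n, p in params.items() if str(p.get("NoEcho", "")).lower() == "true"}


def check_template(template):
    """Return a list of (resource name, finding) tuples."""
    findings, masked = [], noecho_params(template)
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::RDS::DBInstance":
            pw = props.get("MasterUserPassword")
            if isinstance(pw, str):
                findings.append((name, "MasterUserPassword is a literal in the template"))
            elif isinstance(pw, dict) and pw.get("Ref") not in masked:
                findings.append((name, "MasterUserPassword parameter is not NoEcho"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
                world_open = rule.get("CidrIp") == "0.0.0.0/0"
                if world_open and not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((name, f"ports {lo}-{hi} open to 0.0.0.0/0"))
        elif rtype == "AWS::AutoScaling::AutoScalingGroup":
            if int(props.get("MinSize", "0")) < MIN_GROUP_SIZE:
                findings.append((name, f"MinSize below {MIN_GROUP_SIZE}"))
    return findings


def harden(template):
    """Return a copy with the three issue classes above corrected.

    Assumes the template declares a NoEcho parameter named DBPassword.
    """
    fixed = copy.deepcopy(template)
    for res in fixed.get("Resources", {}).values():
        rtype, props = res.get("Type"), res.setdefault("Properties", {})
        if rtype == "AWS::RDS::DBInstance":
            props["MasterUserPassword"] = {"Ref": "DBPassword"}
        elif rtype == "AWS::EC2::SecurityGroup":
            props["SecurityGroupIngress"] = [
                r for r in props.get("SecurityGroupIngress", [])
                if r.get("CidrIp") != "0.0.0.0/0"
                or (r["FromPort"] == r["ToPort"] and int(r["FromPort"]) in PUBLIC_OK_PORTS)]
        elif rtype == "AWS::AutoScaling::AutoScalingGroup":
            props["MinSize"] = str(max(int(props.get("MinSize", "0")), MIN_GROUP_SIZE))
    return fixed


def review(text):
    """Parse template text; return (findings before, findings after hardening)."""
    template = json.loads(text)
    return check_template(template), check_template(harden(template))


if __name__ == "__main__":
    before, after = review(TEMPLATE_JSON)
    for name, issue in before:
        print(f"{name}: {issue}")
    print(f"after hardening: {len(after)} finding(s)")
```

Run against the constructed template, the review reports one finding per resource; after hardening, the password becomes a reference to the masked parameter, the port 22 rule is dropped (administrative access would then go through a bastion or VPN rather than a world-open rule), and the group's minimum size is raised, leaving no findings. The same pattern extends to any property you want a policy on, such as requiring MultiAZ on the DBInstance.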
aGov Drupal HA Script
• Based on sample at:
  – https://s3-ap-southeast-2.amazonaws.com/cloudformation-templates-ap-southeast-2/Drupal_Multi_AZ.template
• Leveraged aGov Drupal 7 distribution:
  – http://agov.com.au/download
[Architecture diagram] User requests reach a Web Auto Scaling Group that spans Availability Zone #1 and Availability Zone #2, with a WebServer in each zone; static content (.jpg, .css, .js) is served from S3; site content is held in SiteContent with a SiteContentSlave copy in the other zone.
Useful Resources & Links
• Architecture Center: http://aws.amazon.com/architecture
• Security Center: http://aws.amazon.com/security
• Whitepapers: http://aws.amazon.com/whitepapers
• Resources: http://aws.amazon.com/resources
• Case Studies: http://aws.amazon.com/solutions/case-studies
• Solution Providers: http://aws.amazon.com/solutions/global-solution-providers/
• Calculator: http://calculator.s3.amazonaws.com/calc5.html
• TCO Calculator: http://aws.amazon.com/tco-calculator/
• AWS Blog: http://aws.typepad.com/
• The Power of 60: http://www.powerof60.com/