Difference between revisions of "AWS"

AWS Global Infrastructure

AWS Global infrastructure can be brooked down into three elements:

• Regions
• Availability zones
• Edge Locations

• AWS Regions:

An AWS Region is a geographical area. Each Region is made up of two or more Availability Zones.

AWS has 18 Regions worldwide.

You enable and control data replication across Regions.

Communication between Regions uses AWS backbone network connections infrastructure.

• AWS Availability Zones:

Each Availability Zone is:

Made up of one or more data centers.

Designed for fault isolation.

Interconnected with other Availability Zones using high-speed private links.

You choose your availability zones. AWS recommends replicating across Availability Zones for resiliency.

• AWS Edge Locations:

An Edge Location is where users access AWS services.

It is a global network of 114 points of presence (103 Edge Locations and 11 regional Edge Caches) in 56 cities across 24 countries.

Specifically used with Amazon CloudFront, a Global Content Delivery Network (CDN), to deliver content to end users with reduced latency.

Regional edge caches used for content with infrequent access.

• AWS Infrastructure Features:

• Elastic and Scalable:

Elastic infrastructure; dynamic adaption of capacity.

Scalable infrastructure; adapts to accommodate growth.

• Fault-tolerant:

Continues operating properly in the presence of a failure.

Built-in redundancy of components.

• High availability:

High level of operational performance

Minimized downtime

No human intervention

AWS Core Services

AWS Foundational/Core Services

https://www.slideshare.net/AmazonWebServices/aws-core-services-overview-immersion-day-huntsville-2019

AWS has a lot of services, but some of them, provides the foundation for all solutions; we refer to those as the Core Services.

Module 0 - AWS in Review

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M0SG?context_token=b32272e0-5a1f-0138-3176-6eaf1e728f01

Module 1 - Welcome to Academy Cloud Architecting

Module 2 - Designing Your Environment

Slides 4-18, 30-75,94-96

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M2SG?context_token=728fb310-5a1f-0138-5c79-62a35fcfb0e5

Module 3 - Designing for High Availability - Part 1

Slides 4-50, 56-69

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M3SG?context_token=49938f30-5a1e-0138-466b-46285ee08913

High availability is about ensuring that your application's downtime is minimized as mucho as posssible.

Availability refers to the amount of time your system is in a functioning condition. In general terms, your availability is referred to as 100% minus your system's downtime.

Module 4 - Designing for High Availability - Part 2

Slides 4-45, 49-68

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M4SG?context_token=df6c04a0-5a1e-0138-3176-6eaf1e728f01

Module 5 - Automating Your Infrastructure

Slides: 4-21

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M5SG?context_token=ef667a70-5a1e-0138-d9f2-7210a2c4c62a

Module 6 - Decoupling Your Infrastructure

Slides 4-27, 28-34, 38-43

Slides 4-27, 35-43, 47-52

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M6SG?context_token=059b22a0-5a1f-0138-0cca-0e37da064d4d

Module 7 - Designing Web Scale Media

Slides: 4-14,20-41,51-63

• VitalSource link: https://aws-academy-cctcollegedublin.vstbridge.com/#/reader/200-ACACAD-11-EN-M7SG?context_token=3291a610-5a1f-0138-d9f2-7210a2c4c62a

Web-based applications must be available, and they shouldn't take long to load. If your applications are unavailable, it could lead to revenue loss. It could also affect customer loyalty and brand image.

Let’s take a moment to review Amazon.com and consider where we might deliver content:

• In the address bar, you can note that the application is transported over https://, or port 443. This tells you that Amazon.com uses Secure Sockets Layer or SSL.

• You can then note that the application content is dynamic because it's personalized for Chris, which tells you that it has zero time to live or TTL.

Time To Live (TTL) serves to tell the recursive server or local resolver how long it should keep the record in its cache. The longer the TTL, the longer the resolver holds that information in its cache. The shorter the TTL, the shorter amount of time the resolver holds that information in its cache.

• You can also search for items by entering user input. The static images can be cached and stored in Amazon S3.

• With the caching and acceleration technology of Amazon CloudFront, we can deliver all of your content, including static images, videos, and content based on user input.

• How should web-accessible content be stored? Let’s discuss how to store content in Amazon S3.

Part 1 - Storing Web-Accessible Content with Amazon S3

Static assets-content that isn't going change, such as text, images, and video content can be stored in Amazon S3.

Problems: Let’s consider a pattern where an Amazon EC2 instance is being used to serve static images and videos, which is not a proper use for that Amazon EC2 instance. Some of the problems are:

• Delivery of large files from a web server can become a problem in terms of network latency.

• User-generated content needs to be distributed across all your web servers.

Solution: You can store static asset files (images, videos, CSS) in an Amazon S3 bucket, and serve the files from there.

• You know that Amazon S3 will be durable and that it will serve content quickly.

Amazon S3 performed backups in at least three different data centers for extremely high durability.

Data that is stored in an Amazon S3 bucket is replicated across multiple data centers in a geographical region.

• When you use Amazon S3 to store static content, you don’t need to worry about scaling out an Amazon EC2 instance to serve videos and images.

• The use of Amazon S3 eliminates the need to worry about network loads and data capacity on your web servers.

• Objects that are stored in Amazon S3 can be accessed directly by users if it is enabled for public web hosting

• You can also use Amazon CloudFront, which is a content delivery network (CDN) that can be used as a global caching layer in front of Amazon S3 to accelerate content to your end-users.

Choosing a Region for Amazon S3

It is important to carefully select the AWS Region where you store an object because response latencies grow when requests have to travel long distances over the internet.

So, when choosing a region for Amazon S3 you must consider:

• Geographical proximity to your users.
• You should also collocate it with your Amazon EC2 instances, and with other AWS services that upload and download bucket objects.

• Collocating all of your relevant AWS services and Amazon S3 buckets in the same Region can help reduce costs and latencies.

Part 2 - Caching with Amazon CloudFront

Caching is the process of temporarily storing data or files in an intermediary location between the requester and the permanent storage. The purpose of caching is to make responding to future requests faster and reduce network throughput.

It is an architectural best practice is to implement caching at multiple layers of an architecture to reduce cost and latency, and to increase the performance of applications. It is more cost-effective to distribute files from CloudFront than from an Amazon S3 bucket.

CloudFront is a content delivery network (CDN) that delivers/distribute cached content (static and dynamic web content such as HTML files, CSS files, JavaScript files, and image files) through a worldwide network of data centers that are called edge locations.

Using CloudFront you can ensure that your content is close to users around the world. This geographic proximity means lower latency when you serve content to users. This makes it more cost-effective and faster for better user experience, as well as putting less stress on your core infrastructure.

CloudFront is particularly important when your application will deliver heavy static content (videos, images) to users around the world.

For instance, in the anti-pattern that is shown on the slide, your Amazon S3 bucket does not use a caching service. Three users request a file from one of your Amazon S3 buckets, one at a time. The file is delivered to each user in the same way. The result is that each request takes the same amount of time to complete. This process also incurs costs for the three separate times that the file is delivered for each request.

Let’s compare the process in the anti-pattern with a better pattern. In the best practice pattern, your infrastructure places Amazon CloudFront, which offers caching, in front of Amazon S3. In this scenario, the first request checks for the file in CloudFront. If the request does not find the file in CloudFront, it pulls the file from Amazon S3, and stores a copy of the file in CloudFront at the edge location that is closest to the user. The request then sends a copy of the file to the user who made the request. Now, when any other users request that file, it's retrieved from the closer edge location in CloudFront. The request does not have to go to Amazon S3 to get the file.

This slide shows another way to use Amazon CloudFront. In general, you only cache static content. However, dynamic or unique content affects the performance of your application. Depending on the demand, you might still get some performance gain by caching the dynamic or unique content in Amazon S3.

For example, if there’s something that needs to be personalized, the time to live is zero. A time to live of zero tells CloudFront that each and every time it sees the dynamic content, it needs to go back to its origin because it will change a lot.

At the same time, the time to live can be set to 5 minutes or 24 hours, depending on how long the content is good for. CloudFront can pull content from Amazon S3 so that it can save the load back to an on-premises data center. When you save a load, you can have smaller instances and save money, and resources can perform more efficiently.

A cloud architecture for web hosting

This architecture diagram shows how you can use CloudFront in front of your hosting architecture to decrease the number of times CloudFront must redirect requests to the load balancer, and pull content.

Let’s take a look:

• We have our Elastic Load Balancing load balancers in place with CloudFront.

• End users are directed to CloudFront via Amazon Route 53.

• The load balancers pull content and data from the Amazon S3 bucket, Amazon RDS, or Amazon ElastiCache. This can serve as a read replica if the content is cached there.

How to enable CloudFront

• First, you specify origin servers, like an Amazon S3 bucket or your own HTTP server. CloudFront gets your files from the origin servers, and the files will then be distributed from CloudFront edge locations all over the world.

• Second, you upload your files to your origin servers. Your files, which are also known as objects, typically include webpages, images, and media files.

• Third, you create a CloudFront distribution, which tells CloudFront which origin servers to get your files from when users request the files through your website or application. At the same time, you specify details, such as whether you want CloudFront to log all requests, and whether you want the distribution to be enabled as soon as it's created.

• Fourth, CloudFront assigns a domain name to your new distribution. You can see the domain name in the CloudFront console. The domain name can also be returned in the response to a programmatic request, like a request from an application programming interface, or API.

• Fifth, CloudFront sends your distribution's configuration (but not your content) to all of its edge locations.

Part 3 - Managing NoSQL databases

We'll learn about the features of managing NoSQL databases, or DBs.

Part 4 - Storing relational data in Amazon RDS

https://aws.amazon.com/rds/?nc1=h_ls

Amazon RDS is a good option for developers because it allows developers to focus on innovation, such as query construction and optimization.

Using Amazon RDS lets you offload the following operational burdens responsibilities:

• Migration
• Backup and recovery
• Patches
• Software upgrades
• Storage upgrades
• Frequent server upgrades
• And hardware crashe

What about security for Amazon RDS?:

• You can control an Amazon RDS database instance by enabling security for Amazon RDS.

• If you enable security, the backups or snapshots of your data that you create will automatically be encrypted.

• Encrypted instances are currently available for all database engines that are supported in Amazon RDS.

• Use AWS Identity and Access Management (IAM) to control which Amazon RDS operations each individual user can call.

• You can encrypt connections between your application and your DB instance by using SSL/TLS.

• Transparent Data Encryption (TDE) is supported for SQL Server and Oracle.

• You can receive notifications of important events that occur on your Amazon RDS instance.

Amazon RDS database engines

• Amazon Aurora

https://aws.amazon.com/rds/aurora/

• Amazon RDS for PostgreSQL

https://aws.amazon.com/rds/postgresql/

• Amazon RDS for MySQL

https://aws.amazon.com/rds/mysql/

• Amazon RDS for MariaDB

https://aws.amazon.com/rds/mariadb/

• Amazon RDS for Oracle

https://aws.amazon.com/rds/oracle/

• Amazon RDS for Microsoft SQL Server

https://aws.amazon.com/rds/sqlserver/

Amazon Aurora

https://aws.amazon.com/rds/aurora/?nc1=h_ls

Amazon Aurora is a relational database that is delivered by using service-oriented architectures.

• It is similar to how Amazon DynamoDB is a managed version of an Amazon EC2-hosted NoSQL engine.

• It is scalable and highly available, and it uses Amazon S3.

• It has drop-in compatibility with MySQL v5.6.

• Existing applications "just work."

• Amazon RDS customers that use MySQL can select options for migration.

• Amazon EC2 or on-premises MySQL users can import their data file.

• And it is compatible with PostgreSQL.

Module 7 - Designing Web Scale Media - Assessment

Module 14 - Troubleshooting

Slides 4-14

Module 15 - Design Patterns and Sample Architectures

Slides 4-11

Key Services for Security

Exercise - How to improve an architecture

• GoGreen purchased a small company that was running a hybrid cloud architecture.
• As their cloud expert, you were asked to review their design and determine how to improve the application in accordance with the Well-Architected Framework.
• Next, you will review a sample diagram and ask questions to identify where improvements can be made to the security of the system.
• You should consider the recommended security enhancements that you would make in accordance with the Security pillar of the Well-Architected Framework.

Take some time to review this sample diagram and ask questions that will help you identify where improvements can be made to the security of the system.

A few items to consider regarding security include:

• Moving to a private subnet.
• Implementing AWS Direct Connect instead of using internet routing.
• Verify the principles of least privilege on users.
• Ensure separation of duties through IAM.
• Ensure that Amazon CloudWatch has monitors for utilization, abnormal traffic, and AWS CloudTrail Logs.
• Enable AWS CloudTrail.
• Verify access control list policies and bucket policies for Amazon S3.
• Verify Amazon S3-SSE usage.
• Ensure users do not have delete privileges for Amazon Glacier.
• Consider using security groups for the web and Amazon RDS.
• And ensure that SSH requests come from only the administrator IP address.

Original design

Improved design

Some security pillar questions

• How are you encrypting and protecting your data at rest?

• Use AWS service-specific controls, such as:

• Amazon S3 SSE
• Amazon EBS Encrypted Volumes
• Amazon RDS Transparent Data Encryption (TDE)

• Use client-side techniques, such as:

• SDK-supported
• OS-supported
• Windows BitLocker
• dm-crypt

• Use solution from the AWS Marketplace or APN Partner

• How are you encrypting and protecting your data in transit?

• SSL/TLS enabled AWS APIs
• SSL/TLS or equivalent is used for communication
• VPN based solution
• Private connectivity (AWS Direct Connect).
• AWS Marketplace solution

• How are you protecting access to and use of the AWS root account credentials?

• Only use AWS root account credentials for minimal required activities
• Associate an MFA hardware device with the AWS root account.
• Use an AWS Marketplace solution

• How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?

• IAM users and groups
• SAML integration
• Web Identity Federation
• AWS Security Token Service (STS)
• IAM roles for cross-account access
• AWS Marketplace solution
• Define and enforce employees life-cycle policies
• Clearly define users, groups, and roles
• Grants only the minimum privileges needed to accomplish business requirements.

• How are you managing keys and credentials?

• Anti-pattern

• Hard-code secret keys and credentials into scripts and source code

• Best practices:

• Use:

• An appropriate key and credential rotation policy
• AWS CloudHSM
• AWS server-side techniques with AWS managed keys
• AWS Marketplace solutions

• How are you limiting automated access to AWS resources (e.g. applications, scripts, and third-party tools or services)?

• Anti-pattern:

• Hard-code the credential into scripts and source code

• Best practices:

• IAM roles for Amazon EC2
• IAM user credential
• SAML Integration
• AWS Security Token Services (STS)
• OS-specific controls for EC2 instances
• AWS Marketplace solutions

• How are you enforcing network and host-level boundary protection?

• Enforce role-based access using security groups with minimal authorizations
• Run the system in one or more VMCs
• Trusted VPC access via a private mechanism, such as:

• Virtual private network (VMN)
• IPsec tunnel
• AWS Direct Connect
• AWS Marketplace solution

• Define and enforce employee lif-cycle policies
• Clearly define users, groups, and roles
• Grants only the minimum privileges needed to accomplish business requirements,

• How are you enforcing AWS service level protection?

• Configure credential with least privilege.
• Have separation of duties
• Audit permissions periodically
• Define and use service-specific requirements.
• Define resources requirements for sensitive API calls, such as requiring:

• MFA authentication
• Encryption

• Use an AWS Marketplace solution

• How are you protecting the integrity of the operating system on your Amazon EC2 instances?

• Use controls for Amazon EC2 instances:

• File integrity
• Host-based intrusion detection

• Use a solution from:

• The AWS Marketplace
• An APN partner

• Use custom Amazon Machine Images (AMIs) or configurations management tools (i.e., Puppet or Chef) that are secured by default.

• Hoa are you capturing and analyzing AWS logs?

• Capture logs using:

• AWS CloudTril
• Amazon CloudWatch logs
• Elastic Load Balancing (ELB) logs
• Amazon Virtual Private Cloud (VPC) flow logs
• Amazon S3 bucket logs
• Other AWS service-specific log sources
• Operating system or third-party application logs
• Solutions from the AWS Marketplace

Additional resources

• Documentation

https://aws.amazon.com/security/

https://aws.amazon.com/compliance/

https://aws.amazon.com/blogs/security/

• Whitepapers

https://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

• Videos

https://www.youtube.com/watch?feature=player_embedded&v=OEK7mHn4JLs

https://www.youtube.com/watch?list=PLhr1KZpdzukeYKFGZtFZehwnR5rzeICoo&v=U632-ND7dKQ&feature=player_detailpage

Making your infrastructure more reliable - Disaster recovery on AWS

Cloud_Computing#Disaster Recovery

Example architectural patterns for Disaster Recovery on AWS:

• Backup and Restore
• Pilot Light
• Fully working Low-Capacity Standby
• Multi-Site Active-Active

Reliability pillar questions

• How are you managing AWS service limits for your account?:

• Monitor and manage limits by evaluating your potential usage on AWS, increase your regional limits appropriately, and allow planned growth in usage.
• Set up automated monitoring by implementing tools such as SDKs to alert you when thresholds are being approached
• Be aware of fixed service limits that are unchangeable and architect around those

• How are you planning your network topology on AWS?:

• Use highly available connectivity to AWS with

• Multiple AWS Direct connect circuits
• Multiple VPN tunnels
• AWS Marketplace appliances

• Size your IP subnet allocation to be large enough to accommodate future expansion

• Use highly available connectivity to the system with:

• Highly available load balancing and/or proxy
• DNS-based solutions
• AWS Marketplace appliances

• Use non-overlapping private IP ranges between all of your environments in and out of the cloud.

• Do you have an escalation path to deal with technical issues?:

• Plan ahead with an ongoing engagement or relationship with AWS support or an APN partner
• Use AWS Support APIs by integrating them with your internal monitoring and ticketing systems.

• How woes your system adapt to changes in demand?:

• Use automated scaling features from services such as:

• Amazon S3
• Amazon CloudFront
• Auto Scaling
• Amazon DynamoDB
• AWS Elastic Beanstalk

• Adopt a load testing methodology to measure if the scaling activity will meet your application requirements

• How are you monitoring AWS resources?:

• Monitor your application switch:

• Amazon CloudWatch
• Third-party tools

• Configure notifications for when significant events occur.

• Use automation to take action when failure is detected

• Perform frequent reviews of the system based on significant events to evaluate the architecture

• How are you executing change management? :

• Perform automated change management for deployments and patching

• How are you backing up your data?:

• Back up data that is important with a required RPO using:

• Amazon S3
• Amazon EBS snapshots
• Third-party software

• Secure and/or encrypt backups

• Automate backups using:

• AWS features
• AWS Marketplace solutions
• Third-party software

• Validate that the backup process implementation meets RTO and RPO through periodic recovery testing.

• How are you planning for recovery?:

• Define RTO and RPO objectives
• Establish a disaster recovery strategy
• Avoid configuration drift by ensuring that AMIs are up-to-date at the DR site or region.
• Request an increase of service limits with the DR site to accommodate failover.
• Regularly test and validate disaster recovery scenarios to ensure RTO and RPO are met.
• Automate system recovery using AWS and/or third-party tools.

Infrastructure efficiency impovements

Storage Comparation:

Database Comparation:

Amazon ElastiCache: is a web service that simplifies deploying, operating, and scaling an in-memory cache in the clod.

• Improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.

• Simplifies and offloads the management, monitoring, and operation of in-memory cache environments.

• Support Memcached and Redis open-source in-memory caching engines.

Amazon Kinesis Streams: enables you to build custom applications that process or analyze streaming data. You can continuously capture and store terabytes of data per hour from hundreds of thousands of sources.

Performance efficiency exercise

Your small business website has been experiencing intermittent page load issues where users report significant load times. Consider performance efficiency enhancement in accordance with the well-architected performance efficiency pillar.

• Is your NAT (t2.micro) the bottleneck? consider a bigger EC2 instance or use a managed NAT

• Should you consider Elastic Load Balancing and Auto Scaling groups?

• By offloading static content to S3, can you relieve the processing burden from the EC2 instances?

• Are your computer resources the right combination of CPU and memory?

• Is the page load issue due to throughput or database latency? Should you consider provisioned IOPS for your RDS instance to get consistent performance? Should you consider offloading some of the databases reads to a dedicated read-replica?

• What's the geographic location and latency form the region to the user? Have you considered using a content distribution network, like CloudFront, to bring the content closer to your users?

Performance questions

• How do you select the appropriate instance type, storage solution, database solution, and proximity and caching solution for your system?:

• Select solutions based on:

• Predicted resource needs
• Required internal governance standards
• Cost or budget
• Benchmarking results
• Load testing results
• Guidance from AWS or form a member of the AWS partner network (APN)

• How do you ensure that you continue to have the most appropriate instance types, storage solution, database solutions, and proximity and coaching solution as new services and features are launched?:

• Review cyclically, and reselect new services and features based on predicted resource needs.

• Benchmark and load test after each new service or feature is released, and use that information to make the best selection based on a calculation of performance/cost.

• How do yo monitor your instances, storage solutions, databases, and proximity and caching solutions to ensure they are performing as expected?:

• Monitor instance with

• Amazon CloudWatch
• Third-party tools

• Perform a periodic review of your monitoring dashboards.

• Use alarm-based notification to automatically alert you if metrics are out of safe bounds (CloudWatch).

• Use trigger-based actions to cause automated actions to remediate or escalate issues.

• How do you ensure that the capacity and throughput of your instances, storage solutions, databases and proximity and caching solution match demand?:

• React based on manually reviewing metrics
• Plan future capacity and throughput based on metrics and/or planned events.
• Automate against metrics.
• Perform a periodic review of cache usage and demand over time.
• Monitor usage and demand over time
• Use the following for automatic management:

• Scripting and tools
• Auto Scaling

Task 1 - Inspect Your environment

This lab begins with an environment already deployed via AWS CloudFormation including:

• An Amazon VPC
• A public subnet and a private subnet in one Availability Zone
• An Internet Gateway associated with the public subnet
• A NAT Gateway in the public subnet
• An Amazon EC2 instance in the public subnet

Task 2 - Login to your Amazon EC2 instance

• En este lab se descargó el archivo «labsuser.pem» de una forma particular debido a que el la genera la VPC and Instances de forma automática. Sabemos que este archivo «labsuser.pem» se optiene cuando se crea la Instance, podemos descargarlo y contiene la ssh key que permite autenticar la conexión entre nuestra computadora y la instance.

• Change the permissions on the key to be read only, by running this command:

chmod 400 labsuser.pem

• Luego para conectarnos desde el terminal:

ssh -i labsuser.pem ec2-user@<public-ip>

Task 3 - Install and Launch Your Web Server PHP Application

sudo yum -y update

This command installs an Apache web server (httpd) and the PHP language interpreter:

sudo yum -y install httpd php

This configures the Apache web server to automatically start when the instance starts:

sudo chkconfig httpd on

This downloads a zip file containing the PHP web application:

wget https://aws-tc-largeobjects.s3-us-west-2.amazonaws.com/CUR-TF-200-ACACAD/studentdownload/phpapp.zip

sudo unzip phpapp.zip -d /var/www/html/

This starts the Apache web server:

sudo service httpd start

Open a new web browser tab, paste the Public IP address for your instance in the address bar and hit Enter. The web application should appear and will display information about your location (actually, the location of your Amazon EC2 instance). This information is obtained from freegeoip.app.

Task 4 - Create an Amazon Machine Image - AMI

Now that your web application is configured on your instance, you will create an Amazon Machine Image (AMI) of it. An AMI is a copy of the disk volumes attached to an Amazon EC2 instance. When a new instance is launched from an AMI, the disk volumes will contain exactly the same data as the original instance.

This is an excellent way to clone instances to run an application on multiple instances, even across multiple Availability Zones.

In this task, you will create an AMI from your Amazon EC2 instance. You will later use this image to launch additional, fully-configured instances to provide a Highly Available solution.

• Return to the web browser tab showing the EC2 Management Console.

• Ensure that your Configuration Server is selected, and click Actions > Image > Create Image.

You will see that a Root Volume is currently associated with the instance. This volume will be copied into the AMI.

• For Image name, type: Web application

• Leave other values at their default settings and click Create Image.

• Click Close.

The AMI will be created in the background and you will use it in a later step. There is no need to wait while it is being created.

Task 5 - Configure a Second Availability Zone

To build a highly available application, it is a best practice to launch resources in multiple Availability Zones. Availability Zones are physically separate data centers (or groups of data centers) within the same Region. Running your applications across multiple Availability Zones will provide greater availability in case of failure within a data center.

In this task, you will duplicate your network environment into a second Availability Zone. You will create:

• A second public subnet
• A second private subnet
• A second NAT Gateway
• A second private Route Table

Task 6 - Create an Application Load Balancer

In this task, you will create an Application Load Balancer that distributes requests across multiple Amazon EC2 instances. This is a critical component of a Highly Available architecture because the Load Balancer performs health checks on instances and only sends requests to healthy instances.

You do not have any instances yet -- they will be created by the Auto Scaling group in the next task.

• On the Services menu, click EC2.

• In the left navigation pane, click Load Balancers (you might need to scroll down to find it).

• Click Create Load Balancer.

Several types of Load Balancers are displayed. Read the descriptions of each type to understand their capabilities.

• Under Application Load Balancer, click Create.

• For Name, type: LB1

• Scroll down to the Availability Zones section.

• For VPC, select Lab VPC.

You will now specify which subnets the Load Balancer should use. It will be an Internet-facing load balancer, so you will select both Public Subnets.

• Click the first displayed Availability Zone, then click the Public Subnet displayed underneath.

• Click the second displayed Availability Zone, then click the Public Subnet displayed underneath.

You should now have two subnets selected: Public Subnet 1 and Public Subnet 2. (If not, go back and try the configuration again.)

• Click Next: Configure Security Settings.

A warning is displayed, which recommends using HTTPS for improved security. This is good advice, but is not necessary for this lab.

• Click Next: Configure Security Groups.

• Select the Security Group with a Description of Security group for the web servers (and deselect any other security group).

Note: This Security Group permits only HTTP incoming traffic, so it can be used on both the Load Balancer and the web servers.

• Click Next: Configure Routing.

Target Groups define where to send traffic that comes into the Load Balancer. The Application Load Balancer can send traffic to multiple Target Groups based upon the URL of the incoming request. Your web application will use only one Target Group.

• For Name, type: Group1

• Click Advanced health check settings to expand it.

The Application Load Balancer automatically performs Health Checks on all instances to ensure that they are healthy and are responding to requests. The default settings are recommended, but you will make them slightly faster for use in this lab.

• For Healthy threshold, type: 2

• For Interval, type: 10

This means that the Health Check will be performed every 10 seconds and if the instance responds correctly twice in a row, it will be considered healthy.

• Click Next: Register Targets.

Targets are instances that will respond to requests from the Load Balancer. You do not have any web application instances yet, so you can skip this step.

• Click Next: Review.

• Review the settings and click Create.

• Click Close.

You can now create an Auto Scaling group to launch your Amazon EC2 instances.

Task 7 - Create an Auto Scaling Group

Auto Scaling is a service designed to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks. It also automatically distributes instances across multiple Availability Zones to make applications Highly Available.

In this task, you will create an Auto Scaling group that deploys Amazon EC2 instances across your Private Subnets. This is best practice security for deploying applications because instances in a private subnet cannot be accessed from the Internet. Instead, users will send requests to the Load Balancer, which will forward the requests to Amazon EC2 instances in the private subnets.

• In the left navigation pane, click Auto Scaling Groups (you might need to scroll down to find it).

• Click Create Auto Scaling group.

• Click Get started.

A Launch Configuration defines what type of instances should be launched by Auto Scaling. The interface looks similar to launching an Amazon EC2 instance, but rather than launching an instance it stores the configuration for later use.

You will configure the Launch Configuration to use the AMI that you created earlier. It contains a copy of the software that you installed on the Configuration Server.

• In the left navigation pane, click My AMIs.

• In the row for Web application, click Select.

• Accept the default (t2.micro) instance type and click Next: Configure details .

• For Name, type: Web-Configuration

• Click Next: Add Storage.

You do not require additional storage on this instance, so keep the default settings.

• Click Next: Configure Security Group.

• Click Select an existing security group.

• Select the Security Group with a Description of Security group for the web servers.

• Click Review.

You may receive a warning that you will not be able to connect to the instance via SSH. This is acceptable because the server configuration is already defined on the AMI and there is no need to login to the instance.

• Click Continue to dismiss the warning.

• Review the settings, then click Create launch configuration.

• When prompted, accept the vockey keypair, select the acknowledgement check box, then click Create launch configuration.

You will now be prompted to create the Auto Scaling group. This includes defining the number of instances and where they should be launched.

• In the Create Auto Scaling Group page, configure the following settings:

• Group Name: Web application
• Group Size: Start with 2 instances
• Network: Lab VPC
• Subnet: Click in the box and select both Private Subnet 1 and Private Subnet 2

Auto Scaling will automatically distribute the instances amongst the selected Subnets, with each Subnet in a different Availability Zone. This is excellent for maintaining High Availability because the application will survive the failure of an Availability Zone.

• Click the Advanced Details heading to expand it.

• Select (tick) the Load Balancing checkbox.

• Click in Target Groups, then select Group1.

• Click Next: Configure scaling policies.

• Ensure Keep this group at its initial size is selected.

This configuration tells Auto Scaling to always maintain two instances in the Auto Scaling group. This is ideal for a Highly Available application because the application will continue to operate even if one instance fails. In such an event, Auto Scaling will automatically launch a replacement instance.

• Click Next: Configure Notifications.

You will not be configuring any notifications.

• Click Next: Configure Tags.

Tags placed on the Auto Scaling group can also automatically propagate to the instances launched by Auto Scaling.

• For Key, type: Name

• For Value, type: Web application

• Click Review.

• Review the settings, then click Create Auto Scaling group.

• Click Close.

Your Auto Scaling group will initially show zero instances. This should soon update to two instances. (Click the refresh icon in the top-right to update the display.)

Your application will soon be running across two Availability Zones and Auto Scaling will maintain that configuration even if an instance or Availability Zone fails.

Task 8 - Test the Application

In this task, you will confirm that your web application is running and you will test that it is highly available.

• In the left navigation pane, select Target Groups.

• Click the Targets tab in the lower half of the window.

You should see two Registered instances. The Status column shows the results of the Load Balancer Health Check that is performed against the instances.

• Occasionally click the refresh icon in the top-right until the Status for both instances appears as healthy.

If the status does not eventually change to healthy, ask your instructor for assistance in diagnosing the configuration. Hovering over the icon in the Status column will provide more information about the status.

You will be testing the application by connecting to the Load Balancer, which will then send your request to one of the Amazon EC2 instances. You will need to retrieve the DNS Name of the Load Balancer.

• In the left navigation pane, click Load Balancers.

• In the Description tab in the lower half of the window, copy the DNS Name to your clipboard, but do not copy "(A Record)". It should be similar to: LB1-xxxx.elb.amazonaws.com

• Open a new web browser tab, paste the DNS Name from your clipboard and hit Enter.

The Load Balancer forwarded your request to one of the Amazon EC2 instances. The Instance ID and Availability Zone are shown at the bottom of the web application.

• Reload the page in your web browser. You should notice that the Instance ID and Availability Zone sometimes changes between the two instances.

The flow of information when displaying this web application is:

• You sent the request to the Load Balancer, which resides in the public subnets that are connected to the Internet.
• The Load Balancer chose one of the Amazon EC2 instances that reside in the private subnets and forwarded the request to it.
• The Amazon EC2 instance requested geographic information from freegeoip.app. This request went out to the Internet through the NAT Gateway in the same Availability Zone as the instance.
• The Amazon EC2 instance then returned the web page to the Load Balancer, which returned it to your web browser.

Task 9 - Test High Availability

Your application has been configured to be Highly Available. This can be proven by stopping one of the Amazon EC2 instances.

• Return to the EC2 Management Console tab in your web browser (but do not close the web application tab - you will return to it soon).

• In the left navigation pane, click Instances.

First, you do not require the Configuration Server any longer, so it can be terminated.

• Select the Configuration Server.

• Click Actions > Instance State > Terminate, then click Yes, Terminate.

Next, stop one of the Web application instances to simulate a failure.

• Select one of the instances named Web application (it does not matter which one you select).

• Click Actions > Instance State > Stop, then click Yes, Stop.

In a short time, the Load Balancer will notice that the instance is not responding and will automatically route all requests to the remaining instance.

• Return to the Web application tab in your web browser and reload the page several times.

You should notice that the Availability Zone shown at the bottom of the page stays the same. Even though an instance has failed, your application remains available.

After a few minutes, Auto Scaling will also notice the instance failure. It has been configured to keep two instances running, so Auto Scaling will automatically launch a replacement instance.

• Return to the EC2 Management Console tab in your web browser. Click the refresh icon in the top-right occasionally until a new Amazon EC2 instance appears.

After a few minutes, the Health Check for the new instance should become healthy and the Load Balancer will continue sending traffic between two Availability Zones. You can reload your Web application tab to see this happening.

This demonstrates that your application is now Highly Available.

Task 1 - Store a Publicly Accessible Image File in an Amazon S3 Bucket

In this task, you will store the file that you wish to distribute using Amazon CloudFront in a publicly accessible location. You will store the image file in a publically accessible Amazon S3 bucket.

• In the AWS Management Console, on the Services menu, click S3.

• In the Amazon S3 console, click «Create bucket» then configure:

• Bucket name: cfBUCKET
• Replace BUCKET with a random number
• Click Create

Note: If you receive an error saying that your bucket name is not available, try a different bucket name. For your bucket to work with CloudFront, the name must conform to DNS naming requirements. For more information, go to Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

• Click on the S3 bucket you created and then click the Permissions tab.

• With «Block public access» selected, click «Edit» and Uncheck the «Block all public access». All five boxes should now be unchecked. Click «Save».

• In the Edit public access settings for this bucket dialog box, type confirm and click Confirm to update the settings.

• Click Overview tab.

• Click «Upload»

• Click «Add files»

• Select a file that you would like to upload.

• Click Next then configure:

• Under Manage public permissions, select Grant public read access to this object(s)

• Click Upload

• Copy the name of your file to your text editor for later use. e.g. The name of your file could be myimage.png

• Click the file that you uploaded.

• Under S3 Object URL, copy the link to your clipboard.

• Paste the link in a new browser tab, then press Enter.

This will display your image. It also proves that your content is publicly accessible. However, this is not the URL you will use when you are ready to distribute your content.

Task 2 - Create an Amazon CloudFront Web Distribution

In this task, you will create an Amazon CloudFront web distribution that distributes the file stored in the publicly accessible Amazon S3 bucket.

• In the AWS Management Console, on the Services menu, click CloudFront.

• Click Create Distribution

• On the Select a delivery method for your content page, in the Web section, click «Get Started» then configure:

• Origin Domain Name: Select the S3 bucket you created
• Scroll to the bottom of the page, then click «Create Distribution»

The Status column shows In Progress for your distribution. After Amazon CloudFront has created your distribution, the value of the Status column for your distribution will change to Deployed. At this point, it will be ready to process requests. This should take around 15-20 minutes. The domain name that Amazon CloudFront assigns to your distribution appears in the list of distributions. It will look similar to dm2afjy05tegj.cloudfront.net

Amazon CloudFront now knows where your Amazon S3 origin server is, and you know the domain name associated with the distribution. You can create a link to your Amazon S3 bucket content with that domain name, and have Amazon CloudFront serve it.

Task 3 - Create a Link to Your Object

• Copy the following HTML into a new text file:

<html>
<head>My CloudFront Test</head>
<body>
<p>My text content goes here.</p>
<p><img src="http://DOMAIN/OBJECT" alt="my test image" /></p>
</body>
</html>

• In your text file:

• Replace DOMAIN with your Amazon CloudFront Domain Name for your distribution. You should see this on the CloudFront Distributions page.

• Replace OBJECT with the name of the file that you uploaded to your Amazon S3 bucket

• Save the text file to your computer as myimage.html

• Open the web page you just created in a browser to ensure that you can see your content.

The browser returns your page with the embedded image file, served from the edge location that Amazon CloudFront determined was appropriate to serve the object.

Task 4 - Delete Your Amazon CloudFront Distribution

Task 5 - Delete Your Amazon S3 Bucket

Task 1 - Inspect Your Environment

Resources have already been deployed for you in two regions. You will start by inspecting the resources in your Primary region.

• the AWS Management Console, on the Services menu, click EC2.

• In the navigation pane, click Instances.

• Click on the instance named Web-Application-1.

• Copy the IPv4 Public IP (shown in the bottom-right) and paste it into a text document for future reference.

This is the IP address of your Primary web server. You will configure your domain to point to this instance by default.

• Make a note of your Region, displayed in the top-right corner of the screen. This is the Region of your Primary web server.

Next, you will look at your resources in your Secondary region:

• If your primary region is US East (N. Virginia) then your Secondary region will be US West (Oregon)

• If your primary region is any other then your Secondary region will be US East (N. Virginia)

• Select your Secondary Region from the Region pull-down menu in the top-right of the screen.

• Click on the instance named Web-Application-2.

• Copy the IPv4 Public IP (shown in the bottom-right) and paste it into a text document for future reference.

This is the IP address of your Secondary web server. You will configure your domain to point to this instance if the Primary web server fails.

Task 2 - Configure a Health Check

this task, you will create a Health Check that will test the health of your Primary web server. AWS has health checkers located in multiple locations around the world that can test whether your website is accessible.

• On the Services menu, click Route 53.

If you see any error messages, you can safely ignore them. They will not impact your lab.

• In the navigation pane, click Health checks.

• Click Create health check.

• Click Create health check.

• In the Configure health check page, configure the following settings (and ignore any settings that aren't listed):

Name: check-1

IP address: Enter the IP address of the Primary web server that you copied earlier (the first one you copied)

• Expand Advanced configuration and then configure the following settings (and ignore any settings that aren't listed):

Request interval: fast (10 seconds)

Failure threshold: 2

• Click Next.

• Click Create health check.

The health check will now start monitoring your primary web server.

Task 3 - Configure your Domain in Route 53

In this task, you will configure your domain to point to your primary and secondary web servers.

• In the navigation pane, click Hosted zones.

A random domain name has been created for you. It has a name similar to: XXXXXX_XXXXXXXXXX.training

• Click the name of your domain.

• Click Create Record Set.

You will now create a DNS A-record to point to your Primary web server. An A-record resolves a domain name by returning an IP address. You will also associate this Record Set with the Health Check you created earlier so that traffic will only be sent to your Primary web server if the Health Check indicates that the server is healthy.

• In Create Record Set, configure the following settings (and ignore any settings that aren't listed):

Name: www

Type: A-IPv4 address

TTL (Seconds) 60

Value: Enter the IP address of the Prrimary web server that you copied earlier (the same one you used in the Helth Check)

Routing policy: Failover

Failover Record type: Primary

Associate with Helth check: Yes

Health check to associate: check-1

• Click Create.

An A-record should be listed. If the newly created record does not immediately appear in the table, periodically click the refresh icon to update the table until it appears.

You will now create another A-record to point to the Secondary web server. It will be used as the failover server if the Primary web server fails its Health Check.

• Click Create Record Set again.

• In Create Record Set, configure the following settings (and ignore any settings that aren't listed):

Name: www

Type: A-IPv4 address

TTL (Seconds): 60

Value: Enter the IP address of the Secondary web server that you copied earlier (this is different from the value you just used)

Routing policy: Failover

Failover Record Type: Secondary

Associate with Health Check: No

• Click Create.

You are not associating this record with a Health Check because there is no third site available.

You can now check the status of your Health Check.

• In the navigation pane, click Health checks.

• Select check-1.

• Click the Health checkers tab at the bottom of the page.

The health check is performed independently from multiple locations around the world, with each location requesting the page every 10 seconds.

• Confirm that check-1 has a status of Healthy. If it is not showing as Healthy after a few minutes, ask your instructor for assistance in debugging the configuration.

You have now configured your web application to failover across two regions.

Task 4 - Check the DNS Resolution

In this task, you will query DNS (Domain Name Service) to verify that Amazon Route 53 is correctly sending traffic to your Primary web server.

• In the navigation pane, click Hosted zones.

• Click the name of your domain (starting with vocareum).

Cl* ick Test Record Set.

If the Test Record Set button is not visible, try making your window wider so that it appears.

• In Check response from Route 53, configure the following settings (and ignore any settings that aren't listed):

Record name: www

Type: A

• Clic Get response

The DNS response will be tested, with the results appearing on the right side of the window.

• Look at the Response returned by Route 53 value. Confirm that it is the same IP address as your Primary web server.

If correct IP address is not displayed, ask your instructor for assistance in debugging the configuration.

The fact that your Domain resolved to the IP address of your Primary web server means that requests to your domain will be routed by default to that web server.

Task 5 - Test Your Failover

In this task, you will verify that Amazon Route 53 correctly fails over to your Secondary web server if your Primary web server fails. You will simulate a failure by manually stopping the instance in your primary region.

• On the Services menu, click EC2.

• Select your primary region from the region drop-down list in the top-right. (That is the region where you started the lab.)

• In the navigation pane, click Instances.

• Right-click Web-Application-1, click Instance State, and click Stop.

• In the Stop Instances dialog box, click Yes, Stop.

• Wait until the instance state changes to stopped.

• On the Services menu, click Route 53.

• In the navigation pane, click Health checks.

• Select check-1 and click the Health checkers tab in the lower pane.

• Wait until the status of check-1 is Unhealthy. If necessary, periodically click the refresh icon in the top-right corner.

The Health Check has now detected that your Primary web server has stopped responding. It should now be directing DNS requests to the Secondary web server.

• In the navigation pane, click Hosted zones.

• Click your domain name.

• Click Test Record Set.

• In Check response from Route 53, configure the following settings (and ignore any settings that aren't listed):

Record name: www

Type: A

• Click Get response.

• Look at the Response returned by Route 53 value. Confirm that it is the same IP address as your Secondary web server.

You have now successfully confirmed that your application environment can fail over from a primary region to a secondary region if the server in the primary region fails.

• Optional: Start your Primary web server again, wait for the Health Check to become Healthy and confirm that the DNS resolution now points back to your Primary web server. This demonstrates the ability to failover to a Secondary web server and then to failback to Primary web server when it becomes healthy again.

Recommended Security Groups for a Web Server

Recommended_security_groups_for_a_Web_Server-inbound.png Recommended_security_groups_for_a_Web_Server-outbound.png

Inbound for only IPv4 traffic:

Inbound for bouth IPv4 and IPv6 traffic:

Outbound when the server requires HTTP and HTTPS outbound traffic:

Web Apps usually requires HTTP and HTTPS outbound traffic. For example, web applications usually need to fetch an external service using HTTP or HTTPS.

Outbound when the server doesn't require HTTP and HTTPS outbound traffic:

Recommended Security Groups for a Database

Recommended_security_groups_for_a_Database-inbound.png Recommended_security_groups_for_a_Database-outbound.png