“A new day will dawn 🌄… For those who stand long”
Happy National Avocado🥑 Day!
Our journey 🚞 this week takes us back to our humble beginnings. Well, sort of… If you recall, we began our magical✨ mystery tour of learnings back in March with AWS EC2. Then the last two weeks we re-routed course back to AWS, concentrating on AWS’s data services. So, we thought it might make sense to take one step 👣 back in order to take two steps 👣 👣 forward by focusing this week’s enlightenments on the fundamentals of the AWS Cloud☁️ and its Key🔑 concepts, core services, security🔐, architecture, pricing 💶, and support.
Fortunately, we knew the right place to load up on such knowledge. Where, you ask? None other than the fine folks at AWS Training, through their free online course AWS Cloud☁️ Practitioner Essentials (Second Edition). AWS spared no expense💰 by putting together an all-star🌟 lineup of AWS-ers led by Kirsten Dupart, an old familiar friend, Blaine Sundrud, Mike Blackmer, Raf Lopes, Heiwad Osman, Kent Rademacher, Russell Sayers, Seph Robinson, Andy Cummings, Ian Falconer, Wilson Santana, Wes Gruver, Tipu Qureshi, and Alex Buell.
The objective of the course was to highlight the following main areas:
- AWS Cloud☁️ global infrastructure
- AWS Cloud☁️ architectural principles
- AWS Cloud☁️ value proposition
- AWS Cloud☁️ overview of security🔐 and compliance
- AWS Cloud☁️ overview of billing, account management, and pricing 💶 models
The course begins with an introduction to the concept of “Cloud☁️ Computing”, which of course is the on-demand availability of computing system resources, data storage 🗄 and computing power⚡️, without direct active management by the user. Instead of having to design and build traditional data centers, Cloud☁️ computing enables us to access a data center and all of its resources via the Internet, or Cloud☁️.
Amazon Web Services (AWS) is a secure🔐 Cloud☁️ services platform, offering compute power⚡️, database storage 🗄, content delivery and other functionality to help businesses scale⚖️ up or scale⚖️ down based on actual needs. There are five main areas that AWS Cloud☁️ emphasizes: Scalability ⚖️, Agility, Elasticity🧘♂️, Reliability and Security🔐.
- Scalability ⚖️ is the ability to resize your resources as necessary. AWS Cloud☁️ provides a scalable computing platform designed for high availability and dependability through tools and solutions.
- Agility is the ability to increase speed🏃🏻, offer ease of experimentation and promote innovation. AWS empowers the user to seamlessly spin up servers in minutes, shut down servers when not needed, or allow unused resources to be allocated for other purposes.
- Elasticity🧘♂️ is the ability to scale ⚖️ computing resources up or down easily. AWS makes it easy to quickly deploy new applications, scale⚖️ up as workloads increase, and shut down resources that are no longer required.
- Reliability is the ability of a system to recover from infrastructure or service failure. AWS provides reliability by hosting your instances and resources across multiple locations utilizing regions, availability zones and edge locations.
- Security 🔐 is the ability to retain complete control and ownership over your data and meet regional compliance and data residency requirements. AWS provides highly secure 🔐 data centers, continuous monitoring 🎛 and industry-leading capabilities across facilities, networks, software, and business processes.
There are three methods in which you can access AWS resources:
- AWS management console which provides a graphical user interface (GUI) to access AWS services
- AWS command line interface (CLI) which allows you to control AWS services from the command line
- AWS Software Development Kits (SDKs), which enable you to access AWS using a variety of programming languages
Next the course provides us with some brief vignettes covering the AWS core services, AWS Global Infrastructure, and AWS Integrated Services.
AWS Core Services
Elastic Compute Cloud☁️ (EC2) is a web service that provides secure, resizable compute capacity in the Cloud☁️. EC2 instances are “pay as you go”: you only pay for the capacity you use, and you can choose different storage 🗄 options to match your requirements.
Key🔑 components of EC2 are:
- Amazon machine image (AMI) which is an OS image used to build an instance
- Instance Type refers to hardware capabilities (CPU, Memory)
- Network – Public and Private IP addresses
- Storage 🗄 – SSDs, Provisioned IOPS SSD, Magnetic disks
- Key pairs🔑 (secure) allow you to connect to instances after they are launched
- Tags 🏷 provide a friendly name to identify resources in AWS.
Elastic Block Store (EBS) provides persistent block-level storage🗄 volumes for your EC2 instances.
- EBS volumes are designed to be durable and available; each volume is automatically replicated across multiple servers within its Availability Zone.
- EBS volumes must be in the same AZ as the instances they are attached to.
- EBS gives you the ability to create point-in-time⏰ snapshots of your volumes and lets you create new volumes from a snapshot at any time⏰.
- EBS volumes can be increased in capacity and changed to a different volume type.
- Multiple EBS volumes can be attached to an instance
Simple Storage🗄 Service (S3) is a fully managed storage🗄 service that provides a simple API for storing and retrieving data. S3 uses buckets🗑 to store data. S3 buckets🗑 are associated with a particular AWS region. When you store data in a bucket🗑, it’s redundantly stored across multiple AWS Availability Zones within that region.
- S3 is serverless, so you do not need to manage any infrastructure.
- S3 supports objects as large as several terabytes.
- S3 also provides low latency access to data over HTTP or HTTPS
AWS Global Infrastructure
The AWS Global Infrastructure consists of Regions, Availability Zones, and Edge locations providing highly available, fault tolerant, and scalable infrastructures.
An AWS Region is a geographical 🌎 area that hosts two or more Availability Zones and is the organizing level for AWS services.
Availability Zones are a collection of data centers within a specific region. Each Availability Zone is physically isolated from the others but connected to them through low-latency, high-throughput, and highly redundant networking. AWS recommends provisioning your data across multiple Availability Zones.
As of April 2020, AWS spans 70 Availability Zones within 22 Regions around the globe 🌎.
Edge locations are where end users access services located at AWS. They are located in most of the major cities 🏙 around the world 🌎 and are specifically used by Amazon CloudFront🌩, a content delivery network (CDN) that distributes content to end users to reduce latency.
Amazon Virtual Private Cloud⛅️ (VPC) is a private network within the AWS Cloud☁️ that adheres to networking best practices as well as regulatory and organizational requirements. VPC is an AWS foundational service that integrates with many of the AWS services. VPC leverages the AWS global infrastructure of regions and Availability Zones, so it easily takes advantage of the high availability provided by AWS. A VPC exists within a region and can span multiple Availability Zones. You can create multiple subnets in a VPC, although fewer subnets are recommended to limit the complexity of the network.
Security🔐 Groups act as a virtual 🔥 firewall for your virtual servers, controlling incoming and outgoing traffic🚦. They are another method to filter traffic🚦 to your instances, giving you control over what traffic🚦 to allow or to deny. To determine who has access to your instances, you configure Security🔐 group rules.
AWS CloudFormation🌨 (“Infrastructure as Code”) allows you to use programming languages, JSON files, or simple text files to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
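To make the security-group and infrastructure-as-code points concrete, here is an added example (my own, not code from the course or from AWS): a small Python script that reads a constructed CloudFormation template containing one weak and one hardened security group and flags any admin port that a rule opens to the whole Internet. The VPC id, the group names and the 203.0.113.0/24 “corporate” range are placeholders.

```python
# Added example (not from the course or AWS): lint a CloudFormation template
# for security groups that expose admin ports to the whole Internet.
import ipaddress
import json

# Constructed template: one weak group (SSH from 0.0.0.0/0) and one hardened
# group (SSH only from a placeholder corporate range). VPC id is a placeholder.
TEMPLATE = json.loads('''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier (weak: SSH open to the world)",
        "VpcId": "vpc-PLACEHOLDER",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Admin access (hardened: SSH from corporate range only)",
        "VpcId": "vpc-PLACEHOLDER",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}
        ]
      }
    }
  }
}''')

# Ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def rule_covers_port(rule, port):
    """True when the ingress rule's protocol and port range include `port`."""
    if rule.get("IpProtocol") == "-1":  # -1 means every protocol and port
        return True
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))

def find_open_admin_ports(template):
    """Return (logical_id, port, service) for every world-open admin port."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr and is_world_open(cidr):
                for port, service in ADMIN_PORTS.items():
                    if rule_covers_port(rule, port):
                        findings.append((logical_id, port, service))
    return findings
```

Running `find_open_admin_ports(TEMPLATE)` reports only `WebSg` (SSH on port 22); the HTTPS rule and the hardened `AdminSg` pass.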
“Every AWS service that you learned about is another tool 🛠 to build solutions. The more tools⚒ you can bring to the table, the more powerful 💪 you become.” -Andy Cummings
AWS Integrated Services
AWS offers a variety of services from A to Z, so it would be impossible to review every service in a six-hour course. Below are some of the services highlighted in the course:
Elastic Load Balancing 🏋🏻♀️ automatically distributes incoming application traffic🚦 across multiple targets such as EC2 instances, containers, IP addresses, and Lambda functions. There are three kinds of load balancers: Network Load Balancer🏋🏻♂️, Classic Load Balancer 🏋🏻♂️ (ELB) and Application Load Balancer🏋🏻♂️ (ALB).
- Network Load Balancer 🏋🏻♀️ is best suited for load balancing of TCP, UDP and TLS traffic🚦 where extreme performance is required.
- Classic Load Balancer 🏋🏻♀️ provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level.
- Application Load Balancer 🏋🏻♀️ offers most of the features provided by the Classic Load Balancer 🏋🏻♀️ and adds some important features and enhancements. It’s best suited for load balancing of HTTP and HTTPS traffic🚦.
AWS Auto Scaling⚖️ monitors 🎛 your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Auto Scaling⚖️ removes the guesswork of how many EC2 instances you need at a point in time⏰ to meet your workload requirements. There are three core components: a launch configuration (“what to deploy”), an Auto Scaling⚖️ group (“where to deploy”) and an Auto Scaling⚖️ policy (“when to deploy”).
- Dynamic auto scaling⚖️ is a common configuration used with AWS CloudWatch⌚️alarms based on performance information from your EC2 instance or load balancer🏋🏻♂️.
Auto Scaling⚖️ and Elastic Load Balancing 🏋🏻♀️ automatically scale⚖️ up or down based on demand. Backed by Amazon’s massive infrastructure, you have access to compute and storage 🗄 resources whenever you need them.
Amazon Route 53👮 is a global, highly available DNS service that allows you to easily register and resolve DNS names, providing a reliable and highly scalable ⚖️ managed way to route 👮♀️ end users to Internet applications. Route 53 offers multiple ways to route👮♀️ your traffic🚦, enabling you to optimize latency for your applications and users.
Amazon Relational Database Service (RDS🛢) is a database as a service (DBaaS) that makes provisioning, operating and scaling⚖️ (either up or out) seamless. In addition, RDS🛢 makes other time-consuming administrative tasks such as patching and backups a thing of the past. Amazon RDS🛢 provides high availability and durability through the use of Multi-AZ deployments. It also lets you run your database instances in an Amazon VPC, which gives you control and security🔐.
AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales⚖️ automatically to thousands of requests per second.
AWS Elastic Beanstalk🌱 is an easy-to-use service for deploying and scaling web applications and services developed with Java☕️, .NET, PHP, Node.js, Python🐍, Ruby💎, Go, and Docker🐳 on familiar servers such as Apache, Nginx, Passenger, and IIS. Elastic Beanstalk🌱 employs Auto Scaling⚖️ and Elastic Load Balancing🏋🏻♂️ to scale⚖️ and balance workloads. It provides tools🛠 in the form of Amazon CloudWatch⌚️ to monitor 🎛 the health❤️ of deployed applications. It also provides capacity provisioning through its reliance on AWS S3 and EC2.
Amazon Simple Notification Service (SNS) 📨 is a highly available, durable, secure🔐, fully managed pub/sub messaging service like Google’s pub/sub that enables you to decouple microservices, distributed systems, and serverless applications. Additionally, SNS📨 can be used to fan out notifications to end users using mobile push, SMS, and email✉️.
Amazon CloudWatch⌚️ is a monitoring 🎛 service that allows you to monitor 🎛 AWS resources and the applications you run 🏃🏻 on them in real time. Amazon CloudWatch⌚️ features include collecting and tracking metrics like CPU utilization, data transfer, as well as disk I/O and utilization. Some of the components that make up Amazon CloudWatch⌚️ include metrics, alarms, events, logs and dashboards.
Amazon CloudFront🌩 uses a global 🌎 network of more than 80 locations and more than 10 regional edge caches for content delivery (CDN). It’s integrated with AWS services such as AWS Web Application🔥 Firewall, Certificate Manager, Route 53, and S3, as well as other AWS services.
AWS CloudFormation🌨 is a fully managed service which acts as an engine 🚂 to automate the provisioning of AWS resources. CloudFormation🌨 reads template files which specify the resources to deploy. The provisioned resources are known as a stack. Stacks 📚 can be created, updated or deleted through CloudFormation🌨.
When one refers to AWS Architecture, one need look no further than the AWS Well-Architected Framework. The AWS Well-Architected Framework originally began as a single whitepaper but expanded into more of a doctrine focused on Key🔑 concepts, design principles, and architectural best practices for designing secure, high-performing, resilient, and efficient infrastructure and running 🏃🏻 workloads in the AWS Cloud☁️.
The AWS Well-Architected Framework is based on five pillars: operational excellence, security🔐, reliability, performance efficiency, and cost optimization.
- Operational excellence focuses on running 🏃🏻 and monitoring 🎛 systems and continually improving processes and procedures.
- Security🔐 centers on protecting information and systems.
- Reliability highlights that a workload performs consistently as intended and can quickly recover from failure.
- Performance efficiency concentrates on efficiently using computing resources.
- Cost optimization emphasizes cost avoidance.
Reference Architecture – Fault Tolerance and High Availability
Both Fault Tolerance and High Availability are cornerstones of infrastructure design strategies to keep critical applications and data up and running 🏃🏻.
Fault Tolerance refers to the ability of a system (computer, network, Cloud☁️ cluster, etc.) to continue operating without interruption when one or more of its components fail.
High availability refers to systems that are durable and likely to operate continuously, remaining functional and accessible with downtime minimized as much as possible, without the need for human intervention.
AWS provides services and infrastructure to build reliable, fault-tolerant, and highly available systems in the Cloud☁️.
Some AWS services that can assist in providing high availability:
- Elastic load balancers🏋🏻♀️
- Elastic IP addresses
- Route 53 👮♀️
- Auto scaling⚖️
Some AWS services that provide fault tolerant tools are:
- S3 🗄
Amazon Web Services offers Cloud☁️ web 🕸 hosting solutions that provide businesses, non-profits, and governmental organizations with low-cost ways to deliver their websites and web 🕸 applications.
When it comes to security🔐, AWS doesn’t take this lightly. So much so that when you are a newbie to AWS it can be quite challenging just to connect to your Cloud☁️ environment. The AWS global infrastructure is built to the highest standards to ensure privacy🤫 and data security🔐. AWS infrastructure has strong 💪 safeguards in place to protect customers’ privacy 🤫. AWS continuously improves and innovates its security🔐, incorporating customer feedback and changing requirements. AWS provides security🔐-specific tools🛠 and features across network security🔐, configuration management, access control, and data security🔐. AWS provides monitoring 🎛 and logging tools🛠 to give full visibility👀 into what is happening in your environment. AWS provides several security🔐 capabilities and services, like built-in firewalls🔥, to increase privacy🤫 and control network access. In addition, AWS offers encryption of data both in transit and at rest in the Cloud☁️. AWS offers you capabilities to define, enforce, and manage user👤 access policies across AWS services.
The shared👫responsibility model
AWS believes Security🔐 and Compliance are a shared👫 responsibility between AWS and the customer. The shared👫 responsibility model alleviates the operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security🔐 of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security🔐 patches), other associated application software, as well as the configuration of the AWS-provided security🔐 group🔥 firewalls.
Security🔐 “of” the Cloud☁️ vs Security🔐 “in” the Cloud☁️
- “Security🔐 of the Cloud☁️” – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud☁️.
- “Security🔐 in the Cloud☁️” – Customer responsibility will be determined by the AWS Cloud☁️ services that a customer selects.
Inherited Controls are controls that the customer fully inherits from AWS.
Shared👫Controls are controls which apply to both the infrastructure layer and the customer layers, but in completely separate contexts or perspectives. Examples include:
- Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.
Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:
AWS Cloud☁️ Security🔐 Infrastructure and services
AWS Identity and Access Management (IAM) is one of the core security🔐 services (at no additional charge) used to enforce security🔐 across all AWS service offerings. IAM provides Authentication, Authorization, User Management and a Central User Repository. In IAM, you can create and manage users, groups, and roles to either allow or deny access to specific AWS resources.
- Users👤 are permanent named operators (either human or machine)
- Groups 👥 are collections of users (either human or machine)
- Roles are an authentication method; the Key🔑 point is that the credentials associated with a role are temporary.
Permissions are enforced by a separate object known as a policy document 📜.
A policy document📜 is a JSON document📜 that can be attached directly to a user👤, a group👥, or a role.
AWS CloudTrail 🌨 is a service that enables governance, compliance, operational auditing, and risk auditing. CloudTrail🌨 records all successful or declined authentication and authorization attempts.
Amazon Inspector 🕵️♂️ is an automated security🔐 and vulnerability assessment service that assesses applications for exposure, vulnerabilities, and deviations from best practices. Amazon Inspector produces a detailed list of security🔐 findings prioritized by level of severity in the following areas:
- Identify Application Security🔐 Issues
- Integrate Security🔐 into DevOps
- Increase Development Agility
- Leverage AWS Security🔐 Expertise
- Streamline Security🔐 Compliance
- Enforce Security🔐 Standards
AWS Shield🛡 is a managed Distributed Denial of Service (DDoS) protection service. There are two tiers of AWS Shield🛡: Standard and Advanced.
- AWS Shield🛡Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.
- AWS Shield🛡Advanced provides additional detection against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS web 🕸application 🔥 firewall (WAF).
Pricing and Support
AWS offers a wide range of Cloud☁️ computing services. For each service, you pay for exactly the amount of resources you actually use.
- Pay as you go.
- Pay less when you reserve.
- Pay even less per unit by using more
- Pay even less as your AWS Cloud☁️ grows
There are three fundamental characteristics you pay for with AWS:
- Compute 💻
- Storage 🗄
- Data transfer out ➡️
Although you are charged for data transfer out, there is no charge for inbound data transfer or for data transfer between other services within the same region.
AWS Trusted Advisor is an online tool🔧 that helps you optimize your AWS infrastructure, increase reliability, security🔐 and performance, reduce your overall costs, and monitor 🎛 your environment. AWS Trusted Advisor enforces AWS best practices in five categories:
- Cost optimization
- Fault tolerance
- Service limits
AWS offers four levels of support:
- Basic support plan (Included with all AWS Services)
- Developer support plan
- Business support plan
- Enterprise support plan
Obviously, there was a lot to digest😋 but now we have a great overall understanding of the AWS Cloud☁️ concepts, some of the AWS services, security🔐, architecture, pricing 💶, and support and feel confident to continue our journey in the AWS Cloud☁️. 😊
“This is the end, Beautiful friend.. This is the end, My only friend, the end”?
Below are some areas I am considering for my travels next week:
- Neo4J and Cypher
- More with Google Cloud Path
- ONTAP Cluster Fundamentals
- Data Visualization Tools (i.e. Looker)
- Additional ETL Solutions (Stitch, FiveTran)
- Process and Transforming data/Explore data through ML (i.e. Databricks)