Instructor email:

Ralph Parisi: Pop me an email: ralph..parisi@gmail.com

Module 1

Enable Scalability

  1. Goal: ensure that your architecture can handle changes in demand
  2. problem – on-prem over purchase; low utilization
  3. autoscaling – doesn’t turn on/off machines. it creates/terminates. Vertically Scale
    1. ec2/nodes should be stateless (no data); application should be stateless if possible; loosely coupled is within the scope of stateless

Automate Your Environment

  1. Goal: where possible, automate the provisioning, termination and configuration of resources
  2. automation in AWS is made possible:
    1. everything is API enabled
    2. software-defined-network
  3. automation ensures best practices – security, cost, reliability, performance, operational excellence

Use Disposable Resources

  1. Goal: Take advantage of the dynamically provisioned nature of cloud computing
  2. Anti-pattern
    1. over time, different servers end up in different configs
    2. resources run when not needed
    3. hardcoded ip addresses prevent flexibility
    4. difficult/inconvenient to test new updates on hardware that’s in use
  3. Best practices
    1. automate deployment of new resources with identical config
    2. terminate resources not in use (make use of DNS)
    3. switch to new ip addresses automatically
    4. test updates on new resources and then replace old resources with updated ones (test environment)
  4. housekeeping – unused resources – EBS volume, snapshots, EC2; Ensure Tagging is required.
  5. tool – Simian Army, Conformity Monkey (Netflix)

Loosely Couple Your Components


  1. Goal: design architectures with independent components
  2. components – SNS, RDS, DynamoDB, S3,
  3. anti-pattern –

Design Services, Not Servers

  1. Leverage the breadth of AWS Services; don’t limit your infrastructure to servers
  2. anti-pattern
    1. simple app run on persistent servers
    2. apps communicate directly with one another
    3. static web assets are stored locally on instances (vs. s3 or custom origin)
    4. back-end servers handle user authentication and user state storage
  3. best practices
    1. serverless solution is provisioned at the time of need
    2. message queues handle communication between apps
    3. static web assets are stored externally such as S3
    4. user authentication and user state storage are handled by managed AWS services

Choose the right database solutions

  1. Goal – Match the technology to the workload, not the way around
  2. look at elastic cache
  3. things to consider


Avoid Single Point of Failure

  1. Mindset – Assume everything fails and design backwards
  2. implement redundancy where possible in order to prevent single failures from bringing down an entire system
  3. Best Practice


Optimize for Cost

  1. Take advantage of AWS flexible platform to increase your cost efficiency
  2. things to consider


Use Caching

  1. AWS wants us to cache everything
  2. Use caching to minimize redundant data retrieval operations


Secure your Infrastructure Everywhere

  1. Build security into every layer of your infrastructure
  2. Things to consider


Well-Architected Design Principles

The Well-Architected Framework identifies a set of general design principles to facilitate good design in the cloud:

  1. stop guessing your capacity needs
  2. test systems at production scale (RDS doesn’t have auto-scaling)
  3. lower the risk of architectural change
  4. automate to make experimentation easier
  5. allow for evolutionary architectures

Pillars of the Well-Architected Framework

  1. Security – apply security at all layers, enable traceability, automate responses to security events, focus on securing your system, automate security best practices
  2. Reliability
    1. test recovery procedures
    2. automatically recover from failure
  3. Performance Efficiency
  4. Cost Optimization – transparently attribute expenditure (tagging), use managed service to reduce cost of ownership, trade capital expense for Opex, benefit from economies (bulk discount) of scale, stop spending money on data center operations.
    1. cloudwatch – reserved bandwidth, caching, CDN
    2. S3 bulk discount
    3. consolidated billing

Module 2: AWS Account Management

Managing Multiple AWS Accounts

  1. Reasons companies may use multiple AWS accounts:
    1. some departments have their own AWS account for security purposes (HR data, PHI, PII data)
    2. Each environment has its own AWS account
    3. the org may have acquired other businesses, and those acquisitions already have their own accounts
    4. the org may operate in multiple geographic areas with different legal requirements, and may want to provide logical isolation of environments accordingly.
  2. boundaries – VPC, Region
  3. when to create multiple accounts
  4. multi-accounts.png
  5. Blast Zone – strong isolation of recovery
  6. AWS service limits work at the individual account level.
    1. every account that requests an increase in the service limit is provided one
    2. soft and hard limits – 400 kb/DynamoDB record or 5TB max file size in S3
  7. AWS support is per AWS account

Governing Multiple Accounts: Consolidated Billing

  1. enables you to consolidate payment for multiple AWS accounts within your company by designating a single paying account
  2. best practices – empty account for consolidated billing
  3. see a combined view of AWS costs incurred by all accounts
  4. benefits of consolidated billing: volume pricing discount

Consolidated Billing Best Practice – Resource Tagging


Having a Tagging Strategy


security tag – data has to be encrypted

Use Tags to ensure your environments Meet your standards



Billing Alerts


Billing Reports

  1. search for 3rd Party billing tool (mostly AMI from market place)

AWS Cost and Usage Reports

AWS Redshift manifest for usage report


Cost Explorer

uses the same detailed data set that is used to generate detailed biling reports with resources and tags.

AWS Budgets and Forecasts

  1. AWS Budgets allow you to define monthly budgets for your AWS costs.
    1. budgets can be an aggregate of all costs or only costs related to specific dimensions (e.g. Account, tag, Az)
    2. you can be notified via email when current or forecasted costs exceed a specified amount

Managing Security for multiple accounts

Governance For Service Access: Cross-Account Roles


Common AWS Security Structures

There are 10 of them

Identity Account Structure

  1. users and groups are stored in one account (assume the role)
  2. federated access
  3. roles created in indvidual account

Logging Account Structure


Publishing Account Structure


Independent Multi-Account Pattern

consideration – security/compliance but overhead involved

independent multi account

Centrally-controlled Multi-Account Pattern

  1. based on business unit
  2. based on projects (project or workload) – sandbox here
  3. based on environments
  4. Multiple Payer Multi-Account Pattern

Common Multiple Pyaer Multi-Account Structure

  1. Hybrid Account Structures

Multiple Account Best Practices

  1. Use group aliases for account email addresses
    1. ensure continuity of access when people leave companies
    2. allow easier to attribute account ownership
  2. Create and enforce resource tagging standards
  3. Leverage AWS APIs and scripts to automatically and consistently apply your company’s baseline config across all AWS accounts

AWS Directory Service

what we have -we used shared service account for okta integration and ‘identity providers’ if you go to ‘shared service account’, you can see ‘Okta’,  which is ‘SAML Provider’.


AD Authentication with AWS

pain point – companies want to connect their on-prem environment to the cloud so that apps can use their existing credentials.

options – Tivoli TAm, webseal, Okta

AWS Directory Service

  1. Simple AD
  2. Directory Service for AD Enterprise Edition
  3. AD Connector

Simple AD


  • Daily automatic snapshot
  • Schema – specification of objects; simple AD cannot extend that
  • cheap option when you don’t need advanced AD features

AWS Directory Service for Microsoft Active Directory (enterprise edition)

  1. managed Microsoft AD hosted on AWS
  2. provides much of the functionality offered by MS AD plus integration with AWS apps
  3. Is the best choice if you have more than 5000 users and need a trust relationship between an AWS hosted directory and on-prem directory

AD Connector

  1. connects to your on-prem AD via existing VPN or Direct Connect
    1. does not require the creation of new users or groups because identity is stored in your on-prem AD
    2. there is no federation
    3. best choice when you want to use existing on-prem AD with AWS services

Solution – Using AWS Directory Service

directory service.png

directory service-multiple account.png

rules for VPC peering – has to be in the same region for the use case above.  solution – vpn or corporate backbone

AWS Directory Service – Benefits

  1. Simple – you can use the management console or simple API calls to set up withinminutes
  2. Secure
    1. accessible via your security groups within VPC only
    2. simple AD is powered by same 4 AD – compatible servers
    3. continue using what you have
  3. Reliable
  4. Versatile

MODULE 3 – Advanced Network Architectures – network throughput, HPC, shared services and VPN (part A)

Using One VPC

  1. limited use cases where one VPC could be appropriate
    1. high-performance computing (HPC)
    2. small, single apps managed by one person or very small team
  2. For most use cases, there are two primary patterns for organizing your infrastructure

Infrastructure Patterns

infrastructure pattern.png

Multi-VPC Pattern

vpc-peering share services.png

Proxy in front of Services VPC – no transitive traffic

Other Important Considerations


S3, DynamoDB now have VPC endpoints.

Maximum Network Performance on EC2

  1. EC2 limitation – AWS will throttle the network bandwidth on lower tier
  2. so use EC2 tier that support enhanced networking – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
    • ENI – enhanced network interface

enhanced networking

enhanced networking-2.png

enhanced networking-3.png

max net performance

Jumbo frames – up to 9000 MTU (limited to 1500 MTU by default)

Leveraging Maximum Network Performance with HPC Workloads

  1. HPC – distributed architectural approach for computational and data-intensive workloads
  2. common HPC workloads
    1. engineering and safety simulations
    2. financial risk analyses
    3. computational science
    4. large equipment design
    5. energy exploration
    6. 2D/3D rendering (2000 computers, 24000 cores – Monster University in 2013)
  3. Characteristics
    1. high CPU, mem, storage I/O and network throughput
    2. high numbers of servers run in parallel in clusters or grids
    3. additional accelerators (GPUs)
    4. commodity hardware components
    5. automatic failure recovery
  4. Cluster vs Grid (cluster is harder, grid doesn’t require same hardware)
    1. cluster and grid.png
  5. HPC applications Categories
    1. Loosely coupled grid computing apps
      1. typically used for monte Carlo simulations for financial risk and material science for proteomics
      2. designed to be distributed
      3. do not depend on high performance node-to-node connections
      4. ideally suited for?
    2. Tightly coupled
  6. HPC case study – human genome Sequencing
    1. genome.png
    2. hpc-genome-arch.png

VPN Connection Over VPC

VPN Connection – IPsec

  1. Internet Protocol Security is a protocol suite for securing IP (internet protocol) communications by authenticating and encrypting each IP packet of a communication session
  2. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session of negotiation of cryptographics keys to be used during the session
  3. protection from DDOS

Static and Dynamic VPN Connections

  1. static rquires all routes (IP prefixes) to be specified
  2. dynamic VPN (BGP) supports max prefixes of 100
  3. BGP over VPN supports 2-byte autonomous system numbers (ASN)

What is BGP (Border Gateway Protocol)




Static VPN

Dynamic VPN

Path Selection Inside the VGW

iBGP and eBGP

VPN billing

  • data transfer charge
  • vpn cost per hour

Additional VPN Features

  1. NAT Traversal (NAT-T)
  2. Re-usable Customer Gateway
    1. same customer gateway (CGW) IP
    2. Create a new VGW and VPN then attach to your VPC
    3. Only one VGW can be attached to a VPC at one time
  3. Additional Encryption Options
    1. phase 1 can now use Diffie-Hellman groups 2, 14-18, 22,23 and 24
    2. phase 2 can now use Diffie-Hellman groups 1, 2, 5 14-18

Software VPNs on AWS


To Avoid being a single point of failure, AWS recommends HA architecture. To do this, host two software VPNs on Amazon EC2 instances in separate AZ and use a third Amazon EC2 instance to monitor the heath of the VPN connections.



Lab Notes

  1. create vpg (virtual private gateway)
  2. attach vpc
  3. create cgw (customer gateway)
  4. create vpn connection













Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: