Introduction to AWS EC2 and VPC

Forrest C. Shields II
SysOps Engineer
PGi
http://aws.amazon.com/what-is-cloud-computing/
Virginia
Oregon
N. California
Ireland
Frankfurt
Singapore
Tokyo
Sydney
São Paulo
Beijing
GovCloud
http://aws.amazon.com/about-aws/global-infrastructure/
Region
Availability Zone
Data Center
Subnet
A Virtual Private Cloud (VPC) is a logical grouping of one or more subnets that may span across availability zones in the same region.
Virtual Machines
Machine Images
Storage
Storage Snapshots
Firewall (Security Groups)
Public IPs
Load Balancing
Auto Scaling
Basic Performance Metrics
http://aws.amazon.com/ec2/
Networks
Subnets
Route Tables
DHCP
Basic DNS
Internet Gateways
VPN Connections
Network ACLs
Enhanced Firewall (Security Groups)
http://aws.amazon.com/vpc/
Instance Families
General Purpose
M3 – standard, T2 – burstable
Compute Optimized
C3 – up to 32 cores
Memory Optimized
R3 – up to 244 GB RAM
GPU
G2 – NVIDIA GPU w/ 1,536 CUDA cores
Storage Optimized
I2 – up to 8 local 800 GB SSD drives
HS1 – 24 local 2 TB SSD drives
Instance Sizes
Micro
Small
Medium
Large
xLarge
2xLarge
4xLarge
8xLarge
http://aws.amazon.com/ec2/instance-types/
Burstable Performance (CPU credits)
Enhanced Networking (SR-IOV)
Graphics Processing Unit (GPU)
Elastic Block Storage Optimized
Cluster Networking
Dedicated Instance
Detailed Monitoring
Based on:
Instance Type
Region
Operating System
Storage
Optional Features
Pricing models:
On-demand
Reserved (3 types)
Spot pricing
Dedicated
Examples:
t2.micro Linux instance in Virginia = $0.013 per hour
c3.xlarge Windows instance in São Paulo = $0.210 per hour
http://aws.amazon.com/ec2/pricing/
http://calculator.s3.amazonaws.com/calc5.html
Amazon-provided
Amazon Linux
RHEL derived like CentOS
Microsoft Windows
Server 2003 R2, 2008, 2008 R2, 2012, & 2012 R2
Base OS or with SQL Server: Express, Web, or Standard
Community AMIs
AWS Marketplace
My AMIs (imported or customized)
http://aws.amazon.com/amis/
http://aws.amazon.com/windows/amis/
Instance Store (ephemeral local storage)
Elastic Block Storage (EBS)
Types
Magnetic
General Purpose (SSD)
Provisioned IOPS (SSD)
Size: 1 GB to 1 TB
Encryption option
Snapshots
http://aws.amazon.com/ebs/
Security Groups
A named set of allowed network connections for an instance. Each security group
consists of a list of protocols, ports, and IP address ranges. A security group can
apply to multiple instances, and multiple groups can regulate a single instance.
Acts like a per-machine virtual firewall
Very flexible (better than ACLs)
Eliminates requirements to know IP addresses
Protocols: TCP, UDP, ICMP, Custom
Associate with a CIDR block or other security group
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Elastic IP Addresses (EIP)
A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon VPC
and then attached to an instance. Elastic IP addresses are associated with your
account, not a specific instance. They are elastic because you can easily allocate,
attach, detach, and free them as your needs change. Unlike traditional static IP
addresses, Elastic IP addresses allow you to mask instance or Availability Zone
failures by rapidly remapping your public IP addresses to another instance.
You “own” (rent) the public IP address
Can be easily moved from one instance to another, or held in reserve
Enables creation of DNS “A” records
Can only be applied to instances in a public subnet
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
Placement Groups
A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both.
Fastest inter-machine network available
Some limitations:
All servers need to be in the same availability zone
Servers should be all the same instance type
Adding servers later can be problematic
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic
across multiple instances in the cloud. It enables you to achieve greater levels of
fault tolerance in your applications, seamlessly providing the required amount of
load balancing capacity needed to distribute application traffic.
Increased availability (spans availability zones)
Easy elasticity when combined with Auto Scaling
Types: Public (Internet-facing) or Private
Listeners: HTTP, HTTPS, TCP, SSL (Secure TCP)
Utilizes Health Checks
Provides SSL offloading
http://aws.amazon.com/elasticloadbalancing/
Key Pairs
A set of security credentials you use to prove your identity electronically. A key
pair consists of a private key and a public key.
Used directly by Linux instances for SSH authentication
Used to “unlock” the auto assigned Windows Administrator password for viewing
Safer than username/password combinations
Region-specific, but can be copied to other regions
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
Elastic Network Interfaces (ENI)
A network interface that can be attached to an instance. ENIs include a primary
private IP address, one or more secondary private IP addresses, a MAC address,
and membership in specified security groups. You can create an ENI, attach it to
an instance, detach it from an instance, and attach it to another instance.
This is how you get multiple private IPs
Allows an instance to span subnets within the same availability zone
You can bind multiple EIPs to ENIs with multiple private IPs
Primary EIP created by default with 1 IP address
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Auto Scaling
A service designed to launch or terminate instances automatically based on user-defined policies, schedules, and health checks.
Increases availability
Reduces costs
Self-healing (if you have a good health check)
Scheduled spin-up/spin-down, or based upon any load metric you desire
http://aws.amazon.com/autoscaling/
Basic metrics included at 5 minute intervals:
CPU Utilization
Disk Reads/Writes
Disk Read/Write Ops
Network In/Out
Detailed Monitoring checks the same metrics at 1 minute intervals ($)
Keeps metrics for two weeks
Ship your own metrics to CloudWatch ($)
http://aws.amazon.com/cloudwatch/
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.*
You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.*
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.*
Your own private slice of the “cloud”
* Description “borrowed” from the AWS website
http://aws.amazon.com/vpc/
VPC Name
CIDR block
DNS Settings
Default Route Table
DHCP and DNS resolution are provided
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
Subnet Name
CIDR block (size /28 or larger)
Availability Zone
Route Table
Network ACL
Route Table determines if the subnet is public or private
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
Route Types:
Local (within the VPC)
Internet Gateway
Virtual Private Gateway (for VPN)
Instance (for NAT or software VPN)
VPC Peering
Associated with one or more subnets
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html
Internet Gateway
Must have one to use EIPs
One per VPC
Works with Route Table
If a subnet has a route table whose default route (0.0.0.0/0) points to an Internet Gateway, then that subnet is considered “public” and you can use EIPs. However, instances in that same subnet that do not utilize EIPs will not be reachable from the Internet.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
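The three slides above (subnet CIDR rules, route types, and the Internet Gateway test for a “public” subnet) are easy to check mechanically. The following Python is an added example written for this page, not code from the slides or from AWS: it validates a constructed VPC layout (subnets inside the VPC block, no block smaller than /28, no overlaps), performs longest-prefix route lookup the way the VPC router does, and classifies each subnet as public or private by its default route. All ids (igw-0example, pcx-0example, vgw-0example, i-0natexample) and subnet names are placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample layout for illustration only; it is not from the original
# slides. Ids such as igw-0example are placeholders, not real AWS resource ids.
VPC_CIDR = "10.0.0.0/16"


@dataclass
class Route:
    destination: str  # CIDR block the route matches
    target: str       # "local", "igw-...", "vgw-...", "i-..." (NAT/VPN instance) or "pcx-..."


@dataclass
class RouteTable:
    name: str
    routes: list


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    route_table: RouteTable


# Public route table: the default route (0.0.0.0/0) points at an Internet Gateway.
RT_PUBLIC = RouteTable("rt-public", [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-0example"),
])
# Private route table: Internet-bound traffic goes through a NAT instance instead.
RT_PRIVATE = RouteTable("rt-private", [
    Route("10.0.0.0/16", "local"),
    Route("192.168.0.0/16", "pcx-0example"),   # peered VPC
    Route("172.16.0.0/12", "vgw-0example"),    # corporate network over VPN
    Route("0.0.0.0/0", "i-0natexample"),       # NAT instance
])

SUBNETS = [
    Subnet("web-a", "10.0.1.0/24", "us-east-1a", RT_PUBLIC),
    Subnet("db-a", "10.0.2.0/24", "us-east-1a", RT_PRIVATE),
    Subnet("db-b", "10.0.3.0/24", "us-east-1b", RT_PRIVATE),
]

# Route types from the slide, keyed by the id prefix of the route target.
TARGET_KINDS = {
    "local": "Local (within the VPC)",
    "igw": "Internet Gateway",
    "vgw": "Virtual Private Gateway (for VPN)",
    "i": "Instance (for NAT or software VPN)",
    "pcx": "VPC Peering",
}


def target_kind(target):
    """Map a route target such as 'vgw-0example' to its route type name."""
    return TARGET_KINDS.get(target.split("-")[0], "unknown")


def validate_subnets(vpc_cidr, subnets):
    """List layout problems: subnet outside the VPC block, smaller than /28,
    or overlapping an earlier subnet. An empty list means the layout is sane."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, seen = [], []
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{s.name}: {s.cidr} is not inside VPC {vpc_cidr}")
        if net.prefixlen > 28:
            problems.append(f"{s.name}: {s.cidr} is smaller than /28")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other})")
        seen.append((s.name, net))
    return problems


def lookup_route(table, dst_ip):
    """Longest-prefix match, as the VPC router does; None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in table.routes:
        net = ipaddress.ip_network(route.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def is_public(subnet):
    """A subnet is public when its route table's default route targets an IGW."""
    for route in subnet.route_table.routes:
        if route.destination == "0.0.0.0/0":
            return route.target.startswith("igw-")
    return False


def internet_reachable(subnet, has_public_ip):
    """A public subnet alone is not enough: the instance also needs an EIP/public IP."""
    return is_public(subnet) and has_public_ip


def classify(subnets):
    """Map each subnet name to 'public' or 'private'."""
    return {s.name: ("public" if is_public(s) else "private") for s in subnets}


if __name__ == "__main__":
    print("problems:", validate_subnets(VPC_CIDR, SUBNETS))
    print(classify(SUBNETS))
    for ip in ("10.0.1.9", "192.168.5.5", "172.16.5.5", "8.8.8.8"):
        r = lookup_route(RT_PRIVATE, ip)
        print(ip, "->", r.target, f"({target_kind(r.target)})")
```

The route lookup deliberately ignores route order and picks the most specific prefix, which is why the 10.0.0.0/16 local route wins over 0.0.0.0/0 for in-VPC addresses even in the private table.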
DHCP Options Sets
Controls the DHCP options that are sent to each instance. You can set the following values:
Domain name
Domain name servers
NTP servers
NetBIOS name servers
NetBIOS node type
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html
VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
Works within your account or cross-account
Limitations:
Cannot route “thru” a peering connection
Not cross-region
Address space must not collide
Can’t reference Security Groups in other VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html
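The peering limitations listed above can be checked before a request is sent. This Python is an added example, not code from the slides or from AWS: it rejects a peering that is cross-region or whose address spaces collide, emits the route each side must add for the pcx target, and shows that reachability is only ever direct (no routing “thru” a peered VPC). The VPC names, the pcx-0example id and the CIDR blocks are constructed placeholders; the region codes are real AWS region names.

```python
import ipaddress

# Constructed sample VPCs for illustration only; not from the original slides.
VPCS = {
    "vpc-app":    {"region": "us-east-1", "cidr": "10.0.0.0/16"},
    "vpc-data":   {"region": "us-east-1", "cidr": "10.1.0.0/16"},
    "vpc-shared": {"region": "us-east-1", "cidr": "10.3.0.0/16"},
    "vpc-clash":  {"region": "us-east-1", "cidr": "10.0.128.0/17"},  # inside vpc-app's block
    "vpc-west":   {"region": "us-west-2", "cidr": "10.2.0.0/16"},
}

# Existing peering connections as unordered pairs (constructed sample).
PEERINGS = {("vpc-app", "vpc-data"), ("vpc-data", "vpc-shared")}


def peering_problems(vpcs, a, b):
    """Reasons a peering between a and b cannot be created; empty list if it can."""
    va, vb = vpcs[a], vpcs[b]
    problems = []
    if va["region"] != vb["region"]:
        problems.append("not cross-region")
    if ipaddress.ip_network(va["cidr"]).overlaps(ipaddress.ip_network(vb["cidr"])):
        problems.append("address space collides")
    return problems


def peering_routes(vpcs, a, b, pcx_id):
    """Routes each side must add: the peer's CIDR pointing at the peering connection."""
    return [
        (a, vpcs[b]["cidr"], pcx_id),
        (b, vpcs[a]["cidr"], pcx_id),
    ]


def reachable(peerings, src, dst):
    """Peering is not transitive: only a direct connection between src and dst counts,
    so vpc-app cannot reach vpc-shared through vpc-data."""
    return (src, dst) in peerings or (dst, src) in peerings


if __name__ == "__main__":
    for peer in ("vpc-data", "vpc-clash", "vpc-west"):
        print("vpc-app <->", peer, peering_problems(VPCS, "vpc-app", peer) or "ok")
    print(peering_routes(VPCS, "vpc-app", "vpc-data", "pcx-0example"))
    print("app -> shared via data?", reachable(PEERINGS, "vpc-app", "vpc-shared"))
```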
Network ACLs
A network access control list (ACL) is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Kind of old fashioned, but sometimes necessary
Not stateful (must open return port as well)
Can be confusing to combine with Security Groups
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Security Group | Network ACL
Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Processes rules in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
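The Security Groups slide earlier and the comparison above describe two evaluation models: security groups are allow-only, unordered and stateful, while network ACLs are ordered by rule number, allow or deny, and stateless. The following Python is an added example written for this page (not code from the slides or from AWS) that traces one HTTPS request and its reply through a subnet NACL and an instance security group, so the two classic mistakes show up concretely: an outbound NACL that forgets the client's ephemeral port range (the reply is dropped even though the request was allowed), and a deny rule numbered after the broad allow it was meant to precede (it never fires). The rule sets, client addresses and the sg-bastion group id are constructed placeholders.

```python
import ipaddress

# Constructed sample rule sets for illustration only; not from the original slides.
# sg-bastion is a placeholder group id, not a real AWS identifier.

# Network ACL rules: (rule number, protocol, (port_lo, port_hi), cidr, action).
# Processed in number order; the first match decides; no match means deny (rule "*").
NACL_IN = [
    (90, "tcp", (443, 443), "203.0.113.0/24", "deny"),   # deny placed before the broad allow
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
# Same intent, but the deny is numbered after the allow and never takes effect.
NACL_IN_MISORDERED = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (443, 443), "203.0.113.0/24", "deny"),
]
# Stateless: the reply (instance -> client ephemeral port) needs its own outbound rule.
NACL_OUT_BROKEN = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),      # only port 443: replies are dropped
]
NACL_OUT_FIXED = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),   # ephemeral port range for replies
]

# Security group inbound rules: (protocol, (port_lo, port_hi), source).
# Allow rules only; the source is a CIDR block or another security group id.
SG_WEB = [
    ("tcp", (443, 443), "0.0.0.0/0"),
    ("tcp", (22, 22), "sg-bastion"),
]


def nacl_decision(rules, proto, port, ip):
    """First matching rule in number order decides; returns (allowed, rule number)."""
    addr = ipaddress.ip_address(ip)
    for number, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action == "allow", number
    return False, "*"  # the implicit final deny rule


def sg_allows(rules, proto, port, client):
    """client = {'ip': ..., 'groups': [...]}; any matching rule allows, order is irrelevant."""
    addr = ipaddress.ip_address(client["ip"])
    for rproto, (lo, hi), source in rules:
        if rproto not in ("all", proto) or not (lo <= port <= hi):
            continue
        if source.startswith("sg-"):
            if source in client["groups"]:   # source is another security group
                return True
        elif addr in ipaddress.ip_network(source):
            return True
    return False


def evaluate_flow(nacl_in, nacl_out, sg, client, dst_port, client_port, proto="tcp"):
    """Trace one request and its reply through the subnet NACL and the instance SG."""
    trace = {}
    in_ok, in_rule = nacl_decision(nacl_in, proto, dst_port, client["ip"])
    trace["nacl_inbound"] = (in_ok, in_rule)
    trace["sg_inbound"] = sg_allows(sg, proto, dst_port, client)
    # Security groups are stateful: the reply to an allowed request is tracked
    # and passes with no outbound rule needed.
    trace["sg_return"] = trace["sg_inbound"]
    # Network ACLs are stateless: the reply is checked against the outbound
    # rules, which must cover the client's ephemeral port.
    out_ok, out_rule = nacl_decision(nacl_out, proto, client_port, client["ip"])
    trace["nacl_outbound"] = (out_ok, out_rule)
    trace["allowed"] = in_ok and trace["sg_inbound"] and out_ok
    return trace


if __name__ == "__main__":
    client = {"ip": "198.51.100.7", "groups": []}
    for name, nacl_out in (("broken", NACL_OUT_BROKEN), ("fixed", NACL_OUT_FIXED)):
        print(name, evaluate_flow(NACL_IN, nacl_out, SG_WEB, client, 443, 50123))
    print("misordered deny:", nacl_decision(NACL_IN_MISORDERED, "tcp", 443, "203.0.113.5"))
```

The trace records which NACL rule number decided each leg, which is the first thing to look at when a connection works with the security group alone but fails once a network ACL is attached to the subnet.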
VPN Connections
Primary use is to connect your VPC to your corporate network or datacenter.
Only works with hardware VPN devices (sorry, no software VPN)
IPSec-based
Supports static or BGP routing
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
Free Tier
750 hours of Linux t2.micro instance usage and 750 hours of Microsoft Windows Server t2.micro instance usage (1 GB of memory and 32-bit and 64-bit platform support) – enough hours to run both continuously each month
750 hours of an Elastic Load Balancer plus 15 GB data processing
30 GB of Elastic Block Storage: any combination of General Purpose (SSD) or Magnetic, and 1 GB of snapshot storage
Much more at aws.amazon.com/free/
http://aws.amazon.com/free/