CCP-Rev4..1a GCF SENDV1

Solutions Training for Partners
AWS Cloud Practitioner Exam Prep for Partners
Session start time: 9:00 am GMT-5

Your instructor
Solutions Training for Partners: Cloud Practitioner - Workshop
Guillermo Cabrera
AWS Partner Trainer
[email protected]

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Welcome

The virtual room works like a classroom.

• Keep your microphone muted and unmute it only to comment or participate.
• Use the CHAT; you can ask the instructor directly.
• Virtual is not impersonal! Please ask questions, and please answer the questions.

Your feedback is essential.

© 2020 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Images have a Creative Commons licence.
Agenda

MODULE 1 - UNDERSTANDING AWS CLOUD (Foundations)
MODULE 2 - SECURITY AND COMPLIANCE (You know more than you realize)
MODULE 3 - AWS SERVICES (Foundations)
MODULE 4 - PRICING, TCO, COST OPTIMIZATION (Foundations)
MODULE 5 - AWS WELL-ARCHITECTED FRAMEWORK (You know more than you realize)
MODULE 6 - RESOURCES (Foundations)
Welcome

• This is a guide for the AWS Certified Cloud Practitioner exam.
• It should not be taken as the sole source of study for the AWS CCP exam.
• Consider the supporting material listed later to further your studies.
AWS Certified Cloud Practitioner

About the exam
• Exam code CLF-C01
• 65 questions
• 90 minutes
• Score: 100 to 1000 (minimum 700 to pass)
• Immediate result
• US$ 100
• Certification expires after 3 years
• Practice exam: AWS Certified Cloud Practitioner Practice (CLF-P01), US$ 20, 60 min

Sample question formats

Multiple-answer: Which are AWS services? (choose 2)
(•) IAM
(•) CloudFront
( ) AWS Games
( ) ForCloud
( ) Discovery Tiers

Single-answer: Points of Presence which CloudFront uses to cache copies of your content:
(•) Edge Locations
( ) Data Centers
( ) AWS Transceivers
( ) Cloud Content
( ) External DNS
AWS Certified Cloud Practitioner
• Exam topics: https://aws.amazon.com/certification/certified-cloud-practitioner/

How to register for the exam
aws.training > Sign in > select "Certification" in the top bar menu
How to add 30 min to the exam time
Candidates in non-native English speaking countries are eligible to add 30 min to the exam time.

Standard time: 90 min
Extended time: 120 min

• Must be requested before scheduling the exam.
• Automatic approval process.
• Needs to be requested only once.

How to do this? Go to the certification portal (aws.training/Certification) and request the accommodation before scheduling the exam.
AWS Certified Cloud Practitioner Online
• English only.
• Exam supervised (proctored) through a webcam.
• Use a quiet, private location with a reliable internet connection.
• Exam times are available every 15 minutes.
• The +30 min language accommodation does not apply to the online exam.

Now You Can Take the AWS Certified Cloud Practitioner Exam at Your Home or Office 24/7:
https://aws.amazon.com/blogs/apn/now-you-can-take-the-aws-certified-cloud-practitioner-exam-at-your-home-or-office-24-7/
AWS Certified Cloud Practitioner - Study Resources
• AWS Training (aws.amazon.com/training), aws.training/LearningLibrary
  – AWS Business Professional (digital)
  – AWS Cloud Economics (digital)
• AWS Whitepapers
  – Overview of Amazon Web Services
  – Architecting for the Cloud: AWS Best Practices
  – How AWS Pricing Works
  – Cost Management in the AWS Cloud
  – AWS support plan comparison
AWS Certified Cloud Practitioner - To Do
• Review this material.
• Go to the AWS site and read about the main services: https://aws.amazon.com
• Understand the AWS Cloud value proposition, principles and advantages.
• Security in the cloud: Acceptable Use Policy (AUP), Shared Responsibility Model (SRM), compliance, IAM, MFA.
• Global AWS infrastructure, multi-AZ architectures, scope of services (global, regional, AZ-level).
• Pricing models and organizational structure.
Module 1: Understanding the AWS Cloud

What is cloud computing?
• Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the internet with pay-as-you-go pricing.

Six advantages of cloud computing:
• Trade capital expense for variable expense
• Benefit from massive economies of scale
• Stop guessing capacity
• Increase speed and agility
• Stop spending money on running and maintaining data centers
• Go global in minutes
Transitioning from a Self-Managed to a Fully Managed Service

• Self-managed service: database on an instance in the corporate data center.
• Amazon EC2: database on an EC2 instance in AWS data center(s); you still operate the database software yourself.
• Fully managed service: database on an RDS instance in AWS data center(s).
What Sets AWS Apart?
• Enterprise leadership: building and managing the cloud since 2006
• Service breadth and depth: over 165 services
• Pace of innovation: 1,957 features in 2018, 1,430 features in 2017
• Global presence: 69 Availability Zones in 22 geographic regions around the world
• Amazon culture: 73 proactive price reductions
• Security: #1 priority
• Largest partner ecosystem: AWS Marketplace and APN
• Hybrid cloud: broadest set of hybrid capabilities of any cloud provider
AWS Global Infrastructure (figures as of this deck's 2020 revision)

• 24 geographic Regions
• 76 Availability Zones
• 216 Edge Locations
• Announced: 3 Regions and 9 AZs in Indonesia, Japan and Spain

Regions and number of Availability Zones (AZs):
• GovCloud (US): US-East (3), US-West (3)
• US West: Oregon (4), N. California (3)
• US East: N. Virginia (6), Ohio (3)
• Canada: Central (3)
• South America: São Paulo (3)
• Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
• Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)*, Seoul (3), Mumbai (3), Hong Kong (3)
• China: Beijing (2), Ningxia (3)

The AZs of a Region are interconnected using high-speed private links; each AZ is an independent failure zone.
What is an AWS Region?
• Regions are located in separate geographic areas.
• Regions are isolated from each other.
• Regions have multiple Availability Zones.
• Each Region has two redundant transit centers and highly peered, connected facilities.
• Data is never moved from one Region to another by AWS (unless you configure a service to do so, e.g. S3 cross-region replication).

What is an Availability Zone?
• AZs are isolated locations (separate power, network, flood zone, and so forth) within a Region.
• AZs have one or more data centers (some have 8); each data center building has between 50,000 and 80,000 physical servers.
• AZs are designed to offer high availability of services to customers.
• AZs in one Region have sub-millisecond latency between them.
Amazon CloudFront
• Content Delivery Network (CDN)
• Content close to users = less latency
• Static content (web pages, text, images, movies)

Edge Location = point of presence where the content is cached.
How to build resilient architectures?

• High availability (HA): a characteristic of a system; uptime based (SLA), e.g. 99.999%; eliminate single points of failure.
• Fault tolerance (FT): applies the redundancy principle; no downtime is expected; built-in redundancy of components; no performance degradation.
• Disaster recovery (DR): policies, tools and procedures for catastrophic events, covering the key business operations.
AWS Platform Services (over 175 services)

• Advanced services: Analytics, Artificial Intelligence, Mobile, Internet of Things, Game Development, AWS Marketplace
• Business process services: Developer Tools, Management Tools, Desktop and App Streaming, Business Productivity, Technical and Business Support, Application Services
• Foundational services: Compute, Storage, Databases, Networking/Content Delivery, Hybrid Cloud Architecture, Messaging
Introducing Amazon Enterprise Applications
• Productivity: WorkMail, WorkDocs
• Desktop & apps: WorkSpaces, AppStream 2.0
• Unified communications and customer service: Amazon Chime, Amazon Connect
Service Availability per Region (Region Table)
• Take into account the availability of services in each region: not every service is available in every Region.
• Service prices vary by region.
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
AWS Marketplace Overview
AWS Marketplace is an online store that supports:
01 Over 1,400 participating ISVs
02 Over 260,000 active customers
03 Over 7,000 software listings
04 Over 1 million current software subscriptions
AWS Hybrid Architecture Support
79% of existing enterprise workloads run on VMware*
01. Almost every AWS customer with on-premises infrastructure is running a hybrid architecture.
02. AWS offers seamless integration with existing on-premises data centers; customers can leverage existing investments.
03. Easily run VMware workloads on AWS with seamless deployment and management.
04. AWS offers the only VMware-delivered, sold and supported service available on a leading public cloud.

* IDC Worldwide Cloud System Software 2015 Share Snapshot
Module 2: Security and Compliance

Security Is Our #1 Priority
Compliance and security at scale on a single platform: highly automated, highly available (24/7), highly accredited.
Security: The Shared Responsibility Model

Customer: responsible for security and compliance IN the cloud
• Customer content
• Platform, applications, Identity & Access Management
• Operating system, network & firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
Examples: OS patching/updates; software compliance; application/software licensing; software optimizations; DB schema analysis; snapshot/backup routines; use of encryption.

AWS: responsible for security OF the cloud
• AWS foundation services: compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, Edge Locations
Examples: static code analysis; penetration tests; threat modeling; monitoring and throttling; firewalls and blocking; host OS updates; data center physical access; decommissioning.
The Shared Responsibility Model is not static
• The split can shift or differ based on technology, business purpose and architecture: the customer keeps the most responsibility with infrastructure services (e.g. EC2), less with container services (e.g. RDS), and the least with abstracted services (e.g. S3, DynamoDB).

AWS controls and responsibilities
• Physical and environmental security
• Business continuity management
• AWS access security (AWS corporate network and AWS production network)
• Design principles security
• Configuration management security
• AWS service-specific security

Old way vs. new way: controls expressed and enforced as code.
AWS Built-In Security

Security focus | Security services and features
Infrastructure security | Amazon VPC; AWS WAF; encryption in transit with TLS for all services; AWS Artifact
Identity and access control | AWS Identity and Access Management (IAM); AWS Multi-Factor Authentication; AWS Directory Service; AWS Trusted Advisor
Monitoring and logging | AWS CloudTrail; Amazon CloudWatch; Amazon Macie; Amazon Inspector
Inventory and configuration | AWS Config; AWS CloudFormation
DDoS mitigation | AWS Shield; Auto Scaling; Amazon CloudFront; Amazon Route 53
Data encryption | Encryption with all AWS storage and database services; AWS KMS; AWS CloudHSM
AWS Trusted Advisor
How it works: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
AWS Organizations

Policy enforcement across accounts
Enforcement is based on stakeholder roles and responsibilities, and in accordance with compliance regulations (e.g. HIPAA, FedRAMP, PCI DSS). At each level of the hierarchy (organization, organizational unit, account) the company can specify which AWS services, features, and resources are approved for use on a per-department, per-user, or per-project basis.
Amazon Inspector
• Vulnerability assessment service: the Inspector service collects findings from Inspector agents running on EC2 instances and produces a report.
• On-demand pricing model.
• Rules packages based on CVE (Common Vulnerabilities and Exposures) and CIS (Center for Internet Security) benchmarks.

Use cases | Network reachability (access to instances) | Host assessments (vulnerabilities on instances)
Before deployment | Validate the network; find unexpected exposure | Check golden AMIs; DevOps pipeline
Migration | Find VPC configuration mistakes | Check for software changes; new (zero-day) vulnerabilities
Production | Check that no exposures have opened up | Check for software changes; new (zero-day) vulnerabilities

https://aws.amazon.com/inspector/
AWS WAF - Web application firewall
AWS Shield and AWS Shield Advanced

DDoS: Distributed Denial of Service. Shield protects against botnets and massive volumetric attacks.

Shield Standard
• Always-on detection
• Defends against common (layer 3/4) attacks
• No cost

Shield Advanced
• DDoS Response Team 24x7
• DDoS cost protection
• Global availability

Benefits of AWS Shield Standard and Shield Advanced
• Basic L3-4 protection for AWS infrastructure (Standard)
• Faster mitigation for your applications
• L3-7 protection for your applications
• Shield Advanced environment dashboard
• DDoS threat event notification via CloudWatch
• 24x7 access to the Shield Response Team (SRT)
• L3-4 adaptive protection for protected resources: Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, Elastic IP addresses, Elastic Load Balancing
• L7 anomaly detection via AWS WAF
• Health-based detection
• Proactive event response
• Central configuration and compliance: AWS WAF and AWS Firewall Manager cost included with the Shield Advanced subscription, at no charge for Shield Advanced protected resources
• Cost protection for scaling during an attack

Protecting the application perimeter (Shield Advanced includes AWS WAF and AWS Firewall Manager at no additional cost)
• AWS WAF: protects web applications by allowing you to write custom rules or choose managed rules from AWS or the AWS Marketplace.
• AWS Shield Advanced: managed threat protection that blocks DDoS attacks, vulnerability exploitation, and bad bots.
• AWS Firewall Manager: centrally configure and manage security rules across accounts and applications.
AWS Compliance Resources
• 58+ certifications
• 203 security certifications and accreditations.
• 2,600 controls audited annually.
• Audit and compliance reports are available to customers in the AWS service portal, AWS Artifact.
https://aws.amazon.com/compliance/
On-Demand Access to Compliance Reports
AWS Artifact: download compliance reports on demand.
Module 3: AWS Architecture and Services

AWS Cloud Hierarchy
• Global services > Regional > VPC > AZ > Host
• Global: Route 53 (DNS), CloudFront
• Region: S3 buckets, AMI images
• AZ: EC2/RDS instances, EBS volumes, containers
• Host: host applications, anti-virus, licenses
Use Multi-AZ Patterns to Increase Reliability
Example (Application 1): the same tier layout is deployed in two Availability Zones, AZ A and AZ B.
• Public subnet in each AZ: web app proxy, Remote Desktop gateway
• Private subnet in each AZ: web server (IIS), application server, Microsoft SQL Server
• The corporate network and corporate services connect to both AZs.
Tools for Migrations
• Server Migration Service: migrates VMware virtual machines to AWS.
• Database Migration Service: replicates from a source DB to a target DB.
• Snowball: secure, fast, offline transfer for sites with low-bandwidth uplinks. Sizes: 50 TB, 80 TB, 100 TB.
AWS Services by Category
• Compute: Amazon EC2, Amazon ECS, Auto Scaling, AWS Lambda
• Storage: Amazon Glacier, Amazon EBS, Amazon EFS, Amazon S3, AWS Storage Gateway
• Networking: Elastic Load Balancing*, Application Load Balancer, Amazon Route 53, Amazon VPC*, AWS Direct Connect, VPN connection
• Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache
• Security: Amazon IAM, AWS WAF, AWS KMS, AWS Shield
• Management: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, Amazon EC2 Systems Manager
AWS Compute Services
• How will you deliver the application executables?
• Instances: Amazon EC2
• Containers: Amazon ECS, Amazon EKS; AWS Fargate
• Serverless: AWS Lambda
Amazon EC2
• Amazon Elastic Compute Cloud (Amazon EC2)
• Virtual machine instance running on an AWS hypervisor
• Supports numerous distributions of Linux and Microsoft Windows
• Complete control of your guest operating system with root and Administrator accounts
• You are responsible for all installed applications (and for patching the guest OS, per the shared responsibility model)
https://aws.amazon.com/ec2/
Amazon EC2 Platform
• Virtual machine instance.
• Linux and Microsoft Windows AMIs.
  – Amazon Machine Image: the image of the operating system (e.g. Windows Server) that will be loaded in the instance.
• The client has full control of the operating system and its applications as admin.
• Multiple types and sizes of instances.
• Remote access via SSH or Remote Desktop.
https://aws.amazon.com/ec2/

Amazon Machine Image (AMI)
• Defines which OS to use (Linux, Windows).
• Public and private AMIs.
• Selected during the instance launch process.
Broadest and deepest platform choice: more than 275 instance types for virtually every workload and business need

• Categories: general purpose; burstable; compute intensive; memory intensive; storage (high I/O); accelerated computing (GPUs and FPGA); dense storage; GPU compute; graphics intensive.
• Capabilities: choice of processor (AWS, Intel, AMD); fast processors (up to 4.0 GHz); high memory footprint (up to 12 TiB); instance storage (HDD and SSD); networking (up to 100 Gbps); bare metal; size (nano to 32xlarge).
• Options: Amazon EBS; Amazon Elastic Inference.
AWS Instance Launch
• Amazon EC2 instances can be launched from the console, the AWS CLI, or an AWS SDK.

AWS CLI
• Can be installed on Windows, Linux, macOS, or Unix.
• Requires Python 2 version 2.6.5+ or Python 3 version 3.3+ (AWS CLI v1; v2 bundles its own runtime).
• Easy installation using 'pip'.
• Authenticates with a programmatic access key (access key ID + secret access key) created for an IAM user: IAM > Users > 'user' > Security Credentials > Access keys.
• Access keys are long-lived credentials: protect them like passwords, rotate them, and prefer IAM roles (temporary credentials) for workloads that run on AWS.
Amazon EC2 - Remote Access
• When the instance is created you define which key pair will be used to access it.
• "A key pair consists of a public key that AWS stores, and a private key file stored by the user."
• Linux: SSH (command line), TCP port 22; the client authenticates with the private key.
• Windows: RDP (Remote Desktop), TCP port 3389; the Administrator password is decrypted with the private key.
Scalability aspects
There are different ways to scale a solution:

Scale up (vertical) | Scale out (horizontal)
Larger instances (more vCPU, RAM) | Add more instances
Instance restart required | No instance restart
Monolithic or session-based applications | Distributed applications, more resiliency
Add more computing power | Auto Scaling (an Auto Scaling group of EC2 instances)
Scale down is the reverse | Scale in is the reverse
Auto Scaling
• Automatically launches or terminates Amazon EC2 instances
• Driven by user-defined policies based on CloudWatch alarms
• Health status checks
• Schedules
• Manually, using set-desired-capacity in the CLI
Scale out to meet demand, scale in to reduce costs.

How Does Auto Scaling Work?
1. What: launch configuration (AMI, instance type, etc.).
2. Where: Auto Scaling group, which defines the name, launch configuration name, min and max size, AZ or subnet, load balancer, desired capacity, etc.
3. When: an Auto Scaling policy specifies when to increase or decrease the number of Amazon EC2 instances based on CloudWatch alarms; a scheduled action tells Auto Scaling to perform a scaling action at a certain time in the future (minimum, maximum and desired size for the ASG).

Auto Scaling: Maximum Capacity Size
• Auto Scaling group: minimum = 2, maximum = 12, spread over Availability Zone 1 and Availability Zone 2.
• Auto Scaling policy: when CPU utilization is greater than 60%, add 100% of the group (double the capacity).
• CPU utilization triggers the alarm: capacity is doubled until CPU utilization drops below 60% or the maximum capacity is reached.
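The doubling policy above, simulated in code. This is an added example, not AWS code or part of the original deck: the group limits (min 2, max 12) and the "add 100% of the group when CPU > 60%" policy come from the slide; the scale-in rule (remove one instance when CPU falls below 20%), the per-sample cooldown and the CPU samples are assumptions constructed for the demo.

```python
"""Simulation of an EC2 Auto Scaling group driven by a CloudWatch-style CPU alarm.
Added example, not AWS code. min=2, max=12 and 'add 100% when CPU > 60%' are from
the slide; the scale-in rule, the cooldown and the CPU samples are assumptions."""
from dataclasses import dataclass, field


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    history: list = field(default_factory=list)

    def set_desired_capacity(self, n: int) -> int:
        """Like the service, clamp the requested capacity into [min_size, max_size]."""
        self.desired = max(self.min_size, min(self.max_size, n))
        self.history.append(self.desired)
        return self.desired

    def scale_out_percent(self, pct: int) -> int:
        """'Add N% of the group': at least one instance is added, even for tiny groups."""
        add = max(1, round(self.desired * pct / 100))
        return self.set_desired_capacity(self.desired + add)

    def scale_in(self, n: int = 1) -> int:
        return self.set_desired_capacity(self.desired - n)


def run_policy(group, cpu_samples, high=60.0, low=20.0, cooldown=0):
    """Feed average-CPU samples (one per alarm period) to the group and return
    the desired capacity after each sample. 'cooldown' is the number of samples
    ignored after a scaling action, a simple stand-in for the real cooldown timer
    (assumption, not the service's exact behaviour)."""
    quiet = 0
    out = []
    for cpu in cpu_samples:
        if quiet > 0:
            quiet -= 1                       # still cooling down: no action
        elif cpu > high:
            group.scale_out_percent(100)     # the slide's policy: double the group
            quiet = cooldown
        elif cpu < low:
            group.scale_in(1)                # scale in to reduce costs
            quiet = cooldown
        out.append(group.desired)
    return out


def demo():
    """Constructed CPU samples: a burst of load, then idle."""
    group = AutoScalingGroup(min_size=2, max_size=12, desired=2)
    return run_policy(group, [70, 75, 80, 85, 30, 10, 10, 10])


if __name__ == "__main__":
    # 2 -> 4 -> 8 -> 12 (16 is clamped to the maximum) -> 12 -> 11 -> 10 -> 9
    print(demo())
```

The run shows the two properties the slide is making: the group doubles on each alarm period until the maximum of 12 caps it, and it never scales below the minimum of 2 however long the CPU stays low.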
Virtual machine versus containers
• VM: Server (host) > Host OS > Hypervisor > one Guest OS per VM > Bins/Libs > App (App 1, App 2, App 3 each carry their own guest OS).
• Container: Server (host) > Host OS > Docker > per-container Bins/Libs > App (App 1, App 2, App 3 share the host kernel).
Amazon ECS: the easiest way to deploy and manage containers
1. Integration with the entire AWS platform: ALB, Auto Scaling, Step Functions, Batch, CloudFormation, CloudTrail, CloudWatch Events, CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot, IAM, NLB, Parameter Store.
2. Scales to support clusters of any size.
3. Service integrations (like ALB and NLB) are at the container level.

Amazon EKS
• Managed Kubernetes control plane: kubectl talks to mycluster.eks.amazonaws.com; the EKS worker nodes run in your AWS account across AZ 1, AZ 2 and AZ 3.

AWS Fargate
• No infrastructure to manage; manage everything at the container level.
• Launch quickly, scale easily, containers on demand, resource-based pricing.

So you want to run a (managed) container on Amazon container services:
1. Choose your orchestration tool: ECS or EKS.
2. Choose your launch type: EC2 or Fargate (ECS); EC2 (EKS).
AWS Lambda: Serverless Compute
• No servers to manage
• Continuous scaling
• Pay only for the compute time used
AWS Lambda video: https://www.youtube.com/watch?v=eOBq__h4OJ4 (3:01)

Use cases:
• Building modular, scalable, lightweight applications
• Serverless data processing on demand
• Data validation, filtering, sorting, or other transformations
• Image thumbnailing, in-app activity, website clicks, or output from devices
https://aws.amazon.com/lambda/
AWS Storage Services
Storage Options
• File: Amazon EFS
• Block: Amazon EBS, Amazon EC2 instance store
• Object: Amazon S3, Amazon Glacier
Data transfer: AWS Direct Connect, AWS Snowball, S3 Transfer Acceleration, Storage Gateway, Amazon Kinesis Firehose, ISV connectors
What is Amazon Elastic Block Store (EBS)?
• Block storage as a service
• Create volumes and attach them to an EC2 instance through an API
• The service is accessed over the network
• Volume and instance must be in the same Availability Zone (within an AWS Region)
• A volume can be detached and attached between instances

EBS volume types
• SSD: gp2 (General Purpose SSD), io1 (Provisioned IOPS SSD)
• HDD: st1 (Throughput Optimized HDD), sc1 (Cold HDD)
EBS Encryption
• Boot and data volumes can be encrypted
• Encrypted and unencrypted volumes can be attached to the same instance
• No volume performance impact
• Supported by all Amazon EBS volume types
• Snapshots of encrypted volumes are also encrypted, as are volumes created from them

Amazon EBS Snapshot
• Point-in-time backup of a volume
• Stored in Amazon S3 (low-cost, highly durable backup of data)
• Snapshots can be used to create new volumes
Amazon EFS
• Amazon Elastic File System: file system as a service
• Fully managed: no hardware, network or file layer to operate
• No need to provision storage in advance
• Create a scalable file system in seconds
• Simple pricing: pay for the storage actually consumed
• Multiple EC2 instances (EC2-Inst1, EC2-Inst2, EC2-Inst3) can access it at the same time
Amazon S3 - Simple Storage Service
99.999999999% durability and 99.99% availability of objects over a given year
• Storage of any type of file (objects).
• There is no limit on the number of objects or total space.
• Objects are stored redundantly on multiple devices across a minimum of 3 Availability Zones (AZs) (except in the One Zone-IA class).
• Uses a bucket concept: objects live in buckets.
Amazon S3 Features
• Event notifications
• Cross-region replication
• S3 Transfer Acceleration
• VPC endpoint for Amazon S3
• Amazon CloudWatch and AWS CloudTrail support
• Lifecycle policy
• Incomplete multipart upload expiration
• Expired object delete marker
S3 Transfer Acceleration: faster upload over long distances
• Change your endpoint, not your code
• No firewall changes or client software
• Optimized throughput: the uploader sends to the nearest AWS edge location (166 global edge locations), which forwards the data to the S3 bucket
• Longer distance, larger files, more benefit
• Faster or free
Try it at S3speedtest.com
Amazon S3 Storage Classes

Class | Data | Storage price | Retrieval
S3 Standard | "Hot" data: active and/or temporary | $0.023/GB per month | none
S3 Standard-IA | "Warm" data: infrequently accessed | $0.0125/GB per month | $0.01/GB
S3 One Zone-IA | "Warm" data: infrequently accessed, non-critical | $0.0100/GB per month | $0.01/GB
Glacier | "Cold" data: archive and compliance | $0.004/GB per month | Expedited (1~5 min) $0.03/GB; Standard (3~5 h) $0.01/GB; Bulk (5~12 h) $0.0025/GB
Glacier Deep Archive | "Cold" data: archive and compliance | $0.00099/GB per month | 3 - 12 hours; $0.02/GB, $0.025/GB

• Durable: 99.999999999% for all classes
• Available: S3 Standard 99.99%, S3 Standard-IA 99.9%, S3 One Zone-IA 99.5%
• Performant: low latency, high throughput
• Scalable: elastic capacity, no preset limits
S3 Storage Classes: Object Lifecycle Management
• Classes: S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One Zone-IA
• Define rules to transition objects from one storage class to another as they age, to save on storage costs.
https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-transition-general-considerations.html
Amazon S3 Security
• You can control access to buckets and objects with:
  – Access Control Lists (ACLs): legacy per-object and per-bucket permissions (AWS now recommends disabling ACLs and relying on policies)
  – Bucket policies: resource-based policies that can grant cross-account access without using IAM roles
  – Identity and Access Management (IAM) policies attached to users, groups and roles
• Access is decided by combining all applicable policies: an explicit Deny always wins; otherwise an Allow is required; otherwise the request is denied by default.
• You can upload or download data to Amazon S3 via SSL/TLS-encrypted endpoints (and a bucket policy can deny requests that do not use TLS).
• You can encrypt data client-side using the AWS SDKs before uploading, or use server-side encryption.
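How the IAM policy and the bucket policy combine, worked through in code. This is an added example, not AWS's policy engine or code from the deck: it models only the parts of IAM evaluation the slide relies on (explicit Deny wins, then Allow, then implicit deny; Action and Resource wildcards; the Bool condition on aws:SecureTransport). Principal matching is not modelled (the bucket policy uses "*"), and the bucket name, object key and requests are constructed for the demo.

```python
"""Reduced model of how S3 access is decided when an IAM identity policy and a
bucket policy both apply. Added example, not AWS code; the bucket name and
requests below are made up."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-corp-logs"   # assumed bucket name

# Identity-based (IAM) policy attached to a user: read-only on one bucket.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}

# Resource-based bucket policy: refuse anything not sent over TLS.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Only the 'Bool' operator is modelled; every key in the block must hold.
    A missing context key never satisfies a Bool condition (no IfExists)."""
    for op, pairs in cond.items():
        if op != "Bool":
            raise NotImplementedError(op)
        for key, want in pairs.items():
            if str(ctx.get(key, "")).lower() != str(want).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx):
    """IAM decision logic: an explicit Deny wins over everything, any Allow
    grants access, and with no matching statement the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


def decide():
    """Four constructed requests evaluated against both policies."""
    policies = [IAM_POLICY, BUCKET_POLICY]
    obj = BUCKET + "/2024/app.log"
    tls, plain = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    return {
        "get_over_tls": evaluate(policies, "s3:GetObject", obj, tls),        # Allow
        "get_over_http": evaluate(policies, "s3:GetObject", obj, plain),     # ExplicitDeny
        "put_over_tls": evaluate(policies, "s3:PutObject", obj, tls),        # ImplicitDeny
        "other_bucket": evaluate(policies, "s3:GetObject",
                                 "arn:aws:s3:::other-bucket/x", tls),        # ImplicitDeny
    }


if __name__ == "__main__":
    for name, outcome in decide().items():
        print(f"{name:14} {outcome}")
```

The second request is the one worth remembering: the IAM policy allows the read, yet the plaintext request is refused because the bucket policy's Deny takes precedence over any Allow; the last two show that having no matching Allow at all is also a denial, just not an explicit one.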
Amazon S3 Glacier
• Long-term storage solution: archiving and backup.
• Low cost.
• 99.999999999% durability of objects over a given year.
• Data is retrieved by executing archive retrieval jobs: you request object IDs (e.g. 001, 025, 150, 400) and the archives are ready to download when the job completes.
  – Expedited: 1~5 min
  – Standard: 3~5 hours
  – Bulk: 5~12 hours
Storage Gateway
Hybrid storage: an application server in the customer data center talks to the AWS Storage Gateway over NFS/SMB or iSCSI, and the gateway stores the data in Amazon S3, S3-IA or Amazon Glacier, reached over Direct Connect or the internet into a VPC.

File Gateway
• Presents NFS/SMB file shares backed by objects in S3.
Volume Gateway
• Cached and stored modes.
• Integrates using iSCSI.
• EBS block-based snapshots of your data.
• Integrated with AWS Backup.
Tape Gateway
• Virtual tape library accessed over iSCSI.
• Low-effort migration to cloud backup.
• Reduce datacenter infrastructure.

Benefits: backup to the cloud; big data, ML and analytics initiatives; high data durability; compliance; reduced operational burden.
AWS Networking Services
Amazon VPC
• Provision a logically isolated section of the AWS cloud
• Control your virtual networking environment: subnets, route tables, security groups, network ACLs
• Connect to your on-premises network via VPN or Direct Connect
• Control if and how your instances access the Internet
Components: router, internet gateway, customer gateway, virtual private gateway, VPN connection, VPC peering
https://aws.amazon.com/vpc/
VPCs as Strategy
Quick Start design with separate Test, Production and Development VPCs. In the Test VPC (subnets in us-east-1b and us-east-1c): a NAT gateway for outbound access from private subnets, a bastion host for administrative access by users, and a potential place for security appliances for monitoring, logging, etc. Logs are archived to an S3 bucket with lifecycle policies that move them to Glacier; AWS Config Rules, CloudTrail and CloudWatch Alarms provide the governance layer.
Security in Your VPC
• Security groups: virtual firewalls attached to instances; stateful (the return traffic of an allowed connection is allowed automatically); allow rules only.
• Network access control lists (ACLs): attached to subnets (10.0.0.0/24 and 10.0.1.0/24 in the diagram); stateless; numbered allow and deny rules evaluated in order, with a final "*" deny.
• Route tables direct traffic between the subnets, the VPC router, the VPN gateway and the internet gateway (VPC 10.0.0.0/16).

Security group inbound rules
Protocol | Port range | Source
TCP | 443 | <Source_IPs>

Network ACL inbound rules
Rule # | Source IP | Protocol | Port | Allow/Deny
100 | 0.0.0.0/0 | All | All | ALLOW
* | 0.0.0.0/0 | All | All | DENY

Network ACL outbound rules
Rule # | Dest IP | Protocol | Port | Allow/Deny
100 | 0.0.0.0/0 | All | All | ALLOW
* | 0.0.0.0/0 | All | All | DENY
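The stateful-versus-stateless distinction above, modelled in code. This is an added example, not AWS code or part of the deck: it simulates how a security group (allow-only, connection-tracked) and a network ACL (numbered rules, first match, implicit deny, no connection tracking) decide on a packet. The security group is the slide's "TCP 443 from <Source_IPs>" rule with an empty outbound list, which is enough to show why the reply still gets out; the NACL is a tightened variant of the slide's allow-all one, constructed to show the ephemeral-port mistake. The addresses are RFC 5737 documentation ranges.

```python
"""Model of security-group (stateful) vs network-ACL (stateless) evaluation.
Added example, not AWS code. Rule sets and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp"
    sport: int
    dport: int


def _match(proto, port_from, port_to, cidr, pkt, direction):
    """Shared matcher: protocol, destination port range, and the peer address
    (source for inbound rules, destination for outbound rules) inside the CIDR."""
    if proto != "all" and proto != pkt.proto:
        return False
    if proto != "all" and not (port_from <= pkt.dport <= port_to):
        return False
    peer = pkt.src if direction == "in" else pkt.dst
    return ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class SGRule:
    proto: str
    port_from: int
    port_to: int
    cidr: str


class SecurityGroup:
    """Allow rules only; a packet that is the reply of a tracked flow always passes."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()

    def allows(self, pkt, direction):
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.flows:
            return True           # connection tracking: no explicit rule needed
        rules = self.inbound if direction == "in" else self.outbound
        if any(_match(r.proto, r.port_from, r.port_to, r.cidr, pkt, direction) for r in rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False              # no matching allow rule: dropped


@dataclass(frozen=True)
class NaclRule:
    number: int
    action: str      # "ALLOW" or "DENY"
    proto: str
    port_from: int
    port_to: int
    cidr: str


class NetworkAcl:
    """Lowest rule number first, first match wins, the '*' rule denies the rest."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        for r in (self.inbound if direction == "in" else self.outbound):
            if _match(r.proto, r.port_from, r.port_to, r.cidr, pkt, direction):
                return r.action == "ALLOW"
        return False              # implicit '*' DENY; nothing is tracked


def demo():
    request = Packet("203.0.113.10", "10.0.0.5", "tcp", 51515, 443)
    reply = Packet("10.0.0.5", "203.0.113.10", "tcp", 443, 51515)
    stranger = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 443)

    # The slide's security group: TCP 443 from <Source_IPs>, no outbound rules at all.
    sg = SecurityGroup(inbound=[SGRule("tcp", 443, 443, "203.0.113.0/24")], outbound=[])

    # A tightened NACL: 443 in, one CIDR blocked first, and nothing allowed out.
    strict = NetworkAcl(
        inbound=[NaclRule(90, "DENY", "tcp", 443, 443, "198.51.100.0/24"),
                 NaclRule(100, "ALLOW", "tcp", 443, 443, "0.0.0.0/0")],
        outbound=[])
    # The fix: return traffic to ephemeral ports must be allowed explicitly.
    fixed = NetworkAcl(inbound=strict.inbound,
                       outbound=[NaclRule(100, "ALLOW", "tcp", 1024, 65535, "0.0.0.0/0")])

    return {
        "sg_request_in": sg.allows(request, "in"),              # True
        "sg_reply_out": sg.allows(reply, "out"),                # True: stateful
        "sg_stranger_in": sg.allows(stranger, "in"),            # False: not in CIDR
        "nacl_request_in": strict.allows(request, "in"),        # True: rule 100
        "nacl_reply_out_missing": strict.allows(reply, "out"),  # False: stateless
        "nacl_reply_out_fixed": fixed.allows(reply, "out"),     # True
        "nacl_stranger_in": strict.allows(stranger, "in"),      # False: rule 90 first
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY'}")
```

Two things to take from the run: the security group lets the HTTPS reply out with no outbound rule at all, because it tracks the inbound connection; the network ACL, which tracks nothing, silently drops that same reply until an outbound rule for the ephemeral port range (1024-65535) is added. Rule ordering matters for NACLs too: rule 90's DENY is evaluated before rule 100's ALLOW, so the blocked CIDR never reaches the allow.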
Application Load Balancer: How It Works
• The load balancer routes requests at the application layer (HTTP/HTTPS).
• Register instances as targets in a target group, and route traffic to a target group.
• Listener rules route by path (e.g. /api, /mobile) to different target groups; each target group has its own health check.

Network Load Balancer
• Register instances as targets in a target group, and route traffic to a target group.
• The load balancer routes requests at the transport layer (TCP).
Amazon CloudFront
• Content delivery network (CDN) with optimization
• Distribute content to end users with low latency and high data transfer rates
• Broad geographic presence beyond AWS Regions
• Accelerate data uploaded from end users
• Use cases:
  – Accelerating web application performance
  – Caching static web content and frequent database query results
  – Offloading TLS termination
https://aws.amazon.com/cloudfront/
Amazon Route 53
• Global Domain Name System (DNS) service
• Highly available and scalable: 100% availability SLA
• Critical tool integrated with many AWS services
https://aws.amazon.com/route53/
AWS Database Services
Amazon RDS

• Relational databases
• Fully managed and secure
• Fast, predictable performance
Amazon
• Simple and fast to scale
Aurora
Amazon
• Low cost, pay for what you use
RDS

https://aws.amazon.com/rds/
108
Amazon RDS
Managed relational database service with a choice of six popular database engines (Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server)

• Easy to administer: easily deploy and maintain hardware, OS and DB software; built-in monitoring
• Secure & compliant: data encryption at rest and in transit; industry compliance and assurance programs
• Available & durable: automatic Multi-AZ data replication; automated backup, snapshots, failover
• Performant & scalable: scale compute and storage with a few clicks; minimal downtime for your application
Amazon RDS: Replication and Failover
RDS Multi-AZ option – avoid a single point of failure: a synchronous standby replica is kept in a second Availability Zone, and the DB endpoint fails over to it automatically.
Amazon RDS Read Replicas
Read scaling and disaster recovery

RDS for MySQL, PostgreSQL, MariaDB, and Oracle
• Relieve pressure on your primary node with additional read capacity
• Bring data close to your applications in different Regions
• Promote a read replica to a standalone primary for faster recovery in the event of disaster

Diagram: read/write primary → asynchronous replication → read-only replica serving a BI/reporting application server.
Amazon Aurora
Delivered as a managed service on top of RDS

• Speed and availability of high-end commercial databases
• Up to 64 TiB of auto-scaling SSD storage
• Automatic backup (retention 1–35 days)
• Automatic upgrades
• Drop-in compatibility with MySQL and PostgreSQL
• Simple pay-as-you-go pricing
• Natively distributed: 6 copies of data across 3 AZs
• Up to 15 read replicas
Amazon DynamoDB

Fully managed NoSQL database
• Fast, consistent performance
• Highly scalable
• Flexible
• Event-driven programming
• Fine-grained access control
• Consistently low latency at scale: predictable performance
Amazon ElastiCache
• A fully managed in-memory data store or cache environment in the cloud (Redis or Memcached engines).
• Improves performance by retrieving data from high-throughput, low-latency in-memory data stores.
• Use cases:
  – Gaming
  – Ad-Tech
  – Financial Services
  – Healthcare
  – IoT

https://aws.amazon.com/elasticache/
AWS Security Services

Security column of the service overview: IAM, AWS WAF, AWS KMS, AWS Shield
The Layered Security Approach
• Secured infrastructure (AWS's side of the shared responsibility model)
  – Secured endpoints
  – Compliance alignments and frameworks
  – Certifications and attestations
• VPC
  – Workload isolation
• Security group
  – Port/protocol filtering at the instance's network interface (stateful)
• Instance firewall
  – Rule-based protection at the OS level

Diagram: instance firewall inside security group inside subnet inside VPC. Each layer is an independent control, so a mistake in one layer is caught by the next.
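The security-group layer is the one most often misconfigured in practice (an administrative port opened to 0.0.0.0/0 "for a quick test"). The following is an added example, not part of the course deck: it audits ingress rules in the shape that boto3's ec2.describe_security_groups() returns and flags administrative ports reachable from any address. The group ids, names and rules are constructed sample data, and the PUBLIC_WEB_PORTS / ADMIN_PORTS lists are this check's own assumptions.

```python
"""Audit security-group ingress rules for world-open administrative ports.

Added example (not from the course deck). The rule dictionaries follow the
shape boto3's ec2.describe_security_groups() returns under "SecurityGroups",
but the data below is constructed inline so the check runs offline.
"""
import ipaddress

# Ports normally acceptable from the whole internet on a public web tier (assumption).
PUBLIC_WEB_PORTS = {80, 443}
# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumption).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports(perm: dict) -> range:
    """Port numbers one IpPermissions entry covers; protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_group(sg: dict) -> list:
    """Return findings (dicts) for ingress rules exposing admin ports to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if _is_world_open(c)]
        if not world:
            continue  # only reachable from specific networks: not a finding here
        covered = _ports(perm)
        exposed = sorted(p for p in ADMIN_PORTS if p in covered)
        if perm.get("IpProtocol") == "-1":
            exposed = ["all"]  # every port and protocol, worse than any single port
        if exposed:
            findings.append({"GroupId": sg["GroupId"], "cidrs": world, "ports": exposed})
    return findings


# Constructed sample groups: a hardened web-tier group (443 from anywhere, SSH only
# from the corporate range) and a group that exposes SSH and then all traffic.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bad", "GroupName": "quick-test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def audit_all(groups=SAMPLE_GROUPS) -> list:
    """Audit every group; pass the real 'SecurityGroups' list from boto3 in practice."""
    return [f for sg in groups for f in audit_security_group(sg)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['GroupId']}: ports {f['ports']} open to {', '.join(f['cidrs'])}")
```

Run as-is it reports the two rules of sg-bad and nothing for sg-web. A world-open security group is still backed by the instance-firewall layer from the slide, which is exactly why the deck calls the approach layered; the check just makes sure the middle layer is not silently relying on the inner one.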
AWS Identity & Access Management (IAM)
A core AWS security service.

Defines who (users, groups, roles) can do what (API actions on which resources) in the AWS Management Console, the CLI, the SDKs and other management tools.

Example from the slide:
• Admin group: Mike, Travis. Attached policy: AdministratorAccess.
• Support group: John, Mike, Sup1, Theresa. Attached policy: SupportUsers, an excerpt of which is:

  "Action": [
      "support:*",
      "acm:DescribeCertificate",
      "acm:GetCertificate",
      "acm:List*",
      "apigateway:GET",
      "appstream:Get*",
      "autoscaling:Describe*",
      "aws-marketplace:ViewSubscriptions",
      "cloudformation:Describe*",
      ...

https://aws.amazon.com/iam/
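The policy excerpt and group membership on the slide invite the question the exam likes to ask: what can Mike, who is in both groups, actually do? The following is an added example, not from the deck and not AWS's own policy engine: it implements the documented evaluation order for identity-based policies (explicit Deny wins, otherwise an Allow must match, otherwise implicit deny) over the excerpt shown. DENY_IAM_WRITES is a hypothetical guard-rail policy added here to show that an explicit Deny beats AdministratorAccess; Resource and Condition elements are ignored, which the real engine also evaluates.

```python
"""Evaluate IAM identity-based policies the way the deck's groups use them.

Added example, not part of the course deck and not AWS's policy engine.
Evaluation order for one request: an explicit Deny in any attached policy
wins, otherwise some Allow must match, otherwise the action is implicitly
denied. Every statement is treated as "Resource": "*" and Conditions are ignored.
"""
import fnmatch
import json

# Excerpt of the SupportUsers policy exactly as far as the slide shows it
# (the slide's excerpt ends with "...", so the remaining actions are not listed).
SUPPORT_USERS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
     "support:*", "acm:DescribeCertificate", "acm:GetCertificate", "acm:List*",
     "apigateway:GET", "appstream:Get*", "autoscaling:Describe*",
     "aws-marketplace:ViewSubscriptions", "cloudformation:Describe*"]}]}
""")

# AdministratorAccess (attached to the Admin group on the slide) is a single Allow *.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Hypothetical guard-rail policy (not on the slide): explicitly deny IAM changes.
DENY_IAM_WRITES = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny", "Resource": "*",
                                  "Action": ["iam:Create*", "iam:Delete*", "iam:Put*", "iam:Attach*"]}]}


def _as_list(value):
    """IAM allows a single string wherever it allows a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt: dict, action: str) -> bool:
    if "NotAction" in stmt:  # NotAction matches everything except the listed actions
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt["Action"]))


def is_allowed(policies, action: str) -> bool:
    """Union of all attached policies; explicit Deny > Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny ends the evaluation immediately
            allowed = True
    return allowed


def effective_permissions(policies, actions) -> dict:
    """action -> 'ALLOW' / 'DENY' for a quick table of a principal's permissions."""
    return {a: ("ALLOW" if is_allowed(policies, a) else "DENY") for a in actions}


if __name__ == "__main__":
    probes = ["support:DescribeCases", "acm:ListCertificates", "acm:RequestCertificate",
              "iam:CreateUser", "s3:ListAllMyBuckets"]
    print("Support group :", effective_permissions([SUPPORT_USERS], probes))
    print("Admin group   :", effective_permissions([ADMINISTRATOR_ACCESS], probes))
    print("Admin + guard :", effective_permissions([ADMINISTRATOR_ACCESS, DENY_IAM_WRITES], probes))
    # Mike is in both groups on the slide: his permissions are the union of both policies.
    print("Mike          :", effective_permissions([ADMINISTRATOR_ACCESS, SUPPORT_USERS], probes))
```

Two things the output makes visible: the Support group can list ACM certificates (acm:List*) but not request one, and membership in the Admin group makes the SupportUsers policy irrelevant for Mike, which is the least-privilege argument for not putting one person in both groups.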
IAM Root User Best Practices

• The root user is the identity created with the account (email + password)
• Do not use the root user for your everyday tasks
• Securely lock away the root user credentials
  – Delete any programmatic (access) keys for the root user
  – Enable MFA on the root user
  – Change the root password to a strong, unique password

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Roles Best Practices
An IAM role is an identity that can be assumed by whoever needs it, for example users, applications, AWS services and federated users.

• A role has no long-term password and no long-term access keys.
• Assuming a role returns temporary security credentials that expire automatically.

Diagram: application code on an EC2 instance assumes an IAM role, receives temporary credentials, and uses them for API calls against an S3 bucket (create, delete, change bucket).
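The root-user and roles slides come down to one recurring check: the root user should have MFA and no access keys, and everyone else should prefer roles (temporary credentials) over long-term keys. The following is an added example, not part of the course deck, that runs that check over an IAM credential report. The CSV is constructed sample data using the real report's column names; in practice the text comes from iam.get_credential_report()['Content'] after iam.generate_credential_report(). The 90-day rotation limit is this check's own assumption.

```python
"""Flag root-user and long-term-credential hygiene issues in an IAM credential report.

Added example, not part of the course deck. SAMPLE_REPORT mimics the CSV that
iam.get_credential_report() returns (header columns are the real ones, the
rows are invented), so the check runs offline without an AWS account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumption: the rotation policy this check enforces

# Constructed sample report: root with an active key and no MFA, a well-kept user, and a neglected one.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2019-06-01T09:00:00+00:00,not_supported,not_supported,false,true,2018-01-01T00:00:00+00:00,2019-05-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
mike,arn:aws:iam::123456789012:user/mike,2018-03-01T00:00:00+00:00,true,2019-06-02T08:00:00+00:00,2019-05-01T00:00:00+00:00,2019-08-01T00:00:00+00:00,true,true,2019-05-20T00:00:00+00:00,2019-06-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
sup1,arn:aws:iam::123456789012:user/sup1,2018-03-01T00:00:00+00:00,true,2019-06-02T08:00:00+00:00,2018-03-01T00:00:00+00:00,2018-06-01T00:00:00+00:00,false,true,2018-03-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

_EMPTY = ("", "N/A", "not_supported", "no_information")


def _parse(ts):
    """ISO-8601 timestamp from the report, or None for the report's placeholder values."""
    return None if ts in _EMPTY else datetime.fromisoformat(ts)


def check_credential_report(report_csv: str, now=None) -> list:
    """Return (user, finding) tuples; `now` may be an ISO string, a datetime, or None (current time)."""
    if isinstance(now, str):
        now = _parse(now)
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root user has no MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root should have no programmatic keys at all, regardless of age
                findings.append((user, f"root access key {n} should be deleted"))
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days"))
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, f"access key {n} active but never used"))
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in check_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

An active key that has never been used is the cheapest finding to fix (delete it) and a frequent one, because keys tend to be created "just in case"; the slide's answer is to give the workload a role instead and let STS issue credentials that expire on their own.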


AWS Key Management Service (AWS KMS)
• Data encryption with KMS
• Managed service to create and use encryption keys
• Integrated with many AWS services
• Integrated with AWS CloudTrail
  – provides auditable logs of key usage

https://aws.amazon.com/kms/
AWS Management Services

Management column of the service overview: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, Amazon EC2 Systems Manager
Amazon CloudWatch

• Monitoring service for AWS cloud resources and applications
• Collect and track metrics, monitor log files, and set alarms
• Gain visibility into resource utilization, application performance, and operational health
• Set alarms to send notifications or take other automated actions
• Supports custom dashboards
• Use cases:
  – Cost management; billing alerts

https://aws.amazon.com/cloudwatch/
AWS CloudTrail
• Provides the event history of AWS account activity ("Who did that?!")
• Logs API calls: who called what, when, and from where
• Enables governance, compliance and audit
• Security analysis
• Tracking of resource changes
• Troubleshooting
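The KMS slide's CloudTrail integration and CloudTrail's "Who did that?!" answer the same question: which principal used which key, and who was refused. The following is an added example, not part of the course deck, that summarises KMS activity from records in the CloudTrail log-file format. The records are constructed here (identities, IP addresses and the key id are invented; field names follow the real schema); in practice they come from the JSON files CloudTrail delivers to S3 or from the lookup_events API.

```python
"""Summarise KMS key usage from CloudTrail records and surface denied attempts.

Added example, not part of the course deck. SAMPLE_LOG is constructed in the
CloudTrail log-file format (a JSON object with a "Records" list); the field
names are the real ones, the principals, IPs and key id are invented.
"""
from collections import Counter, defaultdict

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc123"
MIKE = "arn:aws:iam::123456789012:user/mike"
SUP1 = "arn:aws:iam::123456789012:user/sup1"

# KMS API calls that actually use key material; DescribeKey, ListKeys, etc. do not.
CRYPTO_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def _record(event, arn, ip, error=None):
    """Build one CloudTrail record in the real schema (the data is constructed)."""
    rec = {
        "eventVersion": "1.05", "eventTime": "2019-06-03T10:00:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": event, "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole" if ":sts:" in arn else "IAMUser", "arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"keyId": KEY_ARN},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    }
    if error:  # failed calls carry errorCode/errorMessage instead of a result
        rec["errorCode"] = error
        rec["errorMessage"] = f"User: {arn} is not authorized to perform: kms:{event}"
    return rec


SAMPLE_LOG = {"Records": [
    _record("GenerateDataKey", APP_ROLE, "10.0.1.15"),        # the application encrypting data
    _record("Decrypt", APP_ROLE, "10.0.1.15"),
    _record("DescribeKey", MIKE, "203.0.113.7"),              # metadata only, not key usage
    _record("Decrypt", MIKE, "203.0.113.7"),                  # a human decrypting from outside
    _record("Decrypt", SUP1, "203.0.113.9", error="AccessDenied"),
    _record("ScheduleKeyDeletion", SUP1, "203.0.113.9", error="AccessDenied"),
]}


def _key_of(rec) -> str:
    for res in rec.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return (rec.get("requestParameters") or {}).get("keyId", "unknown")


def kms_events(log) -> list:
    """Only events emitted by KMS; a real trail mixes every service into one log."""
    return [r for r in log["Records"] if r.get("eventSource") == "kms.amazonaws.com"]


def key_usage(log) -> dict:
    """key ARN -> Counter of (principal ARN, operation) for successful cryptographic calls."""
    usage = defaultdict(Counter)
    for rec in kms_events(log):
        if "errorCode" in rec or rec["eventName"] not in CRYPTO_OPS:
            continue
        usage[_key_of(rec)][(rec["userIdentity"]["arn"], rec["eventName"])] += 1
    return usage


def denied_events(log) -> list:
    """(principal, operation, error code, source IP) for every refused KMS call."""
    return [(r["userIdentity"]["arn"], r["eventName"], r["errorCode"], r["sourceIPAddress"])
            for r in kms_events(log) if "errorCode" in r]


def principals_using_key(log, key_arn) -> list:
    """Sorted principals that successfully used the key's material."""
    return sorted({p for p, _ in key_usage(log).get(key_arn, Counter())})


if __name__ == "__main__":
    for key, ops in key_usage(SAMPLE_LOG).items():
        print(key)
        for (principal, op), n in ops.items():
            print(f"  {n}x {op:<16} {principal}")
    for principal, op, code, ip in denied_events(SAMPLE_LOG):
        print(f"DENIED {op} by {principal} from {ip} ({code})")
```

The denied ScheduleKeyDeletion attempt is the record worth an alarm: a principal from the support group trying to schedule deletion of a key is either a mistake or a destructive action, and CloudTrail is the only place that attempt is visible, since KMS itself refused it.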
AWS Config
Managed service for tracking AWS inventory and configuration, and for configuration change notification.

Diagram: AWS Config records the configuration of resources such as Amazon EC2, Amazon EBS and Amazon VPC and correlates changes with AWS CloudTrail.
Use cases: discovery, security analysis, audit compliance, change management, troubleshooting.
Module 4:
Pricing, TCO and Cost Optimization on AWS
Cloud Value Framework

Cost Savings (TCO)
  What is it? Infrastructure cost savings / avoidance from moving to the Cloud.
  Example: 50%+ reduction in TCO (GE)

Staff Productivity
  What is it? Efficiency improvement by function on a task-by-task basis.
  Example: Over 500 hours per year of server configuration time saved (Sage)

Operational Resilience
  What is it? Benefit of improving SLAs & reducing unplanned outage.
  Example: Critical workloads run in multiple AZs & Regions for robust DR (Expedia)

Business Agility
  What is it? Deploying new features / applications faster and reducing errors.
  Example: Launch of new products 75% faster (Unilever)

Cost savings are the typical focus; staff productivity, operational resilience and business agility are the most compelling cloud benefits.
TCO the way customers typically see it (illustrative)

1 Server Costs:   Hardware – Server (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance)
2 Storage Costs:  Hardware – Storage Disks
3 Network Costs:  Network Hardware – LAN Switches, Load Balancer; Bandwidth costs
4 IT Labor Costs: Server Admin, Virtualization Admin
TCO the way it really is (on-prem / colocation, illustrative)

1 Server Costs:   Hardware – Server, Rack Chassis, PDUs, ToR Switches (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance); Facilities Cost – Space, Power, Cooling
2 Storage Costs:  Hardware – Storage Disks, SAN/FC Switches; Software – Backup; Facilities Cost – Space, Power, Cooling
3 Network Costs:  Network Hardware – LAN Switches, Load Balancer; Software – Network Monitoring; Bandwidth costs; Facilities Cost – Space, Power, Cooling
4 IT Labor Costs: Server Admin, Virtualization Admin, Storage Admin, Network Admin, Support Team
5 Extras:         Project planning, Advisors, Legal, Contractors, Managed Services, Training, Cost of capital

Overhead and business value usually left out of the estimate: cost of delays, risk premium, competitive abilities, governance, etc.

AWS overhead costs are included in the publicly listed prices.
Resources to get started

AWS TCO Calculator: https://awstcocalculator.com
AWS Economics Center: http://aws.amazon.com/economics/
Case Studies and Research: http://aws.amazon.com/solutions/case-studies
Tools for Cost Visibility

Cost Explorer
• Monthly spend by service view
• Monthly spend by linked account view
• Daily spend view

Tags
• Identify and organize your AWS resources
• Integrated with many AWS services: EC2, RDS, S3, Glacier, Redshift, etc.
AWS Pricing Philosophy

01 Pay only for what you use
02 Low cost
03 No up-front capital expense
On-Demand and Reserved

On-Demand
• Benefits: billing by the second (new as of 10/2/17); modify compute capacity at any time
• When to position: customer seeking to avoid long contracts and upfront payments
• Workloads: short-term / fluctuating; jobs that must run to completion; Dev/Test

Standard Reserved Instance
• Benefits: 50%–70% less than On-Demand instances
• When to position: customer able to commit to a 1-year or 3-year term
• Workloads: steady-state applications
Convertible Reserved Instances

Convertible Reserved Instance
• Benefits: reduced price during the Reserved Instance term; change Reserved Instance family, type, OS, or tenancy during the term
• When to position: for customers lacking understanding of future workloads
• Workloads: steady-state but can change
• Example: exchange a C3 RI for a C4 RI
Spot Instances

Spot: unused EC2 capacity that is available for less than the On-Demand price.
• Benefits: discounts compared to On-Demand pricing; run continuously for a set duration at lower pricing
• When to position: when workloads can continue after interruptions; Spot Fleet for diversification across multiple instance types and AZs
• Workloads: batch processing, Hadoop workflow, HPC grid, encoding, rendering, modeling, analysis, or continuous integration
Dedicated Instances and Dedicated Hosts

Dedicated Instance
• Benefits: instances run on hardware dedicated to you only
• When to position: for workloads that require dedicated hardware to meet unique security and compliance needs
• Workloads: data isolation required
• Pricing: customer pays an hourly instance fee plus a dedicated per-Region fee

Dedicated Host
• Benefits: instances run on hardware dedicated to you only; license portability; fine-grained control of hardware
• When to position: for existing server-bound software licenses that are bound to VMs, sockets, or physical cores
• Workloads: data isolation required; license-dependent applications or services
Estimating Cost Savings
• Simple Monthly Calculator
• AWS Pricing Calculator (new)
Module 5:
AWS Well-Architected Framework

The AWS Well-Architected Framework

• Design principles
  – Stop guessing your capacity needs
  – Test systems at production scale
  – Automate to make architectural experimentation easier
  – Allow for evolutionary architectures
  – Drive architectures using data
  – Improve through game days
Pillars of AWS Well-Architected
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
Applying Operational Excellence

Diagram: a three-tier application deployed across Availability Zone A and Availability Zone B. Each AZ has a public subnet (RDGW, NAT, IDS/WAF), a private web tier and a private app tier (Auto Scaling groups mixing Reserved and On-Demand instances), and a data tier on Amazon Aurora with replication between the AZs; separate web, app and DB security groups isolate the tiers; users reach the web tier from the internet and admins come in through the public subnet.
Callouts: 1. Use of Amazon CloudWatch to achieve visibility in the cloud. 2. Use of CodeStar to deploy infrastructure as code.
Hey, everybody! Get ready for our...

Pop Quiz!
bit.ly/awsCloudPract
Simulation: CCP prep test and discussion
Module 6:
APN Resources to Help You

APN Program Resources
• APN Program Guide: benefits and requirements
• APN personnel resources
• Monthly partner-facing webinars
• Training and certification
• APN Blog, newsletter, Twitter
• APN Portal: https://partnercentral.awspartner.com
• Marketing
• APN Partner Programs
APN How-To Guides and AWS Events

AWS How-To Guides
• Building Your Business With AWS
• APN Partner Development Plan

AWS Events (sponsorship opportunities)
• AWS Global Summits: one-day events, 500–6,000 attendees
• AWS Field Programs: free half-day events, 50–500 attendees
• AWS re:Invent: four-day event, 50,000+ attendees
Partner Training

AWS Digital Learning Platform: https://www.aws.training/
• Workshops and bootcamps: specialty courses for APN Partners
• Videos, labs, and classes with Business and Technical tracks

Accreditations: AWS Technical Professional; AWS Business Professional; AWS TCO and Cloud Economics

Business and Technical Track courses: AWS Foundations Business; AWS Foundations Technical; Well-Architected Framework; Big Data and Analytics on AWS; Windows on AWS; Migration to AWS; SAP on AWS; Amazon Connect; Professional Services BootCamp; Machine Learning on AWS; Introduction to Cloud Adoption Framework

https://partnercentral.awspartner.com
Available AWS Certifications
https://youtu.be/WqUQNp1hAH8
Class Evaluation and Assessment

Please look for the email link to take the class evaluation survey. Thank you!

Guillermo Cabrera
[email protected]