AWS Cloud Getting Started

Amazon cloud

This blog post is having the introductory information about Amazon Cloud.

There are two types of cloud in amazon

• Amazon Elastic Compute Cloud(EC2). https://aws.amazon.com/ec2/  instance types:  https://aws.amazon.com/ec2/instance-types/
• Amazon Lightsail. Lightsail includes everything you need to launch your project quickly--a virtual machine, solid state drive (SSD)-based storage, data transfer, Domain Name System (DNS) management, and a static IP--for a low, predictable monthly price. https://aws.amazon.com/lightsail/. The price details are here https://aws.amazon.com/lightsail/pricing

EC2 - Steps to created an EC2 instance

• Instance types - (https://aws.amazon.com/ec2/instance-types/) that selects the hardware
• Different instance purchasing option
• Spot instance - Lower than on-demand price, but can be available only if unused instance available
• On-demand instance - Pay by hour
• Dedicated instance
• a

1. Login to Amazon console - https://us-east-2.console.aws.amazon.com/console/home?region=us-east-2
2. Select Services menu and click on EC2
3. It displays the list of AMIs(Amazon Machine Image - Include OS and other apps and memory and hardware details). Select one image and then select instance type 
4. Select VPC(Refer VPC  for step to create a VPC)
5. Select what kind of subnet. May select public sub net
6. Select a role that used to communicate to other services
7. Go to Advanced Details and click on User Data. Put the script that required to be executed when EC2 instance get launched. For example to extract the zip file and execute it that contains the application code
8. Leave the storage as default 
9. Add the tags. Tags used to categorize the EC2 instance for eg. Name, Department etc.
10. Select the security group. You can create a new security group or select an existing one. Select an existing security group say "web-security-group"(Enable HTTP Access), "default"(default VPN security group) & "db-security-group"(DB instance security group)
11. Now launch it via clicking on the "Launch" button on the last review page

VPC

• Information about VPC can be found here https://aws.amazon.com/vpc
• AWS always provide a default VPC for a region with a single public subnet- https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html
• Create VPC & Create public and private subnets. Subnets - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
• Allow 5 VPCs per region
• 200 subnet per VPC
• 200 route table 
• 500 security group
• 50 inbound/outbound rule

1. Login to Amazon console & select Services menu and click on VPC
2. Provide the VPC dashboard. Launch VPC Wizard that displays the following options. Select Option 1 from the below
1. VPC with single public subnet. Subnet instances use elastic or public ip
2. VPC with a single public & a private subnet. public subnet use public ip to access internet. Private subnet needs to use the NAT device which is there in public subnet to access the internet. The NAT usage is  having hourly charge
3. Same as 2 but private subnet connected to on-premise via IPSec VPN tunnel. VPN charges apply
4. Same as 3 but without the public subnet. So the private sub net can not be accessible from the net
3. In the next screen provide the following
1. Network ip : 10.10.0.0/16 (make sure to provide a subnet mask with value >15)
2. VPC Name: ecomvpc
3. Public Subnet IP: 10.10.1.0/24
4. Select the availability zone
5. Leave the rest of the values as default and click on the button create VPC
4. Next step is to create the IGW
5. Now the subnet and VPC are running. Next step is to create an EC2 instance. While creating the EC2 instance provide the VPC name and subnet names are the one from here. Refer EC2
6. Now the public subnet can be accessed from the internet and can host an http server. The DB has to be there in another subnet. For that need to create a private subnet in the same VPC. For that do the following steps
1. Click on the subnets left menu from the VPC dashboard and click on create subnet with the following details
1. Name : Private DB Subnet
2. VPC: the VPC created previously
3. Subnet IP: 10.10.2.0/24 
2. Click on create to create the new subnet
7. Install the DB in the newly created private subnet. The database will be already available for web app in public subnet because both of them are in the same VPC. But the private subnet is not available from internet. The following steps to create the db in the subnet
8. Now for getting high availability the public subnet and private subnet has to be created in another availability zone with the following details
1. Name : Pubic Subnet2
2. VPC: the VPC created previously
3. Subnet IP: 10.10.3.0/24 
4. Avaialability zone : zone 2
5. Name : Private Subnet2
6. VPC: the VPC created previously
7. Subnet IP: 10.10.4.0/24 
8. Avaialability zone : zone 2
9. Now to allow public subnet2 to allow internet traffic it has to be associated with IGW via the route table. For that do the following steps
1. Go to list of route tables and select associate the public sub net 2 as well to the route table . Refer the steps from IGW 5.4
10. Now configure Load Balancer for that go to ELB
11. When the VPC required to communicate to own DataCenter use VPG(Virtual Private Gateway)
12. If you want to communicate with a VPC that is in the same region use VPC Peering. Make sure that each VPC don't have colliding cidr ip ranges
13. If you want the private subnet to connect to the outbound flow to internet you need to use a NAT.
14. To create security groups to control the access restrictions refer Security Group

IGW(Internet GateWay)

1. The subnet is not able to connect to internet. For that required to create IGW. Go to VPC Dashboard and click on Internet Gateways menu on the left
2. Click on the create internet gateway button and provide the name. IGW got created
3. Now when we are listing all Gateways the one created above having a status as detached. This means that it is not attached to any VPC. To attach the gateway to the VPC click on actions->Attach to VPC and select the VPC created above
4. Refer Create Route Table 
5. The instances in VPCs should be having public or elastic IPs to connect to internet. Elastic IP address to make it as static with a cost if it is not allocated to instance
6. IGW do the network ip address translation of your VPC network
7. Only 1 IGW can be attached to a VPC

Route Table

• Route table is a set of rules to determine how the network traffic  is directed
• Each subnet must associate with a route table and a subnet can associate with only a single route table
• Multiple subnets can be associated with a single route table

1. Now required to create a custom route table(white listing). For that click on the route table left hand menu in VPC dashboard. Click on create route table to create the route table with the following details
1. Name : ecomRouteTable
2. VPC: The VPC created above
3. click on create route table to create the route table
2. Now the route table is created to handle only local traffic. The next steps to be followed to allow internet traffic
1. When you select the route table created on above you will see the edit pane.
2. From the edit pane select the tab routes you will see only local. Click on the edit button to edit the routes and add the following 
3. Add a new route  row 0.0.0.0/0 - which represents the traffic from the internet. Put the Target as the IGW created(refer IGW) on save
4. To associate the route to public subnet. Click on the subnet association tab and click edit and select the public subnet created previously and click save

ELB(Elastic Load Balancer)

Elastic Load Balancing offers three types of load balancers.

• Application Load Balancer - HTTP/HTTPS traffic load balancing
• Network Load Balancer - handle tens of millions of requests per second
• Classic Load Balancer - legacy

https://creately.com/blog/diagrams/aws-templates-for-architecture-diagrams/

1. Configure the Elastic Load Balancer (ELB) to select which ip to route(public subnet 1 or public subnet 2). [ https://aws.amazon.com/elasticloadbalancing/ ]
1. Go to EC2 Dashboard (https://us-east-2.console.aws.amazon.com/ec2/v2/home) and click on left hand menu load balancers and click create load balancer button. There are 3 types of load balancers: application (HTTP/s), Network(TLS,STP,UDP)- having high performance over application load balancer, Classic(old style that supports https/tcp). Here the application ELB will be created with the following details
1. Name: ecomelb
2. Scheme: Internet facing
3. VPC: The VPC created previously
4. Availability zones: Zone1 & Zone2 and select the 2 public subnets from each zones
2. Now go to the tab security groups to set the security group in ELB. Select the web-security group which enable to access 80
3. Go to Configure Routing tab to configure the routing that contains the 2 web servers. 
1. Target Group : New Target Group
2. Name: WebserverGroup
3. Protocol:HTTP
4. Port: 80
5. Leave the rest as default and click on Register Targets button that leads to the page that showing the list of running web servers targets. Select them and click on add to registered button to add them to the list
4. After Review click on create button to create the ELB. You can see the DNS name for the ELB to access the website using ELB.

VPG(Virtual Private Gateway)

1. VPG has to be created at VPC side
2. At customer side required to create a Customer Gateway which can be a device or a software
3. VPN tunnel used to communicate between VPG and customer gateway

NAT(Network Address Translation)

• This is used to connect private subnet to internet
• NAT can be a Gateway or Device
• NAT has to be added to public subnet so that it get internet connectivity
• NAT use its ip address while communicating to internet like a proxy server
• NAT require an elastic ip

1. Click on the NAT left hand menu in VPC dashboard. Click on create NAT to create the NAT with the following details
1. Siubnet: public subnet created earlier
2. Elastic IP: the elastic ip created earlier but not assigned ye
2. Click on create to create the NAT
3. Edit the route table and select the Default route table which is currently assigned to the Default route table
4. Add a new route  row 0.0.0.0/0 - which represents the traffic to the internet. Put the Target as the NAT created(while selecting the target IGW and NAT will be shown never select IGW for private subnet as best practice)

Security Group

• Security Group acts as a virtual firewall 
• you can add rules to control the connection
• Normally add the instance inside a security group so that it can control what traffic in and out
• By default security group allow all outbound traffic
• Security groups are always permissive and you can not do deny access
• A webserver security group will allow 80 & 443 ports and a MySQL DB security group will allow port:1433 and RDP port. While adding RDP put a source IP address so that only that IP can do remote desktop access

1. Click on the Security Group left hand menu in VPC dashboard. Click on create Security Group  to create the Security Group with the following details
1. Name: webserverSG
2. Group:webserverSG
3. VPC: the vpc created earlier
2. Click on create to create the security group
3. Go to Inbound rules and add the following rows
1. Type: HTTP 80 (this will automatically fill rest. But if you are selecting Custom you need to fill all yourself)
2. Protocol: TCP
3. Port: 80
4. Source: 0.0.0.0/0 or put another security group name if you want to allow inbound only from a security group
4. Add 443 and save
5. Creare another security group for DB Server with the name:dbserverSG with following details and save
1. Type: MS SQL 
2. Protocol: TCP
3. Port: 1433
4. Source: webserverSG (This way the DB access will be restricted from webserver only)

ACL(Access Control Layer)

• ACL is an optional layer of security to black list
• * DENY means deny all and you can not modify that
• Each subnet in your VPC should be associated with an ACL. If not associated with a custom ACL, by default it will be assigned to default ACL
• Subnet can be associated with one ACL but and ACL can be associated with multiple subnets
• ACL contains a numbered rules in order starting with lowest rule number#
• When an allowed traffic found it allows the traffic even if there is a rule to deny it on a higher number 
• Rule number increment by 100 so that there will be enough room to add extra rules in between

1. Click on the Network ACL left hand menu in VPC dashboard. Click on create Network ACL  to create it with the following details
2. Provide the rules

LightSail - Steps to created an LightSail 

1. Login to Amazone console - https://us-east-2.console.aws.amazon.com/console/home?region=us-east-2
2. Select Services menu and click on LightSail
3. It displays the list of blueprint. Select say Magento. Select the plan and provide the name

Other Amazon Terms 

Region

A collection of availability zones. Minimum 2 availability zones required for a region. Run application always in both availability zone. Refer  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

While selecting a region the following questions to be asked

• Latency - Where are your customer located?
• Cost - Some region is having less cost than the other region
• Compliance - Legal restriction saying that the data should be there in the country
• Service Availability - New services might be available only in some regions and it takes some time to roll out to other regions#

Container Services

Amazon Elastic Container Service (ECS) - Container Orchestration using Docker(may be docker swarm) to deploy. https://aws.amazon.com/ecs/

Amazon Elastic Container Service for Kubernate (EKS). Container Orchestration using kuberante(Kubernate is developed by Google). https://aws.amazon.com/eks/

AWS Fargate - a compute engine for Amazon ECS and Amazon EKS that allows you to run containers without having to manage servers or clusters. https://aws.amazon.com/fargate/

Elastic Block Storage(EBS) & Elastic File System(EFS)

Storing images videos etc. which is considered as object storage uses EFS eg.S3(simple Storage Service). It stores 3 copies of the files for redundancy. 5T is the size of a single file/object. https://aws.amazon.com/s3. Steps to create S3.

EFS can be attached to different subnets from different VPCs. It does not required to be inside a subnet.  https://aws.amazon.com/efs/. Using Amazon EFS you can mount an on premise storage but it is not possible using S3

1. Go to Dashboard, Select Services menu and click on S3 and click on create bucket will provide a popup to enter the details. 
1. Bucket Name: ecomBucket
2. Region: Us West
3. Copy Setting from an Existing Bucket: 
2. Click on create button to create the bucket. But this bucket is private
3.  Edit the bucket and click on upload button to upload a file/image.
4. After loading the file when we click on the object we can see the information about the object. One among them is a link which is a public link. But when we access the object using that link it says access denied
5. So go to object and select permissions tab and click on the public radio button to give the access as public

Storing blocks amazon uses EBS eg. Amazon RDS. https://aws.amazon.com/ebs and pricing can be found here https://aws.amazon.com/ebs/pricing/

Amazon DB

There are 2 types RDS and Dynamo

RDS

• Any database of your choice like MySQL, Oracle etc. 
• Patches installations, scaling, performance etc. are automatically handled
• You can use the AWS Database Migration Service (AWS DMS) (https://aws.amazon.com/dms) to quickly and securely migrate your databases to AWS
• Pricing - https://aws.amazon.com/rds/pricing/
• Steps to create an RDS(assume that the subnet already got created)

1. Go to Dashboard, Select Services menu and click on RDS
2. Click on the create database button and select the database as say amazon arora, mysql, postgress etc.

Dynamo

• No transaction support
• No SQL
• Big Data
• No need to mention about the capacity of the machine instead just mention about the throughput
• Replicate the data in 3 facilities in a region
• Dynamo DB 
• Tables contains a simple partition key which is the primary key
• Table contains a sort key as well
• Composite primary key is partition key + sort key together
• Secondary index contains the subset of attributes from a table and can contain many secondary indexes
• Local secondary index is having the same partition key as base table but having a different sort key
• Global secondary index is having both partition key  and sort key as different form base table 
•  
• https://aws.amazon.com/dynamodb  pricing - https://aws.amazon.com/dynamodb/pricing/ 
• Steps to create 

1. Go to Dashboard, Select Services menu and click on DynamoDB
2. Click on create table button and create the table
1. Table Name: Music
2. Partition Key: Artist
3. Sort Key: Song Title
3. Once table got created click on items tab and create items via entering the above attributes and you can search using partition key and sort key

• Steps to create Local Instance

1. Go and download http://dynamodb-local.s3-website-us-west-2.amazonaws.com/dynamodb_local_latest.zip the zip file and extract it to locale drive
2. Run command >java -Djava.library.path=./DynamoDBLocal_lib -jar DynamoDBLocal.jar -sharedDb
3. Got to http://localhost:8000/shell  to access the shell

Monitoring & Cloud watch

• Cloud watch collect data points like cpu, memory etc.   - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CW_Support_For_AWS.html
• Required to install cloud watch agent in the cloud/on-premise servers to collect the information
• visualize log is used to visualize and analyse log - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html
• It can trigger events/alarm depends on the thresholds. Events  - https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html 
•  Refer https://aws.amazon.com/cloudwatch/
• Auto scaling can be done at cloud watch so that a new instance can be automatically created. https://aws.amazon.com/ec2/autoscaling
• Steps to configure cloud watch auto sca

1. Go to EC2 Dashboard, Select Auto Scaling Group from left hand menu and click on create auto scaling group button.This will provide which AMI to use it for auto scale
2. Select AMI that should be used for the new instance
3. Click on the next button and provide the below information for the instance
1. Name: WebServer
2. Role:The same role as the original EC2 instance
3. In advanced details pate the user data section with the script. Refer EC2  creation step
4. Select the storage, security group etc
5. Click on lauch configuration
4. Click on the lauched configuration and edit the following details
1. Group Size : 2 (2 instances will be get created)
2. Network: VPC name
3. Subnet: The public subnet or can create a new one and assign here as well
4. Load Balancing: Receive data from 1 or more ELB
5. On the scaling policy tab change the following
6. Select radio button to select the scaling policy to adjust. This is the one that will decide what policy to select when cloud watch decided to change the scaling
7. Scale min:2 & Max: 4 
8. Name: Scale Up
9. Metric Type: Average CPU Utilization
10. Target Value: 60%
11. Instance need: 300 (seconds required to warm up after scaling)
12. Click on next button to configure notifications if required in the notification tab
13. Review and create the group

Security

• physical data center, network & hyper wiser security responsibility belongs to AWS and rest starting from guest OS onward belongs to the client
• AWS provide a wide range of encryption tools or can use custom encryption as well
• Automatic encryption are there in EBS & S3
• Encryption keys like  AWS HSM, Key Management Service(KMS) can be used
• Shared responsibility model https://aws.amazon.com/compliance/shared-responsibility-model/
• Security White Paper - https://d1.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf

Amazon Inspector

is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Suppose that you have several Amazon EC2 instances, and you want to ensure that they’re all properly configured with the recommended password complexity settings. Instead of manually checking the settings for each EC2 instance, you can run a vulnerability assessment through Amazon Inspector, which scans all of the EC2 instances to check if the password complexity settings are compliant.

AWS Security Hub

Instead of constantly switching back and forth between separate tools, you can monitor all your security findings and compliance checks in AWS Security Hub. It aggregates, organizes, and prioritizes your security findings

AWS Web Application Firewall (WAF)

 a service that helps to protect your web applications and APIs against common web exploits that may affect application availability, compromise security, or consume excessive resources.

AWS Key Management Service (KMS)

control the encryption keys that are used to encrypt and protect your data

AWS Shield

a managed DDoS protection service that safeguards applications running on AWS. It comes in two tiers: Standard(default with no extra cost) and Advanced

Autoscaling

The following are the EC2 scaling options

• Maintain the current instance levels at all times
• Manual scaling
• Scheduled scaling
• Dynamic scaling - based  on load or specified parameter
• Predictive scaling

Cost Management Tools

• AWS Cost Explorer  - https://aws.amazon.com/aws-cost-management/aws-cost-explorer/
• provide reports on cost
• View data for up to the last 13 months
• Forecast how much you're likely to spend for the next 3 months
• Get recommendations for Amazon EC2 rightsizing and reservation purchases
• AWS Budgets
• Allows to create alerts when the cost exceeds threshold. This can be done with Cloud Watch as well but AWS Budget provides more granularity and visibility
• AWS Trusted advisor - https://aws.amazon.com/premiumsupport/trustedadvisor/
• Identify improvement on cost, security etc.
• AWS Total Cost of Ownership (TCO) Calculator
• compare the cost of running applications in an on-premises or traditional hosting environment to running the applications with AWS

Code Your Infrastructure with AWS CloudFormation(Governance)

•  Describe the AWS resources that you want to create and configure in a single text file, JSON/YAML
• AWS CloudFormation provisions your resources in a safe, repeatable manner, allowing you to build and rebuild your infrastructure and applications without having to perform manual actions or write custom scripts

Get Actionable Insights from AWS Trusted Advisor

Checks against your environment to see if it meets predefined criteria. It provides feedback and best practices in five categories: cost optimization, security, fault tolerance, performance, and service limits.

The status of the check is shown on the dashboard page using color coding and icons.

• Red circle exclamation point: action recommended
• Yellow triangle exclamation point: investigation recommended
• Green square check mark: no problem detected

AWS Well-Architected Framework

https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

https://aws.amazon.com/architecture/well-architected/?ref=wellarchitected-wp&wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc

https://aws.amazon.com/well-architected-tool/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc 

AWS Cloud Adoption Framework (CAF)

help you assess your needs across a wide range of areas and develop the right workstreams to achieve your goals.

organizes guidance into six areas of focus, called perspectives

1. Business Perspective - IT is aligned with business needs and that IT investments are linked to key business results
2. People Perspective - development of an organization-wide change management strategy for successful cloud adoption. Use the People Perspective to evaluate organizational structures and roles, new skill and process requirements, and identify gaps
3. Governance Perspective - focuses on the skills and processes to align IT strategy with business strategy & understand how to update the staff skills
4. Platform Perspective - principles and patterns for implementing new solutions in the cloud, and migrating on-premises workloads to the cloud
5. Security Perspective - organization meets security objectives for visibility, auditability, control, and agility
6. Operations Perspective - enable, run, use, operate, and recover IT workloads to the level that is agreed upon with your business stakeholders

To get started, take the 16-question  AWS Cloud Adoption Readiness Tool (CART) assessment

Amazon pricing - https://aws.amazon.com/pricing/

Pricing calculator - https://calculator.aws/. For more info https://aws.amazon.com/blogs/aws/check-it-out-new-aws-pricing-calculator-for-ec2-and-ebs/