
Presented by: Sameh Tawfiq

OCB Academy
Overview of Amazon Web Services

• Amazon Web Services (AWS) is a subsidiary of Amazon.

• In 2006, AWS began offering IT infrastructure services to businesses as web services.

• AWS offers over 140 services.

• Serves businesses in 190 countries around the world.


GARTNER MAGIC QUADRANT FOR INFRASTRUCTURE AS A SERVICE
(IAAS) 2018
Cloud Service Models
AWS Platform
Game Development Artificial Intelligence Messaging

Business Productivity Internet Of Things Desktop & App Streaming

Application Services Developer Tools Mobile Services

Analytics Security & Identity Management Tools

Migration Storage Databases

Networking & Content Delivery Compute

AWS Global Infrastructure


[Figure: two Regions, each containing Availability Zones AZ #1, AZ #2 and AZ #3]

Each Region consists of multiple Availability Zones, which are connected with low latency, high throughput, and
highly redundant networking.
AWS Platform

VPC Route 53

Direct Connect

Networking & Content Delivery


AWS Platform

EC2 EC2 Container Service

Elastic Beanstalk

Compute
AWS Platform

S3 EFS

Glacier Storage Gateway

Storage
AWS Platform

RDS Redshift

Dynamo DB Elasticache

Database
AWS Platform
Course Roadmap
• AWS Introduction
• EC2 (Compute) – Load Balancing – Autoscale
• EBS (Block Storage)
• EFS (File based Storage)
• S3 (Object Storage)
• Storage Gateway (Hybrid Environment)
• VPC (Networking)
• Cloud Watch (Monitoring)
• ECS (EC2 Container Service)
• IAM (Identity/Access Management)
• Cloud Formation (Infrastructure as code)
EC2
Elastic Compute Cloud
EC2 Essentials

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud.

Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up
and down, as your computing requirements change.
EC2 Instance Configuration
• Amazon Machine Image (AMI): the operating system (and other settings).

• Instance Type: the hardware (compute power, RAM, network bandwidth, etc.).

• Network interface: public, private, or Elastic IP address.

• Storage: two options

- Elastic Block Store (EBS), which is “persistent storage”
- Instance Store, which is “ephemeral storage”

• Security group: must be assigned to an instance during the creation process.

• Tag: can be used to organize provisioned instances.

• Key Pair: used to manage login authentication.
Hypervisor
[Figure: shared tenancy isolation; instances on one host share the host's resources: CPUs, RAM and storage]
System Status checks
• Monitor the systems in which your instances run.
• Reasons for failure:
- Loss of network connectivity
- Loss of system power
- Software issues on physical host
- Hardware issues on the physical host that impact network reachability
Instance Status checks
• Monitor the network and software configuration on an instance
• You must intervene to fix
• Reasons for failure:
- Incorrect networking or startup configuration
- Exhausted memory
- Corrupted file system
- Incompatible kernel
• Solutions:
- Make instance configuration changes
- Reboot the instance
EC2 Types
Type | Category              | Description                                   | Use Cases
T2   | Burstable             | Shared CPUs, lowest cost                      | Web servers
M5   | General Purpose       | Balance of compute, memory, network resources | Mid-size/small databases, application servers
C5   | Compute Optimized     | Advanced CPUs                                 | Analytics, CPU-intensive apps
D2   | Dense Storage         | Local and large storage capacity              | File servers, data warehousing
R4   | Memory Optimized      | More RAM                                      | Memory caching
I3   | IO Optimized          | Local SSD storage, high IOPS                  | NoSQL databases
G3   | GPU Graphics          | GPUs with video encoders                      | 3D application streaming
F1   | Accelerated Computing | Custom HW acceleration                        | Genomics
Security Group Essentials
• A Security Group is a virtual firewall that controls the traffic for one or more instances.

• When you launch an instance, you associate one or more security groups with the instance.

• All inbound traffic is blocked by default.

• A security group rule can allow traffic to or from its associated instances.

• A security group rule specifies the protocol, the port range and the source.
Elastic Load Balancer
• ELB distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones, to increase
the fault tolerance of the application.

• It usually runs at layer 4 or layer 7.

• Adding or removing instances to or from an ELB is non-disruptive.

• Health checks are used to monitor the health of the registered instances. An instance that does not respond is
quarantined.
Classic Elastic Load Balancer

• A Classic Elastic Load Balancer is designed for simple balancing of traffic to multiple EC2 instances.

• A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards
requests to one or more registered instances.

• Works at layer 4 and layer 7; there are no granular routing rules.


Application Load Balancer
• An Application Load Balancer is designed for balancing traffic to one or more instance target groups using
content-based rules.

• Content-based rules can be configured using:

- Host-based rule: routing traffic based on the Host header of the HTTP request.
- Path-based rule: routing traffic based on the URL path of the HTTP request.

• Can balance traffic to multiple ports.

[Figure: requests for "/" are forwarded to Target Group #1 and requests for "/images" to Target Group #2]
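The rule evaluation described above, as an added Python model written for this page (not AWS code): each listener rule carries a priority, an optional Host-header condition, an optional path condition and a target group; the first rule, in priority order, whose conditions all hold wins, and a listener default catches everything else. The rule set reproduces the slide's "/" versus "/images" split and adds a host-based rule; the wildcard semantics ("*." host prefix, trailing "*" path prefix), the rule names and the sample requests are assumptions made for the example.

```python
"""Content-based routing model: an added illustration of Application Load Balancer
host- and path-based rules, not AWS code. Rule semantics follow the slide
(Host header, URL path, priority order, default action); names and sample
requests are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One listener rule. A request must satisfy every condition the rule sets."""
    priority: int                # lower number is evaluated first
    target_group: str            # where matching requests are forwarded
    host: Optional[str] = None   # e.g. "api.example.com" or "*.example.com"
    path: Optional[str] = None   # e.g. "/images/*" (trailing * = prefix match)


def host_matches(pattern: str, host_header: str) -> bool:
    """Compare the request's Host header (port stripped, case-insensitive) against a host pattern."""
    host = host_header.split(":", 1)[0].lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches "api.example.com" but not the bare "example.com"
        return host.endswith(pattern[1:]) and host.count(".") >= pattern.count(".")
    return host == pattern


def path_matches(pattern: str, path: str) -> bool:
    """Exact match, or prefix match when the pattern ends with '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route(rules: List[Rule], default_target: str, host_header: str, path: str) -> str:
    """Return the target group for a request: the first rule (by priority) whose
    conditions all hold, otherwise the listener's default action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.host is not None and not host_matches(rule.host, host_header):
            continue
        if rule.path is not None and not path_matches(rule.path, path):
            continue
        return rule.target_group
    return default_target


# Constructed rule set: the slide's "/" vs "/images" split plus host-based rules.
RULES = [
    Rule(priority=10, target_group="tg-images", path="/images/*"),
    Rule(priority=20, target_group="tg-api", host="api.example.com", path="/v1/*"),
    Rule(priority=30, target_group="tg-tenants", host="*.example.com"),
]
DEFAULT_TARGET = "tg-web"


def route_sample(host_header: str, path: str) -> str:
    """Route one request against the constructed rule set."""
    return route(RULES, DEFAULT_TARGET, host_header, path)


if __name__ == "__main__":
    for h, p in [("www.example.com", "/"), ("www.example.com", "/images/logo.png"),
                 ("api.example.com", "/v1/users"), ("api.example.com", "/v2/users"),
                 ("example.com", "/")]:
        print(f"{h}{p} -> {route_sample(h, p)}")
```

Because the path rule has the lowest priority number, a request to `/images/...` on the API host still lands in the images group; ordering rules deliberately is part of the configuration, not an afterthought.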


Network Load Balancer
• A Network Load Balancer is designed for extreme performance.

• Layer 4 (TCP) load balancing.

• Suitable for sudden, extreme increases in requests.


Autoscaling (Scale out)
• Auto Scaling is a service that automates the process of increasing or decreasing the number of provisioned
instances for the application.
• High availability and cost are the benefits of using Auto Scaling.
• Auto Scaling components:
- Launch Configuration: the EC2 “template” used to provision new instances (AMI, instance type, security groups, etc.).
- Auto Scaling group: all the rules that govern when an EC2 instance is automatically provisioned or terminated.
- CloudWatch Alarms: the selected metrics that indicate load on the instances (CPU, latency, etc.) and the alarms that
trigger the Auto Scaling policies.
EBS (Elastic Block Store)
Amazon EBS allows you to create storage volumes and attach them to Amazon EC2 instances. Once attached, you
can create a file system on top of these volumes.

Amazon EBS volumes are placed in a specific Availability Zone, where they are automatically replicated to protect you
from the failure of a single component.
EBS Volume Types

• General Purpose SSD (GP2): Balances both price and performance.


• Provisioned IOPS SSD: I/O intensive application.

• Throughput Optimized HDD (ST1): Big data, Data warehouses.

• Cold HDD (SC1): Lowest cost Storage for infrequently accessed workloads.
EBS Snapshots
Snapshots are point-in-time copies of EBS volumes that are stored in S3.
Snapshot properties:
• Snapshots are incremental in nature: they store only the blocks that changed since the most recent snapshot.

• Snapshots can be used to create a fully restored EBS volume.

• When an old snapshot is deleted, the blocks required to restore other snapshots are retained.

• Snapshots can be used to create AMI images.
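The three snapshot properties above (incremental storage, full restore from any snapshot, safe deletion of an old snapshot) are easier to see with a toy model. The following is an added example written for this page, not AWS's implementation: a volume is a dict of block index to bytes, a "snapshot store" stands in for S3, and block ids, snapshot ids and the sample data are constructed.

```python
"""Toy model of incremental EBS snapshots: an added illustration of the
properties listed on the slide, not AWS's implementation. Volumes are dicts of
block index -> bytes; the SnapshotStore stands in for S3. All data is constructed."""
import hashlib
from typing import Dict, Optional


def block_id(index: int, data: bytes) -> str:
    """Content-derived id, so an unchanged block maps to the same stored copy."""
    return hashlib.sha256(f"{index}:".encode() + data).hexdigest()[:16]


class SnapshotStore:
    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}               # stored block copies
        self.snapshots: Dict[str, Dict[int, str]] = {}   # snapshot id -> {block index: block id}

    def take_snapshot(self, snap_id: str, volume: Dict[int, bytes], parent: Optional[str]) -> int:
        """Record a point-in-time copy of `volume`. Returns how many blocks had to be
        uploaded: those that changed since `parent` (all of them for a first snapshot)."""
        parent_map = self.snapshots[parent] if parent else {}
        new_map: Dict[int, str] = {}
        uploaded = 0
        for index, data in volume.items():
            bid = block_id(index, data)
            new_map[index] = bid
            if parent_map.get(index) != bid:
                uploaded += 1
                self.blocks.setdefault(bid, data)
        self.snapshots[snap_id] = new_map
        return uploaded

    def restore(self, snap_id: str) -> Dict[int, bytes]:
        """Rebuild the full volume from every block the snapshot references,
        whichever earlier snapshot originally uploaded it."""
        return {index: self.blocks[bid] for index, bid in self.snapshots[snap_id].items()}

    def delete_snapshot(self, snap_id: str) -> int:
        """Drop a snapshot but keep any block another snapshot still needs.
        Returns the number of stored blocks actually freed."""
        del self.snapshots[snap_id]
        still_needed = {bid for m in self.snapshots.values() for bid in m.values()}
        freed = [bid for bid in self.blocks if bid not in still_needed]
        for bid in freed:
            del self.blocks[bid]
        return len(freed)


def demo() -> dict:
    """Three snapshots of a 3-block volume, then deletion of the oldest one."""
    store = SnapshotStore()
    v1 = {0: b"a", 1: b"b", 2: b"c"}
    v2 = {0: b"a", 1: b"B", 2: b"c"}       # block 1 changed since v1
    v3 = {0: b"A", 1: b"B", 2: b"c"}       # block 0 changed since v2
    up1 = store.take_snapshot("snap-1", v1, None)
    up2 = store.take_snapshot("snap-2", v2, "snap-1")
    up3 = store.take_snapshot("snap-3", v3, "snap-2")
    freed = store.delete_snapshot("snap-1")   # only the block unique to snap-1 goes away
    return {
        "uploaded": (up1, up2, up3),
        "freed_after_deleting_snap1": freed,
        "stored_blocks": len(store.blocks),
        "snap2_restores_ok": store.restore("snap-2") == v2,
        "snap3_restores_ok": store.restore("snap-3") == v3,
    }


if __name__ == "__main__":
    print(demo())
```

Deleting the first snapshot frees exactly one block (the original content of block 1), while blocks 0 and 2 from that first upload stay because the later snapshots still reference them; this is why deleting old snapshots rarely saves as much space as their "full" size suggests.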


EBS Performance
• New EBS volumes operate at maximum performance as soon as they are available.
• For volumes restored from snapshots:
- Maximum performance is not reached until all the blocks on the volume have been read.
- The volume must be initialized (by reading all the blocks).
EC2 Options
• On Demand: allows you to pay a fixed rate by the hour with no commitment.

• Reserved: provides you with a capacity reservation and offers a significant discount on the hourly charge for an
instance. 1-year or 3-year terms.

• Spot: enables you to bid whatever price you want for instance capacity, providing even greater savings if your
applications have flexible start and end times.

• Dedicated Hosts: a physical EC2 server dedicated for your use.


Rest API
What is an API and how does it fit in the picture?
What is API (Application Programming Interface)?

An API is a way to let software components talk to each other.


Analogy:
What is REST API?

REST is acronym for REpresentational State Transfer.

A REST API is an application program interface (API) that uses HTTP requests to
GET, PUT, POST and DELETE data.
HTTP (Hypertext Transfer Protocol):
URL (Uniform Resource Locator)
Rest Requests:
AWS Rest API:

AWS provides an API Endpoint for each Cloud Service providing a library of all
available methods.

Endpoints Example:
https://ec2.amazonaws.com/
https://s3.amazonaws.com/
AWS Rest API:

• The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.

• With just one tool to download and configure, you can control multiple AWS services from the command line and
automate them through scripts.

• Can be installed on any machine, in the cloud or on-premises, on any OS (Windows, Linux).
AWS Rest API:
CLI command                                | API call
aws ec2 describe-instances                 | https://ec2.amazonaws.com/?Action=DescribeInstances&AUTHPARAMS
aws ec2 describe-volumes                   | https://ec2.amazonaws.com/?Action=DescribeVolumes&AUTHPARAMS
aws ec2 create-key-pair --key-name <value> | https://ec2.amazonaws.com/?Action=CreateKeyPair&KeyName=my-key-pair&AUTHPARAMS
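The table above shows a naming convention: a kebab-case CLI subcommand becomes a PascalCase Query-API `Action`, and each `--option` becomes a PascalCase parameter. The function below, added for this page and not part of the AWS CLI, turns the three commands from the table into that URL shape and generalizes to other simple `aws ec2` commands. It keeps the slide's `&AUTHPARAMS` placeholder where the real CLI appends request-signature parameters; list-typed parameters (`Name.1`, `Name.2`, ...) are not modelled, and the `--dry-run` flag handling is an assumption for illustration.

```python
"""Added illustration of the CLI-to-Query-API naming convention shown in the
table: not the AWS CLI's own code. The real CLI signs every request; the
slide's &AUTHPARAMS placeholder stands for those signature parameters."""
from urllib.parse import urlencode


def to_pascal(kebab: str) -> str:
    """describe-instances -> DescribeInstances, key-name -> KeyName"""
    return "".join(part.capitalize() for part in kebab.split("-") if part)


def cli_to_query_url(command: str, endpoint: str = "https://ec2.amazonaws.com/") -> str:
    """Translate 'aws ec2 <subcommand> [--opt value | --flag]...' into the
    Query-API URL shape shown on the slide."""
    tokens = command.split()
    if len(tokens) < 3 or tokens[0] != "aws" or tokens[1] != "ec2":
        raise ValueError("expected: aws ec2 <subcommand> [options]")
    params = {"Action": to_pascal(tokens[2])}   # Action is always the first parameter
    i = 3
    while i < len(tokens):
        if not tokens[i].startswith("--"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        name = to_pascal(tokens[i][2:])
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            params[name] = tokens[i + 1]     # --key-name my-key-pair -> KeyName=my-key-pair
            i += 2
        else:
            params[name] = "true"            # bare flag such as --dry-run -> DryRun=true (assumed)
            i += 1
    return f"{endpoint}?{urlencode(params)}&AUTHPARAMS"


if __name__ == "__main__":
    for cmd in ("aws ec2 describe-instances",
                "aws ec2 describe-volumes",
                "aws ec2 create-key-pair --key-name my-key-pair"):
        print(f"{cmd:50} -> {cli_to_query_url(cmd)}")
```

The practical point for a defender: whatever tool issued the call, the service sees the same `Action` name, which is what appears in CloudTrail, so detection rules are written against `CreateKeyPair`, not against the CLI spelling.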
AWS Storage
EFS – S3
NFS/CIFS iSCSI/FC Web/Rest API
Why do we need object based storage?
What is Object-based Storage?
Object storage, also called object-based storage, is an approach to addressing
and manipulating data storage as discrete units, called objects. Objects are
kept inside a single repository, and are not nested as files inside a folder
inside other folders.
Hierarchical file system vs. Flat Address Space
Comparison
Traditional storage stack: Applications -> File System -> Logical Block Interface -> Hard Drive
Object-based storage stack: Applications -> File System -> Object Interface -> Storage component -> Object-based Storage Device (OSD)


S3
Simple Storage Service
S3
S3 provides secure, durable, highly scalable object storage.

Amazon S3 is easy to use, with a simple web services interface to store and retrieve any amount of data from anywhere
on the web.
S3 Buckets
• Buckets are the main storage container (name space) of S3.
• Can create sub name spaces under the bucket for organizing.
• Bucket is regional, and its name must be globally unique.

S3 Objects
• Objects consist of the following:
• Key
• Value
• Version ID
• Metadata
S3 Essentials
• Bulk (unlimited) object storage
• Various storage classes to optimize cost.
• Object versioning
• Object management via lifecycle policies
• Hosting static files & websites
• File shares and backup/archiving for hybrid networks (via AWS Storage Gateway)
• Objects stay within an AWS region and are synced across all AZs for extremely high availability and durability.
S3 Storage tiers
EFS
Elastic File System (EFS)
• EFS is a shared file system option for EC2.

• EFS storage capacity is elastic. With EFS, applications always have the storage they need, without having to
provision or attach larger storage devices.

• EFS is fully managed (no maintenance required).

• EFS supports the Network File System 4.0 and 4.1 (NFSv4) protocols.
Elastic File System (EFS)
Benefits:

• As EFS can be accessed by many EC2 instances at the same time, applications that span multiple EC2 instances can
access the same data.
Elastic File System (EFS)
Benefits:

• EFS provides a mount point for each availability zone.


Elastic File System (EFS)
Benefits:

• EFS file systems can be mounted on on-premises servers via AWS Direct Connect, which allows you to migrate data from
on-premises servers to EFS and/or use it as a backup solution.

• EFS can scale to petabytes in size, and you pay only for the amount of storage you are using.
Storage Gateway
Hybrid Environment
Storage Gateway
• AWS Storage Gateway is a hybrid storage service that enables your on-premises applications to seamlessly use AWS
cloud storage.


Storage Gateway use cases

• Backup and Archiving

• Disaster Recovery
• Data Migration

• Cloud data processing


Storage Gateway types

• File Gateway (NFS)

• Volume Gateway (iSCSI)


• Gateway-Stored Volumes
• Gateway-Cached Volumes
• Tape Gateway (VTL)
Storage Gateway types (cont’d)
• File Gateway
- Allows you to store and retrieve files from S3 using a standard file protocol (NFSv4).
- Comprised of the S3 service and a virtual appliance.
Storage Gateway types (Cont’d)
• Gateway-Stored Volumes
- Store all the data locally (on-premises) in storage volumes.
- The gateway periodically takes snapshots of the data as incremental backups and stores them in S3.
Storage Gateway types (Cont’d)
• Gateway-Cached Volumes
- Create storage volumes and mount them as iSCSI devices on on-premises servers.
- The gateway stores the data written to the volume in Amazon S3 as point-in-time snapshots and caches frequently
accessed data on-premises in the storage device.
Storage Gateway types (Cont’d)
• Tape Gateway
- A cloud virtual tape library that writes to Glacier.

- Used for archiving data.


Demo
File Gateway
Lab Architecture
Step 1:
Create an S3 bucket that will be configured as the target of our Storage Gateway appliance.
Step 2:
Storage File Gateway setup
- Download the OVA file of the File Gateway.
- Deploy the File Gateway OVA on a vSphere ESXi host.
- Enter a name and provide the downloaded OVA.
- Provide the storage for the appliance.
- Configure NAT mapping and disk provisioning.
- Complete the deployment.
- After the new appliance is deployed, modify it to add a new 150 GB disk for the cache.
- Back in the Storage Gateway console, add the local gateway appliance's IP address.
- Configure the appliance gateway with a time zone and a name.
- Configure the gateway with the cache disk added before.
- To configure the file share, enter the bucket name.
- Review the settings and edit them if required.
- Mount the file share locally from any client.
- Show the shared NFS mount using df -h.
- Test the appliance functionality by adding a new file from the client.
- Then check from the S3 console.


VPC
Virtual Private Cloud
Amazon Virtual Private Cloud (VPC)

Amazon VPC lets you provision a logically isolated section/network of AWS where you can launch AWS resources in a
virtual network that you define. A VPC resembles a corporate data center.
VPC Essentials
• Ability to configure an Internet Gateway to provide a route to the Internet.

• Ability to customize networks: you can have private and public subnets.

• Ability to define custom IP address ranges inside each subnet.

• Extending your corporate/on-premises network to AWS by VPN, as if it were part of your network.

• AWS provides a DNS server for your VPC, so each instance has a hostname.

• Layered security:
• Instance-level Security Groups (firewall at the instance level)
• Subnet-level network ACLs (firewall at the subnet level)
VPC Routing Basics
Internet Gateway:
• An Internet Gateway allows communication between instances and the Internet.

• It is horizontally scaled, redundant and highly available.

• It provides NAT translation for instances that have public IP addresses.

Route tables:
• A route table contains a set of rules (routes) that are used to determine where network traffic is directed.

• You can make any subnet private or public by modifying the routes in its associated route table.
VPC Peering
• VPC peering is used to extend your private network.

• It is used for sharing resources over private IPs.

• VPC peering can be established between 2 VPCs in the same or different regions.

• VPC peering can be configured between 2 different accounts.

• To peer VPCs, they must have separate (non-overlapping) CIDR block ranges.
• You can configure the peering to connect the entire VPC, or just specific subnets.
VPC Peering
VPC Security Basics
• Network ACLs operate at the network/subnet level.

• They support allow AND deny rules for traffic travelling into or out of a subnet.
• They are stateless, so return traffic must be explicitly allowed through an outbound rule.
VPC Security Basics Cont’d
• Security groups provide security at the instance level.

• They support only allow rules.

• They are stateful, so return traffic is allowed regardless of the rules.

• All rules are evaluated before deciding whether to allow traffic.
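The differences listed here and in "Security Group Essentials" (stateful vs. stateless, allow-only vs. allow-and-deny, all-rules-evaluated vs. first-match-by-number) are exactly the ones that bite when a subnet ACL is added to a working setup. The following model is an added example written for this page, not AWS code: it evaluates the same three constructed packets against a security group and against two network ACLs, one of which forgets the outbound ephemeral-port rule that return traffic needs. Addresses, ports and rule numbers are constructed.

```python
"""Added model of the two VPC firewall layers: a stateful, allow-only security
group versus a stateless, ordered, allow/deny network ACL. Illustration only,
not AWS code; addresses, ports and rule numbers are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp", "udp", ...
    direction: str   # "in" or "out", relative to the instance / subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "-1" matches any protocol
    port_from: int
    port_to: int
    cidr: str               # source for inbound rules, destination for outbound rules
    action: str = "allow"   # security groups only ever have "allow"
    number: int = 0         # NACL evaluation order; unused by security groups


def rule_hits(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's direction, protocol, destination port range and CIDR cover the packet?"""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "-1" and rule.proto != pkt.proto:
        return False
    if not rule.port_from <= pkt.dport <= rule.port_to:
        return False
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr, strict=False)


class SecurityGroup:
    """Stateful: every rule is evaluated, any allow wins, and a reply to an
    allowed flow passes without needing a rule in the other direction."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = [r for r in rules if r.action == "allow"]   # there is no deny rule to write
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def permit(self, pkt: Packet) -> bool:
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.flows:          # connection tracking: reverse of a tracked flow
            return True
        if any(rule_hits(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


class NetworkAcl:
    """Stateless: rules are checked lowest number first, the first match decides,
    and no match means the implicit deny."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)

    def permit(self, pkt: Packet) -> bool:
        for r in self.rules:
            if rule_hits(r, pkt):
                return r.action == "allow"
        return False


def demo() -> dict:
    web = "10.0.1.10"                                   # constructed: HTTPS server in the subnet
    client, bad_client = "203.0.113.5", "198.51.100.7"  # constructed documentation addresses
    request = Packet(client, 51515, web, 443, "tcp", "in")
    reply = Packet(web, 443, client, 51515, "tcp", "out")
    blocked = Packet(bad_client, 40000, web, 443, "tcp", "in")

    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])
    nacl_rules = [
        Rule("in", "tcp", 0, 65535, "198.51.100.0/24", "deny", number=90),   # deny wins: lower number
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", "allow", number=100),
        Rule("out", "tcp", 443, 443, "0.0.0.0/0", "allow", number=100),     # wrong port for replies
    ]
    nacl_missing_ephemeral = NetworkAcl(nacl_rules)
    nacl_fixed = NetworkAcl(nacl_rules + [Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", "allow", number=110)])
    return {
        "sg_request": sg.permit(request),
        "sg_reply_without_outbound_rule": sg.permit(reply),
        "sg_cannot_deny_bad_client": sg.permit(blocked),
        "nacl_request": nacl_missing_ephemeral.permit(request),
        "nacl_reply_missing_ephemeral_rule": nacl_missing_ephemeral.permit(reply),
        "nacl_reply_after_fix": nacl_fixed.permit(reply),
        "nacl_denies_bad_client": nacl_fixed.permit(blocked),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:36} {v}")
```

Two things the run makes concrete: the security group lets the reply out with no outbound rule at all because it tracked the inbound flow, while the ACL drops the very same reply until an outbound rule covering ephemeral ports (1024-65535) is added; and only the ACL can block the unwanted /24, since a security group has nothing but allow rules.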


CloudWatch Service
CloudWatch Basics

• Real-time monitoring of your AWS resources.

• Repository of metrics (AWS-provided and custom).
• Metrics are data points related to resources and applications.
• Examples:
- CPU utilization on EC2.
- ELB metrics such as request count.

• Metrics can be graphed and compared.

• These graphs can be configured as widgets and added to dashboards.


CloudWatch Alarms

• CloudWatch alarms allow the system administrator to be notified when certain thresholds are met on metrics.
• Three states of an alarm:
- OK: the metric is within the normal range.
- ALARM: the threshold has been exceeded.
- INSUFFICIENT_DATA: there is not enough data to evaluate the state.
• The main components of an alarm configuration:
- Metric: the data we are measuring.
- Threshold: the point at which we want some type of notification.
- Period: the defined amount of time before notification.
- Action: what to do when the alarm changes state.
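The three alarm states and the four configuration components above can be put together in a few lines. The following is an added, simplified model written for this page, not CloudWatch's evaluator: a metric is a sequence of one datapoint per period, `None` meaning the metric reported nothing, missing data is treated as insufficient, and the alarm enters ALARM only when every datapoint in the last N periods breaches the threshold. The CPU samples are constructed.

```python
"""Added illustration of the alarm state machine on the slide (OK / ALARM /
INSUFFICIENT_DATA with metric, threshold, period and action). A simplified
model, not CloudWatch's evaluator: None = no datapoint reported for that
period, and missing data is treated as insufficient. Samples are constructed."""
from typing import List, Optional, Sequence, Tuple

OK, ALARM, INSUFFICIENT = "OK", "ALARM", "INSUFFICIENT_DATA"

COMPARISONS = {
    ">": lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
}


def evaluate_alarm(datapoints: Sequence[Optional[float]], threshold: float,
                   evaluation_periods: int, comparison: str = ">") -> List[str]:
    """State of the alarm after each period. ALARM requires every datapoint in the
    last `evaluation_periods` periods to breach the threshold."""
    breaches = COMPARISONS[comparison]
    states: List[str] = []
    for i in range(len(datapoints)):
        window = datapoints[max(0, i - evaluation_periods + 1): i + 1]
        present = [d for d in window if d is not None]
        if len(present) < evaluation_periods:       # too few datapoints to judge
            states.append(INSUFFICIENT)
        elif all(breaches(d, threshold) for d in present):
            states.append(ALARM)
        else:
            states.append(OK)
    return states


def transitions(states: Sequence[str], initial: str = INSUFFICIENT) -> List[Tuple[int, str]]:
    """(period index, new state) for each state change: the points where the
    alarm's action (an SNS notification, an Auto Scaling policy, ...) would fire."""
    out, current = [], initial
    for i, s in enumerate(states):
        if s != current:
            out.append((i, s))
            current = s
    return out


# Constructed: CPUUtilization (%) sampled once per 5-minute period; None = no data reported.
CPU_SAMPLES = [None, 30.0, 45.0, 85.0, 90.0, 95.0, 40.0, 35.0]


def demo() -> Tuple[List[str], List[Tuple[int, str]]]:
    """Alarm at CPU > 80% for 3 consecutive periods, run over the sample."""
    states = evaluate_alarm(CPU_SAMPLES, threshold=80.0, evaluation_periods=3)
    return states, transitions(states)


if __name__ == "__main__":
    states, changes = demo()
    for period, (cpu, state) in enumerate(zip(CPU_SAMPLES, states)):
        print(f"period {period}: cpu={cpu} state={state}")
    print("actions fire at:", changes)
```

Note that the single 85% reading in period 3 does not raise the alarm; three consecutive breaching periods are needed, which is the trade-off the "Period" component expresses between fast notification and noise.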
CloudWatch Events

• CloudWatch Events are similar to alarms, but instead of configuring thresholds, Events match event patterns and use
targets to react.

• Examples:

- Sharing an EBS snapshot triggers a Lambda function or an SNS topic.

- Accessing specific files sends a notification.


IAM
Identity and Access
Management
IAM
• IAM (Identity and Access Management) is where you manage AWS users, groups and roles and their access to AWS
accounts and services.
• IAM is a globally scoped service, which means it is not associated with a specific region.
• IAM is commonly used to manage:
• Users
• Groups
• Policies
• API keys
• Password policies as well as MFA
IAM
IAM Policy
• A Policy is a document that states one or more permissions.
• IAM provides pre-built policy templates to assign to users/groups, such as:
• Administrator access
• Power user access
• Read-only access
• You can also create custom policies using the visual editor or by writing them from scratch.
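What "a document that states one or more permissions" means in practice is decided by how the statements are evaluated against a request. The following evaluator is an added, simplified example written for this page, not AWS's engine: it handles `Effect`, `Action` and `Resource` with `*`/`?` wildcards, applies the rule that an explicit Deny overrides any Allow and that anything not allowed is implicitly denied, and leaves out conditions, `NotAction`/`NotResource`, resource-based policies, permission boundaries and SCPs. The two policy documents and the bucket names are constructed; the read-only one is the shape of the template the slide mentions.

```python
"""Added illustration of how IAM policy documents are evaluated against a
request; written for this page, not AWS's evaluator. Covers Effect, Action and
Resource with * and ? wildcards: explicit Deny > Allow > implicit deny.
Conditions, NotAction/NotResource, resource policies, boundaries and SCPs
are out of scope. Bucket names are constructed."""
import fnmatch
from typing import Any, Dict, List


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/Resource/Statement be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str, case_sensitive: bool) -> bool:
    """Wildcard match; fnmatch's * and ? behave like IAM's (the [] form is never used in ARNs)."""
    for p in _as_list(patterns):
        pat, val = (p, value) if case_sensitive else (p.lower(), value.lower())
        if fnmatch.fnmatchcase(val, pat):
            return True
    return False


def is_allowed(policies: List[Dict[str, Any]], action: str, resource: str) -> bool:
    """Identity-based evaluation: any matching Deny wins immediately, otherwise any
    matching Allow grants, otherwise the request is implicitly denied.
    Action names are case-insensitive; resource ARNs are not."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


# Constructed policies: a read-only S3 policy and a custom Deny carving one bucket out of it.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
DENY_SECRETS_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-secrets", "arn:aws:s3:::example-secrets/*"],
    }],
}


if __name__ == "__main__":
    both = [READ_ONLY_S3, DENY_SECRETS_BUCKET]
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-public/index.html"),
                     ("s3:PutObject", "arn:aws:s3:::example-public/index.html"),
                     ("s3:GetObject", "arn:aws:s3:::example-secrets/key.pem")]:
        print(f"{act:14} {res:45} -> {'allow' if is_allowed(both, act, res) else 'deny'}")
```

The Deny statement is the reason to attach both documents rather than editing the Allow: a later, broader Allow (say, an administrator template) still cannot reach the secrets bucket while the Deny is attached.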
IAM Role
• A Role is something that another entity can “assume”, and in doing so acquire the temporary permissions defined by
the role.

• Entities that can assume a role include:

• AWS services
• Federated users (Active Directory, LDAP, or web identity)
• IAM users/groups

• Roles must be used because policies cannot be attached directly to AWS services.
IAM Access Key
• API access keys are used to sign programmatic requests to AWS. They are required to make calls to AWS from:
• The AWS Command Line Interface (CLI)
• Tools for Windows PowerShell
• The AWS SDKs
• Direct HTTP calls using the APIs
• Example:
IAM Security Token Service (STS):
• STS allows you to create temporary security credentials that grant trusted users access to your AWS resources.

• These temporary credentials are for short-term use, with a configurable session duration between 15 minutes and
36 hours.
ECS
EC2 Container Service
Container Basics
• A container is a unit that contains an application together with the libraries, runtime and file system required
to run it.

• Containers run on a container engine that generally runs within a single OS such as Linux.

• Containers provide the isolation benefits of virtualization, but are more lightweight, allowing faster starts and
denser packing within a host.
Container Basics (cont’d)
A popular container engine is Docker, and it is the basis of ECS.
Docker image
• A Docker image contains everything needed to run an application as a container. This includes:
- code
- runtime
- libraries
- environment variables
- configuration files

The image can then be deployed to any Docker environment and executed as a container.
Docker hub
• Docker Hub is the world's largest library and community for container images.

• Images pulled from Docker Hub are saved locally on the Docker host.

• A Docker Registry is a local repository for Docker images.


Docker file
• Docker can build images automatically by reading the instructions from a Dockerfile.

• A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble
an image.
Amazon ECS Cluster
• ECS is a managed container engine. It allows Docker containers to be deployed and managed within AWS environments.
ECS can use infrastructure clusters based on EC2, or Fargate, where AWS manages the backing infrastructure.
Amazon ECS Cluster
• A logical group of EC2 instances onto which you can place containers.

• Can use on-demand, spot, or reserved EC2 instances.

• Can include different EC2 instance types.

• The EC2 instances are linked via a VPC.

• The ECS Agent is installed on each EC2 instance in the cluster to communicate with the Docker daemon and manage the
state of the containers.
Amazon ECS Cluster
1- EC2 Mode
Amazon ECS Cluster
2- Fargate Mode
Amazon ECS Definition
ECS Demo
1- Create Cluster
2- Create Task Definition
3- Run new Task
