
Build on AWS: Building & Modernizing

Brent Maxwell
Partner Solutions Architect, APAC, AWS
Be Agile: SaaS Reference Architecture Landscape
Modernising your applications

• Go Service Oriented Architecture (& to microservices and beyond!)
• Modernize with containers
• Build with DevOps
• Offload security considerations
Scaling on monolithic vs SOA applications

[Diagram: a monolithic application bundles Order UI, User UI and Shipping into one deployable that must scale as a whole, whereas the SOA version scales Order Service, User Service and Shipping Service independently]
Characteristics of Service Oriented Architectures
• Decentralized
• Polyglot
• Do one thing well
• Independent
• Black box
• You build it, you run it

Containers are Natural for SOA
• Simple to model
• Any app, any language
• Image is the version
• Test & deploy same artifact
• Stateless servers decrease change risk
Amazon ECS
• Fully managed, elastic service – you don’t need to run anything, and the service scales as your microservices architecture grows
• Shared state optimistic scheduling
• Integration with Amazon CloudWatch for monitoring and logging
• Integration with AWS DevOps services for continuous integration and delivery (CI/CD)
Deploying Containers on ECS – Choose a Scheduler

Batch Jobs (monthly reporting, consolidated shipping): ECS task scheduler
• Run tasks once
• Batch jobs
• RunTask (random placement)
• StartTask (explicit placement)

Long-Running Apps (CRM web interface, content management module): ECS service scheduler
• Health management
• Scale-up and scale-down
• AZ aware
• Grouped containers
Example Architecture on ECS

[Diagram: Amazon Route 53 in front of an Application Load Balancer that fronts the ECS clusters; the services use Amazon RDS, Amazon API Gateway*, Amazon IAM, Amazon CloudWatch and Amazon ECR]
Automatic Service Scaling

[Diagram: an ECS service (Order Module, Reporting Module) spread across Availability Zone A and Zone B behind an Application Load Balancer; tasks publish metrics to Amazon CloudWatch, and scaling policies add or remove ECS tasks in response]
Blue-Green Deployments

[Diagram: a Route 53 record set with a weighted routing policy shifts traffic between the two task sets, e.g. 100% to one and 0% to the other]
Service Discovery with Route 53 and Application Load Balancers

[Diagram: Route 53 resolves PandaCRM.com to an Application Load Balancer; path-based rules send PandaCRM.com/report and PandaCRM.com/order to separate target groups (OAuth, Reporting, Portal), whose members are container ports (8080, 8081, 8090, 8001, 8002) on ECS cluster instances i-aaa, i-bbb and i-ccc]
What about DevOps?

The DevOps Stack
• Continuous Integration
• Continuous Deployment
• Agile Delivery Pipelines
• Deployment Automation
• Automated Testing
• Configuration Management
• Communication
DevOps Practices
• Infrastructure as code
• Application and Infrastructure version management
• Test Automation
• Monitoring and logging
• Continuous Integration/Deployment
Release process levels

Stages: Source → Build → Test → Production

• Continuous integration
• Continuous delivery
• Continuous deployment
DevOps Stack on AWS

Stages: Code → Build → Test → Deploy → Provision → Monitor
• AWS CodePipeline orchestrates the stages
• Code: AWS CodeCommit
• Build: AWS CodeBuild
• Deploy: AWS CodeDeploy
• Deploy/Provision: AWS Elastic Beanstalk, AWS OpsWorks, AWS Elastic Container Service, AWS CloudFormation
• Monitor: Amazon CloudWatch
Where do I go from here?
• Collect Metrics. Graph anything that moves
• Log everything, Centralize logging, Log Analytics
• Infrastructure as Code
• Automated configuration management
• One click environment creation
• CI-CD pipelines
• Automated testing
We have a strong partner list, and it’s growing

[Partner logos grouped by pipeline stage: Source, Build, Test, Deploy; *beta]
Continuous Deployment

1. Commit code to AWS CodeCommit
2. Trigger the pipeline in AWS CodePipeline
3. Build the artifact with AWS CodeBuild
4. Push the image to Amazon ECR
5. Update the stack with AWS CloudFormation
6. Update the Amazon ECS service (running on Spot Instances)
Don’t forget security

Beyond the Front Door
• Tenant Provisioning
• Access Roles
• Tenant Security & Isolation
• Injecting Tenant Context
First, We Need A Tenant

[Diagram: tenant on-boarding feeds tenant provisioning (domain provisioning, SSL certificate), billing management and an identity broker that registers the tenant’s users with the identity provider and attaches an IAM policy]

New tenant record:
• TenantID: 491048735
• Domain: abc.pandacrm.com
• Tier: Platinum
• Status: Active

User bound to the tenant:
• User: bob@abc.com
• TenantID: 491048735
Key Tenant Provisioning Considerations
• Find a seamless model for binding tenant to identities
• Consider fault tolerance for 3rd party integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
Identity & Isolation: Many Levels, One Goal

[Diagram: Full Stack Isolation gives Tenant 1 and Tenant 2 their own web and app tiers; Resource-Level Isolation shares the tiers but keeps each tenant’s resources separate; Application-Level Isolation keeps tenants apart inside shared tiers and data stores]
IAM Policies Scope Tenant Access

[Diagram: the web and app tiers are shared; a Tenant1 Access Policy and a Tenant2 Access Policy scope each tenant to its own data in CustomerTable and to its own bucket, T1-Bucket or T2-Bucket]
Binding Policies to Tenants

[Diagram: the web application authenticates the tenant user through an identity broker and identity provider; the resolved identity is exchanged with AWS Security Token Service (STS) for temporary credentials in the AWS cloud]
• Acquire token with tenant-scoped access
• Leverage a temporary token
• No need for separate AWS identity
Key Security & Isolation Considerations
• Applying isolation may require a hybrid of AWS and application strategies
• Avoid having separate IAM users for each tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and automation impacts of managing access policies
• Let IAM enforce your tenant level scoping
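As an added example (not from the deck), here is how a tenant-scoped session policy like the Tenant1/Tenant2 access policies above can be built for STS and then tested automatically, which is what "automate testing of isolation policies" amounts to in practice. The CustomerTable and "<tenant>-bucket" naming, the convention that the partition key is the tenant id, and the small `allows` evaluator are assumptions for illustration.

```python
import fnmatch
import json
from typing import Optional

# CustomerTable and the "<tenant>-bucket" naming follow the slide labels; the
# convention that each item's partition key is the tenant id is assumed here.
def tenant_scoped_policy(tenant_id: str) -> dict:
    """Session policy that confines a temporary credential to one tenant's data."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantRowsOnly",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": "arn:aws:dynamodb:*:*:table/CustomerTable",
                # every partition key touched must equal this tenant's id
                "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}},
            },
            {
                "Sid": "TenantBucketOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{tenant_id}-bucket/*",
            },
        ],
    }

def sts_policy_param(tenant_id: str) -> str:
    # Serialized form for the Policy argument of sts.assume_role(...) or
    # sts.assume_role_with_web_identity(...); the STS call is left out so this runs offline.
    return json.dumps(tenant_scoped_policy(tenant_id))

def allows(policy: dict, action: str, resource: str, leading_key: Optional[str] = None) -> bool:
    """Tiny evaluator for the statement shapes above (not IAM's full semantics):
    allow if an Allow statement matches action and resource and, when it carries
    a LeadingKeys condition, the partition key of the item being accessed."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        keys = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {}).get("dynamodb:LeadingKeys")
        if keys is not None and leading_key not in keys:
            continue
        return True
    return False
```

The negative checks (tenant T1's policy refusing T2's rows and T2's bucket) are the isolation tests worth wiring into CI each time a policy template changes.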
Applying Tenant Context

JWT token issued to the tenant user:
{
  UserID: "bob@abc.com",
  Role: "Admin",
  TenantID: "93194942"
}

[Diagram: the homepage calls the Auth Service, Catalog Service, Cart Service and Tenant Service with Authorization: Bearer <JWT>; each service applies its own access control using the tenant context carried in the token]
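As an added example (not from the deck), an HS256 JWT carrying the UserID, TenantID and Role claims above: the identity broker mints it, and each service verifies the signature, algorithm and expiry before it trusts the tenant context for access control. The signing key, the `issue_token`/`tenant_context` names and the 15-minute lifetime are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real broker loads it from its key store, never from source.
BROKER_KEY = b"example-broker-signing-key"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, tenant_id: str, role: str, key: bytes = BROKER_KEY, ttl: int = 900) -> str:
    """Identity broker side: mint an HS256 JWT that carries the tenant context."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"UserID": user_id, "TenantID": tenant_id, "Role": role, "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def tenant_context(authorization: str, key: bytes = BROKER_KEY) -> dict:
    """Service side: verify the bearer token and return only the claims a
    downstream service may trust. Raises ValueError for anything unverifiable."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")  # covers any edit to the TenantID claim
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return {k: claims[k] for k in ("UserID", "TenantID", "Role")}
```

A service should derive its tenant scoping only from the dict this returns, never from a TenantID supplied in the request body or query string.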
SaaS Identity Flow

[Diagram: the web application authenticates the tenant user via an identity broker, identity provider and multi-factor authentication; the resulting token carries UserID: bob@abc.com, TenantID: "93194942", Role: "Admin", and an IAM policy scopes the session in the AWS cloud]
SaaS Identity Considerations
• SaaS identity is bigger than authentication
• Use identity broker pattern to decouple from identity providers
• Leave the heavy lifting, risk, and innovation to someone else
• Automate role and policy provisioning/management
• Add tenant context to identity token to limit bottlenecks
Recap: Be Agile

Elastic Container Services helps modernize applications in SOA.

With DevOps and offloading identity, AWS services provide the agility needed in the SaaS world.
Takeaways
• Modernize the app with SOA on ECS
• DevOps with AWS Code* services for agility
• Offload SaaS identity and focus on app innovation
THANK YOU
