




AWS Cloud Computing Solution Discussion

China Startup Customers / China Enterprise Customers (customer logo slide)

AWS Rapid Pace of Innovation
- Services shown (as of 1 Feb 2016): AWS Direct Connect, AWS Elastic Beanstalk, GovCloud, Amazon CloudTrail, CloudHSM, WorkSpaces, Amazon Kinesis, Amazon AppStream, Amazon SNS, Identity & Access Management, Amazon Route 53, AWS Import/Export, Amazon SWF, Redshift, DynamoDB, CloudSearch, AWS Data Pipeline, AWS Certificate Manager, AWS KMS, Amazon Config, Amazon RDS for Aurora, WorkDocs, Directory Service, CodeCommit, AWS CodePipeline, AWS Service Catalog, CloudWatch Logs, Amazon EFS, Amazon API Gateway, Amazon Machine Learning, AWS Device Farm, AWS WAF, Elasticsearch Service, QuickSight, Import/Export Snowball, RDS for MariaDB, Amazon Inspector, AWS IoT, EC2 Container Registry, Amazon ElastiCache, AWS CloudFormation, Mobile Analytics, AWS Mobile Hub, AWS Storage Gateway, AWS OpsWorks, Elastic Transcoder, Amazon SES, EC2 Container Service, Amazon Cognito, AWS CodeDeploy, Glacier, Amazon WorkMail, Lambda.
- Service layers: Infrastructure (Region, AZ, Edge Locations); Core Services (Compute, Storage, Network, Database); Administration & Security (ID, Access, Auditing, Key, Monitoring & Logs); Analytics; Application; Developer Tools; Mobile; IoT; Gaming.
- (chart: new features and services launched per year, 2009 to 2015)
- AWS has been continually expanding its services to support virtually any cloud workload and now has more than 50 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile. AWS has launched a total of 54 new features and/or services year to date*, for a total of 1,950 new features and/or services since inception in 2006. (* as of 1 Feb 2016)

Breadth and Depth of Services
- Administration & Security: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Resource & Usage Auditing.
- Platform Services:
  - Analytics: Data Pipelines; Data Warehouse; Hadoop; Real-time Streaming Data.
  - Developer Tools & Operations: Application Lifecycle Management; Containers; Deployment; DevOps; Event-driven Computing; Resource Templates.
  - Mobile Services: Identity; Mobile Analytics; Push Notifications; Sync; App Streaming.
  - App Services: Email; Queuing & Notifications; Search; Transcoding; Workflow.
- Core Services: CDN; Compute (VMs, Auto-scaling & Load Balancing); Databases (Relational, NoSQL, Caching); Networking (VPC, DX, DNS); Storage (Object, Block and Archival).
- Infrastructure: Availability Zones; Points of Presence; Regions.
- Enterprise Applications: Business Email; Sharing & Collaboration; Virtual Desktop.
- Technical & Business Support: Account Management; Partner Ecosystem; Professional Services; Security & Pricing Reports; Solutions Architects; Support; Training & Certification.

Stages of Enterprise Cloud Adoption
- Stage 1: Migration with IaaS and key PaaS.
- Stage 2: Optimization for cloud architecture; operation automation; security / log / audit services.
- Stage 3: More PaaS integration; DevOps.

Qantas Operates In-Flight Application with Near 100% Availability Using AWS
- Founded in 1920, Qantas is Australia's largest domestic and international airline.
- The airline wanted to develop an in-flight application that would aggregate and present passenger information to cabin crew.
- By developing the application on AWS, Qantas can quickly and inexpensively provide cabin crew with insights into customer needs and wants.

Tigerair Uses AWS to Process More than 50 Transactions a Second
- Tigerair is a Singapore-based budget airline that carries more than 5 million passengers a year.
- "AWS represents a scalable, low-risk opportunity, and we have earmarked it as our platform of choice." (Mark Lim, Head of IT Operations, Tigerair)
- Needed to run passenger reconciliation and flight operations software more quickly.
- Recreated entire network environment in the AWS Cloud, with Amazon S3 used for storage.
- Processes more than 50 transactions per second.
- Capable of processing 90 percent of passengers at Singapore's Changi Airport in approximately ten minutes or less.
- Reports that it spends 40 percent less than it would on a comparable physical infrastructure.

Boxever Uses AWS to Enable Real-time Processing of Hundreds of Millions of Events Daily
- Boxever's customer intelligence platform for the travel industry enables retailers to analyze large volumes of customer data in real time.
- "We can comply with security regulations worldwide, in part because of the best practices from AWS." (Alan Giles, CTO, Boxever)
- Needing to process and store an increasingly large data set securely, the company turned to AWS.
- Now Boxever uses AWS for real-time and batch processing, encrypting and storing data on AWS.
- Reduced time to provision servers from months to minutes; enabled global presence; provided real-time processing capability.

AWS Services Overview: Mapping Traditional IT to AWS Services

Introduction to Hybrid IT Architecture
- Source: /technology/research/technical-professionals/hybrid-cloud.jsp
- Definition of hybrid IT architecture: "Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome."
- Build, Deliver, Services, Business Outcomes, Solutions (diagram).
- Concerns of hybrid IT architecture: cloud apps; on-premise apps; private network; workload migration; access control; management integration; physical data center.

AWS Shared Responsibility Model
- AWS: physical security of the infrastructure; server platform; storage platform; network platform; virtualization layer.
- Customer: operating system; applications; account management; security group firewall; network configuration.
- Together these satisfy the customer's audit and compliance requirements, governance and risk management requirements, information security and data security.

Private Network Extension
- Physical data center connected to the AWS Virtual Private Cloud (AWS VPC) over AWS Direct Connect or IPSec VPN.

Building a Virtual Private Cloud with AWS VPC
- Virtual Private Cloud (VPC); Subnets; Route Tables; Security Groups; Network Access Control Lists (NACL); Virtual Private Gateway; Internet Gateway; Elastic IPs and Load Balancers; AWS Direct Connect.
- Reference diagram: VPC /16 in an AWS region. Public Subnet /24 with three Web Servers (EIP) and a NAT instance (EIP); Private Subnet /24 with three DB Servers. Internet reached through an Internet Gateway; the customer data center network (/16) reached through a VPN Gateway; Amazon EC2 and Amazon S3 API endpoints.
  - Custom Route Table (public subnet): /16 -> local; 0.0.0.0/0 -> Internet Gateway.
  - Main Route Table (private subnet): /16 -> local; /8 -> Virtual Private Gateway; 0.0.0.0/0 -> NAT Instance.
- AWS Direct Connect: Private Fiber Connection from the customer data center to an AWS Direct Connect Location; one or multiple pipes of 50-500 Mbps, 1 Gbps or 10 Gbps; a Private Virtual Interface (PVI) connects to the VGW on a VPC, 1 PVI per VPC; 802.1Q VLAN Tags isolate traffic across AWS Direct Connect. Example VPCs: Public/Marketing Web; Internal Enterprise Apps; Dev and Test envs; Analytics (Redshift, EMR).

Compute Workload Scaling, VM-granular
- Your data center extended with EC2 VMs in an Auto Scaling group behind ELB Elastic Load Balancing.
- User-defined network; logical network isolation; dynamic horizontal scaling; VM Import.
- Dedicated Instance & Dedicated Host: physically isolated single-tenant infrastructure; automatic capacity scaling for VMs and physical machines.

Compute Workload Scaling, Container-granular
- Your data center running Docker on VM/PM, extended with the ECS container service; automatic capacity scaling; ELB provides service discovery.
- ECS: Docker management software; tasks and services (a Task defines the unit of work, a Service defines how it runs); Docker tool support; Container Partners (/containers/partners/) for end-to-end management, orchestration, logging, monitoring and DevOps.

Storage Extension and Backup
- Object storage (S3) with client-side and server-side encryption.
- Block storage (EBS): a single volume up to 16 TB and 20,000 IOPS.
- AWS Storage Gateway; private encryption key management with CloudHSM; Glacier archival storage.

Operations Management Integration
- Integrating AWS into operations: AWS CloudWatch provides real-time monitoring of AWS resources, accepts custom metrics, and creates and responds to alarms; AWS SNS can be integrated with the physical data center's alerting system.
- Existing management tools still apply (they can be installed on EC2); some tools are already integrated with the AWS API; AWS fits smoothly into established operations management processes.

Automated Deployment and Management Services
- Amazon CloudWatch: monitor resources.
- AWS IAM (Identity & Access Mgmt): manage users, groups & permissions.
- AWS OpsWorks: Dev-Ops framework for application lifecycle management.
- AWS CloudFormation: templates to deploy & manage.
- AWS Elastic Beanstalk: automate resource management.
- Applies to Web App, Enterprise App and Database tiers.

Security Throughout
- VPC / private network / VPN; security group firewall; data encryption; IAM identity and access management; security logs; AWS Trusted Advisor; Security Groups; private subnets.

Disaster Recovery in Hybrid IT
- Common DR architectures: Backup and Restore; Pilot Light; Warm Standby; Multi-Site. Each architecture differs from the other in terms of RTO, RPO and cost.
- Backup and Restore: create instances from AMIs; restore data from backups.
- Pilot Light Architecture: create instances from AMIs.
- Warm Standby Architecture.
- Multi-site Architecture.

Ubiquitous Logging: Boeing Digital Airline Project Overview
- Cloud enabled; elastic; scalable; Software as a Service.
- Business Drivers: monetizing; monitoring; application development optimization.
- Technical Drivers: Integrated Development Environment; horizontal integration of development and management; governance; SOA; publish/subscribe model; Data/Functions/Visualization; internal/external services models; Message Oriented Middleware; Enterprise Service Bus; Global Registry; Global Security; load balanced.
- Secure: VPC perimeter security; VPC to VPC Peering; intra-VPC security; logging and auditing.

Defense in Depth
- Starts with the account governance and network design.
- Ends with proactive monitoring and adaptive intrusion prevention: ELK.

ELK Objectives
- De-clutter all of the logs.
- Associate server and application log information.
- Provide runtime and configuration management auditability.
- Develop alerts to provide proactive monitoring against threat patterns.
- Logstash: filtering; ElasticSearch: indexing; Kibana: visualization.

Logging ELK Deep Dive
- Log shipping via an Amazon SQS queue into an Auto Scaling Group of Logstash Indexers.
- Auto Scaling Groups for ElasticSearch and Kibana behind Internal Elastic Load Balancing; an Auto Scaling Group of Reverse Proxies terminates HTTPS traffic and forwards HTTP traffic.
- CloudWatch Alarms drive the Scale Up and Scale Down alarms.
- Resulting in: near real-time security tracking/analysis; expedited root cause analysis activities; streaming ingest of log data every 5 seconds; security tie-ins from application to networking to infrastructure; dynamic correlation of data within a single location resulting in quicker RCA activities; immediate validation of security incident remediation; segregation of duties for threat analysis vs. operational configuration/support.

Mechanized Asset Management
- Build integrations to enterprise asset systems using Describe APIs.
- Infrastructure deployment code and environment templates become the new CMDB CI.
- Reliance on logging, tagging and metadata replaces individual servers as CIs.
- Unreliable connections between "hard" and "soft" data are eliminated.

Security Management Layer
- Separate AWS account or Amazon VPC.
- Use of Amazon VPC peering to create shared security services; can be done with subnets.
- Reuse of centralized security tools (proxies, WAF, logging infrastructure, authentication services); peer review.

Security Management Layer Using VPC Peering
- Shared infrastructure security services moved to a Services VPC (AD, DNS, Monitoring, Logging).
- 1 to 1 peering = app isolation; Security Groups and NACLs still apply; Security Groups remain bound to a single VPC.
- Diagram: within one AWS region, a public-facing web app, internal company apps #1 to #4, internal company Dev and QA VPCs each peered to the Services VPC; an HA pair of VPN endpoints connects the company data center.

Reduced Reliance on Long-term, Privileged Access
- AssumeRole APIs baked into the heart of developer behavior, federation and cross-account governance; use SAML 2.0.
- Just-in-time access: use APIs to only open up the network for management when necessary. Change and break/fix ticketing executes scripts to build bastions or open up Security Groups upon approval or stage.

Cross-functional DevSecOps Teams
- Starting with virtual or matrix teams focused on bringing security functions into the engineering and delivery of applications. Not a side job, but a real day job.
- Dedicated teams focused on automation and shorter release iterations.
- Shared infrastructure teams focus on consistency, tenancy, and proper isolation between application developer teams.
- Version Cont
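The deck's just-in-time access bullet (ticketing that opens a Security Group on approval and closes it again) as an added Python example, not code from the deck or from AWS. The four-hour cap, the management-port list, the Ticket fields and the demo clock are assumptions; the dict shape is the IpPermissions form accepted by boto3's ec2.authorize_security_group_ingress and revoke_security_group_ingress.

```python
"""JIT network access from an approved change ticket: build a time-boxed security-group
rule and find it again after expiry.  Added example, not the deck's or AWS's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

MAX_WINDOW = timedelta(hours=4)   # assumed policy cap on a single JIT window
ALLOWED_PORTS = {22, 3389}        # assumed: management ports only
NOW = datetime(2016, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed demo clock

@dataclass
class Ticket:
    ticket_id: str        # change or break/fix ticket reference
    approved: bool
    requester_cidr: str   # source to admit; must be /24 or narrower
    port: int
    minutes: int          # requested window length

def build_ingress(ticket: Ticket, now: datetime) -> dict:
    """IpPermissions entry for ec2.authorize_security_group_ingress; expiry rides in Description."""
    if not ticket.approved:
        raise PermissionError(f"{ticket.ticket_id}: not approved")
    if ticket.port not in ALLOWED_PORTS:
        raise ValueError(f"{ticket.ticket_id}: port {ticket.port} is not a management port")
    net = ip_network(ticket.requester_cidr, strict=True)
    if net.prefixlen < 24:
        raise ValueError(f"{ticket.ticket_id}: {net} is broader than /24")
    expires = now + min(timedelta(minutes=ticket.minutes), MAX_WINDOW)
    return {"IpProtocol": "tcp", "FromPort": ticket.port, "ToPort": ticket.port,
            "IpRanges": [{"CidrIp": str(net),
                          "Description": f"jit:{ticket.ticket_id}:expires={expires.isoformat()}"}]}

def expired_rules(rules: list, now: datetime) -> list:
    """JIT rules past expiry, to pass unchanged to ec2.revoke_security_group_ingress."""
    out = []
    for rule in rules:
        for rng in rule.get("IpRanges", []):
            desc = rng.get("Description", "")
            if desc.startswith("jit:") and "expires=" in desc:
                if datetime.fromisoformat(desc.split("expires=", 1)[1]) <= now:
                    out.append(rule)
                    break   # untagged rules (no jit: prefix) are never selected
    return out

def demo() -> dict:
    """Grant a 30-minute SSH window, then look at it from the sweeper's side."""
    rule = build_ingress(Ticket("CHG-1001", True, "203.0.113.10/32", 22, 30), NOW)
    return {"rule": rule,
            "before": expired_rules([rule], NOW + timedelta(minutes=29)),
            "after": expired_rules([rule], NOW + timedelta(minutes=30))}
```

Because the expiry is carried in the rule's own Description, a scheduled sweeper needs no database of what it granted; it lists the group's rules and revokes the tagged ones that have lapsed.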