Domain 1.0 Part 4 – Designing highly available, cost-efficient,
fault-tolerant, scalable systems
Presented by
Chris Williams
Who Am I?
Chris Williams
Enterprise Consultant for GreenPages Solutions
@mistwire
http://mistwire.com
VCAP-DCA5, VCAP-DCD5, VCP4-6
MCSE
AWS-SA Associate
vExpert 2016
VTUG Leader
vBrownBag Host (and now presenter!)
Why AWS Certification?
http://www.forbes.com/sites/louiscolumbus/2016/02/21/15-top-paying-it-certifications-in-2016-aws-certified-solutions-architect-leads-at-125k/#65dd81fa6702
Study Material
• Review the exam blueprint available from Amazon
• AWS QwikLabs
• AWS Associate Exam Whitepapers
• #vBrownBag VPC Private Island for Rent with Sarah Zelechoski
• #vBrownBag IAM with Timothy Patterson
• Chris Williams Study Notes
• Alex Galbraith Study Notes, and Tips & Gotchas
• http://acloud.guru
Objectives
Hybrid IT Architectures
Direct Connect
Storage Gateway
Directory Services
VPC
Direct Connect
Direct Connect
“AWS Direct Connect makes it easy to establish a dedicated network
connection from your premises to AWS. Using AWS Direct Connect, you
can establish private connectivity between AWS and your datacenter,
office, or colocation environment, which in many cases can reduce your
network costs, increase bandwidth throughput, and provide a more
consistent network experience than Internet-based connections.”
Direct Connect
• Slower to provision than a VPN because it’s a physical connection
• Bypasses ISPs in your network path (if you don’t want traffic to traverse the Internet)
• Procure rack space within the facility housing the AWS Direct Connect location & deploy your equipment nearby
• Connect this equipment to AWS Direct Connect using a cross-connect
• Use VLANs (802.1q) so that one connection can access both public (S3) and private (EC2 in a VPC) AWS resources
• Available in:
  • 10Gbps
  • 1Gbps
  • Sub-1Gbps connections, purchased through AWS Direct Connect Partners
Direct Connect
Storage Gateway
Storage Gateway
The AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure. The service allows you to securely store data in the AWS cloud for scalable and cost-effective storage. The AWS Storage Gateway supports industry-standard storage protocols that work with your existing applications. It provides low-latency performance by maintaining frequently accessed data on-premises while securely storing all of your data encrypted in Amazon Simple Storage Service (Amazon S3) or Amazon Glacier.
Storage Gateway
• Popular exam topic
• Connects an on-prem software appliance with AWS storage to provide seamless & secure integration between an org’s on-prem IT environment & AWS storage infrastructure
• Replicates asynchronously, with data backed up to S3 in the form of EBS snapshots
• Data is stored within a single region (user specified)
• Software appliance is supported on VMware or Hyper-V
Types of Storage Gateways
• Gateway-Stored Volumes (cloud is backup)
  • Keep the entire data set on-prem & asynchronously back it up to S3
  • Create storage volumes up to 16TB in size & mount them as iSCSI devices
  • Used for offsite backups (recover locally or from EC2)
  • Constantly replicates changes up to S3 in the form of Amazon EBS snapshots
• Gateway-Cached Volumes (cloud is primary)
  • Only the most frequently accessed data is stored on-prem; the entire data set is stored in S3
  • Using S3 as your SAN array
  • Create storage volumes up to 32TB in size & mount them as iSCSI devices
  • If you lose Internet access, you lose access to your data
• Gateway Virtual Tape Library (VTL)
  • Limitless collection of virtual tapes. VTL = S3, Virtual Tape Shelf = Amazon Glacier
  • Up to 10 virtual tape drives per gateway
  • Exposes an iSCSI interface so popular backup applications (NetBackup, Backup Exec, Veeam, etc.) can point directly at the VTL and replace physical tapes
Directory Services
Directory Services
AWS Directory Service is a managed service offering, providing directories that contain
information about your organization, including users, groups, computers, and other
resources. You can choose from 3 different directory types, including AWS Directory Service
for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD, Simple
AD, and AD Connector. As a managed offering, AWS Directory Service is designed to reduce
management tasks, thereby allowing you to focus more of your time and resources on your
business. There is no need to build out your own complex, highly-available directory topology
because each directory is deployed across multiple Availability Zones, and monitoring
automatically detects and replaces domain controllers that fail. In addition, data replication
and automated daily snapshots are configured for you. There is no software to install and
AWS handles all of the patching and software updates.
https://aws.amazon.com/directoryservice/faqs/
Directory Services
https://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
1. The flow is initiated when a user (let’s call him Bob) browses to the ADFS sample site (https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside his domain. When you install ADFS, you get a new virtual directory named adfs for your default website, which includes this page.
2. The sign-on page authenticates Bob against AD. Depending on the browser Bob is using, he might be prompted for his AD username and password.
3. Bob’s browser receives a SAML assertion in the form of an authentication response from ADFS.
4. Bob’s browser posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml). Behind the scenes, sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.
5. Bob’s browser receives the sign-in URL and is redirected to the console.
Did you notice SAML? Good.
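Step 4 above is where the SAML assertion is turned into AWS credentials. The snippet below is an added illustration (not code from the presentation or from AWS) of what the sign-in endpoint has to pull out of the posted SAMLResponse before it can call AssumeRoleWithSAML: the Role attribute (role ARN / SAML provider ARN pairs) and the RoleSessionName. The assertion, account id and role names are constructed sample values; the XML signature check that AWS performs against the provider metadata is deliberately outside this snippet.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample of the response ADFS returns (signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def parse_aws_saml(saml_response_b64):
    """Decode a posted SAMLResponse and extract the AWS role pairs and session name."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles, session_name = [], None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                # Each value is "role ARN,provider ARN"; AWS accepts either order.
                parts = [p.strip() for p in value.split(",")]
                if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
                    raise ValueError("malformed Role attribute: %r" % value)
                role = next(p for p in parts if ":role/" in p)
                provider = next(p for p in parts if ":saml-provider/" in p)
                roles.append((role, provider))
        elif attr.get("Name") == SESSION_ATTR:
            session_name = values[0]
    if not roles or not session_name:
        raise ValueError("assertion is missing the Role or RoleSessionName attribute")
    return {"roles": roles, "session_name": session_name}


def assume_role_params(saml_response_b64, chosen_role_arn, duration_seconds=3600):
    """Parameters sts.assume_role_with_saml() needs for the role the user selected."""
    parsed = parse_aws_saml(saml_response_b64)
    provider = dict(parsed["roles"])[chosen_role_arn]  # KeyError if role not in assertion
    return {"RoleArn": chosen_role_arn, "PrincipalArn": provider,
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration_seconds}
```

When the assertion lists more than one role, the sign-in page offers the user a choice, and assume_role_params() is what gets built for the role picked.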
Directory Services
https://blogs.aws.amazon.com/security/post/Tx2PC3QQDXJKASD/How-to-Connect-Your-On-Premises-Active-Directory-to-AWS-Using-AD-Connector
1. A user opens the secure custom sign-in page and supplies their Active Directory user name and password.
2. The authentication request is sent over SSL to AD Connector.
3. AD Connector performs LDAP authentication to Active Directory.
Note: AD Connector locates the nearest domain controllers by querying the SRV DNS records for the domain.
4. After the user has been authenticated, AD Connector calls the STS AssumeRole method to get temporary security credentials for that user. Using those temporary security credentials, AD Connector constructs a sign-in URL that users use to access the console.
Note: If a user is mapped to multiple roles, the user will be presented with a choice at sign-in as to which role they want to assume. The user session is valid for 1 hour.
VPC
VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically
isolated section of the Amazon Web Services (AWS) cloud where you can
launch AWS resources in a virtual network that you define. You have
complete control over your virtual networking environment, including
selection of your own IP address range, creation of subnets, and
configuration of route tables and network gateways.
VPC
You can easily customize the network configuration for your Amazon Virtual Private
Cloud. For example, you can create a public-facing subnet for your webservers that
has access to the Internet, and place your backend systems such as databases or
application servers in a private-facing subnet with no Internet access. You can
leverage multiple layers of security, including security groups and network access
control lists, to help control access to Amazon EC2 instances in each subnet.
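The public/private split described above is the custom VPC the exam expects you to know from memory. As an added example (not code from the presentation), the planner below carves one public and one private subnet per Availability Zone out of a VPC CIDR and attaches the two route tables that make the difference: the public table has a default route to an Internet gateway, the private table has only the local route. The igw-/nat- identifiers are placeholders for the ids AWS would return.

```python
import ipaddress

IGW_ID = "igw-PLACEHOLDER"  # placeholder; the real id comes from CreateInternetGateway


def plan_vpc(vpc_cidr, azs, subnet_prefix=24):
    """Carve a public and a private subnet per AZ and assign route tables."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if subnet_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(blocks) < 2 * len(azs):
        raise ValueError("not enough address space for two subnets per AZ")
    route_tables = {
        # Public: local route plus a default route out through the Internet gateway.
        "public": [{"dest": str(vpc), "target": "local"},
                   {"dest": "0.0.0.0/0", "target": IGW_ID}],
        # Private: local route only, so backend hosts have no Internet path at all.
        "private": [{"dest": str(vpc), "target": "local"}],
    }
    subnets = []
    for i, az in enumerate(azs):
        for j, tier in enumerate(("public", "private")):
            subnets.append({
                "az": az,
                "tier": tier,
                "cidr": str(blocks[2 * i + j]),
                "route_table": tier,
                # Only public-subnet instances should get a public IP on launch.
                "map_public_ip_on_launch": tier == "public",
            })
    return {"vpc": str(vpc), "subnets": subnets, "route_tables": route_tables}


def is_internet_facing(plan, subnet_cidr):
    """True if the subnet's route table sends 0.0.0.0/0 to an Internet gateway."""
    subnet = next(s for s in plan["subnets"] if s["cidr"] == subnet_cidr)
    routes = plan["route_tables"][subnet["route_table"]]
    return any(r["dest"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in routes)


if __name__ == "__main__":
    for s in plan_vpc("10.0.0.0/16", ["us-east-1a", "us-east-1b"])["subnets"]:
        print(s["az"], s["tier"], s["cidr"])
```

Adding a NAT gateway route to the private table would give the backend outbound-only access; is_internet_facing() still reports False for it, since only an igw- target makes a subnet reachable from the Internet.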
VPC
Shameless plugs incoming!
• For the exam know how to build a custom VPC from memory
http://mistwire.com/2016/06/aws-how-to-create-a-custom-vpc-with-public-private-subnets/
• Need an AWS account?
http://mistwire.com/2016/05/how-to-get-your-free-aws-account-spin-up-your-first-vm/
• Set up billing alerts (don’t forget this part!)
http://mistwire.com/2016/05/aws-create-billing-alerts-so-that-our-free-account-doesnt-surprise-us/
VPC LIVE DEMO!??!
Thank you
Contact
Locations
Online
Toll Free (800) 989-2989
Direct (207) 439-7310
Fax (207) 439-7334
Headquarters:
33 Badgers Island West
Kittery ME 03904
greenpages.com
greenpages.com/blog
twitter.com/GreenPagesIT
Additional Offices:
Boston MA
New York NY
Alpharetta GA
Tampa FL