In the second installment of our Moving to the Cloud series, we look at the AWS products and services you'll want to review before making the decision to move into their cloud.
In the intro to our Moving to the Cloud series we introduced the value proposition that Amazon Web Services (AWS) provides via its Infrastructure-as-a-Service (IaaS) platform. If you find that the value proposition works for your company, the next step is to review the products and services to see which workloads make sense to move to the AWS cloud. AWS provides a broad spectrum of products and services that fulfil many use cases. In this installment we introduce the major offerings so you can judge whether AWS capabilities will meet your needs.
This post will introduce the four major services that will be critical in your decision to move to the AWS cloud:
- Compute & Networking,
- Storage,
- Database and
- Security & Identity
These are the fundamentals required to move any workload to the cloud. Additional services such as Analytics, Management Tools, Application and Mobile services will be introduced in other posts. Before diving into each of the major services, let's look at AWS IaaS from the big-picture perspective.
AWS has invested, and continues to invest, globally to expand its footprint of facilities so customers can use them as needed to improve performance and availability. AWS defines this footprint using Regions and Availability Zones (AZs), as shown in the diagram below.
Each AWS Region is a collection of data centers and the Availability Zones mapped to those data centers. Each region is physically isolated from the others in terms of networking, power, water usage and location. In addition to giving companies lower latency based on where their users are, regions can also help satisfy compliance and data sovereignty rules.
Each Region currently contains from two to five Availability Zones. Availability Zones are isolated, with separate locations, power and networking, but are connected by low-latency private network links. An Availability Zone may span multiple data centers but never shares one with another AZ. A typical on-premises data center is comparable to running within a single AZ, but with AWS you have the ability to fail over into another AZ, as shown below.
Several services such as EC2, VPC and Elastic Load Balancing make up the Compute & Networking set of services that form part of the foundation for moving to the AWS cloud. The diagram below is an example of some of the services that can be used to build out the needed infrastructure within AWS. The major services are briefly described below.
Amazon Elastic Compute Cloud (EC2) provides resizable computing capacity that can easily be launched to create virtual servers within AWS regions and availability zones to build and run your applications and software. Templates called Amazon Machine Images (AMIs), which contain software configurations (operating system, application server, applications), can be launched as instances into a single AWS availability zone or into multiple zones and regions.
For each instance you select a type that defines the CPU, memory and storage. Existing VM snapshots can be migrated into AWS as AMIs and then launched as instances. Instances can be launched, terminated or changed when needed. This launch process can drop the time to add hundreds of servers from months in a typical on-premises environment to minutes within AWS.
Amazon Virtual Private Cloud (VPC) is a way for you to create an isolated and secure private network within AWS. You can launch resources into this private network and customize its configuration by selecting your own range of IP addresses and creating your own subnets, route tables and network gateways. VPCs can be connected in many ways, including to the internet, to the corporate network via VPN, and to other VPCs. Subnets can be configured to serve both public-facing and private resources.
Security groups are virtual firewalls that can be set up to control the inbound and outbound traffic for each instance. You add rules for both inbound and outbound traffic, and any traffic not matched by those rules is not permitted.
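Because a security group is an allow-list (no matching rule means deny), its rule set can be evaluated and audited offline. The following Python is an added example, not AWS code; the inbound rules and source addresses are constructed for illustration, and the rule shape only loosely mirrors EC2 ingress rules.

```python
import ipaddress

# Constructed sample: inbound rules for a web tier. The third rule is the
# kind of mistake an audit should catch (RDP open to the whole internet).
INBOUND_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
]

# Administrative ports that should never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {22, 3389}


def rule_matches(rule, proto, port, src_ip):
    """True if one rule covers this protocol, port and source address."""
    if rule["proto"] != proto:
        return False
    if not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])


def is_allowed(rules, proto, port, src_ip):
    """Security groups are allow-lists: traffic with no matching rule is denied."""
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def world_open_admin_ports(rules):
    """Audit helper: admin ports that some rule exposes to the entire internet."""
    exposed = set()
    for r in rules:
        if ipaddress.ip_network(r["cidr"]).prefixlen != 0:
            continue  # not a /0 (world-open) rule
        for p in ADMIN_PORTS:
            if r["from_port"] <= p <= r["to_port"]:
                exposed.add(p)
    return sorted(exposed)


if __name__ == "__main__":
    print(is_allowed(INBOUND_RULES, "tcp", 443, "203.0.113.5"))  # True
    print(is_allowed(INBOUND_RULES, "tcp", 22, "203.0.113.5"))   # False (default deny)
    print(world_open_admin_ports(INBOUND_RULES))                 # [3389]
```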
Amazon Route 53 is a highly available and scalable web service for managing the Domain Name System (DNS). DNS servers map hostnames to the numeric IP addresses that connect users to applications. Many large companies that manage this on premises or through their own cloud servers do not have the high availability that this service provides at a very cost-effective rate. When DNS goes down, web applications go down with it. The recent DDoS attack was an extreme event that showed how important keeping DNS up is to running a business. Amazon Route 53, with its global footprint and the other tools that AWS provides, is much better placed to defend against such attacks.
Auto Scaling is an automated way of ensuring resources scale to demand, thereby creating a performance- and cost-optimized IaaS solution. You group EC2 instances into Auto Scaling Groups. Then, by setting up Launch Configurations and Scaling Plans, you define when, how and with what configuration to scale up and down. Minimum and maximum instance counts can be defined as shown below.
AWS Elastic Load Balancing is used to distribute incoming traffic across multiple EC2 instances, giving you fault tolerance as well as capacity balancing. The load balancer comes in two types: the Classic Load Balancer for simple load balancing across multiple EC2 instances, and the Application Load Balancer for more advanced routing capabilities.
AWS offers various storage options. The three considerations in determining which option is best are durability, availability and security. Durability has to do with redundancy of the data, in terms of storage across multiple facilities and across multiple devices within a facility. The higher the redundancy, the higher the durability. Availability is how quickly the data can be accessed; production data needs much quicker access times than archived data. All data needs encryption along with the ability to control access and permissions. The three major options from AWS are briefly described below.
- Amazon Simple Storage Service (S3) - S3 is a simple, cost-effective object storage solution. It has a simple web interface to store and retrieve objects. It has a durability of 99.999999999%, which means that if you store 10,000 objects you may lose one object every 10,000,000 years. Its primary uses are as a bulk repository of data for analytics, storage for web content, and backup and recovery solutions.
- Amazon Elastic Block Store (EBS) - EBS is storage attached to EC2 instances that provides consistent, low-latency performance for running workloads such as Big Data applications, ERP applications using relational databases such as Oracle and SQL Server, and log monitoring applications like Splunk. It is automatically replicated within its Availability Zone for fault tolerance.
- Amazon Elastic File System (EFS) - EFS is a newer service that AWS offers for simple and scalable file storage. It automatically scales up and down based on what you store, up to petabytes. It is also highly available, with throughput reaching several GB per second. Durability is similar to the other AWS options, with redundancy built in. It comes with an easy-to-use interface, but can also integrate with other applications or be used through APIs as an OS file system. It eliminates the forecasting and administration otherwise needed to handle growth.
AWS offers many different database products for a variety of use cases. These include:
- Amazon Relational Database Service (RDS) which supports six different common database engines
- Amazon Aurora - Amazon's own MySQL compatible database
- Amazon DynamoDB - Amazon's own NoSQL database
- Amazon Redshift - Amazon's own data warehouse service with petabyte-scale capabilities
- Amazon ElastiCache - an in-memory cache service
This post will focus more on RDS as it may be the most common use case for most enterprise companies considering moving to the cloud.
Amazon RDS is available for six different database engines:
- Microsoft SQL Server
- Amazon Aurora
You can also run your database on EC2 instances, but then administering the database, patching, upgrades and provisioning more infrastructure are your responsibilities. By using RDS, these database administration tasks are handled by AWS. Creating RDS instances is quick and easy, and the instances are highly scalable, durable, fast and secure. You only pay for what you consume, which is typically more cost-effective than on-premises systems that must be sized for peak usage rather than actual demand.
Due to the scale and growth of AWS, they have been able to invest in developing the security features of their offerings in ways that even very large organizations find difficult to match in their on-premises data centers. Security is a primary value proposition in all of the services they provide, but a few are highlighted below, followed by more detailed information on Identity and Access Management and Directory Service.
- Infrastructure Security - this includes firewalls in Amazon VPC and web application firewalls via AWS Web Application Firewall (WAF), encryption in transit with TLS for all services, and connectivity options for private or dedicated connections from customer offices and on-premises environments.
- DDoS Mitigation - several services such as Route 53, CloudFront and Auto Scaling can help mitigate DDoS attacks.
- Data Encryption - data encryption capabilities are available for all storage solutions. Key management can be done via AWS Key Management Service or on your own.
- Inventory and Configuration - AWS offers tools to analyze and improve your security. Amazon Inspector can be used to detect vulnerabilities in networks, operating systems and attached storage. Deployment tools can manage the creation and decommissioning of AWS resources. AWS Config can be used to track and manage changes to all resources over time. Tools such as AWS CloudFormation can be used to create and deploy standard, preconfigured environments.
- Monitoring and Logging - AWS CloudTrail can be used to track API calls and record who made each call, what was called, and from where. Amazon CloudWatch can monitor for specific events and thresholds and send alert notifications.
AWS IAM is a centrally managed service that lets you control access to all AWS resources for your users. By creating users, groups and permissions you can allow and deny access to resources. AWS does not charge for this service. Use cases include fine-grained access control to AWS resources, multi-factor authentication for highly privileged users, and managing access control for mobile and browser-based applications; IAM can also be integrated with a corporate directory such as Microsoft Active Directory. All access can be tracked via CloudTrail.
AWS Directory Service, also known as AWS Microsoft AD, can be used to connect to an existing on-premises Microsoft AD, or you can create your Microsoft AD in AWS. For hybrid environments spanning AWS and an on-premises data center, this eliminates managing directories in both places: the AD can reside either in AWS or on premises and manage both. By using the AWS version you eliminate installation, patching and updates, as AWS is responsible for the software administration.
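The two paragraphs above describe CloudTrail's who/what/from-where record and the recommendation of MFA for highly privileged users. The following Python is an added example, not AWS code, showing how a defender can triage a CloudTrail log file body for exactly those signals; the records and account id below are constructed in the shape of CloudTrail events and are not real log data.

```python
import json

# Constructed sample in the CloudTrail file format ({"Records": [...]}).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-01-10T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-01-10T09:40:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-01-10T10:05:19Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2017-01-10T10:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]})

# Privileged IAM actions that should always be attributable to a named identity.
SENSITIVE_EVENTS = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}


def who(record):
    """Best available name for the caller: IAM user, role ARN, or identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(trail_json):
    """Return (who/what/where rows, findings) for one CloudTrail log body."""
    rows, findings = [], []
    for rec in json.loads(trail_json)["Records"]:
        actor, action, src = who(rec), rec["eventName"], rec["sourceIPAddress"]
        rows.append((rec["eventTime"], actor, action, src))
        is_root = rec.get("userIdentity", {}).get("type") == "Root"
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if action == "ConsoleLogin" and mfa == "No":
            findings.append(f"console login without MFA by {actor} from {src}")
        if is_root and action != "ConsoleLogin":
            findings.append(f"root account used for {action} from {src}")
        if action in SENSITIVE_EVENTS:
            findings.append(f"sensitive IAM action {action} by {actor} from {src}")
    return rows, findings
```

In practice the same function would be run over the gzipped JSON objects CloudTrail delivers to S3, and the findings routed to a CloudWatch alarm or ticketing system.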
In the last ten years AWS has continuously increased the breadth of its products and services, so most organizations considering a move to the cloud can migrate a majority of their workloads. The basic products and services of AWS (compute, networking, storage, databases and security) were outlined in this post, though there are many other services offered, such as Analytics, Management Tools and Developer Tools, as well as a host of related third-party products and services available through the AWS Marketplace. Each of these may provide further use cases beyond the basics.
Part 3 of the Moving to the Cloud Series will review the next decision point related to the challenge of migrating to AWS. Stay tuned.