Showing posts with label Amazon Web Services. Show all posts

Monday, November 24, 2014

Amazon Web Services Part 3: EC2 Container Service


At the AWS Re:Invent conference, Amazon announced a new feature, "EC2 Container Service" (ECS).

Wait, if my compute instance is Linux based, I can install Docker on that instance myself; what does this new feature do for me?  In fact, users can already create and manage Docker containers in AWS Elastic Beanstalk.

If we look into this, we find that this new feature is also described as "Container Management for the AWS Cloud".  Deploying a container on the cloud is easy, but this is exactly why we need a management system to keep things under control and to provide additional benefits for customers deploying container-based applications.  As container technology becomes more and more mature with the help of Docker, we need to have management tools in place.  In my opinion, as with virtual machines, later on we will need complete monitoring and orchestration tools to provide autoscaling functionality.  And as the trend goes, policy will be defined for containers just like what OpenStack Congress does.

On November 13, 2014, I blogged about Docker in OpenStack, where Heat is used to manage containers.  Both Google and Microsoft use the open source Kubernetes to manage containers in their respective cloud offerings.

ECS Benefits
During the product announcement in the AWS Re:Invent conference keynote, a slide showed the benefits of this new EC2 Container Service:
image source: http://blog.docker.com/media/ec2.png
If you cannot see the image, the 4 benefits are:

  • Native Docker support for AWS customers
  • Significantly easier to manage Docker apps
  • Integrated with Docker Hub
  • Enable app portability
ECS Terminologies
On the Amazon blog, Jeff Barr (@jeffbarr) has an article with a list of terminologies to help us understand EC2 Container Service:

  • Cluster - A cluster is a pool of EC2 instances in a particular AWS Region, all managed by EC2 Container Service. One cluster can contain multiple instance types and sizes, and can reside within one or more Availability Zones.
  • Scheduler - A scheduler is associated with each cluster. The scheduler is responsible for making good use of the resources in the cluster by assigning containers to instances in a way that respects any placement constraints and simultaneously drives as much parallelism as possible, while also aiming for high availability.
  • Container - A container is a packaged (or "Dockerized," as the cool kids like to say) application component. Each EC2 instance in a cluster can serve as a host to one or more containers.
  • Task Definition - A JSON file that defines a Task as a set of containers. Fields in the file define the image for each container, convey memory and CPU requirements, and also specify the port mappings that are needed for the containers in the task to communicate with each other.
  • Task - A task is an instantiation of a Task Definition consisting of one or more containers, defined by the work that they do and their relationship to each other.
  • ECS-Enabled AMI - An Amazon Machine Image (AMI) that runs the ECS Agent and dockerd. We plan to ECS-enable the Amazon Linux AMI and are working with our partners to similarly enable their AMIs.
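The Task Definition and Scheduler entries above describe a JSON file carrying each container's image, CPU and memory requirements and port mappings, and a scheduler that places the whole task on an instance with enough room. The following added example (written for this post, not code from AWS or the ECS agent) parses a constructed task definition in that shape, sums what the task needs, and flags a placement problem the scheduler can never resolve: two containers of one task claiming the same host port. The field names (`containerDefinitions`, `cpu`, `memory`, `portMappings`, `hostPort`) are the ECS ones; the values are made up.

```python
import json

# Constructed sample task definition (not from the post or AWS docs): two
# containers, each with an image, CPU units, memory in MiB and port mappings.
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "web-with-cache",
    "containerDefinitions": [
        {"name": "web", "image": "example/web:1.0", "cpu": 256, "memory": 512,
         "portMappings": [{"containerPort": 80, "hostPort": 8080}]},
        {"name": "cache", "image": "example/cache:1.0", "cpu": 128, "memory": 256,
         "portMappings": [{"containerPort": 6379, "hostPort": 6379}]},
    ],
})


def task_requirements(task_definition_json):
    """Total (cpu_units, memory_mib) the task needs on a single instance."""
    containers = json.loads(task_definition_json)["containerDefinitions"]
    return (sum(c.get("cpu", 0) for c in containers),
            sum(c.get("memory", 0) for c in containers))


def host_port_conflicts(task_definition_json):
    """Host ports claimed by more than one container of the same task.

    All containers of a task run on the same EC2 instance, so two containers
    mapping the same hostPort can never both be started, on any instance."""
    containers = json.loads(task_definition_json)["containerDefinitions"]
    owner, conflicts = {}, set()
    for c in containers:
        for pm in c.get("portMappings", []):
            hp = pm.get("hostPort")
            if hp is None:
                continue  # dynamic host port, no conflict possible
            if hp in owner and owner[hp] != c["name"]:
                conflicts.add(hp)
            owner.setdefault(hp, c["name"])
    return sorted(conflicts)


def fits_on_instance(task_definition_json, free_cpu, free_memory):
    """Scheduler-style check: can this task be placed on an instance with
    the given free CPU units and free memory (MiB)?"""
    cpu, mem = task_requirements(task_definition_json)
    return (cpu <= free_cpu and mem <= free_memory
            and not host_port_conflicts(task_definition_json))
```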
ECS Function

From the Amazon Web Services official web site, EC2 Container Service is a highly scalable, high performance container management service that supports Docker containers and allows users to:

  • Easily run distributed applications on a managed cluster of Amazon EC2 instances.
  • Launch and stop container-enabled applications with simple API calls, query the state of your cluster from a centralized service, and get access to many familiar Amazon EC2 features like security groups, EBS volumes and IAM roles.
  • Schedule the placement of containers across your cluster based on your resource needs, isolation policies, and availability requirements.
  • Eliminate the need to operate your own cluster management and configuration management systems or worry about scaling your management infrastructure.
The smallest unit for EC2 Container Service to manage is a cluster.  From the terminology section above, a cluster is defined as a pool of Amazon EC2 instances in an AWS Region.  When we look at the product detail of ECS, it is described as a tool for "complete visibility and control of your cluster from creating and terminating Docker containers to viewing detailed cluster state information".

Future Direction

In my opinion, in a cloud the ability to meter and monitor is an important aspect, especially for a public cloud where resources are charged for.  Amazon has not announced anything on this yet at AWS Re:Invent. As of this writing this feature is still in preview status - FREE.  As container technology in Amazon Web Services becomes more mature, it is very possible that it will become a paid service.  After all, the purpose of AWS is to make money.

Another area with potential for container technology to grow is PaaS.  Red Hat is using container technology for its PaaS offering, and I think AWS will be catching up in this area as well.

Network Function Virtualization with containers is a hot topic these days, but it seems AWS is not doing much in the networking area.


Related Post:
Amazon Web Services Part 1: Do you know all of these icons?
Amazon Web Services Part 2: Security Offerings

Reference:
"Amazon EC2 Container Service (ECS) - Container Management for the AWS Cloud." Amazon EC2 Container Service (ECS) - Container Management for the AWS Cloud. N.p., n.d. Web. 17 Nov. 2014.
"AWS | Amazon EC2 Container Service." Amazon Web Services, Inc. N.p., n.d. Web. 17 Nov. 2014.

Sunday, November 23, 2014

Amazon Web Services Part 2: Security Offerings

In the early days of cloud computing, the major stumbling block for moving to the public cloud was - SECURITY.
image source: http://core0.staticworld.net/images/article/2012/09/hackers_security_password-100004008-orig.jpg

Amazon Web Services (AWS) has made a special effort in marketing to show that AWS is "safe". Even the U.S. government is starting to migrate some of its IT operations to Amazon.  Amazon has a special “region” for the U.S. government – AWS GovCloud, which has its own specific regulatory and compliance requirements for sensitive data.

Let us take a look at what security AWS has to offer, and you can decide if it is good enough for you to use.

Shared Security Model
Depending on the features used, Amazon does not have full control over the applications running on its infrastructure.  Amazon presents a "Shared" security model: for whatever is under the control and/or management of Amazon, it will provide world-class security and compliance.  For the portion that is under the control of the customer, such as applying security patches and updates to the Microsoft Windows operating system, it is the responsibility of the customer to keep that portion safe, while Amazon provides as much assistance and as many resources as it can for the customer to accomplish such tasks.

image source: http://evident.io/images/blog-9-25-image-4.png

Amazon also provides the ability for the customer to prove regulatory compliance such as HIPAA, ISO 27001, etc.  For AWS Compliance we can go to this website for more information.  Penetration testing can be performed by the customer (with written approval) to validate whether their resources in the AWS infrastructure are secure.

AWS Security
Security provided by AWS can be looked at in 4 areas:
  1. AWS Infrastructure Security
  2. AWS Access Security
  3. AWS Account Security
  4. AWS Service-specific Security

Let's take a quick look at these 4 areas.

AWS Infrastructure Security
As described in my last post, AWS infrastructure is divided into Regions, Availability Zones and Edge Locations.

Regions are defined geographically and can be thought of as physical data centers.  According to Amazon's web site on security, these data centers are highly secured physically, with security guards on duty 24x7, state-of-the-art electronic surveillance and multi-factor access control systems.  AWS has a strong incident-response team to address any kind of failure within the AWS infrastructure.

As the name suggests, Availability Zones are defined such that they are physically separated within a typical metropolitan area.   This helps to provide data availability in case of the loss of a data center.  Data availability is one of the three main security aspects.

Network is part of the AWS infrastructure. Security Groups (virtual firewalls that control the traffic for one or more instances) are deployed for EC2.  There are also dedicated fiber links between regions and, if necessary, customers can pay for a dedicated link from the customer's location into AWS's local region.  Access into AWS, whether via the web or the API, uses security certificates and/or SSL.

AWS Access Security
AWS separates its production network from its corporate network, which minimizes the risk of a rogue AWS employee gaining access to customer data.  AWS employees who need to gain access to any component in the AWS infrastructure must obtain written approval and go through the AWS Access Management System. AWS employees are required to have criminal background checks.

AWS Account Security
To follow security best practice, AWS provides customers with the ability to create user accounts with different roles, such that each account is granted the least amount of privilege, via the AWS Identity and Access Management system (AWS IAM).

Also, AWS provides features such as:
  • Key Management and rotation
  • Temporary Security credentials
  • Multi-factor Authentication (MFA)

for additional access security.  These are all industry security best practices.  Security certificates are used heavily in AWS, and rotating access keys and certificates is just like changing the password for a user.  Most enterprises with Microsoft Active Directory mandate that users change their password at a configured interval.  Also, multi-factor authentication such as the use of an access token minimizes the risk of a user password being compromised, because an attacker would also have to possess the access token to gain access to AWS.
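The two practices this section ties together, key rotation and MFA, are things a customer can check on their own accounts rather than take on trust. The added example below (written for this post, not AWS code) audits a constructed sample in the shape of the IAM credential report CSV, which the real account can produce with `aws iam generate-credential-report` and then `aws iam get-credential-report`; only the report columns used here are included, and the users, dates and the 90-day rotation threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (the real report has more columns and a <root_account> row; values here are made up).
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,true,true,2014-10-01T10:00:00+00:00,false,N/A
bob,true,false,true,2014-03-15T08:30:00+00:00,false,N/A
deploy-bot,false,false,true,2014-11-01T12:00:00+00:00,true,2014-05-01T12:00:00+00:00
"""

# Fixed "now" so the sample audit is reproducible (assumption: the post's date).
NOW = datetime(2014, 11, 23, tzinfo=timezone.utc)


def _older_than(timestamp, now, max_age):
    """True if an ISO-8601 report timestamp is more than max_age in the past.
    The report uses N/A / not_supported where no key exists; those never count."""
    if timestamp in ("N/A", "not_supported", "no_information", ""):
        return False
    return now - datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S%z") > max_age


def audit_credentials(report_csv, now, max_key_age_days=90):
    """Return sorted (user, finding) pairs for the two checks the post describes:
    a console password without MFA, and an active access key not rotated
    within max_key_age_days."""
    findings = []
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            active = row["access_key_%s_active" % n] == "true"
            rotated = row["access_key_%s_last_rotated" % n]
            if active and _older_than(rotated, now, max_age):
                findings.append((user, "access key %s older than %d days" % (n, max_key_age_days)))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_credentials(SAMPLE_REPORT, NOW):
        print("%-12s %s" % (user, finding))
```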

AWS Service-specific Security
Each AWS service has security built in.  Since AWS has a long list of services, we cannot go into specific detail as to how each service provides security for the user.  For a more detailed description of service-specific security, go to http://aws.amazon.com/security to get the latest version of "AWS: Overview of Security Processes".

Related Post:
Amazon Web Services Part 1: Do you know all of these icons?

Saturday, November 22, 2014

Amazon Web Services Part 1: Do you know all of these icons?

I came across this diagram the other day and it looks like a pretty painting in a museum.  This shows the Amazon Web Services icons.

image source: http://www.conceptdraw.com/How-To-Guide/picture/Design%20Elements%20-%20AWS%20-%20Amazon%20Web%20Services%20architecture%20solution-2.png

Well, maybe it is a little bit exaggerated. A painting in a museum should look like this:


What got my attention in this diagram is the color.  The colors of the icons are nicely aligned like an array of soldiers.

This diagram not only gives an overview of the Amazon Web Services offerings, it also groups the offerings by category.  At the AWS re:Invent conference keynote, AWS Sr. Vice President Andy Jassy said that by the end of 2014 AWS will have more than 500 features to offer its users. New features announced at re:Invent include Aurora, CodeDeploy, CodeCommit and CodePipeline.

Amazon Web Services has the following category of services:
  • Compute
  • Storage
  • Database
  • Networking
  • Content Delivery
  • Application Services
  • Deployment and Management
  • Monitoring
Amazon is well known as an online bookstore.  In 2002, it introduced Amazon Web Services.  At that time cloud computing was a buzzword that everyone was talking about.  With VMware bringing server virtualization to maturity, the cloud became a realistic and useful product, because virtualization technology is able to meet the demands of the cloud.  The idea of the cloud is very good.  In my last post I mentioned the 5 characteristics of a cloud as defined by NIST (National Institute of Standards and Technology):
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service
In the beginning, security was the main concern for hosting in the cloud.  Recently, people seem to be willing to embrace the idea of the cloud, and Amazon has marketed itself as a “safe” cloud.  Even the U.S. government is starting to migrate some of its IT operations to Amazon.  Amazon has a special “region” for the U.S. government – AWS GovCloud, which has its own specific regulatory and compliance requirements for sensitive data.

AWS Architecture
Besides knowing what features/services are offered by AWS, we need to know how these services fit into the big picture.  This diagram shows the AWS architecture.

image source: http://vmtoday.com/wp-content/uploads/sites/11/2013/08/amazon-web-services-global-infrastructure-resized-600.png

As I have mentioned before, I am a software developer for networking equipment and I eat, sleep and walk with the 7 layers of the OSI model that describes the networking stack.  I always like to see diagrams showing different layers of features, functions or services.  Remember that in one of my posts in the OpenStack Series I looked at OpenStack from a different perspective.  Now when I look at Amazon Web Services, I find myself taking a similar approach.

This diagram logically divides the AWS services into:
  • Deployment and Management
  • Application Services
  • Foundation Services

Similar to the OpenStack approach, the Foundation Services consist of Compute, Storage and Networking as well as Database.

AWS Global Infrastructure
One thing that we have not looked at is the bottom layer - AWS Global Infrastructure.  To understand Amazon Web Services, besides knowing its offerings and how they fit together, it is also important to know how AWS puts together the physical hardware, because this affects both the performance and the security of the applications deployed in the AWS public cloud.

When we look at the AWS Global Infrastructure we have to know:
Regions
  • Geographically separated Data Center
  • In June 2014 there were 10 AWS Regions worldwide
  • In November 2014 there are 11 AWS Regions worldwide

Availability Zone
  • Independent failover zone
  • Physically separated within a metropolitan area to provide High Availability
image source: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/aws_regions.png

Edge Location
  • Located in major cities
  • Used by CloudFront for faster content delivery
  • AWS's DNS system, Route 53, resides in Edge Locations
image source: http://image.slidesharecdn.com/2014enterprisesummitsecuritybestpractices-141017212923-conversion-gate01/95/aws-security-best-practices-and-design-patterns-6-638.jpg?cb=1413599732

Resources on Amazon Web Services
If you want more resources about Amazon Web Services, go to the Amazon online store and search for "Amazon Web Services"; there are lots of eBooks on this subject and they are FREE.

Related Post:
Amazon Web Services Part 2: Security Offerings