AWS - ELB

Posted on 2019-08-13 |

Reference

https://youtu.be/VIgAT7vjol8

Elastic Load Balancing: Deep Dive and Best Practices - 2018

Layer 4 and Layer 7 Load balancing difference,
- Layer 4 support TCP; Layer 7 only support http and https(will terminate the TLS)
- Layer 7 Connection will be terminated and pooled
- Layer 7 Headers can be modified
- X-Forwarded-For http header will be modified
Product mapping
- Application LB is layer 7 LB; Network LB is layer 4 LB

ALB

ALB support Path and host based routing (single ELB dispatch all traffic) ; deep integration with EKS – Micro Service Archi
ALB can do Redirects ; Fix response ; Slow start (configurable like 10 min) ; ALB IPV4 and V6 support;
ALB update certs
- IAM to control who have access to update
- Use ACM (AWS Certificate Manager) to directly push and rotate certs with ALB
Integrate with AWS WAF
Server Name Indication (SNI) : load balancing multiple applications that have muti certs
Authentication at ALB layer (OIDC, Cognito, SAML)
Muti-AZ (by default) and no extra bandwidth charge ;
Absorbs impact of DNS caching (?)
Health check ; recommend to use http code to check; work with auto scaling

NLB

Million Level request / second
Static IP for each AZ
- Firewall example: 2 layers of NLB ; fewer static ip simplified the firewall config
- Route 53 will route to multiple static ip addresses in different AZ.
Support Proxy Protocol V2
Cloudwatch metrics for NLB : it has flow log

Netflix Demo – Identity Platform

Workforce Identity-as-a-Service
Federate All The Things
Developer Self-Service
- SSO; SAML , OAuth2

AWS - DevOps 2019

Posted on 2019-08-06 |

Reference

Empowering DevOps for Secure by Design (see it live)

https://youtu.be/8UG9E5moCdo

Workloads are provisioned in min, so security also needs to be addressed in min.
- Automated security provision
- Secure-by-Design
IBM CloudDeployment Services: multi-cloud support

Reference

Enterprise DevOps: Patterns of Efficiency

https://youtu.be/qyhuMDozWXk

DevOps vs ITIL ; DevOps vs CICD ; Enterprise DevOps vs DevOps for Startups

DevOps share core value with ITIL
Enterprise DevOps
- Insource value creation
- DevOps legacy apps
- Culture of inclusion

DevOps_EnterpriseDevOps

AWS - Digital Transformation

Posted on 2019-08-05 |

Reference

https://youtu.be/4Gr7hv24jK4

Culture, Skills, Organization, Finance

Culture
- If you want to build a ship , don’t drum up the people to gather the wood, divide the work, and give orders. Instead , teach them to yearn for the vast and endless sea
- Use good judgement instead of process (security , flexibility, HA)
- Ahead in the cloud “BEST PRACTICES for navigating the future of enterprise IT”
- a Seat at the Table
Skill
- Training and compensation
- Recommend book : POWERFUL
Organization
- Move from projects to product teams
  - CD; DevOps, “run what you wrote”; Reduce tech-debt and lock-in
  - The Phoenix Project ; The DevOps Handbook
Capex vs Opex
- CTO and CFO who decide the IT structure?
- With cloud, it’s hard to go Capex (pay as you go)

Pathway to digital transformation

Time to value: try to do simple things quickly
- elite companies are 2555* times faster than slow companies
Distributed optimized capacity
- Scale, HA, cost-optimized; cloud native
Critical workloads data center replacement : Strategic
- Who runs the “file drill” for IT ?
  - Chaos Engineering (Book)

AWS - VPC

Posted on 2019-08-05 |

Reference

https://youtu.be/ar6sLmJ45xs

North-South :
West-East :

Challenge with current VPC architecture

lots of VPC and lots of connections and lots of peering
- VPC peering : can’t transit
- Transit VPC (VPC with 10.1.0.0/16 and 10.2.0.0/16 go through transit VPC of 10.0.0.0/16)
- Transit Gateway (2018)

Transit Gateway (2018) – tgw

Centralize VPN and AWS Direct Connect
5k VPC across accounts
Flexible
- Control segmentation and sharing with routing
Compared with transit VPC
- AWS build in service
AWS HyperPlane
- Backbone of NLB, NAT Gateway, EFS and now Transit Gateway
- Region wide scope

Demo

vpc_flat

Flat : Every VPC should talk to each other.

AWS - CloudFormation 2019

Posted on 2019-08-01 |

what’s New

more resources including Alexa and custom resource

Managing enterprise complexity

Seamless handling secrets
StackSet – overide

Improved handling of secrets

Use SSM to handle dynamic parameter

1	MasterUsername: ''{{resolve: secretsmanager:MyRDSSecrets:SecretString:username}}

AWS Cloudformation Macros
- Iteration
- Transformation
CloudFormation Linter
- Scripted --> Declarative --> DSLs --> Imperative

AWS - CloudFormation 2019

Posted on 2019-08-01 |

https://d1.awsstatic.com/whitepapers/Big_Data_Analytics_Options_on_AWS.pdf

Amazon Kinesis

Amazon Kinesis Data Streams enables you to build custom applications that process or analyze streaming data.
- Capture and store terabytes of data per hour from hundreds of thousands of sources
- Store a cursor in DynamoDB
Amazon Kinesis Video Streams enables you to build custom applications that process or analyze streaming video.
Amazon Kinesis Data Firehose enables you to deliver real-time streaming data to AWS destinations such as Amazon S3, Amazon Redshift, Amazon Kinesis Analytics, and Amazon Elasticsearch Service.
Amazon Kinesis Data Analytics enables you to process and analyze streaming data with standard SQL.

Lambda

Default limit for concurrency is 1000

Anti-pattern

Long running
Dynamic Websites
Stateful Applications

EMR

Anti-pattern

Small data set, Amazon EMR is built for massive parallel processing;
ACID transaction requirements

AWS - CLoudwatch 2019

Posted on 2019-07-29 |

Some numbers about cloudwatch

as of Oct 2018, 100 petabytes of logs per month
Cloudwatch Egress
- S3; lambda; elastisearch; kinesis firehose

CLoudwatch Logs Insight

Similar feature like ElastiCache. (handson with investigating the traffic security issue)

Reference

https://youtu.be/g1wxfYVjCPY

AWS - Amazon Lambda

Posted on 2019-07-25 |

A Serverless Journey: AWS Lambda Under the Hood

Lambda Load Balancing

lambda_components

Front End Invoke: authentication the caller, load configs & env ; confirm concurrency with Counting Service
Counting Service: Region wide view of concurrency to help set limits (quorum protocol, 2/3 agreement protocol ); <1.5 milliseconds response time
Worker Manager : assume role, track the container lifecyle (running, idle) and maintain the worker pool
Worker : provision sandbox and download customer code and run;
* warm sandbox means the sandbox finished previous run
* sandbox is equivalent of docker image
Placement Service: provision worker
Example,
- Fannie Mae scale to between 20 and 50,000 concurrent executions over minutes.

Lambda Handling Failures

Multi-AZ

Security Isolation

lambda_layers

EC2 as worker level
EC2 Bare Metal as worker level (no hardware share with other account)
- Firecraker mode
Virtual Devices have very limited access to improve security

Managing Utilization

AWS - IoT

Posted on 2019-07-23 |

Reference

https://youtu.be/LbeWdLaXYDo

Home automation ; Home security ; Home networking

FreeRTOS / Greegrass --> IoT Core, management, Analytics / Database, ML --> IoT applications

DEMO from Vestel

VESTEL
Dedicated IoT group
Highlight of current archi
- Use IoT Core
- Use API Gateway to support service for both Alexa and GoogleHome
- Use lambda to run logic against IoT Core and try serveless

Simplify large number of IoT devices

WPA3 Specification, new device provision protocol
By using the mobile to scan the barcode to get the public key of the device ; then the router automatically allow the device to connect to internet.

Home Security & Monitoring

Amazon FreeRTOS,
AWS Greengrass, allows local RTOS communicate each other
SageMaker: training the model --> export model to S3
IoT Core, create a rule, subscribe sound from rule and assign to lambda to call the trained model to detect the sound.
Push the model to greengrass (local) , then device can push the data to local greengrass to run the same the lambda function.
Greengrass discovery – a green grass device can discover and connect with the greengrass device

AWS - Polly

Posted on 2019-07-23 |

https://aws.amazon.com/blogs/machine-learning/build-your-own-text-to-speech-applications-with-amazon-polly/#

Lambda changed to 3.7
- 2 lines of code need to be updated.

1	print ("Text to Speech function. Post ID in DynamoDB: " + postId)

1
2
3

#In Python 3 it makes a difference whether you open the file in binary or text mode. Just add the b flag to make it binary:
with open(output, "ab") as file:
    file.write(stream.read())