AWS Architecture Best Practices Overview (XI)

AWS Architecture Best Practices

AWS reasonable frame struts framework

• Security - protection and monitoring system
  • To protect information systems and assets
  • Risk assessment and mitigation strategies
• Reliability - recover from failures and fewer interruptions
  • Recovery from infrastructure or service failures
  • Dynamic access to computing resources to meet the needs of
  • Reduce configuration errors and network problems to reduce temporary interruption
• Performance - prudent use of resources
  • Efficient use of computing resources to meet system requirements
  • When demand changes and technological developments still maintain efficiency
• Cost optimization - eliminating unnecessary expenses
  • Reduce unnecessary costs and suboptimal resource
• Operational excellence

Reasonable architecture design principles

• Stop conjecture capacity requirements - there is a waste of traditional environments
• Because of the high cost of testing, it is usually unable to simulate real production environment to test the traditional environment - at the production level testing system
• Reduce the risk of organizational changes - the traditional environment requires waiting in line serialized test, various changes in the testing process, which may affect subsequent tests.
• By automating allow easier deployment - low cost create a script and replication system to track changes and restore
• The continuous development of support infrastructure - the traditional environment by restricting the product life cycle, early decisions may also become an obstacle, unable to respond to changing business needs
• Data-driven architecture - in a cloud environment, the relevant data can be collected by CloudWatch, to understand the architecture of load. Cloud infrastructure exists in the form of code, it is possible to use these data to improve the architecture.
• By simulating large-scale flow improvements achieved - by simulating large-scale flow, to improve the deficiencies in infrastructure, and the accumulation of experience and programs to deal with.

High availability and redundancy

• Found that single point of failure in the current architecture, the introduction of redundancy to eliminate
• Select the most appropriate backup and recovery plan the most efficient redundancy
• Using different available geographical area to achieve high availability
• ELB use Route53 and automatically switch to achieve redundancy initiative mechanism to reduce downtime

Flexible design

• The system is resilient over time or in response to business needs to respond to sudden changes with the load growth, with the user, traffic, growth in data size without compromising performance
• The resource growth should be introduced economies of scale, cost should follow the nursery rhymes to your dimension so that the system creates business value
  • Vertical scaling
    • Examples of adjustment achieved by stopping the more CPU, RAM, IO, networking and other functions
    • Vertical scaling has its upper limit, is not easily achieved
  • Zoom level
  • Stateless applications
  • All operations do not need to know the context of the past, the session will not be stored
  • It can be extended to any level of safety and are free to terminate, because it would not share session data between systems resources
  • All nodes do not need to recognize the existence of other nodes, only need to handle the workload can be allocated to him
• Autoscaling best practice
  • Stateless components
    • Most applications need to maintain some status information, such as login information.
    • Option One:
      • The application can achieve a degree of stateless locally on the client (e.g., HTTP Cookie) session ID is stored by a user, but there will be two problems:
      • Cookie on the local end customer information vulnerable to tampering, each user needs to transmit the session state resources occupancy increases latency
    • Option II:
      • Associated database server, as DynamoDB, enabling server component stores user session information of stateless
  • Stateful component
    • Many applications and architecture can not be transformed into stateless
    • Many legacy systems are designed to be set up must be calculated separately run it relies on local resources

Automated Deployment

• Public cloud biggest benefit is the ability to use the API to automate the deployment process, it is recommended to perform automated deployment from the beginning
• Automation and repeatable deployments will effectively reduce errors and facilitate effective scalability update process
• Bootstrap examples
  • Examples of using automated action Bootstrap
    • For simply designated as name, role information in the initialization process, there are other scripts automatically, providing all the necessary resources to start the automation of different options, including code, script and configuration and so on.
  • Repeat to create the same environment
  • Remain abstract cloud infrastructure
  • Reduce manual errors chance deployment
  • Create a self-discovery and self-healing environment

Select the appropriate storage

• S3
  • Web require large-scale storage capacity and performance
  • High durability data backup and disaster recovery support
• Glacier
  • Long-term data archiving and backup
• Cloudfront
  • The use of content delivery network deployment static, dynamic, and interactive content streaming edge position in the world
• DynamoDB
  • Fast and flexible NoSQL database, flexible data model and reliable performance
  • Decoupling stateful applications may be used, the user state stored in DynamoDB manipulation can be achieved without the application status of the components
• EBS
  • Lot reliable storage to run critical applications such as Oracle, SAP, Exchange, etc.
• RDS
  • Highly available SQL database
• Redshift
  • PB-class data warehouse to support business analysis
• ElasticCache
  • Redis cluster cache memory
• EFS (elastic file system)
  • Shared application among a plurality of generic file system instances EC2

At each level to establish security

• Traditional security audits and is regularly audited, but in the cloud can provide continuous monitoring and management, colleagues used the code to embed security policy infrastructure design
• Best Practices
  • Inventory data and prioritizing, to apply the appropriate level of encryption during transmission and storage
  • AWS features multi-level defense
    • Network level: VPC, subnets, security groups, routing control
    • Host level: WAF, IAM
  • The security to AWS
    • Use AWS hosting service, a security patch and managed by AWS
    • Reduce privileged access
    • Applications use temporary security token to run on EC2
  • IAM conducted using accounts and privileges management
    • Joint use of temporary tokens provide access
    • The credentials automatic distribution and rotation
    • The minimum grant permission standard safety practices
  • Use code to achieve security
    • Use CloudFormation script reliably deploy security called "Golden Environment"
    • Best security practices will be easily integrated and reused in different environments to CICD pipeline in
    • Automatic discovery can be used to test the safety and security policy baseline deviation
    • CloudFormation can be used as product introduction AWS Service Catalog consistency in governance
  • Real-time audit
    • AWS achieve continuous monitoring and control automation, minimize security risks
    • With Config Rules can know whether a component in a short time non-compliance
    • CloudWatch provides extensive logging,
    • CloudTrail realize the actual API calls
    • All logs can be prepared Lambda, EMR and other automatic process

Parallel processing thinking

• The cloud can easily achieve parallel processing
• When such storing and retrieving data, the cloud is designed to handle massive parallel operations, so in order to improve performance and throughput, the design should be used as much as possible parallel requests
• Web applications should be designed to support parallel processing ELB load balance incoming requests distribution
• Batch scene more use of slave node has more than hadoop architecture

Loosely coupled design

• The system is designed to form a plurality of independent system architecture, component more loose, the lower the interdependence, larger systems can scale
• Amazon API Gateway provides an open interface definition method is fully hosted service
• It enables developers to create, publish, maintain and monitor API and the protection of all sizes
• It can handle hundreds of thousands of concurrent involved API calls, including traffic management, authorization and access control
• Asynchronous mode loosely coupled integration is used, the use of loosely coupled integration Kinesis or SQS
• The asynchronous integrated coupling may introduce additional flexibility, message processing may be performed again failed

AWS Best Practices

• Achieve scalable architecture - to respond to changes in demand
• Automatic deployment environment - eliminating the manual to improve the stability and consistency of the system, and improve organizational efficiency
• The use of disposable resources - servers and other components considered as a temporary resource
• Loosely-coupled components - interdependent reduced, when a failure or a change in component, other components are not affected, and the ELB are primary decoupling SQS solution
• Design services rather than designing servers - hosting solutions and services architecture allows no environment to achieve greater reliability and the environment, such as Lambda, SQS, SNS, DynamoDB
• More appropriate database solution - technology and match the workload, select relational databases, NoSQL databases, data warehouses as well as for search optimized data storage
• Single point of failure - embodiment redundancy to avoid single point of failure undermine the entire system can be selected to start automatic shutdown solutions or underlying hosting service automatically replaced when a failure
• Cost optimization - ensure that resources are appropriately sized, it can be automatically reduced and expanded according to demand and take advantage of different pricing plans capital expenditure into variable expenses.
• Use caching - as much as possible to reduce redundant data retrieval operation
• In each position protection Infrastructure Security - security can be achieved between the peripheral and internal resources or resources

Event-driven architecture

Outline

• Cloud computing advantage is quick to respond to changes in demand resources, to respond to changes.
• Under the traditional model, even in the cloud computing platform, it will lead to full capacity when the server can not respond to the visit, although the manual extension only takes a few minutes, but also unacceptable

Based on an event-driven architecture

• CloudWatch monitoring solution
  • CloudWatch monitoring server using queues, by setting the threshold to trigger a variety of expansion, the threshold value may be set to a specific rule settings application custom metrics.
• AutoScaling
  • To provide a seamless experience received by CloudWatch alarms instantiate extension, the application is ready to go before the service reaches full capacity
  • Vertical expansion
    • Examples of changes in specifications, such as CPU, memory, etc.
    • Vertical expansion always has its ceiling, and there may be more of a performance problem, the length of the recovery, such as Java stack caused by too much, and may need to restart the server
  • Horizontal expansion
    • The number of instances change, add and delete instances
    • Almost no capacity constraints, only the application design process need to consider the level of support extended

• EC2 Auto Recovery
  • When EC2 problems, for instance damaged or automatic recovery feature is automatically replaced
  • Because the network connection is lost may be detected by CloudWatch, system power consumption, the host software and hardware problems caused by damage to EC2
  • Examples can be replaced to maintain the same instance ID, meta data, IP address, but the memory data will be lost
  • China is not yet supported in the area
  • You can not use EBS instance storage must be supported storage

Web Application Design

Business Value of Web applications

Web hosting cloud-based architecture practice architecture

• Route53 provide DNS service
• Cloudfront provide edge caching for high-volume content
• ELB points less than the front-end Web server traffic AutoScaling group
• Web server security group achieved outside the firewall security policy
• Back-end server security group to achieve back-end firewall security policy
• ELB traffic back-end to back-end distributed application cluster
• ElastiCache provides caching services for applications, thereby reducing the load on the database layer
• By S3 to store and provide static assets