Architecture Best Practices

1) Partition by Function
2) Split Horizontally
3) Avoid Distributed Transactions
4) Decouple Functions Asynchronously
5) Move Processing To Asynchronous Flows
6) Virtualize At All Levels
7) Cache Appropriately

Abstract your architecture with a “layered approach” in mind

Split tiers

  • Your application can be a classic three-tier application, but you can extend it with AWS by splitting the tiers between on-premises and AWS infrastructure, e.g. the web/db layer in AWS and the app layer on premises. If a tier cannot be moved, it stays where it is.

Mapping the layers to the equivalents of AWS

  • Data –> Storage, Replicate, Archive
  • Applications –> Burst, Scale, 86
  • Management Services –> Management Services
  • Operating Systems –> Operating Systems (no difference at all!)
  • Hypervisors –> EC2
  • Network –> VPC, Direct Connect
  • Data Centre –> AZs, Regions

  • Data Centre Compliance/Security: certain features are included (PCI compliance, etc.). Achieving all of these compliance certifications on your own premises takes time.
  • Data Centre Layers: Availability Zones are not just DCs; they can be clusters as well. An AZ is an artifact, a different construct from a physical data centre.
  • If you are building a hybrid app, you need to determine the speed (latency) requirement for your app.
  • Distance determines expansion vs. a new data centre: the maximum distance per data centre expansion, the minimum requirements for an independent data centre, and how to measure latency for data centre interconnects.

Network Layer: 3 high level options

  • Internet
  • IPSec: AWS terminates your IPSec connection. Don’t double-encrypt. In AWS, there is redundancy in your connection.
  • Direct Connect: basically it’s Ethernet; AWS gives you 1G or 10G ports. A port requires two things: BGP and VLAN tagging. Direct Connect locations are not in AWS regions. You provision it via the AWS Console; AWS sends you back a letter confirming the provisioning, and you then work with your service providers, etc. By default design you can fail over from Direct Connect to VPN.

How to interconnect regions?

  • If you are using public VIFs over Direct Connect, AWS advertises your IP address to all other US regions. In theory, one connection can reach every region.

Hypervisor Layer

  • EC2 handles the virtualisation tasks: gold images, snapshots, accessible block disks, etc.

Bidirectional Gold Image Replication

  • There is no single way to move workloads to AWS. How do you make sure the same images are available both on your premises and in AWS? You can replicate at the OS layer. Maybe all you need to move is the application, or even just the data. Don’t get stuck on the idea of importing/exporting the whole VM.

vCenter Image Migration

  • You can log in to the AWS vCenter plugin (AWS Management Portal for vCenter) to move VMs to AWS. It also works with IAM.

  • AWS uses HVM. If you are using paravirtualization, you will have licensing issues.

Management Service Layer

  • How are you doing security, logging, service deployment, infrastructure provisioning and directory services? Deployed on two nodes.
  • Directory Service connect: you can extend your on-premises corporate Active Directory (corporate DC) into AWS. Treat AWS as a new location; the decisions are the same ones you would make when provisioning a new DC.
  • Simple AD - built on Samba 4 Active Directory compatible server
  • Simplifies IAM Federation

Delegation vs Federation

  • In delegation, you give privileges to another user. In federation, you have another identity store and federate its identities with AWS. You can build a store manually and control the AWS identity system with your data centre credentials. AWS IAM is only for managing AWS; if you want to manage AWS infrastructure using your own credentials, you need federation. Supported federation types include SAML, OpenID and web identities (Facebook, etc.). You can use a single set of credentials, map them to AWS roles and federate the connectivity, so that you can even make API calls using your Active Directory credentials. Your identity system can be integrated with AWS easily.
  • Avoids complexity and cost of hosting SAML-based federation infrastructure
  • Acts as a proxy - no data is stored on AWS infra
  • Supports existing RADIUS based MFA
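The SAML mapping described above (one set of corporate credentials mapped to AWS roles, then API calls made with those credentials) as an added example, not code from the talk: parse the role/provider pairs the IdP placed in the assertion, refuse any role the IdP did not grant, and build the arguments for STS `AssumeRoleWithSAML`. The assertion, account id and ARNs are constructed placeholders; a real assertion is signed by the IdP.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS expects an IdP to emit for SAML role federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample assertion with a placeholder account id (a real one is signed by the IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.corp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_roles(assertion_xml):
    """Return (session_name, [(role_arn, provider_arn), ...]) carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    session_name, roles = None, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in values:
                role_arn, provider_arn = (part.strip() for part in value.split(",", 1))
                roles.append((role_arn, provider_arn))
    return session_name, roles


def choose_role(roles, wanted_role):
    """Only a role/provider pair listed in the assertion may be requested; anything else is refused."""
    for role_arn, provider_arn in roles:
        if role_arn == wanted_role:
            return role_arn, provider_arn
    raise PermissionError("role %s is not granted by the identity provider" % wanted_role)


def assume_role_request(assertion_xml, wanted_role):
    """Build the keyword arguments for boto3's sts.assume_role_with_saml; nothing is sent from here."""
    session_name, roles = parse_roles(assertion_xml)
    role_arn, provider_arn = choose_role(roles, wanted_role)
    # STS takes the session name from the assertion itself, so it is not passed as a parameter.
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(), "DurationSeconds": 3600}
```

The returned dictionary is what you would pass to `boto3.client("sts").assume_role_with_saml(**request)` to obtain temporary credentials for the chosen role.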

Resource tracking and cost allocation

  • Tagging and granular billing: how do you do these in your DC? With AWS Config, for example, you can track and audit every change to your AWS infrastructure and describe every AWS object through an API call. Resources in AWS can carry custom tags that can be used to control permissions and allocate costs, enabling charge-back of service usage.
  • Dynamically generate a full inventory
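How a tag can both allocate cost and gate permissions, as an added example that is not from the talk: a constructed IAM policy lets a team start/stop only instances whose CostCenter tag matches the tag on the calling principal, and a small evaluator applies IAM's decision rule (explicit Deny beats Allow, default Deny). The evaluator models only StringEquals and policy-variable expansion; the account id, tag values and ARNs are constructed.

```python
import fnmatch
import re

# Constructed policy: a team may start/stop only instances whose CostCenter tag matches the
# CostCenter tag on the caller's principal, and nobody may strip tags (an explicit Deny always wins).
TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}}},
        {"Effect": "Deny", "Action": "ec2:DeleteTags", "Resource": "*"},
    ],
}

# Constructed request contexts: the same caller touching its own team's instance and another team's.
CTX_OWN = {"aws:PrincipalTag/CostCenter": "payments", "aws:ResourceTag/CostCenter": "payments"}
CTX_OTHER = {"aws:PrincipalTag/CostCenter": "payments", "aws:ResourceTag/CostCenter": "hr"}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    # Expand policy variables such as ${aws:PrincipalTag/CostCenter} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    # Only StringEquals is modelled here; a key missing from the context makes the condition fail.
    for key, expected in cond.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in [_resolve(v, ctx) for v in _as_list(expected)]:
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """IAM's decision rule: an explicit Deny beats any Allow, and with no matching Allow the default is Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```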

Operations and Security Integration

  • AWS CloudTrail and CloudWatch: you have to integrate operations on AWS into a unified operations layer; whatever I do with AWS, I need to push to on premises as well. AWS OpsWorks is an automated deployment management solution that lets you build stacks: all of your configuration comes as a stack, and you manage the desired state all the time. Deploy your stacks/workloads. What do I do on my premises? AWS OpsWorks works for your servers anywhere, even on your premises: the agent is installed in the DC and you can run what OpsWorks provides without building all the Chef recipes yourself. Use case: expand your workloads into the cloud with OpsWorks, or move test/dev to AWS, etc.
  • Security monitoring integration points with CloudTrail and SIEM Aggregator
  • Logging with CloudTrail and SNMP MIBs to SIEM aggregator
  • Platform and app health to SIEM Aggregator via agent on EC2 guest
  • Cloudwatch logs provide scalable low cost log aggregation
  • AWS CodeDeploy: you can deploy your code to any internet-connected computer. It is an agent-based solution. Your app is bundled and can stay on GitHub or S3, etc. It supports rolling updates, so you don’t have to go down. It pulls the tail of the logs on deployment failures to centralize error information.
  • Configurable rolling update speed
  • Reuse configuration management cookbooks or other existing setup tools
  • Backup gateways integrated with AWS S3: take advantage of current investments and solutions for options like de-duplication, compression, WAN acceleration, data expansion, virtual volumes presented to the local network, and a local disk cache to provide fast on-premises access.
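The CloudTrail-to-SIEM integration point from the list above, as an added example that is not from the talk: flatten CloudTrail records into the key/value events a SIEM aggregator indexes, and rate each by principal type, so that in an account where people are meant to arrive through federation (assumed roles) a long-lived IAM user or root login stands out. The records, account id, IPs and names are constructed sample data, not real logs.

```python
import json

# Constructed CloudTrail records (not real log data): a federated call, an IAM-user call and a root login.
SAMPLE_RECORDS = [
    {"eventTime": "2015-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/jdoe@example.corp",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ReadOnly"}}}},
    {"eventTime": "2015-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/legacy-admin",
                      "userName": "legacy-admin"}},
    {"eventTime": "2015-03-01T10:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]


def to_siem_event(record):
    """Flatten one CloudTrail record into the flat key/value shape a SIEM aggregator indexes."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return {
        "ts": record["eventTime"],
        "action": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "src_ip": record.get("sourceIPAddress"),
        "principal_type": ident.get("type"),
        "principal": ident.get("arn"),
        "role": issuer.get("userName"),  # set only for federated / assumed-role sessions
    }


def severity(event):
    """In an account where humans come in via federation, any other principal type deserves attention."""
    if event["principal_type"] == "Root":
        return "high"
    if event["principal_type"] == "IAMUser":
        return "medium"
    return "info"


def enrich(records):
    """Return SIEM events with a severity field attached."""
    events = []
    for record in records:
        event = to_siem_event(record)
        event["severity"] = severity(event)
        events.append(event)
    return events


def to_jsonl(events):
    """One JSON object per line, the usual shape for shipping to a log aggregator."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```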