Wednesday, March 20, 2019

Architecting on AWS class notes - Day 2

Quick review of day 1

Security Groups
  • Rules are stateful
    • Once a rule is created, the return direction is allowed automatically
  • Another Security Group can be used as the source when creating a security group rule ( Chaining Diagram )( very handy )

Network ACLs
  • Are stateless
    • Both inbound and outbound rules must be written, otherwise traffic may not get through
    • There are both allow and deny rules, so pay attention to the order
    • The lower the rule number, the higher the priority
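The stateful versus stateless difference in the two lists above is easiest to see on one HTTPS connection. The following is an added example, not code from the course; it is a small simulation with constructed rule sets that checks the request to port 443 and the reply to the client's ephemeral port under both models, and also shows that a lower-numbered NACL deny beats a higher-numbered allow.

```python
# Added example (not from the course notes): a small simulation of how a
# stateful Security Group and a stateless Network ACL treat the same HTTPS
# connection. The rule tuples below are constructed for illustration.

EPHEMERAL_PORTS = (1024, 65535)   # return traffic of an inbound request lands here


def nacl_decision(rules, port, protocol="tcp"):
    """Network ACL: rules are evaluated in ascending rule-number order and the
    first matching rule decides. Anything unmatched hits the implicit '*' deny.
    rules: list of (rule_number, protocol, (low_port, high_port), "allow"|"deny")."""
    for _number, proto, (low, high), effect in sorted(rules):
        if proto in (protocol, "all") and low <= port <= high:
            return effect == "allow"
    return False


def nacl_https_round_trip(inbound_rules, outbound_rules, client_port=50000):
    """Stateless: the request to 443 AND the reply to the client's ephemeral
    port must each be allowed by their own rule set."""
    return (nacl_decision(inbound_rules, 443)
            and nacl_decision(outbound_rules, client_port))


def sg_https_round_trip(inbound_rules):
    """Stateful: Security Groups only have allow rules, any match allows, and
    the reply of an allowed connection is tracked, so only the inbound rule
    for 443 matters. rules: list of (protocol, (low_port, high_port))."""
    return any(proto in ("tcp", "all") and low <= 443 <= high
               for proto, (low, high) in inbound_rules)


# Constructed rule sets
NACL_IN_ONLY = [(100, "tcp", (443, 443), "allow")]
NACL_OUT_EPHEMERAL = [(100, "tcp", EPHEMERAL_PORTS, "allow")]
# A deny with a lower number wins over a higher-numbered allow for the same port
NACL_DENY_FIRST = [(50, "tcp", (1, 65535), "deny"), (100, "tcp", (443, 443), "allow")]
NACL_ALLOW_FIRST = [(50, "tcp", (443, 443), "allow"), (100, "tcp", (1, 65535), "deny")]
SG_HTTPS = [("tcp", (443, 443))]

if __name__ == "__main__":
    print("NACL, inbound 443 only:        ", nacl_https_round_trip(NACL_IN_ONLY, []))                  # False
    print("NACL, plus outbound ephemeral: ", nacl_https_round_trip(NACL_IN_ONLY, NACL_OUT_EPHEMERAL))  # True
    print("NACL, deny numbered lower:     ", nacl_https_round_trip(NACL_DENY_FIRST, NACL_OUT_EPHEMERAL))  # False
    print("SG, inbound 443 only:          ", sg_https_round_trip(SG_HTTPS))                           # True
```

The first NACL case is the classic mistake: an inbound allow on 443 with no outbound rule for the ephemeral range, so the server's reply is dropped. The Security Group needs only the inbound rule because the return leg of a tracked connection is allowed implicitly.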

Lab 3 will be done after Module 6 is covered

Module 6

Virtual Private Gateway ( VGW )
  • Provides two endpoints ( high availability )

AWS Direct Connect ( DX )
  • Dedicated line, available at 1G or 10G

Extending On-Premises Network to AWS using DX
  • Connect to the VGW over DX

Connecting VPCs
  • Use cases
    • Cross-region use
    • Across different accounts
  • VPC Peering
    • Point-to-point relationship
    • Transitive peering relationships are not supported
      • VPC-A peered with VPC-B and VPC-B peered with VPC-C does not mean VPC-A can reach VPC-C
    • Use private IP addresses
    • Intra and inter-region support
    • IP spaces cannot overlap
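The two VPC Peering constraints above, no overlapping address space and no transitive reachability, are modelled in the following added example (not code from the course). VPC names, CIDRs and the `pcx-*` ids it prints are constructed placeholders, and it uses only the standard library `ipaddress` module.

```python
# Added example (not from the course notes): a tiny model of VPC peering that
# enforces two rules from the notes, non-overlapping CIDRs and no transitive
# reachability. VPC names, CIDRs and the pcx-* ids are constructed placeholders.
import ipaddress


class PeeringError(ValueError):
    """Raised when a peering connection would violate a constraint."""


class VpcMesh:
    def __init__(self):
        self.cidrs = {}    # vpc name -> ip_network
        self.peers = {}    # vpc name -> {peer name: peering-connection id}

    def add_vpc(self, name, cidr):
        self.cidrs[name] = ipaddress.ip_network(cidr)
        self.peers[name] = {}

    def peer(self, a, b):
        """Create a point-to-point peering between two VPCs."""
        if self.cidrs[a].overlaps(self.cidrs[b]):
            raise PeeringError(f"{a} ({self.cidrs[a]}) overlaps {b} ({self.cidrs[b]})")
        pcx = f"pcx-{a}-{b}".lower()          # placeholder id, not a real AWS id
        self.peers[a][b] = pcx
        self.peers[b][a] = pcx

    def route_table(self, name):
        """Routes a VPC gets for its peers: one entry per *direct* peer only."""
        return {str(self.cidrs[p]): pcx for p, pcx in self.peers[name].items()}

    def can_reach(self, src, dst):
        """Reachability over peering is exactly direct adjacency: A-B and B-C
        do not make A reach C, because peering is not transitive."""
        return dst in self.peers[src]


def build_demo_mesh():
    """Constructed topology: A-B and B-C peered, D deliberately overlaps A."""
    mesh = VpcMesh()
    mesh.add_vpc("VPC-A", "10.0.0.0/16")
    mesh.add_vpc("VPC-B", "10.1.0.0/16")
    mesh.add_vpc("VPC-C", "10.2.0.0/16")
    mesh.add_vpc("VPC-D", "10.0.128.0/17")   # overlaps VPC-A on purpose
    mesh.peer("VPC-A", "VPC-B")
    mesh.peer("VPC-B", "VPC-C")
    return mesh


if __name__ == "__main__":
    mesh = build_demo_mesh()
    print("A -> B:", mesh.can_reach("VPC-A", "VPC-B"))   # True
    print("A -> C:", mesh.can_reach("VPC-A", "VPC-C"))   # False, not transitive
    print("routes in B:", mesh.route_table("VPC-B"))
    try:
        mesh.peer("VPC-A", "VPC-D")
    except PeeringError as err:
        print("rejected:", err)
```

The route table of VPC-B has entries for both A and C, yet A cannot reach C: that is exactly the "A-B, B-C does not give A-C" point in the notes, and the reason a hub-and-spoke design with many VPCs pushes you toward Transit Gateway.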

Connecting VPCs - Transit Gateway

VPC Endpoints
  • Privately connect your EC2 instances to services outside your VPC without leaving AWS.
  • Must be in the same region
  • Connects directly to the service within the same Region, no trip out to the internet
  • Types of endpoints
    • Interface endpoint
    • Gateway endpoint
      • Amazon S3
      • Amazon DynamoDB


==== Class Break ====

ELB
  • Region-level service
  • ALB( Application Load Balancer )
  • NLB( Network Load Balancer )
  • CLB

Amazon Route 53
  • HA and scalable cloud DNS service

Lab 3 Creating a Virtual Private Cloud

Module 7 IAM

Identity and Access Management
  • Authentication
    • Security Credentials
      • User / Password ( Web )
      • AccessKey ID & Secret AccessKey ( CLI, SDK )
  • Authorization ( Policy )

The AWS Account Root User
  • Full access to all AWS services and resources.
  • Has extreme power and cannot be limited ( its permissions cannot be reduced )

A Safer Way to Administer
  • Create IAM admin user
  • Lock away the root user credentials
  • Use IAM admin user


Lunch break

==== Class Break ====

IAM Principals
  • IAM user
    • IAM users are not separate AWS accounts
    • No default permissions
  • Federated user
  • IAM role
  • Identity provider( IdP )

Granting Permission
  • Policy
    • A formal declaration of one or more permissions
    • Evaluated at the time of request
    • IAM policies ONLY control access to AWS services
    • IAM has no visibility above the hypervisor
    • Resource-Based policy
      • Attached to an AWS resource
      • Attached to
        • AWS resources
      • Control
        • Actions allowed for a specific principal
        • What conditions are required
        • Are always inline policies
        • NO AWS-managed resource-based policies
    • Identity-Based policy
      • Attached to an IAM principal
      • Attached to
        • User
        • Group
        • Role
      • Control
        • Actions performed
        • Which resources
        • What conditions are required

Applying Permissions
  • Elements that may appear
    • Principal
    • Action
    • Resource / NotResource
    • Effect
      • Allow or Deny

Policy evaluation order
  • Explicit Deny
  • Explicit Allow
  • Implicit Deny ( anything not covered by the two above )

The textbook example uses NotResource + Deny to define an Explicit Deny
  • This is the stricter approach
  • Because when more policies are stacked on later, the stated Explicit Deny overrides any Explicit Allow in the other policies
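The evaluation order and the NotResource + Deny pattern from the two lists above are easy to get wrong by reading alone, so here is an added example, not code from the course, that simulates them. It is a minimal evaluator over constructed policies and ARNs; it handles Effect, Action, Resource and NotResource with IAM-style `*` wildcards and leaves Principal and Condition out.

```python
# Added example (not from the course notes): a minimal simulator of the IAM
# evaluation order described above. It handles Effect, Action, Resource and
# NotResource with IAM-style '*' wildcards; Principal and Condition are left
# out. The policies and ARNs below are constructed for illustration.
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """IAM accepts a string or a list; '*' and '?' are the wildcards
    (fnmatchcase also treats '[' specially, which the ARNs here do not use)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """Does this statement cover the request? NotResource inverts the match."""
    if not _matches(stmt.get("Action", []), action):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    if "NotResource" in stmt:
        return not _matches(stmt["NotResource"], resource)
    return False


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'ExplicitAllow' or 'ImplicitDeny'. All policies are
    evaluated together: one matching Deny wins over any number of Allows, and
    a request that nothing allows ends as an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "ExplicitAllow" if allowed else "ImplicitDeny"


# Constructed policies. S3_ADMIN is a broad identity-based Allow; S3_ONLY_BUCKET
# is the NotResource + Deny pattern from the notes: deny every S3 action on
# anything that is not the one permitted bucket.
S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
S3_ONLY_BUCKET = {"Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "NotResource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}]}

if __name__ == "__main__":
    both = [S3_ADMIN, S3_ONLY_BUCKET]
    print(evaluate(both, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))  # ExplicitAllow
    print(evaluate(both, "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"))    # ExplicitDeny
    print(evaluate([S3_ONLY_BUCKET], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))  # ImplicitDeny
    print(evaluate(both, "ec2:StartInstances", "*"))  # ImplicitDeny
```

The second and third calls are the interesting ones: stacking S3_ADMIN on top of S3_ONLY_BUCKET still denies access to the other bucket, because the explicit deny is checked before any allow counts, while S3_ONLY_BUCKET alone grants nothing at all since a Deny statement never produces an allow.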

IAM Roles
  • Purpose
    • A way to grant permissions temporarily, without attaching them to a User or Group
    • Cross-account scenarios ( e.g. a user from another account accessing resources in your own account )
  • Define a set of permissions to access the resources that a user or service needs.
  • The permissions are not attached to an IAM user or group
  • The permissions are attached to a role and the role is assumed by the user or the service. ( assumed - switching over to that role )

Policy names
  • Attached to IAM, it is called an IAM Policy
  • Attached to a resource, it is called an S3 Bucket Policy or SNS Policy ( named after the service )
  • Names of the policies on a Role
    • Trust Policy
    • Access Policy

IAM Roles Use cases
  • Provide AWS resources with access to AWS services
  • Provide access to externally authenticated users
  • Provide access to third parties
  • Switch roles to access resources in
    • Your AWS account
    • Any other AWS account ( cross-account access )

Assume a Role
  • AWS Management Console
  • AWS CLI
  • AssumeRole API call
  • AWS Security Token Service ( AWS STS )( temporary credentials )

Amazon Cognito

Break until 14:30
==== Class Break ====

Module 8

High Availability Factors
  • Fault tolerance
    • The built-in redundancy of an application’s components
  • Recoverability
  • Scalability

Two types of Elasticity
  • Time-Based
  • Volume-Based

Monitoring Infrastructure with Amazon CloudWatch
  • Metrics
  • Logs
  • Alarms
  • Events
  • Rules
  • Targets

Using Auto Scaling to Provide Elasticity

Lab 4: Create HA environment

Break until 16:15
==== Class Break ====

Module 9

AWS CloudFormation

AWS Systems Manager
  • Automated configuration and ongoing management of systems at scale

AWS OpsWorks for Infrastructure and Deployment Automation
  • Managed Chef or managed Puppet


AWS Elastic Beanstalk

Lab 5: Automating Infrastructure Deployment
