AWS VPC Distilled - For MongoDB devOps
Krishna Sankar
@ksankar
October 27, 2012

Essential DevOps
Ref: http://speakerdeck.com/u/dampier/p/rock-solid-mongo-ops
AWS VPC Top 10
1. Any mature AWS infrastructure should use VPC (for prod & dev !)
2. VPC is not that hard, but really requires devOps skills
3. cccc
4. Designing VPC is a heist, single-handed !
5. VPC gives greater control & flexibility – use the force wisely & keep your designs simple
AWS VPC Top 10
6. VPC allows one to design multi-layered security – security groups at the application layer & network layer ACLs
7. VPC gives isolation semantics viz private subnet vs. public subnet, routing via internet gateway, NAT et al
8. Incorporate resilience, knowing that VPC can span availability zones
9. For now, inter VPC routing & VPC designs across regions are not that easy
10. Plan your Reserved Instances
   o vpc & non-vpc RIs are separate & not changeable. They will work, but capacity is not guaranteed i.e. you could get into trouble when you bounce the instances
Canonical VPC Architecture
[Diagram: the Amazon Cloud containing two VPCs. Dev VPC 10.200.0.0/16 spans Availability Zones us-west-2a and us-west-2b, with public and private /24 subnets (10.200.7.0/24, 10.200.8.0/24, 10.200.9.0/24), an IGW, a NAT instance and a <Public IP>. Prod VPC 10.100.0.0/16 spans Availability Zones us-east-1a, us-east-1b and us-east-1c, with public subnets 10.100.1.0/24 and 10.100.2.0/24, private subnets 10.100.3.0/24 and 10.100.4.0/24, an IGW, a NAT instance and a <Public IP>.]
   o Normally your instances would be created here (in the Amazon Cloud, outside a VPC)
   o With a public DNS
   o And a host name viz: ec2-46-137-23-217.eu-west-1.compute.amazonaws.com
   o Amazon does protect its cloud from attacks et al. Still not fully secure, and less control (for example cannot reconfigure security groups)
Canonical VPC Architecture
   o VPC
   o Create a separate VPC for each function – usually dev & prod
   o AWS has regions (US-Virginia, US-California, US-Oregon, EU-Ireland, AsiaPac-Singapore, AsiaPac-Tokyo & SouthAmerica-Sao Paulo)
   o Each region has 2 or more availability zones
   o A VPC can span Availability Zones, but not Regions
Canonical VPC Architecture
   o Subnets
   o Create multiple subnets in a VPC
   o Subnets cannot span availability zones (or regions) – so create (at least) one subnet per availability zone
   o There are two types of subnets: Public subnet & Private subnet
   o We will take a look into each of them in the next couple of slides
Canonical VPC Architecture
   o Public Subnets (1 of 3)
   o Public subnets are for instances that need to be accessed from the Internet – usually web servers, application servers, cache servers and ssh bastions belong in this category
   o The instances in the public subnet communicate with the external world via an Internet Gateway (igw)
Canonical VPC Architecture
   o Public Subnets (2 of 3)
   o The security groups determine which ports are open and for which hosts
   o Usually web-server-group(80,443), app-server-group & ssh-group(22) are the two major port groups
   o You can also restrict the hosts that can communicate via the security groups
Canonical VPC Architecture
   o Public Subnets (3 of 3)
   o Unlike the non-vpc instances, the instances in the public subnets do not have a public IP; nor do they have a host name that is externally resolvable
   o So you need to allocate an elastic IP & then assign it to the instance in the public subnet
Canonical VPC Architecture
   o Private Subnets
   o The instances in the private subnet cannot be accessed directly from the internet
   o By default, all the instances inside a VPC can access the private subnet
   o Usually a NAT instance would be created and then the instances in the private subnet can access out – this is mainly for upgrades & downloads
Canonical VPC Architecture
   o VPC subnetting patterns
   o Put your web/application server, cache & ssh gateways in public subnets
   o Database servers should be in the private subnet
   o Control access via security groups
   o You can add network level ACLs for one more layer of security (in case of misconfiguration at the security group layer)
Canonical VPC Architecture
[Diagram repeated: Prod VPC 10.100.0.0/16 (us-east-1a/1b/1c) and Dev VPC 10.200.0.0/16 (us-west-2a/2b), each with public and private subnets, a NAT instance and an IGW]
o  Topics for another day
   o  Scale out the web tier with multiple public subnets across availability zones
   o  Dynamic scaling with AutoScaling
   o  Load balancing with ELB across subnets & regions
   o  Disaster Recovery architectures with cross region & cross-cloud
VPC Pragmatics
1.  Amazon has (very) detailed documentation
    o  I really like the users guide http://goo.gl/loUcI (Good work guys)
    o  Print it, read it & annotate it with notes in the margin!
2.  Multi-layer security capable
    o  Security groups
    o  Network ACLs are fully open initially (the default network ACL allows all traffic in both directions, so it adds nothing until you write deny rules)
3.  No private DNS – you need to run your own DNS
    o  I use /etc/hosts – it is not scalable, but works fine. For example MongoDB replication needs to resolve the hosts in a replica set
    o  AWS feature request - Private DNS in Route53
4.  Have granular security groups for more control
    o  ssh-group that opens port 22
    o  web-server-group that opens 80 & 443
    o  app-server-group – as needed
    o  db-group that opens database ports - 3306 for mysql, 27017 for mongo et al
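The granular groups in item 4, and the "control access via security groups" pattern on the subnetting slide, fail in one predictable way: a single rule with a CIDR source where a security-group source was meant, which is exactly the kind of slip the network ACL layer is there to catch. The following Python linter is an added example, not code from the deck or its author; it reads the `SecurityGroups` list in the shape `aws ec2 describe-security-groups` returns and flags such rules. The group names and ports follow the deck's scheme, but the rules themselves are constructed, with two deliberate mistakes planted in db-group.

```python
"""Lint VPC security-group rules against the layered scheme in the deck.

Input is the `SecurityGroups` list that `aws ec2 describe-security-groups`
returns.  SAMPLE_GROUPS is a constructed stand-in (an assumption, not the
author's real rules) with two deliberate mistakes planted in db-group."""
import ipaddress

DB_PORTS = {3306, 27017}      # mysql, mongo: only reachable from app-server-group
SSH_PORT = 22
WORLD_OK_PORTS = {80, 443}    # the only ports a public-subnet group may open to 0.0.0.0/0

SAMPLE_GROUPS = [
    {"GroupName": "ssh-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupName": "web-server-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupName": "app-server-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupName": "web-server-group"}]}]},
    {"GroupName": "db-group", "IpPermissions": [
        # correct: group-to-group, so only app servers reach mongo
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupName": "app-server-group"}]},
        # planted mistake: mysql open to the whole Internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # planted mistake: all protocols and ports from anywhere in the VPC
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.100.0.0/16"}], "UserIdGroupPairs": []}]},
]


def _port_range(perm):
    """Ports a permission covers; protocol -1 (all traffic) carries no From/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def lint(groups):
    """Return (group, check, detail) for every CIDR-sourced rule that breaks the scheme.

    Group-to-group rules (UserIdGroupPairs) are the intended layering and are not
    flagged; a rule is reported once, under the most serious check it trips."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            if not cidrs:
                continue
            world = any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)
            lo, hi = _port_range(perm)
            if perm.get("IpProtocol") == "-1":
                findings.append((name, "all-traffic",
                                 f"every protocol and port open to {cidrs}"))
            elif any(lo <= p <= hi for p in DB_PORTS):
                findings.append((name, "db-port-cidr",
                                 f"ports {lo}-{hi} open to {cidrs}; source should be a security group"))
            elif world and lo <= SSH_PORT <= hi:
                findings.append((name, "ssh-world",
                                 "port 22 open to 0.0.0.0/0; restrict to an admin CIDR or the bastion group"))
            elif world and not (lo == hi and lo in WORLD_OK_PORTS):
                findings.append((name, "world", f"ports {lo}-{hi} open to 0.0.0.0/0"))
    return findings


if __name__ == "__main__":
    for group, check, detail in lint(SAMPLE_GROUPS):
        print(f"{group}: [{check}] {detail}")
```

Against real rules, load the JSON from `aws ec2 describe-security-groups --output json` and pass its `SecurityGroups` list to `lint()`; on the sample it reports only the two planted db-group rules, and the first three groups pass clean.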
  
VPC Pragmatics
5.  Have a scheme & assign IP addresses to the instances – private and public subnet
    o  The host name will be created from this IP address
    o  For example if you assign an IP 10.100.23.67 to an instance, it will have a host name ip-10-100-23-67
6.  Use a different port than 22 for ssh.
    o  A decent port scan will let the world know what your ssh port is
    o  While it doesn't guarantee any more security, it will be a quick defense against script-kiddies
MongoDB Replicasets over Amazon VPC
[Diagram: Prod VPC 10.100.0.0/16 across us-east-1a/1b/1c with one public and three private /24 subnets]
q  Goals (1 of 2)
   o  Security (Healthcare-grade)
   o  Max resilience against data loss
   o  No SPOF (Single Point Of Failure)
   o  Consistently high average throughput
   o  Reasonable resilience & failure separation (Start with availability zones & extend to region as needed)
   o  Balance cost, latency, availability & survivability
MongoDB Replicasets over Amazon VPC
[Diagram repeated: Prod VPC 10.100.0.0/16 across us-east-1a/1b/1c]
q  Goals (2 of 2)
   o  Recoverability
      o  > 1 Replicaset
   o  Operations efficiency
   o  Good backup against all possible failure scenarios
   o  Good snapshot strategy for frequent & consistent snapshots
   o  Recovery scripts/processes
   o  Operational finesse – e.g. Zero Downtime upgrades
MongoDB Replicasets over Amazon VPC
[Diagram repeated: Prod VPC 10.100.0.0/16 across us-east-1a/1b/1c]
o  Web Servers, Application servers & cache servers in the public subnet
o  MongoDB Primary in the same availability zone, but in a private subnet
   o  m2.xlarge instance with enhanced I/O; EBS
o  2 Secondary MongoDB in private subnet in two different availability zones
   o  m1.large instances; EBS
MongoDB Replicasets over Amazon VPC
[Diagram repeated: Prod VPC 10.100.0.0/16 across us-east-1a/1b/1c]
q  Backup Strategy
   o  Snapshot from Secondary
   o  Hourly backup – rotate every 24 hrs
   o  Daily backup – rotate every month
   o  Weekly backup – rotate yearly
   o  Keep a copy in a different cloud
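The three rotation periods above are a grandfather-father-son retention scheme, and the part of a snapshot script that is easy to get wrong is deciding which snapshot is the "daily" or "weekly" copy once the hourly ones around it are gone. The following Python is an added example, not a script from the deck; it derives each snapshot's tier from its timestamp alone (the earliest snapshot in an ISO week is the weekly copy, the earliest in a day the daily copy, the rest hourly) and applies the 24 hour / month / year limits. The snapshot ids and start times are constructed, and the clock is fixed at the deck's date so the run is reproducible; with boto you would feed in each snapshot's start time from a describe-snapshots call and delete the ids returned.

```python
"""Apply the deck's snapshot rotation: hourly kept 24 h, daily kept a month,
weekly kept a year.  Snapshot ids and timestamps below are constructed."""
from datetime import datetime, timedelta

KEEP_FOR = {"hourly": timedelta(hours=24),
            "daily": timedelta(days=31),
            "weekly": timedelta(days=365)}

NOW = datetime(2012, 10, 27, 12, 0)    # assumption: fixed clock for a reproducible run

SNAPSHOTS = [  # constructed; real input is the StartTime of each EBS snapshot
    {"id": "snap-w43", "start": datetime(2012, 10, 22, 8, 0)},   # Mon, first of ISO week 43 -> weekly
    {"id": "snap-d26", "start": datetime(2012, 10, 26, 8, 0)},   # first of Oct 26 -> daily, 28 h old
    {"id": "snap-h26", "start": datetime(2012, 10, 26, 9, 0)},   # hourly, 27 h old -> expired
    {"id": "snap-h27", "start": datetime(2012, 10, 27, 11, 0)},  # first of Oct 27 -> daily
    {"id": "snap-d20", "start": datetime(2012, 9, 20, 8, 0)},    # daily in week 38, 37 d old -> expired
    {"id": "snap-w38", "start": datetime(2012, 9, 17, 8, 0)},    # Mon, first of ISO week 38 -> weekly
    {"id": "snap-old", "start": datetime(2011, 10, 1, 8, 0)},    # weekly, over a year old -> expired
]


def classify(snapshots):
    """Promote each snapshot to the highest tier it qualifies for.

    The earliest snapshot in an ISO week is the weekly copy, the earliest in a day
    is the daily copy, everything else is hourly.  Deriving the tier from the
    timestamps means no tags have to be kept in sync, and deleting an hourly
    snapshot never changes which snapshot is the daily or weekly one."""
    tiers, seen_days, seen_weeks = {}, set(), set()
    for snap in sorted(snapshots, key=lambda s: s["start"]):
        day = snap["start"].date()
        week = tuple(snap["start"].isocalendar())[:2]   # (iso_year, iso_week)
        if week not in seen_weeks:
            tiers[snap["id"]] = "weekly"
        elif day not in seen_days:
            tiers[snap["id"]] = "daily"
        else:
            tiers[snap["id"]] = "hourly"
        seen_weeks.add(week)
        seen_days.add(day)
    return tiers


def expired(snapshots, now):
    """Sorted ids whose retention has run out; everything else is kept."""
    tiers = classify(snapshots)
    return sorted(s["id"] for s in snapshots
                  if now - s["start"] > KEEP_FOR[tiers[s["id"]]])


if __name__ == "__main__":
    for snap_id, tier in sorted(classify(SNAPSHOTS).items()):
        print(f"{snap_id}: {tier}")
    print("delete:", expired(SNAPSHOTS, NOW))
```

This block decides retention only. The consistency of each snapshot, which is the part the deck calls trickier, is a separate step: quiesce the secondary (db.fsyncLock() before the EBS snapshot, db.fsyncUnlock() after) so the volume image is not mid-write, and keep the off-cloud copy on the same rotation.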
  
VPC/MongoDB Pragmatics
1.  DNS for replication
    o  MongoDB replication needs to resolve the hosts in a replica set
    o  I use /etc/hosts – it is not scalable, but works fine.
    o  AWS feature request - Private DNS in Route53
2.  10Gen has (very) detailed documentation
3.  And MongoDB replication setup is easy & straightforward
    o  Thanks Guys
4.  Snapshots are important
    1.  Against program errors
    2.  Against database corruption
    3.  Against operations mistakes
    4.  Snapshot scripts could be a little trickier
    o  I will update after a few days of experience
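Item 1 here, item 3 and item 5 of the VPC Pragmatics (no private DNS in VPC when this deck was written, Route 53 private hosted zones came later; hostnames derived from the private IP) and the replica set layout slide (primary in a private subnet, two secondaries in two other availability zones) all come together when you write the replica set config: the member hosts are names, and every member must resolve every other name. The following Python is an added example, not the author's setup; it checks a member plan against the deck's subnet layout and emits the /etc/hosts lines and the rs.initiate() document. Which /24 of 10.100.0.0/16 is the public one and which availability zone each private /24 lives in cannot be recovered from the slides, so that mapping and the member addresses are assumptions.

```python
"""Plan a MongoDB replica set over the deck's prod VPC (10.100.0.0/16) and emit what a
VPC without private DNS needs: /etc/hosts lines and the rs.initiate() document.
The subnet-to-AZ mapping and the member addresses are assumptions, not the deck's."""
import ipaddress

PUBLIC_SUBNETS = [ipaddress.ip_network("10.100.1.0/24")]                  # assumption
PRIVATE_SUBNETS = {                                                        # assumption
    "us-east-1a": ipaddress.ip_network("10.100.2.0/24"),
    "us-east-1b": ipaddress.ip_network("10.100.3.0/24"),
    "us-east-1c": ipaddress.ip_network("10.100.4.0/24"),
}
MONGO_PORT = 27017

# Constructed plan: primary beside the web tier's AZ, secondaries in two other AZs.
MEMBERS = [
    {"az": "us-east-1a", "ip": "10.100.2.10", "priority": 2},
    {"az": "us-east-1b", "ip": "10.100.3.10", "priority": 1},
    {"az": "us-east-1c", "ip": "10.100.4.10", "priority": 1},
]


def hostname_for(ip):
    """VPC instances are named from their private IP: 10.100.23.67 -> ip-10-100-23-67."""
    return "ip-" + ip.replace(".", "-")


def validate(members):
    """Plan errors: a member in a public subnet, outside its AZ's private subnet,
    two members sharing an AZ, or an even member count (no majority on a partition)."""
    errors = []
    for m in members:
        addr = ipaddress.ip_address(m["ip"])
        net = PRIVATE_SUBNETS.get(m["az"])
        if any(addr in pub for pub in PUBLIC_SUBNETS):
            errors.append(f"{m['ip']} is in a public subnet; database servers belong in a private subnet")
        elif net is None or addr not in net:
            errors.append(f"{m['ip']} is not in the private subnet of {m['az']}")
    azs = [m["az"] for m in members]
    if len(set(azs)) != len(azs):
        errors.append("two members share an availability zone; one AZ failure would take both")
    if len(members) % 2 == 0:
        errors.append("even member count; add a member or an arbiter so elections have a majority")
    return errors


def hosts_entries(members):
    """/etc/hosts lines every member and every client needs, since there is no private DNS."""
    return [f"{m['ip']}\t{hostname_for(m['ip'])}" for m in members]


def replset_config(name, members):
    """Document passed to rs.initiate(); hosts are names, so they must resolve on every member."""
    return {"_id": name,
            "members": [{"_id": i,
                         "host": f"{hostname_for(m['ip'])}:{MONGO_PORT}",
                         "priority": m["priority"]}
                        for i, m in enumerate(members)]}


if __name__ == "__main__":
    problems = validate(MEMBERS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(hosts_entries(MEMBERS)))
    print(replset_config("rs0", MEMBERS))
```

The hosts lines go into /etc/hosts on all three members (and on the application servers, which connect by the same names); the printed document is what you pass to rs.initiate() on the intended primary. Keep the same resolution path, with names rather than raw IPs, in the clients' connection strings, because the driver learns the member list from the replica set config and will dial whatever host strings appear there.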
  

AWS VPC distilled for MongoDB devOps

  • 5. Canonical  VPC  Architecture 6 10.200.0.0/1 Dev VPC - bnet   Public  su 0/24   ubnet   0. ud   Private  s 0/24   10.200.7 Amazon  Clo NAT   P>   10.200.8 0. IGW   <Public  I rod VPC Availability Zone : us-west-2a P /16 bnet   10.100.0.0 bnet   AZ : us-west-2b IGW   Public  su 0/24     ubnet P rivate  su /24   0. Private  s 0/24   10.200.9 0.0 10.100.1 10.100.2 0. t-1a y Zon e : us-eas NAT   Availabilit o  Normally  your  instances  would  be   P>   ast-1b <Public  I AZ : us-e created  here   st-1c o  With  a  public  DNS     A Z : us-ea ubnet   o  And  a  host  name  viz:   Private  s 0/24   0. ubnet   10.100.4 ec2-­‐46-­‐137-­‐23-­‐217.eu-­‐ Private  s 0/24   10.100.3 0. west-­‐1.compute.amazonaws.com   o  Amazon  does  protect  it’s  cloud  from   attacks  et  al.  Still  not  fully  secure,  and   less  control  (for  example  cannot   reconfigure  security  groups)  
  • 6. Canonical  VPC  Architecture 6 10.200.0.0/1 Dev VPC - bnet   Public  su 0/24   ubnet   0. ud   Private  s 0/24   10.200.7 Amazon  Clo NAT   P>   10.200.8 0. IGW   <Public  I rod VPC Availability Zone : us-west-2a P /16 bnet   10.100.0.0 bnet   AZ : us-west-2b IGW   Public  su 0/24     ubnet P rivate  su /24   0. Private  s 0/24   10.200.9 0.0 10.100.1 10.100.2 0. t-1a y Zon e : us-eas NAT   Availabilit o  VPC   P>   ast-1b <Public  I AZ : us-e o  Create  a  separate  VPC  for  each   st-1c function  –  usually  dev  &  prod   A Z : us-ea ubnet   o  AWS  has  regions  (US-­‐Virginia,  US-­‐ Private  s 0/24   0. California,  US-­‐Oregon,  EU-­‐Ireland,   ubnet   10.100.4 Private  s 0/24   AsiaPac-­‐Singapore,  AsiaPac-­‐Tokyo  &   0. 10.100.3 SouthAmerica-­‐Sao  Paulo   o  Each  region  has  2  or  more   availability  zones   o     A  VPC  can  span  Availability  Zones,   but  not  Regions  
  • 7. Canonical  VPC  Architecture 6 10.200.0.0/1 Dev VPC - bnet   Public  su 0/24   ubnet   0. ud   Private  s 0/24   10.200.7 Amazon  Clo NAT   P>   10.200.8 0. IGW   <Public  I rod VPC Availability Zone : us-west-2a P /16 bnet   10.100.0.0 bnet   AZ : us-west-2b IGW   Public  su 0/24     ubnet P rivate  su /24   0. Private  s 0/24   10.200.9 0.0 10.100.1 10.100.2 0. t-1a y Zon e : us-eas NAT   Availabilit o  Subnets   P>   ast-1b <Public  I AZ : us-e o  Create  multiple  subnets  in  a  VPC   st-1c o  Subnets  cannot  span  availability   A Z : us-ea ubnet   zones  (or  regions)  –  so  create  (at   Private  s 0/24   0. ubnet   10.100.4 least)  one  subnet  per  availability   Private  s 0/24   10.100.3 0. zone   o  There  are  two  types  of  subnets   Public  subnet  &  Private  subnet   o  We  will  take  a  look  into  each  of  them   in  the  next  couple  of  slides  
  • 8. Canonical  VPC  Architecture 6 10.200.0.0/1 Dev VPC - bnet   Public  su 0/24   ubnet   0. ud   Private  s 0/24   10.200.7 Amazon  Clo NAT   P>   10.200.8 0. IGW   <Public  I rod VPC Availability Zone : us-west-2a P /16 bnet   10.100.0.0 bnet   AZ : us-west-2b IGW   Public  su 0/24     ubnet P rivate  su /24   0. Private  s 0/24   10.200.9 0.0 10.100.1 10.100.2 0. t-1a y Zon e : us-eas NAT   Availabilit o  Public  Subnets  (1  of  3)   P>   ast-1b <Public  I AZ : us-e o  Public  subnets  are  for  instances  that   st-1c need  to  be  accessed  from  the   A Z : us-ea ubnet   Internet  –  usually  web  servers,   Private  s 0/24   0. ubnet   10.100.4 application  servers,  cache  servers   Private  s 0/24   10.100.3 0. and  ssh  bastions  belong  in  this   category   o  The  instances  in  the  public  subnet   communicate  with  the  external   world  via  an  Internet  Gateway  (igw)    
• 9. Canonical VPC Architecture
[Diagram: the canonical VPC architecture shown on slide 6]
o Public Subnets (2 of 3)
o The security groups determine which ports are open and for which hosts
o Usually web-server-group (80, 443), app-server-group & ssh-group (22) are the two major port groups
o You can also restrict the hosts that can communicate via the security groups
• 10. Canonical VPC Architecture
[Diagram: the canonical VPC architecture shown on slide 6]
o Public Subnets (3 of 3)
o Unlike the non-vpc instances, the instances in the public subnets do not have a public IP; nor do they have a host name that is externally resolvable
o So you need to allocate an elastic IP & then assign it to the instance in the public subnet
• 11. Canonical VPC Architecture
[Diagram: the canonical VPC architecture shown on slide 6]
o Private Subnets
o The instances in the private subnet cannot be accessed directly from the internet
o By default, all the instances inside a VPC can access the private subnet
o Usually a NAT instance would be created and then the instances in the private subnet can access out – this is mainly for upgrades & downloads
• 12. Canonical VPC Architecture
[Diagram: the canonical VPC architecture shown on slide 6]
o VPC subnetting patterns
o Put your web/application server, cache & ssh gateways in public subnets
o Database servers should be in the private subnet
o Control access via security groups
o You can add network level ACLs for one more layer of security (in case of misconfiguration at the security group layer)
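An added example (not part of the deck) that checks a subnet plan against the rules from slides 7, 12 and 18: subnets inside the VPC CIDR, no overlaps, one AZ per subnet, and the MongoDB tier only in private subnets across more than one AZ. The plan, role names and the `validate_plan` helper are constructed here, modelled on the Prod VPC in the diagram.

```python
"""Validate a VPC subnet plan against the deck's rules: subnets sit inside
the VPC CIDR, do not overlap, belong to exactly one AZ, and the database
tier lives in private subnets spread over more than one AZ."""
import ipaddress

# Constructed plan modelled on the Prod VPC in the diagram (10.100.0.0/16).
PROD_PLAN = {
    "vpc": "10.100.0.0/16",
    "subnets": [
        {"cidr": "10.100.1.0/24", "az": "us-east-1a", "public": True},
        {"cidr": "10.100.2.0/24", "az": "us-east-1a", "public": False},
        {"cidr": "10.100.3.0/24", "az": "us-east-1b", "public": False},
        {"cidr": "10.100.4.0/24", "az": "us-east-1c", "public": False},
    ],
    # role -> CIDR of the subnet that role's instances are launched in
    "placement": {
        "web": "10.100.1.0/24",
        "mongo-primary": "10.100.2.0/24",
        "mongo-secondary-1": "10.100.3.0/24",
        "mongo-secondary-2": "10.100.4.0/24",
    },
}

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc"])
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan["subnets"]]
    for net in nets:                      # every subnet must be carved from the VPC
        if not net.subnet_of(vpc):
            problems.append(f"{net} is outside VPC {vpc}")
    for i, a in enumerate(nets):          # subnets must not overlap each other
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    by_cidr = {s["cidr"]: s for s in plan["subnets"]}
    db_azs = set()
    for role, cidr in plan["placement"].items():
        subnet = by_cidr.get(cidr)
        if subnet is None:
            problems.append(f"{role}: unknown subnet {cidr}")
        elif role.startswith("mongo"):    # database tier: private only, >1 AZ
            db_azs.add(subnet["az"])
            if subnet["public"]:
                problems.append(f"{role} must be in a private subnet, not {cidr}")
    if len(db_azs) < 2:
        problems.append("database tier spans fewer than two availability zones")
    return problems
```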
• 13. Canonical VPC Architecture
[Diagram: the canonical VPC architecture shown on slide 6]
o Topics for another day
o Scale out the web tier with multiple public subnets across availability zones
o Dynamic Scaling with AutoScaling
o Load balancing with ELB across subnets & regions
o Disaster Recovery Architectures with cross region & cross-cloud
• 14. VPC Pragmatics
1. Amazon has (very) detailed documentation
  o I really like the users guide http://goo.gl/loUcI (Good work guys)
  o Print it, read it & annotate it with notes in the margin!
2. Multi-layer security capable
  o Security groups
  o Network ACLs are fully open initially
3. No private DNS – you need to run your own DNS
  o I use /etc/hosts – it is not scalable, but works fine. For example MongoDB replication needs to resolve the hosts in a replica set
  o AWS Feature request - Private DNS in Route53
4. Have granular security groups for more control
  o ssh-group that opens port 22
  o web-server-group that opens 80 & 443
  o app-server-group – as needed
  o db-group that opens database ports - 3306 for mysql, 27017 for mongo et al
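An added example (not from the deck) that audits the granular security groups from slides 9 and 14: web ports may face the world, ssh may come from a CIDR but never 0.0.0.0/0, and the app and database ports may only be opened to other security groups. The rule set, the office CIDR 203.0.113.0/24 and the `audit` helper are constructed for illustration.

```python
"""Flag security-group rules that open a port more widely than its tier
should allow. A rule is (group, port, source) where source is a CIDR or
the name of another security group (a group-referenced rule)."""
import ipaddress

# Constructed rule set following the deck's group names.
RULES = [
    ("web-server-group", 80, "0.0.0.0/0"),
    ("web-server-group", 443, "0.0.0.0/0"),
    ("ssh-group", 22, "203.0.113.0/24"),          # constructed office range
    ("app-server-group", 8080, "web-server-group"),
    ("db-group", 27017, "app-server-group"),
    ("db-group", 27017, "db-group"),              # replica set members talk to each other
]

# Per-port policy: "any" = world-reachable is fine; "restricted" = any CIDR
# except 0.0.0.0/0 is fine; a set = only these group references are allowed.
PORT_POLICY = {
    80: "any", 443: "any",
    22: "restricted",
    8080: {"web-server-group"},
    27017: {"app-server-group", "db-group"},
}

def is_cidr(source):
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False

def audit(rules):
    """Return descriptions of the rules that violate PORT_POLICY."""
    findings = []
    for group, port, source in rules:
        policy = PORT_POLICY.get(port, "restricted")  # unknown ports: never to the world
        if policy == "any":
            continue
        if is_cidr(source):
            world = ipaddress.ip_network(source).prefixlen == 0
            if policy == "restricted" and not world:
                continue
            findings.append(f"{group}: port {port} open to CIDR {source}")
        elif isinstance(policy, set) and source in policy:
            continue
        elif policy == "restricted":
            continue          # a group reference is narrower than any CIDR
        else:
            findings.append(f"{group}: port {port} open to group {source}")
    return findings
```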
• 15. VPC Pragmatics
5. Have a scheme & assign IP addresses to the instances – private and public subnet
  o The host name will be created from this IP address
  o For example if you assign an IP 10.100.23.67 to an instance, it will have a host name ip-10-100-23-67
6. Use a different port than 22 for ssh.
  o A decent port scan will let the world know what your ssh port is
  o While it doesn't guarantee any more security, it will be a quick defense against script-kiddies
• 16. MongoDB Replicasets over Amazon VPC
[Diagram: Prod VPC 10.100.0.0/16 with public subnet 10.100.1.0/24 and private subnets 10.100.2.0/24, 10.100.3.0/24 and 10.100.4.0/24 across us-east-1a, us-east-1b and us-east-1c]
q Goals (1 of 2)
o Security (Healthcare-grade)
o Max resilience against data loss
o No SPOF (Single Point Of Failure)
o Consistently high average throughput
o Reasonable resilience & failure separation (Start with availability zones & extend to region as needed)
o Balance cost, latency, availability & survivability
• 17. MongoDB Replicasets over Amazon VPC
[Diagram: the Prod VPC shown on slide 16]
q Goals (2 of 2)
o Recoverability
o > 1 Replicaset
o Operations efficiency
o Good backup against all possible failure scenarios
o Good snapshot strategy for frequent & consistent snapshots
o Recovery scripts/processes
o Operational finesse – e.g. Zero Downtime upgrades
• 18. MongoDB Replicasets over Amazon VPC
[Diagram: the Prod VPC shown on slide 16]
o Web Servers, Application servers & cache servers in the public subnet
o MongoDB Primary in the same availability zone, but in a private subnet
  o m2.xlarge instance with enhanced I/O; EBS
o 2 Secondary MongoDB in private subnet in two different availability zones
  o m1.large instances; EBS
• 19. MongoDB Replicasets over Amazon VPC
[Diagram: the Prod VPC shown on slide 16]
q Backup Strategy
o Snapshot from Secondary
o Hourly backup – rotate every 24 hrs
o Daily backup – rotate every month
o Weekly backup – rotate yearly.
o Keep a copy in a different cloud
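An added example (not from the deck) of the rotation scheme on this slide as a retention decision: hourly snapshots are kept for 24 hours, the first snapshot of each day for 30 days, and the first snapshot of each ISO week for 365 days; everything else is a candidate for deletion. The snapshot catalogue, the fixed "current time" and the `retention_plan` helper are constructed here; the 30- and 365-day windows are assumed readings of "every month" and "yearly".

```python
"""Decide which MongoDB snapshots survive the deck's hourly/daily/weekly
rotation. Snapshots are identified by the time they were taken."""
from datetime import datetime, timedelta

# Retention windows and the bucket key a snapshot competes in within each window.
WINDOWS = [
    (timedelta(hours=24), lambda t: t.strftime("%Y-%m-%d %H")),  # hourly for a day
    (timedelta(days=30), lambda t: t.strftime("%Y-%m-%d")),      # daily for a month
    (timedelta(days=365), lambda t: t.strftime("%G-W%V")),       # weekly (ISO week) for a year
]

def retention_plan(snapshots, now):
    """Return (keep, delete) as sorted lists of snapshot timestamps.

    A snapshot survives if it falls inside at least one window and is the
    earliest snapshot taken in that window's bucket (hour, day or week)."""
    keep = set()
    for window, bucket in WINDOWS:
        seen = set()
        for taken in sorted(snapshots):
            if taken > now or now - taken > window:
                continue                      # future or aged out of this window
            key = bucket(taken)
            if key not in seen:
                seen.add(key)
                keep.add(taken)
    delete = sorted(set(snapshots) - keep)
    return sorted(keep), delete

# Constructed catalogue: hourly snapshots for the last two days plus three older ones,
# evaluated at a fixed, constructed "current time".
NOW = datetime(2012, 10, 27, 12, 0)
SNAPSHOTS = [NOW - timedelta(hours=h) for h in range(48)] + [
    NOW - timedelta(days=10), NOW - timedelta(days=40), NOW - timedelta(days=400)]

if __name__ == "__main__":
    keep, delete = retention_plan(SNAPSHOTS, NOW)
    print(f"keep {len(keep)}, delete {len(delete)}")
    for t in delete:
        print("delete", t.isoformat())
```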
• 20. VPC/MongoDB Pragmatics
1. DNS for replication
  o MongoDB replication needs to resolve the hosts in a replica set
  o I use /etc/hosts – it is not scalable, but works fine.
  o AWS Feature request - Private DNS in Route53
2. 10Gen has (very) detailed documentation
3. And MongoDB replication setup is easy & straightforward
  o Thanks Guys
4. Snapshots are important
  1. Against program errors
  2. Against database corruption
  3. Against operations mistakes
  4. Snapshot scripts could be a little trickier
    o I will update after a few days of experience
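An added example (not from the deck) tying together the host-name scheme from slide 15 and the /etc/hosts approach from slides 14 and 20: it derives the ip-a-b-c-d name for each replica set member, emits the /etc/hosts lines every member and app server needs, and builds the rs.initiate() document using those resolvable names. The member addresses, priorities and the helper functions are constructed; the primary is placed in 10.100.2.0/24 and the secondaries in 10.100.3.0/24 and 10.100.4.0/24 as on slide 18.

```python
"""/etc/hosts entries and replica set config for MongoDB members addressed
by VPC-internal "ip-a-b-c-d" host names."""
import json

def vpc_hostname(ip):
    """10.100.23.67 -> ip-10-100-23-67 (the scheme described on slide 15)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return "ip-" + "-".join(octets)

# Constructed replica set: primary in the private subnet of us-east-1a, one
# secondary each in the private subnets of us-east-1b and us-east-1c.
MEMBERS = [
    {"ip": "10.100.2.10", "az": "us-east-1a", "priority": 2},
    {"ip": "10.100.3.10", "az": "us-east-1b", "priority": 1},
    {"ip": "10.100.4.10", "az": "us-east-1c", "priority": 1},
]

def hosts_entries(members):
    """Lines to append to /etc/hosts on every member and on the app servers."""
    return [f"{m['ip']}\t{vpc_hostname(m['ip'])}" for m in members]

def replset_config(name, members, port=27017):
    """The document handed to rs.initiate(); hosts use the resolvable names.

    Refuses a layout that keeps every member in one AZ, since the deck wants
    failure separation across availability zones."""
    if len({m["az"] for m in members}) < 2:
        raise ValueError("replica set members must span at least two AZs")
    return {
        "_id": name,
        "members": [
            {"_id": i, "host": f"{vpc_hostname(m['ip'])}:{port}", "priority": m["priority"]}
            for i, m in enumerate(members)
        ],
    }

if __name__ == "__main__":
    print("\n".join(hosts_entries(MEMBERS)))
    print(json.dumps(replset_config("rs0", MEMBERS), indent=2))
```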