© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Notices
All information, guidance and materials (collectively, "Information") provided to you in connection with the Program are for
informational purposes only. You are solely responsible for making your own independent assessment of the Information and your
use of AWS's products or services. Neither this document nor any other Information provided to you creates any warranties (express or
implied), representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. Neither
this document nor any other information provided to you are part of, nor do they modify, any agreements between you and AWS. All
information in this document will be shared with only the Customer and the AWS Team.
Best Practices Using the Well Architected Framework
Herman Mak, Solutions Architect
Kwunhok Chan, Solutions Architect
Clifford Duke, Solutions Architect
10 April 2019
Agenda
• Introduction
• Well Architected Pillar: Security
• Well Architected Pillar: Performance Efficiency
• Well Architected Pillar: Reliability
• Break
• Well Architected Pillar: Cost Optimization
• Well Architected Pillar: Operational Excellence
• Breakout Discussions
Workshop Format
After the presentation of all pillars, we will work in groups to fill in the worksheet, then discuss any questions.
For a one-on-one review with a Solutions Architect, book your time before you leave.
… and please rate the workshop!
What to Expect from the Session
Learn about
• The AWS Well-Architected Framework (5 pillars)
• General design principles
• Best practices
• Value proposition
Understand the business impact of your design decisions
Introduction
Am I doing it right?
“Are you Well-Architected?”
• Show you how to build strategies & best practices for
architecting your applications in the cloud
• Give you questions that allow you to measure your
architecture against best practices
• Help identify how to address any shortcomings
AWS Reference Architectures
https://aws.amazon.com/architecture
https://aws.amazon.com/whitepapers
AWS Trusted Advisor
AWS Well-Architected Framework
Purpose of the AWS Well-Architected Framework
• Increases awareness of architectural best practices
• Addresses foundational areas that are often neglected
• Consistent approach to evaluating architectures
• Composed of
• Pillars
• Design principles
• Questions – starting point to get you thinking
Pillars of Well-Architected Framework
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
• Operational Excellence
Design Principles of Well-Architected Framework
• Stop guessing capacity needs
• Test systems at scale
• Data-driven architectures
• Automate to enable experimentation
• Allow for evolution
AWS Well-Architected Tool
AWS Well-Architected Tool
Pillar Area
Question Text
Question Context
Your Answers
Worksheet
• Work through the questions
• Use the questions as a prompt
• CURRENT STATE – what is being done now?
• FUTURE STATE – what do you think they should be doing?
• Not an absolute right or wrong – use case specific
• It’s a guide
Well Architected Framework
Security
Herman Mak, Solutions Architect
2019/04/10
The security pillar focuses on protecting
information & systems. Key topics include
confidentiality and integrity of data, identifying
and managing who can do what with privilege
management, protecting systems, and establishing
controls to detect security events.
Resources:
• Website: https://aws.amazon.com/architecture/well-architected/
• Whitepaper
Design Principles:
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Prepare for security events
Definitions:
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Identity and Access Management
• Protecting AWS credentials
• How do you protect your root account?
• How do you assign your IAM users and groups?
• What about API/CLI access?
• Did you create appropriate policies?
• Fine-grained authorization
• Least-privilege practice
• IAM roles for resources
Identity and Access Management
• Protecting AWS credentials
• MFA for the root account
• MFA for critical API calls
• IAM
• IAM instance profiles for EC2 instances
• AWS STS
• Fine-grained authorization
• IAM, IAM roles
• AWS Organizations
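As an added illustration of the "appropriate policies" and "least privilege" points on this slide (example code written for this page, not an AWS tool and not code from the workshop), the following Python lints an IAM policy document for the most common least-privilege mistakes: an Action of "*", a service-wide "service:*" wildcard, a Resource of "*", and sensitive actions (IAM, Organizations, KMS, AssumeRole) allowed without an aws:MultiFactorAuthPresent condition. The three policies, the account id and the bucket name are constructed samples, and the list of sensitive prefixes is an assumption you would tune for your own account.

```python
import json

# Constructed sample policies; the account id and bucket name are made up.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-app-bucket/*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:DeleteUser",
         "Resource": "arn:aws:iam::123456789012:user/*",
         # Sensitive action, but only callable from an MFA-authenticated session.
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Assumed list of action prefixes that should never be granted without MFA.
SENSITIVE_PREFIXES = ("iam:", "organizations:", "kms:", "sts:AssumeRole")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding) pairs for least-privilege problems in Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" for a in actions):
            findings.append((i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide action wildcard"))
        if any(r == "*" for r in resources):
            findings.append((i, "Resource '*' applies to every resource"))
        sensitive = [a for a in actions if a == "*" or a.startswith(SENSITIVE_PREFIXES)]
        condition = json.dumps(stmt.get("Condition", {}))
        if sensitive and "aws:MultiFactorAuthPresent" not in condition:
            findings.append((i, "sensitive action without an MFA condition"))
    return findings
```

Deny statements and NotAction are deliberately skipped: the check only asks what each Allow statement grants. Running it over the policies attached to roles and instance profiles before they are deployed catches the wildcard grants that the root-account and MFA controls on the next slides are meant to limit.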
Definitions:
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Detective Controls
• Capture and Analyze Logs:
• Track all activity and resource changes in your cloud environment
• Keep logs centralized and ready for analysis
• Analyze logs from compute, storage, and applications
• Integrate Auditing Controls with Notification and Workflow:
• Discover potential events of interest
• Triggered by changes in infrastructure
• Better to have a strong build process before production
Detective Controls
• Capture and Analyze Logs:
• Capture: CloudTrail, AWS Config
• Store: CloudWatch Logs, S3, Glacier
• Analyze: Elasticsearch Service, EMR, Athena
• Integrate Auditing Controls with Notification and Workflow:
• CloudWatch, CloudWatch Events
• AWS Config Rules
• CloudWatch API & AWS SDKs
• Inspector
Definitions:
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Infrastructure Protection
• Protecting network and host-level boundaries:
• How do you provide isolation and boundaries for resources?
• How do you design your network topology?
• How do you protect your network access?
• What will you do if you have a hybrid cloud?
• System (OS) security configuration and maintenance
• How do you manage your system security configuration?
• How do you make sure your system is secure?
• Did you apply a least-privilege approach in your system?
• Enforcing service-level protection
• Who can access service endpoints? And how?
• Who can access the resources of this service? And how?
• Did you prevent all possible data leaks?
Infrastructure Protection
• Protecting network and host-level boundaries:
• VPC
• Security Groups
• Network ACLs
• Direct Connect
• System security configuration and maintenance
• VPC Security Groups
• Amazon Inspector
• Systems Manager (Run Command, State Manager, Inventory, Parameter Store, Patch Manager)
• Enforcing service-level protection
• IAM
• AWS KMS allows you to set a policy on each individual key
• Amazon S3 allows you to set a bucket policy for each S3 bucket
Definitions:
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Data Protection
• Data Classification
• Categorize organizational data based on levels of sensitivity
• Manage an appropriate data classification system with different requirement levels
• Public data? Internal data? HIPAA PHI?
• Encryption/tokenization
• Protect your content against unauthorized users and unnecessary exposure
• Protecting data at rest
• Protecting data in transit
• Data backup/replication/recovery
• Against the deletion or destruction of data
• Ensure continued business operations
Data Protection
• Data Classification
• Resource tags
• Detect abnormal access → Amazon Macie
• AWS KMS
• Encryption/tokenization
• AWS KMS
• AWS CloudHSM
• Amazon DynamoDB
• Protecting data at rest
• AWS KMS
• Amazon S3, EBS, and Glacier all support KMS
Data Protection
• Protecting data in transit
• AWS Certificate Manager (ACM)
• ELB Classic Load Balancers / Application Load Balancers
• Amazon CloudFront
• AWS Shield
• AWS WAF?
• Data backup/replication/recovery
• Amazon S3
• Amazon S3 Cross-Region Replication
• Amazon S3 Lifecycle policies and versioning
Definitions:
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Incident Response
• Clean Room
• Maintain situational awareness of the incident
• Describe your resources with tags (who should respond?)
• How do the right people get access during an incident?
• How do you build a clean, identical environment to investigate an incident or reproduce a defect?
Incident Response
• Clean Room
• IAM should be used to grant appropriate authorization to incident response teams
• AWS CloudFormation
• EC2 APIs
• AWS Step Functions
Q: How are you protecting access to and use of the AWS root account credentials?
• No MFA on Root
• Root Actively Used
• MFA and Minimal Use of Root
• No Use of Root
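Added example, not from the workshop, that ties the "Capture: CloudTrail" detective control from the earlier slide to this root-account question: given CloudTrail records, count root-account activity and console logins that did not use MFA, then map the result onto the four answer levels above. The records are constructed in the CloudTrail record format (userIdentity.type, additionalEventData.MFAUsed and responseElements.ConsoleLogin are real field names; the account id, ARNs, user names and times are made up), and the MAX_ROOT_EVENTS threshold that separates "minimal" from "active" root use is an assumption.

```python
import gzip
import json

# Constructed records in the CloudTrail record format (the field names are real;
# the account id, ARNs, user names and timestamps are made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2019-04-10T01:02:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-04-10T01:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2019-04-10T02:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-04-10T02:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}},
]

# Assumed threshold: more root events than this in the analysed window counts as
# "actively used" rather than "minimal use" (tune it to your own review period).
MAX_ROOT_EVENTS = 5


def load_records(path):
    """Read one CloudTrail log file from S3: gzipped JSON with a top-level 'Records' list."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def is_root(record):
    return record.get("userIdentity", {}).get("type") == "Root"


def console_login_without_mfa(record):
    """True for a ConsoleLogin record where MFA was not used."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def logins_without_mfa(records):
    """Principal names of every successful console login that did not use MFA."""
    names = []
    for r in records:
        if (console_login_without_mfa(r)
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            ident = r.get("userIdentity", {})
            names.append(ident.get("userName") or ident.get("type"))
    return names


def root_usage_report(records):
    """Summarise root-account activity and map it onto the question's answer levels."""
    root_events = [r for r in records if is_root(r)]
    unprotected = [r for r in root_events if console_login_without_mfa(r)]
    api_calls = [r["eventName"] for r in root_events if r.get("eventName") != "ConsoleLogin"]
    if not root_events:
        rating = "No Use of Root"
    elif unprotected:
        rating = "No MFA on Root"
    elif len(root_events) > MAX_ROOT_EVENTS:
        rating = "Root Actively Used"
    else:
        rating = "MFA and Minimal Use of Root"
    return {"root_events": len(root_events),
            "root_logins_without_mfa": len(unprotected),
            "root_api_calls": api_calls,
            "rating": rating}
```

On the constructed records the report rates the account "No MFA on Root" because of the first login, and also lists the CreateBucket call made as root, which is the kind of activity the "minimal use" answer expects to be done through IAM roles instead. The same functions work on real log files via load_records once the trail is delivered to S3.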
Q: How are you classifying your data?
• No Data Classification Schema
• Data Not Classified
• Using Data Classification Schema
• All Data Treated as Sensitive
Well Architected Framework
Performance Efficiency
Herman Mak, Solutions Architect
2019/04/10
The performance efficiency pillar focuses on using
IT and computing resources efficiently. Key topics
include selecting the right resource types and sizes
based on workload requirements, monitoring
performance, and making informed decisions to
maintain efficiency as business needs evolve.
Resources:
• Website: https://aws.amazon.com/architecture/well-architected/
• Whitepaper
Design Principles:
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Mechanical sympathy
Definitions:
• Selection
• Review
• Monitoring
• Trade-offs
Selection
• Compute
• Instances
• Containers
• Functions
• Elasticity
• Storage
• Database
• OLTP
• NoSQL
• OLAP
• Data Indexing and searching
• Network
Selection
• Compute
• EC2 → GPU? FPGA? Burstable? HPC?
• ECS, EKS, Fargate
• Lambda + API Gateway
• Storage
• EBS, EFS, EC2 instance store, Glacier
• Database
• RDS
• DynamoDB, DAX
• Redshift, S3, Athena
• Elasticsearch Service
• Network
• Route 53, VPC, CloudFront, Direct Connect
Definitions:
• Selection
• Review
• Monitoring
• Trade-offs
Review
• Infrastructure as code
• Deployment pipeline
• Well-defined metrics
• Automated performance testing
• Load generation
• Performance visibility
• Visualization
→ CodeDeploy, CloudFormation, CloudWatch
• Benchmarking
• Load testing
Definitions:
• Selection
• Review
• Monitoring
• Trade-offs
Monitoring
• Active
• You set up and collect it in every environment
• Passive
• Collected from outside your system
• Understand the performance users experience
• Geographic performance variability
• The impact of API use
• Phases
Generation → Aggregation → Real-time processing and alarming → Storage → Analytics
→ CloudWatch, S3, EMR
Definitions:
• Selection
• Review
• Monitoring
• Trade-offs
Trade-offs
• Caching
• Application Level
• Database Level
• Geographic Level
• Partitioning or Sharding
• Compression
• Buffering
Q: How did you select your storage solution?
• Considered Characteristics
• Options not Explored
• Considered Configuration Options
• Have not Considered Configuration Options to Improve Performance
• Considered Access Patterns
• Have not Considered Access Patterns to Improve Performance
Well Architected Framework
Reliability
Herman Mak, Solutions Architect
2019/04/10
The reliability pillar focuses on the ability to
prevent, and quickly recover from failures to meet
business and customer demand. Key topics include
foundational elements around setup, cross project
requirements, recovery planning, and how we
handle change.
Resources:
• Website: https://aws.amazon.com/architecture/well-architected/
• Whitepaper
Background: How to calculate availability? How many 9s?
• With a hard dependency?
• With redundant components?
• Cost?
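The "how many 9s" arithmetic, as an added worked example (not from the workshop): a hard dependency multiplies availabilities, so every extra required component lowers the total, while independent redundant components multiply their unavailabilities, so the total rises. The component availabilities used are constructed values.

```python
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def from_nines(nines):
    """'Three nines' is 99.9%: availability = 1 - 10**(-nines)."""
    return 1 - 10 ** (-nines)


def downtime_minutes_per_year(availability):
    return (1 - availability) * MINUTES_PER_YEAR


def with_hard_dependencies(availabilities):
    """Every component must be up at once, so the availabilities multiply
    and each extra hard dependency lowers the total."""
    return prod(availabilities)


def with_redundant_components(availabilities):
    """Independent redundant components are down only when all are down,
    so the unavailabilities multiply: 1 - product(1 - a_i)."""
    return 1 - prod(1 - a for a in availabilities)


def worked_example():
    """Constructed figures: a 99.9% service, then the same service with two
    more hard dependencies, then two independent 99.9% copies in parallel."""
    single = from_nines(3)
    chain = with_hard_dependencies([single] * 3)
    pair = with_redundant_components([single] * 2)
    return {
        "single": round(single, 6),
        "single_downtime_min": round(downtime_minutes_per_year(single), 1),
        "three_hard_deps": round(chain, 6),
        "three_hard_deps_downtime_min": round(downtime_minutes_per_year(chain), 1),
        "two_redundant": round(pair, 6),
        "two_redundant_downtime_min": round(downtime_minutes_per_year(pair), 2),
    }
```

Three 99.9% components chained as hard dependencies give about 99.7% (roughly 26 hours of downtime a year instead of under 9), while two independent 99.9% copies give 99.9999% (about half a minute a year). The "Cost?" bullet is the other side of the same arithmetic: each added redundant copy buys a smaller improvement than the last while costing the same.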
Definitions:
• Foundation - Networking
• Understand Availability Needs
• Application Design for Availability
• Operational Consideration for Availability
Foundation - Networking
• Allow IP address space for more than one VPC per Region.
• Consider cross-account connections. For example, each line of business might have a unique account and VPCs. These accounts should be able to connect back to shared services.
• Within a VPC, allow space for multiple subnets that span multiple AZs.
• Always leave unused CIDR block space within a VPC.
• How are you going to be resilient to failures in your topology?
• What happens if you misconfigure something and remove connectivity?
• Will you be able to handle an unexpected increase in traffic/use of your services?
• Will you be able to absorb an attempted DoS attack?
Foundation - Networking
• Key Services for Network Topology
• Amazon VPC
• AWS Direct Connect
• Amazon EC2
• Amazon Route 53
• Elastic Load Balancing
• AWS Shield
Definitions:
• Foundation - Networking
• Understand Availability Needs
• Application Design for Availability
• Operational Consideration for Availability
Application Design for Availability
• Fault Isolation Zones
• Multiple independent components in parallel
• Multi-AZ
• Redundant components
• Microservice architecture
• Recovery-Oriented Computing
• Distributed systems best practices
• Throttling
• Retry with exponential backoff
• Fail fast
• Use of idempotency tokens → assume an action must occur exactly once
• Constant work
• Circuit breaker
• Bi-modal behavior and static stability
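An added example (written for this page, not code from the workshop or from AWS) of three of the distributed-systems practices listed above working together: retry with full-jitter exponential backoff, an idempotency token so that a retried request cannot be applied twice, and a circuit breaker that fails fast once a dependency is unhealthy. FlakyPaymentService is a constructed stand-in for a throttling dependency; the sleep and clock functions are injected so the behaviour can be checked without waiting.

```python
import random
import time
import uuid

class TransientError(Exception): """A retryable failure such as throttling or a timeout."""
class CircuitOpen(Exception): """Raised to fail fast while the breaker is open."""

class FlakyPaymentService:
    """Constructed stand-in for a downstream dependency: it throttles the first
    `fail_times` calls and deduplicates charges on an idempotency token."""
    def __init__(self, fail_times):
        self.fail_times = fail_times
        self.calls = 0
        self.ledger = {}  # token -> charge record

    def charge(self, token, amount):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise TransientError("throttled")
        # A repeated token returns the original record instead of charging again,
        # so a client that retries after a lost response cannot double-charge.
        if token not in self.ledger:
            self.ledger[token] = {"amount": amount, "charged_on_call": self.calls}
        return self.ledger[token]

def backoff_delay(attempt, base=0.1, cap=5.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)].
    The jitter keeps retrying clients from hitting the dependency in lockstep."""
    return rng() * min(cap, base * (2 ** attempt))

def retry(operation, max_attempts=5, sleeper=time.sleep, rng=random.random):
    """Call `operation` until it succeeds or `max_attempts` is exhausted."""
    for attempt in range(max_attempts):
        try:
            return operation()
        except TransientError:
            if attempt == max_attempts - 1:
                raise
            sleeper(backoff_delay(attempt, rng=rng))

class CircuitBreaker:
    """Opens after `failure_threshold` consecutive transient failures, rejects calls
    until `reset_after` seconds pass, then lets one probe through (half-open)."""
    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.state = "closed"
        self.opened_at = None

    def call(self, operation):
        if self.state == "open":
            if self.clock() - self.opened_at < self.reset_after:
                raise CircuitOpen("dependency unhealthy; failing fast")
            self.state = "half-open"
        try:
            result = operation()
        except TransientError:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.state = "open"
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.state = "closed"
        return result

def retry_demo(fail_times=2, seed=7):
    """Two throttled attempts, then success; resubmitting the same token is a no-op."""
    service = FlakyPaymentService(fail_times)
    token = str(uuid.uuid4())
    slept = []                       # records each backoff delay instead of sleeping
    rng = random.Random(seed).random
    first = retry(lambda: service.charge(token, 42), sleeper=slept.append, rng=rng)
    again = retry(lambda: service.charge(token, 42), sleeper=slept.append, rng=rng)
    return {"calls": service.calls, "retries": len(slept),
            "charges": len(service.ledger), "same_record": first is again}

def breaker_demo():
    """Drive the breaker with a fake clock; returns the sequence an observer sees."""
    now = [0.0]
    breaker = CircuitBreaker(failure_threshold=2, reset_after=10.0, clock=lambda: now[0])
    seen = []
    def boom():
        raise TransientError("timeout")
    for _ in range(2):
        try:
            breaker.call(boom)
        except TransientError:
            seen.append(breaker.state)
    try:
        breaker.call(lambda: "ok")
    except CircuitOpen:
        seen.append("rejected")
    now[0] = 11.0                    # past the reset window: one probe goes through
    seen.append(breaker.call(lambda: "ok"))
    seen.append(breaker.state)
    return seen
```

In retry_demo the service is called four times but the ledger holds one charge: the two throttled attempts were retried with backoff, and the second submission of the same token returned the existing record. In breaker_demo the second failure opens the breaker, the next call is rejected without touching the dependency, and after the reset window a single probe succeeds and closes it again.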
Definitions:
• Foundation - Networking
• Understand Availability Needs
• Application Design for Availability
• Operational Consideration for Availability
Operational Consideration for Availability
• Automate Deployments to Eliminate Impact
• Canary deployment
• Blue-green deployment
• Feature toggles
• Failure isolation zone deployments
• Testing
• Monitoring and Alarming
Generation → Aggregation → Real-time processing and alarming → Storage → Analytics
• Operational Readiness Reviews
• Auditing
Operational Consideration for Availability
• Automate Deployments to Eliminate Impact
• AWS CodeDeploy
• Testing
• Monitoring and Alarming
• Amazon CloudWatch
• AWS X-Ray
• Amazon S3
• Amazon EMR
• Operational Readiness Reviews
• Auditing
• Amazon CloudWatch Logs
• AWS Config
• AWS CloudTrail
Q: How are you managing AWS Service Limits for your Account(s)?
• Unaware
• Aware but not Tracking
• Monitor and Manage Limits
• Aware of Fixed Service Limits
• Sufficient Buffer in Service Limits to Accommodate for Failover
• Service Limits are Considered
Well Architected Framework
Cost Optimization
Clifford Duke, Solutions Architect
2019/04/10
Cost Optimization focuses on avoiding un-needed
costs. Key topics include understanding and
controlling where money is being spent, selecting
the most appropriate and right number of
resource types, analyzing spend over time, and
scaling to meet business needs without
overspending.
Resources:
• Website: https://aws.amazon.com/architecture/well-architected/
• Whitepaper
Design Principles:
• Adopt a consumption model
• Measure overall efficiency
• Stop spending on on-premises data centers
• Analyze and attribute expenditure
• Adopt managed services
Definitions:
• Cost Effective
• Match Supply and Demand
• Expenditure Awareness
• Optimizing Over Time
Cost Effective
• Appropriate Provisioning
• Over-estimated? Under-estimated?
• Right Sizing
• Instance type? Instance family? Database type? Storage type?
• Purchase Options
• On-Demand? Reserved Instance? Spot Instance?
• All Upfront? No Upfront? Partial Upfront?
• Geo Selection
• Centralized? Distributed?
• Managed Services
• Self-managed cost? Human resource cost?
Cost Effective
• Appropriate Provisioning
• Based on CloudWatch and historical data
• Right Sizing
• CloudWatch, Logs, Trusted Advisor
• Monitoring that reflects end users' experience
• Purchase Options
• Cost Explorer
• Hybrid combination: On-Demand + Reserved Instances + Spot Instances
• Geo Selection
• S3, CloudFront
• Managed Services
• RDS, DynamoDB…
• SES, SQS, SNS…
• Lambda, API Gateway…
Definitions:
• Cost Effective
• Match Supply and Demand
• Expenditure Awareness
• Optimizing Over Time
Match supply and demand
• Demand-Based:
• How quickly you need to provision
• Understand the size of the margin between supply and demand
• Buffer-Based:
• Components run at different rates over time
• Time-Based:
• Align resource capacity to predictable real-world timeframes
• Office hours, weekdays, campaigns, peak selling holidays…
Match supply and demand
• Demand-Based:
• Auto Scaling, pre-built AMIs
• Load balancing
• CloudWatch, CloudWatch alarms/events/triggers
• Buffer-Based:
• SQS
• Kinesis
• Spot Instances
• Lambda
• Time-Based:
• Auto Scaling
• CloudFormation
Definitions:
• Cost Effective
• Match Supply and Demand
• Expenditure Awareness
• Optimizing Over Time
Expenditure Awareness
• Stakeholders:
• CFO/Financial Controllers
• BU Owners
• Tech Leads
• 3rd Parties
• Visibility and Controls:
• I want to estimate and forecast billing
• I want to receive an alert if spend exceeds a threshold
• I want to analyze spending/usage
• I want to know RI utilization/coverage
Expenditure Awareness
• Cost Attribution
• Account structure (multi-account) varies by business reasons
• Set a specific limit for particular workloads (sub-account? IAM user?)
• Specific reservations for certain workloads (central DB?)
• Tagging
• Entity Lifecycle Tracking
Expenditure Awareness
• Stakeholders / Visibility and Controls:
• Cost Explorer
• Billing Alarm, CloudWatch Alarm, SNS
• Cost Attribution
• Consolidated Billing (quota discount)
• IAM
• Tagging
• Resource tags
• Entity Lifecycle Tracking
• CloudTrail
• Config
• IAM
Definitions:
• Cost Effective
• Match Supply and Demand
• Expenditure Awareness
• Optimizing Over Time
Optimizing Over Time
• Measure, Monitor, and Improve:
• Establish a cost optimization function
• Establish goals and metrics
• Gather insight and perform analysis
• Report and validate
• Stay Evergreen
• Stay up to date with AWS
• Check managed services
Optimizing Over Time
• Measure, Monitor, and Improve:
• TAM (Technical Account Manager)
• Utilization, RI coverage
• Trusted Advisor
• Stay Evergreen
• Trusted Advisor
• AWS Blog
• What's New at AWS
Q: How do you make sure your capacity matches but does not substantially exceed what you need?
• Provision for Peak
• Demand-Based Approach
• Buffer-Based Approach
• Time-Based Approach
Well Architected Framework
Operational Excellence
Clifford Duke, Solutions Architect
2019/04/10
The operational excellence pillar focuses on
running and monitoring systems to deliver
business value, and continually improving
processes and procedures. Key topics include
managing and automating changes, responding to
events, and defining standards to successfully
manage daily operations.
Resources:
• Website: https://aws.amazon.com/architecture/well-architected/
• Whitepaper
Design Principles:
• Perform operations as code
• Annotate documentation
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational failures
Definitions:
• Prepare
• Operate
• Evolve
Prepare
• Operational priorities
• Understand your workload
• Role
• Business goal
• External regulatory and compliance requirements
• Design for operations
• How will it be deployed, updated, and operated?
• Defect reduction and fixes (quick and safe)
• Logs, monitoring, metrics
• Operational readiness
• Checklists
• Runbooks
• Processes
Prepare
• Operational priorities
• AWS Support: Business Support / Enterprise Support
• Trusted Advisor
• Cloud Compliance: https://aws.amazon.com/compliance/programs/
• Well Architected Framework
• Design for operations
• CloudWatch
• CloudFormation
• Developer Tools
• AWS X-Ray
• Operational readiness
• Lambda
• AWS Config
• AWS Systems Manager
Definitions:
• Prepare
• Operate
• Evolve
Operate
• Understanding operational health
• Monitoring
• What metrics?
• Which level?
• Only numbers, or useful insights?
• Responding to Events
• Planned events, unplanned events…
• How to respond?
• RCA
Operate
• Understanding operational health
• CloudWatch, CloudWatch Logs
• Elasticsearch Service
• Personal Health Dashboard
• Service Health Dashboard
• Responding to Events
• AWS Lambda
• CloudWatch, CloudWatch Events
• SNS
• Auto Scaling
• Systems Manager
Definitions:
• Prepare
• Operate
• Evolve
Evolve
• Learning from Experience
• Analyze your operations over time
• Review and validate insights
• Sharing Learnings
• Use code methodologies
• Share resources with other accounts
• Integrate with 3rd-party tools
Evolve
• Learning from Experience
• Elasticsearch Service
• QuickSight
• Athena
• S3
• CloudWatch
• Sharing Learnings
• IAM
• SNS
• CodeCommit
• Lambda
• CloudFormation
• AMIs
Q: What best practices for cloud operations are you using?
• Operational Checklist to Evaluate Readiness
• Not Evaluating Readiness
• Proactive Plan for Events
• No Active Plan for Events
• Security Checklist to Evaluate Security Readiness
• Not Evaluating Security Readiness
Worksheet: https://bit.ly/2Ia7W0k
Thank You!

HK-AWS-Well-Architected-Workshop

  • 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Trusted Advisor
  • 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Framework
  • 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Purpose of the AWS Well-Architected Framework • Increases awareness of architectural best practices • Addresses foundational areas that are often neglected • Consistent approach to evaluating architectures • Composed of • Pillars • Design principles • Questions – starting point to get you thinking
  • 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pillars of Well-Architected Framework Security Reliability Performance Efficiency Cost Optimization Operational Excellence
  • 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Design Principles of Well-Architected Framework Stop guessing capacity needs Test systems at scale Data-driven architectures Automate to enable experimentation Allow for evolution
  • 15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool
  • 16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool Pillar Area Question Text Question Context Your Answers
  • 17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool
  • 18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool
  • 19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool
  • 20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Well-Architected Tool
  • 21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Worksheet • Work through the questions • Use the questions as a prompt • CURRENT STATE – what is being done now? • FUTURE STATE – what do you think they should be doing? • Not an absolute right or wrong – use case specific • It’s a guide
  • 22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Herman Mak, Solutions Architect 2019/04/10 Well Architected Framework Security
  • 23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The security pillar focuses on protecting information & systems. Key topics include confidentiality and integrity of data, identifying and managing who can do what with privilege management, protecting systems, and establishing controls to detect security events.
  • 24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources: Website: https://aws.amazon.com/architecture/well-architected/ Whitepaper
  • 25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Implement a Strong Identity Foundation Enable Traceability Apply Security at All Layers Automate security best practices Design Principal: Protect data in transit and at rest Prepare for security events
  • 26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and access management Detective controls Infrastructure protection Data protection Definitions: Incident response
  • 27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and Access Management • Protecting AWS credentials •How do you protect your Root Account? •How do you assign your IAM Users, Groups? •How about the API/CLI access? •Did you create Appropriate Policies? • Fine-grained authorization •Least privilege practice •IAM Role for resources
  • 28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and Access Management • Protecting AWS credentials • MFA for Root Account • MFA for critical API Call • IAM • IAM instance profiles for EC2 instances • AWS STS • Fine-grained authorization • IAM, IAM Role • AWS Organizations
  • 29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and access management Detective controls Infrastructure protection Data protection Definitions: Incident response
  • 30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls • Capture and Analyze Logs: • Track all the activities and resource changes on your cloud env • Keep the log, centralized, and prepare for analyze • Analyze those logs from: compute, storage, applications • Integrate Auditing Controls with Notification and Workflow: • Discover potential events of interest • Triggered from changes in infrastructure • Better to have stronger build process before production
  • 31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls • Capture and Analyze Logs: • Capture: CloudTrial, AWS Config • Store: CloudWatch Logs, S3, Glacier • Analyze: Elasticsearch Service, EMR, Athena • Integrate Auditing Controls with Notification and Workflow: • CloudWatch, CloudWatch Events • AWS Config Rules • CloudWatch API & AWS SDKs • Inspector
  • 32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and access management Detective controls Infrastructure protection Data protection Definitions: Incident response
  • 33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Protection • Protecting network and host-level boundaries: • How you provide isolation and boundaries for resource? • How to design your network topology? • How to protect your network access? • What will you do, if you have hybrid cloud? • System(OS) security configuration and maintenance • How to manage your system security configuration? • How to make sure your system is secure? • Do you applied Least-privilege approach, in your system? • Enforcing service-level protection • Who can access service-endpoints? And how? • Who can access the resource of this service? And how? • Did you prevent all the possible data leak?
  • 34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Protection • Protecting network and host-level boundaries: • VPC • Security Group • NetACL • DirectConnect • System security configuration and maintenance • VPC Security Group • Amazon Inspector • Systems Manager (Run Command, State Manager, Inventory, Parameter Store, Patch Manager) • Enforcing service-level protection • IAM • AWS KMS allows you to set policies on the individual key • Amazon S3 allows you to set bucket policies for each S3 bucket.
  • 35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and access management Detective controls Infrastructure protection Data protection Definitions: Incident response
  • 36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection • Data Classification • Categorize organizational data based on levels of sensitivity • Manage appropriate data classification system with different requirement level • Public data? Internal data? HIPPA PHI? • Encryption/tokenization • Protect your content against unauthorized user and unnecessary explosure. • Protecting data at rest • Protecting data in transit • Data backup/replication/recovery • Against the deletion or destruction of data • Ensure continued business operations
  • 37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection • Data Classification • Resource Tag • Detect abnormal access à Amazon Macie • AWS KMS • Encryption/tokenization • AWS KMS • AWS CloudHSM • Amazon DynamoDB • Protecting data at rest • AWS KMS • AWS S3, EBS, Glacier all support KMS
  • 38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection • Protecting data in transit • AWS Certificate Manager (ACM) • ELB Classic Load Balancers/ Application Load Balancers • Amazon CloudFront • AWS Shield • AWS WAF??? • Data backup/replication/recovery • Amazon S3 • Amazon S3 Cross-Region Replication • Amazon S3 Lifecycle polices and versioning
  • 39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and access management Detective controls Infrastructure protection Data protection Definitions: Incident response
  • 40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response • Clean Room • Maintain situational awareness of incident • Describe your resource with Tag. (Whom to response?) • How to get access for the right people during an incident? • How to clean a same environment to investigate incident/reproduce defect?
  • 41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response • Clean Room • IAM should be used to grant appropriate authorization to incident response teams • AWS CloudFormation • EC2 APIs • AWS Step Functions
  • 42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: How are you protecting access to and use of the AWS root account credentials?? No MFA on Root Root Actively Used MFA and Minimal Use of Root No Use of Root
  • 43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: How are you classifying your data? No Data Classification Schema Data Not Classified Using Data Classification Schema All Data Treated as Sensitive
  • 44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Herman Mak, Solutions Architect 2019/04/10 Well Architected Framework Performance Efficiency
  • 45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The performance efficiency pillar focuses on using IT and computing resources efficiently. Key topics include selecting the right resource types and sizes based on workload requirements, monitoring performance, and making informed decisions to maintain efficiency as business needs evolve.
  • 46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Website: https://aws.amazon.com/architecture/well-architected/ Whitepaper Resources:
  • 47. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Democratize advanced technologies Go global in minutes Use server-less architectures Experiment more often Design Principal: Mechanical sympathy
  • 48. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection Definitions: Monitoring Review Trade-offs
  • 49. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection • Compute • Instances • Containers • Functions • Elasticity • Storage • Database • OLTP • NoSQL • OLAP • Data Indexing and searching • Network
  • 50. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection • Compute • EC2 à GPU? FPGA? Burstable? HPC? • ECS, EKS, Fargate • Lambda + APIGateway • Storage • EBS, EFS, EC2 instance store, Glacier • Database • RDS • DynamoDB, DAX • Redshift, S3, Athena • ES • Network • Route53, VPC, CloudFront, DirectConnect
  • 51. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection Definitions: Monitoring Review Trade-offs
  • 52. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review • Infrastructure as code • Deployment pipeline • Well-defined metrics • Performance test automatically • Load generation • Performance visibility • visualization à CodeDeploy, CloudFormation, CloudWatch Benchmarking Load Testing
  • 53. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection Definitions: Monitoring Review Trade-offs
  • 54. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Monitoring • Active • You setup and collect in every environment • Passive • Collected from outside of your system • Understand user experience performance • Geographically performance variability • The impact of API use • Phases Generation àAggregation àReal-time processing and alarming àStorage àAnalytics à CloudWatch, S3, EMR
  • 55. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Selection Definitions: Monitoring Review Trade-offs
  • 56. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Trade-offs • Caching • Application Level • Database Level • Geographic Level • Partitioning or Sharding • Compression • Buffering
  • 57. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: How did you select your storage solution? Considered Characteristics Options no Explored Considered Configuration Options Have not Considered Configuration Options to Improve Performance Considered Access Patterns Have not Considered Access Patterns to Improve Performance
  • 58. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Herman Mak, Solutions Architect 2019/04/10 Well Architected Framework Reliability
  • 59. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The reliability pillar focuses on the ability to prevent, and quickly recover from failures to meet business and customer demand. Key topics include foundational elements around setup, cross project requirements, recovery planning, and how we handle change.
  • 60. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Website: https://aws.amazon.com/architecture/well-architected/ Whitepaper Resources:
  • 61. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to calculate Availability? How many 9s? Background
  • 62. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to calculate Availability? Background With hard dependency? With redundant components? Cost?
  • 63. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation - Networking Definitions: Understand Availability Needs Application Design for Availability Operational Consideration for Availability
  • 64. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation - Networking • Allow IP address space for more than one VPC per Region. • Consider cross-account connections. For example, each line of business might have a unique account and VPCs. These accounts should be able to connect back to shared services. • Within a VPC, allow space for multiple subnets that span multiple AZ. • Always leave unused CIDR block space within a VPC. • How are you going to be resilient to failures in your topology? • What happens if you misconfigure something and remove connectivity? • Will you be able to handle an unexpected increase in traffic/use of your services? • Will you be able to absorb an attempted DoS attack?
  • 65. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation - Networking • Key Services for Network Topology • Amazon VPC • AWS Direct Connect • Amazon EC2 • Amazon route53 • Elastic Load Balancing • AWS Shield
  • 66. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation - Networking Definitions: Understand Availability Needs Application Design for Availability Operational Consideration for Availability
  • 67. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Application Design for Availability • Fault Isolation Zones • Multiple independent component in parallel • Multi-AZ • Redundant components • Micro-service architecture • Recovery Oriented Computing • Distributed systems best practices • Throttling • Retry with exponential fallback • Fail fast • Use of idempotency tokens à assume an action must occur exactly once • Constant work • Circuit breaker • Bi-modal behavior and static stability
  • 68. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls • Capture and Analyze Logs: • Capture: CloudTrial, AWS Config • Store: CloudWatch Logs, S3, Glacier • Analyze: Elasticsearch Service, EMR, Athena • Integrate Auditing Controls with Notification and Workflow: • CloudWatch, CloudWatch Events • AWS Config Rules • CloudWatch API & AWS SDKs • Inspector
  • 69. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation - Networking Definitions: Understand Availability Needs Application Design for Availability Operational Consideration for Availability
  • 70. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Operational Consideration for Availability • Automate Deployments to Eliminate Impact • Canary deployment • Blue-Green deployment • Feature toggles • Failure isolation zone deployments • Testing • Monitoring and Alarming Generation àAggregation àReal-time processing and alarming àStorage àAnalytics • Operational Readiness Reviews • Auditing
  • 71. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Operational Consideration for Availability • Automate Deployments to Eliminate Impact • AWS Code Deploy • Testing • Monitoring and Alarming • Amazon Cloudwatch • AWS X-Ray • Amazon S3 • Amazon EMR • Operational Readiness Reviews • Auditing • Amazon Cloudwatch Logs • AWS Config • AWS CloudTrail
  • 72. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: How are you managing AWS Service Limits for your Account(s)? Unaware Aware but not Tracking Monitor and Manage Limits Aware of Fixed Service Limits Sufficient Buffer in Service Limits to Accommodate for Failover Service Limits are Considered
  • 73. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Clifford Duke, Solutions Architect 2019/04/10 Well Architected Framework Cost Optimization
  • 74. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Optimization focuses on avoiding un-needed costs. Key topics include understanding and controlling where money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending.
  • 75. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources: Website: https://aws.amazon.com/architecture/well-architected/ Whitepaper
  • 76. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Adopt Consumption Model Measure Overall Efficiency Stop spending on On-Premise-DC Analyze and Attribute Expenditure Design Principal: Adopt Managed Service
  • 77. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective Match Supply and Demand Expenditure Awareness Optimizing Over Time Definitions:
  • 78. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective Match Supply and Demand Expenditure Awareness Optimizing Over Time Definitions:
  • 79. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective • Appropriate Provisioning • Over-estimated? Under-estimated? • Right Sizing • Instance Type? Instance Family? Database Type? Storage Type? • Purchase Options • On Demand? Reserved Instance? Spot Instance? • All Upfront? No Upfront? Partial Upfront? • GEO Selection • Centralized? Distributed? • Managed Services • Self managed cost? Human resource cost?
  • 80. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective • Appropriate Provisioning • Based on Cloudwatch and historical data • Right Sizing • Cloudwatch, Logs, Trusted Advisor • Monitoring reflect end-users’ experience • Purchase Options • Cost Explorer • Hybrid combination: On Demand + Reserved Instance + Spot Instance • GEO Selection • S3, CloudFront • Managed Services • RDS, Dynamodb… • SES, SQS, SNS… • Lambda, APIGW…
  • 81. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective Match Supply and Demand Expenditure Awareness Optimizing Over Time Definitions:
  • 82. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Match supply and demand • Demand-Based: • How quickly you need to provision • Understand the size of margin between supply and demand • Buffer-Based: • Components run at different rates over time • Time-Based: • Align the resource capacity to predictable timeframe in real-world • Office hours, Weekdays, Campaign, Super Hot Selling Holiday…
  • 83. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Match supply and demand • Demand-Based: • Auto-Scaling, Pre-built AMI • Load-Balacing • CloudWatch, CloudWatch Alert/Event/Trigger • Buffer-Based: • SQS • Kinesis • Spot Instances • Lambda • Time-Based: • Auto-Scaling • CloudFormation
  • 84. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective Match Supply and Demand Expenditure Awareness Optimizing Over Time Definitions:
  • 85. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Expenditure Awareness • Stakeholders: • CFO/Financial Controllers • BU Owners • Tech Lead • 3rd Parties • Visibility and Controls: • I want to estimate & forecast billing • I want to receive Alert if exceed threshold • I want to analyze spending/usage • I want to know RI Utilization/Coverage
  • 86. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Expenditure Awareness • Cost Attribution • Account Structure (Multi-Account) varies by business reasons • Set specific limit to particular workloads (Sub Account? IAM user?) • Specific reservation for certain workloads (Central DB?) • Tagging • Entity Lifecycle Tracking
  • 87. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Expenditure Awareness • Stakeholders/Visibility and Controls: • Cost Explorer • Billing Alarm, CloudWatch Alarm, SNS • Cost Attribution • Consolidated Billing *Quota Discount • IAM • Tagging • Resource Tag • Entity Lifecycle Tracking • CloudTrail • Config • IAM
  • 88. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cost Effective Match Supply and Demand Expenditure Awareness Optimizing Over Time Definitions:
  • 89. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Optimizing Over Time • Measure, Monitor, and Improve: • Establish a Cost Optimization Function • Establish Goals and Metrics • Gather Insight and Perform Analysis • Report and Validate • Stay Ever Green • Stay up-to-date with AWS • Check with managed services
  • 90. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Optimizing Over Time • Measure, Monitor, and Improve: • TAM (Technical Account Manager) • Utilization, RI Coverage • Trusted Advisor • Stay Ever Green • Trusted Advisor • AWS Blog • What’s New At AWS
  • 91. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: How do you make sure your capacity matches but does not substantially exceed what you need? Provision for Peak Demand-based Approach Buffered-Based Approach Time-Based Approach
  • 92. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Clifford Duke, Solutions Architect 2019/04/10 Well Architected Framework Operational Excellence
  • 93. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The operational excellence pillar focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Key topics include managing and automating changes, responding to events, and defining standards to successfully manage daily operations.
  • 94. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Website: https://aws.amazon.com/architecture/well-architected/ Whitepaper Resources:
  • 95. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Perform operations as code Annotated documentation Make frequent, small, reversible changes Refine operations procedures frequently Design Principal: Anticipate failure Learn from all operational failure
  • 96. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare Operate Evolve Definitions:
  • 97. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare
  • 98. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare • Operational priorities • Understand your workload • Role • Business goal • External regulatory and compliance requirement • Design for operations • How it will be deployed, updated, and operated? • Defect reduction and fixes(quick and safe) • Log, monitor, metrics • Operational readiness • Checklists • Runbooks • process
  • 99. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare • Operational priorities • AWS Support : Business Support/Enterprise Support • Trusted Advisor • Cloud Compliance : (https://aws.amazon.com/compliance/programs/) • Well Architected Framework • Design for operations • CloudWatch • CloudFormation • Developer Tools • AWS X-Ray • Operational readiness • Lambda • AWS Config • AWS Systems Manager
  • 100. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare Operate Evolve Definitions:
  • 101. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Operate • Understanding operational Health • Monitoring • What metrics? • Which level? • Only number or useful insights? • Responding to Events • Planned events, unplanned events…. • How to response? • RCA
  • 102. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Operate • Understanding operational Health • CloudWatch, CloudWatch Logs • ES • Personal Health Dashboard • Service Health Dashboard • Responding to Events • AWS Lambda • CloudWatch, CloudWatch Events • SNS • Auto Scaling • Systems Manager
  • 103. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare Operate Evolve Definitions:
  • 104. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Evolve • Learning from Experience • Analyze your operations over time • Review, and validate insights • Sharing learning • Use code methodologies. • Sharing resource with other accounts • Integrate with 3rd party tools
  • 105. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Evolve • Learning from Experience • ES • QuickSight • Athena • S3 • CloudWatch • Sharing learning • IAM • SNS • CodeCommit • Lambda • CloudFormation • AMIs
  • 106. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Q: What best practices for cloud operations are you using? Operational Checklist to Evaluate Readiness Not Evaluating Readiness Proactive Plan for Events No Active Plan for Events Security Checklist to Evaluate Security Readiness Not Evaluating Security Readiness
  • 107. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. https://bit.ly/2Ia7W0k Worksheet
  • 108. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank You!