Amazon invited me to record a segment in the AWS Architecture series. This was a fun afternoon in their studio.
I ran a project to deploy an HPC cluster using on-demand AWS Elastic Compute Cloud (EC2) resources. The HPC cluster provides researchers with compute resources to quickly run mathematical simulations across very large datasets. This deployment was a replacement for aging on-premises HPC hardware and an opportunity to trial Amazon AWS in a hybrid cloud configuration. High security implementation:
One-way firewall rules between the company network and AWS (the company connects out to AWS resources; AWS resources can’t connect in)
Encryption of data in transit and at rest
AWS Direct Connect connecting the company to AWS
I’ve done a couple of other posts on using AD credentials with the AWS API. You set up AWS IAM to trust AD Federation Services (ADFS) for authentication, and you get temporary access keys to use with the AWS API. This is safer than making lots of IAM accounts with long-term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS.
Getting a Direct Connect link to AWS from our colo datacentre was straightforward. Encrypting traffic between the colo and AWS via Direct Connect is proving to be more difficult. Although the traffic is logically isolated, we wanted it encrypted as it traverses 3rd party WAN providers.
This is the best resource I’ve come across so far explaining how to set up a VPN over AWS Direct Connect: https://www.youtube.com/watch?v=SMvom9QjkPk
Terraform is a tool by HashiCorp (who also make Vagrant, Packer and other ops tools). You maintain a single configuration file and it trues up your environment, creating and deleting machines to match the configuration file. Their products are coming together into a cohesive suite. The first part of the talk describes the Terraform product.
At 30 minutes in there’s a description of “DevOps” (that cuts through much of the BS). Basically:
Developers care about:
I presented at the AWS User Group UK meetup on Hybrid deployments and High Performance Computing.
https://www.youtube.com/watch?v=jvVEldPLmnM
http://www.meetup.com/AWSUGUK/events/206136202/
So it turns out AWS isn’t so Enterprise friendly. If you plan to start using Amazon AWS as an extension to your datacentre, be aware that you had better put everything in one VPC (as of July 2015).
Systems in peered VPCs are not accessible from the corporate network over AWS VPN or Direct Connect :-(
Be aware of limitations on transiting VPCs in your cloud networking designs.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw
Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead
Are you an Enterprise investigating AWS? Don’t want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack
Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8
Is access to your VPC config shielded by nothing but some AWS API credentials (which are probably stored in plain text)?
Can your AWS credentials be used from the public internet (instead of only from the office)?
When you get started with Amazon Web Services (AWS), one thing to do early is secure access to the web console. Rather than manage another set of user accounts, you can reuse your corporate directory (Microsoft Active Directory) to log in to the AWS console. You use AD Federation Services (ADFS) to do this. Also, if you keep your ADFS server internal, then your AWS console is not accessible from the public Internet.
My head in the clouds as usual. Today I passed the AWS Certified Solutions Architect - Associate exam. I used Ryan Kroonenburg’s course on Udemy to skill up. I recommend it: Udemy - AWS Certified Solutions Architect Associate by Ryan Kroonenburg
Update: Ryan quit Udemy’s platform and set up his own by founding https://www.ACloudGuru.com