Yaniv Donenfeld - Sr. Business Development Manager Karl D'Adamo - Senior Director of Engineering, Snapchat November 26, 2018 https://www.youtube.com/watch?v=8OPkt93WyPA
51% of kubernetes clusters are run on aws
NodePort allocate a specific port for a service, and it will allow you to define a port and all nodes for that service will receive traffic on that port, and use it for the configured servicel. Nodes can forward to other nodes that actually contain pods with that service associated with the port
Another option is an ingress object using an ingress object controller. This avoids the overhead associated with node port navigating through the node ip, then to the pod
See iam access info in picture.
Logging: workers
look into using fluentd couldwatch plugin. see info in picture https://eksworkshop.com/logging
another good session to review is: CON361 - Deep Dive on Amazon EKS
Snapchat info for use of EKS: How to manage the scaling of the engineering organizations This guy manages teams that build internal apps for the Snapchat engineering teams
Choose a vendor over roll your own (vanilla kubernetes vs EKS). Choose a vendor if the cost delta is small, and the vendor is providing a service above the vanilla install
~1600 APIs in snap plan is to have 200-400 services, running on kubernetes / EKS 7500 cores, 250k transactions / sec
consider redundancy and failover / backup strategy based on services that can handle bulk loading (lower pri)
optimizing the instance types and counts (fewer, larger instances saved them $)
reducing the amount of overprovisioning that is going on.
https://www.youtube.com/watch?v=95nfMj4PVDA
Awesome presentation. Good examples of how to overcome huge scale tech problems.
https://www.youtube.com/watch?v=Jnl29J3RJQ4
review slides, really good slides.
use code pipeline to manage the process (states, with tasks) review session DEV309 for additional details
deploy to prod w/ code deploy
code pipeline sounds like a competitor to jenkins
- look up
- look up
- Rollback when deployment fails
https://www.youtube.com/watch?v=bjOEDItOdjI
- enablement and repeatability
- speed - guardrails required
- inclusiveness
- focus on differentiating factors
- Built-in as opposed to bolt on
- visibility
- compliance
- ...
https://www.youtube.com/watch?v=5UDSxV9pbnU
too basic overview of iam and policies
November 26, 2018 https://www.youtube.com/watch?v=08AjVGGQaKQ
see slides: github.com/alexcasalboni/
best practices
- put dependencies in a separate /lib directory
- dependency injection is bad for quick starts (use dagger2 over sprint boot)
- use jackson-jr for data binding (java)
- use env vars to modify operational behaviour (for fastest secrets mgmt)
- minimize package size
SAM for local cli testing of lambda functions AWS Cloud9 (cloud based IDE) AWS CodeStar will create environment, ide/code build/code deploy/etc
- Web Application Pattern cloudfront and s3 for static api gateway to lambda to dynamodb cognito for user mgmt edge optimized (cloudfront distribution) check lambda@edge use cases and blueprints (search for cloudfront) private API (can be used through direct connect
GraphQL is implemented in AWS AppSync
- Stream Processing Patterns Kineses
- video streams
- data streams
- data firehose
- dta analytics
-
Data lakes ingest into S3 from Kinesis or IoT or Direct connect (or sftp) catalog and search data using dynamodb, glue, ES analytics and processing (lambda, etc., s3 select, quicksight, athena, lambda, sagemaker, EMR, Glue [ETL]) https://aws.amazon.com/answers/big-dta/data-lake-solution/ athena: SELECT gram, year, sum(count) FROM ngram WHERE gram = 'just say no' GROPU BY gram, year ORDER BY year ASC; reduce cost for athena queries by reducing files scanned: s3://bucket/flight/parquet/year=2018/month=11/day=25
-
Machine Learning frameworks (i.e. caffe or tensorflow) Platforms (sagemaker, Mechanical Turk) API driven services:
- vision (amazon rekognition)
- language (polly, transcrie, translate, comprehend)
- chatbots, Amazon Lex
just a big sales pitch for cisco
https://www.youtube.com/watch?v=AU7EBRViwhE
VMWare sales pitch. Good functionality for managing the number of nodes deployed in a kubernetes cluster. Similar functionality to openshift
https://www.youtube.com/watch?v=w7zeXk6Kggk
install to dev environment: https://github.com/fusor/catasb
https://aws.amazon.com/quickstart/architecture/openshift
openshift service catalog allows you bind aws services to openshift applications demo w/ s3, ml
Openshift 3.11 info:
- multiple consoles
- service catalog
- application console
- cluster console
- visibility into nodes
- resource utilization for nodes
- rbac users and sercie accounts with a specific role
- visually audit a role's verbs and objects
- cluster event stream
- visually audit a role's verbs and objects
- operator sdk
- jenkins plugins
- AWS atoscale groups
- router improvements
- http/2
- reload config changes
- ssl/tls cert validation
- EFK logging of router
- security
- define rules to enforce compliance
- prometheus monitoring is built in and GA
- logging
- ES 5 and Kibana 5
quickstart https://aws.amazon.com/quickstart/architecture/openshift
Workshop - no video other CON 323 CON 411
workshop - no video
lab: https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Operations/DEV306CloudWatch.html
Will be posted to github aws well architected framework
Design Principles
- perform operations as code
- annotated documentation
- make frequent, small, reversible changes
- refine ops procedures frequently
- antisipate failure (have a pre-mortem to determine risk, and drive out the risk)
- learn from all operational failures
reasons to change
- something you want
- something to fix
- to satisfy requirements (regulatory) Otherwise you shouldn't be making the change (example, daily patching will break things w/ no value if your compliance requirement is to patch monthly)
updates on new VPC capabilities VPC sharing allows multiple accounts to share a VPC. There is one account that is the owner, and that defines the CIDR block. The owner defines route tables. But the participants own the resources. The owner cannot delete participant's resources. Must be in the same AWS organization no VPC peering required No AZ cost for data transfer
VPC Sharing https://amzn.to/2Aovw2Z
Hybrid Clouds (using R53 over hybrid) https://amzn.to/2ByEw7s
Client VPN allows (laptop to VPN into a VPC)
Client VPN session: NET304
VPC to VPC connections using VPC Peering can be complex with lots of VPCs for full Mesh VPC peering, n(n-1)/2 VPC Peering COnnections i.e. 10 VPCs, fully meshed is 45 VPC Peering connections VPC route limits constrain the amount of VPC peering connections using aws Transit Gateway (TGW) VPCs (or direct connect) are attached to a TGW. Transit Gateways allow for a lot more flexibility of VPC connections (and on prem connection options)
workshop, no video
https://stg403.s3.amazonaws.com/guide.html
putting in glacier
- use lifecycle rule
- s3 put opbject to glacier
- s3 put copy to glacier
- Cross Region Replication w/ destination bucket lifecycle rule to add to glacier
- s3 now provides restore notifications (SNS, SQS, Lambda)
two modes for s3 object locks
- Governance mode (specific IAM permisssions to remove WORM protections)
- Compliance Mode (no API/user to remove WORM protection)
lots of feature announcements
visual studio code toolkit (not GA, but on github): https://github.com/aws/aws-toolkit-vscode
#DEV305 - AWS DevOps Essensitals and intro workshop on CI/CD workshop, no video
https://github.com/awslabs/aws-devops-essential
my run notes:
workshop, no video
https://amzn.to/serverless-security
current risk priority: owasp.org
scenario: wildrydes.com expansion for customization
- cloudformation supports privagelink (traffic does not traverse the internet)
- StackSets are stacks accross multiple regions
- amazon.com uses stacksets to create temporary accounts w/ budgets, etc.
- $1k max budget
- 7 day max life
- max 2 accounts per developer
- automatically deleted
Improved Handling of secrets: SSM Parameter store allows the use of "global" parameters in CF templates dynamic references lets you use {{resolve:ssm-secure:xxxxxxx:1}} instead of pwds in the CF templates also can resolve resolve:secretsmaager
CF Macros enables template coders to write short-hand, instructions that expand when deployed
- utility fns
- iteration/ looping
- strings can be reused accross CF stacks in the account