Sunteți pe pagina 1din 34

Build on AWS:

Building & Modernizing


Brent Maxwell
Partner Solutions Architect, APAC, AWS
Be Agile: SaaS Reference Architecture Landscape
Modernising your applications

• Go Service Oriented Architecture (& to


microservices and beyond!)
• Modernize with containers
• Build with DevOps
• Offload security considerations
Scaling on monolithic vs SOA applications

Order UI User UI UI
Order UI User UI UI
Shipping
Order UI UI

Order Shipping
Order Service Shipping
Service
Service Service
Order
Service Service
Service
Service Service
Service
User
Service
Characteristics of Service Oriented Architectures

Decentralized Polyglot

Do one
Independent thing well

Black box You build it, you run it


Containers are Natural for SOA
• Simple to model
• Any app, any language
• Image is the version
• Test & deploy same artifact
• Stateless servers decrease change risk
Amazon ECS

• Fully managed, elastic service – you


don’t need to run anything, and the
service scales as your microservices
architecture grows
• Shared state optimistic scheduling
• Integration with Amazon CloudWatch for
monitoring and logging
• Integration with AWS DevOps services
for continuous integration and delivery
(CI/CD)
Deploying Containers on ECS – Choose a Scheduler

Batch Jobs Long-Running Apps


(Monthly reporting, consolidated shipping) (CRM web interface, content management module)

ECS task scheduler ECS service scheduler


Run tasks once Health management
Batch jobs Scale-up and scale-down
RunTask (random) AZ aware
StartTask (placed) Grouped containers
Example Architecture on ECS

Amazon
ECS Cluster
Route 53

Application Load Amazon


Balancer RDS

ECS Cluster

Amazon API
Gateway*

Amazon IAM Amazon CloudWatch


ECR
Automatic Service Scaling

Auto Scaling ECS service

Add/Remove ECS
Availability Availability
tasks
Zone A Zone B

Order
Amazon ECS
Module
Order
Module
Scaling Policies Reporting

Publish metrics

Amazon
CloudWatch

Application
Load Balancer
Blue-Green Deployments

0%
100%
Route 53
record set
with
weighted
routing Task Task
policy
Service Discovery with Route 53 and Application Load
Balancers

PandaCRM.com

Amazon
PandaCRM.com PandaCRM.com/report
Route 53

PandaCRM.com/order Application Load


Balancer

i-aaa i-bbb i-ccc

8080 8081 8080


oAuth Target Group Reporting Target Group

i-aaa i-bbb i-ccc

8090 8001 8002


Portal Target Group

ECS Cluster
What about DevOps?
The DevOps Stack

Continuous Deployment

Communication
Agile Delivery Pipelines

Deployment Automation

Continuous Automated Configuration


Integration Testing Management
DevOps Practices
• Infrastructure as code
• Application and Infrastructure version management
• Test Automation
• Monitoring and logging
• Continuous Integration/Deployment
Release processes levels

Source Build Test Production

Continuous integration

Continuous delivery

Continuous deployment
DevOps Stack on AWS

Code Build Test Deploy Provision Monitor

AWS Elastic Beanstalk

CodePipeline AWS Opsworks

CodeCommit
AWS Elastic Container Service

CodeBuild CodeDeploy CloudFormation CloudWatch

17
Where do I go from here?
• Collect Metrics. Graph anything that moves
• Log everything, Centralize logging, Log Analytics
• Infrastructure as Code
• Automated configuration management
• One click environment creation
• CI-CD pipelines
• Automated testing
We have a strong partner list, and it’s growing

Source Build Test Deploy

*beta
Continuous Deployment

4. Push Image

AWS

3. Build
CodeBuild

Artifact
Amazon instance
2. Trigger
1. Commit ECR
Pipeline
Code

AWS
CodeCommit AWS
CodePipeline Amazon ECS

Spot
5. Update

Instance
Stack

6. Update Service

AWS
CloudFormation
Don’t forget security

Don’t forget security


Beyond the Front Door

Tenant

Access

Tenant Security & Injecting Tenant


Provisioning Roles
Isolation Context
First, We Need A Tenant

Domain • TenantID: 491048735


Provisioning SSL • Domain: abc.pandacrm.com
Certificate • Tier: Platinum
• Status: Active

New Tenant Tenant


Billing
On-Boarding Management
Tenant

Identity
Identity Broker
Provider

• User: bob@abc.com IAM Policy


• TenantID: 491048735
Key Tenant Provisioning Considerations

• Find a seamless model for binding tenant to identities


• Consider fault tolerance for 3rd Party integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
Identity & Isolation: Many Levels, One Goal

Full Stack Resource-Level Application-Level


Isolation Isolation Isolation

Key
Tenant 1 Tenant 2 Tenant1
Web Tier Web Tier Tenant2
Tenant1
Tenant 1 Tenant 2 Tenant3
App Tier App Tier
Tenant2
Tenant1
Tenant 1 Tenant 2 Tenant 1 Tenant 2
IAM Policies Scope Tenant Access

Web Tier

App Tier

Tenant1 Access Tenant2 Access


Policy Policy

CustomerTable

T1-Bucket T2-Bucket
Binding Policies to Tenants

Web Identity
Identity Broker
Application Provider
Tenant

Identity resolved to AWS Security Token


Services (STS)
• Acquire token with tenant-scoped
access
• Leverage a temporary token
AWS cloud
• No need for separate AWS identity
Key Security & Isolation Considerations

• Applying isolation may require a hybrid of


AWS and application strategies
• Avoid having separate IAM users for each
tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and
automation impacts of managing access
policies
• Let IAM enforce your tenant level scoping
Applying Tenant Context
JWT Token
{
Tenant UserID: “bob@abc.com”
Authorization: Bearer<JWT> Role: “Admin”,
TenantID: “93194942”
}
Access Control
Tenant Context

Authorization: Bearer<JWT> Homepage


Authorization: Bearer<JWT>

Access Control Access Control Access Control


Catalog
Cart Service Tenant Service
Auth Service
Service
SaaS Identity Flow

Web Multi-Factor
Identity Broker
Application Authentication
Tenant

Identity
Provider

UserID: bob@abc.com
TenantID: “93194942”
Role: “Admin”

IAM Policy
AWS cloud
SaaS Identity Considerations
• SaaS identity is bigger than authentication
• Use identity broker pattern to decouple from identity
providers
• Leave the heavy lifting, risk, and innovation to someone
else
• Automate role and policy provisioning/management
• Add tenant context to identity token to limit bottlenecks
Recap: Be Agile

Elastic Container Services


helps modernize applications
in SOA.

With DevOps and offloading


identity, AWS services
provide the agility needed in
the SaaS world.
Takeaways
• Modernize the app with SOA on ECS
• DevOps with AWS Code* services for agility
• Offload SaaS identity and focus on app innovation
THANK YOU