AWS architect

  1. Brief
  2. Scenario
  3. Solution
  4. AWS CloudFormation

Brief

This exercise is designed to assess your architecting, technical and business writing skills. It is a representation of a part of what AWS solutions architects do on a daily basis.


Scenario

Let’s suppose that you are a freelance cloud architect hired by a startup company that is in the early stage of its business. The customer was trying to launch a web application on the AWS cloud to conduct a proof of concept (PoC) for their service, but ran into issues: the web page failed to load while they were configuring the Elastic Load Balancer (ELB) and the EC2 server. The EC2 instance runs a LAMP stack (Linux, Apache, MySQL and PHP), and the application page (demo.html) is located in the document root of the web server.

As a cloud architect you are tasked to:

Category  Content
a)  Troubleshoot the issue by correcting the misconfigurations in the given CloudFormation template, then load the demo.html page through the Elastic Load Balancer (ELB) hostname. [See instructions below]
b)  Propose changes to the current implementation that would improve reliability, security, cost, operation and performance before the project goes into production. The architecture should specifically address the requirements and concerns described below:
  • A highly available architecture that resists the failure of a single component
  • Scaling to meet demand; with uncertainty about when this demand will arrive and how large it will be, they are very concerned about buying too many resources too soon
  • Disaster recovery should be considered in case of multiple component failures
  • Their ability to configure their database and data access layer for high performance and throughput
  • Making the user experience in the browser very low latency, even though a large portion of their user base will be far away
  • Effective distribution of load regardless of whether it is an HTTP/1.1 or HTTP/2 request
  • A self-healing infrastructure that recovers from failed service instances
  • Security of data at rest and in transit
  • Securing access to the environment as the delivery team expands
  • An archival strategy for inactive objects older than 6 months
  • Ability to easily manage and replicate multiple environments based on their blueprint architecture
  • Application lifecycle management should be considered as part of a DevOps strategy
  • Cost-effectiveness should also be considered across all components of the architecture
  • Access logs generated need to be collected and aggregated for visualization

Solution

No  Task / Proposed approach
1   A highly available architecture that resists the failure of a single component
    - Use multiple components: an ELB in front, and split the single EC2 server into EC2 + RDS
2   Scaling to meet demand, with uncertainty about when and how large the demand will be; they are very concerned about buying too many resources too soon
    - Scale-up versus scale-out; calculate the expected traffic and the size and scale needed
3   Disaster recovery should be considered in case of multiple component failures
    - A backup and restore policy and solution is needed for each component
4   Their ability to configure their database and data access layer for high performance and throughput
    - Split the RDS role into read and write
5   Making the user experience in the browser very low latency, even though a large portion of their user base will be far away
    - Consider a cache and a CDN
6   Effective distribution of load regardless of whether it is an HTTP/1.1 or HTTP/2 request
    - Application ELB (Application Load Balancer)
7   A self-healing infrastructure that recovers from failed service instances
    - Consider AWS OpsWorks
8   Security of data at rest and in transit
    - Amazon Glacier, Amazon Simple Storage Service (S3) with AWS Storage Gateway
9   Securing access to the environment as the delivery team expands
    - IAM and authorization
10  An archival strategy for inactive objects older than 6 months
    - Archive
11  Ability to easily manage and replicate multiple environments based on their blueprint architecture
    - Blueprint
12  Application lifecycle management should be considered as part of a DevOps strategy
    - AWS DevOps
13  Cost-effectiveness should also be considered across all components of the architecture
    - Cost-effectiveness
14  Access logs generated need to be collected and aggregated for visualization
    - Amazon CloudWatch
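Item 14 asks for the access logs to be collected and aggregated for visualization. A Classic ELB, once access logging is enabled, writes one line per request to an S3 bucket; whatever pipeline then feeds the dashboard (CloudWatch, Athena or a script) has to turn those lines into a status histogram, per-backend request and 5xx counts, backend latency, and the share of requests the ELB could not hand to any healthy instance. The following Python is an added example of that roll-up and is not part of the assignment or of any AWS service. The log lines are constructed in the Classic ELB field layout and are not a real capture; the load balancer name ELB-demo and all addresses are made up, and the 10% and 500 ms thresholds in diagnose() are assumed values. Note that a 503 with "-" as the backend is exactly what the failing PoC above would produce while its health check keeps the instance out of service.

```python
import shlex
from collections import Counter

# Classic ELB access log field order (one line per request):
# timestamp elb client:port backend:port request_time backend_time response_time
# elb_status backend_status received_bytes sent_bytes "request" "user_agent" ssl_cipher ssl_protocol
FIELDS = ["timestamp", "elb", "client", "backend", "request_time", "backend_time",
          "response_time", "elb_status", "backend_status", "received_bytes",
          "sent_bytes", "request", "user_agent", "ssl_cipher", "ssl_protocol"]

# Constructed sample lines in that layout (not a real capture); the name ELB-demo
# and the addresses are made up. Lines with backend "-" are requests the ELB
# could not deliver because no registered instance was in service.
SAMPLE_LOG = """\
2018-06-01T09:00:01.000000Z ELB-demo 203.0.113.10:51234 10.0.0.15:80 0.00005 0.00210 0.00004 200 200 0 1324 "GET http://elb-demo.example:80/demo.html HTTP/1.1" "Mozilla/5.0" - -
2018-06-01T09:00:02.000000Z ELB-demo 203.0.113.11:51240 10.0.0.15:80 0.00006 0.00190 0.00003 200 200 0 1324 "GET http://elb-demo.example:80/demo.html HTTP/1.1" "curl/7.58.0" - -
2018-06-01T09:00:03.000000Z ELB-demo 203.0.113.12:51251 10.0.0.15:80 0.00005 0.00170 0.00004 404 404 0 196 "GET http://elb-demo.example:80/missing.html HTTP/1.1" "curl/7.58.0" - -
2018-06-01T09:00:04.000000Z ELB-demo 203.0.113.13:51260 - -1 -1 -1 503 0 0 0 "GET http://elb-demo.example:80/demo.html HTTP/1.1" "curl/7.58.0" - -
2018-06-01T09:00:05.000000Z ELB-demo 203.0.113.13:51261 - -1 -1 -1 503 0 0 0 "GET http://elb-demo.example:80/demo.html HTTP/1.1" "curl/7.58.0" - -
2018-06-01T09:00:06.000000Z ELB-demo 203.0.113.14:51270 10.0.0.15:80 0.00005 0.85000 0.00004 200 200 0 1324 "GET http://elb-demo.example:80/demo.html HTTP/1.1" "Mozilla/5.0" - -
"""


def parse_line(line):
    """Split one access-log line into a dict; quoted request/user-agent fields stay intact."""
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def aggregate(lines):
    """Roll the records up into the counters a dashboard would plot."""
    status = Counter()
    requests_per_backend = Counter()
    backend_5xx = Counter()
    no_backend = 0          # requests the ELB could not hand to any healthy instance
    latencies = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        status[rec["elb_status"]] += 1
        if rec["backend"] == "-":
            no_backend += 1
            continue
        requests_per_backend[rec["backend"]] += 1
        if rec["elb_status"].startswith("5"):
            backend_5xx[rec["backend"]] += 1
        latencies.append(float(rec["backend_time"]))
    latencies.sort()
    # nearest-rank p95 over the sample (assumed choice of percentile method)
    p95 = latencies[int(0.95 * (len(latencies) - 1))] if latencies else 0.0
    return {
        "status": dict(status),
        "no_backend": no_backend,
        "requests_per_backend": dict(requests_per_backend),
        "backend_5xx": dict(backend_5xx),
        "backend_p95_seconds": p95,
    }


def diagnose(summary):
    """Turn the roll-up into an operator's first-line findings (thresholds are assumed)."""
    notes = []
    total = sum(summary["status"].values())
    if total and summary["no_backend"] / total > 0.10:
        notes.append("over 10% of requests reached no healthy backend: "
                     "check the ELB health-check target and the instance security groups")
    if summary["backend_p95_seconds"] > 0.5:
        notes.append("backend p95 latency above 500 ms: consider a cache/CDN or scaling the tier")
    return notes


if __name__ == "__main__":
    summary = aggregate(SAMPLE_LOG.splitlines())
    print(summary)
    for note in diagnose(summary):
        print("finding:", note)
```

In production the same functions would run over the objects the ELB delivers to S3 rather than over an inline string; the point of keeping "no backend" as its own counter is that it separates an ELB-side configuration failure from errors the application itself returns.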

Reference links and notes:
  • http1.1 vs 2.0
  • Data archive
  • DevOps
  • BioTech Blueprint
  • VMware blueprint
  • Specify Amazon AWS Blueprint Information
  • AWS architecture center
  • AWS reliability
  • VC: https://brunch.co.kr/@conceptnd/32
  • https://jeongyoon.tistory.com/52
  • Amazon Calc
  • Region and Zone
  • k8s lamp

Stage        Year        Investment size                Funding source                       Productization
Seed money   -           -                              Angel investment, crowdfunding       Initial stage
Series A     Years 2-5   10-20억 KRW (1-2 billion)      Angel                                Prototype
Series B     -           30-100억 KRW (3-10 billion)    VC                                   Product proven
Series C-E   -           100억 KRW or more (10 billion+) VC, hedge funds, investment banks   Global expansion, IPO

AWS CloudFormation

The given CloudFormation YAML template, as provided for the troubleshooting task:

AWSTemplateFormatVersion: '2010-09-09'
Description: |

  AWS CloudFormation for AWS Korea SA Assignment
  This is the AWS CloudFormation template which will be used to assess the capability of the candidate.
  AWS resources used if you create a stack from this template and consume all your promotional credit.

Parameters:
  CandidateName:
    Description: 'Please input your name here:'
    Type: String
    MaxLength: '30'
    MinLength: '3'
    ConstraintDescription: 'Please input your full name.'

Resources:

  SAAVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      InstanceTenancy: default
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [SAAVPC, !Ref 'CandidateName']]

  SAAPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: ap-northeast-2a
      MapPublicIpOnLaunch: 'True'
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicSubnetA, !Ref 'CandidateName']]

  SAAPublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: ap-northeast-2c
      MapPublicIpOnLaunch: 'True'
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicSubnetB, !Ref 'CandidateName']]


  SAAPrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: ap-northeast-2a
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateSubnetA, !Ref 'CandidateName']]

  SAAPrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.3.0/24
      AvailabilityZone: ap-northeast-2c
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateSubnetA, !Ref 'CandidateName']]

  SAAIGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [IGW, !Ref 'CandidateName']]

  SAANetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [NACL, !Ref 'CandidateName']]

  SAARouteTablePublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicRouteTable, !Ref 'CandidateName']]

  SAARouteTablePrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateRouteTable, !Ref 'CandidateName']]

  SAAInstance1:
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: 'false'
      InstanceInitiatedShutdownBehavior: stop
      ImageId: ami-dac312b4
      InstanceType: t2.micro
      Monitoring: 'false'
      UserData: 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
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [Instance1, !Ref 'CandidateName']]
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeleteOnTermination: 'true'
          Description: 'Primary network interface'
          DeviceIndex: 0
          SubnetId: !Ref 'SAAPublicSubnetA'
          GroupSet: [!Ref 'SAASGAPP']

  SAAELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref 'SAAPublicSubnetB']
      Instances: [!Ref 'SAAInstance1']
      SecurityGroups: [!Ref 'SAASGELB']
      Listeners:
      - LoadBalancerPort: '80'
        InstancePort: '80'
        Protocol: HTTP
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '15'
        Target: TCP:443
        Timeout: '5'
        UnhealthyThreshold: '2'
      Tags:
        - Key: Environment
          Value: sa-assignemnt
        - Key: Name
          Value: !Join ['-', [ELB, !Ref 'CandidateName']]

  SAASGELB:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - ELB security group
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: ELBSecurityGroup

  SAASGAPP:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - App server security group
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: AppServerSecurityGroup

  SAANACLEntry1:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: 'true'
      Protocol: '-1'
      RuleAction: allow
      RuleNumber: '100'
      NetworkAclId: !Ref 'SAANetworkACL'

  SAANACLEntry2:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Protocol: '-1'
      RuleAction: allow
      RuleNumber: '100'
      NetworkAclId: !Ref 'SAANetworkACL'

  SAANACLAssoc1:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPublicSubnetA'

  SAANACLAssoc2:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPublicSubnetB'

  SAANACLAssoc3:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPrivateSubnetA'

  SAANACLAssoc4:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPrivateSubnetB'

  SAAIGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref 'SAAVPC'
      InternetGatewayId: !Ref 'SAAIGW'

  SAASubnetRoutePublicA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePublic'
      SubnetId: !Ref 'SAAPublicSubnetA'

  SAASubnetRoutePublicB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePublic'
      SubnetId: !Ref 'SAAPublicSubnetB'

  SAASubnetRoutePrivateA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePrivate'
      SubnetId: !Ref 'SAAPrivateSubnetA'

  SAASubnetRoutePrivateB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePrivate'
      SubnetId: !Ref 'SAAPrivateSubnetB'

  SAARoutePublic:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref 'SAARouteTablePublic'
      GatewayId: !Ref 'SAAIGW'
    DependsOn: SAAIGW

Outputs:
  LoadBalancerDNSName:
    Description: 'The DNS name of the load balancer'
    Value: !GetAtt SAAELB.DNSName
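Since task (a) is to find the misconfigurations in the template above, here is an added example, not part of the assignment or of any AWS tool, of a small Python checker that encodes the wiring mistakes visible in the given template: a health-check target on a port that no listener forwards to, an ELB whose subnets do not cover the Availability Zone of a registered instance, security groups with no ingress rules for the listener or instance port, and an internet route that depends on the gateway rather than on its VPC attachment. It assumes the template has already been converted from YAML into plain Python dicts (for example with cfn-flip, or a YAML loader with constructors for !Ref and !Join) and embeds a constructed subset of the template with shortened logical ids (SubnetA, ELB, SGAPP and so on) in place of the SAA-prefixed ones. It goes slightly beyond the page's template in that it also handles instances that set SubnetId and SecurityGroupIds directly rather than through NetworkInterfaces; hardened() shows the corrected wiring for the constructed subset only.

```python
import copy

# Constructed subset of the assignment template, already converted to plain dicts.
# Logical ids are shortened; only the properties the checks look at are kept.
GIVEN = {
    "Resources": {
        "SubnetA": {"Type": "AWS::EC2::Subnet",
                    "Properties": {"AvailabilityZone": "ap-northeast-2a"}},
        "SubnetB": {"Type": "AWS::EC2::Subnet",
                    "Properties": {"AvailabilityZone": "ap-northeast-2c"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "IGWAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {}},
        "RoutePublic": {"Type": "AWS::EC2::Route", "DependsOn": "IGW",
                        "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
                                       "GatewayId": {"Ref": "IGW"}}},
        "SGELB": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "SGAPP": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "Instance1": {"Type": "AWS::EC2::Instance",
                      "Properties": {"NetworkInterfaces": [
                          {"DeviceIndex": 0, "SubnetId": {"Ref": "SubnetA"},
                           "GroupSet": [{"Ref": "SGAPP"}]}]}},
        "ELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
                "Properties": {"Subnets": [{"Ref": "SubnetB"}],
                               "Instances": [{"Ref": "Instance1"}],
                               "SecurityGroups": [{"Ref": "SGELB"}],
                               "Listeners": [{"LoadBalancerPort": "80",
                                              "InstancePort": "80", "Protocol": "HTTP"}],
                               "HealthCheck": {"Target": "TCP:443"}}},
    }
}


def ref(node):
    """Logical id behind a {'Ref': ...} node, or None for anything else."""
    return node.get("Ref") if isinstance(node, dict) else None


def sg_allows(res, sg_id, port):
    """True if the security group has an ingress rule whose port range covers `port`."""
    for rule in res[sg_id]["Properties"].get("SecurityGroupIngress", []):
        if int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1)):
            return True
    return False


def instance_subnet_and_sgs(inst):
    """Subnet id and security-group ids, whether set directly or via NetworkInterfaces."""
    p = inst["Properties"]
    if "NetworkInterfaces" in p:
        eni = p["NetworkInterfaces"][0]
        return ref(eni["SubnetId"]), [ref(g) for g in eni.get("GroupSet", [])]
    return ref(p["SubnetId"]), [ref(g) for g in p.get("SecurityGroupIds", [])]


def check_template(template):
    """Return (resource, finding) pairs for wiring mistakes that break the ELB -> EC2 path."""
    res = template["Resources"]
    findings = []
    attachments = {n for n, r in res.items() if r["Type"] == "AWS::EC2::VPCGatewayAttachment"}
    for name, r in res.items():
        p = r.get("Properties", {})
        if r["Type"] == "AWS::EC2::Route" and "GatewayId" in p:
            deps = r.get("DependsOn", [])
            deps = {deps} if isinstance(deps, str) else set(deps)
            if not deps & attachments:
                findings.append((name, "internet route must DependsOn the VPCGatewayAttachment, not the gateway"))
        if r["Type"] != "AWS::ElasticLoadBalancing::LoadBalancer":
            continue
        listeners = p.get("Listeners", [])
        inst_ports = {int(l["InstancePort"]) for l in listeners}
        # Health-check target is PROTO:PORT or HTTP(S):PORT/path; probe a port the listeners use
        target = p.get("HealthCheck", {}).get("Target", "")
        hc_port = int(target.split(":", 1)[1].split("/", 1)[0]) if ":" in target else None
        if hc_port not in inst_ports:
            findings.append((name, f"health check probes port {hc_port} but listeners forward to {sorted(inst_ports)}"))
        elb_azs = {res[ref(s)]["Properties"]["AvailabilityZone"] for s in p.get("Subnets", [])}
        for lb_port in {int(l["LoadBalancerPort"]) for l in listeners}:
            for sg in p.get("SecurityGroups", []):
                if not sg_allows(res, ref(sg), lb_port):
                    findings.append((ref(sg), f"no ingress rule for listener port {lb_port}"))
        for i in p.get("Instances", []):
            subnet, sgs = instance_subnet_and_sgs(res[ref(i)])
            az = res[subnet]["Properties"]["AvailabilityZone"]
            if az not in elb_azs:   # a Classic ELB only routes to AZs it has a subnet in
                findings.append((name, f"instance {ref(i)} is in {az} but the ELB has no subnet there"))
            for port in inst_ports:
                if not any(sg_allows(res, g, port) for g in sgs):
                    findings.append((ref(i), f"no security group on the instance admits port {port}"))
    return findings


def hardened(template):
    """Copy of the constructed sample with the wiring corrected (ids are tied to GIVEN)."""
    t = copy.deepcopy(template)
    res = t["Resources"]
    res["RoutePublic"]["DependsOn"] = "IGWAttachment"
    elb = res["ELB"]["Properties"]
    elb["Subnets"] = [{"Ref": "SubnetA"}, {"Ref": "SubnetB"}]
    elb["HealthCheck"]["Target"] = "HTTP:80/demo.html"   # probe the page the PoC serves
    res["SGELB"]["Properties"]["SecurityGroupIngress"] = [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]
    res["SGAPP"]["Properties"]["SecurityGroupIngress"] = [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "SourceSecurityGroupId": {"Ref": "SGELB"}}]   # only the ELB may reach Apache
    return t


if __name__ == "__main__":
    for resource, msg in check_template(GIVEN):
        print(f"{resource}: {msg}")
    print("after fix:", check_template(hardened(GIVEN)))
```

To run it against the real template, convert the YAML to JSON first (cfn-flip does this) and pass the loaded dict to check_template; the Name-tag duplicate on the second private subnet and the misspelled Environment tag on the ELB are cosmetic and are not flagged, since they do not affect whether demo.html loads.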

© 2018. All rights reserved.
