AWS architect
in blog on blockchain
Brief
This exercise is designed to assess your architecting, technical and business writing skills. It is representative of part of what AWS solutions architects do on a daily basis.
Scenario
Suppose you are a freelance cloud architect hired by a startup that is in the early stage of its business. The customer tried to launch a web application on AWS to run a proof of concept (PoC) for their service, but after configuring an Elastic Load Balancer (ELB) and an EC2 instance the web page failed to load. The EC2 instance runs a LAMP stack (Apache, MySQL and PHP), and the application page (demo.html) is located in the document root of the web server.
As a cloud architect you are tasked to:
Item | Detail |
---|---|
a) | Troubleshoot the issue by correcting the misconfigurations in the given CloudFormation template, so that the demo.html page loads through the Elastic Load Balancer (ELB) hostname. [See the template below] |
b) | Propose changes to the current implementation that improve reliability, security, cost, operations and performance before the project goes into production. The architecture should specifically address the requirements and concerns listed below: |
- A highly available architecture that resists the failure of a single component
- Scaling to meet demand, with uncertainty about when and how much that demand will be; they are very concerned about buying too much resource too soon
- Disaster recovery should be considered in case of multiple component failures
- Their ability to configure their database and data access layer for high performance and throughput
- Making the user experience in the browser very low latency even though a large portion of their user base will be far away
- Effective distribution of load regardless of whether it is an HTTP/1.1 or HTTP/2 request
- A self-healing infrastructure that recovers from failed service instances
- Security of data at rest and in transit
- Securing access to the environment as the delivery team expands
- An archival strategy for inactive objects older than 6 months
- Ability to easily manage and replicate multiple environments based on their blueprint architecture
- Application lifecycle management should be considered as a DevOps strategy
- Cost-effectiveness should also be considered across all components of the architecture
- Access logs generated need to be collected and aggregated for visualization
Solution
No | Task |
---|---|
1 | A highly available architecture that resists the failure of a single component |
- | Use both Availability Zones the template already defines: put the load balancer in both public subnets and run at least two web instances, one per AZ. Move MySQL off the EC2 instance onto Amazon RDS with Multi-AZ, so a database host failure fails over automatically instead of taking the site down. |
2 | Scaling to meet demand with uncertainty about when and how much, without buying too much resource too soon |
- | Put the web tier in an Auto Scaling group with a small minimum (two instances) and a target-tracking policy on CPU or request count per target. Capacity is added only when load arrives and billed while it runs, so no up-front sizing is needed; the AWS pricing calculator gives the per-instance cost for comparison. |
3 | Disaster recovery in case of multiple component failures |
- | Agree an RTO and RPO first. Keep the entire environment in CloudFormation so it can be recreated in another region, take automated RDS snapshots and copy them cross-region, bake the web tier into an AMI, and rehearse the restore. |
4 | Configuring the database and data access layer for high performance and throughput |
- | Separate reads from writes: send writes to the RDS primary and reads to one or more read replicas, and put an ElastiCache layer in front for hot data so repeated reads never reach MySQL. |
5 | Very low browser latency even though a large part of the user base is far away |
- | Put Amazon CloudFront in front of the load balancer and serve static assets from S3 through the same distribution; content is cached at edge locations near the users and TLS terminates close to them. |
6 | Effective distribution of load whether the request is HTTP/1.1 or HTTP/2 |
- | Replace the Classic ELB with an Application Load Balancer: it negotiates HTTP/2 with browsers over TLS and talks HTTP/1.1 to the instances, so the backend does not change. A Classic Load Balancer does not support HTTP/2. |
7 | A self-healing infrastructure that recovers from failed service instances |
- | Auto Scaling with the health check type set to ELB: an instance that fails the load balancer health check is terminated and replaced automatically. AWS OpsWorks auto-healing is an alternative if the team standardises on Chef. |
8 | Security of data at rest and in transit |
- | In transit: an ACM certificate on the ALB, an HTTPS listener with a modern TLS policy, and HTTP redirected to HTTPS. At rest: KMS-encrypted EBS volumes, RDS with StorageEncrypted, S3 default encryption, and database credentials generated in Secrets Manager rather than written into the template. |
9 | Securing access to the environment as the delivery team expands |
- | IAM groups (or IAM Identity Center) with least-privilege policies and MFA; no shared root or long-lived access keys; EC2 instance roles instead of credentials on disk; Session Manager instead of distributed SSH keys; CloudTrail enabled for every API call. |
10 | An archival strategy for objects inactive for more than 6 months |
- | S3 lifecycle rules that transition objects to S3 Glacier after 180 days (and expire them later if retention allows); AWS Storage Gateway if on-premises data also has to be archived. |
11 | Easily managing and replicating multiple environments from a blueprint architecture |
- | Parameterised CloudFormation templates (environment name, instance sizes, CIDRs) deployed as one stack per environment; nested stacks or StackSets when several accounts are involved. |
12 | Application lifecycle management as a DevOps strategy |
- | A CodePipeline driven from the source repository (CodeCommit or GitHub) through CodeBuild and CodeDeploy, promoting the same CloudFormation template from dev to staging to production, with blue/green deployments behind the ALB. |
13 | Cost-effectiveness across all components of the architecture |
- | Right-size instances from CloudWatch metrics, Reserved Instances for the steady baseline and Spot for burst capacity, S3 lifecycle rules for storage, and AWS Budgets with alerts. |
14 | Access logs collected and aggregated for visualization |
- | Enable ALB access logs to S3, ship Apache and application logs with the CloudWatch agent, and visualise them with CloudWatch dashboards or Athena plus QuickSight over the S3 logs. |
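The proposals in rows 1, 2, 4, 6, 7, 8, 10 and 14 expressed as CloudFormation, as an added example that is not part of the original write-up or of the assignment's template. It reuses the VPC, subnet and security-group logical names from the given template and assumes that an ACM certificate already exists, that the regional ELB log-delivery account ID is supplied as a parameter, that SAASGELB allows tcp/80 and tcp/443 inbound, that SAASGAPP allows tcp/80 from SAASGELB only, and that the private subnets have a NAT route; the AMI, instance sizes and the 180-day threshold are illustrative.

```yaml
Parameters:
  CertificateArn:    # ACM certificate for the site's hostname (assumed to exist already)
    Type: String
  ElbLogAccountId:   # ELB log-delivery account for ap-northeast-2, from the ALB access-log docs (assumed input)
    Type: String
Resources:
  # Rows 14 and 10: access logs land in a private bucket and move to S3 Glacier after 180 days
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }
      LifecycleConfiguration:
        Rules:
          - { Id: archive-after-6-months, Status: Enabled, Transitions: [{ StorageClass: GLACIER, TransitionInDays: 180 }] }
  LogBucketPolicy:   # only the regional ELB log-delivery account may write, and only under its own prefix
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { AWS: !Sub 'arn:aws:iam::${ElbLogAccountId}:root' }
            Action: s3:PutObject
            Resource: !Sub '${LogBucket.Arn}/alb/AWSLogs/${AWS::AccountId}/*'
  # Rows 6 and 8: the ALB terminates TLS, redirects HTTP to HTTPS and negotiates HTTP/2 with browsers
  ALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    DependsOn: LogBucketPolicy
    Properties:
      Scheme: internet-facing
      Subnets: [!Ref SAAPublicSubnetA, !Ref SAAPublicSubnetB]
      SecurityGroups: [!Ref SAASGELB]          # assumed to allow tcp/80 and tcp/443 from 0.0.0.0/0
      LoadBalancerAttributes:
        - { Key: access_logs.s3.enabled, Value: 'true' }
        - { Key: access_logs.s3.bucket, Value: !Ref LogBucket }
        - { Key: access_logs.s3.prefix, Value: alb }
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: { VpcId: !Ref SAAVPC, Protocol: HTTP, Port: 80, HealthCheckPath: /demo.html }
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ALB
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only
      Certificates: [{ CertificateArn: !Ref CertificateArn }]
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref TargetGroup }]
  HttpRedirect:      # plain HTTP is never forwarded to the web tier
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ALB
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - { Type: redirect, RedirectConfig: { Protocol: HTTPS, Port: '443', StatusCode: HTTP_301 } }
  # Rows 1, 2 and 7: two AZs, a small minimum, and replacement of any instance the ALB marks unhealthy
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-dac312b4                  # the assignment's AMI; bake a production image instead
        InstanceType: t3.micro
        SecurityGroupIds: [!Ref SAASGAPP]      # assumed to allow tcp/80 from SAASGELB only
        MetadataOptions: { HttpTokens: required }   # IMDSv2 only, so an SSRF cannot read the instance role's keys
  WebASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: [!Ref SAAPrivateSubnetA, !Ref SAAPrivateSubnetB]   # assumes a NAT route for updates
      LaunchTemplate: { LaunchTemplateId: !Ref LaunchTemplate, Version: !GetAtt LaunchTemplate.LatestVersionNumber }
      MinSize: '2'
      MaxSize: '6'
      TargetGroupARNs: [!Ref TargetGroup]
      HealthCheckType: ELB
      HealthCheckGracePeriod: 120
  # Rows 4 and 8: MySQL leaves the web instance; Multi-AZ, encrypted, password generated into Secrets Manager
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString: { SecretStringTemplate: '{"username": "admin"}', GenerateStringKey: password, PasswordLength: 32, ExcludeCharacters: '"@/\' }
  DBSubnets:
    Type: AWS::RDS::DBSubnetGroup
    Properties: { DBSubnetGroupDescription: private subnets for MySQL, SubnetIds: [!Ref SAAPrivateSubnetA, !Ref SAAPrivateSubnetB] }
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.small
      AllocatedStorage: '20'
      MultiAZ: true
      StorageEncrypted: true
      BackupRetentionPeriod: 7
      DBSubnetGroupName: !Ref DBSubnets
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
```

Two design points worth calling out. The port-80 listener redirects rather than forwards, so a client that types the hostname without a scheme is still moved onto TLS and the instances only ever see traffic that came through the load balancer. The database password never appears in the template or in stack parameters: it is generated in Secrets Manager and resolved at deployment, which also makes later rotation a change to one resource. A security group for the database that allows tcp/3306 from SAASGAPP only, and read replicas for row 4, are the next additions.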
Notes and references (link titles as saved):
- http1.1 vs 2.0
- Data archive
- DevOps
- BioTech Blueprint
- VMware blueprint, Specify Amazon AWS Blueprint Information
- AWS architecture center
- AWS reliability
- VC
- https://brunch.co.kr/@conceptnd/32
- https://jeongyoon.tistory.com/52
- Amazon Calc
- Region and Zone
- k8s lamp
Startup funding stages (note on what "early stage" means for this customer):

Stage | Year | Investment size | Funding source | Productization |
---|---|---|---|---|
Seed money | | | Angel investors, crowdfunding | Initial stage |
Series A | Years 2-5 | KRW 1-2 billion (10-20억) | Angel investors | Prototype |
Series B | | KRW 3-10 billion (30-100억) | VC | Product proven |
Series C-E | | Over KRW 10 billion (100억+) | VC, hedge funds, investment banks | Global expansion, IPO |
AWS CloudFormation
The CloudFormation template given with the assignment, reproduced as given (it contains the misconfigurations that task a) asks you to find):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: |
  AWS CloudFormation for AWS Korea SA Assignment
  This is the AWS CloudFormation template which will be used to assess the capability of the candidate.
  AWS resources used if you create a stack from this template and consume all your promotional credit.
Parameters:
  CandidateName:
    Description: 'Please input your name here:'
    Type: String
    MaxLength: '30'
    MinLength: '3'
    ConstraintDescription: 'Please input your full name.'
Resources:
  SAAVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      InstanceTenancy: default
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [SAAVPC, !Ref 'CandidateName']]
  SAAPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: ap-northeast-2a
      MapPublicIpOnLaunch: 'True'
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicSubnetA, !Ref 'CandidateName']]
  SAAPublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: ap-northeast-2c
      MapPublicIpOnLaunch: 'True'
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicSubnetB, !Ref 'CandidateName']]
  SAAPrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: ap-northeast-2a
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateSubnetA, !Ref 'CandidateName']]
  SAAPrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.3.0/24
      AvailabilityZone: ap-northeast-2c
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateSubnetA, !Ref 'CandidateName']]
  SAAIGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [IGW, !Ref 'CandidateName']]
  SAANetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [NACL, !Ref 'CandidateName']]
  SAARouteTablePublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PublicRouteTable, !Ref 'CandidateName']]
  SAARouteTablePrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [PrivateRouteTable, !Ref 'CandidateName']]
  SAAInstance1:
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: 'false'
      InstanceInitiatedShutdownBehavior: stop
      ImageId: ami-dac312b4
      InstanceType: t2.micro
      Monitoring: 'false'
      UserData: # (the user-data script is not reproduced on this page)
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: !Join ['-', [Instance1, !Ref 'CandidateName']]
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeleteOnTermination: 'true'
          Description: 'Primary network interface'
          DeviceIndex: 0
          SubnetId: !Ref 'SAAPublicSubnetA'
          GroupSet: [!Ref 'SAASGAPP']
  SAAELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref 'SAAPublicSubnetB']
      Instances: [!Ref 'SAAInstance1']
      SecurityGroups: [!Ref 'SAASGELB']
      Listeners:
        - LoadBalancerPort: '80'
          InstancePort: '80'
          Protocol: HTTP
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '15'
        Target: TCP:443
        Timeout: '5'
        UnhealthyThreshold: '2'
      Tags:
        - Key: Environment
          Value: sa-assignemnt
        - Key: Name
          Value: !Join ['-', [ELB, !Ref 'CandidateName']]
  SAASGELB:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - ELB security group
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: ELBSecurityGroup
  SAASGAPP:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - App server security group
      VpcId: !Ref 'SAAVPC'
      Tags:
        - Key: Environment
          Value: sa-assignment
        - Key: Name
          Value: AppServerSecurityGroup
  SAANACLEntry1:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: 'true'
      Protocol: '-1'
      RuleAction: allow
      RuleNumber: '100'
      NetworkAclId: !Ref 'SAANetworkACL'
  SAANACLEntry2:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Protocol: '-1'
      RuleAction: allow
      RuleNumber: '100'
      NetworkAclId: !Ref 'SAANetworkACL'
  SAANACLAssoc1:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPublicSubnetA'
  SAANACLAssoc2:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPublicSubnetB'
  SAANACLAssoc3:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPrivateSubnetA'
  SAANACLAssoc4:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref 'SAANetworkACL'
      SubnetId: !Ref 'SAAPrivateSubnetB'
  SAAIGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref 'SAAVPC'
      InternetGatewayId: !Ref 'SAAIGW'
  SAASubnetRoutePublicA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePublic'
      SubnetId: !Ref 'SAAPublicSubnetA'
  SAASubnetRoutePublicB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePublic'
      SubnetId: !Ref 'SAAPublicSubnetB'
  SAASubnetRoutePrivateA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePrivate'
      SubnetId: !Ref 'SAAPrivateSubnetA'
  SAASubnetRoutePrivateB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref 'SAARouteTablePrivate'
      SubnetId: !Ref 'SAAPrivateSubnetB'
  SAARoutePublic:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref 'SAARouteTablePublic'
      GatewayId: !Ref 'SAAIGW'
    DependsOn: SAAIGW
Outputs:
  LoadBalancerDNSName:
    Description: 'The DNS name of the load balancer'
    Value: !GetAtt SAAELB.DNSName
```
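The misconfigurations a reviewer finds in the template above, with the corrected resources, as an added example that is not the assignment's answer key and not part of the original write-up. Only the resources that change are shown; each replaces the same-named resource in the given template and everything else stays as it is. The fixes follow from the template itself: both security groups were created with no inbound rules, the instance and the load balancer sit in different subnets, the health check probes a port the listener never uses, and the default route depends on the wrong resource.

```yaml
Resources:
  # Fix 1: SAASGELB had no inbound rules, so the ELB dropped every client packet before it
  # reached the listener. Allow only the listener port from the internet.
  SAASGELB:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - ELB security group
      VpcId: !Ref SAAVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  # Fix 2: SAASGAPP also had no inbound rules, so even a healthy ELB could not reach Apache.
  # Allow port 80 from the ELB's security group only, not from 0.0.0.0/0: the instance has a
  # public IP, and an internet-wide rule would let clients bypass the load balancer entirely.
  SAASGAPP:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SA Assignment - App server security group
      VpcId: !Ref SAAVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref SAASGELB
  # Fix 3: the instance is in SAAPublicSubnetA (ap-northeast-2a) but the ELB was enabled only in
  # SAAPublicSubnetB (ap-northeast-2c); a Classic Load Balancer sends traffic only to instances in
  # the subnets enabled on it. Enable both public subnets and balance across zones.
  # Fix 4: the health check probed TCP:443 while the listener forwards to port 80 and nothing
  # listens on 443, so the instance was permanently OutOfService. Check the page itself over HTTP.
  SAAELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref SAAPublicSubnetA, !Ref SAAPublicSubnetB]
      CrossZone: true
      Instances: [!Ref SAAInstance1]
      SecurityGroups: [!Ref SAASGELB]
      Listeners:
        - LoadBalancerPort: '80'
          InstancePort: '80'
          Protocol: HTTP
      HealthCheck:
        Target: HTTP:80/demo.html
        Interval: '15'
        Timeout: '5'
        HealthyThreshold: '2'
        UnhealthyThreshold: '2'
  # Fix 5: a route to an internet gateway can only be created after the gateway is attached to the
  # VPC, so the route must depend on the attachment resource, not on the gateway itself; otherwise
  # stack creation can fail on a race between the two resources.
  SAARoutePublic:
    Type: AWS::EC2::Route
    DependsOn: SAAIGWAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref SAARouteTablePublic
      GatewayId: !Ref SAAIGW
```

After updating the stack, `aws elb describe-instance-health --load-balancer-name <name>` (the name is what `!Ref SAAELB` returns, visible under the stack's resources) should report the instance as InService, and `curl -I http://<LoadBalancerDNSName>/demo.html` should return 200. The network ACL was not the cause: its two rule-100 entries allow all traffic in both directions, which also means all filtering in this design rests on the security groups. Two cosmetic defects remain in the given template and are worth fixing while you are there: the Name tag on SAAPrivateSubnetB reads PrivateSubnetA, and the ELB's Environment tag is misspelled sa-assignemnt, which will break any tag-based cost report.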