\u53c2\u52a0\u4e862019\u5e74\u7684AWS re:Invent\u6d3b\u52a8\u7684\u603b\u7ed3\u3002<\/p>\n
\u56e0\u4e3a\u5728\u8bbe\u8ba1\u4e2d\uff0c\u6211\u6ce8\u610f\u5230\u4e86\u4e00\u4e2a\u5173\u952e\u8bcd”blast radius”\uff0c\u56e0\u6b64\u4e2a\u4eba\u89c9\u5f97\u6709\u5fc5\u8981\u8bb0\u4f4f\u5b83\u3002<\/p>\n
\u5728 AWS \u4e2d\uff0c\u6709 “train your builders” \u8fd9\u6837\u7684\u5173\u952e\u70b9\uff0c\u4f8b\u5982\u4e2a\u5b66\u4e60\u578b\u4f1a\u8bae re:invent \u672c\u8eab\u5c31\u662f\u4e00\u4e2a\u4f8b\u5b50\uff0c\u8fd8\u6709 builders’ library \u63d0\u4f9b\u7684\u6700\u4f73\u5b9e\u8df5\uff0c\u4ee5\u53ca\u9488\u5bf9\u673a\u5668\u5b66\u4e60\u7684\u5f00\u53d1\u8005\u5b66\u4e60\u670d\u52a1\u63d0\u4f9b\uff08\u5982 DeepRacer\uff09\u3002\u53ef\u4ee5\u5728\u5404\u4e2a\u65b9\u9762\u611f\u53d7\u5230 AWS \u63d0\u4f9b\u8fd9\u79cd\u673a\u4f1a\u3002<\/p>\n
\u4ece\u52a8\u5411\u4e0a\u770b\uff0c\u4f5c\u4e3a\u65b0\u7684\u670d\u52a1\uff0c\u4f3c\u4e4e\u4e3b\u8981\u662f\u4e3a\u4e86\u6d88\u9664\u4e0eai\/ml\u548con-prem\u7684\u969c\u788d\u800c\u6dfb\u52a0\u4e86\u9ad8\u6027\u80fd\u5904\u7406\u548c\u4f4e\u5ef6\u8fdf\u7f51\u7edc\u3002<\/p>\n
\u611f\u89c9\u5c31\u50cf\u662f\u5728\u62c9\u65af\u7ef4\u52a0\u65af\u7684\u9152\u5e97\u548c\u8d4c\u573a\u7fa4\u4e2d\u4e3e\u884c\u4e00\u573a\u5927\u89c4\u6a21\u7684\u6d3b\u52a8\uff0c\u7531\u4e8e\u6211\u4f4f\u7684\u9152\u5e97\uff08\u540d\u4e3aBally’s\uff09\u7684\u4ea4\u901a\u4e0d\u662f\u5f88\u65b9\u4fbf\uff0c\u6240\u4ee5\u9700\u8981\u6b65\u884c\u5927\u7ea620\u5206\u949f\u5230\u8fbe\u9694\u58c1\u7684\u4f1a\u573a\uff0c\u5bfc\u81f4\u6211\u611f\u5230\u5f88\u7d2f\uff08\u5982\u679c\u53ef\u80fd\u7684\u8bdd\uff0c\u4f4f\u5728\u6d3b\u52a8\u4f1a\u573a\u7684\u9152\u5e97\u4e4b\u4e00\u4f1a\u66f4\u8f7b\u677e\uff0c\u56e0\u4e3a\u53ef\u4ee5\u4e58\u5750\u7a7f\u68ad\u5df4\u58eb\uff09\u3002<\/p>\n
\u5728\u65e9\u665a\u9910\u6642\uff0c\u98df\u7269\u9078\u64c7\u4e3b\u8981\u6709\u81ea\u52a9\u9910\u548c\u5916\u5e36\uff0c\u9910\u5ef3\u7a7a\u9593\u901a\u5e38\u90fd\u5f88\u5bec\u655e\uff0c\u6240\u4ee5\u6211\u53ea\u5728\u7b2c\u4e00\u5929\u7684\u5348\u9910\u6642\u9078\u64c7\u4e86\u5916\u5e36\uff0c\u5176\u4ed6\u6642\u9593\u90fd\u662f\u5728\u81ea\u52a9\u9910\u5ef3\u7528\u9910\u3002\u83dc\u80b4\u7684\u7a2e\u985e\u6839\u64da\u4e0d\u540c\u7684\u65e5\u5b50\u800c\u6709\u6240\u8b8a\u5316\uff0c\u6709\u4e9e\u6d32\u6599\u7406\u3001\u58a8\u897f\u54e5\u6599\u7406\u7b49\u7b49\uff0c\u4f46\u5c0d\u6211\u7684\u98f2\u98df\u6c92\u6709\u7522\u751f\u7279\u5225\u7684\u5f71\u97ff\u3002<\/p>\n
<\/p>\n
\u9ad8\u6027\u80fd\u306a instances \u3078\u306e\u5bfe\u5fdc 1<\/p>\n
fargate for eks\u3001eks \u30a4\u30f3\u30d5\u30e9\u306e managed
\nnetworking\u3001\u8a00\u53ca\u306a\u3057<\/p>\n
cassandra (mcs) \u306e\u8ffd\u52a0\u3001 wide column database<\/p>\n
outposts (on-prem workload)<\/p>\n
local zones (low latency to local end-users)<\/p>\n
wavelength (5G)<\/p>\n
Amazon CodeGuru<\/p>\n
Java \u306e\u307f\u3063\u307d\u3044\u306e\u3067\u8272\u3005\u306a\u8a00\u8a9e\u306e\u5bfe\u5fdc\u304c\u5f85\u3061\u9060\u3057\u3044<\/p>\n
Amazon Kendra<\/p>\n
\u4f01\u696d\u5185\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306e\u691c\u7d22\u306f\u7686\u56f0\u3063\u3066\u3044\u3066\u9700\u8981\u304c\u3042\u308b\u3093\u3060\u308d\u3046<\/p>\n
Amazon Builders’ Library<\/p>\n
\u8aad\u3080\u5fc5\u8981\u304c\u3042\u308b<\/p>\n
\u5728\u665a\u4e0a8\u70b9\u6392\u961f\uff0c\u4f46\u7b49\u5f85\u4e24\u4e2a\u5c0f\u65f6\u5230\u5f00\u59cb\u65f6\u95f4\u548c\u7b49\u5f85\u961f\u4f0d\u7ea6\u4e00\u5c0f\u65f6\u90fd\u5f88\u8f9b\u82e6\u3002\u5230\u8fbe\u62c9\u65af\u7ef4\u52a0\u65af\u4e4b\u524d\u5df2\u7ecf\u8017\u5c3d\u4e86\u4f53\u529b\uff0c\u65e0\u6cd5\u575a\u6301\u5230\u6700\u540e\u53c2\u52a0\u6bd4\u8d5b\u3002<\/p>\n
<\/p>\n
<\/p>\n
regional control plane -> zone (zone control plane, data plane)<\/p>\n
well architectured framework
\ntenets<\/p>\n
minimize blast radius (spike, etc.)
\nserverless (lambda, kinesis – no zone based)
\ninfra as code<\/p>\n
analytics cell router -> analytics cells -> KINESIS -> s3 for datastore -> (engineer, asap, ml, etc.)
\ns3 -> asap -> detections cell router -> detection cells -> findings repos<\/p>\n
router
\ns3 event log -> sns -> (analytics cell router)[sqs -> (lambda -> dynamodb rules)] -> analytics cells
\nrules<\/p>\n
load balancing, data segregation (source recognized source a to cell a)
\ndata replication (prod cells copy to test cells), blue\/green deployment
\nnever look s3? spof (\u3088\u304f\u308f\u304b\u3089\u3093\u304b\u3063\u305f\uff09<\/p>\n
cell<\/p>\n
apache flink checkpoint and save<\/p>\n
key takeways<\/p>\n
small vs. large
\ndesign for failure
\nthinnest possible layer<\/p>\n
eks managed vpc | customer managed vpc<\/p>\n
zone \u9593\u306f\u3069\u3046\u3075\u308a\u308f\u3051\u308b\u306e\u304b\uff1f -> 53 \u3063\u307d\u3044<\/p>\n
eks celluar arch (1 cell = 1 aws account = frontend, cluster events, control plane management, etc.)
\npipeline -> prow cluster<\/p>\n
enhancement<\/p>\n
managed node groups (single command, up to date, ha)<\/p>\n
simplify worker node management, self managed, k8s ecosystem tooling (autoscaler)<\/p>\n
vision (globally available, easy to use, production ready, cost-effective, high performance)<\/p>\n
snap service mesh on eks<\/p>\n
eks, envoy, switchboard, spinnaker<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
fault isolation zones: cell-based, multi-az
\nmicroservice
\ndistributed best practices: throttling, retry, circuit breaker<\/p>\n
strategy: backup & restore (multi-region) high level rto, rpo
\nstrategy: pilot light
\nstrategy: warm standby
\nstrategy: active-active<\/p>\n
(one ex. read locally, write globally)<\/p>\n
s3 – cross-region replication<\/p>\n
replication time control (new! two weeks ago)<\/p>\n
ebs – snapshot copy
\ndynamodb – multi-master, multi-region (no complexity write globally)
\nrds:- cross-region read replicas
\ninter-region vpc peering -> white paper
\nsnapchat<\/p>\n
99.99% (tier0), 99.95% (tier1), 99% (tier2), 95% (tier3)
\nlegacy<\/p>\n
monolithic, single region -> multi-region active-active
\nrepl: dynamodb streams -> stream service -> other regions, etc.<\/p>\n
continuous resilience<\/p>\n
disaster recovery -> chaos engineering -> continuous resilience<\/p>\n
\u6ca1\u6709\u65b0\u7684\u4fe1\u606f\u5417\uff1f
\n\u6709\u4eba\u79bb\u5f00\u5ea7\u4f4d\u5f15\u4eba\u6ce8\u76ee\u3002<\/p>\n
\u8d85\u8fc765000\u540d\u4e0e\u4f1a\u8005
\n\u8d85\u8fc73000\u573a\u4f1a\u8bae<\/p>\n
! \u8f6c\u53d8<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\u5728\u672c\u5730\uff1a97\uff05<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
serverless<\/p>\n
data silos -> data lake<\/p>\n
s3 access point https:\/\/aws.amazon.com\/jp\/blogs\/aws\/easily-manage-shared-data-sets-with-amazon-s3-access-points\/<\/p>\n
redshift ra3 instances with managed storage https:\/\/aws.amazon.com\/jp\/blogs\/aws\/amazon-redshift-update-next-generation-compute-instances-and-managed-analytics-optimized-storage\/<\/p>\n
elasticsearch service (ultrawarm) https:\/\/aws.amazon.com\/jp\/blogs\/aws\/announcing-ultrawarm-preview-for-amazon-elasticsearch-service\/<\/p>\n
database<\/p>\n
managed cassandra service (wide column) https:\/\/aws.amazon.com\/jp\/blogs\/aws\/new-amazon-managed-apache-cassandra-service-mcs\/<\/p>\n
ml<\/p>\n
usecase: health care
\nsage maker studio, notebooks, experiments, debugger, model monitor, autopilot
\nfraud detector
\ncodeguru (\u4e00\u756a\u76db\u308a\u4e0a\u304c\u3063\u305f\uff09<\/p>\n
contact lens for amazon connect
\nkendra
\nbreak on-prem barriers
\noutposts GA<\/p>\n
native aws or vmware cloud on aws<\/p>\n
local zones
\n5G<\/p>\n
8 capabilities
\nwavelength<\/p>\n
<\/p>\n
identity<\/p>\n
diy identity store – vulunerable
\nhashed – attask, salt hashed – …
\n(ok) ssecure remote password protocol (SRP)
\nAmazon Cognito (SRP, etc.)<\/p>\n
x multiple identities o centralize identity management and privilege management<\/p>\n
delegation: OIDC + OAUTH, federation: SAML, no long-term credentials, rbac
\ndelegation<\/p>\n
aws security token service -> temporary iam creds<\/p>\n
jwt: identity token, access token, refresh token
\nleast privilege, iam condition<\/p>\n
access control to api gateway<\/p>\n
with cognito
\nallowed -> jwt + context.identity
\nwith lambda authorizer -> policy
\nothers<\/p>\n
basic request vailidations on api gateway: parameters, payload with JSON schema
\nCORS<\/p>\n
access control to dynamodb (iam, cognito condition), s3 (iam, bucket policies)<\/p>\n
s3 access point (multi access control)<\/p>\n
lambda<\/p>\n
shared responsibility model
\niam invoke, actions, assume<\/p>\n
common vulnerabilities: ddos<\/p>\n
aws shield<\/p>\n
common: OWASP top risks to web apps – XSS<\/p>\n
aws waf filtering rules<\/p>\n
common: SQL injection<\/p>\n
use prepared<\/p>\n
apply security at all layers
\nsecure coding practices<\/p>\n
accessing db creds: x hard coded, ! env or config file, o aws secrets manager, o iam authentication for amazon rds
\ndata api for amazon aurora serverless https:\/\/docs.aws.amazon.com\/ja_jp\/AmazonRDS\/latest\/AuroraUserGuide\/data-api.html<\/p>\n
monolitic functions -> microservies + event-driven architectures (small functions)
\nowasp secure coding practices<\/p>\n
remove human interaction, self service tools, abstraction layers allow for modular evolution<\/p>\n
enable your developers<\/p>\n
preparing hackathon<\/p>\n
everything continuous, all the time<\/p>\n
how long x takes?<\/p>\n
keep your systems simple<\/p>\n
gall’s law<\/p>\n
democratize your data
\ndevelop a culture of openness<\/p>\n
legacy: ecs containers<\/p>\n
goal: 100x clients, faster, more data<\/p>\n
shift<\/p>\n
docker -> serverless, tdd, devops, devs, and QA are all one<\/p>\n
customer want: routing, observability, security, transparency
\narch<\/p>\n
proxy<\/p>\n
virtual node, virtual service, virtual router<\/p>\n
design<\/p>\n
frontend service, envoy management service, transformer
\nfrontend service<\/p>\n
authentication
\nauthorization
\nvalidation
\npersistence<\/p>\n
picking<\/p>\n
customer configuration\/metadata, relationships between resources, serializable cross-key\/table -> JournalDB<\/p>\n
transformer<\/p>\n
mesh id -> buckets (split brain -> allow extra)
\nevent-driven processing<\/p>\n
reactive, efficient, creates backlog, requires reconciliation
\nlevel-driven processing: bounded workload (bimodal behavior), self-healing, less efficient<\/p>\n
envoy<\/p>\n
envoy data store<\/p>\n
synthesized envoy configuration, relationships node to manifest, eventually consistency, single key -> dynamodb<\/p>\n
discovery – listeners – routes – secrets – clusters – endpoints
\nmanagement<\/p>\n
actor system(connection manager, manifest manager, aws cloud map, aws certificate manager)<\/p>\n
operations (canary)<\/p>\n
deployment: first (container images and cloudformation templates), second, remaining
\nmonitoring: rate, errors, duration (+ cloudwatch log insight)<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
terminology: ecs cluster (namespace), ecs task (like pods), service (many tasks)
\nstart ec2 instances first, and then run ecs tasks (infra first)
\ntask placement: available instances -> resources (like resource limit) -> placement constraints (like affinity) -> strategy
\ninfra first: available instances not found, spread placement strategies, scaling (cloudwatch metrics -> alarm auto scaling groups: metrics are based only on existing tasks and resources)<\/p>\n
application first<\/p>\n
tenets: applications own their requirements, infrastructure responds to application requirements<\/p>\n
ECS Capacity Providers<\/p>\n
ecs cluster ( ecs cp ( ec2 asg (ec2 instances)))
\necs cp<\/p>\n
abstracts capacity
\n0-10 \/cluster
\nused by tasks\/services<\/p>\n
run tasks under cp without instances -> instances start -> tasks placed
\nec2 spot \/ fargate spot<\/p>\n
price up to 90%\/80%
\nreclaimed by ec2\/ reclaimed
\ninstances pools\/automatic<\/p>\n
<\/p>\n
insist on the highest standards
\nraise the bar for testing<\/p>\n
1000s unit tests, 100s integration tests, pre-prod env, roll-forward\/back testing<\/p>\n
be technically fearless<\/p>\n
mitigate fear with professionalism, testing, and open-@minded scrutiny
\naws lindbergh award<\/p>\n
modeling
\nfocus on blast radius<\/p>\n
shuffle sharding https:\/\/aws.amazon.com\/jp\/blogs\/architecture\/shuffle-sharding-massive-and-magical-fault-isolation\/<\/p>\n
modular separation
\ndouble down on simplicity<\/p>\n
saying no to many features,<\/p>\n
unreasonable redundancy<\/p>\n
striping, shuffle sharding
\nteeny cache<\/p>\n
static stability
\ndegrade gracefully<\/p>\n
<\/p>\n
delivery: dev\/test -> review -> pre-production -> production
\ndev\/test<\/p>\n
use cloud desktops at amazon
\nuse cloud9 internally
\nsupport aws toolkit for third party IDE<\/p>\n
debugging timeline 30min -> 10 min
\ndemo<\/p>\n
review<\/p>\n
codecommit supports approval rules
\ncodeguru review\/profiler<\/p>\n
ci\/cd<\/p>\n
2001: monolith -> 2002: 2-pizza teams (devops, full ownership, full accountability, focused innovation)<\/p>\n
delivery pipelines (dev tool team)<\/p>\n
delivery: source -> build -> alpha (pre-production, automated tests) -> beta (pre-production, automated integration tests, load\/perf tests, browser tests) -> gamma (pre-production, automated integration tests, synthetics tests, api smoke tests) -> one az\/fractional (production, synthetic monitoring) … -> one region…
\ndelivery is pessimistic
\npipeline blockers: time windows, pipeline policies, ocverage, review, security scans, dependency updates, etc.<\/p>\n
modern applications<\/p>\n
monolithic -> n-tier -> micoservices & serverless
\naws cdk<\/p>\n
a look ahead<\/p>\n
security<\/p>\n
<\/p>\n
<\/p>\n
iam role -> resource<\/p>\n
short-term creds for iam role
\nif any policy denies -> access denied
\nif some policy allows -> allow
\notherwise denied<\/p>\n
cross account: recommendation – keep it simple<\/p>\n
resource based policy
\nrole trust policy<\/p>\n
\u53c2\u52a0\u4e862019\u5e74\u7684AWS re:Invent\u6d3b\u52a8\u7684\u603b\u7ed3\u3002 \u5370\u8c61 \u56e0\u4e3a\u5728\u8bbe\u8ba1\u4e2d\uff0c\u6211\u6ce8\u610f\u5230\u4e86\u4e00\u4e2a\u5173\u952e\u8bcd” […]<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-50445","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"\n