copyright 2013
Getting Started with Public Cloud and AWS
CohesiveFT | Chicago Ideas Week Lab
Thursday, October 17, 13

CIW Lab with CohesiveFT: Get started in public cloud - Part 2 Hands On



Agenda
• Level Set: Cloud, Virtualization & Networking Basics
• Working together: AWS and CohesiveFT
• AWS Core: Starting in EC2 and S3
• Hands on: Setting up your own AWS
• Life in the Cloud: What others are doing in public cloud


Welcome back

Your Presenter: Ryan Koop, Director of Marketing, Co-founder
Coming Up: Patrick Kerpan, CEO, Co-founder

@cohesiveft #CIW

Ryan is responsible for product development and manages teams for public relations, international events, and content marketing. His role spans the technical product development, customer support, business development and thought leadership needs of a growing company.

Before CohesiveFT, Ryan worked at a trading platform software company in the US Derivative Markets.


Jump into AWS: Amazon POV

Graphic from http://docs.amazonwebservices.com/gettingstarted/latest/awsgsg-intro/intro.html

[Diagram: stack of Layer 0 through Layer 7, with the SaaS, PaaS and IaaS bands marked]


Jump into AWS: My POV


AWS Regions = Availability Zones

Choose specific regions to:
• Optimize latency
• Address regulatory requirements
• Create a point-of-presence (POP)

[Diagram: Region: US East, with Servers in two Availability Zones, connected to the Internet]


AWS & Cloud Provides Global Reach


AWS Terminology: Image & Instance

Image - template to launch an Amazon EC2 instance with your software

Instance - the AWS name for a server / virtual machine.

Detailed information can be found at: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/instance-types.html

In AWS, you can launch an instance from community or marketplace AMIs


Amazon Web Services Offerings (Console)


More information at aws.amazon.com/console


Set up your AWS account


• Go to www.aws.amazon.com

• Follow the steps to set up and verify

• Recommended: Sign up for Free, No support options


Amazon Simple Storage Service (Amazon S3)


Amazon Web Services Offerings (Console)


More information at aws.amazon.com/console


Amazon S3


• Backup and Storage – Provide data backup and storage services for others.

• Application Hosting – Provide services that deploy, install, and manage web applications.

• Media Hosting – Build a redundant, scalable, and highly available infrastructure that hosts video, photo, or music uploads and downloads.

• Software Delivery – Host your software applications that customers can download.

More on using S3 here: http://aws.amazon.com/s3/#resources


Create a Bucket in S3


Upload files to your bucket
• In the Upload - Select Files wizard
- to upload an entire folder, click Enable Enhanced Uploader
• Click Add Files.
• Select the file > click Open
• Click Start Upload.

To hide the Transfer dialog box, click the Close button at top right in the Transfers panel. To open it again, click Transfers.


Move Objects
• In the Amazon S3 console, right-click the object that you want to move, and then click Cut.
• Navigate to the bucket or folder you want to move the object to. Right-click the folder or bucket and then click Paste Into.


Amazon S3


Highlights
• Unlimited object storage
• Upload files (from 1 byte to 5 terabytes each) from your computer
• Browse the contents of your buckets with either HTTP or SOAP interface
• Can create an authenticated URL to give time limited 3rd party access to a bucket

More on using S3 here: http://aws.amazon.com/s3/#resources


Life in the cloud: using S3 at CohesiveFT

[Diagram: Customers, Analysts, Investors (images: Wikipedia)]


Amazon Elastic Compute Cloud (Amazon EC2)


Amazon Web Services Offerings (Console)


More information at aws.amazon.com/console


AWS Terminology: EC2


• Security Group: a set of rules you create to act as a firewall to control traffic for one or more instances

• Spot Instance: instance you allow to run on any unused Amazon EC2 compute capacity - prices fluctuate periodically depending on the supply, demand and capacity

• Reserved Instance: pricing model that enables you to reserve capacity for EC2 instances, lowers average cost


Amazon Web Services - EC2


• Launch and manage Instances

• Launch virtual servers in the cloud

• Find, manage and create Amazon Machine Images (AMIs)

• Create and manage Security Groups


Two Kinds of AWS Images

EBS-backed
• Boot in <1min
• Limited to 1TB
• Data persists after instance termination
• Stop function allows you to change the instance settings (grow or shrink)
• Charged for runtime and storage
• All AWS Marketplace AMIs are EBS-backed

Instance Store-backed
• Boot in <5mins
• Limited to 10GB*
• Data on instance only persists during the life of the instance
• Instance attributes are fixed for the life of the instance
• Cheaper: only charged for runtime


Amazon Web Services - Select AMI

• Choose from Quick Start popular AMIs, Marketplace, or Community AMIs
• Search “wordpress”
• Select WordPress BitNami (free tier)
OR
• (optional) VNS3 Free Edition


AWS Terminology: Security Groups

Security Groups
• Acts as a firewall that controls the traffic allowed into a group of instances
• Add rules that govern inbound traffic; can add or modify rules at any time
• Cannot map security groups across regions

Rules
• Specify a certain protocol (TCP, UDP or ICMP)
• Specify destination port or ports (if the protocol is TCP or UDP)
• Specify source (IP address or addresses using CIDR notation*)

*A CIDR block xxx.xxx.xxx.xxx/n stands for a set of IP addresses, where n is the number of 1 bits in the network mask. Example: 192.168.12.0/23 represents the address range 192.168.12.0 - 192.168.13.255


Amazon Web Services - Launching EC2 Instances


• Select Region

• Continue

• Choose instance type (t.micro recommended)

• Accept T&C


Amazon Web Services - Launching with EC2 Console


• Select Region

• Accept Terms

• Select a Version

• Launch with EC2 in your region (US West)


Amazon Web Services - Launching EC2 Instances


• Choose Instance Type

• Next

• Configure Instance Details
- Network - public and private IP
- Additional Storage
- Tagging
- Security Group
- Access - SSH Key


Connecting & Securing EC2 Instances


AWS Basic Terminology: Elastic IP Addresses

Elastic IP Address (Static IP address):
• Associated with account, rather than a particular instance
• If your instance fails, can map its replacement to the same IP address
• Each account is limited to 5 elastic IP addresses
• You are charged $.01/hr when these IP addresses are not mapped to an instance

[Diagram: Amazon randomly assigns public IP addresses (two Amazon Instances shown with 204.236.202.134 and 63.250.226.146); assign instances with your Elastic IP Address (two Amazon Instances shown, both with 204.236.202.134)]


Public and Private IP Addresses

[Diagram: Home Computer, Private IP Address: 192.168.02; Router; Modem, Private IP Address: 192.168.0.1, Public IP Address: 124.150.112.92; LAN / WAN; Internet Service Provider (Comcast), Public IP Address: 69.241.45.4; Web Server (Amazon) www.cohesiveft.com, Public IP Address: 72.21.194.1]


Connections Between Regions

• Connectivity between availability zones is a LAN connection
• Connectivity between regions is a WAN connection

[Diagram: Region: US West and Region: US East, each with Servers in two Availability Zones; LAN links inside each region, a WAN link between the regions]


Amazon VPC Security Groups

VPC Security Groups
• The Security Groups you created for EC2 cannot be used in VPC
• Can control both inbound and outbound traffic
• At the instance level - instances in the same subnet can be in different security groups

Rules
• Specify protocol
• Specify port or port range
• For inbound traffic: source IP address or CIDR range
• For outbound traffic: destination IP address or CIDR range


Amazon Web Services - Security Groups

Security Groups
• Acts as a firewall that controls the traffic allowed into a group of instances
• Add rules that govern inbound traffic; can add or modify rules at any time
• Can create up to 500 EC2 security groups with up to 100 rules each

Rules
• Specify a certain protocol (TCP, UDP or ICMP)
• Specify destination port or ports (if the protocol is TCP or UDP)
• Specify source (IP address or addresses using CIDR notation)
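The rule model above (protocol, port, CIDR source) and the earlier CIDR footnote, as an added Python example that is not part of the slides: it expands a CIDR block the way the footnote describes, evaluates a constructed security group against sample traffic, and flags rules that open admin ports to 0.0.0.0/0. The sample group, the peer addresses and the ADMIN_PORTS set are assumptions for illustration, not AWS data.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

ADMIN_PORTS = {22, 3389}  # assumed audit list: SSH and RDP should not be open to 0.0.0.0/0


@dataclass(frozen=True)
class Rule:
    protocol: str             # "tcp", "udp" or "icmp", as on the slide
    from_port: Optional[int]  # port range; None for icmp, which has no ports
    to_port: Optional[int]
    cidr: str                 # source CIDR (inbound) or destination CIDR (VPC outbound)


def cidr_range(block: str):
    """Expand a CIDR block into (first address, last address, address count)."""
    net = ipaddress.ip_network(block, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def mask_one_bits(block: str) -> int:
    """The /n of a CIDR block is the number of 1 bits in its subnet mask."""
    net = ipaddress.ip_network(block, strict=False)
    return bin(int(net.netmask)).count("1")


def rule_matches(rule: Rule, protocol: str, port: Optional[int], peer_ip: str) -> bool:
    """One rule covers a packet if protocol, port (tcp/udp only) and peer address all match."""
    if rule.protocol != protocol:
        return False
    if protocol in ("tcp", "udp"):
        if port is None or not (rule.from_port <= port <= rule.to_port):
            return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def is_allowed(rules: List[Rule], protocol: str, port: Optional[int], peer_ip: str) -> bool:
    """Security groups are allow-lists: traffic that no rule matches is dropped."""
    return any(rule_matches(r, protocol, port, peer_ip) for r in rules)


def wide_open_admin_rules(rules: List[Rule]) -> List[Rule]:
    """Audit check: TCP rules that expose an admin port to the whole Internet."""
    return [r for r in rules if r.protocol == "tcp" and r.cidr == "0.0.0.0/0"
            and any(r.from_port <= p <= r.to_port for p in ADMIN_PORTS)]


# Constructed sample group: SSH from one office range, HTTP from anywhere, ping from
# a private network. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation space.
TEST_GROUP = [
    Rule("tcp", 22, 22, "203.0.113.0/24"),
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("icmp", None, None, "10.0.0.0/8"),
]

if __name__ == "__main__":
    print(cidr_range("192.168.12.0/23"))                     # the slide's example block
    print(is_allowed(TEST_GROUP, "tcp", 22, "203.0.113.7"))  # True
    print(wide_open_admin_rules(TEST_GROUP + [Rule("tcp", 22, 22, "0.0.0.0/0")]))
```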


Lab: Let’s launch something


Wifi


SSID: 20NorthConference

PW: 3126295000


Signing Up, Launching and Configuring a Wordpress Server

1. Sign up for Free Tier AWS Account
2. Enable EC2
3. Create a Test Security Group
4. Browse the Marketplace
5. Launch a Bitnami Wordpress Server
6. Configure the Wordpress Server
....
10. Profits


Appendix: What else is there?


Gartner’s POV


Appendix: AWS and CohesiveFT


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
Features available in all zones of EC2 USA today | ✓ | ✓ | ✓
Features available in all zones of EC2 EU today | ✓ | ✓ | ✓
Features integrated to EC2 existing security lattice (EC2 Security groups) | ✓ | ✓ | ✓
Can use EC2 Elastic IP Addresses | ✓ | ✓ | ✓
Ability to use Amazon load balancing service today | ✓ | ✓ | ✓
Access to Amazon S3 | ✓ | ✓ | ✓
Support all EC2 Instance Types in All Regions and Zones | ✓ | ✓ | ✓
Ability to use Elastic Load Balancers across VPCs within a region | ✓ | ✓ | ✓
Ability to use Elastic Load Balancers across VPCs across regions for failover | ✓ | ✓ | ✓
Group: AWS Interoperability


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
Multiple VPCs per AWS Account | ✷ | ✓ | ✓
Multiple VPN Gateways per AWS Account | ✷ | ✓ | ✓
Multiple Customer Gateways per AWS Account | ✷ | ✓ | ✓
Multiple VPN Connections per VPN Gateway | ✓ ✓
Can ASSIGN SPECIFIC addresses to specific servers in my "VPC" | ✓ | ✓ | ✓
Create a Virtual Private Cloud on AWS’s scalable infrastructure, and specify its private IP address range from any block you choose. | ✓ | ✓ | ✓
Divide your VPC’s private IP address range into one or more subnets in a manner convenient for managing applications and services you run in your VPC. | ✓ | ✓ | ✓
Private IP Address Range Shared across Multiple Clouds and/or Virtual Infrastructures | ✓ | ✓ | ✓
Groups: AWS Availability; Address Control


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
Allow customers to use BGP | ✓ | ✓ | ✓
Can use UDP multicast in my EC2 subnets | ✓ | ✓ | ✓
Can use UDP multicast between EC2 regions | ✓ | ✓ | ✓
SSL VPN Support | ✓ | ✓ | ✓
Multicast between data center and EC2 | ✓ | ✓ | ✓
Support GRE Termination | ✓ | ✓ | ✓
Custom Layer 3 protocol modules (services based) | ✓ | ✓ | ✓
Traffic can be routed directly to the Internet and NOT back across the internet, into my datacenter and back out again | ✓ | ✓ | ✓
Securely route traffic to EC2 EU from EC2 US without having to route through the datacenter | ✓ | ✓ | ✓
Custom topologies & design services (declarative topology description) | ✓ | ✓ | ✓
Provides outbound NATing from Private VPC subnets | ✓ | ✓ | ✓
End user VPN Clients can connect to VPC using SSL Client | ✓ | ✓ | ✓
End user VPN Clients can connect to VPC using IPsec Client | ✓ | ✓ | ✓
Dynamic route updates available to SSL and IPsec Clients | ✓ | ✓ | ✓
Ability to move IP addresses between virtual infrastructures or clouds | ✓ | ✓ | ✓
Groups: Topology Control; Protocol Control


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
Ability to create Cloud-based WANs that integrate corporate sites, cloud infras, partner sites, and colo or MSP infra. | ✓ | ✓ | ✓
Provides outbound NATing from Public VPC subnets | ✓ | ✓ | ✓
Allows port forwarding from Internet to select inside VPC servers | ✓ | ✓ | ✓
Route traffic between your VPC and the Internet over the VPN connection so that it can be examined by your existing security and networking assets before heading to the public Internet. | ✓ | ✓ | ✓
Control inbound and outbound access to and from individual subnets using network access control lists. | ✓ | ✓ | ✓
Bridge together your VPC and your IT infrastructure via an encrypted IPSEC connection. | ✓ | ✓ | ✓
Network firewall controlling the VLAN | ✓ | ✓ | ✓
Intrusion/Extrusion detection in the cloud - monitoring x-cloud subnets | ✓ | ✓ | ✓
Access controlled on the host level by a unique cryptographic credential per virtual network address. | ✓ | ✓ | ✓
Cryptographic identity linking (and segregating) multiple gateway routers | ✓ | ✓ | ✓
Remote Support controlled by multi-organization (customer and vendor) 2-factor authentication | ✓ | ✓ | ✓
Groups: Topology Control (cont’d); Security Control


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
Windows and Linux device support | ✓ | ✓ | ✓
Supports industry standard security appliances NAT'ed behind customer edge (Cisco ASA for example) | ✓ | ✓ | ✓
Eucalyptus to EC2 support | ✓ | ✓ | ✓
vCloud to EC2 support | ✓ | ✓ | ✓
GoGrid/Rackspace/ElasticHosts/CloudSigma/Flexiant/etc - to EC2 | ✓ | ✓ | ✓
OpenStack to EC2 | ✓ | ✓ | ✓
IBM Smart Cloud and Smart Cloud Plus to EC2 | ✓ | ✓ | ✓
Easily integrate mobile phones and tablets to VPC infrastructure | ✓ | ✓ | ✓
Citrix Virtual Infra to EC2 | ✓ | ✓ | ✓
Parallels Virtual Infra to EC2 | ✓ | ✓ | ✓
KVM Virtual Infra to EC2 | ✓ | ✓ | ✓
VMware Virtual Infra to EC2 | ✓ | ✓ | ✓
Let other AWS accounts (Partners, ISVs) launch instances to talk to VPC owner's instances directly | ✓ | ✓ | ✓
Group: Market Interoperability


AWS VPC vs. CohesiveFT VNS3

Feature | AWS | VNS3 Enhances | VNS3 Extends
2-way failover in VPC | ✓ | ✓ | ✓
Instance can both be part of a VPC and accessible to the general Internet | ✓ | ✓ | ✓
Ability to create N-number of IDENTICAL defined subnets without routable connectivity allows significant gains in dev/test/staging. | ✓ | ✓ | ✓
Web-based management interface | ✓ | ✓ | ✓
Support for customer's IPsec endpoints behind NAT ? | ✓ | ✓ | ✓
N-way failover in VPC | ✓ | ✓ | ✓
Support for 3DES and AES 256 encryption | ✓ | ✓ | ✓
Common abstraction model/interface across all clouds and virtual infrastructures | ✓ | ✓ | ✓
Geographic or datacenter redundancy from customer side to VPC | ✓ | ✓ | ✓
Emergency access possible if IPsec connection is down. | ✓ | ✓ | ✓
Ability to connect a single VPC to multiple datacenters directly, as opposed to daisy-chaining datacenters via customer WAN. | ✓ | ✓ | ✓
Ability to directly "dump" the interfaces to see traffic traversal and connection attempts. | ✓ | ✓ | ✓
SNMP support for popular Enterprise monitoring systems. | ✓ | ✓ | ✓
Group: Enterprise View


VNS3 Demo


Demo of the VNS3 Application SDN solution: Look for this functionality
• Ability to span data centers and vendors
• Heterogeneous control; cloud vendor runs his network, customer runs their own network
• Overlay devices peer via cryptographic identity and checksums
• Ability to separate network location from identity
• Application (and its owners) are in control of addressing, protocol, topology and security

VNS3 Product Family (Application SDN)
• VNS3 Manager (virtual appliance)
• VNS3 Routing Agent (runs on cloud hosts)
• VNS3 Command and Control (Mgmt tool under development)


Demo Topology #1


Demo Topology #2


The first “process” customizable cloud transport network device

VNS3: customer controlled, and co-created, for the best hybrid cloud experience (Q4 2013)

VNS3 3.5 allows customers to embed features and functions provided by other vendors - or developed in house - safely and securely into their Cloud Network.
• Not just a scripting interpreter that allows control over known, existing features
• Completely new functions, processes, computation delivered to the core of the customer cloud network (patent pending)

[Diagram: VNS3 as a Dynamic & Scriptable SDN device: Router, Switch, Firewall, IPsec/SSL VPN Concentrator, Reverse Proxy, Proxy, Content Caching, Load Balancing, Intrusion Detection, Protocol Redistributor, More....]


CohesiveFT

Chicago, IL [email protected] +1 888.444.3962

Stay in touch!

@cohesiveFT | CohesiveFT.com/blog | Slideshare: www.slideshare.net/CohesiveFT | CloudCamp.org/Chicago

Questions?
