What are cloud services?

  • AWS is a public-cloud service
  • Large companies that use public clouds usually run them as part of a hybrid cloud
  • Definition of 'hybrid cloud' (the NIST definition): The cloud infrastructure is a composite of two or more distinct cloud infrastructures (Private, Community, or Public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability

Base model of cloud services

Comparison of local ICT products and cloud products

Using the DMZ infrastructure from AWS

Companies use protective barriers behind the cloud

Introduction to public cloud architecture

AWS Shared responsibility model

"Security OF the Cloud" - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.

"Security IN the Cloud" - Customer responsibility is determined by the AWS Cloud services a customer selects: with IaaS the customer still manages the guest OS, patching, network controls and IAM; with managed services more of that shifts to AWS, but the customer's data, its classification and encryption, and access control always remain the customer's responsibility.

On-Premises Security Model

AWS Security Model for IaaS

AWS Security Model for PaaS

AWS Security Model for SaaS

Security responsibilities of AWS and the customer

AWS Global Infrastructure

Region vs Availability zones

AWS Availability Zones

Edge Locations (CloudFront)

Public cloud provider compliance plan

Chunghwa Telecom provides numerous routes and connections to the cloud

How does AWS organize management for the user?

Organizations vs linked accounts

Account groups by tier: accounts are grouped into organizational units (OUs); specific access policies are attached to each OU to satisfy budget, security, and compliance needs

AWS service control policies (SCP)

How to secure an AWS account

AWS account

IAM (Identity and Access Management) user

AWS credentials

Secure HTTPS access points
  • AWS service endpoints are reachable over HTTPS (TLS); use the HTTPS endpoints so API credentials and data are not exposed in transit
  • VPC also supports VPN access (IPsec Site-to-Site VPN)
  • Redundant connections to more than one carrier at each Internet-facing edge

Security logs

AWS Trusted Advisor security checks

Backup and high-availability design are governed by a mandatory security management policy

  • Identity and Access Management (IAM), Virtual Private Cloud (VPC), Key Management Service (KMS); AWS Shield (DDoS protection) and AWS WAF (web application firewall) for defense against DDoS and web-layer attacks
  • AWS Config records resource configuration and evaluates it against rules; CloudTrail records every API call; CloudWatch raises alarms on both, which together give monitoring and alerting
  • AWS has other tools to help with automation (e.g., SNS, Lambda)
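The security-log bullets above name CloudTrail as the record of API activity but do not show what a detection over it looks like. The following is an added example (not from the page and not AWS code): it scans CloudTrail events for root-account use, console logins without MFA, failed logins, and attempts to stop or alter the trail itself. The events are constructed in the shape CloudTrail writes, with only the fields used here; the account ID, user names and IPs are placeholders.

```python
"""Detect high-risk identity events in CloudTrail logs.

Added example: the events below are constructed to match CloudTrail's
record layout (only the fields used here are included). In production
they would be read from the trail's S3 bucket or a CloudWatch Logs
subscription, one JSON record per event.
"""
import json

# Constructed sample, one event per line (JSON lines).
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.9","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.9","requestParameters":{"name":"org-trail"}}
{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ReadOnly/ci"},"sourceIPAddress":"10.0.1.25"}
"""

# API calls that blind or weaken the audit trail; any of them deserves review.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_events(text):
    """Parse JSON-lines CloudTrail events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return findings as (rule, actor, eventName, sourceIPAddress) tuples."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn", "unknown")
        name = ev.get("eventName", "")
        src = ev.get("sourceIPAddress", "")
        # Root should only be used for the few tasks that require it.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", actor, name, src))
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa == "No":
                findings.append(("LOGIN_WITHOUT_MFA", actor, name, src))
            elif outcome == "Failure":
                findings.append(("FAILED_LOGIN", actor, name, src))
        if name in TRAIL_TAMPERING:
            findings.append(("TRAIL_TAMPERING", actor, name, src))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print("%-18s actor=%s event=%s ip=%s" % finding)
```

The rules are deliberately simple: each maps to one of the AWS Config / Trusted Advisor style checks the page lists (MFA on console users, no root usage, CloudTrail enabled), so the same logic can be moved into a CloudWatch metric filter or a Lambda subscriber once it has been validated on exported logs.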

What is the AWS VPC?

  • The Amazon Web Services Virtual Private Cloud (VPC) provides customers with a logically isolated section of the AWS cloud.
  • A VPC the customer creates has no internet gateway by default, so its instances can neither reach the internet nor be reached from it until the customer attaches one and adds a route (note: the default VPC that AWS creates in each region does come with an internet gateway)
    • The customer fully controls their virtual network environment
    • Using familiar, well-understood network concepts:
      • Customers set the IP address range (CIDR)
      • Network ACLs (stateless, per subnet) and security groups (stateful, per instance)
      • Subnets
      • Route tables
      • Network gateways (internet, NAT, VPN)
  • Security policy can be applied flexibly at both the subnet and the instance level
VPC as a policy boundary
  • Separate VPCs logically isolate environments (development/testing/production) from one another
  • The customer can tear down a specific VPC environment (such as testing) whenever it is not needed, and thereby control costs
VPC use scenario (1)

Running single tier, public web applications (such as blogs or simple websites)

Billing models
  • Internet to VPC: free
  • VPC to Internet: charged by volume (GB/day, GB/week, GB/month, TB/month)
VPC use scenario (2)

Public web applications + backend servers that are not publicly accessible

  • If instances in private subnets need outbound access to the internet, their traffic can pass through a NAT gateway in a public subnet before leaving for the internet
  • A database server in a private subnet can use the NAT gateway to reach the internet for software updates, while the internet cannot establish a connection to the database server: the NAT gateway only forwards return traffic for connections the instance itself opened

Billing models
  • Internet to VPC: free
  • VPC to Internet: charged by volume (GB/day, GB/week, GB/month, TB/month)
  • Data processed per NAT gateway: charged by volume (GB/day, GB/week, GB/month, TB/month), in addition to an hourly charge per NAT gateway
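Scenario (2) depends on two things being true at once: the backend subnets have no route to an internet gateway (only to the NAT gateway, or no default route at all), and the backend security groups only admit the tier in front of them. The following added example (not from the page, not AWS code) audits a constructed VPC for both. The route tables, subnets and security groups are made up to mirror the scenario, with one subnet wrongly associated with the public route table and one world-open SSH rule on the database group; a real audit would load the same data from describe-route-tables and describe-security-groups.

```python
"""Audit a two-tier VPC layout: public web subnet, private app/DB subnets.

Added example. Route tables, subnets and security groups are constructed;
resource IDs follow AWS prefixes but are placeholders.
"""
import ipaddress

# Constructed VPC 10.0.0.0/16.
ROUTE_TABLES = {
    "rtb-public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")],
    "rtb-private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0e5f6a7b")],
    "rtb-isolated": [("10.0.0.0/16", "local")],
}
SUBNETS = {  # subnet -> (cidr, associated route table, intended exposure)
    "subnet-web": ("10.0.1.0/24", "rtb-public", "public"),
    "subnet-app": ("10.0.2.0/24", "rtb-private", "private"),
    "subnet-db":  ("10.0.3.0/24", "rtb-public", "private"),   # misconfigured on purpose
}
SECURITY_GROUPS = {  # sg -> list of (protocol, port, source)
    "sg-web": [("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, "sg-web")],
    "sg-db":  [("tcp", 3306, "sg-app"), ("tcp", 22, "0.0.0.0/0")],  # port 22 open to the world
}
# Intended trust: each private tier only accepts traffic from the tier in front of it.
ALLOWED_SOURCES = {"sg-app": {"sg-web"}, "sg-db": {"sg-app"}}


def classify_subnet(routes):
    """public: default route to an internet gateway; private: default route
    to a NAT gateway (outbound only); isolated: no default route at all."""
    for dest, target in routes:
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
    return "isolated"


def audit_subnets(subnets=SUBNETS, tables=ROUTE_TABLES):
    """Flag subnets meant to be unreachable from the internet that sit behind an IGW."""
    problems = []
    for sid, (cidr, rtb, intended) in subnets.items():
        if intended == "private" and classify_subnet(tables[rtb]) == "public":
            problems.append(f"{sid} ({cidr}) is internet-routable via {rtb}")
    return problems


def audit_security_groups(groups=SECURITY_GROUPS, trust=ALLOWED_SOURCES):
    """Flag ingress on private tiers that does not come from the expected upstream group."""
    problems = []
    for sg, rules in groups.items():
        if sg not in trust:
            continue  # internet-facing tier: world-open 80/443 is expected there
        for proto, port, src in rules:
            if src in trust[sg]:
                continue
            if src.startswith("sg-"):
                problems.append(f"{sg}: {proto}/{port} from unexpected group {src}")
                continue
            net = ipaddress.ip_network(src, strict=False)
            # Any CIDR source bypasses the tier model; /0 is the worst case.
            suffix = " (world)" if net.prefixlen == 0 else ""
            problems.append(f"{sg}: {proto}/{port} open to {net}{suffix}")
    return problems


if __name__ == "__main__":
    for p in audit_subnets() + audit_security_groups():
        print("FINDING:", p)
```

The subnet check matters even when a security group looks tight: an instance in subnet-db with a public IP and an IGW route is one permissive rule away from exposure, whereas behind the NAT gateway there is no inbound path at all.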
VPC use scenario (3)

Public web applications + backend servers that are not publicly accessible + backend servers that connect back to the customer's network

  • A scalable web front end in public subnets runs a multi-tier application; data is kept in private subnets that connect to the customer's own network over an IPsec AWS Site-to-Site VPN

Billing models
  • Internet to VPC: free
  • VPC to Internet: charged by volume (GB/day, GB/week, GB/month, TB/month)
  • VPN connection usage: charged per hour the connection is provisioned (listed as utilized/month, hours/day, hours/week, hours/month)
VPC use scenario (4)

The customer uses Amazon's infrastructure to extend its own network into the cloud without exposing anything to the internet (no internet gateway; the VPC is reached only over the VPN)

Billing models
  • VPN connection usage: charged per hour the connection is provisioned (listed as utilized/month, hours/day, hours/week, hours/month)

AWS Direct Connect

  • The customer can use Direct Connect to establish a dedicated network connection to AWS from their datacenter, office, or colocation environment. This cuts data-transfer costs, increases available bandwidth, and gives a more consistent and stable network experience than connecting over the internet. Note that a Direct Connect link is private but not encrypted by itself; where confidentiality is required, run an IPsec VPN over it or encrypt at the application layer
Chunghwa Telecom advantages for Direct Connect
  • By combining Chunghwa Telecom's IDC with its international backbone network, Chunghwa Telecom can provide the customer with access to global cloud services
  • Multiple line types, multiple nodes, multiple routes, distributed backup: high-quality Direct Connect access services
Direct Connect connection types
Connection method
  • Dedicated Connection
  • A dedicated connection is a 1 Gbps or 10 Gbps physical Ethernet port reserved for a single customer. Customers order a dedicated connection directly from AWS through the console, CLI, or API

  • Hosted Connection
  • Offered in a range of capacities from 50 Mbps up to 10 Gbps. Chunghwa Telecom provisions each hosted connection on a network link it shares between AWS and multiple customers, while AWS ensures that the total capacity of the links between Chunghwa Telecom and AWS is sufficient for all hosted connections. The customer accepts the hosted connection in the AWS Management Console, CLI, or API to enable it

AWS ELB applications

Scenario 1: Classic Load Balancer
  • Automatically distributes incoming application traffic across instances
  • Registers new instances as the application scales out
  • Detects unhealthy instances with health checks and stops sending them traffic
  • Billing models
    • Charged per hour the load balancer runs plus per GB of data it transfers; any fraction of an hour is billed as a full hour
Scenario 2: Application Load Balancer
  • Routes requests to different target groups based on the content of the request
    • Host-based routing on the HTTP Host header
    • Path-based routing on the URL path
    • Routing by source IP address range
  • Billing models
    • Charged per hour the load balancer runs plus Load Balancer Capacity Units (LCU) per hour; any fraction of an hour is billed as a full hour
    • A Load Balancer Capacity Unit (LCU) measures the dimension with the highest usage in an hour (new connections, active connections, processed bytes, rule evaluations); the ALB is billed on whichever of these consumes the most LCUs
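The three routing conditions above are combined by listener rules, and the order of those rules decides which one wins. The following added example (not from the page or AWS) evaluates a constructed rule set the way an ALB does: rules are tried in ascending priority, a rule matches only when all of its conditions match (values within one condition are OR-ed), and the default action catches everything else. Target group names, hostnames and IP ranges are placeholders.

```python
"""Evaluate ALB listener rules: host-header, path-pattern and source-ip
conditions, ascending priority, default action last.

Added example; the rule set and requests are constructed.
"""
import ipaddress
import re


def _glob(pattern, value):
    # ALB wildcards for host-header and path-pattern: '*' = 0+ chars, '?' = 1 char.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(cond, req):
    field, values = cond["field"], cond["values"]
    if field == "host-header":          # hostnames are case-insensitive
        return any(_glob(v, req["host"].lower()) for v in values)
    if field == "path-pattern":         # paths are case-sensitive
        return any(_glob(v, req["path"]) for v in values)
    if field == "source-ip":
        # Matches the TCP peer address, not X-Forwarded-For. Behind a CDN or
        # proxy this is the proxy's egress IP, so do not use it to gate admin paths there.
        ip = ipaddress.ip_address(req["source_ip"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    raise ValueError("unsupported condition field: " + field)


def route(rules, default_action, req):
    """Return the action of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, req) for c in rule["conditions"]):
            return rule["action"]
    return default_action


# Constructed listener: admin paths only from the office range, everything
# else on /admin gets a fixed 403 before any host-based forwarding applies.
RULES = [
    {"priority": 10, "action": "forward:tg-admin", "conditions": [
        {"field": "path-pattern", "values": ["/admin", "/admin/*"]},
        {"field": "source-ip", "values": ["203.0.113.0/24"]}]},
    {"priority": 20, "action": "fixed-response:403", "conditions": [
        {"field": "path-pattern", "values": ["/admin", "/admin/*"]}]},
    {"priority": 30, "action": "forward:tg-api", "conditions": [
        {"field": "host-header", "values": ["api.example.com", "*.api.example.com"]}]},
    {"priority": 40, "action": "forward:tg-static", "conditions": [
        {"field": "path-pattern", "values": ["/static/*", "*.png"]}]},
]
DEFAULT_ACTION = "forward:tg-web"


def decide(host, path, source_ip):
    return route(RULES, DEFAULT_ACTION, {"host": host, "path": path, "source_ip": source_ip})


if __name__ == "__main__":
    print(decide("www.example.com", "/admin/users", "203.0.113.5"))   # forward:tg-admin
    print(decide("www.example.com", "/admin/users", "198.51.100.5"))  # fixed-response:403
    print(decide("v2.api.example.com", "/orders", "198.51.100.5"))    # forward:tg-api
```

The deny rule at priority 20 sits before the host-based forward at priority 30 on purpose: if it were placed after it, a request for `api.example.com/admin/...` from an untrusted address would be forwarded to tg-api and never see the 403. When adding rules, check the full ordered list, not just the new rule.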

Scenario 3: Network Load Balancer
  • Suited to high-throughput applications; handles millions of requests per second and absorbs sudden traffic spikes
  • Very low latency, so suitable for latency-sensitive applications
  • The client source IP address is preserved, so the backend sees the user's real IP address and can act on it (for example in security group rules or application logs)
  • Billing models
    • Charged per hour the load balancer runs plus LCU per hour; any fraction of an hour is billed as a full hour

  • For the NLB, an LCU is measured on new connections, active connections, and processed bytes (there are no rule evaluations); as with the ALB, billing follows the dimension with the highest usage

What is a CDN?

  • A CDN (Content Delivery Network) is a set of servers interconnected over the Internet that serves each user from the server closest to them, delivering music, images, video, applications, and files faster and more reliably. It gives users high-performance, scalable, low-cost content delivery

AWS CloudFront

  • A content delivery network that delivers data, video, applications, and APIs securely, with low latency and high transfer speeds
  • CloudFront caches the content the customer wants to deliver at the edge location closest to the end user, so users fetch it from nearby
    • Accelerates content delivery
    • Reduces load on the origin server
  • Billing models
    • Data transfer out, number of requests, and the edge-location region serving the traffic (U.S., Canada, Europe, Japan, Hong Kong, Singapore...); custom SSL certificates on dedicated IPs carry an extra charge (SNI-based custom certificates do not)

What is DNS?

  • All connected devices (computers, mobile phones, tablets...) find and communicate with each other using numbers called IP addresses. The Domain Name System (DNS) translates names into those numbers, so when you open a browser you don't need to remember a long number; you just enter a domain name like "example.com" and are connected to the correct address

AWS Route 53

  • Domain Name System (DNS) service
  • Highly available and scalable, with a 100% availability SLA
  • Billing models
    • Hosted zones (per zone, e.g. example.com and domain.com), number of DNS queries answered, and domain names registered through AWS
AWS Route 53 use scenario (1)

Failover routing: route according to the health-check status of services

AWS Route 53 use scenario (2)

Weighted routing: route according to assigned weights (for example for canary or blue/green rollouts)

AWS Route 53 use scenario (3)

Latency-based routing: route to the region with the lowest latency for the user

AWS Route 53 use scenario (4)

Geolocation routing: route according to the geographical location of the user
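The four scenarios above each pick one answer from a set of record sets by a different rule. The following added example (not from the page or AWS) simulates all four for one DNS name so the selection logic can be seen side by side: failover on health-check state, weighted selection (including the rule that weight 0 is never chosen unless every weight is 0), latency-based selection from a table, and geolocation with country, continent and default fallback. Record values, health-check IDs and the latency table are constructed; Route 53 uses its own latency measurements rather than a static table.

```python
"""Simulate Route 53 routing policies for a single name.

Added example; all record sets, health states and latencies are constructed.
"""
import random

# Constructed record sets. Values are placeholder IPs / labels.
PRIMARY = {"id": "hc-primary", "value": "203.0.113.10"}
SECONDARY = {"id": "hc-secondary", "value": "198.51.100.10"}
WEIGHTED = [{"value": "v1", "weight": 75}, {"value": "v2", "weight": 25},
            {"value": "canary", "weight": 0}]          # weight 0 = parked
LATENCY = [{"region": "ap-northeast-1", "value": "tokyo"},
           {"region": "us-east-1", "value": "virginia"},
           {"region": "eu-west-1", "value": "ireland"}]
GEO = [{"location": "TW", "value": "taiwan-site"},      # country code
       {"location": "AS", "value": "asia-site"},        # continent code
       {"location": "*", "value": "global-site"}]       # default record


def failover(primary, secondary, healthy):
    """Primary while its health check passes, otherwise secondary; when both
    checks fail Route 53 still answers with the primary."""
    if healthy.get(primary["id"], False):
        return primary["value"]
    if healthy.get(secondary["id"], False):
        return secondary["value"]
    return primary["value"]


def weighted(records, rng):
    """Choose a record with probability weight/sum. Records with weight 0
    are only eligible when every record has weight 0."""
    candidates = [r for r in records if r["weight"] > 0] or list(records)
    total = sum(r["weight"] for r in candidates)
    if total == 0:
        return rng.choice(candidates)["value"]
    pick = rng.uniform(0, total)
    acc = 0
    for r in candidates:
        acc += r["weight"]
        if pick < acc:
            return r["value"]
    return candidates[-1]["value"]


def latency(records, resolver_latency_ms):
    """Answer from the region with the lowest latency to the resolver."""
    return min(records, key=lambda r: resolver_latency_ms[r["region"]])["value"]


def geolocation(records, country, continent):
    """Most specific match wins: country, then continent, then the '*'
    default. With no default and no match there is no answer (None)."""
    by_loc = {r["location"]: r["value"] for r in records}
    for key in (country, continent, "*"):
        if key in by_loc:
            return by_loc[key]
    return None


if __name__ == "__main__":
    print(failover(PRIMARY, SECONDARY, {"hc-primary": False, "hc-secondary": True}))
    rng = random.Random(7)
    draws = [weighted(WEIGHTED, rng) for _ in range(1000)]
    print({v: draws.count(v) for v in ("v1", "v2", "canary")})
    print(latency(LATENCY, {"ap-northeast-1": 20, "us-east-1": 180, "eu-west-1": 250}))
    print(geolocation(GEO, "JP", "AS"))
```

Two operational points the simulation makes visible: a failover record set without a health check on the primary never fails over, and a geolocation set without a `*` default returns no answer to users outside every configured location, which looks like an outage to them.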

What is right sizing?

  • Objective
    • Match each instance's type and size to the workload it actually carries, so that you pay only for the capacity you use
  • Reason
    • Once EC2 / RDS resources are launched they tend to be left at their initial size out of habit, with little adjustment to actual usage
    • Pay-as-you-go is one of the advantages of the cloud, yet most IT staff still size cloud hardware for peak load, as they did on-premises, and so over-provision
  • Strengths
    • Maximized return on spend
    • More accurate usage forecasts and billing estimates
    • Because usage is monitored regularly, teams can share the data openly and transparently
    • Both cost and performance are optimized
  • When to do it
    • Continuously: long-term collection of usage data such as CPU, memory, storage I/O, and network
    • Periodically: regular review of each use case's efficiency; once per month is recommended
  • Method
    • Use the billing report together with tagging
    • Replace anything found to be inefficient with a more appropriate specification
    • Use a tool that collects usage data and measures utilization to assist with right sizing

How is right sizing done?

  • AWS's built-in resource management function can perform right sizing
  • All instances are tagged; some common tags include:

    • User
    • Application
    • Environment
      • Development environment
      • Testing environment
      • Production environment

  • Instance families are chosen for the particulars of each case
    • EC2
      • General purpose
      • Compute optimized
      • Memory optimized
      • Storage optimized
      • Accelerated computing
    • RDS
      • General purpose: Standard Performance, Burstable Performance
      • Memory Optimized

    • AWS divides EC2 and RDS into several instance families aimed at different application types
    • Each instance in a family has its own pricing. For each use case, choose the type that best fits the measured usage data. For example: if you choose the C family (compute optimized), CPU capacity per dollar is cheaper than in other families.
    • Where measured usage allows, step down one size within the same family, or move to a newer generation of the same size, which is usually cheaper. For example: converting a c4.8xlarge to a c4.4xlarge saves about US$570 per month.
    • If usage is concentrated in short periods, EC2 or RDS burstable instances can be used.
    • For example: a T instance accumulates CPU credits while lightly loaded during off-peak hours and spends them when load rises during peak hours. Watch the credit balance: if the average load stays above the instance's baseline, credits run out and throughput drops (or, in unlimited mode, extra charges accrue).


  • Principles for collecting usage data
    • Monitor over a long period (at least two weeks, preferably a month)
      • vCPU, memory, network
    • Look for usage patterns, such as:
      • Periodic peaks (an email system during daily work hours)
      • Predictable short bursts (traffic from short-term marketing events)

Tools that assist with right sizing

  • Amazon CloudWatch
    • A free tier, with charges beyond it (see the pricing page)
    • Observe CPU usage, network traffic, and disk I/O to choose a suitable instance size; memory and disk-space metrics require the CloudWatch agent on the instance
    • Custom dashboards are charged at US$3 per dashboard per month
  • AWS Trusted Advisor
    • Automated checks; the full set is a paid feature of the Business and Enterprise support plans, while a basic subset is free
    • Includes best-practice checks and recommendations in five categories: cost optimization, security, fault tolerance, performance, and service limits

Right sizing rules

Choose the method according to the application
  • Steady state
  • With a completely predictable level of usage, Reserved Instances help reduce the budget

  • Variable, but predictable
  • Applications with regular duty cycles; suitable for Auto Scaling

  • Dev/test/production
  • Tagging makes management easier; non-production environments can be shut down over holidays and outside working hours to save costs

  • Temporary
  • Consider Amazon EC2 Spot Instances, whose market-based pricing is far cheaper than On-Demand; suitable for work that tolerates interruption, since Spot capacity can be reclaimed at short notice

Consider closing resources when idle
  • Before closing a resource, three things need to be considered
    • Whose instance is this? Who is using it?
    • What are the potential impacts of closing the instance?
    • How hard would it be to re-establish the same instance later?
Consider the compatibility of resources
  • Right sizing can move an instance within the same family or to a different family
  • When switching to a different instance family, check the virtualization type (HVM vs PV), the network interface type (ENA support), and the supported platform, so that the existing AMI can still boot on the new type
Database
  • Database storage and instances are decoupled
    • Scaling the database instance up or down does not affect the attached storage; capacity and performance are monitored separately
  • Storage can be adjusted by storage type
    • General Purpose SSD or Provisioned IOPS SSD
  • Before adjusting, check whether a matching license is available
    • Commercial engines (SQL Server, Oracle)
    • Those who chose Bring Your Own License (BYOL) should pay attention to the following
Summary of right sizing rules
  • Right sizing is the most effective way of saving money
  • Periodic resource and efficiency review with AWS assistive tools
  • Close idle instances/use appropriate instance
  • Tags are established for each instance for easier monitoring