Danny Mak, Partner Solutions Architect, APAC shares how to modernize with containers and build using DevOps on AWS during the AWS ASEAN Partner Techshift.
3. Modernizing your applications
• Go service oriented architecture (and to microservices and beyond!)
• Modernize with containers!
• Build with DevOps!
• Offload security considerations!
5. Characteristics of Service Oriented Architectures
Do one thing well
Independent
Decentralized
Black box
Polyglot
You build it, you run it
6. Containers are Natural for SOA
• Simple to model
• Any app, any language
• Image is the version
• Test & deploy same artifact
• Stateless servers decrease change risk
7. Amazon ECS
• Fully managed, elastic service – you don’t need to run anything, and the service scales as your microservices architecture grows
• Shared state optimistic scheduling
• Integration with Amazon CloudWatch for monitoring and logging
• Integration with AWS DevOps services for continuous integration and delivery (CI/CD)
8. Deploying Containers on ECS – Choose a Scheduler
Batch Jobs (monthly reporting, consolidated shipping): ECS task scheduler
• Run tasks once
• Batch jobs
• RunTask (random placement)
• StartTask (placed on a chosen container instance)
Long-Running Apps (CRM web interface, content management module): ECS service scheduler
• Health management
• Scale-up and scale-down
• AZ aware
• Grouped containers
9. Example Architecture on ECS
Diagram components: Amazon Route 53, Amazon API Gateway*, Application Load Balancer, two ECS Clusters, Amazon ECR, Amazon RDS, IAM and Amazon CloudWatch.
10. Automatic Service Scaling
Diagram: the Order Module runs as Amazon ECS tasks in Availability Zone A and Availability Zone B behind an Application Load Balancer and publishes metrics to Amazon CloudWatch; scaling policies on the ECS service add or remove Order Module tasks. A Reporting module is also shown.
17. DevOps Stack on AWS
Stages: Code → Build → Test → Deploy → Provision → Monitor
Services: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, Amazon Elastic Container Service (ECS), Amazon CloudWatch
18. Where do I go from here?
• Collect Metrics. Graph anything that moves
• Log everything, Centralize logging, Log Analytics
• Infrastructure as Code
• Automated configuration management
• One click environment creation
• CI-CD pipelines
• Automated testing
19. We have a strong partner list, and it’s growing
Partner logos grouped by stage: Source, Build, Test, Deploy (some marked *beta).
22. Beyond the Front Door
Injecting Tenant Context
Security & Isolation
Tenant Access Roles
Tenant Provisioning
23. First, We Need A Tenant
Diagram: New Tenant On-Boarding, Tenant Identity Broker, Identity Provider, Tenant Management, Billing. Example tenant record:
• User: bob@test.com
• TenantID: 491048735
• Domain: abc.com
• Tier: Platinum
• Status: Active
Provisioned per tenant: Domain Provisioning, SSL Certificate, IAM Policy
24. Key Tenant Provisioning Considerations
• Find a seamless model for binding tenant to identities
• Consider fault tolerance for 3rd Party integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
25. Identity & Isolation: Many Levels, One Goal
Full Stack Isolation: Tenant 1 and Tenant 2 each have their own Web Tier and App Tier.
Resource-Level Isolation: shared Web Tier and App Tier, with separate Tenant 1 and Tenant 2 resources at each level (three resource groups shown).
Application-Level Isolation: Tenant1, Tenant2 and Tenant3 data co-located in shared resources and kept apart by the application.
26. IAM Policies Scope Tenant Access
Diagram: a shared Web Tier and App Tier; a Tenant1 Access Policy and a Tenant2 Access Policy scope access to the shared CustomerTable and to the per-tenant T1-Bucket and T2-Bucket.
27. Binding Policies to Tenants
Diagram: Web Application, Tenant Identity Broker, Identity Provider, within the AWS cloud.
• Identity resolved to AWS Security Token Service (STS)
• Acquire token with tenant-scoped access
• Leverage a temporary token
• No need for separate AWS identity
28. Key Security & Isolation Considerations
• Applying isolation may require a hybrid of AWS and application strategies
• Avoid having separate IAM users for each tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and automation impacts of managing access policies
• Let IAM enforce your tenant level scoping
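The pattern behind slides 26 to 28 (one shared role, tenant-scoped temporary credentials from STS, isolation enforced by IAM and tested automatically) as an added example; this is not code from the deck. The role ARN, table and bucket ARNs, and tenant ids are assumptions, and the STS client is injected so the same function runs against boto3 or against the offline stub.

```python
"""Tenant-scoped AWS access from one shared IAM role (slides 26-28).

Added example, not code from the deck. The table and bucket ARNs, the role ARN
and the tenant ids are assumptions. The broker assumes ONE role for every
tenant and passes a session policy that narrows that session to the tenant's
partition key in the shared CustomerTable and to the tenant's own bucket, so
no per-tenant IAM users or roles are needed.
"""
import json

# Assumed resources (mirroring CustomerTable, T1-Bucket and T2-Bucket on slide 26).
CUSTOMER_TABLE_ARN = "arn:aws:dynamodb:ap-southeast-1:123456789012:table/CustomerTable"
TENANT_BUCKET_ARN = "arn:aws:s3:::tenant-{tenant_id}-bucket"


def tenant_scoped_policy(tenant_id: str) -> dict:
    """Session policy for one tenant.

    STS intersects this document with the role's attached policy, so the
    resulting credentials can only touch items whose partition key equals
    tenant_id (dynamodb:LeadingKeys) and objects in the tenant's bucket.
    """
    if not (tenant_id.isdigit() and len(tenant_id) <= 20):
        raise ValueError("tenant_id must be a numeric string")  # ids on the slides are numeric
    bucket = TENANT_BUCKET_ARN.format(tenant_id=tenant_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantRowsOnly",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:Query",
                           "dynamodb:PutItem", "dynamodb:UpdateItem"],
                "Resource": CUSTOMER_TABLE_ARN,
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
                },
            },
            {
                "Sid": "TenantObjectsOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": bucket + "/*",
            },
            {
                "Sid": "TenantBucketList",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket,
            },
        ],
    }


def statements_reaching(policy: dict, tenant_id: str) -> list:
    """Sids of statements that could read or write tenant_id's data.

    Offline check for automating isolation tests (slide 28): a policy minted for
    tenant A must return [] for tenant B. A CustomerTable statement with no
    LeadingKeys condition reaches every tenant and is reported too.
    """
    bucket = TENANT_BUCKET_ARN.format(tenant_id=tenant_id)
    hits = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        keys = (stmt.get("Condition", {})
                    .get("ForAllValues:StringEquals", {})
                    .get("dynamodb:LeadingKeys"))
        table_hit = CUSTOMER_TABLE_ARN in resources and (keys is None or tenant_id in keys)
        bucket_hit = any(r == bucket or r.startswith(bucket + "/") for r in resources)
        if table_hit or bucket_hit:
            hits.append(stmt["Sid"])
    return hits


def assume_tenant_role(sts_client, role_arn: str, tenant_id: str,
                       duration_seconds: int = 900) -> dict:
    """Exchange the broker's identity for short-lived, tenant-scoped credentials.

    sts_client is a boto3 STS client (boto3.client("sts")), injected so the
    function can also run against the stub below. Returns the STS Credentials map.
    """
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName="tenant-" + tenant_id,
        Policy=json.dumps(tenant_scoped_policy(tenant_id)),
        DurationSeconds=duration_seconds,
        Tags=[{"Key": "TenantID", "Value": tenant_id}],
    )
    return response["Credentials"]


class StubSts:
    """Offline stand-in for boto3's STS client: records the call, returns dummy keys."""

    def assume_role(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "y", "Expiration": "2024-01-01T00:15:00Z"}}


if __name__ == "__main__":
    sts = StubSts()  # swap in boto3.client("sts") to call AWS for real
    creds = assume_tenant_role(sts, "arn:aws:iam::123456789012:role/SaaSTenantAccess", "491048735")
    print(creds["AccessKeyId"], json.loads(sts.last_call["Policy"])["Statement"][0]["Sid"])
```

The session policy can only subtract from what the role already allows, so the role stays a single, broad, audited object while every set of credentials handed to the web or app tier is narrowed to one tenant; the session tag makes the tenant visible in CloudTrail as well.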
29. Applying Tenant Context
Diagram: Tenant Access Control sits in front of the Homepage, the Catalog Service and the Cart Service, each called with Authorization: Bearer <JWT>; an Auth Service and a Tenant Service are also shown behind Access Control.
TenantContext (carried in the JWT Token):
{
  "UserID": "bob@abc.com",
  "Role": "Admin",
  "TenantID": "93194942"
}
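How the TenantContext on slide 29 travels in the JWT and is applied by a downstream service, as an added example that is not code from the deck. It uses only the Python standard library; the HS256 signing key, the Auth Service and Cart Service roles, and the cart data are assumptions constructed for the example.

```python
"""Tenant context in a JWT, enforced on every request (slide 29).

Added example, not code from the deck. The (assumed) Auth Service mints an
HS256 JWT whose claims carry the TenantContext (UserID, Role, TenantID); each
service reads "Authorization: Bearer <JWT>", verifies signature and expiry,
and then scopes its lookup to the TenantID from the token, never to a tenant
id supplied in the request. The signing key and the cart store are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-example-key-do-not-reuse"  # assumption: shared HS256 key


class AuthError(Exception):
    """Raised for any token the service must refuse."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, role: str, tenant_id: str, ttl: int = 900, now: int = None) -> str:
    """Auth Service side: embed the TenantContext in the claims and sign."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"UserID": user_id, "Role": role, "TenantID": tenant_id,
              "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def tenant_context_from_header(authorization: str, now: int = None) -> dict:
    """Service side: verify the bearer token and return its TenantContext."""
    if not authorization.startswith("Bearer "):
        raise AuthError("missing bearer token")
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm: the verifier decides how to check, never the token's alg field.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(c64))  # parsed only after the signature checks out
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("token expired")
    if not claims.get("TenantID"):
        raise AuthError("token carries no tenant context")
    return {"UserID": claims["UserID"], "Role": claims["Role"], "TenantID": claims["TenantID"]}


# Constructed Cart Service data, keyed by (TenantID, cart_id). Two tenants reuse
# the same cart id on purpose: the token, not the URL, decides which row is visible.
CARTS = {
    ("93194942", "cart-1"): ["sku-100", "sku-101"],
    ("491048735", "cart-1"): ["sku-200"],
}


def get_cart(authorization: str, cart_id: str, now: int = None) -> list:
    """Cart Service handler: the tenant comes from the verified token only."""
    ctx = tenant_context_from_header(authorization, now=now)
    try:
        return CARTS[(ctx["TenantID"], cart_id)]
    except KeyError:
        # Another tenant's cart and a nonexistent cart look identical to the caller.
        raise LookupError("cart not found")


if __name__ == "__main__":
    token = mint_token("bob@abc.com", "Admin", "93194942")
    print(tenant_context_from_header("Bearer " + token))
    print(get_cart("Bearer " + token, "cart-1"))
```

Because each service verifies the token locally, no per-request call back to the Auth Service or Tenant Service is needed, which is the bottleneck the deck's identity slides warn about; the two checks that matter for isolation are pinning the algorithm and deriving the tenant only from verified claims.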
31. SaaS Identity Considerations
• SaaS identity is bigger than authentication
• Use identity broker pattern to decouple from identity providers
• Leave the heavy lifting, risk, and innovation to someone else
• Automate role and policy provisioning/management
• Add tenant context to identity token to limit bottlenecks
32. Recap: Be Agile
Amazon Elastic Container Service modernizes applications as a service-oriented architecture. With DevOps and offloaded identity, AWS services provide the agility needed in the SaaS world.
33. Takeaways
• Modernize the app with SOA on ECS
• DevOps with AWS Code* services for agility
• Offload SaaS identity and focus on app innovation