best practices for protecting cloud workloads - november 2016 webinar series
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
19 November 2016
Best Practices for Protecting Cloud Workloads
Lee Kear– AWS Storage Specialist Solutions Architect
Agenda
Traditional vs Cloud protection
Amazon S3 - Object storage
EC2 AMIs
EBS
RDS
Third Party Tools
Q&A
Traditional Datacenter
Servers
Hypervisor
OS
App
OS
App
OS
App
OS
App
Servers
Tier-1 SAN / NAS
AWS Cloud
App + OS
Management& Infrastructure
Primary Storage
Region
Availability Zone 1 Availability Zone 2
AMI (Amazon Machine Image)
Configuration ScriptsCloud Formation Templates
App Data
Cloud formation
Auto-scaling
Amazon S3
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
RDS
Requires Protection*
Traditional protection vs Cloud protection
Amazon EFS
File
Amazon EBS Amazon EC2Instance Store
Block
Amazon S3 Amazon Glacier
Object
Storage is a platform: AWS Storage Maturity
Amazon S3 Amazon Glacier
Object
Object Storage is the Destination for Backups
RDS DynamoDB RedShift
Database
EMR Data Pipeline Kinesis
AnalyticsLambdaEC2
Compute
CloudFront Elastic Transcoder
Content Delivery
What is Amazon S3
Highly durable object storage at cost effective prices
Internet-scale storage Grow without limits
Low price per GB per monthNo commitmentNo up-front cost
Built-in redundancyDesigned for 99.999999999% durability
Benefit from AWS’s massive security investments
Key Features of Amazon S3
Data Management Cost monitoring and controls Lifecycle management
Ease of use Programmatic access using AWS SDKs REST APIs Management Console, AWS CLI
Event Notifications Delivered using SQS, SNS, or Lambda Enable you to trigger workflows, alerts or
other processing
Data protection Versioning Cross-region replication
Security Multi-factor authentication delete Flexible access control mechanisms Time-limited access to object Access logs Multiple client and server-side Encryption options
Active data Archive dataInfrequently accessed data
S3 - Standard S3 – StandardInfrequent Access
Glacier
Choice of storage class on Amazon S3
Preserve, retrieve, and restore every version of every object stored in your bucket
S3 automatically adds new versions and preserves deleted objects with delete markers
Easily control the number of versions kept by using lifecycle expiration policies
Easy to turn on in the AWS Management ConsoleKey = photo.gif
ID = 121212
Key = photo.gifID = 111111
Versioning Enabled
PUTKey = photo.gif
Amazon S3 Versioning
Versioning
Lifecyclepolicies
Recycle bin
Automaticcleaning
Versioning + lifecycle policies
Best PracticeTip: Restricting deletes
Bucket policies can restrict deletes
For additional security, enable MFA (multi-factor authentication) delete, which requires additional authentication to:
Change the versioning state of your bucket
Permanently delete an object version
MFA delete requires both your security credentials and a code from an approved authentication device
Automated, fast, and reliable asynchronous replication of data across AWS regions
Only replicates new PUTs. Once S3 is configured, all new uploads into a source bucket will be replicated
Entire bucket or prefix based 1:1 replication between any 2 regions Versioning required
Source(Virginia)
Destination(Oregon)
Use cases: Compliance—store data hundreds of miles apart Lower latency—distribute data to regional customers) Security—create remote replicas managed by separate AWS accounts
Amazon S3 Cross-region Replication
Client-side encryption use AWS SDKs You manage the encryption keys and never send them to AWS
Server-side encryption (SSE) with Amazon S3 managed keys “Check-the-box” to encrypt your data at rest. Keys managed by S3
SSE with customer provided keys You manage your encryption keys and provide them for PUTs and GETS
SSE with AWS Key Management Service managed keys Keys managed centrally in AWS KMS with permissions and auditing of usage
For more details – watch Encryption and Key Management in AWS: https://www.youtube.com/watch?v=uhXalpNzPU4
Amazon S3 Data Encryption Options
Amazon Glacier is optimized for
infrequent retrieval
Stop managing physical media
Even lower cost than Amazon S3;
Same high durability
3-5 hour retrieval latency
%5 free tier on retrievals
$0.007 per GB/month
$86 per TB/year
Replace tape libraries, VTLs
What is Amazon GlacierArchival storage for infrequently accessed data
Key Features of Amazon Glacier
Vault Inventory Inventory all archives Available as JSON or CSV
Ease of use Programmatic access using AWS SDKs REST APIs Management Console, AWS CLI
Data Retrieval PoliciesDefine data retrieval limits and cost ceilingExample: ”Free Tier Only”, “Max Retrieval Rate”
Access Controls Integrated with AWS IAM Supports MFA device access
Integrated Lifecycle Management Integrated with Amazon S3 Lifecycle policies Establish auto-archive rules for Amazon S3 objects
Tagging Support Tag vaults for cost management Filter cost reports based on tags
Working with AMI (Amazon Machine Images)
AZ1
AZ2 AZ3
RegionS3
Linux
WindowsEC2
root
CustomEC2
root
EC2
root
Region
S3
Linux
Windows
Custom
Sydney
Oregon
Protecting data in EBS (Elastic Block Store)
AZ1
AZ2 AZ3
Region
S3EC2
InstanceStore Elastic Block Store (EBS)
/data
Snap 1
Snap 2
Snap 3
EC2
InstanceStore Elastic Block Store (EBS)
/data
Amazon RDS engines
Commercial Open source Amazon Aurora
RDS BackupsMySQL, PostgreSQL, MariaDB, Oracle, SQL Server Scheduled daily backup of entire instance in user defined 30 minute backup window Archive database change logs 35 day max retention for backups Stored in S3 Latest restorable time is typically within 5 minutes of current time
Aurora Automatic, continuous, incremental backups Point-in-time restore No impact on database performance 35 day retention
RDS Snapshots
Full copies of your Amazon RDS database that
are separate from your scheduled backups
User initiated
Backed by Amazon S3
Used to create a new RDS instance
Remain encrypted if using encryption
Can be shared with other accounts
Can be copied to other regions
Use cases: Resolve production issues
Nonproduction environments
Point-in-time restore
Final copy before terminating a database
Disaster recovery
Cross-region copy
Copy between accounts
RDS Snapshots
Restoring creates an entire new database instance You define all the instance configuration just like a new instance
Restoring
Redshift
Automatic, continuous, incremental backups Point-in-time restore By default - 1 day retention
Can be extended to 35 days Can create final snapshot before deleting
a Redshift cluster
Automated Backup and instant recovery of EC2 environments Brings Enterprise-class backup to Amazon EC2 Enables EC2 Disaster Recovery across AWS Accounts and Regions
Cloud Protection Manager
Easy and simple backup of VMs Flexible, automated scheduling Policy-based asset management Application-consistent backup Secure, reliable, scalable Instant recovery of full VMs Extensive Alerts and reporting
Point in time block-level incremental snapshots
Snapshot data stored in S3 Instant recovery of volumes Available across availability zones Multi-region copy
Enterprise-class Backup Software AWS Native Snapshots
CPM Brings Backup to Amazon EC2
Commvault Ties Together On Premise and Cloud Data Strategies
AWS and Commvault together combine to minimize networking, storage and infrastructure costs, while providing the business a sound data protection and disaster recovery strategy.
Commvault Orchestrates the Enterprise Back up in the Cloud: Keep backups of cloud
workloads internal to the cloud.
Back up to the Cloud: Allow on premise workloads the ability to leverage AWS. For large data sets, seed the cloud with snowball.
Disaster Recovery in the Cloud: Provide DRaaS, recover workloads for on premise solutions and in cloud workloads.
Workload Portability: Portability to and from the cloud. For large data sets, seed the cloud with snowball.
Archiving to the Cloud: Moving legacy data to tier 2 storage in the cloud for long term archive.
IntelliSnapSnapshot integration tocollapse backup windows
Discover and categorize InstancesBy Region, Zone, OS, Name, etc
Recover entire VM, parts of a VMor individual items from any copy target
Discover
Restore
EC2
Snap
Policy driven retention of snap, object storage, onsite disk and tape copies
365 Day
30 Day
7 year
Snapshot
7 Day
Leverage
Copy
1
Live Browse Replicate Migrate
2 3 3
Automatically discover newly created EC2 instances which fall outside defined categories
Leverage AWS Snap engine for • Agent-less Instance Protection• Oracle Agent• Linux FS Agent
EC2EC2
Oracle
EC2FS
EC2
S3
EC2
GlacierS3-IA
Strategies for Cloud Data Protection – S3
Take advantage of S3 (maximize durability, scalability and costs efficiency)
Use Versioning to Create Recycle Bin
Use MFA Delete to prevent deletion
Use Cross Region Replication to Another Account for the most critical data
Strategies for Cloud Data Protection – EC2
Keep EC2 Instances stateless (less to protect)
Use AMIs + Scripts + Automation (Cloud Formation, Auto-scaling or 3rd party tools)
Leverage AMIs to keep durable copies of pre-configured operating systems and apps
Strategies for Cloud Data Protection - EBS
When using EBS, snapshots can create durable copies of whole volumes
Third Party solutions can make managing your EBS snapshots easier
Strategies for Cloud Data Protection - RDS
Leverage managed services for database workloads
Backups are done for you!
Easy to restore!
RDS Snaphots give you flexibility to point in time copy of your database that can be copied to another region or another account.
What’s next?
Getting started with S3 and Glacier:http://aws.amazon.com/s3/getting-started/http://aws.amazon.com/glacier/getting-started/
Getting started with EC2 and EBS:https://aws.amazon.com/ec2/getting-started/https://aws.amazon.com/ebs/getting-started/
Getting started with RDS:https://aws.amazon.com/rds/getting-started/
AWS Youtube channel:https://www.youtube.com/user/AmazonWebServices/playlists
Q&A
Learn more at: http://aws.amazon.com/s3/
http://aws.amazon.com/ebs/
http://aws.amazon.com/rds/