DevOps is renowned for fast methodologies, increased security (in the form of DevSecOps), as well as the quick and easy scalability of software development projects. These advantages make it essential for companies to embrace the DevOps culture as a guarantee of future success and growth.
At the heart of this change, we have Amazon and its pioneering cloud offering, Amazon Web Services. Being the most popular in the market means Amazon has some of the best services, infrastructure, locations, and support in the market. The amount of trained professionals in AWS DevOps is also the highest among the big three; Google Cloud Platform, Microsoft Azure, and AWS.
AWS DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity when using Amazon’s cloud platform.
It goes without question that AWS does a great job at enabling DevOps professionals to have all the tools they need to build a quick, scalable, and secure environment. As the pioneer of cloud computing, Amazon offers fully programmable services that can be configured and accessed with a rich CLI.
Amazon’s services are made to be easily scalable. Furthermore, every service is readily available from the get-go. AWS DevOps professionals looking to apply DevOps automations’ best practices will be able to configure and set up their environment quickly with ease.
This process is made simple by the many automation tools provided by AWS, such as AWS CloudFormation or even using their frequently updated Terraform provider. These services will directly assist AWS DevOps engineers in creating and managing CI/CD, load balancers, Identity and Access Management (IAM), and much more.
AWS Identity and Access Management (IAM) allows companies to share securely, control, and access the resources in an AWS environment. The security team can set policies to allow which credentials can access certain services, which actions they can take while using the service, control access requests, log changes, perform them, and much more.
Amazon's highly configurable IAM makes it possible to implement a vital principle of DevSecOps. The Principle of Least Privilege (PoLP) ensures that every human user, application, connected device, service, or system has the bare minimum access to perform their job function. It is important to note that this principle is a pillar of cybersecurity.
However, many companies fail to obey this pillar resulting in an issue referred to as Privilege Creep. Essentially, it is a scenario where companies that have revoked a user's access will regrant this administrative access at a later point in time so that this user can perform required tasks. The issue is that once a privilege is granted, it's rarely revoked or reduced to appropriate levels. This creates a security loop where users that do not need access to certain permissions, still have them.
An AWS DevOps security engineer can easily identify outliers that have unauthorized permissions using Amazon's IAM solutions. What’s more, the security engineer can revoke these accesses. Alternatively, this process can be fully automated by granting temporary access elevation to a user or have it partially automated. The security team will then be warned of permission issues and fix them as they see fit manually.
Amazon Elastic Kubernetes Service (EKS) is Amazon's solution to Kubernetes clusters. It comes with 99.95% uptime at no additional cost. Moreover, It provides auto-scaling that needs some configuration and is disabled by default. It also has strong network security in that it ensures Role-based Access Control (RBAC) is always-on, improving its Kubernetes clusters' security.
While Amazon has produced a secure, flexible, and competitive offering with EKS, Google Kubernetes Engine (GKE) is still the Kubernetes cluster that offers the most features. This is because EKS is still a relatively new service as it was launched in June 2018. Some essential features are still missing on EKS such as node auto-upgrade that GKE offers.
Another example of the disparity between GKE and EKS is how scalability works. GKE allows for greater customization when it comes to autoscaling. The auto scaler provided by GKE is an open-source project that can be configured to scale Kubernetes nodes based on their workload.
Given it is the first and most developed cloud computing company, AWS offers the most advanced services offering in the market. Amazon's Elastic Load Balancing is one of the most popular AWS DevOps services since, after being configured, it can automatically distribute traffic across multiple available servers, reduce load and guarantee optimal performance during periods of heavy load.
This service is the backbone of AWS since it facilitates easy mitigation of huge spikes in traffic. Essentially, with this service, you do not need to purchase additional on-premise servers, wait for configuration, or even run the risk of buying more than may be required. After the period of congestion passes, downsizing to regular compute, network, and storage needs is a simple and painless process that can also be fully automated.
Below we'll briefly discuss some of the most popular and vital AWS services and their purposes, as we believe these are the essential services that every AWS DevOps Engineer should be familiar with.
CloudFormation is an excellent service for AWS DevOps. this boils down to the fact that AWS maintains Cloudformation and thus supports more services. However, other third-party tools such as Hashicorp's Terraform can also be useful in some cases. Essentially, using AWS Terraform allows its usage in multiple cloud platforms and ensures greater flexibility. However, certain projects will still benefit more from using AWS CloudFormation.
With AWS CloudWatch, DevOps professionals can monitor AWS applications in real-time. It comes pre-configured to automatically monitor and log latency, CPU usage, requests, and more. Furthermore, CloudWatch is highly customizable, and all relevant metrics can be monitored and written to a log after configuration.
Another core capability of CloudWatch is that it makes it easy to catch issues as they happen, identify resource usage spikes, and monitor performance. Additionally, it helps the AWS DevOps team be proactive with any possible issues and how to best solve them.
All in all, CloudWatch is responsible for fulfilling the principles of monitoring and logging needs in the AWS DevOps methodology.
ECR can be configured to support private Docker registries. You can use the registries with AWS IAM to control users' access levels, services, and applications, defining which users can access the protected container images.
ECR allows AWS DevOps professionals to streamline the process between development and production, enabling the hosting of images in an architecture that can be fully automated and quickly scaled to the necessary needs. ECR also comes equipped with vulnerability image scanning, making it an essential feature for DevSecOps. It uses the Common Vulnerability Scoring System (CVSS) to assess the severity of issues found.
AWS Elastic Compute Cloud AWS EC2) aims to provide scalable computing capacity on AWS. With EC2, you have total control over your resources, from choosing your OS, resizing your machines, to changing its network configuration or disk, and much more. One thing to keep in mind is that you are charged for the server being ON even if the resources are not being used. For example, if you make an EC2 instance and forget about it, you will be charged even if you are not running anything on it. However, you can save money by using a spot instance or committing to reserved instances.
AWS Lambda is an event-driven, serverless computing platform. With it, there's no need to worry about resource management or which resource to launch. Essentially, you can import your code (your choice of either container image or ZIP file), and Lambda will run it without the need for additional configuration. Furthermore, AWS Lambda supports functions written in Node.JS, Python, Go, JAVA, and many other programming languages.
The Lambda platform focuses on the core product instead of managing the OS, provisioning, or scaling its parts. With Lambda, you will only be charged when your code is executed. Nothing else, no surprises.
AWS RDS allows for a simple way to scale, operate, and configure databases in the cloud. As a result, RDS is ideal for AWS DevOps with the automation of administrative tasks. You won't need to invest development time provisioning hardware, applying backups, patches, or setting up databases.
AWS RDS supports Amazon Aurora, MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL. In addition, RDS comes with a key DevOps feature when dealing with databases: The ability to improve resilience by duplicating your database in several separated instances, complete with automated backups and automatic substitution of hosts and snapshots.
Amazon Simple Storage Service is a flexible and reliable service used to store objects, packed with Amazon's high availability and 99.999999999% durability.
The service can receive data using APIs, and Amazon also offers S3 transfer acceleration, which can be useful for companies working with large amounts of data frequently.
Some of the most common applications of S3 are data storage, disaster recovery (DR), data backup, web hosting with Amazon CloudFront to improve content delivery, and much more.
Amazon Elastic Container Service (ECS) is a highly scalable, high-performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances.
Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing, Amazon Elastic Block Store (EBS) volumes, and Identity Access Management (IAM) roles.
One of AWS ECS' standout features is that you can configure it so you only pay for the running application and not the entire server as is the case with AWS EC2. Additionally, it removes the need to manage the server itself, and instead focus on the application.
Amazon Virtual Private Cloud is the main service used when dealing with AWS private networks. It has an intimate connection with how your applications are organized inside the AWS servers. It directly commands how your applications interact with external networks acting as a network layer to all instances created by any AWS Service in AWS DevOps. For example, you could create an RDS instance and it would use the VPC that your other services like EC2 would. The same case applies to load balancers. All in all, anything that you would want to run in a specific network can use a configured VPC, internal or externally.
Working with Amazon Web Services may seem complex at first. However, Amazon offers extensive documentation about every service, technology, and practice within its ecosystem. Being the leading company in the market means the community is the largest, has some of the best professionals to help you learn AWS DevOps, and the best courses to prepare for what you may find working with AWS.
A great way to ensure you're ready to take on AWS DevOps is to pass the AWS Certified DevOps Engineer Professional exam and attain its certification. It will test every skill the job requires with theoretical and practical cases while ensuring you have a good grasp of all the tools and services used daily by a DevOps Professional.
Источник: DZone DevOpsdevops aws aws ec2 aws and devops aws security aws services aws cloudformation aws devops aws rds aws iam