Hybrid Cloud with AWS | AWS Whitepaper Summary

MOHAMMAD ALTRKAWI — Fri, 10 Sep 2021 07:51:54 +0000

In this whitepaper summary (originally published at November 2020), we will navigate through various offerings from AWS for hybrid technical and organizational adoption of cloud services. AWS is a pioneer in this field, as it understands the need to integrate cloud, on-premises and edge infrastructure of existing and potential customers.

In addition, and with respect to the huge effort the contributors of this whitepaper did, we will try to update the information and figures that represent the current offerings. Finally, the inspiring use case of Dropbox adoption of AWS hybrid cloud will be presented.

Considerations of Hybrid Cloud with AWS

Create a Hybrid Cloud Strategy

Ongoing migration to the cloud.
Ensuring business continuity during disaster.
Expanding on-premises cloud infrastructure to support low-latency apps.
Expanding international footprint with AWS.

Create a Technical Strategy

Identify the guiding tenets for hybrid cloud architecture.
Define guiding principles for a planned hybrid cloud implementation.

Hybrid Cloud Use Cases

Application Migration to the Cloud

VMware cloud with AWS delivers a faster, easier, and cost-effective path to the hybrid cloud while allowing customers to modernize applications enabling faster time-to-market and increased innovation, especially with the new Amazon EC2 i3en.metal instances powered by Intel® Xeon® Scalable processors.

Cloud Services On-premises

AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.

Data Center Extension

Cloud Bursting, with offerings of bursting for compute resource through Amazon EC2, Amazon ECS, Amazon EKS, and AWS Fargate, or bursting for storage through Amazon S3 APIs and AWS Storage Gateway for block and file storage.
Backup and Disaster Recovery, with offerings such as Amazon S3 APIs, AWS Storage Gateway, AWS DataSync and AWS Transfer for SFTP.
Distributed Data Processing, where low-latency or local data reside on-premises, while asynchronous processing, archiving, compliance, business analytics processing and machine learning-based predictions reside on AWS. AWS offerings for those purposes include AWS Storage Gateway, AWS Backup, AWS DataSync, AWS Transfer Family, Amazon Kinesis Data Firehose and Amazon Managed Streaming for Apache Kafka (Amazon MSK) for data importing, and leverage AWS Analytics, AWS Machine Learning, AWS Serverless, AWS Containers for data processing.
Geographic Expansion, where customers take benefit of AWS Outposts in countries where AWS regions do not exist, and AWS Global Infrastructure in countries covered by AWS regions.

Edge Computing

AWS Snowball, AWS Snowcone and AWS Snowmobile.
AWS IoT Greengrass, which is an open-source edge runtime and cloud service for building, deploying, and managing device software.
AWS Wavelength for mobile edge computing applications.

ISV and Software Compatibility

AWS has built the most complete and proven approach for rapidly migrating tens to thousands of applications to the AWS Cloud to help you leverage your existing on-premises ISV software investments. Find out more at AWS Marketplace.

Operations and Management Framework for Hybrid Cloud with AWS

Hybrid Cloud Infrastructure

Core Services

Device and Fleet Management

Identity, Security and Access Management

Unified Hybrid Cloud Management

Compute Services

Storage Services

Networking Services

Dropbox Hybrid Cloud Architecture

References

Original Whitepaper: https://bit.ly/3zLhxSe
AWS Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/
Hybrid Cloud with AWS: https://aws.amazon.com/hybrid/
Dropbox’s re:Invent Presentation: https://www.youtube.com/watch?v=1_hKrGjYteQ

Best Practices for Designing Amazon API Gateway Private APIs and Private Integration | AWS Whitepaper Summary

MOHAMMAD ALTRKAWI — Sun, 15 Aug 2021 19:41:54 +0000

In this whitepaper summary (originally created by Takaki Matsumoto), we will introduce the best practices for deploying private APIs and private integrations in API Gateway, and discusses security, usability, and architecture.

Introduction

Private APIs provide a secure means to invoke APIs via an interface VPC endpoint. API Gateway private integration makes it simple to expose your HTTP/HTTPS resources integration can integrate with private APIs, so the APIs can send requests to a Network Load Balancer (NLB), or through Application Load Balancer (ALB) or AWS Cloud Map for HTTP APIs. Private Integration forwards external traffic sent to APIs to private resources, without exposing the APIs to the internet.

Amazon API Gateway

Amazon API Gateway is a fully managed service that helps you easily create, publish, maintain, monitor, and secure APIs at any scale. This service offers the following types of APIs:

REST API, which comes with multiple endpoint types, like edge-optimized, regional, and private (the one we will focus on here)
WebSocket APIs, which is preferred for building real-time, 2-way communication apps. Private integration is provided by creating a route with VPC link.
HTTP APIs, which is the newest offering in API Gateway, with support for auto deployment, CORS and enhanced performance. Private integration is support through ALB, AWS Cloud Map, and NLB.

REST API

To make APIs accessible only from Amazon VPCs, you can use REST APIs with the private endpoint type. The traffic to the APIs will not leave the AWS network. There are three options to invoke a private API through different domain name system (DNS) names.

Resource-Based Policy

Resource-based policies are attached to a resource like a REST API in API Gateway. For resource-based policies, you can specify who has access to the resource and what actions are permitted. Private APIs require the use of a resource policy, and Deployments without a resource policy will fail.

Private Integration

Private integration is used to allow traffic routing from API Gateway to VPCs, which is achieved using VPC links and VPC endpoint service that is tied to NLBs. A common use case is to invoke EC2-hosted apps behind NLB through VPC links.

Sample Architecture Patterns

Basic Architecture

Points of interest

Security group attached with the endpoint must allow TCP port 443.
Private API resource policy must allow requests from VPC and interface VPC endpoint.

Cross-Account Architecture

Points of interest

Both accounts must exist in the same region.
Private API resource policy must allow access from other account’s VPC or interface VPC endpoint.

On-Premises Architecture

Points of interest

Use Route53 alias records for access through web app to avoid CORS issues.

Private Integration Architecture with ECS

Points of interest

Use NLB to route traffic to Amazon ECS cluster

WebSocket API

This API type of API Gateway allow creating APIs that is accessible using WebSocket protocol. WebSocket APIs allow bidirectional connections that is often used with real-time apps, such as chats apps, multiplayer games, and financial trading apps.

Private Integration

The same design principles apply to WebSocket APIs as for REST APIs, except for response handling, which is optional in WebSocket APIs.

Sample Architectural Pattern

Points of interest

NLB has TLS listener on TCP port 443.
The target group points to Amazon ECS service.

HTTP API

This API type is the newest of API Gateway, which comes with enhanced features, performance, easier developer experience, and reduced request pricing.

Private Integration

HTTP APIs offers three types of private integration targets, which widen the design choices according the backend service to create VPC endpoints.

NLB: with a TCP or TLS listener.
ALB: with a HTTP or HTTPS listener.
AWS Cloud Map, with Service Discovery features.

Sample Architectural Patterns

ALB Architecture (ECS)

Points of interest

ALB uses path-based routing rules to route traffic to two different ECS services.

Cloud Map Architecture (Microservices)

Points of interest

Service discovery in Cloud Map allow routing requests to different endpoints.

Security

Private APIs and associated integration comes with extra security, due to limited access to resources within a private network. The following tables lists supported authorization options for all API Gateway offerings:

IAM: which serves with all API types.
Amazon Cognito: which serves with REST and WebSocket, and commonly used with web and mobile apps
Lambda: also works with all API types, and allow developers to design business logic around authorization.
JWT: which serves with HTTP API only.

Cost Optimization

As mentioned before, HTTP APIs offers the lowest pricing tiers if the application design accepts both REST APIs and HTTP APIs. Serverless Application Lens offers cost optimization practices for, like cost-effective resources, matching supply and demand, and expenditure awareness.
The following list show a highlight of the pricing tiers for REST and HTTP, but more information can be found at Amazon API Gateway Pricing:

REST API: ranging from one million calls/12 months at free tier to over 20 billion requests/month with $1.15 per million.
HTTP API: ranging from one million calls/12 months at free tier to over 300 million requests/month at $0.9 per million Private Integration in REST and WebSocket requires NLB, but it’s billed per hour. For infrequent usage of the APIs, a VPC-enabled Lambda function is more cost effective, because it’s billed per request.

Conclusion

Amazon API Gateway provides different API types and endpoint types. This paper primarily covered private API and integration design patterns, and best practices. Additionally, it covered security and cost optimization. You can leverage the information provided in this whitepaper to determine the best-suited architecture for your application.

References
Original Whitepaper

Forem: MOHAMMAD ALTRKAWI

Hybrid Cloud with AWS | AWS Whitepaper Summary

Considerations of Hybrid Cloud with AWS

Create a Hybrid Cloud Strategy

Create a Technical Strategy

Hybrid Cloud Use Cases

Application Migration to the Cloud

Cloud Services On-premises

Data Center Extension

Edge Computing

ISV and Software Compatibility

Operations and Management Framework for Hybrid Cloud with AWS

Hybrid Cloud Infrastructure

Core Services

Device and Fleet Management

Identity, Security and Access Management

Unified Hybrid Cloud Management

Compute Services

Storage Services

Networking Services

Dropbox Hybrid Cloud Architecture

References

Best Practices for Designing Amazon API Gateway Private APIs and Private Integration | AWS Whitepaper Summary

Introduction

Amazon API Gateway

REST API

Resource-Based Policy

Private Integration

Sample Architecture Patterns

Basic Architecture

Cross-Account Architecture

On-Premises Architecture

Private Integration Architecture with ECS

WebSocket API

Private Integration

Sample Architectural Pattern

HTTP API

Private Integration

Sample Architectural Patterns

ALB Architecture (ECS)

Cloud Map Architecture (Microservices)

Security

Cost Optimization

Conclusion