Amazon RDS

 
Amazon RDS allows us to quickly create a relational database instance and flexibly scale the associated compute resources and storage capacity to meet our application demand. Amazon RDS manages the database instance on our behalf by performing backups, handling failover, and maintaining the database software. By using Amazon RDS we offload DB management tasks(resizing, replication, patch management) to Amazon who maintain network infrastructure and datacenters, leveraging the same industry-leading practices and procedures that keep web properties running optimally.

Security:
By default all the ports to Amazon RDS are blocked and we can provide authorized access from certain specific list of IP addresses to the RDS port. It also support SSL connection to encrypt the traffic between the Database server and client. Moreover RDS can be hosted inside the VPC. Slightly annoying feature for RDS that, at the time of creation it ask for master username and password, but that account is really not a root account for database and still has slightly stricter permission that default root on locally install RDS.

Reliability and Backup:
Amazon's Multi-AZ deployment model that enhances database availability while protecting our latest database updates against unplanned outages. When we create or modify our DB Instance to run as a Multi-AZ deployment, Amazon RDS automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location, but in the same region). Database updates are made concurrently on the primary and standby resources to prevent replication lag. In the event of planned database maintenance, DB Instance failure, or an Availability Zone failure, Amazon RDS automatically failover to the up-to-date standby so that database operations can resume quickly without administrative intervention.

What makes it tempting:

• Automatic backup : You can configure the backup retention policy in terms of days.
• Choice of backup/maintenance window: You can choose, to select the backup and maintain windows for your DB instance, such that those operations will be performed in that window to ensure the uptime of your service.

This information can be updated without restarting the Amazon RDS DB instance, thus giving us 24/7 availability & seamless control of the database access. Amazon RDS generates an SSL certificate for each DB Instance, thus allowing us to encrypt the DB Instance connections for enhanced security.
At the time of deletion, the DB Instance is marked for deletion and once the instance no longer indicates ‘deleting’ status, it has been removed. At this point the instance is no longer accessible and unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.

Amazon RDS hosted on cloud will always serve traffic originating from Amazon VPC (Virtual private cloud). Amazon VPC allows us to provision a private, isolated section of the Amazon Web Services (AWS) Cloud where we will launch AWS resources in a virtual defined network. With Amazon VPC, we can define a virtual network topology that closely resembles a traditional network which anyone can operate in their own datacenter. By doing this, we gain complete control over our virtual networking environment, including selection of our own IP address range, creation of subnets, and configuration of route tables and network gateways.

For example, we have a public-facing subnet for Expressway Service Gateway (ESG) which serve legitimate traffic with mutual authentication mechanism from the Internet, and place our backend systems such as tenant-manager and tenants hosted on boot strap agents on a private-facing subnet with no Internet access. We leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet. Any traffic originating from this point (either via tenant-manager or tenants) will be redirected to RDS via Amazon VPC internet gateway over https channel.

Using Amazon Cloud Watch we can monitor activities on Amazon RDS. Amazon Cloud Watch provides monitoring for AWS cloud resources and the applications we run on AWS. System administrator can use it to collect and track metrics, gain insight, and react immediately to keep our applications and businesses running smoothly. Administrator can also monitor custom metrics generated by RDS. With Amazon Cloud Watch, we gain system-wide visibility into resource utilization, application performance, and operational health status of RDS.
Links for reference:
http://aws.amazon.com/rds/
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
http://d36cz9buwru1tt.cloudfront.net/AWS_Running_Databases_in_the_Cloud.pdf
http://aws.amazon.com/rds/#features

Amazon VPC

Amazon offers VPC service which allows having a private subnet in the cloud. Although the main feature of this service is ability to setup a VPN between cloud and on premise network, ability to setup a private network is a feature we cannot ignore.

There are 4 different VPC flavors offered by EC2, mainly differentiated on the basis of Public or Private Subnet.

Public Subnet :  A public subnet is the one which hosts instances which are directly addressable over internet (when an Elastic IP is associated with them), and these instances also can access internet directly without any proxy or gateway.

Private Subnet : A private subject is one where instances are not addressable over internet. These instances in turn can not directly accesses internet. If internet access is required it can only be done through a NATed gateway instance which resides in Public subnet or through a internet gateway which resides in the remote network (with which VPN is setup).

 

VPC with a Single Public Subnet Only:

This allows one to host a VPC with a public network. Such that all the instances will be directly accessible over internet (if assigned an EIP), and in turn can have direct connection to internet.

One can use this option If

1. Service is to be hosted on the same/private subnet
2. You need ability to choose the IP address for your instances

VPC with Public and Private Subnets

This one is useful when you need to deploy a multi layer application, such that your presentation tier (web server etc) is hosted in the public subnet such that its accessible over public internet, and remaining middle and data tier is hosted on the private subnet such that only internal components (on private subnet) presentation tier has access to it, providing much needed security on a publicly deployed system. This is the most useful architecture/flavor which will be used for application deployment in cloud.

VPC with Public and Private Subnets and Hardware VPN Access

This one is useful when a service to be deployed depends on a VPN access to lets say an on premises setup (lets say hosting LDAP which is needed for Authentication/Authorization in the publicly deployed application).

VPC with a Private Subnet Only and Hardware VPN Access

This is useful when a cloud setup is to be used for things like backup/processing, and mainline services like backend etc are hosted on premise and connected using a VPN to the cloud setup. Lets say cloud setup is used for testing on wide range of platforms, but all necessary backend are hosted on premise.

Get MD5 sum on Windows 2008

 

Windows doesn’t have inbuilt tools or commands to get MD5 sum. But Microsoft provides a tool that you can use on windows to get MD5 sum for any file.

You can download File Checksum Integrity Verifier (FCIV) utility from here.

Download and extract this utility to C:\Tools and use following commands to get the MD5 sum:

C:\Tools>fciv.exe –add sample.zip -md5

// File Checksum Integrity Verifier version 2.05.

9f14f0605d0fa5c21b83e972394f50db sample.zip

Identity Federation

Federating an individual’s or an entity’s identity in order to facilitate Single sign-on across intranet site or across multiple domains, achieved by setting up required trust relationships between the Identity provide and service provider.
Identity provider is an entity which stores the identity (authentication and authorization) information for the users. So every time user wants to access a services, instead of providing the authentication parameters (username password, certificates, tokens) directly to the service, its provided to the identity provider which host this information. On successful authentication, Idp provides an security token to the user which he can take it to the service. Service instead of authenticating the user, tries to validate the token and makes sure that it is issued by the authority which is trusted by the service. If token found legitimate, it grants the access to the user.
Lets look at a real life example of this federation scenario; lets say you go to a car rental company. Obviously car rental company will never ask you to prove yourself that you can drive the car, because it trusts DMV for doing that, so it asks you to go to DMV for verifying that you can drive. When you go to DMV, it tests your driving skill and if found eligible, issues an Driver’s License, which is nothing but your proof that you know driving and the rules of the road. When you go to a car rental company it will never ask you about your ability of driving but will just validate the Driving license.
          
In this example you would see that, Car Rental trusts DMV for verifying an individual’s ability to drive. This way both Car Rental Company and DMV does what they do best, one rents the car to the driver’s who need it and one verifies the individual’s ability to drive. More over, the License issued by the DMV has many more attribute and also used an an Identity Proof, so it is used to validate a user for multiple services.

See following Kapsule for more details

Simple Password on Windows 2008

 

Windows 2008 by default needs a complex password. Here is how you can disable that setting and use your own favorite password.

I think its always good to have complex password set, but in your test/lab environment if you cannot use use simple password that drives me crazy and I hate when I have to remember multiple password for my lab machines.

So this work around should only be used for non-production/non-publically hosted machines, and of course it’s a workaround so not a recommended setting at all.

File Transfer to remote machine with RDP

 

When you are connected to remove machine over RDP, there is an easy way to copy files to/from the local machine. No its not with the help of sharing file/folders…that’s not a good option for multiple reasons, not safe, cannot be used if you are behind firewall or proxy (file sharing port won’t be available).

If you explore the RDP dialog, you would see that you can share local resources with the remote machine. If you go to Local Resources tab, and click on More, it will open up a dialog where you can select local resources that you want to share. Notice that Clipboard will be selected by default that’s why you will be able to share the clipboard content between these two machines.

If you have more than one drive, you can select the one that you want to share.

 

After then when you connect to remote machine, you would see that selected drive will appear there as local driver, which will allow you to copy content to/from these machines.

Amazon EC2 : Reserved Instance

I was using Amazon windows instance for one of our client. We wanted to continue using this for some more time so we thought of exploring some options where we can minimize the cost (Reserved Instances).

Amazon offers Reserved Instance where in you have to pay much lesser cost for the instances that you plan to use for a longer period of time. The way it works is,
1) You decide how long you want to commit to the instance 1 Year or 3 years.
2) You decide the region in which you want the instance
3) Decide the type of instance you want to go for.

Be very cautious while choosing various options here because whatever you choose is not reversible or editable at all.

After this, once your payment is done, (probably at the end of the month when your bill is generated), you are eligible for the EC2 Reserved Instance, and your billing will now be at a very low price per hour. If you have a running instance it will be billed as a reserved instance or if you bring up new instance of the same configuration then it will be treated as the Reserved Instance. What ever option you go for the key is, same region and same configuration that you had chosen while specifying the configuration for Reserved Instance. If you have multiple instances of the same configuration in the same region then the one which is on for the longer period of time will be billed under Reserved Instance

(Amazon make sure that you pay less, they are being very nice to their customers :) )

How much do I save?

Although the usage charges are radically different for On Demand and Reserved Instances, there is a upfront cost that you pay for the later one. So unless you plan to use it for more than 5/8 months, you don't really save a lot. But if you have plan for using the instance for more time than this, then Reserved Instance is the best option to go for. For a longer use the savings are really significant.

I did some calculations for the instance that I was using Standard- Large (m1.large):

Windows:

For 4 months you pay $1283 for On Demand Instance. And pay $1486 for Reserved Instance.

For 5 months you pay $1728 for On Demand instance, and $1630 for Reserved Instance.

So your saving starts from 5th month on wards.

Linux:

For 6 months you pay $1468 for On Demand Instance, and $1428 for Reserved Instance.

For 7 months you pay $1713 for On Demand instance, and $1514 for Reserved Instance.

So your saving starts from 7th month on wards (obviously these figures are considering that your machine always on :) )

 

Savings would change depending upon the instance that you are using but surely you will save a lot in the long run.

 

Another interesting comparison is available @ http://spreadsheets.google.com/pub?key=rNtzGcAig_2X0xAP28V_2Jg

 

Technorati Tags: Amazon,EC2,Cloud Computing