AWS服务器配置部署手册

金风科技传播与信息云管理平台Amazon AWS部署文档1、Web服务器用于部署金风科技传播与信息云管理平台。

服务器要求：服务器类型：EC2推荐使用AMI：Amazon Linux AMI最低配置：t2.micro (变量ECU, 1 vCPU, 2.5 GHz, Intel Xeon Family, 1 GiB 内存, 8G存储)推荐配置：rge (6.5 ECU, 2 vCPU, 2.4 GHz, Intel Xeon E5-2676v3, 8 GiB 内存, 仅32G存储)数量：1台（根据实际情况可以部署多台）2、文件转换服务器用于部署文件转换服务器。

服务器要求：服务器类型：EC2推荐使用AMI：Amazon Linux AMI最低配置：t2.micro (变量ECU, 1 vCPU, 2.5 GHz, Intel Xeon Family, 1 GiB 内存, 8G存储)推荐配置：rge (6.5 ECU, 2 vCPU, 2.4 GHz, Intel Xeon E5-2676v3, 8 GiB 内存, 仅32G存储)数量：1台（根据实际情况可以部署多台）3、数据库服务用于数据存储。

服务要求：服务类型：RDS数据库类型：生产MySQL数据库版本：5.6.27最低配置：db.t2.micro (2 vCPU, 8 GiB 内存,5G)推荐配置：rge (2 vCPU, 8 GiB 内存,20G)4、文件存储服务用于平台用户文件的存储和下载。

服务要求：服务类型：S3存储桶：数量1 可以弹性最大5TB5、多媒体服务用于存储用户的较大的音频和视频文件，可以在线预览。

服务要求：服务类型：Elastic Transcoder、S3存储桶：数量1 可以弹性最大5TB注：多媒体服务申请时，只有个别地区有此服务，需要申请存储桶，存储视频、音频和封面文件，此服务的地区要与存储桶地区一致。

aws使用方法AWS（亚马逊云服务）是一种云计算平台，为个人、企业和组织提供各种云服务和解决方案，包括虚拟服务器、存储、数据库、网络服务等。

在本文中，我们将介绍AWS的使用方法。

首先，您需要创建一个AWS账户。

前往AWS官方网站并按照指引注册账户。

在注册过程中，您需要提供一些个人或组织的信息，同时需要提供您的付款信息。

一旦注册成功并登录到AWS控制台，您将能够访问AWS的各种服务。

AWS提供了丰富的云服务，可以根据您的需求选择适合的服务。

例如，如果您想运行一个虚拟服务器，可以使用Amazon EC2（亚马逊弹性计算云）服务。

在EC2中，您可以选择不同的服务器实例类型、操作系统和存储选项。

根据您的需求配置您的虚拟服务器，并启动它。

AWS还提供了存储服务，例如Amazon S3（简单存储服务），用于存储和检索任意数量的数据。

您可以创建存储桶并将文件上传到该存储桶中。

这些存储桶可以供您公开访问，或者设置为私有以进行更高级别的安全性。

此外，AWS还提供了数据库服务，如Amazon RDS（关系数据库服务），可以轻松管理和扩展关系数据库实例。

您可以选择不同的数据库引擎（如MySQL、PostgreSQL、Oracle等）并配置实例规格、备份计划等。

AWS还提供了诸如Amazon Route 53（域名系统服务）、Elastic Load Balancer （弹性负载均衡器）和Amazon VPC（虚拟私有云）等网络服务，以提供可靠和安全的网络基础设施。

最后，AWS还提供了一系列工具和服务，用于监控和管理您的AWS资源。

例如，AWS CloudWatch可以帮助您监控资源利用率和性能指标，AWS Identity and Access Management（IAM）可以帮助您管理对AWS服务的访问权限。

总结来说，AWS是一种强大而灵活的云服务平台，提供了各种各样的服务和解决方案。

通过注册AWS账户并访问AWS控制台，您可以根据需求选择和配置适合您的服务，并轻松管理和扩展您的云基础设施。

AWS Storage Gateway使用手册一、文档说明本文档将主要介绍如何使用AWS Storage Gateway的文件网关和VMwareESXI，来简化文件上传至S3的过程。

二、Storage Gateway介绍2.1 Storage GatewayAWS Storage Gateway 将本地软件设备与S3存储相连接，从而在本地IT 环境与S3存储基础设施传输数据。

可以使用此服务将数据存储到AWS S3，利用经济高效的可扩展存储来帮助保持数据安全性。

2.2 Storage Gateway分类AWS Storage Gateway 提供了基于文件网关、卷网关以磁网关的方式。

2.2.1 文件网关文件网关–文件网关支持连接到Amazon Simple Storage Service (Amazon S3) 的文件接口并将服务和虚拟软件设备组合在一起。

通过使用此组合，可以使用行业标准文件协议(如网络文件系统(NFS)) 在Amazon S3 中存储和检索对象。

软件设备(也就是网关) 作为运行在VMware ESXi 或Microsoft Hyper-V 管理程序上的虚拟机(VM) 部署到的本地环境中。

利用网关，可以将S3 中的对象作为NFS 装载点上的文件进行访问。

2.2.2 卷网关卷网关提供了支持云的存储卷，可以从本地应用程序服务器将该存储卷作为Internet 小型计算机系统接口(iSCSI) 设备安装。

2.2.3 磁带网关利用虚拟磁带库，将数据经济高效且持久的方式在Amazon Glacier 中，可以对备份数据进行存档。

2.3 工作原理(架构)2.3.1 文件网关通过服务器挂载NFS文件系统。

写入到NFS 的文件网关会异步更新Amazon S3 中的对象，所有数据传输都是通过HTTPS 完成的。

通过服务器挂载NFS文件系统。

写入到NFS 的文件网关会异步更新Amazon S3 中的对象，所有数据传输都是通过HTTPS 完成的。

AWS BEST PRACTICESHigh Availability Setup and Automating Route Table Change for an Active-Passive FortiGate Next Generation Firewall DeploymentQ3 2017• In an Active-Passive FortiGate HA environment in AWS, if the Active firewall has an issue and cannot process the traffic, amanual change is necessary for the route table to go through the Secondary Firewall. This is not ideal and might increasethe outage time.• To work around this, a python script can be used to automate the process. The python script monitors the primaryfirewall, and if the primary firewall goes down, it makes theappropriate API calls to automate the route table changesneeded to move to the secondary firewall.• When the primary firewall is restored, the python script will make the API calls to AWS to change the route table back to the primary firewall.• HA example:FORTIGATE HA SETUP: VPC_CFT STEPSStep 1. Download the CloudFormation template.https:///fortigatetemplates/FortiGate-HAtemplate5.4.5_ondemand.templateStep 2. Log in to AWS Management Console using your AWS login credentials. https://Step 3. Navigate to CloudFormation service in the Management Tools Section of the Management Console.Step 5. Choose the option “Upload a template to Amazon S3,” click on “Choose File,” and browse to the downloaded template from step 1. Click Next.Step 8. Click Next and provide a key name (optional).Step 10. Wait for the CloudFormation service to finish creating all the resources. The “events” tab should list the information the template is creating. The “resources” tab should list the resources as they are created.Step 13. Log in to the Worker Node through ssh. The IP address of the Worker Node is listed in the results section of the CloudFormation stack. The Worker Node is an Amazon Linux AMI that has the scripts required to monitor the FortiGates./AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-connect-to-instance-linuxExample screenshot of the command to log in and how it looks after login.Step 14. Navigate to the folder fortigateha once you are logged into the worker node. • cd fortigatehaStep 15. Execute the python script fortigateha.py with the runtime variable stack name. python fortigateha.pyOnce this is done, FortiGate HA setup is complete.Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.GLOBAL HEADQUARTERSFortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +1.408.235.7700/sales EMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne France Tel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6513.3730LATIN AMERICA HEADQUARTERS Sawgrass Lakes Center 13450 W. Sunrise Blvd., Suite 430Sunrise, FL 33323Tel: +1.954.368.9990Step 16. Once the script is started, the output will look like:Congratulations: You have created an active:passive automated HA architecture in your AWS VPC.。

AWS云计算技术手册1. 引言随着云计算技术的快速发展，越来越多的企业选择使用亚马逊网络服务（Amazon Web Services，简称AWS）来满足其计算和数据存储需求。

本手册将介绍AWS云计算技术的基本概念、核心服务和最佳实践，旨在帮助读者全面了解和应用AWS的能力。

2. AWS云计算简介2.1 云计算概述2.1.1 云计算的定义2.1.2 云计算的优势2.1.3 云计算的分类2.2 AWS云计算平台2.2.1 AWS的起源和发展2.2.2 AWS的基本架构2.2.3 AWS的全球基础设施3. AWS核心服务3.1 计算服务3.1.1 Amazon Elastic Compute Cloud（EC2）- EC2实例的创建和管理- 安全组和密钥对的配置- 实例的自动伸缩3.2 存储服务3.2.1 Amazon Simple Storage Service（S3）- S3存储桶的创建和配置- 对象的上传和下载- S3数据备份和冗余3.3 数据库服务3.3.1 Amazon Relational Database Service（RDS） - RDS数据库实例的创建和管理- 数据库的备份和恢复- 数据库的扩展和优化3.4 网络与内容分发服务3.4.1 Amazon Virtual Private Cloud（VPC）- VPC网络的设置和操作- 子网和路由表的配置- 安全连接的建立4. 最佳实践指南4.1 安全性和合规性4.1.1 Identity and Access Management（IAM） - IAM用户的创建和权限管理- IAM角色和策略的配置- IAM安全最佳实践4.2 弹性和可伸缩性4.2.1 弹性负载均衡器（ELB）- ELB的配置和管理- 监控和调整负载均衡- 高可用性和自动伸缩4.3 成本优化4.3.1 AWS计费模型- 按需实例的优化策略- 预留实例的购买和利用- 成本管理和优化工具5. 结论云计算已经成为现代企业获取弹性和可伸缩计算资源的重要手段，而AWS作为全球领先的云计算平台，为用户提供了丰富的服务和工具。

Secure Y our Migration to AWS with a Cloud-Native Managed Firewall ServiceExecutive SummaryMost organizations now run more than half of their workloads on public clouds,leveraging the agility and scalability of the cloud to meet rapidly evolving businessdemands. However, as you move your workloads to the cloud, your network becomesmore decentralized—which means the traditional methods used to secure your on-premises data centers are no longer enough. Ensuring consistent protection and visibilityacross distributed environments requires an enterprise-class network security solutionwith cloud-native benefits. Today’s cloud-first companies are looking for simplifiedsecurity operations integrated with native cloud service provider services to stop zero-day security threats while removing barriers to delivering essential business outcomes.FortiGate Cloud-Native Firewall (FortiGate CNF) combines next-generationfirewall capabilities with distinct cloud-based service advantages. FortiGate CNFis underpinned by FortiOS, our powerful security operating system designed to runconsistently in any environment. This unique approach ensures a common networksecurity experience across AWS cloud and on-premises environments. It also nativelyincorporates FortiGuard artificial intelligence (AI)-powered Security Services for real-time detection of and protection against malicious external and internal threats.Securing AWS Deployments Can Be Very ChallengingOne of the biggest challenges to operating cloud workloads is applying legacy network security operations—including configuration, provisioning, and firewall software maintenance—to the cloud. And the need to constantly scale the infrastructure and ensure availability as needs grow compounds those issues even further. Another challenge is multiple user accounts operating in diverse environments across AWS without consistent or adequate security protections.Most organizations also require more than the basic security available by default on AWS. The AWS Network Firewall requires additional custom security packages to ensure proper protection. But many companies don’t have the security and cloud expertise or resources needed to build and maintain them.Finally, organizations want solutions that integrate into cloud workflows to avoid the runaway costs typically associated with cloud usage.FortiGate CNF Ensures Consistent Protections Across Y our AWS EnvironmentsFortiGate Cloud-Native Firewall is a managed firewall service that removes complexity while improving security efficacy and supporting consistent security policies across different AWS environments. With no infrastructure to manage, organizations can focus on their business operations on the cloud, easily deploying effective security policies to protect their business-critical applications and data.58% of 823 cybersecurity professionals polled say they will run more than 50% of their workloads on public clouds in the next 12–18 months.1SOLUTION BRIEFFortiGate CNF is designed for three critical use cases:• Outbound traffic inspection: Content inspection of outgoing traffic from AWS workloads to the internet• Inbound traffic protection: Deep visibility into incoming traffic and advanced security measures to protect AWS workloads • East-west traffic filtering: Inspection and control of traffic between AWS VPCs and preventing the lateral spread of threats This CNF service delivers seamless scalability, implicit resiliency, streamlined workflows, and flexible consumption through deep cloud-native integrations with native AWS services like AWS Gateway Load balancer, AWS Firewall Manager, and AWS Marketplace. Through this service, Fortinet and AWS bring together the best of both worlds—deep security expertise and leading-edge cloud technology—in a simple-to-manage and easy-to-consume service.FortiGate CNF Enterprise-Grade ProtectionsCloud-native integrations: FortiGate CNF offers the robust inspection capabilities of a next-generation firewall. This includes support for security policies and deep visibility into the application layer—combined with advanced AI-powered detection and comprehensive protection, including geo-IP blocking, advanced filtering, threat protection, etc. It also supports metadata-based policies and dynamic objects to abstract away network dependencies and protect elastic workloads with changing IP addresses.It simplifies security delivery to deliver zero operations overhead. Unlike other solutions, FortiGate CNF requires just one CNF instance with an appropriate policy set to secure an entire AWS region, including multiple accounts, sub-nets, VPCs, and availability zones.Flexible management: The FortiGate CNF console provides a lightweight user interface and intuitive wizards to easily create, deploy, and manage security policies for AWS environments. For more sophisticated enterprise IT cases, a centralized management tool like FortiManager can define, deploy, and manage advanced security policies across multiple deployments and hybrid environments.Optimal pricing: By aggregating security across a region into a single CNF instance, enterprises can avoid the extra costs entailed by other vendor offerings that charge by cloud networks or availability zones. FortiGate CNF also offers competitive hourly and linear traffic inspection costs. The service also utilizes AWS Graviton instances to deliver even better price performance.November 23, 2022 12:07 PMBetter Protection EverywhereFortiGate CNF reduces the mean time to identify and remediate non-complianceissues. Its deeper traffic inspection reduces risks from attacks on AWS workloadscaused by web-based threats, vulnerability exploits, and other external andinternal threat vectors.Integration with the AWS Gateway Load Balancer helps network security teams moveat the speed and scale of applications teams. It eliminates do-it-yourself automationand easily secures Amazon VPC environments—while improving high availability andscale. And integration with the AWS Firewall Manager streamlines security workflowsand automates security rollout, saving time and increasing efficiency.The centralized FortiManager management solution allows enterprises to applysecurity policies consistently across hybrid environments—on-premises and onAWS. Complexity in securing elastic workloads, where network address–basedpolicies won’t work, is reduced using its dynamic object policies. Cloud-firstenterprises can also leverage the lightweight user interface and intuitive wizards inthe FortiGate CNF console to easily create, deploy, and manage security policiesfor their AWS environment.Organizations that deploy FortiGate CNF also save on infrastructure costs as thereis no security software infrastructure to build, deploy, or operate. They also save ontraining and resourcing costs otherwise necessary to deliver DIY security on AWS.FortiGate CNF delivers the following benefits:•Comprehensive network protection •Streamlined cloud workflows •Consistent hybrid-cloud security management • Optimized TCO Comprehensive Security for AWS Begins with FortiGate Cloud-Native FirewallWith today’s C-suite focused on the business value of cloud adoption, cloud security is now a business imperative. They need network security options in the cloud that offer enterprise-grade security, simplicity, flexibility, and predictable costs. And increasingly, they need those services to span their hybrid network environments. FortiGate Cloud-Native Firewall delivers on these needs, providing advanced network protection at any scale. With FortiGate CNF, you can maintain a robust security posture and accelerate your cloud journey on AWS without compromising security and compliance.Copyright © 2022 Fortinet, Inc. All rights reserved. Fortinet ®, FortiGate ®, FortiCare ® and FortiGuard ®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.1 “Cloud Security Report,” Cybersecurity Insiders, accessed November 23, 2022.2Ibid.The public cloud Infrastructure-as-a-Service (IaaS) market is expected to reach $225 billion by 2025. The size of cloud security—at nearly $20 billion already in 2022—underscores the importance of security to organizations in various phases of their cloud journey.2。

如何使用AWS云服务进行应用部署与管理第一章：AWS云服务概述1.1 云计算与AWS云服务的关系1.2 AWS云服务的优势及适用场景1.3 AWS云服务的主要产品和服务介绍第二章：AWS基础设施搭建与环境准备2.1 注册AWS账号与创建IAM用户2.2 创建Virtual Private Cloud（VPC）2.3 设置安全组和网络访问控制列表（NACL）2.4 设置网络和子网2.5 创建EC2实例第三章：应用部署与管理工具介绍3.1 AWS Elastic Beanstalk3.1.1 Elastic Beanstalk的优势与适用场景3.1.2 Elastic Beanstalk的使用步骤和主要功能3.2 AWS OpsWorks3.2.1 OpsWorks的优势与适用场景3.2.2 OpsWorks的使用步骤和主要功能3.3 AWS CloudFormation3.3.1 CloudFormation的优势与适用场景3.3.2 CloudFormation的使用步骤和主要功能第四章：实际应用部署案例分析4.1 使用Elastic Beanstalk进行应用部署与管理4.1.1 创建应用环境4.1.2 配置环境变量4.1.3 持续集成与自动化部署4.2 使用OpsWorks进行应用部署与管理4.2.1 创建OpsWorks堆栈4.2.2 配置应用层和数据库层4.2.3 定制Chef运行列表4.3 使用CloudFormation进行应用部署与管理4.3.1 编写CloudFormation模板4.3.2 创建并部署Stack4.3.3 更新和删除Stack第五章：AWS云服务的监控与调优5.1 AWS CloudWatch监控服务详解5.1.1 CloudWatch监控指标5.1.2 创建和设置CloudWatch报警5.2 AWS自动扩展组（Auto Scaling）的使用5.2.1 配置自动扩展组5.2.2 设置自动伸缩策略5.3 AWS负载均衡（ELB）的配置与使用5.3.1 创建和配置负载均衡器5.3.2 与Auto Scaling、Elastic Beanstalk集成第六章：AWS云服务的安全管理6.1 AWS Identity and Access Management（IAM）的原理和使用6.1.1 创建用户和用户组6.1.2 设置权限和访问控制6.1.3 多因素身份验证（MFA）6.2 AWS Web Application Firewall（WAF）的配置与使用6.2.1 创建WebACL6.2.2 配置规则和条件6.2.3 实时流量监控和阻断6.3 AWS Key Management Service（KMS）的使用6.3.1 创建和管理加密密钥6.3.2 加密应用数据和存储第七章：备份与恢复7.1 AWS数据库备份与恢复策略7.1.1 RDS数据库的备份与恢复7.1.2 DynamoDB的备份与恢复7.2 AWS存储备份与恢复策略7.2.1 S3存储桶的备份与恢复7.2.2 Glacier冷存储的备份与恢复第八章：成本管理与优化8.1 AWS计费模型与定价方式8.2 使用AWS计费工具进行成本监控和报告生成8.3 成本优化的策略和实践第九章：最佳实践与经验分享9.1 保持应用高可用性的最佳实践9.2 提高应用性能的最佳实践9.3 安全管理的最佳实践9.4 成本管理和优化的最佳实践总结：AWS云服务在应用部署与管理方面的优势和应用案例的总结。

本话题讨论的主要内容•系统部署的风险分析•蓝/绿部署的重要概念•在AWS上进行蓝/绿部署的益处•在AWS上进行蓝/绿部署模式•数据层面切换的最佳实践•成本优化系统部署的风险•面临的挑战•应用程序出错•基础架构失效•容量的问题•扩展的问题•人为的错误•流程失效•回滚的问题•对业务的影响•宕机时间•数据丢失•糟糕的客户体验•损失收入•业务人员的抱怨•员工压力太大•浪费时间和资源在AWS上定义蓝/绿部署什么是蓝/绿部署?•“蓝”•(existing production environment)•“绿”•(parallel environmentrunning a differentversion of theapplication)•“部署”•(ability to switch traffic betweenthe two environments)什么是环境?Boundary for where things changed and what needs to be deployed示例:App component, app tier, microservice 示例:DNS, load balancerv2.2.103v2.3.020在AWS上进行蓝/绿部署的益处•AWS:•弹性部署•多样的选择•容量可动态调整•按实际用量付费•高效快速在AWS上进行蓝/绿部署模式共有的问题: 环境的自动化•成功的部署取决于对如下风险的克服:•应用程序出问题(功能性的问题)•应用程序的性能问题•人员/流程失效•基础架构失效•回滚的容量•高额的成本•蓝/绿部署的不同模式对以上这些风险有不同的处理方式CloudFormation全面的自动化平台✓定义从网络到软件的整个环境✓控制高一级的自动化服务: Elastic Beanstalk,OpsWorks, Auto Scaling自动化平台的长处模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境模式: 经典的DNS 切换模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境模式: 经典的DNS切换•部署流程:•从已有的应用环境开始•部署新的应用环境•测试绿的应用环境•通过DNS逐步切换流量•监控你的环境•出现问题，回滚到蓝的应用环境•"Resources": {•"myApp": { "Type": "AWS::ElasticBeanstalk::Application "},•"myConfigTemplate": { •"Type":"AWS::ElasticBeanstalk::ConfigurationTemplate "•},•"myBlueAppVersion ": {•"Type": "AWS::ElasticBeanstalk::ApplicationVersion "•},•"myBlueEnvironment ": {•"Type":"AWS::ElasticBeanstalk::Environment "•},•"myBlueEndpoint ": {"Type": “AWS::Route53::RecordSet "},•..."myGreenAppVersion ": {"Type": "AWS::ElasticBeanstalk::ApplicationVersion "},"myGreenEnvironment ": {"Type": "AWS::ElasticBeanstalk::Environment "},"myGreenEndpoint ": {"Type": "AWS::Route53::RecordSet "}...自动化你的应用环境•Use CloudFormation templates to model your environment•Version-control your templates•Use Elastic Beanstalk or OpsWorks to model your applications inside the template•Update CloudFormationstack from updated template containing green environmentAmazon Route 53 基于权重的DNS切换•AWS Elastic Beanstalk environment endpoint swap•DNS record time-to-live (TTL)•Reaction time = (TTL ×no. of DNS caches) + Route53 propagation time, up to 1min •Beware of misbehaving DNS clients•Auto Scaling and Amazon Elastic Load Balancing (ELB) need time to scale•Measurable metrics•ELB: Latency, SurgeQueueLength, SpillOverCount, BackendConnectionErrors •Your application metrics•Your deployment goals模式回顾:经典的DNS切换风险克服的程度说明程序的功能问题优有利于逐层剖析问题程序的性能问题优平滑切换，流量分流管理人员/流程出错好取决于自动化框架基础架构失效好取决于自动化框架回滚中DNS TTL 的复杂性(reaction time,flip/flop)成本优通过Auto Scaling来优化成本让我们去掉DNS的切换…模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) ，部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG模式: 切换Auto Scaling Groups•部署流程:•Amazon Elastic Load Balancer(ELB) 部署在应用前段•从现有的Auto Scaling Group(ASG)开始•部署&扩展新的ASG•测试绿的应用环境•在ELB上注册绿的ASG•在ELB上去除蓝的ASG在ELB后面切换Auto Scaling groups•Register with ELB:–One or more EC2 instances–One or more Auto Scaling groups •Least outstanding requests algorithm favors green ASG instances for new connections•Connection draining -gracefully stop receiving traffic•Scale out green ASG before ELB registration•Put blue instances in standby •$ aws autoscaling attach-load-balancers \•--auto-scaling-group-name "green-asg" \•--load-balancer-names "my-app-elb"•$ aws autoscaling set-desired-capacity \•--auto-scaling-group-name "green-asg" \•--desired-capacity X•$ aws autoscaling detach-load-balancers \•--auto-scaling-group-name "blue-asg" \•--load-balancer-names "my-app-elb"•$ aws autoscaling enter-standby \•--instance-ids i-xxxxxxxx\•--auto-scaling-group-name "blue-asg"\•--should-decrement-desired-capacity模式回顾: 切换Auto Scaling groups风险克服的程度说明程序的功能问题优有利于逐层剖析问题，附加ELB程序的性能问题好流量分流管理，力度较粗，ELB预热人员/流程出错好取决于自动化框架基础架构失效优Auto-scaling回滚优没有DNS的复杂性成本优通过Auto Scaling来优化成本让我们继续减少应用环境的限制…模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态模式: 切换Launch Configurations•部署流程:•从现有的在ELB后面的ASG &Launch Configuration 开始•在ASG上注册更新的绿的LaunchConfiguration•将ASG的容量逐步增加到原有容量的2倍•将ASG的容量减少到原有的容量•为增加可控性，将老的实例切换到备份状态切换launch configurations•Launch configurations:Blueprints for ASG instance provisioning, each ASG points to exactly one •Scale-out & replacement:Events will use the attached (green) launch configuration to provision instances•Scale-in:ASG scale-in events will terminate instances with oldest launchconfiguration first while trying to keep capacity in AZs balanced•May need to address AZ imbalances separately•Temporarily remove instances from ASGPlace specific ASG instances (blue) into standby –stop receiving traffic模式回顾: 切换Launch Configurations风险克服的程度说明程序的功能问题中在异构环境中定位错误比较复杂程序的性能问题中流量分流的力度不够细, initial trafficload人员/流程出错好取决于自动化框架基础架构失效优Auto-Scaling回滚优没有DNS的复杂性成本好通过Auto Scaling来优化成本, 但是开始时需要额外的扩展蓝/绿部署模式总结模式对风险的克服经典式DNS切换切换Auto Scalinggroups切换launch configs程序的功能问题Canary analysis Canary analysis Mixed fleet程序的性能问题Granular traffic switch Instance-levelgranularityMixed fleet人员/流程的错误Automation: Use CloudFormation with Elastic Beanstalk, OpsWork, third party 基础架构失效Automation framework Auto Scaling, ELB Auto Scaling, ELB 回滚的能力DNS ELB ELB 成本管理Gradual scaling Gradual scaling Some over-provisioning部署的复杂性Simple,DNS weightsAuto Scaling control Scale-in adjustments。