What is Amazon Web Services (AWS)?
Enterprises want to focus on their core business, meaning their data. What they don't want is to spend time and effort on on-premises data centers, dealing with infrastructure duties such as maintaining DC power, cabling and connectivity, and the tasks related to infrastructure components, security, and software patching. They just want to consume infrastructure as they need it, and when it's no longer needed, why bother with the hardware?
Amazon Web Services (AWS), the first ever cloud computing platform, provides a solution to this. Created in 2006, AWS today provides the largest set of cloud services on a cloud platform.
AWS proposes the pay-as-you-go (PAYG) model, which means you only pay for what you consume – no more, no less. If you don’t need a resource within AWS, you can release it and simply stop paying for it.
The cloud computing model is fairly simple and has benefits:
- It trades capital expense for variable expense (no upfront cost/you pay on demand)
- There are massive economies of scale
- You will no longer need to guess capacity
- You gain speed and agility (no need to wait weeks to deploy on-prem solutions)
- You can stop spending money on maintaining data centers
- You can go global in minutes, deploying apps worldwide in a few clicks
Why use AWS
Global presence
AWS is the largest cloud provider, with a presence in 245 countries. So it goes without saying that wherever you are in the world, you will find AWS infrastructure close to you. This matters a great deal when latency is a concern for your applications.
Low latency
With services like CloudFront and Global Accelerator, your need for low latency will be taken care of, regardless of the technique used (caching or geolocation).
Affordable services
AWS provides the broadest range of computing, networking, and storage options at the best price compared to its main competitors.
Security
AWS is the most secure of the CSPs and provides encryption for data at rest and in transit. AWS also provides security services for every security level, including:
- Securing your AWS accounts with IAM and AWS Organizations
- Defending against cyber threats with GuardDuty (intrusion detection system) and web application firewalls (WAF)
- Key storage with AWS Key Management Service (KMS)
- Identifying a malicious insider with CloudTrail
Disaster recovery
Business continuity is an important element for your business, and downtime or data loss can lead to disaster. You have four options to protect against this:
- Back up and restore: this involves backing up services and restoring them in the event of a disaster. This translates to recovery time objective (RTO) and recovery point objective (RPO) in hours.
- Pilot light, with core services in standby mode: this translates to an RTO/RPO of around a dozen minutes.
- Warm standby, with a full copy of the services in standby mode and data replication: this translates to an RTO/RPO in minutes.
- Multi-site active/active architecture: this is where the production services are spread across two AWS sites, and it translates into no downtime.
How does the AWS cloud work?
AWS Global Cloud Infrastructure
The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering more than 200 services globally.
AWS infrastructure is built from regions and availability zones (AZs) so that you can run your services and applications all around the globe.
- A region is a physical location where the service is provided; it is made up of clustered data centers
- Each region is completely physically isolated from the rest of the AWS infrastructure
- There are at least two AZs per region
- US-EAST-1 is the largest AWS region, and it is also the region that billing information comes from
- Not all AWS services are available in all AWS regions, which can be an important criterion when selecting the most appropriate region to host your applications
- An AZ can be seen as a data center operated by AWS. It has redundant power, connectivity, and networking. Having multiple AZs within your region lets you provide a more highly available, resilient, and scalable application than operating a single on-premises data center yourself. All AZs are interconnected with high-bandwidth, low-latency networking over fully redundant metro fibers.
- AWS Local Zones, otherwise known as edge locations or points of presence (PoPs), allow you to place your AWS services closer to end users for accelerated performance and a better user experience.
- US GovCloud allows customers to host sensitive Controlled Unclassified Information (CUI)
AWS Shared Responsibility Model
Unlike with an on-premises data center, the AWS cloud user does not have to worry about data center maintenance, as this is AWS's responsibility. For the user, this means:
- No cabling
- No power and cooling
- No racking
- No software patching (*except with IaaS)
The AWS cloud user, however, is solely responsible for their data in the cloud.
There are three flavors of the shared responsibility model:
- Infrastructure-as-a-Service (IaaS), where AWS is additionally responsible for the storage, virtualization layer/servers, and network configuration on top of its data centers
- Platform-as-a-Service (PaaS), where AWS is responsible for the OS, database, and security on top of all of its IaaS responsibilities
- Software-as-a-Service (SaaS), where AWS provides the entire application stack
How to properly architect your cloud application
The six pillars of the AWS well-architected framework
This framework gives the design principles and best practices for running your workloads in the AWS cloud. An AWS cloud application will be powerful if the following dimensions have been properly considered upfront:
- Operational excellence, focusing on running and monitoring systems as well as improving procedures and processes. AWS products for operational excellence include CloudFormation and CloudWatch.
- Security, to protect the information and the systems. This also includes data integrity, managing user permissions, protecting the cloud infrastructure, and detecting security breaches. AWS products for security include IAM, WAF, Shield, Trusted Advisor, Organizations, GuardDuty, CloudTrail, and KMS.
- Reliability, to quickly recover from failure and meet demand. AWS products for reliability include Lambda, S3, Glacier, and EC2 Auto Scaling.
- Performance efficiency, to use and maintain computing resources efficiently as demand evolves. Here, selecting the resource type and size is key to accommodating your workload's requirements. AWS products for performance efficiency include CloudFront, Auto Scaling, Direct Connect, ElastiCache, and Relational Database Service.
- Cost optimization, to avoid unnecessary fees. AWS products for cost optimization include Auto Scaling, Budgets, Cost Explorer, and Trusted Advisor.
- Sustainability, to increase efficiency across the components and maximize the benefits. AWS products for sustainability include Auto Scaling, ELB, and Amazon S3.
Other concepts to consider about AWS Cloud
- Elasticity: The principle of the AWS cloud is to pay for what the user consumes. If the user no longer uses a service, they are free to release it and stop paying for it. Elasticity is the ability to acquire and release resources as they are needed or no longer needed.
- Scaling flavors:
  - Horizontal scaling is the act of increasing or decreasing the number of computing systems to cope with demand. EC2 Auto Scaling is the perfect example of horizontal scaling; for example, if demand increases, you can add more EC2 instances
  - Vertical scaling is the act of adding more resources, such as CPU, RAM, or disk, to your existing system
AWS vs competing cloud providers
The section below compares the three main CSPs on the market: AWS, Microsoft Azure, and Google Cloud Platform (GCP).
The information below is based on Q4 2021 public data.
Establishment
| | AWS | Azure | GCP |
|---|---|---|---|
| Establishment | Oldest CSP; highest number of customers; stagnation over the last five years | Constant and significant growth over the last five years; catching up with AWS | Newest among the three CSPs; growth over the last five years far behind its two main competitors |
| Cloud market share | 33% | 22% | 10% |
| Revenue growth | 40% | 50% | 90% |
Global Presence
| | AWS | Azure | GCP |
|---|---|---|---|
| Regions | 26 | 60 | 29 |
| Availability zones | 84 | Not published | 88 |
| PoPs/edge locations | 310 | Not published | 146 |
| Countries served | 245 | 140 | 200 |
| Services available | 200+ | 200 | 90 |
Services Comparison
| | AWS | Azure | GCP |
|---|---|---|---|
| Computing | Highly flexible and scalable, cheaper | Full variety of computing services | Limited |
| Network | Speedy and available everywhere | Broad and flexible | Most limited (no transit solution) |
| Storage | Largest offer | Medium offer | Limited |
| Database | Medium offer | Largest offer | Medium offer |
| Security | Mature and granular | Main weakness | Medium offer |
| Data analytics | Medium offer | Best offer | Strengths in advanced analytics |
| Integration | Strong | Strong | Emerging |
| Pricing | More expensive | Comprehensive | Cheapest |
AWS and Aviatrix use cases
The list below shows some specific use cases where Aviatrix is a fantastic addition to AWS:
Cybersecurity
- Protecting against malicious IPs: Internet access is everywhere in the cloud. If you want to protect your business from security risks like data exfiltration, DDoS, or compromised hosts, then ThreatIQ with ThreatGuard is the perfect tool. It dynamically identifies, flags, and remediates potential threats to known malicious destinations without impacting your data plane.
- Network behavior analytics: Aviatrix’s Network Behavior Analytics continuously fingerprints your workloads and network traffic, offering improved accuracy and anomaly detection over time. It highlights any indicator of compromise and quickly locates and remediates anomalous behaviors as a result of data exfiltration, DDoS, or port scanning, for example.
Full operational visibility and control (Day 2 Operations)
It is very cumbersome to troubleshoot an end-to-end flow within AWS when it is built with AWS VPC and AWS Transit Gateway (TGW) constructs. Two tools are necessary for this operation:
- VPC Flow Logs, for when the flow is inside the VPC
- Route Analyzer, for when the flow crosses the TGW constructs
Aviatrix CoPilot is a single pane of glass for pinpointing where the issue is: misconfiguration of native constructs such as VPC route tables, performance, or latency. With the added capabilities of the Aviatrix Controller, such as Ping, Traceroute, and Packet Capture, it completes a broad range of operational capabilities.
Overcoming the overlapping IPs challenge
If a provider or a merged company needs to communicate with your AWS cloud environment but uses the same CIDR/IP addressing scheme, then routing is not possible. Aviatrix provides different flavors of NAT to accommodate the different use cases, thus overcoming this limitation.
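As an added illustration (this is not Aviatrix's or AWS's code), the following Python models why overlapping CIDRs cannot be routed and how a 1:1 mapped NAT re-bases a partner's colliding range onto a spare, non-overlapping one. All CIDRs and addresses are constructed sample values.

```python
import ipaddress


def cidrs_overlap(a: str, b: str) -> bool:
    """True when two CIDR blocks share at least one address.

    A route table cannot hold unambiguous routes for two overlapping
    destinations, which is exactly the situation described above.
    """
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def mapped_nat(address: str, real_cidr: str, virtual_cidr: str) -> str:
    """Model a 1:1 (mapped) NAT.

    The host bits of ``address`` inside ``real_cidr`` are preserved and
    re-based onto ``virtual_cidr``; both ranges must be the same size.
    """
    real = ipaddress.ip_network(real_cidr)
    virt = ipaddress.ip_network(virtual_cidr)
    if real.prefixlen != virt.prefixlen:
        raise ValueError("mapped NAT needs equal-sized real and virtual ranges")
    host = ipaddress.ip_address(address)
    if host not in real:
        raise ValueError(f"{address} is not inside {real_cidr}")
    offset = int(host) - int(real.network_address)
    return str(virt.network_address + offset)


def plan_overlap_fix(local_cidr: str, partner_cidr: str, virtual_cidr: str):
    """Return (overlap_before, overlap_after) for presenting the partner
    network behind ``virtual_cidr`` instead of its real ``partner_cidr``."""
    before = cidrs_overlap(local_cidr, partner_cidr)
    after = cidrs_overlap(local_cidr, virtual_cidr)
    return before, after


if __name__ == "__main__":
    # Constructed scenario: our VPC and the partner both use 10.0.0.0/16,
    # so we present the partner's 10.0.1.0/24 as 192.168.100.0/24.
    local, partner, virtual = "10.0.0.0/16", "10.0.1.0/24", "192.168.100.0/24"
    print("overlap before/after NAT:", plan_overlap_fix(local, partner, virtual))
    print("partner host 10.0.1.25 is reached as", mapped_nat("10.0.1.25", partner, virtual))
```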
Expanding your cloud environment outside of AWS
Enterprises might decide to go multi-cloud if a specific application or service is not supported by their original CSP of choice. However, configuration, consolidation, and security are not easy when it comes to connecting the two CSPs. Aviatrix provides its Multi-Cloud Network Architecture, with its Transit Layer built from Transit Gateways and Transit Peering between the two CSPs, delivering a highly resilient, highly available, and secure multi-cloud network backbone.
Workloads encryption
A highly regulated industry may be required to encrypt workloads even within AWS, and not only when traffic leaves AWS. Aviatrix provides a solution by enabling IPsec everywhere. The traffic between two AWS VPCs will then be encrypted.
Free Trial: Aviatrix Secure Cloud Networking on AWS
Aviatrix has you covered if you want to simplify AWS network management and enhance security. Our platform seamlessly integrates with AWS while providing real-time visibility, simplified network monitoring, and enhanced security for even the most complex AWS networks. Now, you can get started for 30 days free.