Each year, the AWS re:Invent conference provides an enormous amount of learning opportunities for attendees to gain knowledge around new releases and techniques. These opportunities lead to immediate, practical use cases for the technologies showcased at the conference.

At WWT, our team of Cloud Architects make it their mission to stay up-to-date with everything and anything cloud, so this event from AWS provides a great amount of insight for every one of our technical teams and end customers.

Take a look at this year's re:Invent takeaways straight from the experts themselves.

David Ball – Cloud Platform Architect

I attended a Builders Session, EUC307: WorkSpaces DR Best Practices, hosted by JP Santana, an AWS Senior Solutions Architect, in which he discussed a WorkSpaces "warm standby" DR Solution he architected and developed for a customer. This session was a follow-up to a blog post JP wrote detailing the solution.

In its original configuration, the solution is implemented via a CloudFormation stack deployed to your DR region. The CloudFormation template creates an S3 bucket, a Systems Manager maintenance window and Lambda functions to create (or remove) WorkSpaces instances in the DR region. The solution continuously checks the user accounts of a specific Active Directory OU and as user accounts are added or removed from this OU, WorkSpaces (AutoStop running mode) are automatically created or terminated from the DR region to ensure that a DR WorkSpace is available to an "active user."

This solution provides an easy method to have WorkSpaces ready to go in another region, should a DR event occur. But as we worked through the solution, two thoughts occurred to me:

  1. Can the solution/CF template be modified to create/delete WorkSpaces based on an Active Directory Group as opposed to an Active Directory OU? Why? What kind of AD GPO application mess may arise if I'm moving a subset of user objects from multiple departments with potentially multiple policy requirements to a single OU just to ensure they have a WorkSpace at the ready in a DR region?
  2. The use case for this solution can't be limited to DR. Surely, I can use this to create both Production and DR WorkSpaces instances.

Since returning from re:Invent, I edited the solution to automatically create/delete WorkSpaces based on AD group membership, and it can easily be used to deploy both production and DR WorkSpaces instances by deploying the same CloudFormation template in the production and DR regions.
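The reconciliation step such a group-driven Lambda has to perform, written here as an added example rather than David's modification or JP Santana's original CloudFormation solution. It assumes the AD group's sAMAccountNames have already been fetched (for example by an LDAP query inside the Lambda), that a boto3 WorkSpaces client is passed in, and it makes up the `ManagedBy` tag it uses to mark WorkSpaces it owns.

```python
"""Reconcile WorkSpaces against an AD group (added example, not the original solution)."""
from itertools import islice

AUTO_STOP = {"RunningMode": "AUTO_STOP", "RunningModeAutoStopTimeoutInMinutes": 60}
MANAGED_TAG = {"Key": "ManagedBy", "Value": "ad-group-workspaces-sync"}  # constructed name
BATCH = 25  # CreateWorkspaces / TerminateWorkspaces accept at most 25 entries per call


def plan(group_members, existing):
    """Decide which users need a WorkSpace and which WorkSpaces should go.

    group_members: sAMAccountNames currently in the AD group (assumed to come
    from an LDAP lookup in the Lambda). existing: DescribeWorkspaces entries for
    the directory, each extended with a 'Tags' list taken from DescribeTags.
    """
    want = {u.lower() for u in group_members}
    have = {}
    for ws in existing:
        if ws.get("State") in ("TERMINATING", "TERMINATED"):
            continue  # already on its way out; do not count it as present
        have.setdefault(ws["UserName"].lower(), []).append(ws)
    create = sorted(want - set(have))
    # Only terminate WorkSpaces carrying our tag, so a WorkSpace someone provisioned
    # by hand in the same directory is never removed when a user leaves the group.
    terminate = sorted(ws["WorkspaceId"] for user, items in have.items()
                       if user not in want for ws in items
                       if MANAGED_TAG in ws.get("Tags", []))
    return create, terminate


def apply(client, directory_id, bundle_id, group_members):
    """Run one reconciliation pass with a boto3 'workspaces' client."""
    pages = client.get_paginator("describe_workspaces").paginate(DirectoryId=directory_id)
    existing = [ws for page in pages for ws in page["Workspaces"]]
    for ws in existing:
        ws["Tags"] = client.describe_tags(ResourceId=ws["WorkspaceId"])["TagList"]
    create, terminate = plan(group_members, existing)
    for chunk in _chunks(create):
        client.create_workspaces(Workspaces=[{
            "DirectoryId": directory_id, "UserName": u, "BundleId": bundle_id,
            "WorkspaceProperties": AUTO_STOP, "Tags": [MANAGED_TAG]} for u in chunk])
    for chunk in _chunks(terminate):
        client.terminate_workspaces(
            TerminateWorkspaceRequests=[{"WorkspaceId": w} for w in chunk])
    return create, terminate


def _chunks(seq):
    """Yield successive lists of at most BATCH items from seq."""
    it = iter(seq)
    while batch := list(islice(it, BATCH)):
        yield batch
```

Deploying the same function in both the production and DR regions, each with its own directory and bundle IDs, gives the production-plus-DR pattern described above; the tag check keeps a pass in one region from touching WorkSpaces it did not create.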

Rama Kukkadapu – Cloud Platform Architect

I captured the experience from my first AWS re:Invent using some favorite sessions (all available online for review).

Session SEC335-R: How to deploy secure workloads with AWS Control Tower

I have put significant effort into AWS Control Tower improvements and features. AWS made tremendous progress on CT 2.1 version caveats and found solutions for most of them with CT 2.2. This included introducing new features like adding "constraints," Systems Manager and billing guardrails.

They also mentioned that AWS will discontinue release patches for Landing Zone starting in the middle of next year (2020) and will make a strong migration path for existing LZ customers. Their recommendation is to have "Greenfield" customers start using Control Tower while existing users keep using LZ.

Amazon VPC, governance automation and CloudFormation StackSets

I enjoyed NET305-R: Advanced VPC design and new capabilities for Amazon VPC, because it showed where a lot of limits have been increased and gave information on new features. I also had a great experience with the SEC313-S session, Beyond the scripts: Governance automation master class, which talked about using the right resources in the right place at the right time. Lastly, session DOP325-R1: Deploying AWS CloudFormation StackSets across accounts and Regions was a nice refresher on access controls and the best way to use and manage CloudFormation StackSets.

John Harbin – Cloud Platform Architect

My week at re:Invent focused on learning more about two big hybrid cloud offerings, Outposts and VMC on AWS. I found it interesting that each of these achieves "hybrid" from the opposite approach: AWS reaching into the data center with Outposts, and VMware reaching into the cloud with VMC.

Amazon recognizes that customers want the same experience whether their workloads are in the cloud or on-premises. Outposts gives customers the ability to run AWS services within their local data centers via the same control plane and management interface they've been using for years. In the same manner, VMC allows businesses to extend their current vSphere environments into the cloud, maintaining their own familiarity while also gaining the flexibility cloud offers with infrastructure as a service (IaaS).

These offerings are going to give businesses a great deal of options regarding where and how to deploy workloads, in addition to some pretty amazing out of the box capabilities. We seem to be moving into more of a "cloud mesh" rather than having a distinction between public, private and hybrid cloud deployments.

Bill Johns – Cloud Platform Architect

The 2019 re:Invent conference was quite the whirlwind for me; I learned a lot.

Control Tower is growing up — I feel it's part of the initial message we need to share with our customers. No longer is Landing Zone full of peril and confusion, because Control Tower provides an excellent 'starter' LZ with initial security and governance controls. I feel that as the product matures, more flexibility is being added. I experienced SEC204, Security and Governance with AWS Control Tower and AWS Org. Combining Control Tower and AWS Organizations greatly simplifies securing and templatizing initial AWS environment creation and operation.

I also attended the CMP212 - 5G Edge Compute presentation. AWS is looking forward to the next big thing in compute. IoT is here and doing well: from connected refrigerators and smart speakers to human-sensing security cameras. These items all rely on cloud compute to execute or assist with the operational features.

As the IoT cloud expands, user applications are demanding lower and lower latency and becoming less forgiving to packet loss. The next-gen applications will require low latency and direct network connections (think streamed video games). AWS is partnering with Verizon (and many others I believe) to attach edge compute clusters at 5G aggregation points in order to serve these new next-gen applications. Imagine what we can do with ~5ms latency combined with edge compute — the growth of edge compute is assured.

My favorite presentation was on AWS Network Manager. I feel the technologies showcased here can help our customers immediately. Think about replacing the current direct wire or MPLS WAN network with routers that automatically connect to the physically closest AWS VPN endpoint, then using the AWS backbone to route traffic to another VPN device, bypassing the instability of the public internet.

The VPN devices can be configured to self-register and configure with AWS, enabling companies to ship secure 'branch office-in-a-box' type deployments. Personally, I was really impressed with this idea. I hope to see it in action shortly.

Dan Pallone – Cloud Platform Architect

So, re:Invent was incredible. I lost sight of time and work. I was able to see a couple of keynotes, several workshops and many people. Areas I wanted to focus on were serverless and EKS.

The EKS workshop was great. They shared a workshop link I added to the list of workshops for NET403-R1 - Deep dive: Container networking at scale on Amazon EKS & Amazon EC2. I liked the session; I did not know you could build namespace networks with Docker in EKS. It is detailed in the first lesson of the workshop.

Below is a list of other workshops I attended, and I'm still reflecting on how to implement them in our work with customers:

  • NET401-R - Build your AWS Ground Station mission profile with AWS CloudFormation
  • API316-R1 - Building serverless workflows using AWS Step Functions
  • NET202-R - Using AWS Global Accelerator for multi-region applications
  • DOP201-R1 - DevOps essentials: Introductory workshop on CI/CD practices
  • NET205-R1 - Getting started with Global Accelerator
  • SVS327-R1 - Build serverless APIs with the AWS CDK
  • SVS305-R - How to secure your serverless applications
  • GPSTEC406 - AWS Alien Attack workshop
  • NET404-R3 - How to test network performance on AWS
  • SVS332-R2 - AWS Step Functions: From zero to hero

Brandon Hunter – Cloud Platform Architect

Though on the surface, AWS re:Invent 2019 may not have seemed quite as glamorous and action-packed as years past, Amazon still never ceases to awe and amaze its users and fanbase. If we could take away one word from Amazon's keynotes and core messaging this year, it appeared to be: machine learning.

They've made it easier to build and maintain your own machine learning models with services like Amazon SageMaker Studio, which is a web-based, full-featured Integrated Development Environment (IDE) specifically designed and built for your ML work.

Additionally, they've released their own applied ML-based platform services such as Amazon CodeGuru, which can automatically review your source code and make recommendations to improve aspects of your code like suboptimal performance patterns or inadequate error-handling logic, both of which may cost you additional time, resources, money and heartache down the road. More and more, Amazon is dispensing with the theory and strengthening their applied ML platform services portfolio, which anyone can explore and get started with today.

Another equally (if not more) compelling trend was Amazon showing that it's continuing to extend its services edge and the reach of its flagship compute, storage and network infrastructure services far more closely to its consumers. The basis of this is AWS Outposts, which went GA this year and provides us with the same hardware infrastructure, services, APIs and tools to run our applications both in the cloud and in our data centers.

Today these include basic infrastructure services such as EC2, EBS, ECS, EKS and VPC, but also platform services like Amazon RDS on AWS Outposts (in preview), EMR, App Mesh and S3 for Outposts (available in 2020). Building on that capability with services such as AWS Local Zones, Amazon can now also deploy this same hardware (with select services available) more closely to large IT, industry and population centers such as Los Angeles, CA (their first deployment area) — where no other AWS infrastructure otherwise exists today.

Lastly, they've announced AWS Wavelength and their first strategic partnership with Verizon Wireless (other providers to come), which provides developers with the capabilities to deliver ultra-low latency applications directly to mobile edge 5G consumers. This is a crucial step toward the realization of the promises of 5G mobile technology, as it can reduce device-to-server application latency by several orders of magnitude, with implications for entirely new applications in smart cities, smart cars, robotics, public health and safety, emergency medicine and many more.

The future is incredibly bright with Amazon as the torchbearer, forging the path and lighting the way for the advancement of humanity for generations to come.